Panel Discussion: Research Privacy and HIPAA
October 18, 2011
- In order to be compliant with HIPAA, study teams must either obtain written authorization from individual subjects or be granted a Waiver of HIPAA Authorization. Written authorizations are embedded in the Informed Consent Document (ICD) templates; a separate document is not necessary when using an IRBMED-approved ICD. A Waiver of HIPAA Authorization may be granted by the Privacy Board, a convened IRB Board, or an expedited reviewer.
- Section 12 of the eResearch Application outlines the “Exempt” categories and provides descriptions of the criteria that must be met in order to qualify for an exemption.
- Section 4 of the eResearch Application outlines the “Not-Regulated” categories and provides descriptions of the criteria that must be met in order to qualify as not-regulated.
- Whenever a Waiver of Consent or a Waiver of Informed Consent is requested, a Waiver of HIPAA Authorization must also be requested.
- “Not-Regulated” is a term used to indicate that a project is not regulated as research involving human subjects under the Common Rule. When study team members will be accessing Protected Health Information (PHI), however, the project may still be regulated under HIPAA.
- Waivers of HIPAA Authorization only allow access to the minimum amount of PHI necessary in order to complete the project.
- Applications for a Waiver of HIPAA Authorization were previously submitted on paper via fax. The process is now integrated into eResearch.
- Quality Improvement/Quality Assurance activities may require a Waiver of HIPAA Authorization. In particular, if you suspect that you may want to publish the results, you will likely need a Determination Letter from an IRB or the Privacy Board.
- Certification Preparatory to Research is not regulated under the Common Rule. Certification Preparatory to Research applications should be used to assess the feasibility of a project; essentially, they are designed to find out whether there would be enough subjects at a site to conduct the full study. Importantly, researchers may neither record identifiers nor use the information to recruit subjects.
- The “Common Rule” refers to the federal regulations governing research involving human subjects; the language has been adopted by sixteen federal departments.
- Research on decedents, while not considered research on human subjects under the Common Rule, is regulated under HIPAA. HIPAA defines an individual to include “estates”; because of this, the access to PHI of decedents must comply with HIPAA provisions.
- De-Identified Data Sets are data sets from which all eighteen Safe Harbor identifiers have been removed, the last of which is the “catch-all” (any other unique identifying number, characteristic, or code). There is a second method for de-identifying data that requires statistical certification that the individuals cannot be identified from the information that is collected.
For more information, see http://www.med.umich.edu/i/policies/umh/01-04-340.htm (De-identification and Re-identification).
- Information that is truly de-identified is not subject to HIPAA. This applies only to pre-existing de-identified data; if you must access PHI in order to create a de-identified data set, HIPAA applies to that access.
- Data Use Agreements are required if you will be disclosing a Limited Data Set to, or receiving one from, a person or entity outside the Covered Entity. Data Use Agreements are processed through the Compliance Office.
For more information, see http://www.med.umich.edu/i/policies/umh/01-04-342.htm (Limited Data Sets).
- A convened IRB Board may function in place of the Privacy Board and grant Waivers of HIPAA Authorization.
- Not all types of investigations or assessments need IRB or Privacy Board approval. If you suspect you may want to publish the findings, however, you may want to seek a determination from either the IRB or the Privacy Board. Most publications will require documentation that the investigation or assessment was reviewed by one of these entities. Importantly, neither IRBMED nor the Privacy Board will provide a retrospective review and approval; the project must be reviewed before the activity begins.
- i2b2: help is available with template language, data mining, and use for recruitment.
- Policy 01-04-340: This policy sets forth two ways that information can be de-identified. To de-identify information, neither UMHS nor the individual performing the de-identification may have actual knowledge that the information could be used by a recipient in any way to identify a patient who is a subject of the information. The first de-identification method (Safe Harbor) requires removal of all of the following identifiers of the patient (and of relatives, employers, and household members of the patient):
- names;
- all geographic subdivisions smaller than a State, except for the initial three digits of a zip code if (i) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and (ii) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
- all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- telephone and fax numbers; electronic mail addresses; web addresses (URLs); Internet Protocol (IP) addresses;
- Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers;
- device identifiers and serial numbers; biometric identifiers, including finger and voice prints; full face photographic images and any comparable images; and
- any other unique identifying number, characteristic, or code (such as a patient's initials or scrambled Social Security or medical record numbers).
The second method of de-identification is “De-identification Through Statistical Method.” With prior approval from the Privacy Director or the Privacy Director's designee, PHI may be de-identified through a statistical method. Under this method, a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable shall apply such principles to determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information. In addition, the qualified expert shall document the methods and results of the analysis that justify his or her determination.
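The Safe Harbor rules above are mechanical enough to implement, and doing so shows two points the list alone does not: the ZIP and date rules are generalizations, not deletions, and the catch-all item is best handled by passing through only an explicit allow-list of fields and scanning any retained free text for residual identifiers. The following is an added example written for this page, not code from UMHS or from policy 01-04-340. The record layout, field names, the cut-off date, and the patient records are constructed for illustration; the set of restricted three-digit ZIP prefixes is not given on the page and is assumed from HHS guidance derived from 2000 Census data, so it must be verified against current data before use.

```python
"""Safe Harbor de-identification of a patient record (added example)."""
import re
from datetime import date

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer; Safe
# Harbor requires these be changed to "000". ASSUMPTION: this set is not on the
# page; it follows HHS guidance based on 2000 Census data. Verify before use.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Fields allowed through unchanged (hypothetical field names). Anything not
# listed here or generalized below is dropped, so the "any other unique
# identifying number, characteristic, or code" catch-all is handled by default.
PASSTHROUGH_FIELDS = {"diagnosis_codes", "sex", "lab_results"}

# Patterns used to scan retained free text for identifiers that slipped in.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+", re.I),
}


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or '000' for a restricted prefix.

    Inputs shorter than five digits are treated as unusable (None) rather than
    guessed at.
    """
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def residual_identifiers(text):
    """Names of RESIDUAL_PATTERNS that match somewhere in text."""
    return {name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(text)}


def safe_harbor(record, as_of):
    """Return a Safe Harbor de-identified copy of record.

    record maps field names to values; date fields are datetime.date objects.
    as_of is the reference date used to compute age. Raises ValueError if
    retained free text still contains an identifier (fail closed rather than
    silently emitting a partial data set).
    """
    out = {}
    dob = record.get("birth_date")
    over_89 = dob is not None and age_on(dob, as_of) > 89

    if dob is not None:
        # Dates keep only the year; for ages over 89 the birth year itself
        # indicates the age, so it is dropped and the age is aggregated.
        out["birth_year"] = None if over_89 else dob.year
        out["age"] = "90+" if over_89 else age_on(dob, as_of)

    for field in ("admission_date", "discharge_date", "death_date"):
        value = record.get(field)
        if value is not None:
            out[field.replace("_date", "_year")] = value.year

    if record.get("zip") is not None:
        out["zip3"] = generalize_zip(record["zip"])

    for field in PASSTHROUGH_FIELDS:
        if field in record:
            out[field] = record[field]

    notes = record.get("notes")
    if notes is not None:
        hits = residual_identifiers(notes)
        if hits:
            raise ValueError("free text contains identifiers: %s" % sorted(hits))
        out["notes"] = notes
    return out


def rejects_free_text(record, as_of):
    """True if safe_harbor refuses the record because of its free text."""
    try:
        safe_harbor(record, as_of)
    except ValueError:
        return True
    return False


# Constructed sample data; not real patients.
AS_OF = date(2011, 10, 18)
SAMPLE_RECORD = {
    "name": "Jane Q. Example", "mrn": "000123456", "ssn": "000-00-0000",
    "email": "jane@example.org", "phone": "734-555-0100",
    "ip_address": "192.0.2.10", "birth_date": date(1920, 3, 15),
    "admission_date": date(2011, 10, 3), "discharge_date": date(2011, 10, 7),
    "zip": "48109-1234", "sex": "F", "diagnosis_codes": ["I10", "E11.9"],
    "notes": "Patient tolerated procedure well.",
}
YOUNG_RECORD = {"birth_date": date(1985, 12, 1), "zip": "03601", "sex": "M"}
DIRTY_RECORD = {"sex": "F", "notes": "Call 734-555-0100 to follow up."}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, AS_OF))
    print(safe_harbor(YOUNG_RECORD, AS_OF))
    print("dirty record rejected:", rejects_free_text(DIRTY_RECORD, AS_OF))
```

The allow-list is the important design choice: a deny-list of the eighteen identifiers is only as good as the person maintaining it, whereas an allow-list drops a newly added column (a device serial, a study-internal subject code) until someone consciously decides it is not identifying. The regex scan is a backstop for free text, not a substitute for review; a note can identify a patient without matching any pattern, which is exactly why the statistical method exists.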
Update Approved by IRBMED Chairs and Director: November 10, 2011
Website Updated: January 4, 2012