Rutgers, The State University of New Jersey
Office Of Research & Sponsored Programs
3 Rutgers Plaza
New Brunswick
NJ 08901
Ph:732-932-0150
Fax:732-932-0162

ORSP - HIPAA

Rutgers Guidance Document Regarding the HIPAA Privacy Rule and the Impact on Rutgers Research

On April 14, 2003 the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) took effect. It will have an impact on Rutgers researchers who access identifiable health information from HIPAA covered entities. Identifiable health information is protected by the HIPAA Privacy Rule and is known as Protected Health Information (PHI). Researchers often need to request PHI to develop a research protocol or to access PHI when collecting data from a clinical record. While Rutgers is not a HIPAA covered entity, many researchers work or enter into partnerships with HIPAA covered entities (e.g. UMDNJ, St. Peters).

Importance of Rutgers Researchers Being HIPAA Savvy

It is essential that Rutgers researchers have a working knowledge of HIPAA as they establish or maintain partnerships with covered entities, so that their human subjects protocols are not interrupted and so that they can gain access to PHI for their human subjects research. Researchers who want to access PHI must request the information from, and meet the requirements of, the covered entity from which they are requesting the information. While there are core standards that have been established by the Federal Office of Civil Rights, the covered entities are establishing their own forms and may exceed the standards. The covered entities are establishing Privacy Boards to review and approve requests for PHI. In many cases the covered entity’s IRB will be serving as the Privacy Board. HIPAA covered entities are subject to many rules and may be subject to a civil fine if they do not follow them in accordance with the Privacy Rule. HIPAA regulations are complex and many institutions are struggling with refining their policies and procedures. Unfortunately, HIPAA was not written with research in mind. Health information received or purchased by a non-covered party from a covered entity may still be protected by HIPAA.

Urgency in Contacting the Covered Entity – Transition Measures

Since the act went into effect on April 14, 2003, it is strongly recommended that you immediately contact the entity that you deal with. The Privacy Rule of HIPAA has provided the following transition measures:

FOR ONGOING STUDIES:

  •  A Grandfather Provision allows researchers to continue to create, use and disclose PHI after April 14, 2003 in a manner that is consistent with the approved terms of use in the following situations:

    • Subject has signed an IRB approved informed consent form or some other legally valid authorization prior to April 14, 2003
    • IRB waiver of informed consent was obtained prior to April 14, 2003
    • NOTE: If the subject has not signed an informed consent form prior to April 14, 2003 OR if the study was exempted from IRB review prior to April 14, 2003, the grandfather provision does not apply
  • If it is an ongoing study and there is no informed consent or IRB waiver of informed consent prior to April 14, 2003, then the researcher must:
    • Have newly enrolled subjects sign a HIPAA authorization
    • Obtain waiver of authorization from the Privacy Board of the entity
    • If the ongoing study was deemed ‘exempt’ under the common rule AND the study involves the creation, use or disclosure of PHI, then the researcher must:
      • A. Seek HIPAA authorization from subjects
      • B. Obtain waiver of authorization from the Privacy Board
    • To use PHI created PRIOR to April 14, 2003 for a new study, the researcher generally must obtain HIPAA-compliant authorization, waiver of authorization from the Privacy Board or meet other exception criteria as outlined by the entity

FOR A NEW STUDY:

·        To use PHI created PRIOR to April 14, 2003 the researcher must obtain HIPAA compliant authorization or a waiver of authorization from the covered entity’s IRB-Privacy Board to meet other HIPAA exceptions (information on the necessary elements for requesting a waiver of authorization may be found at the bottom of the document).

·        NOTE: If a researcher has obtained legal informed consent authorization or IRB waiver of informed consent for ‘future unspecified research,’ such approval may be relied on to conduct research after April 14, 2003. Many IRBs, however, will require an additional HIPAA PHI pathway to be satisfied, especially in the case of databases.

Researchers are reminded that if the covered entity requires a change in a consent form, an amendment must be filed with the Rutgers IRB.

Pathways to Access PHI

The various pathways that researchers can follow in obtaining their PHI are outlined in the document provided below entitled Pathways for Rutgers Researchers to Follow When Trying to Access Private Health Information (PHI) From HIPAA Covered Institutions. These pathways are:

·        Information requested is “de-identified” (if information is de-identified, it does not fall under HIPAA; there are 18 elements of de-identifying PHI)

·        A patient authorization is obtained

·        Authorization requirement is waived by IRB/Privacy Board

·        Information is collected only for preparatory work of research

·        Only a limited data set is collected and accompanied with a data use agreement

·        Only decedent PHI is being collected

 

HIPAA’s Privacy Rule Requirement vs. Human Subjects Regulations

It is important to know that the requirements for HIPAA are somewhat different from those required by the Common Rule regulations that govern the protection of human subjects in research. Both sets of regulations must be satisfied.

 

Comparison

Common Rule:

·        Governs Human Subject Protections

·        Requires Consent

·        Sets forth IRB review exemption requirements

·        May apply to research even if data is de-identified

HIPAA Privacy Rule:

·        Governs Use/Disclosure of PHI

·        Requires Authorization

·        Sets forth waiver of authorization requirements

·        May apply even if study is exempt

 

Required Elements for Requesting a Waiver of Authorization for the Use or Disclosure of PHI:

The principal investigator must provide the rationale and the necessary elements for the items noted below to the Privacy Board or the IRB that is required to make the waiver determination:

  1. The use or disclosure of PHI involves "minimal risk" to the subject's privacy;

  2. An adequate plan exists to protect identifiers from improper use or disclosure (you may need to provide the reviewing body with a copy of the plan);

  3. An adequate plan exists to describe the destruction of identifiers as soon as possible or at the end of the research period;

  4. Written assurance by the PI that the PHI will not be reused or redisclosed (except as required by law);

  5. The research could not "practicably" be conducted without the waiver;

  6. The research could not "practicably" be conducted without the use or disclosure of PHI; and

  7. A description of the PHI requested for the research.

________________________________________________________

Additional Guidance

This guidance document is meant to provide an overview of the HIPAA Privacy Rule and to alert researchers to the need to contact the covered entity they may be dealing with. Please refer to the resources listed below for additional information:

·        PowerPoint Presentation: Privacy and Protocols: HIPAA for Researchers – Presented by Heather Fields, J.D.  Reinhardt Boemer.

Funding provided through an NIH grant awarded to the Office of Research and Sponsored Programs

·        Pathways for Rutgers Investigators to Follow When Trying to Access Private Health Information

Related websites:

Office for Civil Rights:  http://www.hhs.gov/ocr/hipaa/  

 Business Associate Agreement Information.

© 2005 Rutgers, The State University of New Jersey. All rights reserved. Last Updated: N/A