Understanding and Applying New HIPAA Policy Requirements

Presentation transcript:

Understanding and Applying New HIPAA Policy Requirements May 15, 2017 WSU IRB Member Retreat

New IRB Member Toolbox Webpage IRB Member Resources

WSU IRB Policy Human Subject Research Use and Disclosure of Protected Health Information Policy - P19 Approved March 21, 2017 https://www.wright.edu/research/compliance/institutional-review-board-charter-and-standard-operating-procedures

Privacy Board A Privacy Board is a review body empowered to oversee Privacy Rule requirements for the use and disclosure of PHI for a particular research study. For many institutions, the Institutional Review Board (IRB) is charged with acting as the Privacy Board for all human subject research.

Implementing Policy

Covered Entity A Covered Entity is a health plan, a health care clearinghouse, or health care provider who transmits health information. A covered entity can be an institution, organization, or person. The covered entity is responsible for implementing Privacy Rule protections for PHI collected, generated, or stored under its auspices.

HIPAA and Research It is important to be aware that a Covered Entity’s Notice of Privacy Practices and non-research HIPAA processes, in and of themselves, do not adequately address all of the requirements to use PHI for research. For example, Premier’s HIPAA requirements for healthcare do not include provisions for obtaining written authorization from research subjects or for obtaining waivers of authorization from the Privacy Board. Therefore, if you review research involving PHI, you must take additional steps to be in compliance with HIPAA.

Workforce Member Employees, volunteers, trainees, and other persons whose work performance is under the direct control of a covered entity (i.e., Miami Valley or Dayton Children’s), regardless of whether they are paid by the covered entity.

Health Information + Identifiers = PHI
- Common Misconception: PHI ≠ Identifiers
- Health Information + Identifiers = PHI

Protected Health Information PHI is individually identifiable health information, including demographic data that is collected from an individual, and:
- Is created or received by a covered entity (i.e., MVH, Good Sam, Dayton Children’s, etc.); AND
- Relates to the past, present, or future physical or mental health or condition of the individual; or the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; AND
- Identifies the individual or where there is a reasonable basis to believe the information can be used to identify the individual; AND
- Is transmitted or maintained in any form or medium, whether electronic, paper or oral.

HIPAA De-Identified To be considered “de-identified” under the Privacy Rule, EITHER: all of the following 18 identifiers of the individual, their relatives, employers, or household members must have been removed from the individual’s data set by an individual that is not a member of the study team (e.g., medical records official, administrator of a database):
1. Names (including the patient’s name and names of other individuals connected to the patient)
2. Geographic subdivisions smaller than a state (zip code, street address, etc.)
3. All elements of a date (except year), including birth date, admission date, discharge date, date of death, and all ages over 89
4. Telephone numbers
5. Fax numbers
6. E-mail address

De-Identified
7. Social security number
8. Medical record number
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers including license plates
13. Device identifiers and serial numbers
14. Web universal resource locators (URLs)
15. Internet protocol (IP) address numbers
16. Biometric identifiers including fingerprints and voice prints
17. Full face photographic (or comparable) images
18. Any other unique identifying number, characteristic, or code unless otherwise permitted by the Privacy Rule for re-identification, and

De-Identified The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
OR
The data is grouped in such a way that a qualified statistician using accepted analytic techniques concludes that the risk of identification based on the information in the data set is substantially limited, and that if the information is used alone or in combination with other reasonably available information, it does not identify an individual subject (e.g., aggregate data) [45 CFR 164.514(b)].

Coded Coded means that:
- Identifying information (such as name or social security number) that would enable the investigator to readily ascertain the identity of the individual to whom the private information or specimens pertain has been replaced with a number, letter, symbol, or combination thereof (i.e., the code); and
- A key to decipher the code exists, enabling linkage of the identifying information to the private information or specimens.
(OHRP 2008 Guidance)

Is it PHI?
- First and Last Name
- Blood Pressure, Date of Cardiac Surgery, Chest X-Rays
- Electronic survey of Wright State students by a Wright State student as to date of flu shot in past twelve months
- Chart review where Miami Valley researcher only recorded age, weight and smoking status from medical records
- Utilizing a data set that had been extracted by the medical records department at Dayton Children’s Hospital that only contains age, cancer diagnosis, weight, and medications taken in past 12 months

Authorization Researchers are required to obtain a written authorization for the use and disclosure of a human subject’s PHI for a research study unless the IRB has granted a waiver. The purpose of a written authorization is to inform a potential human subject:
- How his/her PHI and research information (collected or created) is to be used, and
- With whom the information will be shared
All required elements and statements must be included in the document, if not waived by the IRB.

Issues with Sponsor Authorization Language
- Sponsor Not Covered Entity/Business Associate
- Legalistic Language Prohibited (8th grade reading level)
- Separate Decision
- Example Policy Language: Any proposed deviation to template language must be submitted according to the IRB’s current study application requirements for review and approval.

Screening Questions
- What specific data will be collected and used for the research study?
- Is the source(s) of the data a covered entity?
- Does the source exist as a de-identified data set or identifiable?
- Who will be recording it from an identifiable source?
- Does all of the data already exist?
- If it doesn’t all already exist, will prospective data be generated for non-research purposes?

Expedited Review Refresher May 15, 2017 WSU IRB Member Retreat

Types of Review
- Administrative Review - Exempt Determinations, NHSR, Miscellaneous Submissions
- Expedited Review
- Full Board Review

Is it human subject research? Human subject means a living individual about whom an investigator (whether professional or student) conducting research obtains:
- Data through intervention or interaction with the individual, or
- Identifiable private information.

Is it human subject research? Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects.

Exempt from IRB Review
- 6 Categories
- Not applicable to research involving prisoners
- Categories 1-5 not applicable to FDA-regulated research

Exempt Category #2 Research involving the use of educational tests (cognitive, diagnostic, aptitude, achievement), survey procedures, interview procedures or observation of public behavior, unless: (i) information obtained is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects;

Exempt Category #2 and (ii) any disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation. Research Involving Children: #2 can only apply to observational research where investigators do not participate in activities being observed.

Exempt Category #4 Research involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects.

Data De-Identified Data (HIPAA – Not PHI or HSR) vs. Not Readily Identifiable Data (OHRP/FDA – PHI and HSR)

Consent Not Required However, institution may require the following if exempt research involves interactions with subjects: There will be a consent process that will disclose such information as:
- That the activities involve research.
- The procedures to be performed.
- That participation is voluntary.
- Name and contact information for the investigator

Expedited Review
- Minor Modifications to Previously Approved Research 45 CFR 46.110(b)(2)
- Research conducted under Categories 1-9
- Consent is required unless waived or modified

Expedited Category #5 Research involving materials (data, documents, records, or specimens) that have been collected, or will be collected solely for non-research purposes (such as medical treatment or diagnosis). (NOTE: Some research in this category may be exempt from the HHS regulations for the protection of human subjects. 45 CFR 46.101(b)(4). This listing refers only to research that is not exempt.)

Expedited Category #8 Continuing review of research previously approved by the convened IRB as follows: where (i) the research is permanently closed to the enrollment of new subjects; (ii) all subjects have completed all research-related interventions; and (iii) the research remains active only for long-term follow-up of subjects; or where no subjects have been enrolled and no additional risks have been identified; or where the remaining research activities are limited to data analysis.

Expedited Category #9 Continuing review of research, not conducted under an investigational new drug application or investigational device exemption where categories two (2) through eight (8) do not apply but the IRB has determined and documented at a convened meeting that the research involves no greater than minimal risk and no additional risks have been identified.

Documenting Determinations
- InfoED Reviewer Module – Provisions Box
- Category 1-9 or Minor Mods
- Children 45 CFR 46.404
- Prisoners
- Pregnant Women, Neonates and Fetuses
- Waiver of Consent and/or Authorization
- Waiver of Consent Documentation
- Approving in InfoED = Signature and Date