Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB
HIPAA Background Health Insurance Portability and Accountability Act of 1996 mandated: – National uniform standards for electronic transactions in health care – Creation of “privacy rule” to safeguard personal health information Concern that increase in electronic transactions could lead to unauthorized disclosures of personal health information Final Privacy Rule published December 28, 2000 Effective Date – April 14, 2001 [two year implementation period] Final Implementation Date – April 14, 2003
What is Required? Health care providers, health plans and clearinghouses prohibited from using or disclosing “protected health information” (PHI) without patient authorization, except when specifically required or permitted under the regulations “Protected health information” includes any identifiable health information relating to the health of an individual, the care provided or payment for care PHI includes information in any form or medium (electronic, paper, oral, etc.) Providers must transmit health information electronically to be covered under the Rule
What is required to use PHI? FOR: Treatment, Payment or Healthcare Operations (e.g., quality assurance, compliance reviews, resident training) USC to make good faith effort to obtain Patient acknowledgement of receipt of Notice of Privacy Practices Notice describes all possible uses and disclosures of protected health information by USC USC to document good faith efforts, if unable to obtain acknowledgement
Health Insurance Portability and Accountability Act of 1996 “HIPAA Privacy Rule” Implementation Date: April 14, 2003 IRB related issues to be discussed: – Informed Consent – HIPAA Education Program – HIPAA Authorization Exceptions – Waiver of HIPAA Authorization
HIPAA –IRB Related Issues Informed Consent Investigators must attach a HIPAA authorization addendum to their Informed Consents for new subjects who will be accrued after April 14, Templates are available at: or When you submit Informed Consent(s) [either new submissions or revisions] to the IRB after 4/14/03, the HIPAA authorization addendum should be attached to the Informed Consent(s).
HIPAA – IRB Related Issues HIPAA Education All personnel who use identifiable health information (individual’s past, present or future physical or mental health condition, or payment for health care) must take the education course and be certified by the HIPAA education program. This includes researchers and staff in the following categories: -Principal Investigator(s) -Co-Investigator(s) -Individuals authorized to obtain Informed Consent -Individuals involved in data collection -Etc. The PI/Co-PIsare responsibleall The PI/Co-PIs are responsible for ensuring that all study personnel have completed the HIPAA education certificate program. USC’s web-based HIPAA education program:
HIPAA – IRB Related Issues USC HIPAA Privacy Education Program Chapter 1: Privacy of Health Information Chapter 2: Privacy Rule – General Information Chapter 3: How the USC Family is Organized Chapter 4: The Privacy Rule in the Practitioner Office Setting Chapter 5: Special Situation Chapter 6: Patient Rights Under HIPAA Chapter 7: Enforcement and Sanctions Chapter 8: Reporting Non-Compliance Those taking the course will be able to print out Certification upon successful completion of eight chapters.
Special Research Requirements Research Use/Disclosure without Authorization – De-Identification [requires removal of 19 potential identifiers to satisfy criteria] – Limited Data Sets [removal of facial identifiers only] – Waiver by Institutional Review Board (IRB) – PHI use/disclosure solely to prepare research protocol – PHI use/disclosure solely for research on the PHI of decedents
De-identification requires that identifiers of an individual or of relatives, employers or household members are removed, including: – Demographic information – Locating information – Elements of dates (birth date, admission date, discharge, date of death, etc.) If health information de-identified, information can be used without an authorization from the patient for research or other uses De-Identification
Limited Data Sets Permits use of limited data sets for research, public health and health care operations purposes without authorization – Requires removal of directly identifiable information Name, address, medical record number, etc. – Requires data use agreement between Covered Entity and user of information Recipient must agree to limit the use of the data set for the purposes for which it was given, and to ensure the security of the data, as well as not to identify the information or use it to contact any individual
Preparatory to Research No authorization or waiver required if: – Use/disclosure sought solely to prepare a research protocol or for similar purposes preparatory to research – Researcher will not remove PHI from the Covered Entity’s premises – PHI for which use or access is sought is necessary for the research purpose – Only de-identified PHI is recorded by the researchers Entity must obtain representation from researcher that the above requirements are met
Waiver of HIPAA Authorization Recruiting/Screening Only – Subjects at the LAC+USC Healthcare Network facilities, USC University Hospital, or USC Norris Hospital – Assessing potential eligibility before approaching potential subjects to enter the study – A limited waiver to review medical records information
Waiver of HIPAA Authorization Accessing, using or obtaining research subject’s identifiable health information: -HIPAA Authorization from the subject Or -Waiver of HIPAA authorization from the IRB
Waiver by IRB requires review and documentation of certain criteria, similar to the Common Rule requirements for waiver of informed consent Waiver of Authorization
HIPAA – IRB Related Issues Waiver Requirements: Research could not practicably be conducted without the waiver. Research could not practicably be conducted without access to and use of the PHI (Protected Health Information). privacy risk Disclosure involves no more than minimal privacy risk to the individuals. -Adequate plan to protect the PHI -Plan to destroy the identifiers -Adequate written assurance from the investigator that the PHI would not be reused or disclosed.
A waiver of patient authorization is not a waiver of the requirements of informed consent for the project. IRBs must review a request to waive informed consent separately, according to the Common Rule Waiver of Authorization
HIPAA – IRB Related Issues New Study: New Study: To be reviewed on or after 4/14/03 a) Use revised Sections I & II of the IRB application: -A check box for “Identifiable Health Information” -An additional PI responsibility statement: “I certify that all study personnel have completed the HIPAA education program and are certified.” -Item 33 “Waiver of HIPAA authorization” needs to be explained if the Section I Waiver of HIPAA authorization is checked. b) PI/Co-Investigators’ completion of the HIPAA education program: -Include copies of the certificates with the IRB application c) Informed Consent with HIPAA authorization addendum
Continuing Review: Continuing Review: On or after 4/14/03 a) PI/Co-Investigators’ completion of the HIPAA education program -Include the certificates with the continuing review form b) Informed Consent with the HIPAA authorization addendum which has a revision date of 4/08/03
HIPAA – IRB Related Issues After 4/14/03: The IRB will not review your new proposals until the IRB receives verification of the PI/Co-Investigators’ completion of the HIPAA education program. For continuing reviews, the IRB will not grant its full approval until the IRB receives verification of the PI/Co-Investigators’ completion of the HIPAA education program.
Special Research Requirements Challenges: Investigator access to 3 rd Party Protected Health Information May Be Denied or Delayed (e.g., Norris, USCUH, other clinics and hospitals) Additional Institutional Review Board workload analysis regarding privacy issues increase in submission of retrospective reviews Research Transition provisions Certain research practices may be inhibited (e.g., patient recruitment)