HIPAA & Research

Background

The HIPAA Privacy Rule contains provisions that apply to research involving the use or disclosure of Protected Health Information (PHI).  PHI is health information that is individually identifiable. 

PHI may be used for research through several mechanisms:

  • Authorization: Subject provides written authorization to use their PHI for the research
  • Waiver of Authorization: IRB (or privacy board) grants a waiver of authorization
  • Decedents Representation: All PHI included in the research will be from deceased individuals
  • Activities Preparatory to Research: PHI will only be used to prepare for a research project and will remain within OHSU
  • Limited Data Set: PHI contains only a very limited set of indirect identifiers and is used within OHSU, or is only shared outside OHSU under a Data Use Agreement
  • Business Associate Agreement: PHI is used by an entity outside OHSU to perform a service on behalf of OHSU

Health information may be used for research without any of the above requirements if the information is de-identified (see below).  The details of how to comply with each of these requirements are explained in the specific sections that follow.

De-Identified Information & Obtaining Auth.

De-Identified Information

The HIPAA rules do not apply to de-identified health information.  (In some cases, IRB review is not required either.  If you are doing a project with de-identified health information/specimens, you can submit a Request for Determination via the eIRB to see whether you project needs IRB oversight.)  To de-identify subject information for a research purpose, OHSU investigators must remove all of the following identifiers of the subject and the subject’s relatives, employers, or household members:

  • Names;
  • Geographic Subdivisions smaller than a state, except for the first three digits of the zip code;
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all elements of date (including year) for those over 89;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locaters (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voiceprints;
  • Full-face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic or code, including any code that includes or is derived from any of the identifiers on this list.

In addition to the removal of the identifiers listed above, the investigators must not have actual knowledge that the remaining information could be used alone, or in combination with other information, by a recipient to identify the subject.

Alternatively, investigators who believe that a data set is de-identified despite containing one or more of the identifiers in the above list may obtain an expert determination by a qualified statistician confirming that the risk of identifying individuals in the data set is “very small.”  More information about this method of de-identification is available in guidance issued by the Office of Civil Rights.

Obtaining Authorization

A HIPAA authorization is different from informed consent, but they often go hand in hand and may be combined in the same document.  Informed consent seeks to provide subjects with information about the procedures and risks involved in a research activity so they may make an informed, voluntary decision as to whether to participate.  Authorization, on the other hand, focuses specifically on the use of private health information.  A HIPAA authorization must contain certain elements and statements, as well as a subject’s signature and date, to be valid.  The required authorization language is incorporated into the IRB’s informed consent form templates, which are available on the IRB Policies and Forms website.  By signing an IRB-approved consent and authorization form, subjects document their consent to be in the study as well as their authorization to use and disclose their PHI for the study.  The use of psychotherapy notes has special requirements, and there are some situations where the authorization must be a separate document or when more than one authorization document is required.  The IRB will work with you to address these requirements if they apply to your study.

Waiver of Authorization

Waiver of Authorization

HIPAA allows investigators to use or disclose PHI for research purposes without subjects’ authorization when the IRB has approved a waiver of authorization. To approve such a waiver, the investigator must establish:

  • That the research could not practicably be conducted without the waiver;
  • That the research could not practicably be conducted without access to and use of the PHI;
  • That the use or disclosure of the PHI involves no more than minimal risk to the privacy of the subjects as a result of:
  • An adequate plan to protect the PHI from improper use and disclosure;
  • An adequate plan to destroy any identifiers contained in the PHI at the earliest opportunity consistent with the research; and
  • Adequate written assurances that the PHI will not be reused or re-disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted.

The IRB uses the Waiver or Alteration of HIPAA Authorization Form, available on the IRB Policies and Forms website, to document these requirements.  If you are requesting a waiver of authorization, or a waiver or alteration of certain elements of a valid authorization (such as a signature – see the form for more details), include this form in your IRB application.  The waiver may apply to the whole study, or it may apply to one portion of the study, such as recruitment by phone where subjects will later be asked to sign an authorization.  Regardless, the PHI collected under the waiver must be the “minimum necessary” (see below) in order to accomplish the research purpose.  Disclosures of PHI under a waiver must be tracked in the Accounting of Disclosures system (see Accounting of Disclosures section below).

Examples of research protocols that may qualify for waiver of authorization include:

  • Records-based research that requires access to multiple existing patient records;
  • Minimal risk interview research that may occur via telephone;
  • Epidemiological research that may require the accession of thousands of clinical records; and
  • Utilization review research that may require the accession of thousands of billing records.

Research Involving Only Decedent's Information

Research Involving Only Decedents' Information

HIPAA allows investigators to use or disclose PHI of decedents for research purposes without the authorization of the subject and without a waiver of authorization from the IRB when OHSU obtains the appropriate representations from the investigator. 

To approve such use and disclosure, the investigator must represent and agree to the following:

  • The use or disclosure of PHI is sought solely for research on the protected health information of decedents (not, e.g., for research on living relatives of decedents);
  • The decedents’ PHI is necessary for the research purposes; and
  • Upon the request of the IRB, the investigator will provide documentation of the death of the individuals.

To apply for approval to use and disclose decedents’ information for research purposes, investigators must complete the Decedents Representation form available on the IRB Policies and Forms website and submit it to the IRB for review and approval.  It can be submitted as part of a full eIRB study submission or, if no living individuals are involved in the project at all, as a Request for Determination.  Disclosures of decedents’ PHI must be tracked in the Accounting of Disclosures system (see Accounting of Disclosures section below).

Preparatory Activities & Limited Data Sets

Activities Preparatory to Research

Accessing and using PHI for activities involved in preparing for research may be conducted without an individual’s authorization or a waiver of authorization if the investigator provides certain assurances.  Such activities include accessing medical records to determine if a sufficient sample size can be obtained or to compile a recruitment list for a study. 

The required assurances for activities preparatory to research are:

  • The access to and use of PHI is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;
  • The PHI will not be removed from OHSU in the course of review; and
  • The PHI for which use or access is requested is necessary for the research.

To apply for approval to use and disclose PHI for activities preparatory to research, investigators must complete the Prep to Research Form, available on the IRB Policies and Forms website, and submit it to the IRB for review and approval.  It can be submitted as part of a full eIRB study submission or, if no definite plans for human subjects research exist yet, as a Request for Determination.

It is important that no PHI leave OHSU when accessed under the Prep to Research provision.  If disclosure outside OHSU is needed, investigators must obtain signed authorization from the individuals or a waiver of authorization from the IRB.

Limited Data Sets and Data Use Agreements

A Limited Data Set (LDS) may be accessed from existing records and used by OHSU investigators without authorization from the subject and without a waiver of authorization from the IRB.  Disclosures of PHI in an LDS do not need to be tracked in an accounting of disclosures.

An LDS may include indirect identifiers, such as dates, but may NOT include any of the following direct identifiers of the research subject or of relatives, employers or household members of the subject:

  • Name;
  • Postal address information other than town or city, State, and zip code;
  • Telephone numbers;
  • FAX numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images.

An OHSU investigator may not share an LDS with any non-OHSU person or entity unless a Data Use Agreement (DUA) is obtained from that person or entity. The DUA establishes the permitted uses of the LDS by the non-OHSU recipient and imposes certain duties upon that recipient. The OHSU DUA form may be found on the IRB Policies and Forms website, and OHSU investigators who require a DUA must complete the form and submit it to the IRB for review, approval and signature by the IRB Chair.

OHSU investigators may not receive an LDS from a non-OHSU investigator under a DUA unless a copy of the DUA from the non-OHSU site is submitted to the OHSU IRB and approved and signed by the IRB Chair.  OHSU investigators may NOT sign DUAs on behalf of OHSU.

Business Associate Agreements

Business Associate Agreements

A Business Associate (BA) is a person or entity that performs a function for or on behalf of OHSU involving the use or disclosure of PHI from OHSU patients or research subjects.

In general, sponsors, federal agencies or research collaborators (co-investigators at other institutions) will not be BAs. Examples of BAs in research include:

  • A company that bills subjects or their insurance carriers for standard care procedures;
  • A company that provides telephone screening services for prospective research subjects; or
  • A clerical service that transcribes or processes research data containing PHI.

Questions about whether an entity involved in a research study is a BA should be directed to the IRB. OHSU investigators may not establish BA Agreements (BAAs) on their own. To establish a BAA with a non-OHSU investigator or site, OHSU investigators should contact the department that processed the study agreement, contract, subcontract, or similar.  Disclosures of PHI to Business Associates must be tracked in the Accounting of Disclosures system (see Accounting of Disclosures section below).

Accounting of Disclosures

Accounting of Disclosures

OHSU patients and research subjects have a right to receive an accounting of disclosures of their PHI that have been made over the six years prior to the request (but not including disclosures prior to April 14, 2003). A “disclosure” is defined as the release, transfer, provision of access to or divulging in any other manner of PHI outside of OHSU. In general, this right applies to disclosures that the individual may not have known about or authorized.

For research, the right generally applies to:

  • Disclosures made pursuant to an IRB waiver of authorization;
  • Disclosures made pursuant to a Representation for Research Involving Only Decedents’ Information (a decedent’s Personal Representative may request this information); and
  • Disclosures made to Business Associates.

The following types of research disclosures do not require an accounting:

  • Disclosures made pursuant to a subject’s authorization;
  • Disclosures about the subject made to the subject;
  • Disclosures of a limited data set with a data use agreement;
  • Disclosures of de-identified data;
  • Disclosures made to a subject’s insurance carrier for billing purposes;
  • Disclosures made to a federal agency such as the FDA or NIH (so long as this was mentioned in the consent/authorization form);
  • Disclosures made for the purpose of adverse event reporting or similar data safety or monitoring purposes (so long as this was mentioned in the consent/authorization form); and
  • Disclosures made for the purpose of treating the subject.

In addition, internal uses (i.e., within OHSU or from one OHSU agent to another) of the PHI of OHSU patients or research subjects do not require an accounting.

To account for research disclosures, OHSU investigators must first contact to obtain a user account. Instructions on using the system are available here. Disclosures should be entered into the ADS within 5 days of any disclosure.  Access to 50 or more existing clinical records for a research purpose may be accounted for using a simplified process using the ADS. OHSU investigators who perform this type of research must account for these disclosures at the beginning of the study.

Additional Issues to Consider

Minimum Necessary Standard

Minimum Necessary Standard

Investigators may use or disclose only the PHI necessary for the protocol.

  • For research employing a subject’s authorization, the authorization will define the PHI to be used or disclosed.
  • For research employing a waiver of authorization, the investigator must specify in the waiver request what PHI will be used and represent that it is the minimum necessary for the protocol.
  • For recruitment and screening activities conducted before authorization is obtained, the screening must be limited to questions/items related to inclusion/exclusion criteria of a specified protocol. The investigator must specify how collected information will be protected and/or destroyed.

Tissue/Data Banks

Tissue/Data Bank

PHI and tissues may be submitted into banks or repositories for research with a patient’s or subject’s authorization or with an IRB waiver of authorization. This data or tissue may then be accessed for future research protocols either with an individual authorization or with an IRB waiver of authorization.

If tissue is completely de-identified(see above) and is available from Pathology or a repository without any identifiers, it is not PHI and is not subject to HIPAA rules. However, these samples are subject to Oregon’s Genetic Privacy Act, and special protections may apply. A human biological sample or genetic information obtained from such a sample, on or after June 12, 2003, may be used without consent in genetic research only if the sample is anonymous or coded, and only if prior to the time the research is conducted, the subject was notified that anonymous research might take place in the future, and at the time notification took place, the subject did not opt out of anonymous or coded genetic research (ORS 192.535, 537 and 547).  More information about genetic research is available on the IRB’s Genetic Research web page.

Notice of Privacy Practices

Notice of Privacy Practices

All individuals who receive care at OHSU must receive a Notice of Privacy Practices (NPP) that contains an effective date. Many research subjects receive routine clinical care at OHSU and will already have received an NPP prior to becoming a research subject. Subjects who have received a currently effective NPP do not need to receive another NPP when they enter a research protocol.

Research subjects who have not previously been treated at OHSU may need to receive an NPP if the research provides standard care along with the experimental procedures. For example, a clinical trial that provides standard tests that the subject would receive even if he/she were not in the research protocol may generate bills to the subject or the subject’s insurance carrier for that standard care. These subjects must receive an NPP.

In general, NPPs must be provided to research subjects if any of the following circumstances apply:

  • Clinical treatment that is standard care will be provided in the protocol, even if there will be no bill for this treatment (i.e., treatment purposes);
  • A bill for clinical services will be generated (i.e., payment purposes); or
  • Quality assessment, adverse event reporting or data monitoring procedures are done (i.e., operations purposes).

Examples of human subjects research that would not require provision of the NPP would include:

  • Qualitative protocols that involve no treatment interventions;
  • Interview-based research;
  • Records reviews that are done with or without a waiver of authorization; or
  • Epidemiological studies that are done pursuant to a waiver of authorization.

If an OHSU research subject has not previously received a currently effective NPP, the investigator must provide one and obtain the subject’s signed acknowledgment that it has been received.

Subjects' Rights to Access and Amend PHI

Subjects' Rights to Access and Amend PHI

HIPAA allows individuals to review and request amendment of any information that is contained in their Designated Record Set (DRS).  A DRS is a group of records about an individual that the institution maintains to make decisions about the individual. The DRS normally includes medical and billing records and may include health plan enrollment, payment, claims adjudication and case or medical management records. A clinical research record is not a DRS but may generate information that is entered into the DRS. For example, a protocol might involve blood tests and imaging studies that are part of standard care and that the subject would be receiving even if he/she were not in the study. This information is normally entered into the subject’s medical record as well as the research record. Once it is entered into the medical record, it becomes part of the DRS. While this subject would not have a right to access his/her research record, he/she could request access to the DRS. However, the investigator could delay access to the DRS until the end of the study if such access would violate a double blind protocol or otherwise be disallowed by the protocol for scientific reasons. The investigator must advise subjects of the possibility of such a delay in the research authorization.  The IRB’s template forms include language that addresses this.