OHSU

HIPAA Research Guidelines


Authorization

Absent a waiver of authorization (discussed below), human subjects research participation at OHSU will require that each subject sign an IRB-approved HIPAA research authorization. Authorization forms are included at the end of each consent form template and can be found on the IRB Forms website.  Subjects must sign both the consent form and the authorization form.  The consent form shows the subject's permission to be in the study, and the authorization form shows the subject's permission to use and disclose his or her protected health information for the study.

 

Waiver of Authorization

HIPAA allows OHSU investigators to use or disclose PHI for research purposes without subjects’ consent or authorization when the IRB has approved a waiver of consent/authorization. To approve such a waiver, the investigator must establish:

  • That the research involves no more than minimal risk to the subjects;
  • That the waiver will not adversely affect the rights and welfare of the subjects;
  • That the research could not practicably be conducted without the waiver;
  • That the research could not practicably be conducted without access to and use of the PHI;
  • That the use or disclosure of the PHI involves no more than minimal risk to the privacy of the subjects as a result of:
    • An adequate plan to protect the PHI from improper use and disclosure;
    • An adequate plan to destroy any identifiers contained in the PHI at the earliest opportunity consistent with the research;
    • Adequate written assurances that the PHI will not be reused or re-disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted; and
  • Whenever appropriate, the subjects will be provided with additional pertinent information after participation.

In general, “identifiers” means information about an individual or his or her relatives or employer that alone or in combination with other information could identify the individual.

Examples of research protocols that may qualify for waiver of consent/authorization include:

  • Records-based research that requires access to multiple existing patient records;
  • Minimal risk interview research that may occur via telephone;
  • Epidemiological research that may require the accession of thousands of clinical records;
  • Utilization review research that may require the accession of thousands of billing records; or
  • Research activities using a Limited Data Set (see below).

To apply for a waiver of authorization for research purposes, please download the waiver of authorization form and submit it to the IRB with all other documents related to the protocol. The IRB will process this request to ensure that the waiver criteria are met and will forward to the investigator an approval memo signed by the IRB chair or co-chair. The approval memo will document:

  • The identification of the IRB and the date on which the alteration or waiver of authorization was approved;
  • A statement that the IRB has determined that the alteration or waiver of authorization, in whole or in part, satisfies the three criteria in the Rule;
  • A brief description of the PHI for which use or access has been determined to be necessary by the IRB;
  • A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures; and
  • The signature of the chair or co-chair of the IRB.

If the waiver criteria are not met, or if there is any other reason that the waiver may not be granted, a denial memo signed by the IRB chair or co-chair will be forwarded to the investigator. Such a denial memo will state the reason(s) for the denial.

Research Involving Only Decedents’ Information

HIPAA allows OHSU investigators to use or disclose PHI of decedents for research purposes without the consent or authorization of the subject or subject’s personal representative and without a waiver of authorization from the IRB when OHSU obtains the appropriate representations outlined below from the investigator. To approve such use and disclosure, the investigator must represent and agree to the following:

  • The use or disclosure of PHI is sought solely for research on the protected health information of decedents (not, e.g., for research on living relatives of decedents);
  • The decedents’ PHI is necessary for the research purposes; and
  • Upon the request of the IRB, the investigator will provide documentation of the death of the individuals.

To apply for approval to use and disclose decedents’ information for research purposes, please complete the form available at the HIPAA Section on the Policies and Forms Page, and submit it to the OHSU Research Integrity Office (ORIO). The ORIO will process this request to ensure that the representations are present and will forward to the investigator an approval signed by the IRB chair or co-chair, or the Director or Associate Director of the ORIO.

If the representations are not met, or if there is any other reason that the use or disclosure may not be granted, a denial memo will be forwarded to the investigator. Such a denial memo will state the reason(s) for the denial.

 

Recruitment of Research Subjects

OHRP rules include recruitment of potential research subjects as regulated research activity. Thus, these recruitment activities require IRB review and approval prior to their initiation. OHSU investigators have several options for subject recruitment.

  • An OHSU investigator may speak directly with his/her patients who may qualify for and be interested in a particular research protocol.
  • Because OHSU’s Notice of Privacy Practices (see below) includes the possibility that OHSU patients may be contacted for research purposes, OHSU investigators may send IRB-approved recruitment letters to potential subjects identified from a clinical database.
  • An OHSU investigator may publish an IRB-approved advertisement and potential subjects may call the investigator or a research assistant directly. If any PHI will be collected during the conversation, the process must receive a waiver of authorization from the IRB. The PHI collected must be the minimum necessary (see below) for recruitment for the specific protocol.
  • An OHSU investigator may publish an IRB-approved advertisement and potential subjects may call a screening service. If any PHI will be collected during the conversation, the process must receive a waiver of authorization from the IRB. The PHI collected must be the minimum necessary for recruitment for the specific protocol. A Business Associate’s Agreement (see below) may be necessary in these instances.

Minimum Necessary

Investigators may use or disclose only the PHI necessary for the protocol.

  • For research employing a subject’s authorization, the authorization will define the PHI to be used or disclosed.
  • For research employing a waiver of authorization, the investigator must specify in the waiver request what PHI will be used and represent that it is the minimum necessary for the protocol.
  • For telephone screenings of prospective subjects, the person/entity providing the screening must limit the questions to those related to inclusion/exclusion criteria of a specified protocol and may not retain any information once it has been forwarded to OHSU or from callers who fail to meet these criteria. The investigator must specify how collected information will be protected and destroyed.

Tissue/Data Banks

PHI and tissues may be submitted into banks or repositories for research with a patient’s authorization or with an IRB waiver of authorization. This data or tissue may then be accessed for future research protocols either with an individual authorization or with an IRB waiver of authorization. Data and tissue repositories that were established prior to April 14, 2003 may also continue to be used for research purposes under these same rules.

If tissue is anonymous and is available from Pathology or a repository without any identifiers, it is not PHI and is not subject to HIPAA rules. However, these samples are subject to Oregon’s Genetic Privacy Act and special protections apply. A human biological sample or genetic information obtained from such a sample, on or after June 12, 2003, may be used without consent in genetic research only if the sample is anonymous and only if prior to the time the research is conducted, the subject was notified that anonymous research might take place in the future, and at the time notification took place, the subject did not request that the sample or information be withheld from anonymous research (ORS 192.535, 537 and 547).

Notice of Privacy Practices

All individuals who receive care at OHSU must receive a Notice of Privacy Practices (NPP) that contains an effective date. Many research subjects receive routine clinical care at OHSU and will already have received an NPP prior to becoming a research subject. Subjects who have received a currently effective NPP do not need to receive another NPP when they enter a research protocol.

Research subjects who have not previously been treated at OHSU may need to receive an NPP if the research provides standard care along with the experimental procedures. For example, a clinical trial that provides standard tests that the subject would receive even if he/she were not in the research protocol may generate bills to the subject or the subject’s insurance carrier for that standard care. These subjects must receive an NPP. In general, NPPs must be provided to research subjects if any of the following circumstances apply:

  • Clinical treatment that is standard care will be provided in the protocol, even if there will be no bill for this treatment (i.e., treatment purposes);
  • A bill for clinical services will be generated (i.e., payment purposes); or
  • Quality assessment, adverse event reporting or data monitoring procedures are done (i.e., operations purposes).

Examples of human subjects research that would not require provision of the NPP would include:

  • Qualitative protocols that involve no treatment interventions;
  • Interview-based research;
  • Records reviews that are done with or without a waiver of authorization; or
  • Epidemiological studies that are done pursuant to a waiver of authorization.

OHSU’s NPP may be accessed here. If an OHSU research subject has not previously received a currently effective NPP, the investigator must provide one and obtain the subject’s signed acknowledgment that it has been received.

Subjects’ Rights to Access and Amend PHI

HIPAA allows patients to review and request amendment of any information that is contained in their Designated Record Set (DRS). A DRS is a group of records about a patient that we maintain to make decisions about the patient. The DRS normally will include medical and billing records and may include health plan enrollment, payment, claims adjudication and case or medical management records. A clinical research record is not a DRS but may generate information that is entered into the DRS. For example, a protocol might involve blood tests and imaging studies that are part of standard care and that the subject would be receiving even if he/she were not in the study. This information is normally entered into the subject’s medical record as well as the research record. Once it is entered into the medical record, it becomes part of the DRS. While this subject would not have a right to access his/her research record, he/she could request access to the DRS. However, the investigator could delay access to the DRS until the end of the study if such access would violate a double blind protocol or otherwise be disallowed by the protocol for scientific reasons. The investigator must advise subjects of the possibility of such a delay in the research authorization.

Accounting for Disclosures

OHSU patients and research subjects have a right to receive an accounting of disclosures of their PHI that have been made over the six years prior to the request (but not including disclosures prior to April 14, 2003). A “disclosure” is defined as the release, transfer, provision of access to or divulging in any other manner of PHI outside of OHSU. In general, this right applies to disclosures that the individual may not have known about or authorized. For research, the right applies to:

  • Disclosures made pursuant to an IRB waiver of authorization; or
  • Disclosures made to Business Associates.

The following types of research disclosures do not require an accounting:

  • Disclosures made pursuant to a subject’s authorization;
  • Disclosures about the subject made to the subject;
  • Disclosures of a limited data set with a data use agreement;
  • Disclosures of de-identified data;
  • Disclosures made to a subject’s insurance carrier for billing purposes;
  • Disclosures made to a federal agency such as the FDA or NIH (so long as this was mentioned in the consent/authorization form);
  • Disclosures made for the purpose of adverse event reporting or similar data safety or monitoring purposes (so long as this was mentioned in the consent/authorization form); or
  • Disclosures made for the purpose of treating the subject.

In addition, internal uses (i.e., within OHSU or from one OHSU agent to another) of the PHI of OHSU patients or research subjects do not require an accounting.

To account for research disclosures, OHSU investigators must first contact acctdisc@ohsu.edu to obtain a user account. Instructions and an icon to access the OHSU Accounting of Disclosures System (ADS) will be provided. Disclosures should be entered into the ADS within 5 days of any disclosure.

Access to 50 or more existing clinical records for a research purpose may be accounted for using a simplified process using the ADS. OHSU investigators who perform this type of research must also account for these disclosures within 5 days. To set up an ADS user account contact acctdisc@ohsu.edu. Instructions and an icon to access the OHSU ADS will be provided.

Limited Data Sets

A Limited Data Set (LDS) may be accessed and recorded from existing clinical records by OHSU investigators with an IRB waiver of authorization. These LDSs do not need to be tracked in an accounting for disclosures.

An LDS may NOT include any of the following direct identifiers of the research subject or of relatives, employers or household members of the subject:

  • Name;
  • Postal address information other than town or city, State, and zip code;
  • Telephone numbers;
  • FAX numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Full face photographic images and any comparable images.

An OHSU investigator may not share an LDS with any non-OHSU person or entity unless a Data Use Agreement (DUA) is obtained from that person or entity. The DUA establishes the permitted uses of the LDS by the non-OHSU recipient and imposes certain duties upon that recipient. The OHSU DUA form may be found at the Policies and Forms page, and OHSU investigators who require a DUA must complete the form and forward it to the IRB for review, approval and signature by the chair or co-chair.

OHSU investigators may not receive an LDS from a non-OHSU investigator unless a copy of the approved DUA from the non-OHSU site is forwarded to and approved by the OHSU IRB chair or co-chair.

De-Identified Information

The HIPAA rules do not apply to de-identified information related to patients. OHSU investigators may record and use de-identified patient information by submitting the usual documents (PPQ, IRQ, protocol) to the IRB for review and approval. These protocols will normally qualify for an IRB-granted exemption from further review. To de-identify patient information for a research purpose, OHSU investigators will need to remove all of the following identifiers of the patient or of relatives, employers, or household members:

  • Names;
  • Geographic Subdivisions smaller than a state, except for the first three digits of the zip code;
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all elements of date (including year) for those over 89;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voiceprints;
  • Full-face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic or code, except as permitted for re-identification as described under the Codes paragraph below.

In addition to the removal of the identifiers listed above, the investigators must not have actual knowledge that the remaining information could be used alone or in combination with other information by a recipient to identify the patient.

Codes - An OHSU Investigator may assign to, and retain with, the de-identified information (as described above) a code (or other means of record identification) to allow for re-identification by the OHSU investigator, provided that:

  • The code is not derived from or related to patient identifiers and is not otherwise capable of being translated by a recipient so as to identify the patient; and
  • The investigator does not use or disclose the code for any other purpose than as a re-identification code for the de-identified information; and
  • The investigator does not disclose the mechanism (key) for re-identification.
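
The identifier-removal list and the Codes conditions above, sketched as an added example (not OHSU code or an OHSU-provided tool). The field names, the allowlist and the sample records are constructed assumptions; drawing the study code from a random generator is one way to keep it unrelated to patient identifiers.

```python
import secrets
from datetime import date

# Hypothetical schema: only these fields pass through unchanged. Anything not
# listed (name, MRN, phone, e-mail, IP address, free text, ...) is dropped, so
# an unexpected identifier column fails closed instead of leaking.
PASS_THROUGH = {"state", "diagnosis", "lab_result"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed sample records, not real patient data.
SAMPLE = [
    {"name": "Jane Doe", "mrn": "0012345", "birth_date": "1958-03-09",
     "admission_date": "2021-11-02", "zip": "97239", "state": "OR",
     "email": "jane@example.org", "diagnosis": "I10"},
    {"name": "John Roe", "mrn": "0067890", "birth_date": "1928-07-21",
     "admission_date": "2021-12-15", "zip": "97201", "state": "OR",
     "diagnosis": "E11.9"},
]


def age_on(birth, as_of):
    """Whole years of age on the date as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def assign_code(key_table, mrn):
    """Return a random study code and store code -> MRN in the key table.

    The code comes from the OS random generator, so it is not derived from
    the MRN or any other identifier. The key table is the re-identification
    mechanism: it stays with the investigator and is never released.
    """
    code = secrets.token_hex(8)
    while code in key_table:          # regenerate on the rare collision
        code = secrets.token_hex(8)
    key_table[code] = mrn
    return code


def deidentify(record, key_table, as_of):
    """Apply the removal rules listed above to one record."""
    over_89 = age_on(date.fromisoformat(record["birth_date"]), as_of) > 89
    out = {"study_code": assign_code(key_table, record["mrn"])}
    for field, value in record.items():
        if field in PASS_THROUGH:
            out[field] = value
        elif field == "zip":
            out["zip3"] = value[:3]   # first three digits only
        elif field in DATE_FIELDS and not over_89:
            # keep the year only; for subjects over 89 the date is dropped
            out[field[:-5] + "_year"] = date.fromisoformat(value).year
    return out


if __name__ == "__main__":
    keys = {}                          # kept separately from the output
    for row in (deidentify(r, keys, date(2022, 1, 1)) for r in SAMPLE):
        print(row)
```
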

Business Associate Agreements

A Business Associate (BA) is a person or entity that performs a function for or on behalf of OHSU involving the use or disclosure of PHI from OHSU patients or research subjects. In general, sponsors, federal agencies or research collaborators (co-investigators at other institutions) will not be BAs. Examples of BAs in research include:

  • A company that bills subjects or their insurance carriers for standard care procedures;
  • A company that provides telephone screening services for prospective research subjects; or
  • A clerical service that transcribes or processes research data containing PHI.

Questions about whether or not another entity is a BA or whether or not an OHSU investigator is a BA should be directed to the IRB. OHSU investigators may not establish BA agreements on their own. To establish a BA agreement with a non-OHSU investigator or site, OHSU investigators will need to present an IRB approval memo and an approved research grant or contract to Contracts & Purchasing Services.