1	HIPAA & Research The University of Alabama
2	What is HIPAA? Health Insurance Portability and Accountability Act Protected Health Information (PHI) “Covered Entities” – health care providers such as hospitals, nursing homes, clinics, and mental health centers. Places new requirements on use of PHI from covered entities for research purposes. Privacy rule effective April 14, 2003.
3	Protected Health Information PHI includes any information that relates to past, present, or future physical or mental health or condition of person; the provision of health care to a person; or the past, present, or future payment for the provision of health care to an individual. PHI excludes FERPA records and Employment records.
4	UA is a “hybrid entity” – having several Health Care Components that fall under HIPAA’s Health Care Provider definition. HIPAA applies to UA’s “Health Care Components”: Capstone Medical Center, Brewer-Porch, Student Health Center, Speech & Hearing Clinic, Nursing Clinic. UA will have one common approach to HIPAA compliance, but each Health Care Component will have their own set of policies.
5	HIPAA & Research: Any research that uses or discloses PHI obtained from any covered entity, including a UA Health Care Component, must conform to HIPAA research requirements. How the researcher uses or transmits the information does not define whether or not the research must comply.
6	HIPAA research requirements: Apply to: PHI from UA health care components. PHI from any other covered entity. Do not apply to: PHI generated by the researcher or other non-covered source. Research that does not use PHI.
7	Criminal Penalties for Faculty, Staff & Students: Wrongfully disclosing PHI: Fines up to $50,000 and up to 1 year in prison. Obtaining PHI under false pretenses: Fines up to $100,000 and up to 5 years in prison. Failure to comply to HIPAA while conducting research that is considered a commercial activity (paid for by a sponsor, or development of a device or discovery that can be sold): Fines up to $250,000 and up to 10 years in prison.
8	And, there are possible civil penalties for UA: Up to $100 per violation. Each name in a data set can be a violation. Not to exceed $25,000 per year. AND – civil monetary damages may be available to patients who win state tort claims, such as breach of privacy.
9	HIPAA & Common Rule Research using PHI from covered entities must meet the standards of both the Common Rule and HIPAA. (not instead of). Common Rule applies to federally regulated research on human subjects and requires either an informed consent from participants or an IRB waiver of informed consent.
10	Current IRB Protocol under the Common Rule requires: Statement by researcher describing the extent to which confidentiality of records will be maintained. IRB must decide whether these confidentiality provisions are adequate. This requirement remains in place for all research subject to IRB.
11	If research falls under HIPAA, the researcher must either: Receive valid authorization from the patient or subject in the study; Or, obtain a waiver from the UA’s IRB; Unless, the research falls under an exception (to be covered in more slides).
12	Requirements for valid authorization by participants: Specific description of information to be used or disclosed, specific to the study; Name or identification of person or class of persons that will be authorized to use or disclose the data; Description of each purpose of requested use and disclosure; Statement of the individual’s right to revoke authorization in writing, including how to revoke and exceptions to this right; and . . .
13	Additional requirements for a HIPAA Authorization: An expiration date or event, or a statement that there is no expiration date; A statement describing whether or not the University is making treatment, payment, enrollment, or eligibility for benefits contingent on the authorization; A statement that information disclosed pursuant to the authorization may be subject to further disclosure by the researcher and may no longer be protected by the Privacy Rule; and The signature of the individual, and date.
14	HIPAA Authorizations: Cannot authorize the researcher to use the data for future unspecified purposes. Must be written in plain language. MUST be obtained from every participant in a research study, unless the IRB has provided a waiver. May be combined with informed consent form. If the PHI is to be used in more than one study, a separate signature is required for each study.
15	IRB Waiver instead of Authorization must meet three criteria: Proposed research could not practicably be conducted without the waiver, and The research could not practicably be conducted without access to and use of PHI. Use and disclosure of PHI involves no more than a minimal risk to privacy.
16	IRB determines “minimal risk to privacy” if there is: An adequate plan to protect the identifiers from improper use and disclosure; An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research; Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, or for oversight of the project. HHS will issue Guidance for IRBs
17	Four exceptions when Authorization or IRB Waiver is not required: 1. Research on records of decedents 2. Reviews preparatory to research 3. De-identified data 4. Use of Limited Data Sets
18	1. Records of Decedents If subject is dead, PHI from covered entities may be used or disclosed solely for research purposes if the researcher represents PHI is necessary for research. UA may request that the researcher provide documentation of the death of the individual.
19	2. Reviews Preparatory to Research: Researcher must state that the use and disclosure is sought solely to review PHI as necessary to prepare a research protocol or similar purposes (recruitment); No PHI is to be removed from the covered entity in the course of the review; and PHI being sought is necessary for the stated research purpose.
20	Recruitment If the researcher is also the subject’s treating physician, the physician can recruit his/her patient for research without the patient’s authorization.
21	3. De-identified data: Option One A statistician must conclude “the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information.” This is not expected to realistically be an available option.
22	Option Two: Remove all 18 “Identifiers”: Name Addresses and zip codes Telephone Numbers Fax Numbers E-mail address Social Security Number Medical Record Numbers Full face photographic images URLs All elements of dates (except year) Medical record numbers Account Numbers Certificate/license numbers Vehicle identifiers Device identifiers Internet Protocols Biometric identifiers Any other identifying number or code.
23	4. Limited Data Sets: Can be used if the information is for research, public health, and health care operations. Removes 16 of the identifiers, but allows researcher to keep dates related to the individual (birth, death, date of admission or discharge) and geographic info - zip code. Requires a Data Use Agreement that specifies permitted use of the data, safeguards, and reporting if there is a breach.
24	Data Use Agreements: Establish permitted uses and disclosures of information, Establish who is permitted to use or receive the limited data set, Provide safeguards against and reporting of unauthorized disclosures, control of subcontractors, and ensure the information does not become identified and individuals are not contacted.
25	Accounting by Covered Entities for Waivers from an IRB Patients have a right to an accounting of disclosures made by a covered entity unless: Patient signed an authorization, or Data was de-identified, or the Covered Entity only released a limited data set and recipient signed a Data Use Agreement, or Covered Entity used/disclosed PHI for treatment, payment, or operations.
26	Covered Entities’ Accounting: If research is conducted with a waiver from the IRB, the Covered Entity must provide an accounting to individuals in the study who request it for up to 6 years. The accounting states who received the PHI, their address, and a brief statement of the purpose of the disclosure. No accounting is required for disclosures prior to April 14, 2003.
27	Due to the volume of some research records, HHS has an alternative for accounting: Must involve at least 50 records. Provide list of all protocols in which subject’s data may have been used. Provide name and contact information of researcher. Participant must request an accounting. Covers a six year period. CE must help person contact researchers to whom it is likely the person’s PHI was disclosed.
28	Grandfathering Existing Data: Researchers at UA may use and disclose PHI from data sets created and received before April 14, 2003 for research purposes if: The patient authorized use of PHI for research; or The patient signed an informed consent; Or the IRB waived informed consent.
29	Burdens of Research on Covered Entities: Will need to develop policies and procedures to guide the release of PHI. Review research proposals. Review IRB documentation. Assess risk/benefit Negotiate a Data Use Agreement Prepare access to data to be shared Maintain record of PHI disclosures