Health Insurance Portability and Accountability Act
Instructions:
If your application involves the use or disclosure of Protected Health Information by a Covered Entity or Covered Component of the University, all study personnel will be required to complete HIPAA training before project approval will be granted.
What Is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act. HIPAA's "Privacy Rule" regulates the way certain health care groups, organizations, or businesses, called covered entities under the Rule, handle the individually identifiable health information known as "protected health information" or PHI. The definition of PHI is discussed further below.
Researchers should be aware of the Privacy Rule because it establishes the conditions under which covered entities can use or disclose PHI for many purposes, including for research. Although not all researchers will have to comply with the Privacy Rule, the manner in which the Rule protects PHI could affect certain aspects of research.
HIPAA and the Institutional Review Board (IRB)
Readers should note that Institutional Review Boards have long been in the business of ensuring the confidentiality of information gathered from or about research subjects. However, HIPAA's Privacy Rule may add a new layer of privacy protections involving use of an individual's protected health information and may result in additional documentation by IRBs and researchers when such information is involved.
What is Protected Health Information?
The Privacy Rule defines "protected health information" or PHI as:
individually identifiable health information held or maintained by a covered entity or its business associate acting for the covered entity, that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a covered health care provider, health plan, employer, or health care clearinghouse. For purposes of the Privacy Rule, genetic information is considered to be health information.
The Privacy Rule excludes from the definition of PHI individually identifiable health information that is maintained in education records covered by the Family Educational Rights and Privacy Act (as amended, 20 U.S.C. 1232g) and records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records containing individually identifiable health information that are held by a covered entity in its role as an employer.
What is a Covered Entity?
"Covered entities" are defined in the HIPAA rules as:
- health plans,
- health care clearinghouses, and
- health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, clinics, physicians, and other health care providers are usually covered entities. Covered entities can be institutions, organizations, or persons.
How does HIPAA affect research?
Covered Entities may not use or disclose PHI for research purposes unless individual privacy authorization has been obtained, or an exception to the privacy authorization requirement is met. Thus, for example, if medical tests are performed for purposes of a study, or a subject's information will be obtained from medical charts or lab reports, a researcher will need authorization to obtain the test results/records from a covered healthcare provider even if he or she is part of the same Covered Entity or covered component of the University.
Methods for Obtaining Access to PHI
Under the Privacy Rule, a covered entity is not permitted to use or disclose PHI for research unless one of the following conditions has been met:
- Permission has been granted by the research subject, through a written privacy authorization that meets HIPAA authorization requirements.
- The information has been completely de-identified.
- The information has been compiled in a "limited data set" and a data use agreement has been executed.
- The activity is "preparatory to research."
- A waiver of individual authorization has been obtained from an IRB or Privacy Board.
- The researcher is accessing information solely on decedents.
Additional information regarding each of these conditions is discussed in more detail later.
Written Authorization
A HIPAA compliant privacy authorization can be combined with an informed consent document or other permission to participate in the research. Regardless of whether it is in a separate document, it must contain the following elements:
- A description of the information that will be used or disclosed
- The names or classes of individuals authorized to make the use or disclosure
- The names or classes of individuals authorized to receive the use or disclosure
- Description of each purpose of the requested use or disclosure
- An expiration date or event for the authorization
- A statement that the individual has a right to revoke the authorization, how to do so, and if applicable exceptions to the right to revoke
- A reference to the covered entity's right to condition service on the authorization, or the consequences of refusal to sign.
- A statement that the information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer protected by the Privacy Rule
- The subject's right to a signed, dated copy of the authorization.
Additional requirements may apply in certain contexts. [See privacyruleandresearch.nih.gov/pr_08.asp#8b].
Waiver/Alteration of Individual Authorization
Some research projects cannot be undertaken using health information that has been de-identified or it may not be feasible for a researcher to obtain signed authorization for all PHI the researcher needs to obtain for the research study.
The Privacy Rule contains criteria for waivers/alterations of Authorizations by an IRB or Privacy Board, in certain cases where written authorization is not practicable. An IRB or Privacy Board may approve a waiver/alteration in whole or in part. When a request for a waiver/alteration is submitted, the IRB will review the request according to the criteria set forth in the Privacy Rule (see privacyruleandresearch.nih.gov/pr_08.asp#8c).
De-identification
A covered entity is permitted to use and disclose "de-identified" data for research purposes without individual written authorization. To qualify as "de-identified," 18 data elements about the individual and the individual's relatives, employers, or household members must be removed. (See list of 18 identifiers at: privacyruleandresearch.nih.gov/pr_08.asp#8a).
This exception does not apply if the investigator plans to access identifiable records from a covered entity for research purposes, in order to create de-identified data. In such cases, another "exception" to the written authorization requirement must be met.
Limited Data Sets
A covered entity is permitted to use and disclose a "limited data set" for research purposes, without written authorization of the research subject. A limited data set is one in which certain direct identifiers have been removed, but certain potential identifiers remain. (See list of identifiers at: privacyruleandresearch.nih.gov/pr_08.asp#8d).
In order to use a limited data set, a researcher must sign a "data use agreement" that meets the requirements of the Privacy Rule. The project must still be pre-approved by the IRB and human subjects regulations apply.
Using Health Information to Prepare for Research
The Privacy Rule includes a provision which permits researchers to review PHI without written authorization, in order to formulate hypotheses, assess feasibility of a project, or determine the availability of data or a patient base. Any information recorded during the review must meet de-identification standards. Thus, a researcher would not be able to rely on this provision to record individuals' names and contact information from a covered entity's records for recruitment purposes.
Research on Decedents
In order to use/access PHI on decedents, the researcher must provide the covered entity with certain assurances that the information is being sought for research on decedents and is necessary for research purposes. The researcher must state, either in writing or orally, that the use or disclosure being sought is solely for research on the PHI of decedents and that the PHI being sought is necessary for the research, and must provide, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought. The IRB will require a written statement in such cases, and will not review such research as long as there is no link to living individuals.
Research Recruitment under HIPAA
The requirements of the Privacy Rule impact the way in which potential subjects are identified and recruited for studies. Generally speaking, a health care provider covered by HIPAA may give a researcher's contact information to the patient, or secure a patient's written authorization to give contact information to the researcher.
In addition, the health care provider could release patient records/PHI directly to a researcher without individual privacy authorization (as required by HIPAA), if a waiver of the authorization is obtained from the IRB. Researchers may also post IRB-approved flyers or advertisements, so that eligible subjects can directly contact the researcher.
Research Repositories
The Privacy Rule specifies three ways in which protected health information can be compiled for a research repository:
- individual, written authorization is obtained from the subject of the information
- waiver of the individual authorization requirement is obtained from an IRB or privacy board
- the data or tissue is obtained from a covered entity in the form of a limited data set and accompanied by a data use agreement
Researchers should note that if approval is granted for the general purpose of constructing and maintaining the repository, then subsequent studies of the material require additional IRB review to determine whether informed consent/privacy authorization is required or if the informed consent/privacy authorization requirement is waived.
Other Additional Requirements
Studies that are "Exempt" under IRB standards are not necessarily exempt from the Privacy Rule. The most frequent example is retrospective chart reviews. These studies may be exempt from IRB rules if individual identifiers are not recorded. However, if a retrospective review involves accessing medical information or PHI of a covered entity (or covered component of the University) without patient consent, a waiver of privacy authorization must first be approved.
Research data must be retained in accordance with applicable legal, University and sponsor requirements.
Computer Security for Research Records
In April 2005, the HIPAA Security Rule went into effect. The Security Rule requires Covered Entities to implement administrative, physical and technical safeguards to protect the security of electronic PHI. Researchers working with a Covered Entity or Covered Component of the University must be familiar with the security policies that apply to their work. Researchers must appropriately limit data access and disclosure as described in their study protocol. Adherence to technical safeguards is vital in ensuring that data are not intercepted, corrupted, or otherwise compromised.
Appropriate steps include but are not limited to practicing "role-based access" to ensure that permissions for research files are commensurate with the employee's role in the project; establishing password protections on electronic files; and storing records on secure networks and servers. Release of computerized research records containing PHI must conform to HIPAA rules about allowable disclosures. If individually identifiable data must be stored on hard drives or laptops, extra security protections must be arranged.
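The following is an added illustration of the "role-based access" safeguard described above; it is not code from this training page or from any University system, and the role names, data tiers and permission matrix are hypothetical. It shows the two properties a reviewer looks for: each study role gets only the actions its protocol role needs (an analyst never touches records that still contain PHI, an assistant can read but not export), and every decision, refused or granted, is written to an audit log so that denied attempts can be reviewed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical study roles and the actions each may take on two data tiers.
# "identifiable" = records that still contain PHI; "deidentified" = records
# with identifiers removed. Permissions are deliberately minimal per role.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "principal_investigator": {
        "identifiable": {"read", "export"},
        "deidentified": {"read", "export"},
    },
    "data_analyst": {
        "identifiable": set(),            # analysts work only on de-identified data
        "deidentified": {"read", "export"},
    },
    "research_assistant": {
        "identifiable": {"read"},         # may view charts for abstraction, never export
        "deidentified": {"read"},
    },
}


@dataclass(frozen=True)
class ResearchRecord:
    record_id: str
    tier: str          # "identifiable" or "deidentified"
    payload: str       # constructed sample content, not real study data


@dataclass
class AuditEvent:
    user: str
    role: str
    action: str
    record_id: str
    allowed: bool


class AccessController:
    """Decides each access against ROLE_PERMISSIONS and logs the decision."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEvent] = []

    def is_allowed(self, user: str, role: str, action: str, record: ResearchRecord) -> bool:
        # Unknown roles, unknown tiers and unknown actions all fall through to "deny".
        permitted = ROLE_PERMISSIONS.get(role, {}).get(record.tier, set())
        allowed = action in permitted
        self.audit_log.append(AuditEvent(user, role, action, record.record_id, allowed))
        return allowed

    def fetch(self, user: str, role: str, action: str, record: ResearchRecord) -> str:
        """Return the record payload only when the role permits the action."""
        if not self.is_allowed(user, role, action, record):
            raise PermissionError(f"{role} may not {action} {record.record_id} ({record.tier})")
        return record.payload

    def denied_events(self) -> List[AuditEvent]:
        """Refused attempts are the entries a security reviewer examines first."""
        return [e for e in self.audit_log if not e.allowed]


if __name__ == "__main__":
    # Constructed sample records, not real study data.
    phi = ResearchRecord("R-001", "identifiable", "MRN 12345, lab results ...")
    deid = ResearchRecord("R-002", "deidentified", "age band 40-49, lab results ...")
    ac = AccessController()
    print(ac.fetch("pi_user", "principal_investigator", "export", phi))
    print(ac.fetch("analyst_user", "data_analyst", "read", deid))
    try:
        ac.fetch("analyst_user", "data_analyst", "read", phi)
    except PermissionError as err:
        print("denied:", err)
    for event in ac.denied_events():
        print(event)
```

The default-deny lookup is the important design choice: a role, tier or action that is missing from the matrix is refused rather than silently permitted, so adding a new study role means explicitly deciding what it may see. Keeping the audit log on the same object as the decision means no access path can skip logging.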