HIPAA and Expedited Review – May 2017

Understanding and Applying
New HIPAA Policy Requirements
May 15, 2017
WSU IRB Member Retreat
IRB Member Resources
New IRB Member Toolbox Webpage
WSU IRB Policy
Human Subject Research Use and Disclosure of
Protected Health Information Policy
- P19 Approved March 21, 2017
• https://www.wright.edu/research/compliance/institutional-review-board-charter-and-standard-operating-procedures
Privacy Board
• A Privacy Board is a review body empowered
to oversee Privacy Rule requirements for the
use and disclosure of PHI for a particular
research study.
• For many institutions, the Institutional Review
Board (IRB) is charged with acting as the
Privacy Board for all human subject research.
Implementing Policy
Covered Entity
• A Covered Entity is a health plan, a health care
clearinghouse, or health care provider who
transmits health information. A covered entity
can be an institution, organization, or person.
• The covered entity is responsible for
implementing Privacy Rule protections for PHI
collected, generated, or stored under its
auspices.
HIPAA and Research
It is important to be aware that a Covered Entity’s Notice of
Privacy Practices and non-research HIPAA processes, in and of
themselves, do not adequately address all of the requirements
to use PHI for research.
For example, Premier’s HIPAA requirements for healthcare do
not include provisions for obtaining written authorization from
research subjects or for obtaining waivers of authorization from
the Privacy Board.
Therefore, if you review research involving PHI you must take
additional steps to be in compliance with HIPAA.
Workforce Member
• Employees, volunteers, trainees, and other
persons whose work performance is under the
direct control of a covered entity (i.e., Miami
Valley or Dayton Children’s), regardless of
whether they are paid by the covered entity.
Common Misconception
PHI ≠ Identifiers
Health Information + Identifiers = PHI
Protected Health Information
PHI is individually identifiable health information, including
demographic data that is collected from an individual, and:
• Is created or received by a covered entity (i.e., MVH, Good Sam,
Dayton Children’s, etc.); AND
• Relates to the past, present, or future physical or mental health or
condition of the individual; or the provision of health care to an
individual; or the past, present, or future payment for the provision
of health care to an individual; AND
• Identifies the individual or where there is a reasonable basis to
believe the information can be used to identify the individual; AND
• Is transmitted or maintained in any form or medium, whether
electronic, paper or oral.
HIPAA De-Identified
To be considered “de-identified” under the Privacy Rule, EITHER: all of
the following 18 identifiers of the individual, their relatives, employers,
or household members must have been removed from the individual’s
data set by an individual that is not a member of the study team (e.g.,
medical records official, administrator of a database):
1. Names (including the patient’s name and names of other
   individuals connected to the patient)
2. Geographic subdivisions smaller than a state (zip code, street
   address, etc.)
3. All elements of a date (except year), including birth date,
   admission date, discharge date, date of death, and all ages
   over 89
4. Telephone numbers
5. Fax numbers
6. E-mail address
7. Social security number
8. Medical record number
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers including license plates
13. Device identifiers and serial numbers
14. Web universal resource locators (URLs)
15. Internet protocol (IP) address numbers
16. Biometric identifiers including fingerprints and voice prints
17. Full face photographic (or comparable) images
18. Any other unique identifying number, characteristic, or code
    unless otherwise permitted by the Privacy Rule for re-identification, and
The covered entity does not have actual knowledge that the
information could be used alone or in combination with other
information to identify an individual who is a subject of the
information.
OR
The data is grouped in such a way that a qualified statistician using
accepted analytic techniques concludes that the risk of identification
based on the information in the data set is substantially limited, and
that if the information is used alone or in combination with other
reasonably available information, it does not identify an individual
subject (e.g., aggregate data) [45 CFR 164.514(b)].
Coded
Coded means that:
Identifying information (such as name or social security
number) that would enable the investigator to readily
ascertain the identity of the individual to whom the
private information or specimens pertain has been
replaced with a number, letter, symbol, or combination
thereof (i.e., the code); and
A key to decipher the code exists, enabling linkage of the
identifying information to the private information or
specimens. - OHRP 2008 Guidance
Is it PHI?
• First and Last Name
• Blood Pressure, Date of Cardiac Surgery, Chest X-Rays
• Electronic survey of Wright State students by a Wright
State student as to date of flu shot in past twelve
months
• Chart review where Miami Valley researcher only
recorded age, weight and smoking status from medical
records
• Utilizing a data set that had been extracted by the
medical records department at Dayton Children’s
Hospital that only contains age, cancer diagnosis,
weight, and medications taken in past 12 months
Authorization
Researchers are required to obtain a written authorization for
the use and disclosure of a human subject’s PHI for a research
study unless the IRB has granted a waiver.
The purpose of a written authorization is to inform a potential
human subject:
• How his/her PHI and research information (collected or
created) is to be used, and
• With whom the information will be shared
• All required elements and statements must be included in
the document, if not waived by the IRB.
Issues with Sponsor
Authorization Language
• Sponsor Not Covered Entity/Business Associate
• Legalistic Language Prohibited (8th grade reading
level)
• Separate Decision
Example Policy Language: Any proposed deviation
to template language must be submitted according
to the IRB’s current study application requirements
for review and approval.
Screening Questions
• What specific data will be collected and used for the
research study?
• Is the source(s) of the data a covered entity?
• Does the source exist as a de-identified data set or
identifiable?
• Who will be recording it from an identifiable source?
• Does all of the data already exist?
• If it doesn’t all already exist, will prospective data be
generated for non-research purposes?
Expedited Review Refresher
May 15, 2017
WSU IRB Member Retreat
Types of Review
• Administrative Review - Exempt
Determinations, NHSR, Miscellaneous
Submissions
• Expedited Review
• Full Board Review
Is it human subject research?
Human subject means a living individual about
whom an investigator (whether professional or
student) conducting research obtains:
– Data through intervention or interaction with the
individual, or
– Identifiable private information.
Is it human subject research?
Private information includes information about behavior
that occurs in a context in which an individual can
reasonably expect that no observation or recording is
taking place, and information which has been provided
for specific purposes by an individual and which the
individual can reasonably expect will not be made public
(for example, a medical record).
Private information must be individually identifiable (i.e.,
the identity of the subject is or may readily be
ascertained by the investigator or associated with the
information) in order for obtaining the information to
constitute research involving human subjects.
Exempt from IRB Review
• 6 Categories
• Not applicable to research involving prisoners
• Categories 1-5 not applicable to FDA-regulated research
Exempt Category #2
• Research involving the use of educational
tests (cognitive, diagnostic, aptitude,
achievement), survey procedures, interview
procedures or observation of public behavior,
unless:
– (i) information obtained is recorded in such a
manner that human subjects can be identified,
directly or through identifiers linked to the
subjects;
– and (ii) any disclosure of the human subjects'
responses outside the research could reasonably
place the subjects at risk of criminal or civil
liability or be damaging to the subjects' financial
standing, employability, or reputation.
Research Involving Children: #2 can only apply to
observational research where investigators do not
participate in activities being observed.
Exempt Category #4
Research involving the collection or study of
existing data, documents, records, pathological
specimens, or diagnostic specimens, if these
sources are publicly available or if the
information is recorded by the investigator in
such a manner that subjects cannot be
identified, directly or through identifiers linked
to the subjects.
Data
De-Identified Data
(HIPAA – Not PHI or HSR)
vs.
Not Readily Identifiable Data
(OHRP/FDA – PHI and HSR)
Consent Not Required
However, institution may require the following if
exempt research involves interactions with subjects:
There will be a consent process that will disclose
such information as:
– That the activities involve research.
– The procedures to be performed.
– That participation is voluntary.
– Name and contact information for the investigator
Expedited Review
• Minor Modifications to Previously Approved
Research 45 CFR 46.110(b)(2)
• Research conducted under Categories 1-9
• Consent is required unless waived or modified
Expedited Category #5
Research involving materials (data, documents,
records, or specimens) that have been collected,
or will be collected solely for non-research
purposes (such as medical treatment or
diagnosis). (NOTE: Some research in this
category may be exempt from the HHS
regulations for the protection of human
subjects. 45 CFR 46.101(b)(4). This listing refers
only to research that is not exempt.)
Expedited Category #8
Continuing review of research previously approved
by the convened IRB as follows:
• where (i) the research is permanently closed to
the enrollment of new subjects; (ii) all subjects
have completed all research-related
interventions; and (iii) the research remains
active only for long-term follow-up of subjects; or
• where no subjects have been enrolled and no
additional risks have been identified; or
• where the remaining research activities are
limited to data analysis.
Expedited Category #9
Continuing review of research, not conducted
under an investigational new drug application or
investigational device exemption where
categories two (2) through eight (8) do not apply
but the IRB has determined and documented at
a convened meeting that the research involves
no greater than minimal risk and no additional
risks have been identified.
Documenting Determinations
InfoED Reviewer Module – Provisions Box
• Category 1-9 or Minor Mods
• Children 45 CFR 46.404
• Prisoners
• Pregnant Women, Neonates and Fetuses
• Waiver of Consent and/or Authorization
• Waiver of Consent Documentation
• Approving in InfoED = Signature and Date