Section 25
SBU Policy and Procedure on Research Subjects' Right to Privacy
Part I: Introduction
Part II: SBU Definitions pertaining to privacy in Research
Part III: Policy
Part IV: Procedures
Confidentiality/Protecting the Privacy of Health Information - Consent Form Instructions
Part V: Policy Violations
Part I: Introduction
The privacy regulations (the Privacy Rule) promulgated by the federal Office of Civil Rights under the Health Insurance Portability and Accountability Act (HIPAA) affect research involving human subjects. These regulations define the conditions under which certain health information may be used or disclosed in research activities. Further, the regulations define the conditions under which 'authorization' must be obtained from the patient. The full text of these regulations is available at www.hhs.gov/ocr/hipaa. Further mandates will follow once the upcoming security regulations are finalized.
Deadlines:
PART II: SBU Definitions pertaining to Privacy in Research
1. Health Care: means care, services, or supplies related to the health of an individual. It includes, but is not limited to: preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status of an individual or that affects the structure or function of the body.
2. Health Care Provider: A researcher is a covered health care provider (and must comply fully with HIPAA privacy regulations) if he or she furnishes health care services to individuals, including the subjects of research, and transmits any health information in electronic form in connection with a transaction covered by the federal Transaction Rule (involving e.g., health care claims and payments, health plan eligibility, enrollment and disenrollments; see 64 CFR 102 and 103 for specifics).
3. Health Information: any information, whether oral or recorded in any form or medium, that is created or received by an SBU investigator and relates to the past, present, or future physical or mental health or condition of an individual. To assist you in determining what constitutes 'health information', this definition includes physical or mental information regarding the diagnosis, treatment and/or prevention of physical or mental conditions of the type that is now (or could be in the future) covered by health insurance.
4. Individually Identifiable Health Information (IIHI): a subset of health information, including demographic information collected from an individual, that identifies the individual (either directly, or through codes/identifiers).
5. De-identified Health Information: health information can be considered de-identified if, EITHER:
a) The investigator provides to CORIHS a written attestation by an expert in de-identification methods that there is a very small risk that the information could be used by others to identify the subject.
The preamble to the Privacy Rule (see http://www.fcsm.gov/working-papers/wp22.html), as does the following link from the NIH (http://privacyruleandresearch.nih.gov/pr_08.asp#8a), provides guidance on what would be required in this regard (e.g., removing all direct identifiers, reducing the number of variables on which a match might be made, limiting the distribution of records).
OR
b) The SBU investigator certifies to CORIHS (via the HIPAA De-identification Form) that all of the following 18 identifiers are removed and the investigator has no actual knowledge that the remaining information could be used, alone or in combination, to identify a specific subject. This is referred to as the Safe Harbor method. The 18 identifiers are: Name, Address (street address, city, county, zip code, with certain exceptions), Dates (e.g., birth date, admission date, discharge date, date of death) and individual ages if over 89, Telephone numbers, Fax numbers, Electronic mail addresses, Social security numbers, Medical record numbers, Health plan beneficiary numbers, Account numbers, Certificate/license numbers, Vehicle identifiers and serial numbers, License plate numbers, Device identifiers and serial numbers, Web Universal Resource Locators (URLs), Internet Protocol (IP) address numbers, Biometric identifiers (including finger and voice prints), Full face photographic images and any comparable images, and any other unique identifying number, characteristic, or code.
De-identified health information is NOT subject to the special authorization and disclosure accounting requirements addressed in this document. However, the CORIHS application and approval process for the research use of such 'anonymous' health information remains the same as is currently in place, and is not impacted by the privacy regulations (except for the need to complete the additional HIPAA form).
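The Safe Harbor method in definition 5(b) above, and the de-identified spreadsheet/CRF review in Part IV(C) below, both come down to checking a data set against the 18 identifier categories. The following is an added example, not part of this SBU policy: a small Python scrubber that drops fields mapped to the Safe Harbor categories, removes ages over 89, and redacts identifiers that hide inside free-text fields. The field-to-category mapping, the regular expressions and the sample record are constructed for illustration; a real CRF needs its own mapping, and the investigator's 'no actual knowledge' certification still has to be made by a person.

```python
import re
from typing import Any

# Constructed mapping of CRF column names onto the Safe Harbor identifier
# categories (names, address parts, dates, contact numbers, record numbers,
# device/vehicle identifiers, URLs, IP addresses, biometrics, photographs).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "street", "city", "county", "zip", "birth_date",
    "admission_date", "discharge_date", "death_date", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "license_plate", "device_serial", "url", "ip_address",
    "fingerprint", "voiceprint", "photo",
}

# Identifiers that commonly leak into free-text columns such as clinical notes.
EMBEDDED_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def safe_harbor_scrub(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (scrubbed_record, findings) for one CRF row."""
    scrubbed, findings = {}, []
    for field, value in record.items():
        key = field.lower()
        if key in DIRECT_IDENTIFIER_FIELDS:
            findings.append(f"removed field '{field}'")
            continue
        if key == "age" and isinstance(value, int) and value > 89:
            findings.append("age over 89 removed")   # Safe Harbor age threshold
            continue
        if isinstance(value, str):                   # scan free text for leaks
            for kind, pattern in EMBEDDED_PATTERNS.items():
                if pattern.search(value):
                    value = pattern.sub(f"[{kind} redacted]", value)
                    findings.append(f"{kind} redacted in '{field}'")
        scrubbed[field] = value
    return scrubbed, findings

def is_safe_harbor_clean(record: dict[str, Any]) -> bool:
    """True when a second pass over the record finds nothing left to remove."""
    return safe_harbor_scrub(record)[1] == []

SAMPLE_RECORD = {  # constructed sample row; not real patient data
    "name": "Jane Example", "mrn": "000123", "age": 92,
    "diagnosis": "type 2 diabetes",
    "notes": "Follow-up call to 555-123-4567; seen on 01/15/2007",
    "hba1c": 7.4,
}
```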
Part III: Policy
All SBU investigators who conduct research where individually identifiable health information is used, generated, or disclosed are required to protect their research subjects' right to privacy of their health information, using procedures as outlined in Part IV. This policy and associated procedures are in addition to provisions already in place under the Common Rule at 45 CFR 46.
According to the Privacy Rule, researchers are performing a function specifically covered under HIPAA (and are, therefore, considered health care providers under the rule) if they:
1) provide health care as part of their research, and
2) are involved in standard electronic transactions (involving e.g., health care claims and payments, health plan eligibility, enrollment and disenrollments, etc.; see 64 CFR 102 and 103 for specifics). SBU, therefore, requires that research investigators meeting both of these criteria comply with all provisions of the privacy regulations and upcoming security regulations. SBUH staff members and medical staff members must additionally comply with this and all SBUH policies and procedures pertaining to HIPAA.
If you qualify as a health care provider, and either you or your co-investigators are NOT currently part of SBUH staff, you must contact the Office of Research Compliance for additional requirements (e.g., signing of specific privacy and/or confidentiality agreements).
Part IV: Procedures
The procedures below must be followed in addition to CORIHS submission and approval requirements detailed in the online version of the CORIHS Handbook for Investigators.
A) Notice of Privacy Practice (NOPP):
Effective April 14, 2003, all patients encountered in a health care facility (e.g., University Hospital) must receive an NOPP. In it, the patients are provided with information concerning how their IIHI may be used and/or disclosed by the facility, details concerning the patients' privacy rights, and the facility's legal responsibilities with respect to IIHI. For subjects who are SBUH patients, their signing of the research consent form will acknowledge receipt of the NOPP.
B) Research Databases/Registries (see also Section 18 of the CORIHS Handbook)
The collection of health information for 'private' research registries is allowable if either:
1) authorization is obtained from the subject (i.e., prospective collections) or
2) authorization is not obtained from the subjects (i.e., retrospective collections) but:
a. the health information is either in de-identified form (in accordance with HIPAA specifications) or
b. the health information is in the form of a limited data set where the recipient of the data enters into a data use agreement with the provider of the data. If the latter, only the minimum necessary information may be released as necessary to achieve the purpose of the database/registry.
If an SBU investigator wishes to obtain data from a registry for research purposes, the usual IRB application and approval requirements must be met (including assessment of consent/authorization waivers, etc.).
C) Research involving De-identified data:
Along with the standard CORIHS application requirements for 'anonymous' data collection, one of the methods detailed in Part II above must be detailed for assuring that the data are de-identified. The HIPAA De-identification form must be completed and submitted if the 18 listed identifiers are to be removed to satisfy HIPAA standards. In addition, the spreadsheet or the case report form (CRF) you intend to utilize to gather your de-identified data must be submitted for review. Include the name of the individual collecting the data on the spreadsheet/CRF.
D) Research Use or Disclosure of IIHI without Subject Authorization:
1) CORIHS can waive the requirement to obtain authorization for use or disclosure of IIHI if either a, b, or c apply:
a. CORIHS finds and documents that all of the following criteria are addressed and met in the application submission (PI completes a HIPAA Waiver of Authorization form):
i) The use or disclosure of IIHI for the research involves no more than minimal risk to the privacy of individuals, based on:
1. an adequate plan to protect identifiers from improper use and disclosure;
2. an adequate plan to destroy identifiers at the earliest opportunity; and
3. adequate written assurances that health information will be protected (not re-used/disclosed to any other person or entity except as required by law, for authorized oversight, etc.);
ii) The research could not practicably be conducted without the waiver or alteration; and
iii) The research could not practicably be conducted without access to and use of the health information.
OR
b. The proposed activity is for research on a deceased person's IIHI.
Investigators must provide representation that:
i) the use or disclosure sought is solely for research on the IIHI of (verifiably) deceased individuals, and
ii) the IIHI for which use or disclosure is sought is necessary for the research purposes.
OR
c. The proposed use of health information is via a 'limited data set'.
A limited data set (LDS) contains information that is not completely de-identified as defined above (i.e., an LDS can contain dates of admission and discharge, dates of birth and death, dates of procedures, city, state and zip codes, but it must exclude certain direct identifiers such as names, addresses, telephone numbers, e-mail addresses, etc.). To use a Limited Data Set, a Data Use Agreement (DUA) must first be in place with the recipient of the information, and a HIPAA LDS form must be completed and submitted to CORIHS for review. In addition, the spreadsheet or the case report form (CRF) you intend to utilize to gather your LDS must be submitted for review. Include the name of the individual collecting the data on the spreadsheet/CRF.
If, for example, an investigator receives an LDS derived from UH medical records, the DUA would be generated through UH. The Data Use Agreement defines the permissible uses/disclosures of the LDS by the recipient, defines who can use or receive the data, and requires the recipient to assure that data will not be re-identified and that individuals will not be contacted.
2) Minimum Necessary Requirement/Accounting for Disclosures Requirement
With the exception of limited data sets obtained under a data use agreement, disclosure of IIHI without authorization (i.e., a waiver of authorization was granted or the disclosure involved the IIHI of deceased individuals) made after April 14, 2003 requires that:
a. The disclosure of health information be kept to the minimum necessary to meet the purpose of the study; AND
b. The HIPAA disclosure accounting requirement must be met. This means that a patient/subject must be able to request, and be provided with, a list of all individuals or entities to which their IIHI was disclosed without their authorization. The SBU researcher must keep track of each instance where s/he has provided an entity outside of SBU with subjects' IIHI without that subject's authorization. (For disclosures from medical records, a mechanism at the University Hospital level would provide such accounting. For disclosures from departmental patient records, sometimes referred to as 'shadow charts', the department must provide such accounting.)
For disclosures involving fewer than 50 individuals, the accounting must include:
- date of the disclosure
- frequency or number of disclosures made during the accounting period
- date of the most recent disclosure
- name of the individual or entity receiving the information (and address, if known)
- brief description of the IIHI disclosed
- brief statement of the purpose of the disclosure
For disclosures involving 50 or more individuals, the accounting must include:
- name of the study or protocol
- description of the purpose of the study
- type of IIHI disclosed
- time frame over which disclosures took place (including the date of the most recent disclosure)
- name, address, and telephone # of the entity sponsoring the research, and of the researchers to whom the information was disclosed
In consideration of this accounting requirement, and the associated workload, it is strongly urged that the investigator either obtain an authorization, or utilize a limited data set prior to disclosure of his/her subjects' IIHI.
E) Research Use of Health Information with Subject Authorization*
Under the HIPAA regulations, a patient coming into a doctor's office or hospital for clinical treatment will sign a consent, basically allowing the physician's office (or hospital, etc.) to use or disclose his or her information for treatment, payment, and health care operations purposes.
In the research setting, it is clear that health information could be generated and used or disclosed during the course of a research study. It is also clear that health information could be derived from research activities where the procedure involves a simple blood draw from which genetic information can be obtained. It is thus important to assess the proposed research protocol for need to access health information, and the potential for producing health information. If either is possible, then the HIPAA regulations will likely apply.
It is important to remember that subjects can revoke their authorization for use of their health information at any time during the research. However, health information that was obtained prior to when authorization was revoked can continue to be used and disclosed if its inclusion is important to maintain the integrity of the research study. For example, health information could be reported to account for a subject's withdrawal from the study, to be used as part of a marketing application to the FDA, to conduct investigations of scientific misconduct, or to report adverse events.
For research involving IIHI where subject authorization is sought, please refer to the confidentiality/privacy sections of Section 14 (consent text for adult subjects) and/or Section 15 (parent permission text for minor subjects) and follow the directions carefully (e.g., including the directions regarding ..."obtaining or generating data regarding your subjects' mental or physical health").
Part V: Policy Violations
SBU faculty, staff, and students are obligated to report violations of this policy.
Such reports will be brought before CORIHS at a convened meeting. CORIHS will make a determination, in consultation with applicable University Officials, to assess whether additional information and/or further investigation is required. The affected departmental Chair and Dean will be copied on all correspondence between the committee and the involved parties. Where violations are apparent, the CORIHS chair, in consultation with applicable University Officials, may take immediate corrective action as deemed appropriate, prior to review by the full committee. In addition, other applicable University offices and/or external agencies (e.g., Office of Civil Rights) will be notified as required. Note that health care providers who violate HIPAA may also be subject to significant criminal and civil penalties.
Last Updated: 2007-06-28