Human Subjects Research Under the HIPAA Privacy Rule and the Common Rule

Transcript and Presenter's Notes (learn more at: http://legal.wisc.edu)
1
Human Subjects Research Under the HIPAA Privacy
Rule and the Common Rule
  • Rebecca Hutton, JD, MS
  • UW-Madison HIPAA Privacy Officer
  • December 2, 2008

2
Two Main Sources of Federal Regulation of Human
Subjects Research
  • Common Rule (45 CFR part 46): in effect in its
    present form since the early 1990s; established
    IRBs and the requirement for informed consent for
    participation in research
  • HIPAA Privacy Rule (in effect since April 2003)
    and Security Rule (in effect since April 2005),
    45 CFR parts 160 and 164: cover use and
    disclosure of individually identifiable health
    information (called protected health information
    or PHI), including use and disclosure for
    research, by covered entities (i.e., most health
    care providers and health insurers)

3
Important Definitions in HIPAA
  • Protected Health Information
  • Individually identifiable information created or
    received by a covered entity in any form
    (written, electronic or spoken) that relates to
  • 1) past, present, or future physical or mental
    health or condition of an individual or
  • 2) provision of health care to an individual or
  • 3) past, present, or future payment for the
    provision of health care to an individual.

4
Individually Identifiable
  • Any of the following data elements relating to an
    individual, alone or in conjunction with health,
    health care, or billing information, constitutes
    Protected Health Information when held by a
    Covered Entity

5
Identifiers
  • 1. Name
  • 2. Geographic subdivisions smaller than state
    (e.g., county, town or city, street address,
    and zip code; the rule permits the first three
    digits of a zip code when the area they cover
    has more than 20,000 people)
  • 3. All elements of dates (except year) for dates
    directly related to the individual (e.g., dates
    of birth, death, admission, and discharge); also
    all ages over 89
  • 4. Phone numbers
  • 5. Fax numbers
  • 6. E-mail addresses
  • 7. Social security number
  • 8. Medical record number
  • 9. Health plan beneficiary number
  • 10. Account numbers
  • 11. Certificate/license number
  • 12. Vehicle identifiers and serial numbers
  • 13. Device identifiers and serial numbers
  • 14. URLs
  • 15. Internet protocol addresses
  • 16. Biometric identifiers (e.g., fingerprints)
  • 17. Full-face photographic images and any
    comparable images
  • 18. Any other unique identifying number,
    characteristic, or code (other than a
    re-identification code meeting the conditions
    described under Coded Data)

6
De-Identification
  • Requires removal of all of the listed identifiers
    (the Safe Harbor method; the Privacy Rule also
    accepts a documented determination by a
    qualified statistical expert that the risk of
    re-identifying subjects is very small)
  • Resulting data are not Protected Health
    Information and not subject to HIPAA

7
Coded Data
  • De-identified data can include a code to permit
    the Covered Entity to re-identify the data but
  • Code cannot be derived from any information about
    the individual (e.g., cannot be initials or
    subset of social security number).
  • Code cannot be used for any other purpose (e.g.,
    cannot be pathology identification number).
  • Key to code cannot be available to those using
    the de-identified data for research.

8
Coded Data contd
  • Code key can be used by others (not part of
    research team) within Covered Entity to audit
    data for accuracy, for example.

9
Covered Units at UW-Madison (the UW Health Care
Component)
  • Units that provide health care or have staff that
    provide health care (e.g. clinical departments of
    UWSMPH, State Lab of Hygiene)
  • Units that use identifiable health information to
    provide services to HIPAA covered health care
    provider units (e.g., Office of Administrative
    Legal Services)

10
Complete Listing
  • A complete listing of all units in the UW health
    care component (UW HCC) can be found at the
    UW-Madison HIPAA website at www.wisc.edu/hipaa
    (in Policy 1.1 in the Privacy Manual).

11
UW Affiliated Covered Entity
  • Many of the units of the UW HCC are also part of
    an organizational arrangement that includes UWHC
    and UW Medical Foundation, called the UW
    Affiliated Covered Entity or UW ACE. The UW ACE
    is considered to be a single covered entity under
    HIPAA.
  • The UW HCC units that are part of the UW ACE can
    be found in Policy 1.2 of the Privacy Manual at
    www.wisc.edu/hipaa .

12
Privacy Rule and Common Rule
  • Main purpose of research provisions of Privacy
    Rule is to protect the privacy of research
    subjects by informing them in detail about what
    PHI is required for the research, where it comes
    from, and where it will be sent.
  • Common Rule focuses on informing subjects about
    the risks and benefits of the research study.

13
Privacy Rule and Common Rule contd.
  • Requirements of the Privacy Rule are in addition
    to requirements of the Common Rule
  • Research that is exempt (or not human subjects
    research) under the Common Rule is still subject
    to the Privacy Rule: no use/disclosure of PHI by
    a covered entity is exempt from the Privacy
    Rule.

14
Three Ways to Be Affected by HIPAA as a
Researcher at UW
  • 1. You are within a UW HIPAA covered unit
    yourself (then all of your activities, including
    your research, involving PHI will be covered by
    all HIPAA provisions) or
  • 2. You are not within a UW HIPAA covered unit
    yourself, but you are part of a research team for
    a study headed by a principal investigator who is
    within the UW HIPAA covered entity (then your
    activities in connection with that study will be
    covered by HIPAA) or
  • 3. You are not within a UW HIPAA covered unit
    yourself, but you need PHI from a covered entity
    (e.g., UWHC) for a research study (then the
    covered entity will be required to comply with
    HIPAA in disclosing the PHI to you).

15
Example 1.
  • You have an appointment within the Department of
    Medicine of the UW School of Medicine and Public
    Health
  • All of your activities, including research,
    involving PHI are covered by HIPAA

16
Example 2
  • You have an appointment in the UWSMPH Department
    of Population Health Sciences (not covered by
    HIPAA, so not within the UW HCC), but you are key
    personnel on a research study with a PI from the
    Department of Medicine that involves PHI
  • Your activities involving PHI for that study are
    covered by HIPAA: you must complete HIPAA
    training, safeguard PHI in compliance with HIPAA,
    and follow the other rules of HIPAA in using and
    disclosing the PHI for that study.

17
Example 3
  • You have an appointment in the UWSMPH Department
    of Population Health Sciences and are the PI on a
    study; your study needs PHI from the UWHC
  • UWHC, as a HIPAA covered entity, will be required
    to comply with HIPAA in disclosing the PHI to you.

18
More Definitions
  • USE means, with respect to PHI, the sharing,
    employment, application, utilization,
    examination, or analysis of such information
    within an entity that maintains such information.
  • DISCLOSURE means the release, transfer,
    provision of access to, or divulging in any
    other manner of PHI outside the entity holding
    the information.

19
Examples
  • If you are an employee of the UW HCC/ACE and need
    PHI from the UW HCC/ACE, the UW HCC/ACE will have
    to follow the requirements of HIPAA in permitting
    you to USE PHI.
  • If you are an employee of the UW HCC/ACE and you
    need PHI from a non-UW covered entity (e.g., St.
    Mary's Hospital), that covered entity will be
    required to follow the requirements of HIPAA in
    DISCLOSING PHI to you.
  • If you are not an employee of the UW HCC/ACE and
    you need PHI from any covered entity (including
    the UW HCC/ACE), that covered entity will need to
    follow the requirements of HIPAA in DISCLOSING
    PHI to you.

20
How To Obtain PHI for Research under HIPAA
  • 1. Obtain written authorization from the subject
    or
  • 2. Obtain an IRB approved waiver of authorization
    or
  • 3. Limit your analysis to a Limited Data Set
    and enter into a Data Use Agreement with the
    HIPAA covered unit holding the PHI or
  • 4. If your study involves decedents only,
    complete a certification form for research on PHI
    of decedents.

21
Written Authorization
  • Required elements are specified by the Privacy
    Rule
  • Approved research Authorization template can be
    found at Health Sciences IRB website or
    www.wisc.edu/hipaa at Research Guide link.
  • You can combine the Authorization form with the
    Consent form into a single form, with a single
    signature.

22
Conditions for Approval of Waiver of
Authorization by IRB
  • Research cannot practicably be conducted without
    access to and use/disclosure of PHI (i.e.,
    identifiable health information is required for
    the research)
  • Research cannot practicably be conducted without
    waiver (i.e., it is impracticable to obtain
    authorization) and
  • Use/disclosure of PHI involves no more than
    minimal risk to privacy of subjects, based on
    existence of
  • Adequate plan by PI to protect identifiers from
    improper use and disclosure
  • Adequate plan by PI to destroy identifiers at the
    earliest opportunity consistent with conduct of
    research and
  • Adequate written assurance by PI that PHI will
    not be reused or disclosed except as required by
    law or for authorized oversight of research.

23
Note Regarding Waiver
  • Generally, it is impracticable to obtain
    authorization only in the case of retrospective
    record review (and not always then)
  • Waiver will not be granted when there will be
    contact with subjects
  • This is similar to criteria for waiver of
    informed consent requirement under the Common
    Rule

24
Altered Authorization
  • HIPAA permits the IRB to approve an altered
    authorization, i.e., one that does not contain
    all of the required elements.
  • Common example: data are being collected via a
    telephone call and obtaining a signature would be
    difficult. In that case, a phone script
    containing all of the other elements of
    authorization would be required, but no signed
    authorization form.
  • It must be impracticable to obtain the element in
    order for the IRB to approve an authorization
    without the element.

25
Limited Data Sets
  • Limited data sets exclude the direct identifiers
    specified under the Privacy Rule, but may include
    the following indirect identifiers: dates related
    to the subject and elements of address (city,
    state, and zip code, but not street address)
  • Limited data sets may be used/disclosed by the
    covered entity for research with a data use
    agreement. A data use agreement is a legal
    contract and requires legally binding signature
    (for UW, generally from Research and Sponsored
    Programs) when data are coming from or going to a
    non-UW-Madison entity.
  • Covered entities do not have to account for
    disclosures of limited data sets.
  • Approved data use agreement form can be found at
    www.wisc.edu/hipaa at the Research Guide link.

26
Decedent PHI
  • Covered entity may use or disclose PHI for
    research involving decedents only with a
    certification by the researcher that
  • Use/disclosure is sought solely for research on
    PHI of decedents
  • Documentation of death of subjects will be
    provided upon request of covered entity
  • Use/disclosure of this PHI is necessary for the
    research
  • An approved form for use of decedent PHI can be
    found at www.wisc.edu/hipaa at the Research Guide
    link.

27
Preparatory to Research Activities
  • Under HIPAA, a covered entity may permit its
    researchers to use or it may disclose to outside
    researchers, PHI for the purpose of certain
    activities that take place for the preparation of
    a protocol (e.g., identifying the number of
    eligible subjects, developing eligibility
    criteria) without subject authorization
  • Includes identifying, but not contacting,
    specific subjects for possible recruitment

28
Preparatory to Research Activities contd
  • In order for a covered entity to disclose PHI to
    outside researchers or to allow its researchers
    to use PHI for preparatory to research
    activities, the researcher must make certain
    written assurances to the covered entity
    (including that the researcher will not remove
    PHI from the covered entity)
  • An approved form for making these written
    assurances can be found at www.wisc.edu/hipaa at
    the Research Guide link.

29
Preparatory to Research contd
  • Note: if, as part of preparatory to research
    activities, a researcher records individually
    identifiable information (i.e., includes
    identifiers in the data collected), this is
    considered research under the Common Rule, and
    may be done only pursuant to an IRB approved
    protocol. Otherwise, preparatory to research
    activity is generally not considered research
    under the Common Rule.

30
Accounting for Certain Disclosures
  • Covered Entities are required under HIPAA to
    provide an accounting of certain disclosures of
    PHI made without the individual's authorization,
    upon the individual's request. With regard to
    research, this includes disclosures made
  • Under waiver of authorization.
  • As preparatory to research activities.
  • As research involving decedents only.
  • Covered Entity not required to account for
    disclosures of limited data sets.

31
Tips for Researchers Outside the Covered Entity
  • Covered Entity will be most willing to disclose
    de-identified data to you (but may charge you to
    create the de-identified data).
  • Covered Entity should be willing to disclose PHI
    to you pursuant to an authorization.
  • Covered Entity will likely be willing to disclose
    PHI to you in the form of a limited data set (but
    may charge you to create the limited data set).
  • Covered Entity may not be willing to disclose PHI
    to you under a waiver, as preparatory to
    research, or as decedent PHI due to the increased
    administrative burden of maintaining the
    accounting of the disclosure.

32
UW HCC/UW ACE Disclosures of PHI for Research
  • At UW, we discourage study designs that require
    the disclosure of PHI under a waiver of
    authorization, as preparatory to research
    activities, or as decedent information.
  • Please contact the IRB or the HIPAA Privacy
    Officer to discuss options if you think such a
    disclosure is necessary for your study.

33
Recruitment
  • Many studies involve the use or disclosure of PHI
    in two phases of the research study
  • 1. For recruitment of subjects (PHI for
    contacting subjects, e.g., name, phone number,
    address, etc.)
  • 2. For the study data itself (PHI related to
    the study question, e.g., diagnosis, treatment,
    etc.).

34
Contacting Potential Subjects
  • Under HIPAA preparatory to research provisions, a
    Covered Entity can disclose PHI to outside
    researchers or permit its own researchers to use
    PHI without authorization to identify, but not
    to contact, potential subjects.
  • However, under a separate HIPAA provision, a
    Covered Entity can permit its own researchers to
    use PHI to contact subjects in order to obtain
    required authorizations (using PHI for this
    purpose is considered a health care operation
    under HIPAA).
  • Note however that UW ethical guidelines would not
    permit a researcher not involved in the health
    care of a potential subject to make a cold
    contact related to research with that potential
    subject. Therefore at UW this provision only
    applies to researchers who are health care
    providers and who contact their own patients.

35
Contacting Potential Subjects contd.
  • Researchers within the UW HCC/ACE who are also
    health care providers for their potential
    subjects are permitted to use PHI, without
    authorization, to contact these potential
    subjects to discuss research and obtain
    authorization for use of study data
  • Researchers (within or outside of the UW HCC/ACE)
    who are not also health care providers must have
    health care providers make initial contact with
    potential subjects/patients. In such cases,
    health care providers may either
  • Give to the potential subjects/patients contact
    information for researchers (so that potential
    subjects can directly contact researchers) or
  • Obtain written authorization from potential
    subjects/patients to share their contact PHI
    directly with researchers (so that the
    researchers can contact the potential subjects).

36
Contacting Potential Subjects Contd.
  • Note that contacting potential subjects for
    recruitment purposes is considered research under
    the Common Rule and may be done only pursuant to
    IRB approved protocol, even if this activity is
    considered a health care operation (not
    research), not requiring authorization, under
    HIPAA.

37
Differences between the Privacy Rule and the
Common Rule
  • HIPAA does not permit authorization to be
    obtained for the use or disclosure of PHI for
    future, unspecified research; the Common Rule
    permits consent for future, unspecified research
    (e.g., tissue bank)
  • De-identification under the Privacy Rule is
    different from data recorded in such a manner
    that subjects cannot be identified under the
    Common Rule (exemption criteria)
  • The Privacy Rule applies to identifiable health
    information of decedents; the Common Rule does
    not apply to decedents
  • The Privacy Rule has a category of activity
    defined as preparatory to research; the Common
    Rule does not

38
Future, Unspecified Research
  • Under HIPAA, creating a database (or tissue
    bank), that includes PHI, for future research is
    one research activity that must meet HIPAA
    requirements and actually using PHI from the
    database (or tissue bank) for a specific study is
    a second research activity that also must meet
    HIPAA requirements.

39
Future, Unspecified Research contd.
  • In practice, researchers often will obtain
    authorization for the creation of a database (or
    tissue bank), but will have to obtain separate
    authorization, or more likely, a waiver of
    authorization (or use a limited data set only) to
    use PHI from the database (or tissue bank) in a
    specific study.

40
Differences Between Identifiers under the HIPAA
and under the Common Rule
  • In general, HIPAA has a broader definition of
    identifiers and includes elements that usually
    have not been considered identifiers under the
    Common Rule, e.g.
  • Dates related to the subject (e.g., birth, death,
    admission, discharge), and also age over 89
  • Zip code
  • Therefore, a researcher can have study data that
    are considered unidentifiable under the Common
    Rule (and meet criteria for exemption), but not
    de-identified under the HIPAA Privacy Rule.
  • E.g., a data set that includes date of admission
    generally would be considered unidentifiable
    under the Common Rule, but identifiable under
    HIPAA.

41
Tips for USE of PHI (from UW ACE/HCC) for Research
  • If you are required to get consent under the
    Common Rule, also obtain authorization under the
    Privacy Rule (the forms can be combined into one,
    requiring a single signature)
  • If you are applying for waiver of consent under
    the Common Rule, also apply for waiver of
    authorization under the Privacy Rule (usually if
    your study meets the conditions for one, your
    study will meet the conditions for the other)

42
Recommendations for Use of PHI (from UW HCC/ACE)
for Research contd.
  • If you are not required to obtain consent under
    the Common Rule (because your research is found
    to be exempt or not human subjects research or
    because you obtained consent for this type of
    research previously)
  • then you want to find a way to avoid having to
    obtain authorization under HIPAA.

43
Recommendations contd.
  • Use de-identified data
  • Use a limited data set (and file a data use
    agreement)
  • Apply for waiver of authorization from IRB (if
    conditions for waiver are met)

44
Example: Exempt under Common Rule Section
46.101(b)(4)
  • Research involving existing data, if the
    information is recorded in such a manner that
    subjects cannot be identified, directly or
    through identifiers linked to the subjects (e.g.,
    data are collected from medical records without
    Common Rule identifiers or a code link)
  • To avoid the requirement for written
    authorization under the Privacy Rule
  • Use de-identified data (as defined under HIPAA)
    or
  • Use a limited data set (and file a data use
    agreement) or
  • Apply for a waiver of authorization (if
    conditions are met).

45
Example: Exempt Under Common Rule Section
46.101(b)(2)
  • Research involving survey or interview procedures
    and information is recorded in such a manner that
    subjects cannot be identified, directly or
    through identifiers linked to subjects
  • To avoid requirement for written authorization
    under the Privacy Rule
  • Collect only de-identified data (as defined under
    HIPAA) or
  • Collect only limited data set (and file data use
    agreement) or
  • Apply for altered authorization (altered to
    remove requirement of signature on authorization
    form)(unlikely such research would qualify for
    full waiver of authorization since there is
    contact with subject)

46
Obtaining PHI for Research from UW HCC/ACE
  • If researcher has access to paper medical records
    or WISCR or other electronic medical record
    system for clinical purposes, researcher is still
    not permitted to use this PHI for research
    purposes unless researcher has met HIPAA and
    Common Rule requirements for doing so.
  • If researcher does not have access to paper
    records or WISCR or other electronic medical
    record system for clinical purposes, unlimited
    access generally will not be granted for research
    purposes, even if research is approved by IRB.
    Researcher will need to work with holder of the
    medical record (e.g., UWHC or UWMF) so that only
    records needed for research can be made available.

47
A Word About the HIPAA Security Rule
  • Applies to electronically stored or transmitted
    PHI, including PHI stored or transmitted for
    research.
  • Requirements of Security Rule are in addition to
    those of the Privacy Rule.
  • Prescribes technical, physical, and
    administrative safeguards for electronic PHI.
  • Applies to electronic PHI databases stored or
    transmitted for research.
  • UW-Madison has a HIPAA Security Officer (Judy
    Caruso in DoIT) and Best Practice Guidelines for
    compliance with the Security Rule (at
    www.wisc.edu/hipaa ).
  • Best advice: consult with your unit's information
    systems staff when deciding how to store and/or
    transmit electronic PHI.

48
QUESTIONS???
  • Consult with IRB staff
  • Consult UW-Madison HIPAA Website
  • www.wisc.edu/hipaa
  • www.wisc.edu/hipaa/researchguide
  • Contact UW-Madison HIPAA Privacy Officer
  • Rebecca Hutton, JD, MS
  • 608-263-7400
  • rchutton@vc.wisc.edu
  • Office of Administrative Legal Services, Room
    361, Bascom Hall