Title: Human Subjects Research Under the HIPAA Privacy Rule and the Common Rule
- Rebecca Hutton, JD, MS
- UW-Madison HIPAA Privacy Officer
- December 2, 2008
Two Main Sources of Federal Regulation of Human Subjects Research
- Common Rule: in effect in its present form since the early 1990s; established IRBs and the requirement for informed consent for participation in research.
- HIPAA Privacy Rule (in effect since April 2003) and Security Rule (in effect since April 2005): cover use and disclosure of individually identifiable health information (called protected health information or PHI), including use and disclosure for research, by covered entities (i.e., most health care providers and health insurers).
Important Definitions in HIPAA
- Protected Health Information: individually identifiable information created or received by a covered entity in any form (written, electronic or spoken) that relates to
  1. past, present, or future physical or mental health or condition of an individual, or
  2. provision of health care to an individual, or
  3. past, present, or future payment for the provision of health care to an individual.
Individually Identifiable
- Any of the following data elements relating to an individual, alone or in conjunction with health, health care, or billing information, constitutes Protected Health Information when held by a Covered Entity.
Identifiers
1. Name
2. Geographic subdivisions smaller than state (i.e., county, town or city, street address, and zip code)
3. All elements of dates (except year) for dates directly related to an individual (e.g., dates of birth, death, admission, and discharge); also all ages over 89
4. Phone numbers
5. Fax numbers
6. E-mail addresses
7. Social security number
8. Medical record number
9. Health plan beneficiary number
10. Account numbers
11. Certificate/license number
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. URLs
15. Internet protocol addresses
16. Biometric identifiers (e.g., fingerprints)
17. Full face photographic and any comparable images
De-Identification
- Requires removal of all identifiers
- Resulting data is not Protected Health Information and not subject to HIPAA
Coded Data
- De-identified data can include a code to permit the Covered Entity to re-identify the data, but:
  - The code cannot be derived from any information about the individual (e.g., cannot be initials or a subset of the social security number).
  - The code cannot be used for any other purpose (e.g., cannot be a pathology identification number).
  - The key to the code cannot be available to those using the de-identified data for research.
Coded Data (cont'd)
- The code key can be used by others (not part of the research team) within the Covered Entity to audit data for accuracy, for example.
Covered Units at UW-Madison (the UW Health Care Component)
- Units that provide health care or have staff that provide health care (e.g., clinical departments of UWSMPH, State Lab of Hygiene)
- Units that use identifiable health information to provide services to HIPAA covered health care provider units (e.g., Office of Administrative Legal Services)
Complete Listing
- A complete listing of all units in the UW health care component (UW HCC) can be found at the UW-Madison HIPAA website at www.wisc.edu/hipaa (in Policy 1.1 in the Privacy Manual).
UW Affiliated Covered Entity
- Many of the units of the UW HCC are also part of an organizational arrangement that includes UWHC and UW Medical Foundation, called the UW Affiliated Covered Entity or UW ACE. The UW ACE is considered to be a single covered entity under HIPAA.
- The UW HCC units that are part of the UW ACE can be found in Policy 1.2 of the Privacy Manual at www.wisc.edu/hipaa.
Privacy Rule and Common Rule
- The main purpose of the research provisions of the Privacy Rule is to protect the privacy of research subjects by informing them in detail about what PHI is required for the research, where it comes from, and where it will be sent.
- The Common Rule focuses on informing subjects about the risks and benefits of the research study.
Privacy Rule and Common Rule (cont'd)
- Requirements of the Privacy Rule are in addition to requirements of the Common Rule.
- Research that is exempt (or not human subjects research) under the Common Rule is still subject to the Privacy Rule; no use/disclosure of PHI by a covered entity is exempt from the Privacy Rule.
Three Ways to Be Affected by HIPAA as a Researcher at UW
1. You are within a UW HIPAA covered unit yourself (then all of your activities, including your research, involving PHI will be covered by all HIPAA provisions), or
2. You are not within a UW HIPAA covered unit yourself, but you are part of a research team for a study headed by a principal investigator who is within the UW HIPAA covered entity (then your activities in connection with that study will be covered by HIPAA), or
3. You are not within a UW HIPAA covered unit yourself, but you need PHI from a covered entity (e.g., UWHC) for a research study (then the covered entity will be required to comply with HIPAA in disclosing the PHI to you).
Example 1
- You have an appointment within the Department of Medicine of the UW School of Medicine and Public Health.
- All of your activities, including research, involving PHI are covered by HIPAA.
Example 2
- You have an appointment in the UWSMPH Department of Population Health Sciences (not covered by HIPAA, so not within the UW HCC), but you are key personnel on a research study with a PI from the Department of Medicine that involves PHI.
- Your activities involving PHI for that study are covered by HIPAA; you must complete HIPAA training, safeguard PHI in compliance with HIPAA, and follow the other rules of HIPAA in using and disclosing the PHI for that study.
Example 3
- You have an appointment in the UWSMPH Department of Population Health Sciences and are the PI on a study; your study needs PHI from the UWHC.
- UWHC, as a HIPAA covered entity, will be required to comply with HIPAA in disclosing the PHI to you.
More Definitions
- USE: means, with respect to PHI, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
- DISCLOSURE: means the release, transfer, provision of access to, or divulging in any other manner of PHI outside the entity holding the information.
Examples
- If you are an employee of the UW HCC/ACE and need PHI from the UW HCC/ACE, the UW HCC/ACE will have to follow the requirements of HIPAA in permitting you to USE PHI.
- If you are an employee of the UW HCC/ACE and you need PHI from a non-UW covered entity (e.g., St. Mary's Hospital), that covered entity will be required to follow the requirements of HIPAA in DISCLOSING PHI to you.
- If you are not an employee of the UW HCC/ACE and you need PHI from any covered entity (including the UW HCC/ACE), that covered entity will need to follow the requirements of HIPAA in DISCLOSING PHI to you.
How To Obtain PHI for Research under HIPAA
1. Obtain written authorization from the subject, or
2. Obtain an IRB approved waiver of authorization, or
3. Limit your analysis to a Limited Data Set and enter into a Data Use Agreement with the HIPAA covered unit holding the PHI, or
4. If your study involves decedents only, complete a certification form for research on PHI of decedents.
Written Authorization
- Required elements are specified by the Privacy Rule.
- The approved research Authorization template can be found at the Health Sciences IRB website or at www.wisc.edu/hipaa under the Research Guide link.
- You can combine the Authorization form with the Consent form into a single form, with a single signature.
Conditions for Approval of Waiver of Authorization by IRB
- Research cannot practicably be conducted without access to and use/disclosure of PHI (i.e., identifiable health information is required for the research),
- Research cannot practicably be conducted without the waiver (i.e., it is impracticable to obtain authorization), and
- Use/disclosure of PHI involves no more than minimal risk to the privacy of subjects, based on the existence of
  - an adequate plan by the PI to protect identifiers from improper use and disclosure,
  - an adequate plan by the PI to destroy identifiers at the earliest opportunity consistent with conduct of the research, and
  - adequate written assurance by the PI that PHI will not be reused or disclosed except as required by law or for authorized oversight of the research.
Note Regarding Waiver
- Generally, it is impracticable to obtain authorization only in the case of retrospective record review (and not always then).
- A waiver will not be granted when there will be contact with subjects.
- This is similar to the criteria for waiver of the informed consent requirement under the Common Rule.
Altered Authorization
- HIPAA permits the IRB to approve an altered authorization, i.e., one that does not contain all of the required elements.
- Common example: data are being collected via a telephone call and obtaining a signature would be difficult. In that case, a phone script containing all of the other elements of authorization would be required, but no signed authorization form.
- It must be impracticable to obtain the element in order for the IRB to approve an authorization without the element.
Limited Data Sets
- Limited data sets exclude the direct identifiers specified under the Privacy Rule, but may include the following indirect identifiers: dates related to the subject and elements of address, including zip code.
- Limited data sets may be used/disclosed by the covered entity for research with a data use agreement. A data use agreement is a legal contract and requires a legally binding signature (for UW, generally from Research and Sponsored Programs) when data are coming from or going to a non-UW-Madison entity.
- Covered entities do not have to account for disclosures of limited data sets.
- The approved data use agreement form can be found at www.wisc.edu/hipaa under the Research Guide link.
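The identifier list, the de-identification and coded-data rules, and the limited data set distinction above, worked through on a record as an added example (not the slide author's or UW's code). The field names, the sample record and the way the re-identification key is held apart are constructed assumptions for illustration.

```python
"""Safe Harbor de-identification vs. limited data set vs. coded data, per the slides."""
import secrets
from datetime import date

# Constructed sample record: every value below is fictional, not real patient data.
RECORD = {
    "name": "Jane Q. Sample",
    "street": "123 Example St",
    "city": "Madison",
    "state": "WI",
    "zip": "53706",
    "dob": "1917-04-12",
    "admission": "2008-11-30",
    "phone": "608-555-0100",
    "email": "jane@example.invalid",
    "mrn": "MRN-000123",
    "diagnosis": "hypertension",
}

# Direct identifiers (Identifiers slide): removed for de-identified data AND limited data sets.
DIRECT = {"name", "street", "phone", "fax", "email", "ssn", "mrn", "beneficiary",
          "account", "license", "vin", "device_id", "url", "ip", "biometric", "photo"}
# Indirect identifiers (Limited Data Sets slide): may stay in a limited data set,
# but must go for Safe Harbor de-identification. State is not "smaller than state".
GEO = {"city", "county", "zip"}
DATES = {"dob", "admission", "discharge", "death"}

def age_on(dob: str, as_of: date) -> int:
    """Whole years between ISO date string dob and as_of."""
    d = date.fromisoformat(dob)
    return as_of.year - d.year - ((as_of.month, as_of.day) < (d.month, d.day))

def de_identify(record: dict, as_of: date) -> dict:
    """Drop all listed identifiers, keep only the year of dates, cap age at 89."""
    out = {}
    for k, v in record.items():
        if k in DIRECT or k in GEO:
            continue
        if k in DATES:
            out[k + "_year"] = date.fromisoformat(v).year  # year alone is permitted
        else:
            out[k] = v
    if "dob" in record:
        age = age_on(record["dob"], as_of)
        out["age"] = "90+" if age > 89 else age  # ages over 89 are themselves an identifier
    return out

def limited_data_set(record: dict) -> dict:
    """Remove direct identifiers only; dates, city and zip stay (requires a data use agreement)."""
    return {k: v for k, v in record.items() if k not in DIRECT}

def code_record(record: dict, as_of: date) -> tuple:
    """Attach a random re-identification code; the key stays with the covered entity.

    The code is random (not derived from the subject) and used for nothing else,
    and the returned key must never be handed to the research team.
    """
    code = secrets.token_hex(8)
    out = de_identify(record, as_of)
    out["code"] = code
    return out, {code: record["mrn"]}

if __name__ == "__main__":
    today = date(2008, 12, 2)
    print(de_identify(RECORD, today))
    print(limited_data_set(RECORD))
```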
Decedent PHI
- A covered entity may use or disclose PHI for research involving decedents only with a certification by the researcher that
  - use/disclosure is sought solely for research on PHI of decedents,
  - documentation of the death of subjects will be provided upon request of the covered entity, and
  - use/disclosure of this PHI is necessary for the research.
- An approved form for use of decedent PHI can be found at www.wisc.edu/hipaa under the Research Guide link.
Preparatory to Research Activities
- Under HIPAA, a covered entity may permit its researchers to use, or it may disclose to outside researchers, PHI for the purpose of certain activities that take place for the preparation of a protocol (e.g., identifying the number of eligible subjects, developing eligibility criteria) without subject authorization.
- Includes identifying (but not contacting) specific subjects for possible recruitment.
Preparatory to Research Activities (cont'd)
- In order for a covered entity to disclose PHI to outside researchers or to allow its researchers to use PHI for preparatory to research activities, the researcher must make certain written assurances to the covered entity (including that the researcher will not remove PHI from the covered entity).
- An approved form for making these written assurances can be found at www.wisc.edu/hipaa under the Research Guide link.
Preparatory to Research (cont'd)
- Note: if, as part of preparatory to research activities, a researcher records individually identifiable information (i.e., includes identifiers in the data collected), this is considered research under the Common Rule, and may be done only pursuant to an IRB approved protocol. Otherwise, preparatory to research activity is generally not considered research under the Common Rule.
Accounting for Certain Disclosures
- Covered Entities are required under HIPAA to provide an accounting of certain disclosures of PHI made without the individual's authorization, upon the individual's request. With regard to research, this includes disclosures made
  - under a waiver of authorization,
  - as preparatory to research activities, and
  - as research involving decedents only.
- A Covered Entity is not required to account for disclosures of limited data sets.
Tips for Researchers Outside the Covered Entity
- A Covered Entity will be most willing to disclose de-identified data to you (but may charge you to create the de-identified data).
- A Covered Entity should be willing to disclose PHI to you pursuant to an authorization.
- A Covered Entity will likely be willing to disclose PHI to you in the form of a limited data set (but may charge you to create the limited data set).
- A Covered Entity may not be willing to disclose PHI to you under a waiver, as preparatory to research, or as decedent PHI, due to the increased administrative burden of maintaining the accounting of the disclosure.
UW HCC/UW ACE Disclosures of PHI for Research
- At UW, we discourage study designs that require the disclosure of PHI under a waiver of authorization, as preparatory to research activities, or as decedent information.
- Please contact the IRB or the HIPAA Privacy Officer to discuss options if you think such a disclosure is necessary for your study.
Recruitment
- Many studies involve the use or disclosure of PHI in two phases of the research study:
  1. For recruitment of subjects (e.g., PHI for contacting subjects, such as name, phone number, address, etc.)
  2. For the study data itself (e.g., PHI related to the study question, such as diagnosis, treatment, etc.)
Contacting Potential Subjects
- Under the HIPAA preparatory to research provisions, a Covered Entity can disclose PHI to outside researchers, or permit its own researchers to use PHI, without authorization to identify (but not to contact) potential subjects.
- However, under a separate HIPAA provision, a Covered Entity can permit its own researchers to use PHI to contact subjects in order to obtain required authorizations (using PHI for this purpose is considered a health care operation under HIPAA).
- Note, however, that UW ethical guidelines would not permit a researcher not involved in the health care of a potential subject to make a cold contact related to research with that potential subject. Therefore, at UW this provision only applies to researchers who are health care providers and who contact their own patients.
Contacting Potential Subjects (cont'd)
- Researchers within the UW HCC/ACE who are also health care providers for their potential subjects are permitted to use PHI, without authorization, to contact these potential subjects to discuss research and obtain authorization for use of study data.
- Researchers (within or outside of the UW HCC/ACE) who are not also health care providers must have health care providers make initial contact with potential subjects/patients. In such cases, health care providers may either
  - give the potential subjects/patients contact information for the researchers (so that potential subjects can directly contact the researchers), or
  - obtain written authorization from potential subjects/patients to share their contact PHI directly with the researchers (so that the researchers can contact the potential subjects).
Contacting Potential Subjects (cont'd)
- Note that contacting potential subjects for recruitment purposes is considered research under the Common Rule and may be done only pursuant to an IRB approved protocol, even if this activity is considered a health care operation (not research), not requiring authorization, under HIPAA.
Differences between the Privacy Rule and the Common Rule
- HIPAA does not permit authorization to be obtained for the use or disclosure of PHI for future, unspecified research; the Common Rule permits consent for future, unspecified research (e.g., tissue bank).
- De-identification under the Privacy Rule is different from data "recorded in such a manner that subjects cannot be identified" under the Common Rule (exemption criteria).
- The Privacy Rule applies to identifiable health information of decedents; the Common Rule does not apply to decedents.
- The Privacy Rule has a category of activity defined as preparatory to research; the Common Rule does not.
Future, Unspecified Research
- Under HIPAA, creating a database (or tissue bank) that includes PHI for future research is one research activity that must meet HIPAA requirements, and actually using PHI from the database (or tissue bank) for a specific study is a second research activity that also must meet HIPAA requirements.
Future, Unspecified Research (cont'd)
- In practice, researchers often will obtain authorization for the creation of a database (or tissue bank), but will have to obtain separate authorization or, more likely, a waiver of authorization (or use a limited data set only) to use PHI from the database (or tissue bank) in a specific study.
Differences Between Identifiers under HIPAA and under the Common Rule
- In general, HIPAA has a broader definition of identifiers and includes elements that usually have not been considered identifiers under the Common Rule, e.g.:
  - dates related to the subject (e.g., birth, death, admission, discharge); also age over 89
  - zip code
- Therefore, a researcher can have study data that are considered unidentifiable under the Common Rule (and meet the criteria for exemption), but not de-identified under the HIPAA Privacy Rule.
- E.g., a data set that includes date of admission generally would be considered unidentifiable under the Common Rule, but identifiable under HIPAA.
Tips for USE of PHI (from UW ACE/HCC) for Research
- If you are required to get consent under the Common Rule, also obtain authorization under the Privacy Rule (the forms can be combined into one, requiring a single signature).
- If you are applying for a waiver of consent under the Common Rule, also apply for a waiver of authorization under the Privacy Rule (usually, if your study meets the conditions for one, your study will meet the conditions for the other).
Recommendations for Use of PHI (from UW HCC/ACE) for Research (cont'd)
- If you are not required to obtain consent under the Common Rule (because your research is found to be exempt or not human subjects research, or because you obtained consent for this type of research previously), then you want to find a way to avoid having to obtain authorization under HIPAA.
Recommendations (cont'd)
- Use de-identified data
- Use a limited data set (and file a data use agreement)
- Apply for a waiver of authorization from the IRB (if the conditions for waiver are met)
Example: Exempt under Common Rule Section 46.101(b)(4)
- Research involving existing data, if the information is recorded in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects (e.g., data are collected from medical records without Common Rule identifiers or a code link)
- To avoid the requirement for written authorization under the Privacy Rule:
  - Use de-identified data (as defined under HIPAA), or
  - Use a limited data set (and file a data use agreement), or
  - Apply for a waiver of authorization (if conditions are met).
Example: Exempt under Common Rule Section 46.101(b)(2)
- Research involving survey or interview procedures where the information is recorded in such a manner that subjects cannot be identified, directly or through identifiers linked to subjects
- To avoid the requirement for written authorization under the Privacy Rule:
  - Collect only de-identified data (as defined under HIPAA), or
  - Collect only a limited data set (and file a data use agreement), or
  - Apply for an altered authorization (altered to remove the requirement of a signature on the authorization form). It is unlikely such research would qualify for a full waiver of authorization, since there is contact with the subject.
Obtaining PHI for Research from UW HCC/ACE
- If a researcher has access to paper medical records or WISCR or another electronic medical record system for clinical purposes, the researcher is still not permitted to use this PHI for research purposes unless the researcher has met the HIPAA and Common Rule requirements for doing so.
- If a researcher does not have access to paper records or WISCR or another electronic medical record system for clinical purposes, unlimited access generally will not be granted for research purposes, even if the research is approved by the IRB. The researcher will need to work with the holder of the medical record (e.g., UWHC or UWMF) so that only the records needed for the research can be made available.
A Word About the HIPAA Security Rule
- Applies to electronically stored or transmitted PHI, including PHI stored or transmitted for research.
- Requirements of the Security Rule are in addition to those of the Privacy Rule.
- Prescribes technical, physical, and administrative safeguards for electronic PHI.
- Applies to electronic PHI databases stored or transmitted for research.
- UW-Madison has a HIPAA Security Officer (Judy Caruso in DoIT) and Best Practice Guidelines for compliance with the Security Rule (at www.wisc.edu/hipaa).
- Best advice: consult with your unit's information systems staff when deciding how to store and/or transmit electronic PHI.
QUESTIONS???
- Consult with IRB staff
- Consult the UW-Madison HIPAA Website
  - www.wisc.edu/hipaa
  - www.wisc.edu/hipaa/researchguide
- Contact the UW-Madison HIPAA Privacy Officer
  - Rebecca Hutton, JD, MS
  - 608-263-7400
  - rchutton_at_vc.wisc.edu
  - Office of Administrative Legal Services, Room 361, Bascom Hall