CUNY Research and HIPAA after August 2002 Privacy Rule CUNY Research Training Session March 27, 2003

1
CUNY Research and HIPAAafter August 2002
Privacy RuleCUNY Research Training
SessionMarch 27, 2003

• Presented by
• Mark Barnes

2
CUNY Training Topics

• Overview of the HIPAA Privacy Regulations
• Who is a Covered Entity Under HIPAA and Who is
  Not
• Overview of CUNY Researchers Obligations if
  Research Involves a Covered Entitys Protected
  Health Information
• The HIPAA Challenge for Researchers
• HIPAA Authorization for Research
• New HIPAA forms and IRB procedures for Research
  Without Authorization
• Impact of HIPAA on Exempt Research
• Impact of HIPAA on Database/Repository Research
• Accounting for Disclosures and Transition Rules
• CUNY HIPAA contacts Richard Malina
  (Richard.Malina_at_mail.cuny.edu) and Jane Davis
  (Jane.Davis_at_mail.cuny.edu)

3
Overview of HIPAA Privacy Regulations

• HIPAA Health Insurance Portability and
  Accountability Act of 1996
• HIPAA required Congress to enact comprehensive
  health information privacy law by August 21,
  1999 if Congress failed to act by that date,
  U.S. Department of Health and Human Services
  (HHS) was required to issue regulations
  addressing privacy of health information
• Proposed regulations published November 3, 1999
  (64 Fed. Reg. 59918) HHS received approximately
  53,000 comments

4
Overview of HIPAA Privacy Regulations (cont.)

• Final regulations published December 28, 2000
  (65 Fed. Reg. 82462)
• Comment period was reopened and additional
  comments were received until March 30, 2001
• NPRM issued 3/27/02 to modify some essential
  provisions, including those relating to research.
  New 30-day comment period, ended April 26, 2002
• Final Rule issued August 14, 2002 compliance by
  April 14, 2003
• Civil and criminal penalties for violations

5
Who is a Covered Entity Under HIPAA?

• Health plans, health care clearinghouses, and
  health care providers that transmit health
  information electronically in a HIPAA transaction
  (e.g., billing)
• A Covered Entity and its employees, agents and
  professional staff may not use/disclose
  health/mental health information for research
  without authorization or waiver of authorization
  (limited exceptions)
• CUNY is not a Covered Entity, but CUNY
  researchers may obtain or use health/mental
  information from, or within, or as agents or
  employees of, a Covered Entity

6
Who is a Covered Entity Under HIPAA? (cont.)

• Examples
• CUNY Faculty member with clinical appointment at
  hospital or private clinical practice that is
  HIPAA-covered
• CUNY student who works as intern or trainee at
  hospital or psychology practice or in social
  service agency setting that is HIPAA-covered
• Each must comply with HIPAA with respect to
  his/her activities in the Covered Entity setting,
  including research

7
Overview of CUNY Researchers Obligations if
Research Involves a CEs PHI

• Even though CUNY itself is not a Covered Entity,
  CUNY research must comply with HIPAA when
• CUNY Investigator accesses, obtains, or uses a
  CEs patient/client information for research
• CUNY Investigator creates health-related
  information at CEs site, enrolls a CEs
  patients/clients in a study, or collaborates with
  a HIPAA-covered co-investigator
• Revised CUNY IRB application form now includes
  questions to elicit whether Covered Entities are
  involved in CUNY research

8
The HIPAA Challenge for Researchers

• The HIPAA Privacy Regulations establish a
  stringent and complex new regime that governs all
  uses and disclosures of protected health
  information (PHI)

9
The HIPAA Challenge for Researchers (cont.)

• Protected Health Information (PHI) is any
  health information that
• Is created by or received by a Covered Entity or
  an employer and
• Relates to the past, present, or future (e.g.,
  genetic predisposition) physical or mental health
  or condition of an individual the provision of
  health care to an individual or the past,
  present, or future payment for the provision of
  health care to an individual and

10
The HIPAA Challenge for Researchers (cont.)

• Protected Health Information (PHI) is any
  health information that (cont.)
• Identifies the individual or with respect to
  which there is a reasonable basis to believe the
  information can be used to identify the
  individual and
• Is electronically maintained or transmitted, or
  in oral or written form

11
The HIPAA Challenge for Researchers (cont.)

• Basic Rule No Use or Disclosure of PHI Except
• For treatment, payment and health care
  operations (TPO)
• Good faith effort to obtain patient
  acknowledgement of receipt of notice of privacy
  practices required
• Research is not TPO

12
The HIPAA Challenge for Researchers (cont.)

• Basic Rule No Use or Disclosure of PHI Except
  (cont.)
• With written patient authorization (which must
  specify who can use/disclose the PHI, to whom the
  PHI may be disclosed, what PHI may be
  used/disclosed, the purpose of the
  use/disclosure, and the duration of the
  authorization, in the form of an expiration date
  or an event)
• This is the primary method of HIPAA research
  compliance

13
The HIPAA Challenge for Researchers (cont.)

• Basic Rule No Use or Disclosure of PHI Except
  (cont.)
• When a regulatory exception applies (e.g., public
  health reporting in emergencies/ disasters, to
  identify patients or locate family members)

14
The HIPAA Challenge for Researchers (cont.)

• De-identified data (under HIPAA) are not
  equivalent to anonymous data (under Common
  Rule)
• De-identified data are not PHI Cannot have any
  of the following 18 HIPAA identifiers
• Names
• Geographic subdivisions smaller than a State
• Dates (except year) directly related to patient
• Telephone numbers
• Fax numbers

15
The HIPAA Challenge for Researchers (cont.)

• 18 HIPAA identifiers (cont.)
• E-mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers

16
The HIPAA Challenge for Researchers (cont.)

• 18 HIPAA identifiers (cont.)
• Web URLs
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice
  prints
• Full face photographic images and any comparable
  images
• Any other unique identifying number,
  characteristic, or code, except as permitted
  under HIPAA to re-identify data

17
HIPAA and Research

• HIPAA Privacy Regulations have many specialized
  rules and exceptions, including rules
  particularly applicable to research activities
• Under HIPAA research means a systematic
  investigation, including research development,
  testing, and evaluation, designed to develop or
  contribute to generalizable knowledge. 45
  C.F.R. 164.501. Same definition as Common
  Rule, but note no exemptions available under
  HIPAA

18
Exempt Research must meet HIPAA Requirements

• If you are conducting research under an IRB
  exemption, and the research involves access to,
  or use of, patient information (including labeled
  or coded specimens) from a covered entity, your
  research will likely require HIPAA authorization
  or waiver of authorization (see 3/12/03 Schaffer
  memo)
• You must cease enrolling new subjects and
  collecting data on and after April 14, 2003 and
  submit an application for HIPAA waiver to the
  CUNY IRB for approval you may also need waiver
  from CEs IRB or Privacy Board

19
Research Activities/Clinical Trials Under HIPAA

• HIPAA requirements for research are applicable
  regardless of source of funding
• If FDA and/or HHS regulations are not applicable
  to the research study at issue but the study
  involves PHI, the covered entity is still bound
  by HIPAA Privacy Regulations

20
Research Activities/Clinical Trials Under HIPAA
(cont.)

• Research disclosure policies must be included in
  covered entitys Notice of Privacy Practices
• From Sample Notice of Privacy Practices
• Research.
• In most cases, we will ask for your written
  authorization before using your health
  information or sharing it with others in order to
  conduct research. However, under some
  circumstances, we may use and disclose your
  health information without your written
  authorization. To do this, we are required to
  obtain approval through a special process to
  ensure that research without your written
  authorization poses minimal risk to your privacy.
  Under no circumstances, however, would we allow
  researchers to use your name or identity
  publicly.
• We may also release your health information
  without your written authorization to people who
  are preparing a future research project, so long
  as any information identifying you does not leave
  our facility. In the unfortunate event of your
  death, we may share your health information with
  people who are conducting research using the
  information of deceased persons, as long as they
  agree not to remove from our facility any
  information that identifies you.

21
HIPAA Patient Authorization for Research

• HIPAA will generally require express patient
  authorization for use or disclosure of PHI in
  research activities subject to several exceptions
  (discussed below)
• The CUNY IRB has a model HIPAA Authorization Form
  for use in research involving PHI (i.e., personal
  health or mental health information from a
  Covered Entity)
• All forms referenced in this presentation are
  available at www.cuny.edu on the Faculty and
  Staff page under Research and Funding

22
HIPAA Patient Authorization for Research (cont.)

• The CUNY IRB will review both the authorization
  and informed consent form with the protocol
  submission
• The investigator is primarily responsible for
  ensuring that the information in the
  authorization form is accurate and complete

23
HIPAA Patient Authorization for Research (cont.)
CUNY IRB HIPAA RESEARCH AUTHORIZATION Subject/Cl
ient/Patient Name_______________________ ID
Number_________________ Study___________________
__________________________________________________
__ IRB Protocol No. ________________
CUNY Institution______________________ We
understand that information about you and your
health is personal. We are committed to
protecting the privacy of that information.
Federal regulations and our commitment to your
privacy require that we obtain your written
authorization before we may use or disclose your
protected health information for the research
purposes described below. This form provides
that authorization and helps us make certain that
you are properly informed of how this information
will be used or disclosed. Please read the
information below carefully before signing this
form.
24
HIPAA Patient Authorization for Research (cont.)

• USE AND DISCLOSURE COVERED BY THIS AUTHORIZATION
• ___________ CUNY Researcher must answer these
  questions completely before providing this
  authorization form to you. DO NOT SIGN A BLANK
  FORM. You or your personal representative should
  read the descriptions below before signing this
  form.
• What information will be used or disclosed for
  the research? The appropriate boxes should be
  checked below and the descriptions should be in
  enough detail so that you (or any organization
  that will use or disclose information pursuant to
  this authorization) can understand what
  information may be used or disclosed.
• ______Any medical, treatment, or research records
  held by __________ list covered entity from whom
  records are sought may be used and/or disclosed.
  
• ______The following information

25
HIPAA Patient Authorization for Research (cont.)

• Who will disclose, receive, and/or use the
  information while it is in individually
  identifiable form? This research authorization
  form will authorize the following person(s),
  class(es) of persons, and/or organization(s) to
  disclose, use, and/or receive the information in
  connection with the research
• __________ CUNY Principal Investigator and his
  or her research staff, which may include
  _____________ College students
• The following co-investigators list names and
  institutions and members of their research
  staffs _________________________________________
  _________________
• Statisticians at the following institutions
  ______________________________________
• The members and staff of the _____________
  College Institutional Review Board and other
  CUNY officials and staff who oversee research
• Government authorities or agencies that oversee
  research
• The members and staff of the Institutional Review
  Boards at participating research sites
  ______________________________________________
  list each co-investigators site
• Others (as described below)
• If not specifically listed above, you also
  authorize the following persons or institutions
  that maintain records about you to disclose the
  information described above for the purpose of
  this research

26
HIPAA Patient Authorization for Research (cont.)

• SPECIFIC UNDERSTANDINGS
• By signing this research authorization form, you
  authorize the use and/or disclosure of your
  protected health information as described above.
  The purpose for the uses and disclosures you are
  authorizing is to conduct the research project
  explained to you during the informed consent
  process and to ensure that the information
  relating to that research is available to all
  parties who may need it for research purposes.
• Many of the recipients listed in this form have
  legal or professional obligations to protect the
  confidentiality of your information. If,
  however, your information is disclosed to persons
  or organizations that are not required by state
  or federal law to protect the privacy of the
  information, such persons or organizations could
  reuse or redisclose the information without
  penalty under those laws. For this reason, it is
  the policy of the _____________ College IRB
  that investigators ask all recipients of your
  information to agree to treat your information as
  confidential.
• You have a right to refuse to sign this
  authorization. Your health care, the payment for
  your health care, and your health care benefits
  will not be affected if you do not sign this
  form.
• If you sign this authorization, you will have the
  right to revoke it at any time. However, your
  revocation would not apply to the extent that
  ____________________ name covered entity and
  the investigators in this research have already
  taken action based upon your authorization or
  need the information to complete analysis and
  reports of data for this research. This
  authorization will never expire unless and until
  you revoke it. To revoke this authorization,
  please write to _________________________ insert
  the name and address of the CUNY Principal
  Investigator and the responsible person or
  department at the covered entity.
• A copy of this form will be provided to you after
  you have signed it.

27
HIPAA Patient Authorization for Research (cont.)

• SIGNATURE
• I have read this form and all of my questions
  about this form have been answered. I understand
  that, if I have questions about this form in the
  future, they will also be answered. By signing
  below, I acknowledge that I have read and accept
  all of the above.
• _________________________________________
• Signature of Subject or Personal Representative
• _________________________________________
• Print Name of Subject or Personal Representative
• _________________________________________
• Date
• Description of Personal Representatives
  Authority
• CONTACT INFORMATION
• The contact information of the subject or
  personal representative who signed this form
  should be filled in below.
• Address ____________________________________
  __________________________________________________
  __________________________________Telephone______
  _____________ (daytime)
• _________________ (evening) Email Address
  (optional)____________________________
• THE SUBJECT OR HIS OR HER PERSONAL REPRESENTATIVE
  MUST BE PROVIDED WITH A COPY OF THIS FORM AFTER
  IT HAS BEEN SIGNED.

28
HIPAA Patient Authorization for Research (cont.)

• Revocation of Authorization Cannot revoke
  authorization to the extent that action has been
  taken in reliance on the authorization
• Example no requirement to re-identify and
  separate out blinded information based upon
  patients revocation

29
HIPAA Patient Authorization for Research (cont.)

• Reliance defined broadly under August 2002 Rule
  to include
• Accounting for subjects withdrawal from study
• Supporting FDA applications
• Reporting adverse events

30
HIPAA Patient Authorization for Research (cont.)

• PHI From Other Covered Entities
• Research authorization form should include broad
  grant of access so that investigators may receive
  PHI from other covered entities who or which have
  treated the patient, when that PHI is required
  for the research

31
HIPAA Patient Authorization for Research (cont.)

• Disclosing Who Will Receive PHI
• HIPAA requires that study sponsors (where
  applicable) and/or PIs, research staff (and other
  sites in cases of multi-center trials) or related
  entities all be named in the authorization form
  as parties to whom or to which PHI will be
  transferred, and by whom or by which that PHI may
  be used
• The CUNY authorization form includes a checklist
  investigator must specify others not listed
• If not listed, may be unable to receive or use
  PHI

32
Parties to the Research

• Diagram of a Multi-Site Research Study
• Who is using, receiving, and/or disclosing the
  data?
• Are the data identifiable? Is any site a Covered
  Entity?

Sponsor
OHRP
Consulting Statistician
IRB 4
Site 5 Social Service Agency
Site 4 Medical Center
IRB 5
Site 3 Community Clinic
CUNY-IRB
CUNY Student RAs
IRB 3
IRB 2
Site 2 Psychiatric Hospital
Co-PI/ MD
Site 1 Psychology Practice
CUNY PI
MDs
START
33
HIPAA Patient Authorization for Research (cont.)

• Separate authorization form required for
  use/disclosure of psychotherapy notes
• Notes of treatment conversations maintained
  separate from the medical/treatment record
• IRB may not waive authorization for
  use/disclosure
• General authorization form also may be advisable
  in psychotherapy research
• Additional authorization language required by NYS
  law for disclosure of HIV-related information

34
HIPAA Patient Authorization for Research

• CUNY model authorization also includes
• Possibility of redisclosure of information
• Right to refuse to sign and consequences
• Right to revoke and limitations on that right
• Expiration provision authorization does not
  expire subject must revoke in writing
• Authorization is preferably separate from
  research informed consent

35
HIPAA Patient Authorization for Research (cont.)

• Important that information presented to subjects
  in the informed consent process is consistent
  with what they are asked to authorize through the
  HIPAA authorization form
• Confidentiality section of informed consent
  should reference HIPAA authorization
• Use of another Covered Entitys Authorization
• If CUNY researcher is part of the CE (and thus
  liable for HIPAA violations), the researcher must
  review the CEs form thoroughly for the presence
  of all required elements
• If CUNY researcher is not part of the CE, use the
  CEs form unless clearly deficient

36
Use of PHI in Research Without Authorization

• Covered entity may use or disclose PHI for
  research purposes (and thus may permit CUNY
  researcher to use and disclose PHI for research
  purposes) without an individuals authorization
  in the following circumstances

37
Use of PHI in Research Without Authorization
(cont.)

• Purposes preparatory to research (i.e., to assess
  feasibility of research or formulate a research
  hypothesis), if the investigator (submits form)
  makes the following representations
• Use or disclosure sought solely to review PHI as
  necessary to prepare a research protocol (or for
  similar preparatory purposes)
• No PHI will be removed from the covered entity by
  the researcher during the review
• PHI for which use or access is sought is
  necessary for the research purposes

38
Use of PHI in Research Without Authorization
(cont.)

• Procedure for Review Preparatory to Research
• Complete CEs form containing researcher
  representations
• Submit form to CEs Privacy Officer for approval
• Provide copy of approved application to CEs data
  custodian (e.g., Medical Records)

39
Use of PHI in Research Without Authorization
(cont.)

• Research on decedents information, if the
  investigator makes the following representations
• Use or disclosure sought solely for research on
  the PHI of decedents
• Documentation, at the request of the covered
  entity, of the death of such individuals
• PHI for which use or disclosure is sought is
  necessary for the research purposes

40
Use of PHI in Research Without Authorization
(cont.)

• Procedure for research on decedents information
• Complete the CEs form containing researcher
  representations
• Submit completed form to CEs Privacy Officer for
  approval
• Present copy of completed form to CEs data
  source (e.g., Medical Records).

41
Use of PHI in Research Without Authorization
(cont.)

• Covered Entities may use or disclose limited
  data set without authorization or waiver
• A limited data set under HIPAA is PHI (not
  considered de-identified under HIPAA), but uses
  are restricted to
• Research
• Operations
• Public health purposes
• Limited data sets may include dates of treatment,
  addresses (but not specific street address),
  birth dates
• 16 HIPAA direct identifiers must be removed
• Data Use Agreement required

42
Use of PHI in Research Without Authorization
(cont.)

• If investigators are conducting research that may
  be performed using a limited data set, they
  should contact the IRB office of the CE regarding
  gaining access to the LDS
• The IRB office of the CE will work with the
  investigator to execute a Data Use Agreement

43
Use of PHI in Research Without Authorization
(cont.)

• Waiver of an authorization or an alteration of
  authorization is approved upon a signed,
  documented determination by the IRB in accordance
  with criteria required by HIPAA (discussed below)
• The CUNY IRB will review HIPAA waiver and
  alteration requests for CUNY research using PHI

44
IRB Approval of Waiver of Authorization

• Waiver or alteration determination by IRB may be
  done on expedited review basis (in accordance
  with Common Rule and/or FDA requirements for
  expedited review by an IRB)
• Expedited review most likely to be used in cases
  of research involving retrospective chart
  reviews IRBs should refrain, for first few
  months of compliance, from using expedited
  reviews here
• IRB may partially waive authorization to allow
  use of PHI to recruit study subjects (but this
  would not serve as a waiver of authorization for
  the conduct of the study need to either get
  authorization or a second IRB waiver)

45
IRB Approval of Waiver of Authorization (cont.)

• IRB written documentation must indicate that the
  waiver of patient authorization satisfies the
  three criteria set forth in Final Rule
• Final Rule Waiver Criteria
• Use or disclosure involves no more than minimal
  risk to privacy of the subject based on, at least
• Adequate plan to protect the information from
  improper use and disclosure
• Adequate plan to destroy identifiers
• Written assurances that the PHI will not be
  disclosed further than set forth in the waiver

46
IRB Approval of Waiver of Authorization (cont.)

• Final Rule Waiver Criteria (cont.)
• The research could not practicably be conducted
  without the waiver or alteration
• The research could not practicably be conducted
  without access to and use of the PHI

47
IRB Approval of Waiver of Authorization (cont.)

• 3 waiver criteria track aspects of HHS Common
  Rules requirements for waiving patient informed
  consent
• Minimal risk
• No adverse effects
• Research not possible without waiver
• In HIPAA, 3 waiver criteria relate only to
  privacy (minimal risk refers to privacy risk
  only), not to all research risk

48
IRB Approval of Waiver of Authorization (cont.)

• Procedure for seeking waiver or alteration of
  authorization
• Complete CUNY waiver application and include with
  protocol submission to CUNY IRB
• Present signed documentation of IRB waiver
  approval to data source (e.g., Medical Records)
  to obtain PHI for the research
• Data source may rely upon CUNY IRB waiver or
  require review by its own IRB/PB

49
IRB Approval of Waiver of Authorization (cont.)

• CUNY Application for Waiver
• Please Complete the Following
• TO Chair, _____________ College IRB
• FROM __________________________
• (Investigator Name)
• __________________________
• (CUNY Institution/Department)
• __________________________
• (Investigator's Telephone Number)
• DATE ____________________________
• PROJECT _________________________
• PURPOSE OF STUDY Give a brief description of
  the study and attach a copy of the full protocol
  to this Request Form.
• DESCRIPTION OF PROTECTED HEALTH INFORMATION THAT
  IS NEEDED FOR THIS STUDY
• .

50
IRB Approval of Waiver of Authorization (cont.)

• WHO ARE THE INDIVIDUALS OR ENTITIES COVERED UNDER
  HIPAA THAT WILL BE CREATING, MAINTAINING, USING
  OR PROVIDING THE PROTECTED HEALTH INFORMATION?
• WHO WILL HAVE ACCESS TO THE PROTECTED HEALTH
  INFORMATION? Describe each person and
  organization by name or category. Examples
  include the research sponsor, the investigator,
  the research staff, and all research monitors.
• DESCRIBE THE RISKS TO PRIVACY INVOLVED IN THIS
  STUDY
• What identifiers will be observed, collected and
  stored? Please indicate on Attachment 2 which
  identifiers will be observed, collected and
  stored, and which identifiers will not be needed
  for your research.
• Who will have access to identified information?
• How will access to study data be controlled?
• Who will monitor access to study data?
• Where will identified information be stored?
• .

51
IRB Approval of Waiver of Authorization (cont.)

• PLAN FOR DESTROYING IDENTIFIERS Describe how,
  by whom and when identifiers will be destroyed.
  
• IF ALTERATION OF CUNYS STANDARD HIPAA
  AUTHORIZATION FORM (INSTEAD OF A WAIVER) IS
  REQUESTED, EXPLAIN HOW THE FORM OF AUTHORIZATION
  WOULD BE ALTERED AND ATTACH THE FORM OF
  AUTHORIZATION THAT YOU WOULD PROPOSE TO USE
• EXPLAIN WHY THE STUDY PRESENTS NO MORE THAN A
  "MINIMAL RISK" TO PRIVACY
• IMPRACTICABILITY OF OBTAINING AUTHORIZATION
  Describe why it would be impracticable to obtain
  each subjects authorization for use and/or
  disclosure of his or her data or to obtain
  authorization by using CUNYs standard HIPAA
  Authorization form.
• IMPRACTICABILITY OF THE RESEARCH WITHOUT PHI
  Describe why the research could not practicably
  be carried out without the use of PHI.
• .

52
IRB Approval of Waiver of Authorization (cont.)

• 
  
• INVESTIGATOR'S ASSURANCES
• I will not use the protected health information
  (PHI) for which I have requested this Waiver or
  Alteration of HIPAA Authorization other than as
  described in this application form, or disclose
  the PHI to any person or entity other than those
  listed above, except as required by law, for
  authorized oversight of this research study, or
  as specifically approved for use in another study
  by an IRB. I also assure the IRB that the PHI
  for which I have requested this waiver or
  alteration is the minimum amount of PHI necessary
  for the research purpose described in this
  application.
• ____________________________
• Signature of Investigator
• ____________________________
• Date
• CUNY IRB Action
• Waiver/Alteration Request Approved
• Waiver/Alteration Request Denied
• Approval Deferred Pending the Following Actions

• .

53
Recruitment of Study SubjectsUsing PHI from
Covered Entities

• Reviewing PHI to Identify Subjects
• Treating providers may review their own
  patients/clients records to decide whether
  patients/clients would be eligible for a certain
  research study
• Investigators who are not members of a
  patients/clients treatment team must apply to
  the IRB for limited waiver of authorization in
  order to review PHI to identify potential
  research subjects and record the potential
  subjects name and contact information

54
Recruitment of Study Subjects Using PHI from
Covered Entities (cont.)

• Reviewing PHI to Identify Subjects (cont.)
• If investigator is conducting review preparatory
  to research (permitted without authorization)
  and would like to record the contact information
  of potential research subjects identified during
  the review, the investigator should apply to the
  IRB for a limited waiver of authorization prior
  to conducting the review preparatory to research

55
Recruitment of Study Subjects Using PHI from
Covered Entities (cont.)

• Contacting Potential Research Subjects
• Treating providers may always have a conversation
  with their own patients/clients regarding
  enrolling in research involving treatment
• Investigators who are not part of the
  patient/clients treatment team must
• Obtain a partial waiver of authorization from the
  IRB to recruit subjects (if not previously done)
  or
• Enlist the patient/clients treating provider to
  contact the patient/client about enrolling in the
  study
• If treating provider agrees to assist in
  recruitment process, proposed recruitment letter
  (to be signed by treating provider) must be
  included in submission to IRB required by Common
  Rule

56
Databases and Tissue Banks

• Many Covered Entities and researchers maintain
  databases into which PHI is placed, processed,
  stored
• Databases may be created not for specific
  research projects, but as resources for future
  unspecified research
• Tissue banks and other specimen repositories may
  be similarly created and maintained

57
Databases and Tissue Banks (cont.)

• Is patient authorization or IRB waiver required
  for these activities?
• Health care operations?
• Research?
• HIPAA HHS opines that the development of such
  databases/banks is research for HIPAA purposes
  and requires authorizations or waivers
• Common Rule Should also therefore have IRB
  approval, because definitions of research in
  HIPAA and Common Rule are coterminous

58
Databases and Tissue Banks (cont.)

• CUNY researchers creating databases of PHI or
  specimen banks/tissue repositories with PHI
  attached must cease compiling PHI on and after
  April 14, 2003 until they submit a protocol to
  the CUNY IRB specifying conditions under which
  data/specimens are accepted to the database/bank
  and shared with third-parties research may
  resume once approval is granted
• Protocol must include CUNY authorization form or
  application for IRB waiver of authorization

59
Databases and Tissue Banks (cont.)

• If database/bank is not maintained by the covered
  entity (e.g., covered entity is disclosing
  information to non-covered database/bank
  off-site), then authorization must indicate
  potential for PHI to be re-disclosed without
  penalty under HIPA

60
Databases and Tissue Banks (cont.)

• Per 3/12/03 memorandum from Vice Chancellor
  Schaffer (http//www.rfcuny.org/ResCompliance/HIPA
  A_Memo.html), CUNY investigators should review
  existing databases and tissue banks to determine
  whether PHI collection is ongoing and HIPAA
  compliance is necessary
• Databases/tissue banks maintained by a CE may not
  require authorization if one purpose is
  operations
• If CUNY investigators wish to conduct specific
  research on information or samples stored in a
  database or tissue bank, they must obtain IRB
  approval of research protocol and authorization
  or waiver from IRB

61
Accounting for Research Disclosures

• HIPAA generally requires Covered Entities to
  account for disclosures of PHI at the request
  of the patient/client
• Final Rule waives accounting for all disclosures
  made pursuant to a patient authorization (this
  includes research authorizations)

62
Accounting for Research Disclosures (cont.)

• If a Covered Entity discloses PHI for research
  purposes pursuant to a waiver of authorization or
  for another purpose where authorization is not
  required (e.g. review preparatory to research,
  research on decedents PHI) the Covered Entity
  must account for each disclosure
• Accounting will include CUNY investigators name,
  contact information, purpose of disclosure, and
  date

63
Transition Issues

• HIPAA Transition Provisions
• Certain research that began prior to HIPAAs
  compliance date is grandfathered and does not
  require authorization from subjects who were
  enrolled prior to April 14, 2003 if
• Subjects gave express legal permission for
  use/disclosure of health information
• Subjects gave general informed consent
• IRB waived informed consent requirement

64
Transition Issues

• For studies approved prior to April 14, 2003 but
  continuing to enroll subjects on and after after
  April 14, 2003, HIPAA authorization is required
  for new subjects
• All studies approved and commencing enrollment of
  subjects on and after April 14, 2003 must comply
  with HIPAA in all respects
• If grandfathered subject is re-consented for any
  reason on and after April 14, 2003, investigator
  must obtain authorization as well as new consent
• If investigator begins to consent subjects in a
  study that received IRB waiver of informed
  consent prior to April 14, 2003, authorization
  must be obtained

65
Transition Issues

• As discussed previously, prior to April 14, 2003
• Exempt protocols must receive HIPAA
  authorization/waiver (or suspend activity until
  authorization/waiver is obtained)
• Research database/repository compilation will
  need IRB-approved protocol, informed consent (or
  IRB waiver) and HIPAA authorization (or IRB
  waiver)
• Research not meeting these requirements must be
  suspended on April 14, 2003, pending compliance

66
Practical Compliance Issues for Implementing
HIPAA in the Research Context

• Some parties to the research will not be covered
  by HIPAA, but CUNY is concerned about their
  handling of research subject data
• CUNY IRB has a model Subject Information
  Confidentiality Agreement to protect subjects
  information that has been disclosed to
  non-covered investigators and others involved in
  the research
• Investigator should have this form signed by each
  non-CUNY person or entity to which research
  subjects personal data are disclosed

67
Practical Compliance Issues for Implementing
HIPAA in the Research Context (cont.)

• THE CITY UNIVERSITY OF NEW YORK
• SUBJECT INFORMATION CONFIDENTIALITY AGREEMENT
• Name____________________________________
• Position__________________________________
• I recognize that, in the course of my
  participation as an investigator,
  co-investigator, or an agent or contractor of an
  investigator conducting CUNY human subjects
  research, I may gain access to subject
  information, including information about health,
  mental health, medical care, or payment for
  health care, that must under law must be treated
  as confidential and disclosed only under limited
  conditions. I agree that
• I will keep confidential all information to which
  I gain access that is or can be identified to a
  particular subject (described in this agreement
  as information).
• I will access and use information only in
  connection with a research protocol that has
  received CUNY Institutional Review Board
  approval, or for reviews preparatory to research
  for which I have received authority to conduct
  from the entity or individual maintaining the
  information.

68
Practical Compliance Issues for Implementing
HIPAA in the Research Context (cont.)

• I will not redisclose information except to the
  extent required by applicable laws, including but
  not limited to federal laws governing drug and
  alcohol treatment programs and state laws
  governing HIV information, or as permitted under
  the terms of a research subject's written
  authorization or an IRBs waiver of the
  authorization requirement.
• I will not discuss information in public places
  or outside of work.
• I will access information only concerning
  subjects for whom IRB approval has been given,
  and will not access information for other
  individuals, except during a review preparatory
  to research with the approval of the entity or
  individual maintaining the information.
• I will take all reasonable and necessary
  precautions to ensure that the access and
  handling of information are conducted in ways
  that protect subject confidentiality to the
  greatest degree possible. This includes
  maintaining such information in secured and
  locked locations.
• I understand that it is my obligation and
  responsibility to maintain the confidentiality of
  all subjects information. Improper disclosure
  or misuse of such information, whether
  intentional or due to neglect on my part, may be
  a breach of privacy and/or confidentiality and a
  violation of federal regulations, which could
  result in the loss of my continued access to
  subjects information or other penalties for
  myself or my institution.
• Signature__________________________
  Date______________________________

69
Practical Compliance Issues for Implementing
HIPAA in the Research Context (cont.)

• Investigators should contact the IRB office with
  any questions about the following HIPAA-related
  issues
• Deciding what is a research use of PHI versus an
  internal health care operations use QA vs.
  research
• Access to decedents PHI (investigator
  representations required)
• Access to PHI for reviews preparatory to research
  (investigator representations required)
• Validating that information has been adequately
  de-identified for use and disclosure without
  authorization
• Reviewing and approving limited data sets
• Executing data use agreement (to have access to
  limited data set)
• Approving required elements are included in
  research authorization form

70
Planning HIPAA-Compliant Research

• Points to consider
• Is PHI from a HIPAA-covered entity necessary for
  the research? If so, need either authorization
  or IRB waiver of authorization.
• Will the research require a waiver of
  authorization to access existing PHI? If so,
  application to IRB or PB required.
• Who must access the PHI to perform the research?
• All entities/categories of persons must be listed
  in authorization.
• Secondary analyses and unanticipated data sharing
  require new authorization or waiver
• May I look at a CEs records to recruit
  patients/clients?
• If treating provider, yes.
• If not treating provider, must obtain IRB partial
  waiver and follow CUNY recruitment policies

71
CUNY Case Studies

• CUNY researcher studying implantable hearing
  device and testing subjects at CUNY
• Obtains info from the treating provider about
  implant settings (unique for each patient) and
  results of providers audiological exam
• Does this research involve PHI? (A yes)
• What does HIPAA require? (A authorization)

72
CUNY Case Studies

• CUNY graduate student reviewing nursing home
  charts to prepare a research protocol
• Research will involve chart review no consent to
  be obtained
• Does this research involve PHI? (A yes)
• What does HIPAA require? (A representations to
  the nursing home for a review preparatory to
  research, IRB waiver of authorization for the
  research)

73
CUNY Case Studies

• CUNY researcher conducts cancer study involving
  medical chart review and recruitment of patients
  for collection of original psychological data
• Patient names replaced (by investigator) with
  linking codes
• What does HIPAA require?
• A representations to the provider to conduct a
  review preparatory to research, partial IRB
  waiver of authorization for recruitment
  (consistent with CUNY IRB policies), and HIPAA
  authorization obtained with informed consent

74
CUNY Research and HIPAAafter August 2002
Privacy RuleCUNY Research Training
SessionMarch 27, 2003

• Presented by
• Mark Barnes