Title: HIPAA and the Common Rule
1 HIPAA and the Common Rule
- Christina Solis, JD
- Elisa Fallows, MS
- UTHSC-H Legal Affairs and Institutional Compliance
- 2004 Mini-Ethics Course
2 Impact of the Privacy Rule
- Does not reduce the effect of the Common Rule or FDA regulations.
- Mandates more protections to ensure privacy of subjects and confidentiality of data.
- Requires action whenever any PHI is used for research.
3 Definition of Research
- A systematic investigation designed to develop or contribute to generalizable knowledge.
- 45 CFR 46.102(d) and 45 CFR 164.501
4 Definition of Human Subject
- A living individual about whom an investigator conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.
- 45 CFR 46.102(f)
5 Definition of Human Subject: Operational Change due to Privacy Rule
- A living individual about whom an investigator conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information
6 Regarding Research, the Privacy Rule Applies to
- Ascertainment of Potential Subjects
- Recruitment of Subjects
- Consent/Authorization Process
- Study Amendments
- Data Management
- Decedent Research
- Reuse of data for another study
7 Research Provisions
- Covered entities may use and disclose PHI for research
- With individual authorization, or
- Without individual authorization under limited circumstances
- 45 CFR 164.508, 164.512(i)
8 Relationship to other Research Rules
- The Privacy Rule does not override the Common Rule or FDA's human subject protection regulations.
9 Ascertainment/Recruitment of Potential Subjects
- Via Review of PHI
- Notification of a Review Preparatory to Research
- Description Justifying a Waiver of Authorization
- Via Ad
10
- If PHI or other identifiable private information is to be recorded during the ascertainment/recruitment process, consent of the potential subject, or IRB approval of a Waiver of Consent, must be obtained.
- (DHHS NIH Common Rule Guidance 8/03)
11 Ascertainment/Recruitment Satisfying Both Rules
- Via a Review Preparatory to Research
- Do not record PHI, or
- Record PHI and obtain Common Rule IRB waiver of consent, or
- De-identify PHI, then deal with the Common Rule.
- If the data now retains a link to subject identity, the Common Rule still applies.
- If the data does not retain any identifying link (data anonymized or unlinked), the Common Rule does not apply.
12 Ascertainment/Recruitment Satisfying Both Rules
- Via Waiver of Authorization
- Do not record PHI (usually not useful or practical), or
- Record PHI and obtain IRB Waiver of Consent
- De-identify PHI (usually not useful or practical)
13 Exception from Requirement for Informed Consent
- An IRB may waive the consent requirement or alter a consent element if it finds and documents that:
- (1) Research involves no more than minimal risk
- (2) Rights and welfare of subjects will not be adversely affected
- (3) Research could not practicably be carried out without waiver or alteration, and
- (4) When appropriate, the subjects will be provided pertinent information after participation.
14 Reducing the Impact
- Ensure that Information Associated with
Data/Samples is Modified so it does not relate to
a Human Subject and either does not involve PHI
or is presented as a limited data/sample set.
15
- An Activity does not prompt the Common Rule or Privacy Rule Considerations Requiring IRB Review when
- The activity is not research OR
- The research does not involve a human subject AND
- The research does not involve PHI.
16 Examples of how a PI doing research can reduce the impact of the Common Rule and the Privacy Rule
- Modify information associated with the Data/Samples so the information does not relate to a Human Subject, and the information does not involve PHI or PHI is presented as a limited data set.
17 How to modify data/samples so the information does not relate to a human subject
- Anonymize (unlink) the data/samples.
- Establish conditions whereby subject identity
cannot be readily ascertained.
18 Anonymize (unlink) the data/samples
- Remove all identifiers or codes that directly or indirectly link a particular data point or sample to an identifiable person.
- These data/samples then become irreversibly unlinked from any subject identifiers.
19
- Modify Information Associated with the Data/Samples so the Information does not relate to a Human Subject, and the INFORMATION DOES NOT INVOLVE PHI or PHI is Presented as a Limited Data Set.
20 Modify Information Associated with the Data/Samples so the information does not involve PHI
- Remove health information
- De-identify data/samples
21 Information is health information when it
- Relates to one's physical or mental health or condition, or
- Relates to one's health care, OR
- Relates to one's payment for health care.
- 45 CFR 160.103
22 Items to Exclude for De-identification, 45 CFR 164.514(b)(2)
- Names
- Addresses
- Zip codes
- Dates except years
- Telephone #s
- Fax #s
- VIN #s
- URLs
- Biometric identifiers
- E-mail address
- SS #
- Medical Record #
- Health plan beneficiary #s
- Account #s
- Certificate/license #s
- Device ID serial #s
- Full face photo images
- Internet protocol address #s
- Any other unique identifying #, characteristic or code
23 Modify information associated with the data/samples so the information does not relate to a human subject, and the information does not involve PHI or PHI IS PRESENTED AS A LIMITED DATA SET
- Establish a limited data set with a data/sample use agreement.
- Remove direct personal identifiers.
- Remove postal address information other than town or city, state or zip code.
- Note: Event dates, any age and an identifying code related to the person are permitted.
24 Anonymization vs HIPAA De-identification
- The only setting where IRB approval of anonymization (unlinking) does not also confer approval of HIPAA de-identification is when the anonymized (unlinked) health information contains an event date more specific than the year, or a geocode more specific than a state or 3-digit zip code, or a subject's specific age is over 89 years (instead state as 90 years).
25 HIPAA De-identification vs Anonymization
- The only setting where IRB approval of HIPAA
de-identification does not also confer approval
of anonymization (unlinking) is when a code with
a key linking back to the subject is retained
with the de-identified data.
26 Approach to satisfy both
- Establish conditions so the identity of a research subject cannot readily be ascertained.
- Establish a limited data/sample set and a data/sample use agreement.
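The three data treatments on slides 18 and 22 to 25 differ in what survives in a record. The sketch below is an added illustration, not part of the original slides; the field names and the sample record are hypothetical, and only the rules stated on the slides are modelled.

```python
# Hypothetical field names; the identifier categories are those on slides 22-23.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "email", "ssn", "mrn", "phone", "fax",
    "health_plan_id", "account_no", "license_no", "vin", "device_serial",
    "url", "ip_address", "biometric_id", "face_photo",
}
LINK_CODE = "subject_code"    # code whose key links back to the subject
DATE_FIELDS = {"visit_date"}  # ISO dates, YYYY-MM-DD

def limited_data_set(record):
    """Slide 23: drop direct identifiers; city, state, zip, event dates,
    age and an identifying code may stay (under a data use agreement)."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def anonymize(record):
    """Slide 18: additionally drop any code that links to a person."""
    out = limited_data_set(record)
    out.pop(LINK_CODE, None)
    return out

def hipaa_deidentify(record, keep_code=False):
    """Slides 22 and 24: dates reduced to the year, geography no finer than
    state or 3-digit zip, ages over 89 stated as 90. Slide 25: a keyed code
    may be retained, in which case the result is not anonymized."""
    out = limited_data_set(record)
    if not keep_code:
        out.pop(LINK_CODE, None)
    out.pop("city", None)
    for field in DATE_FIELDS:
        if field in out:
            out[field] = out[field][:4]
    if "zip" in out:
        # Only the slides' 3-digit rule; further regulatory conditions not modelled.
        out["zip"] = out["zip"][:3]
    if out.get("age", 0) > 89:
        out["age"] = 90
    return out

# Constructed sample record, not real data.
SAMPLE = {
    "name": "Jane Doe", "mrn": "000123", "street_address": "1 Main St",
    "city": "Houston", "state": "TX", "zip": "77030",
    "visit_date": "2003-08-14", "age": 93, "subject_code": "S-017",
    "diagnosis": "hypertension",
}

if __name__ == "__main__":
    for fn in (limited_data_set, anonymize, hipaa_deidentify):
        print(fn.__name__, fn(SAMPLE))
```

The anonymized record still carries the full visit date, zip code and age of 93 (the slide 24 case), while `hipaa_deidentify(SAMPLE, keep_code=True)` keeps the subject code (the slide 25 case).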