Tulane Human Research Protection Program (“HRPP”)
Presented by: Wade Wootan
Date: March 2010


Objectives
• Review applicable federal regulations affecting privacy of research information
  • Health Insurance Portability & Accountability Act Privacy Regulations (HIPAA Privacy or HIPAA)
  • Human subject protection regulations for Department of Health & Human Services (DHHS) and the Food and Drug Administration (FDA)
• Who must comply?
• What information is protected?
• What uses & disclosures are permitted?

Tulane HIPAA Policies, Procedures & Guidance
• Research policies for HIPAA
  • See Section 16 of Tulane’s HRPP Standard Operating Policies (SOPs) found at http://tulane.edu/asvpr/irb/policies.cfm
  • HIPAA authorization form found on IRBNet
• TUMG HIPAA policies & forms found at http://tulane.edu/counsel/upco/privacy-policies.cfm

HIPAA Privacy Rule
Purpose and Background
• Acknowledges that, in course of conducting research, researchers may create, use, and/or disclose individually identifiable health information (IIHI)
• Recognizes that research community has legitimate needs to use, access and disclose certain information to carry out a wide range of health research.
• Establishes minimum standards for protecting the privacy of IIHI
• Confers certain rights on patients/subjects, including rights to access and amend their health information and obtain a record of when and why their protected health information (PHI) was shared with others
• Establishes conditions under which covered entities (CE) can provide researchers access to and use of PHI when necessary to conduct research.
• If a treatment relationship exists, HIPAA Privacy is intended neither to limit access to nor quality of health care
• It also establishes penalties for covered entities that fail to comply, including money fines and/or imprisonment.

Step-by-step analysis
Use & Disclosure of Research Information:
• Accounting requirements for non-routine disclosures

To whom does the Privacy Rule apply?
HIPAA Privacy Rule applies only to:
• Covered entities (CE) (i.e., health care providers, health plans & health clearinghouses)
• Who electronically transmit any health information for which DHHS has adopted standards (e.g., transaction & code sets, coordination of benefits, authorizations, etc.)

Tulane elected to be a hybrid entity for HIPAA compliance purposes. This limits application of the Privacy Rule to only health care operations (i.e., areas that create, use and/or disclose IIHI & electronically bill Federal payors). The following components were designated by Tulane as health care operations covered by the Privacy Rule:
• TUMG, its physicians, and clinicians
• TU employees & departments that provide management, admin, financial, legal and operational services to TUMG and use IIHI

As a matter of policy, Tulane’s HRPP standard operating policies (SOPs) apply HIPAA to human subjects research (See SOPs at section 16)

[See also “Designation of Healthcare Components & Hybrid Entities” (TU P&P GC-101)]

Tulane’s IRB serves as a Privacy Board for HIPAA compliance purposes as it applies to research

This is in addition to the IRB’s role to safeguard the confidentiality rights of subjects involved in research under DHHS & FDA requirements

For healthcare, Tulane’s Privacy Officer is Glenda Folse and Security Officer is Leo Tran

Comparison—Privacy Rights Under HIPAA & Confidentiality Rights Under DHHS Regulations

Regulations compared: HIPAA Privacy Rule (45 CFR Part 160 & 164(A) & (E)); DHHS Protection of Human Subjects (45 CFR Part 46); FDA Protection of Human Subjects (21 CFR Parts 50 and 56)

Issue: Purpose
• HIPAA Privacy Rule: Establish Federal floor of privacy protections for most IIHI by establishing conditions for its use/disclosure by covered entities
• DHHS Protection of Human Subjects:
  • Protect rights & welfare of human subjects involved in research conducted or supported by DHHS
  • Not specifically a privacy regulation
• FDA Protection of Human Subjects:
  • Protect rights, safety & welfare of subjects involved in clinical investigations regulated by FDA
  • Not specifically a privacy regulation

Issue: Scope
• HIPAA Privacy Rule: Applies to HIPAA-defined CEs, regardless of source of funding
• DHHS Protection of Human Subjects: Applies to human subjects research conducted or supported by DHHS
• FDA Protection of Human Subjects:
  • Applies to research involving products regulated by FDA
  • Federal funding not necessary for FDA regs to apply
  • If Federally funded, both DHHS & FDA regs apply

What health information is protected by the Privacy Rule?

What is PHI?
• Individually identifiable health information (IIHI) AND
• Transmitted or maintained in any form or medium (i.e., oral, paper or electronic)

What is IIHI?
• Information that relates to past, present or future physical or mental health or condition; healthcare; or payment for healthcare AND
• Identifies an individual or can reasonably be used to identify AND
• Created or received by a covered entity (healthcare provider, health plan, or clearinghouse)

Note: IIHI can include PHI created in research

The Privacy Rule applies to protected health information (PHI) created or maintained by a CE (and a CE’s business associates)

18 Types of IIHI
Look for the existence of any one of the following:

More obvious identifiers
1. Names
2. Address
3. SSN
4. Phone
5. Fax
6. E-mail
7. Full face photo

Less obvious identifiers
8. Any dates
9. MRN
10. Health plan #
11. Account #’s
12. License #
13. VIN
14. Device #
15. URLs
16. IP address
17. Finger/voice print
18. Any other unique identifying numbers, characteristics or codes

Comparison—Definition of Individually Identifiable Information

Issue: Identifiable Information
• HIPAA Privacy Rule:
  • Defines PHI as individually identifiable health information (IIHI) transmitted or maintained in any form or medium by a CE (or its BA)
  • See list of 18 types of IIHI
• DHHS Protection of Human Subjects:
  • Private information must be individually identifiable for obtaining it to constitute “research involving human subjects”
  • “Individually identifiable” means the identity of subject is or may be reasonably ascertained by investigator or associated with information
• FDA Protection of Human Subjects: No definition of individually identifiable information

What is not covered under HIPAA?
• De-identified health information (i.e., no IIHI) & thus not protected by HIPAA
• Studies that do not involve health information or healthcare (e.g., anthropology)
• IIHI held by anyone other than a CE (e.g., an independent researcher)

De-Identifying PHI
CEs may use/disclose health information that is de-identified. Before disclosing, confirm de-ID through either:
• Removing all 18 IIHI identifiers
  • The CE does not have actual knowledge that info could be used alone or in combination with other documents to identify an individual who is a subject of the info
OR
• Statistical verification of de-ID
  • A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering info not individually identifiable determines that risk is very small that info could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the info
  • Document the methods and results of the analysis justifying determination
164.514(b)

De-Identifying PHI
Statistical Verification of De-ID
DHHS guidance to generally accepted statistical and scientific principles and methods:
• Statistical Policy Working Paper 22 - Report on Statistical Disclosure Limitation Methodology (http://www.fcsm.gov/working-papers/wp22.html) (prepared by the Subcommittee on Disclosure Limitation Methodology, Federal Committee on Statistical Methodology, Office of Management and Budget) and
• Checklist on Disclosure Potential of Proposed Data Releases (http://www.fcsm.gov/committees/cdac) (prepared by the Confidentiality and Data Access Committee, Federal Committee on Statistical Methodology, Office of Management and Budget).
DHHS commentary to 45 CFR 164.514(b)

De-Identifying PHI
Re-Identification
Question: Can a code be used to re-ID information that previously was de-ID?
Answer: Yes.
A CE may assign a code or other means of record identification to allow de-identified information to be re-identified by the CE, provided that:
• The code or other means of record identification is not derived from or related to info about the individual and is not otherwise capable of being translated so as to identify the individual; and
• The CE does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
164.514(c) Re-Identification

De-Identification
Coded data
• Privacy Rule allows a CE to code data and then disclose it as “de-identified”
  • The code is secured and not distributed with the data
  • Codes cannot be derived from IIHI (e.g. last 4 digits of SSN)
• Common Rule considers coded data with agreement/policy that PI can’t access code to not involve human subjects
• When PI codes data it is not de-identified but it may be Common Rule exempt if PI does not hold the code
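
An added illustration, not part of the original presentation, of the re-identification and coded-data conditions above: each record gets a random code that is not derived from any identifier, the crosswalk stays with the CE, and a check flags a code built from IIHI such as the last 4 digits of an SSN. The field names, code format and sample records are constructed assumptions.

```python
import secrets

# Assumption: identifier fields of this constructed record layout. A real data
# set must be checked against all 18 identifier types listed in the slides.
IDENTIFIER_FIELDS = {"name", "ssn", "phone", "mrn", "visit_date"}

# Consonants only: codes carry no digits (no SSN/MRN/date fragments) and no
# vowels (no accidental names or words).
CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"

# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    {"name": "Ana Ruiz", "ssn": "000-00-6789", "phone": "555-0100",
     "mrn": "MRN-00417", "visit_date": "2010-03-02",
     "diagnosis_code": "E11.9", "age_band": "40-49"},
    {"name": "Lee Okoye", "ssn": "000-00-1234", "phone": "555-0101",
     "mrn": "MRN-00532", "visit_date": "2010-03-05",
     "diagnosis_code": "I10", "age_band": "60-69"},
]


def new_code(existing):
    """Return a random code that has no relationship to any subject data."""
    while True:
        code = "S-" + "".join(secrets.choice(CODE_ALPHABET) for _ in range(12))
        if code not in existing:
            return code


def code_records(records):
    """Split records into (coded_rows, crosswalk).

    coded_rows hold the random code plus non-identifier fields and are what
    may leave the CE. crosswalk maps code -> removed identifiers; it is the
    re-identification mechanism and is stored separately, never disclosed.
    """
    coded_rows, crosswalk = [], {}
    for rec in records:
        code = new_code(crosswalk)
        crosswalk[code] = {k: v for k, v in rec.items() if k in IDENTIFIER_FIELDS}
        row = {k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}
        row["code"] = code
        coded_rows.append(row)
    return coded_rows, crosswalk


def leaked_identifiers(coded_rows, crosswalk):
    """Return (code, finding) pairs for rows that still expose an identifier.

    Flags identifier fields left in a row, and codes containing any run of 4
    letters/digits taken from an identifier value (a derived code).
    """
    findings = []
    for row in coded_rows:
        code = row["code"]
        for field in sorted(IDENTIFIER_FIELDS.intersection(row)):
            findings.append((code, field))
        for field, value in sorted(crosswalk.get(code, {}).items()):
            text = "".join(ch for ch in str(value) if ch.isalnum()).lower()
            fragments = {text[i:i + 4] for i in range(len(text) - 3)}
            if any(frag in code.lower() for frag in fragments):
                findings.append((code, field + " fragment in code"))
    return findings
```
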

De-Identified vs Anonymous
• De-identified health information is not PHI and, thus, is not protected by Privacy Rule
• “Anonymous” is a DHHS/IRB term.
  • Identity of the subject may not readily be ascertained
  • Anonymous can refer to fact that identifying information was never collected
  • If collected, anonymous data may or may not be de-identified

How can PHI be used or disclosed?
• Use = Internal sharing, exam, analysis of PHI within a CE
• Disclosure = external release, transfer or divulging of PHI by a CE

If the Privacy Rule applies, then a CE can use/disclose PHI for:
• TPO: treatment, payment and healthcare operations (TPO), even without subject permission
• Research:
  • With individual HIPAA authorization [45 CFR 164.508]
  • IRB approved waiver or alteration of authorization [164.512(i)(1)(i)]
  • Limited data sets with Data Use Agreement [164.514]
  • Preparatory to Research [164.512(i)(1)(ii)]
  • Research of Decedents [164.512(i)(1)(iii)]
  • “Grandfathered” Research
  • Required by Law [164.512]

HIPAA Authorization for Research Use & Disclosures
Required Elements
A HIPAA Authorization is an individual’s signed permission that contains:
• Specific information to be used/disclosed
• By whom and to whom (may be classes of persons)
• Purpose of use/disclosure
  • Be specific – cannot authorize future unspecified research
• How long the authorization is valid (“end of study” or “forever” are okay if justified by research)
• Potential risks of re-disclosure (e.g., if data shared with non-HIPAA covered entity)
• Signed & dated
• Do not condition treatment on signing authorization
• Right of individual to revoke authorization (pro-actively)
Authorization may be combined with study informed consent.
• Tulane does not allow combination of HIPAA authorization with any other consent/documents to avoid subject confusion

Comparison—Research permissions

Regulations compared: HIPAA Privacy Rule; DHHS Human Subjects Regs; FDA Human Subjects Regs

Issue: Permission for Research
• HIPAA Privacy Rule: Authorization
• DHHS Human Subjects Regs: Informed Consent (IC)
• FDA Human Subjects Regs: IC

Issue: IRB/Privacy Officer Duties
• HIPAA Privacy Rule:
  • CE must obtain authorization for research use/disclosure of PHI unless HIPAA exception exists
  • Neither IRB nor Privacy Officer reviews authorization form
• DHHS Human Subjects Regs:
  • IRB must ensure that IC is sought from & documented for each prospective subject per DHHS regs.
  • If DHHS regs. met, IRB may waive either obtaining IC or documented IC.
  • IRB must review/approve HIPAA authorization form if combined with IC
  • Privacy Officer has no authority
• FDA Human Subjects Regs:
  • Same as DHHS requirements

IRB-approved waiver of HIPAA authorization

When de-identification is impractical, or it is not feasible for researchers to obtain signed authorizations for all PHI the researcher needs to obtain, the Privacy Rule permits obtaining IRB approval for waiver or alteration of the authorization requirement regarding uses & disclosures

Section 164.512(i); see also Use & Disclosure of PHI for Research (TU P&P GC-012)

IRB-approved waiver of authorization (cont.)
IRB must determine
• Minimal risk to privacy
• Research couldn’t be conducted without access and without waiver
• Written assurance PHI won’t be re-disclosed or re-used except as required/permitted by law
• Limited to minimum necessary

IRB need only review request to waive or alter authorization (vs actual authorization)

IRB waiver of authorization documented in IRB approval letter

Partial waivers of Authorization & alterations to Authorization approved by IRB

Recruitment may require access to PHI but no patient contact

Phone eligibility screens where no written authorization possible

Can waive authorization for these initial research processes and then subjects consented later

No provisions for waiving documentation only

Q&A: Tissue banks & old tissue samples
Question: We have a freezer full of old tissue blocks that have built up over the years and we want to use them for our new research. Is this human subjects research & is a HIPAA authorization needed?

Answer: It depends if human subjects research exists. Look to investigator intent:
• Systematic investigation
• On a living individual about whom the investigation is being conducted
• About whom the investigator conducting research obtains
  • Data through intervention or interaction with the individual; or
  • Individually identifiable private information
• That is designed to develop or contribute to “generalizable knowledge”

If human subjects research, then samples repository & IRB approved protocol regarding use & maintenance of samples
• Was there consent/authorization to keep the samples when they were collected?
• Was there informed consent/authorization for future activities?
• Is the proposed use consistent with any prior consent/authorization?
• Otherwise, access requires an IRB waiver for use or disclosure of information

Comparison—Cooperative Research & Waiver/Alteration of HIPAA Authorization

• HIPAA Privacy Rule:
  • Requests to waive or alter authorization requirement are reviewed/approved by IRB
  • A CE may reasonably rely on IRB decision
• DHHS Protection of Human Subjects:
  • Each institution is responsible for safeguarding rights & welfare of human subjects & complying w/ DHHS protection of human subject regulations
  • With DHHS approval, an institution participating in a cooperative project may enter into a joint review arrangement, rely upon review of another qualified IRB or make similar arrangements to avoid duplicative effort
• FDA Protection of Human Subjects: Cooperative research/multi-institution studies may use joint review, reliance upon review of another qualified IRB, or similar arrangement aimed at avoiding duplicative effort

For multi-site research or research requiring use/disclosure of PHI created or maintained by multiple CEs or where multiple IRBs may be involved, review by 1 IRB is okay

Comparison—Waivers of Authorization or IC Requirements

HIPAA Privacy Rule
Allows waiver or alteration of authorization when IRB or Privacy Officer/Privacy Board deems following are met:
a. Use/disclosure involves no more than minimal risk to privacy because the following exist:
  1. Adequate plan to protect IIHI from improper use or disclosure
  2. An adequate plan to destroy IIHI at earliest opportunity absent health or research justification or legal req. to keep them
  3. Adequate written assurances that PHI will not be used or disclosed to 3rd party except as req’d by law, for authorized oversight of research or other permitted uses or disclosures
b. Research could not practicably be conducted without waiver or alteration; AND
c. Research could not practicably be conducted w/o access to & use of PHI

DHHS Protection of Human Subjects
Permits IRB to waive some/all elements of IC, or to waive need to obtain IC, if IRB finds & documents:
a. Research involves no more than minimal risk to subject
b. Waiver or alteration will not adversely affect rights or welfare of subjects
c. Research could not practically be carried out w/o waiver or alteration
d. When appropriate, subjects will be given pertinent info after participation

FDA Protection of Human Subjects
• Permits FDA to waive IRB review requirement
• Permits IRB to approve clinical investigation w/o subjects’ IC in certain circumstances (see 21 CFR 50.23 & 21 CFR 50.24). These include:
  a. Immediate use of test article is, in investigator’s opinion, needed to preserve life of subject & insufficient time exists to get IC
  b. Emergency research

Limited Data Sets
Background

Privacy Rule permits disclosure of limited data sets (“almost” identified) by a CE and researcher to another researcher for research, public health or healthcare operations

Receiving researcher must have a signed Data Use Agreement with CE

No need for authorization or IRB waiver

Does not require accounting for disclosures

Limited Data Sets
16 Identifiers (versus 18 IIHI)
For a limited data set to exist, remove the following IIHI:

More obvious identifiers
1. Names
2. Address (except town, city, state & zip)
3. SSN
4. Phone
5. Fax
6. E-mail
7. Full face photo

Limited Data Sets
Data Use Agreements
• Because limited data sets contain IIHI (i.e., potentially 2 categories), they are PHI and a Data Use Agreement is required under the Privacy Rule
• A Data Use Agreement is a way for a CE to set boundaries on how researchers use and disclose the limited data set PHI they receive

Limited Data Sets
Elements to Include in Data Use Agreements
1. Establish permitted use/disclosure of limited data set by recipient, consistent with purpose of research; no use/disclosure by recipient that would violate Privacy Rule if done by disclosing CE; and
2. Limit who can use/disclose PHI received; and
3. Recipient stipulates:
  • Not to use/disclose info other than as permitted by data use agreement or as required by law
  • Use safeguards to prevent use/disclosure of info not allowed by data use agreement
  • Report to CE any use/disclosure of info not allowed by data use agreement
  • Ensure that any agents/contractors of recipient who receive info agree to data use agreement requirements
  • Not identify the info or contact the subjects

When to use Data Use Agreements?
Use Data Use Agreements if limited data set recipient/researcher:
• Is an employee or workforce member of another covered entity
• Is another covered entity
• “Internal” data use scenario where recipient is TU employee or not part of TUMG

[See TU Data Use Agreement Policy (GC-018)]

Preparatory to Research
• An investigator may use/disclose PHI to prepare a research protocol, design a study, assess study feasibility, grant prep, etc.
• Investigator must certify (orally/writing) that:
  • Use/disclosure of PHI is solely preparatory to research,
  • PHI will not be removed from CE, and
  • PHI sought is necessary for research

Research of Decedents
• An investigator may use/disclose PHI of decedent for research
• Investigator must certify that:
  • Use/disclosure of PHI is solely to research PHI on decedent,
  • PHI sought is necessary, &
  • Proof of death (if CE requests proof of death)

“Grandfathered” Research
Under the Privacy Rule’s transition provisions, a CE may use/disclose PHI for research purposes if one of the following was obtained before the 4/14/2003 HIPAA Privacy compliance deadline:
• Individual authorization or other express legal permission to use/disclose PHI for research;
• Subject provided IC to participate in research; or
• IRB waiver of IC

Required by Law
Privacy Rule permits use/disclosure of PHI required by law (Federal or State), even if no express individual permission exists. Examples include a CE disclosing PHI (as legally required):
• To cancer registries (or other registries)
• To public health authorities re. preventing or controlling disease, injury or disability or public health surveillance, investigations and interventions
• To a person subject to FDA jurisdiction (e.g., a sponsor) re. FDA-regulated product/activity for which that person has responsibility re. QA, safety or effectiveness of FDA-regulated product/activity
  • Includes adverse event reporting; FDA-product tracking; post-market surveillance; & enabling product recalls, repairs, replacements, etc.
• To health oversight agencies (e.g., Federal, State, accreditation, etc.)

Certificates of Confidentiality (CoC)
Background
• CoCs are issued by NIH, FDA & CDC to protect identifiable information on IRB-approved research from forced disclosure
• Protect against subpoena, court order or request from any Federal, State or local proceeding (i.e., civil, criminal, administrative, legislative, etc.)
• Allow investigators & others with access to research records to not disclose information that could ID research subjects if the disclosure could have adverse consequences for subjects (e.g., subject’s financial standing, employability, insurability, reputation, etc.)

[42 USC 241(d) (with DHHS authority delegated to respective Federal agencies)]

Certificates of Confidentiality (CoC)
Adverse Consequences
Examples of research with potential adverse consequences for subjects:
• Collecting genetic information
• Collecting information on psychological well-being of subjects
• Collecting information on sexual attitudes, preferences or practices
• Collecting data on substance abuse or other illegal risk behaviors
• Studies where subjects may be involved in litigation related to exposures under study (e.g., breast implants, environmental or occupational exposures)

Certificates of Confidentiality (CoC)
Potential Recipients
• Issued for single, well-defined research projects
• CoCs granted to Institutions based on PI’s application
• May be issued for cooperative multi-site projects
  • Must have a coordinating center or “lead” institution responsible for ensuring that all institutions conform to application assurances
  • Lead institution can apply on behalf of all associated institutions

Certificates of Confidentiality (CoC)
Assurances
Lead institution is responsible for ensuring that all institutions conform to application assurances & agree to:
• Protect against compelled disclosure and support/defend authority of CoC against legal challenges
• Comply with Federal regs re. human subject protection
• Not represent the CoC as an endorsement of the study by Federal Government or use/coerce participation
• Inform subjects re. existence of CoC, its protections & limitations

Certificates of Confidentiality (CoC)
Limits of Protection
• CoC protects data maintained during any time the CoC is in effect
  • Protects that data in perpetuity
• Does not eliminate need to disclose to Government for study audits & investigations
• Does not protect against disclosures reportable by law:
  • Child/elder abuse
  • Threat of harm to self/others
  • Communicable diseases
• CoC does not eliminate need for data security, which is essential to protection of research subjects’ privacy
• Researchers should safeguard research data & findings from unauthorized use & disclosures

Projects Not Eligible for CoC
• Not research
• Not collecting personally identifiable information
• No IRB review/approval
• Collecting information that, if disclosed, would not significantly harm or damage subject

Minimum Necessary
Privacy Rule limits the non-routine use, disclosure, or requesting of PHI to the minimum amount of info necessary to accomplish the purpose of the use or disclosure.

Non-routine disclosures do not include the following:
• De-identified information
• Limited data set information
• Made pursuant to a HIPAA authorization
• For TPO
• If required by law

[See Minimum Necessary Standard (TU GC-005)]

Accounting for Non-Routine Disclosures
HIPAA requires accounting for:
• Non-routine disclosures AND
• Disclosures of PHI involving 50 or more subjects on a study.

The accounting may provide:
• Name of protocol or other research activity;
• Description of research protocol or other research activity, including the purpose of research and criteria for selecting particular records;
• Brief description of type of PHI disclosed;
• Date or period of time during which such disclosures occurred, or may have occurred;
• Name, address, and phone of research sponsor and of researcher to whom the information was disclosed; and
• Statement that the PHI of the individual may or may not have been disclosed for a particular protocol or other research activity.

164.528(b)

Recap