Investigator's Guide to HIPAA
- What is HIPAA?
- What is the Privacy Rule?
- What kinds of information does the Privacy Rule Protect?
- What types of research are subject to the Privacy Rule?
Privacy in Research
- How does the Privacy Rule affect research?
- How do Investigators access Protected Health Information in compliance with the Privacy Rule?
- Privacy in Research Flowchart (see also printable version)
- Does the study involve Protected Health Information?
- Research when Authorization is obtained
- Research when Authorization is not obtained
- Waiver of Authorization
- Preparatory Research
- How does the Privacy Rule affect patient recruitment?
- What do I need to know about a subject's ability to revoke authorization?
- What is a Business Associate Agreement and when do I need to have one?
- Special Considerations for Multi-site Research
- Special considerations for Research Databases
- Research Arising from Health Care Operations Activities
- Disclosure Tracking
- Notification of Privacy Practices (NPP)
- Who should I contact if I have questions?
- Glossary of HIPAA Terms
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that was intended to improve the efficiency and effectiveness of the health care system. HIPAA has three main parts. The first, the "Administrative Simplification" provisions, includes national standards for electronic transactions of patient health, administrative and financial data between health care providers and health plans. The second and third parts concern security and privacy, and protect the confidentiality and integrity of health information. This website focuses on the Privacy Rule, which contains special regulations that particularly affect clinical research.
LLUAHSC entities that are covered entities under the Privacy Rule operate as an Organized Health Care Arrangement (OHCA). Under an OHCA, covered entities hold themselves out to the public as participating in a joint arrangement, in accordance with specifications in the Privacy Rule.
Entities participating in the OHCA are:
- Loma Linda University
- Loma Linda University Medical Center
- Loma Linda University Health Care (with affiliated clinical practice corporations), and
- Loma Linda Behavioral Medicine Center
One advantage of this arrangement is that health information that is protected under HIPAA regulations may be shared among these entities with much fewer restrictions than releasing information to external entities. This is discussed further below.
What is the Privacy Rule?
The HIPAA Privacy Rule establishes the conditions under which health information may be used or disclosed for research purposes. Research is defined in the Privacy Rule as "a systematic investigation, including research development, testing, and evaluation, designed to contribute to generalizable knowledge." The Privacy Rule strives to protect the privacy of health information, while at the same time ensuring that investigators will continue to have access to medical information necessary to conduct vital research.
Privacy is clearly a concern among research subjects. In a recent genetics study conducted at the National Institutes of Health, almost 32% of people who were eligible to take a test to determine risk for breast cancer declined doing so, most on the grounds of potential health insurance discrimination and loss of privacy. Therefore the Privacy Rule also defines the means by which individuals who are subjects in human studies research will be informed of uses and disclosures of their medical information for research purposes, and their rights to access information about them held by covered entities.
The Privacy Rule does not directly regulate the conduct of research. Rather, the Privacy Rule regulates the handling of individually identifiable health information that is created or received in the course of a research study. The Privacy Rule thus works in conjunction with the other applicable federal regulations (i.e. Title 45, part 50, subpart A of the Code of Federal Regulations, also known as "The Common Rule;" and the FDA human subject protection regulations) to further strengthen the rights and protections of individuals who participate in human studies research. The intended result of the changes listed on this page is to increase confidence and willingness among individuals to participate in human studies research because they know that their health information will be protected.
The HIPAA Privacy Rule became final on August 14, 2002. The date by which all covered entities had to be in compliance was April 14, 2003. The final regulation text, published in the Federal Register, is available online.
The Office of Civil Rights (OCR) within the Department of Health and Human Services is the federal enforcement agency of the Privacy Rule. At Loma Linda University, the Institutional Review Board will serve as the Privacy Board.
The Office of Civil Rights mandates that the Privacy Board be responsible for determining whether or not a research study is subject to HIPAA privacy regulations. This means that investigators themselves may not decide whether their human research study is subject to HIPAA. OCR also authorizes the Privacy Board to approve waivers to Privacy Rule regulations on research studies.
What kinds of health information does the Privacy Rule protect?
The Privacy Rule protects health information, including demographic information, that:
- Is created or received by LLU and/or its affiliates,
- Relates to the past, present, or future physical or mental health, condition or treatment of an individual, and that
- Identifies the individual or may be reasonably used to identify the individual. Information that the Department of Health and Human Services (DHHS) feels can be used to identify individuals is listed in Table 1:
Table 1: Direct Identifiers (Also Known as "Safe Harbor" Data)
*The first 3 digits of the zip code are not considered identifiable if the geographic unit formed by combining all zip codes with the same first 3 digits contains more than 20,000 residents according to the latest census information; the first 3 digits for all such geographic units containing 20,000 or fewer residents are changed to 000.
**Although birth dates are considered to be identifiable, ages 89 and under are not considered to be identifiable, including ages that are expressed in months, days, or hours.
Information that includes any one of the above criteria is classified as Individually Identifiable Health Information (IIHI). When IIHI is transmitted or stored in any medium by LLU and/or its affiliates, it becomes Protected Health Information (PHI) that is protected by the Privacy Rule.
Generally, PHI is transmitted/stored by an institution as part of a Designated Record Set that includes medical records, billing records, and any other record that is used to make decisions about the health care of an individual.
What types of research are subject to the Privacy Rule?
As a general rule, if your research uses PHI that is created or received by the Loma Linda University and/or its affiliates (e.g. medical or billing records), then it is subject to the Privacy Rule.
This may include, for example:
- Research that accesses PHI from a medical record, or creates PHI that will go back into a medical record, or
- Research that includes billable services to research subjects, such as clinical trials.
Research that may not be subject to the Privacy Rule is discussed below. For other types of research, the IRB/Privacy Board may waive some Privacy Rule requirements if specific criteria are met, as discussed below.
How does the Privacy Rule affect Research?
The Privacy Rule is extremely complex and required Loma Linda University to put into place a number of new policies and procedures. In practical terms, the major changes for investigators were:
- Application materials for research protocols that are submitted to the IRB/Privacy Board now contain questions relating to the privacy of study subjects. Investigators must explain what measures will be taken to protect the subjects' privacy and how protected health information is received and stored.
- For approved protocols, the approval notice issued by the IRB/Privacy Board contains information regarding the permitted uses and disclosures of PHI for the research study. If an investigator wishes to review currently existing medical records or records maintained in other databases at Loma Linda University and/or its affiliates, the IRB/Privacy Board approval notice serves as permission to do so. A copy of the approval notice may be attached to a Data Request Form (see also instructions) and submitted by the investigator to any one of the Certified Data Release Departments (CDRD) that have been certified by the Compliance Department to release protected health information. A CDRD is any department that receives or fulfills requests for data sets/reports from other members of the institution. All entities with a database that is used for this purpose should become a Certified Data Release Department. Certification is obtained by fulfilling the educational requirements coordinated by Staff Development. See Special Considerations for Research Databases for more information.
- Informed consent documents now also include an authorization, to be signed by the study subject, which gives the investigator permission to use and share the subject's protected health information.
- Rigorous criteria are used by the IRB/Privacy Board to waive the requirement for informed consent and privacy authorization. Most research that is subject to the Privacy Rule will not qualify for a waiver.
If the authorization requirement is waived in a research study, the Privacy Rule requires that the investigator adhere to the Minimum Necessary Standard, which means that all reasonable efforts must be made to limit the use and disclosure of protected health information to the minimum amount necessary to accomplish the research.
The Privacy Rule also requires that all disclosures be tracked in research studies where authorization is not obtained. The purpose of this tracking requirement is to provide research subjects, upon their request, with a list of how protected health information was released to external entities without their knowledge. At LLU, a Disclosure refers to the release of protected health information to anyone or any entity outside of the OHCA, including external research collaborators and sponsors.
Tracking is not required when PHI is shared among those entities within the OHCA: Loma Linda University, Loma Linda University Medical Center, Loma Linda Behavioral Medicine Center, and Loma Linda University Health Care (including the affiliated physician practice groups), which the Privacy Rule refers to as a Use.
- In some cases, a Business Associate Agreement is needed between investigators and outside entities who are providing research-related services like consulting, statistical analysis, and subject screening, prior to those entities obtaining access to protected health information.
How do investigators access Protected Health Information in compliance with the Privacy Rule?
The IRB/Privacy Board, under the administration of the Vice President for Research Affairs, regulates access to PHI for research purposes.
There are SIX (6) METHODS to obtain PHI access for research, as shown in the Privacy in Research Flowchart (see also printable version):
Does the Study Involve Protected Health Information?
The IRB/Privacy Board, not the investigator, is responsible for determining whether or not a research study is subject to the Privacy Rule. The IRB/Privacy Board will make this determination based on information provided by the investigator on the IRB application for a research protocol. As discussed above, a research study is subject to the Privacy Rule if it uses protected health information that is created or received by the institution. This includes most research that involves:
- Access to patient medical records,
- Creation of new data that is put into patient medical records, or
- Billable services that may be recorded in billing records (e.g. clinical trials).
The IRB/Privacy Board may also apply Privacy Rule requirements to a research study if it determines that the study subjects might reasonably expect the Privacy Rule to protect the collected data, even if it is not officially PHI. In other words, the subjects' perception of whether or not their privacy rights are being protected is also important, and every effort must be made to assure subjects of full privacy protection.
If a research study is subject to the Privacy Rule, then it is the investigator's responsibility to choose the appropriate mechanism for accessing PHI in compliance with the Privacy Rule. In most cases, investigators will be required to obtain written authorization from subjects in human studies in order to use/disclose the subjects' PHI. This requirement will be waived only if the study meets stringent criteria. Alternatively, investigators may use health information in which identifiers have been reduced or eliminated.
Research when Authorization is obtained
Integration of Privacy Authorization With Informed Consent:
Current regulations require that a consent document address how confidentiality will be protected. The Privacy Rule imposes more specific requirements for authorization to use/disclose PHI.
Note: The State of California requires that the Privacy authorization be a separate document from informed consent, and that it be printed in 14-point font.
- LLU Model Authorization form for Adults
- LLU Model Authorization form for Adults (Dependency Treatment)
- LLU Model Authorization form for Minors
- LLU Model Authorization form for Minors (Dependency Treatment)
- LLU Model Authorization form for Case Studies
- List of HIPAA Authorization Elements
- See also: What do I need to know about a subject's ability to revoke authorization?
- Minimum Necessary Standard does not apply: When written authorization for use/disclosure of PHI is obtained from research subjects, the Minimum Necessary standard does not apply. However, investigators are encouraged to limit PHI uses/disclosures to the minimum necessary to accomplish the research goals.
- Tracking of Disclosures is not required: When written authorization for use/disclosure of PHI is obtained from research study subjects, the tracking of disclosures is not required.
Research when Authorization is not obtained
Exceptions to the authorization requirement include either eliminating or reducing PHI in the data set received for the research, or justifying to the IRB/Privacy Board that obtaining authorization is not feasible for the research purpose (i.e. obtaining a waiver from the IRB/Privacy Board).
PHI May be Reduced or Eliminated
Reducing or eliminating PHI from a data set used for research may curtail or eradicate Privacy Rule requirements for a research study.
Note: It is important to make the distinction between the elimination of PHI, and the common research practice of removing identifiers from data that is extracted from a medical record, resulting in "anonymous" data. The Privacy Rule applies to the records that the investigator sees and uses, not what is recorded in the investigator's records. Therefore, the de-identified or limited data set requirements described below apply to the data the investigator receives and uses in the research.
If no direct identifiers are needed to accomplish a research study, investigators are encouraged to use De-Identified Information, because research studies using de-identified information are not subject to the Privacy Rule.
The Privacy Rule's definition of "de-identification" goes well beyond that used traditionally under other federal regulations that apply to human studies research. Investigators will be required to provide documentation to the IRB/Privacy Board that all of the 18 elements listed in Table 1 that relate to an individual, or the individual's relatives or employer, will not be used.
If de-identified data is received from a person/entity outside the OHCA, the investigator must verify and document to the IRB/Privacy Board that all 18 data elements have been removed prior to receiving the data. In addition, investigators must ascertain that there is no other available information that could be used alone or in combination to identify an individual (e.g. a rare diagnosis, condition, treatment or procedure which would allow the individual to be identified.)
- Minimum Necessary Standard does not apply: Since de-identified data is not subject to the Privacy Rule, the Minimum Necessary standard does not apply if only de-identified data is used in the research.
- Tracking of Disclosures is not required: Since de-identified data is not subject to the Privacy Rule, the requirement to track disclosures does not apply if only de-identified data is used to conduct the research.
If only a limited number of direct identifiers are needed for a research study, investigators may use a Limited Data Set. This "middle" option between de-identified and fully identifiable information allows investigators to retain the following data elements in a data set:
- Town, city, state, and the 5-digit zip code (but not street address);
- Dates such as birth date, admission date, discharge date, and date of death; and
- Unique numbers, characteristics, and codes.
All other identifiers listed in Table 1 are to be excluded in order to qualify as a Limited Data Set.
- Any recipient who receives protected health information under the limited data set provisions is required to sign a Data Use Agreement. This includes recipients both internal and external to LLU and its affiliates in the OHCA. The data use agreement generally describes the permitted uses and disclosures of the information and prohibits re-identifying or using the information to contact individuals. The required elements of a data use agreement are:
- The recipient will use the PHI contained in the data set only as permitted by the Privacy Rule;
- Limits will be placed on who can use or receive the data;
- The recipient agrees not to re-identify the data or to contact the research subjects;
- Appropriate safeguards will be used to prevent use/disclosure of the limited data set other than as permitted by the data use agreement and the Privacy Rule or as required by law.
- Minimum Necessary Standard applies: Limited Data Sets are subject to the Minimum Necessary standard. Investigators are to obtain only the identifying data elements that are necessary to accomplish the research goal if using a limited data set to conduct their research. This will be monitored by the IRB/Privacy Board and enforced through the provisions of the Data Use Agreement.
- Tracking of Disclosures is not required: Disclosures of Limited Data Sets are subject to provisions of the Data Use agreement, but not subject to the more general Privacy Rule requirements.
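The de-identification and Limited Data Set rules above, worked through in code. This is an added example, not part of the LLU guide: it reduces a constructed research extract to a Limited Data Set (direct identifiers removed; city, state, 5-digit ZIP, dates and codes kept) and to Safe Harbor de-identified form (ZIP truncated to 3 digits or 000 under the 20,000-resident rule, dates reduced to years, ages over 89 aggregated), and it checks an incoming "de-identified" extract the way the guide asks investigators to verify data received from outside the OHCA. The field key names, the sample record and the ZIP3 population table are assumptions constructed for the example; the identifier categories follow the Safe Harbor list in 45 CFR 164.514(b)(2).

```python
from __future__ import annotations

from datetime import date
from typing import Any

# Direct identifiers stripped at both reduction levels. The categories
# come from the Safe Harbor list in 45 CFR 164.514(b)(2); the field
# keys themselves are assumed labels for a research extract.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
})
# Elements a Limited Data Set may retain (town/city/state, 5-digit ZIP,
# dates, unique codes) but which Safe Harbor must remove or reduce.
DATE_FIELDS = frozenset({"birth_date", "admission_date",
                         "discharge_date", "death_date"})
LDS_ONLY = DATE_FIELDS | {"city", "zip", "study_code"}

ZIP3_POPULATION_THRESHOLD = 20_000   # ZIP3 areas at or below this -> "000"
AGE_CAP = 89                         # ages above this collapse to "90+"


def safe_harbor_zip3(zip5: str, zip3_population: dict[str, int]) -> str:
    """First three ZIP digits, or '000' when the ZIP3 area has 20,000 or
    fewer residents. Unknown areas are treated as small (fail closed)."""
    zip3 = zip5[:3]
    if zip3_population.get(zip3, 0) > ZIP3_POPULATION_THRESHOLD:
        return zip3
    return "000"


def safe_harbor_age(birth: date, as_of: date) -> str:
    """Exact age in years up to 89; anything older is reported as '90+'."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if had_birthday else 1)
    return str(age) if age <= AGE_CAP else "90+"


def to_limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Remove direct identifiers only; city/state/ZIP, dates and codes stay.
    The guide requires a Data Use Agreement from every recipient."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def to_safe_harbor(record: dict[str, Any], zip3_population: dict[str, int],
                   as_of: date) -> dict[str, Any]:
    """Reduce a record to Safe Harbor de-identified form: no direct
    identifiers, no geography below state except the ZIP3 rule, dates
    reduced to years, ages over 89 aggregated (birth year dropped too)."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in LDS_ONLY}
    if "zip" in record:
        out["zip3"] = safe_harbor_zip3(record["zip"], zip3_population)
    if "birth_date" in record:
        birth = date.fromisoformat(record["birth_date"])
        out["age"] = safe_harbor_age(birth, as_of)
        if out["age"] != "90+":          # a birth year would reveal age > 89
            out["birth_year"] = birth.year
    for field in sorted(DATE_FIELDS - {"birth_date"}):
        if field in record:              # keep only the year of other dates
            out[field.replace("_date", "_year")] = date.fromisoformat(record[field]).year
    return out


def safe_harbor_violations(record: dict[str, Any]) -> list[str]:
    """Check an extract offered as 'de-identified' before accepting it
    (the guide requires this verification for data from outside the OHCA)."""
    findings = [f"direct identifier present: {k}"
                for k in sorted(record.keys() & DIRECT_IDENTIFIERS)]
    findings += [f"not permitted in de-identified data: {k}"
                 for k in sorted(record.keys() & LDS_ONLY)]
    age = record.get("age")
    if age is not None and age != "90+" and int(age) > AGE_CAP:
        findings.append(f"age over {AGE_CAP} must be reported as '90+'")
    zip3 = record.get("zip3")
    if zip3 is not None and not (len(zip3) == 3 and zip3.isdigit()):
        findings.append("zip3 must be three digits or '000'")
    return findings


# Constructed sample data: a fictional fully identified row and a made-up
# ZIP3 population table (not census figures).
SAMPLE_RECORD = {
    "name": "Jane Example", "street_address": "1 Example Way",
    "city": "Exampleton", "state": "CA", "zip": "92301",
    "phone": "555-0100", "mrn": "MRN-000001",
    "birth_date": "1930-05-17", "admission_date": "2023-03-02",
    "diagnosis": "hypertension", "study_code": "S-0042",
}
ZIP3_POPULATION = {"923": 150_000, "999": 4_000}
AS_OF = date(2024, 1, 1)

if __name__ == "__main__":
    print("Limited Data Set:", to_limited_data_set(SAMPLE_RECORD))
    deid = to_safe_harbor(SAMPLE_RECORD, ZIP3_POPULATION, AS_OF)
    print("Safe Harbor:", deid, "violations:", safe_harbor_violations(deid))
```

Note that the Safe Harbor check flags a Limited Data Set as non-compliant, which is the point: a Limited Data Set is still PHI and needs a Data Use Agreement, while only the Safe Harbor form falls outside the Privacy Rule.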
Whereas all or most direct identifiers are completely excluded from de-identified or limited data sets, coded data is linked to direct identifiers through the use of a code. As with de-identified data, coded data is not subject to the Privacy Rule. However, the code itself IS subject to the Privacy Rule because it can be used to re-identify study subjects. Therefore, codes are regulated at Loma Linda University in the following ways:
- When coded data is obtained internally from a Certified Data Release Department (CDRD): Requests for coded data with a re-identification key will be processed through the CDRD using a data request form (see also data request form instructions). The re-identification key will be maintained by the CDRD and may be used to decode a research record if the IRB/Privacy Board grants permission to do so. Permission will be granted if decoding the record is essential to the healthcare of the individual or to the research project.
- When coded data is obtained from an external source (e.g. collaborators, sponsors, research tissue banks or other data repositories): When coded data is obtained from an external source, LLU investigators receiving the data will be required to sign a Code Access Agreement in which they will agree not to try to break the code in order to identify the study subjects.
- When coded data is sent to an external source: When LLU investigators send coded data to recipients that are external to the OHCA, those recipients will be required to sign a Code Access agreement in which they will agree not to try to break the code in order to identify the study subjects.
Waiver of Authorization
The IRB/Privacy Board may waive the requirement to obtain authorization to use/disclose PHI of research subjects only if the investigator provides documentation that ALL of the following conditions have been satisfied:
- The use/disclosure of the PHI involves no more than minimal risk to the privacy of the research subjects, based on the presence of at least the following elements:
- An adequate plan to protect the identifiers from improper use and disclosure;
- An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
- Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law or for authorized oversight of the research project;
- The research could not be practicably conducted without the waiver; and
- The research could not be practicably conducted without access to and use of the PHI.
MINIMUM NECESSARY STANDARD APPLIES:
The use/disclosure of PHI subject to a waiver must be held to the minimum necessary to achieve the research purpose.
TRACKING OF DISCLOSURES IS REQUIRED:
Disclosures of PHI outside the OHCA made under a waiver must be tracked, as described above for research in which authorization is not obtained.
Decedents' research is a special category of research that qualifies for a waiver of authorization. Under the Privacy Rule, the privacy rights of deceased individuals are protected as well as those of living individuals. However, the IRB/Privacy Board may waive the authorization requirement if the investigator provides documentation that:
- The PHI use/disclosure is being sought solely for research purposes;
- The PHI is necessary for the research purposes; and
- Documentation of the death of the individuals will be provided upon request of the IRB.
Preparatory Research
Reviewing patient records in order to design a research study, or to determine the feasibility of a research study, is an example of PHI access that is preparatory to research. This kind of records review is allowed without obtaining authorization or a waiver of authorization from the IRB/Privacy Board.
For preparatory research, investigators may submit a Data Request form (see also Data Request instructions) directly to a Certified Data Release Department. Instead of attaching a copy of the IRB/Privacy Board approval to the LLU Data Request Form, investigators will attach a Preparatory-to-Research Certification. The following requirements apply:
- A written attestation is provided by the investigator on the Certification For Access To Data Preparatory To Research form that:
- The PHI use/disclosure is being sought solely for purposes preparatory to research (e.g. to prepare a research protocol or determine feasibility of a research study);
- Access to the PHI is necessary for the research purpose; and
- No protected health information will be removed from the covered entity by the researcher in the course of the review (e.g. the investigator will not share PHI with any person or entity outside the OHCA).
- There is no limit on the number of records that an investigator can review preparatory to research. However, Loma Linda University policy specifies that data can be copied down from only 25 records for the investigator's use. For those 25 records, investigators may copy down only what is allowed for a Limited Data Set. No direct identifiers may be recorded by the investigator during reviews preparatory to research. The IRB/Privacy Board must review and approve requests to collect data from more than 25 records, or to collect more data than is allowed for a Limited Data Set.
- Minimum Necessary Standard applies: The use/disclosure of PHI under Preparatory Research must be held to the minimum necessary to achieve the research purpose.
- Tracking of Disclosures is Required: Tracking will be required for disclosures of PHI outside the OHCA.
How does the Privacy Rule affect patient recruitment?
Recruitment practices often require access to identifiable health information by the principal investigator and his/her research staff. However, the Privacy Rule does not stand alone in recruitment oversight, but builds on other federal regulations that apply to human studies research (i.e. the Common Rule and the FDA regulations) as well as local IRB restrictions. The following recruitment practices are approved at Loma Linda University based on the combination of all of these regulatory requirements:
How may investigators search for potential research subjects?
- A treating physician who is also an investigator may review medical records of his/her own patients to find potential research subjects.
- A treating physician may share de-identified information with an investigator to determine a patient's eligibility for a study, provided that HIPAA requirements for de-identification are met. In order for the patient to be identified to the investigator (non-treating practitioner), an approved IRB protocol must specify an approved method for contacting patients.
- An investigator may review medical records or other databases under preparatory research provisions to find potential research subjects. This option is only available to investigators inside the OHCA, and the Privacy Rule prohibits releasing this information outside the OHCA. While it is true that the Office of Civil Rights allows contact of potential research subjects through preparatory research provisions, this practice is prohibited at Loma Linda University because it stands opposed to privacy protections enforced by the Common Rule. If an investigator wishes to contact an individual that has been found preparatory to research, a recruiting plan for contacting individuals must be submitted with the IRB application.
- The investigator may apply to the IRB/Privacy Board for a partial waiver of authorization for recruitment purposes. The Privacy Rule requirements and conditions for a waiver apply.
How may investigators contact potential research subjects?
The Privacy Rule augments existing federal and local IRB requirements that relate to contacting potential research subjects. As a general rule, the initial contact should not be made by someone with whom the potential research subject has had no prior clinical contact. Therefore, an investigator and his/her staff must either allow a potential research subject to initiate the contact, or work together with medical staff with whom the patient is familiar (e.g. the patient's treating physician) to make the first contact. The following is guidance for Privacy Rule-compliant methods of contacting potential study subjects. It is not meant to be all-inclusive. A recruitment plan, including the methods of contacting potential subjects, should be submitted to the IRB/Privacy Board as part of the protocol application.
- The potential research subject may initiate the contact by responding to an IRB-approved advertisement or similar recruitment notice.
- A treating physician who is also an investigator may talk directly to the patient about recruitment into a research trial.
- If the treating physician is not the investigator, the treating physician must get an authorization to refer the patient to the investigator. The investigator may then rely on the authorization to contact the individual. The investigator will then obtain a second authorization from the patient to participate in the research.
- If approved by the IRB, a treating physician and investigator may co-sign a recruitment letter to patients.
- An investigator may contact potential research subjects if granted a partial waiver of authorization for recruitment purposes from the IRB/Privacy Board. Investigators inside or outside the OHCA may use this option. The Privacy Rule requirements and conditions for a waiver apply.
What do I need to know about a subject's ability to revoke an authorization to use his or her protected information?
An individual always has the right to revoke consent to participate in the research. The Privacy Rule now requires that a research subject have the ability to revoke a previously signed authorization for investigators to use or disclose his/her protected health information for research. Investigators must honor this request, except to the extent they have already "relied on" the permission.
As an example, if investigators have already included a subject's protected information in the analysis of the data, the analysis can be maintained. In addition, investigators may continue using and disclosing protected health information that was obtained prior to the time the subject revoked his/her authorization, as necessary to maintain the integrity of the research study.
However, investigators may not use or disclose additional information that they have not yet accessed at the time the authorization is being withdrawn, except for purposes such as accounting for the subject's withdrawal, reporting adverse events, or complying with investigations. If a subject revokes authorization to use his/her protected information, HIPAA permits you to withdraw them from the study, including any treatment component (subject, of course, to any other professional standards that would prompt their continuation, such as the medical need for them to taper off a study drug).
What is a Business Associate Agreement and when do I need to have one?
Business Associates are discussed in depth in the "HIPAA & You" Privacy and Security Training manual. For research, it is important to remember that a Business Associate is an individual or entity outside of the OHCA that:
- Performs or assists employees of the OHCA (including investigators, physicians and other employees) in performing any function or activity that involves use or disclosure of Protected Health Information, and
- Acts on behalf or at the request of an investigator who works for the OHCA as broadly defined above.
Who are considered to be Business Associates?
A third party that is asked to perform a function on the investigators' behalf that is not itself research may be a business associate if it receives, analyzes or processes protected health information.
The following are all likely to be Business Associates:
- A consultant or contractor that analyzes data or performs lab tests on identifiable tissue samples;
- A software installer who has access to PHI during the installation;
- A research institution or investigator performing part of the research under a subcontract with LLU or its affiliates;
- A web hosting or data storage company that an investigator (rather than the sponsor) has engaged;
- Third parties that handle billing for a research study on an investigator's behalf; and
- A third party that handles recruitment and screening that an investigator (rather than the sponsor) has engaged.
The following are not considered to be Business Associates:
- Outside investigators and coordinating or statistical centers participating in multi-site research;
- Research sponsors; and
- CROs (Contract Research Organizations), monitors and data warehouses that are engaged by a sponsor rather than the investigator at LLU and/or affiliates, even if the investigator will receive or have access to the work product.
The Privacy Rule requires the institution to enter into a specific form of Business Associate Agreement with any business associate prior to disclosure of PHI. Business Associate Agreements must include:
- Restrictions on how PHI may be used or disclosed;
- A promise that the Business Associate will protect the PHI;
- A promise that the Business Associate will return the PHI at the end of the contract; and
- An assurance that the Business Associate will make PHI available as needed for federal or state law compliance.
Be aware that if research is being conducted in collaboration with another institution, a carefully worded Memorandum of Understanding may be sufficient. Instructions regarding Business Associate Agreements can be found on the Privacy in Research website or in the "HIPAA & You" Security and Training manual. For more information regarding Business Associate Agreements, contact Tonya Okon (558-6453, or ext. 66453).
Investigators often engage in collaborative relationships with individuals or entities outside of the OHCA. Since April 14, 2003, sharing PHI outside of the OHCA constitutes a "disclosure" that is subject to the HIPAA Privacy Rule. When information is shared among multiple sites, the Privacy Rule may present issues that do not arise in other research contexts. Investigators involved in multi-center research projects may want to consider the following:
- The privacy authorization should list the sites and sponsor (if any) that may be involved in the research and to which subjects' identifiable health information may be disclosed, and for what purposes the information will be disclosed.
- The sites should develop a cooperative mechanism for protecting subjects' individual rights as provided by the Privacy Rule. Specifically sites must be able to: 1) obtain identifiable health information from one another to respond to a subject's request to inspect or copy the information; 2) inform one another of amendments to a subject's health information; and 3) in waivered studies, advise one another (and the sponsor, if any) of a subject's request to receive an accounting of disclosures.
- The investigator should determine whether any relationships with outside sites or entities with which identifiable information will be shared are Business Associate relationships requiring Business Associate Agreements.
- If research data can be de-identified before it is disclosed to other sites or entities, the disclosure is not subject to Privacy Rule requirements, because de-identified data is no longer PHI. If the data can instead be reduced to a limited data set, the disclosure may be made without authorization or accounting, but the recipient must first sign a data use agreement.
Any institutional entity that maintains a database with PHI that could be shared or disclosed to others should become a Certified Data Release Department (CDRD). For further questions concerning research databases, contact the Office of Research Affairs (x44426).
If you review records from your database preparatory to research, regulations require that you make certain attestations regarding the preparatory work. This information is captured in the form Certification for Access to Data Preparatory to Research. You must complete this form as well as describe the data you are referencing in the preparatory research. This can be accomplished by completing the appropriate sections of the Data Request Form (see also: instructions) used by the CDRD. This information must be maintained in your department for at least six years after the information is accessed.
LLU general counsel has made the determination that if data is collected for QI/QA reasons under peer review, information pertaining to this quality review process and its outcome is confidential and is protected and considered non-discoverable under California State Law, Evidence Code 1157. Therefore, any information under 1157 protection may NOT be used for research because of the legal protections surrounding that information.
However, there may be information collected for other health care operations activities that do not fit under the 1157 protection. For research use of data collected for health care operations purposes prior to IRB approval that is not under the Evidence Code 1157, the IRB may allow the use of the data. In order for the IRB to consider the request, the investigator must submit documentation from the appropriate healthcare operations committee to verify that: 1) the data were collected for health care operations activities; and 2) are not subject to Evidence Code 1157.
A case report on one or two patients is generally not considered research. However, any PHI disclosed in a case report is still subject to the Privacy Rule. Therefore, if a unique case is described in a way that may identify the individual to the general public simply by describing the disease or the unique treatment received, authorization from the patient is required before the information is disclosed in a published article, meeting abstract, or any other form of public presentation.
IRB-approved recruitment practices should be followed when contacting a patient or patients to obtain their authorization for disclosure of information in a case report. For example, if the case is being researched or presented by someone other than the treating physician, the initial contact should be made by, or at least in collaboration with, the clinical department that treated the patient and with whom the patient is familiar.
If patient authorization is not possible, a waiver of authorization may be submitted to the IRB/Privacy Board.
Tracking will be required for disclosures of PHI outside the OHCA under three conditions:
- For Preparatory Research,
- For research when a Waiver of Authorization is obtained, and
- For research on Decedents (a special class of research that qualifies for a waiver).
If investigators receive information internally from a Certified Data Release Department (CDRD) that will be disclosed outside the OHCA, the CDRD will be responsible for tracking those disclosures. However, investigators are responsible for tracking disclosures made from their own data repositories.
The Disclosure Tracking System (DTS) is a web-based application that serves as a central repository for disclosures that are subject to the accounting requirement of the Privacy Rule. Information for using the DTS is found in the "HIPAA & You" Privacy And Security training manual and the LLUMC VIP page http://wisdom.mc.llumc.edu/hipaa/ .
The Privacy Rule requires that all patients receive an NPP and that a good-faith effort be made to obtain the patient's signed acknowledgement of receipt; at this institution the signed acknowledgement is placed in the patient's medical record for any visit after April 14, 2003. In general, a patient receives the NPP during the normal course of care.
However, investigators must be aware that in certain circumstances (such as recruiting patients from outside sources) patients may not receive the NPP through the regular course of treatment. If you have patients who will not be receiving the NPP, the forms are available on the HIPAA website; they must be given to the patient, and the patient must sign an acknowledgement form. A list of locations from which an NPP can be obtained is in the "HIPAA & You" Training and Security manual, available from the Compliance department, or from the VIP HIPAA website at: http://wisdom.mc.llumc.edu/hipaa/.
For questions regarding:
- Policies relating to privacy in research, or suggested revisions to the Researcher's Guide to HIPAA; and
- How to complete the required forms for authorization and waivers, or the status of requests submitted to the Privacy Board:
Linda Halstead, MA, Director, Research Affairs -- Research Protection Programs
For research-related privacy complaints, compliance with privacy or other research-related regulatory requirements, and general questions about privacy/HIPAA compliance at Loma Linda University:
LLU HIPAA/Privacy page (including Privacy Officer contact information)
Accounting of Disclosures — Under some circumstances, the HIPAA Privacy Rule gives individuals the right to request an accounting of disclosures of their PHI made during the previous six years (no accounting is required for disclosures made before April 14, 2003). This right applies to: 1) disclosures made without the individual's authorization under a Waiver of Authorization, 2) Preparatory Research, 3) Decedents' Research, and 4) disclosures mandated by law. This right does not apply to: 1) disclosures made at the request of the individual, 2) disclosures that are Authorized by the individual, 3) Limited Data Sets, and 4) De-identified data.
Authorization —A document, signed by a subject in human study research, that designates permission to the investigator to use and disclose the subject's Protected Health Information .
Business Associate —A person/entity external to LLU and its affiliates that: 1) receives PHI from LLU or a LLU investigator, and 2) performs a service on behalf of LLU or a LLU investigator. Business Associates may include: web-hosting/data storage companies, third party billing companies, consultants, and third parties hired to screen potential subjects. Business Associates generally do not include: research collaborators, sponsors, research coordinating and statistical centers. Business Associates who receive PHI will be required to sign a Business Associate Agreement .
Business Associate Agreement — An agreement that dictates how a Business Associate will handle PHI received from LLU and its affiliates, including: restrictions on use/disclosures of the PHI, a promise to protect the PHI, a promise to return the PHI at the end of the contract, and an assurance to make the PHI available for federal or state law compliance.
Certified Data Release Department (CDRD) — Departments or other entities of LLU and its affiliates that: 1) store data, and 2) are certified by either the Compliance Office or the LLU IRB to review and process requests to obtain access to PHI from researchers. Requests to the CDRD are made using a Data Request Form .
Code Access Agreement — An agreement that prohibits the breaking of a code to Coded Data in order to identify and contact individuals participating in human studies research.
Coded Data — Data that is separated from direct identifiers through use of a code. Investigators will be required to sign a Code Access Agreement when they: 1) receive coded data from an entity external to LLU and its affiliates, or 2) send coded data to an entity external to LLU and its affiliates. Data may be decoded when necessary for healthcare operations, i.e. to benefit the health of the patient.
Data Use Agreement — An agreement that describes the permissible uses/disclosures by an investigator of PHI within a Limited Data Set and prohibits re-identifying or using the PHI to contact individuals.
Decedents' Research — Deceased individuals are afforded the same privacy rights as living individuals under HIPAA. The LLU IRB may grant a waiver to do decedents' research, provided that the required representations are made by the researcher.
De-Identified Data — Data from which all Direct Identifiers have been removed. De-identified data is no longer PHI and is not subject to HIPAA.
Direct Identifiers — Data elements that could be used to identify an individual. These include: 1. Names; 2. Geographic subdivisions smaller than a state, including street address, city, county and zip code (except the first three digits of the zip code, and only if the area sharing those three digits contains more than 20,000 people; otherwise the three digits are replaced with 000); 3. All elements of dates (except year) directly related to an individual, including dates of admission, discharge, birth and death, and all ages over 89 (which may be aggregated into a single category of "90 or older"); 4. Telephone numbers; 5. Fax numbers; 6. Electronic mail addresses; 7. Social security numbers; 8. Medical record numbers; 9. Health plan beneficiary numbers; 10. Account numbers; 11. Certificate/license numbers; 12. Vehicle identifiers and serial numbers, including license plate numbers; 13. Device identifiers and serial numbers; 14. Web URLs; 15. Internet protocol (IP) addresses; 16. Biometric identifiers, including fingerprints and voice recordings; 17. Full-face photographs and comparable images; and 18. Any other unique identifying number, characteristic or code that could reasonably be used to identify an individual.
Disclosure of PHI — The release of PHI to anyone or any entity outside of Loma Linda University and its affiliates in the OHCA . See Use of PHI for a listing of job categories included in the use category. Release of PHI to anyone else (such as colleagues or research collaborators at another institution) would be a Disclosure.
HIPAA [pr: hip'-ah]— The Health Insurance Portability and Accountability Act of 1996. A federal law that was designed to allow portability of health insurance between jobs. The Privacy Rule is the component of HIPAA that protects personally identifiable health information.
Individually Identifiable Health Information (IIHI) —A subset of health information, created or received, that identifies an individual or can reasonably be used to identify an individual because it includes Direct Identifiers .
Limited Data Set (LDS) — A set of data that may be used for research without authorization or waiver of authorization. Only the following Direct Identifiers may be retained in an LDS: 1) town, city, state and zip code (but not street address); 2) all dates, such as birth dates, admission and discharge dates, and date of death; and 3) unique numbers, characteristics and codes. Recipients of an LDS must sign a Data Use Agreement.
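The Direct Identifiers and Limited Data Set entries above describe two different reductions of the same record: Safe Harbor de-identification removes every listed identifier and coarsens dates and zip codes, while an LDS keeps town/city/state/zip, full dates and study codes but still drops the other direct identifiers. The script below is an added example written for this guide, not code from LLU or from any HIPAA tool; it applies both reductions to a constructed sample record. The field names, the ZIP3_POPULATION lookup table, the SAMPLE_RECORD and the free-text regexes are all assumptions made for the example (a real scrubber needs a far richer pattern set, and a study identifier may only survive Safe Harbor if it is not derived from the identifiers being removed).

```python
"""Added example: Safe Harbor de-identification vs. Limited Data Set.

Everything here is constructed for illustration and is not part of the
original guide: field names, the ZIP prefix population table, the sample
record and the free-text patterns are assumptions.
"""
import re
from datetime import date

# Structured fields matching Safe Harbor items 1 and 4-17 of the guide's list.
# These are removed for both de-identified data and a Limited Data Set
# (the LDS keeps city/state/zip and full dates; Safe Harbor does not).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vin",
    "device_serial", "url", "ip_address", "biometric", "photo",
})

# Identifier-shaped substrings that leak through a free-text notes field.
# Illustrative only; a production scrubber needs many more patterns.
FREE_TEXT_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]

# Hypothetical population per 3-digit ZIP prefix (constructed sample data).
# Safe Harbor item 2: keep the first three ZIP digits only when the combined
# area has more than 20,000 people; otherwise they become "000".
ZIP3_POPULATION = {"923": 800_000, "036": 15_000}

# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "000123456",
    "street_address": "1 Example Way",
    "city": "Loma Linda", "state": "CA", "zip": "92354",
    "dob": date(1931, 5, 2),
    "admit_date": date(2003, 4, 20),
    "study_id": "S-0042",          # assumed not derived from any identifier
    "diagnosis": "E11.9",
    "notes": "Pt reachable at 909-555-0142, f/u 05/12/2003.",
}


def scrub_text(text: str) -> str:
    """Redact identifier-shaped substrings in free text."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def zip3(zipcode: str) -> str:
    """Return the retainable 3-digit ZIP prefix, or '000' for small areas."""
    prefix = zipcode[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def age_on(dob: date, asof: date) -> int:
    """Whole years between dob and asof."""
    return asof.year - dob.year - ((asof.month, asof.day) < (dob.month, dob.day))


def limited_data_set(record: dict) -> dict:
    """LDS: drop direct identifiers, keep geography below state level, full
    dates and unique codes, and scrub free text."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    if "notes" in out:
        out["notes"] = scrub_text(out["notes"])
    return out


def safe_harbor(record: dict, asof: date) -> dict:
    """Safe Harbor: start from the LDS, then remove sub-state geography except
    the ZIP prefix, reduce dates to the year, and aggregate ages over 89."""
    out = limited_data_set(record)
    for key in ("city", "county"):
        out.pop(key, None)                      # item 2
    if "zip" in out:
        out["zip3"] = zip3(out.pop("zip"))      # item 2, with the 20,000 rule
    age = age_on(record["dob"], asof) if record.get("dob") else None
    for key, value in list(out.items()):
        if isinstance(value, date):
            out[key] = value.year               # item 3: year only
    if age is not None:
        if age > 89:
            out["age"] = "90+"                  # item 3: aggregate ages over 89
            out.pop("dob", None)                # a birth year would reveal the age
        else:
            out["age"] = age
    return out


def demo() -> dict:
    """Run both reductions over the constructed record at two reference dates."""
    return {
        "lds": limited_data_set(SAMPLE_RECORD),
        "safe_harbor_2003": safe_harbor(SAMPLE_RECORD, date(2003, 4, 20)),
        "safe_harbor_2022": safe_harbor(SAMPLE_RECORD, date(2022, 6, 1)),
    }


if __name__ == "__main__":
    for label, reduced in demo().items():
        print(label, reduced)
```

The free-text scrub is the part practitioners most often forget: removing the structured name and MRN columns does nothing about a phone number or visit date typed into a notes field, and that field alone can defeat both the LDS and Safe Harbor reductions.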
Minimum Necessary — A HIPAA Privacy Rule standard requiring that investigators use or disclose only the minimum amount of PHI that is necessary to accomplish the intended purpose. The Minimum Necessary standard applies when a Waiver of Authorization has been obtained, Preparatory Research , Decedents' Research , and Limited Data Sets . It does not apply to uses/disclosures of PHI that are Authorized or to De-identified data .
Notice of Privacy Practices (NPP) — The Privacy Rule requires that all patients visiting this institution after April 14, 2003, receive an NPP that tells them how their health information will be used. An acknowledgement of receipt is signed by the patient and placed in the patient's medical record. In general, a patient will receive the NPP during the normal course of care. However, investigators are responsible for providing the NPP and receiving back a copy of the signed acknowledgement if the individual does not get it from any other source, e.g. if he/she is responding to a recruitment ad. A list of locations from which an NPP can be obtained is in the "HIPAA & You" Training and Security manual, available from the Compliance department, or from the VIP HIPAA website at: http://wisdom.mc.llumc.edu/hipaa/.
Organized Health Care Arrangement (OHCA) — Covered entities under the Privacy Rule that participate in a joint arrangement to comply with the Privacy Rule. All entities under this arrangement may use the same Notice of Privacy Practices and the same mechanism to provide an Accounting of Disclosures to a patient or study subject upon request. Sharing of Protected Health Information within the OHCA is considered a Use [See Use of PHI], while sharing information outside the OHCA is considered a Disclosure [See Disclosure of PHI]. LLUAHSC entities under the OHCA are: Loma Linda University, Loma Linda University Medical Center, Loma Linda University Health Care and the affiliated clinical practice corporations, and Loma Linda University Behavioral Medicine Center.
Preparatory Research — Data or records review that is performed in order to design or to determine the feasibility of a research study. Preparatory research is allowed without authorization or waiver of authorization, provided that the required representations are made by the investigator. Investigators may review an unlimited number of records; however, information may be copied by the investigator from only 25 records without IRB approval. Requests to copy information from more than 25 records must be submitted to the IRB. From these 25 records, investigators may only copy for their own use data elements that are allowed for a Limited Data Set .
Privacy Board — A committee authorized by the HIPAA Privacy Rule that approves a Waiver of Authorization and monitors the use and disclosure of PHI collected in human studies research. At LLU, the Institutional Review Board serves as the Privacy Board.
Protected Health Information (PHI) — Individually Identifiable Health Information that is transmitted or maintained in any form.
Use of PHI — The sharing of PHI within Loma Linda University and its affiliates in the OHCA . If a person is a student, employee, faculty member, member of the medical staff, either part time or full time, and information is given to them, it is considered a use.
Waiver of Authorization —The requirement to obtain Authorization from human study subjects may be waived by the Privacy Board if specific criteria are met. Investigators should be aware that more stringent conditions [See Minimum Necessary ] and record-keeping conditions [See Accounting of Disclosures ] apply when authorization is not obtained.