HIPAA and Research. Basics for IRB Tim Atkinson Director, Research and Sponsored Programs Director, Institutional Review Board Research Privacy Officer. HIPAA and Research. Historically, the protection of human subjects in research has been presented as the responsibility of . . . PI
Basics for IRB
Director, Research and Sponsored Programs
Director, Institutional Review Board
Research Privacy Officer
Historically, the protection of human subjects in research has been presented as the responsibility of . . .
Also know as the . . .
… of human subjects protection.
Kick one leg out, the whole thing falls down.
And OHRP shows up and makes us fix the leg to prop it back up . . .
Or they make us get a new stool entirely . . .
And informed consent has been somewhat taken for granted….
. . . as the subject layer of protection.
The subject is responsible for his or her own protection by means of effective informed consent. We reveal what will happen, and the subject decides yes or no to participate.
And now, introducing . . .
Yet another opportunity for us to respect the subjects rights when we use their information for research.
Investigators must certify in writing the following three elements
To Request a waiver of authorization from the IRB the PI MUST:
(1) Provide a brief description of the PHI.
(2) Use the following methods to ensure minimal risk to privacy of individuals:
(a) Describe an adequate plan to protect the identifiers from improper use or disclosure.
(b) Describe an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of research, unless there is a health or research justification for retaining the identifiers or retentions is required by law.
(c) Assure the IRB in writing that the PHI will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research as permitted by the HIPAA regulations.
If the IRB grants the waiver the letter must state:
HIPAA Research Authorization NOT required when data set is de-identified
Refer to UAMS De-Identification Policy to determine proper de-identification methods. Properly de-identified data would fall outside this policy.
HIPAA Research Authorization is NOT required if the PI or PD uses a Limited Data Set and Signs a Limited Data Set Agreement.
The limited data set shall exclude the following identifiers:
Limited Data set CAN have:
Research on existing databases
Collecting PHI for the sole purpose of creating a research database.
Recruitment for Research under HIPAA.
What’s been said:
(1)Are you using protected health information defined by HIPAA?
No. HIPAA satisfied.
Yes. Goto Next Slide
(2)Are you using de-identified subject data?
Yes: HIPAA satisfied
No: Goto Next Slide
(3) Are you using a limited data set as defined by HIPAA?
Yes: A limited data set agreement is required prior to final IRB approval. If the limited data set agreement is not attached to the IRB submission, the IRB will cite you one minor revision. HIPAA Satisfied
No: Goto Next Slide
(4) Additional HIPAA Subject Authorization Required. Please attach it in the documents section. The IRB will cite you one minor revision this form is not included during IRB review. HIPAA satisfied.