hipaa and research n.
Skip this Video
Loading SlideShow in 5 Seconds..
HIPAA and Research PowerPoint Presentation
Download Presentation
HIPAA and Research

Loading in 2 Seconds...

play fullscreen
1 / 26

HIPAA and Research - PowerPoint PPT Presentation

  • Uploaded on

HIPAA and Research. Basics for IRB Tim Atkinson Director, Research and Sponsored Programs Director, Institutional Review Board Research Privacy Officer. HIPAA and Research. Historically, the protection of human subjects in research has been presented as the responsibility of . . . PI

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'HIPAA and Research' - ataret

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
hipaa and research

HIPAA and Research

Basics for IRB

Tim Atkinson

Director, Research and Sponsored Programs

Director, Institutional Review Board

Research Privacy Officer

hipaa and research1
HIPAA and Research

Historically, the protection of human subjects in research has been presented as the responsibility of . . .




hipaa and research2
HIPAA and Research

Also know as the . . .


… of human subjects protection.

Kick one leg out, the whole thing falls down.

hipaa and research3
HIPAA and Research

And OHRP shows up and makes us fix the leg to prop it back up . . .

hipaa and research4
HIPAA and Research

Or they make us get a new stool entirely . . .

hipaa and research5
HIPAA and Research

And informed consent has been somewhat taken for granted….

hipaa and research6
HIPAA and Research

. . . as the subject layer of protection.

hipaa and research7
HIPAA and Research

The subject is responsible for his or her own protection by means of effective informed consent. We reveal what will happen, and the subject decides yes or no to participate.

hipaa and research8
HIPAA and Research

And now, introducing . . .


Yet another opportunity for us to respect the subjects rights when we use their information for research.

hipaa and research9
HIPAA and Research
  • It is the policy of UAMS that investigators must certify in writing the following three elements when seeking information from RECORDS about the deceased:
  • (1) Seeks use and disclosure of PHI from RECORDS just for research on deceased individuals
  • (2) Will provide proof of death if RECORDS requests it, and
  • (3) That the PHI sought from RECORDS is solely for research and nothing else. For these purposes, PIs will sign a form with these certifications on it.
hipaa and research10
HIPAA and Research
  • Reviews Prepatory to Resarch :

Investigators must certify in writing the following three elements

  • (1) The PI seeks use and disclosure of PHI from RECORDS solely to review such information as necessary to prepare a research protocol or similar purposes prepatory to research
  • (2) PI shall not remove any PHI from RECORDS in the course of review (and will only collect de-identified data), and
  • (3) the PHI from RECORDS is necessary for research purposes. For these purposes, PI’s must fill out FORM E, as attached, and submit it to UAMS Medical Records before UAMS Medical Records can release the PHI to the ust ainvestigator. RECORDS mccount for these disclosures.
hipaa and research11
HIPAA and Research
    • HIPAA Research Authorization Vs. Informed Consent for Research
  • After April 14, 2003, all research projects that use or create PHI will require subjects to sign the usual IRB approved informed consent to participate in a research project form AND an patient authorization. The IRB will look for the usual informed consent AND the additional HIPAA Research Authorization as criteria for granting final approval for a research project. After April 14, 2003, if authorization is not included on projects using or creating PHI, then the IRB will cite this as a minor revision prior to granting final approval.
hipaa and research12
HIPAA and Research
    • Grandfathering HIPAA Research Authorization
  • Subjects consented prior to April 14, 2003 under projects already approved by the IRB do NOT have to sign authorization.
hipaa and research13
HIPAA and Research

To Request a waiver of authorization from the IRB the PI MUST:

(1) Provide a brief description of the PHI.

(2) Use the following methods to ensure minimal risk to privacy of individuals:

(a) Describe an adequate plan to protect the identifiers from improper use or disclosure.

(b) Describe an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of research, unless there is a health or research justification for retaining the identifiers or retentions is required by law.

(c) Assure the IRB in writing that the PHI will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research as permitted by the HIPAA regulations.

hipaa and research14
HIPAA and Research

If the IRB grants the waiver the letter must state:

  • Name of the IRB and the FWA assurance number.
  • Date of action
  • A statement that the IRB determined that the waiver satisfies all the criteria listed above.
  • A brief description of the PHI for which use and disclosure has been determined to be necessary for research by the IRB. (Provided by the PI above).
  • The type of review administered under the common rule (expedited, full)
  • Signature of the chair or designee.
hipaa and research15
HIPAA and Research

HIPAA Research Authorization NOT required when data set is de-identified

Refer to UAMS De-Identification Policy to determine proper de-identification methods. Properly de-identified data would fall outside this policy.

hipaa and research16
HIPAA and Research

HIPAA Research Authorization is NOT required if the PI or PD uses a Limited Data Set and Signs a Limited Data Set Agreement.

The limited data set shall exclude the following identifiers:

  • Name
  • Street address
  • Telephone and fax numbers
  • Email addresses
  • Social Security number
  • Certifcate/License number
  • URLS and IP addresses
  • Full face photos and comparable images
hipaa and research17
HIPAA and Research

Limited Data set CAN have:

  • Admission date
  • Discharge date
  • Service dates
  • Date of death
  • Age (including 90 or over)
  • Five digit zip code
hipaa and research18
HIPAA and Research

Research on existing databases

  • Existing research databases must already have IRB approval. All new uses of existing databases, not yet approved by the IRB, must be submitted to the IRB for approval before the new use is started. The PI should approach the research using any of the above methods described under the previously described procedures.
hipaa and research19
HIPAA and Research

Collecting PHI for the sole purpose of creating a research database.

  • In order to collect PHI from RECORDS to create a database or to create a database using PHI during the course of treatment for the purpose of research, the PI must seek patient authorizations or seek a waiver of authorization from the IRB as previously described.
hipaa and research20
HIPAA and Research

Recruitment for Research under HIPAA.

What’s been said:

  • Researchers, physicians and investigators may not retrieve names from RECORDS to contact subjects without subject authorization or waiver of authorization as described.
hipaa and research21
HIPAA and Research

Important NOTES:

  • PI is responsible for research records (use and disclosure) where no medical record exists.
  • ORSP will be responsible for limited data set agreements in conjunction with UA legal.
hipaa and research22
HIPAA and Research

(1)Are you using protected health information defined by HIPAA?

No. HIPAA satisfied.

Yes. Goto Next Slide

hipaa and research23
HIPAA and Research

(2)Are you using de-identified subject data?

Yes: HIPAA satisfied

No: Goto Next Slide

hipaa and research24
HIPAA and Research

(3) Are you using a limited data set as defined by HIPAA?

Yes: A limited data set agreement is required prior to final IRB approval. If the limited data set agreement is not attached to the IRB submission, the IRB will cite you one minor revision. HIPAA Satisfied

No: Goto Next Slide

hipaa and research25
HIPAA and Research

(4) Additional HIPAA Subject Authorization Required. Please attach it in the documents section. The IRB will cite you one minor revision this form is not included during IRB review. HIPAA satisfied.