CUNY Research and HIPAA after August 2002 Privacy Rule CUNY Research Training Session March 27, 2003 Presented by Mark Barnes

CUNY Research and HIPAAafter August 2002 Privacy Rule

CUNY Research Training Session

March 27, 2003

Presented byMark Barnes

9122071

2

CUNY Training Topics

• Overview of the HIPAA Privacy Regulations

• Who is a “Covered Entity” Under HIPAA and Who is Not

• Overview of CUNY Researcher’s Obligations if Research Involves a Covered Entity’s “Protected Health Information”

• The HIPAA Challenge for Researchers

• HIPAA Authorization for Research

• New HIPAA forms and IRB procedures for Research Without Authorization

• Impact of HIPAA on Exempt Research

• Impact of HIPAA on Database/Repository Research

• Accounting for Disclosures and Transition Rules• CUNY HIPAA contacts: Richard Malina ([email protected]) and

Jane Davis ([email protected])

9122071

3

Overview of HIPAA Privacy Regulations

• HIPAA = Health Insurance Portability and Accountability Act of 1996

• HIPAA required Congress to enact comprehensive health information privacy law by August 21, 1999; if Congress failed to act by that date, U.S. Department of Health and Human Services (HHS) was required to issue regulations addressing privacy of health information

• Proposed regulations published November 3, 1999 (64 Fed. Reg. 59918); HHS received approximately 53,000 comments

9122071

4

Overview of HIPAA Privacy Regulations (cont.)

• “Final” regulations published December 28, 2000 (65 Fed. Reg. 82462)

• Comment period was reopened and additional comments were received until March 30, 2001

• NPRM issued 3/27/02 to modify some essential provisions, including those relating to research. New 30-day comment period, ended April 26, 2002

• Final Rule issued August 14, 2002; compliance by April 14, 2003

• Civil and criminal penalties for violations

9122071

5

Who is a “Covered Entity” Under HIPAA?

• Health plans, health care clearinghouses, and health care providers that transmit health information electronically in a HIPAA transaction (e.g., billing) A Covered Entity and its employees, agents and professional

staff may not use/disclose health/mental health information for research without authorization or waiver of authorization (limited exceptions)

CUNY is not a Covered Entity, but CUNY researchers may obtain or use health/mental information from, or within, or as agents or employees of, a Covered Entity

9122071

6

Who is a “Covered Entity” Under HIPAA? (cont.)

• Examples:CUNY Faculty member with clinical

appointment at hospital or private clinical practice that is HIPAA-covered

CUNY student who works as intern or trainee at hospital or psychology practice or in social service agency setting that is HIPAA-covered

• Each must comply with HIPAA with respect to his/her activities in the Covered Entity setting, including research

9122071

7

Overview of CUNY Researcher’s Obligations if Research Involves a CE’s

PHI

• Even though CUNY itself is not a Covered Entity, CUNY research must comply with HIPAA when: CUNY Investigator accesses, obtains, or uses a CE’s

patient/client information for research CUNY Investigator creates health-related information

at CE’s site, enrolls a CE’s patients/clients in a study, or collaborates with a HIPAA-covered co-investigator

• Revised CUNY IRB application form now includes questions to elicit whether Covered Entities are involved in CUNY research

9122071

8

The HIPAA Challenge for Researchers

• The HIPAA Privacy Regulations establish a stringent and complex new regime that governs all uses and disclosures of “protected health information” (PHI)

9122071

9

The HIPAA Challenge for Researchers (cont.)

• “Protected Health Information” (PHI) is any health information that:Is created by or received by a Covered Entity or

an employer; andRelates to the past, present, or future (e.g.,

genetic predisposition) physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

9122071

10


• “Protected Health Information” (PHI) is any health information that (cont.):Identifies the individual or with respect to

which there is a reasonable basis to believe the information can be used to identify the individual; and

Is electronically maintained or transmitted, or in oral or written form

9122071

11


• Basic Rule = No Use or Disclosure of PHI Except:

1. For treatment, payment and health care operations (“TPO”) Good faith effort to obtain patient

acknowledgement of receipt of notice of privacy practices required

Research is not TPO

9122071

12


• Basic Rule = No Use or Disclosure of PHI Except (cont.):

2. With written patient authorization (which must specify who can use/disclose the PHI, to whom the PHI may be disclosed, what PHI may be used/disclosed, the purpose of the use/disclosure, and the duration of the authorization, in the form of an expiration date or an event)

This is the primary method of HIPAA research compliance

9122071

13


• Basic Rule = No Use or Disclosure of PHI Except (cont.):

3. When a regulatory exception applies (e.g., public health reporting; in emergencies/ disasters, to identify patients or locate family members)

9122071

14


• De-identified data (under HIPAA) are not equivalent to “anonymous” data (under Common Rule)

• De-identified data are not PHI: Cannot have any of the following 18 HIPAA identifiers

1. Names2. Geographic subdivisions smaller than a State3. Dates (except year) directly related to patient4. Telephone numbers5. Fax numbers

9122071

15


• 18 HIPAA identifiers (cont.)6. E-mail addresses

7. Social security numbers

8. Medical record numbers

9. Health plan beneficiary numbers

10. Account numbers

11. Certificate/license numbers

12. Vehicle identifiers and serial numbers

13. Device identifiers and serial numbers

9122071

16


• 18 HIPAA identifiers (cont.)14. Web URLs15. Internet Protocol (IP) address numbers16. Biometric identifiers, including finger and voice

prints17. Full face photographic images and any comparable

images18. Any other unique identifying number, characteristic,

or code, except as permitted under HIPAA to re-identify data

9122071

17

HIPAA and Research

• HIPAA Privacy Regulations have many specialized rules and exceptions, including rules particularly applicable to research activities

• Under HIPAA “‘research’ means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” 45 C.F.R. § 164.501. Same definition as Common Rule, but note no “exemptions” available under HIPAA

9122071

18

“Exempt” Research must meet HIPAA Requirements

• If you are conducting research under an IRB exemption, and the research involves access to, or use of, patient information (including labeled or coded specimens) from a covered entity, your research will likely require HIPAA authorization or waiver of authorization (see 3/12/03 Schaffer memo)

• You must cease enrolling new subjects and collecting data on and after April 14, 2003 and submit an application for HIPAA waiver to the CUNY IRB for approval; you may also need waiver from CE’s IRB or Privacy Board

9122071

19

Research Activities/Clinical Trials Under HIPAA

• HIPAA requirements for research are applicable regardless of source of fundingIf FDA and/or HHS regulations are not

applicable to the research study at issue but the study involves PHI, the covered entity is still bound by HIPAA Privacy Regulations

9122071

20

Research Activities/Clinical Trials Under HIPAA (cont.)

• Research disclosure policies must be included in covered entity’s “Notice of Privacy Practices”

From Sample Notice of Privacy Practices:

“Research.

In most cases, we will ask for your written authorization before using your health information or sharing it with others in order to conduct research. However, under some circumstances, we may use and disclose your health information without your written authorization. To do this, we are required to obtain approval through a special process to ensure that research without your written authorization poses minimal risk to your privacy. Under no circumstances, however, would we allow researchers to use your name or identity publicly.

We may also release your health information without your written authorization to people who are preparing a future research project, so long as any information identifying you does not leave our facility. In the unfortunate event of your death, we may share your health information with people who are conducting research using the information of deceased persons, as long as they agree not to remove from our facility any information that identifies you.”

9122071

21

HIPAA: Patient Authorization for Research

• HIPAA will generally require express patient authorization for use or disclosure of PHI in research activities subject to several exceptions (discussed below)

• The CUNY IRB has a model HIPAA Authorization Form for use in research involving PHI (i.e., personal health or mental health information from a Covered Entity)

• All forms referenced in this presentation are available at www.cuny.edu on the Faculty and Staff page under “Research and Funding”

9122071

22

HIPAA: Patient Authorization for Research (cont.)

• The CUNY IRB will review both the authorization and informed consent form with the protocol submission

• The investigator is primarily responsible for ensuring that the information in the authorization form is accurate and complete

9122071

23


CUNY IRB

HIPAA RESEARCH AUTHORIZATION

Subject/Client/Patient Name:_______________________ ID Number:_________________

Study:_______________________________________________________________________

IRB Protocol No. ________________

CUNY Institution:______________________

We understand that information about you and your health is personal. We are committed to protecting the privacy of that information. Federal regulations and our commitment to your privacy require that we obtain your written authorization before we may use or disclose your protected health information for the research purposes described below. This form provides that authorization and helps us make certain that you are properly informed of how this information will be used or disclosed. Please read the information below carefully before signing this form.

9122071

24


USE AND DISCLOSURE COVERED BY THIS AUTHORIZATION

___________ [CUNY Researcher] must answer these questions completely before providing this authorization form to you. DO NOT SIGN A BLANK FORM. You or your personal representative should read the descriptions below before signing this form.

What information will be used or disclosed for the research? The appropriate boxes should be checked below and the descriptions should be in enough detail so that you (or any organization that will use or disclose information pursuant to this authorization) can understand what information may be used or disclosed.

______Any medical, treatment, or research records held by __________ [list covered entity from whom records are sought] may be used and/or disclosed.

______The following information:

9122071

25


Who will disclose, receive, and/or use the information while it is in individually identifiable form? This research authorization form will authorize the following person(s), class(es) of persons, and/or organization(s) to disclose, use, and/or receive the information in connection with the research:

__________ [CUNY Principal Investigator] and his or her research staff, which may include _____________ [College] students

The following co-investigators [list names and institutions] and members of their research staffs: __________________________________________________________

Statisticians at the following institutions: ______________________________________ The members and staff of the _____________ [College] Institutional Review Board and

other CUNY officials and staff who oversee research Government authorities or agencies that oversee research The members and staff of the Institutional Review Boards at participating research sites

______________________________________________ [list each co-investigator’s site] Others (as described below):

If not specifically listed above, you also authorize the following persons or institutions that maintain records about you to disclose the information described above for the purpose of this research:

9122071

26


SPECIFIC UNDERSTANDINGS

By signing this research authorization form, you authorize the use and/or disclosure of your protected health information as described above. The purpose for the uses and disclosures you are authorizing is to conduct the research project explained to you during the informed consent process and to ensure that the information relating to that research is available to all parties who may need it for research purposes.

Many of the recipients listed in this form have legal or professional obligations to protect the confidentiality of your information. If, however, your information is disclosed to persons or organizations that are not required by state or federal law to protect the privacy of the information, such persons or organizations could reuse or redisclose the information without penalty under those laws. For this reason, it is the policy of the _____________ [College] IRB that investigators ask all recipients of your information to agree to treat your information as confidential.

You have a right to refuse to sign this authorization. Your health care, the payment for your health care, and your health care benefits will not be affected if you do not sign this form.

If you sign this authorization, you will have the right to revoke it at any time. However, your revocation would not apply to the extent that ____________________ [name covered entity] and the investigators in this research have already taken action based upon your authorization or need the information to complete analysis and reports of data for this research. This authorization will never expire unless and until you revoke it. To revoke this authorization, please write to _________________________ [insert the name and address of the CUNY Principal Investigator and the responsible person or department at the covered entity].

A copy of this form will be provided to you after you have signed it.

9122071

27


SIGNATURE

I have read this form and all of my questions about this form have been answered. I understand that, if I have questions about this form in the future, they will also be answered. By signing below, I acknowledge that I have read and accept all of the above.

_________________________________________

Signature of Subject or Personal Representative

_________________________________________

Print Name of Subject or Personal Representative

_________________________________________

Date

Description of Personal Representative’s Authority

CONTACT INFORMATION

The contact information of the subject or personal representative who signed this form should be filled in below.

Address: ________________________________________________________________________________________________________________________Telephone:___________________ (daytime)

_________________ (evening) Email Address (optional):____________________________

THE SUBJECT OR HIS OR HER PERSONAL REPRESENTATIVE MUST BE PROVIDED WITH A COPY OF THIS FORM AFTER IT HAS BEEN SIGNED.

9122071

28


• Revocation of Authorization: Cannot revoke authorization to the extent that action has been taken “in reliance” on the authorization Example: no requirement to re-identify and

separate out blinded information based upon patient’s revocation

9122071

29


• “Reliance” defined broadly under August 2002 Rule to include:Accounting for subject’s withdrawal from

studySupporting FDA applicationsReporting adverse events

9122071

30


• PHI From Other Covered Entities: Research authorization form should include

broad grant of access so that investigators may receive PHI from other covered entities who or which have treated the patient, when that PHI is required for the research

9122071

31


• Disclosing Who Will Receive PHI: HIPAA requires that study sponsors (where applicable)

and/or PIs, research staff (and other sites in cases of multi-center trials) or related entities all be named in the authorization form as parties to whom or to which PHI will be transferred, and by whom or by which that PHI may be used

The CUNY authorization form includes a checklist; investigator must specify others not listed

If not listed, may be unable to receive or use PHI

Parties to the ResearchDiagram of a Multi-Site Research Study:

Who is using, receiving, and/or disclosing the data?

Are the data identifiable? Is any site a Covered Entity?

OHRPSponsor

Consulting Statistician

Site #5Social Service Agency

Site #4Medical CenterSite #3

CommunityClinic

Site #1Psychology

Practice

CUNY-IRBCUNYStudent

RAs

CUNY PISite #2

PsychiatricHospital

Co-PI/MD

IRB #2

MDs

IRB #4

IRB #3

IRB #5

START

9122071

33


• Separate authorization form required for use/disclosure of “psychotherapy notes” Notes of treatment conversations maintained separate

from the medical/treatment record IRB may not waive authorization for use/disclosure General authorization form also may be advisable in

psychotherapy research

• Additional authorization language required by NYS law for disclosure of HIV-related information

9122071

34

HIPAA: Patient Authorization for Research

• CUNY model authorization also includes :Possibility of redisclosure of informationRight to refuse to sign and consequencesRight to revoke and limitations on that rightExpiration provision: authorization does not

expire; subject must revoke in writing

• Authorization is preferably separate from research informed consent

9122071

35


• Important that information presented to subjects in the informed consent process is consistent with what they are asked to authorize through the HIPAA authorization form

• “Confidentiality” section of informed consent should reference HIPAA authorization

• Use of another Covered Entity’s Authorization: If CUNY researcher is part of the CE (and thus liable for HIPAA

violations), the researcher must review the CE’s form thoroughly for the presence of all required elements

If CUNY researcher is not part of the CE, use the CE’s form unless clearly deficient

9122071

36

Use of PHI in Research Without Authorization

• Covered entity may use or disclose PHI for research purposes (and thus may permit CUNY researcher to use and disclose PHI for research purposes) without an individual’s authorization in the following circumstances:

9122071

37

Use of PHI in Research Without Authorization (cont.)

1. Purposes preparatory to research (i.e., to assess feasibility of research or formulate a research hypothesis), if the investigator (submits form) makes the following representations:

Use or disclosure sought solely to review PHI as necessary to prepare a research protocol (or for similar preparatory purposes)

No PHI will be removed from the covered entity by the researcher during the review

PHI for which use or access is sought is necessary for the research purposes

9122071

38


• Procedure for Review Preparatory to Research

Complete CE’s form containing researcher representations

Submit form to CE’s Privacy Officer for approval Provide copy of approved application to CE’s data

custodian (e.g., Medical Records)

9122071

39


2. Research on decedents’ information, if the investigator makes the following representations:

Use or disclosure sought solely for research on the PHI of decedents

Documentation, at the request of the covered entity, of the death of such individuals

PHI for which use or disclosure is sought is necessary for the research purposes

9122071

40


• Procedure for research on decedents’ information

Complete the CE’s form containing researcher representations

Submit completed form to CE’s Privacy Officer for approval

Present copy of completed form to CE’s data source (e.g., Medical Records).

9122071

41


3. Covered Entities may use or disclose “limited data set” without authorization or waiver

• A “limited data set” under HIPAA is PHI (not considered de-identified under HIPAA), but uses are restricted to:

Research Operations Public health purposes

• Limited data sets may include dates of treatment, addresses (but not specific street address), birth dates

• 16 HIPAA “direct identifiers” must be removed• Data Use Agreement required

9122071

42


• If investigators are conducting research that may be performed using a limited data set, they should contact the IRB office of the CE regarding gaining access to the LDS

• The IRB office of the CE will work with the investigator to execute a Data Use Agreement

9122071

43


4. Waiver of an authorization or an alteration of authorization is approved upon a signed, documented determination by the IRB in accordance with criteria required by HIPAA (discussed below)

• The CUNY IRB will review HIPAA waiver and alteration requests for CUNY research using PHI

9122071

44

IRB Approval of Waiver of Authorization

• Waiver or alteration determination by IRB may be done on “expedited review” basis (in accordance with Common Rule and/or FDA requirements for expedited review by an IRB)

• Expedited review most likely to be used in cases of research involving retrospective chart reviews; IRBs should refrain, for first few months of compliance, from using expedited reviews here

• IRB may partially waive authorization to allow use of PHI to recruit study subjects (but this would not serve as a waiver of authorization for the conduct of the study; need to either get authorization or a second IRB waiver)

9122071

45

IRB Approval of Waiver of Authorization (cont.)

• IRB written documentation must indicate that the waiver of patient authorization satisfies the three criteria set forth in Final Rule

• Final Rule Waiver Criteria:1. Use or disclosure involves no more than minimal risk

to privacy of the subject based on, at least Adequate plan to protect the information from improper use

and disclosure Adequate plan to destroy identifiers Written assurances that the PHI will not be disclosed further

than set forth in the waiver

9122071

46


• Final Rule Waiver Criteria (cont.):

2. The research could not practicably be conducted without the waiver or alteration

3. The research could not practicably be conducted without access to and use of the PHI

9122071

47


• 3 waiver criteria track aspects of HHS Common Rule’s requirements for waiving patient informed consent Minimal risk No adverse effects Research not possible without waiver

• In HIPAA, 3 waiver criteria relate only to privacy (“minimal risk” refers to privacy risk only), not to all research risk

9122071

48


• Procedure for seeking waiver or alteration of authorization: Complete CUNY waiver application and include with

protocol submission to CUNY IRB Present signed documentation of IRB waiver approval

to data source (e.g., Medical Records) to obtain PHI for the research

Data source may rely upon CUNY IRB waiver or require review by its own IRB/PB

9122071

49


CUNY Application for Waiver:

Please Complete the Following:

TO: Chair, _____________ [College] IRB

FROM: __________________________(Investigator Name)__________________________(CUNY Institution/Department)__________________________(Investigator's Telephone Number)

DATE: ____________________________PROJECT: _________________________

PURPOSE OF STUDY: [Give a brief description of the study and attach a copy of the full protocol to this Request Form.]

DESCRIPTION OF PROTECTED HEALTH INFORMATION THAT IS NEEDED FOR THIS STUDY: .

9122071

50


WHO ARE THE INDIVIDUALS OR ENTITIES COVERED UNDER HIPAA THAT WILL BE CREATING, MAINTAINING, USING OR PROVIDING THE PROTECTED HEALTH INFORMATION?:

WHO WILL HAVE ACCESS TO THE PROTECTED HEALTH INFORMATION?: [Describe each person and organization by name or category. Examples include the research sponsor, the investigator, the research staff, and all research monitors.]

DESCRIBE THE RISKS TO PRIVACY INVOLVED IN THIS STUDY: What identifiers will be observed, collected and stored? [Please indicate on Attachment 2 which identifiers will be

observed, collected and stored, and which identifiers will not be needed for your research.]

Who will have access to identified information?

How will access to study data be controlled?

Who will monitor access to study data?

Where will identified information be stored?

.

9122071

51


PLAN FOR DESTROYING IDENTIFIERS: [Describe how, by whom and when identifiers will be destroyed.]

IF ALTERATION OF CUNY’S STANDARD HIPAA AUTHORIZATION FORM (INSTEAD OF A WAIVER) IS REQUESTED, EXPLAIN HOW THE FORM OF AUTHORIZATION WOULD BE ALTERED AND ATTACH THE FORM OF AUTHORIZATION THAT YOU WOULD PROPOSE TO USE:

EXPLAIN WHY THE STUDY PRESENTS NO MORE THAN A "MINIMAL RISK" TO PRIVACY:

IMPRACTICABILITY OF OBTAINING AUTHORIZATION: [Describe why it would be impracticable to obtain each subject’s authorization for use and/or disclosure of his or her data or to obtain authorization by using CUNY’s standard HIPAA Authorization form.]

IMPRACTICABILITY OF THE RESEARCH WITHOUT PHI: [Describe why the research could not practicably be carried out without the use of PHI.]

.

9122071

52


.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *INVESTIGATOR'S ASSURANCES:

I will not use the protected health information (“PHI”) for which I have requested this Waiver or Alteration of HIPAA Authorization other than as described in this application form, or disclose the PHI to any person or entity other than those listed above, except as required by law, for authorized oversight of this research study, or as specifically approved for use in another study by an IRB. I also assure the IRB that the PHI for which I have requested this waiver or alteration is the minimum amount of PHI necessary for the research purpose described in this application.____________________________Signature of Investigator____________________________Date

CUNY IRB Action:

Waiver/Alteration Request Approved

Waiver/Alteration Request Denied

Approval Deferred Pending the Following Actions:

9122071

53

Recruitment of Study SubjectsUsing PHI from Covered Entities

• Reviewing PHI to Identify SubjectsTreating providers may review their own

patients’/clients’ records to decide whether patients/clients would be eligible for a certain research study

Investigators who are not members of a patient’s/client’s treatment team must apply to the IRB for limited waiver of authorization in order to review PHI to identify potential research subjects and record the potential subjects’ name and contact information

9122071

54

Recruitment of Study Subjects Using PHI from Covered Entities

(cont.)

• Reviewing PHI to Identify Subjects (cont.)If investigator is conducting “review

preparatory to research” (permitted without authorization) and would like to record the contact information of potential research subjects identified during the review, the investigator should apply to the IRB for a limited waiver of authorization prior to conducting the review preparatory to research

9122071

55

Recruitment of Study Subjects Using PHI from Covered Entities

(cont.)• Contacting Potential Research Subjects

Treating providers may always have a conversation with their own patients/clients regarding enrolling in research involving treatment

Investigators who are not part of the patient/client’s treatment team must: Obtain a partial waiver of authorization from the IRB to recruit subjects

(if not previously done) or Enlist the patient/client’s treating provider to contact the patient/client

about enrolling in the study If treating provider agrees to assist in recruitment process,

proposed recruitment letter (to be signed by treating provider) must be included in submission to IRB; required by Common Rule

9122071

56

Databases and Tissue Banks

• Many Covered Entities and researchers maintain databases into which PHI is placed, processed, stored

• Databases may be created not for specific research projects, but as resources for future unspecified research

• Tissue banks and other specimen repositories may be similarly created and maintained

9122071

57

Databases and Tissue Banks (cont.)

• Is patient authorization or IRB waiver required for these activities? Health care operations? Research?

• HIPAA: HHS opines that the development of such databases/banks is research for HIPAA purposes and requires authorizations or waivers

• Common Rule: Should also therefore have IRB approval, because definitions of “research” in HIPAA and Common Rule are coterminous

9122071

58


• CUNY researchers creating databases of PHI or specimen banks/tissue repositories with PHI attached must cease compiling PHI on and after April 14, 2003 until they submit a protocol to the CUNY IRB specifying conditions under which data/specimens are accepted to the database/bank and shared with third-parties; research may resume once approval is granted

• Protocol must include CUNY authorization form or application for IRB waiver of authorization

9122071

59


• If database/bank is not maintained by the covered entity (e.g., covered entity is disclosing information to non-covered database/bank off-site), then authorization must indicate potential for PHI to be re-disclosed without penalty under HIPA

9122071

60


• Per 3/12/03 memorandum from Vice Chancellor Schaffer (http://www.rfcuny.org/ResCompliance/HIPAA_Memo.html), CUNY investigators should review existing databases and tissue banks to determine whether PHI collection is ongoing and HIPAA compliance is necessary

• Databases/tissue banks maintained by a CE may not require authorization if one purpose is “operations”

• If CUNY investigators wish to conduct specific research on information or samples stored in a database or tissue bank, they must obtain IRB approval of research protocol and authorization or waiver from IRB

9122071

61

Accounting for Research Disclosures

• HIPAA generally requires Covered Entities to “account” for disclosures of PHI at the request of the patient/client

• Final Rule waives accounting for all disclosures made pursuant to a patient authorization (this includes research authorizations)

9122071

62

Accounting for Research Disclosures (cont.)

• If a Covered Entity discloses PHI for research purposes pursuant to a waiver of authorization or for another purpose where authorization is not required (e.g. review preparatory to research, research on decedents’ PHI) the Covered Entity must account for each disclosure

• Accounting will include CUNY investigator’s name, contact information, purpose of disclosure, and date

9122071

63

Transition Issues

HIPAA Transition Provisions • Certain research that began prior to HIPAA’s

compliance date is “grandfathered” and does not require authorization from subjects who were enrolled prior to April 14, 2003 if:

Subjects gave express legal permission for use/disclosure of health information

Subjects gave general informed consent IRB waived informed consent requirement

9122071

64

Transition Issues

For studies approved prior to April 14, 2003 but continuing to enroll subjects on and after after April 14, 2003, HIPAA authorization is required for new subjects

All studies approved and commencing enrollment of subjects on and after April 14, 2003 must comply with HIPAA in all respects

If grandfathered subject is re-consented for any reason on and after April 14, 2003, investigator must obtain authorization as well as new consent

If investigator begins to consent subjects in a study that received IRB waiver of informed consent prior to April 14, 2003, authorization must be obtained

9122071

65

Transition Issues

• As discussed previously, prior to April 14, 2003: Exempt protocols must receive HIPAA

authorization/waiver (or suspend activity until authorization/waiver is obtained)

Research database/repository compilation will need IRB-approved protocol, informed consent (or IRB waiver) and HIPAA authorization (or IRB waiver)

• Research not meeting these requirements must be suspended on April 14, 2003, pending compliance

9122071

66

Practical Compliance Issues for Implementing HIPAA in the Research Context

• Some parties to the research will not be covered by HIPAA, but CUNY is concerned about their handling of research subject data

• CUNY IRB has a model “Subject Information Confidentiality Agreement” to protect subjects’ information that has been disclosed to non-covered investigators and others involved in the research

• Investigator should have this form signed by each non-CUNY person or entity to which research subjects’ personal data are disclosed

9122071

67

Practical Compliance Issues for Implementing HIPAA in the Research Context (cont.)

THE CITY UNIVERSITY OF NEW YORKSUBJECT INFORMATION CONFIDENTIALITY AGREEMENT

Name:____________________________________Position:__________________________________

I recognize that, in the course of my participation as an investigator, co-investigator, or an agent or contractor of an investigator conducting CUNY human subjects research, I may gain access to subject information, including information about health, mental health, medical care, or payment for health care, that must under law must be treated as confidential and disclosed only under limited conditions. I agree that:

I will keep confidential all information to which I gain access that is or can be identified to a particular subject (described in this agreement as “information”).

I will access and use information only in connection with a research protocol that has received CUNY Institutional Review Board approval, or for reviews preparatory to research for which I have received authority to conduct from the entity or individual maintaining the information.

9122071

68


I will not redisclose information except to the extent required by applicable laws, including but not limited to federal laws governing drug and alcohol treatment programs and state laws governing HIV information, or as permitted under the terms of a research subject's written authorization or an IRB’s waiver of the authorization requirement.

I will not discuss information in public places or outside of work.

I will access information only concerning subjects for whom IRB approval has been given, and will not access information for other individuals, except during a review preparatory to research with the approval of the entity or individual maintaining the information.

I will take all reasonable and necessary precautions to ensure that the access and handling of information are conducted in ways that protect subject confidentiality to the greatest degree possible. This includes maintaining such information in secured and locked locations.

I understand that it is my obligation and responsibility to maintain the confidentiality of all subjects’ information. Improper disclosure or misuse of such information, whether intentional or due to neglect on my part, may be a breach of privacy and/or confidentiality and a violation of federal regulations, which could result in the loss of my continued access to subjects’ information or other penalties for myself or my institution.

Signature:__________________________ Date:______________________________

9122071

69


• Investigators should contact the IRB office with any questions about the following HIPAA-related issues: Deciding what is a research use of PHI versus an internal health

care operations use; QA vs. research Access to decedent’s PHI (investigator representations required) Access to PHI for reviews preparatory to research (investigator

representations required) Validating that information has been adequately de-identified for

use and disclosure without authorization Reviewing and approving limited data sets Executing data use agreement (to have access to limited data set) Approving required elements are included in research

authorization form

9122071

70

Planning HIPAA-Compliant Research

• Points to consider: Is PHI from a HIPAA-covered entity necessary for the research?

If so, need either authorization or IRB waiver of authorization. Will the research require a waiver of authorization to access

existing PHI? If so, application to IRB or PB required. Who must access the PHI to perform the research?

All entities/categories of persons must be listed in authorization. Secondary analyses and unanticipated data sharing require new

authorization or waiver May I look at a CE’s records to recruit patients/clients?

If treating provider, yes. If not treating provider, must obtain IRB partial waiver and follow

CUNY recruitment policies

9122071

71

CUNY Case Studies

• CUNY researcher studying implantable hearing device and testing subjects at CUNY

• Obtains info from the treating provider about implant settings (unique for each patient) and results of provider’s audiological examDoes this research involve PHI? (A: yes)What does HIPAA require? (A: authorization)

9122071

72

CUNY Case Studies

• CUNY graduate student reviewing nursing home charts to prepare a research protocol

• Research will involve chart review; no consent to be obtainedDoes this research involve PHI? (A: yes)What does HIPAA require? (A: representations

to the nursing home for a review preparatory to research, IRB waiver of authorization for the research)

9122071

73

CUNY Case Studies

• CUNY researcher conducts cancer study involving medical chart review and recruitment of patients for collection of original psychological data

• Patient names replaced (by investigator) with linking codes What does HIPAA require?

A: representations to the provider to conduct a review preparatory to research, partial IRB waiver of authorization for recruitment (consistent with CUNY IRB policies), and HIPAA authorization obtained with informed consent

CUNY Research and HIPAAafter August 2002 Privacy Rule

CUNY Research Training Session

March 27, 2003

Presented byMark Barnes

Documents

CUNY Research and HIPAA after August 2002 Privacy Rule CUNY Research Training Session March 27, 2003 Presented by Mark Barnes