24.5(a) General Principles of HIPAA and PHI
The Privacy and Security Rule, at 45 CFR parts 160 and 164, establishes a category of health information, defined as protected health information (PHI), which a covered entity may use or disclose to others only in certain circumstances and under certain conditions. PHI is a subset of what is termed individually identifiable health information. With certain exceptions, individually identifiable health information becomes PHI when it is created or received by a covered entity.
The following policies, providing additional protections under federal Privacy Rules, apply to studies involving protected health information (PHI). They pertain to investigators seeking to obtain or create PHI from, or in association with, healthcare providers (“covered entities”), affiliated investigators and/or from or on behalf of a third party (e.g., an industry sponsor) for purposes such as:
- identifying and contacting individuals to enroll them in a research study
- creating, using and/or disclosing PHI within the context of a research study
The IRB shall review and approve studies involving PHI in accord with applicable federal, state and local laws, regulations and institutional policies on privacy, security and confidentiality including those promulgated under HIPAA.
All PHI created within a study protocol (such as when treatments are being compared) should be included in the subject’s medical record maintained by the covered entity.
24.5(b) Obtaining PHI to Prepare for Research – Participants not yet Identified
Investigators may wish to obtain and review information about potential participants to prepare for research. Examples of such preparatory activities include:
- developing a research protocol
- identifying potential research participants
- identifying potential clinical trial sites
HIPAA regulations limit but do not preclude the use and disclosure of PHI to prepare for research provided the activity has approval by:
- the covered entity in situations wherein the research preparatory activity is preliminary and does not yet involve a protocol; OR
- the IRB and the covered entity in situations wherein the research preparatory activity is defined by a protocol
This requirement for appropriate approval applies even to clinicians wanting to review records from their own patients for research purposes. The IRB and/or the covered entity may approve activities preparatory to research only if investigators and/or sponsors respect these limitations [cf. 45 C.F.R. §§ 164.512(i)(1)(ii), 164.512(i)(2), 164.502(1)(i), 164.528].
Investigators seeking to obtain PHI within a protocol that is preparatory to research must submit to the HSRO a signed form entitled "Investigator Certification for Reviews Preparatory to Research" (HIPAA FORM 'E'). By submitting this Certification, the investigator must affirm that:
- access to the patient information is sought only to prepare for research; AND
- the requested information is necessary for this purpose; AND
- no patient information will be copied or removed from the premises of the covered entity during or following the review
NOTE -- If an electronic record is accessed remotely, the patient information may be viewed but may not be printed, copied, downloaded, or otherwise recorded for any research-related purpose.
The IRB Chair or Chair designee shall review the Certification (HIPAA Form E) and may approve the activity on behalf of the IRB. IRB approval based on HIPAA Form E permits only limited access to PHI which may not be copied or removed from the covered entity. If not approved or upon reviewer decision, the Certification shall be forwarded to the convened IRB for its review and determination. These decisions shall be forwarded in writing to investigators by the HSRO. Investigators may not initiate activities permitted by HIPAA Form E until written confirmation of IRB approval is received.
It is possible that investigators may require disclosure of PHI beyond that permitted by HIPAA Form E to identify and contact potential study participants. To accomplish this, investigators must submit a "Partial Waiver of Authorization" form (HIPAA Form F) to the HSRO.
Note – if a "Partial Waiver of Authorization" form (i.e. HIPAA Form F) is submitted, investigators are not required to submit the "Investigator Certification for Reviews Preparatory to Research" (HIPAA Form E).
The IRB Chair or Chair designee shall review and may approve, on behalf of the IRB, the request for a Partial Waiver of Authorization. If not approved or upon reviewer decision, the request shall be forwarded to the convened IRB for its review and determination. These decisions shall be forwarded in writing to investigators by the HSRO. Investigators may not initiate activities permitted by the Partial Waiver of Authorization until written confirmation of IRB approval is received.
24.5(c) Obtaining or Creating PHI to Conduct Research – Participants are Identified or Identifiable
This subsection applies to studies that obtain or create PHI to conduct research. It does not apply to studies that create “Research Related Health Information” (RHI). Although RHI may be personally identifiable, it is not considered PHI because it is created exclusively for the study and is not derived from a healthcare service event (i.e., the provision of health care or payment for care). Also unlike PHI, RHI shall not be added to the participant’s healthcare record within a covered entity.
Note – If a study involves both RHI and PHI, it falls under HIPAA regulations and related institutional policies.
Unless the IRB approves otherwise, investigators must obtain written individual authorization from each participant (or the participant's legal representative) to access, create and/or disclose the participant’s PHI for research. The covered entity may disclose PHI to an investigator without patient authorization only if one of the following applies:
- the IRB has approved a Waiver of Authorization; OR
- the IRB has approved that the study may use a Limited Data Set and there is a Data Use Agreement between the investigator and the covered entity; OR
- the covered entity has approved an activity or the IRB has approved a protocol as preparatory to research; OR
- the research is being conducted with PHI from decedents and Form D is provided; OR
- the IRB has approved that the study may use de-identified data.
The HIPAA requirement for patient/participant authorization is additional to and independent of the Common Rule requirement for informed consent and is not affected by an IRB decision to waive informed consent. Investigators who access PHI generally must obtain both HIPAA authorization and informed consent from study participants.
The research authorization form (HIPAA Form B) is different from the consent form. The authorization form (and the process by which authorization is obtained from participants) should be submitted with a study application for IRB review and approval, which shall be based on HIPAA regulations and other applicable Florida and federal laws. The authorization document should describe who may receive, use, and disclose the participant’s PHI, the purposes for which the information may be used and disclosed, and the participant’s rights with respect to these uses and disclosures of his/her PHI.
Patient/participant authorization is study-specific and applies only to PHI for the IRB-approved study. Subsequent uses or disclosures of this information for other research purposes require a new authorization or waiver of authorization by the IRB.
PHI previously disclosed by a covered entity may be subsequently used for studies other than that originally approved by the IRB or disclosed to a third-party sponsor. This requires either:
- a new, IRB-approved HIPAA authorization; OR
- an IRB-approved waiver of authorization with an IRB-approved informed consent document that defines that participants permit the use of this information for future, unspecified research activities
Authorization may not be combined with any other document, including the informed consent or an authorization to use or disclose the patient information for another study, or an authorization to place the information in a database or repository for future analysis that is not part of the original protocol (even if informed consent is obtained for both the initial and future analyses).
24.5(c)(1) Obtaining HIPAA Authorization
Authorization is the process through which participants allow investigators to access their protected health information (PHI). The authorization process is similar to that used to obtain informed consent. For each, investigators must be prepared to explain to potential research participants the purpose and meaning of the authorization form. The authorization must be in writing unless the IRB waives this requirement.
Information conveyed to participants in authorization forms and in the process of obtaining authorization must describe what PHI will be used in the research, the purpose of that PHI in the research, and who may receive, use or disclose the information. Authorization must include an expiration date or event (if the information will be kept indefinitely, the authorization should state that there is no expiration date). Authorization forms and process must include the right to revoke or refuse to sign the authorization and may include that the subject’s rights to access his/her PHI will be suspended while the study is in progress but will be reinstated at the conclusion of the study.
If individuals refuse to sign authorization, they may be excluded from the research and any treatment associated with the research.
Blanket authorizations for research to be conducted in the future are not permitted. Each new use requires a specific authorization.
The authorization form must be signed and dated by the research participant or his or her legal representative. Generally, individuals who have appropriate authority to provide informed consent on behalf of an individual for participation in the research study may also provide authorization on behalf of that individual (note: specific details regarding signature by or for incapacitated or decisionally impaired adults, minors and vulnerable populations are included in the informed consent policies of the IRB). The policy on translations of informed consent documents and process shall also apply to translations of authorization documents and processes. The research participant must be given a copy of the signed authorization at the time of signature.
In a timely manner, investigators should place a copy of the signed authorization in the participant’s medical record. The covered entity must keep a copy of the signed authorization in the medical record for a minimum of six (6) years from (i) the signature date or (ii) when the participant’s information was last used or disclosed by the covered entity pursuant to the authorization, whichever is later.
24.5(c)(2) Waivers of Authorization
The IRB may waive the requirement for HIPAA research authorization by a determination that shall be made separately from a decision to waive informed consent. Investigators may request an authorization waiver in the initial study application, or they may submit an amendment requesting an authorization waiver if the waiver is being requested during an ongoing study.
Waivers of authorization are study-specific. The IRB may not approve a waiver request that will permit the use of PHI for any research purpose that is not part of the original study. The Privacy Rule requires that PHI made available under a waiver of authorization be the minimum necessary data for the research purpose. The IRB shall consider this standard when determining which, if any, of the direct or indirect patient identifiers included in the definition of patient information may be necessary to the research.
The IRB may approve waivers of authorization if studies satisfy each of the following waiver criteria of the Privacy Rule:
- The proposed use or disclosure of PHI involves no more than a minimal risk to participants’ privacy based on, at least, the following:
  - An adequate plan to protect the identifiers from improper use and disclosure;
  - An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research reason for retaining the identifiers or if keeping the identifiers is required by law; and
  - Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for oversight of the research, or for other research for which authorization or waiver of authorization is obtained;
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to and use of the PHI.
An investigator requesting a waiver of authorization must justify in the study application why a limited data set of patient information is not appropriate for the research purpose.
The IRB must document and retain copies for six years of all information that demonstrates that the Waiver of Authorization criteria were met. The covered entity must document and retain copies for six years of all IRB determination letters certifying approval of the Waiver of Authorization. The covered entity must provide an accounting or summary to the subject of any disclosures of PHI provided with a Waiver of Authorization.