X. HIPAA and Human Subject Research

Research Guidelines for Privacy of Health Information under the Health Insurance Portability and Accountability Act

Using Health Data for Research

This document is intended to provide general guidance and standards regarding the handling of health information subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA). Because research activities vary, and because there may be circumstances where other state or federal laws apply, no document can address every issue or question. Questions pertaining to the information contained in this document, or the interaction of state and federal privacy laws may be addressed to David Hann, Coordinator, HSCL, at ext. 4-7429, or to Jane Rosenthal, HIPAA Coordinator, Lawrence Campus, at ext. 4-9528.

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") outlines the conditions under which an entity covered by HIPAA may use or disclose protected health information ("PHI") for "research" purposes. HIPAA defines "research" as a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. PHI consists of information created or received by a health care provider, health plan or health care clearinghouse that relates to the past, present or future physical or mental health of an individual. It may also include information about health care services or payment for health care services. The Privacy Rule governs PHI in any form: oral, written or electronic.

Under HIPAA, a covered entity may not use or disclose PHI for research unless the subject of the information has granted permission via a written authorization form, OR one of the following criteria is met: a) the information is completely "de-identified"; b) the information is compiled into a "Limited Data Set" and a Data Use Agreement is executed; c) the activity qualifies as "preparatory to research"; d) a waiver of the individual authorization requirement is obtained from an institutional review board (IRB) or privacy board; or e) the researcher is accessing information solely on decedents. Researchers on the Lawrence Campus must ensure that these requirements are met when engaging in research involving PHI. These requirements are addressed in more detail below.

Written Individual Authorization

As stated above, written Authorization from the patient/research subject is the default requirement for use or disclosure of that individual's PHI in research. The Authorization must be written in plain language and it must be study-specific. It must contain the following elements:

  • A specific description of the PHI to be used or disclosed;
  • The names or classes of individuals authorized to make the use or disclosure;
  • The names or classes of individuals authorized to receive the use or disclosure;
  • A description of each purpose of the requested use or disclosure. Specific purposes must be listed; no "blanket" authorization is permitted;
  • An expiration date or event for the authorization;
  • A statement that the individual has a right to revoke the authorization;
  • A reference to the right to condition service on the authorization, or the consequences of refusal to sign; and
  • A statement that the information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer protected by HIPAA.

The authorization must be written in plain English and the research subject must receive a copy. Research subjects may revoke their privacy authorization at any time during the research. If permission is revoked, HIPAA allows continued use and disclosure of the information that was obtained prior to the revocation, to preserve the integrity of the study. For example, the researcher may use the information to account for study withdrawals, to report adverse events to the FDA, or to comply with study audits.

Under HIPAA, the required Authorization elements may be included in a separate document or incorporated into the Confidentiality section of the Consent document for the same research. After April 14, 2003, applications for new studies involving the use or disclosure of PHI should include the privacy Authorization form that the researcher proposes to use, or a Consent form incorporating each of the Authorization requirements, along with the other HSCL application materials. All new subjects enrolled into previously approved studies on or after April 14, 2003 must also receive a valid privacy authorization if PHI is involved. Data from subjects who were enrolled prior to April 14, 2003 is "grandfathered" in. The HIPAA privacy authorization language is not required in those cases unless those subjects are re-consented after the compliance date. For a copy of a sample authorization form, or assistance in drafting an authorization form, you may contact David Hann, Coordinator, HSCL, at ext. 4-7429.

De-identification

Certain research projects can be accomplished through the use of de-identified data. To qualify as being de-identified under HIPAA, the following data elements about the individual and the individual's relatives, employers, or household members must be removed:

  • Names;
  • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
    • The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
    • The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
  • All elements of dates (except year) for dates directly related to an individual including:
    • birth date
    • admission date
    • discharge date
    • date of death; and
    • all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints;
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code, except a covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:
    • The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
    • The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

A de-identified data set might include age, gender, ethnicity, marital status and relevant medical information, provided there are no identifying links to the source data. De-identified data is not subject to HIPAA's Privacy Rule. Thus, if a researcher receives only de-identified data or samples from an entity covered by HIPAA, the Privacy Rule's additional requirements do not apply.

If a researcher him/herself views records containing identifiable information and from those records extracts a de-identified data set, one of the other exceptions to the individual authorization requirement must be met. Alternatively, in some cases, the covered entity may be able to enter into a business associate agreement with the researcher to create a de-identified data set. HIPAA's requirements for business associate agreements must be met. For additional information regarding HIPAA's requirements for business associates, you may contact Jane Rosenthal, HIPAA Coordinator, Lawrence Campus, at ext. 4-9528.

Limited Data Set

Certain research projects require the use of data that does not meet HIPAA's standards for de-identification. HIPAA also permits research using a Limited Data Set, i.e. a data set in which direct identifiers have been removed but certain potential identifiers remain. To qualify as a Limited Data Set, the following direct identifiers of the individual or of relatives, employers, or household members of the individual must be removed:

  • Names;
  • Street address/Postal address information, other than town or city, State, and zip code;
  • Telephone and fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers, health plan beneficiary numbers or other account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web universal resource locators (URLs) or Internet protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images.

A Limited Data Set is still considered to be PHI under HIPAA. Prior to disclosing the Limited Data Set, the entity releasing the Limited Data Set and the researcher must execute a Data Use Agreement. The agreement must contain the following elements:

  1. The permitted uses and disclosures by the recipient;
  2. The approved users and recipients of the data;
  3. Agreement by the recipient not to re-identify the data or contact the individuals;
  4. Assurances that the recipient will use appropriate safeguards to prevent use or disclosure of the Limited Data Set other than as permitted by the Data Use Agreement;
  5. Agreement that the researcher will report to the covered entity any uses or disclosures of the Limited Data Set which were not specifically allowed; and
  6. Agreement to require that any agents and subcontractors adhere to the same safeguards.

Unlike de-identified data, the Limited Data Set may include five-digit zip codes or any other geographic subdivisions, such as State, county, city, precinct and their equivalent geocodes. These geographic designations are permitted in order to support a range of research and public health activities, such as the analysis of local variations in disease burdens or statistics on the provision of health care services. Research employing a Limited Data Set is subject to human subjects regulations. The project must be approved by the HSCL prior to initiation. The proposed Data Use Agreement will have to be submitted with the HSCL application.
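The de-identification list above and the Limited Data Set list differ only in what survives: Safe Harbor strips all sub-state geography, reduces dates to the year, truncates ZIP codes to three digits (or "000" for sparsely populated ZIP3 areas) and collapses ages over 89 into "90+", while a Limited Data Set drops the direct identifiers but keeps city, state, five-digit ZIP and full dates. The following Python is an added example, not part of this guidance document; it assumes a flat record with constructed field names (`mrn`, `zip`, `birth_date`, and so on) and a constructed stand-in for the Census Bureau's ZIP3 population counts, which a real implementation would load from current Census data.

```python
"""Safe Harbor de-identification and Limited Data Set construction.

Added example (not part of the guidance document). Field names, the sample
record and the ZIP3 population table are constructed for illustration.
"""
import secrets
from datetime import date

# Constructed stand-in for Census Bureau ZIP3 population counts (assumption).
ZIP3_POPULATION = {"021": 650_000, "593": 12_000}

# Direct identifiers removed under BOTH Safe Harbor and a Limited Data Set.
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id", "account_no",
    "license_no", "vehicle_id", "device_serial", "url", "ip", "biometric", "photo",
})
# Sub-state geography: Safe Harbor drops all of it; an LDS drops only the street.
GEO_FIELDS = frozenset({"street", "city", "county", "precinct"})
# Dates directly related to the individual: year only under Safe Harbor, full in an LDS.
DATE_FIELDS = frozenset({"admission_date", "discharge_date", "death_date"})

AS_OF = date(2003, 4, 14)  # reference date for computing age (constructed)

# Constructed sample records; no real person is described.
SAMPLE = {
    "mrn": "MRN-0001", "name": "Example Patient", "phone": "555-0100",
    "email": "patient@example.org", "ssn": "000-00-0000", "street": "1 Example St",
    "city": "Example City", "state": "MA", "zip": "02134",
    "birth_date": date(1930, 5, 20), "admission_date": date(2003, 4, 1),
    "discharge_date": date(2003, 4, 9), "sex": "F", "diagnosis": "example dx",
}
SAMPLE_ELDERLY = dict(SAMPLE, mrn="MRN-0002", zip="59301", birth_date=date(1910, 1, 2))


def safe_harbor_zip3(zip5: str) -> str:
    """Keep the first three ZIP digits only if that ZIP3 area holds more than 20,000 people."""
    zip3 = zip5[:3]
    return zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"


def age_on(as_of: date, birth: date) -> int:
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify(record: dict, as_of: date, reid_codes: dict) -> dict:
    """Safe Harbor: strip listed identifiers and generalise the rest.

    reid_codes is the covered entity's private map from a random code back to
    the source MRN. The code is not derived from the individual's data, and the
    map is never released with the data set.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip3(value)
        elif key == "birth_date":
            age = age_on(as_of, value)
            if age > 89:
                out["age"] = "90+"  # birth year omitted: it would reveal the age
            else:
                out["age"] = str(age)
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year
        else:
            out[key] = value
    code = secrets.token_hex(8)
    reid_codes[code] = record["mrn"]
    out["reid_code"] = code
    return out


def limited_data_set(record: dict) -> dict:
    """Limited Data Set: drop direct identifiers and street; keep city, state, ZIP, dates."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS and k != "street"}


def has_direct_identifiers(record: dict) -> bool:
    """Release-time safeguard: True if any direct identifier field survived."""
    return any(k in DIRECT_IDENTIFIERS for k in record)


if __name__ == "__main__":
    codes = {}
    print(deidentify(SAMPLE_ELDERLY, AS_OF, codes))
    print(limited_data_set(SAMPLE))
```

The re-identification code follows the last bullet of the de-identification list: it is a random token rather than anything derived from the record, and the mapping stays with the covered entity. `has_direct_identifiers` is the kind of check worth running on every extract before it leaves the covered entity, whichever of the two routes the project uses.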

As in the case of de-identified data, a covered entity can hire the intended recipient of the Limited Data Set as the business associate for purposes of creating the Limited Data Set in accordance with the Privacy Rule's business associate requirements. That is, the covered entity may provide protected health information, including direct identifiers, to a business associate who is also the intended data recipient, to create a Limited Data Set of the information responsive to the recipient's request. HIPAA's requirements for business associate agreements must be met. For additional information regarding HIPAA's requirements for Business Associates, you may contact Jane Rosenthal, HIPAA Coordinator, Lawrence Campus, at ext. 4-9528.

Reviews that are Preparatory to Research

HIPAA also permits a researcher to access PHI from a covered entity if he/she attests in writing that:

  • The information is being sought solely to prepare a research protocol or for similar purposes preparatory to research;
  • No PHI is to be removed from the covered entity by the researcher; and
  • The information being sought is necessary for research purposes.

A copy of a sample PHI request form, which includes these written attestations, is included in Appendix III.

This exception to the written authorization requirement may be useful for examining medical records in order to formulate hypotheses, assess feasibility of a project, or determine availability of data. HIPAA permits researchers to review identifiable data in order to make these determinations; however, HIPAA requires that any information recorded in that review must meet de-identification standards. For example, researchers may not remove the subject's name and contact information from hospital premises.

The above information sets forth HIPAA's requirements in this area. It should be noted that the standards of a particular covered entity or the HSCL may be more restrictive. Questions regarding HSCL's standards in this area, or whether a particular review "preparatory to research" requires HSCL approval, should be directed to David Hann, Coordinator, HSCL, at ext. 4-7429.

Waiver of Individual Authorization

Some research projects do not involve written consent from the research subject. The HSCL may approve a waiver of written consent if the risk is minimal, informed consent is not practicable and a waiver of consent does not adversely affect the rights of the subject. For these studies the researcher may also apply for a waiver of the privacy authorization requirements under HIPAA if the research meets the following criteria:

  • The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
    • An adequate plan to protect the identifiers from improper use and disclosure;
    • An adequate plan to destroy the identifier at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
    • Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by HIPAA;
  • The research could not practicably be conducted without the alteration or waiver; and
  • The research could not practicably be conducted without access to and use of the PHI.

The researcher must apply for the Waiver of Authorization on the appropriate HSCL form. See Appendix III. If the waiver is approved, the researcher must submit the form indicating such approval to the covered entity holding the PHI, for example the hospital holding the medical records, prior to receiving the PHI. A copy of a blank approval form is included in Appendix III.

Studies that are exempt under HSC standards may still require a HIPAA waiver if the researcher must access PHI to perform the data collection. However, if the holder of the record performs the data extraction and delivers only de-identified information to the researcher, no HIPAA waiver is required. Retrospective medical chart reviews generally will require a waiver of the privacy authorization, since the researcher has access to the full identifiable medical record.

Research on Decedents

In order to access medical records on decedents, HIPAA requires a researcher to provide a covered entity with written assurances that the information is being sought solely for research on decedents, and is necessary for research purposes. The covered entity has a right to require documentation of the death of the individuals. A copy of a sample PHI request form, which includes these written attestations, is included in Appendix III.

Notifying Research Subjects of Their Privacy Rights

Starting April 14, 2003, HIPAA requires covered health care providers to provide their patients with a Notice of Privacy Practices (NPP). For certain studies involving clinical interventions, the research visit may be the first occasion of health care or treatment requiring provision of an NPP. Researchers involved in the provision of health care and/or clinical research must check with their Department/facility to determine whether they are subject to the NPP requirements. If so, delivery of the NPP should accompany the signing of the Privacy Authorization. Acknowledgements of receipt of the NPP should be retained. Questions regarding this requirement may be addressed to Jane Rosenthal, HIPAA Coordinator, Lawrence Campus, at ext. 4-9528.

Research Recruitment under HIPAA

Health care professionals involved in the treatment of a patient are allowed to discuss with their patient the option of enrolling in a research study, without obtaining prior authorization from the patient. For example, a healthcare provider could give his or her patient a researcher's contact information, so that the patient can initiate contact with the researcher. However, if the health care provider shares the patient information with a researcher not involved in the patient's care, some form of privacy permission must be in place, either through written authorization from the patient or an HSC waiver of the authorization for recruitment activity. The written permission or waiver allows the researcher to view the patient's PHI in order to make determinations about study eligibility. Once a potential research subject has been identified, the researcher should follow appropriate ethical standards about contacting the patient. The initial contact should come from someone who is known to a patient as having legitimate knowledge of his or her health status. In some cases, the researcher would still need to obtain a HIPAA compliant privacy authorization covering use and disclosure of the PHI collected for research purposes.

Research Repositories

HIPAA specifies three ways in which protected health information can be compiled for a research data repository:

  • Individual, written authorization is obtained from the subject of the information
  • Waiver of the individual authorization requirement is obtained from an IRB or Privacy Board
  • The PHI is obtained from a covered entity in a Limited Data Set and accompanied by a data use agreement

Prospective collection of data or tissue samples for a research repository generally requires informed consent and a privacy authorization. Researchers should note that if approval is granted for the general purpose of constructing and maintaining the repository, then subsequent studies of the material also will require HSC review. Depending on the nature of the subsequent study, the HSC will determine whether consent/privacy authorization is required or if the consent/privacy authorization requirement is waived. Re-analysis of data for purposes other than those authorized also will require another patient authorization, unless the IRB or a Privacy Board waives the requirement.

"Minimum Necessary" Provision and Role-Based Access

When conducting research involving the use or disclosure of PHI without an individual privacy authorization, HIPAA requires that the researcher request and maintain only the minimum necessary PHI to accomplish the research purpose. For example, access to an entire medical record should not be requested if a portion of the records, e.g., those generated during a limited time period, would be sufficient. The entity disclosing the PHI to the researcher may reasonably rely on the researcher's representation that the information being requested is indeed the minimum necessary.

In addition, University researchers are responsible for designating personnel who need access to study files that contain identifiable data. Access should be commensurate with the role on the research project. Access must be limited to the minimum level of PHI appropriate to the job function.

Transition Requirements for Ongoing Research

Special requirements pertain to research ongoing on April 14, 2003. As mentioned above, if the researcher has already enrolled all subjects and the protocols do not require their re-consent, then the researcher does not need to do anything. He or she can use or disclose the subjects' PHI in the ways that were communicated during the consent process. If the researcher will be enrolling new subjects into an already approved protocol after April 14, 2003, the subjects must sign a HIPAA privacy authorization, or an informed consent document incorporating the new privacy Authorization requirements, prior to study participation (unless one of the above exceptions to authorization applies). Researchers who are engaged in research that involves reviewing and gathering PHI, e.g. from medical records or tissue specimens, and have been given an IRB waiver of consent, must ask for a waiver of the HIPAA authorization requirements to continue collecting PHI after April 14, 2003.

Accounting for Research Disclosures

Under HIPAA, covered entities are required to provide patients (on request) with an accounting of certain disclosures of the patient's PHI. Disclosures made under a waiver of authorization, for activities preparatory to research, or for studies on decedents must be tracked in the medical record and accounted for if requested. Among the types of disclosures that are exempt from this accounting requirement are research disclosures made pursuant to an individual's authorization and disclosures of the Limited Data Set to researchers with a Data Use Agreement.

Researchers involved in a clinical trial that involves the delivery of routine health care, such as an MRI or liver function test, may be subject to this requirement. For additional information regarding these requirements, you may contact Jane Rosenthal, HIPAA Coordinator, Lawrence Campus, at ext. 4-9528.

Questions? Please contact:

Mary Denning
785-864-7429 | mdenning@ku.edu
Coordinator | Human Subjects Committee of Lawrence (HSCL)