HIPAA | Research | Mount Carmel Health


Some Phase I studies of healthy volunteers, such as those run in a stand-alone, research-only setting, may fall outside the scope of HIPAA, but very little else does. HIPAA covers all research activities that use individually identifiable health information about humans, known as protected health information (PHI), as long as the information is collected in a setting related to the patient care process.

What makes information identifiable? Elements that make information individually identifiable include, but are not limited to, the following:

  • Name
  • Addresses
  • Employers' names or addresses
  • Relatives' names or addresses
  • Dates directly related to the individual (other than year), such as dates of birth, admission, discharge, or death
  • Telephone and fax numbers
  • E-mail addresses
  • Social Security number
  • Medical record numbers
  • Certificate numbers (including device serial numbers for implants)
  • Member or account numbers
  • Voiceprints
  • Fingerprints
  • Full face photos and comparable images
  • Any other characteristics that may be used, singly or in combination, to identify the individual

It is important for researchers to understand the difference between "use" and "disclosure." A "use" happens within a healthcare organization or other covered entity and is under the direct control of that organization. A nurse in a clinical care setting is using PHI. A "disclosure" happens when information is given to someone who is not part of the organization's workforce. For example, when you show your source documentation to a study monitor, you are disclosing that information, even if the monitor does not physically remove any PHI from the research site.

All covered entities must obtain patients' written authorization before using or disclosing their PHI for most purposes other than treatment, payment, and routine healthcare operations. This means that you need to obtain authorization before using a patient's PHI for most clinical research. Some hospitals and other covered entities use a separate authorization form for this. However, the Mount Carmel IRB has chosen the simpler route of folding the authorization language into the "consent for research" or "informed consent" document already in use.

Whether you use a separate authorization or combine it with the consent:

  • You must list in the authorization all the health information you plan to use or disclose. This includes standard PHI as well as subjects' history, physical findings, and laboratory test results.

    If you find later on in a trial that you need to use a piece of information that you haven't listed, you'll probably need to obtain a new authorization.
  • You will need to list the people/organizations that may use or disclose the information. In most cases, this will be the principal investigator and his/her research team.
  • In addition to the study's sponsor, you will need to list other individuals or organizations that will receive PHI directly from the site, such as the clinical research organization and central laboratories, as well as oversight agencies such as the institutional review board, the FDA, or, where applicable, the federal Office for Human Research Protections (OHRP).
  • You must provide a description of the purpose for the use and disclosure of the subject's PHI.
  • Under HIPAA, you must give subjects a date or event after which you agree to cease using their information. Some examples would be: "end of the study," "never," "15 years after the end of the study," or "the end of the study or when your child reaches age 21, whichever is later."
  • You must include a statement that the patient has the right to refuse to sign the authorization. This statement is the same as the one that current research regulations require.
  • Under HIPAA, subjects can still withdraw from the study verbally or by simply walking away. However, you now need to tell subjects that they must revoke the authorization in writing to stop your subsequent use or disclosure of their PHI. After a subject has revoked the authorization, you can still use enough of the PHI to inform the sponsor of the revocation. If you have already submitted data to the sponsor, you need not retrieve it.

    You can submit data you've already collected to the sponsor if it is necessary to "preserve the integrity of the study" — to support an FDA application, for instance.

You will find all of this information built into the sample informed consent form.

Changes to the Pre-screening Process

When searching for likely subjects for a study, investigators and coordinators usually review documents such as medical records, appointment logs, rounding lists, or procedure posting boards. In these cases you are examining, and thus using and disclosing, PHI for purposes other than treatment, payment, or operations, and you are doing so without the patient's authorization.

Under HIPAA, you are still able to perform most of your current pre-screening activities. However, you now need to obtain formal permission from the organization where you're holding the trial or the IRB responsible for overseeing the project.

There are two ways of doing this: Through a "waiver of authorization" (similar to the "waiver of consent for research" under current regulations), or through a "review preparatory to research." The waiver of authorization can be granted by the IRB.

Waivers are required for most trials in which you plan to send pre-screening logs to a sponsor as part of the research study. Waiver requests must be completed, submitted to, and approved by the IRB before you conduct any pre-screening activities. Waivers can be incorporated into the main research protocol, but must satisfy all of the following criteria:

  • The research could not practicably be conducted without the waiver
  • The research could not practicably be conducted without access to and use of the PHI
  • The use or disclosure you plan involves no more than minimal risk to the subject's privacy, which requires:
    1. An adequate plan to protect identifiers from improper use and disclosure
    2. A plan to destroy identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining them or retention is required by law
    3. Written assurance that the PHI will not be reused or disclosed to anyone else, except as required by law, for oversight of the study, or for other research permitted under the Privacy Rule

It also needs to satisfy two additional criteria, already required in current regulations:

  1. The rights or welfare of the subject will not be adversely affected by the waiver
  2. The risks are reasonable in relation to the anticipated benefits of the research

Using a waiver of authorization, your initial contact with the potential subject may come in person, after the patient has left the institution, or by mail or phone. You can also send the PHI to the trial's sponsor.

However, under a waiver of authorization you must destroy the identifiers, including dates and medical record numbers, at the earliest opportunity consistent with the conduct of the research (unless retention is required by law or there is a health or research justification for retaining them).

If you do not plan to send logs to a sponsor after a trial, you can instead complete a "review preparatory to research." This review should include all of the following information:

  • The title of, or reason for, the research
  • A list of the PHI you intend to use and your plans for pre-screening it
  • A statement that the use or disclosure is solely for the review
  • A statement that the PHI will not leave the healthcare facility during the course of the review
  • A statement that the PHI is necessary for the purposes of your research

With this method, you are not allowed to remove the pre-screening logs from the healthcare facility. You can still use them to contact the patient by mail or phone, since the disclosure is simply to the patient.

Review the HIPAA Compliance Worksheet for Research Protocols and Application for Waiver of Authorization.

Limited data sets, used in conjunction with a data use agreement, allow you to send at least some individually identifiable information to sponsors for research purposes. The limited data set option may only be used for three purposes: (1) research; (2) public health; and (3) healthcare operations. It cannot be used for marketing.

By using limited data sets in conjunction with a data use agreement, you are able to submit pre-screening logs with certain specific information to a sponsor (though the information in the logs is still PHI, remains subject to the Privacy Rule, and may still be subject to IRB review). This mechanism also allows you to disclose information to disease registries or studies operated by private organizations. You must remove the direct identifiers listed below, but you may include useful information such as complete dates, 5-digit zip codes, geographic information at the town, city, or state level (anything other than street address), and a link field in the form of an encrypted or otherwise keyed identifier that only the site can map back to the patient.

Identifiers that must be removed from a limited data set include the following:

  • Name
  • Street address or box number
  • Telephone or fax numbers
  • Vehicle identification and serial numbers
  • URLs, IP addresses, and e-mail addresses
  • Full-face photographs
  • Social security number
  • Medical record numbers
  • Health plan beneficiary numbers and other account numbers
  • Device identifiers and serial numbers
  • Biometric identifiers
  • Certificate or license numbers

The minimum necessary standard still applies to a limited data set, so consider carefully what information to include.
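The following is an added example, not code from Mount Carmel or from the HIPAA text, showing how a site might turn a pre-screening log into a limited data set: the listed direct-identifier fields are dropped, dates, zip code, city and state are kept, the medical record number becomes a keyed link field (HMAC-SHA256 under a key that never leaves the site), and free-text fields are scanned for identifiers that tend to hide in notes (phone numbers, SSNs, e-mail addresses, IPs, URLs) and dropped if one is found. The record field names, the sample log, and the site key are all assumptions made for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import re

# Assumed record schema: these field names stand in for the direct identifiers
# that must be removed from a limited data set (names, street address or box,
# phone/fax, e-mail, SSN, MRN, plan and account numbers, device serials,
# biometrics, certificate/licence numbers, VINs, URLs, IP addresses, photos).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "po_box", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "device_serial", "biometric",
    "license_number", "vin", "url", "ip_address", "photo",
}

# Patterns for identifiers that tend to hide inside free-text fields such as
# clinical notes. A hit means the whole field is dropped and reported.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def link_id(mrn: str, key: bytes) -> str:
    """Keyed pseudonym for the link field: HMAC-SHA256 of the MRN under a key
    held only by the covered entity. The recipient cannot invert it or guess
    MRNs offline without the key; the site can re-link by recomputing it."""
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def scan_free_text(value: str) -> set[str]:
    """Return the identifier types found in a string (empty set if clean)."""
    return {label for label, pat in IDENTIFIER_PATTERNS.items() if pat.search(value)}


def to_limited_data_set(record: dict, key: bytes) -> tuple[dict, set[str]]:
    """Reduce one record to limited-data-set content.

    Returns (cleaned_record, leaks). Dates, 5-digit zip, city and state pass
    through; listed direct-identifier fields are dropped; the MRN is replaced
    by a keyed link_id; any free-text field containing an identifier pattern
    is dropped and reported in `leaks` as "field:type"."""
    cleaned, leaks = {}, set()
    for field, value in record.items():
        if field == "mrn":
            cleaned["link_id"] = link_id(value, key)
        elif field in DIRECT_IDENTIFIER_FIELDS:
            continue
        elif isinstance(value, str) and (found := scan_free_text(value)):
            leaks |= {f"{field}:{label}" for label in found}
        else:
            cleaned[field] = value
    return cleaned, leaks


def build_limited_data_set(records: list[dict], key: bytes) -> tuple[list[dict], set[str]]:
    """Apply to_limited_data_set across a whole pre-screening log."""
    out, all_leaks = [], set()
    for rec in records:
        cleaned, leaks = to_limited_data_set(rec, key)
        out.append(cleaned)
        all_leaks |= leaks
    return out, all_leaks


# Constructed sample pre-screening log (fictional patients, assumed schema).
SAMPLE_LOG = [
    {"mrn": "MRN-000123", "name": "Jane Doe", "dob": "1958-03-14",
     "admit_date": "2023-01-15", "zip": "43222", "city": "Columbus", "state": "OH",
     "diagnosis": "I21.4", "email": "jane.doe@example.com",
     "notes": "Call back at 614-555-0101 re: follow-up"},
    {"mrn": "MRN-000123", "name": "Jane Doe", "dob": "1958-03-14",
     "admit_date": "2023-02-02", "zip": "43222", "city": "Columbus", "state": "OH",
     "diagnosis": "I50.9", "notes": "Eligible; enrolled in screening"},
    {"mrn": "MRN-000456", "name": "John Roe", "dob": "1971-07-30",
     "admit_date": "2023-01-20", "zip": "43229", "city": "Columbus", "state": "OH",
     "diagnosis": "I21.0", "ssn": "123-45-6789",
     "notes": "SSN on file: 123-45-6789"},
]

# Hypothetical site-held key; in practice it belongs in the site's key store.
SITE_KEY = b"example-site-link-key-do-not-share"

if __name__ == "__main__":
    rows, leaks = build_limited_data_set(SAMPLE_LOG, SITE_KEY)
    for row in rows:
        print(row)
    print("fields dropped for embedded identifiers:", sorted(leaks))
```

Because the link field is a keyed HMAC rather than a plain hash, a sponsor holding the data set cannot enumerate plausible MRNs and match them, while the site can still reconcile both of Jane Doe's visits to one subject. The `leaks` report is the check a coordinator should review before anything is sent: a pattern hit in a notes field is a sign the source log needs cleaning, not just the export.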

To limit the likelihood of re-identification, you must have the recipient sign a data use agreement. The agreement should specify the following:

  • The person or organization to use or receive the data set
  • An explanation of how the recipient may use or disclose the data set
  • A statement that the recipient will not use or disclose the information except as permitted in the agreement
  • A statement that the recipient will use appropriate safeguards to protect the data from misuse or inappropriate disclosure
  • A statement that the recipient will report use or disclosure not permitted in the data use agreement
  • A statement that the recipient will ensure that its agents agree to the same restrictions and provisions
  • A statement that the recipient will not attempt to re-identify the PHI