Guidelines on Usage of Protected Health Information
If, on the other hand, the researcher wants to obtain the subject’s blood pressure from a physician, the physician’s ability to disclose the information is governed by the Privacy Rule. Similarly, a physician sending a "medical clearance" form for a study participant to a researcher would be subject to HIPAA. However, if the physician gave the medical clearance form to the study participant, and the study participant delivered it to the researcher, the disclosure would NOT be subject to HIPAA.
- Every subject has signed an Authorization for the CE to release the PHI to the researcher
- An Institutional Review Board (IRB) has granted the research a Waiver of Authorization
- The researcher De-identifies the health information to HIPAA standards
Hospitals and other large CEs may require the researcher to use their standard agency authorization form. Researchers are advised to contact CEs and determine this before investing time in creating an authorization form specific to their research study.
An authorization must be written in plain language and include the following elements according to Federal Law 45 CFR 164.508:
- Description of information to be disclosed
- Specification of persons or class of persons authorized to disclose the information
- Specification of who (name or class of persons) that disclosure can be made to
- Purpose for which disclosed data would be used
- Expiration date for authorization
- Statement of right to revoke authorization and method to revoke
- Statement that person can inspect or copy PHI to be disclosed
- Whether PHI disclosure is linked to remuneration or benefit for CE
- Statement that disclosed information may be re-disclosed and will no longer be protected by HIPAA
- Signed and dated by individual/guardian. (If the guardian signs, include a description of guardian’s authority to act for individual.)
View sample authorization form. (open Word Document)
An IRB can grant a waiver of authorization (45 CFR 164.512(i)) for a research study if it determines that the waiver criteria under 45 CFR 164.512(i)(2)(ii) are met:
(A) The use or disclosure of protected health information (PHI) involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
- An adequate plan to protect the identifiers from improper use and disclosure;
- An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
- Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by HIPAA and approved by the IRB;
(C) The research could not practicably be conducted without access to and use of the PHI.
Covered Entities (CEs) with their own IRBs may require that the waiver be granted by the agency IRB, rather than UNC Charlotte’s IRB. Researchers are advised to contact CEs and determine this before applying for a Waiver of Authorization from the UNC Charlotte IRB. After determining this, if you still wish to request a Waiver of Authorization from the UNC Charlotte IRB, you may do so as part of your protocol application submission.
Health information that cannot be traced to an individual is not subject to the HIPAA Privacy Rule (45 CFR 164.514). The Covered Entity (NOT the UNC Charlotte IRB) must make this determination. The determination can be made through either of the following:
- expert opinion, or
- removal of identifying information
Expert opinion must be rendered by a person with expertise in methodology for de-identifying PHI. The expert must determine that risk of identification is very small and must document his/her methodology and analysis.
The CE must NOT have actual knowledge that the disclosed information could be used to identify the subject and MUST REMOVE all identifiers of subjects, and their relatives, employers, and household members.
HIPAA REQUIRES REMOVAL OF
- Geographic subdivisions smaller than state
- All dates related to the subject (e.g. birth date) [Exception: Birth year and age (if under 89) may be retained.]
- Telephone, fax, e-mail, SSNs
- Medical record and health plan numbers
- Account numbers
- Certificate and license numbers
- VIN and license plate numbers
- Device identifiers and serial numbers
- URLs and IP addresses
- Fingerprints, voice prints, etc.
- Any other identifiers
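As an added illustration (not part of this guidance, and not a UNC Charlotte or HHS tool), the following Python code applies the removal list above to a constructed patient record and then scans whatever remains for identifier patterns that survive inside free-text fields, which is where de-identification most often fails in practice. The field names, the sample record and the regular expressions are assumptions made for this example; the age threshold is taken from this page's wording and is left as a parameter.

```python
import re

# Fields that must be dropped outright under the removal list above.
# Field names are constructed for this example, not a standard schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_no", "license_no", "vin",
    "plate", "device_serial", "url", "ip", "fingerprint_hash",
}

# Threshold as worded on this page ("age (if under 89) may be retained");
# ages at or above it are aggregated into a single top bucket.
AGE_CAP = 89

# Full dates are reduced to the year, which the page says may be retained.
DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# Patterns that indicate an identifier is still present in free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def safe_harbor(record: dict) -> dict:
    """Return a copy of record with direct identifiers removed,
    dates reduced to the year, and high ages aggregated."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # identifier field: drop entirely
        if key == "state":
            out[key] = value              # state-level geography is allowed
            continue
        if key == "age":
            out[key] = f"{AGE_CAP}+" if value >= AGE_CAP else value
            continue
        m = DATE_RE.match(value) if isinstance(value, str) else None
        if m:
            out[key] = m.group(1)         # keep the year only
            continue
        out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Scan string fields for identifier patterns that survived redaction.
    Returns (field, pattern_name) pairs; an empty list means nothing found."""
    findings = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                findings.append((key, label))
    return findings


def release_candidate(record: dict):
    """Redact, then refuse to release if any residual identifier is found.
    Returns (redacted_record_or_None, findings)."""
    redacted = safe_harbor(record)
    findings = residual_identifiers(redacted)
    return (redacted if not findings else None), findings


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Doe",
    "street": "12 Example Ln",
    "city": "Charlotte",
    "state": "NC",
    "zip": "28223",
    "birth_date": "1931-04-02",
    "age": 93,
    "admit_date": "2024-02-14",
    "email": "jane@example.org",
    "mrn": "MRN-0001",
    "diagnosis": "hypertension",
    "systolic_bp": 142,
    "notes": "Follow-up call to 704-555-0100 on 2024-02-20",
}

if __name__ == "__main__":
    record, findings = release_candidate(SAMPLE)
    print("released:", record)
    print("residual identifiers:", findings)
```

The structured fields redact cleanly, but the free-text `notes` field still carries a phone number and a full date, so `release_candidate` returns `None` rather than the record. That split is the point: a field-level rule set covers the enumerated identifiers, while the "any other identifiers" catch-all and the CE's "actual knowledge" standard require a second look at unstructured text, and a pattern scan like this one is a check that can fail a release, not proof that the data are de-identified. The determination still rests with the Covered Entity.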
Since the Covered Entity must make the determination that data have been sufficiently de-identified, the role of the UNC Charlotte IRB is education and advice. The UNC Charlotte IRB can assist researchers in deciding which data must be removed in order for the data to be considered de-identified.