HIPAA and Privacy in Research

Ascension Wisconsin is committed to providing access for use and disclosure of individuals' protected health information (PHI) that is involved in a research project in a manner consistent with federal and state privacy regulations.

The HIPAA Privacy Rule contains provisions that apply to research involving the use or disclosure of Protected Health Information (PHI). PHI is health information that is individually identifiable.

PHI may only be used for research when accessed through specific mechanisms, the details of which are described below. Health information may be used for research without any of these requirements if the information is de-identified (see below).


All researchers conducting research at Ascension Wisconsin should be aware of the importance of protecting patient information, and should be sensitive to the laws and regulations designed to safeguard PHI.

 


SOP: Use of PHI for Research

NIH: Clinical Research and the HIPAA Privacy Rule

Mechanisms to Access, Use and Disclose PHI

  •   De-Identified Information

    The HIPAA rules do not apply to de-identified health information. (In some cases, IRB review is not required either. If you are doing a project with de-identified health information/specimens, you can submit a Request for Determination via the eIRB to see whether your project needs IRB oversight.)

    To de-identify subject information for a research purpose, investigators must remove all of the following identifiers of the subject and the subject’s relatives, employers, or household members:

    • Names;
    • Geographic Subdivisions smaller than a state, except for the first three digits of the zip code;
    • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all elements of date (including year) for those over 89;
    • Telephone numbers;
    • Fax numbers;
    • Electronic mail addresses;
    • Social security numbers;
    • Medical record numbers;
    • Health plan beneficiary numbers;
    • Account numbers;
    • Certificate/license numbers;
    • Vehicle identifiers and serial numbers including license plate numbers;
    • Device identifiers and serial numbers;
    • Web Universal Resource Locators (URLs);
    • Internet Protocol (IP) address numbers;
    • Biometric identifiers, including finger and voiceprints;
    • Full-face photographic images and any comparable images; and
    • Any other unique identifying number, characteristic or code, including any code that includes or is derived from any of the identifiers on this list.

    In addition to the removal of the identifiers listed above, the investigators must not have actual knowledge that the remaining information could be used alone, or in combination with other information, by a recipient to identify the subject.

    Alternatively, investigators who believe that a data set is de-identified despite containing one or more of the identifiers in the above list may obtain an expert determination by a qualified statistician confirming that the risk of identifying individuals in the data set is “very small.”  More information about this method of de-identification is available from HHS.
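
    The identifier list above, applied to one record, as an added example (not Ascension Wisconsin's or HHS's code). The column names, the `KEEP` allow-list and the sample records are assumptions constructed for illustration; anything the filter does not recognise is withheld rather than passed through.

```python
import re
from datetime import date

# Hypothetical column names for a constructed research extract.
DROP = {"name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
        "health_plan_id", "account_no", "license_no", "vehicle_id",
        "device_id", "url", "ip_address", "biometric_id", "photo"}
DATES = {"birth_date", "admission_date", "discharge_date", "death_date"}
KEEP = {"state", "sex", "diagnosis_code"}   # assumed reviewed as non-identifying
# Identifier-shaped strings (SSN, e-mail, IPv4) that must not survive in a kept value.
LEAKS = re.compile(r"\d{3}-\d{2}-\d{4}|[\w.+-]+@[\w-]+\.\w+|(?:\d{1,3}\.){3}\d{1,3}")

def age_on(birth, ref):
    """Whole years between birth and ref."""
    return ref.year - birth.year - ((ref.month, ref.day) < (birth.month, birth.day))

def deidentify(record, as_of):
    """Return (clean, withheld). clean follows the identifier list above;
    withheld names fields dropped as unrecognised or identifier-shaped."""
    birth = record.get("birth_date")
    over_89 = birth is not None and age_on(birth, as_of) > 89
    clean, withheld = {}, []
    for field, value in record.items():
        if field in DROP:
            continue
        elif field in DATES:
            # Year only; for subjects over 89 no date element is kept at all.
            if not over_89 and value is not None:
                clean[field.replace("_date", "_year")] = value.year
        elif field == "zip":
            # First three digits only (ZIP held as a string). The HHS rule also
            # restricts low-population ZIP3 areas; that lookup is not done here.
            clean["zip3"] = str(value)[:3]
        elif field in KEEP and not LEAKS.search(str(value)):
            clean[field] = value
        else:
            withheld.append(field)          # fail closed, flag for review
    return clean, sorted(withheld)

# Constructed sample records, not real patient data.
PATIENT = {"name": "Jane Example", "mrn": "MRN-0001", "zip": "53202",
           "state": "WI", "birth_date": date(1960, 5, 17),
           "admission_date": date(2023, 3, 2), "diagnosis_code": "E11.9",
           "notes": "call 414-555-0100", "sex": "F"}
ELDER = dict(PATIENT, birth_date=date(1930, 1, 1))

if __name__ == "__main__":
    print(deidentify(PATIENT, date(2024, 1, 1)))
    print(deidentify(ELDER, date(2024, 1, 1)))
```

    A record that passes this filter still has to meet the actual-knowledge condition above, and withheld fields such as free-text notes need human review before release.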

  •   Obtaining Authorization

    A HIPAA authorization is different from informed consent, but they often go hand in hand. Informed consent seeks to provide subjects with information about the procedures and risks involved in a research activity so they may make an informed, voluntary decision as to whether to participate. Authorization, on the other hand, focuses specifically on the use of private health information. A HIPAA authorization must contain certain elements and statements, as well as a subject’s signature and date, to be valid.

    Ascension requires the use of a stand-alone HIPAA document (not incorporated into the consent form), which is available on the IRB website. By signing an IRB-approved consent and authorization form, subjects document their consent to be in the study as well as their authorization to use and disclose their PHI for the study.

  •   Waiver of Authorization

    HIPAA allows investigators to use or disclose PHI for research purposes without subjects’ authorization when the IRB has approved a waiver of authorization. To approve such a waiver, the investigator must establish:

    • That the research could not practicably be conducted without the waiver;

    • That the research could not practicably be conducted without access to and use of the PHI;

    • That the use or disclosure of the PHI involves no more than minimal risk to the privacy of the subjects as a result of:

        • An adequate plan to protect the PHI from improper use and disclosure;

        • An adequate plan to destroy any identifiers contained in the PHI at the earliest opportunity consistent with the research; and

        • Adequate written assurances that the PHI will not be reused or re-disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted.

    The IRB uses the Waiver or Alteration of HIPAA Authorization section in the IRB application to document these requirements. If you are requesting a waiver of authorization, or a waiver or alteration of certain elements of a valid authorization (such as a signature – see the form for more details), include this form in your IRB application. The waiver may apply to the whole study, or it may apply to one portion of the study, such as recruitment by phone where subjects will later be asked to sign an authorization. Regardless, the PHI collected under the waiver must be the “minimum necessary” to accomplish the research purpose. Disclosures of PHI under a waiver must be tracked (see Accounting of Disclosures section below).

    Examples of research protocols that may qualify for waiver of authorization include:

    • Records-based research that requires access to existing patient records

    • Minimal risk interview or survey research 

  •   Research Involving Only Decedent Information

    HIPAA allows investigators to use or disclose PHI of decedents for research purposes without the authorization of the subject and without a waiver of authorization from the IRB when Ascension Wisconsin obtains the appropriate certifications from the investigator. 

    To approve such use and disclosure, the investigator must represent and agree to the following:

    • The use or disclosure of PHI is sought solely for research on the protected health information of decedents (not, e.g., for research on living relatives of decedents);

    • The decedents’ PHI is necessary for the research purposes; and

    • Upon the request of the IRB, the investigator will provide documentation of the death of the individuals.

    To apply for approval to use and disclose decedents’ information for research purposes, investigators must submit an "Other IRB Determination" submission to the IRB, completing the Decedents section. More information is on the IRB website.

  •   Activities Preparatory to Research

    Accessing and using PHI for activities involved in preparing for research may be conducted without an individual’s authorization or a waiver of authorization if the investigator provides certain assurances.  Such activities include accessing medical records to determine if a sufficient sample size can be obtained or to compile a recruitment list for a study. 

    The required assurances for activities preparatory to research are:

    • The access to and use of PHI is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;

    • The PHI will not be removed from OHSU in the course of review; and

    • The PHI for which use or access is requested is necessary for the research.

    To apply for approval to use and disclose PHI for activities preparatory to research, investigators must complete the IRB application section. More information is on the IRB website. 

    It is important that no PHI leave Ascension Wisconsin when accessed under the Prep to Research provision.  If disclosure outside Ascension Wisconsin is needed, investigators must obtain signed authorization from the individuals or a waiver of authorization from the IRB.

  •   Limited Data Sets and Data Use Agreements

    A Limited Data Set (LDS) may be accessed from existing records and used by Ascension Wisconsin investigators without authorization from the subject and without a waiver of authorization from the IRB.  Disclosures of PHI in an LDS do not need to be tracked in an accounting of disclosures.

    An LDS may include ONLY indirect identifiers, including:

    • State;
    • ZIP Code;
    • Elements of date; and
    • Other numbers, characteristics, or codes not listed as direct identifiers

    Ascension Wisconsin investigators may not receive an LDS from a non-Ascension Wisconsin investigator under a Data Use Agreement (DUA) unless the DUA is signed by the Ascension Wisconsin Institutional Official. Investigators may NOT sign DUAs on behalf of Ascension Wisconsin.

  •   Business Associate Agreements

    A Business Associate (BA) is a person or entity that performs a function for or on behalf of Ascension Wisconsin involving the use or disclosure of PHI from Ascension Wisconsin patients or research subjects.

    In general, sponsors, federal agencies or research collaborators (co-investigators at other institutions) will not be BAs. Examples of BAs in research include:

    • A company that bills subjects or their insurance carriers for standard care procedures;

    • A company that provides telephone screening services for prospective research subjects; or

    • A clerical service that transcribes or processes research data containing PHI.

    Questions about whether an entity involved in a research study is a BA should be directed to the IRB and Contract Specialists. Ascension Wisconsin investigators may not establish BA Agreements (BAAs) on their own.  Disclosures of PHI to Business Associates must be tracked (see Accounting of Disclosures section below).

Other Issues to Consider 

  •   Accounting of Disclosures

    When disclosure of PHI is made without an individual’s authorization, the covered entity must keep a record that the information left the institution.

    Ascension Wisconsin patients and research subjects have a right to receive an accounting of disclosures of their PHI that have been made over the six years prior to the request. A “disclosure” is defined as the release, transfer, provision of access to or divulging in any other manner of PHI outside of Ascension Wisconsin. In general, this right applies to disclosures that the individual may not have known about or authorized.

    For research, the right generally applies to:

    • Disclosures made pursuant to an IRB waiver of authorization;
    • Disclosures made pursuant to a Representation for Research Involving Only Decedents’ Information (a decedent’s Personal Representative may request this information); and
    • Disclosures made to Business Associates.

    These types of disclosures must be tracked in the medical record, and the process may vary depending on the Ministry and record used.

    Other types of research disclosures do not require an accounting. However, documentation of authorization, such as a subject’s signed authorization or a limited data set with a data use agreement, may still need to be included in the medical record.

  •   Minimum Necessary Standard

    Investigators may use or disclose only the PHI necessary for the protocol.

    • For research employing a subject’s authorization, the authorization will define the PHI to be used or disclosed.

    • For research employing a waiver of authorization, the investigator must specify in the waiver request what PHI will be used and represent that it is the minimum necessary for the protocol.

    • For recruitment and screening activities conducted before authorization is obtained, the screening must be limited to questions/items related to inclusion/exclusion criteria of a specified protocol. The investigator must specify how collected information will be protected and/or destroyed.

  •   Notice of Privacy Practices & Subject Right to Amend PHI 

    Notice of Privacy Practices

    All individuals who receive care at Ascension Wisconsin must receive a Notice of Privacy Practices (NPP) that contains an effective date.

    Many research subjects receive routine clinical care at Ascension Wisconsin and will already have received an NPP prior to becoming a research subject. Subjects who have received a currently effective NPP do not need to receive another NPP when they enter a research protocol.

    Research subjects who have not previously been treated at Ascension Wisconsin may need to receive an NPP if the research provides standard care along with the experimental procedures. For example, a clinical trial that provides standard tests that the subject would receive even if he/she were not in the research protocol may generate bills to the subject or the subject’s insurance carrier for that standard care. These subjects must receive an NPP.

    If an Ascension Wisconsin research subject has not previously received a currently effective NPP, the investigator must provide one and obtain the subject’s signed acknowledgment that it has been received.

    In general, NPPs must be provided to research subjects if clinical treatment that is standard care will be provided in the protocol, even if there will be no bill for this treatment (i.e., treatment purpose) or if a bill for clinical services will be generated (i.e., payment purposes).

    Human subjects research that would not require provision of the NPP would include protocols that involve no treatment intervention, such as interview-based research or records reviews.

     

    Subjects' Rights to Access and Amend PHI

    HIPAA allows individuals to review and request amendment of any information that is contained in their Designated Record Set (DRS).  A clinical research record is not a DRS but may generate information that is entered into the DRS. For example, a protocol might involve blood tests and imaging studies that are part of standard care and that the subject would be receiving even if he/she were not in the study. This information is normally entered into the subject’s medical record as well as the research record. Once it is entered into the medical record, it becomes part of the DRS.

    While this subject would not have a right to access his/her research record, he/she could request access to the DRS. However, the investigator could delay access to the DRS until the end of the study if such access would violate a double-blind protocol or otherwise be disallowed by the protocol for scientific reasons. The investigator must advise subjects of the possibility of such a delay in the research authorization. The IRB’s template forms include language that addresses this.