The Health Insurance Portability and Accountability Act is a milestone in Federal efforts to facilitate the transfer of healthcare data in a growing age of electronic healthcare transactions. HIPAA, known as the “Privacy Rule,” was passed in 1996, and it requires UTHSC-H to adopt standards to protect a patient’s individually identifiable health information. Although the rule was not written with research in mind, it greatly impacts the manner in which UTHSC-H investigators may use or disclose a subject’s protected health information (PHI) for research purposes. All clinical investigators must comply with the Privacy Rule when any of their clinical trials involve medical treatments. In addition, if protected health information is requested from covered entities*, HIPAA rules apply. Failure to comply with HIPAA can result in costly civil, or even criminal, sanctions against an institution or independent investigative site. The CPHS is responsible for the review and approval of the use or disclosure of PHI.
Protected Health Information (PHI): Individually identifiable health information that is or has been collected or maintained by the covered entity, including information that is collected for research purposes only, and can be linked back to the individual subject.
Research conducted under the auspices of the UTHSC-H IRB (CPHS) that creates, uses, or discloses protected health information is subject to the HIPAA regulations.
*Who is the covered entity?
Health Plan
Health Care Provider (specifically, a provider who conducts certain financial and administrative transactions electronically, e.g. billing, funds transfer, insurance claims)
Health Care Clearinghouse – an organization that processes or facilitates the processing of health information from a non-standard format to a standard format or vice versa (e.g., a physician’s billing service)
Direct Identifiers
When developing research protocols, the investigator must take into consideration allowable use and disclosure of PHI under HIPAA. The following identifiers are considered links to a particular individual or data that could enable individual identification:
names
geographic subdivisions smaller than a State, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of a ZIP code
all elements of dates (except year) for dates directly related to an individual (e.g., date of birth, admission)
telephone numbers
fax numbers
electronic mail addresses
social security numbers
medical record numbers
health plan beneficiary numbers
account numbers
certificate/license numbers
vehicle identifiers and serial numbers, including license plate numbers
device identifiers and serial numbers
web universal resource locators (URLs)
internet protocol (IP) address numbers
biometric identifiers, including fingerprints and voice prints
full-face photographic image and any comparable images
other unique identifying number, characteristic, or code
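The two de-identification forms this handbook describes (the Safe Harbor removal of the identifiers listed above, and the limited data set that keeps dates and coarse geography) can be applied mechanically to a record. The following is an added example, not part of the handbook or any UTHSC-H system; the field names and the sample record are constructed, and the 20,000-population ZIP rule it applies comes from the Privacy Rule text rather than from this page.

```python
from datetime import date

# Constructed field names for a sample record; an assumption, not a real schema.
# The 16 direct identifiers that both Safe Harbor and a limited data set remove:
DIRECT_IDENTIFIERS = frozenset({
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account",
    "license", "vehicle", "device", "url", "ip", "biometric", "photo",
})
# Fields a limited data set may keep but Safe Harbor must strip or reduce.
DATE_FIELDS = frozenset({"dob", "admitted"})
# The 18th identifier ("any other unique identifying number, characteristic, or
# code") is a catch-all, so Safe Harbor output is built from an allowlist of
# known non-identifying fields rather than a denylist.
SAFE_HARBOR_ALLOWED = frozenset({"state", "sex", "diagnosis", "lab_result"})


def limited_data_set(record):
    """Drop the 16 direct identifiers; keep dates, city/state/ZIP and other codes."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record, low_population_zip3=frozenset()):
    """Reduce a record to Safe Harbor de-identified form.

    Dates keep only the year, ZIP keeps only its first three digits, and all
    other sub-state geography is dropped. low_population_zip3 lists ZIP3
    prefixes covering 20,000 or fewer people, which 45 CFR 164.514(b) requires
    be replaced by 000 (that threshold is not stated on this handbook page).
    """
    out = {}
    for key, value in record.items():
        if key in DATE_FIELDS:
            out[key] = date.fromisoformat(value).year
        elif key == "zip":
            zip3 = value[:3]
            out[key] = "000" if zip3 in low_population_zip3 else zip3
        elif key in SAFE_HARBOR_ALLOWED:
            out[key] = value
        # anything else (direct identifiers, city/county, unknown codes) is dropped
    return out


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "street": "1 Example St", "city": "Houston", "county": "Harris",
    "state": "TX", "zip": "77030-1234", "dob": "1980-05-17",
    "admitted": "2023-11-02", "sex": "F", "diagnosis": "I10",
    "study_code": "SUBJ-0007",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE))
    print(limited_data_set(SAMPLE))
```

Note that the limited data set still carries dates and city, which is exactly why it is only usable under a Data Use Agreement, whereas the Safe Harbor output discards the study code because it was never allowlisted.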
Permitted Use or Disclosure of PHI in Research
Investigators may create, use or disclose PHI for research purposes in one of four ways, each discussed below:
Obtaining authorization from the individual or his/her legally authorized representative;
Obtaining a waiver of authorization from the CPHS;
De-identifying the data; or
Creating a limited data set.
Difference between “use” and “disclosure” of information (PHI):
USE happens within a health care organization and is under the direct control of the organization. Example: a CRC in a clinic “uses” protected health information when seeing a study subject.
DISCLOSURE occurs when the information (PHI) is given to someone who is not part of the organization (not an employee). Example: allowing a sponsor monitor (CRA) to see a study subject’s office chart/source document.
Authorization
There are additional requirements to be included in an informed consent document for studies involving the use or disclosure of Protected Health Information (PHI).
Authorization: A customized document that gives UT Health Science Center in Houston (UTHSC-H) permission to use specified protected health information (PHI) for a specific purpose, or to disclose PHI to a third party specified by the individual.
A legally effective authorization must include the following:
A specific and meaningful description of the information to be used or disclosed;
The name or identification of the persons or class of persons authorized to make disclosures of PHI and to use the PHI for research-related purposes;
The name or identification of the persons or class of persons authorized to receive disclosures of PHI and to use the PHI for research-related purposes;
An expiration date or specific length of time for approval (such as 5 years);
A statement that the individual may revoke the authorization by submitting a written request to the principal investigator. The investigator may, however, continue to use and disclose, for research integrity and reporting purposes, any PHI collected from the individual under that authorization before it was revoked;
A statement that an individual’s clinical treatment may not be conditioned upon whether the individual signs the research authorization;
A statement that information disclosed under the authorization could potentially be re-disclosed by the recipient and would no longer be protected under HIPAA; and
Space for the individual’s signature (or that of his or her legally authorized representative) and date.
The UTHSC-H approved HIPAA forms are located in iRIS; they must be completed and attached to each submission.
For more information regarding the HIPAA regulations, please see Chapter 7 of this handbook.
HIPAA regulations use the term “authorization” to describe the process through which a participant allows investigators to access PHI. An investigator must seek such authorization from the subject or his or her legally authorized representative to create, use or disclose PHI. Regulations require that a valid authorization contain the following elements:
A description of all of the health information that may be used (within the covered entity) and disclosed (outside the covered entity) under the authorization. This includes standard PHI as well as subjects’ history, physical findings, and laboratory test results. In addition to the study’s sponsor, anyone else who will receive PHI directly from the site, such as the clinical research organization and central laboratories, and oversight agencies such as the CPHS, the FDA, and DSMBs, must be listed.
An expiration date, although in research, this date is allowed to be somewhat non-specific, such as “the end of the study” or “five years after the end of the study”.
If banking samples for future research use, the details of this future use must be given as specifically as is known at the beginning of the study.
A statement that the subject has the right to refuse to sign the authorization, in which case he/she should not be enrolled in the study.
If later on in a trial other information is required that is not listed on the original authorization form, a new authorization most likely will be needed.
Under HIPAA, subjects may still withdraw from a study verbally; revoking authorization, however, requires a WRITTEN request from the subject. Researchers must honor this request, except to the extent they have already “relied on” the permission to use the information. For example, if researchers have already used a person’s PHI in the analysis of data, the analysis can be maintained. Researchers may also continue using and disclosing PHI that was obtained before the subject revoked his/her authorization, as necessary to maintain the integrity of the study.
The patient’s right to access PHI may be temporarily suspended while the research is in progress, as long as the authorization states that the subject will not receive the requested information until the study has ended.
Language regarding potential adverse events, and accessing records from the treating facility (should it become necessary), should be included in the authorization.
In most cases, the authorization template will be available in iRIS or can be obtained from the covered entity (health plan, health care provider, or a health care clearinghouse) from which you will be obtaining the Protected Health Information.
The authorization form will be tailored by you to be specific to your study, and the completed form MUST be included in your CPHS application packet. The CPHS must approve this authorization form, in addition to the informed consent document.
It must be noted that HIPAA requirements pertain to the use and disclosure of PHI from the covered entity to other entities; therefore, revisions to meet sponsor requirements are not permitted.
Waiver of Authorization
Under certain conditions, the CPHS may approve the use or disclosure of PHI without authorization from the subject. The following conditions must be met before the CPHS may grant a waiver of authorization:
The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
• An adequate plan to protect health information identifiers from improper use and disclosure;
• An adequate plan to destroy identifiers at the earliest opportunity consistent with the conduct of the research; and
• Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
The research could not practicably be conducted without the waiver or alteration of authorization; and
The research could not practicably be conducted without access to and use of the PHI.
“Minimum Necessary” Standard - HIPAA has established that use/disclosure of PHI in situations other than treatment, payment or healthcare operations must be kept to the minimum necessary to meet the needs of the research project. In keeping with this approach, PHI collected during research under a “Waiver of Authorization” may only be used or disclosed to the extent that it is the minimum necessary.
De-identified Data
Under HIPAA regulations, information is considered to be “de-identified” if all of the identifiers have been removed and there is no reasonable basis to believe that the remaining information could be used to identify a person. In order for an investigator to create a de-identified data set, he or she must agree to the same conditions as those involved in “preparatory to research” described below.
An investigator may also choose to use the “statistical method” as a mechanism for creating a de-identified data set. The CPHS may determine that health information is de-identified if an independent, qualified statistician:
Determines that the risk of re-identification of the data, alone or in combination with other data, is very small; and
Documents the methods and results of the analysis on which the expert’s determination of that risk is based.
Note: the expert may not be the researcher or anyone directly involved in the research study.
Limited Data Set
As an alternative to using fully de-identified information, HIPAA makes provisions for the creation of a limited data set, which requires the removal of 16 direct identifiers but allows the inclusion of dates, geographic location (not as specific as street address) and any other code or characteristic not explicitly excluded. This should be considered a “one-time use” data set. Limited data sets require a Data Use Agreement between the institution and the investigator and are most often used for retrospective chart reviews. Because much retrospective research meets the criteria for exemption under category (b)(4) described in Chapter 3, the Statement of Affirmation is included as part of the Request for Exemption application. For investigators who are disclosing a limited data set, the agreement must be reviewed by the CPHS. The covered entity will likely provide a template agreement; the UT HIPAA Officer can also supply one.
The Data Use Agreement establishes who is permitted to use or receive the limited data set and requires that the recipient agree:
Not to use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
To use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
To report to the covered entity any use or disclosure of the information not provided for by the data use agreement of which it becomes aware;
To ensure that any agents, including subcontractors, to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
Not to identify the information or contact the individuals.
Reviewing PHI Preparatory to Research
The HIPAA Privacy Rule allows investigators to review PHI at their sites to help design a research study, assess the feasibility of conducting a study, or screen records for recruitment. Neither an authorization nor a waiver is required for these purposes. However, if an investigator is screening records that belong to an organization other than his/her own practice, he/she is not allowed to contact the potential subjects associated with those records.
These activities must still be reviewed by the CPHS. To request approval, submit a request in iRIS that states:
The use or disclosure of the PHI is sought solely for the purpose of preparing the research protocol;
The PHI will not be removed from the covered entity; and
The PHI is necessary for the purpose of the research study.
In most instances, this type of research will still be reviewed under the guidelines for expedited review. iRIS will guide the investigator through a series of questions to indicate which HIPAA form to complete, based on the answers given; iRIS will also indicate if the investigator is exempt from HIPAA.
Tracking Requirements for Disclosures of PHI
The Privacy Rule requires that an investigator granted a “Waiver of Authorization” for a research project track any disclosures of this information, and subjects may ask investigators to provide them with a list of all possible disclosures of their PHI for research purposes. UTHSC-H does not offer a process to track these disclosures, so investigators must arrange for personnel to track them.
HIPAA Exemptions
At least one HIPAA-related form must be filled out and approved by the CPHS for EACH current and new research study, including those exempt from HIPAA; for an exempt study, the investigator is required to complete the form entitled "Studies Exempt from HIPAA".
For other questions, please call us at 713-500-7943.