These procedures will explain the use and disclosure of Protected Health Information (“PHI”) in research in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), its implementing regulations at 45 CFR Parts 160 and 164 (“Privacy Rules”) and the University of the Pacific HIPAA Policy and Procedure.

These procedures only cover the requirements of the HIPAA privacy rules. Additional steps may be required under the Common Rule and other federal and state laws regarding human subject’s research.

These procedures apply only to patient information maintained by the University Health Care Components.

Contents

Definitions. 1

Use and Disclosure of PHI in Research. 2

  1. De-identification. 2
  2. Research Use and Disclosure with Individual Authorization. 2

III.    Exceptions to Patient Authorization. 3

  1. Preparatory to Research. 3
  2. Limited Data Sets with a Data Use Agreement 3
  3. Documented Institutional Review Board (IRB) Approval of a Waiver or an Alteration. 4
  4. Research on PHI of Decedents. 5

Accounting for Research Disclosures. 5

Documentation. 6

Definitions

Component HIPAA Privacy Liaison (“Liaison”): a designated employee within the University Health Care Component responsible for implementation and oversight of the University HIPAA Policy and Procedures.

Protected Health Information (PHI): individually identifiable health information, except for records covered by the Family Educational Rights and Privacy Act “FERPA” or those in employment records.

Research: defined by the HIPAA Privacy Rule at 45 CFR 164.501 as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”

University Health Care Components: designated areas of the University which conduct HIPAA covered functions (see Statement of Hybrid Designation).

Use and Disclosure of PHI in Research

The University of the Pacific is a hybrid entity, as such HIPAA requires separation between those components covered by HIPAA (University Health Care Components) and the rest of the university. Research activities that are not performed at or within one of the University Health Care Components are considered external with regards to conditions for use and disclosure of PHI.

All researcher requests for PHI must be limited to the minimum necessary to complete the research.

Patient information that falls under the definition of PHI can be used for research in the following ways:

  1. After de-identification (making it no longer PHI)
  2. With appropriate patient authorization
  • Under one of the research exceptions to patient authorization

I. De-identification

Researchers may use or disclose health information for research purposes which has been de-identified in accordance with the Privacy Rule. The Rule allows for two methods of de-identification:

  • Expert Determination requires a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
    1. Applying such principles and methods,
    2. determining that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
    3. documenting the methods and results of the analysis that justify such determination.
  • The “Safe Harbor” method requires the removal of 18 identifiers of the patient and their relatives, employers, or household members (See University HIPAA procedures)

Additionally, a University Health Care Component may use PHI for the purposes of de-identification and may disclose PHI to a researcher or external party for the purpose of de-identification with a business associate agreement (See University HIPAA procedures).

De-identified patient information can be used freely without regard to any of the provisions below.

II. Research Use and Disclosure with Individual Authorization

Researchers are permitted to use or disclose protected health information for research purposes when a research participant authorizes the use or disclosure of information about him or herself.

The Privacy Rule has a general set of authorization requirements that apply to all uses and disclosures, including those for research purposes. The special provisions that apply to research authorizations are:

  • An authorization for a research purpose may state that the authorization does not expire, that there is no expiration date or event, or that the authorization continues until the “end of the research study”.
  • An authorization for the use or disclosure of protected health information for a research study may be combined with a consent to participate in the research, or with any other legal permission related to the research study.
  • An authorization for the use or disclosure of protected health information for a research study may be combined with an authorization for a different research activity, provided that, if research-related treatment is conditioned on the provision of one of the authorizations, such as in the context of a clinical trial, then the compound authorization must clearly differentiate between the conditioned and unconditioned components and provide the individual with an opportunity to opt in to the unconditioned research activity.
  • An authorization may be obtained from an individual for uses and disclosures of protected health information for future research purposes, so long as the authorization adequately describes the future research such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for the future research purposes.

Researchers should use the form “Institutional Review Board HIPAA Authorization Form” and delete the appropriate sections according to the details of their study.

III. Exceptions to Patient Authorization

The Privacy Rule sets out limited circumstances under which researchers can use or disclose PHI without obtaining patient authorization:

  1. Preparatory to Research
  2. Limited Data Sets with a Data Use Agreement
  3. Documented IRB approval of a waiver or an alteration

a. Preparatory to Research

For activities involved in preparing for research, the University Healthcare Components may allow a researcher to use or disclose PHI without the patient's authorization, a waiver or an alteration, or a data use agreement.

However, the researcher must provide written representations that;

  • the use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for similar purpose preparatory to research,
  • the PHI will not be removed from the University Healthcare Component in the course of review (e.g., physically taken out of a facility, or downloaded and retained on the researcher’s device),
  • the PHI for which access is requested is necessary for the research.

b. Limited Data Sets with a Data Use Agreement

A University Healthcare Component may disclose a limited data set to a researcher for research provided a data use agreement is in place.

A Limited Data Set is protected health information that excludes the following direct identifiers of the patient or their relatives, employers or household members:

  • Names;
  • Postal address information, other than town or city, State, and zip code;
  • Telephone numbers;
  • Fax numbers;
  • Email addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plates;
  • Device identifiers and serial numbers;
  • URLs;
  • IP addresses;
  • Biometric identifiers;
  • Full face photographs or comparable images

Limited data sets are still considered PHI and are not de-identified. To receive the limited data set the researcher must enter into a data use agreement with the University.

The data use agreement must:

  • Establish the permitted uses and disclosures of the limited data set by the recipient, consistent with the purposes of the research, and which may not include any use or disclosure that would violate the Privacy Rule if done by the University; 
  • Limit who can use or receive the data; and 
  • The require the researcher to agree to the following:
    • Not to use or disclose the information other than as permitted by the data use agreement or as otherwise required by law; 
    • Use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the data use agreement; 
    • Report to the University any use or disclosure of the information not provided for by the data use agreement of which the recipient becomes aware; 
    • Ensure that any agents, including a subcontractor, to whom the recipient provides the limited data set agrees to the same restrictions and conditions that apply to the recipient with respect to the limited data set; and
    • Not to identify the information or contact the patient. 

c. Documented Institutional Review Board (IRB) Approval of a Waiver or an Alteration

For research purposes the University IRB may approve a waiver or an alteration of the authorization requirement in whole or in part.

  • A complete waiver means the IRB has determined that no authorization will be required to use and disclose PHI for a particular research project.
  • A partial waiver of authorization occurs when the IRB determines that the researcher does not need an authorization for all PHI uses and disclosures for research purposes, such as disclosing PHI for research recruitment purposes.
  • The IRB may also approve an alternation request that removes some PHI, but not all, or alters the requirements for an authorization.

Documentation of the waiver or alteration of authorization must include the following:

  • A statement of IRB approval and the date of approval.
  • Statements that the IRB has determined that the waiver or alteration of authorization satisfies the following criteria:
  • The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
    1. An adequate plan to protect health information identifiers from improper use and disclosure
    2. An adequate plan to destroy identifiers at the earliest opportunity
    3. Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the privacy rule.
  • The research could not practically be conducted without the waiver or alteration.
  • The research could not practically be conducted without access to and use of PHI.

 

  • A brief description of the PHI for which use or access has been determined to be necessary by the IRB;
  • A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures; and 
  • The signature of the chair or other member, as designated by the chair, of the IRB.

IV. Research on PHI of Decedents

To use or disclosure PHI of decedents for research, researchers are not required to obtain authorizations from the personal representative or next of kin, a waiver or an alteration, or a data use agreement. However, researchers seeking access to decedents PHI must present;

  • written representations that the use and disclosure is sought solely for research on the PHI of decedents,
  • written representations that the PHI for which use or disclosure is sought is necessary for the research purposes, and
  • documentation of the death of the individuals who PHI is sought.

Accounting for Research Disclosures

The Privacy Rule gives patients the right to receive an accounting of certain disclosures of PHI made by the University that occurred during the six years prior to the patient’s request for an accounting. The accounting must include specified information regarding each disclosure. A more general accounting is permitted for subsequent multiple disclosures to the same person or entity for a single purpose.

Among the types of disclosures that are exempt from this accounting requirement are:

    • Research disclosures made pursuant to a patient’s authorization; 
    • Disclosures of a limited data set to researchers with a data use agreement.

 

The Privacy Rule allows for a simplified accounting of disclosures of PHI for research purposes without the patient’s authorization that involve at least 50 records. Under this simplified accounting provision, Component HIPAA Liaisons may provide patients with a list of all protocols for which the patient’s PHI may have been disclosed, including the following information;

  • Name of the research activity
  • A plain language description of the research, purpose, and criteria for selecting records
  • A description of the type of PHI disclosed
  • The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;
  • The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and
  • A statement that the patient's PHI may or may not have been disclosed

If the patient is provided with this simplified accounting provision and if it is reasonably likely that the PHI of the patient was disclosed for the research the Office of Sponsored Programs will, at the request of the patient, assist in contacting the entity that sponsored the research and the researcher.

Documentation

Documentation and written assurances will be maintained by the Institutional Review Board where approval has been sought. Otherwise documentation regarding disclosures will be maintained by the University Health Care Component.