How Can Covered Entities Use and Disclose Protected Health Information for Research and Comply with the Privacy Rule?
Key Points:
- De-identified health information, as described in the Privacy Rule, is not PHI, and thus is not protected by the Privacy Rule.
- PHI may be used and disclosed for research with an individual's written permission in the form of an Authorization.
- PHI may be used and disclosed for research without an Authorization in limited circumstances: under a waiver of the Authorization requirement, as a limited data set with a data use agreement, preparatory to research, and for research on decedents' information.
The Privacy Rule describes the ways in which covered entities can use or disclose PHI, including for research purposes. In general, the Rule allows covered entities to use and disclose PHI for research if authorized to do so by the subject in accordance with the Privacy Rule. In addition, in certain circumstances, the Rule permits covered entities to use and disclose PHI without Authorization for certain types of research activities. For example, PHI can be used or disclosed for research if a covered entity obtains documentation that an Institutional Review Board (IRB) or Privacy Board has waived the requirement for Authorization or allowed an alteration. The Rule also allows a covered entity to enter into a data use agreement for sharing a limited data set. There are also separate provisions for how PHI can be used or disclosed for activities preparatory to research and for research on decedents' information.
It is important to note that there are circumstances in which health information maintained by a covered entity is not protected by the Privacy Rule. PHI excludes health information that is de-identified according to specific standards. Health information that is de-identified can be used and disclosed by a covered entity, including a researcher who is a covered entity, without Authorization or any other permission specified in the Privacy Rule. Under the Privacy Rule, covered entities may determine that health information is not individually identifiable in either of two ways. These are described below.
De-identifying Protected Health Information Under the Privacy Rule
Covered entities may use or disclose health information that is de-identified without restriction under the Privacy Rule. Covered entities seeking to release this health information must determine that the information has been de-identified using either statistical verification of de-identification or by removing certain pieces of information from each record as specified in the Rule.
The Privacy Rule allows a covered entity to de-identify data by removing all 18 elements that could be used to identify the individual or the individual's relatives, employers, or household members; these elements are enumerated in the Privacy Rule. The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information. Under this method, the identifiers that must be removed are the following:
- Names.
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
- The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
- The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
- Phone numbers.
- Facsimile numbers.
- Electronic mail addresses.
- Social security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web universal resource locators (URLs).
- Internet protocol (IP) address numbers.
- Biometric identifiers, including fingerprints and voiceprints.
- Full-face photographic images and any comparable images.
- Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.
Covered entities may also use statistical methods to establish de-identification instead of removing all 18 identifiers. The covered entity may obtain certification by "a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" that there is a "very small" risk that the information could be used by the recipient to identify the individual who is the subject of the information, alone or in combination with other reasonably available information. The person certifying statistical de-identification must document the methods used as well as the result of the analysis that justifies the determination. A covered entity is required to keep such certification, in written or electronic format, for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later.
Other Issues Relating to De-identification
Under the first method, unique identifying numbers, characteristics, or codes must be removed if the health information is to be considered de-identified. However, the Privacy Rule permits a covered entity to assign to, and retain with, the health information a code or other means of record identification if that code is not derived from or related to the information about the individual and could not be translated to identify the individual. The covered entity may not use or disclose the code or other means of record identification for any other purpose and may not disclose its method of re-identifying the information. For example, a randomly assigned code that permits re-identification through a secured key to that code would not make the information to which it is assigned PHI, because a random code would not be derived from or related to information about the individual and because the key to that code is secure.
A covered entity is permitted to de-identify PHI or engage a business associate to de-identify PHI. For example, a researcher may be a covered entity him/herself performing, or may be hired as a business associate to perform, the de-identification. In most cases, the covered entity must have a written contract with the business associate containing the provisions required by the Privacy Rule before it provides PHI to the business associate. In addition, a covered entity, if a hybrid entity, could designate in its health care component(s) portions of the entity that conduct business associate-like functions, such as de-identification.
De-identifying PHI according to Privacy Rule standards may enable many research activities; however, the Privacy Rule recognizes that researchers may need access to and generate identifiable health information during the course of research. Where PHI is needed for research activities, the Privacy Rule permits its use and disclosure if certain standards are met. These standards are discussed in the following sections.
Authorization for Research Uses and Disclosures
One way the Privacy Rule protects the privacy of PHI is by generally giving individuals the opportunity to agree to the uses and disclosures of their PHI by signing an Authorization form for uses and disclosures not otherwise permitted by the Rule. The Privacy Rule establishes the right of an individual, such as a research subject, to authorize a covered entity to use and disclose his/her PHI for research purposes. This requirement is in addition to the informed consent to participate in research required under the HHS Protection of Human Subjects Regulations and other applicable Federal and State law.
| Area of Distinction | HIPAA Privacy Rule | HHS Protection of Human Subjects Regulations (Title 45 CFR Part 46) | FDA Protection of Human Subjects Regulations (Title 21 CFR Parts 50 and 56) |
|---|---|---|---|
| Permissions for Research | Authorization | Informed Consent | Informed Consent |
| IRB/Privacy Board Responsibilities | Requires the covered entity to obtain Authorization for research use or disclosure of PHI unless a regulatory permission applies. Because of this, the IRB or Privacy Board would only see requests to waive or alter the Authorization requirement. In exercising Privacy Rule authority, the IRB or Privacy Board does not review the Authorization form. | The IRB must ensure that informed consent will be sought from, and documented for, each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by, HHS regulations. If specified criteria are met, the IRB may waive the requirements for either obtaining informed consent or documenting informed consent. The IRB must review and approve the Authorization form if it is combined with the informed consent document. Privacy Boards have no authority under the HHS Protection of Human Subjects Regulations. | The IRB must ensure that informed consent will be sought from, and documented for, each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by, FDA regulations. If specified criteria are met, the requirements for either obtaining informed consent or documenting informed consent may be waived. The IRB must review and approve the Authorization form if it is combined with the informed consent document. Privacy Boards have no authority under the FDA Protection of Human Subjects Regulations. |
Elements of an Authorization
A valid Privacy Rule Authorization is an individual's signed permission that allows a covered entity to use or disclose the individual's PHI for the purposes, and to the recipient or recipients, as stated in the Authorization. When an Authorization is obtained for research purposes, the Privacy Rule requires that it pertain only to a specific research study, not to nonspecific research or to future, unspecified projects. The Privacy Rule considers the creation and maintenance of a research repository or database as a specific research activity, but the subsequent use or disclosure by a covered entity of information from the database for a specific research study will require separate Authorization unless the PHI use or disclosure is permitted without Authorization (discussed later in this section). If an Authorization for research is obtained, the actual uses and disclosures made must be consistent with what is stated in the Authorization. The signed Authorization must be retained by the covered entity for six years from the date of creation or the date it was last in effect, whichever is later.
An Authorization differs from an informed consent in that an Authorization focuses on privacy risks and states how, why, and to whom the PHI will be used and/or disclosed for research. An informed consent, on the other hand, provides research subjects with a description of the study and of its anticipated risks and/or benefits, and a description of how the confidentiality of records will be protected, among other things. An Authorization can be combined with an informed consent document or other permission to participate in research. Whether combined with an informed consent or separate, an Authorization must contain the following specific core elements and required statements stipulated in the Rule:
Authorization Core Elements:
- A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner.
- The names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure.
- The names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure.
- A description of each purpose of the requested use or disclosure.
- Authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure ("end of the research study" or "none" are permissible for research, including for the creation and maintenance of a research database or repository).
- Signature of the individual and date. If the individual's legally authorized representative signs the Authorization, a description of the representative's authority to act for the individual must also be provided.
Authorization Required Statements:
- A statement of the individual's right to revoke his/her Authorization and how to do so, and, if applicable, the exceptions to the right to revoke his/her Authorization or reference to the corresponding section of the covered entity's notice of privacy practices.
- Whether treatment, payment, enrollment, or eligibility of benefits can be conditioned on Authorization, including research-related treatment and consequences of refusing to sign the Authorization, if applicable.
- A statement of the potential risk that PHI will be re-disclosed by the recipient. This may be a general statement that the Privacy Rule may no longer protect health information disclosed to the recipient.
The Privacy Rule does not specify who may draft the Authorization, so a researcher could draft it regardless of whether the researcher is a covered entity. However, in order to have a Privacy Rule-compliant Authorization, it must be written in plain language and contain the core elements and required statements, and a signed copy must be provided to the individual signing it if the covered entity itself is seeking the Authorization. The companion piece Sample Authorization Language contains language that illustrates the inclusion of core elements and required statements.
Note: If an Authorization permits disclosure of the individual's PHI to a person or organization that is not a covered entity or a business associate acting on behalf of a covered entity (such as a sponsor or funding source of the research), the Privacy Rule does not continue to protect the PHI disclosed to such entity. However, other applicable Federal and State laws between the disclosing covered entity and the PHI recipient may establish continuing protections for the disclosed information. Under the HHS Protection of Human Subjects Regulations or the FDA Protection of Human Subjects Regulations, an IRB may impose further restrictions on the use or disclosure of research information to protect subjects.
An Authorization for research uses and disclosures need not have a fixed expiration date or state a specific expiration event; the form can list "none" or "the end of the research project." However, although an Authorization for research uses and disclosure need not expire, a research subject has the right to revoke, in writing, his/her Authorization at any time. The individual's revocation is effective, except to the extent that the covered entity has taken action in reliance upon the Authorization prior to revocation. For example, a covered entity is not required to retrieve information that it disclosed under a valid Authorization before learning of the revocation. And the preamble to the Privacy Rule states that, for research uses and disclosures, the reliance exception would allow the continued use and disclosure of PHI already obtained with an Authorization to the extent necessary to protect the integrity of the research; for example, to account for a subject's withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.
Waiver or Alteration of the Authorization Requirement
Many health research projects and protocols cannot be undertaken using health information that has been de-identified. Likewise, it may not be feasible for a researcher to obtain a signed Authorization for all PHI the researcher needs to obtain for the research study. In other cases, a researcher may determine that consents obtained prior to April 14, 2003, that permit the use and disclosure of information obtained from research subjects are inadequate, insufficient, or restrict the research protocol or process such that an Authorization may be necessary to permit the PHI use or disclosure for the research.
To address these and other situations that may arise in the course of a research project or protocol, the Privacy Rule contains criteria for waiver or alterations of Authorizations by an IRB or another review body called a Privacy Board. Many of the provisions were modeled on the HHS Protection of Human Subjects Regulations. The Privacy Rule does not change current requirements that specify when researchers must submit protocols to the IRB for review and approval, and obtain informed consent documents. The Privacy Rule adds to such requirements only when a researcher requests a waiver or an alteration of Authorization. If a covered entity has used or disclosed PHI for research with an IRB or Privacy Board approval of waiver or alteration of Authorization, documentation of that approval must be retained by the covered entity for 6 years from the date of its creation or the date it was last in effect, whichever is later.
For research uses and disclosures of PHI, an IRB or Privacy Board may approve a waiver or an alteration of the Authorization requirement in whole or in part. A complete waiver occurs when the IRB or Privacy Board determines that no Authorization will be required for a covered entity to use and disclose PHI for a particular research project. A partial waiver of Authorization occurs when an IRB or Privacy Board determines that a covered entity does not need Authorization for all PHI uses and disclosures for research purposes, such as disclosing PHI for research recruitment purposes. An IRB or Privacy Board may also approve a request that removes some PHI, but not all, or alters the requirements for an Authorization (an alteration).
The Privacy Rule does not alter IRB membership requirements, jurisdiction on matters concerning the protection of human subjects, or other procedural IRB matters. The Privacy Rule states that the required documentation must indicate that the IRB followed normal or expedited procedures in reviewing and approving the waiver or alteration. Thus, an IRB's authority to act on waiver or alteration requests under the Privacy Rule is in addition to the other authorities derived from the HHS Protection of Human Subjects Regulations and other applicable statutes and regulations. The process and criteria for obtaining a waiver of Authorization under the Privacy Rule is similar to the process and criteria for waiving informed consent in the HHS Protection of Human Subjects Regulations. Additional information on the Privacy Rule and IRBs can be found in the companion piece entitled Institutional Review Boards and the HIPAA Privacy Rule.
Privacy Boards are new, alternative review boards authorized by the Privacy Rule to review requests for alteration or waiver of a research Authorization. If a covered entity is to use or disclose PHI on the basis of a waiver or an alteration of Authorization from a Privacy Board, the Board must be established in accordance with Section 164.512(i) of the Privacy Rule. These provisions state that:
- Members must have varying backgrounds and appropriate professional competencies as necessary to review the effect of the research protocol on individuals' privacy rights and related interests.
- Each Board must have at least one member who is not affiliated with the covered entity or with any entity conducting or sponsoring the research and who is not related to any person who is affiliated with such entities.
- Members may not have conflicts of interest regarding the projects they review.
Additional information on the Privacy Rule and Privacy Boards can be found in the companion piece entitled Privacy Boards and the HIPAA Privacy Rule.
Documentation of the waiver or alteration of Authorization must include a statement identifying the IRB or Privacy Board that made the approval and the date of approval. Among other things, the documentation must also include statements that the IRB or Privacy Board has determined that the waiver or alteration of Authorization, in whole or in part, satisfies the following criteria:
- The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
- An adequate plan to protect health information identifiers from improper use and disclosure.
- An adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research (absent a health or research justification for retaining them or a legal requirement to do so).
- Adequate written assurances that the PHI will not be reused or disclosed to (shared with) any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
- The research could not practicably be conducted without the waiver or alteration.
- The research could not practicably be conducted without access to and use of the PHI.
The Privacy Rule does not require an IRB or Privacy Board to review the form or content of the Authorization a researcher or covered entity intends to use, or the proposed uses and disclosures of PHI made according to an Authorization. Under the Privacy Rule, an IRB or Privacy Board need only review requests to waive or alter the Authorization requirement.
Many research projects take place at multiple sites and/or require the use and disclosure of PHI created or maintained by more than one covered entity (collectively, multisite projects). Often, different IRBs are involved in multisite project reviews. The same situation is expected to occur with Privacy Boards. In some circumstances, Privacy Boards and IRBs will coexist. Where these boards coexist, the Privacy Rule does not require approval of a waiver or an alteration of Authorization by both bodies because a covered entity may rely on a waiver or an alteration of Authorization approved by any IRB or Privacy Board, without regard to the location of the approver.
HHS has stated (65 Federal Register 82692, December 28, 2000) that a covered entity's responsibility is to "obtain the documentation that one [emphasis added] IRB or privacy board has approved the alteration or waiver of Authorization." Consequently, the Privacy Rule allows a waiver or an alteration of Authorization obtained from a single IRB or Privacy Board to be used to obtain PHI in connection with a multisite project. However, HHS also recognizes that "covered entities may elect to require duplicate IRB or Privacy Board reviews before disclosing [PHI] to requesting researchers" (67 Federal Register 53232, August 14, 2002). While the Privacy Rule does not address potential splits between IRBs and Privacy Boards, HHS "strongly encourages researchers to notify IRBs and privacy boards of any prior IRB or privacy board review of a research protocol" (65 Federal Register 82692, December 28, 2000).
| Area of Distinction | HIPAA Privacy Rule | HHS Protection of Human Subjects Regulations (Title 45 CFR Part 46) | FDA Protection of Human Subjects Regulations (Title 21 CFR Parts 50 and 56) |
|---|---|---|---|
| Review of Cooperative Research | Requests to waive or alter the Authorization requirement are reviewed and approved by an IRB or Privacy Board. The Privacy Rule permits a covered entity to reasonably rely on the determination of an IRB or Privacy Board, if the covered entity obtains appropriate documentation of such determination. | Each institution is responsible for safeguarding the rights and welfare of human subjects and for complying with the HHS Protection of Human Subjects Regulations. With the approval of HHS, an institution participating in a cooperative project may enter into a joint review arrangement, rely upon the review of another qualified IRB, or make similar arrangements for avoiding duplication of effort. | Cooperative research/multi-institutional studies may use joint review, reliance upon the review of another qualified IRB, or similar arrangements aimed at avoiding duplication of effort. |
| Waivers of Authorization or Informed Consent Requirements | Allows waiver or alteration of Authorization when the IRB or Privacy Board deems the following criteria are met: (1) use or disclosure involves no more than minimal risk to the privacy of individuals because of the presence of at least the following elements: (a) an adequate plan to protect health information identifiers from improper use or disclosure, (b) an adequate plan to destroy identifiers at the earliest opportunity absent a health or research justification or legal requirement to retain them, and (c) adequate written assurances that the PHI will not be used or disclosed to a third party except as required by law, for authorized oversight of the research study, or for other research uses and disclosures permitted by the Privacy Rule; (2) research could not practicably be conducted without the waiver or alteration; and (3) research could not practicably be conducted without access to and use of PHI. | Permits an IRB to waive some or all of the elements of informed consent, or to waive the requirement to obtain informed consent, provided the IRB finds and documents that (1) the research involves no more than minimal risk to the subjects; (2) the waiver or alteration will not adversely affect the rights and welfare of the subjects; (3) the research could not practicably be carried out without the waiver or alteration; and (4) whenever appropriate, the subjects will be provided with additional pertinent information after participation. Permits an IRB to waive the requirement for the investigator to obtain a signed consent for some or all of the subjects if it finds either (1) that the only record linking the subject and the research would be the consent document and the principal risk would be potential harm resulting from a breach of confidentiality; or (2) that the research presents no more than minimal risk of harm to subjects and involves no procedures for which written consent is normally required outside of the research context. | Permits FDA to waive the IRB review requirement. Permits an IRB to approve a clinical investigation without subjects' informed consent in certain circumstances specified in 21 CFR 50.23 and 21 CFR 50.24. These include (1) circumstances in which immediate use of the test article is, in the investigator's opinion, required to preserve the life of the subject, and time is not sufficient to obtain informed consent; (2) circumstances when the U.S. President may waive informed consent for military personnel for administration of an investigational product to members of the armed services; and (3) circumstances involving emergency research. |
Limited Data Set and Data Use Agreement
The Privacy Rule permits a covered entity, without obtaining an Authorization or documentation of a waiver or an alteration of Authorization, to use and disclose PHI included in a limited data set. A covered entity may use and disclose a limited data set for research activities conducted by itself, another covered entity, or a researcher who is not a covered entity if the disclosing covered entity and the limited data set recipient enter into a data use agreement. Limited data sets may be used or disclosed only for purposes of research, public health, or health care operations. Because limited data sets may contain identifiable information, they are still PHI.
Limited Data Set - Refers to PHI that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's Authorization or a waiver or an alteration of Authorization for its use and disclosure, with a data use agreement.
Data Use Agreement - An agreement into which the covered entity enters with the intended recipient of a limited data set that establishes the ways in which the information in the limited data set may be used and how it will be protected.
A limited data set is described as health information that excludes certain, listed direct identifiers (see below) but that may include city; state; ZIP Code; elements of date; and other numbers, characteristics, or codes not listed as direct identifiers. The direct identifiers listed in the Privacy Rule's limited data set provisions apply both to information about the individual and to information about the individual's relatives, employers, or household members. The following identifiers must be removed from health information if the data are to qualify as a limited data set:
- Names.
- Postal address information, other than town or city, state, and ZIP Code.
- Telephone numbers.
- Fax numbers.
- Electronic mail addresses.
- Social security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web universal resource locators (URLs).
- Internet protocol (IP) address numbers.
- Biometric identifiers, including fingerprints and voiceprints.
- Full-face photographic images and any comparable images.
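As an added example (not part of the HHS/NIH text), the following Python applies both identifier lists on this page to one record: the 18-category Safe Harbor removal above, with its three-digit ZIP Code, date-element and over-89 age rules, and the 16-category limited data set filter just listed, which leaves city, state, ZIP Code and dates in place; it also builds the random re-identification code described under "Other Issues Relating to De-identification". The field names, the sample record and the set of low-population ZIP prefixes are constructed assumptions; in a real deployment that set must come from current Census Bureau data, and the Rule's "no actual knowledge" condition remains a human determination.

```python
import re
import secrets
from datetime import date

# Field names are an assumption about the record layout for this example;
# they map the Rule's identifier categories onto dictionary keys.
SAFE_HARBOR_DROP = frozenset({
    "name", "street_address", "city", "county", "precinct", "zip",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip", "biometric", "photo", "other_unique_code",
})
# Limited data set: the 16 direct identifiers go, but town/city, state,
# ZIP Code, elements of dates and other non-listed codes may stay.
LIMITED_DATA_SET_DROP = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
})
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# Constructed placeholder: three-digit ZIP areas with 20,000 or fewer people.
# A real deployment must build this set from current Census Bureau data.
SMALL_POPULATION_ZIP3 = frozenset({"036", "059", "102"})

# Constructed sample records (no real person) and a fixed reference date.
REFERENCE_DATE = date(2021, 1, 1)
SAMPLE_RECORD = {
    "name": "Sample Patient", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "street_address": "1 Example St", "city": "Sampletown", "state": "XX",
    "zip": "03601-1234", "phone": "555-0100", "email": "s@example.invalid",
    "birth_date": date(1930, 6, 15), "admission_date": date(2020, 3, 1),
    "diagnosis": "sample diagnosis",
}
SAMPLE_RECORD_2 = dict(SAMPLE_RECORD, birth_date=date(1960, 6, 15), zip="99501")


def safe_harbor_zip(zip_code):
    """Keep only the initial three digits of a ZIP Code, or 000 when that
    three-digit area contains 20,000 or fewer people."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def age_on(birth, as_of):
    """Whole years of age on the reference date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def de_identify(record, mode, as_of=REFERENCE_DATE):
    """Return a filtered copy of `record`.

    "safe_harbor": remove the 18 identifier categories, generalize the ZIP
    Code and dates, and collapse ages over 89 (and the birth year that would
    reveal them) into "90 or older". The Rule's "no actual knowledge"
    condition is a human determination this function cannot make.
    "limited_data_set": remove only the 16 direct identifiers; the result
    is still PHI and may only be disclosed under a data use agreement.
    """
    if mode == "limited_data_set":
        return {k: v for k, v in record.items() if k not in LIMITED_DATA_SET_DROP}
    if mode != "safe_harbor":
        raise ValueError(f"unknown mode: {mode}")
    out = {k: v for k, v in record.items() if k not in SAFE_HARBOR_DROP}
    # The state field is kept: it is not a subdivision smaller than a state.
    if record.get("zip"):
        zip3 = safe_harbor_zip(record["zip"])
        if zip3 is not None:
            out["zip3"] = zip3
    for field in DATE_FIELDS:  # dates directly related to the individual
        if isinstance(record.get(field), date):
            out[field] = record[field].year
    birth = record.get("birth_date")
    if isinstance(birth, date):
        age = age_on(birth, as_of)
        if age > 89:
            out["age"] = "90 or older"
            out.pop("birth_date", None)
        else:
            out["age"] = age
    return out


def assign_reidentification_code(record, key_store):
    """Attach a random re-identification code and keep the mapping in a
    separate key store. The code is random rather than a hash of the MRN,
    so it is not derived from data about the individual; the key store is
    what must stay secured and is never given to the data recipient."""
    code = secrets.token_hex(8)
    key_store[code] = record["mrn"]
    return code
```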
A data use agreement is the means by which covered entities obtain satisfactory assurances that the recipient of the limited data set will use or disclose the PHI in the data set only for specified purposes. Even if the person requesting a limited data set from a covered entity is an employee or otherwise a member of the covered entity's workforce, a written data use agreement meeting the Privacy Rule's requirements must be in place between the covered entity and the limited data set recipient.
The Privacy Rule requires a data use agreement to contain the following provisions:
- Specific permitted uses and disclosures of the limited data set by the recipient consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the Privacy Rule).
- Identify who is permitted to use or receive the limited data set.
- Stipulations that the recipient will
- Not use or disclose the information other than permitted by the agreement or otherwise required by law.
- Use appropriate safeguards to prevent the use or disclosure of the information, except as provided for in the agreement, and require the recipient to report to the covered entity any uses or disclosures in violation of the agreement of which the recipient becomes aware.
- Hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the data use agreement with respect to the information.
- Not identify the information or contact the individuals.
If a covered entity is the recipient of a limited data set and violates the data use agreement, it is deemed to have violated the Privacy Rule. If the covered entity providing the limited data set knows of a pattern of activity or practice by the recipient that constitutes a material breach or violation of the data use agreement, the covered entity must take reasonable steps to correct the inappropriate activity or practice. If the steps are not successful, the covered entity must discontinue disclosure of PHI to the recipient and notify HHS.
Section 164.512 of the Privacy Rule also establishes specific PHI uses and disclosures that a covered entity is permitted to make for research without an Authorization, a waiver or an alteration of Authorization, or a data use agreement. These limited activities are the use or disclosure of PHI preparatory to research and the use or disclosure of PHI pertaining to decedents for research.
Activities Preparatory to Research
For activities involved in preparing for research, covered entities may use or disclose PHI to a researcher without an individual's Authorization, a waiver or an alteration of Authorization, or a data use agreement. However, the covered entity must obtain from the researcher representations that (1) the use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research, (2) the PHI will not be removed from the covered entity in the course of review, and (3) the PHI for which use or access is requested is necessary for the research. The covered entity may permit the researcher to make these representations in written or oral form.
According to HHS guidance on the Privacy Rule,
The preparatory to research provision permits covered entities to use or disclose protected health information for purposes preparatory to research, such as to aid study recruitment. However, the provision at 45 CFR 164.512(i)(1)(ii) does not permit the researcher to remove protected health information from the covered entity's site. As such, a researcher who is an employee or a member of the covered entity's workforce could use protected health information to contact prospective research subjects [emphasis added]. The preparatory research provision would allow such a researcher to identify prospective research participants for purposes of seeking their Authorization to use or disclose protected health information for a research study.
Under the preparatory to research provision, a covered entity may permit a researcher who works for that covered entity to use PHI for purposes preparatory to research. A covered entity may also permit, as a disclosure of PHI, a researcher who is not a workforce member of that covered entity to review PHI (within that covered entity) for purposes preparatory to research. Within a hybrid entity, the situation is similar. A covered entity that is a hybrid entity may permit a researcher within its health care component to use, without an individual's Authorization, PHI for activities preparatory to research. A covered entity may also permit a researcher who is outside the hybrid entity's health care component to review PHI within that health care component without an individual's Authorization for purposes preparatory to research.
Researchers should note that any preparatory research activities involving human subjects research as defined by the HHS Protection of Human Subjects Regulations, which are not otherwise exempt, must be reviewed and approved by an IRB and must satisfy the informed consent requirements of HHS regulations.
Research on Decedents' Protected Health Information
To use or disclose PHI of the deceased for research, covered entities are not required to obtain Authorizations from the personal representative or next of kin, a waiver or an alteration of the Authorization, or a data use agreement. However, the covered entity must obtain from the researcher who is seeking access to decedents' PHI (1) oral or written representations that the use and disclosure is sought solely for research on the PHI of decedents, (2) oral or written representations that the PHI for which use or disclosure is sought is necessary for the research purposes, and (3) documentation, at the request of the covered entity, of the death of the individuals whose PHI is sought by the researchers.
Other Uses and Disclosures of Protected Health Information
Some of the PHI uses and disclosures that are permitted under the Privacy Rule at Section 164.512 without Authorization, waiver or alteration of Authorization, or data use agreement are summarized below. Covered entities seeking to use and disclose PHI for these or other purposes permitted under Section 164.512 should consult the Privacy Rule for information on the relevant implementation requirements.
Among other limited purposes, a covered entity may use or disclose PHI without an Authorization, as follows:
- To the extent the use or disclosure is required by law and complies with, and is limited to, the relevant requirements of such law. For example, a covered entity may disclose, without Authorization, PHI to cancer registries if the disclosure (or reporting) is required by law. In addition, a covered entity may disclose to the Federal Government, without Authorization, PHI associated with data first produced under a Federal award in accordance with 45 CFR 74.363.
- For disclosure to a public health authority that is authorized by law to collect or receive the information for purposes of preventing or controlling disease, injury, or disability. Activities included here are reporting disease, injury, and vital events, such as birth or death, as well as conducting public health surveillance, investigations, and interventions. For example, a covered entity may disclose PHI, without Authorization, related to an adverse event to NIH or FDA as public health authorities. Additional guidance on the use and disclosure of PHI for public health purposes is available at: Centers for Disease Control and Prevention (2003). HIPAA Privacy Rule and Public Health Guidance from CDC and the U.S. Department of Health and Human Services. Morbidity and Mortality Weekly Report, 52.
- To a person subject to the jurisdiction of the FDA with respect to an FDA-regulated product or activity for which that person has responsibility, for purposes related to the quality, safety, or effectiveness of the FDA-regulated product or activity (including, but not limited to, adverse event reporting; FDA-regulated product tracking; post-marketing surveillance; and enabling product recalls, repairs, replacements, or lookback). For example, a covered entity may disclose adverse event/safety reports to sponsors of investigational new products.
- To health oversight agencies for oversight activities authorized by law that are necessary, for example, for the appropriate oversight of government-regulated programs. For example, because the Office for Human Research Protections (OHRP) is a health oversight agency under the Privacy Rule, a covered entity may disclose PHI, without Authorization, to OHRP for purposes of determining compliance with the HHS Protection of Human Subjects Regulations.
Minimum Necessary Restriction
With some exceptions, the Privacy Rule imposes a minimum necessary requirement on all permitted uses and disclosures of PHI by a covered entity. This means that a covered entity must use policies and procedures, or criteria it has developed, to limit certain uses or disclosures of PHI, including those for research purposes, to "the information reasonably necessary to accomplish the purpose [of the sought or requested use or disclosure]." For uses and routine and recurring disclosures of and requests for PHI, the covered entity must develop policies and procedures (which may be standard protocols) to reasonably limit such uses, disclosures, and requests to the minimum necessary to accomplish the purpose of the use or disclosure. For nonroutine disclosures and requests, a covered entity must review each disclosure or request individually against criteria it has developed.
There are several exceptions to the minimum necessary requirements that may affect researchers (Sections 164.502(b) and 164.514(d) of the Privacy Rule). The minimum necessary standard does not apply to the following:
- Uses and disclosures made with an individual's Authorization.
- Disclosures to, or requests by, a health care provider for treatment.
- Disclosures to the individual.
- Uses or disclosures required by law.
- Disclosures to HHS for purposes of determining compliance with the Privacy Rule.
- When required for compliance with other HIPAA rules (e.g., to fill out required or situationally required information fields in standard transactions).
Unless otherwise excepted, covered entities are required to implement policies and procedures or establish criteria that limit the PHI used, disclosed, or requested to the minimum amount reasonably necessary to achieve the purposes (e.g., necessary for the specific research) for which disclosure is sought. These covered entity policies and procedures will apply to researchers who are members of the covered entity's workforce and may apply to business associates.
The Privacy Rule does not require a covered entity to independently determine, in all instances, whether a request for PHI meets the minimum necessary requirement. As relevant here, the Privacy Rule permits the covered entity to rely, when reasonable, on a request for disclosure of PHI as the minimum necessary when making permitted disclosures to public officials, disclosing information requested by another covered entity, or when disclosing PHI to researchers who have documentation of an IRB or Privacy Board waiver or alteration of Authorization or certain other representations permitted by the Privacy Rule, which are discussed in detail in the related publications Institutional Review Boards and the HIPAA Privacy Rule and Privacy Boards and the HIPAA Privacy Rule.
How Are Research Subjects' Rights Affected by the Privacy Rule?
Key Points:
- The Privacy Rule provides individuals with certain rights about how their health information is used and disclosed, as well as how they can gain access to health records and to information about when their PHI was released without their permission.
- The Privacy Rule describes how covered entities can implement these rights while maintaining the integrity of the research project.
In addition to establishing conditions for the use and disclosure of PHI, the Privacy Rule establishes certain rights of individuals with respect to their health information. Covered entities must provide individuals with written notice of the entity's privacy practices and the individual's privacy rights. In addition, the Rule permits individuals to gain access to, request amendment of, request restrictions on, and request confidential communication of certain records related to their health care. Individuals are also given the right to request and receive a written account from a covered entity of when and why their PHI has been disclosed without their Authorization, except under limited circumstances. Individuals also have the right to complain to the covered entity and to the Secretary of Health and Human Services if they believe a violation of the Privacy Rule has occurred. This document discusses an individual's rights to access PHI and receive an accounting of PHI disclosures.
Access to Protected Health Information
With few exceptions, the Privacy Rule guarantees individuals access to their medical records and other types of health information to the extent the information is maintained by the covered entity or its business associate within a designated record set. Research records maintained by a covered entity may be part of a designated record set if, for instance, the records are medically related or are used to make decisions about research participants.
In most cases, patients or research subjects can have access to their health information in a designated record set at a convenient time and place. One exception, among others, is during a clinical trial, when the individual's right of access can be suspended while the research is in progress if, in consenting to participate in research including treatment, the individual agreed to the temporary denial of access. The covered entity, however, must inform the individual that the right to access his/her health records in the designated record set will be restored upon completion of the clinical trial.
Designated Record Set - A group of records maintained by or for a covered entity that includes (1) medical and billing records about individuals maintained by or for a covered health care provider; (2) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) records used, in whole or in part, by or for the covered entity to make decisions about individuals. A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.
Accounting of Disclosures of Protected Health Information
The Privacy Rule permits individuals to obtain a record of certain disclosures of their PHI by covered entities or their business associates, including certain disclosures made by researchers who must comply with the Rule. This is known as an accounting of disclosures. It is important to emphasize the difference between a use and a disclosure of PHI. In general, the use of PHI means communicating that information within the covered entity. A disclosure of PHI means communicating that information to a person or entity outside the covered entity, or the communication of PHI from a health care component to a non-health care component of a hybrid entity. The Privacy Rule restricts both uses and disclosures of PHI, but it requires an accounting only for certain PHI disclosures. Upon receiving an individual's request, a covered entity must account for disclosures of that individual's PHI made on or after the covered entity's compliance date (for most entities, April 14, 2003), unless a particular disclosure or type of disclosure is excluded from this accounting requirement in Section 164.528(a) of the Privacy Rule. For example, an accounting is not needed when the PHI disclosure is made:
- For treatment, payment, or health care operations.
- Under an Authorization for the disclosure.
- To an individual about himself or herself.
- As part of a limited data set under a data use agreement.
- Prior to the compliance date.
Accounting of Disclosures - Information that describes a covered entity's disclosures of PHI other than for treatment, payment, and health care operations; disclosures made with Authorization; and certain other limited disclosures. For those categories of disclosures that need to be in the accounting, the accounting must include disclosures that have occurred during the 6 years (or a shorter time period at the request of the individual) prior to the date of the request for an accounting. However, PHI disclosures made before the compliance date for a covered entity are not part of the accounting requirement.
Use - With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within the entity or health care component (for hybrid entities) that maintains such information.
Disclosure - The release, transfer, access to, or divulging of information in any other manner outside the entity holding the information.
An individual's right to receive an accounting of disclosures (unless an exception applies) starts with the covered entity's compliance date and goes back six years from the date of the request, not including periods prior to the compliance date. A covered entity must therefore keep records of such PHI disclosures for 6 years.
The Privacy Rule allows three methods of accounting for research-related disclosures that are made without the individual's Authorization or other than as a limited data set: (1) a standard approach, (2) a multiple-disclosures approach, and (3) an alternative for disclosures involving 50 or more individuals. Whichever approach is selected, the accounting is made in writing and provided to the requesting individual. Accounting reports to individuals may include results from more than one accounting method.
Standard Accounting
Standard accounting includes, for each disclosure, the following information:
- The date the disclosure was made.
- The name and, if known, address of the person or entity receiving the PHI.
- A brief description of the PHI disclosed.
- A brief statement of the reason for the disclosure.
Multiple Disclosures Accounting
Multiple disclosures accounting is permissible if the covered entity has made multiple disclosures of PHI to the same person or entity for a single purpose under Sections 164.502(a)(2)(ii) or 164.512 of the Privacy Rule. For each such series of disclosures, the following must be included:
- The date the initial disclosure was made during the accounting period.
- The name and, if known, address of the person or entity receiving the PHI.
- A brief description of the PHI disclosed.
- A brief statement of the reason for the disclosure.
- The frequency, periodicity, or number of the disclosures made during the accounting period.
- The date of the last such disclosure during the accounting period.
Alternative Accounting
If a covered entity has made disclosures regarding 50 or more individuals for a particular research project under Section 164.512(i) of the Privacy Rule, the accounting may be limited to the following information:
- The name of the protocol or research activity.
- A plain-language description of the research protocol or activity, the purpose of the research, and the criteria for selecting particular records.
- A description of the type of PHI disclosed.
- The date or period of time during which the disclosure(s) occurred or may have occurred, including the date of the last disclosure during the accounting period.
- The name, address, and telephone number of the entity that sponsored the research and of the researcher who received the PHI.
- A statement that the individual's PHI may or may not have been disclosed for a particular protocol or research activity.
If the covered entity uses the alternative accounting method, it must, if requested to by the individual, assist the individual in contacting the research sponsor and the researcher. Such assistance, however, is limited to those situations in which there is a reasonable likelihood that the individual's PHI was actually disclosed for the research protocol or activity.
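As an added illustration (not code from the NIH page or any HHS tool), the following Python models the accounting rules described in this section: it drops the excluded disclosure categories, bounds the period by the compliance date and the six-year lookback, and selects the standard, multiple-disclosures, or alternative form. The disclosure log layout, field names, and sample records are hypothetical and constructed here.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Figures come from the text above; the record layout and sample log are constructed for this example.
COMPLIANCE_DATE = date(2003, 4, 14)   # compliance date for most covered entities
LOOKBACK_YEARS = 6                    # accounting covers the 6 years before the request
ALTERNATIVE_THRESHOLD = 50            # alternative form allowed at 50 or more individuals
# Disclosure categories that Section 164.528(a) excludes from the accounting
EXCLUDED = {"treatment", "payment", "operations", "authorization",
            "to_individual", "limited_data_set"}

@dataclass
class Disclosure:
    individual_id: str
    made_on: date
    recipient: str
    purpose: str        # e.g. "research", "treatment", "public_health"
    description: str    # brief description of the PHI disclosed
    protocol: str = ""  # research protocol name, empty when not research

def accounting_window(request_date, compliance_date=COMPLIANCE_DATE):
    """Reportable period: 6 years back from the request, but never before compliance."""
    try:
        start = request_date.replace(year=request_date.year - LOOKBACK_YEARS)
    except ValueError:  # request dated 29 February
        start = request_date.replace(year=request_date.year - LOOKBACK_YEARS, day=28)
    return max(start, compliance_date), request_date

def build_accounting(log, individual_id, request_date):
    """Accounting entries in standard, multiple-disclosures, or alternative form."""
    start, end = accounting_window(request_date)
    in_window = [d for d in log if start <= d.made_on <= end]
    groups = defaultdict(list)  # one group per recipient, purpose and protocol
    for d in in_window:
        if d.individual_id == individual_id and d.purpose not in EXCLUDED:
            groups[(d.recipient, d.purpose, d.protocol)].append(d)
    entries = []
    for (recipient, purpose, protocol), ds in groups.items():
        dates = sorted(d.made_on for d in ds)
        if purpose == "research" and protocol:
            # alternative form applies when 50+ individuals were disclosed for this protocol
            n = len({d.individual_id for d in in_window if d.protocol == protocol})
            if n >= ALTERNATIVE_THRESHOLD:
                entries.append({"method": "alternative", "protocol": protocol,
                                "recipient": recipient, "phi_type": ds[0].description,
                                "last": dates[-1], "statement": "PHI may or may not have been disclosed"})
                continue
        if len(ds) > 1:  # multiple disclosures to one recipient for a single purpose
            entries.append({"method": "multiple", "recipient": recipient, "reason": purpose,
                            "first": dates[0], "last": dates[-1], "count": len(ds)})
        else:
            entries.append({"method": "standard", "recipient": recipient, "reason": purpose,
                            "date": dates[0], "description": ds[0].description})
    return entries

# Constructed sample log: one individual "p1" plus 60 other participants in "Study X"
SAMPLE_LOG = [
    Disclosure("p1", date(2002, 6, 1), "State Registry", "public_health", "diagnosis"),  # pre-compliance
    Disclosure("p1", date(2004, 3, 2), "Clinic B", "treatment", "chart"),                # excluded category
    Disclosure("p1", date(2004, 5, 9), "State Registry", "public_health", "diagnosis"),
    Disclosure("p1", date(2005, 5, 9), "State Registry", "public_health", "diagnosis"),
    Disclosure("p1", date(2004, 8, 1), "Univ. Lab", "research", "visit records", "Study X"),
] + [Disclosure(f"q{i}", date(2004, 8, 1), "Univ. Lab", "research", "visit records", "Study X")
     for i in range(60)]
REQUEST_DATE = date(2006, 1, 15)
```

Running `build_accounting(SAMPLE_LOG, "p1", REQUEST_DATE)` yields one multiple-disclosures entry for the registry reports and one alternative entry for Study X; the pre-compliance and treatment disclosures are omitted.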
Source: https://privacyruleandresearch.nih.gov/pr_08.asp