|
|
 |
The Impact of HIPAA (Health Insurance Portability and Accountability Act) on Biomedical Research
Presented by: Sara H. Kiskaddon, J.D., Vice-Chair IRB at CCMC
The goals of this activity were to familiarize the researcher / educator with the various implications of HIPAA as it pertains to the process of informed consent and the protection of private health information.
Overview:
The specific requirements for a valid authorization are:
- The information obtained and disclosed
- Who may use or disclose the information
- Who may receive the information
- Purpose of the use of disclosure
- Expiration date or event
- Individual's signature and date
- Right to revoke authorization
- Right to refuse to sign authorization
- Re-disclosures not protected
Authorization Requirements:
- A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
- The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
- The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
- A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of the research study," "none," or similar language is sufficient if the authorization is for a use and disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
- Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.
- The individual's right to revoke the authorization in writing and a description of how to revoke it and exceptions to the right to revoke or if appropriate, reference to the institution's privacy notice.
- The ability to condition research participation on the signing of an authorization.
- The authorization must be written in plain language.
- The individual must be provided with a copy of the signed authorization.
Use and Disclosure of Protected Health Information without an Authorization if one of the following:
- De-identified information
- Reviews preparatory to research
- Research on decedents' information
- Limited data sets
- Waiver of authorization
De-identified Information
- Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information (164.514(a)). De-identification may be achieved through; statistical determination or removal of specific identifiers
The limited data set may NOT include:
- Names
- Postal address information, other than town or city, state or zip code (Note: LIMITED DATA SETS can include city, state and zip code But DE-IDENTIFIED information cannot)
- Telephone numbers
- Fax numbers
- Electronic mail address
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers or serial numbers, including license plate numbers
- Device identifiers or serial numbers
- Web Universal Resource Locators (URL's)
- Internet Protocol (IP) addresses
- Biometrics identifiers, including finger and voice prints or
- Full face photographic images or any comparable images
The limited data set allows:
- Age (over 90 years) and Age in (months, days, hours)
- Dates (DO Birth, DO Admit, DO Discharge)
- Zip codes (5 digits)
- City and state
Waiver of Authorization Criteria:
- The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
- An adequate plan to protect the identifiers from improper use and disclosure; and
- An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for regaining the identifiers or such retention is otherwise required by law; and
- Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research, study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart; and
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to and use of the protected health information.
Summarized by F. DiMario
|
