General University Reference Utility
The Milton S. Hershey Medical Center and the Pennsylvania State University ("PSU") College of Medicine have a duty to protect the confidentiality and integrity of an individual's health information as required by law, professional ethics, and accreditation requirements. The Health Insurance Portability and Accountability Act ("HIPAA") of 1996, and its implementing regulations known as the "Privacy Rule" include provisions that protect the privacy of individually identifiable health information, and govern how health information is used and disclosed, including use and disclosure for research purposes. The purpose of this policy is to set forth the requirements that will be applicable to research that is subject to HIPAA requirements.
In general, Protected Health Information ("PHI") which is utilized in research and produced by or obtained from health care providers such as physicians and hospitals, including The Milton S. Hershey Medical Center and its clinicians, will be subject to HIPAA rules applicable to obtaining, using and protecting such information. PHI is individually identifiable health information obtained or maintained by a health care provider who is covered by HIPAA or by a health plan.
Within The Milton S. Hershey Medical Center and the PSU College of Medicine this means that research will be subject to HIPAA rules if: (a) it uses PHI obtained or maintained by the hospital and physicians of The Milton S. Hershey Medical Center or other health care facility; (b) it uses PHI obtained or maintained by any of the administrative units of Penn State identified in Penn State Policy AD22; (c) it uses PHI created by a Penn State or Milton S. Hershey Medical Center researcher while in the course of providing medical treatment to an individual, or (d) it uses PHI collected by a health care provider of The Milton S. Hershey Medical Center even if collected only for research purposes.
The Milton S. Hershey Medical Center and the PSU College of Medicine researchers will also be subject to HIPAA rules if the research seeks to use PHI obtained from health care providers such as physicians, hospitals and nursing homes that are not affiliated with the University or The Milton S. Hershey Medical Center, or from health plans. In that case, use of PHI will be governed by this policy as well as any HIPAA policies of such other health care providers or health plans.
Not all individually identifiable health information is subject to HIPAA rules. Research that involves health information that is not obtained by or from a health care provider or a health plan is not subject to this policy. In that case, even though the research may be utilizing individually identifiable health information, that information is not PHI. For example, a Penn State researcher who is not a health care provider and who only gathers health information from human subjects for purposes of research is not subject to HIPAA rules. However, if the researcher is a licensed health care provider, even if personally identifiable health information is collected only for research purposes such health information becomes protected health information, subject to the HIPAA rules.
All research protocols involving human subjects must be submitted to the Human Subjects Protection Office, 90 Hope Drive, P.O. Box 855, Mail Code A115, College of Medicine, Milton S. Hershey Medical Center, Hershey, PA 17033, prior to the disclosure and use of PHI for review and a determination whether the protocol will be subject to HIPAA rules. If it is determined that the protocol is subject to HIPAA rules, the terms of this policy will apply to that protocol.
In order to utilize PHI in connection with research, researchers must: (a) obtain written authorization from the individual who is participating as a research subject in accordance with HIPAA standards for authorization; or, (b) obtain a waiver of the authorization requirement from the Institutional Review Board of The Milton S. Hershey Medical Center and The College of Medicine ("IRB") in accordance with HIPAA standards for such waivers; or, (c) obtain approval for such use as preparatory to research, or (d) obtain approval for such use as research on decedent's information.
PHI obtained in accordance with this policy may be used only by and disclosed only to the principal investigator and other employees or students of the University who are participating in the research through the express designation of the principal investigator, except that further disclosure may be made: (a) as specified in the authorization granted by the individual from whom PHI has been obtained as set forth in this policy, or (b) as required or permitted by the HIPAA rules or other law. Approval of the Privacy Officer is required for any disclosure request that is not within the scope of an authorization granted by the individual participating in research or as required or permitted by HIPAA rules and other law.
UTILIZATION OF PHI IN RESEARCH BY AUTHORIZATION:
If an authorization is required in order to utilize PHI in connection with research, the content of the authorization must comply with HIPAA rules.
Authorization may be obtained by the use of a separate authorization form that is reviewed with and signed by the individual participating in the research protocol. A template authorization form is available at http://www.pennstatehershey.org/web/irb/home and should be completed by the principal investigator and submitted for review and approval by the Human Subjects Protection Office.
Authorization may also be obtained by including the requisite information in an Informed Consent Form to be used with the protocol. Model provisions for inclusion of an authorization with the Consent Form are available at http://www.pennstatehershey.org/web/irb/home. The Human Subjects Protection Office will review the authorization provisions as part of its review of the Informed Consent Form.
Copies of the authorization as signed by the individual participating in the research protocol must be retained by the principal investigator for six years.
UTILIZATION OF PHI IN RESEARCH WITH A WAIVER OF AUTHORIZATION:
If a research protocol proposes to obtain and use PHI in research without an authorization, the principal investigator must submit a request for a waiver of the authorization requirement to the IRB.
Approval of a waiver of authorization by the Milton S. Hershey Medical Center, Penn State College of Medicine IRB is necessary in order to obtain access to PHI maintained by the Hospital and physicians of The Milton S. Hershey Medical Center.
Approval of a waiver of authorization by the Penn State IRB is necessary in order to obtain access to PHI maintained by all units identified in Penn State Policy AD22.
In order to obtain access to PHI maintained by any other health care provider based upon a waiver of authorization, approval of the IRB of The Milton S. Hershey Medical Center and College of Medicine will be required. In addition, depending upon the policies of such other health care providers, it may be necessary to obtain approval of the waiver from another IRB or privacy board.
An application must be in writing and be submitted prior to review of the protocol by the IRB. An application form for this purpose is available at http://www.pennstatehershey.org/web/irb/home. Review of waiver requests by the IRB will be in accordance with the process applicable to either full or expedited review as would be otherwise applicable to the protocol.
An application for waiver will be approved only if the IRB concludes that the criteria in the HIPAA rules have been satisfied. These include:
- The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
- an adequate plan to protect the identifiers from improper use and disclosure;
- an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
- adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted under the HIPAA Privacy Rule.
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to and use of the PHI.
REVIEWS PREPARATORY TO RESEARCH:
Because it may be necessary for a researcher to obtain access to and review PHI in order to prepare a research protocol, HIPAA rules allow such review upon compliance with specified criteria. This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study, or to identify potential subjects for a study. An application for review of PHI preparatory to research must be submitted to the Human Subjects Protection Office, and approved by the IRB under expedited review. An application form is available at http://www.pennstatehershey.org/web/irb/home.
The IRB may only approve such applications if it is satisfied that all of the following requirements are satisfied:
- The use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research;
- No PHI will be removed in any manner, including by means of copying or notes, from the patient records of The Milton S. Hershey Medical Center or other original source of PHI; and
- The PHI for which access is sought is necessary for the research purpose.
PHI OF DECEDENTS:
The HIPAA Privacy Rule protects the PHI of persons who have died. Because it may be necessary for a researcher to obtain access to and review the PHI of decedents, HIPAA rules allow such review upon compliance with specified criteria. An application for the use of a decedent's PHI for purposes of research must be submitted to the Human Subjects Protection Office, and approved by the IRB under expedited review. An application form is available at http://www.pennstatehershey.org/web/irb/home.
The IRB may only approve such applications if it is satisfied that all of the following requirements are satisfied:
- A representation from the researcher that the use or disclosure sought is solely for research on the PHI of decedents.
- Adequate documentation as specified by the IRB, of the death of such individuals.
- A representation from the researcher that the PHI for which use or disclosure is sought is necessary for the purposes of the proposed research.
TRACKING OF DISCLOSURES:
HIPAA rules require that a record be made of a disclosure of any personally identifiable information that is made without an authorization by the research participant. Therefore, tracking of disclosures will have to be undertaken for all disclosures if a waiver of authorization, an approval for review preparatory to research or an approval for the use of a decedent's PHI is obtained for purposes of research, and for any disclosures not previously specified in a signed authorization document. For purposes of this policy, "disclosure" means the release, transfer, provision of access to, or divulging in any other manner of PHI to any person, whether or not employed by The Milton S. Hershey Medical Center or PSU, who is not participating in carrying out the research protocol.
The following information about any disclosure must be recorded and made available to the individual who is the subject of the PHI upon request:
- Date of disclosure;
- Name of person/entity that received the PHI;
- Description of what PHI was disclosed;
- Brief statement regarding the purpose of the disclosure.
If a research protocol requires multiple disclosures to the same outside party over a period of time, the following information is adequate:
- For the first disclosure, all of the above must be recorded;
- For subsequent disclosures, tracking can refer to the initial record of disclosure and should include the frequency, periodicity or the number of disclosures that will be made; and
- The date of the last disclosure must be documented.
Large Studies: When tracking is required and involves the disclosure of PHI from more than 50 people, HIPAA rules allow a modified tracking method. In this instance it is unnecessary to maintain a list of the specific persons about whom PHI has been disclosed, but the following information must be available upon the request of any individual whose information may have been included:
- The name and description of all protocols involving 50 or more people for which authorization has been waived, including the purpose of these and criteria for selecting records;
- Brief descriptions of types of PHI disclosed;
- Dates or time periods during which disclosures occurred;
- Contact information (name, address, telephone number) for sponsors and recipient researchers; and
- Statement that a specific individual's PHI may or may not have been disclosed for a particular protocol or research activity.
In addition, the researcher must also assist in contacting the sponsor and recipient researcher if it is reasonably likely that an individual's PHI was disclosed to them.
Tracking information as required by HIPAA rules must be maintained by the principal investigator at least six years, and made available to the Privacy Officer.Note: PHI obtained in connection with research cannot be re-disclosed unless specific authorization has been granted by the individual from whom the PHI was obtained or as required or permitted by HIPAA rules or other law. Prior approval by The Milton S. Hershey Medical Center/PSU College of Medicine Privacy Officer is required for any disclosure of PHI not within the scope of an authorization.
REVOCATION OF AUTHORIZATION BY PARTICIPANT:
HIPAA rules allow a subject to revoke a prior authorization to use or disclose PHI for purposes of research. Researchers must honor this request, except to the extent the researcher has already relied on the authorization. Researchers may continue utilizing PHI that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study. In addition, use or disclosure of identifiable information previously obtained is permitted for purposes such as accounting for the subject's withdrawal, reporting adverse events, or complying with investigations when required by law.
Researchers are responsible for ensuring that data containing PHI is securely protected from unauthorized disclosures. Researchers must take precautions to securely maintain and dispose of PHI. (See related policies AD20, AD23.) Additionally, researchers are responsible for ensuring secure transfer of data containing PHI. When transmitting data electronically, researchers should ensure that 1) the data is securely encrypted; 2) that the receiver of the data is the individual for whom it is intended; and 3) the data remains secure until it is received by the intended receiver. Questions about the security of electronic data transfers may be directed to the Information Security Officer at (717) 531-5904.
When sending data containing PHI via ground mail services, researchers must also assure the security of the information until it arrives in the hands of the intended receiver. Hard copy documents containing PHI should be sent 1) using an insured carrier; 2) with a receiving signature required; and 3) by a carrier with package tracking services.
RESEARCH COMMENCED PRIOR TO APRIL 14, 2003:
An authorization is not required under the HIPAA rule as to subjects who were enrolled in a research protocol before April 14, 2003 and who have signed a Common Rule-compliant informed consent form. Even if subjects enrolled before April 14, 2003 continue with research procedures after that date, authorization will not be required.
An authorization will be required for any subject enrolled in a study on or after April 14, 2003, even if the study was approved by the IRB prior to that date. Therefore, if all subjects were enrolled prior to April 14, 2003, there is no need for an authorization for those subjects. However, authorization will be required for any new subjects after April 14, 2003, either in the form of a separate authorization document or a modified informed consent form that includes the required authorization language.
WAIVER OF CONSENT APPROVED BY IRB PRIOR TO APRIL 14, 2003:
If researchers are conducting a study under an IRB-approved waiver of consent obtained prior to April 14, 2003, they should continue protecting the privacy of subjects' information, but do not need to re-apply to the IRB. Ongoing studies for which the IRB approved a waiver of informed consent before April 14, 2003 are grandfathered under the HIPAA rule. Although a new waiver is not required, it is important to note that the individual rights provided by the Privacy Rule go into effect as of April 14, 2003. As a result, any disclosure of PHI made pursuant to a waiver of authorization must be tracked as noted above.
For questions, additional detail, or to request changes to this policy, please contact the Office of the Associate Vice President for Research, Director of the Office for Research Protections.
Other Policies in this Manual and at the Hershey Medical Center may have specific application and should be referred to especially;
AD20 - Computer and Network Security,
AD22 - Health Insurance Portability and Accountability Act (HIPAA)
AD23 - Use of Institutional Data
RP07 - HIPAA and Research at Penn State University (Formerly RA22)
Most recent changes:
Revision History (and effective dates):