Johns Hopkins Bloomberg School of Public Health



Johns Hopkins School of Public Health IRB Policy on The Use of Protected Health Information in ResearchThe Health Insurance Portability and Accountability Act (HIPAA) protects individually identifiable health information, or Protected Health Information (PHI), held by health insurance plans, healthcare providers, and health care facilities in the United States (“covered entities”), including covered entities within Johns Hopkins Medicine. Johns Hopkins School of Public Health (JHSPH) research investigators seeking to access or obtain PHI from a covered entity, in identifiable, De-identified or Limited Data Set form, must satisfy HIPAA requirements and comply with this policy on use of PHI in research.Section 1:JHSPH IRB as HIPAA Privacy Board.The JHSPH IRB is authorized to serve as a HIPAA Privacy Board for the Johns Hopkins Medicine covered entities. As such, the JHSPH IRB may approve HIPAA Privacy Authorizations, Requests to access PHI as Preparatory to Research, Waivers and/or Alterations of HIPAA Privacy Authorizations, and Requests to use Decedent PHI for research purposes, for PHI obtained from one of the Johns Hopkins Medicine covered entities. In addition, other covered entity providers may authorize the JHSPH IRB to perform these functions in specific studies. In all cases, JHSPH researchers must comply with the HIPAA policies of the covered entity provider that discloses the PHI for research purposes.Section 2:JHSPH IRB Review of HIPAA Applications.JHSPH researchers seeking to use PHI for research purposes from a covered entity must describe in the JHSPH HIPAA Application Form the PHI required for research, where it will come from, how the PHI will be obtained, who will have access to the PHI, and how identifiers will be protected and eventually destroyed. The JHSPH IRB may review HIPAA Applications that require use of PHI at convened meetings or by using an expedited review procedure when the data protections minimize the risk to the privacy of the individuals who are the subject of the PHI for which the use and disclosure is sought. The expedited reviewer will be an IRB Chair or one or more members of the Privacy Board designated by the Chair.Section 3:JHSPH IRB Review of HIPAA Privacy Authorizations.A.The JHSPH IRB requires that JHSPH researchers seek written HIPAA Privacy authorization from each subject or the subject’s authorized representative prior to participation in any research activity that involves the disclosure and use of the subject’s PHI (i.e., identifiable medical record information) maintained by a covered entity, or for the placement of the research data in the subject’s medical record. When researchers seek to access, use and/or disclose PHI for research purposes, the research consent may include all the necessary elements of that required HIPAA Privacy authorization, thereby alleviating the need for a separate document. To aid researchers in the development of this combined consent/authorization document, a template with authorization language is available on the JHSPH IRB website. B.Regulatory Requirements. The elements required in a HIPAA Privacy Authorization include the following:1.A specific description of PHI that will be collected for research and the purpose of collecting this information;2.A specific description of any research-derived information that will be placed in the individual’s medical record;3.The person or class of persons who may use or disclose the PHI collected for research;4.The person or class of persons to whom PHI collected for research may be re-disclosed and the purpose of such re-disclosure;5.The expiration date of the authorization;6.Consequences to the individual of a refusal to sign the authorization; and7.The individual’s right to revoke authorization and consequences of such revocation.C.PHI obtained for research purposes with a HIPAA Privacy Authorization, or through one of the permissible mechanisms noted below, is no longer covered by HIPAA once it leaves the covered entity. Such research data is still considered “sensitive private information” that requires appropriate protection and data security, and may be used only in accordance with any HIPAA compliant authorization signed by a research participant, approved study protocol, and Data Use Agreement, as applicable.Section 4:JHSPH IRB Review of Waivers of HIPAA Privacy Authorizations.A.The JHSPH IRB may waive or alter the HIPAA Privacy authorization requirement for research studies that include PHI from one of the Johns Hopkins Medicine covered entities under 45 CFR 164.508(c) and 45 CFR 164.512 (i)(2)(ii).? In granting an alteration or waiver of HIPAA authorization, the IRB must determine that the alteration or waiver, in whole or in part, satisfies each of the following criteria:The use or disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:(a) An adequate plan to protect the identifiers from improper use and disclosure;(b)An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law;(c)An adequate written assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted (i.e., under the HIPAA regulations); and(d)The research could not practicably be conducted without the waiver or alteration.2. The research could not practicably be conducted without access to the use of the PHI.B.Documentation of the IRB’s approval of an alteration or waiver of HIPAA Privacy authorization must include:1.A statement that the alteration or waiver of authorization has been reviewed under either full-board or expedited review procedures;2.A statement that the IRB has determined that the alteration or waiver, in whole or in part, satisfies each of the waiver criteria under 45 CFR 164.512(i)(2)(ii);3.A statement identifying the date on which the alteration or waiver of authorization was approved;4.A brief description of the protected health information for which use or access has been determined to be necessary by the IRB; and5.The documentation of the alternation or waiver of authorization must be signed by the IRB Chair or other IRB member, as designated by the IRB Chair.Section 5: Accessing PHI to Identify Potential Participants, and Possibly Contact Them, for Research Recruitment Purposes.A.Obtaining or accessing PHI for recruitment purposes of a non-Johns Hopkins Medicine HIPAA covered entity must comply with the requirements of that non-Johns Hopkins Medicine entity.B.Access to electronic health records to identify potential participants is a “disclosure” under HIPAA, but is permissible without authorization or waiver through certain specific mechanisms. Mechanisms for accessing PHI from a Johns Hopkins Medicine covered entity to identify potential participants vary depending upon whether the access involves a covered entity’s defined “HIPAA Workforce Member.” HIPAA Workforce members at Johns Hopkins Medicine include the following groups:1.Appropriately credentialed Johns Hopkins Health Systems (JHHS)-privileged professional or staff members who normally have access to medical record information by virtue of their patient care responsibilities (“credentialed JHHS workforce member”);2.Students in the health care professions (including students at the Johns Hopkins University School of Medicine (SOM), Johns Hopkins University School of Nursing (SON), and Johns Hopkins School of Public Health) who are accessing PHI under the direction of a credentialed JHHS workforce member, and who have signed a HIPAA Workforce Member Agreement as part of patient care responsibilities or an IRB approved research project. The HIPAA Workforce Member Agreement must be completed, uploaded into the IRB protocol, and a copy sent to the Johns Hopkins Privacy Office;3.Research personnel, employed by the Johns Hopkins University, who are working under the direction of a credentialed JHHS workforce member, and who have signed a HIPAA Workforce Memorandum of Understanding (“MOU”) with the Johns Hopkins Privacy Office to serve as an Honest Broker to produce De-identified Data Sets or Limited Data Sets; and4.Research personnel, employed by the Johns Hopkins University, who are working under the direction of a credentialed JHHS workforce member on a research project, and who have signed a HIPAA Workforce Member Agreement as part of an IRB approved research project. The HIPAA Workforce Member Agreement must be completed, uploaded into the IRB protocol, and a copy sent to the Johns Hopkins Privacy Office.C.Access to and Use of PHI to Identify Potential Participants that Qualifies as “Preparatory to Research”.1.HIPAA permits members of the covered entity to access PHI for certain tasks that are deemed “preparatory to research”. The JHSPH IRB may approve access to PHI without a HIPAA Authorization for the limited purpose of identifying potential participants under the “preparatory to research” exception if certain conditions are met. The researcher must fit within one of the definitions of a HIPAA Workforce Member outlined above, and must include the description of the plan to access PHI for this purpose in the research application. (See: .) Preparatory to research activities to identify potential participants require the following:(a)Researchers who are also HIPAA Workforce Members may access PHI for the “minimum necessary” information needed to identify potential subjects and to contact them in alignment with the recruitment plan outlined in the IRB application. This typically includes name and contact information (e.g., address may be accessed only if you plan to mail material; telephone number may be accessed only if you plan to call, etc.).(b)The “Preparatory to Research” request must specify that the proposed use of PHI will be to identify potential participants only “within the covered entity”; the PHI will not be removed from the covered entity except as permitted under 45 CFR 164.502(a)(1)(i), and if electronic, may not go outside the Johns Hopkins Medicine firewall; and the PHI is necessary for the recruitment activity approved by the IRB. It must also state that the PHI will not be reused or disclosed to others who are not part of the recruitment plan described in the protocol, and that all information will be destroyed immediately after it has been used for recruitment purposes.(c)Once a potential recruitment candidate is identified, the actual attempt to contact that candidate must be made by verbal or written communication from one of the patient’s/candidate’s Johns Hopkins treating clinicians following the process set forth in Sub-Section D below, unless the IRB has made or makes a specific determination that that approach by the treating physician is impracticable and grants a corresponding HIPAA waiver. D.Use of PHI by HIPAA Workforce Members for Actual Recruitment Contact with Potential Participant within the Covered Entity; with Verbal Authorization, and No Signed HIPAA Authorization or Waiver. 1.When both a clinician and a researcher are HIPAA Workforce Members, a clinician who has a treatment relationship with the patient may obtain verbal permission from his/her patient to share contact information with a researcher so that the researcher may directly contact that patient and inform him/her about a study. The verbal authorization mechanism requires the following:(a)The clinician must note the verbal permission in the medical record and provide the researcher only with minimum necessary PHI (about diagnosis or condition) and patient contact information. The researcher may contact the potential participant directly to discuss the study once this verbal permission has been secured.(b)This verbal contact by the clinician must occur “within the covered entity”. E.Use of PHI for Recruitment Purposes with Verbal Authorization and with IRB Approved Alteration of Consent/Authorization Documentation for Recruitment. 1.When the researcher is not a Johns Hopkins Medicine HIPAA Workforce Member, the researcher may obtain IRB approval to waive the signature requirement for the consent/authorization form (officially, an alteration of the documentation requirement) and then request that clinicians who have treatment relationships with qualifying patients obtain verbal permission from his/her patient to share contact information with the researcher [outside of the covered entity] so that the researcher may contact the patient to explain the study. The verbal authorization mechanism requires the following:(a)The clinician must note the verbal permission in the medical record and provide the researcher only with limited PHI (about diagnosis or condition) and patient contact information. The researcher may contact the potential participant directly to discuss the study once this verbal permission has been secured. The researcher must seek a signed consent/authorization if the patient decides to join the study. Section 6:Creation of a De-Identified Data Set or Limited Data Set for Research Purposes.A.De-identified Data: The HIPAA privacy rule allows researchers access to patient health information that has been de-identified through removal of 18 identifiers. Under this condition the JHSPH IRB (Privacy Board) may approve the use/disclosure of data/information without an individual's authorization if it determines that health information is not individually identifiable. To meet this condition, all of the 18 elements of identifiers must be removed before the data is released to the researcher. B.Limited Data Set: The HIPAA privacy rule makes provisions for researchers to obtain without a HIPAA Authorization a "limited data set" for research purposes. A Limited Data Set is patient health information that has been de-identified in accordance with the HIPAA privacy rule requirements in footnote 3 below, except that the following potentially identifying information may be included: admission, discharge, and service dates; dates of birth and, if applicable date of death; age, including age 90 or over; and five digit zip code or any other geographic subdivision, such as state, county, city, precinct and their equivalent geocodes except street addresses.C.JHSPH researchers who are not Johns Hopkins HIPAA Workforce Members who seek to obtain a De-identified Data Set or Limited Data Set from a Johns Hopkins Medicine covered entity must use a JHHS Privacy Office-certified Honest Broker to create the De-identified or Limited Data Set (requires a Data Use Agreement between the Johns Hopkins Privacy Office and Johns Hopkins University Research Administration, and the researcher must submit a PHIRST application for an exempt study), and the Honest Broker must sign the IRB Application., and the Honest Broker must sign the IRB Application.Section 7:Use of Decedent Information for Research Purposes.JHSPH researchers must obtain approval from the JHSPH IRB prior to accessing and using PHI from people who are deceased. JHSPH researchers seeking decedent PHI from one of the Johns Hopkins Medicine covered entities must qualify as a Johns Hopkins HIPAA Workforce Member, and should submit to the JHSPH IRB HIPAA Form 5, “Representations Form for Research Involving Only Decedents’ Information” available on this page:() ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download