HIPAA Core Policy: Use & Disclosure of Identifiable Health Information for Research

HIPAA Core Policy: Use & Disclosure of Identifiable Health Information for Research

Abstract:
This policy establishes guidelines for the use and disclosure of identifiable health information for purposes of research by UAB/UABHS Covered Entities in compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and Alabama state law.
Effective Date:
9/23/2013
Responsible Party:
Contacts:
None Assigned
Administrative Category:
Applies To:
Faculty, Staff, Students
Material Original Source:

1. PURPOSE: To establish guidelines for the use and disclosure of identifiable health information for purposes of research by UAB/UABHS (“UAB”) Covered Entities in compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and Alabama state law.


2. PHILOSOPHY: UAB values and promotes business practices respecting the confidentiality of health information.


3. APPLICABILITY: This standard applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, and other UAB entities that may be added from time-to-time) and to the following UABHS Covered Entities: University Hospital, The Kirklin Clinic, The Kirklin Clinic at Acton Road, Callahan Eye  Hospital, UAB Health Centers, Medical West Hospital, VIVA Health, Inc., University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, and other UABHS managed entities that may be added from time-to-time). For purposes of this standard, UAB and UABHS Covered Entities shall be collectively referred to as “UAB.”


4. DEFINITIONS: UAB adopts the definitions set forth in the HIPAA regulations at 45 CFR Parts 160, 162, and 164.

Authorization: A document that is required to be signed by the patient to use and disclose specified protected health information for specified purposes. It may be required in some circumstances in order to conduct research.

4.1. Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the UAB Covered Entity holding the information.

4.2. Protected Health Information (“PHI”): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered or excepted by the Family Educational Right and Privacy Act and employment records held by a covered entity in its role as an employer.

4.3. Use: The sharing, employment, application, utilization, examination, or analysis of PHI  within an entity that maintains the PHI.


5. POLICY STATEMENTS:

5.1. Use and Disclosure of PHI for Research – General Rule

5.1.1. UAB Covered Entities will only use or disclose PHI for research in accordance with the requirements set forth in this standard.

5.2. Research Use – Use and Disclosure Without Patient Authorization

5.2.1. UAB Covered Entities may use and disclose PHI for research by obtaining IRB consent, but without obtaining patient Authorization, under any one of the following circumstances:

5.2.1.1. Reviews preparatory to research – The researcher must document  each of the following:

5.2.1.1.1. use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;

5.2.1.1.2. no PHI is to be removed from UAB by the researcher in the course of the review; and

5.2.1.1.3. the PHI for which use or access is sought is necessary for the research purposes.

5.2.1.2. Decedent’s information:

5.2.1.2.1. Researchers may use the PHI of a deceased individual 50 years after the death of the individual without any HIPAA authorization or waiver.

5.2.1.2.2. Researchers may use decedent information that is less than 50 years from the date of the death of the individual if the researcher documents the following:

5.2.1.2.2.1. Use or disclosure is solely for research on the  PHI of decedents

5.2.1.2.2.2. at the request of the UAB Covered Entity, documentation of the death of the individuals; and

5.2.1.2.2.3. the PHI for which use or access is sought is necessary for the research purposes.

5.2.1.3. Limited Data Set – The researcher may use a Limited Data Set for research if the researcher enters into a Data Use Agreement.

5.2.1.3.1. A Limited Data Set is PHI that excludes the following:

5.2.1.3.1.1. names

5.2.1.3.1.2. postal address information, other than town or city, State, and zip code;

5.2.1.3.1.3. telephone numbers;

5.2.1.3.1.4. fax numbers

5.2.1.3.1.5. electronic mail addresses

5.2.1.3.1.6. social security numbers

5.2.1.3.1.7. medical record numbers

5.2.1.3.1.8. health plan beneficiary numbers

5.2.1.3.1.9. account numbers

5.2.1.3.1.10. certificate/license numbers

5.2.1.3.1.11. vehicle identifiers and serial numbers, including license plate numbers

5.2.1.3.1.12. device identifiers and serial numbers

5.2.1.3.1.13. web universal resource locators (URLs)

5.2.1.3.1.14. internet protocol (IP) address numbers

5.2.1.3.1.15. biometric identifiers, including finger and voice prints; and

5.2.1.3.1.16. full face photographic images and any comparable images

5.2.1.3.2. The researcher must sign a Data Use Agreement.

5.2.1.4. De-identified Information – The researcher may use De-identified Health Information for research. For purposes of this standard, “de-identified health information” means health information that does not contain any of the following:

5.2.1.4.1. names

5.2.1.4.2. all geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code if, according to the Bureau of Census the geographic unit formed by combining all zip codes with the  same three initial digits contains more than 20,000 people and the initial three digits of a zip code for all such geographic units containing 20,000 or few people is changed to 000;

5.2.1.4.3. all elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

5.2.1.4.4. telephone numbers;

5.2.1.4.5. fax numbers

5.2.1.4.6. electronic mail addresses

5.2.1.4.7. social security numbers

5.2.1.4.8. medical record numbers

5.2.1.4.9. health plan beneficiary numbers

5.2.1.4.10. account numbers

5.2.1.4.11. certificate/license numbers

5.2.1.4.12. vehicle identifiers and serial numbers, including license plate numbers

5.2.1.4.13. device identifiers and serial numbers

5.2.1.4.14. web universal resource locators (URLs)

5.2.1.4.15. internet protocol (IP) address numbers

5.2.1.4.16. biometric identifiers, including finger and voice prints;

5.2.1.4.17. full face photographic images and any comparable images; and

5.2.1.4.18. any other unique identifying number, characteristic or code

5.2.1.5. IRB approval of a waiver of patient authorization – A UAB Covered Entity may use or disclose PHI for research if it has obtained documentation of ALL of the following from the UAB IRB:

5.2.1.5.1. A statement that the waiver was approved by the UAB IRB or other IRB approved by UAB IRB.

5.2.1.5.2. A statement identifying the IRB and the date on which the waiver was approved

5.2.1.5.3. A statement that the IRB has determined that the waiver satisfies the following criteria:

5.2.1.5.3.1. the use or disclosure of PHI involves no more than minimal risk to the privacy of individuals based on the presence of the following elements:

5.2.1.5.3.1.1. there is an adequate plan to protect the identifiers from improper use and disclosure

5.2.1.5.3.1.2. there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law

5.2.1.5.3.1.3. there are adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by law.

5.2.1.5.3.2. the research could not practicably be conducted without the alteration or waiver

5.2.1.5.3.3. the research could not practicably be conducted without access to and use of the PHI

5.2.1.5.4. A brief description of the PHI for which use or access has been determined to be necessary by the IRB

5.2.1.5.5. A statement that the waiver of authorization has been reviewed and approved under either normal or expedited review procedures

5.2.1.5.6. The signature of the Chair or other member, as designated by the chair, of the IRB.

5.3. Research Use – Use and Disclosure With Patient Authorization

5.3.1. UAB Covered Entities may use and disclose PHI for research by obtaining the individual’s signed Authorization on the approved UAB form.

5.3.2. Compound Authorizations

5.3.2.1. The Authorization form may be combined with any other type of written permission for the same or another research study, such as,

5.3.2.1.1. With the Informed Consent document to participate in the research.

5.3.2.1.2. With another Authorization for the same research study.

5.3.2.1.3. With an Authorization for the creation or maintenance of a research database or repository.

5.3.2.2. If the Authorization form contains one research study that is not conditioned on participation in another study, as well as a study that is conditioned on another study, then the Authorization form must clearly let the patient know the difference between the two Authorizations and identify the research study that is not conditioned on participation in any other study.

5.3.2.3. Research involving Psychotherapy Notes cannot be combined with any other Authorizations.

5.3.2.4. The Authorization form may permit future research if the Authorization adequately describes the future research such that it would be reasonable for the individual to expect that his/her PHI could be used or disclosed for that purpose and that the Authorization informs the individual if sensitive research, such as stem cell research or research that may go against some religious convictions, may be a possibility.

5.4. Each UAB Covered Entity shall develop processes and policies to implement the standards of this standard.


6. REFERENCES: None


7. SCOPE: This policy applies to all UAB Covered Entities and to UABHS Covered Entities identified in Section 3.


8. ATTACHMENTS: Note: All HIPAA forms may be found at the UAB/UABHS HIPAA website at www.HIPAA.uab.edu.


To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/standards.htm.