There are multiple federal regulations governing human subject protections in research activities. The majority of research is covered by three sets of regulations: the Health and Human Services, the Food and Drug Administration, and the Department of Education. There is a great deal of overlap in the relevant regulations, but they are not identical and in a limited range of cases important differences exist among them. The main federal office for providing guidance on the regulations is the Office of Human Research Protections (OHRP).
The Privacy Rule regulates the way certain health care groups, organizations, or businesses, called covered entities under the Rule, handle the individually identifiable health information known as protected health information (PHI). Researchers should be aware of the Privacy Rule because it establishes the conditions under which covered entities can use or disclose PHI for many purposes, including for research. Although not all researchers will have to comply with the Privacy Rule, the manner in which the Rule protects PHI could affect certain aspects of research.
It is important to understand that many research organizations that handle individually identifiable health information will not have to comply with the Privacy Rule because they will not be covered entities. Grand Valley State University is not a covered entity but a hybrid entity. That is, certain components of GVSU are covered entities such as the student health center, the Counseling center and the nurse managed care clinics. The Privacy Rule will not directly regulate researchers who are engaged in research within organizations that are not covered entities even though they may gather, generate, access, and share personal health information. For instance, entities that sponsor health research or create and/or maintain health information databases may not themselves be covered entities, and thus may not directly be subject to the Privacy Rule. However, researchers may rely on covered entities for research support or as sources of individually identifiable health information to be included in research repositories or research databases. The Privacy Rule may affect such independent researchers, as it will affect their relationships with covered entities.
PHI is health information transmitted or maintained in any form or medium that:
The following records ARE EXEMPTED from the definition of PHI even though they may contain health-related information:
If your study uses these kinds of records, it is not subject to HIPAA. However, existing HRRC rules on informed consent and confidentiality still apply.
If a study using/disclosing PHI is going to use/disclose this PHI by means of a subject authorization (the most common and recommended means), you should be aware of the following:
For research uses and disclosures of PHI, the HRRC may approve a waiver or an alteration of the Authorization requirement in whole or in part. A complete waiver occurs when the IRB determines that no Authorization will be required for a covered entity to use and disclose PHI for a particular research project. If a researcher has used or disclosed PHI for research with an IRB approval of waiver or alteration of Authorization, documentation of that approval must be retained by the researcher for 6 years from the date of the closure of the study.
Researchers may use or disclose health information that is de-identified without restriction under the Privacy Rule. Covered entities seeking to release this health information must determine that the information has been de-identified using either statistical verification of de-identification OR by removing the 19 identifiers from each record as specified in the Rule.
Health-related information is considered PHI if any of the following are true:
It is not required to get the HIPAA Authorization at the time of consent, but it is the most practical time.
Data is considered de-identified under HIPAA when none of the following elements are present:
No. An Authorization differs from an informed consent in that an Authorization focuses on the privacy risks and states how, why, and to whom the PHI will be used and/or disclosed for research. An informed consent, on the other hand, provides research subjects with a description of how the confidentiality of records will be protected, among other things.
(Approvals for waivers or alterations will be rare and in most cases researchers are advised to use an Authorization Form with their subjects to use/disclose PHI. HRRC approval is required for this Authorization Form - similar to consent forms.) The following criteria must be met to qualify for a waiver: The use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements;
The HRRC maintains the authority to make the final decision if a study meets the aforementioned criteria.
Yes. The minor's parent or legal guardian must sign a HIPAA authorization on the minor's behalf. You can use the same HIPAA authorization for minors that you would use for adults. HIPAA does NOT have an added assent requirement for minors.
Yes, but subjects must receive a signed copy of the authorization.
Yes, a subject can revoke his/her authorization at any time in writing. Data already collected under the authorization can be used to a limited extent if necessary to preserve the integrity of the research.