- Is my project research?
- Does my research require IRB approval?
- What is the IRB's authority?
- How long does IRB review take?
- What can I do to help the IRB process move quickly?
- What happens after I submit my IRB application?
- May I recruit participants for my study before IRB approval?
- May I advertise to recruit participants for my study?
- May I pay study participants?
- My project uses only medical records to collect data. Will I need IRB approval?
- What if my research involves other sites besides NYU, many with their own IRB?
- What is a cooperative agreement?
- What is a Federal Wide Assurance?
- What is the link between the grant proposal and the IRB application for funded projects?
- What is different about proposals going to the NIH?
- Do I need to work with the grants and contracts staff too?
- What is minimal risk?
- What is informed consent and when is it needed?
- What is assent and when is it needed?
- What if my study qualifies for exemption? Do I still need IRB approval?
- Do research subjects have to authorize the use of their protected health information?
- Must the IRB approve the separate authorization form or is the new HIPAA language included in the new consent form template?
- Will the HIPAA Privacy Rule hinder medical research by making doctors and others less willing and/or able to share with researchers information about individual patients?
- If a research subject revokes his or her authorization to have protected health information used or disclosed for research, does the HIPAA Privacy Rule permit a researcher/covered health care provider to continue using the protected health information already obtained prior to the time the individual revoked his or her authorization?
- Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?
- Do the HIPAA Privacy Rule’s requirements for authorization and the Common Rule’s requirements for informed consent differ?
- If research subjects’ consent was obtained before the compliance date, but the Institutional Review Board (IRB) subsequently modifies the informed consent document after the compliance date and requires that subjects be reconsented, is authorization now required from these previously enrolled research subjects under the HIPAA Privacy Rule?
- Are some of the criteria so subjective that inconsistent determinations may be made by Institutional Review Boards (IRB) and Privacy Boards reviewing similar or identical research projects?
- Does the HIPAA Privacy Rule prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing protected health information?
- Does the HIPAA Privacy Rule permit the creation of a database for research purposes through an Institutional Review Board (IRB) waiver of individual authorization?
- By establishing new waiver criteria and authorization requirements, hasn’t the HIPAA Privacy Rule, in effect, modified the Common Rule?
- Is documentation of Institutional Review Board (IRB) and Privacy Board approval required by the HIPAA Privacy Rule before a covered entity would be permitted to disclose protected health information for research purposes without an individual’s authorization?
- What does the HIPAA Privacy Rule say about a research participant’s right of access to research records or results?
- Are the HIPAA Privacy Rule’s requirements regarding patient access in harmony with the Clinical Laboratory Improvements Amendments of 1988 (CLIA)?
- When is a researcher a covered health care provider under HIPAA?
- Can covered entities continue to disclose adverse event reports that contain protected health information to the Department of Health and Human Services (HHS) Office for Human Research Protections?
- Can covered entities continue to disclose protected health information to the HHS Office for Human Research Protections for purposes of determining compliance with the HHS regulations for the protection of human subjects (45 CFR Part 46)?
Is my project research?
In the clinical setting, it is important to make a distinction between research and practice. They are frequently carried out together. This is the case when a clinical research activity evaluates the safety and efficacy of a treatment. Practice includes interventions that can reasonably be expected to enhance the well-being of a person through diagnosis or treatment. In contrast, research involves testing a hypothesis and drawing conclusions. Usually the research activity is described in a formal plan (protocol) that identifies the objectives and procedures to reach the objectives.
In addition to clinical research, other types of research are also conducted at NYU. One is survey research, which involves interacting with individuals to gather information using questionnaires or interviews. Another involves the collection of data from identifiable private information sources, e.g., medical records, so that analysis of the data will yield conclusions. Yet another involves bench or laboratory research, e.g., the use of surgical and laboratory specimens that would otherwise be discarded.
Your project is most likely research if it contains any of the elements described above.
Does my research require IRB approval?
All research projects involving human subjects require IRB review and approval. A human subject is a living individual about whom the investigator collects data through direct intervention or interaction, or from sources such as medical records, clinical databases, billing records and pathologic or diagnostic tissue specimens. Data from these sources is called identifiable private information.
At NYU, human subjects are patients, families or other individuals, e.g., the patient’s classmates, who are asked to participate in a project. Staff members may also be subjects.
What is the IRB’s authority?
The IRB has the authority under federal regulation and institutional policy to approve, require the modification of or disapprove research activities being conducted at NYU. It also has the authority to suspend or terminate research that was previously approved in which unforeseen harm to subjects occurs, or that is not being conducted as approved by the IRB.
How long does IRB review take?
Because of funding agency requirements, we recommend that you allow 60 days for review. A well-prepared application will hasten the process. Many projects can be approved in less than 60 days if the application is complete and comprehensive.
What can I do to help the IRB process move quickly?
We recommend strongly that researchers consult with IRB staff before submitting an application. Pre-review can identify potential questions and issues that may arise during the review process. If you would like to have a pre-review done, send an e-mail request to the IRB office and attach the application to your message. The pre-review can also be done in person by appointment. Feel free to contact us to set one up.
What happens after I submit my IRB application?
When a new application is received in the IRB office it is screened for completeness and readiness for review. An IRB staff person contacts the researcher if additional information is needed. Once a completed application has been received, it is assigned for full, expedited or exempt review status, and IRB review can be scheduled. See categories of review for further details.
If your application requires review by the full IRB, a member of the IRB staff will contact you about a time for review, and the study will be added to the IRB meeting agenda. One member of the IRB is designated as primary reviewer for the study, and will lead the discussion during the meeting. It is possible that the primary reviewer will contact the principal investigator prior to the meeting with questions about the study.
The IRB agenda is mailed eight days in advance of the meeting date. Please go to the Meeting Schedule for this year’s dates. For all studies, within one to two weeks after IRB review, a letter is sent to the principal investigator documenting the IRB’s actions and recommendations. After addressing the IRB’s conditions for approval and submitting materials that respond to these concerns, the researcher will receive a copy of the final IRB approval. The research may proceed only after the study has received final approval.
May I advertise to recruit participants for my study?
The IRB must review and approve any materials you plan to use to recruit research participants before you begin contacting individuals. This includes advertisements that appear in the newspaper, on radio or television or on the Internet. Flyers, letters of approach and telephone scripts must also be approved.
Recruiting materials should provide basic information about the study, including the time involved, the primary purpose of the research, e.g., testing an experimental drug, and an overview of procedures and testing. They should fairly represent study participation. The materials should also describe potential benefits to participants and compensation when applicable.
May I pay study participants?
Whether or not individuals and families are paid for participating in research can depend on a number of factors, including availability of funds and the extent of effort on the part of study participants.
The IRB’s primary consideration in looking at remuneration plans involves the effect that coercion or undue inducement could have on a prospective participant’s ability to make an informed, voluntary choice about taking part in research. This is especially important when participation may include significant discomfort or the assumption of risk, and when involving children in a study.
In some instances researchers choose to offer non-monetary incentives, like gift certificates for toys or meals at a fast-food restaurant. If expenses for travel, lodging or meals are incurred, the IRB will recommend that reimbursement be provided to participants.
If compensation or the use of incentives is to be part of your study, it is important to include specific information in the IRB application and to provide detailed information about payment, including terms, in the informed consent document. Procedures for payment or distribution of incentives should be established before the first participant is recruited.
My project uses only medical records to collect data. Will I need IRB approval?
Yes, use of medical records or clinical databases for research purposes requires IRB review. Generally, if you will be gathering information from sources that already exist (retrospective review) and need to collect identifiers like patient name and medical record number so the data can be linked to individuals, your project qualifies for expedited review. Please go to Expedited Review for more information.
What if my research involves other sites besides NYU, many with their own IRB?
If any part of the project includes NYU patients, families, staff (as research subjects) or facilities, the NYU IRB reviews it. Dual IRB review may be required for other institutions. However, NYU IRB has several cooperative agreements with local IRBs that reduce the need for dual review.
What is a cooperative agreement?
A cooperative agreement is an agreement reached between NYU and another research institution to delineate the responsibilities of each institution with regard to IRB activities. NYU has not entered into cooperative agreements with any other institutions.
What is a Federal Wide Assurance?
A federal wide assurance (FWA) is an agreement between NYU and the Office for Human Research Protections (OHRP), acting on behalf of the Secretary of the U.S. Department of Health and Human Services. The agreement provides written assurance that the hospital will comply with federal laws and regulations as well as state and local laws regarding the protection of human subjects in research.
What is the link between the grant proposal and the IRB application for funded projects?
The funding agency often expects the IRB to review and approve the use of human subjects as described in the grant proposal. Before funding can take place, the agency requires certification of approval from the IRB. Except for proposals that are being submitted to the NIH, an IRB application must be pending approval in the IRB office before the grant proposal can be released to the funding agency. Most funding agencies, including federal agencies, allow 60 days for the IRB to notify the agency of final approval.
What is different about proposals going to the NIH?
Beginning with proposals submitted in June 2000, the National Institutes of Health (NIH) have revised the policy that requires IRB approval within 60 days of grant submission. IRB approval is no longer required before NIH peer review. Following peer review, those proposals that are likely to be funded based on the scores they receive need to proceed with IRB review and approval. No NIH grant award will be made without approval from the IRB.
If you submit a funding proposal to the NIH for research that will be based at NYU and involves human subjects, you will receive a letter from the Office of Research Administration. It will notify you that, if the score received during peer review indicates it will likely be funded, you will need to proceed with the IRB approval process. The IRB application will be due in the Office of Research Administration no less than 60 days before the NIH requires IRB certification.
There may be circumstances when the NIH requires, or you think it is desirable, to submit an IRB application before NIH peer review takes place. For example:
• The research involves multiple sites.
• The research is controversial.
• You anticipate the IRB process will be extensive or lengthy.
• IRB certification is required by the NIH before peer review because of timing or funding considerations.
Do I need to work with the grants and contracts staff too?
All local research institutions have a grants and contracts office that requires institutional review and sign-off of funding proposals, only one part of which is IRB approval. To ensure approval, it is important that the appropriate grants and contracts staff be involved from the outset. Here at NYULMC, we have two separate offices to assist you based on the funding type for your project. For further information about studies involving grants, please contact The Sponsored Programs Administration Office at http://www.med.nyu.edu/spa/. If you are completing a Clinical Trial/sponsored study, please contact the Office for Clinical Trial at http://www.med.nyu.edu/oct.
What is minimal risk?
The federal regulations define minimal risk as follows: The probability and magnitude of harm or discomfort anticipated by participating in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests.
Procedures that may involve a small degree of risk for a healthy child may involve a higher risk to a child with an illness or a condition. For example, obtaining blood samples from a hemophiliac child may involve higher risk than venipuncture involving a child without such a condition. On the other hand, children who suffer from chronic illness may not be as traumatized by invasive procedures as comparatively healthy children who have not had as much exposure to medical care.
The definition of minimal risk is an important criterion used in approving research with children. Please see Regulations for Research with Children for more information.
What is informed consent and when is it needed?
In almost all cases, consent must be obtained from the research participants or their legally authorized representatives (parents or guardians) before participation in research begins.
The informed consent process is a basic ethical obligation for researchers. It consists of providing adequate information to the subject about the study, giving the subject the opportunity to consider options, responding to questions the subject may have and ensuring that the subject or the legal representative (parent or guardian) understands the information. In addition, the process includes obtaining the subject’s voluntary agreement to participate in the research, indicated by the subject’s signature on the written consent document. After the subject’s signature is obtained, the informational process should continue as the situation or the subject may require, both during and after the study.
The IRB may approve a waiver of consent in limited circumstances. Consent may be waived if the IRB determines:
• That no more than minimal risk to research participants would be involved.
• That the rights or welfare of participants would not be adversely affected.
• That the research could not be practicably conducted without a waiver.
Additionally, regulations require that if appropriate there be a plan to provide research results to subjects after conclusion of the study. For further information about informed consent, go to Consent Form Preparation.
What is Assent and when is it needed?
Because children have not yet attained legal age, the parent or legal guardian is asked to give permission for participation whenever a child is asked to take part in research. Federal regulations require, however, that children be asked to provide assent, or agreement to participate in the research, whenever they are capable of doing so. Age, maturity and psychological state need to be taken into account when determining whether to ask for assent.
Out of respect for developing persons, it is important to involve children in the decision-making process whenever possible. Though they may not be able to give legal consent, they have the ability to assent or to dissent. It is important to keep in mind that a child’s failure to object to participation should not automatically be construed as assent. Assent implies the affirmative agreement of the child.
Usually children who are age seven and older are asked to sign an assent form, which is written in language appropriate to the ages and conditions of study participants. The assent form should include a description of the study and describe the inconveniences and discomforts subjects may experience.
Generally, children age 14 and older are asked to read and sign the informed consent form if it is written at a reading level that is appropriate to the child. For further information go to Assent Form Preparation.
What if my study qualifies for exemption? Do I still need IRB approval?
Although the IRB currently reviews all research involving human subjects, the regulations provide that certain human research activities, detailed below, may be eligible for a determination of “exempt” status by the IRB.
A Principal Investigator may request exemption from review by submitting an Application for Exemption from Review. A Principal Investigator must obtain such a determination from the IRB prior to initiating the study. See the discussion on Exemption from IRB Review in the Policies and Procedures for more information on the IRB’s procedure for conducting such review.
An exemption from IRB review does not equate to an exemption from the HIPAA requirement for authorization or waiver of authorization when the research involves a covered entity’s protected health information. Researchers who receive an exemption determination but whose research involves protected health information must still submit a HIPAA authorization form (or a request for waiver of HIPAA authorization), or, if applicable, HIPAA forms for conducting research involving decedents’ information or research using a limited data set. Researchers who wish to review protected health information (e.g., medical records) to prepare a research protocol must submit the appropriate HIPAA form for IRB approval.
Research may be exempt from review when the only involvement of human subjects in the research falls into one of the following categories:
• Research conducted in established or commonly accepted educational settings, involving normal educational practices, such as (i) research on regular and special education instructional strategies, or (ii) research on the effectiveness of or the comparison among instructional techniques, curricula, or classroom management methods.
• Research involving the use of educational tests (cognitive, diagnostic, aptitude, achievement), survey procedures, interview procedures or observation of public behavior unless: (i) information obtained is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects; and (ii) any disclosure of the human subjects’ responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects’ financial standing, employability, or reputation. However, when a study involves children being interviewed, questioned or surveyed, that study must be reviewed by the IRB and may not be exempt. Similarly, studies involving children and observation of public behavior in which the Principal Investigator (or other investigator) participates in the activities being observed must be reviewed by the IRB.
• Research involving the use of educational tests (cognitive, diagnostic, aptitude, achievement), survey procedures (e.g. anonymous questionnaire), interview procedures, or observation of public behavior that is not otherwise exempt if: (i) the human subjects are elected or appointed public officials or candidates for public office; or (ii) federal statute(s) require(s) without exception that the confidentiality of the personally identifiable information will be maintained throughout the research and thereafter.
• Research involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects.
• Research and demonstration projects which are conducted by or subject to the approval of department or agency heads, and which are designed to study, evaluate, or otherwise examine: (i) public benefit or service programs; (ii) procedures for obtaining benefits or services under those programs; (iii) possible changes in or alternatives to those programs or procedures; or (iv) possible changes in methods or levels of payment for benefits or services under those programs.
• Taste and food quality evaluation and consumer acceptance studies, (i) if wholesome foods without additives are consumed or (ii) if a food is consumed that contains a food ingredient at or below the level and for a use found to be safe, or agricultural chemical or environmental contaminant at or below the level found to be safe, by the Food and Drug Administration or approved by the Environmental Protection Agency or the Food Safety and Inspection Service of the U.S. Department of Agriculture.
Anonymous data are data that have been stripped of ready identifiers, including linking codes. Data may be anonymized to render a protocol eligible for IRB exemption if the investigator or data source strips the data of ready identifiers. The investigator or data source who anonymizes the data must be someone who has prior authorization to access the data (e.g., a hospital or treating physician). Importantly, however, anonymized data are not automatically considered de-identified data under the Privacy Rule.
Under the Privacy Rule, a covered entity may share data without restriction only if the data have been “de-identified.” De-identified data may contain linking codes if such codes are not derived from any identifier (e.g., SSN or Medical Record number) and are not used for any other purpose, provided that the covered entity does not disclose the code key to the researcher or anyone else. Although de-identified data may contain linking codes that meet the above criteria, a de-identified data set may not contain any of the 18 identifiers listed in the Privacy Rule. Researchers may not de-identify protected health information used in research for the purpose of using or disclosing the de-identified data to parties not identified in the authorization form, waiver application, or data use agreement, without the written approval of the NYU IRB.
The Privacy Rule permits a covered entity to disclose a limited data set to a researcher without authorization or waiver if the researcher has signed a data use agreement containing certain required elements. Limited data sets are not de-identified data, but permit the researcher to receive certain identifiers that must otherwise be removed to render data de-identified (the identifiers permitted in a limited data set are listed in the Privacy Rule). Researchers who are seeking a limited data set from a covered entity should submit a signed copy of the covered entity’s data use agreement form to the NYU IRB along with the research protocol.
What does HIPAA stand for and what is HIPAA anyway?
No, it is not short for girl hippopotamus! The acronym HIPAA stands for the Health Insurance Portability & Accountability Act of 1996. HIPAA is also referred to as the Kennedy-Kassebaum Act or The Privacy Rule.
Do research subjects have to authorize the use of their protected health information?
Yes, subjects must authorize the use or disclosure of their protected health information (PHI). PHI is information relating to past, present, or future health, health care, or payment for health care that identifies the individual directly or indirectly.
Must the IRB approve the separate authorization form or is the new HIPAA language included in the new consent form template?
The IRB has created a new consent/authorization template that is available online.
The title of the document is, “Informed Consent Form to Participate and Authorization of Research.” It contains all of the required consent document elements as well as the new HIPAA requirements.
The IRB has also created an addendum research authorization form. This form can be used as a supplemental attachment to your current consent document. Simply download the form, read the instructions, complete the form as indicated, print your document and begin using the form immediately. We only require that you submit one copy to the IRB for filing purposes. You will have to conform to the full consent/authorization template if you require any modifications to the consent or when your study is up for continuing review.
Will the HIPAA Privacy Rule hinder medical research by making doctors and others less willing and/or able to share with researchers information about individual patients?
It is not expected that the Privacy Rule will hinder medical research. Indeed, patients and health plan members may be more willing to authorize disclosures of their information for research and to participate in research when they know their information is protected. For example, in genetic studies conducted at the National Institutes of Health, nearly 32 percent of eligible people offered a test for breast cancer risk declined to take it. The overwhelming majority of those who refuse cite concerns about health insurance discrimination and loss of privacy as the reason.
The Privacy Rule both permits important research and, at the same time, encourages patients to participate in research by providing much needed assurances about the privacy of their health information. The Privacy Rule will require some covered health care providers and health plans to change their current practices related to documenting research uses and disclosures. It is possible that some covered health care providers and health plans may conclude that the Rule’s requirements for research uses and disclosures are too burdensome and will choose to limit researchers’ access to protected health information.
We believe few providers will take this route, however, because the Common Rule includes similar, and more rigorous requirements, that have not impaired the willingness of researchers to undertake Federally-funded research. For example, unlike the Privacy Rule, the Common Rule requires an Institutional Review Board (IRB) review for all research proposals under its purview, even if informed consent is to be sought. The Privacy Rule requires documentation of IRB or Privacy Board approval only if patient authorization for the use or disclosure of protected health information for research purposes is to be altered or waived. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)
If a research subject revokes his or her authorization to have protected health information used or disclosed for research, does the HIPAA Privacy Rule permit a researcher/covered health care provider to continue using the protected health information already obtained prior to the time the individual revoked his or her authorization?
Covered entities may continue to use and disclose protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study. An individual may not revoke an authorization to the extent the covered entity has acted in reliance on the authorization. For research uses and disclosures, this reliance exception at 45 CFR 164.508(b)(5)(i) permits the continued use and disclosure of protected health information already obtained pursuant to a valid authorization to the extent necessary to preserve the integrity of the research study.
For example, the reliance exception would permit the continued use and disclosure of protected health information to account for a subject’s withdrawal from the research study, as necessary to incorporate the information as part of a marketing application submitted to the Food and Drug Administration, to conduct investigations of scientific misconduct, or to report adverse events.
However, the reliance exception would not permit a covered entity to continue disclosing additional protected health information to a researcher or to use for its own research purposes information not already gathered at the time an individual withdraws his or her authorization. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)
Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?
Yes. Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i). NYUSOM policy stipulates that the research obtain IRB approval before accessing existing databases or repositories even if those databases were created prior to the compliance date.
Do the HIPAA Privacy Rule’s requirements for authorization and the Common Rule’s requirements for informed consent differ?
Yes. Under the Privacy Rule, a patient’s authorization is for the use and disclosure of protected health information for research purposes. In contrast, an individual’s informed consent, as required by the Common Rule and the Food and Drug Administration’s (FDA) human subjects regulations, is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of protected health information.
For this reason, there are important differences between the Privacy Rule’s requirements for individual authorization, and the Common Rule’s and FDA’s requirements for informed consent. However, the Privacy Rule’s authorization elements are compatible with the Common Rule’s informed consent elements. Thus, both sets of requirements can be met by use of a single, combined form, which is permitted by the Privacy Rule.
For example, the Privacy Rule allows the research authorization to state that the authorization will be valid until the conclusion of the research study, or to state that the authorization will not have an expiration date or event. This is compatible with the Common Rule’s requirement for an explanation of the expected duration of the research subject’s participation in the study. It should be noted that where the Privacy Rule, the Common Rule, and/or FDA’s human subjects regulations are applicable, each of the applicable regulations will need to be followed. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)
If research subjects’ consent was obtained before the compliance date, but the Institutional Review Board (IRB) subsequently modifies the informed consent document after the compliance date and requires that subjects be reconsented, is authorization now required from these previously enrolled research subjects under the HIPAA Privacy Rule?
Yes. If informed consent or reconsent (e.g., asked to sign a revised consent or another informed consent) is obtained from research subjects after the compliance date, the covered entity must obtain individual authorization as required at 45 CFR 164.508 for the use or disclosure of protected health information once the consent obtained before the compliance date is no longer valid for the research. (Source) The revised informed consent document may be combined with the authorization elements required by 45 CFR 164.508.
Are some of the criteria so subjective that inconsistent determinations may be made by Institutional Review Boards (IRB) and Privacy Boards reviewing similar or identical research projects?
Under the HIPAA Privacy Rule, IRBs and Privacy Boards must use their judgment as to whether the waiver criteria have been satisfied. Several of the waiver criteria are closely modeled on the Common Rule’s criteria for the waiver of informed consent and for the approval of a research study. Thus, it is anticipated that IRBs already have experience in making the necessarily subjective assessments of risks.
While IRBs or Privacy Boards may reach different determinations, the assessment of the waiver criteria through this deliberative process is a crucial element in the current system of safeguarding research participants’ privacy. The entire system of local IRBs is, in fact, predicated on a deliberative process that permits local IRB autonomy. The Privacy Rule builds upon this principle; it does not change it. Nonetheless, the DHHS will consider issuing guidance as necessary and appropriate to address concerns that may arise during implementation of these provisions. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)
Does the HIPAA Privacy Rule prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing protected health information?
No. The Privacy Rule does not address conditions for enrollment in a research study. Therefore, the Privacy Rule in no way prohibits researchers from conditioning enrollment in a research study on the execution of an authorization for the use of pre-existing health information. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)
Does the HIPAA Privacy Rule permit the creation of a database for research purposes through an Institutional Review Board (IRB) waiver of individual authorization?
Yes. A covered entity may use or disclose protected health information without individuals’ authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB has determined that the specified waiver criteria were satisfied. Protected health information maintained by a covered entity in such a research database could be used or disclosed for future research studies as permitted by the Privacy Rule; that is, for future studies in which individual authorization has been obtained or where the Rule would permit research without an authorization, such as pursuant to an IRB waiver. (Source)
By establishing new waiver criteria and authorization requirements, hasn't the HIPAA Privacy Rule, in effect, modified the Common Rule?
No. Where both the Privacy Rule and the Common Rule apply, both regulations must be followed. The Privacy Rule regulates only the content and conditions of the documentation that covered entities must obtain before using or disclosing protected health information for research purposes.
Is documentation of Institutional Review Board (IRB) and Privacy Board approval required by the HIPAA Privacy Rule before a covered entity would be permitted to disclose protected health information for research purposes without an individual’s authorization?
No. The HIPAA Privacy Rule requires documentation of waiver approval by either an IRB or a Privacy Board, not both.
What does the HIPAA Privacy Rule say about a research participant’s right of access to research records or results?
With few exceptions, the Privacy Rule gives patients the right to inspect and obtain a copy of health information about themselves that is maintained by a covered entity or its business associate in a "designated record set." A designated record set is basically a group of records which a covered entity uses to make decisions about individuals, and includes a health care provider’s medical records and billing records, and a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems.
While it may be unlikely that a researcher would be maintaining a designated record set, any research records or results that are actually maintained by the covered entity as part of a designated record set would be accessible to research participants unless one of the Privacy Rule’s permitted exceptions applies.
One of the permitted exceptions applies to protected health information created or obtained by a covered health care provider/researcher for a clinical trial. The Privacy Rule permits the individual’s access rights in these cases to be suspended while the clinical trial is in progress, provided the research participant agreed to this denial of access when consenting to participate in the clinical trial. In addition, the health care provider/researcher must inform the research participant that the right to access protected health information will be reinstated at the conclusion of the clinical trial. (Source)
Are the HIPAA Privacy Rule’s requirements regarding patient access in harmony with the Clinical Laboratory Improvements Amendments of 1988 (CLIA)?
Yes. The Privacy Rule does not require clinical laboratories that are also covered health care providers to provide an individual access to information if CLIA prohibits them from doing so. CLIA permits clinical laboratories to provide clinical laboratory test records and reports only to "authorized persons," as defined primarily by State law. The individual who is the subject of the information is not always included as an authorized person. Therefore, the Privacy Rule includes an exception to individuals’ general right to access protected health information about themselves if providing an individual such access would be in conflict with CLIA.
In addition, for certain research laboratories that are exempt from the CLIA regulations, the Privacy Rule does not require such research laboratories, if they are also a covered health care provider, to provide individuals with access to protected health information because doing so may result in the research laboratory losing its CLIA exemption. (Source)
When is a researcher a covered health care provider under HIPAA?
A researcher is a covered health care provider if he or she furnishes health care services to individuals, including the subjects of research, and transmits any health information in electronic form in connection with a transaction covered by the Transactions Rule. See 45 CFR 160.102, 160.103.
For example, a researcher who conducts a clinical trial that involves the delivery of routine health care, such as an MRI or liver function test, and transmits health information in electronic form to a third party payer for payment, would be a covered health care provider under the Privacy Rule. Researchers who provide health care to the subjects of research or other individuals would be covered health care providers even if they do not themselves electronically transmit information in connection with a HIPAA transaction, but have other entities, such as a hospital or billing service, conduct such electronic transactions on their behalf. For further assistance in determining covered entity status, see the "decision tool". (Source)
Can covered entities continue to disclose adverse event reports that contain protected health information to the Department of Health and Human Services (HHS) Office for Human Research Protections?
Yes. The Office for Human Research Protections is a public health authority under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to report adverse events to the Office for Human Research Protections either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for public health activities as permitted at 45 CFR 164.512(b). (Source)
Can covered entities continue to disclose protected health information to the HHS Office for Human Research Protections for purposes of determining compliance with the HHS regulations for the protection of human subjects (45 CFR Part 46)?
Yes. The Office for Human Research Protections is a health oversight agency under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to the Office for Human Research Protections for such compliance investigations either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for health oversight activities as permitted at 45 CFR 164.512(d). (Source)