HIPAA rules require that a record be made of a disclosure of any personally identifiable information that is made without an authorization by the research participant. Therefore, tracking of disclosures will have to be undertaken for all disclosures if a waiver of authorization, an approval for review preparatory to research or an approval for the use of a decedent’s PHI is obtained for purposes of research, and for any disclosures not previously specified in a signed authorization document.
Because it may be necessary for a researcher to obtain access to and review PHI in order to prepare a research study, HIPAA rules allow such a review upon compliance with specified criteria. An application for review of PHI preparatory to research must be submitted to the IRB for review and approval.
An application for the use of PHI from decedents must be submitted to the IRB prior to engaging in the research. In order to gain access to the PHI, the principal investigator needs to demonstrate that the use or disclosure being sought is solely for research on the PHI of decedents, adequate documentation of the death of such individuals, and that the PHI for which use or disclosure is sought is necessary for the purposes of the proposed research.
A HIPAA Waiver of Authorization can be obtained from the IRB if access to patient data is needed for recruitment purposes. Describe the need in the “HIPAA Research Authorization and/or Waiver or Alteration of Authorization” section of the protocol template or the protocol site addendum. This section is reviewed by the IRB. If a full or partial waiver is granted, access to identifiable patient data to determine if a patient may be a potential research subject will be authorized. IRB approval is confirmed by issuance of the IRB approval memo for the study.
In general, before any patient information can be used for a research purpose, the patient must sign and date a study-specific consent form that includes the HIPAA authorization elements or a separate HIPAA authorization form which recites the patient’s privacy rights. This is true whether or not the patient is seen by the researcher/physician for medical care. Patient information cannot be used for research-related purposes without a signed patient authorization.
If a patient’s record is reviewed for a treatment purpose (e.g., to view lab results or consult with a referring provider) the research-related rules do not apply. However, once a patient’s medical information is viewed for a research-related activity (e.g., to screen for eligibility or review, to review a unique case for possible study, or to collect data) the research-related HIPAA rules apply. For example, if a provider is reviewing a patient’s lab report for regular care, this access would be for treatment purposes and the research-related rules would not apply.
When an established patient is being considered for participation in a research study by a clinician involved in the patient’s care, the HIPAA rules can be confusing. HIPAA applies when a provider is reviewing a patient’s medical record for both treatment and research purposes. In general, under the HIPAA privacy rules, a patient’s medical information may be accessed for a treatment, payment or operational purpose without obtaining prior written consent. Access to a patient’s medical record for any other purposes may require additional steps to be in compliance with privacy laws and rules.
Penn State has developed an Electronic Regulatory Binder (eReg Binder) that can be uploaded to Research Electronic Data Capture (REDCap) as a project that investigators can use to stay in compliance with documentation requirements for good clinical practice and federal regulations. The eReg Binder is an online "filing cabinet" for all study documents and conforms to the ICH GCP guideline.
Penn State has approved Federal Wide Assurances with the Department of Health & Human Services. Penn State's two IRBs are also registered with the Department of Health & Human Services.