Category: Privacy

Date: March 2003

Reviewed/Revised: April 2013

Definitions

Research: Research is defined as a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge (45 CFR § 164.501).

Treatment: Treatment is defined as the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

Policy

It is the policy of EVMS Medical Group to abide by the use and disclosure rules set forth by the Health Insurance Portability and Accountability Act (HIPAA) of 1996, with revisions of August 14, 2002. Under the Privacy Rule, EVMS Medical Group researchers are permitted to use and/or disclose protected health information in the course of conducting research with an individual authorization, or without individual authorization under limited circumstances.

Minimum Necessary: When using or disclosing PHI or when requesting PHI from another covered entity, EVMS Medical Group researchers must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard DOES NOT apply to research for which a subject has signed an authorization to use or disclose the PHI.

Minimum necessary standards DO apply to:

  1. Research conducted with a waiver of authorization;
  2. Research involving PHI of decedents;
  3. Use of PHI preparatory to research;
  4. Limited data set research.

Procedure

A. Research use and/or disclosure without authorization

To use or disclose protected health information without authorization by the research participant, EVMS Medical Group must obtain one of the following:

  1. Documentation that an alteration or waiver of authorization has been approved by an Institutional Review Board (IRB).
  2. Attestation from the researcher, in writing, that the use or disclosure of PHI is solely to prepare a research protocol or purposes preparatory to research, that PHI will not be removed, and representation that access sought is necessary for research purposes.
  3. Attestation from the researcher, in writing, that the use or disclosure being sought is solely for research on the PHI of decedents, that the PHI being sought is necessary for research, and documentation of the death of the individuals.
  4. An EVMS IRB determines that the data is recorded in such a manner that it meets the criteria for "de-identified data" or a "limited data set".

EVMS Medical Group may also disclose PHI without subject authorization or a waiver of authorization if the disclosure is to a:

  5. public health authority that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability;
  6. public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;
  7. person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purposes of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity. Such purposes include to:
    1. collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;
    2. track FDA-regulated products;
    3. enable product recalls, repairs, or replacement, or lookback (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or
    4. conduct post-marketing surveillance.

1. Waiver of authorization

EVMS Medical Group will release and/or permit access to PHI for research purposes pursuant to a waiver of authorization by an EVMS IRB, provided it has obtained documentation of all of the following:

  • A statement that the alteration or waiver was approved by the IRB, as stipulated by the Privacy Rule.
  • A statement identifying the IRB and the date on which the alteration or waiver was approved;
  • A statement that the IRB has determined that the alteration or waiver satisfies the following criteria:
    1. The use and disclosure of PHI involves no more than minimal risk to the privacy of an individual, based on, at least, the presence of the following elements:
      1. an adequate plan to protect the identifiers from improper uses and disclosures;
      2. an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law;
      3. an adequate written assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would not be permitted by this subpart;
    2. The research could not practicably be conducted without the waiver or alteration; and
    3. The research could not practicably be conducted without access to and use of the PHI.
  • A brief description of the PHI for which use or access has been determined to be necessary by the IRB;
  • A statement that the alteration or waiver of authorization has been reviewed and approved under either full board review or expedited review procedures as stipulated by the Privacy Rule; and
  • The signature of the chair or other designee of the IRB.

2. Preparatory to research

Disclosure is permitted without a patient authorization or a waiver of authorization for review of PHI, when necessary to prepare a research protocol or for similar purposes preparatory to research.

  • A Researcher must provide representations to an EVMS IRB that:
    1. use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;
    2. no PHI will be removed from EVMS Medical Group by the researcher in the course of the review;
    3. the PHI for which use or access is sought is necessary for the research purposes.
  • EVMS Medical Group requires that researchers submit an application form to the IRB with representation that all of the above criteria apply to the project.

3. Decedent research

  • A Researcher must provide representations to an EVMS IRB that:
    1. use or disclosure sought is solely for research on the PHI of decedents;
    2. documentation, at the request of EVMS Medical Group, of the death of such individuals; and
    3. the PHI for which use or disclosure is sought is necessary for the research purposes.
  • EVMS Medical Group requires researchers to submit an application form to the IRB for decedent research.

4. De-identified or limited data set

  • De-Identified Information (Safe Harbor) may be used and disclosed without being subject to the HIPAA Privacy Rule.
    1. In order for information to be considered "de-identified", it must not include the following direct identifiers of the individual or the relatives, employers, or household members of the individual:
      1. names;
      2. all geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
        1. the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
        2. the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
      3. all elements of dates (except year) for dates relating directly to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
      4. telephone and fax numbers;
      5. electronic mail addresses;
      6. social security numbers;
      7. medical record numbers;
      8. health plan beneficiary numbers;
      9. account numbers;
      10. certificate/license numbers;
      11. vehicle identifiers and serial numbers, including license plate numbers;
      12. device identifiers and serial numbers;
      13. Web Universal Resource Locators (URLs);
      14. Internet Protocol (IP) address numbers;
      15. biometric identifiers, including finger and voice prints;
      16. full face photographic images and any comparable images; and
      17. any other unique identifying number, characteristic, or code.

EVMS Medical Group may assign a code or other means of record identification to allow de-identified information to be re-identified by EVMS Medical Group, as long as the code is not derived from, or related to, information about the subject. An HMAC (hash-based message authentication code) cannot be used as a re-identification code. The Privacy Rule does not restrict linkage of PHI inside EVMS Medical Group.
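The following added example (not part of the policy or of any EVMS system) applies the Safe Harbor rules listed above to one constructed patient record: direct identifiers are dropped by copying only allow-listed fields, ZIP codes are cut to three digits with low-population prefixes set to 000, dates keep only the year, ages over 89 collapse to a single "90+" category, and the re-identification code is random rather than derived from subject data. The set of low-population ZIP prefixes and the patient record are constructed placeholders, not Census or clinical data.

```python
import secrets
from datetime import date

# Constructed placeholder: three-digit ZIP prefixes whose combined population is
# 20,000 or fewer. In practice this set is built from the current Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}


def safe_harbor_zip(zip_code):
    """Keep only the first three digits; low-population prefixes become 000."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def age_on(birth, as_of):
    """Age in completed years on the as_of date."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def safe_harbor_record(rec, as_of):
    """Return (re-identification code, de-identified copy) for one record.

    Only explicitly allowed fields are copied (an allow-list), so an unexpected
    identifier such as an MRN, SSN or e-mail address is dropped rather than passed
    through. Dates keep only the year; ages over 89 become "90+" and also lose the
    birth year, since that year would indicate the age.
    """
    age = age_on(rec["birth_date"], as_of)
    out = {
        "sex": rec.get("sex"),
        "diagnosis": rec.get("diagnosis"),
        "zip3": safe_harbor_zip(rec["zip"]),
        "admission_year": rec["admission_date"].year,
        "discharge_year": rec["discharge_date"].year,
    }
    if age > 89:
        out["age"] = "90+"  # single aggregated category, no birth year
    else:
        out["age"] = str(age)
        out["birth_year"] = rec["birth_date"].year
    # Random code: not derived from any subject information. The code-to-record
    # mapping is kept inside the covered entity, never released with the data.
    return secrets.token_hex(8), out


# Constructed sample record (fictitious patient, placeholder identifiers).
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-PLACEHOLDER", "ssn": "000-00-0000",
    "email": "jane@example.test", "sex": "F", "diagnosis": "E11.9",
    "zip": "23507-1234", "birth_date": date(1930, 6, 15),
    "admission_date": date(2012, 3, 3), "discharge_date": date(2012, 3, 9),
}

if __name__ == "__main__":
    print(safe_harbor_record(SAMPLE, as_of=date(2013, 4, 1)))
```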

Alternatively, information may be considered de-identified if:

  1. a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable;
  2. applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
  3. documents the methods and results of the analysis that justify such determination.

Limited data sets for research

PHI may be used or disclosed as a limited data set for research provided that:

  • EVMS Medical Group uses and discloses only a limited data set;
  • EVMS Medical Group obtains a Data Use Agreement from the data recipient; and
  • the data used or disclosed does not include the following direct identifiers of the individual or the relatives, employers, or household members of the individual:
    1. name;
    2. postal address information, other than town, city, state, or zip code;
    3. fax numbers;
    4. electronic mail addresses;
    5. social security numbers;
    6. medical record numbers;
    7. health plan beneficiary numbers;
    8. account numbers;
    9. certificate/license numbers;
    10. vehicle identifiers and serial numbers, including license plate numbers;
    11. Web Universal Resource Locators (URLs);
    12. Internet Protocol (IP) address numbers;
    13. biometric identifiers, including finger and voice prints; and
    14. full face photographic images and any comparable images.

B. Research use and/or disclosure with individual authorization

The Privacy Rule permits EVMS Medical Group to use and disclose PHI for research purposes when a research participant authorizes the use and disclosure of his or her information.

  1. The authorization must be written and include the following elements:
    • a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
    • the name or other specific identification of the person(s) or class of persons authorized to make the use or disclosure of PHI;
    • the name of the person(s) or class of persons to whom EVMS Medical Group is authorized to make the disclosure;
    • a description of each purpose of the use or disclosure;
    • an expiration date or an expiration event that relates to the individual or the stated purpose of the use or disclosure. The statement "end of research study", "none", or similar language is sufficient if the authorization is for a use or disclosure of PHI for research, including the creation and maintenance of a research database or research repository;
    • the individual's signature and date; and
    • if signed by a legally authorized representative, a description of his or her authority to act for the individual.
  2. The authorization must also include statements concerning:
    • The individual's right to revoke the authorization in writing and either:
      • the exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
      • reference to the EVMS Medical Group Privacy Notice.
    • The consequences to the individual of a refusal to sign the authorization for use or disclosure of PHI for research purposes. EVMS Medical Group may condition the provision of research-related treatment on the provision of authorization by a subject.
    • The potential for information covered by an authorization to be re-disclosed by the recipient and no longer protected by the Privacy Rule.
  3. At EVMS Medical Group the authorization for research purposes may be incorporated into the Subject Consent Form and submitted to the IRB or Privacy Board for review and approval.
  4. The authorization must be written in plain language.
  5. EVMS Medical Group must provide the individual with a copy of his/her signed authorization.