Research Protections Policies
RP07 HIPAA and Research at Penn State University (Formerly RA22)
Policy Steward: Associate Vice President for Research, Director of the Office for Research Protections
- Research Affected By HIPAA
- Review Of Protocols For HIPAA Compliance
- Utilization Of PHI In Research By Authorization
- Utilization Of PHI In Research With A Waiver Of Authorization
- Reviews Preparatory To Research
- PHI Of Decedents
- Accounting Of Disclosures of PHI
- Revocation Of Authorization By Subject
- Data Security
- Research Commenced Prior To April 14, 2003
- Waiver Of Consent Requirement By IRB Prior To April 14, 2003 Grandfathered
- Further Information
- Cross Reference
The Pennsylvania State University ("PSU") and The Milton S. Hershey Medical Center (HMC) have a duty to protect the confidentiality and integrity of an individual's health information as required by law, professional ethics, and accreditation requirements. The Health Insurance Portability and Accountability Act ("HIPAA") of 1996, and its implementing regulations known as the "Privacy Rule" include provisions that protect the privacy of individually identifiable health information, and govern how health information is used and disclosed, including use and disclosure for research purposes. The purpose of this policy is to set forth the requirements that will be applicable to research that is subject to HIPAA requirements.
The Pennsylvania State University – “University” includes all colleges and campuses except The Milton S. Hershey Medical Center (HMC).
The University and HMC designated the University’s College of Medicine (COM) and HMC as an affiliated covered entity (ACE) for purposes of implementation of and compliance with obligations of the Privacy Rule and Security Rule. The Privacy Officer appointed by HMC shall by such appointment serve as the Privacy Officer on behalf of COM. The ACE agreement authorizes disclosure of protected health information by and between HMC and COM for purposes of treatment, payment and operations, and for purposes of research.
IRB Office: For all campuses and colleges, except the College of Medicine (COM) and The Milton S. Hershey Medical Center (HMC): Office for Research Protections (ORP)
For Penn State College of Medicine (COM) and The Milton S. Hershey Medical Center (HMC): Human Subjects Protection Office (HSPO)
In general, research utilizing Protected Health Information ("PHI") which is obtained from (a) health care providers such as physicians and hospitals or (b) health plans, will be subject to HIPAA rules applicable to obtaining, using and protecting such information. "PHI" is individually identifiable health information created, obtained or maintained by a health care provider or by a health plan covered by HIPAA. A "health plan" is a plan that pays the cost of health care expenses.
Within the University and HMC, this means that research will be subject to HIPAA rules if: (a) it uses PHI obtained or maintained by any of the administrative units identified in Policy AD22; (b) it uses PHI obtained or maintained by the hospital and providers of The Milton S. Hershey Medical Center; or (c) it uses PHI created by a Penn State or Milton S. Hershey Medical Center researcher while in the course of providing health care to an individual. In addition, at HMC and COM, research will also be subject to HIPAA rules if it uses PHI collected by a health care provider of HMC even if collected only for research purposes.
University and HMC researchers will also be subject to HIPAA rules if the research seeks to use PHI obtained from health care providers, such as physicians, hospitals and nursing homes that are not affiliated with the University or HMC or from health plans. In that case, use of PHI will be governed by this policy as well as any HIPAA policies of such other health care providers or health plans.
Not all individually identifiable health information is subject to HIPAA rules. Research that involves health information that is not obtained by or from a health care provider or a health plan subject to HIPAA, also known as a covered entity, is not subject to HIPAA. Although not in scope of HIPAA, identifiable health information obtained by a non-HIPAA-covered researcher is still deserving of the same standard of protection as PHI, and these standards must be implemented by any PSU or HMC workforce member involved in human subjects research using individually identifiable health information.
All research studies involving human subjects must be submitted to the Office for Research Protections (ORP), or the Human Subjects Protection Office (HSPO) in CATS IRB (irb.psu.edu) for review and a determination whether the protocol will be subject to HIPAA rules governing disclosure and use of PHI. If it is determined that the protocol is subject to HIPAA rules, the terms of this policy will apply to that study.
In order to utilize PHI in connection with research, researchers must (a) obtain written authorization from the individual who is participating as a research subject in accordance with HIPAA standards for authorization, (b) obtain a waiver of the authorization requirement from the appropriate Institutional Review Board (IRB) in accordance with HIPAA standards for such waivers, or (c) submit requests for approval to use PHI for activities preparatory to research or to use the PHI of decedents in research.
PHI obtained in accordance with this policy may be used only by and disclosed only to the principal investigator and other members of the research team, except that further disclosure may be made (a) as specified in the authorization granted by the individual from or about whom PHI has been obtained as set forth in this policy, or (b) as required or permitted by the HIPAA rules or other law. Approval of the appropriate Privacy Officer is required for any disclosure request that is not within the scope of an authorization granted by the individual participating in research or as required or permitted by HIPAA rules and other law.
If an authorization is required in order to utilize PHI in connection with research, the content of the authorization must comply with HIPAA rules.
Authorization may be obtained by the use of a separate authorization form, which is reviewed with and signed by the individual participating in the research protocol. A template authorization form is available in CATS IRB (irb.psu.edu) and should be completed by the principal investigator and submitted with the CATS IRB (irb.psu.edu) submission for review by the IRB.
Authorization may also be obtained by including the requisite information in an Informed Consent Form to be used for the study. Model provisions for inclusion of an authorization with the Informed Consent Form are available in CATS IRB (irb.psu.edu). The IRB will review the authorization provisions as part of its review of the Informed Consent Form.
Copies of the authorization, whether separate from or included in the Informed Consent Form, signed by the individual participating in the research protocol must be retained by the principal investigator for a minimum of six years after the completion of the research.
In the event a principal investigator leaves the University or HMC prior to the end of the six-year requirement, the investigator will contact the appropriate IRB office and make arrangements for ongoing retention of required research documents at the University or HMC.
If a research protocol proposes to obtain and use PHI in research without an authorization, the principal investigator must submit a request for a waiver of authorization to the appropriate IRB office. The request for a waiver of the authorization must be included in the protocol provided in the CATS IRB (irb.psu.edu) submission. The request for a waiver of authorization will then be reviewed by the appropriate IRB.
Approval of a waiver of authorization by the COM IRB is necessary in order to obtain access to PHI maintained by the Hospital and providers of The Milton S. Hershey Medical Center.
Approval of a waiver of authorization by the Penn State IRB is necessary in order to obtain access to PHI maintained by all administrative units identified in Penn State Policy AD22.
In order to obtain access to PHI maintained by any other health care provider based upon a waiver of authorization, approval of the Penn State or COM IRB will be required. In addition, depending upon the policies of such other health care providers, it may be necessary to obtain approval of the waiver from another IRB or privacy board.
An application for waiver will be approved only if the IRB concludes that the criteria in the HIPAA rules have been satisfied. These include:
- The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
- an adequate plan to protect the identifiers from improper use and disclosure;
- an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
- adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted under the HIPAA Privacy Rule.
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to and use of the PHI.
Because it may be necessary for a researcher to obtain access to and review PHI in order to prepare a research protocol, HIPAA rules allow such review upon compliance with specified criteria. This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study, or to identify potential subjects for a study. A request for review of PHI preparatory to research must be submitted to the IRB Office, and approved by the IRB. Request forms are available on the respective IRB Office websites: http://www.research.psu.edu/irb and https://med.psu.edu/research-compliance.
The IRB may only approve such requests if the researcher provides the following representations in the request form:
- The use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research;
- No PHI will be removed in any manner, including by means of copying or notes, from the original source of the PHI, to include patient records of The Milton S. Hershey Medical Center; and
- The PHI for which access is sought is necessary for the research purpose.
The HIPAA Privacy Rule protects the PHI of persons who have died. Because it may be necessary for a researcher to obtain access to and review the PHI of decedents, HIPAA rules allow such review upon compliance with specified criteria. A request for the use of a decedent’s PHI for purposes of research must be submitted to the IRB office and approved by the IRB prior to engaging in research with the PHI of decedents. Request forms are available on the respective IRB office websites: http://www.research.psu.edu/irb and https://med.psu.edu/research-compliance
The IRB may only approve such requests if the researcher provides the following representations in the request form:
- The use or disclosure is sought solely for research on the PHI of decedents.
- The PHI for which use or disclosure is sought is necessary for the purposes of the proposed research.
- At the request of the covered entity, documentation of the death of the individuals whose PHI is sought by the researchers will be provided.
The HIPAA Privacy Rule permits individuals to obtain a record of certain disclosures of their PHI by covered entities or their business associates, including certain disclosures made by researchers who must comply with the Rule. Upon receiving an individual's request, a covered entity must account for disclosures of that individual's PHI made during the six years prior to the request, unless a particular disclosure or type of disclosure is excluded from this accounting requirement in Section 164.528(a) of the Privacy Rule. For example, an accounting is not needed when the PHI disclosure is made: (1) For treatment, payment, or health care operations; (2) Under an authorization for the disclosure; (3) To an individual about himself or herself; or (4) As part of a limited data set under a data use agreement. For purposes of this policy, “disclosure” means the release, transfer or divulging of information in any other manner outside the entity holding the information.
Standard accounting includes, for each disclosure, the following information:
- Date of disclosure;
- Name and address, if known, of person/entity that received the PHI;
- Description of what PHI was disclosed; and
- Brief statement regarding the purpose of the disclosure.
Multiple disclosures accounting is permissible if multiple disclosures of PHI have been made to the same person or entity for a single purpose under Sections 164.502(a)(2)(ii) or 164.512 of the Privacy Rule. For each disclosure, the following must be included:
- The date the initial disclosure was made during the accounting period.
- The name and, if known, address of the person or entity receiving the PHI.
- A brief description of the PHI disclosed.
- A brief statement of the reason for the disclosure.
- The frequency, periodicity, or number of the disclosures made during the accounting period.
- The date of the last such disclosure during the accounting period.
- The date of the last disclosure must be documented.
Large Studies with Waiver: HIPAA rules allow a modified tracking method for research that involves the disclosure of PHI from more than 50 people and for which authorization has been waived. In this instance it is unnecessary to maintain a list of the specific persons about whom PHI has been disclosed, but the following information must be available upon the request of any individual whose information may have been included.
- The name of the protocol or research activity;
- A plain-language description of the research protocol or activity, purpose of the research, and criteria for selecting particular records;
- Brief descriptions of types of PHI disclosed;
- Dates or time periods during which disclosures occurred, including the date of the last disclosure during the accounting period;
- Contact information (name, address, telephone number) for sponsors and recipient researchers; and
- Statement that a specific individual's PHI may or may not have been disclosed for a particular protocol or research activity.
In addition, the researcher must also assist in contacting the sponsor and recipient researcher if it is reasonably likely that an individual's PHI was disclosed to them.
The principal investigator must maintain all accounting of disclosure information for no less than six years. The information must be made available to the appropriate Privacy Office as needed.
HIPAA rules allow a subject to revoke a prior authorization to use or disclose PHI for purposes of research. Subjects' requests for the revocation of authorization must be submitted in writing to the principal investigator. Researchers must honor this request, except to the extent the researcher has already relied on the authorization. Researchers may continue utilizing PHI that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study. In addition, use or disclosure of identifiable information previously obtained is permitted for purposes such as accounting for the subject's withdrawal, reporting adverse events or complying with investigations.
Researchers are responsible for ensuring that data containing PHI or other sensitive data is securely protected from unauthorized disclosures. Researchers must take precautions to securely maintain and dispose of PHI, as described in Policy AD22. (See related policies AD20 and AD23.) Additionally, researchers are responsible for ensuring secure transfer of data containing PHI. When transmitting data containing PHI or other sensitive data electronically, researchers must ensure that 1) appropriate technical safeguards have been implemented, such as secure data encryption; 2) the receiver of the data is the individual for whom it is intended; 3) the data remains secure until it is received by the intended receiver; and 4) where an encryption key is used, it is shared with the intended receiver by a separate method from the data transfer. Questions about the security of electronic data transfers may be directed to The Office of Information Security at HIPAAfirstname.lastname@example.org or the HMC Information Technology Technical Support Center (IT-TSC) at (717) 531-6281.
When sending data containing PHI or other sensitive data via ground mail services, researchers must also assure the security of the information until it arrives in the hands of the intended receiver. Hard copy documents containing PHI or other sensitive data should be sent 1) using an insured carrier; 2) with a receiving signature required; and 3) by a carrier with package tracking services. When sending PHI or other sensitive data stored on electronic media (i.e. USB flash drives, memory cards, DVDs, CDs), appropriate technical safeguards must be implemented, such as data encryption. If the principal investigator or designee is unsure whether appropriate technical safeguards are in place, he or she must engage the assistance of the IT-TSC by calling 717-531-6281.
An authorization is not required under the HIPAA rule for subjects who were enrolled in a research protocol before April 14, 2003 and who have signed a Common Rule-compliant informed consent form. Even if subjects enrolled before April 14, 2003 continue in the research after that date, authorization will not be required.
An authorization will be required for any subject enrolled in a study on or after April 14, 2003, even if the study was approved by the IRB prior to that date. Therefore, if all subjects were enrolled prior to April 14, 2003, there is no need for an authorization for those subjects. However, authorization will be required for any new subjects after April 14, 2003, either in the form of a separate authorization document or a modified informed consent form, which includes the required authorization language.
If researchers are conducting a study under an IRB-approved waiver of consent obtained prior to April 14, 2003, they should continue protecting the privacy of subjects' information, but do not need to re-apply to the IRB. Ongoing studies for which the IRB approved a waiver of informed consent before April 14, 2003 are grandfathered under the HIPAA Privacy rule. Although a new waiver is not required, it is important to note that the individual rights provided by the Privacy Rule go into effect as of April 14, 2003. As a result, any disclosure of PHI made pursuant to a waiver of authorization must be tracked as noted above.
For questions, additional detail, or to request changes to this policy, please contact the Office of the Associate Vice President for Research, Director of the Office for Research Protections.
Other policies may have specific application and should be referred to, especially:
AD20 - Computer and Network Security
AD22 - Health Insurance Portability and Accountability Act (HIPAA)
AD23 - Use of Institutional Data
Effective Date: January 13, 2017
Date Approved: January 13, 2017
Date Published: January 13, 2017
Most recent changes:
- January 13, 2017 - This policy combines and replaces the former RP07 (for PSU) and RP08 (for Hershey Medical Center and College of Medicine) with a single policy.
Revision History (and effective dates):
- June 8, 2015 - This policy was previously a Research Administration policy, Policy RA22. It has been moved from the Research Administration section to the Research Protections section to reflect the reorganization, and links/cross references have been edited as appropriate.
- April 9, 2003 - New Policy.