Presentation on theme: "1 HIPAA Enhancements to IRB Submissions John M. Falletta, MD Chairman, Institutional Review Board Duke University Health System Durham, NC."— Presentation transcript:
1 HIPAA Enhancements to IRB Submissions John M. Falletta, MD Chairman, Institutional Review Board Duke University Health System Durham, NC
2 HIPAA Health Insurance Portability and Accountability Act Protected Health Information (PHI) Individually identifiable health information
3 Treatment, Payment, or Operations (TPO) Education and Quality Improvement are Operations
4 HIPAA and Research HIPAA mandates that a privacy board ensure institutional compliance with HIPAA. For research involving humans receiving care at DUHS, this function is fulfilled by the IRB.
5 Definition of "Research” A systematic investigation designed to develop or contribute to generalizable knowledge. 45 CFR 46.102 (d) A systematic investigation designed to develop or contribute to generalizable knowledge. 45 CFR 46.102 (d)
6 Definition of "Human Subject” A living individual about whom an investigator...conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information. 45 CFR 46.102(f)
7 Definition of "Human Subject” Operational Change due to HIPAA An living individual about whom an investigator...conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.
8 Research Using Decedent PHI No longer “exempt from IRB review” Now covered as any other PHI IRB must be notified of research plans - Implementation requires response - IRB may require evidence of death of the subject
9 Items to Exclude for Deidentification NamesNames AddressAddress Zip code *Zip code * Dates except yearDates except year Telephone numbersTelephone numbers Fax numbersFax numbers Electronic mail addresses Social security numbers Medical Record Numbers Health plan beneficiary numbers Account numbers
10 Items to Exclude for Deidentification (cont.) Certificate/license numberCertificate/license number Vehicle identifiers and serial numbersVehicle identifiers and serial numbers Web Universal Resource Locators (URLs)Web Universal Resource Locators (URLs) Internet Protocol (IP) address numbersInternet Protocol (IP) address numbers Biometric identifiers Full face photographic images Any other unique identifying number, characteristic or code
11 Anonymization versus HIPAA Deidentification The only setting where approval of IRB anonymization (unlinking) does not also confer approval of HIPAA deidentification is when the anonymized (unlinked) data contain dates (more specific than the year) of events, or full ZIP code or age of a subject over 90.
12 HIPAA Deidentification versus Anonymization The only setting where approval of HIPAA deidentification does not also confer approval of IRB anonymization (unlinking) is where a code with a key linking back to the subject is retained with the deidentified data without special provisions approved by the IRB.
13 Protocol Methods for Subject Accrual –Identifying Potential Subjects –Recruitment Methods for Protecting –Privacy of Subject –Confidentiality of Data Consent Form
14 Methods for Subject Accrual Identifying Potential Subjects (Reviews Preparatory to Research, Pre-Screening, Case Finding) Notification of IRB via letter or protocol description Request IRB waiver or alteration of consent
15 Methods for Subject Accrual (cont.) Notification of IRB of plans for identifying potential subjects Letter or p rotocol description to include specific information needed to prepare research protocol and/or identify potential subjectsLetter or p rotocol description to include specific information needed to prepare research protocol and/or identify potential subjects Implementation requires responseImplementation requires response Limitation - No PHI may be removed from DUHSLimitation - No PHI may be removed from DUHS
16 Methods for Subject Accrual (cont.) Implication - Notification of IRB (cont.) Useful for screening prior to protocol development to determine whether research is feasible.
17 Methods for Subject Accrual (cont.) Request IRB Waiver or Alteration of Consent in order to identify potential subjects Protocol description justifying waiver or alterationProtocol description justifying waiver or alteration Description of PHI needed Description of PHI needed Evidence that risks will be minimalEvidence that risks will be minimal Evidence that research is impractical without waiver for access to PHIEvidence that research is impractical without waiver for access to PHI
18 Implications - Waiver or Alteration of Consent Use to contact individuals who have left covered entityUse to contact individuals who have left covered entity Use if sponsor requires pre-screening logsUse if sponsor requires pre-screening logs IRB needs to know if sponsor gets PHI from pre-screeningIRB needs to know if sponsor gets PHI from pre-screening Identification removal requirement implies contract modifications with sponsorIdentification removal requirement implies contract modifications with sponsor
19 Note: May use/disclose data as described in IRB protocol. Other use requires IRB approvalOther use requires IRB approval Verbal consent allowed with IRB approvalVerbal consent allowed with IRB approval Implications - Waiver or Alteration of Consent (cont.)
20 Methods for Subject Accrual Recruitment Ads (content, style and placement/ publication)Ads (content, style and placement/ publication) Word of mouthWord of mouth Contact potential subjects who know PIContact potential subjects who know PI –Describe location and procedure Contact of potential subjects who are “strangers” (such as Other People’s Patients)Contact of potential subjects who are “strangers” (such as Other People’s Patients) –Describe location and procedure
21 Procedure for Contacting Other People’s Patients Obtain permission of the patient’s physicianObtain permission of the patient’s physician Provide IRB-approved study information (brief) to patient’s physician or other caregiver known to the patientProvide IRB-approved study information (brief) to patient’s physician or other caregiver known to the patient Caregiver provides patient with introduction to the study and the name of the investigator (staff member) who will contact the patientCaregiver provides patient with introduction to the study and the name of the investigator (staff member) who will contact the patient Investigator (staff member) contacts the patient about the studyInvestigator (staff member) contacts the patient about the study
22 Methods for Protecting Privacy of Subjects Privacy - the right to be left alone - the right to control personal information even after disclosing it - the right to control personal information even after disclosing it How will you minimize the risk of invasion of the subject’s privacy?
23 How will you minimize the risk of inappropriate disclosure of PHI? Methods for Protecting Confidentiality of Data
24 General Requirements for Informed Consent (45 CFR Part 46.116) Legally effective informed consent shall: 1. Be obtained from the subject or the subject's legally authorized representative; 2. Be in a language understandable to the subject or the representative;
25 General Requirements for Informed Consent (45 CFR Part 46.116) (cont.) 3. Be obtained under circumstances that provide the subject with the opportunity to consider whether or not to participate, and that minimize coercion influences; 4. Not include language through which subject is made to waive any of his legal rights or which releases the investigator, sponsor or institution from liability for negligence.
26 1. Statement that study involves research; explanation of purpose(s) and expected duration of participation; description of procedures and identification of experimental procedures. 2. Description of risks or discomforts to subject. Basic Elements of Informed Consent 45 CFR Part 46.116 (A) (cont.)
27 Basic Elements of Informed Consent 45 CFR Part 46.116 (A) (cont.) 3. Description of benefits to subject or to others. 4. Disclosure of alternative procedures, if appropriate. 5. Description of the extent to which confidentiality will be maintained.
28 Basic Elements of Informed Consent 45 CFR Part 46.116 (A) (cont.) 6. For research involving more than minimal risk, explanation as to whether compensation and medical treatments are available if injury occurs. 7. Explanation of whom to contact if questions arise about the research or the subjects' rights or whom to contact if research-related injury occurs.
29 Basic Elements of Informed Consent 45 CFR Part 46.116 (A) (cont.) 8. Statement that participation is voluntary, that refusal to participate involves no penalty or loss of benefits, and that subject may discontinue at any time.
30 Additional Elements of Informed Consent 45 CFR Part 46.116 (B) When required by the IRB, one or more of the following elements shall be provided to each subject: 1. Statement that procedure may involve unforeseeable risks; 2. Description of circumstances under which subject's participation may be terminated by the investigator without subject's consent;
31 Additional Elements of Informed Consent 45 CFR Part 46.116 (B) (cont.) 3. Additional costs to subject resulting from participation in research; 4. Consequences of subject's decision to withdraw from research; 5. Statement that significant new findings developed during research which may relate to subject's willingness to continue will be provided to subject; 6. Approximate number of subjects involved in study.
32 Consent Form All of the following information will be needed in each consent form.
33 Consent Form For early withdrawal from the study: If you agree to be in this study, you are free to change your mind. At any time you may withdraw your consent to be in this study and for us to use your data. If you withdraw from the study, you will continue to have access to health care at Duke.
34 Consent Form For early withdrawal from the study (cont.): If you do decide to withdraw, we ask that you contact Dr. [PI] in writing and let [him/her] know that you are withdrawing from the study. [His/her] mailing address is [address]. At that time we will ask your permission to continue using all information about you that has already been collected as part of the study prior to your withdrawal.
35 Consent Form Statement of Consent: You will be given a signed copy of this consent form. or “I have been told that I will be given a signed copy of this consent form.”
36 Consent Form Confidentiality: Study records that identify you will be kept confidential as required by law. You will not be identified by name in the study records. Your records will be assigned a unique code number. The key to the code will be kept in a locked file in Dr. [PI]’s office.
37 Consent Form Who will have access to study records and to whom information may be disclosed: Your records may be reviewed in order to meet federal or state regulations. Reviewers may include …, …, … and the Duke University Health System Institutional Review Board.
38 Consent Form Expiration date or event for the retention of records: The study results will be retained in your research record for at least six years or until after the study is completed, whichever is longer. At that time either the research information not already in your medical record will be destroyed or information identifying you will be removed from such study results at DUHS. Any research information in your medical record will be kept indefinitely.