Procedure for Confidentiality of Data; HIPAA Authorization and Waiver - IRB PRO112

Abstract:
This procedure indicates the responsibilities of the investigator, OIRB, and IRB for ensuring confidentiality of health information and data. Included in this document are definitions of private information and protected health information.
Effective Date:
4/26/2010
Responsible Party:
Contacts:
None Assigned
Administrative Category:
Applies To:
Faculty, Staff, Students
Material Original Source:

HRPP Document: PRO112
Effective Date: 3/30/07
Revision Date: 1/25/10, 4/26/10
Subject: Procedure for Confidentiality of Data; HIPAA Authorization and Waiver

DEFINITION

Private Information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects.

Protected Health Information refers to individually identifiable health information meeting the definition of protected health information under HIPAA privacy regulations at 45 CFR 160.103.

PROCEDURE

Investigator Responsibilities

The Investigator:

  • At the time of initial review by convened or expedited procedures—Completes the FOR200 Human Subjects Protocol (HSP) describing:
    • Any risks to disclosure of identifiable private information of participants and proposed provisions to protect the participant’s identity during the course of the research (e.g., will participants be approached in a public place to participate, designation markings on files or accounts to indicate that the individual is a research participant);
    • Strategies for maintaining the confidentiality of identifiable private information collected during the course of the research (i.e., how identifiable private information will be handled, used/managed and/or disclosed);
    • The methods of accessing, storing, and safeguarding the data;
    • Whether a Certificate of Confidentiality for research will be sought from an appropriate federal agency (See Certificates of Confidentiality Kiosk).
  • Meets the additional requirements for maintaining confidentiality under the regulations at 28 CFR 512 (see GUI341) for research being conducted within the BOP;
  • Meets the additional requirements for maintaining confidentiality under the regulations at 28 CFR 46 (see GUI341) for research being sponsored by the DOJ/NIJ;
  • Maintains employee confidentiality statements by the National Institute of Justice, if applicable;
  • Submits the following HIPAA-related materials, if applicable:
    • HIPAA authorization, if applicable;
    • Request and justification for waiver (in whole or in part) or alteration of HIPAA authorization for the data being collected for the research;
    • Copies of any HIPAA privacy notices, authorizations, and/or waivers from non-UAB designated performance sites for IRB review.
  • At the time of submission of continuing review—Includes:
    • Changes to the protocol involving acquisition, use, or disclosure of identifiable private information or maintaining confidentiality of the data;
    • Any problems encountered in the research specifically related to preserving identifiable private information or maintaining confidentiality of the data;
  • Submits modifications to the research related to acquisition, use, and disclosure of identifiable private information and maintaining confidentiality for review and approval prior to initiation of the changes, unless the change is immediately necessary to protect against an immediate hazard to the participant’s privacy and confidentiality;
  • Submits problems that require prompt reporting after the problem has been identified (see POL006 UAB Policy to Ensure Prompt Reporting of Unanticipated Problems Involving Risks to Subjects or Others to the IRB).

OIRB Responsibilities

The Senior Staff:

  • At the time of initial, continuing, or modification review, if appropriate—Evaluates the HSP to determine if the following information is sufficient for presentation to the IRB for review:
    • Provisions for protecting the identifiable private information (data) of participants;
    • Provisions for maintaining the confidentiality of private information collected during the course of the research;
    • Methods to access, store, use, and safeguard data;
    • Whether a certificate of confidentiality is proposed;
    • HIPAA authorization or a HIPAA waiver (in whole or in part) for the data being collected for the research;
    • Copies of privacy notices and/or HIPAA authorizations/waivers from non-UAB designated performance sites.
  • Ensures that documentation of HIPAA waivers includes the following:
    • An identification of the IRB issuing the waiver and the date the waiver was approved;
    • A statement that the IRB has determined the criteria for a waiver are satisfied under the regulations;
    • A brief description of the PHI for which use or access has been determined to be necessary by the IRB for the research to be practicably conducted;
    • A statement that the waiver has been issued under either convened or expedited review; and
    • The signature of the Chair or designee.
  • Requests information/materials that were not included or addressed;
  • Forwards reports of problems regarding confidentiality that require prompt reporting (see POL006) to the Chair and to the convened IRB.

IRB Responsibilities

The IRB or Experienced IRB reviewer for expedited review at the time of initial, continuing, or modification review:

  • Reviews the proposed research and approves only if there are adequate provisions to maintain the confidentiality of identifiable data;
  • Determines whether subjects have the ability to choose the purposes for use of identifiable private information including disclosure;
  • May request that the investigator apply for a Certificate of Confidentiality from the appropriate NIH agency;
  • Determines, for waivers or alteration of HIPAA authorization, the following:
    • The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
      • An adequate plan to protect the identifiers from improper use and disclosure;
      • An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
      • Adequate written assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted.
    • The research could not practicably be conducted without the waiver or alteration; and
    • The research could not practicably be conducted without access to and use of the PHI.

Approved on April 26, 2010, by:

Ferdinand Urthaler, MD
IRB Chair

Sheila Deters Moore, CIP
OIRB Director