1
2 NORTHWESTERN UNIVERSITY
3 HIPAA Research Policy
4 (Revised as of December 13, 2005)
5
6
7 INTRODUCTION AND BACKGROUND
8
9 Northwestern University is committed to conducting research in a manner consistent with all
10 applicable Northwestern University policies as well as with applicable laws and regulations,
11 including but not limited to, the Health Insurance Portability and Accountability Act[1] and its
12 accompanying privacy standards[2] (collectively, “HIPAA”).
13
14 In general, Research is not an activity to which the HIPAA privacy standards apply.[3] In
15 addition, Northwestern University Personnel do not engage in treatment activities even when
16 treatment is provided in conjunction with a Research study in which such Personnel may be
17 involved. Therefore, when conducting Research, Northwestern University Personnel are not
18 Providers that are subject to the HIPAA privacy standards and corresponding sanctions for
19 violation of those standards.
20
21 However, the HIPAA privacy standards do regulate a Provider Entity’s disclosure of individual
22 health information to Northwestern University (including members of its faculty and other
23 Northwestern University personnel) for use and disclosure of such health information in
24 connection with Research. In general, HIPAA requires a Provider to obtain the written
25 authorization of a research subject prior to disclosure of his or her individual health information
26 in connection with the Research. In addition, HIPAA (a) grants privacy boards such as the
27 Northwestern University Institutional Review Board (“IRB”) the authority to grant waivers of
28 that authorization requirement, and (b) provides exceptions to the authorization requirement for
29 use of certain types of individual health information.[4]
30
31 Accordingly, Northwestern University has adopted this policy to address the HIPAA privacy
32 obligations of Provider Entities relating to the disclosure of health information concerning
33 subjects participating in Research and the role of Northwestern University and the Northwestern
34 University IRB with respect to those obligations.
35
[1] 42 U.S.C. §§ 1320d-1329d-8.
[2] 45 C.F.R. 160-164.
[3] 65 Fed. Reg. 82568 (December 28, 2000).
[4] These exceptions, which are addressed in further detail in this Policy, include individual health
information concerning decedents, individual health information that is either “de-identified”
within the meaning of HIPAA or part of a “limited data set” within the meaning of HIPAA, and
information used in connection with activities preparatory to research.
36 SCOPE OF POLICY
37
38 Subject to the transition provision stated below, this Policy applies to the creation, collection, use
39 or disclosure of all individual health information (whether identifiable or not) (“Information”) in
40 connection with Research activities in which Northwestern University Personnel are involved.
41
42 TRANSITION PROVISION
43
44 Northwestern University Personnel may continue to use and disclose Information concerning a
45 Research subject for a particular Research study, without obtaining the HIPAA authorization or
46 the IRB action required by this policy, regardless of when the information is created, collected or
47 received, if, prior to April 14, 2003, the Principal Investigator obtained, and has written
48 documentation of, any one of the following:
49
50 An authorization or other express legal permission from the Research subject to use or
51 disclose the Information for the Research study;
52 The Research subject’s informed consent to participate in the Research study; or
53 An IRB waiver of informed consent for the Research study.
54
55 If the Principal Investigator has such documentation for a Research subject, therefore, he or she
56 may create, collect or receive Information concerning such subject in connection with the study
57 even after April 14, 2003. Note, however, that the Principal Investigator must obtain an
58 Authorization or other IRB action required by this policy for any subject for which the Principal
59 Investigator did not obtain such written documentation prior to April 14, 2003, even if the IRB
60 granted approval for the Research study prior to that date.
61
62 POLICY REQUIREMENTS
63
64 Use or Disclosure of Information With Authorization
65
66 1) Authorization Requirement
67
68 a) As a general rule, a Provider must obtain an Authorization from all Research subjects
69 prior to the internal use or external disclosure of Information for any Research-related
70 purpose that is not otherwise permitted or required under this Policy.
71
72 Note that a special authorization form must be used for Research involving the use or
73 disclosure of Psychotherapy Notes or Information relating to HIV, mental health, genetic
74 testing, or drug or alcohol abuse.
75
76 The Authorization Templates the Principal Investigator must use are attached to this Policy as
77 Exhibit A.
78
79 b) An authorization is not required for creation, collection, use or disclosure by
80 Northwestern University Personnel of Information Northwestern University Personnel
81 obtain directly from an individual (e.g., from an individual who contacts Northwestern
82 University Personnel directly in response to a general advertisement for Research study
83 participants).
84
85 c) The Principal Investigator must complete the Authorization template and submit it to the
86 IRB for its prior review and approval. The Principal Investigator will also be responsible
87 for obtaining signed authorizations from the individual subjects participating in a
88 research study.
89
90 d) The IRB will provide a copy of the approved research Authorization to the Principal
91 Investigator.
92
93 e) The Principal Investigator must provide a copy of the signed Authorization for each
94 individual subject participating in the Research study to (1) the individual subject (or his
95 or her authorized representative) and (2) either the applicable Provider Entities or a
96 central repository the Provider Entities designate to receive copies of the Authorization
97 on their behalf.
98
99 2) Procedure for Signing an Authorization
100
101 a) Adults
102
103 (1) A competent individual, 18 years of age or older, should always sign the
104 authorization. A person is competent if he/she has the general ability to understand
105 the concept of release of his/her medical information.
106
107 (2) If an individual is competent, but unable to sign the authorization, the person
108 witnessing the form may write in “Subject unable to sign due to ___[insert
109 reason]_____________. Subject gave verbal permission.” The Authorization must
110 be witnessed.
111
112 (3) If the subject is not conscious, not coherent or not competent for whatever reason, a
113 legally authorized representative must sign the Authorization. Illinois law recognizes
114 the following, in order of priority, as individuals eligible to serve as the subject’s
115 legally authorized representative:
116
117 Court appointed Guardian, or Proxy designated by Durable Power of
118 Attorney;
119 Spouse;
120 Adult son or daughter;
121 Either parent;
122 Adult sibling; or
123 Adult relative by blood or marriage.
124
125 b) Minors
126
127 (1) Any parent may sign for a minor child in his/her legal custody;
128
129 (2) Any minor who has been lawfully married and any minor parent or legal custodian of
130 a child may sign for him/herself, his/her child and any child in his/her legal custody;
131
132 (3) Any minor may sign for him/herself in case of:
133
134 Pregnancy, but excluding abortions;
135 Venereal disease;
136 Drug or substance abuse.
137
138 (4) Any adult standing in loco parentis, whether serving formally or not, may sign for
139 his/her minor charge in case of emergency.
140
141 IRB Approval of Uses and Disclosures of Information that Do Not Require Either the
142 Subject’s Authorization or the IRB’s Waiver of Authorization
143
144 1) Use and Disclosure of Decedent’s Information
145
146 a) Northwestern University Personnel may use and disclose a decedent’s Information for
147 Research without an Authorization or IRB waiver if all the following criteria are
148 satisfied:
149
150 (1) The use will be solely for Research on the Information of a decedent; and
151
152 (2) The Principal Investigator has documentation of the death of the individual about
153 whom information is being sought; and
154
155 (3) The Information sought is necessary for the purposes of the Research.
156
157 Note, however, that this exception may not be available for decedent Information that
158 contains Psychotherapy Notes or Information relating to HIV, mental health, genetic
159 testing, or drug or alcohol abuse.
160
161 c) Uses or Disclosures of a decedent’s Information for Research purposes are subject to the
162 Minimum Necessary requirements outlined in HIPAA. When using or disclosing
163 Information or when requesting Information from one of the Provider Entities, reasonable
164 efforts must be made to limit Information to the minimum amount necessary to
165 accomplish the intended purpose of the use, disclosure or request.
166
167 d) Before Northwestern University Personnel may use decedent Information, the Principal
168 Investigator must provide the Northwestern University IRB with documentation
169 evidencing compliance with the above criteria and the Minimum Necessary standard, and
170 obtain the IRB’s approval to use the decedent’s information on that basis, using the forms
171 set forth in Exhibit B.
172
173 e) The Principal Investigator must provide a copy of the IRB approval form to either the
174 applicable Provider Entities or a central repository the Provider Entities designate to
175 receive copies of the form on their behalf.
176
177 2) Information Protected Under the Family and Educational Records Protection Act
178
179 a) HIPAA does not apply to Information that is contained within “education records”
180 covered by the Family and Educational Rights and Privacy Act of 1974 (“FERPA”) or to
181 “student health records” that are exempted from the coverage of FERPA.[5] Education
182 records may be used or disclosed for Research purposes without obtaining either a
183 HIPAA Authorization or an IRB waiver. However, in the event the Investigator seeks to
184 use personally identifiable information contained within the student’s education record,
185 the Principal Investigator must secure a valid consent from the student.[6]
186
187 b) Before using Information contained within an education record, the Principal Investigator
188 shall provide the Northwestern University IRB with documentation evidencing that the
189 Information being used, disclosed or requested in connection with a Research study
190 qualifies as an “education record” covered by FERPA and obtain the IRB’s approval to
191 use such Information on the basis that 1) the Investigator has obtained the requisite
192 consent from the student under FERPA or 2) that consent is not required, using the form
193 set forth in Exhibit C. In the event that a student’s consent is required, the Principal
194 Investigator must obtain the consent of the student whose personally identifiable
195 information is being disclosed, using the form set forth in Exhibit D.
196
197 c) The Principal Investigator must provide a copy of the IRB approval form and the
198 individual consents to the Northwestern University representative or location designated
199 by the IRB.
200
[5] 20 USC sec. 1232g(a)(4)(A) (2002); 20 USC sec. 1232g(a)(4)(B)(iv) (2002).
[6] 34 CFR sec. 99.30 (2002).
201 3) Review of Information Preparatory to Research
202
203 a) Northwestern University Personnel may use or disclose Information without an
204 Authorization or IRB waiver for the development of a Research protocol if the use or
205 disclosure satisfies all of the following criteria:
206
207 (1) The use or disclosure of Information is solely (i) to prepare a Research protocol
208 (including, without limitation, designing a study, assessing the feasibility of
209 conducting a study, assessment of whether a sufficient and appropriate subject pool
210 exists to support the study) and/or (ii) to contact individuals to enroll them in a study
211 as long as such Northwestern University Personnel are covered by a Business
212 Associate Agreement with the Provider Entity.
213
214 (2) The Principal Investigator shall not record or remove the Information from Provider
215 Entities; and
216
217 (3) The Information sought is necessary for the purposes of the Research; and
218
219 (4) The use or disclosure of Information is performed in accordance with any applicable
220 policies of the Provider Entity.
221
222 Note, however, that this exception may not be available for the use or disclosure of
223 Information that contains Psychotherapy Notes or Information relating to HIV, mental
224 health, genetic testing, or drug or alcohol abuse.
225
226 b) A Healthcare Professional, when acting as a health care provider rather than as an
227 investigator, or a member of the Provider’s Workforce where the Healthcare Professional
228 practices, may, without a prior IRB approval of an exception to the Authorization or
229 waiver requirement, review, for purposes preparatory to Research (e.g., (i) to prepare a
230 Research protocol (including, without limitation, designing a study, assessing the
231 feasibility of conducting a study, assessment of whether a sufficient and appropriate
232 subject pool exists to support the study) and/or (ii) to identify and contact potential
233 research participants), Information in the medical records to which the Healthcare
234 Professional has access in the normal course of his or her own private medical/healthcare
235 provider practice or as a member of the Workforce of the practice of another Healthcare
236 Professional. Any such review preparatory to Research by anyone other than the
237 Healthcare Professional himself or herself or a member of the Workforce is subject to
238 the IRB approval requirements of this Subsection 3.
239
240 c) Uses or Disclosures of Information preparatory to Research are subject to the Minimum
241 Necessary rules. When using or disclosing Information or when requesting Information
242 from a Provider Entity, reasonable efforts must be made to limit Information to the
243 minimum necessary to accomplish the intended purpose of the use, disclosure or request.
244
245 d) Prior to using Information for such purposes, the Principal Investigator shall adhere to
246 any and all applicable policies or guidelines in effect at the Provider Entities regarding
247 the Uses or Disclosures of Information preparatory to Research.
248
249
250 4) “De-Identified” Health Information
251
252 a) De-identified health information is exempt from HIPAA and may be used or disclosed
253 for Research purposes without an Authorization or IRB waiver pursuant to the standards
254 set forth in Exhibit F attached to this Policy.
255
256 b) The de-identified information may be assigned a “re-identification code” that can be
257 affixed to the Research record that will permit the information to be re-identified if
258 necessary, provided that the key to such a code is not accessible to the Northwestern
259 University Personnel requesting to use or disclose the de-identified health information.
260
261 c) Prior to use of de-identified Information by Northwestern University Personnel, the
262 Principal Investigator shall provide the Northwestern University IRB with written
263 certification that the Information being used, disclosed or requested in connection with a
264 Research study has been de-identified pursuant to Exhibit F and documentation
265 evidencing compliance with the Minimum Necessary standard, and obtain the IRB’s
266 approval to use such Information on that basis, using the forms set forth in Exhibit G
267 attached to this Policy.
268
269 d) The Principal Investigator must provide a copy of the IRB approval form to either the
270 applicable Provider Entities or a central repository the Provider Entities designate to
271 receive copies of the form on their behalf.
272
273 5) Limited Data Set
274
275 a) Northwestern University Personnel may use or disclose a Limited Data Set for any
276 Research purpose without an Authorization or Waiver of Authorization.
277
278 Note, however, that this exception may not be available for the use or disclosure of a
279 Limited Data Set that contains Psychotherapy Notes or Information relating to HIV,
280 mental health, genetic testing, or drug or alcohol abuse.
281
282 b) A “Limited Data Set” is defined as Information that may include any of the following
283 direct identifiers:
284
285 i) Town, city, State and zip code;
286 ii) All elements of dates directly related to an individual, including birth date, admission
287 date, discharge date, and date of death.
288
289 c) A Limited Data Set must exclude all of the direct identifiers of the individual, or of the
290 individual’s relatives, employers, or household members, that are set forth in
291 Exhibit H.
292
293 d) Uses or Disclosures of Information included in a Limited Data Set are subject to the
294 Minimum Necessary rules. When using or disclosing Information or when requesting
295 Information from a Provider Entity, reasonable efforts must be made to limit Information
296 to the minimum necessary to accomplish the intended purpose of the use, disclosure or
297 request.
298
299 e) Prior to use of a Limited Data Set by Northwestern University Personnel, the Principal
300 Investigator shall provide the IRB with certification that the Information being used,
301 disclosed or requested is a limited data set pursuant to Exhibit H and documentation
302 evidencing compliance with the Minimum Necessary standard, and obtain the IRB’s
303 approval to use the Information on that basis, using the forms set forth in Exhibit I
304 attached to this Policy.
305
306 f) The Principal Investigator must provide a copy of the IRB approval form to either the
307 applicable Provider Entities or a central repository the Provider Entities designate to
308 receive copies of the form on their behalf.
309
310 g) Northwestern University Personnel may thereafter use the approved Limited Data Set
311 only pursuant to an executed Data Use Agreement in substantially the form attached
312 hereto as Exhibit J.
313
314 IRB Waiver of Authorization
315
316 1) In general, the IRB may waive, in whole or in part, the HIPAA Authorizations otherwise
317 required under this Policy for the Use or Disclosure of Information for a Research study if
318 the Principal Investigator provides the IRB with documentation demonstrating that such Use
319 or Disclosure satisfies the criteria set forth in Exhibit K. Note, however, that no full or
320 partial waiver of the Authorization requirement is available for use or disclosure of
321 Information relating to AIDS/HIV, mental health, substance abuse or genetic testing.
322 Therefore, an authorization must be obtained for such uses and disclosures using the
323 special authorization forms attached to this policy.
324
325 2) Notwithstanding the foregoing, no full or partial waiver of the Authorization requirement is
326 necessary for Use or Disclosure of Information for Recruitment activities involving actual
327 contact with individuals to enroll them in the study by any person who is a member of a
328 Provider’s Workforce or by Northwestern University Personnel covered by a Business
329 Associate Agreement with the Provider. Note, however, that in such cases, any applicable
330 IRB Informed Consent requirements must still be satisfied.
331
332 3) Unless covered by paragraph 2 above, the Principal Investigator must complete a request
333 for Waiver of Authorization and submit the request to the IRB for prior review and approval.
334 If the request is for a waiver to permit Northwestern University Personnel not covered by a
335 Business Associate Agreement with the Provider to undertake research activities including
336 actually contacting individuals to enroll them in the study without obtaining the prior
337 authorization of the subjects, the Principal Investigator should use the Waiver of
338 Authorization Form in Exhibit L attached hereto.
339
340 4) A Healthcare Professional, when acting as a health care provider rather than as an investigator,
341 may, without a prior Authorization, IRB waiver of the Authorization, or IRB approval of an
342 exception to the Authorization or waiver requirement, review, for Recruitment purposes,
343 Information in the medical records to which the Healthcare Professional has access in the
344 normal course of his or her own private medical/healthcare provider practice or as a member
345 of the Workforce of the practice of another Healthcare Professional. Any such review by
346 anyone other than the Healthcare Professional himself or herself, members of the Healthcare
347 Professional’s own Workforce or any Northwestern University Personnel covered by a
348 Business Associate Agreement is subject to the provisions of paragraphs 1 and 3 above that
349 require either an authorization or a waiver of authorization.
350
351 5) The Principal Investigator must provide a copy of the IRB approval form to either the
352 applicable Provider Entities or a central repository the Provider Entities designate to receive
353 copies of the form on their behalf.
354
355 6) Uses or Disclosures of Information made pursuant to a Waiver are subject to the Minimum
356 Necessary requirements outlined in HIPAA. When using or disclosing Information or when
357 requesting Information from one of the Provider Entities, reasonable efforts must be made to
358 limit Information to the minimum amount of Information necessary to accomplish the
359 intended purpose of the use, disclosure or request.
360
361 Revocation of Authorization
362
363 1) As a general rule, an individual may revoke his/her Authorization, in writing to the Principal
364 Investigator, at any time. See Sample Revocation attached as Exhibit M to this policy.
365
366 2) The revocation will be applicable to the protocol or protocols specified by the individual.
367 However, Northwestern University Personnel may continue to use and disclose, for Research
368 integrity and reporting purposes, any Information collected about the individual pursuant to a
369 valid Authorization before it was revoked.
370
371 3) The Principal Investigator shall forward a copy of the written revocation to (a) the individual
372 subject (or his or her authorized representative) and (b) either the applicable Provider Entities
373 or a central repository the Provider Entities designate to receive copies of the revocation on
374 their behalf. The Principal Investigator shall also keep copies of all revocations of
375 Authorizations for a specific protocol, and report them to the IRB at the time of continuing
376 review.
377
378 Maintaining the Research Record
379
380 1) The Principal Investigator in a Research study shall be responsible for ensuring that all
381 Information created in the course of the Research study is maintained in Research records
382 that are owned by Northwestern University and that are separate from the medical records
383 maintained by Providers concerning treatment provided to the Research subjects.
384
385 2) The Principal Investigator shall also work with the Providers who are providing treatment in
386 connection with the Research study to incorporate promptly into the Research subjects’
387 medical records the Information concerning such treatment.
388
389 Individual’s Rights With Regard To Their Information
390
391 1) Access to Research Information
392
393 a) As a general rule, individuals who participate in Research have a right to access their
394 own Information that is maintained by a Provider (or a third party the Provider retains to
395 provide services to or perform functions for the Provider) in the medical records the
396 Provider generates in the course of treating the individuals.
397
398 b) However, individuals participating in a Research study that includes treatment
399 (i.e., clinical trials) may be denied access to the Information generated in their medical
400 records in connection with treatment provided as part of a Research study, provided
401 that:
402
403 (1) The Information was obtained in the course of the Research;
404 (2) The individual agreed to the denial of access in the applicable Authorization;
405 (3) The Research study has not been completed; and
406 (4) The individual’s rights to access such Information are reinstated once the Research
407 study has ended and the Research Authorization has expired.
408
409 c) In addition, Information generated in the course of the Research that is not included in the
410 medical record is not subject to the access requirement.
411
412 2) Accounting of Disclosures
413
414 a) As a general rule, an individual must be provided with an accounting of all disclosures of
415 his/her Information used for Research purposes, unless such disclosure was made
416 pursuant to an Authorization, or is part of De-Identified Information or a Limited Data
417 Set used pursuant to a Data Use Agreement.
418
419 b) The Providers shall use the forms the Principal Investigator obtains from the
420 Northwestern University IRB approving (1) the use of Information pursuant to a whole or
421 partial waiver of the Authorization requirement, or (2) the use of decedent information,
422 and (3) the use of Information in preparation of a Research study protocol, to track
423 disclosures of Information that are subject to the HIPAA accounting requirement.
424
425
426
427 DEFINITIONS
428
429 Authorization is the written confirmation that a Research subject has voluntarily agreed,
430 pursuant to an Authorization in substantially the form required by this Policy, to permit the use,
431 sharing, copying and release of his or her current and future health information related to a
432 particular Research study, after having been apprised of the types of persons permitted to make
433 such uses and releases of health information, their rights in connection with that information and
434 the potential risks relevant to the subject’s decision to permit use and release of health
435 information.
436
437 Business Associate Agreement is an agreement entered into by Northwestern University as an
438 entity engaged in Research and a Provider Entity, where Northwestern University performs such
439 activities as to aid in study Recruitment on behalf of the Provider Entity.
440
441 Disclosure means the release, transfer, provision of access to, or divulgence in any other manner,
442 of information to any organization external to the entity holding the information.
443
444 Healthcare Professional means a physician, nurse, nutritionist, therapist or other individual who
445 is both trained in a particular area of health care delivery and directly involved in the delivery of
446 clinical care to patients.
447
448 HIPAA means the Health Insurance Portability and Accountability Act of 1996 and the privacy
449 regulations promulgated under the Act.
450
451 Information (“Information”) means individual health information (whether identifiable or not)
452 transmitted or maintained in any form or medium.
453
454 Northwestern University shall include all operations of Northwestern University, including,
455 without limitation, all Northwestern University controlled research centers and institutes.
456
457 Northwestern University Personnel shall include all faculty, staff (including student
458 employees), students, residents, post-doctoral fellows, and non-employees (including visiting
459 faculty, courtesy, affiliate and adjunct faculty, industrial personnel, fellows, etc.).
460
461 Provider or Provider Entity means any health care provider that is a “Covered Entity” within
462 the meaning of HIPAA, including, without limitation, the following: (1) any provider Covered
463 Entity Components of Northwestern University, (2) Northwestern Memorial Hospital (“NMH”);
464 (3) The Rehabilitation Institute of Chicago (“RIC”); (4) Northwestern Memorial Faculty
465 Foundation (“NMFF”); (5) other McGaw affiliated hospitals and health care facilities; and
466 (6) physicians acting as health care providers, not as researchers.
467
468 Recruitment of subjects for a research study includes (1) review of Information for the purpose
469 of identifying specific individuals to enroll as study participants, and (2) actually contacting such
470 individuals to enroll them in the study. Recruitment does not include review of Information for
471 purposes of ascertaining whether or not a sufficient and appropriate pool of subjects exists to
472 support the Research Study.
473
474 Research means a systematic investigation, including research development, testing and
475 evaluation, designed to develop or contribute to generalizable knowledge.
476
477 Use means, with respect to individually identifiable health information, the sharing, employment,
478 application, utilization, examination, or analysis of such information within an entity that holds
479 such information.
480
481 Workforce means employees, volunteers, trainees, and other persons whose conduct, in the
482 performance of work for a Provider Entity, is under the direct control of such Entity, whether or
483 not they are paid by the Provider Entity.
484
485
486
487 EXHIBIT A
488
489 HIPAA REQUIRED ELEMENTS OF AN AUTHORIZATION
490
491
492 Under HIPAA, researchers must obtain written authorization from subjects before using or
493 collecting protected health information. An Authorization should be obtained in writing from
494 prospective subjects.
495
496 Under HIPAA, the following core elements and statements must be included in the authorization
497 document. Attached is a template authorization form for your guidance.
498
A description of the individually identifiable protected health information (PHI) to be
used/disclosed in a specific and meaningful fashion (e.g., list the types of data to be collected
from the medical record);

The name of the person(s) or class of persons to whom the covered entity may make the
requested use or disclosure (i.e., researchers must list all of the entities [by name or by class]
that might have access to the study’s PHI such as the IRB, NU representatives, sponsors,
Food and Drug Administration, data safety and monitoring board or any others given
authority by law);

A description for each purpose of the requested use or disclosure (e.g., list reasons why the
PHI is collected such as to be able to conduct the research and to ensure that the research
meets legal, institutional, or accreditation requirements; list purpose of research);

An expiration date or an expiration event that relates to the use or disclosure (i.e., length of
time researchers plan to maintain the data). The statement “end of research study”, “none”,
or similar language is sufficient;

A description of how the individual may revoke the authorization and the exceptions to the
revocation. The subjects must be told how they can withdraw. Any request for revocation
must be in writing. Also, the subjects should be told that if they do revoke, they can no
longer participate in research, but researchers may use the PHI already obtained to maintain
the integrity of the study.

For studies conducted under the oversight of the NU OSRP, a researcher can obtain PHI without authorization only
if the data (PHI) is de-identified, is part of a limited data set, is decedent information or an IRB approved Waiver of
Authorization is obtained.

PHI: individually identifiable health information transmitted or maintained in any form (electronic means, on
paper, or through oral communication) that relates to the past, present or future physical or mental health or
conditions of an individual; the provision of health care to an individual, or the past, present or future payment for
the provision of health care to an individual.

A statement that a subject’s treatment, payment or enrollment in any health plan or their
eligibility for benefits will not be affected if they refuse to sign the authorization;

A statement that the subject may not participate in a research study if they refuse to sign the
authorization;

An explanation that information disclosed pursuant to the authorization may no longer be
protected when re-disclosed by the recipient (i.e., if the researchers disclose the information
collected to a third party, then the HIPAA protections may no longer be in place);

A signature of the individual and date. If a personal representative signs the authorization, a
description of the representative’s authority must be provided;

Optional item: Under HIPAA, subjects have the right to access their PHI. In research, this
right can be suspended while the research is in progress. However, subjects must be told in
the authorization that this right has been suspended and the conditions of the suspension must
be listed. The subjects should also be informed that their right to access the PHI will be
reinstated at the conclusion of the research study.

The authorization must be written in plain language;

The subject must be given a copy of the signed authorization.

EXHIBIT A

HIPAA Authorization form
http://www.northwestern.edu/research/OPRS/irb/hipaa/docs/HIPAAAuthorization.doc

HIPAA Sensitive Authorization form
http://www.northwestern.edu/research/OPRS/irb/hipaa/docs/HIPAASensitive.doc

EXHIBIT B

HIPAA Exception form (Section 9)
http://www.northwestern.edu/research/OPRS/irb/hipaa/docs/HIPAAException.doc

EXHIBIT C

Coming soon

EXHIBIT D

Student Consent to the Release of Education Records to a Third Party

The Family Educational Rights and Privacy Act of 1974 (“FERPA”) allows students at an institution of higher
education to control outside access to their education records. Without a student’s written consent, Northwestern
University may not disclose information from a student’s education records to outside third parties except as
provided under FERPA. Generally, a student must authorize the release of personally identifiable information
contained within his/her education records. To do so, the following release must be completed.

Student’s Name: __________________________________________

I hereby consent to the release of personally identifiable information contained within my education record,
including _______________________________________________________.

I understand that this information is being disclosed to _________________________________
_____________________________________________ for research purposes. I understand that pursuant to this
release, the information specified above will only be released to the above referenced individual and that there shall
be no further disclosure of the information contained in my education record.

I understand that I am entitled to a copy of the records disclosed pursuant to this release upon request.

_____________________________________________          _____________________
Student’s Signature                                    Date

EXHIBIT E

HIPAA Exception form (section 7)
http://www.northwestern.edu/research/OPRS/irb/hipaa/docs/HIPAAException.doc

EXHIBIT F

DE-IDENTIFICATION STANDARDS

De-Identification. For research where no individually identifiable information is required,
De-identified Data may be used provided that one of the following two methods is satisfied:

1. Statistical Certification: obtain statistical certification from a person having
   appropriate knowledge and experience with generally accepted statistical and
   scientific principles and methods for rendering information not individually
   identifiable that there exists only a very small risk that an anticipated recipient could
   identify the subject using the information alone or in combination with other available
   information; or

2. Strip Identifiers. The following Identifiers must be removed to satisfy the
   requirements of the De-Identification safe harbor:

   Names
   All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
      The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people
      The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
   All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
   Telephone numbers
   Fax numbers
   Electronic mail addresses
   Social security numbers
   Medical record numbers
   Health plan beneficiary numbers
   Account numbers
   Certificate/license numbers
   Vehicle identifiers and serial numbers, including license plate numbers
   Device identifiers and serial numbers
   Web Universal Resource Locators (URLs)
   Internet Protocol (IP) address numbers
   Biometric identifiers, including finger and voice prints
   Full face photographic images and any comparable images; and
   Any other unique identifying number, characteristic, or code; except as permitted by paragraph (c) of this section

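The strip-identifiers rules above can be applied to a record as a deny-by-default transform. The following is an added example, not part of the University's policy or forms; the field names, the pass-through list, the sample records and the ZIP population figures are all constructed assumptions.

```python
from datetime import date

# Constructed placeholder populations per 3-digit ZIP prefix; real figures must
# come from current Census Bureau data.
ZIP3_POPULATION = {"606": 2_700_000, "036": 15_000}

# Hypothetical schema: fields assumed safe to keep unchanged. Anything not
# listed here or handled below is dropped, which also covers the catch-all
# "any other unique identifying number, characteristic, or code".
PASS_THROUGH = {"state", "sex", "diagnosis_code"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed sample records (not real patient data).
SAMPLE_RECORDS = [
    {"name": "Constructed Patient A", "zip": "60611", "state": "IL",
     "birth_date": date(1950, 3, 2), "admission_date": date(2005, 11, 30),
     "age": 55, "diagnosis_code": "E11.9", "mrn": "constructed-0001",
     "study_notes": "free text may contain identifiers"},
    {"name": "Constructed Patient B", "zip": "03601",
     "birth_date": date(1912, 1, 1), "age": 93,
     "email": "patient.b@example.org"},
]


def generalize_zip(zip_code, zip3_population):
    """Keep the 3-digit prefix only if its area has more than 20,000 people."""
    zip3 = str(zip_code).strip()[:3]
    if len(zip3) == 3 and zip3_population.get(zip3, 0) > 20_000:
        return zip3
    return "000"  # small or unknown area: fail closed


def age_on(birth, as_of):
    """Age in whole years on the date as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def deidentify(record, zip3_population, as_of):
    """Return (de-identified record, sorted list of dropped field names)."""
    age = record.get("age")
    if age is None and isinstance(record.get("birth_date"), date):
        age = age_on(record["birth_date"], as_of)
    over_89 = age is not None and age > 89

    out, dropped = {}, []
    for field, value in record.items():
        if field in PASS_THROUGH:
            out[field] = value
        elif field == "zip":
            out["zip3"] = generalize_zip(value, zip3_population)
        elif field == "age":
            out["age"] = "90+" if over_89 else value
        elif field in DATE_FIELDS and not (over_89 and field == "birth_date"):
            # Dates keep the year only; a birth year that reveals an age
            # over 89 falls through to the drop branch instead.
            out[field.replace("_date", "_year")] = value.year
        else:
            dropped.append(field)
    return out, sorted(dropped)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(deidentify(rec, ZIP3_POPULATION, date(2005, 12, 13)))
```
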

EXHIBIT G

HIPAA Exception form (section 6)
http://www.northwestern.edu/research/OPRS/irb/hipaa/docs/HIPAAException.doc

EXHIBIT H

LIMITED DATA SET STANDARDS

Limited Data Sets. For research activities and health care operations that only require limited
identifiable information, Limited Data Sets may be used, provided that the following
requirements are satisfied:

Strip Identifiers. The following Identifiers must be removed to satisfy the requirements of
the Limited Data Set safe harbor:

   Names;
   Postal address information, other than town and city, State, and zip code;
   Telephone numbers;
   Fax numbers;
   Electronic mail addresses;
   Social security numbers;
   Medical record numbers;
   Health Plan beneficiary numbers;
   Account numbers;
   Certificate/license numbers;
   Vehicle identifiers and serial numbers, including license plate numbers;
   Device identifiers and serial numbers;
   Web Universal Resource Locators (URLs);
   Internet Protocol (IP) address numbers;
   Biometric identifiers, including finger and voice prints; and
   Full face photographic images and any comparable images.
   Note: May assign any code to re-identify

Data Use Agreement. The Data Use Agreement must address the following:

   Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity;
   Establish who is permitted to use or receive the limited data set; and
   Provide that the limited data set recipient will:

      Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
      Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
      Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;
      Ensure that any agents, including a subcontractor, to whom it provided the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
      Not identify the information or contact the individuals

EXHIBIT I

HIPAA Exception form (section 8)
http://www.northwestern.edu/research/OPRS/irb/hipaa/docs/HIPAAException.doc

and Description of Limited Data Set and Activities - Addendum to HIPAA Application for
Exception Form and to the Master Data Use Agreement)
http://www.northwestern.edu/research/OPRS/irb/hipaa/docs/HIPAALimitedDataSet.doc

Please call the Office for the Protection of Research Subjects (312-503-3259) prior to
completing a HIPAA Exception under the Limited Data Set.

EXHIBIT J

DATA USE AGREEMENT

THIS DATA USE AGREEMENT (“Agreement”) is entered into effective as of the date set forth in Section
VI.A (“Effective Date”), by and between ________________________________________, on behalf of itself, its
subsidiaries and affiliates (collectively, “Covered Entity”), and Northwestern University, including without
limitation all of its research centers and institutes (hereinafter, “NU”).

WHEREAS:

(a) The Covered Entity and NU collaborate with one another in connection with research involving
the use of protected health information (“PHI”) that is regulated by the Health Insurance Portability and
Accountability Act of 1996 and the privacy regulations promulgated thereunder (collectively, “HIPAA”);

(b) From time to time, such research will be conducted using PHI disclosed by Covered Entity to NU
in a form that constitutes a “limited data set” as defined under HIPAA; and

(c) The parties wish to enter into this Data Use Agreement for the purposes of establishing a
consistent set of terms and conditions that will govern the use and disclosure of any limited data set disclosed by
Covered Entity to NU in connection with such research and that will meet the Covered Entity’s HIPAA obligations
with regard to such use and disclosure when the Covered Entity has not obtained from the individuals whose PHI is
included in the limited data set an authorization that covers the creation, use and disclosure of the limited data set.

NOW THEREFORE, in consideration of the foregoing and of the representations, warranties and covenants set
forth below, the parties hereby agree as follows:

I. SCOPE AND PURPOSE OF DISCLOSURE

For each research study involving the disclosure of a limited data set to
NU for which the Covered Entity has not obtained, from the individuals whose PHI is
included in the limited data set, an authorization that covers the creation, use and
disclosure of the limited data set, Covered Entity and NU will develop an exhibit, in the
form attached hereto as Exhibit A, that will become a part of this Agreement. Such
Exhibit will set forth both: (1) a detailed description of the limited data set that will be
used in connection with that study, including, without limitation, the particular elements
of PHI that will be used (each such limited data set shall be considered a “Limited Data
Set” covered by this Agreement); and (2) a detailed description of the applicable research
study and the nature of the intended uses and disclosures of the limited data set in
connection with that study (all of which shall be considered “Activities” covered by this
Agreement). Such Exhibits shall be numbered, sequentially, beginning with Exhibit A-1.
Each such Limited Data Set (a) shall not include any identifiers other than those HIPAA
permits a limited data set to include, and (b) shall include only the minimum necessary
PHI required for the Activities for which the Limited Data Set will be used.

II. OWNERSHIP

NU acknowledges that each Limited Data Set disclosed under this
agreement and all PHI included therein shall be and remain the sole property of Covered
Entity.

III. CREATION OF THE LIMITED DATA SET

Covered Entity will be the party creating the Limited Data Set. If NU,
rather than the Covered Entity or a third party on behalf of Covered Entity, creates the
Limited Data Set, then NU and the Covered Entity will have to enter into a separate
Business Associate Agreement that allows NU to create the Limited Data Set.

IV. OBLIGATIONS AND ACTIVITIES OF NU AS DATA RECIPIENT

NU, as the recipient of each Limited Data Set, provides the following satisfactory assurances, as required
by 45 C.F.R. § 164.514(e)(4) or any future corresponding provision of HIPAA.

A. Safeguards. NU may use and disclose each Limited Data Set only for the applicable Activities or
   as otherwise permitted or required by law. NU agrees to maintain each Limited Data Set in strict
   confidence and to use appropriate safeguards to prevent the improper use or disclosure of the
   Limited Data Set. NU agrees not to use any Limited Data Set in such a way as to reveal identifiers
   other than those included in the Limited Data Set and not to contact any subject of the Limited
   Data Set. NU shall limit the use or disclosure of the Limited Data Set to only those entities,
   individuals or classes of individuals who perform, or assist NU in the performance of, the
   Activities.

   1. Prior to disclosing any Limited Data Set to another entity or entities or to
      individuals other than NU Personnel (collectively, “Third Parties”), NU shall
      require such Third Parties to join as a party to this Agreement for the Limited
      Data Set and Activities set forth in the applicable Exhibit A by executing a
      Joinder Agreement in substantially the form attached hereto as Exhibit B. NU
      shall provide Covered Entity with a copy of each Joinder Agreement promptly
      following its execution at the Covered Entity’s request. For purposes of this
      Section, “NU Personnel” shall mean all faculty, staff (including student
      employees), students, residents, post-doctoral fellows, and non-employed
      individuals (including visiting faculty, courtesy, affiliate and adjunct faculty,
      industrial personnel, fellows), agents and vendors who conduct research under
      NU’s direct supervision and on NU’s behalf.

   2. NU will take all reasonable steps necessary to make NU Personnel to whom it
      discloses a Limited Data Set in accordance with this Agreement aware of the
      provisions of this Agreement relating to the confidentiality and safeguarding of
      the Limited Data Set.

B. Reporting of Disclosures of PHI. If NU becomes aware of any use or disclosure of Limited Data
   Set in violation of this Section IV by NU or Third Parties, then NU shall immediately report such
   use or disclosure to Covered Entity. NU shall, to the extent practicable, mitigate any harmful effect
   that is known to NU of a use or disclosure of PHI by NU in violation of this Agreement.

C. Failure to Maintain Confidentiality. It is understood and agreed that money damages will not be a
   sufficient remedy for any breach of this Agreement and that Covered Entity shall be entitled to
   specific performance and injunctive or other equitable relief, in addition to all other remedies
   available at law or equity, as a remedy for any such breach.

D. Disclosure Pursuant to Subpoena, Judicial Order, Etc. In the event NU receives a subpoena or
   other validly issued administrative or judicial process requesting disclosure of a Limited Data Set,
   NU shall promptly notify Covered Entity to allow Covered Entity time to challenge such
   disclosure. Unless the demand shall have been timely limited, quashed or extended, NU may
   disclose PHI included in a Limited Data Set to the extent required by law.

V. INDEMNIFICATION

NU shall indemnify, defend and hold harmless Covered Entity, and its trustees, officers, directors,
employees and agents, from and against any claim, cause of action, liability, damage, cost or expense
(including, without limitation, reasonable attorney’s fees and court costs) arising out of or in connection
with any use or disclosure of all or part of the Limited Data Set in violation of this Agreement by NU or a
Third Party.

VI. TERM AND TERMINATION

A. The provisions of this Agreement shall be effective as of the later of April 14, 2003 or the
   provision of the first Limited Data Set by Covered Entity to NU, and shall remain in
   effect unless terminated by the parties pursuant to the terms of this Agreement.

B. Covered Entity may terminate this Agreement with respect to a particular Limited Data
   Set upon material breach of Section IV of this Agreement by NU or a Third Party with
   respect to such Limited Data Set. Covered Entity shall provide NU with written notice of
   the existence of an alleged breach. Covered Entity shall then elect either to take steps to
   cure the alleged breach or to afford NU at least thirty (30) days in which to cure the
   alleged breach. Covered Entity will inform NU of its election in the written notice. If
   Covered Entity elects to allow NU to cure the breach and NU effects a cure within thirty
   (30) days of its receipt of written notice, this Agreement shall remain in force with
   respect to the particular Limited Data Set. If Covered Entity elects to allow NU to cure
   and NU fails to effect a cure within such 30-day period, this Agreement shall terminate at
   the end of the 30-day period with respect to the particular Limited Data Set. If Covered
   Entity elects to take steps to cure the alleged breach and effects a cure, Covered Entity may
   elect, but is not required, to keep this Agreement in force. If in such case Covered Entity
   elects not to keep the Agreement in force, it shall so notify NU and such notice shall
   include the effective date of the termination of the Agreement with respect to the
   particular Limited Data Set. If Covered Entity fails to cure the alleged breach within the
   30-day period following written notice, this Agreement shall terminate at the end of that
   30-day period with respect to the particular Limited Data Set.

C. Upon termination of this Agreement with respect to a particular Limited Data Set, NU
   shall promptly return to Covered Entity that Limited Data Set and any and all documents,
   records, notes, communications, writing, charts, or other recorded matter of any kind
   relating to that Limited Data Set.

D. Either party may terminate this Agreement in its entirety in the event of a material breach
   of the Agreement (other than a breach covered under subsection B of this Section VI) that
   remains uncured by the breaching party for more than thirty (30) days following receipt
   of notice of the breach and intent to terminate from the non-breaching party. Such
   termination shall take effect as of the end of the thirty-day cure period.

E. Either party may terminate this Agreement in its entirety, without cause, by giving One
   Hundred Eighty (180) days’ prior written notice to the other party, provided, however,
   that, with respect to one or more particular Limited Data Sets being used for a Research
   Study as of the date of such termination, the Agreement shall remain in full force and
   effect with respect to the applicable limited data set(s) until the completion of the
   applicable Research Study or Studies.

VII. MISCELLANEOUS

A. The terms of Section(s) II, IV, V, and VI.E of this Agreement shall survive termination of this
   Agreement.

B. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with HIPAA.

C. There are no intended third party beneficiaries to this Agreement. Without in any way limiting the
   foregoing, it is the parties’ specific intent that nothing contained in this Agreement gives rise to any
   right or cause of action, contractual or otherwise, in or on behalf of the individuals whose PHI is used
   or disclosed pursuant to this Agreement.

D. No provision of this Agreement may be waived or amended except by an agreement in writing signed
   by the waiving party. A waiver of any term or provision shall not be construed as a waiver of any
   other term or provision and shall only apply to the specific time or circumstances set forth in the
   written waiver. The parties agree to take such reasonable steps as are necessary to amend this
   Agreement from time to time for Covered Entity to comply with the requirements of HIPAA.

E. The persons signing below have the right and authority to execute this Agreement.

F. Terms not defined herein shall have the meaning set forth in HIPAA.

G. This Agreement shall be construed in accordance with and governed by the laws of the State of
   Illinois; provided, however, that the conflicts of law principles of the State of Illinois shall not apply to
   the extent that they would operate to apply the laws of another state.

IN WITNESS WHEREOF, this Agreement has been executed by the parties as of the Effective Date.

________________________________          ________________________________
NORTHWESTERN UNIVERSITY                   COVERED ENTITY

By: ____________________________          By: ____________________________

Name: __________________________          Name: __________________________

Title: _________________________          Title: _________________________

Date: __________________________          Date: __________________________

EXHIBIT K

HIPAA CRITERIA FOR IRB WAIVER OF HIPAA AUTHORIZATION AND DOCUMENTATION OF THE WAIVER

CRITERIA FOR IRB WAIVER OF HIPAA AUTHORIZATION FOR RESEARCH

1. The use or disclosure of Information involves no more than a minimal risk to the privacy of
   individuals, based on the presence of at least the following elements:

   An adequate plan to protect the identifiers from improper use and disclosure;

   An adequate plan to destroy the identifiers at the earliest opportunity consistent with the
   conduct of the Research, unless there is a health or Research justification for retaining the
   identifiers or such retention is otherwise required by law; and

   Adequate written assurances that the Information will not be reused or disclosed to any
   other person or entity, except as required by law, for authorized oversight of the Research
   project, or for other Research for which the use or disclosure of Information would be
   permitted by this Policy;

2. The Research could not practicably be conducted without the waiver; and

3. The Research could not practicably be conducted without access to and use of the
   Information.

CRITERIA FOR DOCUMENTATION OF THE IRB WAIVER OF AUTHORIZATION

1. A statement identifying the IRB and the date on which the waiver request was approved;

2. A statement that the IRB determined that the waiver request satisfied the criteria for waiver;

3. A statement that the waiver has been reviewed and approved under either normal or
   expedited review procedures; and

4. The documentation is signed by the IRB chair or his/her designee.

EXHIBIT L

Waiver of Authorization form
http://www.northwestern.edu/research/OPRS/irb/hipaa/docs/HIPAAWaiver.doc

EXHIBIT M

Revocation
http://www.northwestern.edu/research/OPRS/irb/hipaa/docs/HIPAARevocation.doc