protocol associated with your HIPAA submission possibly Decedent by tW51w6

VIEWS: 5 PAGES: 5

									Introduction
Are you confused about which HIPAA form to submit? Are you
frustrated by having your subjects sign two forms: the IRB
Consent Form and HIPAA Authorization Form? Do you question
why the HIPAA and IRB offices are separate?
 
 In response to
these questions, BU/BMC is implementing new HIPAA policies
that will help alleviate these concerns.

The HIPAA Privacy Rule went into effect in 2003. This article will
review the requirements of HIPAA, provide a decision algorithm for
determining the types of HIPAA forms required at BU/BMC for a
given study, and explain other changes related to the implementation of
HIPAA.

The purpose of the HIPAA Privacy Rule was to protect the privacy
of people’s health information, at a time when many insurers were
transmitting such information electronically. Part of the Rule
pertained to the use and disclosure (sharing) of health information
for “payment, treatment, and operations.” More pertinent to
research was the portion of the Rule that dealt with the use and
disclosure of health information for research purposes.

TAKE HOME LESSON #1: HIPAA HAS DIFFERENT
REQUIREMENTS FOR RESEARCH THAN FOR CLINICAL
SITUATIONS.


The protections of the HIPAA Privacy Rule are additive to the
protections to privacy and confidentiality already in effect in the
Common Rule (IRB regulations), that derive from the Belmont
Principles. For an extensive discussion of these protections that
have been in place since 1981, see the Clinical Research Times
May 2004 Feature Article entitled, “Privacy and Confidentiality:
It’s More Than HIPAA”. Many feel that the HIPAA Privacy
Rule’s protections are redundant (AAMC), but the law’s
requirements actually give research subjects much more
information about who can see their protected health information
(PHI), how private it will be kept, and for how long. It also
requires subjects to be told when the information won’t be kept
private, and gives subjects the right to know whether they can have
access to their data collected in the research. This article is not
intended to be a complete training about HIPAA. If you are not
familiar with the Rule’s application to research, please see
BU/BMC’s extensive information on its web site
(www.bumc.bu.edu/hipaa) and the links to federal guidances.

HIPAA RESEARCH DECISION ALGORITHM

There are some research situations where HIPAA may not apply,
other situations where it will always apply, and still others where
“it depends.” These fine distinctions associated with HIPAA make
understanding the Rule all the more challenging. Please view the
HIPAA Research Decision Algorithm, which should help clarify
whether or not HIPAA pertains to your study, how to proceed if
you are collecting identified data, de-identified, or limited data,
and help you determine which HIPAA form(s) should be submitted
to the BU/BMC IRB. Several of the boxes are linked to definitions
and helpful web sites. Once you work your way through the
decisions, you will end up at one or more HIPAA form(s) that are
required for your study.

The HIPAA Research Decision Algorithm is correct for almost all
studies, but there will be exceptions. If you have questions, please
contact the IRB office.

DOES HIPAA APPLY TO MY STUDY OR NOT?


HIPAA applies if you are a member of the “workforce of a covered
entity” and you need “protected health information” for your research.
BU/BMC has determined that if the principal investigator of a study is
a member of the workforce of a covered entity, then all of the research
staff members are also considered workforce members for that
particular study. To determine whether your study entails protected
health information and for a list of the 18 HIPAA identifiers, please see
the HIPAA web site.

If your study requires information from medical records, whether
or not the subjects are also your patients, HIPAA applies.

IF HIPAA APPLIES TO MY STUDY, WHAT FORM(S) DO I
NEED?
 
 If you have determined that HIPAA applies to your
study, then work your way through the HIPAA Research Decision
Algorithm. Remember to follow each path, since you may need
more than one form.

HIPAA AUTHORIZATION LANGUAGE: The language
required for HIPAA authorization should be included in the
informed consent form, rather than in a separate document.

OTHER HIPAA FORMS

• HIPAA WAIVER OF AUTHORIZATION

• HIPAA DEIDENTIFIED DATA

• HIPAA LIMITED DATA SET

• HIPAA PREPARATORY TO RESEARCH

• HIPAA DECEDENT RESEARCH


The HIPAA forms listed above have not changed since their initial
implementation. However, the process for submission of these
documents has changed—the principal investigator needs to attach
these HIPAA forms in Section S but does not need to sign them.
By submitting the form as an attachment to a protocol, the PI is
attesting to the statement above the signature line.

If there is no research protocol associated with your HIPAA
submission (possibly Decedent Research or Preparatory to
Research), then you will continue to fax or mail the paper form to
the IRB office after the PI has signed it. A signature is required for
the paper forms.

OTHER HIPAA SIMPLIFICATIONS

When the HIPAA Privacy Rule went into effect several years ago,
investigators asked the IRB why such high specificity was
necessary for the HIPAA Authorization Form. From the feedback
we received, this high specificity frequently confused subjects. For
this reason, we will begin a new approach allowed by the Rule of
listing classes or groups, rather than specific items. For example,
rather than listing every diagnostic test needed from a medical
record, the authorization is simply for “information from your
hospital or office health records at BU/BMC or elsewhere. This
information is reasonably related to the conduct and oversight of
the research study.” Or rather than listing every outside lab where
blood samples might be sent, the authorization is for “people or
groups that we hire to do certain work for us, such as data storage
companies or laboratories.” In this way, information is being
provided on the groups or classes of PHI used or disclosed and to
whom it might be disclosed.

REMINDER FOR HIPAA COMPLIANCE


The HIPAA Privacy Rule provides the research subject with the
right to know who, what, when and where his/her PHI was used
without his/her authorization. Therefore, if HIPAA applies to your
study and you used a Waiver of Authorization, Preparatory to
Research, or Decedent Research, you must account for the
disclosures. Please see the appropriate section of the HIPAA web
site for more information. For a review of the April 2003
presentations about HIPAA in Research, you may see the HIPAA
and Research Presentation on the HIPAA site.


 HIPAA INTEGRATION INTO THE IRB OFFICE

To streamline and fully integrate the HIPAA and IRB processes,
the IRB office has assumed responsibility for review and approval
of all HIPAA documentation. The IRB Analysts will include
HIPAA forms in their review and approval process for their
assigned protocols. General questions regarding HIPAA can be
directed to the IRB office.

								
To top