Document Sample
hipaa Powered By Docstoc
					Human Subjects Research Protections: Common Rule & the HIPAA Privacy Rule
BMI: 544 Fundamentals of Clinical Trials II September 13, 2007

Lisa A. Wilson University Legal Counsel University of Wisconsin Madison

Outline for Presentation
• Common Rule
 Federalwide Assurance (FWA)  Engagement in Research  Federal Regulations
• Exempt Research • Review by the IRB • Informed Consent (Waivers)

 Tissue Banking  Genetics Research

     Authorization Wavier of Authorization Preparatory to Research Research Using Decedents PHI Limited Data Set

• Navigating the OHRP Website

• • • • • • • • • • DHHS: Dept of Health and Human Services (Federal) OHRP: Office of Human Research Protections FWA: Federalwide Assurance IAA: IRB Authorization Agreement IIA: Individual Investigator Agreement HIPAA: Health Insurance Portability & Accountability Act PHI: Protected Health Information LDS: Limited Data Set DUA: Data Use Agreement HCC: Health Care Component

Federalwide Assurance (FWA)
• Institutions whose employees or agents “routinely” engage in federally supported human subjects research must submit FWA to OHRP. • Commitment by institution to comply with Terms of Assurance

Terms of Assurance
• Apply when research is supported by department or agency that has adopted the Common Rule • Require institution to follow Common Rule • Require institution to apply all subparts of Common Rule to all human subjects research supported by DHHS
 Subpart B: Protections for Pregnant Women, Fetuses, and Neonates  Subpart C: Protections for Prisoners  Subpart D: Protections for Children

Adoption of the Common Rule
• Partial list of federal departments or agencies: Department of Health and Human Services • Agencies within DHHS include CDC, CMS, NIH, SAMHSA (FDA) Department of Justice Department of Education Department of Agriculture Department of Veterans Affairs National Science Foundation

What Constitutes “Engagement”?
• OHRP guidance (draft) – Oct. 27. 2006 • Institution becomes “engaged” when employees:
Intervene or interact with living individuals for research; OR Obtain individually identifiable private information for research

Examples of Engagement
• Performing invasive or noninvasive procedures
 Drawing blood  Collecting specimens  Dispensing drugs  Administering other treatments  Employing medical technologies

• Manipulating the environment
 Presenting sensory stimuli  Orchestrating environmental events or social interactions  Making voice, digital, or image recordings

Examples of Engagement (cont’d)
• Interacting with individuals for research
Engaging in protocol-dictated communication or interpersonal contact Conducting interviews Obtaining informed consent

• Obtaining identifiable private information or identifiable biological specimens (directly or indirectly through code) for research purposes

Examples of Engagement (cont’d)
• Receiving direct DHHS award to conduct research, even if all activities done by subcontractor

Examples of Non-Engagement
• Consultant who does not obtain or possess identifiable private information
Can access identifiable information only while at site of engaged institution and only if activities reviewed by IRB

• Performing commercial or noncollaborative services typically performed by that institution for non-research purposes
Lab performs analysis of blood samples

Examples of Non-Engagement (cont’d)
• Informing prospective subjects about the availability of research
 providing prospective subjects with information about research (can include consent document) but not obtaining consent  Providing prospective subjects with contact information of investigators  Obtaining permission from prospective subjects for investigator to contact subject

• Permitting use of facility for interaction or intervention with subjects by researcher

Examples of Non-Engagement (cont’d)
• Releasing identifiable private information • Releasing information/specimen to investigator in non-identifiable form where obtained by institution for purpose other than investigator’s research • Receiving unidentifiable information or specimen for research where agreement exists prohibiting release of any identifying information to recipient

Cooperative Research
• Grant recipient or coordinating center must ensure that collaborators “engaged” in federally supported research are covered by FWA or Individual Investigator Agreement (IIA) • If collaborating institution has employees or agents that “routinely” engage in federally supported research, must have own FWA naming an IRB of record
 Dual IRB review  Unless IRBs decide to defer review to “avoid duplication of effort”
• IRB Authorization Agreement (IAA)

IRB Authorization Agreement (IAA)
• Agreement that permits one IRB to defer review to another IRB • Can indicate on agreement if deferral is for one protocol only or for many protocols • If research is federally funded, the deferring institution must name IRB accepting review on FWA as an “IRB of record” • IRB accepting deferral must know “local research context”

Individual Investigator Agreement (IIA)
• Other institution has no FWA and no IRB of record
Institution’s employees or agents should not be routinely engaged in federally supported research

• IIA allows collaborating investigators to be covered under FWA-holding institution

“Common Rule” 45 CFR 46, Subpart A
• Exempt research • Definitions (affecting IRB review) • IRB review
 Expedited review  Criteria for approval
• Informed consent • Wavier of informed consent • Waiver of documentation of informed consent

• Required reporting • Tissue banking • Genetic research

Exempt Research: 45 CFR 46.101
• Sec. 46.101(b)(1) Research in commonly accepted educational settings, involving normal educational practices
– Research on instructional strategies – Research on effectiveness of techniques, curricula or classroom management

Exempt Research (cont’d)
• Sec. 46.101(b)(2) Research involving use of educational tests, surveys, interviews, observations unless
– Data is identifiable (directly or indirectly) AND – Disclosure could reasonably place subjects at risk of criminal or civil liability or be damaging to financial standing, employability or reputation

(NOTE: exemptions for surveys and interviews do not apply to children)

Exempt Research (cont’d)
• Sec. 46.101(b)(4) Research involving the collection or study of existing data, documents, records, or specimens if:
-- Publicly available, OR -- Information is recorded in such a manner that subjects cannot be identified directly or through a link

Example: retrospective medical record review where no identifiable information is recorded

Definitions Affecting IRB Review: 45 CFR 46.102
• “Research” means a systematic investigation, including research development, testing and evaluation, designed to contribute to generalizable knowledge
 Generally excludes QI, QA, case report

• “Human subject” means a living individual about whom an investigator obtains:
 Data through interaction or intervention OR  Identifiable private information

Coded Specimens
• OHRP guidance – August 10, 2004 • Research on coded specimens does not constitute “human subjects” research if:
 Specimens not collected specifically for current research project  Investigator cannot ascertain identity of donors because:
• Key to decipher code destroyed before research; • Agreement between investigator and key holder that key will never be disclosed • IRB-approved written policies for repository that prohibits access to key

Expedited Review: 45 CFR 46.110
• Expedited review requirements:
 No more than minimal risk and appearing on list created by DHHS OR  Minor changes in previously approved research

• Expedited review may be done by chairperson or one or more committee members • All the same power as full IRB except cannot disapprove research (requires full IRB)

Expedited Review (cont’d)
DHHS list of expedited categories (applies to research that does not qualify for an exemption) can be found at:

IRB Review of Research: 45 CFR 46.109
• Informed consent document must comply with sec. 46.116 (consent regulations) • Documentation of informed consent unless waived • Continuing review at least annually, or sooner if appropriate (substantive and meaningful)

Criteria for IRB Approval: 45 CFR 46.111
• To approve, ALL the following must be satisfied:
 Risks to subjects minimized  Risks reasonable in relation to benefits  Selection of subjects is equitable  Informed consent sought from subject or LAR (unless waiver conditions met)  Informed consent documented (unless waiver of documentation conditions met)  Adequate data monitoring to ensure safety  Adequate provisions to protect privacy

• When vulnerable subjects included, safeguards in place to protect rights and welfare

General Requirements of Informed Consent: 45 CFR 46.116
• Must obtain legally effective IC of subject or LAR • Sufficient opportunity to decide whether to participate • Must minimize coercion or undue influence • No exculpatory language through which subject waives or appears to waive rights or releases liability • Information provided in language subject can understand (8th grade reading level) • Must use written consent form signed by subject (unless IRB waives documentation)

Exculpatory Language
• OHRP guidance – November 15, 1996 • Frequently arises in sponsor informed consent document in form of ownership of tissue/specimens or resulting commercial products • OK: There are no plans to provide financial compensation to you if commercial products are developed • Not OK: You give up all claim to personal benefit if commercial products are developed • OK: You authorize the use of your tissue samples for the research described above • Not OK: You relinquish all right, title and interest in your tissue samples used for the research described above

Basic Elements of Informed Consent: 45 CFR 46.116(a)
• Elements of IC that shall be included:
Statement that the study involves research Explanation of the research Expected duration of subject’s participation Description of procedures to be followed Identification of procedures that are experimental

Basic Elements of Informed Consent (cont’d)
Description of reasonably foreseeable risks Description of benefits to subject or others Disclosure of appropriate alternative procedures or treatment, if any Extent to which confidentiality of subject records will be maintained For more than minimal risk, whether any compensation or medical treatments will be provided, what they are, or where to obtain further information

Basic Elements of Informed Consent (cont’d)
Whom to contact for answers about research and subject’s rights Whom to contact in event of injury Statement that participation is voluntary Statement that refusal to participate will not result in penalty or loss of benefits Statement that subject may withdraw at anytime

Additional Elements of Informed Consent: 45 CFR 46.116(b)
• When appropriate, the following elements shall also be provided:
 Statement that procedure or treatment may involve risks to subjects (or to embryo or fetus) which are unforeseeable  Circumstances under which investigator may terminate subject’s participation  Additional costs to subjects of participation  Consequences of subject’s withdrawal  Approximate number of subjects  Statement that new findings affecting willingness to participate will be communicated to subject

Waiver of Informed Consent: 45 CFR 46.116(d)
• Under the Common Rule, IRB may approve consent form that waives some elements, or may approve waiver of IC altogether when:
 Research involves no more than minimal risk  Waiver will not adversely affect rights and welfare of subjects  Research could not practicably be carried out without the waiver  Subjects will be provided with additional pertinent information

Examples of Waiver of IC
• Retrospective records review:
 Large number of subjects  Dating back a long time  Subjects likely to be lost to follow up or deceased

Waiver of Documentation of Informed Consent: 45 CFR 46.117(c)
• •

Subject still gives informed consent, but does not sign the consent form Usually subject gets “information sheet” with all required elements for informed consent IRB must find the following:  Only record linking subject and research is consent document, and principal risk of harm is breach of confidentiality; OR  Research involves minimal risk and no procedures for which written consent normally required outside research context

Examples of Waiver of Documentation of IC

• •

Subject participation involves only completion of survey Phone screen Subject participation is blood draw only and no identifiers are attached to sample provided

Photo courtesy of Michael Foster Rothbart, UW-Madison

Research Databases and Tissue Banks
• Federal guidance clarifies that creation of research databases/banks = research • Need consent of subject to participate in database/bank AND to participate in any subsequent research using information/specimens from database/bank • Need authorization for use of any PHI included in bank AND for use of any PHI in subsequent research using information/specimen from database/bank

Research Databases and Tissue Banks (con’t.)
• Common Rule allows for consent for future unspecified research
consider subsequent use of data when reviewing consent form

• HIPAA does not allow authorization for future unspecified research • Subsequent use of information/specimen from database/bank may qualify for waiver of consent and authorization

Genetics Studies
• Breach of confidentiality can cause substantial harm to subjects • Informed consent must clearly explain risks of genetic testing:
 Loss of insurance, loss of employment, psychological effects, harm to familial relationships

• Tight safeguards in place to protect against breach • Consider Certificate of Confidentiality • Consider whether test result should be disclosed to subjects (experimental?)

Required Reporting: 45 CFR 46.103
• Investigators must report to the IRB, and IRB must then report to OHRP, FDA and funding agency:
Unanticipated problems involving risks to subjects or others (“adverse event” is FDA term) Serious or continuing noncompliance with regulations or IRB determinations Suspension or termination of IRB approval

Required Reporting (cont’d)
• Possible consequences of unanticipated problems or serious/continuing noncompliance:
 Suspension/termination of IRB approval  Remediation such as further training  Report to IRB re why event happened and how to prevent  Data destruction (only in cases where research could not have been ethically or legally approved)  Cannot claim research done with IRB approval

Navigating the OHRP Website

Health Insurance Portability and Accountability Act (HIPAA): 45 CFR Parts 160 and 164

Protected Health Information (PHI)
Information that:
 Relates to past, present or future:
• Physical or mental health condition • Provision of health care • Payment for provision of health care
Photo courtesy of Jeff Miller, UW-Madison

 Identifies the individual or could reasonably be used to identify the individual  Is recorded in any medium  Is maintained by a “covered entity” (CE)

What is a “Covered Entity”?
• A health care provider that transmits health information electronically • Health plans • Health care clearing house

The University of WisconsinMadison
• A “covered entity” • But, a “hybrid entity”
 A single legal entity with covered and noncovered functions  Only those departments in the Health Care Component (HCC) must comply with the Privacy Rule

Photo courtesy of Jeff Miller, UW-Madison

Affiliated Covered Entities (ACE)
• UW HCC • University of Wisconsin Hospital and Clinics (UWHC) • University of Wisconsin Medical Foundation (UWMF)

Covered Entity Use/Disclosure of PHI
A covered entity may use or disclosure of PHI:
 Without an authorization:
 For treatment  For payment  For health care operations (e.g. accreditation, training, underwriting, other)

 With an authorization  As otherwise permitted by certain sections of the Privacy Rule

Use v. Disclosure
• A “use” involves sharing of PHI within the HCC or within the ACE • A “disclosure” involves sharing of PHI outside the HCC or ACE

Research Use/Disclosure of PHI
• Research is not treatment, payment or a health care operation • Use and/or disclosure of health information for research:
 De-identified  Authorization  IRB approval of altered/waiver of authorization  Limited data set (used with Data Use Agreement)  Certification for use of decedents’ PHI  Certification for activities preparatory to research

Identifiers Under the Privacy Rule
• • • • • • • • • • • • • • • • • • Names Geographic subdivisions smaller than a State (street address, city, county, zip) All elements of dates (except year) (birth date, admission date, discharge date) Telephone numbers Fax numbers E-mail addresses Social security numbers Medical record numbers Health plan beneficiary numbers Account numbers Certificate/license numbers Vehicle identifiers and serial numbers (including license plate) Device identifiers and serial numbers Web URL’s IP address numbers Biometric identifiers, including finger and voice prints Full face photographic images Any other unique identifying number, characteristic, or code

Authorization vs. Consent
• Authorization
HIPAA Privacy Rule: 45 CFR §164.508 Patient authorizes the use or disclosure of PHI for research

• Consent
Common Rule: 45 CFR §46.116 Patient consents to voluntary participation in the research study

Authorization Core Elements: 45 CFR 164.508
• Description of PHI to be used/disclosed
 Must identify info in specific and meaningful fashion

• • • •

Person authorized to disclose Person permitted to use PHI Purpose for the disclosure Expiration date or event
• “End of research” or “none”

• Signature and date

Authorization Required Statements 45 CFR 164.508
• Consequences of refusal to sign
no participation in research

• Potential for disclosed PHI to be redisclosed by recipient and no longer subject to the Privacy Rule • Right to revoke, how, exceptions

Revoking the Authorization
• May revoke in writing at any time • May not collect, use or disclose additional data after revocation • Revocation may have limited effect
• Not effective where action taken in reliance upon authorization prior to revocation • May use/disclose PHI obtained pursuant to authorization to the extent necessary to “preserve the integrity of the research study.”*
*Preamble to HIPAA

Wavier/Altered Authorization vs. Consent
• Authorization: 45 CFR



 Risk to subjects privacy is minimal  Research cannot be practicably conducted without the use of PHI  Research cannot be practicably conducted without the waiver or alteration

Consent: 45 CFR 46.116  Research involves no more than minimal risk to the subjects  Research could not practicably be carried out without the waiver or alteration.  Waiver or alteration will not adversely affect the rights and welfare of the subjects  Whenever appropriate, subjects will be provided with additional pertinent information after participation.

Waiver vs. Altered Authorization
• Waiver of Authorization
IRB waives the requirement for subject authorization for all uses/disclosures of PHI for a particular research protocol

• Altered Authorization
The IRB may require the researcher to obtain permission from subjects for use of their PHI, but may allow the researcher to omit some of the required elements of an authorization.

When is a Waiver Appropriate?
• Examples:
Retrospective Chart Review
• Large number of subjects • Records from a long time ago • Large proportion of subjects are lost to follow-up

When is Alteration Appropriate?
• Examples:
When seeking a waiver of documentation of informed consent
• Signature on survey is only record linking subject to research

Phone screen

Limited Data Set: 45 CFR 164.514
• All identifiers removed except:
Dates City, state, zip Other unique identifying number, characteristic or code

• Must enter into Data Use Agreement with covered entity

Certification for Use of Decedents’ PHI: 45 CFR 164.512
• Representation that use or disclosure sought is solely for research on the PHI of decedents • Representation that the PHI is necessary for the research • CE may request documentation of death

Certification for Activities Preparatory to Research: 45 CFR 164.512
• Use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes • No PHI is removed from the CE by researcher in course of review • The PHI for which use or access is sought is necessary for the research purposes

Guidance on Preparatory to Research Activities
• Preparing a research protocol • Identification of study participants who would meet eligibility requirements • Assisting in development of research hypothesis

HIPAA Privacy Rule Websites for the Researcher
• UW HIPAA website
• • Training program, research guide, privacy manual

• U.S. Department of Health and Human Services website