Winthrop-University Hospital

Transcription

1 Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR (i), (a-c) and in connection with the implementation of the HIPAA Compliance Plan, Winthrop-University Hospital has developed and will implement this Policy for the application of HIPAA to all research activities. Winthrop- University Hospital currently relies upon two institutional review boards ( IRB(s) ), the Winthrop-University Hospital Institutional Review Board ( WUH IRB ) and the Western Institutional Review Board ( Western IRB ), to ensure that all human research projects conducted at Winthrop University Hospital are performed in compliance with the federal regulations (e.g., the Common Rule) and will continue to rely upon these two institutional review boards to ensure compliance with HIPAA as well. 1 This Policy is designed to ensure that any such research conducted at Winthrop-University Hospital under the authority of either the WUH IRB or the Western IRB will be conducted in full compliance with HIPAA. A General Application of HIPAA to Research. 2 HIPAA applies to all research studies which involve the use or disclosure of individually identifiable protected health information ( PHI ). HIPAA applies regardless of the source of funding for the research. Research studies affected by HIPAA include: (i) record research (i.e., research using previously existing PHI, such as research involving a review of previously created medical records or previously collected tissue specimens); (ii) research not involving research related treatment; and (iii) research involving treatment 3 of research participants such as clinical trials. 1 Note: The Western IRB reviews all human research studies which are sponsored by pharmaceutical companies and involve out patients of Winthrop-University Hospital. WUH IRB reviews all other human research studies. 2 Note: Research is defined, under HIPAA, as systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. 3 Note: Treatment is defined, under HIPAA, as the provision, coordination, or management of health care and related services by one or more health care providers, including (i) coordination or management of health care by a health care provider with a third party, (ii) consultation between health care providers relating to a patient, and (iii) the referral of a patient for health care from one health care provider to another.

2 When an investigator conducts a research study that is subject to both HIPAA and the Common Rule, the investigator must comply with the regulations under both laws. Additionally, where applicable, a research study must also comply with the Federal Drug Administration s human subjects regulations. Winthrop-University Hospital requires that any investigator conducting a research study involving the use or disclosure of PHI must ensure the receipt of a HIPAA authorization, approved by either the WUH IRB or the Western IRB, from each research participant prior to using or disclosing PHI for research purposes unless with prior review and approval by either the WUH IRB or the Western IRB one of the following five exceptions under which research can be conducted using PHI without first obtaining an authorization exists: a. the investigator is only conducting a review preparatory to future research; b. the research study uses only PHI of deceased individuals; c. the investigator uses only a limited data set in conducting the research study and obtains a data use agreement from all recipients of the limited data set; d. the investigator uses only de-identified PHI in conducting the research study; or e. the investigator obtains a waiver of the authorization requirement from the WUH IRB prior to commencing the research study. Note: If the research involves treatment of the patient, the patient will also need to receive a privacy notice and sign an acknowledgment, where applicable, as discussed in Section G below. Winthrop-University Hospital requires that, whenever PHI is being used or disclosed for research purposes pursuant to an exception from the authorization requirement by either the WUH IRB or the Western IRB, the investigator shall comply with Winthrop-University Hospital s minimum necessary policies, procedures and requirements. In order to comply with the minimum necessary requirements, the investigator shall make reasonable efforts to limit the uses and disclosures of, and requests for, PHI to the minimum necessary to accomplish the purpose(s) of the research study. (See Minimum Necessary Policy) B Research Authorization. In those instances where an investigator s research study does not fit into one of the exceptions to obtaining an authorization (as discussed in Section C through G below) and the investigator intends to use or disclose PHI during the conduct of his/her research study, the investigator should ensure that a valid, executed authorization is obtained from each research participant or his/her legally authorized representative. All research authorizations shall be reviewed and approved by either the WUH IRB or the Western IRB during the appropriate IRB s initial review of the investigator s research request (as discussed in Section H below) unless the investigator complies with one of the above-mentioned exceptions.

3 1 Requirements for All Authorizations. All research authorizations shall be written in plain language and contain at least the following: a. A meaningful and specific description of the individually identifiable health information to be used in the research study; b. A list of all persons (or classes of persons) who may use or disclose the individually identifiable health information; c. A list of the persons (or classes of persons) to whom the individually identifiable health information may be disclosed; d. The expiration date or event of the authorization. For research purposes this statement can be end of the research or none (especially with respect to research data bases, repositories); e. A statement that the research participant has a right to revoke the authorization at any time and a description of how to revoke the authorization; f. A statement noting that used or disclosed individually identifiable health information may be subject to re-disclosure and no longer protected by the law; g. The signature and date of the research participant or his/her authorized representative. If signed by an authorized representative, a statement of such representative s authority to act for the research participant; h. A statement of each purpose of the use or disclosure of the individually identifiable health information; and i. For research not involving research-related treatment: A statement that the research subject has right to refuse to sign the authorization without being denied treatment and that participation is conditioned on the research participant executing the authorization. The authorization should be witnessed by any competent adult, included in the research participant s medical record and each research participant should be provided with an executed copy. For a discussion of authorizations where Winthrop-University Hospital seeks an individual s written legal permission to obtain PHI about the individual from another covered entity that maintains the PHI to make a disclosure of the PHI, see Winthrop-University Hospital Policy on Authorizations for Uses and Disclosures of Patient Information. 2 For Studies which Include Treatment. Where the research study is, however, being conducted in connection with research-related treatment of the research participant, the research

4 authorization may contain a statement that provision of the research-related treatment is conditioned on the research participant executing the authorization. Where a research study that includes treatment is being conducted as part of a clinical trial, the research participant can be denied the right to access the individually identifiable health information obtained in the course of that clinical trial (the Research Information ). In order to deny the research participant access to Research Information: a. The research authorization must contain a statement informing the research participant that he/she will be denied access to the Research Information during the course of the clinical trial. b. The research participant must agree to the denial of access to Research Information when he/she consents to participation in the clinical trial. c. The clinical trial must be ongoing when the request for access is made. The research participant must also be advised of his/her right to be provided access to the Research Information once the clinical trial is completed. The investigation must, however, maintain a high level of ethical consideration for the welfare of the research participants and provide access in the appropriate circumstances. While conducting a clinical trial, the investigator shall comply with the limited scope of permissible uses and disclosures for the Research Information. Additionally, the investigator shall be allowed certain disclosures of PHI relevant to a clinical trial, including disclosures to public health agencies, health oversight agencies and persons required or directed to report information to the Federal Drug Administration and the Office of Human Research Protection. Any such parties should be identified in the HIPAA authorization. Unless an investigator is conducting a review preparatory to a research study (discussed below), he/she must obtain an authorization prior to reviewing previously collected PHI in connection with treatment, to determine an individual s eligibility for participation in research. Since, however, Winthrop-University Hospital can disclose PHI to the individual who is the subject of the PHI, a Winthrop-University Hospital physician may discuss the option of enrolling in a research study without first obtaining a research authorization or waiver of the authorization requirement by either the WUH IRB or Western IRB. Once the PHI needs to be disclosed to a third-party investigator for the purposes of recruitment into the research study, Winthrop- University Hospital must obtain an authorization or waiver of authorization (as discussed in Section G below). Compound Authorizations. Generally, both the WUH IRB and Western IRB will require an authorization for the use or disclosure of PHI in a research study (e.g., research authorization) be combined with an informed consent document for the same research to create a compound authorization.

5 At times and only when approved by the WUH IRB or Western IRB, as appropriate, a research authorization may be separate from the Informed Consent document or an authorization combined with an authorization for a different purpose, except for an authorization for the disclosure of psychotherapy notes; provided, however, that with such a compound authorization, the provision of treatment of the research participant cannot be conditioned on the signing of authorization. For further discussion of compound authorizations, see Winthrop-University Hospital Policy on Authorizations for Uses and Disclosures of Patient Information. For Winthrop-University Hospital purposes, a research authorization should only be separate from an Informed Consent document in special circumstances as specifically approved by the WUH IRB or Western IRB, as appropriate, in connection with their review of the proposed research study, as discussed in Section I below. C Review Preparatory to Future Research. An investigator can conduct a review of PHI in preparation for future research without first obtaining a research authorization. Before conducting any such preparatory review, however, the investigator shall obtain approval from the WUH IRB, as described in this Section C. All such preparatory review requests shall be made in writing to the WUH IRB. Before approving any preparatory review request, the WUH IRB shall obtain from the investigator written and signed documentation of the following representations: 1 The use and disclosure of the individually identifiable health information is necessary to the future research. 2 The individually identifiable health information will be reviewed solely for the narrow purpose of preparing for the future research. 3 No individually identifiable health information will be removed from its source by the investigator in the course of the preparatory review (although information can be recorded in de-identified form). The purpose of each preparatory review shall be either to aid in the development of a research hypothesis and/or to aid the recruitment of research participants. All approvals of preparatory research shall be documented and if the preparatory review results in a disclosure of an individual s individually identifiable health information, it shall be tracked and documented as a disclosure. The WUH IRB shall rely on representations of the investigator that the review is being conduct solely in preparation for a research study. D Research Involving a Deceased Individual. An investigator can use and disclose PHI of a deceased person for research purposes without first obtaining a research authorization. Before conducting any such research study, however, the investigator must obtain approval from the WUH IRB. All such research requests shall be made in writing to the WUH IRB. Before approving any such research request, the WUH IRB shall obtain in writing from and signed by the investigator the following representations: 1 The use and disclosure of the individually identifiable health information contained in the medical records is necessary for research purposes.

6 2 The use or disclosure is sought solely for research of individually identifiable health information of deceased persons. Before approving any such research request, the WUH IRB may request documentation of the death of each research subject from the investigator. All approvals of research studies involving deceased persons shall be documented and each disclosure of an individual s PHI shall be tracked and documented. The WUH IRB may rely on representations of the investigator that the research solely involves deceased person(s). E Limited Data Sets. Where, in conducting a research study, an investigator uses health information to create a limited data set, the investigator will not be required to obtain a research authorization provided the investigator obtains a data use agreement from any intended recipient of the limited data set. Before utilizing a limited data set in connection with a research study, the investigator should consult Winthrop-University Hospital Policy on Deidentifying and Re-identifying Patient Health Information and Creation of a Limited Data Sets regarding the method and means he/she intends to employ in creating the limited data set. The investigator must also utilize only a Winthrop-University Hospital approved form of data use agreement in connection with the disclosure of the limited data set and must obtain approval of the WUH IRB prior to using the limited data set. 1 A limited data set is a set of protected health information from which all of the following direct identifiers of the individual and relatives, employers, or household members of the individual have been removed: a. Names; b. Postal address information, other than town or city, State, and zip code; c. Telephone numbers; d. Fax number; e. Electronic mail addresses; f. Social security numbers; g. Medical records numbers; h. Health plan beneficiary numbers; i. Account numbers; j. Certificate or license numbers; k. Vehicle identifiers or serial numbers, including license plate numbers; l. Device identifier or serial number;

7 m. Web universal resource locators (URL s); n. Internet protocol (IP) address numbers; o. Biometric identifiers, including finger and voice prints; and p. Full face photographic images. 2 The data use agreement will list the purposes for which the recipient of the limited data set can use the patient information and provide the WUH IRB and Winthrop-University Hospital with satisfactory assurance that the recipient of the limited data set will only use or disclose the patient information for the purposes listed. Each data use agreement must contain the following: a. A statement indicating whether the limited data set was created for research, public health or health care operations; b. A statement of the purposes for which the recipient can use or disclose the patient information being provided in the limited data set. These purposes must be consistent with the reason the data use set was originally created in (1); c. A list of the names of all individuals or entities being provided permission to receive the limited data set under the data use agreement; d. A statement that the recipient agrees not to use or further disclose the patient information in the limited data set other than as agreed to in the data use agreement or as requirement by the law; e. A statement that the recipient agrees to use appropriate safeguards to prevent the use or disclosure of the patient information in the limited data set in any manner other than as agreed to in the data use agreement; f. A statement that the recipient agrees to report to the WUH IRB if it becomes aware of any use or disclosure of the patient information in the limited data set outside of the agreed upon uses in the limited data set; g. A statement that the recipient agrees to ensure any agents, including any subcontractors, who it provides the limited data set to will follow the same restrictions and conditions with respect to the use, disclosure and protection of the data use set; h. A statement that the recipient agrees to not identify the information in the limited data set or attempt to contact the individuals; and i. A statement that Winthrop-University Hospital can terminate the data use agreement and use of the limited data set by the recipient if it becomes aware of any pattern of behavior or activity or practice of the recipient which materially breaches or violates the data use agreement. The statement should further indicate Winthrop-University

8 Hospital will report any such breach or violation to the Secretary of the Department of Health and Human Services. Winthrop-University Hospital requires that the investigator continue to comply with the Hospital's minimum necessary policies, procedures and requirements in using and disclosing the patient information included in the limited data set. F De-identified Information. Where, in conducting a research study, an investigator uses health information that has been rendered not individually identifiable or de-identified, the investigator will not be required to obtain a research authorization. The goal of de-identification of health information is to reduce the possibility that the de-identified information can be cross-referenced with other identifiable information in order to link a de-identified health record with an individual. 1 Health information may be determined to not be individually identifiable or deidentified health information if the investigator removes the identifiers of the individual or the relatives, employers, or household members of the individual that are specified below from the health information. 2 In order to de-identify health information, all of the following specified information must be removed from the research records: a. Names; b. All geographic subdivisions small than a state, except for 3-digit zip codes (e.g., address); c. All elements of dates except the year (e.g. birth date, admission date, discharge date, date of death and all ages over 89); d. Telephone numbers; e. Fax numbers; f. Electronic mail addresses; g. Social security numbers; h. Medical records numbers; i. Health plan beneficiary numbers; j. Account numbers; k. Certificate or license numbers; l. Vehicle identifiers or serial numbers, including license plate numbers;

9 m. Device identifier or serial number; n. Web universal resource locators (URL s); o. Internet protocol (IP) address numbers; p. Biometric identifiers, including finger and voice prints; q. Full face photographic images; and r. Other unique identifying number, characteristics, or code (e.g. tissue or DNA samples), excluding a re-identification code created as provided below. Other identifying information which the investigator should also consider removing includes family information, employment information, race, religion and ethnic information, and medical diagnosis that directly or indirectly identifies an individual. Before deciding to deidentify health information in connection with a research study, the investigator should consult Winthrop-University Hospital Policy on De-identifying and Re-identifying Patient s Health Information and Creation of Limited Data Sets regarding the method and means he/she intends to employ in performing the de-identification and obtain the approval of the WUH IRB. Additionally, the investigator may create a code that allows him/her to re-identify health information, provided that: The code is not derived from or related to information about the individual; The code is not capable of being translated so as to identify the individual; and The code or mechanism for re-identification is not used for any other purpose than reidentification of the health information. Before deciding to re-identify health information in connection with a research study, the investigator should consult Winthrop-University Hospital Policy on De-identifying and Re-identifying Patient s Health Information and Creation of Limited Data Sets regarding the method and means he/she intends to employ in performing the reidentification and obtain the approval of the WUH IRB. Any re-identification code should comply with Winthrop-University Hospital Policy on De-identifying and Reidentifying Patient s Health Information and Creation of Limited Data Sets and should be approved by the WUH IRB. G Alteration or Waiver of Authorization. An investigator may obtain an alteration or waiver of the authorization requirement for the use and disclosure of individually identifiable health information. The investigator must obtain either the WUH IRB or the Western IRB approval of any such alteration or waiver request. All such alteration or waiver requests shall be made in writing to the WUH IRB or the Western IRB. In connection with a request for approval of an alteration or a waiver of the authorization requirement for proposed research, the WUH IRB or

10 the Western IRB shall consider whether the proposed research study satisfies the following criteria: 1 The use or disclosure of individually identifiable health information will involve no more than a minimal risk to the privacy of the research participants based on the presence of the following elements: a. An adequate plan exists to protect the identifiers from improper use and disclosure; b. An adequate plan exists to destroy the identifiers at the earliest opportunity consistent with conduct of the research unless there is a health or research justification that makes retention necessary or such retention is otherwise required by law; and c. There are adequate written assurances that the individually identifiable health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the proposed research, or for other research for which use or disclosure of individually identifiable health information is permitted by HIPAA. 2 The proposed research study could not practicably be conducted without waiver or alteration of authorization. 3 The proposed research study could not practicably be conducted without access to and use of the individually identifiable health information. 4 Upon any approval of an alteration or waiver request, the WUH IRB shall prepare a written approval statement which: a. Identifies the WUH IRB or the Western IRB, as appropriate; b. Indicates the date on which the alteration or waiver of authorization was approved; c. States that the WUH IRB or the Western IRB, as appropriate has determined the alteration or waiver of authorization for the proposed research study satisfies all the criteria listed above; d. provides a brief description of the individually identifiable health information for which use or access has been determined by the WUH IRB or the Western IRB, as appropriate, to be necessary; and e. specifies whether action was taken by the WUH IRB or Western IRB under normal or expedited review procedures. This written approval statement will be signed by Chairman of the WUH IRB or Western IRB or his/her designee. The WUH IRB and Western IRB regularly approve conducting research through the waiver of the authorization requirement. As a result, Winthrop University Hospital routinely

11 uses and discloses individually identifiable health information for research purposes without obtaining an authorization and Winthrop-University Hospital is required to include a statement in its general HIPAA Notice advising patients of this practice. H HIPAA Notice. HIPAA requires that each patient receive a written notice that describes Winthrop University Hospital s privacy practices, the patient s individual rights under HIPAA, and the types of uses of PHI that may be made. Where a patient participating in a research study is receiving treatment, investigators shall use the appropriate Winthrop-University Hospitaldesignated HIPAA Privacy Notice form for healthcare services provided by Winthrop University Hospital personnel and/or, as applicable, the privacy notice developed for any facility or organized healthcare arrangement involved in the treatment of the patient (e.g., a hospital, clinic or physician office). Each investigator shall also make a good faith attempt to obtain an acknowledgment of the privacy notice from the research participant prior to commencing treatment. If this acknowledgment does not cover the investigator or the investigator is providing healthcare services outside of Winthrop University Hospital, the investigator should obtain a separate acknowledgment as well. In either case, where the investigator cannot obtain an acknowledgment executed by the participant in the clinical trial, such failure shall be documented by the investigator in the appropriate medical record, along with the reason for the failure (e.g., the research participant refused to execute the acknowledgment). I WUH IRB Review. As a Privacy Board for Winthrop University Hospital under HIPAA, the WUH IRB meets the composition requirements under the Common Rule. The WUH IRB will also follow the voting requirements of the Common Rule or the expedited review procedures of the Common Rule. Under Winthrop University Hospital policy, all investigators interested in conducting human research studies, except those human research studies sponsored by pharmaceutical companies and involving outpatients of Winthrop University Hospital, are required to submit their research requests to the WUH IRB for review and approval. In connection with HIPAA, the WUH IRB shall include in its review of each research request or proposed research study, which already includes a review of the protocol and informed consent form to be used in connection with the proposed research study, a review of each of the following, where applicable, (i) the research authorization, (ii) the HIPAA notice and acknowledgment, (iii) requests for the alteration or waiver of authorization, (iv) requests to conduct preparatory research reviews; (v) methods of creating a limited data set or de-identifying information; (vi) a data use agreement; and (vii) requests to conduct research involving a deceased individual s health information. In any event however, all, requests to (i) conduct preparatory research reviews; (ii) review methods of creating a limited data set or de-identifying information; (iii) review a data use agreement; and (iv) conduct research involving a deceased individual s health information shall be reviewed by the WUH IRB and not the Western IRB. Whenever possible, the WUH IRB shall ensure that an investigator use the standard WUH IRB Consent form language which includes the information required by HIPAA and the HIPAA compliant notice and acknowledgment approved by Winthrop University Hospital. For HIPAA purposes, Winthrop University Hospital shall rely on the WUH IRB s representation that a research protocol meets HIPAA documentation and minimum necessary requirements (where applicable).

12 J Western IRB Review. As a Privacy Board for Winthrop University Hospital under HIPAA, the Western IRB meets the composition requirements under the Common Rule. The Western IRB will also follow the voting requirements of the Common Rule or the expedited review procedures of the Common Rule. Under Winthrop University Hospital policy, all investigators interested in conducting human research studies, which involve outpatients of Winthrop University Hospital and are sponsored by pharmaceutical companies, are required to submit their research requests to the Western IRB for review and approval. In connection with HIPAA, the Western IRB shall include in its review of each research request or proposed research study, which already includes a review of the protocol and informed consent form to be used in connection with the proposed research study, a review of each of the following, where applicable, (i) the research authorization, (ii) the HIPAA notice and acknowledgment, and (iii) requests for the alteration or waiver of authorization. Whenever possible, the Western IRB shall ensure that an investigator use the standard Winthrop University Hospital Consent form language, which includes the information required by HIPAA. The Western IRB shall always ensure the investigator utilizes the HIPAA compliant notice and acknowledgment approved by Winthrop University Hospital. For HIPAA purposes, Winthrop University Hospital shall rely on the Western IRB s representation that a research protocol meets HIPAA documentation and minimum necessary requirements (where applicable). K Training. All members of the research workforce of Winthrop University Hospital shall participate in a HIPAA training program. The HIPAA training program for members of the research workforce of Winthrop University Hospital shall include both HIPAA basics training and research specific training. HIPAA basics training shall cover general privacy and general security requirements under HIPAA and shall be conducted as described in [Insert Name of Winthrop University Hospital Policy on Training]. 1 Research Specific Training. The research specific portion of the HIPAA training for the research workforce shall include: a. The research specific HIPAA rules and processes discussed under this Policy; b. Policies and procedures for the management of information collected by the research workforce when conducting research; c. Compliance procedures; d. Policies and procedure for the maintenance of research information, including both paper and computer electronic records; and e. Policies and procedures regarding computer security. 2 WUH IRB. Members of the WUH IRB shall undergo the same training as the researchers. In addition, they shall be trained in their specific responsibilities under HIPAA including: a. The specific elements of a HIPAA authorization;

13 b. The necessary additions to consents and notices under HIPAA; c. The elements to be reviewed when considering an alteration or waiver of authorization; d. The other exceptions to authorization including reviews preparatory to research and research involving deceased individuals; e. The steps necessary to de-identify information under HIPAA; and f. The steps necessary to create a limited data set for research purpose and the requirements of a data use agreement. 3 Western IRB. Members of the Western IRB shall conduct training sufficient to ensure they are competent to perform these specific responsibilities under HIPAA and meet the nursing requirements of HIPAA.