Feature Article

Privacy and Confidentiality Requirements in the Use and Disclosure of Information for Research
March 2013 Issue

By Mary A. Banks, BS, BSN, and
Patricia A. Bass, JD, MPH
The authors have nothing to disclose with regard to commercial support.



The March 2013 CR TIMES Feature Article, “Privacy and Confidentiality Requirements in the Use and Disclosure of Health Information for Research”, consists of a new training module about protecting subjects’ privacy and the confidentiality of research data. Completion of this article and the associated “quiz” will be required for the BUMC human subjects protection recertification training cycle for 2013-2015. This module will be equivalent to completing 4 “regular” CR TIMES Feature Articles. There are 10 multiple-choice questions at the end of this Article instead of the usual 4 questions. Investigators must answer 7 out of 10 questions correctly to get “credit” for completing the module. So, for the 2013-2015 recertification cycle, investigators must accumulate 36 correct quiz answers from the CR TIMES Feature Articles published between September 2011 and February 2013, PLUS 7 correct quiz answers for the March 2013 Feature Article’s privacy and confidentiality module. Please see the “Dear IRB” questions in this issue for FAQs related to the human subjects protection recertification training at BUMC.


Introduction

Privacy and confidentiality are related, but not identical. Confidentiality concerns the containment of information within a defined circle. Privacy, however, concerns the ethical and legal right of individuals to control the sharing of information about themselves. A central premise of receiving medical treatment is that individuals divulge their medical information for the purpose of receiving treatment. This idea is embodied in the HIPAA Privacy Rule: the primary function of health information is treatment and its closely allied purposes, payment and health care operations. The purpose of this module is to address research uses and disclosures of health information specifically. It is important for all researchers to understand that research-specific permission is needed to access and use people's health information for research. Having access to health information for clinical care or billing purposes does not automatically permit use of that same information for research purposes. This is the case even for individuals who are your own patients.


Start with the Recruitment Team: Organize and Train Appropriately

As part of their clinical role, hospital staff are granted access to patients’ protected health information (PHI) in their roles as treatment providers, or as individuals involved in the payment for treatment and the conduct of healthcare operations (TPO).  The role of researcher requires “special” permission along one of six basic pathways.  Some research may involve using two or more of the pathways in a single study.

Use or disclosure of individuals’ data for research often requires multiple levels of review and approval, depending on the amount of data being requested, identifiability and sensitivity of the information, the affiliations of the data recipients, and whether the individuals have authorized the use or disclosure of their information for research purposes.

Research that involves accessing, collecting, and/or recording data about research subjects usually requires the following approvals:   

  • HIPAA and Privacy review: Most, but not all, human research conducted at Boston Medical Center or Boston University is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In addition, other state and federal privacy laws apply to “sensitive” types of information, e.g., HIV/AIDS, drug and alcohol abuse treatment, genetic testing, and psychotherapy treatment. At Boston Medical Center and Boston University Medical Campus, the BUMC IRB is responsible for reviewing the applicability of HIPAA and other privacy laws to determine what kind of HIPAA or other privacy law “approval” is required. See the next section for more information about when the HIPAA rule applies to research.
  • Institutional permissions: In addition to IRB approval and HIPAA/privacy law permission, any investigators who wish to access PHI directly from a covered entity (i.e., the institution holding the PHI) must obtain the permission of that entity to access their data.  More information about this will be provided later in this module.

Key Points:

  • Some research, because of the type of data being used, requires that extra regulatory requirements under HIPAA be met in addition to IRB approval.  
  • Those who have permission to access, use, and disclose data for TPO (treatment, payment and healthcare operations purposes) do NOT automatically have permission to access that same data for research.  The prohibition also applies to individuals who are your own patients.

 

When do HIPAA rules apply?

HIPAA “covered entities” are health plans, health care clearinghouses, and health care providers (institutions and individuals) that transmit health information electronically in connection with certain defined HIPAA transactions, such as billing or eligibility inquiries. Researchers as such are not covered entities, unless they are also health care providers and engage in any of the covered electronic transactions. If, however, researchers are employees or other workforce members of a covered entity (e.g., a hospital or health insurer), then they must comply with that entity's privacy policies and procedures, including HIPAA.  Researchers who are not themselves covered entities, or who are not workforce members of covered entities, are indirectly affected by the Privacy Rule when they seek health information from a covered entity.

The HIPAA Privacy Rule establishes a category of health information, referred to as Protected Health Information (PHI), which may be used or disclosed to others only in certain circumstances or under certain conditions. PHI is a subset of individually identifiable health information (IIHI). With certain exceptions, the HIPAA Privacy Rule applies to IIHI created or maintained by a covered entity. Caveat: HIPAA distinguishes between use and disclosure of PHI.  Use means to share, employ, apply, utilize, examine, or analyze IIHI within the Covered Entity. Disclose means to release, provide access, or divulge IIHI OUTSIDE the Covered Entity.

At Boston Medical Center and Boston University Medical Campus:

  • The main covered entities are Boston Medical Center and the BU Dental Plan.
  • If research data are obtained directly from research subjects by investigators who are not part of the covered entity, then usually the HIPAA rule does not apply. However, basic protections related to subject privacy and confidentiality still apply to ALL research subjects under the “Common Rule” even if the HIPAA regulations do not apply.
  • Example:  Investigators from BU School of Public Health (not part of BMC covered entity) plan to obtain data about research subjects from BMC clinical and billing records (covered entity).  Since the research data are coming from the covered entity, HIPAA rules apply even though the researchers are not members of the covered entity.

Key Points

Research data obtained by researchers who are NOT part of a covered entity are subject to the HIPAA rule if the data are obtained from a covered entity.

 

Privacy, confidentiality, and minimizing risks

Privacy
“Privacy can be defined in terms of having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others." (1) The gold standard for research privacy protection is the research subjects’ specific consent and authorization for the use of their data in research. When subjects give specific consent and authorization for each use of their data, there is low risk to research privacy. Privacy risks increase when individuals’ private information is used for research without the subjects’ express consent and/or authorization. The risks increase even more when the data are sensitive and contain identifiers.

Confidentiality
“Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others in ways that are inconsistent with the understanding of the original disclosure without permission." (2)  In other words, confidentiality refers to how the private information that has been obtained will be used, stored, and transmitted. Protecting confidentiality refers to ensuring that research data are protected in ways that are consistent with the subjects’ expectations.  

Minimizing risks
Research risks go beyond physical risks. Violations of subjects’ privacy or breaches of confidentiality can be quite serious and could result in criminal or civil liability for subjects or could cause damage to a subject’s financial standing, employability or reputation.
 
In order to approve research, the IRB must make a number of determinations  in accordance with the Health and Human Services (HHS) “Common Rule” regulations and the FDA regulations. Two of these determinations relate specifically to privacy and confidentiality:  That risks to subjects (including risks to privacy and confidentiality) are minimized; and that there are adequate provisions within the research plan to protect the privacy of subjects and to maintain the confidentiality of the data.  These determinations, while not exactly the same as the regulations in the HIPAA Privacy Rule, are consistent with and overlap significantly with the Privacy Rule.  

In general, there are numerous ways that research can be designed and implemented to help ensure that risks to privacy and confidentiality are minimized and that subjects’ private information (including but not limited to health information) is protected.  Some of these include:

  • Ensuring that, whenever possible, informed consent is obtained from subjects and that the informed consent clearly describes the planned research uses of data and any potential risks associated with that use.
  • Ensuring that, whenever possible, and when applicable, HIPAA authorization is obtained from subjects for research use of their PHI.
  • Research data are de-identified to the extent possible to conduct the research.  This is particularly important when research data contain sensitive information.
  • When subject consent/authorization cannot be obtained, use of subjects’ clinical data for research is limited to what is minimally necessary to conduct the research and does not represent greater than minimal risk to patients’ privacy and confidentiality.
  • Ensuring that, whenever possible, research data collection forms do not contain identifiers that allow subjects to be readily identified.  Instead, when research data must be associated with individual subjects, the research data are “coded”.  This means that the data collection forms (CRFs) are identified by a unique study ID which is linked to identifiers via a master code/master key. The master code is stored separately from the research data, and access to the master code is limited to internal investigators who need it to conduct the research.  The master code is NOT released to anyone outside the institution (e.g., to sponsors, external investigators, etc.) without specific permission from the IRB.
  • Research data are only collected by research staff trained in proper research procedures for obtaining, storing and transmitting of data.
  • Whenever possible, research data that must be obtained from patients’ medical records without their specific consent and authorization are provided by the covered entity (e.g., the Clinical Data Warehouse) rather than having researchers go through patient records themselves to collect research data.
  • Clinical records are only accessed for research purposes by researchers who have the appropriate permission from the covered entity to do so.
  • Data are stored and transmitted in a way that minimizes risks of breaches in confidentiality.
  • Research data are not removed from the institution or released to those outside the institution without the required IRB approval and HIPAA review.  

Key Points:

  • Protection of privacy and confidentiality is required for all human research, whether or not the research is subject to the HIPAA privacy rule.
  • Think of privacy as an individual’s right to control access to his/her private information.  Privacy protections include measures such as subjects granting informed consent and HIPAA authorization for the use of their data for research.
  • Think of confidentiality protections as the security measures that are put in place to ensure that the research data is protected in a manner consistent with the expectations of the subject.  Specifically, confidentiality protections include a detailed plan for how data will be recorded, stored, transmitted and destroyed. 
  • Whenever possible, research data that contain private/sensitive information must be “coded”, and the master code that links the data to subject identifiers must be stored separately and never released to outsiders without specific IRB approval.

 

HIPAA requirements

When research requires access to data that is protected under the HIPAA Privacy Rule, then additional regulatory requirements must be met. The following represents a general overview of the various types of “permissions” available for use of subjects’ PHI in research.  More detailed descriptions can be found on the BUMC HIPAA website.

Pathway 1- HIPAA Authorization
A valid HIPAA Authorization is a document, signed by an individual or his/her legally authorized representative (LAR), which allows a covered entity to use or disclose that individual’s PHI for purposes described in the authorization.  Obtaining authorization from each subject to use or disclose PHI for research is the “gold standard”. A HIPAA Authorization can be combined with the research informed consent document.  A valid HIPAA authorization must contain certain elements and statements including:

  • A description of the PHI to be used or disclosed
  • The names or identification of the person(s) authorized to use or disclose the research information, and those to whom the covered entity can disclose the information
  • A description of the purpose(s) of each use/disclosure
  • Authorization expiration date or statement that there is no expiration date.
  • Signature of the adult individual or his/her legally authorized representative and the date
  • Statements about individuals’ rights to revoke authorization and how to do it; whether research-related treatment can be conditioned on Authorization and consequences of refusing to sign the Authorization; and a statement about the potential risk that PHI will be re-disclosed by the recipient and no longer protected by the Privacy Rule.

BUMC has language for use in obtaining HIPAA Authorization.  Investigators can access this template via INSPIR (IRB electronic submission software) as part of the informed consent template.  The HIPAA Authorization must be modified to reflect the specifics of each individual research project.  The HIPAA Authorization, as a part of the informed consent document, requires approval by the IRB prior to use.  All HIPAA Authorizations at BUMC must have a currently active validation stamp.

Key Points:

  • Obtaining an individual’s specific permission, via a HIPAA Authorization, to use their PHI for research is the “gold standard”.
  • HIPAA Authorizations, by federal regulation, must include certain language and must be signed by the adult subject or his/her Legally Authorized Representative (LAR).

 

Accessing PHI for Research without HIPAA Authorization

Although obtaining Authorization from subjects or their Legally Authorized Representatives (LAR) for use of their PHI for research is ideal, it is not always possible or reasonable. The federal rule allows for several other options for obtaining PHI for research. When the IRB reviews the research, it considers each of these options. The goal is always to minimize the risks to subjects’ privacy and confidentiality; therefore, the IRB will approve the least risky option (the one containing the fewest identifiers), since limiting access to identifiable information to only what is minimally necessary to accomplish the goals of the research offers the best protection to subjects who have not specifically authorized the use of their data for research.

Considerations of IRB when reviewing HIPAA requests for data without HIPAA Authorization:

  • When possible, data should be stripped of all identifiers.
  • When possible, research data should be released to investigators by the covered entity (e.g., the BMC Clinical Data Warehouse) rather than having investigators directly accessing subjects’ paper and electronic records to collect research data.
  • Requested data sets that cannot be completely de-identified must include the minimum necessary identifiers/data to accomplish the research goals. The IRB protocol should clearly describe why the data is needed and how it will be used/analyzed.
  • Access to sensitive data requires further restrictions when the data sets include HIPAA identifiers.    

There are three basic options (pathways) for obtaining IRB approval for accessing/collecting/recording PHI (as research data) about living subjects without HIPAA authorizations. Each of these options will be briefly described below. Additional information and the corresponding forms to be used at BUMC can be found on the BUMC HIPAA webpage.  In most instances, these types of requests are mutually exclusive, so in most cases only one type of HIPAA permission is needed for a single research project.

Pathway 2 - De-identified Data
HIPAA “de-identified data” are datasets that have been stripped of all 18 HIPAA identifiers. In order for a data set to be considered “de-identified”, none of the 18 HIPAA identifiers can be included in the data set. Here are key points to remember about de-identified data and de-identified data sets:

  • Obvious HIPAA identifiers include demographic information about individuals such as names, addresses (subdivisions smaller than state), telephone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, and health plan beneficiary numbers.
  • Other, less obvious HIPAA identifiers, include any other unique account numbers, certificate or license numbers, vehicle identification numbers, medical device identification or serial numbers, personal website URLs, internet protocol (IP) addresses, fingerprints, voiceprints, or other biometric identifiers, and full-face photographic images.
  • IMPORTANT information about dates: Dates beyond year (such as month/year or day/month/year) are HIPAA identifiers. This includes dates of birth or death, dates of procedures, dates of treatment, date of admission /discharge, etc.   If a data set contains these dates, then it cannot be called “de-identified”.    
  • Ages beyond 89 are also HIPAA identifiers, so all ages over 89 and all elements of dates (including year) indicative of such age cannot be considered as part of a de-identified data set, except that such ages and elements may be aggregated into a single category of age 90 or older.
  • Other unique identifying numbers, characteristics, or codes are considered HIPAA identifiers if they are created from other HIPAA identifiers.   So, a unique study ID that is linked to study data via a master code is not a HIPAA identifier unless the unique study ID is created from another identifier.
    • Example: A unique study ID created in part from subject initials, birthdates, or Social Security number would be a HIPAA identifier. 
  • Geographic subdivisions smaller than a state are considered HIPAA identifiers, except for the initial three digits of the zip code if, according to the current publicly available data from the Census Bureau, the geographic unit contains more than 20,000 people. This means, in most cases, demographics including city or zip code are considered HIPAA identifiers and cannot be included in a HIPAA de-identified data set.
  • Patient initials are considered identifiers.
  • As part of its review, the IRB will review the research data collection forms and compare them to the request for a De-identified Data set to ensure none of the data elements being collected are HIPAA identifiers.

Pathway 3 - Limited Data Set
A Limited Data Set (LDS) under HIPAA is very similar to a De-identified Data Set because most HIPAA identifiers must be stripped from the dataset. A common descriptive term for an LDS is “facially” de-identified because the data are not identifiable to the casual observer. The difference is that a few specific HIPAA identifiers can be included in an LDS, namely dates and some geo-location information. Here are a few key points about Limited Data Sets:

  • An LDS must be stripped of all HIPAA identifiers noted above, except those related to ages, dates and locations as described below.
  • An LDS can include dates of admission, discharge and other services, and dates of birth/death.
  • An LDS can include ages of subjects (including those over 89).
  • An LDS can include full five-digit zip codes and other geographic subdivisions such as county, city, precinct, and equivalent geo-code (except street address).
  • A data set cannot be both a De-identified Data Set and a Limited Data Set: it is either one or the other depending on the data elements included. An LDS will only be approved when there is justification for why a de-identified data set can’t be used for the research.
  • If an LDS is approved for use, it is REQUIRED that recipients of the data enter into a Data Use Agreement (DUA) with the “covered entity” for use of the LDS. The DUA itself does not have to be submitted to the IRB, but it needs to be retained with the investigators’ study records.
  • If an LDS is obtained from the BUMC Clinical Data Warehouse, then a representative of the covered entity will sign the DUA on behalf of the “covered entity” (Boston Medical Center). If an LDS is obtained from the BU Dental Records, then the Dental School Privacy Officer or Data Administrator will sign the DUA on behalf of that covered entity.

Pathway 4 - Waiver of HIPAA Authorization
In some instances, investigators need to obtain PHI about research subjects that include one or more HIPAA identifiers that are beyond what is allowed in an LDS.  When it is not possible to obtain HIPAA Authorization from the subjects, then the IRB may be able to approve a Waiver of HIPAA Authorization. This HIPAA waiver allows investigators to access/use data with some HIPAA identifiers for research.  A Waiver of Authorization is not needed if only a De-identified Data Set or a Limited Data Set is needed. Here are a few key points about HIPAA Waivers of Authorization:

  • The Waiver must clearly specify all the data points that are being requested.
  • In order to approve a Waiver, the IRB must be able to determine that the research use of PHI does not represent greater than minimal risk to privacy.
  • In order to make the minimal risk determination, the IRB must find that there exists:
    • An adequate plan to protect PHI identifiers from improper use and disclosure
    • An adequate plan to destroy identifiers at the earliest opportunity, consistent with the research
    • Adequate written assurances that the PHI will not be re-used or disclosed to any other entity or person(s)
  • The IRB must also determine:
    • That the research could not be done without the requested health information.
    • That it would not be practical to obtain signed authorizations from the research subjects.
    • That the specific elements of health information that are requested are not more than the minimum necessary to accomplish the goals of the study. (Therefore, it must be clear to the IRB why and how the data elements being requested are necessary to conduct the research.)
  • The minimal risk determination will often be affected by the sensitivity of the information. Identifiable research data that contains especially sensitive information (e.g., alcohol and drug use/treatment; psychiatric illness; HIV and sexually transmitted diseases, etc.) may not qualify for a HIPAA Waiver of Authorization. 

Key Points:

  • A de-identified data set cannot contain any of the 18 HIPAA identifiers.
  • Dates are HIPAA identifiers, so a data set that contains dates such as subjects’ birthdates, dates of procedures, dates of admission, etc. is NOT a de-identified data set.
  • A Limited Data Set (LDS) is like a de-identified data set in that it must be stripped of most HIPAA identifiers. An LDS can contain dates and some location information (e.g., zip codes, city, etc.).
  • Investigators who obtain an LDS must sign a Data Use Agreement (DUA) with the covered entity.
  • A HIPAA Waiver of Authorization is needed for investigators to obtain PHI about subjects when HIPAA Authorization cannot be obtained, and the dataset contains other identifiers beyond a LDS.
  • HIPAA Waivers must be approved by an IRB and can only be approved if certain criteria are met, including that the research does not represent greater than minimal risk to privacy.
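To make the line between Pathways 2, 3 and 4 concrete, here is an added Python example (not code from BUMC or the article) that classifies a constructed data extract as de-identified, a Limited Data Set, or requiring a Waiver of Authorization, reduces a record to what Pathway 2 allows, and flags a study ID built from identifiers. Column names and the small-population ZIP prefix set are assumptions; the 20,000-person threshold, the over-89 age rule and the year-only date rule come from the text above.

```python
"""HIPAA pathway checks for a research data extract (Pathways 2 to 4).

Added example, not code from BUMC or the article. Column names such as
"mrn", "zip5" and "admission_date" are assumed labels for constructed
records; SMALL_ZIP3 is a placeholder, not Census Bureau data.
"""
import re

# Columns that remain HIPAA identifiers in every pathway short of a Waiver
# of Authorization (the names, numbers, biometrics and photos listed above).
DIRECT_IDENTIFIERS = {
    "name", "initials", "street_address", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vin",
    "device_serial", "url", "ip_address", "biometric", "full_face_photo",
}
# Elements a Limited Data Set may keep but a de-identified set may not.
DATE_COLUMNS = {"date_of_birth", "date_of_death", "admission_date",
                "discharge_date", "service_date"}
GEO_COLUMNS = {"zip5", "city", "county"}
# Constructed placeholder: 3-digit ZIP prefixes covering 20,000 or fewer
# people must be collapsed to "000" in a de-identified set.
SMALL_ZIP3 = {"036", "059", "102"}

DATE_RE = re.compile(r"^(\d{4})(-\d{2}(-\d{2})?)?$")  # YYYY[-MM[-DD]]


def _over_89(year, reference_year):
    return reference_year - int(year) > 89


def classify(record, reference_year=2013):
    """Return 'de-identified', 'limited_data_set' or 'waiver_required'."""
    if set(record) & DIRECT_IDENTIFIERS:
        return "waiver_required"
    lds_only = False
    for col, value in record.items():
        value = str(value)
        if col in GEO_COLUMNS or (col == "zip3" and value in SMALL_ZIP3):
            lds_only = True
        elif col == "age" and value.isdigit() and int(value) > 89:
            lds_only = True
        elif col in DATE_COLUMNS:
            m = DATE_RE.match(value)
            if m is None:
                return "waiver_required"  # unparseable date: cannot vouch for it
            # month/day present, or a birth year that alone implies age > 89
            if m.group(2) or (col == "date_of_birth"
                              and _over_89(m.group(1), reference_year)):
                lds_only = True
    return "limited_data_set" if lds_only else "de-identified"


def safe_harbor(record, reference_year=2013):
    """Reduce a record to what the de-identified pathway (Pathway 2) allows."""
    out = {}
    for col, value in record.items():
        value = str(value)
        if col in DIRECT_IDENTIFIERS or col in {"city", "county"}:
            continue  # dropped outright
        if col in {"zip5", "zip3"}:
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
        elif col == "age":
            out["age"] = "90+" if value.isdigit() and int(value) > 89 else value
        elif col in DATE_COLUMNS:
            year = value[:4]
            if col == "date_of_birth" and year.isdigit() and _over_89(year, reference_year):
                continue  # even the year would reveal an age over 89
            out[col] = year  # keep the year only
        else:
            out[col] = value
    return out


def study_id_is_derived(study_id, name="", date_of_birth="", ssn=""):
    """Heuristic: a study ID built from initials, birth date or SSN is itself
    a HIPAA identifier (the Pathway 2 example above); True means reject it."""
    sid = study_id.upper()
    initials = "".join(w[0] for w in name.split()).upper()
    if len(initials) >= 2 and initials in sid:
        return True
    parts = date_of_birth.split("-")
    if len(parts) == 3:
        y, m, d = parts
        if any(p in sid for p in (y + m + d, y[2:] + m + d, m + d + y, m + d + y[2:])):
            return True
    digits = re.sub(r"\D", "", ssn)
    return bool(digits) and (digits in sid or digits[-4:] in sid)


if __name__ == "__main__":
    # Constructed extract, as a Clinical Data Warehouse query might return it.
    extract = {"study_id": "S-0417", "mrn": "00123456", "name": "Jane Q Doe",
               "date_of_birth": "1921-03-12", "admission_date": "2012-11-05",
               "zip5": "02118", "city": "Boston", "age": "91", "dx": "E11.9"}
    print(classify(extract))               # waiver_required
    lds = {k: v for k, v in extract.items() if k not in DIRECT_IDENTIFIERS}
    print(classify(lds))                   # limited_data_set
    print(classify(safe_harbor(extract)))  # de-identified
    print(study_id_is_derived("JQD-210312", "Jane Q Doe", "1921-03-12"))  # True
```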

 

Other types of HIPAA requests for data

There are a few other research-related circumstances that require specific consideration under the HIPAA rule.  These will be briefly described here, but additional details and the associated forms can be found on the BUMC HIPAA webpage.

Pathway 5 – Preparatory to Research (“Prep to Research”)
Under the HIPAA rule, investigators who are part of the covered entity are allowed to gain access to PHI in order to identify potentially eligible subjects. Under the HIPAA Prep to Research, investigators may NOT remove PHI from the covered entity or any of the covered entity’s data sources, including medical records and electronic records. A researcher who is not a part of the covered entity may not use the Prep to Research provision to access PHI. Prep to Research cannot be used to collect research data. It is only used to identify potentially eligible subjects, and it is subject to the following conditions:

  • A Prep to Research can only be used by those who are members of the covered workforce.
  • A Prep to Research must be limited to the minimum necessary information needed.
  • PHI obtained via a Prep to Research cannot be released outside the covered entity.
  • Prep to Research information must be destroyed once the recruitment has been completed.
  • Investigators who receive health information under a Prep to Research and disclose any of that information to other investigators, institutions, or agencies, must keep an accounting of disclosures.  It is the investigator’s responsibility to provide this record of disclosures and retain this information for up to six years.
    • Example: Under an approved Prep to Research, Dr. Curious, a BMC physician/investigator (member of the covered workforce), can look through his patients’ clinical records to obtain the contact information of patients with diagnosis X in order to contact them for study recruitment. Dr. Curious is not allowed, under the HIPAA Prep, to allow his research assistant, who is not part of the covered workforce, to look through medical records to collect the data. Dr. Curious can give the research assistant a list of potentially eligible subjects and their contact information, but this “list” should not contain any PHI, and Dr. Curious must track this disclosure.

Pathway 6 – Decedent Research
There are times when researchers wish to access PHI about individuals but cannot obtain HIPAA Authorization because the individuals are deceased.  In this instance, investigators can request access to this PHI using the HIPAA Decedent Research process.

  • Investigators submit the Decedent Research form to the BUMC IRB office for review.
  • In most cases, the IRB only reviews research proposals that involve “living” subjects; however, in this instance, the BUMC IRB is responsible for reviewing and approving HIPAA Decedent Research requests.
  • In order for these requests to be approved, the investigator must confirm that:
    • The information being requested will be used solely for research purposes.
    • The PHI is the minimum necessary for the purpose of the research.
    • The individuals whose information is being requested are, in fact, deceased (covered entity can require confirmation).
    • If an investigator receives health information under Decedent Research and discloses any of that information to other investigators, institutions, or agencies, then the investigator is responsible for keeping an accounting of disclosures.

Partial HIPAA Waiver

Under the federal research regulations, there is an option that allows for obtaining “verbal consent” in certain situations under the Waiver of Documentation of Consent. There is no equivalent “Waiver of Documentation of HIPAA Authorization” provision under the HIPAA Privacy Rule. However, the IRB/Privacy Board, under its authority to approve HIPAA Waivers, can, under certain circumstances, waive the requirement that subjects or their LARs sign the HIPAA authorizations. These situations are frequently referred to as “Partial HIPAA Waivers”.

  • With a Partial HIPAA Waiver, subjects must still be provided with HIPAA Authorization information; however, a signed HIPAA authorization form does NOT have to be collected from the subjects.
  • Partial HIPAA Waivers are most often used in situations where verbal consent (telephone consent) is being obtained to collect PHI from subjects as part of screening.
  • The IRB can only approve a Partial HIPAA Waiver if the research involving the PHI represents not greater than minimal risk to the subjects.

Key Points:

  • A HIPAA Prep to Research can be used by members of the covered workforce to identify potentially eligible subjects.   PHI cannot be released outside the covered entity.
  • A HIPAA Decedent Research form is used to obtain PHI about deceased individuals.
  • A Partial HIPAA Waiver is used in some situations when subjects will be provided with HIPAA Authorization information, but subjects’ signatures cannot be obtained.  A Partial Waiver is frequently used in situations involving telephone screening.

 

Institutional Permission

In many instances, researchers from Boston Medical Center or Boston University are members of the covered workforce of the entity (BMC) from which they wish to obtain PHI. As such, they may have credentials from that entity to access that entity’s patient records. Others, because their role does not require access credentials or because they are not members of the covered entity’s workforce, do not have credentials to access patients’ clinical records. Those researchers without access credentials will need, in addition to IRB approval, to obtain credentials from the covered entity to be able to directly access paper and/or electronic records.

  • Example: A student or faculty member from BU School of Public Health (not part of the BMC covered entity) wants to directly access BMC medical records to obtain research data. Even if the IRB has approved the collection of clinical data from the medical record for research and approved the HIPAA form, this researcher will need to obtain additional permission from the BMC Privacy & Security Officer before he/she can directly access patients’ medical records. (Note: This additional permission is not required if the researcher is obtaining PHI from the BMC Clinical Data Warehouse rather than by directly accessing patients’ records.)
  • Example: A BMC physician/researcher wishes to review individual BU dental records to obtain some additional clinical information about the research subjects in his study. BMC clinicians are not part of the BU Dental workforce and would therefore need to obtain permission from the BU Dental Privacy Officer before directly accessing BU dental records.
  • Example: BMC investigators have obtained BUMC IRB approval to obtain clinical data from subjects’ medical records. A subject has been treated at both BMC and Sunnyside Hospital. The BUMC IRB cannot grant approval for the BMC investigators to directly access clinical records at Sunnyside Hospital; additional permission from Sunnyside Hospital would also be required. (Note: Sunnyside Hospital may NOT allow external investigators to directly access their patients’ medical records. They may, instead, require that an “internal” Sunnyside investigator be added to the study to access the Sunnyside medical records, or they may require use of a mechanism similar to the BMC Clinical Data Warehouse to release their patient data.)
  • Typically the institution’s Privacy/Security Officer is responsible for maintaining and controlling access to the entity’s protected health information (PHI).
  • FERPA: There are additional regulatory requirements that must be met when a research project involves obtaining research data from students’ educational records.  More information about FERPA can be found at ed.gov.

Key Points:

  • Each covered entity has the responsibility for protecting the confidentiality of the PHI that it creates or maintains.
  • Individuals who are not part of a particular covered entity must obtain specific permission from that covered entity, in addition to IRB approval, prior to directly accessing patients’ records held by that covered entity.
  • IRB review of all research must include a determination that the research plan includes sufficient privacy and confidentiality protections.


HIPAA Security Rule

In addition to protecting research subjects’ privacy, the HIPAA rule also addresses the security of the data. There are three basic objectives of the HIPAA security rule. The first objective is protecting the confidentiality of the data/information against unauthorized access, uses (inside the covered entity) and disclosures (outside the covered entity). The second is protecting the integrity of the data against alteration and destruction. The third objective is ensuring that the data remain accessible to authorized individuals.

The options for storage of research data are varied and include, but are not limited to, paper documents and files, personal computers, smart phones and other devices, USB drives, memory cards, CDs, DVDs, tapes, digital cameras, emails, and files on home computers. There are a number of safeguards that can be used to help protect the security of research data, including, but not limited to:

  • Password protection for accessing electronic records
  • Only placing research data on password-controlled computers/devices
  • Using secure remote access
  • Virus protection software, and backup and recovery programs for computers
  • Ensuring that when PHI is stored on computers/devices not owned or controlled by BU or BMC, the storage practices are compliant with BU/BMC HIPAA security policies
  • Ensuring that portable devices containing PHI are secured at all times to protect against damage or theft
  • Ensuring that technical safeguards and facility safeguards are in place, such as use of password controls, encryption of data, controlling access to research areas with keys and key cards, securing all research files in locked offices or file cabinets, etc.
  • Reporting security breaches (see below)

Reporting of security breaches

Any incident that involves a violation of a research subject’s privacy or a breach of confidentiality must be viewed as an “unanticipated problem (UP) involving risks to subjects or others”. These UPs must be reported immediately (as soon as they are identified) to the IRB and to the Privacy/Security Officer of the covered entity. The most immediate issue will be to limit, as much as possible, any damages resulting from the breach.

Key Points:

  • Protecting the confidentiality of research subjects’ private information requires that certain measures be used for accessing records and for storing and transmitting research data.
  • Research plans must include details of the facility safeguards and technical safeguards for ensuring the confidentiality of the data.
  • Using another person’s authorization to access clinical records, or allowing someone else to use your authorization to obtain research data from clinical records, is a serious violation of institutional policy and confidentiality protections.
  • Any violation of subject privacy (e.g., obtaining PHI without appropriate HIPAA Authorization, Waiver or other process) or breach of confidentiality (e.g., theft of a laptop containing PHI) is considered an Unanticipated Problem (UP) in research and must be reported immediately to the IRB and to the covered entity’s Privacy Officer.


Additional questions

BUMC investigators who are unsure about which HIPAA approvals are necessary for their research proposal can contact the BUMC Clinical Research Resources Office (CRRO) for advice.

Additional information can also be found on the BUMC HIPAA website at www.bumc.bu.edu/hipaa.


Summary

This module represents an overview of the basic issues related to protecting subjects’ privacy and confidentiality in research. Included is an overview of the federal requirements for research under HIPAA. Additional information can be found in the resources listed below.


Additional Resources

  1. IRB Guidebook, Part III.D, Department of Health and Human Services, Office for Human Research Protections.
  2. BUMC HIPAA webpage at www.bumc.bu.edu/hipaa.
  3. Federal Code of Regulations (HHS and FDA) for research.
  4. Federal HIPAA Privacy Rule.
  5. NIH’s website about the HIPAA Privacy Rule.


Quiz

This Quiz applies to the current recertification period from July 1, 2013 to June 30, 2015. This quiz is a requirement for recertification as the Privacy and Confidentiality training module.
