Use or Disclosure of Protected Health Information in Research

Statement of Policy

Washington University and its member organizations (collectively, “Washington University” or “WU”) are committed to conducting research in compliance with all applicable laws, regulations and WU policies. As part of this commitment, WU has adopted a policy to clearly define the circumstances under which Protected Health Information (PHI) may and may not be Used internally or Disclosed externally in connection with research activities. For purposes of this Policy, WU refers to Washington University, Barnes-Jewish Hospital and St. Louis Children’s Hospital.

Scope of Policy

This Policy covers all PHI, which is or may be created, Used or Disclosed by, through or during research activities. This Policy applies to all faculty, staff (including student employees), students, residents, post-doctoral fellows, and non-employees (including visiting faculty, courtesy, affiliate and adjunct faculty, industrial personnel, fellows, etc.) who conduct research, assist in the performance of research, or otherwise Use or Disclose PHI in connection with research activities at WU. In most cases, the prior review and approval of the Internal Review Board (IRB) will be required in the implementation of this Policy.

Policy

1) Research Use or Disclosure of PHI with Authorization

a) As a general rule, a researcher must obtain an Authorization from all participants in research prior to the internal Use or external Disclosure of PHI for any research related purpose that is not otherwise permitted or required under this Policy.

b) An additional, separate Authorization will be required if the research involves the Use or Disclosure of Psychotherapy Notes. See WU HIPAA Policy on Use or Disclosure of Psychotherapy Notes.

c) An Authorization for Research must be written in plain language, and must contain all of the following elements:

i) a specific and meaningful description of the information to be Used or Disclosed,

ii) the name or identification of the persons or class of persons authorized to make Disclosures of PHI and to Use the PHI for research-related purposes;

iii) the name or identification of the persons or class of persons authorized to receive Disclosures of the PHI and to Use the PHI for research-related purposes;

iv) a description of each purpose of the Use or Disclosure;

v) an expiration date or event, or a statement “end of research study” or “none” when appropriate (ex: for a research database);

vi) the Individual’s signature (or that of his/her authorized representative as determined by Missouri law) and date. (Note: if the Authorization is signed by an authorized representative, include a description of the representative’s authority under Missouri law to act for the Individual);

vii) a statement that the Individual may revoke the Authorization if done in writing to the researcher; however, the researcher may continue to Use and Disclose, for research integrity and reporting purposes, any PHI collected from the Individual pursuant to such Authorization before it was revoked.

viii) a statement that an Individual’s clinical Treatment may not be conditioned upon whether or not the Individual signs the Research Authorization. However, participation in research may be conditioned on a signed Authorization, including Treatment protocols (ex: Phase III clinical trials).

ix) a statement that information Disclosed under the Authorization could potentially be redisclosed by the recipient and would no longer be protected under HIPAA.

e) The Individual must be provided with a copy of the signed Authorization at the time of consent.

2) Procedure for Signing an Authorization

a) Adults

i) a competent Individual, 18 years of age or older, should always sign the Authorization to Use or Disclose his/her PHI. A person is competent if he/she has the general ability to understand the concept of release of his/her medical information.

ii) if an Individual is competent, but unable to sign the Authorization, the person witnessing the form may write in “Patient unable to sign due to ___[insert reason]_____________. Patient gave verbal permission.” The Authorization must be witnessed.

iii) if the Individual is not conscious, coherent or not competent for whatever reason, a legally recognized proxy must sign the Authorization. Missouri and Illinois law recognize the following order of persons capable to serve as proxies.
• Court appointed Guardian, or Proxy designated by Durable Power of Attorney;
• Spouse;
• Adult son or daughter;
• Adult brother or sister;
• Any adult grandchild of the Individual
• Either parent;
• Adult sibling;
• Adult relative by blood marriage; or
• Any other person authorized to provide Authorization.

b) Minors
i) any parent may sign for a minor child in his/her legal custody;

ii) any minor who has been lawfully married and any minor parent or legal custodian of a child may sign for him/herself, his/her child and any child in his/her legal custody;

iii) any minor may sign for him/herself in case of:
• Pregnancy, but excluding abortions;
• Venereal disease;
• Drug or substance abuse in accordance with Missouri law;

iv) any adult standing in loco parentis, whether serving formally or not, may sign for his/her minor charge in case of emergency in accordance with Missouri law; or

v) any guardian of the person may sign for his ward.

vi) During the absence of a parent so authorized and empowered, any adult may sign for his minor brother or sister.

vii) During the absence of a parent so authorized and empowered, any grandparent may sign for his minor grandchild.

viii)”Absence” as used in (vi) and (vii) above shall mean absent at the time when further delay occasioned by an attempt to obtain consent may jeopardize the life, health or limb of the person affected, or may result in disfigurement or impairment of faculties.

3) Waiver of Authorization by IRB

a) In some circumstances, Research Authorizations otherwise required under this Policy may be waived or altered by the IRB, provided the following criteria are satisfied and documented:
i) the Use or Disclosure of PHI involves no more than a minimal risk to the privacy of Individuals, based on the presence of at least the following elements:
• An adequate plan to protect the identifiers from improper Use and Disclosure:
• An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
• Adequate written assurances that the PHI will not be reused or Disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the Use or Disclosure of PHI would be permitted by this Policy;

ii) the research could not practicably be conducted without the Waiver; and

iii) the research could not practicably be conducted without access to and Use of the PHI.

b) A request for Waiver of Authorization must be completed by the researcher and submitted to the IRB for prior review and approval.

c) The IRB shall maintain the following documentation about the Waiver:
i) a statement identifying the IRB and the date on which the Waiver request was approved;
ii) a statement that the IRB determined that the Waiver satisfied the criteria for Waiver;
iii) a statement that the Waiver has been reviewed and approved under either normal or expedited review procedures; and
iv) the documentation is signed by the IRB chair or his/her designee.

d) Uses or Disclosures of PHI made pursuant to a Waiver are subject to the Minimum Necessary rules. See WU HIPAA Policy on Minimum Necessary Request, Use or Disclosure of Protected Health Information.

4) Use and Disclosure of PHI for the Purpose of Contacting and/or Recruiting Potential Research Participants.

a) Physicians, and other Health Care Providers, may contact their own patients for purposes of recruiting them to participate in a research study without an Authorization.

b) Employees of WU Business Unit may Use PHI maintained by that Business Unit to contact prospective research subjects with the prior review and approval of the IRB.

c) Individuals responding to an advertisement regarding participation in a research study may be given an explanation of the study (including, but not limited to, the name of the principal investigator and description of the study) prior to obtaining an Authorization.

d) An Authorization must be obtained from an Individual who has indicated interest in participating in a research study prior to asking the Individual any screening questions that involve PHI.

e) All other Uses and Disclosures of PHI for the purpose of contacting and/or recruiting potential research participants may require an Authorization or Waiver.

5) Use and Disclosure of PHI without Authorization Preparatory to Research.

a) Researchers may Use or Disclose PHI without an Authorization or IRB Waiver for the development of a research protocol, provided that the researcher documents that all the following criteria are satisfied:
i) the Use or Disclosure of PHI is solely to prepare a research protocol;
ii) the researcher shall not record or remove the PHI from WU, except in accordance with the WU HIPAA Policy on Security Measures Required to Comply with Privacy Policies; and
iii) the PHI sought is necessary for the purposes of the research.

b) The researcher will provide documentation to the data custodian that all of the above criteria are satisfied in accordance with the data management registration process of the particular Business Unit.

c) Uses or Disclosures of PHI preparatory to research are subject to the Minimum Necessary rules. See WU HIPAA Policy on Minimum Necessary Request, Use or Disclosure of Protected Health Information.

6) Use and Disclosure of Decedent’s PHI without Authorization

a) Researchers may Use and Disclose a decedent’s PHI for research without an Authorization or IRB Waiver, provided that the researcher documents that all the following criteria are satisfied:

i) the Use will be solely for research on the PHI of a decedent; and
ii) the researcher has documentation of the death of the Individual about whom information is being sought, and
iii) the PHI sought is necessary for the purposes of the research.

b) The researcher will provide documentation to the data custodian that all of the above criteria are satisfied in accordance with the data management registration process of the Business Unit.

c) Uses or Disclosures of a decedent’s PHI for research purposes are subject to the Minimum Necessary rules. See WU HIPAA Policy on Minimum Necessary Request, Use or Disclosure of Protected Health Information.

7) Use or Disclosure of “De-Identified” Health Information

a) De-identified health information is exempt from HIPAA and may be Used or Disclosed for research purposes without an Authorization or IRB Waiver.

b) Researchers must provide documentation to the IRB that the health information has been de-identified by one of the following two methods:

i) Statistical Method. The IRB may determine that health information is de-identified for purposes of this Policy, if an independent, qualified statistician certifies:
• The risk of re-identification of the data, alone or in combination with other data, is very small; and
• Documents the methods and results by which the health information is de-identified, and the expert makes his/her determination of risk. Note: the expert may not be the researcher or anyone directly involved in the research study.

ii) Safe Harbor Method (Removal of All Identifiers). Identifiers concerning the Individual and the Individual’s employer, relatives and household members that must be removed include: names; geographic subdivisions smaller than a state; zip codes; dates directly related to an Individual; telephone numbers; fax numbers; electronic mail addresses; social security numbers; medical record numbers; health plan beneficiary identifiers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators (URL); internet protocol (IP) address numbers; biometric identifiers, including finger and voice prints; full face photographic images; and any other number, characteristic or code that could be used to identify the individual.

c) Re-identification Code. The de-identified information may be assigned a code that can be affixed to the research record that will permit the information to be re-identified if necessary, provided that, the key to such a code is not accessible to the researcher requesting to Use or Disclose the de-identified health information.

8) Limited Data Set

a) A researcher may Use or Disclose a Limited Data Set for any research purpose without an Authorization or Waiver of Authorization.

b) A “Limited Data Set” is defined as PHI that may include any of the following direct identifiers:

i) town, city, State and zip code;
ii) all elements of dates directly related to an Individual, including birth date, admission date, discharge date, and date of death.

c) A Limited Data Set must exclude all of the following direct identifiers of the Individual or of the Individual’s relatives, employers, or household members of the Individual: names; postal address information other than town or city, State, and zip code; telephone numbers; fax numbers; electronic mail addresses; social security numbers; medical record numbers; Health Plan beneficiary identifiers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators (URL); internet protocol (IP) address numbers; biometric identifiers, including finger and voice prints; full face photographic images and any comparable images; and any other number, characteristic or code that could be used to identify the individual.
.
d) A Limited Data Set may be Used or Disclosed only if there is a Data Use Agreement between WU and the recipient of the Limited Data Set.

9) Individual’s Access to Research Information.

a) As a general rule, Individuals who participate in research have a right to access their own PHI that is maintained in a Designated Record Set. See WU HIPAA Policy on Access by Individuals to Protected Health Information.

b) However, Individuals participating in research protocols that include Treatment (i.e.: clinical trials) may be denied access to their PHI obtained in connection with that research protocol, provided that:

i) the PHI was obtained in the course of the research;
ii) the Individual agreed to the denial of access in the Research Authorization;
iii) the research remains in process; and
iv) the Individual’s rights to access such PHI are re-instated once the research study has ended and the Research Authorization has expired.

10) Individual’s Revocation of Research Authorization

a) As a general rule, an Individual may revoke his/her Authorization, in writing to the researcher, at any time.

b) The revocation will be applicable to the protocol or protocols specified by the Individual. However, the researcher may continue to Use and Disclose, for research integrity and reporting purposes, any PHI collected about the Individual pursuant to a valid Authorization before it was revoked.

c) The researcher shall forward a copy of the written revocation to the Privacy Liaison of the Business Unit. The researcher shall also keep copies of all revocations of Authorizations for a specific protocol and report them to the IRB at the time of continuing review.

11) Accounting of Disclosures

a) As a general rule, an Individual must be provided with an accounting of all Disclosures of his/her PHI for research purposes, unless such Disclosure was made pursuant to an Authorization, or is part of a Limited Data Set. See WU HIPAA Policy on Accounting for Disclosures of Protected Health Information.

b) The data custodian must keep records of all disclosures of PHI in the following circumstances:

i) Disclosures pursuant to an IRB waiver;
ii) Disclosures of PHI used in preparation of a research protocol; and
iii) Disclosure of a decedent’s PHI used for research.

c) A simplified accounting procedure may be used if the research Disclosure involves the PHI of more than 50 people. Under the simplified accounting procedure:

i) the Individual must be provided a list of research protocols in which the Individual’s PHI may have been used.

ii) the list must provide the following:

  •  The name of the protocol or other research activity;
  •  A description of the purpose of the study and the type of PHI Disclosed; and
  • The timeframe during which such Disclosures occurred.

iii) upon request, the Privacy Officer, or his/her designee, will assist the Individual in contacting those researchers to whom it is likely that the Individual’s PHI was actually Disclosed.

12) Notice of Privacy Practices

If not previously made available, a Notice of Privacy Practices must be provided to a research participant when an Authorization is obtained. See WU HIPAA Policy on Notice of Privacy Practices.

13) Transition Provision

Researchers may continue to Use and Disclose PHI created or received before and after April 13, 2003, if the researcher has obtained any one of the following prior to such date:
• An Authorization or other express legal permission from an Individual to Use or Disclose the PHI for research;
• The Individual’s Informed Consent to participate in the research; or
• An IRB Waiver of Informed Consent for the research.

Note, however, that a researcher must obtain an Authorization in the event Informed Consent is sought after April 13, 2003, even if a Waiver of Informed Consent was obtained prior to April 13, 2003.

Creation Date: December 10, 2002
Implementation Date: April 14, 2003
Last Revision Date: April 30, 2014