 |
|
| THE HUMAN RESEARCH PROTECTION PROGRAM | ||||||||||||
|
THE COMMITTEE ON HUMAN RESEARCH BRIEF GUIDE TO IMPLEMENTATION OF HIPAA AND THE PRIVACY RULE WHAT IS HIPAA? HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. The intention of HIPAA is to protect patients from inappropriate disclosures of “Protected Health Information” (PHI) that can cause harm to a person’s insurability, employability, etc. WHAT IS PHI? PHI is information that can be linked to a particular person and that is created, used, or disclosed in the course of providing a health care service (i.e., diagnosis or treatment). PHI can be any information, whether spoken, written or electronically stored, including text, video, audio, or images. WHAT IS THE “PRIVACY RULE” AND WHEN MUST WE ENFORCE IT? The Privacy Rule is a nickname for DHHS’ regulation, "Standards for Privacy of Individually Identifiable Health Information," applicable to entities covered by HIPAA. The privacy provisions of HIPAA apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. The DHHS Office for Civil Rights (OCR) is responsible for implementing and enforcing the Privacy Rule, effective April 14, 2003. WHAT DOES THE PRIVACY RULE HAVE TO DO WITH RESEARCH? HIPAA affects only that research which uses, creates, or discloses PHI. Researchers have legitimate needs to use, access, and disclose PHI to carry out a wide range of health research studies. The Privacy Rule protects PHI while providing ways for researchers to access and use PHI when necessary to conduct research. In general, there are two types of human research that would involve PHI:
WHAT IS THE IRB’S ROLE? The IRB will act as a Privacy Board (required by HIPAA) to review the use and disclosure of PHI and to determine whether 1) the subjects should sign a UCSF Subject Authorization for Release of PHI for Research (Spanish version) in addition to the consent to participate in research, or 2) if a Waiver of Authorization may be granted (analogous to a Waiver of Consent under the Common Rule). WHAT WILL RESEARCHERS HAVE TO DO DIFFERENTLY? New Protocols: If researchers are using PHI (according to the definitions on the CHR website), researchers will need to complete and submit the HIPAA Supplement along with their full or expedited, new or renewal application. They will also have to decide if they will be asking subjects to sign an authorization for access to their medical records or whether they are asking the CHR to grant a waiver of authorization, or both. If they are requesting a waiver of consent for screening, recruitment or the conduct of the study, then they should also complete the Waiver of Consent/Authorization form and submit a copy along with the application. If they are asking subjects to sign a Subject Authorization, researchers can download the standard UCSF Subject Authorization from the CHR HIPAA website, complete the form and submit a copy along with the application. The CHR Approval Letters will indicate whether Subject Authorization and/or a Waiver is required. If applying for exempt certification, submit the exempt application only as the HIPAA forms do not apply. Existing Protocols: Subjects enrolled prior to April 14 are “grandfathered in,” meaning their existing consents are HIPAA compliant. New subjects enrolled April 14th or after must sign an Authorization unless a waiver of consent has been granted. Do not submit any HIPAA forms to the CHR until the time of renewal or a modification of the consent form is requested. *With thanks to UC Irvine for sharing this form. |
||||||||||||