 |
| Q. |
What is PHI? |
| A. |
Protected or personal health
information (PHI) is any information in the medical record
or designated record set that can be used to identify an individual
and that was created, used, or disclosed in the course of providing
a health care service such as diagnosis or treatment. HIPAA
defines
18
specific identifiers that create PHI when linked to health
information. In addition to the required CHR approval, HIPAA
authorization is required for research studies that use, create,
or disclose PHI that will be entered in to the medical record
or will be used for healthcare services, such as treatment,
payment or operations.
For example, PHI is used in any research
study that will access the medical record, such as for records
review or recruitment
purposes. Also, studies that create new medical information
because a health care service is being performed as part
of research,
such as diagnosing a health condition or a new drug or
device for treating a health condition, create PHI that will
be
entered into the medical record. For example, sponsored clinical
trails
that submit data to the U.S. Food and Drug Administration
involve PHI and are therefore subject to HIPAA regulations. However, without the 18 identifiers, health information is
not considered to be PHI. For example, a dataset of vital
signs by
themselves do not constitute protected health information.
However, if the vital signs dataset includes medical record
numbers, then
the entire dataset must be protected since it contains an
identifier. These identifiers can include anything that
can be used to identify
an individual such as private information, facial images,
fingerprints, and voiceprints. These can be associated
with medical records,
biological specimens, biometrics, data sets, as well as direct
identifiers of the research subjects in clinical trials.
|
|
| Q. |
What is not PHI? (Research health
information or RHI) |
| A. |
In contrast, some research
studies use data that is person-identifiable because it includes
personal
identifiers such as name, address. However, it is not considered
to be PHI because the data are not associated with or derived
from a healthcare service event (treatment, payment, operations,
medical records), not entered into the medical records, nor
will the subject/patient be informed of the results. Research
health
information (RHI) that is kept only in the researcher’s
records is not subject to HIPAA but is regulated by other human
subjects protection regulations.
An example of this would be a study of brain imaging in schizophrenia
designed to correlate imaging patterns with participant symptoms,
where appropriately consented participants provide facts
about their medical history as part of their voluntary
participation
in the study, and the results of the research will not be
entered into their medical record, e.g. the medical record
will not be
accessed. Some genetic basic research can also fall into
this category such as the search for potential genetic
markers or
promoter control elements. In contrast, genetic testing for
a known disease that is considered to be part of diagnosis,
treatment
and health care would be considered to use PHI and therefore
subject to HIPAA regulations.
|
|
| Q. |
Do all human
research studies use PHI? |
|
| A. |
No. Some research
studies do not collect PHI for their project or for the recruitment
of their research subjects. For example, anonymous surveys and
observational studies that do not collect identifiers do not
use PHI. Another example would be non-medical studies that recruit
subjects through advertisements or flyers where no PHI was accessed
for recruitment or collected for the study. If your study does
not use PHI, then it will not be affected by the new HIPAA regulations. |
|
| Q. |
How do I get approval
to use and disclose PHI from research subjects at UCSF? |
|
| A. |
PHI can be accessed by one or
both methods: |
|
| |
• |
Individual Authorization signed by research
subject (or legal representative) |
|
| |
• |
Waiver of consent/Authorization (CHR approved) |
|
| Q. |
What is the subject’s
authorization? What do I use at UCSF, SFVAMC, and other institutions
or for sponsors? |
|
| A. |
The subject’s
authorization for release of personal health information is
a required supplement to the standard Informed Consent Form.
It does not change any of the information or permissions described
in the Informed Consent Form. This form describes the different
ways that the researcher, research team and the research sponsor
may use the subject’s personal health information (PHI)
for the research study. The subject grants their permission
to access their information when they sign this subject authorization
form. Alternatively, in lieu of obtaining individual subject
authorizations, HIPAA allows the CHR to grant a waiver
of authorization to the investigator.
The University of California
has developed this authorization form and it is located on
the CHR website as the “Authorization
for Release of Personal Health Information for Research (Spanish
version).” All UCSF-affiliated research investigators
obtaining subject authorization to use PHI in their studies
must complete
and use this form (exceptions noted below) without altering
the standard text in the form. Note: the CHR recommends
the use of
the separate Subject Authorization form rather than combining
the authorization language into the informed consent document.
However, investigators have the option to use the combined
consent/authorization if they choose (see consent form samples
on CHR HIPPA web page).
For the San Francisco Veterans Administration
Medical Center
(VAMC) investigators, a VAMC-specific
authorization will
be required in order to access the medical records at the VAMC.
Therefore,
investigators may need to have two authorizations depending
upon which medical records are being accessed.
Also, other non-affiliated medical centers and institutions
may require you to use their version of the authorization
form to
access their medical records. The authorization form originates
from the covered entity that owns the PHI (usually medical
records) for which you are requesting access. However,
smaller clinics
have been accepting the UCSF authorization in lieu of their
own. You should determine in advance what the HIPAA authorization
requirements would be for medical records access. Most
affiliates, institutions, and medical centers will have
HIPAA information
on either their IRB, medical records or HIPAA website.
Clinical trial sponsors may want researchers to use the
sponsor’s
authorization form. At UCSF, research investigators will only
be allowed to use one form (with the exception of the VAMC).
If researchers wish to use their Sponsor’s authorization,
they must submit it to the CHR for review. This will delay approval
as these forms are legal documents representing UC and therefore
require careful review by the Privacy Board (at UCSF, this is
the CHR)
|
| Top
of page |
| Q. |
Can I obtain verbal authorization? |
|
| A. |
Yes, but only if you have a CHR-approved
waiver of authorization which waives the HIPAA requirement for
a written authorization. You will not need to amend your informed
consent phone scripts with HIPAA authorization language. |
|
| Q. |
What is the waiver
of authorization? How do I request a waiver? |
|
| A. |
TA waiver of authorization may
be granted in situations where an individual’s authorization
to access their PHI will not be obtained. There are several types
of research studies that may a need a waiver of authorization
such as: |
|
| |
• |
Reviews of medical records for data collection
(chart reviews) |
|
| |
|
Access to databases that have protected health
information in them |
|
| |
• |
Screening and recruitment purposes |
|
| |
• |
Studies that enroll subjects with verbal consent |
|
| |
For example, studies that access
clinical databases, hospital medical records, appointment logs,
and other similar databases to identify potential subjects
for recruitment purposes may need a waiver of authorization.
In these situations, a researcher is examining PHI without
a subject’s authorization for purposes other than healthcare
treatment, payment, or operations. If the clinic has does not
have a CHR-approved recruitment protocol, then for recruitment
purposes, each research study will have to obtain a CHR-approved
waiver of authorization to screen the clinic’s records
for subjects. If these potential subjects are then later enrolled
in research studies, they must sign both the informed consent
and the authorization forms or the combined consent/authorization.
At UCSF, the CHR, as the Privacy Board for research, is
allowed to grant a waiver of authorization if it can certify
that the research meets the following criteria:
|
|
| |
• |
The research could not be practicably conducted
without access to the PHI. |
|
| |
• |
The research could not practicably be conducted
without the waiver. |
|
| |
• |
The research poses minimal risk to a subject’s
privacy and includes a written assurance that the PHI will not
be reused or disclosed, an adequate plan to protect the information
from improper use or disclosure, and a plan to destroy the identifiers
at the earliest opportunity unless there is a justification for
retaining them. |
|
| |
The CHR will also expect the research
to satisfy the current human subject protection regulations including
that the waiver will not adversely affect the rights and welfare
of the subject and that the risks are reasonable in relation
to the anticipated benefits of the research. Requests for waiver
of authorization must be submitted to the CHR and be approved
prior to accessing the health information. The CHR form for a
Waiver
of Consent/Authorization for Minimal Risk Studies is located
on the CHR web site. A copy must be submitted with the research
application. |
| Top
of page |
| Q. |
Will I be able to review medical
records for research purposes? How do I get access after April
14, 2003? |
|
| A. |
You will be able to do medical
records reviews under HIPAA for research purposes as long as
you have obtained some form of PHI authorization. Health Information
Management Services (HIMS) will require that you show proof of
this authorization before they give you access to medical records.
This proof can be one of the following: |
|
| |
• |
Copy of CHR approval letter with statement
of Waiver of Authorization of individual consent |
|
| |
• |
Copy of CHR approval letter with statement
that Individual Subject Authorization will be obtained |
|
| |
• |
Copy of CHR approval letter with statement
that a Data Use Agreement will be used (not available yet) |
|
| |
• |
Copy of Exempt Certification Form certified
by the CHR |
|
| Q. |
Is
CHR approval required for decedent research at UCSF? |
|
| A. |
It depends on whether PHI will
be accessed and/or whether State, county, or local death data
files will be accessed, as both the Federal and State privacy
laws apply. Even if PHI will not be recorded for research purposes,
the following will apply:
| CHR Requirements for Decedent research |
| Access to or Use of Medical Records |
Use of PHI from State, County, Local Death Data Files |
HIPAA Authorization |
CHR Application
|
| NO |
NO |
None |
None |
| NO |
YES |
Waiver |
Expedited* |
| YES |
Either YES or NO |
Waiver
|
Expedited* |
See Decedent section of Medical
Records Review guidance.
|
| |
|
| Q. |
What is de-identified data? |
|
| A. |
HIPAA allows the patient information
to be "…used and disclosed freely, without being
subject to the Privacy Rule's protections" if has been
de-identified. De-identified PHI has all identifying information
removed but the data could be re-identified if necessary, usually
through means of a code. This code cannot be derived from any
of the elements removed during de-identification. For example,
a unique code cannot be created using the last four digits
of a social security number.
However, the UC
authorization for release of personal health information form does allow for the use of initials, date of
birth and dates of medical care as “personally unidentified
study data”. Typically, this type of data is used in case
report forms (CRF) for quality control purposes where the CRF
is verified with the source documents, especially for sponsors.
There are two acceptable methods for creating de-identified
data (PHI) including the removal of 18
primary and secondary identifiers from the dataset, or, using statistical methods of verifying
that the data could not be used to re-identify a research
subject. Additionally, the researcher must not have actual
knowledge
that the research subject could be re-identified from the
remaining identifiers in the PHI used in the research study.
Note that although the Privacy Rule (HIPAA) allows the unrestricted
use of deidentified data, UCSF requires all human subjects
research to be reviewed by the Committee for Human Research.
You will
still have to submit your research protocol to the CHR
for both evaluation for human subjects research and the
protection
of
privacy. For example, straightforward database studies
that only utilize de-identified data will probably qualify
as
Exempt or
Expedited studies.
|
| Top
of page |
| Q. |
What specific identifiers must
be removed
to create de-identified data? |
|
| A. |
The 18 identifiers that must
be removed for de-identification include:
| 1. |
Names; |
|
| 2. |
All geographical subdivisions smaller
than a State, including street address, city, county,
precinct, zip code, and their equivalent geocodes, except
for the initial three digits of a zip code, if according
to the current publicly available data from the Bureau
of the Census: (1) The geographic unit formed by combining
all zip codes with the same three initial digits contains
more than 20,000 people; and (2) The initial three digits
of a zip code for all such geographic units containing
20,000 or fewer people is changed to 000. |
|
| 3. |
All elements of dates (except year)
for dates directly related to an individual, including
birth date, admission date, discharge date, date of death;
and all ages over 89 and all elements of dates (including
year) indicative of such age, except that such ages and
elements may be aggregated into a single category of
age 90 or older; |
|
| 4. |
Phone numbers; |
|
| 5. |
Fax numbers; |
|
| 6. |
Electronic mail addresses; |
|
| 7. |
Social Security numbers; |
|
| 8. |
Medical record numbers; |
|
| 9. |
Health plan beneficiary numbers; |
|
| 10. |
Account numbers; |
|
| 11. |
Certificate/license numbers; |
|
| 12. |
Vehicle identifiers and serial numbers,
including license plate numbers; |
|
| 13. |
Device identifiers and serial numbers; |
|
| 14. |
Web Universal Resource Locators (URLs); |
|
| 15. |
Internet Protocol (IP) address numbers; |
|
| 16. |
Biometric identifiers, including finger
and voice prints; |
|
| 17. |
Full face photographic images and
any comparable images; and |
|
| 18. |
Any other unique identifying number,
characteristic, or code (note this does not mean the
unique code assigned by the investigator to code the
data) |
|
|
|
| Top
of page |
| Q. |
What is the statistical method
of de-identification? |
|
| A. |
A statistical expert must certify
that the risk is "very small" that anyone could re-identify
the research subjects from the PHI identifiers used in the study.
They must document the methods used to determine that data has
been rendered de-identified. A statistical expert is someone
with "appropriate knowledge and experience with statistical
and scientific principles and methods for rendering information
not individually identifiable". |
| Top
of page |
| Q. |
What is a limited dataset? |
|
| A. |
A limited dataset is a limited
set of identifiable information in which most of the identifiers
for the individual, the individual’s relatives, employers
and household members have been removed. The only allowable
health information identifiers are:
|
|
| |
• |
5 digit zip
code (the 4 digit extension is not allowed) |
|
| |
• |
dates of birth, death, admission, discharge |
|
| |
• |
all geographic subdivisions other than street
address |
|
| |
The advantages of using a limited
dataset include that the disclosures are not subject to HIPAA
accounting requirements and that an individual’s authorization
does not need to be obtained. However, you may be asked to
sign a Data Use Agreement by the purchasing or contracts office
of
the university or other covered entities to give assurances
that the information will be protected.
The CHR will review your Expedited
Application and Waiver
of Consent/Authorization application for satisfactory assurances
on the appropriate use of the limited data set and that all
applicable
humans subject protection regulations have been satisfied.
As in all human subjects research, CHR approval must be
in place
before the limited data set is released to the investigator.
|
|
| Q. |
Do I need a Business Associate
Attachment (BAA) for my research? |
|
| A. |
Maybe. If your research project
will contract a vendor outside of UCSF for a research service
and the vendor may see identifiable personal health information,
then that vendor must have a BAA with UCSF before they begin
the service. Typically, these types of vendor services are
used in research studies that will contract for data analysis,
data entry, and consultations to review data. Equipment repair
vendors that service machines that have PHI stored on them,
such as digital imaging or filmless x-rays, will all need to
have BAA in place.
Note, that the BAA is between the vendor and UCSF, not between
the vendor and you as the investigator. If your project will
need this type of research service, you should contact your
Purchasing Officer who then will negotiate the BAA on your
behalf with the
vendor. BAA forms are located on the UCSF
HIPAA website.
|
|
| Q. |
Does HIPAA apply to my international
study? |
|
| A. |
No. U.S. Federal laws do not apply
to studies conducted overseas or in foreign countries. The standard
methods of protecting confidentiality and privacy for research
in human subjects still apply and you should have these in place.
However, the research subjects do not need to sign an authorization
to allow access to their PHI. |
|
| Q. |
Do I have to modify my currently
approved CHR study? |
|
| A: |
Research studies that have both
CHR approval and signed informed consent documents prior to April
14, 2003 can continue to use the PHI already collected without
revising their documents until their next annual renewal of the
project. However, any new subjects enrolled after April 14, 2003
and before the annual renewal date must sign an Authorization
form in addition to the informed consent document when they are
enrolled.
This is also true for studies that obtained CHR approval
of waiver of consent prior to April 14, 2003. These studies
may continue
without obtaining authorization. However, if at any time
during the transition period these projects change such
that informed
consent will be obtained, then PHI individual authorizations
must also be obtained.
Note that the subjects authorizations can be separate documents
(recommended) or the investigator can use a combined informed
consent/authorization document if it has been approved by
the CHR prior to obtaining signed consent. If at any time
during
the transition period (between April 14, 2003 and the next
annual renewal date) a modification is made to the informed
consent
document, then the investigator can either include HIPAA
compliant language within the informed consent document or
investigators
may opt to continue to use two separate forms. |
| Top
of page |
| Q. |
Can databases or registries be
created under HIPAA? Can I create
a research database without obtaining an authorization from every
single research subject? |
|
| A. |
Yes. HIPAA allows
for the creation of databases for research purposes. A research
database can be created without obtaining individual authorizations
but only with a CHR approved Waiver of Authorization. The proposal
to the CHR must meet all of these waiver criteria, some of which
you may already include as part of the confidentiality discussion
in your research proposal. These criteria include: |
|
| |
1. |
The study represents minimal risk to the privacy
of the individual |
|
| |
2. |
The study could not practicably be done without
access to PHI |
|
| |
3. |
The study could not practicably be done without
a waiver of authorization |
|
| |
The "minimal risk" criteria
must include all of the following three elements: |
|
| |
• |
An adequate plan to protect the identifiers
from improper use and disclosure; |
|
| |
• |
An adequate plan to destroy the identifiers
at the earliest opportunity consistent with the conduct of the
research, unless there is a health or research justification
for retaining the identifiers (or is required by law), and |
|
| |
• |
An adequate written assurance that the PHI
will not be reused or disclosed to anyone else (except for research
oversight, other research studies approved to use the PHI, or
as required by law) |
|
| |
The PHI maintained
in the research database may be disclosed for future research
studies if the investigator either obtains an individual's
authorization or a CHR approved Waiver of Authorization. The
CHR will post further guidance when the Federal and University
of California policies become available.
|
| Top
of page |
| Q. |
How do I protect
the PHI in my study? |
|
| A. |
Investigators are advised to analyze
the flow of PHI through their research projects and develop security
policies for both electronic and hard copy PHI. Any type of physical
or electronic storage may be used. Simple steps may be all that
are required to accomplish the goals of tracking, recovery, and
security.
A tracking system is necessary to account for how the PHI
is stored, used, and shared, e.g. flow of PHI through your
project. A recovery plan simply means having the capability to recover
data if you lose your primary database for both your research
and for HIPAA accountability of any PHI disclosures.
A security system that prevents inadvertent disclosure, loss
or theft of PHI from your project is required. For example,
acceptable security for an isolated computer system or data
system could
include the following:
|
|
| |
• |
Data is kept in locked file cabinet |
|
| |
• |
Data is kept in locked office or suite |
|
| |
• |
Data is stored on a secure network |
|
| |
• |
Electronic data are protected with a password
(computer, PDA, laptop) |
|
| |
• |
Electronic data are protected with automatic
logoff (computer, PDA, laptop) |
|
| |
• |
Data is coded; data key is kept separately
and securely |
|
| |
• |
Data will be de-identified per HIPAA definition |
|
| |
However, there are more serious
issues for securing electronic data transmission as almost every
form of Internet, intranet, and ftp does not protect PHI. All
electronic data should be scanned by anti-virus software both
before sending and receiving encrypted data. Any use of the Internet
to transmit data must be scrutinized very carefully as very few
systems are behind firewalls or within secure zones.
By establishing one protection system and policy for all
of the PHI in a research project, it will be easier to
train personnel,
insure compliance with HIPAA, and maintain the integrity
of the datasets. At UCSF, ITS will provide future guidance
and currently
offers the following on the Information Security website
located at
http://isecurity.ucsf.edu/ : |
|
| |
• |
Free anti-virus software (available now) |
|
| |
• |
Any UCSF affiliate may use this anti-virus
software |
|
| |
• |
Multi-platform security software |
|
| |
• |
Private firewall software for PCs (in future) |
|
| |
• |
Security information and tools |
| |
| Q. |
What is a breach
of security? What should I do if PHI may have been disclosed
to unauthorized
individuals? |
|
| A. |
A breech of security refers
to any unauthorized access to PHI and usually related to electronic
files or devices that contain PHI. Common examples include
the
use of electronic storage devices without password protection,
sending email with PHI outside of the UCSF intranet or to the
wrong person; a laptop/PDA/electronic storage device with PHI
is stolen or lost, and other similar situations.
Investigators, staff and other individuals who are concerned
that there may have been a breech of security for their research
files should contact the CHR immediately. They will work
with you to assess the situation to determine who else may
need
to be notified, as there are two HIPAA security officers
(medical center and campus) as well as a UCSF Privacy Officer.
As HIPAA security polices and procedures are developed, guidelines
will be posted on the websites for UCSF HIPAA
Implementation and the CHR. Please see the FAQ above for protecting your
PHI above as well as consult with your department’s IT staff
for guidance to protect electronic devices. |
| |
|
|
