Office of Research Compliance (ORC), University of South Carolina

GENERAL QUESTIONS
1.  Who must comply with the HIPAA Privacy Rule?

The HIPAA Privacy Rule applies to a "covered entity" that uses or discloses "protected health information."

2.  What is a covered entity?

A covered entity is

(1) a health plan

(2) a healthcare clearinghouse, or

(3) a healthcare provider

that transmits any health information in electronic form in connection with healthcare transactions.  In general, a researcher is a covered entity when he or she provides health care that is billed to an insurance plan in addition to conducting research.

The USC School of Medicine Specialty Clinics and our affiliated hospitals are "covered entities".

3.  What is protected health information (PHI)?

PHI is individually identifiable health information, such as patient charts and medical billing and insurance records.  In general, PHI is health information that contains any of the 18 direct individual identifiers that are listed in the HIPAA definition of de-identified data.  All 18 identifiers are listed in response to Question #7.

4.  As a site that sees patients as well as research subjects, am I covered under HIPAA?

Generally, yes.  HIPAA applies to all healthcare providers that use or disclose PHI and bill for payment by electronic transfer of data.

5.  As a site that only conducts research, am I covered under HIPAA?

Any site that uses or discloses PHI and meets the definition of a "covered entity" is covered by HIPAA.  Generally, if PHI is not used or disclosed for purposes of healthcare treatment, payment or other healthcare operations, the site is not a covered entity.  However, even when a site is not a covered entity, if it receives PHI from a covered entity, its use of the data may be restricted by the HIPAA privacy rules.

6.  What is a hybrid entity?

A single legal entity that performs both covered and non-covered functions may choose to be a hybrid entity; for example, a university may have a medical center, which would be covered, and liberal arts schools, which would not.  If the entity declares itself to be a hybrid entity, it must define and designate the parts of the entity that engage in HIPAA-covered functions.  Only those designated parts of the entity need comply with HIPAA.  However, any disclosure (transfer) of protected health information (PHI) between the covered functions and the non-covered functions within the same entity must follow the HIPAA Privacy Rule for use and disclosure of PHI.

Note: USC is a "hybrid entity" with covered components.

7.  What is de-identified data?

De-identified data has all of the following 18 individual identifiers removed:

  • Names
  • Geographic subdivisions smaller than State (e.g., cities, streets, counties)
  • All elements of dates (except year) for dates directly related to an individual, e.g., birthday, date of death, date of hospitalization

◊ Note: All ages over 89 must be aggregated into a single category called "age 90 or older"

  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code, except as permitted by the provision for re-identification.

8.  Does HIPAA have a provision for tracking de-identified data?

Yes.  The process is called re-identification: a random code is assigned to each individual in the data set.  This process may be used to allow traceability of the data as long as the code key is kept securely by the investigator and the identity of the study subjects is not disclosed to the user(s) of the data.  The code may not be derived from information about the individual (a hash of the medical record number or social security number, for example, does not qualify) and may not be otherwise capable of being translated so as to identify the individual.

9.  How does HIPAA affect study subject Informed Consent documents?

The HHS/FDA rules require an informed consent document.  HIPAA requires an individual authorization agreement which contains specific additional elements for use and disclosure of PHI in prospective research.  In addition to an informed consent form, all subjects enrolled on or after the compliance date, April 14, 2003, must also sign a HIPAA authorization agreement.  The authorization agreement can be a separate document or it can be combined with the informed consent document for the research project.

10.  What are the elements that must be included in the authorization agreement?

A brief description of each element follows.  Some of the explanations required are met in current informed consent documents that are well-written and complete.  Others require additional specific wording to be added, either in the informed consent document or in a stand-alone authorization agreement.

  • The authorization must be written in plain language;
  • Each purpose of the requested use or disclosure must be described;
  • The information to be used or disclosed must be identified in a specific and meaningful fashion;
  • The name of the person(s) authorized to make the requested use or disclosure;
  • The name of the person(s) to whom the requested use or disclosure is made;
  • The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization;
  • The covered entity must provide the individual with a copy of the signed authorization;
  • Signature of the individual patient and date;
  • The potential for information disclosed pursuant to the authorization to be redisclosed by the recipient and no longer be protected by this rule;
  • There must be an expiration date or an expiration event for the authorization.  For research, a statement "end of research study", "none", or similar language is sufficient;
  • The individual's right to revoke the authorization in writing;
  • If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual;
  • For studies that involve treatment decisions, a notice that the individual's right of access to PHI contained in the study records has been suspended until the study is completed.

11.  Does HIPAA require changes in the informed consent interview process?

Yes.  When the HIPAA authorization agreement is combined with the informed consent elements, the interview for the study must explain and discuss all of the HIPAA authorization elements in addition to the informed consent elements.

12.  Can study subjects withdraw from the study without exercising their right of formal Revocation of Authorization under HIPAA?

Yes.  The right of study subjects to withdraw from the study at any time for any reason under the Common Rule (HHS and FDA regulations) has not changed.  They can do so by giving verbal notice to the study staff or by simply not reporting for their scheduled visits.  That right is not affected by HIPAA.

However, if the subject wishes to revoke (cancel) the "HIPAA Authorization," as well as withdraw from the study, the revocation must be done in writing to the clinical investigator.

The PHI collected in the study up to the time of Revocation of Authorization can be used or disclosed under the terms of the Authorization Agreement, as needed for orderly withdrawal of the subject and to preserve the integrity of the research data.  However, no further PHI can be collected from the study subject or obtained from his/her medical records.

13.  Must all subjects be re-consented with HIPAA-compliant wording after the compliance date, April 14, 2003?

The HIPAA Privacy Rule requires a written authorization agreement to be explained and signed for all new subjects enrolling in studies on or after April 14, 2003.

Already enrolled subjects are "grandfathered," in that informed consent documents signed prior to April 14, 2003 that do not contain the required HIPAA authorization elements remain valid for continued participation in the study after that date.  However, if new information requires re-consenting of already-enrolled subjects after April 14, 2003, the HIPAA authorization elements must be included in the revised informed consent document, or they must be included in a separate authorization agreement that is explained and agreed to before continuing with the study.

14.  Is recruitment of research subjects considered marketing or a health care operation under HIPAA?

Research recruitment is neither a marketing nor a health care operations activity, but is a separate category in the HIPAA Privacy Rule.

15. May a physician discuss a research study with his/her patients without first obtaining permission under the HIPAA Privacy Rule?

Health care providers who are covered entities and who have a direct treatment relationship with patients may discuss with them the option of enrolling in a clinical trial without either prior patient authorization, or an IRB or Privacy Board waiver of patient authorization.

However, a covered entity may not disclose an individual's PHI to a third party for purposes of recruitment in a research study unless the disclosure follows the HIPAA Privacy Rule.  Generally, one of the following must be met:

  • a signed authorization agreement from that individual patient;
  • a waiver of authorization by an IRB or Privacy Board; or
  • the use is within the scope of "review preparatory research," as discussed below.

16. How does the provision for "review preparatory research" help a researcher recruit study subjects?

A health care provider that is a covered entity may permit access to medical records containing PHI by an outside researcher for the purpose of developing a protocol or determining whether enough potentially eligible candidates are present.  The researcher may review the records without patient authorization or IRB/Privacy Board waiver of authorization.  However, the researcher may not contact the prospective subjects directly or remove PHI from the site.  "Removal" includes telephone, fax, and electronic transmission, as well as physical removal.

17. Do research study sites need to have a Business Associate Agreement with the IRB?

Generally, no.  A Business Associate Agreement (BAA) is a means of assuring protection of PHI when it is disclosed to an entity that performs a service for a covered entity.  Examples are accounting or billing services, attorneys and consultants.

Sponsors, contract research organizations and IRBs generally do not need BAAs because the privacy of the PHI they use and disclose is adequately protected by other parts of the privacy rule.  These include:

  • a HIPAA authorization agreement;
  • IRB or Privacy Board waiver of authorization;
  • de-identification of the data;
  • disclosure of a Limited Data Set;
  • review preparatory to research; and
  • review of PHI of decedents.

Any quality assurance or auditing activities of prospective studies performed by the IRB as part of its study oversight are also covered by the HIPAA Authorization Agreement, since they are part of the IRB's routine and expected activities.  So, no Business Associate Agreement or additional contract or agreement is needed for those IRB activities required by the regulations or guidance.

Generally, where a written confidentiality agreement existed between a covered entity and an entity that provided a service to the covered entity, the agreement should be rewritten to include the BAA required elements.

18. What is a Data Use Agreement?

A covered entity must have a Data Use Agreement with the researcher in order to provide a Limited Data Set to the researcher (defined in Questions #19 and 20).  The Data Use Agreement defines the purposes for which the data will be used and obtains assurances from the researcher that it will not be redisclosed, except under the same restrictions and conditions.  It also requires assurance the researcher will not attempt to identify or contact the individuals whose PHI is contained in the LDS.

19. What is a Limited Data Set (LDS)?

A limited data set is PHI that has all direct identifiers removed.  The LDS was specifically designed for research use.  Authorization or waiver of authorization is not required; however, a Data Use Agreement is required.

20. What are the elements of a LDS?

A Limited Data Set may contain any health information except for certain direct identifiers of individuals or relatives, employers, or household members of the individuals.  Note: This list of elements is not the same as the list under de-identified data.

The direct identifiers that must be removed from an LDS are:

  • Names
  • Postal address information, other than city, State, and zip code
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • URLs (web addresses)
  • IP address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographs
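As an added illustration, not part of this page or of USC's own procedures, the following Python applies the three lists discussed in Questions 7, 8 and 20 to one record: the Safe Harbor de-identification list (all 18 identifiers, geography below state, and all date elements except year removed, with ages over 89 collapsed to "90 or older"), the Limited Data Set list (direct identifiers removed, but city/state/zip and dates kept), and a random re-identification code whose key table stays with the investigator.  The field names, the constructed sample record and the CodeKey class are assumptions made for the example; they are not defined by the Privacy Rule.

```python
"""Safe Harbor de-identification, Limited Data Set, and coded re-identification.

Added example; field names and the sample record below are assumptions
chosen for illustration (the record is constructed, not real patient data).
"""
import re
import secrets

# Direct identifiers named in both lists (Questions 7 and 20).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "face_photo",
}
# Geographic subdivisions smaller than State: removed by Safe Harbor only;
# a Limited Data Set may keep city, State and zip code.
SAFE_HARBOR_ONLY = {"city", "county", "zip"}
# Dates directly related to the individual: Safe Harbor keeps only the year.
DATE_FIELDS = {"birth_date", "admit_date", "death_date"}


def year_only(date_str):
    """Reduce an ISO date (YYYY-MM-DD) to its year, the one date element Safe Harbor keeps."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", date_str)
    if not m:
        raise ValueError(f"unexpected date format: {date_str!r}")
    return m.group(1)


def generalize_age(age):
    """All ages over 89 must be aggregated into the single category '90 or older'."""
    return "90 or older" if age >= 90 else age


def safe_harbor(record):
    """Return the de-identified view of `record` per the 18-identifier list (Question 7)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SAFE_HARBOR_ONLY:
            continue
        if field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = year_only(value)
        elif field == "age":
            out[field] = generalize_age(value)
        else:
            out[field] = value
    return out


def limited_data_set(record):
    """Return the Limited Data Set view (Question 20): direct identifiers removed, dates and zip kept."""
    return {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS}


class CodeKey:
    """Key table linking random subject codes to identities (Question 8).

    The table is held by the investigator and never released with the coded
    data.  Codes come from the OS CSPRNG, so they are not derived from anything
    about the individual; a hash of the MRN or SSN would not qualify, because
    anyone holding the MRN could recompute it and re-identify the subject.
    """

    def __init__(self):
        self._by_code = {}      # code -> identifying fields (the secured key)
        self._by_identity = {}  # mrn  -> code, so repeated exports reuse one code

    def code_for(self, record, identity_field="mrn"):
        ident = record[identity_field]
        if ident not in self._by_identity:
            code = secrets.token_hex(8)  # 64 random bits, assumed sufficient here
            self._by_identity[ident] = code
            self._by_code[code] = {f: record[f] for f in DIRECT_IDENTIFIERS if f in record}
        return self._by_identity[ident]

    def reidentify(self, code):
        """Only the key holder can do this; data recipients never receive the table."""
        return self._by_code[code]


def code_record(record, key, mode="safe_harbor"):
    """Strip identifiers per `mode` and attach the subject's random code instead."""
    base = safe_harbor(record) if mode == "safe_harbor" else limited_data_set(record)
    base["subject_code"] = key.code_for(record)
    return base


# Constructed sample record (not a real person).
SAMPLE = {
    "name": "Jane Q. Public", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "email": "jane@example.com", "phone": "803-555-0100",
    "street_address": "1 Example St", "city": "Columbia", "county": "Richland",
    "state": "SC", "zip": "29208", "birth_date": "1911-02-03",
    "admit_date": "2003-04-14", "age": 92, "diagnosis": "I10",
}

if __name__ == "__main__":
    key = CodeKey()
    print("Safe Harbor:", code_record(SAMPLE, key))
    print("Limited Data Set:", code_record(SAMPLE, key, mode="lds"))
</test>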

21. What happens when a subject cannot provide consent on his/her own behalf but has a caregiver, relative or another person who has the formal authority to do so?

That individual must sign and indicate in writing the basis of his or her authority to act on behalf of the individual who is the subject (for example: healthcare power of attorney, including power of attorney for research; court order; or next-of-kin status when allowed by applicable state law).

22. Does HIPAA require anything different in reporting Adverse Events and Serious Adverse Events to the IRB?

No.  Reporting of adverse events to the IRB is part of the routine reporting that is generally covered by the HIPAA Authorization Agreement.

23. Does HIPAA affect reporting of Adverse Events and Serious Adverse Events to FDA?

Reporting of adverse events and serious adverse events with respect to an FDA-regulated product is specifically permitted without authorization by section 164.512(b) of the HIPAA Privacy Rule.  The reporting must be to FDA or to an entity responsible for reporting the event to FDA.

Covered entities may disclose PHI, without authorization, to a person who is subject to the jurisdiction of the FDA with respect to an FDA-regulated product or activity for which that person has responsibility for the purpose of activities related to the quality, safety, or effectiveness of the product.  For this reporting, HIPAA defines "person" as an individual, institution or corporation.

Such purposes include, but are not limited to, the following:

  • to collect or report adverse events (or similar activities regarding food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations,
  • to track FDA-regulated products,
  • to enable product recalls, repairs, or replacement, or for lookback (including locating and notifying persons who have received products that have been withdrawn, recalled, or are the subject of lookback), and
  • to conduct post-marketing surveillance.

24. How does HIPAA affect reporting of adverse events of a study to the sponsor?

  1. Reporting of adverse events to FDA is allowed without authorization or waiver.  Reporting can be made to a person subject to the jurisdiction of FDA when that person has responsibility for the quality, safety, or effectiveness of FDA regulated products.
  2. Reporting without authorization of the study subject is limited to safety, effectiveness, or quality of the FDA regulated product.  Disclosures to measure the effectiveness of a marketing campaign, for example, are not included.
  3. The regulation states reporting should be made to a responsible person.  "Person" is not limited to an individual, but includes a partnership, corporation, or association.
  4. Foreign public health authorities are not specifically included in the Rule's definition of "public health authority."  The U.S. Department of Health and Human Services (including NIH and FDA) appears to have left the door open to future modification of the rule if experience shows lack of such inclusion is a serious problem.
  5. The reports of adverse events may be made to an authority that is authorized to receive or collect such reports for forwarding to FDA, such as the sponsor of the study or manufacturer of the product.
  6. The reports of adverse events can be made to a private database for tracking products pursuant to FDA direction or requirements for post-marketing surveillance to comply with FDA requirements or direction.
