
National Institutes of Health


How Can Covered Entities Use and Disclose Protected Health Information for Research and Comply with the Privacy Rule?


Key Points:
  • De-identified health information, as described in the Privacy Rule, is not PHI, and thus is not protected by the Privacy Rule.
  • PHI may be used and disclosed for research with an individual's written permission in the form of an Authorization.
  • PHI may be used and disclosed for research without an Authorization in limited circumstances: Under a waiver of the Authorization requirement, as a limited data set with a data use agreement, preparatory to research, and for research on decedents' information.

The Privacy Rule describes the ways in which covered entities can use or disclose PHI, including for research purposes. In general, the Rule allows covered entities to use and disclose PHI for research if authorized to do so by the subject in accordance with the Privacy Rule. In addition, in certain circumstances, the Rule permits covered entities to use and disclose PHI without Authorization for certain types of research activities. For example, PHI can be used or disclosed for research if a covered entity obtains documentation that an Institutional Review Board (IRB) or Privacy Board has waived the requirement for Authorization or allowed an alteration. The Rule also allows a covered entity to enter into a data use agreement for sharing a limited data set. There are also separate provisions for how PHI can be used or disclosed for activities preparatory to research and for research on decedents' information.

It is important to note that there are circumstances in which health information maintained by a covered entity is not protected by the Privacy Rule. PHI excludes health information that is de-identified according to specific standards. Health information that is de-identified can be used and disclosed by a covered entity, including a researcher who is a covered entity, without Authorization or any other permission specified in the Privacy Rule. Under the Privacy Rule, covered entities may determine that health information is not individually identifiable in either of two ways. These are described below.

De-identifying Protected Health Information Under the Privacy Rule

Covered entities may use or disclose health information that is de-identified without restriction under the Privacy Rule. Covered entities seeking to release this health information must determine that the information has been de-identified using either statistical verification of de-identification or by removing certain pieces of information from each record as specified in the Rule.

The Privacy Rule allows a covered entity to de-identify data by removing all 18 elements that could be used to identify the individual or the individual's relatives, employers, or household members; these elements are enumerated in the Privacy Rule. The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information. Under this method, the identifiers that must be removed are the following:

  1. Names.
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available information from the Bureau of the Census:
    1. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
    2. The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Telephone numbers.
  5. Facsimile numbers.
  6. Electronic mail addresses.
  7. Social security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plate numbers.
  13. Device identifiers and serial numbers.
  14. Web universal resource locators (URLs).
  15. Internet protocol (IP) address numbers.
  16. Biometric identifiers, including fingerprints and voiceprints.
  17. Full-face photographic images and any comparable images.
  18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.

Covered entities may also use statistical methods to establish de-identification instead of removing all 18 identifiers. The covered entity may obtain certification by "a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" that there is a "very small" risk that the information could be used by the recipient to identify the individual who is the subject of the information, alone or in combination with other reasonably available information. The person certifying statistical de-identification must document the methods used as well as the result of the analysis that justifies the determination. A covered entity is required to keep such certification, in written or electronic format, for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later.

Other Issues Relating to De-identification

Under the first method, unique identifying numbers, characteristics, or codes must be removed if the health information is to be considered de-identified. However, the Privacy Rule permits a covered entity to assign to, and retain with, the health information a code or other means of record identification if that code is not derived from or related to the information about the individual and could not be translated to identify the individual. The covered entity may not use or disclose the code or other means of record identification for any other purpose and may not disclose its method of re-identifying the information. For example, a randomly assigned code that permits re-identification through a secured key to that code would not make the information to which it is assigned PHI, because a random code would not be derived from or related to information about the individual and because the key to that code is secure.
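The following is an added example, not part of the NIH text or any project's code. It applies the ZIP Code, date and age rules from the identifier list and assigns the random re-identification code described in the paragraph above. The record schema, field names and the sparse ZIP list are assumptions constructed for illustration.

```python
import secrets
from datetime import date

# Constructed sample only: three-digit ZIP units with 20,000 or fewer people.
# A real list must be built from current Bureau of the Census data.
SPARSE_ZIP3_SAMPLE = {"036", "821"}

# Allowlist (assumed schema): fields copied unchanged. Anything not named
# here or handled explicitly below is dropped, so a newly added column
# cannot leak into the output by default.
PASS_THROUGH = {"state", "diagnosis_code"}

AS_OF = date(2024, 1, 15)  # constructed reference date for computing ages


def generalize_zip(zip_code, sparse_zip3):
    """Keep the initial three digits; sparse or malformed values become 000."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5 or digits[:3] in sparse_zip3:
        return "000"
    return digits[:3]


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def generalize_age(age):
    """Ages over 89 are aggregated into a single 90-or-older category."""
    return "90+" if age > 89 else str(age)


def deidentify(record, key_store, as_of=AS_OF, sparse_zip3=SPARSE_ZIP3_SAMPLE):
    """Return a generalized copy of record; store the code-to-MRN key apart."""
    age = age_on(record["birth_date"], as_of)
    out = {k: v for k, v in record.items() if k in PASS_THROUGH}
    out["zip3"] = generalize_zip(record.get("zip", ""), sparse_zip3)
    out["age"] = generalize_age(age)
    # A birth year would itself indicate an age over 89, so it is withheld.
    out["birth_year"] = None if age > 89 else record["birth_date"].year
    # Other dates directly related to the individual keep the year only.
    out["admission_year"] = record["admission_date"].year
    # The code comes from the OS random source, not from a hash or
    # transformation of any field, so it is not derived from the individual.
    code = secrets.token_hex(16)
    key_store[code] = record["mrn"]  # the key; keep it in a separate, secured store
    out["record_code"] = code
    return out


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"name": "Pat Example", "ssn": "000-00-0000", "mrn": "MRN-0001",
     "zip": "82190", "state": "WY", "birth_date": date(1931, 5, 2),
     "admission_date": date(2023, 11, 3), "diagnosis_code": "I10"},
    {"name": "Sam Example", "ssn": "000-00-0001", "mrn": "MRN-0002",
     "zip": "10027-1234", "state": "NY", "birth_date": date(1980, 7, 30),
     "admission_date": date(2023, 12, 24), "diagnosis_code": "E11.9"},
]

if __name__ == "__main__":
    key_store = {}
    for rec in SAMPLE_RECORDS:
        print(deidentify(rec, key_store))
```

The released rows carry only `record_code`; the `key_store` mapping is what permits re-identification and is the part that has to stay secured and undisclosed.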

A covered entity is permitted to de-identify PHI or engage a business associate to de-identify PHI. For example, a researcher may be a covered entity him/herself performing, or may be hired as a business associate to perform, the de-identification. In most cases, the covered entity must have a written contract with the business associate containing the provisions required by the Privacy Rule before it provides PHI to the business associate. In addition, a covered entity, if a hybrid entity, could designate in its health care component(s) portions of the entity that conduct business associate-like functions, such as de-identification.

De-identifying PHI according to Privacy Rule standards may enable many research activities; however, the Privacy Rule recognizes that researchers may need access to and generate identifiable health information during the course of research. Where PHI is needed for research activities, the Privacy Rule permits its use and disclosure if certain standards are met. These standards are discussed in the following sections.

Authorization for Research Uses and Disclosures

One way the Privacy Rule protects the privacy of PHI is by generally giving individuals the opportunity to agree to the uses and disclosures of their PHI by signing an Authorization form for uses and disclosures not otherwise permitted by the Rule. The Privacy Rule establishes the right of an individual, such as a research subject, to authorize a covered entity to use and disclose his/her PHI for research purposes. This requirement is in addition to the informed consent to participate in research required under the HHS Protection of Human Subjects Regulations and other applicable Federal and State law.

Area of Distinction: Permissions for Research

  • HIPAA Privacy Rule: Authorization
  • HHS Protection of Human Subjects Regulations (Title 45 CFR Part 46): Informed Consent
  • FDA Protection of Human Subjects Regulations (Title 21 CFR Parts 50 and 56): Informed Consent

Area of Distinction: IRB/Privacy Board Responsibilities

  • HIPAA Privacy Rule: Requires the covered entity to obtain Authorization for research use or disclosure of PHI unless a regulatory permission applies. Because of this, the IRB or Privacy Board would only see requests to waive or alter the Authorization requirement. In exercising Privacy Rule authority, the IRB or Privacy Board does not review the Authorization form.
  • HHS Protection of Human Subjects Regulations (Title 45 CFR Part 46): The IRB must ensure that informed consent will be sought from, and documented for, each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by, HHS regulations. If specified criteria are met, the IRB may waive the requirements for either obtaining informed consent or documenting informed consent. The IRB must review and approve the Authorization form if it is combined with the informed consent document. Privacy Boards have no authority under the HHS Protection of Human Subjects Regulations.
  • FDA Protection of Human Subjects Regulations (Title 21 CFR Parts 50 and 56): The IRB must ensure that informed consent will be sought from, and documented for, each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by, FDA regulations. If specified criteria are met, the requirements for either obtaining informed consent or documenting informed consent may be waived. The IRB must review and approve the Authorization form if it is combined with the informed consent document. Privacy Boards have no authority under the FDA Protection of Human Subjects Regulations.

Elements of an Authorization

A valid Privacy Rule Authorization is an individual's signed permission that allows a covered entity to use or disclose the individual's PHI for the purposes, and to the recipient or recipients, as stated in the Authorization. When an Authorization is obtained for research purposes, the Privacy Rule requires that it pertain only to a specific research study, not to nonspecific research or to future, unspecified projects. The Privacy Rule considers the creation and maintenance of a research repository or database as a specific research activity, but the subsequent use or disclosure by a covered entity of information from the database for a specific research study will require separate Authorization unless the PHI use or disclosure is permitted without Authorization (discussed later in this section). If an Authorization for research is obtained, the actual uses and disclosures made must be consistent with what is stated in the Authorization. The signed Authorization must be retained by the covered entity for 6 years from the date of creation or the date it was last in effect, whichever is later.

An Authorization differs from an informed consent in that an Authorization focuses on privacy risks and states how, why, and to whom the PHI will be used and/or disclosed for research. An informed consent, on the other hand, provides research subjects with a description of the study and of its anticipated risks and/or benefits, and a description of how the confidentiality of records will be protected, among other things. An Authorization can be combined with an informed consent document or other permission to participate in research. Whether combined with an informed consent or separate, an Authorization must contain the following specific core elements and required statements stipulated in the Rule:

Authorization Core Elements:

  • A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner.
  • The names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure.
  • The names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure.
  • A description of each purpose of the requested use or disclosure.
  • Authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure ("end of the research study" or "none" are permissible for research, including for the creation and maintenance of a research database or repository).
  • Signature of the individual and date. If the individual's legally authorized representative signs the Authorization, a description of the representative's authority to act for the individual must also be provided.

Authorization Required Statements:

  • A statement of the individual's right to revoke his/her Authorization and how to do so, and, if applicable, the exceptions to the right to revoke his/her Authorization or reference to the corresponding section of the covered entity's notice of privacy practices.
  • Whether treatment, payment, enrollment, or eligibility of benefits can be conditioned on Authorization, including research-related treatment and consequences of refusing to sign the Authorization, if applicable.
  • A statement of the potential risk that PHI will be re-disclosed by the recipient. This may be a general statement that the Privacy Rule may no longer protect health information disclosed to the recipient.

The Privacy Rule does not specify who may draft the Authorization, so a researcher could draft it regardless of whether the researcher is a covered entity. However, in order to have a Privacy Rule-compliant Authorization, it must be written in plain language and contain the core elements and required statements, and a signed copy must be provided to the individual signing it if the covered entity itself is seeking the Authorization. The companion piece Sample Authorization Language contains language that illustrates the inclusion of core elements and required statements.

NOTE: If an Authorization permits disclosure of the individual's PHI to a person or organization that is not a covered entity or a business associate acting on behalf of a covered entity (such as a sponsor or funding source of the research), the Privacy Rule does not continue to protect the PHI disclosed to such entity. However, other applicable Federal and State laws between the disclosing covered entity and the PHI recipient may establish continuing protections for the disclosed information. Under the HHS Protection of Human Subjects Regulations or the FDA Protection of Human Subjects Regulations, an IRB may impose further restrictions on the use or disclosure of research information to protect subjects.

An Authorization for research uses and disclosures need not have a fixed expiration date or state a specific expiration event; the form can list "none" or "the end of the research project." However, although an Authorization for research uses and disclosure need not expire, a research subject has the right to revoke, in writing, his/her Authorization at any time. The individual's revocation is effective, except to the extent that the covered entity has taken action in reliance upon the Authorization prior to revocation. For example, a covered entity is not required to retrieve information that it disclosed under a valid Authorization before learning of the revocation. And the preamble to the Privacy Rule states that, for research uses and disclosures, the reliance exception would permit the continued use and disclosure of PHI already obtained with an Authorization to the extent necessary to protect the integrity of the research—for example, to account for a subject's withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.

Waiver or Alteration of the Authorization Requirement

Many health research projects and protocols cannot be undertaken using health information that has been de-identified. Also, it may not be feasible for a researcher to obtain a signed Authorization for all PHI the researcher needs to obtain for the research study. In other cases, a researcher may determine that consents obtained prior to April 14, 2003, that permit the use and disclosure of information obtained from research subjects are inadequate, insufficient, or restrict the research protocol or procedure such that an Authorization may be necessary to permit the PHI use or disclosure for the research.

To address these and other situations that may arise in the course of a research project or protocol, the Privacy Rule contains criteria for waiver or alterations of Authorizations by an IRB or another review body called a Privacy Board. Many of the provisions were modeled on the HHS Protection of Human Subjects Regulations. The Privacy Rule does not alter current requirements that specify when researchers must submit protocols to the IRB for review and approval, and obtain informed consent documents. The Privacy Rule adds to such requirements only when a researcher requests a waiver or an alteration of Authorization. If a covered entity has used or disclosed PHI for research with an IRB or Privacy Board approval of waiver or alteration of Authorization, documentation of that approval must be retained by the covered entity for six years from the date of its creation or the date it was last in effect, whichever is later.

For research uses and disclosures of PHI, an IRB or Privacy Board may approve a waiver or an alteration of the Authorization requirement in whole or in part. A complete waiver occurs when the IRB or Privacy Board determines that no Authorization will be required for a covered entity to use and disclose PHI for a particular research project. A partial waiver of Authorization occurs when an IRB or Privacy Board determines that a covered entity does not need Authorization for all PHI uses and disclosures for research purposes, such as disclosing PHI for research recruitment purposes. An IRB or Privacy Board may also approve a request that removes some PHI, but not all, or alters the requirements for an Authorization (an alteration).

The Privacy Rule does not change IRB membership requirements, jurisdiction on matters concerning the protection of human subjects, or other procedural IRB matters. The Privacy Rule states that the required documentation must indicate that the IRB followed normal or expedited procedures in reviewing and approving the waiver or alteration. Thus, an IRB's authority to act on waiver or alteration requests under the Privacy Rule is in addition to the other authorities derived from the HHS Protection of Human Subjects Regulations and other applicable statutes and regulations. The process and criteria for obtaining a waiver of Authorization under the Privacy Rule is similar to the process and criteria for waiving informed consent in the HHS Protection of Human Subjects Regulations. Additional information on the Privacy Rule and IRBs can be found in the companion piece entitled Institutional Review Boards and the HIPAA Privacy Rule.

Privacy Boards are new, alternative review boards authorized by the Privacy Rule to review requests for alteration or waiver of a research Authorization. If a covered entity is to use or disclose PHI on the basis of a waiver or an alteration of Authorization from a Privacy Board, the Board must be established in accordance with Section 164.512(i) of the Privacy Rule. These provisions state that:

  • Members must have varying backgrounds and appropriate professional competencies as necessary to review the effect of the research protocol on individuals' privacy rights and related interests.
  • Each Board must have at least one member who is not affiliated with the covered entity or with any entity conducting or sponsoring the research and who is not related to any person who is affiliated with such entities.
  • Members may not have conflicts of interest regarding the projects they review.

Additional information on the Privacy Rule and Privacy Boards can be found in the companion piece entitled Privacy Boards and the HIPAA Privacy Rule.

Documentation of the waiver or alteration of Authorization must include a statement identifying the IRB or Privacy Board that made the approval and the date of approval. Among other things, the documentation must also include statements that the IRB or Privacy Board has determined that the waiver or alteration of Authorization, in whole or in part, satisfies the following criteria:

  1. The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
    1. An adequate plan to protect health information identifiers from improper use and disclosure.
    2. An adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research (absent a health or research justification for retaining them or a legal requirement to do so).
    3. Adequate written assurances that the PHI will not be reused or disclosed to (shared with) any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
  2. The research could not practicably be conducted without the waiver or alteration.
  3. The research could not practicably be conducted without access to and use of the PHI.

The Privacy Rule does not require an IRB or Privacy Board to review the form or content of the Authorization a researcher or covered entity intends to use, or the proposed uses and disclosures of PHI made according to an Authorization. Under the Privacy Rule, an IRB or Privacy Board need only review requests to waive or alter the Authorization requirement.

Many research projects take place at multiple sites and/or require the use and disclosure of PHI created or maintained by more than one covered entity (collectively, multisite projects). Frequently, different IRBs are involved in multisite project reviews. The same situation is expected to occur with Privacy Boards. In some circumstances, Privacy Boards and IRBs will coexist. Where these boards coexist, the Privacy Rule does not require approval of a waiver or an alteration of Authorization by both bodies because a covered entity may rely on a waiver or an alteration of Authorization approved by any IRB or Privacy Board, without regard to the location of the approver.

HHS has stated (65 Federal Register 82692, December 28, 2000) that a covered entity's responsibility is to "obtain the documentation that one [emphasis added] IRB or privacy board has approved the alteration or waiver of Authorization." Consequently, the Privacy Rule allows a waiver or an alteration of Authorization obtained from a single IRB or Privacy Board to be used to obtain PHI in connection with a multisite project. However, HHS also recognizes that "covered entities may elect to require duplicate IRB or Privacy Board reviews before disclosing [PHI] to requesting researchers" (67 Federal Register 53232, August 14, 2002). While the Privacy Rule does not address potential splits between IRBs and Privacy Boards, HHS "strongly encourages researchers to notify IRBs and privacy boards of any prior IRB or privacy board review of a research protocol" (65 Federal Register 82692, December 28, 2000).

Area of Distinction: Review of Cooperative Research

  • HIPAA Privacy Rule: Requests to waive or alter the Authorization requirement are reviewed and approved by an IRB or Privacy Board. The Privacy Rule permits a covered entity to reasonably rely on the decision of an IRB or Privacy Board, if the covered entity obtains appropriate documentation of such determination.
  • HHS Protection of Human Subjects Regulations (Title 45 CFR Part 46): Each institution is responsible for safeguarding the rights and welfare of human subjects and for complying with the HHS Protection of Human Subjects Regulations. With the approval of HHS, an institution participating in a cooperative project may enter into a joint review arrangement, rely upon the review of another qualified IRB, or make similar arrangements for avoiding duplication of effort.
  • FDA Protection of Human Subjects Regulations (Title 21 CFR Parts 50 and 56): Cooperative research/multi-institutional studies may use joint review, reliance upon the review of another qualified IRB, or similar arrangements aimed at avoiding duplication of effort.

Area of Distinction: Waivers of Authorization or Informed Consent Requirements

  • HIPAA Privacy Rule: Allows waiver or alteration of Authorization when IRB or Privacy Board deems the following criteria are met: (1) Use or disclosure involves no more than minimal risk to the privacy of individuals because of the presence of at least the following elements: (a) An adequate plan to protect health information identifiers from improper use or disclosure, (b) an adequate plan to destroy identifiers at the earliest opportunity absent a health or research justification or legal requirement to retain them, and (c) adequate written assurances that the PHI will not be used or disclosed to a third party except as required by law, for authorized oversight of the research study, or for other research uses and disclosures permitted by the Privacy Rule; (2) research could not practicably be conducted without the waiver or alteration; and (3) research could not practicably be conducted without access to and use of PHI.
  • HHS Protection of Human Subjects Regulations (Title 45 CFR Part 46): Permits an IRB to waive some or all of the elements of informed consent, or to waive the requirement to obtain informed consent, provided the IRB finds and documents that (1) the research involves no more than minimal risk to the subjects; (2) the waiver or alteration will not adversely affect the rights and welfare of the subjects; (3) the research could not practicably be carried out without the waiver or alteration; and (4) whenever appropriate, the subjects will be provided with additional pertinent information after participation. Permits an IRB to waive the requirement for the investigator to obtain a signed consent for some or all of the subjects if it finds either (1) that the only record linking the subject and the research would be the consent document and the principal risk would be potential harm resulting from a breach of confidentiality; or (2) that the research presents no more than minimal risk of harm to subjects and involves no procedures for which written consent is normally required outside of the research context.
  • FDA Protection of Human Subjects Regulations (Title 21 CFR Parts 50 and 56): Permits FDA to waive the IRB review requirement. Permits an IRB to approve a clinical investigation without subjects' informed consent in certain circumstances specified in 21 CFR 50.23 and 21 CFR 50.24. These include (1) circumstances in which immediate use of the test article is, in the investigator's opinion, required to preserve the life of the subject, and time is not sufficient to obtain informed consent; (2) circumstances when the U.S. President may waive informed consent for military personnel for administration of an investigational product to members of the armed forces; and (3) circumstances involving emergency research.


Limited Data Set and Data Use Agreement

The Privacy Rule permits a covered entity, without obtaining an Authorization or documentation of a waiver or an alteration of Authorization, to use and disclose PHI included in a limited data set. A covered entity may use and disclose a limited data set for research activities conducted by itself, another covered entity, or a researcher who is not a covered entity if the disclosing covered entity and the limited data set recipient enter into a data use agreement. Limited data sets may be used or disclosed only for purposes of research, public health, or health care operations. Because limited data sets may contain identifiable information, they are still PHI.

Limited Data Set - Refers to PHI that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's Authorization or a waiver or an alteration of Authorization for its use and disclosure, with a data use agreement.

Data Use Agreement - An agreement into which the covered entity enters with the intended recipient of a limited data set that establishes the ways in which the information in the limited data set may be used and how it will be protected.

A limited data set is described as health information that excludes certain, listed direct identifiers (see below) but that may include city; state; ZIP Code; elements of date; and other numbers, characteristics, or codes not listed as direct identifiers. The direct identifiers listed in the Privacy Rule's limited data set provisions apply both to information about the individual and to information about the individual's relatives, employers, or household members. The following identifiers must be removed from health information if the data are to qualify as a limited data set:

  1. Names.
  2. Postal address information, other than town or city, state, and ZIP Code.
  3. Telephone numbers.
  4. Fax numbers.
  5. E-mail addresses.
  6. Social security numbers.
  7. Medical record numbers.
  8. Health plan beneficiary numbers.
  9. Account numbers.
  10. Certificate/license numbers.
  11. Vehicle identifiers and serial numbers, including license plate numbers.
  12. Device identifiers and serial numbers.
  13. Web universal resource locators (URLs).
  14. Internet protocol (IP) address numbers.
  15. Biometric identifiers, including fingerprints and voiceprints.
  16. Full-face photographic images and any comparable images.

A data use agreement is the means by which covered entities obtain satisfactory assurances that the recipient of the limited data set will use or disclose the PHI in the data set only for specified purposes. Even if the person requesting a limited data set from a covered entity is an employee or otherwise a member of the covered entity's workforce, a written data use agreement meeting the Privacy Rule's requirements must be in place between the covered entity and the limited data set recipient.

The Privacy Rule requires a data use agreement to contain the following provisions:

  • Specific permitted uses and disclosures of the limited data set by the recipient consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the Privacy Rule).
  • Identify who is permitted to use or receive the limited data set.
  • Stipulations that the recipient will
    • Not use or disclose the information other than permitted by the agreement or otherwise required by law.
    • Use appropriate safeguards to prevent the use or disclosure of the data, except as provided for in the agreement, and require the recipient to report to the covered entity any uses or disclosures in violation of the agreement of which the recipient becomes aware.
    • Hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the data use agreement with respect to the information.
    • Not identify the data or contact the individuals.

If a covered entity is the recipient of a limited data set and violates the data use agreement, it is deemed to have violated the Privacy Rule. If the covered entity providing the limited data set knows of a pattern of activity or practice by the recipient that constitutes a material breach or violation of the data use agreement, the covered entity must take reasonable steps to correct the inappropriate activity or practice. If the steps are not successful, the covered entity must discontinue disclosure of PHI to the recipient and notify HHS.

Section 164.512 of the Privacy Rule also establishes specific PHI uses and disclosures that a covered entity is permitted to make for research without an Authorization, a waiver or an alteration of Authorization, or a data use agreement. These limited activities are the use or disclosure of PHI preparatory to research and the use or disclosure of PHI pertaining to decedents for research.

Activities Preparatory to Research

For activities involved in preparing for research, covered entities may use or disclose PHI to a researcher without an individual's Authorization, a waiver or an alteration of Authorization, or a data use agreement. However, the covered entity must obtain from a researcher representations that (1) the use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research, (2) the PHI will not be removed from the covered entity in the course of review, and (3) the PHI for which use or access is requested is necessary for the research. The covered entity may allow the researcher to make these representations in written or oral form.

According to HHS guidance on the Privacy Rule,

The preparatory to research provision permits covered entities to use or disclose protected health information for purposes preparatory to research, such as to help study recruitment. However, the provision at 45 CFR 164.512(i)(1)(ii) does not permit the researcher to remove protected health information from the covered entity's site. As such, a researcher who is an employee or a member of the covered entity's workforce could use protected health information to contact prospective research subjects [emphasis added]. The preparatory research provision would allow such a researcher to identify prospective research participants for purposes of seeking their Authorization to use or disclose protected health information for a research study.

Under the preparatory to research provision, a covered entity may let a researcher who works for that covered entity use PHI for purposes preparatory to research. A covered entity may also permit, as a disclosure of PHI, a researcher who is not a workforce member of that covered entity to review PHI (within that covered entity) for purposes preparatory to research. Within a hybrid entity, the situation is similar. A covered entity that is a hybrid entity may permit a researcher within its health care component to use, without an individual's Authorization, PHI for activities preparatory to research. A covered entity may also permit a researcher who is outside the hybrid entity's health care component to review PHI inside that health care component without an individual's Authorization for purposes preparatory to research.

Researchers should note that any preparatory research activities involving human subjects research as defined by the HHS Protection of Human Subjects Regulations, which are not otherwise exempt, must be reviewed and approved by an IRB and must satisfy the informed consent requirements of HHS regulations.

Research on Decedents' Protected Health Information

To use or disclose PHI of the deceased for research, covered entities are not required to obtain Authorizations from the personal representative or next of kin, a waiver or an alteration of the Authorization, or a data use agreement. However, the covered entity must obtain from the researcher who is seeking access to decedents' PHI (1) oral or written representations that the use and disclosure is sought solely for research on the PHI of decedents, (2) oral or written representations that the PHI for which use or disclosure is sought is necessary for the research purposes, and (3) documentation, at the request of the covered entity, of the death of the individuals whose PHI is sought by the researchers.

Other Uses and Disclosures of Protected Health Information

Some of the PHI uses and disclosures that are permitted under the Privacy Rule at Section 164.512 without Authorization, waiver or alteration of Authorization, or data use agreement are summarized below. Covered entities seeking to use and disclose PHI for these or other purposes permitted under Section 164.512 should consult the Privacy Rule for information on the relevant implementation requirements.

Among other limited purposes, a covered entity may use or disclose PHI without an Authorization, as follows:

  • To the extent the use or disclosure is required by law and complies with, and is limited to, the relevant requirements of such law. For instance, a covered entity may disclose, without Authorization, PHI to cancer registries if the disclosure (or reporting) is required by law. In addition, a covered entity may disclose to the Federal Government, without Authorization, PHI associated with data first produced under a Federal award in accordance with 45 CFR 74.36.
  • For disclosure to a public health authority that is authorized by law to collect or receive the information for purposes of preventing or controlling disease, injury, or disability. Activities included here are reporting disease, injury, and vital events, such as birth or death, as well as conducting public health surveillance, investigations, and interventions. For example, a covered entity may disclose PHI, without Authorization, related to an adverse event to NIH or FDA as public health authorities. Additional guidance on the use and disclosure of PHI for public health purposes is available at: Centers for Disease Control and Prevention (2003). HIPAA Privacy Rule and Public Health Guidance from CDC and the U.S. Department of Health and Human Services. Morbidity and Mortality Weekly Report, 52.
  • To a person subject to the jurisdiction of the FDA with respect to an FDA-regulated product or activity for which that person has responsibility, for purposes related to the quality, safety, or effectiveness of the FDA-regulated product or activity (including, but not limited to, adverse event reporting; FDA-regulated product tracking; post-marketing surveillance; and enabling product recalls, repairs, replacements, or lookback). For example, a covered entity may disclose adverse event/safety reports to sponsors of investigational new products.
  • To health oversight agencies for oversight activities authorized by law that are necessary, for example, for the appropriate oversight of government-regulated programs. For example, because the Office for Human Research Protections (OHRP) is a health oversight agency under the Privacy Rule, a covered entity may disclose PHI, without Authorization, to OHRP for purposes of determining compliance with the HHS Protection of Human Subjects Regulations.

Minimum Necessary Restriction

With some exceptions, the Privacy Rule imposes a minimum necessary requirement on all permitted uses and disclosures of PHI by a covered entity. This means that a covered entity must apply policies and procedures, or criteria it has developed, to limit certain uses or disclosures of PHI, including those for research purposes, to "the information reasonably necessary to accomplish the purpose [of the sought or requested use or disclosure]." For uses and routine and recurring disclosures of and requests for PHI, the covered entity must develop policies and procedures (which may be standard protocols) to reasonably limit such uses, disclosures, and requests to the minimum necessary to achieve the purpose of the use or disclosure. For nonroutine disclosures and requests, a covered entity must review each disclosure or request individually against criteria it has developed.

There are several exceptions to the minimum necessary requirements that may affect researchers (Sections 164.502(b) and 164.514(d) of the Privacy Rule). The minimum necessary standard does not apply to the following:

  • Uses and disclosures made with an individual's Authorization.
  • Disclosures to, or requests by, a health care provider for treatment.
  • Disclosures to the individual.
  • Uses or disclosures required by law.
  • Disclosures to HHS for purposes of determining compliance with the Privacy Rule.
  • When required for compliance with other HIPAA rules (e.g., to fill out required or situationally required data fields in standard transactions).

Unless otherwise excepted, covered entities are required to implement policies and procedures or establish criteria that limit the PHI used, disclosed, or requested to the minimum amount reasonably necessary to attain the purposes (e.g., necessary for the specific research) for which disclosure is sought. These covered entity policies and procedures will apply to researchers who are members of the covered entity's workforce and may apply to business associates.

The Privacy Rule does not require a covered entity to independently decide, in all instances, whether a request for PHI meets the minimum necessary requirement. As relevant here, the Privacy Rule permits the covered entity to rely, when reasonable, on a request for disclosure of PHI as the minimum necessary when making permitted disclosures to public officials, disclosing information requested by another covered entity, or when disclosing PHI to researchers who have documentation of an IRB or Privacy Board waiver or alteration of Authorization or certain other representations permitted by the Privacy Rule, which are discussed in detail in related publications, Institutional Review Boards and the HIPAA Privacy Rule and Privacy Boards and the HIPAA Privacy Rule.

How Are Research Subjects' Rights Affected by the Privacy Rule?


Key Points:
  • The Privacy Rule provides individuals with certain rights about how their health information is used and disclosed as well as how they can gain access to health records and information about when their PHI was released without their permission.
  • The Privacy Rule describes how covered entities can implement these rights while maintaining the integrity of the research project.

In addition to establishing conditions for the use and disclosure of PHI, the Privacy Rule establishes certain rights of individuals with respect to their health data. Covered entities must provide individuals with written notice of the entity's privacy practices and the individual's privacy rights. In addition, the Rule permits individuals to gain access to, request amendment of, request restrictions on, and request confidential communication of certain records related to their health care. Individuals are also given the right to request and receive a written account from a covered entity of when and why their PHI has been disclosed without their Authorization, except under limited circumstances. Individuals also have the right to complain to the covered entity and to the Secretary of Health and Human Services if they believe a violation of the Privacy Rule has occurred. This document discusses an individual's rights to access PHI and receive an accounting of PHI disclosures.

Access to Protected Health Information

With few exceptions, the Privacy Rule guarantees individuals access to their medical records and other types of health information to the extent the information is maintained by the covered entity or its business associate within a designated record set. Research records maintained by a covered entity may be part of a designated record set if, for example, the records are medically related or are used to make decisions about research participants.

In most cases, patients or research subjects can have access to their health information in a designated record set at a convenient time and place. One exception, among others, is during a clinical trial, when the individual's right of access can be suspended while the research is in progress if, in consenting to participate in research including treatment, the individual agreed to the temporary denial of access. The covered entity, however, must inform the individual that the right to access his/her health records in the designated record set will be restored upon conclusion of the clinical trial.

Designated Record Set - A group of records maintained by or for a covered entity that includes (1) medical and billing records about individuals maintained by or for a covered health care provider; (2) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) used, in whole or in part, by or for the covered entity to make decisions about individuals. A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

Accounting of Disclosures of Protected Health Information

The Privacy Rule permits individuals to obtain a record of certain disclosures of their PHI by covered entities or their business associates, including certain disclosures made by researchers who must comply with the Rule. This is known as an accounting of disclosures. It is important to emphasize the difference between a use and a disclosure of PHI. In general, the use of PHI means communicating that information within the covered entity. A disclosure of PHI means communicating that information to a person or entity outside the covered entity, or the communication of PHI from a health care component to a non-health care component of a hybrid entity. The Privacy Rule restricts both uses and disclosures of PHI, but it requires an accounting only for certain PHI disclosures.

Upon receiving an individual's request, a covered entity must account for disclosures of that individual's PHI made on or after the covered entity's compliance date (for most entities, April 14, 2003), unless a particular disclosure or type of disclosure is excluded from this accounting requirement in Section 164.528(a) of the Privacy Rule. For example, an accounting is not needed when the PHI disclosure is made:

  • For treatment, payment, or health care operations.
  • Under an Authorization for the disclosure.
  • To an individual about himself or herself.
  • As part of a limited data set under a data use agreement.
  • Prior to the compliance date.

Accounting of Disclosures - Information that describes a covered entity's disclosures of PHI other than for treatment, payment, and health care operations; disclosures made with Authorization; and certain other limited disclosures. For those categories of disclosures that need to be in the accounting, the accounting must include disclosures that have occurred during the six years (or a shorter time period at the request of the individual) prior to the date of the request for an accounting. However, PHI disclosures made before the compliance date for a covered entity are not part of the accounting requirement.

Use - With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within the entity or health care component (for hybrid entities) that maintains such information.

Disclosure - The release, transfer, access to, or divulging of data in any other manner outside the entity holding the information.

An individual's right to receive an accounting of disclosures (unless an exception applies) starts with the covered entity's compliance date and goes back 6 years from the date of the request, not including periods prior to the compliance date. A covered entity must therefore keep records of such PHI disclosures for 6 years.

The Privacy Rule allows three methods for accounting for research-related disclosures that are made without the individual's Authorization or other than a limited data set: (1) a standard approach, (2) a multiple-disclosures approach, and (3) an alternative for disclosures involving fifty or more individuals. Whatever approach is selected, the accounting is made in writing and provided to the requesting individual. Accounting reports to individuals may include results from more than one accounting method.

Standard Accounting

Standard accounting includes, for each disclosure, the following information:

  • The date the disclosure was made.
  • The name and, if known, address of the person or entity receiving the PHI.
  • A brief description of the PHI disclosed.
  • A brief statement of the reason for the disclosure.

Multiple Disclosures Accounting

Multiple disclosures accounting is permissible if the covered entity has made multiple disclosures of PHI to the same person or entity for a single purpose under Sections 164.502(a)(2)(ii) or 164.512 of the Privacy Rule. For each disclosure, the following must be included:

  • The date the initial disclosure was made during the accounting period.
  • The name and, if known, address of the person or entity receiving the PHI.
  • A brief description of the PHI disclosed.
  • A brief statement of the reason for the disclosure.
  • The frequency, periodicity, or number of the disclosures made during the accounting period.
  • The date of the last such disclosure during the accounting period.

Alternative Accounting

If a covered entity has made disclosures regarding fifty or more individuals for a particular research project under Section 164.512(i) of the Privacy Rule, the accounting may be limited to the following information:

  • The name of the protocol or research activity.
  • A plain-language description of the research protocol or activity, purpose of the research, and criteria for selecting particular records.
  • A description of the type of PHI disclosed.
  • The date or period of time during which the disclosure(s) occurred or may have occurred, including the date of the last disclosure during the accounting period.
  • The name, address, and telephone number of the entity that sponsored the research and of the researcher who received the PHI.
  • A statement that the individual's PHI may or may not have been disclosed for a particular protocol or research activity.

If the covered entity uses the alternative accounting method, it must, if requested to by the individual, assist the individual in contacting the research sponsor and the researcher. Such assistance, however, is limited to those situations in which there is a reasonable likelihood that the individual's PHI was actually disclosed for the research protocol or activity.


Source: https://privacyruleandresearch.nih.gov/pr_08.asp
