HIPAA
|
|
HIPAA
WORKSHEET: Guidance
for Investigators using Health information for Research Purposes Unless otherwise noted, this worksheet will direct you to the appropriate HIPAA forms that must a) be included in your submission package to the UB IRB in order to obtain approval of your proposed research protocol, and b) be provided to third party entities, when appropriate, in order to have permission to receive information in their possession needed to perform your research. Important notes (do not skip over; revised 9/11/2008):
This form has three sections
HIPAA Applicability test1.1 PROVISION OF HEALTH CARE: Health care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following: (1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription. Will any aspect of the proposed research study be exposed to, collecting or utilizing Individually Identifiable Health Information? YES
_____
NO _____ > If you answered NO both to Questions 1.1 AND 1.2, stop here. You do not need to answer any additional questions. HIPAA does not apply to your research study and you do not need to take any additional action to bring your research into compliance with UB's human subjects research policy addressing the HIPAA Privacy Rule. 1.3 Will collection of Individually Identifiable Health Information occur exclusively outside of the United States and its territories?
YES
_____
NO _____ > If you answered YES to Question 1.3, stop here. You do not need to answer any additional questions. HIPAA does not apply to your research study and you do not need to take any additional action to bring your research into compliance with UB's human subjects research policy addressing the HIPAA Privacy Rule.
HIPAA Transition Provisions Applicability test2.1 PROTOCOL APPROVAL DATE: Was your research protocol approved by the UB IRB before 4/14/2003. YES
_____
NO _____ > If the answer is NO, HIPAA applies to your research protocol. Proceed to question 3.1 below. 2.2 WAIVER OF INFORMED CONSENT: Was your research protocol granted a Waiver of Informed Consent by the UB IRB before 4/14/2003? YES
_____
NO _____ > If the answer is YES, stop here. HIPAA transition provisions permit you to continue to acquire Individually Identifiable Health Information for your research protocol using that waiver. You will need to provide a copy of this waiver to any health care provider, health plan, or health care clearing house that requests you to document the HIPAA mechanism that permits you to continue to receive information in a HIPAA appropriate way. 2.3 INFORMED CONSENT: If your protocol uses an informed consent, will you be consenting or re-consenting any subjects after 4/14/2003? YES
_____
NO _____ >
If
the answer is NO, stop here.
HIPAA
transition provisions in this situation permit you to continue to collect and
use Individually Identifiable Health Information on previously consented
subjects without additional restrictions. Otherwise, HIPAA applies to
your protocol. Proceed to question 3.1 below to
identify the HIPAA information release mechanism(s) appropriate to your
protocol. HIPAA Applies to your research activityDetermine the appropriate HIPAA information permission mechanism3.1. REVIEWS PREPARATORY TO RESEARCH: Activities which require Individually Identifiable Health Information in the possession of a health care provider, health plan, or health care clearing house as part of the preparation of a research protocol can use the "reviews preparatory to research" mechanism to view the information on the premises of these entities. Note that the reviews preparatory to research mechanism can not be used to remove any individually identifiable health information from these entities. In addition, it can only be used for study recruitment activities by researchers who also have staff privileges at the covered entity. >
PHI Provided by Covered Entity:
If
you are seeking "on premises" individually identifiable
health information that is held by a HIPAA covered entity and > PHI Provided or created by a non-Covered Entity: If you are seeking "on premises" individually identifiable health information that is not held by a HIPAA covered entity, or you will be creating the data yourself and you seek this information only for purposes associated with reviews preparatory to research, go here to acquire the proper form and for additional details associated with the "reviews preparatory to research" mechanism. Be sure to complete this worksheet again for any other uses of individually identifiable health information planned for your study. 3.2 RESEARCH ON DECEDENTS: Does your research protocol require Individually Identifiable Health Information of deceased individuals? >
Please complete and submit the "REQUEST
TO RECEIVE PROTECTED HEALTH INFORMATION REQUIRED TO PERFORM RESEARCH ON
DECEDENTS" available here.
You do not need to answer any additional questions on this worksheet if
no aspect of your research involves provision of health care to, or the
Individually Identifiable Health Information of, living individuals. Be sure to complete this worksheet again for any other
uses of individually identifiable health information planned for your study. 3.3.
INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION - IDENTIFIERS: If
you answered YES to question 1.2 (USE OF
INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION), review
the demographic information categories below that could be associated with the
health information of subjects in your study. For the purposes of HIPAA,
these demographic categories must be considered not only
with respect to the research subject, but also with respect to relatives, employers, or
household members associated with the subject Determine
if you will be using information described in any of the following categories. 2.
_____ Geographic
information smaller than a State except for the initial 3 digits of a zip
code, including street address, city, county and precinct. 3.
_____ All
elements of dates (except year)
for dates directly related to an individual, including birth date, admission
date, discharge date, date of death, etc. and all ages 89 or over and all
elements of dates (including year) indicative of such age. 4.
_____ Telephone
numbers 5.
_____ Fax
numbers 6.
_____ Electronic
mail addresses 7.
_____ Social
security numbers 8.
_____ Medical
record numbers 9.
_____ Health
plan beneficiary numbers 10.
_____ Account
numbers 11.
_____ Certificate
/ license numbers 12.
_____ Vehicle
identifiers and serial numbers, including license plate numbers 13.
_____ Device
identifiers and serial numbers 14.
_____ Web
Universal Resource Locators (URLs) 15.
_____ Internet
Protocol (IP) address numbers 16.
_____ Biometric
identifiers, including finger and voice prints 17.
_____ Full
face photographic images and any comparable images 18.
_____ Any
other unique identifying number, characteristic, code, re-identification
algorithm or general knowledge that the information collected in your protocol
could be used alone or in combination with other available information to
identify an individual who is a subject of the information. >
If you are not using (or receiving, or encountering) any of these
individual demographic identifiers in any aspect of the protocol, your research information is
considered "de-identified." De-identified information is not
subject to the HIPAA Privacy Regulations.
Please complete and submit the "Certification of
De-Identification" (.doc)
(.pdf) Form as part of your submission to the IRB.
You do not need to answer any additional questions on this worksheet.
3.4. TYPE OF
RESEARCH: If
you checked off any of the individual demographic identifiers (1-18) listed above
in 3.3, please consider the
type of research that you are conducting (check all [3.4.a, 3.4.b] that apply): a. ______ Any research (funded or unfunded) where the research subject will be able to sign an informed consent, e.g., a Clinical Trial (check and complete ALL [3.4.a.i, 3.4.a.ii] that apply):
b.
______ Medical
Records Research or related research (funded or unfunded) where it is not practicable to obtain a subject's signed informed consent
If you propose to conduct medical records research where no
research subjects are being consented because it would not be practicable for
you to obtain signed consent, you may be able to qualify for both a waiver of
informed consent and a waiver of authorization from the IRB. > Complete the "Waiver of Authorization for Use of Individually Identifiable Health Information" (.doc) (.pdf) and submit with your application for IRB approval. Be sure to complete this worksheet again for any other uses of individually identifiable health information planned for your study. |
This material is designed for internal University at Buffalo use only and is
copyrighted. Information and documents available on this site may be
freely copied and used with appropriate attribution to the University at
Buffalo. None of the information on these pages should be construed as
legal advice or expert opinion with respect to how any particular function or
entity engages in work to come into compliance with HIPAA.
|