HIPAA
 Home Contacts Site Map
HIPAA worksheet
Up HIPAA worksheet Data Extraction / Business Associates Identifiers UB Research FAQ Authorizations Waiver of Authorization Review Prep to Research Research on Decedents Transition Provisions Limited Datasets

HIPAA WORKSHEET:

Guidance for Investigators using Health information for Research Purposes  
(Last updated: March 08, 2010 11:59 AM )

Federal regulations concerning the use and disclosure of an individual's health information impact research.  The provisions of the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), which took effect on April 14, 2003, are complex and offer several options for researchers. This worksheet will assist you in selecting the appropriate HIPAA option to generate/acquire health information for use in research conducted by investigators at UB.

Unless otherwise noted, this worksheet will direct you to the appropriate HIPAA forms that must a) be included in your submission package to the UB IRB in order to obtain approval of your proposed research protocol, and b) be provided to third party entities, when appropriate, in order to have permission to receive information in their possession needed to perform your research.

Important notes (do not skip over; revised 9/11/2008):

  1. This worksheet should be used for new and existing protocols which will use or come in contact with individually identifiable health information after 4/14/2003.
     

  2. This worksheet will help you establish the permissions which allow you to receive information provided to you by a HIPAA covered entity if required by your study.  It does not address the issues associated with actually obtaining or extracting that information from a covered entity.  Once you have the permission(s) established, see the Data Extraction page to determine ways you might go about obtaining the information from a covered entity, if applicable to your study.

  3. For protocols that must adhere to UB HIPAA policies, this form is set up assuming information from your research project is coming from a single source within a single entity for all subjects in your protocol.  If the information you require comes from multiple sources and/or if information comes from different places for different subjects and to different members of your research team, you should utilize this worksheet to analyze what permissions are required for each piece of information you will receive.

    IMPORTANT: You should be able to identify a HIPAA mechanism that permits you to receive or acquire every piece of individually identifiable health information your study comes in contact with after 4/14/2003.  Be sure to consider various aspects of your protocol such as subject recruitment, different arms of the study (some which may be in direct contact with subjects and some which may only entail chart reviews), different data being provided by different sites, different people engaged in the collection process, etc., when performing this analysis.  This process may require you to utilize multiple HIPAA permission mechanisms for your study.

    Example: A study will identify subjects from chart review in a hospital.  Investigators will contact and perform an intervention on one set of subjects and compare outcomes of the intervention group to a matched population of subjects who will be identified and have their outcomes obtained through retrospective chart review.

    This protocol might require a) partial waiver of authorization to permit subject identification and recruitment for both subject groups (3.4.a.i below), b) HIPAA authorization (as well as informed consent) for the arm where subjects receive the intervention (3.4.a.ii below),  c) a waiver of authorization to receive medical chart outcomes for the non-intervention subjects (3.4.b below).

    These permissions together permit you to receive the data from a covered entity for this particular study.  Separately, your employer (SUNY, RF, UBF, etc.,) may need to implement a Business Associate Contract to permit you to enter the covered entity and extract this information from their records if the covered entity does not have the resources to provide you with the information you are requesting (see note 2 above).   Also, the covered entity may have implemented policies beyond HIPAA's requirements, e.g., they may require the initial subject contact in the recruitment phase occur through the subject's primary care provider in the hospital.  Policies such as this vary from institution to institution.

  4. HIPAA requires that New York State law take precedence whenever it affords more privacy protections to the research subject.  NYS law speaks specifically to these specialized forms of Protected Health Information (this list is not complete): Cancer Information, Communicable Diseases generally, HIV/AIDS, Tuberculosis, Sexual Abuse, Incident Reporting, Drug Abuse, Births and Deaths, Early Intervention Services, Genetic Information, Alcoholism, Substance Abuse and Mental Health.  You must be sure that, as in the past, the additional requirements of NYS law that extend privacy protections beyond the floor established by HIPAA are met when performing such research.

  5. This worksheet is only applicable to the University at Buffalo research community and is tailored to the covered function declaration of the University and its associated HIPAA policies.  If you are not a researcher at the University at Buffalo, consult with the appropriate HIPAA privacy officer for guidance on research.

This form has three sections

bullet

1) HIPAA Applicability test - is HIPAA something that you need to address as part of your research project?

bullet

2) HIPAA Transition Provisions Applicability test - special provisions apply to research begun before 4/14/2003

bullet

3) HIPAA Information Permission mechanism - determining the appropriate HIPAA mechanism required for the information you wish to utilize based on the nature of your research protocol.

HIPAA Applicability test

1.1  PROVISION OF HEALTH CARE: Health care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following: (1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription. 

Is the provision of health care a component of your proposed research study? 

 YES   _____                                                      NO  _____

1.2  USE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION:  This is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.  Demographic information covers not only the individual, but also relatives, employers, or household members associated with the individual.  (see question 3.3. below for a list of individual demographic identifiers specifically defined by HIPAA).

Will any aspect of the proposed research study be exposed to, collecting or utilizing Individually Identifiable Health Information?

YES   _____                                                      NO   _____

> If you answered NO both to Questions 1.1 AND 1.2, stop here. You do not need to answer any additional questions.  HIPAA does not apply to your research study and you do not need to take any additional action to bring your research into compliance with UB's human subjects research policy addressing the HIPAA Privacy Rule.

1.3 Will collection of Individually Identifiable Health Information occur exclusively outside of the United States and its territories?  

YES   _____                                                      NO   _____

> If you answered YES to Question 1.3, stop here. You do not need to answer any additional questions.  HIPAA does not apply to your research study and you do not need to take any additional action to bring your research into compliance with UB's human subjects research policy addressing the HIPAA Privacy Rule.

 

HIPAA Transition Provisions Applicability test

2.1  PROTOCOL APPROVAL DATE: Was your research protocol approved by the UB IRB before 4/14/2003.

YES   _____                                                      NO   _____  

> If the answer is NO, HIPAA applies to your research protocol.  Proceed to question 3.1 below.

2.2  WAIVER OF INFORMED CONSENT: Was your research protocol granted a Waiver of Informed Consent by the UB IRB before 4/14/2003?

YES   _____                                                      NO   _____  

> If the answer is YES, stop here.  HIPAA transition provisions permit you to continue to acquire Individually Identifiable Health Information for your research protocol using that waiver.  You will need to provide a copy of this waiver to any health care provider, health plan, or health care clearing house that requests you to document the HIPAA mechanism that permits you to continue to receive information in a HIPAA appropriate way.

2.3  INFORMED CONSENT:  If your protocol uses an informed consent, will you be consenting or re-consenting any subjects after 4/14/2003?

YES   _____                                                      NO   _____  

> If the answer is NO, stop here.  HIPAA transition provisions in this situation permit you to continue to collect and use Individually Identifiable Health Information on previously consented subjects without additional restrictions.  Otherwise, HIPAA applies to your protocol.  Proceed to question 3.1 below to identify the HIPAA information release mechanism(s) appropriate to your protocol.

HIPAA Applies to your research activity

Determine the appropriate HIPAA information permission mechanism

3.1. REVIEWS PREPARATORY TO RESEARCH: Activities which require Individually Identifiable Health Information in the possession of a health care provider, health plan, or health care clearing house as part of the preparation of a research protocol can use the "reviews preparatory to research" mechanism to view the information on the premises of these entities.  Note that the reviews preparatory to research mechanism can not be used to remove any individually identifiable health information from these entities.  In addition, it can only be used for study recruitment activities by researchers who also have staff privileges at the covered entity.

> PHI Provided by Covered Entity: If you are seeking "on premises" individually identifiable health information that is held by a HIPAA covered entity and
    _____ a) you have staff privileges within that entity
    _____ b) you seek this information only for purposes associated with reviews preparatory to research
    _____ c) you will not need to remove any of the information from the covered entity
go here to acquire the proper form and for additional details associated with the "reviews preparatory to research" mechanism.  Be sure to complete this worksheet again for any other uses of individually identifiable health information planned for your study.

> PHI Provided or created by a non-Covered Entity: If you are seeking "on premises" individually identifiable health information that is not held by a HIPAA covered entity, or you will be creating the data yourself and you seek this information only for purposes associated with reviews preparatory to research, go here to acquire the proper form and for additional details associated with the "reviews preparatory to research" mechanism.  Be sure to complete this worksheet again for any other uses of individually identifiable health information planned for your study.

3.2 RESEARCH ON DECEDENTS: Does your research protocol require Individually Identifiable Health Information of deceased individuals?

> Please complete and submit the "REQUEST TO RECEIVE PROTECTED HEALTH INFORMATION REQUIRED TO PERFORM RESEARCH ON DECEDENTS" available here.  You do not need to answer any additional questions on this worksheet if no aspect of your research involves provision of health care to, or the Individually Identifiable Health Information of, living individualsBe sure to complete this worksheet again for any other uses of individually identifiable health information planned for your study.

3.3.  INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION - IDENTIFIERS: If you answered YES to question 1.2 (USE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION), review the demographic information categories below that could be associated with the health information of subjects in your study.  For the purposes of HIPAA, these demographic categories must be considered not only with respect to the research subject, but also with respect to relatives, employers, or household members associated with the subject.

Determine if you will be using information described in any of the following categories.

1.       _____  Names

2.       _____  Geographic information smaller than a State except for the initial 3 digits of a zip code, including street address, city, county and precinct.

3.       _____  All elements of dates (except  year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, etc. and all ages 89 or over and all elements of dates (including year) indicative of such age.

4.       _____  Telephone numbers

5.       _____  Fax numbers

6.       _____  Electronic mail addresses

7.       _____  Social security numbers

8.       _____  Medical record numbers

9.       _____  Health plan beneficiary numbers

10.    _____  Account numbers

11.    _____  Certificate / license numbers

12.    _____  Vehicle identifiers and serial numbers, including license plate numbers

13.    _____  Device identifiers and serial numbers

14.    _____  Web Universal Resource Locators (URLs)

15.    _____  Internet Protocol (IP) address numbers

16.    _____  Biometric identifiers, including finger and voice prints

17.    _____  Full face photographic images and any comparable images

18.    _____  Any other unique identifying number, characteristic, code, re-identification algorithm or general knowledge that the information collected in your protocol could be used alone or in combination with other available information to identify an individual who is a subject of the information. NB: Tissue samples that are not associated with any of the above identifiers are not in and of themselves considered Individually Identifiable Health Information.  However, genetic sequences derived from tissue samples are considered Individually Identifiable Health Information.

> If you are not using (or receiving, or encountering) any of these individual demographic identifiers in any aspect of the protocol, your research information is considered "de-identified." De-identified information is not subject to the HIPAA Privacy Regulations.  Please complete and submit the "Certification of De-Identification" (.doc) (.pdf) Form as part of your submission to the IRB.  You do not need to answer any additional questions on this worksheet.

3.4.   TYPE OF RESEARCH:  If you checked off any of the individual demographic identifiers (1-18) listed above in 3.3, please consider the type of research that you are conducting (check all [3.4.a, 3.4.b] that apply):

a.  ______  Any research (funded or unfunded) where the research subject will be able to sign an informed consent, e.g., a Clinical Trial (check and complete ALL [3.4.a.i, 3.4.a.ii] that apply):

bullet

(i)______ If you will need individually identifiable health information maintained by a health care provider, health care plan, or health care clearing house in order to identify subjects to recruit for the research project, but subjects will be able to sign an informed consent/authorization at time of enrolment, then you should request a partial waiver for recruitment purposes.

> Complete the "Request for Partial Waiver of the Authorization for Use of Individually Identifiable Health Information for Study Recruitment" (.doc) (.pdf) and submit with your application for IRB approval.  Tailor the waiver to the specific purpose of identifying subjects for the purposes of subject recruitment.  NB: actual recruitment of subjects under these circumstances must be performed by an individual with a direct treatment relationship to the subject.  The investigator may not contact subjects directly using information obtained from a health care provider, health care plan, or health care clearing house if the investigator is not a health care provider in a direct treatment relationship with the potential research subject.  You should include your plans to address this requirement in your waiver application.  Be sure to complete this worksheet again for any other uses of individually identifiable health information planned for your study.

 

bullet

(ii)______ If you are proposing to conduct a clinical trial or its equivalent, where research subjects will be able to sign an informed consent to participate in the research study, then, under the HIPAA Privacy regulations, research subjects must now, in addition to the traditional informed consent, authorize the use and disclosure of their individually identifiable health information.

> Use the "Authorization for Use and Disclosure Of Individually Identifiable Health Information" template and associated guidelines to prepare your authorization form and include with your submission packet to the IRB.  Be sure to complete this worksheet again for any other uses of individually identifiable health information planned for your study.

b.  ______ Medical Records Research or related research (funded or unfunded) where it is not practicable to obtain a subject's signed informed consent 

If you propose to conduct medical records research where no research subjects are being consented because it would not be practicable for you to obtain signed consent, you may be able to qualify for both a waiver of informed consent and a waiver of authorization from the IRB.

> Complete the "Waiver of Authorization for Use of Individually Identifiable Health Information" (.doc) (.pdf) and submit with your application for IRB approval.   Be sure to complete this worksheet again for any other uses of individually identifiable health information planned for your study.

This material is designed for internal University at Buffalo use only and is copyrighted.  Information and documents available on this site may be freely copied and used with appropriate attribution to the University at Buffalo.  None of the information on these pages should be construed as legal advice or expert opinion with respect to how any particular function or entity engages in work to come into compliance with HIPAA.
Last updated: July 28, 2009.  Privacy Policy
Hit Counter