for Investigators using Health information for Research Purposes
Federal regulations concerning the use and disclosure of an individual's
health information impact research. The provisions
of the Privacy Rule of the Health
Insurance Portability and Accountability Act (HIPAA), which took effect on
April 14, 2003, are complex and offer
several options for researchers. This worksheet will assist you in selecting
the appropriate HIPAA option to generate/acquire health information for use in
research conducted by investigators at UB.
Federal regulations concerning the use and disclosure of an individual's health information impact research. The provisions of the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), which took effect on April 14, 2003, are complex and offer several options for researchers. This worksheet will assist you in selecting the appropriate HIPAA option to generate/acquire health information for use in research conducted by investigators at UB.
Unless otherwise noted, this worksheet will direct you to the appropriate HIPAA forms that must a) be included in your submission package to the UB IRB in order to obtain approval of your proposed research protocol, and b) be provided to third party entities, when appropriate, in order to have permission to receive information in their possession needed to perform your research.
Important notes (do not skip over; revised 9/11/2008):
This form has three sections
HIPAA Applicability test
1.1 PROVISION OF HEALTH CARE: Health care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following: (1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
Is the provision of
health care a component of your proposed research study?
Is the provision of
health care a component of your proposed research study?
1.2 USE OF
INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION:
1.2 USE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION:This is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. Demographic information covers not only the individual, but also relatives, employers, or household members associated with the individual.
Will any aspect of the proposed research study be exposed to, collecting or utilizing Individually Identifiable Health Information?
> If you answered NO both to Questions 1.1 AND 1.2, stop here. You do not need to answer any additional questions. HIPAA does not apply to your research study and you do not need to take any additional action to bring your research into compliance with UB's human subjects research policy addressing the HIPAA Privacy Rule.
1.3 Will collection of Individually Identifiable Health Information occur exclusively outside of the United States and its territories?
> If you answered YES to Question 1.3, stop here. You do not need to answer any additional questions. HIPAA does not apply to your research study and you do not need to take any additional action to bring your research into compliance with UB's human subjects research policy addressing the HIPAA Privacy Rule.
HIPAA Transition Provisions Applicability test
2.1 PROTOCOL APPROVAL DATE: Was your research protocol approved by the UB IRB before 4/14/2003.
> If the answer is NO, HIPAA applies to your research protocol. Proceed to question 3.1 below.
2.2 WAIVER OF INFORMED CONSENT: Was your research protocol granted a Waiver of Informed Consent by the UB IRB before 4/14/2003?
> If the answer is YES, stop here. HIPAA transition provisions permit you to continue to acquire Individually Identifiable Health Information for your research protocol using that waiver. You will need to provide a copy of this waiver to any health care provider, health plan, or health care clearing house that requests you to document the HIPAA mechanism that permits you to continue to receive information in a HIPAA appropriate way.
2.3 INFORMED CONSENT: If your protocol uses an informed consent, will you be consenting or re-consenting any subjects after 4/14/2003?
the answer is NO, stop here.
transition provisions in this situation permit you to continue to collect and
use Individually Identifiable Health Information on previously consented
subjects without additional restrictions. Otherwise, HIPAA applies to
your protocol. Proceed to question 3.1 below to
identify the HIPAA information release mechanism(s) appropriate to your
HIPAA Applies to your research activity
Determine the appropriate HIPAA information permission mechanism
3.1. REVIEWS PREPARATORY TO RESEARCH: Activities which require Individually Identifiable Health Information in the possession of a health care provider, health plan, or health care clearing house as part of the preparation of a research protocol can use the "reviews preparatory to research" mechanism to view the information on the premises of these entities. Note that the reviews preparatory to research mechanism can not be used to remove any individually identifiable health information from these entities. In addition, it can only be used for study recruitment activities by researchers who also have staff privileges at the covered entity.
PHI Provided by Covered Entity:
you are seeking "on premises" individually identifiable
health information that is held by a HIPAA covered entity and
> PHI Provided or created by a non-Covered Entity: If you are seeking "on premises" individually identifiable health information that is not held by a HIPAA covered entity, or you will be creating the data yourself and you seek this information only for purposes associated with reviews preparatory to research, go here to acquire the proper form and for additional details associated with the "reviews preparatory to research" mechanism. Be sure to complete this worksheet again for any other uses of individually identifiable health information planned for your study.
3.2 RESEARCH ON DECEDENTS: Does your research protocol require Individually Identifiable Health Information of deceased individuals?
> Please complete and submit the "REQUEST TO RECEIVE PROTECTED HEALTH INFORMATION REQUIRED TO PERFORM RESEARCH ON DECEDENTS" available here. You do not need to answer any additional questions on this worksheet if no aspect of your research involves provision of health care to, or the Individually Identifiable Health Information of, living individuals. Be sure to complete this worksheet again for any other uses of individually identifiable health information planned for your study.
INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION - IDENTIFIERS: If
you answered YES to question 1.2 (USE OF
INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION), review
the demographic information categories below that could be associated with the
health information of subjects in your study. For the purposes of HIPAA,
these demographic categories must be considered not only
with respect to the research subject, but also with respect to relatives, employers, or
household members associated with the subject .
if you will be using information described in any of the following categories.
information smaller than a State except for the initial 3 digits of a zip
code, including street address, city, county and precinct.
elements of dates (except year)
for dates directly related to an individual, including birth date, admission
date, discharge date, date of death, etc. and all ages 89 or over and all
elements of dates (including year) indicative of such age.
plan beneficiary numbers
/ license numbers
identifiers and serial numbers, including license plate numbers
identifiers and serial numbers
Universal Resource Locators (URLs)
Protocol (IP) address numbers
identifiers, including finger and voice prints
face photographic images and any comparable images
18. _____ Any other unique identifying number, characteristic, code, re-identification algorithm or general knowledge that the information collected in your protocol could be used alone or in combination with other available information to identify an individual who is a subject of the information. NB: Tissue samples that are not associated with any of the above identifiers are not in and of themselves considered Individually Identifiable Health Information. However, genetic sequences derived from tissue samples are considered Individually Identifiable Health Information.
If you are not using (or receiving, or encountering) any of these
individual demographic identifiers in any aspect of the protocol, your research information is
considered "de-identified." De-identified information is not
subject to the HIPAA Privacy Regulations.
Please complete and submit the "Certification of
(.pdf) Form as part of your submission to the IRB.
You do not need to answer any additional questions on this worksheet.
3.4. TYPE OF
you checked off any of the individual demographic identifiers (1-18) listed above
in 3.3, please consider the
type of research that you are conducting (check all [3.4.a, 3.4.b] that apply):
a. ______ Any research (funded or unfunded) where the research subject will be able to sign an informed consent, e.g., a Clinical Trial (check and complete ALL [3.4.a.i, 3.4.a.ii] that apply):
Records Research or related research (funded or unfunded) where it is not practicable to obtain a subject's signed informed consent
If you propose to conduct medical records research where no research subjects are being consented because it would not be practicable for you to obtain signed consent, you may be able to qualify for both a waiver of informed consent and a waiver of authorization from the IRB.
> Complete the "Waiver of Authorization for Use of Individually Identifiable Health Information" (.doc) (.pdf) and submit with your application for IRB approval. Be sure to complete this worksheet again for any other uses of individually identifiable health information planned for your study.
This material is designed for internal University at Buffalo use only and is
copyrighted. Information and documents available on this site may be
freely copied and used with appropriate attribution to the University at
Buffalo. None of the information on these pages should be construed as
legal advice or expert opinion with respect to how any particular function or
entity engages in work to come into compliance with HIPAA.