University of Minnesota
ADMINISTRATIVE POLICY

Use and Disclosure of Individual Health Information for Research (HIPAA)

Effective Date: April 2003
Last Update: December 2006
Responsible University Officer:
  • Vice President for Research
  • Privacy Officer
Policy Owner:
  • Privacy Officer
Policy Contact:

POLICY STATEMENT

The University will strive to comply at all times with the rules governing the use or disclosure of individual health information for research purposes. These rules include the federal regulations under HIPAA and Minnesota state law to the extent state law provisions are more protective of individuals' privacy rights in research settings.

Health information will be used or disclosed for research purposes only if one of the following conditions is met: (1) the individuals who are the subject of the protected health information provide appropriate Authorization for the use or disclosure (see Administrative Procedure: Obtaining Individual Authorization for Research); (2) the Institutional Review Board ("IRB") has approved a waiver of the need to obtain Authorization from the individual(s) (see Administrative Procedure: Obtaining IRB Waiver or Alteration); (3) the IRB has approved an alteration of the individual Authorization requirement and the use or disclosure is in accordance with the approved alteration (see Administrative Procedure: Obtaining IRB Waiver or Alteration); (4) the information is part of a limited data set and the researcher has signed a data use agreement (see Administrative Procedure: Creating and Disclosing a Limited Data Set for Research); (5) the information is de-identified data (see Administrative Procedure: De-identifying Data for Research). Uses and disclosures for research must be in accordance with any waiver, alteration, data use agreement or authorization applicable to the research.

Reviews of individual health information for activities preparatory to research (see Administrative Procedure: Disclosing Individual Health Information for Activities Preparatory to Research) and reviews of decedents' health information (see Administrative Procedure: Using Individual Health Information of Decedents in Research) will be conducted in compliance with applicable state and federal laws.

Health care components and researchers from health care components who disclose individual health information for research purposes pursuant to an IRB waiver or alteration will make a record of these disclosures to the extent required by HIPAA and will provide an accounting of disclosures at the request of the individual (see Administrative Procedure: Recording and Providing an Accounting of Research Disclosures by Researchers).

Researchers and other persons who in good faith report suspected violations of state or federal law committed by others are protected from retaliation.

REASON FOR POLICY

  • To assure that all research conducted at the University of Minnesota is performed in a manner that protects privacy of individual health information and complies with all rules governing the use or disclosure of individual health information.
  • To assure protection and confidentiality of individually identifiable health information of subjects of research conducted at the University.

PROCEDURES

 

FORMS/INSTRUCTIONS

There are no forms for this policy.

 

ADDITIONAL CONTACTS

| Subject | Contact | Phone | Fax/Email |
|---|---|---|---|
| Primary Contact(s) | Ross Janssen | 612-626-5844 | janss006@umn.edu |
| Policy | Privacy Officer | 612-624-7447 | privacy@umn.edu |
|  | IRB | 612-626-5654 | perke001@umn.edu |
| Procedural Questions | IRB | 612-626-5654 | perke001@umn.edu |

DEFINITIONS

HIPAA:
Health Insurance Portability and Accountability Act of 1996, a federal law related to the privacy of health information.
IRB:
Institutional Review Board, also known as Human Subjects Committee.
PHI:
Protected Health Information, individual health information covered by HIPAA.
Activities Preparatory to Research:
Activities performed in anticipation of research or to establish the feasibility of research where access to information may be granted for the purpose of the review, but no identifying information may be taken away in any form from the health care component.
Authorization:
Document by which the individual agrees that certain PHI may be used or disclosed for research purposes.
Data Use Agreement:
Written agreement between a covered entity or health care component and a researcher requesting a disclosure of PHI contained in a limited data set. Data use agreements must meet the requirements of Administrative Procedure: Creating and Disclosing a Limited Data Set for Research.
De-identified Data:
Data that does not identify an individual and reasonably cannot be used to identify an individual. Health information must be de-identified using Administrative Procedure: De-identifying Data for Research.
Disclosure:
To release, transfer, provide access to, or divulge PHI outside the University health care component. Disclosure also includes providing information or access to another person for purposes other than the original research purpose for which the information was released.
External Researcher:
Any researcher who is not an employee, credentialed staff member, or an individual affiliated through a formal affiliation agreement with the covered entity or health care component that is the holder of the PHI. External researchers, in addition to meeting HIPAA requirements, must meet Minnesota authorization requirements for the following: activities preparatory to research; research using individual health information of decedents; or when obtaining an IRB alteration of the HIPAA individual authorization requirements. Minnesota authorization requirements for external researchers are found in Appendix A.
Health Care Component:
Unit(s) of the University that provide health care or are part of the health plan and are designated by the University as health care components covered under HIPAA. These covered health care components include units that provide health care ("Provider Components") and the Health Plan of the University.
Individual:
The person who is the subject of PHI.
Individual Health Information:
Protected health information covered by HIPAA and health records protected under Minnesota state law.
Internal Researcher:
Any researcher who is internal to the covered entity or health care component that is the holder of the PHI through status as an employee, credentialed staff member, or an individual affiliated through a formal affiliation agreement.
Institutional Review Board (IRB):
Committee that has been formally designated as required by federal regulations to review and monitor research involving human subjects and to assure that appropriate steps are taken to protect the rights and welfare of humans participating as subjects in the research.
Limited Data Set:
A subset of individual health information that has had certain direct identifiers removed, but does contain other PHI that could potentially identify the individual, and is used for a specific research purpose. A limited data set is not considered de-identified data. Please see Administrative Procedure: Creating and Disclosing a Limited Data Set for Research.
Privacy Officer:
Person and associated office designated by the University to carry out and coordinate activities related to privacy and security of health information as required by HIPAA.
Protected Health Information ("PHI"):
Health information transmitted or maintained in any form or medium that:
  1. Identifies or could be used to identify an individual;
  2. Is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
  3. Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.
The following records are exempted from the definition of PHI:
  1. Student records maintained by an educational institution;
  2. Treatment records about post-secondary students meeting the requirements of 20 U.S.C. 1232(a)(4)(B)(iv); and
  3. Employment records held by a covered entity in its role as employer.
Research:
Systematic investigation, including development, testing and evaluation designed to develop or contribute to generalizable knowledge.
Security Officer:
Person and associated office designated by the University to develop and implement policies and procedures and to carry out and coordinate activities related to privacy and security of health information as required by HIPAA.
Use:
To employ, apply, utilize, examine or analyze PHI maintained within the health care component of the University.

RESPONSIBILITIES

Researchers / Persons with Access Rights and Responsibilities
Certain members of the University community require access to individual health information in the course of carrying out research. Persons with access have a responsibility to understand their obligation to protect the privacy of individual health information that has been entrusted to them and are responsible for complying with all relevant IRB procedures, University of Minnesota policies and procedures, as well as all current state and federal laws.
Researchers / Persons with access are responsible for the following:
  • Comply with all University policies and procedures and state and federal laws related to privacy of individual health information in research.
  • Every faculty member, employee, trainee, student, vendor and volunteer at the University conducting human subjects research will maintain privacy of all individual health information entrusted to them.
  • Complete all required training on policies, procedures and state and federal laws related to privacy of individual health information in research.
  • Use or disclose individual health information only as permitted or required by the University or health care component policies and procedures or state and federal law.
  • Request access to or access information only as necessary to perform their research related function.
  • Exercise reasonable diligence and common sense in any discussion or use of individual health information in research.
  • Researchers who hold PHI and are in a covered health care component must keep an accounting of certain disclosures made for purposes other than the original research purpose for which the information was obtained.
  • Researchers who find violations in their own research must notify the IRB for advice/direction on how to mitigate the breach and any resulting harm to research subjects.
  • Consequences of Violations: Alleged policy violations will be referred to the appropriate University investigative or disciplinary units. Depending on the nature and severity of the offense, policy violations may result in restrictions on research privileges, University disciplinary action, up to and including termination of student and/or employee status and referral for criminal prosecution.
IRB Rights and Responsibilities
  • Review and act on all research proposals involving PHI to determine that PHI is used in a manner permitted by HIPAA.
  • Review and act on all requests for waiver or alteration of the individual authorization requirements for research purposes. The review will be conducted under a full convened review or expedited review procedures as governed by federal regulations at 45 C.F.R. §§46.108(b) and 46.110.
  • Develop internal policies and procedures for review and granting of waiver or alteration of individual authorizations in accordance with §164.512(i).
  • Maintain ongoing communication with the Privacy Officer.
  • Maintain ongoing communication with the Security Officer.
  • Provide documentation to the person requesting waiver or alteration and maintain documentation of the waiver or approval for at least 6 years after completion of the study.
  • Respond to requests for further information regarding practices related to privacy of individual health information in research or refer such requests to the Privacy or Security Officer where appropriate.
  • Process or refer as appropriate complaints received related to the privacy of individual health information in research.
University Rights and Responsibilities
The University is responsible for taking measures to assure that the privacy of individual health information used or disclosed in the course of performing research at the University is protected in accordance with all applicable state and federal laws. When the University becomes aware of prohibited uses or disclosures of individual health information, either through routine administrative activities or from a complaint, it is the University's responsibility to investigate as needed and to take necessary actions to end and/or prevent the violation.
Individual health care components within the University may define additional conditions and procedures related to the privacy of individual health information in research. Such additional conditions and procedures must be consistent with this overall policy and with IRB rules but may provide additional detail, guidelines, and/or restrictions.
Roles and Responsibilities for specific University entities and persons are defined in greater detail below.
Vice President for Research
  • Assure that the IRB establishes and implements procedures to carry out its responsibilities under this policy.
  • Serve as a liaison to faculty on research matters that involve PHI.
  • Establish a procedure for reporting research related complaints to the IRB and/or the Privacy Officer.
  • Assure that appropriate sanctions are imposed against researchers who fail to comply with the research related University policies and procedures and state and federal law.
  • Assure that institutional agreements related to research administration conform to HIPAA.
Privacy Officer
  • Implement training programs for workforce members who access or handle PHI for research purposes.
  • Maintain ongoing communication with the IRB regarding research use of PHI.
  • Respond to research related complaints regarding policies, procedures and practices related to privacy of health information.
  • Document all complaints received related to privacy of PHI in research and the disposition of any such complaints.
  • Report complaints related to privacy of individual health information in research to the IRB as appropriate.
  • Respond to requests for further information regarding practices related to privacy of protected health information in research or refer such requests to the IRB where appropriate.
Security Officer
  • Implement training programs for workforce members who access or handle PHI for research purposes.
  • Maintain ongoing communication with the IRB regarding research use of PHI.
  • Respond to research related complaints regarding policies, procedures and practices related to security of health information.
  • Document all complaints received related to security of PHI in research and the disposition of any such complaints.
  • Report complaints related to security of individual health information in research to the IRB as appropriate.
  • Respond to requests for further information regarding practices related to security of protected health information in research or refer such requests to the IRB where appropriate.

APPENDICES

 

FREQUENTLY ASKED QUESTIONS

There is no FAQ for this policy.

RELATED INFORMATION

Policies:

State of Minnesota:

Federal:

HISTORY

Amended:
September 2005 - Added Security Officer responsibilities to responsibilities section. Defined Security Officer in definitions section.
Effective:
May 2006
