HIPAA Core Policy: Use & Disclosure of Identifiable Health Information for Research

Abstract:
This policy establishes guidelines for the use and disclosure of identifiable health information for purposes of research by UAB/UABHS Covered Entities in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and Alabama state law.

Effective Date: 01/09/2004

Review/Revised Date: 4/27/2022

Category: Ethics and Integrity

Policy Owner: Provost

Policy Contact: Chief Privacy Officer

1. PURPOSE: To ensure that UAB covered entities implement and maintain policies for the use and disclosure of identifiable health information for purposes of research in compliance with all Health Insurance Portability and Accountability Act (“HIPAA”) regulations and Alabama state law.

2. PHILOSOPHY: UAB values and promotes business practices respecting the confidentiality of health information.

3. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time-to-time) and to the following UAB Medicine Enterprise Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, The Whitaker Clinic of UAB Hospital, UAB Callahan Eye Hospital Authority and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West Hospital Authority, An Affiliate of UAB Medicine Enterprise, Triton Health Systems, LLC, VIVA Health, Inc., the University of Alabama Health Services Foundation, P.C., Ophthalmology Services Foundation, P.C., and Valley Foundation. For purposes of this policy, UAB and UAB Medicine Enterprise Covered Entities shall be collectively referred to as “UAB.”

4. DEFINITIONS: UAB adopts the definitions set forth in the HIPAA regulations at 45 CFR Parts 160, 162, and 164. The following definitions are relevant to this policy:

Authorization: A document that is required to be signed by the patient to use and disclose specified protected health information for specified purposes. It may be required in some circumstances in order to conduct research and may be combined with the informed consent for these purposes.

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the UAB Covered Entity holding the information.

Protected Health Information (“PHI”): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered or excepted by the Family Educational Rights and Privacy Act and employment records held by a covered entity in its role as an employer.

Research: Any activity meeting the definition of human subjects research under 45 CFR 46 or a “clinical investigation” under 21 CFR 50.

Use: The sharing, employment, application, utilization, examination, or analysis of PHI within an entity that maintains the PHI.

5. POLICY STATEMENTS:

A. Use and Disclosure of PHI for Research – General Rule
UAB Covered Entities will only use or disclose PHI for research in accordance with the requirements set forth in this policy.

B. Research Use – Use and Disclosure Without Patient Authorization

1. UAB Covered Entities may use and disclose PHI for research without obtaining patient Authorization under any one of the following circumstances:

a. Reviews preparatory to research – The researcher must agree to and document each of the following statements:

1) the use or disclosure is to the researcher solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;
2) no PHI will be removed from UAB by the researcher in the course of the review; and
3) the PHI for which use or access is sought is necessary for the research.

b. Decedent’s information:

1) Researchers may use the PHI of a deceased individual 50 years after the death of the individual without any HIPAA authorization or waiver.
2) Researchers may use decedent information that is less than 50 years from the date of the death of the individual if the researcher agrees to and documents the following:

a) use or disclosure is solely for research on the PHI of decedents;
b) at the request of the UAB Covered Entity, provides documentation of the death of the individuals; and
c) the PHI for which use or access is sought is necessary for the research purposes.

c. Limited Data Set – A Limited Data Set for research must be accompanied by a Data Use Agreement.

1) A Limited Data Set is PHI that excludes the following:

a) names
b) postal address information, other than town or city, State, and zip code;
c) telephone numbers;
d) fax numbers
e) electronic mail addresses
f) social security numbers
g) medical record numbers
h) health plan beneficiary numbers
i) account numbers
j) certificate/license numbers
k) vehicle identifiers and serial numbers, including license plate numbers
l) device identifiers and serial numbers
m) web universal resource locators (URLs)
n) internet protocol (IP) address numbers
o) biometric identifiers, including finger and voice prints; and full face photographic images and any comparable images

2) The researcher who is receiving a Limited Data Set, as well as an authorized representative of the researcher’s institution, must sign a Data Use Agreement.

d. De-identified Information – For purposes of this policy, “de-identified health information” means health information that does not contain any of the following:

1) names
2) all geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code if, according to the Bureau of Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
3) all elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4) telephone numbers;
5) fax numbers
6) electronic mail addresses
7) social security numbers
8) medical record numbers
9) health plan beneficiary numbers
10) account numbers
11) certificate/license numbers
12) vehicle identifiers and serial numbers, including license plate numbers
13) device identifiers and serial numbers
14) web universal resource locators (URLs)
15) internet protocol (IP) address numbers
16) biometric identifiers, including finger and voice prints;
17) full face photographic images and any comparable images; and
18) any other unique identifying number, characteristic or code

e. Institutional Review Board (IRB) approval of a waiver of patient authorization – A UAB Covered Entity may use or disclose PHI for research if it has obtained documentation of ALL of the following from the UAB IRB:

1) A statement that the waiver was approved by the UAB IRB or another IRB as permitted by the UAB IRB.
2) A statement identifying the IRB and the date on which the waiver was approved
3) A statement that the IRB has determined that the waiver satisfies the following criteria:

a) the use or disclosure of PHI involves no more than minimal risk to the privacy of individuals based on the presence of the following elements:

1. there is an adequate plan to protect the identifiers from improper use and disclosure
2. there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law
3. there are adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by law.

b) the research could not practicably be conducted without the alteration or waiver
c) the research could not practicably be conducted without access to and use of the PHI

4) A brief description of the PHI for which use or access has been determined to be necessary by the IRB
5) A statement that the waiver of authorization has been reviewed and approved under either normal or expedited review procedures
6) Approval letter from the IRB for the research

C. Research Use – Use and Disclosure With Patient Authorization

1. UAB Covered Entities may use and disclose PHI for research by obtaining the individual’s signed Authorization on the approved UAB Authorization form.
2. Compound Authorizations

a. The Authorization form may be combined with any other type of written permission for the same or another research study, such as:

1) With the Informed Consent document to participate in the research.
2) With another Authorization for the same research study.
3) With an Authorization for the creation or maintenance of a research database or repository.

b. If the Authorization form contains one research study that is not conditioned on participation in another study, as well as a study that is conditioned on another study, then the Authorization form must clearly let the individual know the difference between the two Authorizations and identify the research study that is not conditioned on participation in any other study. The individual may not be required to participate in unconditioned research but be given the opportunity to opt in to unconditioned research activities.
c. An Authorization for research involving Psychotherapy Notes cannot be combined with any other Authorizations.
d. The Authorization form may permit future research if the Authorization adequately describes the future research such that it would be reasonable for the individual to expect that his/her PHI could be used or disclosed for that purpose and that the Authorization informs the individual if sensitive research, such as stem cell research or research that may go against some religious convictions, may be a possibility.

D. Each UAB Covered Entity shall develop procedures to implement this policy.

6. REFERENCES: None

7. SCOPE: This policy applies to all UAB Covered Entities and to UAB Medicine Enterprise Covered Entities identified in Section 3.

8. ATTACHMENTS: Note: HIPAA forms may be found at the UAB/UAB Medicine Enterprise HIPAA website.