HIPAA Research Policy

Title

University of North Carolina at Chapel Hill HIPAA Research Policy

Statement of Policy

This policy addresses access, disclosure and use of protected health information (defined below) for University research (including research in the School of Medicine, which is part of the UNC Health Care System HIPAA covered entity) in accord with the Privacy regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If you are seeking individually identifiable health information for research use from clinical or other treatment, payment or healthcare operations records in the custody of health care providers, health plans or health care clearinghouses, this policy applies to your access to and use of that data for research whether or not you are a health care provider.

HIPAA requirements are additional to ethical and regulatory protections for human research subjects and do not supersede them. The HIPAA Privacy regulations are focused on health care consumer information protection. If a research study either uses or creates health care consumer information, HIPAA documentation requirements apply to those research uses of health care consumer information in addition to relevant privacy and confidentiality protections that are required by ethics and federal regulation for human research subject protection.

The University of North Carolina at Chapel Hill is committed to conducting research in compliance with all applicable laws, regulations and University policies. As part of this commitment, the University has adopted this policy to clearly define the circumstances under which protected health information may and may not be used internally or disclosed externally in connection with research activities, consistent with the requirements of HIPAA.

For more general information about HIPAA and definition of terms, refer to the University's Notice of Privacy Practices and other policies and information.

Scope of Policy

This Policy covers all access, use and disclosure of protected health information in all University research activities (including research conducted in the School of Medicine, which is part of the UNC Health Care System HIPAA covered entity). This Policy applies to all faculty, staff (including student employees), students, residents, post-doctoral fellows, and non-employees (including visiting faculty, courtesy, affiliate and adjunct faculty, industrial personnel, fellows, volunteers, etc.) who conduct research, assist in the performance of research, or otherwise use or disclose protected health information in connection with research activities at the University. Requirements under this Policy are in addition to (not a replacement for) other policies and regulations for human subjects research. In most cases, access, use and disclosure of protected health information in University research activities will require the prior review and approval of an Institutional Review Board (IRB).

Policy

  1. Definitions
    1. Research: HIPAA defines research as "a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge." Any project involving PHI where one of the primary goals is generalizable knowledge, with or without publication or public presentation, is considered research. In contrast to research use of PHI, requests for access, use and disclosure of PHI for purposes of treatment, payment or healthcare operations are governed by a different set of rules.
    2. Protected Health Information ("PHI"): HIPAA defines protected health information ("PHI") as individually identifiable health condition, health care and health care payment information, including the demographic data that is a potential identifier of the individual, maintained in the records of health care providers, health plans and health care clearinghouses for treatment, payment and healthcare operations purposes. PHI does not include individually identifiable health information in personnel records or in education records covered by the Family Educational Rights and Privacy Act ("FERPA").
    3. Covered Entity: This is the term that the HIPAA regulations use to describe the businesses in the health care industry that are subject to HIPAA regulations. Specifically, covered entities are health plans, health care clearinghouses and health care providers who transmit any health information in electronic form in connection with the following transactions: health care claims or encounter information, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment or disenrollment in or eligibility for a health plan, health plan premium payments, referral certification and authorization, first report of injury, or health claims attachments.
  2. Responsibilities with respect to this Policy
    1. University Principal Investigator is responsible for:
      1. Accurate and complete representation of the study's use and disclosure of PHI and data privacy practices to the IRB.
      2. Compliance of all research study team members with this policy in accessing and using PHI for research. Although an investigator or a research study team member may have access to PHI for her/his clinical roles, PHI may not be transferred from clinical or other health care provider records to research use except as described in Sections III and IV below.
      3. Compliance of all research study team members with the PHI access procedures of any Covered Entity from whose records the University researcher seeks PHI for research.
      4. Compliance of all research study team members in using and disclosing PHI only in accord with the terms and conditions of the permissions under which the PHI was received for research, which may include: informed consent, authorization, IRB waiver of informed consent, IRB waiver of authorization, limited waiver of authorization, data use agreement, sponsored research agreement, or access for review preparatory to research or solely for decedents.
    2. University Research Study Team Member is responsible for:
      1. Compliance with this policy in accessing and using PHI for research. Although a research study team member may have access to PHI for her/his clinical roles, PHI may not be transferred from clinical or other health care provider records to research use except as described in Sections III and IV.
      2. Compliance with the PHI access procedures of any Covered Entity from whose records the University researcher seeks PHI for research.
      3. Use and disclosure of PHI only in accord with the terms and conditions of the permissions under which the PHI was received for research, which may include: informed consent, authorization, IRB waiver of informed consent, IRB waiver of authorization, limited waiver of authorization, data use agreement, sponsored research agreement, or access for review preparatory to research or solely for decedents.
    3. University Research Data Custodian is any individual responsible for the processing and storage of University research study data and/or for administration of controls on access to the University research study data. In that capacity, this individual is responsible for:
      1. Compliance with the University's Information Security Policy in maintenance, transmission and disclosure of PHI in the research data set.
      2. Administration of access control that is in accord with the terms and conditions of the permissions under which the PHI was received for research, which may include: informed consent, authorization, IRB waiver of informed consent, IRB waiver of authorization, limited waiver of authorization, data use agreement, sponsored research agreement, or access for review preparatory to research or solely for decedents.
    4. University Privacy Officer is responsible for:
      1. Assistance to the IRBs in resolving human subjects research review or performance issues related to HIPAA privacy regulations.
      2. Assistance to Covered Entities in obtaining information required for their compliance with HIPAA regarding UNC-Chapel Hill research access and use of PHI in the Covered Entities' designated record sets.
      3. Service as the University's contact person for all patient requests for further information about research projects listed in an accounting of disclosures of the patient's PHI. The University's Privacy Officer, rather than the patient or the covered entity, will make contact with the University's IRBs and researchers as necessary and will be responsible for the University's response to the request.
      4. University response to complaints of privacy violations in the conduct of University research.
    5. The University Institutional Review Board will perform the following HIPAA review and approval responsibilities within the larger context of its responsibilities for the protection of human research participants which include review of privacy and confidentiality issues broader than those covered by HIPAA:
      1. Review and approval of all authorization documents used by University researchers in the informed consent process for University research.
      2. Review and approval of all waivers of authorization, including limited waivers of authorization, for access, use and/or disclosure of PHI for University research purposes.
    6. University PHI Data Custodian is any individual responsible for the processing and storage of a covered university unit's PHI data and/or for administration of controls on access to that PHI data. With respect to this policy, this role is responsible for:
      1. Compliance with the University's Information Security Policy and the University's Privacy of Protected Health Information Policy in maintenance, transmission and disclosure of PHI data in this individual's custody.
  3. HIPAA-Compliant Research Access and Use of PHI from a covered entity's treatment, payment or health care operations records
    HIPAA permits the access, disclosure and use of PHI from a covered entity's treatment, payment or health care operations records for research purposes in the following ways:
    • The signed authorization of the patient whose individually identifiable PHI is sought; or
    • Waiver by an IRB or a Privacy Board, consistent with specified criteria, of the authorization requirement for use of individually identifiable PHI; or
    • Review of PHI solely in preparation for research, without collecting the PHI for research use; or
    • Complete de-identification of the PHI; or
    • Conversion of the PHI to a "limited data set" devoid of specified direct identifiers, together with execution of a data use agreement with specified provisions covering use and disclosure of the limited data set; or
    • Use of PHI solely of decedents; or
    • Transition provisions as described in IV below.
    1. Research Use or Disclosure of PHI With Authorization (may include any and all individual identifiers)
      1. As a general rule, a researcher must obtain an Authorization from all participants in research prior to the internal use or external disclosure of PHI for any research related purpose that is not otherwise permitted or required under this Policy.
      2. The IRB will provide an Authorization template that complies with HIPAA requirements. The researcher must complete the Authorization template and submit it to the IRB for its prior review and approval.
      3. An Authorization must be written in plain language, and must contain all of the following elements:
        1. A specific and meaningful description of the information to be used or disclosed,
        2. The name or identification of the persons or class of persons authorized to make disclosures of PHI and to use the PHI for research-related purposes;
        3. The name or identification of the persons or class of persons authorized to receive disclosures of the PHI and to use the PHI for research-related purposes;
        4. A description of each purpose of the use or disclosure (for example, a specific research study);
        5. An expiration date or event, or a statement "end of research study" or "none" when appropriate (for example, for a research database);
        6. The individual's signature (or that of his/her authorized representative) and date. (Note: if the Authorization is signed by an authorized representative, include a description of the representative's authority to act for the individual);
        7. A statement that the individual may revoke the authorization if done in writing to the principal investigator; however, the researcher may continue to use and disclose, for research integrity and reporting purposes, any PHI collected from the individual pursuant to such Authorization before it was revoked.
        8. A statement that an individual's clinical treatment may not be conditioned upon whether or not the individual signs the research Authorization. However, participation in research may be conditioned on a signed Authorization, including treatment protocols (ex: Phase III clinical trials).
        9. A statement that information disclosed for research use under the Authorization could potentially be redisclosed by the recipient and would no longer be protected under HIPAA.
      4. Authorization for Use for Psychotherapy Notes in Research
        1. An Authorization is always required for access, disclosure or use of Psychotherapy Notes for research purposes. An Authorization for access, use or disclosure of Psychotherapy Notes for research may not be combined with any other authorization except another Authorization for access, disclosure or use of Psychotherapy Notes.
      5. Procedure for Signing an Authorization
        1. Adults: A competent individual, 18 years of age or older, should always sign the authorization to use or disclose his/her PHI. A person is competent if he/she has the general ability to understand the concept of release of his/her medical information. If the patient is not conscious, coherent or not competent for whatever reason, a legally recognized proxy, such as a legal guardian, must sign the Authorization.
        2. Minors: Any parent or legal guardian may sign an authorization for a minor child in his/her legal custody. Note that HIPAA does not require that an assent document specifically for research participation include any version of a HIPAA authorization. For guidance on the larger issue of informed consent or assent for research participation of minors, contact the IRB.
        3. The individual must be provided with a copy of the signed Authorization.
      6. Individual's Access to Research Information
        1. As a general rule, individuals who participate in research have a right to access their own PHI that is maintained in a Designated Record Set of a Covered Entity. Designated Record sets are those that are used to make treatment, payment and healthcare operations decisions about individuals. In general, research data sets are not among the "Designated Record Sets" of a Covered Entity. However, the Covered Entity's Designated Record Sets include the individual's medical records, payment records, etc. All data about an individual that is generated in clinical research and entered into the individual's medical or financial records at the Covered Entity are that individual's PHI. See University policy on "Accessing, Inspecting and Obtaining a Copy of Health Information."
        2. Individuals participating in research protocols that include treatment (for example, a placebo controlled clinical trial) may be temporarily denied access to their PHI obtained in connection with that research protocol, provided that:
          1. The PHI was obtained in the course of the research;
          2. The individual agreed to the denial of access in the Research Authorization;
          3. The research remains in process; and
          4. The individual's rights to access such PHI are re-instated once the research study has concluded.
      7. Individual's Revocation of Authorization.
        1. As a general rule, an individual may revoke his/her Authorization, in writing to the Principal Investigator, at any time.
        2. The revocation will be applicable to the protocol or protocols specified by the individual. However, the researcher may continue to use and disclose, for research integrity and reporting purposes, any PHI collected about the individual pursuant to a valid Authorization before it was revoked.
        3. The Principal Investigator shall maintain a copy of each written revocation and shall report them to the IRB at the time of continuing review.
      8. A limited waiver of authorization may be required to contact and recruit study participants, as described in III(B)(4).
    2. Waiver of Authorization by IRB (for research access, use or disclosure of individually identifiable PHI)
      1. In some circumstances, authorizations for research use of PHI may be waived by the IRB, provided the following criteria are satisfied and documented (generally in addition to satisfaction of waiver of informed consent requirements pursuant to 45 CFR 46.116):
        1. The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on the presence of at least the following elements:
          1. An adequate plan to protect the identifiers from improper use and disclosure;
          2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
          3. Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by this Policy.
        2. The research could not practicably be conducted without the waiver; and
        3. The research could not practicably be conducted without access to and use of the PHI.
      2. A request for Waiver of Authorization must be completed by the researcher and submitted to the IRB for prior review and approval. The IRB shall maintain documentation of the request and its approval.
      3. Uses or Disclosures of PHI made pursuant to a Waiver are subject to the Minimum Necessary rules; see University Policy on Minimum Necessary Request, Use or Disclosure of Protected Health Information Policy.
      4. Limited Waiver of Authorization Solely for the Purpose of Prescreening, Contacting and/or Recruiting Potential Research Participants. Since a researcher cannot practicably obtain a potential research participant's authorization for review of PHI in advance of contacting the potential participant, the IRB may issue a limited waiver of authorization permitting specified access and use of PHI solely for prescreening and recruitment contact pursuant to an approved protocol.
        1. IRB approval of a limited waiver of authorization will be in accord with the criteria for a waiver of authorization as applied to the prescreening, contact and recruitment procedures described in the protocol and IRB application.
        2. Physicians and other health care professionals who have a direct treatment relationship with an individual may review that individual's PHI for eligibility with respect to a research protocol and may initiate a discussion with the individual about potential participation as a research subject in a protocol relevant to the treatment relationship. This scenario does not require an Authorization or a Waiver of Authorization.
        3. Individuals responding to an advertisement or otherwise initiating contact and indicating interest in participating in a research study may be given an explanation of the study (including, but not limited to, the name of the principal investigator and description of the study) without Authorization or Waiver of Authorization; however, either their authorization or a waiver of authorization is required to review their PHI in health care records to determine potential eligibility.
    3. Access to PHI solely for Preparation for Research
      1. Researchers may access PHI with individual identifiers in the records of Covered Entities without an Authorization or IRB Waiver of Authorization for the purposes of development of a research protocol or assessment of feasibility of a research protocol, provided that the researcher documents to the satisfaction of the Covered Entity's PHI data custodian (e.g. the medical records manager) that all the following criteria are satisfied:
        1. The use or disclosure of PHI is solely to prepare or assess feasibility of a research protocol;
        2. The researcher shall not record individually identifiable PHI or remove PHI from the records reviewed (for example, researcher may review identifiable PHI but may only record aggregate data or individual data that does not include any individual identifiers);
        3. The PHI sought is necessary for the purposes of the research; and
        4. "Preparatory to research" does not include patient contact or recruitment.
    4. Use or Disclosure of "De-Identified" Health Information.
      The HIPAA definition of completely de-identified protected health information is not the same as what many researchers have been accustomed to consider "anonymized" data. The completely de-identified form of data defined in HIPAA may not be adequate for many research studies. Its advantage is that HIPAA no longer treats it as individually identifiable health information; it therefore requires relatively little documentation for research access or use and is not subject to HIPAA restrictions on downstream use and disclosure.
      1. Individual health information that conforms to the HIPAA definition of "de-identified" is exempt from HIPAA and may be used or disclosed for research purposes without an Authorization or Waiver of Authorization or Data Use Agreement.
      2. Researchers must provide documentation to the IRB that the health information has been de-identified by one of the following two methods:
        1. Statistical Method. The IRB may determine that health information is de-identified for purposes of this Policy, if an independent, qualified statistician:
          • Determines that the risk of re-identification of the data, alone or in combination with other data, is very small; and
          • Documents the methods and the results of the analysis that justify that determination of risk. Note: the expert may not be the researcher or anyone directly involved in the research study.
          • Data configurations that meet these criteria are also likely to meet the criteria for an IRB waiver of authorization, which may be more practical to obtain than this expert certification.
        2. Removal of All Identifiers. Identifiers concerning the individual and the individual's employer, relatives and household members that must be removed include: names; geographic subdivisions smaller than a state; zip codes; all elements of dates except year directly related to an individual, including birth or death or dates of health care services or health care claims; telephone numbers; fax numbers; electronic mail addresses; social security numbers; medical record numbers; health plan beneficiary identifiers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators (URL); internet protocol (IP) address numbers; biometric identifiers, including finger and voice prints; full face photographic images; and any other number, characteristic or code that could be used to identify the individual. Note that although a de-identified data set cannot contain a birth date, it may contain the individual's age expressed in years, months, days, or hours, as appropriate, except for individuals who are aged 90 years or more. For persons aged 90 years and above, the age in a de-identified data set can only be stated as being within the category of age 90 or above.
      3. Re-identification Code. The de-identified information may be assigned a code that can be affixed to the research record that will permit the information to be re-identified if necessary, provided that, the key to such a code is not accessible to the researcher requesting to use or disclose the de-identified health information.
    5. Research Use of a Limited Data Set
      A limited data set as defined in HIPAA is described below. Although it is nearly de-identified, the geographic data and dates that may be included make this data adequate for a broader array of research studies than completely de-identified data.
      1. A researcher may use or disclose a Limited Data Set for any research purpose without an Authorization or IRB Waiver of Authorization.
      2. A "Limited Data Set" contains PHI that is nearly de-identified. HIPAA defines a Limited Data Set as PHI from which all of the direct identifiers listed in III(D)(2)(b) above have been removed, except that it may include:
        1. State, county, city, town, census tract, precinct, zip code or any other geocode above the level that would identify an individual household; and
        2. All elements of dates directly related to an individual, including birth date, admission date, discharge date, dates of health care procedures or other services, and date of death.
      3. A Limited Data Set may be used or disclosed only if there is a Data Use Agreement between the entity providing the data and the recipient of the limited data set. The entity receiving the data may create the limited data set on behalf of the entity providing the data.
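    The following is an added worked example, not part of the policy: it applies the Safe Harbor identifier removal rules above (drop the listed direct identifiers and sub-state geography, keep only the year of dates, cap ages at "90 or above") and the Limited Data Set rule (keep dates and household-level-or-above geography, remove the other direct identifiers) to one constructed record, and scans any surviving free text for identifiers that field-level removal misses. The column names, the sample record and the re-identification code scheme (HMAC-SHA256 under a key held only by the data custodian, consistent with the requirement that the researcher not have access to the key) are assumptions for the example.

```python
"""Safe Harbor de-identification, limited data set, and custodian-keyed
re-identification code, applied to one constructed record (example only)."""
import hashlib
import hmac
import re
from typing import Any

# Assumed column names per identifier category; the policy lists the
# categories (names, SSNs, medical record numbers, ...), not a schema.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "mrn", "ssn", "email", "phone", "fax",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
})
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date",
                         "service_date", "death_date"})
# Sub-state geography: removed under Safe Harbor, allowed in a limited data set.
GEO_BELOW_STATE = frozenset({"zip", "city", "town", "county", "census_tract",
                             "precinct"})
# Identifiers pasted into free text survive field-level removal, so every
# string that remains is scanned for these patterns.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

# Constructed sample record; not a real patient.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample", "mrn": "MRN-0012345", "ssn": "123-45-6789",
    "email": "jane.sample@example.com", "phone": "919-555-0100",
    "birth_date": "1931-03-14", "admission_date": "2023-07-02",
    "discharge_date": "2023-07-09", "age": 92,
    "zip": "27514", "city": "Chapel Hill", "state": "NC",
    "diagnosis_code": "I10", "hba1c": 6.8,
    "notes": "Hypertension follow-up; reports intermittent dizziness.",
}
# Same record with a callback number typed into the free-text field.
LEAKY_RECORD = dict(SAMPLE_RECORD, notes="Call back at 919-555-0100 re: labs.")


def scan_residual_identifiers(record: dict[str, Any],
                              allow_dates: bool = False) -> dict[str, list[str]]:
    """Return {field: [pattern names]} for string fields still carrying identifiers."""
    hits: dict[str, list[str]] = {}
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        kinds = [name for name, pat in RESIDUAL_PATTERNS.items()
                 if pat.search(value) and not (allow_dates and name == "full_date")]
        if kinds:
            hits[field] = kinds
    return hits


def safe_harbor(record: dict[str, Any]) -> dict[str, Any]:
    """Drop direct identifiers and sub-state geography, keep only the year of
    each date, report ages of 90 and above only as '90+'."""
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in GEO_BELOW_STATE:
            continue
        if field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = int(str(value)[:4])
        elif field == "age" and isinstance(value, int):
            out[field] = "90+" if value >= 90 else value
        else:
            out[field] = value
    leaks = scan_residual_identifiers(out)
    if leaks:
        raise ValueError(f"identifiers remain in free text: {leaks}")
    return out


def limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Keep dates and household-level-or-above geography, remove the other
    direct identifiers. Release still requires a data use agreement."""
    out = {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS}
    leaks = scan_residual_identifiers(out, allow_dates=True)
    if leaks:
        raise ValueError(f"identifiers remain in free text: {leaks}")
    return out


def reidentification_code(mrn: str, custodian_key: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 of the MRN under a key only the custodian
    holds, so the researcher can neither reverse nor regenerate the code."""
    return hmac.new(custodian_key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    print("safe harbor:", safe_harbor(SAMPLE_RECORD))
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    print("reid code:", reidentification_code(SAMPLE_RECORD["mrn"], b"custodian-only"))
```

    The free-text scan is the part a custodian most often needs: the structured fields are easy to drop, but a note such as the one in LEAKY_RECORD would otherwise carry a telephone number straight into a "de-identified" extract, and the function refuses to release it. The re-identification code is only as protective as the key custody around it: if the researcher obtains custodian_key, the code becomes a direct identifier again.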
    6. Use and Disclosure of Decedent's Individually Identifiable PHI Without Authorization
      1. Researchers may use and disclose a decedent's individually identifiable PHI for research without an Authorization or IRB Waiver, provided that the researcher documents that all the following criteria are satisfied:
        1. The use will be solely for research on the PHI of a decedent; and
        2. The researcher has documentation of the death of the individual about whom information is being sought, and
        3. The PHI sought is necessary for the purposes of the research.
      2. The researcher will provide documentation to the data custodian that all of the above criteria are satisfied in accordance with the data management registration process of the individual business unit.
      3. Uses or Disclosures of a decedent's PHI for research purposes are subject to the Minimum Necessary rules, see University Policy on Minimum Necessary Request, Use or Disclosure of Protected Health Information Policy.
  4. Transition Provisions for PHI Access and Use for Research in Progress
    For research involving PHI and carried out according to a protocol reviewed and approved by the IRB prior to April 14, 2003:
    1. A research study may continue to use or disclose the PHI created or received prior to April 14, 2003 without HIPAA documentation.
    2. A research study operating under a waiver of informed consent approved by the IRB prior to April 14, 2003, may continue to create, receive, use, and disclose PHI for the study after April 14, 2003, without an IRB Waiver of Authorization, unless the research study subsequently seeks informed consent, in which case an authorization would be required together with the informed consent.
    3. If the protocol approved by the IRB before April 14, 2003, required the obtaining of an informed consent, then with respect to any individual who has executed informed consent before April 14, 2003, no additional authorization is required to create, receive, use and disclose that individual's PHI for the approved study.
    4. For any research participant for which informed consent is required, any informed consent or reconsent obtained on or after April 14, 2003, must include an authorization for use or disclosure of the subject's PHI. If the research has been previously approved but will be enrolling participants on or after April 14, 2003, the researcher must submit a protocol revision to the IRB in order to include an individual authorization with any informed consent obtained on or after April 14, 2003.
  5. Maintenance and Transmission of PHI Accessed and Used in Research
    1. Technical maintenance and transmission of research data that include PHI either disclosed to the researcher from the records of a Covered Entity or created during health care provided within the research protocol, must be handled in compliance with the University's Information Security Policy.
    2. For research data that include PHI that has been either disclosed to the researcher from the records of a Covered Entity or created during health care provided within the research protocol, administration of access control must be in accord with the terms and conditions of the permissions under which the PHI was received for research, which may include: informed consent, authorization, IRB waiver of informed consent, IRB waiver of authorization, limited waiver of authorization, data use agreement, sponsored research agreement, or access for review preparatory to research or solely for decedents.
  6. Disclosure from Research Data Set that includes PHI
    1. Disclosure within the performance of the study:
      1. To other investigators or research teams or to outside providers of support services for the research study:
        1. PHI in research data acquired on or after April 14, 2003, may only be shared with others in accord with the agreement for acquiring the PHI, i.e. only in accord with the terms of the authorization or waiver of authorization or data use agreement. Research data that includes PHI may be shared, disclosed or transferred among the individuals or roles identified as receiving access to the PHI in the authorization, waiver of authorization or data use agreement.
        2. In the event that the investigators wish to share research data that includes PHI with an individual who is not among the persons or roles identified in the applicable authorization or waiver of authorization, contact the IRB for review of the revision to the protocol.
        3. In the event that the investigators wish to share research data that includes PHI with an individual who is not among the persons or roles identified in the applicable data use agreement, contact the Office of University Counsel for assistance in executing an appropriate agreement for the disclosure.
      2. To research sponsors:
        1. If the PHI requested by the sponsor is beyond what was stated in the authorization or waiver of authorization, and the protocol includes an FDA-regulated product or activity for which the sponsor is responsible, HIPAA permits PHI to be disclosed to the sponsor for quality, safety or effectiveness purposes without further authorization or waiver of authorization.
        2. If the PHI requested by the sponsor is beyond what was stated in the authorization or waiver of authorization, and the protocol does not include an FDA-regulated product or activity for which the sponsor is responsible, contact the University Privacy Officer for assistance.
    2. In publications or public presentations:
      Identifiable personal information from research may not be included in presentations or publications of any type unless explicitly permitted by either the individual's authorization or the IRB's waiver of authorization and in accord with the terms and conditions of all existing agreements governing how that individual's information may be used including: the terms and conditions of IRB approval of the research protocol, the authorization or waiver of authorization, the informed consent or waiver of informed consent, any data use agreement that has been executed, etc.
    3. Disclosure (or reanalysis) for other studies:
      1. HIPAA requires that authorizations, waivers of authorization, and data use agreements for use of PHI in research must be specific to a research study. PHI obtained for research on or after April 14, 2003, under an authorization or a waiver of authorization or a data use agreement for one study or for collection in a data registry or repository, may only be used in another research study under an authorization, waiver of authorization or data use agreement specific to that second study. For many secondary analyses, an IRB waiver of authorization may be the most appropriate and practical HIPAA-compliant approach.
      2. Beyond HIPAA, pursuant to federal regulation of human subjects research and to University policy regarding human subjects research, each new University research study that meets the definition of human subjects research must be approved by the University IRB.

Details

Article ID: 132094
Created: Thu 4/8/21 9:23 PM
Modified: Tue 7/23/24 9:54 AM
Responsible Unit: Institutional Privacy Office
Issuing Officer Title: Chief Privacy Officer and Associate University Counsel
Next Review: 09/30/2021 12:00 AM
Last Review: 07/14/2020 4:27 PM
Last Revised: 04/04/2003 12:00 AM
Effective Date: 07/14/2020 4:27 PM
Origination: 04/04/2003 12:00 AM