Demystifying Privacy Issues in Research Michelle Colvard, MPH, CHRC Corporate Responsibility Officer for Research CHI St. Luke’s Health System NCURA Region V April 20, 2015


Conflict of Interest Disclosure

The presenter has no real or apparent conflicts of interest to report.

Copyright © 2015 Catholic Health Initiatives


Objectives

At the conclusion of this presentation, attendees will be able to:

• Explain how the OHRP and HIPAA regulations fit together to protect the privacy of research participants.

• Identify when research data is truly de-identified.
• Analyze when a waiver of authorization / consent is required.
• Analyze the elements that must be included in a request for a waiver of authorization / consent.
• Determine justifications that may be appropriate for granting a waiver of authorization / informed consent.

Applicable Research Regulations

HSR:

• 45 CFR 46 (HHS - OHRP)
• 21 CFR 50, 21 CFR 56 (FDA)
• ICH GCP, FDA (E6)
• Texas Medical Privacy Act
• Privacy Rule (HIPAA) (HHS - OCR)

Research

OHRP Definition (45 CFR 46)

RESEARCH is a systematic investigation…

• including research development, testing, and evaluations
• designed to develop or contribute to generalizable knowledge.

Human Subjects

OHRP Definition (45 CFR 46)

A living individual about whom an investigator conducting research obtains:

(1) data through intervention or interaction with the individual, - OR -
(2) identifiable private information….

Private information must be individually identifiable (i.e., subject’s identity can be readily ascertained by the investigator or associated with the information).

HIPAA and OHRP Regulations in Research

How they fit together

HIPAA and OHRP

• The HIPAA Privacy Rule establishes the conditions under which protected health information may be used or disclosed by covered entities for research purposes.

§45 CFR 164

• The OHRP also requires that research participants’ rights and welfare are protected – including the right to privacy.

§45 CFR 46

• Differences between the two regulations

• Role of the IRB


OHRP - Human Subjects Research Regulations

Private information includes information which the individual can reasonably expect will not be made public (e.g., a medical record).

Individually identifiable means the identity of the subject is or may readily be ascertained by the investigator or associated with the information.

45 CFR 46


HIPAA Privacy Rule

Health Information + Individually Identifiable Health Information = Protected Health Information (PHI)

Individually Identifiable Health Information:

• Any info in the medical record that can be used to identify an individual… and
• that was created, used, or disclosed in course of providing health care service (e.g., diagnosis or treatment). Applies to past, present, or future health care or condition of an individual.

[Diagram labels: Health Information; Individually Identifiable; Data; Researcher]

45 CFR 164

18 HIPAA Identifiers

(1) Names (including initials);
(2) Street address, city, county, precinct, zip code*, and equivalent geo-codes;
(3) ALL elements of dates (except year) for dates directly related to an individual and all ages over 89 (this would include procedure dates, date of admission, date of lab work, etc.);
(4) Telephone numbers;
(5) Fax numbers;
(6) Electronic mail addresses;
(7) Social security numbers;
(8) Medical record numbers;
(9) Health plan ID numbers;
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers, including license plate numbers;
(13) Device identifiers/serial numbers;
(14) Web addresses (URLs);
(15) Internet IP addresses;
(16) Biometric identifiers, incl. finger and voice prints;
(17) Full face photographic images and any comparable images; and
(18) Any other unique identifying number, characteristic, or code.

HIPAA Applies to the Covered Entity.

A Covered Entity is a health plan, health care clearinghouse, or any health care provider who transmits health information in electronic form in connection with specified transactions.

The Covered Entity is responsible for assuring that its workforce members follow HIPAA’s Privacy and Security Rules.

Examples of Covered Entities:

• A CHI hospital
• A clinic
• A medical practice
• Researchers may be a Business Associate

HIPAA: What is the Difference Between Use and Disclosure?

Use occurs within the covered entity.

Research example:

A study coordinator employed by the covered entity accesses medical records and/or clinic schedules to look for potential subjects to enroll into his/her study – but the PHI does not leave the covered entity.


HIPAA: What is the Difference Between Use and Disclosure?

Disclosure occurs when the PHI moves outside the covered entity.

Research Examples:

• Study coordinator or investigator who is employed by a physician practice obtains names/PHI from EMR at Covered Entity, and takes the information back to his/her office or enters the PHI into his/her employer’s computer.

• Study coordinator who is not a workforce member looks at PHI from medical record or EMR.


What does HIPAA require?

“Exception” statute – in order to look at, touch/pick up, share, or disclose patient information, you must meet a HIPAA exception OR have the patient’s permission using a form called the Authorization.

The purpose for accessing the information determines which exception is used.


HIPAA Exceptions for Use or Disclosure of PHI

Covered entities may use or disclose PHI for…

• Treatment, Payment, or Operations (TPO)
• Public Health Activities
• Report Abuse & Neglect
• Health Oversight Activities
• Legal Proceedings
• Law Enforcement
• Information about Decedents
• Organ and Tissue Donation
• Research
• Avert Serious Threat
• Specialized Government Functions
• Workers Compensation

Protected Health Information in Research

Considerations

Using and disclosing PHI for research activities, including screening for potential participants, is different from using and disclosing it for treatment, payment, and healthcare operations.

How can research participants’ PHI be used in research under HIPAA?

De-Identified Data (no PHI at all)

Obtain Patient Authorization (Informed Consent)

Alteration of Authorization / Informed Consent
• Complete waiver
• Partial waiver

Limited Data Set

Preparatory to Research

Decedents’ Information


De-Identified Data, Coded Data, and Anonymous Data

De-identified:

• The data is stripped of all subject identifiers, including all 18 HIPAA identifiers (no PHI). No reasonable basis to identify an individual.

You keep using that word. I do not think it means what you think it means.

De-Identified Data, Coded Data, and Anonymous Data

Coded data:

• Stripped of all direct subject identifiers (such as name or SS#) or any other identifying information that would enable the investigator to readily ascertain an individual’s identity. May include limited HIPAA identifiers (will be subject to HIPAA).

• Each record is instead assigned its own study ID or code. A key to decipher the code exists, but is kept separately.

• Coded data is subject to OHRP and requires IRB review UNLESS…

Coded Data may be exempt from IRB review under 45 CFR 46.102 (f) IF:

1) The private information or specimens were not collected specifically for the currently proposed research project through an interaction or intervention with living individuals,

AND

2) The investigators cannot readily ascertain the identity of the individual(s) to whom the coded private information or specimens pertain. This generally requires:

• Agreement between investigators and key holder not to break the code,
• IRB-approved written policies to prohibit release of key to investigators, or
• Other legal requirements prohibiting release of key to investigators

Coded Research Data Example

• Crosswalk Table (Research Codes + PHI)

| Participant ID Number | Participant Name | Address | Telephone | SSN | Admission Date | Date of Discharge | DOB |
|---|---|---|---|---|---|---|---|
| 10001 | John Smith | 403 Plum Street, Louisville, KY 40202 | 502-666-6666 | 555-55-5555 | | | Dec 75 |
| 10002 | Ophelia Doe | 600 Sixth Street, Lexington, KY 40505 | 859-999-9999 | 666-66-6666 | | | Nov 81 |
| 10003 | Justin Tyme | 100 Walnut Avenue, Novgorod, KY 40699 | 859-888-8888 | 111-11-1111 | | | Oct 82 |
| 10004 | Mary Laffer | 26 Clown Avenue, Lexington, KY 40509 | 859-777-7777 | 999-99-9999 | | | Sep 86 |

• Coded Data with No PHI

| Participant Number | Gender | Age | Length of Stay (Days) | Variable 1 | Variable 2 | Variable 3 |
|---|---|---|---|---|---|---|
| 10001 | M | 35 | 2 | 2 | 2 | 11 |
| 10002 | F | 29 | 1 | 1 | 5 | 13 |
| 10003 | M | 28 | 4 | 2 | 4 | 15 |
| 10004 | F | 24 | 10 | 1 | 7 | 13 |

De-Identified Data, Coded Data, and Anonymous Data

Anonymous data:

• De-identified AND no one, not even the researcher, can connect the data to the individual who provided it. Not possible to know whether a particular individual even participated in the study.

• No identifying information is collected from the individual.

• Example: Participation in an online survey that can’t be linked in any way to the study.

Polling Question

A study has assigned a code to each research subject and no names are collected. The study staff are only collecting the laboratory test scores and procedure dates from the medical record.

Does this study use coded information, de-identified data, or anonymized data?


A. The study uses coded information. The data is not completely de-identified nor anonymized.


How can research participants’ PHI be used in research under HIPAA?

De-Identified Data (no PHI)

Obtain Patient Authorization (Informed Consent)

Waiver or Alteration of Authorization / Informed Consent
• Complete waiver
• Partial waiver

Limited Data Set

Preparatory to Research

Decedents’ Information


Waivers

Waiver of Authorization vs. Informed Consent

Federal Privacy Rule (HIPAA) vs. OHRP

• Federal Privacy Rule (HIPAA) grants an IRB the authority to approve a Waiver of Authorization in research. §45 CFR 164.512(i)(1)(i)

• The OHRP grants the IRB the authority to approve a Waiver of Informed Consent in research. §45 CFR 46.116(d)

• Different requirements to satisfy these two regulations.

Waiver of Informed Consent (OHRP)

OHRP permits an IRB to alter some or all of the elements of informed consent, or to waive the requirements to obtain informed consent (§45 CFR 46.116(d)) if:

• The research involves no more than minimal risk to the subjects

• The waiver or alteration will not adversely affect the rights or welfare of the subjects.

• The research could not be practicably* carried out without the waiver or alteration

• Whenever appropriate, the subjects will be provided with additional pertinent information after participation.

45 CFR 46 (Human Subjects Research regulations)

Waiver of Authorization (HIPAA)

Requirements under HIPAA for a waiver of authorization:

1. Use/disclosure involves no more than minimal risk to subject’s privacy, based on:
   a) plan to protect identifiers
   b) plan to destroy identifiers
   c) assurances PHI will not be reused and/or disclosed

2. Research could not practicably* be conducted without the waiver

3. Research could not practicably* be conducted without access/use of PHI.

IRB must document these findings. 45 CFR 164.512(i)(1)(i)

Privacy Regulations

Polling Question

True or False:

A researcher is required to justify to the IRB why it’s not practical to obtain informed consent from the study participants.


False. A researcher is required to justify to the IRB why it’s not practicable to conduct the research without the waiver, and why it’s not practicable to conduct the research without access to / use of PHI. However, inability to obtain informed consent from the study participants may be a consideration.


Waiver of Authorization (HIPAA)

“Practicable”: Capable of being accomplished or put into practice. In other words, “possible”.

This term does not mean “practical”!

Privacy Regulations

Tips for Submitting Waiver Requests

What the heck is the IRB looking for, anyway?

Waiver Justifications

1. Human subjects research studies involving patients are generally subject to both HIPAA and OHRP requirements.

2. This means that you must answer questions sufficiently to justify both a waiver of informed consent (OHRP), AND a waiver of authorization (HIPAA).


Waiver Tip #1

Before you submit your waiver request, make sure that you’ve completely described all PHI and any other identifiable information that you’ll need for the study.

• Review the 18 HIPAA identifiers and note to the IRB those to be collected. Remember that dates, IP addresses, and Medical Record numbers are HIPAA identifiers.

• Can you collect study data in such a way that you’re no longer collecting HIPAA identifiers?

• Describe the data. Are you only using existing data, or are you using both existing and prospective data?


Waiver Tip #2

Don’t request access to more PHI than you actually need to conduct the study!

• “Minimum necessary” standard must be followed.
• If de-identified data can feasibly be used to fulfill the research objectives (e.g., age, length of stay) then a waiver likely can’t be justified.

Waiver Tip #3

If you will be using / collecting PHI or identifiable information at any point for your study, don’t say there is “no risk” for participants.

There is always the risk of breach of confidentiality and other privacy concerns with research that uses PHI.

If you don’t properly protect against this risk, you no longer have a minimal risk study!


Waiver Tip #4

Show that your use and disclosure of the PHI will not result in more than minimal risk to privacy of the subject.

1. How will subject identifiers be protected?
   • How will data be stored?
   • Can you code the data? Where will you store the code key?

2. What is the plan to destroy the identifiers ASAP?

3. Will the PHI data ever be made available to anyone other than the study personnel (e.g., to study sponsors)?

“This retrospective study involves the collection of PHI to ensure data integrity. Identifiers collected are name, date of birth, and medical record number. The data will be stored electronically in a CHI St. Luke’s secure network folder (or encrypted computer) and will only be accessible to the research team and qualified clinical care givers. All members of the research team are part of CHI St. Luke’s Health System workforce. No data will be disclosed for this activity. The information collected does not include information that may be damaging to the individual should it be wrongfully disclosed. The master list containing PHI will be destroyed upon the completion of data collection. Therefore, this study is considered no more than minimal risk due to these steps designed to protect the participants from a breach of confidentiality.”

Example


“This is a retrospective chart review and involves the use of PHI to ensure data integrity and to match mother/infant pairs in the database. Name, date of birth and medical record number, and dates of service will be collected, and used to generate a database that contains only de-identified data. Data sheets used in the collection of PHI and generation of the database will be destroyed after generation of the database. All data analysis will be performed using only the de-identified database. No data will be disclosed from the study. The information collected from the charts would not be expected to be damaging should wrongful disclosure occur. The database will be maintained in a password protected file on a computer with limited access. Because of these steps, a waiver of informed consent will not present greater than minimal risk to the participants.”

Example

Waiver Tip #5

Explain why the research could not practicably be conducted without the waiver. 45 CFR 46.116(d)(3)

• Additional time, costs, or difficulty associated with the informed consent process are not generally by themselves adequate justification for a waiver.

• If patients will be contacted at any point during the study, then why can’t authorization / informed consent be obtained?


Waiver Tip #5 (continued)

Consider statistical justifications for needing the waiver:

• Research validity (to avoid data skew or selection bias)
• Loss of statistical power or meaningfulness.
• Extremely large numbers of patients needed in order to obtain the needed results, and it would be impossible to contact everyone in time to conduct the study (i.e., the research would not be possible).

Waiver Tip #5 (continued)

Consider ethical justifications for needing the waiver:

• If the ICF would be the only linkage to PHI
• If contacting subjects could introduce risk of emotional harm in an otherwise minimal risk study (e.g., child’s death could create emotional risk by contacting parents)
• Secondary subjects are involved, and it could be dangerous to obtain authorization (e.g., minimal risk studies of child or spousal abuse)

“The waiver is necessary because it would not be practicable to collect the needed data. Due to the retrospective nature of this data collection, the records are old enough that some subjects are likely to have moved or died making it difficult or impossible to obtain consent. It is likely that we would not be able to locate 100% of the sample. This would lead to inadequate data sampling, which would introduce bias, such as selection bias of only studying patients with reliable telephone access, or selection bias of only including patients who are still alive. Such bias would render the data useless.”

“This research study requires comparing all emergency room admissions last year for head trauma to determine if the severity of injury had an impact on length of stay. All patients with a head trauma last year must be included in the data set to ensure valid data. Many of these patients will have left the hospital without ability for us to contact them, or are now deceased. Requiring written informed consent would limit the data set to individuals we are able to contact which would potentially skew the data (e.g., selection bias).”

Example


Waiver Tip #6

Explain why the research could not practicably be conducted without access to the PHI. 45 CFR 46.116(d)(3)

• Is the information you need only found in the medical record?

• Can the research question be answered using de-identified data?

• Do you need Medical Record #s for matching purposes?

Waiver Components

IRB Must Document (under HIPAA)…

• Identity of the approving IRB
• Approval statement/date/review process
• Description of the PHI for which use or access has been determined necessary
• Statement that waiver application satisfies waiver criteria to reflect that the research use/disclosure of PHI will involve no more than minimal risk to subject’s privacy
• Signature of IRB Chair

Considerations

Ensure the HIPAA Privacy Rule requirements are satisfied when researchers access PHI to identify / screen / recruit subjects prior to obtaining individuals’ authorizations (i.e., looking through medical records, clinic schedules)

How can research participants’ PHI be used in research under HIPAA?

De-Identified Data (no PHI)

Obtain Patient Authorization (Informed Consent)

Waiver or Alteration of Authorization / Informed Consent
• Complete waiver
• Partial waiver

Limited Data Set

Preparatory to Research

Decedents’ Information


Preparatory to Research (PTR)

• To prepare a grant application
• To write a research protocol
• Determine study feasibility

CE must obtain assurances from researcher that s/he represents:

• The information will not be removed from the CE.
• Use or disclosure is sought solely to prepare research protocol.
• The PHI is necessary for the research purpose.

Preparatory to Research (PTR)

• PTR can be used to aid in study recruitment in an IRB-approved study, but participants cannot be contacted.

• PHI accessed by PTR must not “leave” the CE.

• Researchers must be workforce members of the Covered Entity.


Considerations

A “Preparatory to Research Representation” is much more restrictive than a “Partial Waiver of Authorization” when identifying / screening / recruiting for potential research subjects.

“Preparatory to Research” vs. Waiver

Partial Waiver is much less limiting than the Preparatory to Research provision:

• Allows researchers who are not members of covered entity to access data for preparatory to research purposes.

• Permits researchers to remove PHI from the Covered Entity (e.g., to be stored elsewhere).

• PHI can be used to contact a prospective research subject.

Polling Question

A research nurse is employed by the hospital where s/he is identifying potential subjects to enroll in a clinical trial. Which statement is correct?

A. The investigator must either obtain a partial waiver of authorization OR submit a preparatory to research (PTR) provision prior to accessing PHI to identify potential subjects.

B. A research nurse who is employed by the hospital does not need a partial waiver nor a PTR provision.


Polling Question

A study sponsor is concerned that study recruitment is low, and wants access to the list of patients who are approached for consenting/screening. Can the sponsor see the patient list?

A. Yes. The sponsor can see the list because the consent form permits sponsors access to participants’ PHI.

B. No. The sponsor cannot see the list without a partial waiver or a PTR provision approved by the IRB.

C. No. The sponsor cannot see the patient list without a partial waiver approved by the IRB.

Best Practices

1. Every study that uses PHI to identify/screen/recruit has either a partial waiver or a PTR.

2. A partial waiver of authorization allows investigators greater flexibility than a PTR.
   • PHI collected pursuant to PTR cannot be shared with a study sponsor.
   • PHI collected with partial waiver may be able to be shared if approved by IRB / Privacy Board.

3. Make this part of your study start-up routine / plan / dialog.

Best Practices

4. Submit Preparatory to Research and Partial Waiver requests up front with the IRB application to avoid delays in research. Determine which you need to meet your research purpose.

5. Ensure that you’ve correctly used the term “de-identified” in your protocol and in any waiver request. Do not confuse de-identified data with “coded data”.

6. Remember the difference between retrospective research and prospective data. Remember that “existing data” means “already on the shelf”.

Want more info?

Michelle Colvard
Research Corporate Responsibility Officer
CHI St. Luke’s Health [email protected]