Recruiting Into Research and HIPAA Privacy Protections Answers

HIPAA protects a category of information known as protected health information (PHI). PHI covered under HIPAA includes:

When required, the information provided to the data subject in a HIPAA disclosure accounting …

HIPAA includes in its definition of “research,” activities related to …

Recruiting into research …

Under HIPAA, “retrospective research” (a.k.a., data mining) on collections of PHI generally …

When required the information provided to the data subject in a HIPAA

Under HIPAA, “retrospective research” (a.k.a., data mining) on collections of PHI generally …

HHS has reiterated in its guidance that use or disclosure of PHI for retrospective research studies may be done only with patient authorization — or with a waiver, alteration, or exception determination from an IRB or Privacy Board. However, remember that you generally cannot proceed on your own without some approval from an IRB, Privacy Board, or other designated governing entity.

A covered entity may use or disclose PHI without an authorization, or documentation of a waiver or an alteration of authorization, for all of the following EXCEPT:

If the data in question meet the definition of PHI and are being used for purposes that fall within HIPAA’s definition of research, HIPAA generally requires explicit written authorization (consent) from the data subject for research uses. However, HIPAA provides several alternatives that can bypass such authorizations:
The research involves only minimal risk.
The research is used solely for activities preparatory to research.
Only deceased persons’ information is used.
Only de-identified data is used.
Only a “limited data set” is used, under an approved “data use agreement.”
It is “grandfathered” research where all legal permissions were in place before HIPAA took effect.

If you’re unsure about the particulars of HIPAA research requirements at your organization or have questions, you can usually consult with:

If you are unsure about the particulars, consult with your organization’s IRB, Privacy Board, or privacy official. For data security issues, consult with your organization’s security official. Consulting with an experienced colleague can always be helpful, but their advice is not authoritative. Do not assume that a representative of the funder will know all the rules, or that the generic advice of a professional association will be applicable to your organization’s particular rules.

HIPAA’s protections for health information used for research purposes…

Under HIPAA, a “disclosure accounting” is required:

HIPAA’s relatively new data-focused protections, which took effect starting in 2003, supplement Common Rule and FDA protections; they are not a replacement. Institutional Review Board (IRB) protocol reviews using Common Rule and FDA criteria remain as before, including aspects related to data protection. IRBs may have the responsibility for addressing HIPAA’s additional requirements in their reviews when those apply; or some responsibilities may be given to another kind of body that HIPAA permits (a Privacy Board) or to an institutional official that HIPAA requires (a privacy officer). These federal standards complement states’ and accreditation bodies’ requirements.

In addition to being limited to external disclosures, disclosure accounting is not required for disclosures made under authority of a consent/authorization, on the theory that the data subjects are aware of what they have expressly permitted for that research. Neither is an accounting required for disclosures to the data subject directly about him/herself. Nor is it required for limited data set disclosures subject to a data use agreement. Nor, finally, is any accounting required for de-identified information that no longer qualifies as PHI.

A HIPAA authorization has which of the following characteristics:

Authorizations are required unless the proposed use meets one of the exceptions listed in the HIPAA regulation. It is never at the researcher’s discretion. When they are required, authorizations must be: In “plain language” so that individuals can understand the information contained in the form, and thus able to make an informed decision. Executed in writing, and signed by the research subject (or an authorized personal representative). Authorizations must include a specific description of the PHI to be used or disclosed, the name(s) or other identification of persons involved in the research, and description of each purpose of the requested use or disclosure. Authorizations can be combined with other documents and can always be revoked by the data subject.

HIPAA includes in its definition of “research,” activities related to:

Like the Common Rule, HIPAA defines research as a “systematic investigation, including research development, testing, and evaluation, designed to develop and contribute to generalizable knowledge” (Protection of Human Subjects 2018; Security and Privacy 2013).

The HIPAA “minimum necessary” standard applies…

Uses and disclosures of data for research that are allowed to bypass the authorization requirement are still subject to the “minimum necessary” standard – that is, the uses/disclosures must be no more than the minimum required for the described research purpose. A covered entity may rely on a researcher’s documentation – or the assessment of an IRB or Privacy Board – that the information requested is the minimum necessary for the research purpose. By contrast, research information obtained using an authorization is not bound by the minimum necessary standard – on the theory that the data subject has given explicit permission in accordance with the signed authorization. However, be aware that while HIPAA may not require a minimum necessary justification at all times, an IRB’s evaluation of risks and burdens on human subjects arguably does.

It is still permissible under HIPAA to discuss recruitment into research with patients for whom such involvement might be appropriate. This common practice is considered to fall within the definition of treatment, at least when the conversation is undertaken by one of the patient’s healthcare providers. If the contact will be made by someone other than the patient’s healthcare provider, permission will be required.

Where fewer than 50 subjects’ records are involved, the listing must be more specific and detailed, commensurate with the requirements for other kinds of PHI disclosure accounting, including: specific date(s) of disclosures; names of entities to which PHI was disclosed; description of the PHI involved in the disclosure; and purpose of the disclosure.