HIPAA

HIPAA Privacy Rule Guidance for Researchers

Table of Contents

   I.      What is the HIPAA Privacy Rule and How Does it Affect Researchers?

A. What is Protected Health Information?

  II.    How Can Researchers Use a HIPAA-Compliant Authorization to Obtain PHI?

A. Authorization Core Elements
B. Authorization Required Statements
C. Other Important Consideration

  • Can investigators restrict participants’ complete access to their medical record under certain circumstances?
  • Is an Authorization needed to obtain decedents’ PHI for research?

 III.    Model ‘Plain Language’ Authorization for Disclosure of PHI, to be Integrated within Research Consent Form

A. Required elements and examples of each
B. Example of HIPAA-compliant consent form language 

IV. How Can Researchers Obtain Medical Information About Patients to Identify and Recruit Potential Research Participants?

A. Defining the UPMC Hospital / Covered Entity Workforce
B. Reviewing medical records to identify potential subjects
C. Obtaining Limited Patient PHI and Contact Information from Referring Physician so that Researcher Can Subsequently Contact Patient to Describe Research Study
D. Obtaining Patient’s Written Authorization to Share Limited PHI and Contact Information For Recruitment when Researcher is not Part of Covered Entity
E. Requesting a Waiver of the Requirement for a Written Authorization to Share Contact Information For Recruitment when Researcher is not Part of Covered Entity

   V.     How Can Researchers Conduct Retrospective Medical Record Reviews without obtaining a Signed Authorization?

Study Type A: Retrospective study with no personal identifiers or linkage codes recorded by investigator
Study Type B: Medical Record review with personal identifiers and/or linkage codes recorded by investigator
Study Type C: Medical Record review using a UPMC-Certified Honest Broker System

  VI.     Activities Preparatory to Research

A. Preparing a research protocol and/or assisting in the development of a research hypothesis

 VII.    HIPAA Training Requirements

VIII.    Frequently Asked Questions

  IX.     Useful Resources

   X.     Model Forms / Templates

************************************************************************

I.  What is the HIPAA Privacy Rule and How does it Affect Researchers?

The Health Insurance Portability and Accountability Act (HIPAA) includes a Privacy Rule that provides Federal standards for safeguarding the privacy of individually identifiable health information that is held by a “covered entity” (in this case, UPMC).  Researchers are obligated to comply with the HIPAA Privacy Rule (hereafter referred to as HIPAA) when they access, use, disclose, and/or create “Protected Health Information” (PHI).  Ordinarily, researchers must obtain the patient’s written authorization or permission to access their PHI, but there are several circumstances where a waiver or an alteration of the authorization requirement can be granted by the University of Pittsburgh Institutional Review Board (for University or UPMC facilities), or by other IRBs or Privacy Boards (for facilities outside of the University or UPMC).  This includes all Oakland based UPMC hospitals, as well as Children’s Hospital of Pittsburgh and Magee- Women’s Hospital.. An up-to-date listing of which organizations are part of the UPMC covered entity can be found at Entities Covered by UPMC's Notice of Privacy Practices.   Check with the IRB if your study will take place in a facility where the University of Pittsburgh IRB is not the IRB of record.

Note that the HIPAA Privacy Rule makes fine distinctions between “protected health information,” “health information,” and “individually identifiable health information” (see the DHHS booklet, Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule, page 2, for those details). For the sake of clarification, we have abstracted elements from each of these definitions and will characterize Protected Health Information (PHI) in the following way:

A.  Protected Health Information

  • Is individually identifiable health information, whether oral or recorded in any form or medium (e.g., narrative notes; X-ray films or CT/MRI scans; EEG / EKG tracings, etc.), that may include demographic information, and
  • Is created or received by a ‘covered entity,’ that is, a health care provider, health plan, or health care clearinghouse, and
  • Relates to the past, present, or future physical or mental health or condition of an individual, to the provision of health care to that individual, and/or to payment for health care services and
  • Identifies the individual directly or contains sufficient data so that the identity of the individual can be readily inferred

Note that health information obtained by the researcher directly from the research subject (i.e. self report) solely for research purposes does not require the researcher to follow the HIPAA Privacy Rule because that information is not being obtained from a ‘covered entity’ (i.e., a health care provider [e.g., medical records; physician], health plan, or health care clearinghouse). On the other hand, if researchers are not obtaining medical record information but are placing research results into the subject’s medical record, HIPAA compliance is required. For clarity, several components of the University of Pittsburgh are considered to be covered entities that may be involved in research studies:  patient health care information from the School of Dentistry Clinics or from the Student Health Service; and some staff or student health information in HR/Benefits. 

Also note that individually identifiable health information that is held by anyone other than a covered entity (for example, by an independent researcher not subject to a business associate agreement), is not protected by the Privacy Rule. That information may be used or disclosed to other researchers without regard to the Privacy Rule, although ordinarily, any time identifiable research data are shared with other investigators, the research informed consent document signed by research subjects must clearly identify which researchers or organizations will be receiving the identifiable health information. Note that if the PHI was initially collected under a HIPAA authorization and subsequently shared with other investigators, those new investigators are bound by the scope of the original authorization.

II. How Can Researchers Use a HIPAA-Compliant Authorization to Obtain PHI? 

To access or use a person’s PHI from a covered entity, researchers must first obtain that person’s signed permission (‘Privacy Rule Authorization’) or a ‘waiver of authorization’ from the IRB.  The focus of this authorization is on what, how, why, and to whom PHI will be used and/or disclosed for research purposes.  Both the HIPAA Privacy Rule and the University of Pittsburgh IRB permit the required elements of the ‘Privacy Rule Authorization’ to be incorporated into the research consent form.  The Privacy Rule mandates that an Authorization contain the following specific core elements and required statements:

A.  Authorization Core Elements:

What will be disclosed? Include a description – as specific as possible – of the PHI that will be used or disclosed.

  • Example:  "We will collect information from your medical records about disorders related to diabetes (e.g., diagnosis of eye problems) or disorders that could affect your cognitive function (e.g., head injury)."

Why is this information needed by the investigators? Describe each purpose of the requested disclosure

  • Example: "We will use this information to determine whether people diagnosed with diabetes are also  more likely to have certain other conditions (like depression) or medical disorders (like liver kidney disease) that can affect the effectiveness of the study drug."

Who is requesting the PHI for research purposes? Ordinarily, this would be the researcher or the research team

  • Example:  ‘We are requesting your permission to review your medical records…"

Who will receive the PHI? Ordinarily, this would include the investigators and their research staff, but in addition, may include others.  Highlighted text in [brackets] should be modified, as appropriate to the details of your study.  Note: Investigators may incorporate this information in the section of the consent form that addresses who will have access to research data (for example: ‘Will anyone know that I am taking part in this study?’), or they may prepare a single paragraph that includes all required HIPAA elements.

  • Example:  "The investigators of this research project and their staff members will have access to this information.  In addition, authorized representatives from the University of Pittsburgh Office of Research Protections,[Sponsor Name], [the Food and Drug Administration – if applicable, orr any other entity that may access identifiable information], may review your health and research information for the purpose of monitoring this study. If this study utilizes UPMC health care services, add the following:  ‘Authorized representatives of the UPMC hospitals or affiliated health care providers may also have access to your health information to provide services and address billing and other operational issues."

How long is this Authorization valid? Researcher must specify when this authorization expires. It is permissible to indicate that this authorization expires at "the end of the study" or "is valid for an indefinite period of time."

  • Example: "Information may be obtained from your medical records and used by this research team for an indefinite period of time."

Dated signature of individual is required. A single signature and date line can be used if the Authorization is integrated into the Research Consent Form document – a procedure endorsed by the University of Pittsburgh IRB. Note: if the individual’s legally authorized representative (LAR) or proxy signs the Authorization, a description of the LAR’s authority to act for the individual must also be provided on the Authorization/Consent document.  Also note that studies that will require the use of a LAR or proxy must comply with the IRB policies on studies involving decisionally impaired persons and must follow the requirements for who can act as the proxy/LAR.
 
The time when signatures are obtained may need to be recorded. If the consent form will be placed in the UPMC medical record, the time each signature is obtained must be documented by the signatory on the consent form. This is a UPMC requirement.

B.  Authorization Required Statements:

Required: A statement of the individual’s right to revoke his/her Authorization and how to do so. Also, if applicable, state any exceptions to that right to revoke.  Note: This information may be integrated into section of the consent form that addresses the subject’s right to withdraw. The example below specifically makes reference to the authorization for use and disclosure of the subject’s medical record information, as well as any implications associated with the withdrawal of the authorization (e.g., in certain types of studies that require medical record information, the subject will not be able to participate in the study if the investigators cannot subject withdraws their authorization to use their medical record information).

  • Example:  May I withdraw, at a future date, my consent to participate in this study or share my medical record information with the investigators? "You have the right, at any time, to withdraw from participating in this study. You may also withdraw your permission to allow us to use and disclose health information from your medical records, but if you do, you will not be able to continue to participate in this study (only if applicable). To do so, you should provide the Principal Investigator with a written and dated notice of that decision.  Deciding not to participate or withdrawing from the study will not affect your current or future medical care or relationship with any UPMC-affiliated organization, with the University of Pittsburgh, or with any health care insurance provider, nor will you lose any benefits to which you might otherwise be entitled.  However, any identifiable information obtained from you before you withdraw from this study will continue to be used by the investigators, as described above."

Required: Statement indicating whether treatment, payment, enrollment, or eligibility of benefits is conditioned on signing this Authorization. Note: This information can be integrated into the ‘right to withdraw’ section, as illustrated above. 

  • Example: ‘Deciding not to participate or withdrawing from the study will not affect your current or future medical care or relationship with any UPMC-affiliated organization, with the University of Pittsburgh, or with any health care insurance provider, nor will you lose any benefits to which you might otherwise be entitled.’  

Required: A statement of the potential risk that PHI will be re-disclosed by a recipient. This may be a general statement that the Privacy Rule may no longer protect identifiable health information disclosed to other recipients (e.g., authorized representatives not part of the research team).  Ordinarily, such a statement would be inserted immediately after the listing of individuals or organizations (other than the researcher) who may have access to the subject’s PHI.  An example of a relevant statement is highlighted below.

  • Example: ‘The investigators of this research project and their staff members will have access to this information. In addition, authorized representatives from the University of Pittsburgh Office of Research Protections, and the National Institutes of Diabetes, Digestive and Kidney Diseases may review your health and research information for the purpose of monitoring this study. Authorized representatives of the UPMC hospitals or affiliated health care providers may also have access to this information to provide services and address billing and operational issues. Although all of those organizations have safeguards to protect your privacy, we cannot guarantee the confidentiality of your health information after it has been obtained by those organizations.’

C.  Other Important Considerations:

1.  Can investigators restrict participants’ complete access to their medical record information under certain circumstances?

The Privacy Rule ordinarily permits patients the right to inspect and obtain a copy of their health information, as contained in the medical records maintained by the covered entity. This means that if the researcher places research data into the medical record (e.g., results from a medical test conducted for research purposes), that information is available to the person if they request it.  One permitted exception to that occurs when the individual is participating in a clinical trial. In this situation, the Privacy Rule permits the person’s access to medical record information to be suspended while the clinical trial is in progress, but only if the research participant has agreed to this denial of access when they sign the written Research Consent Form to participate in the clinical trial. In addition, the participant must be informed, as part of the consent process, that their right to access their protected health information will be reinstated at the conclusion of the clinical trial.

Note:  If this denial of access is put in place, it is the principal investigator’s responsibility to clearly communicate this restriction to the involved covered entities (e.g., UPMC hospitals and/or affiliated health care providers). UPMC does not ordinarily permit investigators to include such restrictions, and the investigator must petition the UPMC Privacy Officer and provide to the IRB appropriate documentation that this request has been approved.

Example:  May I have access to my medical record information resulting from participation in this clinical trial?  ‘As part of this clinical trial, your health information from this research study may be placed in your medical record.  However, the scientific design of this clinical trial requires that we not share that medical information with you during the clinical trial.  Thus, you will not be able to obtain that information until the clinical trial has ended.’

2.  Is an Authorization needed to obtain decedents’ PHI for research?

While UPMC prefers that an authorization from the personal representative or next of kin is provided, the researcher seeking access to decedents’ PHI can access the information by providing the covered entity with a written statement that (1) the use and disclosure is sought solely for research on the PHI of decedents and (2) this PHI is necessary for the purpose of the research. At the request of the covered entity, the researcher must provide documentation of the death of those individuals whose PHI is being sought. Note that IRB oversight is not required for those studies in which all PHI and/or specimens are from decedents, but review is required by the Committee for Oversight of Research and Clinical Training Involving Decedents (CORID).  Note that studies that include PHI and/or specimens from BOTH decedents and living subjects will require IRB review.

III. Model ‘Plain Language’ Authorization for Disclosure of PHI, to be Integrated within Research Consent Form

Required Element Example of Text (either for inclusion in a hybrid ‘consent / authorization’ form or for a ‘stand-alone’ HIPAA authorization form)
Who is requesting the PHI for research? We are also requesting your authorization or permission to review your medical records.
Why is this information needed? To determine whether you meet the conditions for participation in this study, to compare your earlier test results to the findings from this study, and if possible, to use your previous exam results in place of, or in addition to, some of the exams needed for this study.
What will be disclosed? We will obtain the following information: your diagnosis, age, past medical history, diagnostic procedures, and results of any tissue biopsies or blood tests, including results of genetic tests that were already done as part of your standard evaluation at the Cancer Center.
Will research data be placed in the medical record? If yes, describe.

As part of this research study, some information that we obtain from you will be placed into your medical records held at UPMC, including the results of pregnancy tests (for women of childbearing potential) and other medical tests.

How long will this information be made available to the researchers? This identifiable medical record information will be made available to members of the research team for an indefinite period of time.
Who (other than the investigators) will receive the PHI, and how will they use it?  Note:  highlighted element must be included in every consent form. Your medical information, as well as information obtained during this research study, may be shared with other groups, possibly including authorized officials from the Food and Drug Administration, the Cancer Oncology Group, the National Cancer Institute, and the University of Pittsburgh Office of Research Protections, for the purpose of monitoring the study.  Authorized representatives of UPMC or affiliated health care providers may also have access to this information to provide services and address billing and operational issues.
Statement of the potential risk that PHI will be re-disclosed by a recipient: We will make every attempt to protect your privacy and the confidentiality of your records, as described in this document, but cannot guarantee the confidentiality of your research records, including information obtained from your medical records, once your personal information is disclosed to others outside UPMC or the University.
How long will this authorization be valid? This authorization is valid for an indefinite period of time.
Right to revoke authorization; how to revoke: However, you can always withdraw your authorization to allow the research team to review your medical records by contacting the investigator listed on the first page and making the request in writing. 
Implications of revocation of authorization If you do so, you will no longer be permitted to participate in this study.  Any information obtained from you up to that point will continue to be used by the research team.
Implications of not signing form Note: this need not be stated in the consent form but must be in the IRB application: subjects who do not sign this hybrid consent form (that includes the HIPAA authorization) cannot participate in the study
Signature line should include last phrase (highlighted here) By signing this form I consent to participate in this research study and provide my authorization to share my medical records with the research team.

By signing this form I consent to participate in this research study and provide my authorization to share my medical records with the research team.

From the IRB’s perspective, there are several different approaches to preparing a consent document.  The simplest is to have a single section, as presented below, that incorporates all of the HIPAA elements, but customized for this particular research study.  Note that we have highlighted (in bold) certain sections that we feel are key elements that the subject should be made aware of.  Although it is not required, the use of bolding may enhance participants’ comprehension.

Example of text: We are also requesting your authorization or permission to review your medical records to determine whether you meet the conditions for participation in this study, to compare your earlier test results to the findings from this study, and if possible, to use your previous exam results in place of, or in addition to, some of the exams needed for this study.  We will obtain the following information: your diagnosis, age, past medical history, diagnostic procedures, and results of any tissue biopsies or blood tests, including results of genetic tests that were already done as part of your standard evaluation at the Cancer Center.  As part of this research study, some information that we obtain from you will be placed into your medical records held at UPMC, including the results of pregnancy tests (for women of childbearing potential) and other medical tests.  This identifiable medical record information will be made available to members of the research team for an indefinite period of time.  Your medical information, as well as information obtained during this research study, may be shared with other groups, possibly including authorized officials from the Food and Drug Administration, the Cancer Oncology Group, the National Cancer Institute, and the University of Pittsburgh Office of Research Protections, for the purpose of monitoring the study. Authorized representatives of UPMC or affiliated health care providers may also have access to this information to provide services and address billing and operational issues.

We will make every attempt to protect your privacy and the confidentiality of your records, as described in this document, but cannot guarantee the confidentiality of your research records, including information obtained from your medical records  once your personal information is disclosed to others outside UPMC or the University.  This authorization is valid for an indefinite period of time.  However, you can always withdraw your authorization to allow the research team to review your medical records by contacting the investigator listed on the first page and making the request in writing.  If you do so, you will no longer be permitted to participate in this study.  Any information obtained from you up to that point will continue to be used by the research team. 

         By signing this form I consent to participate in this research study and provide my authorization to share my medical records with the research team.
                                                              *************

second approach, which may be somewhat more challenging for both the investigator and the IRB reviewer, but may produce a consent form that is easier to read from the subject’s perspective, is a consent document where these key elements are incorporated throughout the consent form, rather than in a single paragraph.  When investigators choose to utilize this ‘integrated’ approach, we recommend that they work closely with the IRB staff to ensure that they have addressed all of the necessary HIPAA elements, and that the reviewing IRB staff can find those elements in the document.  An example of this can be found in the Consent Form Suggested Wording guidance.

IV. How Can Researchers Obtain Medical Information About Patients to Identify and Recruit Potential Research Participants?

The HIPAA Privacy Rule permits access to PHI for the purpose of identifying potential research subjects under the ‘Preparatory to Research Exception.’  Similarly, the 2018 Common Rule removed the requirement for a ‘waiver of informed consent’ for screening, recruiting or determining eligiblity under certain circumstances [45 CFR 46.116(g)].

We describe three possible approaches to obtaining and using medical record information as part of the process of recruiting research subjects. 

First, researchers can review medical record information if they meet certain criteria (see ‘B. Reviewing Medical Records to Identify Potential Subjects’). 
 
Second, under certain circumstances (see ‘C. Obtaining Limited Patient PHI and Contact Information from Referring Physician’), researchers can receive, from a referring physician or health care provider, limited health and contact information about a patient who has expressed an interest to the health care provider about the possibility of learning more about a specific research study.  This permits the researcher to contact the patient directly and discuss the study in more detail.  After that contact has been made by the researcher, he or she will be in the position to obtain, if needed, the patient’s signed IRB-approved consent form and HIPAA authorization so that the researcher can review medical records and/or conduct appropriate screening tests. 

Each of these two situations must meet a very explicit requirement inherent in the ‘Preparatory to Research Exception’:  the PHI is not permitted to leave the covered entity.  This means that the researcher who is receiving PHI must be part of the same covered entity that holds the medical records (first approach) or is in the workplace of the referring clinician (second approach).

A third alternative permits the patient’s health care providers to share PHI and contact information with researchers who are not part of the ‘covered entity’ that holds the medical information. Note, however, this approach requires the signed authorization of the patient (see Section D, below). 

The requirements and limitations of each of these approaches is outlined below, in Parts B - D.

A.  Defining the UPMC Hospital/Covered Entity Workforce

UPMC legal counsel has advised that the following positions are considered to be part of the UPMC hospital/covered entity workforce.

  • appropriately credentialed UPMC-privileged professional or staff members who normally have access to medical record information by virtue of their patient care responsibilities
  • students in the health care professions (including medical students) who are reviewing medical records under the supervision of an appropriately credentialed UPMC professional
  • research personnel, employed by the University of Pittsburgh, who are working under the supervision of a physician or other health care professional who is a member of the UPMC hospital medical staff

An up-to-date listing of which organizations are part of the UPMC covered entity can be found at Entities Covered by UPMC's Notice of Privacy Practices

B.  Reviewing Medical Records to Identify Potential Subjects

No ‘waiver of HIPAA Authorization’ is required because the HIPAA Privacy Rule permits such activities under its ‘Preparatory to Research’ provision. Similarly, the 2018 Common Rule removed the requirement for a ‘waiver of informed consent’ for screening, recruiting or determining eligiblity.

45 CFR 46.116(g) Screening, recruiting, or determining eligibility: An IRB may approve a research proposal in which an investigator will obtain information or biospecimens for the purpose of screening, recruiting, or determining the eligibility of prospective subjects without the informed consent of the prospective subject or the subject's legally authorized representative, if either of the following conditions are met:

1. The investigator will obtain information through oral or written communication with the prospective subject or legally authorized representative, or

2. The investigator will obtain identifiable private information or identifiable biospecimens by accessing records or stored identifiable biospecimens.

This provision is only applicable to identify which patients to approach.  It cannot be used for medical record screening after the study has already been introduced to patients.

1.  Reviewing Medical Records for Recruitment
Principal Investigator:  Must be a Pitt or UPMC faculty or staff member
Medical Record Reviewer:  The person reviewing the medical records must be either (1) a UPMC-privileged professional or staff member who normally has access to medical record information by virtue of their patient care responsibilities, or (2) someone who is otherwise considered part of the UPMC covered entity workforce (including students in the health care professions, and certain research staff members who conduct the medical record review under the supervision of an appropriately credentialed UPMC professional).  The individual conducting the medical record review must be identified in the IRB application, as well as the appropriately credentialed UPMC professional who – if applicable – is supervising the student or staff member. Note:  the UPMC-privileged professional or staff member who is supervising the student’s review of medical records must be listed as a co-investigator.  The study PI need not have access to the medical records. 
Submission Requirements:  An expedited or full board PittPRO application needs to be completed and the procedures for reviewing medical records for recruitment should be incorporated into the “recruitment” section of the IRB application
Additional Information:  The ‘Preparatory to Research’ provision requires that the researcher include the following statements:  (1)  The use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes (e.g., recruitment) preparatory to research, (2) the PHI will not be removed from the covered entity, and (3) the PHI is necessary for the research.  The IRB application should include those statements, as well as statements that information obtained as part of this review will not be reused or disclosed to others who are not part of the covered entity, and that all information will be destroyed immediately after it has been used for recruitment purposes. Records should be reviewed only to obtain the minimal information needed to identify potential subjects as part of an initial recruitment effort. 

C.  Obtaining Limited Patient PHI and Contact Information from Referring Physician so that Researcher Can Subsequently Contact Patient to Describe Research Study [‘Verbal Permission to Share Contact Information with Researcher’]

Physicians and treating clinicians may provide researchers (who are part of the same covered entity) with a patient’s contact information and limited PHI after the clinician has spoken with the patient about the research study and the patient has expressed a willingness to have the clinician share contact information and PHI with the researcher. This is not to determine the patient’s eligibility for a study, but merely to permit the researcher to discuss the study with the patient in more detail.  The PHI to be shared with the researcher should be limited to relevant information about the person’s medical diagnosis or condition. 

So long as both the referring clinician and the researcher are part of the same covered entity workforce, neither a waiver of the HIPAA Authorization requirement nor a waiver of informed consent is needed (because the clinician is not engaged in a human subject research activity).  However, the referring clinician must document that patient’s verbal permission to allow the clinician to share basic contact information with the researcher.  This must be described in the ‘Recruitment’ section of the IRB application. The documentation requirement can be met with, for example, a notation in the medical record by the clinician, or the completion by the clinician of a form or list indicating that the patient has been briefly apprised of the research and has given the clinician permission to share basic contact information (including diagnosis / condition) with the researcher.

2.  Verbal Permission to Share Patient’s Contact Information with Researcher for Subsequent Contact
​Principal Investigator: Must be a Pitt or UPMC faculty or staff member
Researcher Receiving Contact Information:  Must be a UPMC-privileged professional or staff member who is part of the same covered entity as the referring physician who is providing the patient’s contact information and limited medical information. Both the researchers receiving the information and the clinicians (or practice, or clinic) sharing the patient’s contact information must be identified in the IRB application. 
Submission Requirements:  An expedited or full board PittPRO application needs to be completed, and a description of the sharing process should be incorporated into the “recruitment” section of the IRB application. 

Additional Information: The recruitment section of the IRB protocol should describe how the clinicians will (a) briefly discuss the study with patients, (b) ask them whether they are interested in sharing their diagnosis and contact information with the researcher, (c) document the patient’s permission, and (d) provide the information to the researcher.  If other recruitment strategies will be used (e.g., review of medical records, as discussed in the previous section) that too should be incorporated into the ‘recruitment’ section.

Documentation of the patient’s verbal permission to share information is required and it is the clinician’s responsibility to ensure that this done, either by a notation in the medical record, or by completing some other form; this process should be described in the IRB application.

D.  Obtaining Patient’s Written Authorization to Share Limited PHI and Contact Information For Recruitment when the Researcher is not Part of the Covered Entity [‘Written Permission to Share Contact Information with Researcher’]

When a researcher is not part of the covered entity that holds medical record information for patients, the HIPAA Privacy Rules require that the clinician obtain the patient’s signed authorization to permit sharing of contact information (and limited PHI) with the researcher.  The requirements are summarized in the Table below, and a simplified template authorization ‘letter’ is provided in a link.

3.  Written Permission to Share Patient’s Contact Information with Researcher for Subsequent Contact
Principal Investigator: Must be a Pitt or UPMC faculty or staff member
Researcher Receiving Contact Information: Need not be a UPMC-privileged professional or staff member.   
Submission Requirements: An expedited or full board PittPRO application needs to be completed, and a description of the sharing process should be incorporated into the “recruitment” section of the IRB application, along with a copy of the ‘Written authorization form. Note:  the HIPAA Authorization will need to follow the requirements of the covered entity that the patient is being referred from. 
Additional Information: The recruitment section of the IRB application should describe how the clinicians will (a) discuss the study with patients, (b) ask them whether they are interested in sharing their diagnosis and contact information with the researcher, (c) document the patient’s permission by having them sign the ‘authorization form’ (which in our example is structured as a ‘dear patient’ letter), and (d) provide the information to the researcher. 

E.  Requesting a Waiver of the Requirement for a Written Authorization to Share Contact Information For Recruitment when Researcher is not Part of Covered Entity:  [‘Written Authorization to Share Waiver’]

Ordinarily, clinicians who seek to share a patient’s basic contact information with an investigator who is not part of the UPMC Covered Entity / Workforce can do so by asking the patient to review and sign a authorization letter (described above).  Unfortunately, there may be occasions where the contact between the clinician and the patient is not face-to-face, but will be limited to a telephone or web-based contact.  In that very limited situation, a waiver of written HIPAA Authorization to share contact information can be requested from the IRB.  This request must be incorporated into the ‘recruitment’ section and the waiver justified in PittPRO (Check "Waiver/Alteration of HIPAA in Study Scope #2).  It is strictly limited to those situations where the clinician (and/or his/her office staff) are telephoning the patient to describe their request for the patient’s authorization to share contact information with a non-UPMC researcher, or are interacting via the web (for example, through MyUPMC).  If the patient agrees, the clinician must document this in the patient’s record.  Note that this request is strictly limited to the sharing of basic contact information; detailed medical record information cannot be provided to the researcher. 

4.  Waiver of the Requirement for a Written Permission to Share Patient’s Contact Information with Researcher who is not Part of Covered Entity
Principal Investigator:  Must be a Pitt or UPMC faculty or staff member
Researcher Receiving Contact Information:  Is not a UPMC-privileged professional or staff member but is a member of the study team.  
Submission Requirements: An expedited or full board application needs to be completed, with the justification for this waiver addressed in PittPRO (Check "Waiver/Alteration of HIPAA" in Study Scope #2) and explained in the recruitment section.
Additional Information:  The recruitment section of the IRB application should describe how the clinicians will (a) discuss the study with patients over the phone [similar to that described in the ‘dear patient’ letter, as described above] or interact via a web-based system such as MyUPMC, (b) ask them whether they are interested in sharing their diagnosis and contact information with the researcher, (c) document the patient’s permission by making a notation in the patient’s record, and (d) provide the information to the researcher.  If other recruitment strategies will be used, those too should be incorporated into the ‘recruitment’ section.


V. How Can Researchers Conduct Retrospective Medical Record Reviews without obtaining a Signed Authorization? 

We identify three broad classes of retrospective medical review reviews, each of which requires a different application process to be fully consistent with all regulatory requirements.

Study Type A: Retrospective study with no personal identifiers or linkage codes recorded by investigator
Person Accessing the Medical Records:  Must be a UPMC-privileged professional or staff member who normally has access to medical record information by virtue of their patient care responsibilities.  Students in the health care professions (including medical students) can conduct these retrospective reviews under the supervision of an appropriately credentialed UPMC professional. 
Data:  Must be related in some way to UPMC staff’s patient care responsibilities.
Submission Process:  Exempt application “Secondary Research with Data or Specimens"

 

Study Type B: Medical Record Review with personal identifiers and/or linkage codes recorded by investigator
Person Accessing the Medical Records:  Must be a UPMC-privileged professional or staff member who normally has access to medical record information by virtue of their patient care responsibilities.  Students in the health care professions (including medical students) can conduct these reviews under the supervision of an appropriately credentialed UPMC professional. 
Data: Patient identifiers may be recorded in order to link patient information obtained from multiple databases, and/or to link existing patient information with new patient information. All medical record information must be related in some way to the UPMC staff’s patient care responsibilities.
Submission Process:  Expedited application that incorporates a ‘Waiver of HIPAA Authorization’ PittPRO (Check "Waiver/Alteration of HIPAA" and "Waiver/Alteration of Consent" in Study Scope #2)

 

Study Type C: Medical Record Review study using a UPMC-Certified Honest Broker System
Person Studying the Medical Records: An individual who does not qualify for access under any of the above cases must use a UPMC-certified honest broker who is not part of the research team. 
Data:  Must be de-identified (either HIPAA ‘safe harbor’ complete de-identification or, with appropriate justification, a ‘limited data set’).  All data need not be in existence at the time of this submission (use of honest broker permits this study to meet criteria for ‘no human subjects involvement’ [45 CFR 46.102.f]).
Submission Process:  Exempt application “Secondary Research with Data or Specimens"
Additional Information:  An Honest Broker Assurance Form must be uploaded into PittPRO. The certified honest broker must be part of UPMC and must be approved by both the UPMC Privacy Officer and the IRB. If investigators require dates and/or geographical data (e.g., city; ZIP code) from the medical record, a ‘limited data set’ can be requested by completing a ‘UPMC Data Use Agreement For Limited Data Sets[word]' and uploading it into the IRB application.

VI.    Activities Preparatory to Research

A.  Preparing a research protocol and/or assisting in the development of a research hypothesis by reviewing medical records

Investigators often need basic information from medical records as they begin to plan a research study (for example, answering a question like ‘how many patients have such and such a disease and meet certain other characteristics?’).  As long as this information is not used to recruit subjects directly, and as long as identifiable information is not recorded by the investigators, no IRB application is required (because this very limited ‘preparatory to research’ activity is not considered to be research according to 45 CFR 46.102d).  Nevertheless, investigators must complete the following form to obtain access to the medical records:  ‘UPMC HIPAA Research Agreement:  PHI Usage for Reviews Preparatory to Research.’ Email OSPARS@upmc.edu or phone (412) 647-4461 to obtain the required forms. This form should be submitted not to the IRB, but to the appropriate UPMC Health Information Management Department or the individual designated by the covered entity to receive such information to access PHI / Medical Records.

Note:  Researchers cannot remove any PHI from UPMC in the course of this medical record review.  Ordinarily, the kind of information obtained by an investigator during this activity would consist primarily of a summary of numbers of patients having certain characteristics (e.g., ‘85 male patients with type 2 diabetes, 45 to 60 years of age, diagnosed after the age of 40, and seen in the hospital in the past 3 years’).  This approach cannot be used for recruitment of subjects.  Recruitment activities require that investigators request a ‘Waiver of consent to review medical records for recruitment,’ as described above. 

VII.   HIPAA Training Requirements

Researchers who encounter protected health information must complete the Privacy & Information Security course through CITI.  The CITI Courses can be accessed through the Pitt CITI Portal at www.citi.pitt.edu.  This CITI course replaces the ISER HIPAA Researchers Privacy Requirements (formerly RPF Module 6).

It is the Principal Investigator’s responsibility to ensure that all research staff member who encounter PHI have completed the required training.  Failure to do so may result in the IRB immediately suspending study approval.

VIII.  Frequently Asked Questions

The complexity of HIPAA-related issues has led to multiple listings of ‘Frequently Asked Questions.’ 

Information relating to IRB review for exempt projects is available at Exempt Review 2018
 
NIH Frequently Asked Questions - HIPAA Privacy Rule for Researchers

IX.     Useful Resources

The following NIH webpage provides a wealth of information on the HIPAA Privacy Rule: http://privacyruleandresearch.nih.gov/

Of particular value is the NIH fact sheet titled “Institutional Review Boards and the HIPAA Privacy Rule” http://privacyruleandresearch.nih.gov/pdf/IRB_Factsheet.pdf

Also of value is a similar NIH booklet developed explicitly for researchers, titled “Protecting Personal Health Information in Research:  Understanding the HIPAA Privacy Rule.” http://privacyruleandresearch.nih.gov/pdf/HIPAA_Booklet_4-14-2003.pdf

The UPMC Policy and Procedure Manual (POLICY: HS-RS0001; INDEX TITLE:  Research) summarizes institutional policies relevant to the HIPAA Privacy Rule:  “Use and Disclosure of Protected Health Information (PHI) for Research Purposes Pursuant to the HIPAA Privacy Rules.” In addition, UPMC has policies specific to accessing ePHI for researchers, UPMC Policy HS-RS0005.

X.      Model Forms/Templates

2/24/2021