Panel Discussion: Research Privacy and HIPAA
October 18, 2011

Questions:

1. If somebody is included in I2B2, have they also given permission for study teams to look at their PHI?  About thirty percent of the people included in I2B2 have given permission for study teams to access their PHI; this information, however, may only be used for screening purposes.
   
   
2. What should the study team do if a person calls them and says that they want to be in a study? Put them on the screening log.  If you have a Waiver of HIPAA Authorization, you may proceed to screening; if you do not have a Waiver of HIPAA Authorization, you will need to obtain a written authorization from the potential subject.  Note: HIPAA Authorization is incorporated into IRBMED’s Informed Consent Document templates.
   
   
3. Does a study team need to obtain a Waiver of HIPAA Authorization prior to accessing information in UMClinicalTrials.org?  No; if a subject is included in a voluntary registry and has indicated that it is permissible to look at their records, there is no need to get a Waiver of HIPAA Authorization.  Additionally, UMClinicalTrials.org is an approved project that has continuing approval from IRBMED.
   
   
4. One of the criteria for approving a Waiver of HIPAA Authorization for decedents is that the investigator can provide proof of death if requested.  How would the study team provide proof?  Death notices and death certificates are a matter of public record; perhaps the easiest method, however, would be the Social Security Death Index (SSDI).
   
   
5. Are biometric identifiers protected under HIPAA?  HIPAA does not address biometric identifiers specifically, but because they contain identifiable information, they need to be protected, just like any other form of PHI.  Genetic information is considered identifiable under HIPAA. 
   
   
6. If a CT Scan were stripped of identifiers, can it be shared?  Generally, if the CT Scan is stripped of all identifiers, it would be considered de-identified.  But, this is relative.  For instance,  if the patient’s condition is so unique—if there are only a small number of people in the US or in the world with the condition—that patient’s CT scan image(s) may be considered identifiable. 
   
   
7. What is a Data Use Agreement? It is an agreement governing the exchange of data between persons or entities when one of the parties is outside of the Covered Entity.  The agreement will outline the purpose for the exchange and provide security safeguards.  See http://www.med.umich.edu/i/policies/umh/01-04-342.htm on Limited Data Sets.
   
   
8. Is the Privacy Board a stopping point in eResearch similar to ancillary committees?  No.  Privacy Board exists within IRBMED and is not considered an ancillary committee within eResearch.  When a project is submitted to Privacy Board for consideration, it will appear as “Core Committee Review” in eResearch just as it would be a submission going to full board.
   
   
9. Is the Privacy Board new?  No.  Privacy Board has been in existence since 2003.  Privacy Board applications were previously a separate paper document that were submitted via mail or fax.  The Privacy Board function has since been incorporated into the eResearch system and has been brought up to speed substantially in the last year and a half.
   
   
10. If using EMERSE or I2B2, do I need to include that in my eResearch application?  Applications should include all sources that will be utilized as part of the project.  If you decide to use additional sources after an application has been approved, you should submit an amendment to add the source.  Before using the additional source, you must have IRB approval.
    
    
11. How often does Privacy Board meet?  Unlike the five IRBMED Boards, Privacy Board does not have formal meetings; everything is conducted electronically.  One of the benefits of this process is that turnaround times for Privacy Board submissions are generally much quicker.
    
    
12. Are Data Use Agreements required for sharing data sets between departments?  Data Use Agreements are not necessary when data is being shared within the Covered Entity; they are required only when information will be shared with persons or entities that are not part of the Covered Entity.
    
    
13. How is Certification Preparatory to Research distinct from recruitment activities?  Certification Preparatory to Research applications are designed to assess feasibility of a project.  Essentially, the purposes of these projects is to help the investigator to determine whether conducting a larger investigation would be possible by finding out how many potential subjects would be available.  Importantly, however, an investigator may not record PHI nor use the findings for recruiting. 
    
    
14. Is a Data Use Agreement required for de-identified materials?  No.  The purpose of a Data Use Agreement is to outline how PHI will be used, transferred, and kept secure.  Data that is de-identified does not include PHI, so no agreement is necessary.
    
    
15. How do I report a potential privacy breach?  Actual or suspected privacy breaches will need to be reported to both IRBMED and the Compliance Office.

You can notify compliance directly at 734-615-4400 or email at Compliance-Group@med.umich.edu.  Additional information is available on the Compliance Office website.

For the IRBMED, you will need to submit an ORIO detailing the incident and acknowledging that you have alerted the Compliance Office.  You will need to include the name of the person you spoke with, the date that you contacted them, and a summary of what you were told.  Depending on the circumstances and whether there is any corrective action that needs to be taken, you may have to submit an additional ORIO as follow up.  The IRB Board will determine if there needs to be any form of subject notification.

16. How can I secure my electronic records?  If you are part of the Medical School, you may contact MSIS; they will assist you with encryption programs.  If you are not part of the Medical School, you may contact MCIT.  Notably, iPads can not be encrypted.  See www.med.umich.edu/isecure and related Information Security FAQs for additional information, including encryption.

Importantly, if you do experience a breach and it is reported out, the more layers of protection you provided helps show that proper precautions were taken to safeguard the information.  Additionally safeguards may include locked cabinets, locked offices, and passwords.

17. Does a study team need to report the loss of paper materials?  Yes, if the materials in question included subject identifiers.  The unauthorized or accidental disclosure of PHI must be reported to the Compliance Office and to IRBMED regardless of the media (paper, electronic, verbal, etc.).
    
    
18. When submitting an ORIO about a potential breach, should the subject’s name(s) be included:  No.  PHI should never be included in any eResearch submission (application, continuing review, amendment, ORIO) nor should it be included in any posted correspondence within the eResearch system.  Once information is included into eResearch, it can not be deleted.
    
    
19. With our last IRB submission, we included a request for a partial waiver of consent in order to access medical chart data for prospective subjects before the screening visit at which time the consent form/HIPAA Authorization was signed.  It looks like eResearch now has separate sections for partial waiver of consent and partial waiver of HIPAA Authorization.  Do we need to request both or just the latter in order to have similar medical chart access for an upcoming study?  Whenever a request is made for a Waiver of Consent or a Waiver of Documentation of Consent, there must be a simultaneous request for a Waiver of HIPAA Authorization.
    
    
20. There is still a lot of confusion in some clinics about what is allowable under HIPAA in terms of screening for recruitment of subjects.  Is it OK to look over patient appointment logs to find patient names and then look them up in the electronic medical record to see if they meet the basic criteria for the study and then ask the clinician if the potential subject may be approached to participate?  No.  Whenever PHI is being accessed for research purposes, HIPAA applies.  In this scenario, the patient appointment logs and the electronic record are being accessed for subject recruitment activities.  Before any such access may be made, there must either be a signed HIPAA Authorization or an approved Waiver of HIPAA Authorization.
    
    
21. Is it OK to keep lists of potential subjects and approach them for participation in various studies?  No.  In order to access an individual’s PHI, you must first obtain either a written authorization or be granted a Waiver of Authorization.  In the absence of either of these, PHI may not be access or recorded for research purposes
    
    
22. Is it OK to keep lists of patients who have declined participation so they aren’t repeatedly approached?  No.  In order to access an individual’s PHI, you must first obtain either a written authorization or be granted a Waiver of Authorization.  In the absence of either of these, PHI may not be access or recorded for research purposes.
    
    
23. Is it OK to share information via email?  Email is not generally considered a secure method of data sharing.  The better option would be to send the data as an encrypted attachment and then to send the encryption key separately.  Notably, encryption is a safe harbor under the HITECH Act.  Note: You will also need to be sure that it is permissible to share the data in question.
    
    
24. Scenario: An IRB approved study allows for verbal consent for subject enrollment.  The subjects are mailed a consent form and the study coordinator phones the subject a few weeks later.  The study coordinator explains the study over the phone, which involves Quality of Life questionnaires that are completed by a survey team that completes the study through an interactive voice response system (IVRS).  The subject agrees to verbal consent, they are asked to sign the Consent form which includes HIPAA Authorization.  The study coordinator needs to enter the subject’s PHI contact information into a secure (password protected) website, in order to register the subject and have the survey tam initiate the phone contacts for the Quality of Life questionnaires. 

Does the study coordinator need to wait until the subject’s consent form (with HIPAA Authorization) is returned to the site in order to enter the necessary PHI onto the secure website?  Yes.  If for some reason you did not receive the signed ICD back from the subject, then the subject has not consented to participate in the research. 

Importantly: This scenario presents confusion as to what constitutes “verbal consent.”  Verbal consent is generally a term associated with having a Waiver of Documentation of Consent.  Under a Waiver of Documentation, there is not written instrument signed by the subject.  When there is no written document because the study team has obtained either a Waiver of Documentation or a Waiver of Consent, there must also be a Waiver of HIPAA Authorization.

This scenario, however, does have a written document that is signed and returned.  The process used here is a variant of standard consent procedures.

25. If a potential subject signs an ICD and returns it via fax, is that sufficient?  Yes.  An ICD requires a written signature; a faxed copy is sufficient.  Whenever possible, however, it would be best to obtain the original signature. 

Update Approved by IRBMED Chairs and Director: November 10, 2011
Website Updated: January 4, 2012