UAMS ADMINISTRATIVE GUIDE

NUMBER: 3.1.27
DATE: 04/01/03
REVISION: 03/01/04

SECTION: ADMINISTRATION
AREA: GENERAL ADMINISTRATION
SUBJECT: HIPAA RESEARCH POLICY (Research alone OR combined with treatment)

 

SCOPE

All UAMS physicians, faculty, employees and students or other UAMS Workforce members performing research on human subjects (living or deceased), or conducting reviews of Protected Health Information preparatory to research.  For research conducted by UAMS workforce members in a non-UAMS physical location, such as Arkansas Children’s Hospital, the policies of that institution will apply. 

 

DEFINITIONS

 

For purposes of this Policy, the following definitions apply:

 

Database means the compilation of data in any form and maintained in any fashion, and includes, but is not limited to, spreadsheets, tables, or other data repositories maintained in any form.  This list is not intended to be all inclusive but, rather, a guideline.

Data Use Agreement is a written agreement between UAMS and the Limited Data Set recipient which establishes the permitted uses and disclosures of such information and certain administrative safeguards to protect the information.

De-Identified Information means information which does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.  UAMS may determine that health information is De-Identified if the following identifiers of the individual or of relatives, employers, or household members of the individual, are removed, and UAMS does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information:

•           Names;

•           All geographic subdivisions small than a state, including street  address, city,      county, precinct, and ZIP Code;

            •           All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of 90 or older;

            •           Telephone numbers;

•           Fax numbers;

•           Electronic mail address;

•           Social Security numbers;

•           Medical Record numbers;

•           Health Plan beneficiary numbers;

•           Account numbers;

•           Certificate/license numbers;

•           Vehicle identifiers and serial numbers, including license plate          numbers;

•           Device identifiers and serial numbers;

•           Web Universal Resource Locators (URLs);

•           Internet Protocol (IP) address numbers;

•           Biometric identifiers, including voice and finger prints; and

•           Full face photographic images and any comparable images.

 

Designated Record Set means, for purposes of Research, medical records about individuals used, in whole or in part, by or for UAMS to make treatment decisions about individuals, including any treatment information generated in the research context.

Disclosure means the release, transfer, provision of access to, or divulging of information in any manner (verbally or in writing) to persons or entities OUTSIDE of UAMS.

Limited Data Set means information that excludes the following direct identifiers of the individual and of relatives, employers, or household members of the individual:

•           Names;

•           Street or Postal address information (other than town, city, State and zip    code);

•           Telephone numbers;

•           Fax numbers;

•           Electronic mail address;

•           Social Security numbers;

•           Medical Record numbers;

•           Health Plan beneficiary numbers;

•           Account numbers;

•           Certificate/license numbers;

•           Vehicle identifiers and serial numbers, including license plate numbers;

•           Device identifiers and serial numbers;

•           Web Universal Resource Locators (URLs);

•           Internet Protocol (IP) address numbers;

•           Biometric identifiers, including voice and finger prints; and

•           Full face photographic images and any comparable images.

Pre-Research or Review Preparatory to Research means the review of information or records prior to obtaining patient authorization and consent or prior to obtaining an IRB Waiver of Authorization in which the review is solely to prepare a research protocol, to determine if a research project is feasible, or for similar purposes preparatory to research.

Principal Investigator (PI) or Investigator shall mean the UAMS Principal Investigator, researcher or the research team or study coordinators collectively.

Protected Health Information (PHI) means information that is part of an individual’s health information that identifies the individual or there is a reasonable basis to believe the information could be used to identify the individual, including demographic information, and that (i) relates to the past, present or future physical or mental health or condition of the individual; (ii) relates to the provision of health care services to the individual; or (iii) relates to the past, present, or future payment for the provision of health care services to an individual.  This includes PHI which is recorded or transmitted in any form or medium (verbally, or in writing, or electronically). PHI excludes health information maintained in educational records covered by the federal Family Educational Rights Privacy Act and health information about UAMS employees maintained by UAMS in its role as an employer.

Research shall mean any research or systematic investigation on living or deceased human subjects (retrospective or prospective) seeking the use of PHI, including research development, testing, and evaluation, designed to contribute to generalizable knowledge. This includes research that is consistent with what the IRB currently reviews under the Common Rule. 

Workforce means UAMS physicians, faculty, employees, trainees, students, volunteers and other persons who conduct, in the performance of work for UAMS, is under the direct control of UAMS, whether or not they are paid by UAMS.

POLICY

It is the policy of UAMS to protect the privacy and confidentiality of medical records and information contained in the medical records of persons who are subjects of UAMS Research projects as required by law, including any and all Protected Health Information as defined by the HIPAA Privacy Regulations.  Protected Health Information of a Research subject, and the use or disclosure of such information, shall be governed by the UAMS Research Policy and any other applicable UAMS policies. 

This HIPAA Research Policy is not intended to replace the applicable legal requirements or UAMS policies concerning compliance with professional ethics, the Common Rule, FDA regulations, or other applicable laws and policies.  The Principal Investigator (PI) or Project Director (PD) is responsible for obtaining IRB approval for all Research projects that use human subjects including Research projects that propose the use of an individual’s or Research subject’s PHI.  The PI must have the approval letter from the IRB before the project can begin. Please see IRB polices and procedures and the applicable regulations at http://www.uams.edu/ora/irb for the regulations and https://aria.uams.edu for submitting a human subjects protocol for review and approval by the IRB. 

UAMS Workforce working with human subjects for Research purposes must complete the required HIPAA Research Training along with the IRB Human Subjects Training. http://www.uams.edu/orc/Training/Training.htm. This includes the Principal Investigator, co-investigators and research staff including, but not limited, to research associates, research assistants and study coordinators.

PROCEDURES

A.        GENERAL:  Protected Health Information can be used or disclosed for Research purposes under the following circumstances and only in accordance with this policy:

1.                 Authorization:  The patient or the patient’s Legal Representative has authorized the use or disclosure in accordance with this policy;

2.                 IRB/Privacy Board Review:  An Institutional Review Board (IRB) has approved a Waiver of Authorization;

3.                 De-Identified Information:  The PHI is De-Identified;

4.                 Limited Data Set:  Only Limited Data Set information is used or disclosed, and UAMS enters into a Data Use Agreement with the Limited Data Set recipient prior to disclosure;

5.                 Pre-Research:  UAMS obtains from the researcher representations that the use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;

6.                 Deceased Individuals:  UAMS obtains from the researcher representations that the use or disclosure is sought solely for research on the PHI of deceased individuals.

 

B.        RESEARCH COVERED BY THIS POLICY

1.                  This policy applies to all Research by UAMS Workforce that involves the use or disclosure of Protected Health Information regardless of the source of funding of the Research.

2.                  This policy applies to clinical trials, chart reviews, epidemiological studies, behavioral and social science studies, basic science research studies, and research that involves diagnosing or treating an individual as well as Research that involves neither diagnosis or treatment.

3.                  This policy applies to all Research activities, which includes, but is not limited to the following:

         The initial review of PHI for Pre-Research purposes such as to determine the feasibility of a study or to develop a research protocol;

         Research projects that involve the creation of a Database containing PHI;

         Research projects that involves the use of PHI from current Research Databases;

         Research projects that involve the addition of PHI to an existing Research Database;

         Research projects approved by the IRB that create PHI during the Research project;

         Research projects approved by the IRB that use existing PHI stored in any form;

         Recruiting patients to participate in a Research study;

         Enrolling patients into a Research study;

         Research projects with patient/subject authorization and consent;

         Conducting a Research study.

4.                  This policy applies all UAMS research activities that use or seek to use PHI about humans, regardless of the form in which the PHI is maintained (e.g., hard copy or electronic format).

 

C.        USES or DISCLOSURES OF PHI – In General

1.         General Requirements:  UAMS will protect the privacy of Research subjects and their PHI collected during a Research project.  UAMS will not use or disclose EXISTING PHI or PHI CREATED DURING A RESEARCH PROJECT, unless one of the following circumstances exist:

a.                   The subject signs both (1) a HIPAA Authorization for use and disclosure of PHI using the UAMS HIPAA Research Authorization Form or other form containing all the elements of a legally effective HIPAA authorization; AND (2) the informed consent to participate in research form approved by the IRB as required by UAMS policies.

You must give a copy of the signed Authorization and Informed Consent Forms and the UAMS Notice of Privacy Practices to the research subject.  Ask subject to sign Acknowledgment form.  See Notice of Privacy Practices Policy 3.1.21

b.       The IRB grants a waiver to the requirement of obtaining a signed HIPAA Research Authorization Form, or

c.         The IRB approved protocol uses properly De-identified PHI, or

d.                 The IRB approved protocol uses the Limited Data Set and the recipient (if recipient is not a member of the UAMS workforce) signs a Data Use Agreement with UAMS (or the entity that maintains the Designated Record Set).

2.         Minimum Necessary Applies:   PHI that is used or disclosed for Research purposes without a HIPAA-compliant Authorization should be limited to the minimum necessary to accomplish the purpose of the Research.  Minimum Necessary Policy, 3.1.25.

 

D.         GRANDFATHERING HIPAA RESEARCH AUTHORIZATION – Ongoing Research at Time of April 14, 2003  

UAMS may continue to use and disclose PHI created or received before and after April 14, 2003, for Research purposes if UAMS has obtained or received any one of the following prior to April 14, 2003:

•           A HIPAA Research Authorization received prior to April 14, 2003, from the patient to use or disclose their PHI for Research purposes; or               

•           The informed consent of the patient received prior to April 14, 2003, to participate in the Research; or

•           An IRB-approved waiver of informed consent for the Research in accordance with the Common Rule and received prior to April 14, 2003.

This includes permissions, consents or waivers that allowed future unspecified Research. 

Exception to Grandfathering – When Authorization Required.  If the protocol was approved by the IRB prior to April 14, 2003, but the protocol required that informed consent and subjects would be enrolled after April 14, 2003, a protocol revision must be submitted to the IRB adding a separate HIPAA-compliant Research Authorization or amending the informed consent to include the elements of a HIPAA-compliant Research Authorization for subjects enrolled after April 14, 2003. 

E.        RESEARCH ON INFORMATION OF A DECEASED PERSON

1.         General Requirements:  A UAMS HIPAA Research Authorization Form is not required when conducting Research of PHI on the deceased.  The information requested, however, should be the minimum necessary to accomplish the purposes of the Research. Minimum Necessary Policy, 3.1.25  The information requested must be solely for Research on the PHI of decedents and not, for example, for Research of living relatives of decedents.  Upon request of UAMS, documentation of the deaths of the study subjects will be provided.  No Authorization or alteration or waiver of Authorization by an IRB or Privacy Board is needed for use or disclosure of PHI for Research only on the PHI of deceased persons, if these conditions are met, and the Investigator completes a Certification as described below.

2.         Certification by Investigator:  A Certification by the Investigator is required in which Investigators must certify in writing the following when requesting PHI on deceased individuals: (1) The investigator seeks use and disclosure of PHI for research on deceased individuals; (2) the investigator will provide proof of death if requested; and (3) the investigator seeks PHI solely for Research and nothing else.

For these purposes, PIs will complete and sign a Certification for Use and Disclosure of Protected Health Information of Deceased Individuals Form and present it to the custodian of the records being requested before the custodian can release the PHI to the investigator.

 

F.         REVIEW PREPARATORY TO RESEARCH:

1.         Pre-Research or Review Preparatory to Research means the review of information or records prior to obtaining patient authorization and consent or prior to obtaining an IRB Waiver of Authorization in which the review is solely to prepare a research protocol, to determine if a research project is feasible, or for similar purposes preparatory to research.  For example, a review to design a research study, to formulate hypotheses, or to assess the feasibility of conducting a study.

Note:  Preparatory to Research activities may include activities to identify prospective Research subjects, but it does not include contacting patients, contacting potential subjects, or recruitment of subjects in any manner. 

 

2.         Authorization:  A UAMS HIPAA Research Authorization Form or other HIPAA Authorization form is not required when conducting Pre-Research or Review Preparatory to Research.

 

3.         Minimum Necessary:  The information requested for review must be the minimum necessary to accomplish the purpose of the Pre-Research. Minimum Necessary Policy, 3.1.25.  In addition, a Certification by the Investigator is required as described below.

 

4.         Certification by Investigator Required: When undertaking “Pre-Research” or a “Review Preparatory to Research,” investigators must have a current written certification on file signed by the investigator that includes the following representations:

a.      The PI seeks use or disclosure of PHI solely to review such information as necessary to prepare a Research protocol or similar purposes Preparatory to Research; and

b.      PI shall not remove any PHI from UAMS premises in the course of such review; and

c.       The use or disclosure of PHI is necessary for Research purposes.

For these purposes, PIs must fill out a Reviews Preparatory to Research Form, (please print from Word File Icon located at the top of this document) attached, and submit it to the custodian of the records being requested before the custodian can release the PHI to the investigator.  Annual renewals are required.  See Paragraph 5 below.

            5.         Re-Certification Required:  On an annual basis, PIs must re-new their individual certifications regarding Reviews Preparatory to Research.

6.         PHI May Not Leave UAMS Premises:  PHI that is being reviewed for Pre-Research purposes must not leave the UAMS premises in the course of such review.

G.        IRB APPROVAL OF RESEARCH

The Principal Investigator (PI) or Project Director (PD) is responsible for obtaining IRB approval for all Research projects that use human subjects or which otherwise propose the use of an individual’s PHI.  The PI must have the approval letter from the IRB before the project can begin. Please see IRB polices and procedures at www.uams.edu\ora\hrac for the regulations and visit https://aria.uams.edu for submitting a human subjects protocol for review and approval by the IRB. 

H.        REQUIRED HIPAA RESEARCH AUTHORIZATION
 

1.                  HIPAA Research Authorization vs. Informed Consent for Research

All Research projects that use or create PHI will require subjects to sign the usual IRB-approved Informed Consent to participate in a Research project, AND a form similar to the UAMS HIPAA Research Authorization Form as attached, as long as the form contains all the elements of a legally effective HIPAA authorization. The IRB will look for the usual Informed Consent AND the additional HIPAA Research Authorization (example UAMS HIPAA Research Authorization Form) as required by this policy as criteria for granting final approval for a Research project. Beginning April 14, 2003, if the legally effective HIPAA authorization elements are not present in projects using or creating PHI, then the IRB will cite this as a minor revision prior to granting final approval.

2.        HIPAA Research Authorization Combined with Informed Consent for Research

a.         Combination of UAMS HIPAA Research Authorization Form and Informed Consent Form:  UAMS prefers, but will not require, the HIPAA Research Authorization to be a form separate from the Informed Consent form.  The HIPAA Research Authorization and the Informed Consent may be combined. 

b.                 UAMS HIPAA Research Authorization Form: Example of HIPAA Research Authorization:

PIs and PDs shall use nothing less than the elements of the UAMS HIPAA Research Authorization Form, but may modify it to make it more stringent if the project dictates it. Researchers are encouraged to modify the form relative to their Research project, but are not authorized to delete any of the required elements presented in the form. The authorization form MUST be submitted to the IRB as an update for approval by expedited review.

I.          WAIVER OF  HIPAA RESEARCH AUTHORIZATION

            1.         Waiver of HIPAA Research Authorization:

If it would be impractical to re-consent or obtain a UAMS HIPAA Research Authorization Form to do the research project, then the PI can request a waiver of the additional HIPAA Research Authorization as described by this policy.  PIs or PDs must submit their requests for a waiver of authorization to the IRB in writing and must include the following explicit protocol elements for the waiver of authorization to be considered by the IRB:

a.         Provide a brief description of the Protected Health Information to be used.

b.         Use the following methods to ensure minimal risk to privacy of individuals:

(i)         Describe an adequate plan to protect the identifiers from improper use or disclosure.

(ii)        Describe an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of Research, unless there is a health or research justification for retaining the identifiers or retentions is required by law.

(iii)       Assure the IRB in writing that the PHI will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the Research project, or for other Research as permitted by the HIPAA regulations.

c.          Certify in writing that Research cannot practicably be carried out without the waiver.

d.         Certify in writing that Research cannot practicably be conducted without access or use of the PHI.

e.          The IRB approval letter MUST contain the following information if a waiver is granted by the IRB:

(i)        Name of the IRB and the FWA assurance number.

(ii)               Date of action.

(iii)             A statement that the IRB determined that the waiver satisfies all the criteria listed above.

 (iv)     A brief description of the PHI for which use and disclosure has been determined to be necessary for Research by the IRB. (Provided by the PI above).

(v)            The type of review administered under the Common Rule.

(vi)      Signature of the chair or chair’s designee authorized to sign.

 

J.        WHEN AUTHORIZATION IS NOT REQUIRED

1.         HIPAA Research Authorization is NOT Required When Information is De-Identified.

a.        De-Identified Information means information which does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.  UAMS may determine that health information is De-Identified if the following identifiers of the individual and of relatives, employers, or household members of the individual, are removed, and UAMS does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information:

•           Names;

•           All geographic subdivisions smaller than a state;

•           All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of 90 or older;

•           Telephone numbers;

•           Fax numbers;

•           Electronic mail address;

•           Social Security numbers;

•           Medical Record numbers;

•           Health Plan beneficiary numbers;

•           Account numbers;

•           Certificate/license numbers;

•           Vehicle identifiers and serial numbers, including license       plate numbers;

•           Device identifiers and serial numbers;

•           Web Universal Resource Locators (URLs);

•           Internet Protocol (IP) address numbers;

•           Biometric identifiers, including voice and finger prints;

•           Full face photographic images and any comparable images; and

•           Any other unique identifying number, characteristic or         code.

b.         Requirements for Use/Disclosure:  Prior patient Authorization is not required for the use or disclosure of properly De-Identified information as defined in this Policy.  Refer to UAMS De-Identification Policy, 3.1.31 to determine proper de-identification methods. Also refer to UAMS Request for Data Extract Policy, 3.1.29.  If the PI or other researcher will receive PHI, prior to its being De-Identified, however, the PI/researcher must submit a research protocol to the IRB that includes a description of the health information sought and an explanation of how the information will be De-Identified.

c.          Codes Used to Re-identify the Information.  UAMS may assign to, and retain with, the De-Identified Information, a code or other means of record re-identification as long as that code is not derived from or related to the information about the individual and is not otherwise capable of being translated to identify the individual.  For example, a social security number would not be a permissible “code.”  A randomly assigned re-identification code, however, would be permissible because it would not be related to information about the individual. UAMS may not disclose its method of re-identification or use or disclose its code for other purposes.  Any codes used to render the information re-identifiable must be kept confidential and held to the same level of privacy as all other PHI pursuant to the policies and procedures of UAMS and the HIPAA regulations.

2.                 HIPAA Research Authorization is NOT Required for Use/Disclosure of Limited Data Set Information and As Long As Recipient Signs a Limited Data Set Agreement Prior to Disclosure.

a.         Limited Data Set means information that excludes the following direct identifiers of the individual and of relatives, employers, or household members of the individual:

•           Names;

•           Street or Postal address information (other than town, city, State and zip code);

•           Telephone numbers;

•           Fax numbers;

•           Electronic mail address;

•           Social Security numbers;

•           Medical Record numbers;

•           Health Plan beneficiary numbers;

•           Account numbers;

•           Certificate/license numbers;

•           Vehicle identifiers and serial numbers, including license       plate numbers;

•           Device identifiers and serial numbers;

•           Web Universal Resource Locators (URLs);

•           Internet Protocol (IP) address numbers;

•           Biometric identifiers, including voice and finger prints; and

•           Full face photographic images and any comparable images.

If the information is necessary for the Research, the Limited Data Set CAN include:

•           Geographic identifiers, such as town, city, county, State, and five-digit zip code

(but not street name, street address, or post office box)

•           All elements of dates

•           Admission dates

•           Discharge dates

•           Service dates

•           Date of birth and date of death

•           Age (including 90 or over)

•           Other unique codes or identifiers not listed above as a          direct identifier

b.         Requirements for Use/Disclosure:  Prior patient Authorization is not required for the use or disclosure of “Limited Data Set” information as defined in this Policy, as long as a Data Use Agreement is entered with the recipient of the information if the recipient is not a member of the UAMS Workforce and the use or disclosure is for one of the following purposes:

           i.          For the purposes of Research; or

ii.          For the purposes of public health activities (not already allowed under HIPAA and the UAMS Use and Disclosure of PHI Policy, 3.1.28), such as disease registries maintained by UAMS, private organizations, other universities, or other types of studies undertaken by the private sector or nonprofit organizations for public health purposes); or

iii.         For the purposes of UAMS Health Care Operations as defined in the UAMS Use and Disclosure of PHI Policy, 3.1.28 and the HIPAA regulations.

c.       Data Use Agreement Required:  If the Limited Data Set information is to be disclosed outside UAMS, a Data Use Agreement must be entered with the recipient of the Limited Data Set information.  Please contact the UAMS Research Privacy Officer when a Data Use Agreement is needed.  All Data Use Agreements require the signature of the UAMS Research Privacy Officer and the authorized representative of the Limited Data Set recipient prior to disclosure

d.        Minimum Necessary Applies:   The Limited Data Set information being used or disclosed must be the minimum necessary to accomplish the purpose of the Research.  UAMS Minimum Necessary Policy, 3.1.25.

e.         Refer to UAMS De-Identification Policy, 3.1.31 to determine proper use/disclosure of Limited Data Set information, and also refer to the UAMS Request for Data Extract Policy, 3.1.29.

 

K.       USE of PHI in EXISTING DATABASES or CREATING A NEW DATABASE

1.        Research on Existing Databases:  For use or disclosure of PHI for Research purposes from an existing database maintained by UAMS, UAMS must have one of the following:

  Obtain the required HIPAA Research Authorizations in accordance   with this Policy; or

Obtain an IRB Waiver of Authorization; or

Use or disclose PHI for Pre-Research purposes in accordance with            this Policy; or

Use or disclose PHI for Research on decedents’ PHI in accordance            with this Policy; or

 Use or disclose only the Limited Data Set information and enter                  into a Data use Agreement with the recipient in accordance with                    this Policy; or

Use or disclose PHI based on permission obtained prior to April               14, 2003 in accordance with the “Grandfathering” section of this Policy.

2.         Collecting PHI for Sole Purpose of Creating Research Database.   Prior to creating a database containing PHI for the purpose of Research, the PI must seek the patient/subject HIPAA Authorizations required under this policy, or seek a Waiver of Authorization from the IRB as described in this Policy.

L.        RECRUITMENT:   The IRB must approve all recruitment plans prior to the recruiting activity taking place, and the following are examples:

1.         Physicians or their clinical staff may identify potential Research subjects from their own patients and contact the patients directly regarding their own IRB approved Research study. 

2.         Clinical staff, directly involved in patient care, can inform their patients of Research studies and give the patients contact information about Research studies for which they may qualify.

3.         A researcher can provide IRB approved flyers and handouts to other physicians or care providers for an IRB approved Research study.  These care providers can hand out the flyers and inform subjects to contact the researcher directly for information about the study.

4.         IRB Approved Recruitment advertisements can be posted whereby potential subjects can initiate contact with the researcher.

5.         Clinical care providers may send a letter or other type of mailing informing their patients of a Research study and provide contact information for the researcher.  Initial contact should always be made by a care provider.

6.         A researcher can ask care providers to inform their patients of a potential Research study.  The researcher should provide the care provider with a Recruitment HIPAA Authorization form that the patient completes to give their permission for the Researcher to contact them regarding the study.  The care providers ask their patients if they would like to be contacted to learn more about the study, the patient completes the form if interested and the care provider then forwards these forms to the researcher.  The researcher may then contact the potential subject. 

 

M.       TREATMENT RECORDS AND THE DESIGNATED RECORD SET:  A Designated Record Set means, for purposes of Research, medical records about individuals used, in whole or in part, by or for UAMS to make treatment decisions about individuals, including any treatment information generated in the research context.  Documents containing the subject’s PHI in the course of Research and used in Research to make treatment decisions about the subject should be duplicated and the original record provided to the UAMS Health Information Management (HIM)/Medical Records Department for inclusion in the subject’s medical record.

 

N.        ACCOUNTING FOR DISCLOSURES

1.         Accounting Required:  An accounting for disclosures is a method of documenting and tracking disclosures made by UAMS (both oral and written) of PHI to non-UAMS employees or other persons or entities outside UAMS.  An example is an oral or written disclosure of PHI to comply with reporting requirements to the Arkansas Department of Health. 

UAMS must account for “Disclosures” as defined herein, and in the HIPAA Privacy Regulations, for disclosures made without the individual’s Authorization, such as:

a.         Disclosures of PHI made under an IRB waiver of authorization; and

b.        Disclosures of PHI for Research on the deceased.

 See”Exceptions” below.

2.         Accounting Form:  All such disclosures must be documented and accounted for by the PI who disclosed the PHI, or who is in charge of the project in which the PHI was disclosed, using the Accounting For Disclosures Form attached to the UAMS Accounting of Disclosures Policy, 3.1.26, or other method of documenting the disclosure, and including the information required in the UAMS Accounting for Disclosures of PHI Policy, 3.1.26. After completing the Form or documenting the disclosure, the Form or documentation must be provided to the UAMS Health Information Management Department (a/k/a UAMS Medical Records Department), Slot #524.   Copies may be maintained by the PI.

3.         Multiple Disclosures to Same Person or Entity: When multiple disclosures of PHI are made to the same person or entity for a single purpose, the accounting for such disclosures may consist of the information required for an accounting for the first disclosure, plus the number or frequency of disclosures, and the date of the last disclosure during the time period covered by the request. 

4.         EXCEPTIONS - Accounting is Not Required:  UAMS is NOT required to account for disclosures of the PHI of individual subjects only if the following can be documented:

a.                   A valid HIPAA Research Authorization Form was signed by the individual who is the subject of the PHI being disclosed prior to the disclosure; or

b.                   Only De-Identified Information is being disclosed pursuant to the UAMS De-Identification Policy; or

c.                   Only Limited Data Set information is being disclosed and a Data Use Agreement was entered into with the recipient of the information, as described in this policy and the UAMS De-Identification Policy.

 


Please print form from Word  File (click icon at the top of document)

 

UNIVERSITY OF ARKANSAS FOR MEDICAL SCIENCES

HIPAA RESEARCH AUTHORIZATION

  

STUDY TITLE:                              

Title

 

PRINCIPAL INVESTIGATOR:   

Name

Address

Phone

 

CO-INVESTIGATORS:                 
Name

                                                                                                                                                                                                                                         Address

                                                                                                                                                                                                                                           Phone

 

STUDY SPONSOR:                        
Name

The word “you” means both the person who takes part in the research, and the person who gives permission to be in the research.  This form and the research consent form need to be kept together.

We are asking you to take part in the research described in the consent form.  To do this research, we need to collect health information that identifies you. We may collect the following information from your medical record: <list specific information that will be recorded>. This information will be used for the purpose of <list purpose of study>We will only collect information that is needed for the research.  Participating in this research study will create the following new health information: <list information that will be created>.  For you to be included in this research, we need your permission to collect, create and share this information. 

We will, or may, share your health information with people at the University of Arkansas for Medical Sciences (UAMS) who help with the research or things related to the research process, such as the study staff, the UAMS Institutional Review Board and the research compliance office at the University of Arkansas for Medical Sciences.  We may share your information with the following  researchers outside of the University of Arkansas for Medical Sciences: <list who>.  We may also share your information companies that pay for all or part of the research or who work with us on the research, such as the Sponsor listed above, or their legally authorized representative, or anyone who might purchase those companies at a later date.  Additionally, we may need to share your health information with people outside of UAMS who make sure we do the research properly, such as the Office of Human Research Protections or the Food and Drug Administration. We believe that those involved with research understand the importance of preserving the confidentiality of your health information.   However, some of the people outside of UAMS may share your health information with someone else. If they do, the same laws that UAMS must obey may not apply to others to protect your health information.

This authorization to collect, use and share your health information expires at the end of the research.

If you sign this form, you are giving us permission to create, collect, use and share your health information as described in this form.  You do not have to sign this form.  However, if you decide not to sign this form, you cannot be in the research study.  You need to sign this form and the research consent form if you want to be in the research study.  We cannot do the research if we cannot collect, use and share your health information.

If you sign this form but decide later that you no longer want us to collect or share your health information, you must send a letter to the person and the address listed by “Principal Investigator” on the first page of this form. The letter needs to be signed by you, should list the “Study Title” listed on this form, and should state that you have changed your mind and that you are revoking your “HIPAA Research Authorization”.   You will need to leave the research study if we cannot collect and share any more health information.  However, in order to maintain the reliability of the research, we may still use and share your information that was collected before the Principal Investigator received your letter withdrawing the permissions granted under this authorization.

During the course of the study, you may be denied access temporarily to certain medical information about you that is study related.  However, the Principal Investigator and staff will not automatically deny a request, but will consider whether it is appropriate under the circumstances to allow access.  If access is denied during the study, once the study is completed, you will be able to request access to the information again. 

If you decide not to sign this form or change your mind later, this will not affect your current or future medical care at the University of Arkansas for Medical Sciences. 

SIGNATURE, DATE, AND IDENTITY OF PERSON SIGNING

The health information about ______________ can be collected and used by the researchers and staff for the research study described in this form and the research consent form. 

Signature:________________________________________           
 

Date:_____________

Print name:_______________________________________

 

Relationship to participant:___________________________

 

The researcher will give you a signed copy of this form.

UAMS DATA USE AGREEMENT FOR THE LIMITED DATA SET

 

This Data Use Agreement (“DUA”) is made effective this ____day of ________, 20__, (“Effective Date”) by and between University of Arkansas For Medical Sciences (“Covered Entity”) with offices at ___________________________________________, and ______________________________________________________ (“RECIPIENT”), with offices at _________________________________________________; individually, a “Party” and collectively, the “Parties”.

UAMS is a Covered Entity as defined in the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”); and

            UAMS is providing RECIPIENT with a Limited Data Set of Protected Health Information (“PHI”) as defined in HIPAA, thus rendering RECIPIENT a “Limited Data Set Recipient” as defined in HIPAA;

The Parties agree to the provisions of this DUA in order to address the requirements of HIPAA and to protect the interest of both Parties.

1.                 DEFINITIONS:  Except as otherwise defined, any terms in this DUA shall have the definitions set forth in HIPAA.  In the event of any inconsistency between the provisions of this DUA and mandatory provisions of HIPAA, as amended, the HIPAA definition shall control.  Where provisions of this DUA are different than those mandated in HIPAA, but are nonetheless permitted by HIPAA, the provisions of this DUA shall control.

2.                  USE OR DISCLOSURE:  RECIPIENT shall have the right to use all PHI provided to it by UAMS for the Research, Public Health or Health Care Operations purposes of:

[INSERT THE “USES OF THE DATA” TO BE PROVIDED BY UAMS TO RECIPIENT.]

and any other purpose in satisfaction of a judgment of a court of law or pursuant to any Federal or State law or regulation applicable to such PHI.

3.         RESTRICTIONS ON USE:  RECIPIENT agrees to not use or further disclose the PHI other than is permitted by this DUA, or as otherwise required by law.  RECIPIENT shall use appropriate safeguards to protect the PHI from misuse or inappropriate disclosure and shall prevent any use or disclosure of the PHI other than as provided in this DUA.  RECIPIENT shall not attempt to identify the individuals to whom the PHI pertains, or attempt to contact such individuals.

4.                   REPORTING:  RECIPIENT shall report to UAMS any use or disclosure of the PHI not provided for in this DUA of which RECIPIENT is or becomes aware.  RECIPIENT will take reasonable steps to limit any further such use or disclosure.

5.                   TERMINATION:  This Agreement and all obligations hereunder, shall be effective on the Effective Date first set forth above and shall continue as long as RECIPIENT retains the data, unless otherwise terminated by applicable law or regulation.  RECIPIENT may terminate this Agreement by returning or destroying the PHI.  Should RECIPIENT commit a material breach of this Agreement, which breach is not cured within thirty (30) days after RECIPIENT receives notice of such breach from the Covered Entity, then the Covered Entity may discontinue disclosure of PHI and report the breach to the appropriate Privacy Officer at UAMS.

6.                   RECIPIENT AS A COVERED ENTITY:  RECIPIENT acknowledges that if it is, itself, a covered entity as defined in HIPAA, then breach of this DUA will be treated as noncompliance with 45 CFR 164.514(e).

IN WITNESS WHEREOF, the Parties have executed this Data Use Agreement as of the day and year first set forth above.

Covered Entity (Covered Entity)                                          

Limited Data Set Recipient        

                                                                                            

                                                  

 

__________________________                           _________________________

Signature                                                                 Signature

___________________________                        _________________________

Name                                                                       Name

___________________________                        _________________________

Title                                                                         Title


 

UAMS CERTIFICATION

FOR USE OR DISCLOSURE OF PROTECTED

HEALTH INFORMATION FOR THE PURPOSE OF REVIEW PREPARATORY TO RESEARCH (45 CFR 164.512(i)(1)(ii))

 

Name(s) and Address(es) of Investigator(s):

 

Name(s) and Address(es) of Covered Entity(ies) Where Protected Health Information is Located:

In accordance with 45 CFR 164.512(i)(1)(ii), the undersigned investigator(s) hereby certify(ies) that:

1. Said investigator(s) seek the use or disclosure of Protected Health Information (as defined in 45 CFR 164.501) located at the Covered Entity(ies), as defined in 45 CFR 160.102, named above solely to review such information as necessary to prepare a research protocol or for similar purposes preparatory to research;

2. Said investigator(s) shall not remove any Protected Health Information from the Covered Entity(ies) named above in the course of the review (and shall record only de-identified Protected Health Information); and

3. The Protected Health Information located at the Covered Entity(ies) named above is necessary for the research purposes of said investigator(s).

Signature(s) of Investigator(s):

________________________

Name

________________________

Signature

________________________

Date

 
UAMS CERTIFICATION FOR USE OR DISCLOSURE OF
PROTECTED HEALTH INFORMATION OF DECEASED INDIVIDUALS
(45 CFR 164.512(i)(1)(iii))

Name(s) and Address(es) of Investigator(s):

Name(s) and Address(es) of Covered Entity(ies) Where Protected Health Information is Located:

In accordance with 45 CFR 164.512(i)(1)(iii), the undersigned investigator(s) hereby certify(ies) that:

1. Said investigator(s) seek the use or disclosure of Protected Health Information (as defined in 45 CFR 164.501) located at the Covered Entity(ies), as defined in 45 CFR 160.102, named above solely for research on the Protected Health Information of decedents;

2. Said investigator(s) shall, if requested, provide the Covered Entity(ies) named above with documentation of the death of the individuals for whose Protected Health Information said investigators seek use or disclosure; and

3. The Protected Health Information of decedents located at the Covered Entity(ies) named above is necessary for the research purposes of said investigator(s).

Signature(s) of Investigator(s):

 

__________________________
Name

__________________________
Signature

__________________________
Date