Human
Subject/Patient Policy
Use and Disclosure of Protected Health
Information for Research
SCOPE:
All Louisiana State University (LSU) System health care
components, facilities and providers, including but not
limited to health sciences schools, IRBs and/or Privacy
Boards established there under, hospitals, physician/faculty
practices, and clinics on the LSU Health Sciences Center New
Orleans Academic Campus.
Nota Bene: All LSU System health care facilities and
providers including, but not limited to hospitals, clinics,
and schools, etc. on the LSU Health Sciences Center New
Orleans Academic Campus, are referred to in this policy as
LSUHSC-NO.
RELATED POLICIES/DOCUMENTS:
Form: Authorization for Use and Disclosure of PHI for
Research
Form: Data Use Agreement
Form: Principal Investigator’s Certification of
De-Identification
Form: Principal Investigator’s Certification of Request for
Decedent’s Information
Form: Principal Investigator’s Certification of Review
Preparatory to Research
Form: Notice of Privacy Practices (available at all sites)
Policy: Minimum Necessary Standard for Use and Disclosure of
PHI
Policy: De-Identification of PHI
Policy: Limited Data Sets
Policy: Right of Access to PHI
Policy: Accounting of Disclosures of PHI
Policy: Use and Disclosure of Protected Health Information
for Facility Directory Purposes
Policy: Use and Disclosure of Protected Health Information
to Persons Involved in the Patient’s Care and for
Notification Purposes
PURPOSE:
To provide guidance for the use and disclosure of protected
health information (PHI), as described in the Health
Insurance Portability and Accountability Act (HIPAA) of
1996, for research purposes including:
-
Instances where a written authorization
is required before PHI may be used or disclosed;
-
Instances where written authorization
of the patient is not required before PHI may be used or
disclosed, but a review of the use or disclosure of PHI
must be performed and approved by a qualified board; and
-
Instances where written authorization
of the patient is not required before PHI may be used or
disclosed, but the researcher must provide written
assurances that the PHI will be protected.
DEFINITIONS:
Accounting of Disclosures - A research subject has the
right to receive a written accounting of certain
research disclosures of his/her PHI to individuals or
entities outside of the LSUHSC-NO health care
components. This right applies to all disclosures made
during research performed under a waiver of
authorization or involving deceased individuals. This
right includes any such disclosures during the six
years prior to the date on which the accounting is
requested after April 14, 2003. Note that disclosures
are not permitted under a preparatory to research
project nor is an accounting required when research is
pursuant to a HIPAA-compliant authorization or
involves de-identified data or limited data sets with
a data use agreement.
Authorization - A written
document completed and signed by the individual that
allows use and disclosure of PHI for specified
purposes other than treatment, payment or health care
operations.
Common Rule – The Federal
Policy for the Protection of Human Subjects that is
currently in effect, as described in 45 CFR part
46(A). The Common Rule provides protections for
individuals and establishes the role of Institutional
Review Boards (IRB) in achieving those protections.
De-identified Information
– Health information that does not identify an
individual and data from which there is no reasonable
basis to believe that the information can be used to
identify an individual. All identifiers have been
removed pursuant to federal Privacy Rule § 164.514 (b)
(2). De-identified information is not considered
protected health information (PHI) and is not subject
to the Health Insurance Portability and Accountability
Act (HIPAA). To de-identify information, you must
remove all of the following elements:
- Names
- All geographic
subdivisions smaller than a State including street
address, city, county, precinct, zip code, and their
equivalent geocodes, except for the initial three
digits of a zip code if, according to the current
publicly available data from the Bureau of the
Census: (initial 3 digits if geographic unit
contains less than 20,000 people, or any other
geographical codes).
- Dates (except for years)
- Birth Dates
- Admission Dates
- Discharge Dates
- Date of Death
- Ages >89 and all elements of
dates (including year) indicative of such age,
EXCEPT that such ages and elements may be
aggregated into a single category of >90
- Telephone Numbers / Fax Numbers
- E-mail Addresses / Web Universal
Resource Locators (URLs) / Internet Protocol (IP)
Address Numbers
- Social Security Numbers
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Certificate / License Numbers
- Vehicle Identifiers and Serial Numbers
- Device Identifiers and Serial Numbers
- Biometric Identifiers (e.g. finger or voice prints)
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
Designated
record set - A group of records regarding an
individual that are maintained by a LSU health care
component and that include medical and billing records
which are used in whole or in part to make decisions
about individuals.
(NOTE: records that are strictly
research records that are kept separately are not part
of the designated record set.)
Individually Identifiable Health
Information - Information, including
demographic information, that:
- Is created or received by a
healthcare provider, health plan, employer, or
healthcare clearinghouse.
- Relates to the past, present, or
future physical or mental condition of an
individual, the provision of healthcare to an
individual, or the past, present or future payment
for the provision of healthcare to an individual
- Identifies the individual (or
there is a reasonable basis to believe the
information can be used to identify the individual)
Limited data
set - means PHI that excludes the following
direct identifiers of the patient, or of the patient’s
relatives, employers, or household members:
- names
- postal address information, other
than town or city, state, or zip code
- telephone numbers
- FAX numbers
- Electronic mail addresses
- Medical record numbers, including
prescription numbers and clinical trial numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial
numbers, including license plate numbers
- Device identifiers and serial
numbers
- Web Universal Resource Locators
(URLs)
- Internet Protocol (IP) address
numbers
- Biometric identifiers, including
finger and voice prints
- Full face photographic images and
any comparable images
(NOTE that this list of identifiers
is not the same as that for de-identified
information).
Protected Health Information
(PHI) - means individually identifiable health
information, whether oral or written, that is
transmitted by electronic media; maintained in any
medium; or transmitted or maintained in any other
form. PHI excludes individually identifiable health
information in student education records covered by
the Family Educational Rights and Privacy Act (FERPA)
and records held by a covered entity in its role as
employer.
Research - A systematic
investigation, including research development,
testing, and evaluation, designed to develop or
contribute to generalizable knowledge, including
research studies that involve treatment.
Research databases - PHI
collected and maintained solely for research purposes
is a research database. In contrast, PHI collected and
maintained solely for treatment, payment, and
operations is not a research database.
POLICY:
All LSUHSC-NO health care components within the scope
of this policy that participate in research in which
patients’ protected health information (PHI) is used
or disclosed, will have procedures in place to assure
PHI is used or disclosed in accordance with applicable
state and federal laws, regulations, and rules.
Researchers should be guided by the following
principles:
-
A researcher has the obligation
to identify when the intended use or disclosure of
PHI is for research, as defined above.
-
Individual authorization is
generally required to request, access, review, use
or disclose PHI for research purposes, except in
limited circumstances described in the sections,
below. Authorizations forms must be reviewed by the
IRB and/or Privacy Board.
-
In those research circumstances
where an individual authorization is excepted (i.e.
preparatory to research, research on decedents, or
under a waiver of authorization) satisfaction of the
LSUHSC-NO IRB policies and procedures must be met
prior to such activities.
-
Each LSUHSC-NO health care
component engaged in research activities will
establish administrative and management
infrastructure to implement this policy.
-
These provisions are intended to
supplement, rather than replace, the existing IRB
policies and procedures.
PROCEDURE:
| 1.0 |
Use of an
Institutional Review Board (IRB) and/or Privacy
Board |
| 1.1 |
Any
LSUHSC-NO health care component which participates
in and provides data for research projects shall
use an IRB of record for the purposes of
minimizing risks, and an IRB of record and/or
Privacy Board for the purposes of minimizing
privacy risks, to research participants. The
purpose and functions of an IRB are as described
in 45 CFR part 46 (A) (the Common Rule). |
| 1.2 |
The IRB
and/or Privacy Board will conduct reviews and
approvals of uses and disclosures of PHI and
waivers or alterations of an authorization to use
or disclose PHI for research purposes. |
| 2.0 |
Receipt and
Processing of Research Requests |
| 2.1 |
LSUHSC-NO
health care components may use or disclose PHI for
research regardless of the source of funding. The
research may be conducted either with a patient’s
authorization or without the patient’s
authorization in limited circumstances and under
certain conditions. |
| 2.2 |
Requests for
use of patients’ PHI in research projects will be
submitted in writing to the IRB and/or Privacy
Board. The research request must describe with
sufficient specificity the PHI
necessary, as well as
how it will be used for the research. |
| 2.3 |
The IRB
and/or Privacy Board will evaluate the request to
determine whether the health care component will
grant access to patients’ PHI. Based on the type
of research, the required uses and disclosures of
PHI, and assurances provided by the principal
investigator, the IRB and/or Privacy Board will
determine the necessity for authorizations,
waivers, or alterations of authorizations. |
|
2.4 |
The IRB and/or Privacy
Board chair, or designee, will notify the requestor of
denial or approval and under what circumstances the approval
is made. The IRB action on the request will be maintained by
the Research Office with other documents related to that
protocol. |
|
2.5 |
LSUHSC-NO health care components are responsible for adhering to the requirements for providing an accounting of disclosures for research purposes. The principal investigator may be required to provide the facility with information necessary to construct an accounting of disclosures. The Researcher’s contact information will be provided to patients whose health information was used in their research with a waiver of authorization, if the patient so requests. See Policy on Accounting of Disclosures of Protected Health Information for further information. |
|
2.6 |
Authorizations are
obtained in addition to the IRB approved documents for the
research, and a copy is placed on the participant’s medical
record along with the IRB-approved documents. A signed copy of the authorization must be given to the participant. |
|
3.0 |
Research That Does Not Require Authorization But Does
Require IRB and/or Privacy Board Review |
|
3.1 |
LSUHSC-NO health care
components may use or disclose PHI for research purposes in
certain circumstances without obtaining the patient’s
written authorization or providing an opportunity for the
patient to agree or object. |
|
3.2 |
Reviews Preparatory to Research under Privacy Rule
164.512(i)(1)(ii). The principal investigator shall
submit to the IRB and/or Privacy Board Chair, or designee, a
Principal Investigator’s Certification of Review Preparatory
to Research form for review and approval which describes the
research and contains written representations that:
|
3.2.1 |
Use or disclosure
is sought solely to review PHI as necessary to prepare a
research protocol or for similar purposes preparatory to
research; |
|
3.2.2 |
No PHI is to be
removed from the LSUHSC-NO health care components and/or
performance sites by the principal investigator or other
researchers working with or under his/her direction
during the course of the review, and; |
|
3.2.3 |
The PHI for which
use or access is sought is necessary for research
purposes. The principal investigator must identify the
minimum necessary PHI for the access request or must
justify access to the entire medical record, if
necessary. See Policy on Minimum Necessary Standard for
Use and Disclosure of PHI. |
|
3.2.4 |
If IRB policies are more
restrictive than HIPAA, you must follow the IRB
policies. |
|
|
3.3 |
Research on Decedent’s Information under Privacy Rule
164.512 (i) (1) (iii).
The principal investigator shall submit to the IRB and/or
Privacy Board Chair, or designee, a Principal Investigator’s
Certification of Requisition for Research on Decedent’s
Information form which describes the research, including:
|
3.3.1 |
Written
representations that the use or disclosure is sought
solely for research on the PHI of decedents; |
|
3.3.2 |
Documentation of
the death of such individuals, if requested by the IRB
and/or Privacy Board Chair, or designee; and |
|
3.3.3 |
Representation
that the PHI for which use or disclosure is sought is
necessary for the research purposes. |
|
|
3.4 |
Waiver of Authorization.
|
3.4.1 |
Approval of Waiver of
Authorization. LSUHSC-NO health care components
may use or disclose PHI for research if it obtains IRB
approval of an alteration to or waiver, in whole or in
part, of the individual’s authorization required for use
or disclosure of PHI. |
|
3.4.2 |
Documentation of Waiver Approval.
For a use or disclosure of PHI to be permitted based on
documentation of approval of an alteration or waiver, as
described above, the documentation must include all of
the following:
|
3.4.2.1 |
Identification and date of
action. A statement identifying the IRB
and/or Privacy Board and the date on which the
alteration or waiver of authorization was approved. |
|
3.4.2.2 |
Waiver criteria. A
statement that the IRB and/or Privacy Board has
determined that the alteration or waiver, in whole
or in part, of authorization satisfies the following
criteria:
-
The use or
disclosure of PHI involves no more than minimal
risk to the individuals based on, at least, the
presence of the following elements:
-
There is
an adequate plan to protect the identifiers from
improper use and disclosure;
-
There is
an adequate plan to destroy the identifiers at
the earliest opportunity consistent with conduct
of the research, unless there is a health or
research justification for retaining the
identifiers, or such retention is otherwise
required by law; and
-
There is
an adequate plan to destroy the identifiers at
the earliest opportunity consistent with conduct
of the research, unless there is a health or
research justification for retaining the
identifiers, or such retention is otherwise
required by law; and
-
There are
adequate written assurances that the PHI will
not be reused or disclosed to any other person
or entity, except as required by law, for
authorized oversight of the research study, or
for other research for which the use or
disclosure of PHI is permitted;
-
The
research could not practicably be conducted
without the alteration or waiver; and
-
The
research could not practicably be conducted
without access to and use of the PHI.
|
|
3.4.2.3 |
Protected health information needed. A
brief description of the PHI for which
use or access has been determined to
be necessary and without which the
research could not practicably be
conducted as determined by the IRB
and/or Privacy Board; |
|
3.4.2.4 |
Review and
approval procedures. A
statement that the alteration or
waiver of authorization has been
reviewed and approved by the IRB
following the requirements of the
Common Rule, including the normal
review procedures described in
applicable federal policies including
the Department of Health and Human
Services (DHHS) regulations (45 CFR
part 46.108(b)) or equivalent
regulations of another federal agency,
or the expedited review procedures
described in applicable federal
policies including DHHS regulations
(45 CFR part 46.110) or equivalent
regulations of another federal agency;
and |
|
3.4.2.5 |
Required
signature. The documentation of
the alteration or waiver of
authorization must be signed by the
IRB chair or designee. |
|
|
|
4.0 |
Research
That Requires Authorization For Use and Disclosure
of PHI |
| 4.1 |
If any
LSUHSC-NO health care component uses or discloses
PHI for the purpose, in whole or in part, of
research involving human subjects that component
must obtain an authorization for the use or
disclosure of such information. See Form:
Authorization to Use and Disclose PHI for Research
which is required unless IRB approval has been
granted for an alteration. |
|
4.2 |
Any LSUHSC-NO health care component may condition the provision of
research-related treatment on provision of an authorization for the use and
disclosure of PHI for such research. Ordinary (non-research) patient care may
NOT be conditioned on participation in the research or provision of an
authorization to use and disclose PHI. |
| 4.3 |
For the uses and disclosures to be permitted, the
authorization must be valid and contain the following core
elements and required statements:
| 4.3.1 |
A description of the information to be used or
disclosed that identifies the information in a specific
and meaningful manner. |
| 4.3.2 |
The name or other specific identification of the
person(s), or class of persons, authorized to make the
requested use or disclosure. |
| 4.3.3 |
The name or other specific identification of the
person(s), or class of persons, to whom the facility may
make the requested use or disclosure. |
| 4.3.4 |
A description of each research purpose of the
requested use or disclosure. |
| 4.3.5 |
A statement that the facility may condition
research-related treatment on the provision of the
individual’s signature of authorization and in the event
conditioning is required; make a further specification
of the consequences to the individual of a refusal to
sign the authorization. |
| 4.3.6 |
An expiration date or an expiration event that
relates to the individual or the purpose of the use or
disclosure. The statement “end of the research study,”
“none,” or similar language is sufficient if the
authorization is for a use or disclosure of PHI for
research in which the end date is not known, uncertain
or as in the event of the creation and maintenance of a
research database or research repository, an expiration
date is not applicable. |
| 4.3.7 |
State that the individual has the right to revoke
the authorization in writing, except to the extent that
the healthcare component has taken action in reliance
thereon; or to the extent that information in this
section is included in the Notice of Privacy Practices,
a reference to the facility’s Notice. |
| 4.3.8 |
A statement that information used or disclosed
pursuant to the authorization may be subject to
re-disclosure by the recipient and no longer protected
by the HIPAA regulations. |
| 4.3.9 |
The individual’s signature and date; if the
authorization is signed by a personal representative of
the individual, a description of such representative’s
authority to act for the individual must be documented.
|
| 4.3.10 |
A copy of the signed authorization must be provided
to the patient or his/her personal representative. |
|
| 5.0 |
Revocation of Authorization To Use And Disclose PHI For
Research |
| |
| 5.1 |
An individual may revoke an authorization at any
time. The revocation must be in writing, submitted to
the Primary Investigator or Co/Sub-Investigator, and
specify which authorization is revoked. |
| 5.2 |
Any records custodian receiving the request to
revoke an authorization must discontinue any further
release of the individual’s PHI as permitted by the
initial authorization. However, the revocation does not
apply to actions already taken in reliance on the
initial authorization. |
|
| 5.3 |
As appropriate, the Primary Investigator or his/her
designee and/or any records custodian will notify other
health care components of the LSUHSC-NO or its business
associates that may have relied upon the authorization of
the revocation. |
| 5.4 |
The LSUHSC-NO health care component is permitted to
continue using and disclosing PHI that was obtained prior to
the time the individual revoked his/her authorization, as
necessary to maintain the integrity of the research study.
For example, use or disclosure of PHI to account for a
subject’s withdrawal from the study, as necessary to
incorporate the information as part of a marketing
application submitted to the FDA, to conduct investigations
of scientific misconduct, or to report adverse events.
However, the health care component is not permitted to
continue disclosing additional PHI to a researcher or to use
for its own research purposes information not already
gathered at the time the individual withdraws the
authorization. |
| 6.0 |
Document Retention and Production Fees
|
|
6.1 |
All LSUHSC-NO health care components must retain
documentation of IRB and/or Privacy Board decisions; waivers
and alterations of authorizations; research authorizations;
and informed consents. |
| 6.2 |
This documentation must be retained for six years from
the date of their creation or the date when they last
were in effect, whichever is later. Authorizations and
any associated waivers, alterations, informed consents,
restrictions or revocations should be included in the
patient’s medical record and/or research record. |
| 6.3 |
Any LSUHSC-NO health care component IRB and/or Privacy Board
may establish a fee schedule to compensate for the use of
facilities, personnel time, software, hardware or other
equipment for:
| 6.3.1 |
Reviewing requests for research information
(Application Fee) |
| 6.3.2 |
Generating the information required (including
personnel time, and computer system usage) |
| 6.3.3 |
Aggregating data/information |
| 6.3.4 |
Other specified activities related to processing
the request for research information, or any costs
related to participating in the research. |
|
|
| 7.0 |
Other Considerations for Handling PHI Related to
Research |
| |
| 7.1 |
A LSUHSC-NO health care component may use or
disclose PHI for retrospective research studies only if
such use or disclosure is made either with patient
authorization or a waiver of patient authorization
pursuant to the IRB and/or Privacy Board. |
|
| 7.2 |
Research recruitment is neither marketing nor a health
care operations activity. Treating physicians and patients
may continue to discuss the option of enrolling in a
clinical trial without patient authorization and without an
IRB waiver of authorization. If a researcher without an
independent treatment relationship with a patient wants to
recruit that patient, an authorization is required and must
be obtained by the treating physician. An authorization or a
waiver is required if the health care component wants to
disclose the PHI to a third party, outside of the covered
entity or LSUHSC-NO health care components, for purposes of
recruitment in a research study. |
| 7.3 |
The health care component may disclose PHI to a registry
for research purposes, including those sponsored by academic
and non-profit organizations, if such disclosure: is
required by law, made pursuant to an IRB waiver of
authorization, made pursuant to the individual’s
authorization, or consists only of a Limited Data Set. See
Policy on Limited Data Set and Policy on Use and Disclosure
for Which an Authorization Is Not Required. |
| 7.4 |
The patient may inspect or obtain copies of his/her PHI
to be used and disclosed for research purposes unless an
individual’s access to protected health information created
or obtained by any LSUHSC-NO health care component in the
course of research that includes treatment of the individual
may be temporarily suspended for as long as the research is
in progress. Denial of access based on a research
restriction is allowed if:
| 7.4.1 |
The individual has agreed to the denial of access
when consenting to participate in the research that
includes treatment, and |
| 7.4.2 |
The LSU System health care component engaged in
research has informed the individual that the right of
access will be reinstated upon completion of the
research. |
|
| 7.5 |
Additional information that may be provided to the
patient at the time the request for authorization is offered
for signature to use and disclose PHI for research purposes
includes, but is not limited to:
| 7.5.1 |
A statement that the patient may refuse to sign the
authorization; |
| 7.5.2 |
A description of the extent to which such PHI will
be used or disclosed to carry out treatment, payment, or
health care operations; |
| 7.5.3 |
A description of any PHI that will not be used or
disclosed. |
|
| 7.6 |
A LSUHSC-NO health care component may not include a
limitation affecting its right to make a use or disclosure
that is required by law, or (A) is necessary to prevent or
lessen a serious and imminent threat to the health or safety
of a person or the public; and (B) is to a person or persons
reasonably able to prevent or lessen the threat, including
the target of the threat. |
| 7.7 |
If a LSUHSC-NO health care component has provided or
intends to provide the individual with the Notice of Privacy
Practices, the authorization must refer to the Notice and
state that the statements made regarding research and
authorization within the Notice are binding. Performance
sites are responsible for providing the Notice of Privacy
Practices upon their first encounter with the individual
patient. |
| 7.8 |
LSUHSC-NO health care components have the right to
define a subset of protected health information created for
research. The health care components may provide additional
protections for, or place stricter limits on, use and
disclosure of this subset of records created for research. |
| 7.9 |
Accounting of Disclosures must be done in accordance
with the Policy on Accounting of Disclosures of PHI. Special
considerations are given to the following:
| 7.9.1 |
Multiple Disclosures: If during the period covered
by the accounting, the researcher has made multiple
disclosures of PHI to the same person or entity for a
single purpose (e.g. a sponsored project) or pursuant to
a single authorization, the accounting for such multiple
disclosures may provide:
| 7.9.1.1 |
the information required above for the first
disclosure during the accounting period; |
| 7.9.1.2 |
the frequency or number of the disclosures made
during the accounting period; and |
| 7.9.1.3 |
the date of the last such disclosure during the
accounting period. |
|
| 7.9.2 |
Research Disclosures Involving 50 or More Subjects:
If the research involved 50 or more subjects and was conducted in accordance with 45 CFR 164.512(i), the
accounting for any disclosures may provide:
| 7.9.2.1 |
the name of the protocol or other research
activity; |
| 7.9.2.2 |
a description, in plain language, of the
research protocol or other research, including the
purpose of the research and the criteria for
selecting particular records; |
| 7.9.2.3 |
a brief description of the type of PHI
disclosed; |
| 7.9.2.4 |
the date or period of time during which such
disclosures occurred, or may have occurred,
including the date of the last such disclosure
during the accounting period; |
| 7.9.2.5 |
the name, address, and telephone number of the
entity that sponsored the research and of the
researcher to whom the information was disclosed;
and |
| 7.9.2.6 |
a statement that the protected health
information of the individual may or may not have
been disclosed for a particular protocol or other
research activity. |
|
|
| 7.10 |
Minimum Necessary. Any LSUHSC-NO health care component
may rely, if such reliance is reasonable under the
circumstances, on a requested disclosure as the minimum
necessary for the stated purpose when documentation or
representations that comply with the applicable standards
for use and disclosure of PHI are provided by the researcher
requesting the information for research purposes.
| 7.10.1 |
For all uses, disclosures or requests that are made
for research purposes, the LSUHSC-NO health care
component may not use, disclose or request an entire
medical record, except when the entire medical record is
specifically justified as the amount that is reasonably
necessary to accomplish the purpose of the use,
disclosure or request. |
| 7.10.2 |
The documentation required as representation of the
minimum necessary PHI required for a research study may
be satisfied by one or more written statements, provided
that each is appropriately dated and signed as required
under section Research Studies that Do Not Require
Authorization But Do Require Documentation of the IRB
and/or Privacy Board Review. See Policy on Minimum
Necessary Standard for Use and Disclosure of Protected
Health Information. |
| 7.10.3 |
However, if the LSUHSC-NO health care component has
knowledge that the documentation of IRB approval was
fraudulent with respect to the PHI needed for a research
study, it may not rely on the IRB’s documentation as
fulfilling the minimum necessary requirement. |
|
| 7.11 |
Limited Data Sets. The use of a limited data set should
be considered when requests for PHI are submitted for
research studies. See Policy on Limited Data Sets for
requirements in preparing PHI as well as ensuring that a
Data Use Agreement is obtained from the data recipient.
Limited Data Sets for research purposes must be approved by
the IRB. |
| 7.12 |
De-identified Information. In certain instances,
research studies may involve requests for de-identified
information. In these instances, conversion of PHI to
de-identified information must be conducted according to
facility policy. See Policy on De-identification of
Protected Health Information. De-identification of data for
research purposes must be approved by the IRB. See the
required Certification Form for De-Identification. |
| 7.13 |
Research Databases: Researchers who create or maintain
their own research databases, which contain PHI, must
maintain the LSU System health care components’ HIPAA-compliant
privacy and security measures and must have IRB approval. |
| 7.14 |
Case Studies—Researchers must obtain an authorization
from the participant before publication of a case study, if the case study uses or discloses protected health information. |
| 8.0 |
Transition Provisions |
| 8.1 |
For research involving PHI and carried out according to
a protocol reviewed and approved by the IRB prior to April
14, 2003:
| 8.1.1 |
If the protocol included a research informed consent
or a waiver of informed consent:
| 8.1.1.1 |
A researcher may continue to use or disclose the
PHI created or received prior to April14, 2003. |
| 8.1.1.2 |
A researcher operating under a waiver of
informed consent may continue to enroll new subjects
and create, receive, use, and disclose PHI after
April 14, 2003, with no further action until the
next scheduled IRB and/or Privacy Board review. |
|
| 8.1.2 |
If the protocol reviewed prior to April 14, 2003 was
approved as an “exempt” protocol without documentation
of a waiver of consent, the researcher needs to contact
the IRB and/or Privacy Board for appropriate revision of
the protocol. Until that occurs, PHI created or received
prior to April 14, 2003 may not be used or disclosed
after April 14, 2003. |
| 8.1.3 |
The researcher may then use the IRB and/or Privacy
Board approval notice in conjunction with individual
research informed consent forms, if informed consent was
not waived, to access, use, and/or disclose PHI
according to documentation procedures adopted by the
administrative and management infrastructure of the
individual IRB and/or Privacy Board. |
|
|
