silikondecor.blogg.se

Hipaa compliance forms spreadsheet








Question 1: As an employee of the JHM covered entity, how does the HIPAA Privacy Rule affect my research?

Answer: Under the HIPAA Privacy Rule you must meet certain requirements before using or disclosing individually identifiable health information for research. (These HIPAA requirements are in addition to IRB requirements under federal regulations for the protection of human subjects.) The HIPAA Privacy Rule defines “individually identifiable” broadly, to include information such as name, address, or SSN, as well as “indirect identifiers” such as zip codes or date of birth, when attached to any health information.

A covered entity and its employees may not use or disclose individually identifiable health information (called “protected health information,” or “PHI”) for research, except in one of the following circumstances:

i) The patient has signed a written Authorization containing all the elements specified in the Privacy Rule
ii) An IRB has waived or altered the requirement for HIPAA Authorization
iii) The covered entity has “de-identified” the data prior to its use or disclosure for research or
iv) The data are in the form of a “limited data set” containing no HIPAA “direct identifiers,” and the researcher has signed a HIPAA Data Use Agreement.

Question 2: What is the difference between HIPAA “Authorization” and informed consent?

Answer: Informed consent is required under federal research regulations for the protection of human subjects. The HIPAA Privacy Rule, a different regulation, separately requires that patients give written Authorization before a covered entity may use or disclose patients’ protected health information for research. There are different requirements for the content of informed consent and HIPAA Authorization; however, both may be combined in one form (see templates on the HIPAA forms page). An IRB may waive both consent and Authorization if the research meets all of the waiver criteria established by each of the applicable regulations.

Question 3: I plan to use de-identified information in my research. Do I still need to submit an eIRB application?

Answer: The answer depends upon whether the data already exist in de-identified form. If your research involves only the analysis of pre-existing data that have been fully de-identified to the HIPAA standard, you do not need to submit an application in eIRB, because such research involves neither PHI nor an identifiable human subject. If, however, you wish to extract de-identified data from medical records or other identifiable sources, for use in your research or to create a de-identified database for future research, you must submit an Exempt Research Application and an Application for Waiver of HIPAA Privacy Authorization in eIRB. (See the JHM IRB guidance on Research Databases for additional information.)

Question 4: Are outside parties involved in a research study "business associates" of Hopkins, and do we need a Business Associate Agreement with these parties?

Answer: No. Under the HIPAA Privacy Regulations, a business associate is a person or entity that receives protected health information ("PHI") from a covered entity and performs certain functions or activities on behalf of the covered entity. For example, The Johns Hopkins Hospital is a covered entity under HIPAA and its outside lawyers, consultants, and most contractors who receive PHI from JHH are business associates doing something on JHH's behalf. The HIPAA Privacy Regulations require Hopkins to enter into Business Associate Agreements with these entities. Although these entities are not covered entities themselves, they agree to treat the PHI they receive as if they were covered entities under HIPAA.

Although this analysis might seem to apply to some parties in a research context, it now is widely accepted that persons and entities who receive PHI from research organizations in the course of an approved research project are not the business associates of the research organization. For example, if a Johns Hopkins protocol has two sponsors and an entity performing the lab work for the study, these parties are not deemed to be acting on Johns Hopkins' behalf and are not its business associates. Rather, these entities all are parties necessarily involved in the common enterprise of the research project. In a clinical trial, these parties must be listed on the HIPAA Privacy Authorization as parties to whom PHI may be disclosed in the course of the study.









