|
POLICY:
Researchers, including investigators affiliated with Columbia University as well as Sponsors and other Third Party Investigators, seek three kinds of access to data for research:
(1) Data for evaluating a research hypothesis;
(2) Data that can be re-analyzed to develop new ideas or ways of looking at a problem;
(3) and Data to meet government requirements regarding the integrity of research.
Under HIPAA, the use or disclosure of Protected Health Information (PHI) for research purposes requires a signed Research Authorization Form from the research subject unless an exception under HIPAA applies.
Review of research-related HIPAA forms is the responsibility of the Privacy Officer (for those eligible for expedited review) or a Privacy Board, per HIPAA. At Columbia University, the Institutional Review Board (IRB) serves as the Privacy Board, and many research projects will require review for both IRB and HIPAA issues. However, HIPAA also applies to certain human research-related activities that are not covered by the federal regulations for the protection of human subjects (i.e., DHHS 45 CFR 46 Subpart A aka the “Common Rule”, and FDA 21 CFR 56), e.g., research on decedents or studies determined to be exempt from IRB review.
The Privacy Rule applies to the following types of research activities when they involve PHI:
- Research using or creating PHI about living individuals
- Activities preparatory to research
- Research on decedents
- Recruitment
- Research using a limited data set
Research using only de-identified data (data that contains none of the 18 HIPAA identifiers) does not generally present privacy concerns and so is not covered by the HIPAA Privacy Rule; however, review of the protocol by the IRB may be required in limited situations, i.e., when the researcher is collaborating with individuals who have access to identifiers. For those situations, consultation with IRB staff to determine whether a protocol should be submitted is advised. Submission of a Form G (Investigators Certification for Research with De-Identified Data attesting to the fact that the 18 HIPAA identifiers will not be used) to the IRB for review and approval is required.
PROCEDURES: Requirements for research use of Protected Health Information (PHI)
- Provision of data for research
- Investigators who propose to conduct research involving patients of Columbia University, engage in prospective collection of data from patients of Columbia University, create PHI for research subjects in protocols conducted by Columbia University researchers who are not patients, or analyze medical records maintained by Columbia University regarding its patients, shall indicate to the IRB whether they propose to obtain authorization from each subject.
- Where a researcher proposes to analyze medical records maintained by Columbia University, the IRB shall, wherever possible, encourage use of a data use agreement for a Limited Data Set.
- All authorizations, waivers and alterations of authorization shall be reviewed as part of the IRB review process.
- Except where a Limited Data Set is sufficient for the research analysis, the Privacy Rule states that an investigator may not use or obtain PHI for research purposes unless:
(a) Each participant (or the participant’s legal representative) provides a signed, written authorization to use and disclose the participant’s protected health information for the research purpose; or (b) The IRB provides documentation of a waiver of authorization to use and disclose participants’ protected health information for the research purpose. This requirement is independent of and in addition to any informed consent to participate in research that may be required by the Common Rule or other applicable human subject protection laws and regulations, or waiver of informed consent granted by the IRB; however, the two should be compatible.
- Process to submit a request for approval to use patient information as required by HIPAA utilizing one of the proposed forms:
- The appropriate form(s) must be attached to the IRB Protocol when it is submitted for review and approval by the IRB. The forms are available in RASCAL and the content of the form is automatically populated based on the information included in the protocol. The table below identifies the forms that may be required, depending on the protocol.
Nature of Research or Protocol Component |
Applicable Form |
Clinical Research Authorization (sponsored and non-sponsored) |
Form A |
Application for a Waiver of Authorization |
Form B |
Request for Recruitment Waiver of Authorization |
Form C |
Investigator’s Certification for Review Preparatory to Research |
Form D |
Investigator Certification for Research with Decedent Information |
Form E |
Data Use Agreement for Disclosure of Limited Data Set |
Form F |
Investigator Certification for Research with De-Identified Data |
Form G |
- The form that is attached to the IRB protocol will be reviewed by the Privacy Officer.
- If the form is denied (i.e., not approved), the reviewer will return the form to the PI electronically and send a note to the Principal Investigator advising him/her of the decision and the reason for the denial (e.g. inadequate information, alteration of the form etc.)
- If the form is approved, the RASCAL system will date and time stamp an approval date on the Form and the PI is notified by an electronic message from RASCAL.
- The protocol approval documentation will indicate which forms attached to the protocol have been approved.
For additional information about HIPAA and Research go:
RASCAL Web Site: https://www.rascal.columbia.edu/
IRB Web Site: http://www.cumc.columbia.edu/dept/irb/
APPLICABLE LAW: 45 C.F.R. §§ 164.508, -.512(i)
|
