- This policy applies to any UIC investigators and research staff requesting to create, access or use for research purposes any protected health information (PHI) obtained or maintained by the covered components of the University of Illinois at Chicago (UIC).
- Protected health information obtained or maintained by covered components of University of Illinois at Chicago for research purposes may not be used internally or disclosed to any persons or organizations outside the Covered Component for research purposes without prior review and approval of the UIC IRB.
- The UIC Institutional Review Boards (IRBs) apply the provisions of the Health Insurance Portability and Accountability Act of 1996 and Omnibus Final Rule of 2013 when reviewing research that creates, uses or discloses PHI. Studies may involve PHI by:
- deriving research information by retrospectively or prospectively reviewing medical records.
- creating new medical records because a health-care service is performed as part of the research, such as testing a new way of diagnosing a health condition or a new drug or device for treating a health condition.
- HIPAA permits the use or disclosure of PHI for research under the following circumstances and conditions:
- If the individual to whom the PHI belongs has granted specific written permission through an authorization;
- If the IRB has granted a waiver of the authorization requirement;
- If the PHI has been de-identified in accordance with the standards set by HIPAA;
- If the use or disclosure is preparatory to research;
- If the research is solely on decedents' information; or
- If the information is released in the form of a limited data set, with certain identifiers removed, and with a data use agreement between the researcher and the covered entity.
- In addition to the HIPAA privacy rule, UIC IRBs apply existing federal regulations, state laws and UIC policies governing human subject research and protecting subject privacy and confidentiality of their private information when reviewing research involving PHI.
- Refer to UIC policy Research Data Security for a description of UIC policies and procedures related to protecting and securing research data, including PHI.
- Authorization: An individual's written permission to allow a covered entity to use or disclose specified PHI for a particular purpose. Except as otherwise permitted by the Rule, a covered entity may not use or disclose PHI for research purposes without a valid Authorization.
- Covered Entity: a health plan, a health care clearinghouse, or a health care provider transmitting health information in electronic form in connection with a transaction subject to the HIPAA regulations.
- Data Use Agreement: agreement into which the covered entity enters with the intended recipient of a limited data set that establishes the ways in which the information in the limited data set may be used and how it will be protected.
- Designated Record Set: group of records maintained by or for a covered entity that includes (1) medical and billing records about individuals maintained by or for a covered health care provider; (2) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) records used, in whole or in part, by or for the covered entity to make decisions about individuals. A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.
- Disclosure: release, transfer, provision of access to, or divulging in any other manner of PHI outside the entity holding the information.
- Health Information: any information, whether oral or recorded in any form or medium, that:
- is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): requires, among other things, under the Administrative Simplification subtitle, the adoption of standards, including standards for protecting the privacy of individually identifiable health information.
- Hybrid Entity: a single legal entity with business activities that include HIPAA covered (health care) and noncovered functions. For hybrid entities, HIPAA generally applies only to its designated covered (health care) components. UIC is a hybrid entity. The covered components include the University of Illinois Hospital and Health Sciences System (UIHHSS), College of Dentistry, College of Medicine, College of Nursing, College of Pharmacy, College of Applied Health Sciences and School of Public Health.
- Individually Identifiable Health Information: subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- Limited Data Set: PHI that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, with a data use agreement and without obtaining either an individual's Authorization or a waiver or an alteration of Authorization.
- Minimum Necessary Standard: least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request of PHI. A covered entity that is using or disclosing PHI for research without Authorization must make reasonable efforts to limit PHI to the minimum necessary. A covered entity may rely on documentation of IRB approval as establishing that the request for PHI for the research meets the minimum necessary requirements.
- Protected Health Information (PHI): individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes education records covered by the Family Educational Rights and Privacy Act and employment records held by a covered entity in its role as employer.
- Use: the sharing, employment, application, utilization, examination, or analysis of PHI within the entity or health care component (for hybrid entities) that maintains such information.
- Investigator Responsibilities
- Researchers are responsible for knowing and complying with UIC HIPAA policies and procedures, as well as applicable State or Federal regulations governing access to PHI outside the University of Illinois at Chicago hybrid covered entity.
- The investigator must describe in the protocol and IRB application all proposed access to PHI that will occur during the conduct of the research, including:
- access to paper and electronic medical records for the purpose of subject identification or screening,
- collection and recording of PHI from medical records as part of research,
- any intended addition of information into the medical records (i.e., research creates PHI), and
- collection or use of biospecimens linked to individually identifiable health information.
- Investigators and members of their research team who are involved in the access or disclosure of PHI as part of their research must complete the UIC HSPP HIPAA Training program prior to initiation of their research. HIPAA training taken to support their clinical role does not substitute for this requirement.
- Investigators should limit collection of PHI to the minimum necessary to achieve the purposes of the research.
- Investigators must describe in the protocol or IRB application the following concerning any health information to be used or disclosed:
- elements that will allow an individual to be identified (i.e., one or more of the 18 HIPAA identifiers),
- list the identifiers and health information to be collected and include a copy of the data collection form with the submission
- source of PHI (UIC covered entity, non-UIC covered entity),
- research-related or -generated data to be placed in the medical record,
- data security plan (refer to UIC Policy Research Data Security),
- authorization processes to be used in research,
- data to support a request for waiving or altering HIPAA authorization, if relevant, and
- completed HIPAA authorization form, when required, for IRB review.
- Investigators may not access PHI for research purposes through UIC or non-UIC medical records until IRB review and approval of their protocol, including the proposed access to PHI. Prior IRB approval is required even when the access will occur under the preparatory to research or decedents' information provisions.
- Protocol submissions for Data Repositories may request IRB approval for future repository queries involving the release of aggregated data.
- Collection, storage, use, and transmission of PHI must follow the procedures in UIC OPRS Policy Research Data Security.
- Possible breaches of unsecured PHI must be reported following procedures in UIC Policy 616: Research Data Security.
- De-identified Health Information
- De-identified health information is not considered PHI and may be used or disclosed for research purposes without an authorization from the research subject or a waiver of authorization from the IRB.
- The investigator must describe in the protocol and IRB application the procedures for de-identifying the health information. The description should include:
- the method, which must conform with the standards in 45 CFR 164.514(a) [expert determination] or 45 CFR 164.514(b) [safe harbor],
- when de-identification will occur (generally before the data is provided to the investigator),
- who will perform the de-identification (this cannot be the investigator), and
- whether a code for re-identification will be present and who will possess code
- Expert Determination (45 CFR 164.514(a))
- The determination is made by a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable.
- Applying these principles and methods, that person determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.
- The individual’s qualifications to make this determination, the methods used and the results of the analysis are documented and provided to the IRB.
- Safe Harbor Method (45 CFR 164.514(b))
- The following identifiers of the subject or of relatives, employers, or household members of the subject are removed:
- Geographic subdivisions smaller than a state, including:
- Zip codes
- Street address
- Elements of date (except year) directly related to an individual. This includes:
- birth date
- admission date
- discharge date
- death date
- all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- telephone numbers
- fax numbers
- electronic mail addresses
- social security numbers
- medical record numbers
- health plan beneficiary identifiers
- account numbers
- certificate/license numbers
- vehicle identifiers and serial numbers, including license plate numbers
- device identifiers and serial numbers
- web universal resource locators (URL)
- internet protocol (IP) address numbers
- biometric identifiers, including finger and voice prints
- full face photographic images
- any other unique identifying number, characteristic or code that could be used to identify the subject, except as permitted under Re-identification Codes below.
- Additionally, the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
- The following information may be contained in a de-identified dataset:
- Age, with dates limited to the year (see the exception above for ages over 89, which are reported as age 90 or older)
- The initial three digits of a ZIP code, provided the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people (otherwise the initial three digits are changed to 000)
- Marital status
- Re-identification codes (see requirement below)
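The Safe Harbor list above is a set of mechanical transforms (drop direct identifiers, keep only the year of dates, collapse ages over 89, truncate ZIP codes) plus one judgement the code cannot make for you (no actual knowledge that the residual data identifies someone). The following is an added example written for this page, not code from UIC, OPRS or HHS, of how a data preparer might apply the mechanical part to a structured record. It is deliberately allowlist based: any field not explicitly cleared for release is dropped and logged for review, because free-text fields such as clinician notes routinely carry names or other identifiers that a field-by-field denylist would miss. The field names, the sample record and the `RESTRICTED_ZIP3` set are constructed for the example; the real set of three-digit ZIP prefixes covering 20,000 or fewer people must be taken from census data, not from here.

```python
"""Safe Harbor (45 CFR 164.514(b)) transform of a structured record.

Added example, not UIC's or HHS's code. Field names, the sample record and
RESTRICTED_ZIP3 are constructed stand-ins.
"""
from datetime import date

# Fields that may pass through unchanged. Anything not listed here, in
# DATE_FIELDS, or the ZIP field is dropped (default deny).
ALLOWED_FIELDS = {"sex", "marital_status", "state", "diagnosis_code"}

# Date fields: only the year survives (164.514(b)(2)(i)(C)).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed stand-in for the census-derived list of ZIP3 prefixes whose
# combined population is 20,000 or fewer. Those prefixes become "000".
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

AGE_CAP = 89  # ages over 89 collapse into the single category "90+"


def age_on(birth_date: date, as_of: date) -> int:
    """Completed years between birth_date and as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - int(before_birthday)


def safe_harbor(record: dict, as_of: date) -> tuple[dict, list[str]]:
    """Return (released_record, dropped_field_names).

    The second value is an audit trail of what was withheld so a reviewer
    can confirm nothing allowed was lost and nothing forbidden slipped out.
    """
    released: dict = {}
    dropped: list[str] = []
    for field, value in record.items():
        if field in ALLOWED_FIELDS:
            released[field] = value
        elif field in DATE_FIELDS:
            released[field + "_year"] = value.year
        elif field == "zip":
            zip3 = str(value)[:3]
            released["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        else:
            # Direct identifiers (name, MRN, SSN, ...) and unreviewed free
            # text both land here: withheld, not scrubbed.
            dropped.append(field)

    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
        if age > AGE_CAP:
            # Year of birth would reveal an age over 89, so it goes too.
            released.pop("birth_date_year", None)
            released["age"] = "90+"
        else:
            released["age"] = age
    return released, dropped


# Constructed sample records (no real patients).
SAMPLE_84 = {
    "name": "Jane Doe", "mrn": "MRN-00123", "ssn": "123-45-6789",
    "birth_date": date(1931, 6, 15), "admission_date": date(2014, 3, 2),
    "zip": "60612", "state": "IL", "sex": "F", "diagnosis_code": "I10",
    "clinician_note": "pt is the mayor's sister",
}
SAMPLE_95 = {
    "name": "John Roe", "mrn": "MRN-00456",
    "birth_date": date(1920, 1, 1), "discharge_date": date(2015, 2, 9),
    "zip": "03601", "state": "NH", "sex": "M", "diagnosis_code": "E11",
}

if __name__ == "__main__":
    as_of = date(2015, 6, 25)
    for rec in (SAMPLE_84, SAMPLE_95):
        out, held = safe_harbor(rec, as_of)
        print(out, "withheld:", held)
```

The transform is only half of Safe Harbor: the rule's second condition (the covered entity has no actual knowledge that the remaining information could identify a subject) still has to be checked by a person, for instance when the released combination of diagnosis code, state and year is rare enough to point at one individual.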
- Individual preparing “safe harbor” de-identified dataset
- IRB may allow investigators or other research team members to create the de-identified dataset themselves only when they have legitimate access (i.e., are part of the covered entity or a business associate of the covered entity) to the PHI used to create the dataset.
- When the research team proposes to obtain the de-identified dataset from someone outside the research team, the investigator must provide the IRB with evidence that this individual(s) has legitimate access to the PHI.
- Re-identification Codes
- The de-identified data may be assigned a code to allow its re-identification by the covered entity.
- Codes may not be derived from or related to information about the individual, such as name (e.g., initials), social security number or other numerical values (e.g., birth date, medical record number, telephone number). If this type of code is used, the data is no longer de-identified.
- The covered entity must not use or disclose the code or other means of record identification for any other purpose, and must not disclose the mechanism for re-identification to anyone without authority to re-identify.
- The key to the code must not be accessible to the investigator requesting to use or disclose the de-identified health information. Evidence of this may be requested by the IRB.
- OCR Guidance from November 26, 2012 clarifies that the prohibition in 164.514(b)(1) on a code derived from PHI does not preclude transforming PHI into values derived from cryptographic hash functions under the expert determination method. The keys associated with the hash function must not be disclosed to unauthorized individuals, including the recipients of the de-identified dataset.
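The two requirements above (a code must not be derived from the individual's information, and any hash key must stay with the covered entity) have a concrete security reason behind them: the identifier space is small. A medical record number is a short serial number, so an unkeyed hash of it can be reversed by hashing every plausible MRN and comparing. The following added example, written for this page rather than taken from the UIC policy or the OCR guidance, contrasts three code-assignment methods and runs the dictionary attack a dataset recipient could mount. The function names, the five-digit MRN format and the sample key are constructed for the example.

```python
"""Re-identification codes: derived (bad), keyed (expert determination),
random with a held table (safe harbor). Added example, not UIC/OCR code.
MRN format and key are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

MRN_DIGITS = 5  # constructed: this toy covered entity issues 5-digit MRNs


def naive_code(mrn: str) -> str:
    """NOT acceptable: an unkeyed hash is a value derived from the MRN.

    Anyone holding the dataset can recompute it for every candidate MRN.
    """
    return hashlib.sha256(mrn.encode()).hexdigest()


def keyed_code(key: bytes, mrn: str) -> str:
    """Acceptable under expert determination: HMAC over the MRN with a key
    that only the covered entity (its honest broker) holds. Without the key
    the recipient cannot recompute codes, so enumeration does not work.
    """
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()


class RandomCodeTable:
    """Acceptable under safe harbor: codes that are not derived from the
    individual at all. The lookup table is the 'key' and stays with the
    covered entity; the investigator only ever sees the codes.
    """

    def __init__(self) -> None:
        self._by_mrn: dict[str, str] = {}
        self._by_code: dict[str, str] = {}

    def code_for(self, mrn: str) -> str:
        if mrn not in self._by_mrn:
            code = secrets.token_hex(16)  # 128 random bits, unrelated to MRN
            self._by_mrn[mrn] = code
            self._by_code[code] = mrn
        return self._by_mrn[mrn]

    def reidentify(self, code: str) -> Optional[str]:
        """Only the table holder can do this; the investigator cannot."""
        return self._by_code.get(code)


def candidate_mrns() -> Iterable[str]:
    """Every MRN the toy entity could have issued: 10**MRN_DIGITS values."""
    for n in range(10 ** MRN_DIGITS):
        yield f"MRN-{n:0{MRN_DIGITS}d}"


def dictionary_attack(code: str, candidates: Iterable[str]) -> Optional[str]:
    """What a dataset recipient can do against an unkeyed hash: hash each
    plausible MRN and look for the code. Returns the recovered MRN or None.
    """
    for mrn in candidates:
        if hashlib.sha256(mrn.encode()).hexdigest() == code:
            return mrn
    return None


if __name__ == "__main__":
    broker_key = secrets.token_bytes(32)  # never leaves the covered entity
    target = "MRN-04711"                  # constructed sample MRN
    print("naive  ->", dictionary_attack(naive_code(target), candidate_mrns()))
    print("keyed  ->", dictionary_attack(keyed_code(broker_key, target), candidate_mrns()))
    table = RandomCodeTable()
    print("random ->", table.reidentify(table.code_for(target)))
```

Two practical notes. First, the keyed approach is only as good as key custody: the key must be generated and stored by the covered entity, and the IRB's request for evidence that the investigator cannot reach it is exactly the control that makes the HMAC output a non-derived code. Second, the random-table approach is simpler to justify under safe harbor but creates a second copy of the PHI-to-code mapping that itself needs protection and eventual destruction.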
- Limited Data Set
- Researchers may use and disclose PHI as a limited dataset without an authorization from a subject or waiver of authorization from the IRB. The covered entity disclosing the limited data set must enter into a Data Use Agreement with the recipient of the information.
- A limited dataset represents PHI where only certain identifiers may be included. Unlike health information de-identified according to the safe harbor process, a limited data set may include:
- elements of addresses other than street name or street address or post office boxes (e.g., town, city, state, or zip code)
- all elements of date (e.g., birth date, date of death, admission and discharge dates, and dates of service)
- unique identifying numbers, characteristics and codes other than those listed under the Safe Harbor Method above and as permitted under Re-identification Codes.
- IRB approval of research involving a limited data set requires the execution of a data use agreement between the recipient and UIC.
- Data use agreements must contain the following provisions:
- Specific permitted uses and disclosures of the limited data set by the recipient must be consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the Privacy Rule),
- identify who is permitted to use or receive the limited data set, and
- stipulations that the recipient will:
- not use or disclose the information other than permitted by the agreement or otherwise required by law,
- use appropriate safeguards to prevent the use or disclosure of the information, except as provided for in the agreement,
- report to the covered entity any uses or disclosures in violation of the agreement of which the recipient becomes aware,
- hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the data use agreement with respect to the information, and
- not identify the information or contact the individuals.
- The UIC Data Use Agreement for external investigators may be accessed by following the link to the ORS website and clicking on Data Use Agreement. Review and approval of this agreement by the UI Board of Trustees is facilitated through ORS.
- Investigators who are UIC employees but not part of the UIC hybrid covered entity should complete Appendix R: Internal Data Use Agreement and submit it with their IRB submission for review and approval.
- Reviews Preparatory to Research
- Researchers may use and disclose PHI without an authorization from a subject or waiver of authorization from the IRB for activities preparatory to research provided the investigator conveys to the covered entity that:
- use or disclosure is sought solely to review PHI as necessary to prepare the research protocol or other similar preparatory purposes,
- no PHI will be removed from the covered entity during the review, and
- PHI that the researcher seeks to use or access is necessary for the research purposes.
- At UIC, these representations are made to the covered entity via the IRB application and research protocol.
- Activities preparatory to research may include:
- preparing a research protocol,
- assisting in the development of a research hypothesis,
- feasibility assessment to determine the number of subjects meeting the eligibility criteria available at the institution, or
- identifying potential subjects for recruitment.
- Contacting potential research participants under the preparatory to research provision. The UIC IRB may approve researchers to contact potential participants without an authorization or waiver of authorization provided:
- The IRB provides a waiver of informed consent for recruitment purposes under 45 CFR 46.116(d) and
- The researcher is a workforce member or a business associate of the covered entity (and thus the contact occurs as part of the entity's health care operations) or
- The researcher is not a workforce member but the IRB has waived the authorization requirement and someone authorized by the covered entity provides the researcher with the PHI necessary for contact.
- IRB Review: UIC considers the use and disclosure of health information gathered under the HIPAA preparatory to research provision to represent human subject research as defined under 45 CFR 46. As such, preparatory to research activities constitute a component of the research protocol, and IRB approval or an exemption or human subject research determination is required before the preparatory to research activity commences. Protocol submissions for Data Repositories may request IRB approval for future repository queries involving the release of aggregated data. It is not acceptable to gather preliminary data by scanning the EHR, clinic appointment logs or other records of clinical care prior to IRB or OPRS review. This requirement applies to retrospective and prospective studies.
- Research Involving Decedent PHI
- Researchers may use and disclose decedent-only PHI without an authorization from a subject or waiver of authorization from the IRB for research on decedents' information provided the investigator conveys to the covered entity that:
- the use or disclosure is solely for research on the protected health information of decedents,
- the researcher has documentation of the death of the individuals, that can be supplied at the request of the covered entity, and
- the protected health information for which use or disclosure is sought is necessary for the purposes of the research.
- Research involving decedents is not generally considered to represent human subject research under the common rule (45 CFR 46).
- At UIC, the representations above are made to the covered entity via the UIC OPRS Determination of Whether an Activity Represents Human Subjects Research at UIC form.
- Authorization from the Research Subject
- A covered entity may also use and disclose an individual’s PHI for research when a signed authorization is obtained, e.g., clinical trials or prospective records research. The UIC IRB expects the use of an authorization when the criteria for preparatory to research or a limited data set are not met and a waiver or alteration of authorization is not indicated.
- The purposes of the authorization and of informed consent differ: the authorization is the individual's permission to use or disclose PHI, whereas informed consent is the individual's permission to participate in the research.
- However, because obtaining a signed authorization is consistent with the principle of respect for persons embodied in the Belmont Report, the IRB generally requires that a signed authorization be obtained when feasible.
- An authorization to use and disclose PHI must be written in plain language and contain the following core elements:
- A description of information to be used or released,
- Description of each purpose of the requested use or disclosure,
- name of person(s) or class of persons (e.g., project staff) who will use the information,
- name of persons or organizations to whom PHI will be released. (e.g., central coordinating offices of multi-center trials, sponsor),
- an expiration date or event; an authorization for research, unlike other authorizations, may state that the authorization does not expire, that there is no expiration date or event, or that the authorization continues until the "end of the research study",
- statement that the research participant has the right to revoke authorization (as part of withdrawal from study procedures),
- statement that if information is disclosed to other organizations the information may no longer be protected,
- signature of individual or their legally authorized representative and date, and
- statement that subject may inspect or copy their records, however investigator may indicate that records will not be available for review until after study is complete.
- Authorization may be a stand-alone document or combined with a consent or other permission document (e.g., parental permission) related to the study.
- UIC has template Authorization forms (http://research.uic.edu/compliance/human-subjects-irb/forms), either stand-alone or as language to drop into the informed consent, that should be utilized when the source of the PHI is the UIHHSS/UIC covered entity. If the source of the PHI is psychotherapy notes, the UIC authorization to use and disclose PHI from psychotherapy notes must be used.
- UIC requires that the stand-alone authorization or combined consent-authorization for research be reviewed by the IRB to ensure compliance with UIC/UIHHSS and HIPAA requirements. The combined consent-authorization is approved as part of the IRB’s review of informed consent.
- Revocation of authorization: The subject or their authorized representative has the right to revoke the authorization, in writing, at any time. The revocation is effective when the investigator receives the written revocation. The investigator is not required to retrieve information that was disclosed under a valid Authorization before receiving the revocation. For research, the reliance exception permits the continued use and disclosure of PHI already obtained pursuant to the Authorization to the extent necessary to protect the integrity of the research, to account for a subject's withdrawal from the study, to conduct investigations of scientific misconduct, or to report adverse events.
- Compound authorizations:
- Compound (i.e., for multiple studies) authorizations are allowed by the January 2013 Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the HITECH Act and Genetic Information Nondiscrimination Act provided the conditions below are met.
- Authorization for the use or disclosure of PHI for a research study may be combined with an authorization for a different research activity, provided that:
- if research-related treatment is conditioned on the subject providing authorization for one of the activities, such as participation in a clinical trial, then the compound authorization must clearly differentiate between the conditioned and unconditioned components and provide the individual with an opportunity to opt in to the unconditioned research activity, such as an optional genetic, biomarker or pharmacokinetic sub-study.
- Authorization may be obtained from an individual for uses and disclosures of PHI for future research purposes, e.g., retaining samples in a tissue bank, so long as the authorization adequately describes the future research such that it would be reasonable for the individual to expect that his or her PHI could be used or disclosed for the future research purposes.
- The UIC IRB will review the content and utilization of the compound authorization to ensure it meets HIPAA regulations.
- Waiver of Authorization or Alteration of Authorization Requirements
- The UIC IRB, serving as the privacy board, may approve the waiver or alteration of authorization requirements when they determine that the following criteria are met:
- Use or disclosure involves no more than a minimal risk to the privacy of individuals based on the presence of:
- an adequate plan presented to the IRB to protect identifiers from improper use and disclosure,
- an adequate plan to destroy those identifiers at the earliest opportunity consistent with the research, unless there is a health or research justification for retaining the identifiers or retention is otherwise required by law, and
- adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except: as required by law, for authorized oversight of the study, or for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule.
- research could not practicably be conducted without the requested waiver or alteration; and
- research could not practicably be conducted without access to and use of the PHI.
- A waiver of authorization may be granted for the entire study (e.g., retrospective chart review) or only a portion of the research (e.g., recruitment activities for investigators who are not employees of the covered entity).
- Alteration of authorization involves a request to omit one or more of the required elements of authorization, e.g., waiving the requirement for a signature and date on the authorization for research where contact with subjects is occurring via the phone or internet.
- When approving a waiver or alteration of HIPAA authorization, the IRB must document the following to the covered entity (e.g., UIHHSS/UIC):
- Identification of the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;
- statement that the IRB or Privacy Board has determined that the alteration or waiver of authorization, in whole or in part, satisfies the three criteria in the Rule;
- brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Board;
- statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures; and
- signature of the chair or other member, as designated by the chair, of the IRB or the Privacy Board, as applicable.
- Other HIPAA Related Review Considerations
- Expedited Review:
- The IRB may review by expedited procedures a request for an alteration or waiver of authorization when the research activity falls within the list of HHS and FDA approved categories (63 Federal Register 60364 (November 9, 1998)) and involves no more than minimal risk (45 CFR 46.110 and 21 CFR 56.110).
- The determination that the use or disclosure of PHI involves no more than minimal risk should be based on the waiver criterion at 45 CFR 164.512(i)(2)(ii)(A) (see the first waiver criterion above).
- Modification to a previously approved research protocol, which only involves the addition of an Authorization for the use or disclosure of PHI to the IRB-approved informed consent, is considered no more than a minor change to research and may be reviewed by the IRB through an expedited review procedure.
- Minimum Necessary Standard: The IRB during its review of a request to use or disclose PHI without an authorization (i.e., waiver or alteration of authorization, preparatory to research, limited data set) will confirm that the PHI being requested is the minimum needed to accomplish the research purpose (164.514(d)(3)(iii)(D)).
45 CFR 160
45 CFR 164
HIPAA Administrative Simplification: Regulation Text, Department of HHS, Office for Civil Rights, March 26, 2013 (Unofficial Version).
NIH Publication 03-5428, Institutional Review Boards and the HIPAA Privacy Rule. Department of HHS, National Institutes of Health, August 2003.
NIH Publication 05-5308, Health Services Research and the HIPAA Privacy Rule. Department of HHS, National Institutes of Health, May 2005.
Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Department of HHS, Office for Civil Rights, November 26, 2012.
63 FR 60364-60367, Categories of Research that may be Reviewed by the IRB Through an Expedited Review Procedure. Department of HHS, Office of Human Research Protections, November 9, 1998.
Research Data Security, UIC HSPP policy, June 25, 2015.
Summary of changes
Modifications to reflect the January 2013 update to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the HITECH Act and Genetic Information Nondiscrimination Act