Signature Date Date First Effective: Signature Date Revision Date: 07/18/2011

Similar documents
Signature Date Date First Effective: Signature Date Revision Date:

University of Iowa External/Central IRB Reliance Process Standard Operating Procedure (SOP)

Signature Date Date First Effective: Signature Date Revision Date: 05/14/2014

University of Kentucky Office of Research Integrity and Institutional Review Board Standard Operating Procedures SOP #4-1 Revision #6

UNIVERSITY OF TENNESSEE GRADUATE SCHOOL OF MEDICINE INSTITUTIONAL REVIEW BOARD CONTINUING REVIEW AND REAPPROVAL OF RESEARCH

SOP 801: Investigator Qualifications and Responsibilities

IRB Authorization Agreement Implementation Checklist and Documentation Tool

SMART IRB Agreement Implementation Checklist and Documentation Tool

SYRACUSE UNIVERSITY HUMAN RESEARCH PROTECTION PROGRAM STANDARD OPERATING PROCEDURES

UNIVERSITY OF TENNESSEE HEALTH SCIENCE CENTER INSTITUTIONAL REVIEW BOARD CONTINUING REVIEW OF RESEARCH

Reporting an Unanticipated Problem Involving Risks to Subjects or Others (UPIRTSO) to the IRB

Your Roadmap to Single IRB Review Serving as a Reviewing IRB

Supersedes Document Dated: 7/7/11. SOP: RR 401 Version No.: 07 Version Date: 9/8/15 EXPEDITED REVIEW 1. POLICY

Michigan State University Human Research Protection Program

University of Pennsylvania Institutional Review Board. Reliance Agreement Guidance: Penn as Central IRB FAQ

7.0 DEVIATION and EXCEPTION of a PREVIOUSLY APPROVED PROTOCOL

EXPEDITED REVIEW. Terms used in this policy, but not defined herein shall have the meanings set forth in the Glossary.

Florida State University IRB Standard Operational Procedures

UNIVERSITY OF TENNESSEE GRADUATE SCHOOL OF MEDICINE INSTITUTIONAL REVIEW BOARD PROCEDURES FOR FULL BOARD REVIEW

IRB MEETING ADMINISTRATION

I. Summary. II. Responsibilities

University of Pennsylvania Institutional Review Board. Reliance Agreement Guidance: Post-Approval Submissions

SOP #2-2 Version #1 Date First Effective: December 14, Page 1 of 6

The Children s Hospital of Philadelphia Committee for the Protection of Human Subjects Policies and Procedures. Cooperative Agreements

I. Summary. II. Responsibilities

Baptist Health Institutional Review Board. Study Closure Report (Expedited Review) IRB #: Study Title:

Initial Review. Approved By: Michele Kennett, JD, MSN, LLM Associate Vice Chancellor for Research. Table of Contents

Effective Date Revisions Date Review by the Convened Institutional Review Board

SOP 5.06 Full Committee Review: Initial IRB Review

SOP 407: PROTOCOL DEVIATIONS AND UNANTICIPATED PROBLEMS

CONTINUING REVIEW OF APPROVED IRB PROTOCOLS

OHRP Guidance on Written IRB Procedures

UNIVERSITY OF GEORGIA Institutional Review Board

To assure knowledge and compliance by documenting the annual administrative review and continuing IRB review of non-exempt projects for the IRB.

AUTHORITY AND PURPOSE

COMPLIANCE MONITORING

DOCUMENTATION OF IRB DISCUSSIONS AND DECISIONS ( IRB MINUTES)

CONTINUING REVIEW 3/7/2016

Children s Hospital of Philadelphia Committees for the Protection of Human Subjects Policies and Procedures. IRB Review Processes

SYRACUSE UNIVERSITY HUMAN RESEARCH PROTECTION PROGRAM STANDARD OPERATING PROCEDURES 02 06/30/10 08/01/07 1 OF 6

Commercial/ Central IRB An independent organization that provides IRB review services

Children s Hospital of Philadelphia Committees for the Protection of Human Subjects Policies and Procedures Continuing Review of Approved Research

NONCOMPLIANCE. 1. Overview

Policies & Standard Operating Procedures

University of Pennsylvania Institutional Review Board. Reliance Agreement Guidance: How to Apply for External IRB Review

Institutional Review Board Standard Operating Procedure. Suspension and Termination of IRB Approval

Investigator Manual. If you have questions about whether an activity requires IRB review, contact the IRB Office.

Yale University Human Research Protection Program

RESEARCH SUBMISSION REQUIREMENTS

SOP 903: HRPP AND NON-COMPLIANCE

Effective Date: January 16, 2012 Policy Number: MHC_RP0107. Revised Date: November 2, 2015 Oversight Level: Corporate

CONTINUING REVIEW CRITERIA FOR RENEWAL

IRB Chair Responsibilities

INSTITUTIONAL REVIEW BOARD MANUAL: PURPOSE and POLICIES.

Frequently Asked Questions (FAQs)

IOWA STATE UNIVERSITY Institutional Review Board. Policy on IRB Review of Protocol Deviations and Noncompliance for Non-exempt Research

HEALTH CARE SYSTEMS RESEARCH NETWORK

Title: EXPEDITED IRB REVIEW OF HUMAN SUBJECTS RESEARCH

Policy Number: 42 Title: Investigational Devices Date of Last Revision: 06/12/2008; 07/22/2010; 05/29/2013; 05/01/2016; 10/16/2018

AMENDMENTS TO PREVIOUSLY APPROVED RESEARCH 3/01/2016

Yale University Institutional Review Boards

CUNY HRPP Policy: Suspension or Termination of Human Subject Research

INSTITUTIONAL REVIEW BOARD (IRB) PROCEDURES

RESEARCH PROTECTIONS OFFICE

CONTINUING REVIEW CRITERIA FOR RENEWAL

EMERGENCY USE 03/02/2016

Chapter 4 Institutional Review Board (IRB) Roles and Authorities

Ceded IRB Review. The project involves prisoners or other vulnerable populations that require special considerations.

Current Status: Active PolicyStat ID: Origination: 04/2018 Effective: 04/2018 Approved: 04/2018 Last Revised: 04/2018 Expiration: 04/2021

IRB MEETING ADMINISTRATION

IRB COMPOSITION AND IRB MEMBER ROLES AND RESPONSIBILITIES

POLICY NO EXEMPT RESEARCH... 4 POLICY NO DISCLOSURE OF RESEARCH LAB TEST RESULTS... 5

Issue in IRB Approvals:

Independent Ethics Committees

IRB-REQUIRED INVESTIGATOR ACTIONS

A Guide to SMART IRB s Resources for IRB and HRPP Personnel

University of Wisconsin Colleges Administrative Policy #56 NON-COMPLIANCE IN HUMAN SUBJECTS RESEARCH

THE DUHS IRB REVIEW PROCESS 8/13/2014

Wayne State University Institutional Review Board

Single IRB Review. Jeannie Barone Director, HRPO. Institutional Review Board

SUSPENSION OR TERMINATION OF HUMAN SUBJECTS RESEARCH

the HRPP Director will prepare a draft report within three (3) workdays after the IRB meeting at which the determination occurred.

GUIDE TO DAILY OPERATIONS

Procedure Department: HUMAN RESEARCH PROTECTIONS PROGRAM Policy Number: II.B.1

HOW TO CONDUCT AN IRB RELIANCE AGREEMENT. What Reliance Agreements Are, How They Are Reviewed, and What It Means for Submitting Research

Research Involving Human Subjects: AA 110.7

To assure knowledge and compliance by documenting the continuing review procedure of approved projects for the IRB.

Standard Operating Policy and Procedures (SOPP) 3:

Section 8. Continuing Review of Ongoing IRB-Approved Research (Revised 7/1/10)

University of Iowa External/Central IRB Single IRB (sirb) Reliance Process Standard Operating Procedure (SOP)

INTRA-INSTITUTIONAL COMMUNICATION

MISSISSIPPI STATE UNIVERSITY HUMAN RESEARCH PROTECTION PROGRAM. Collaborative Research and Performance Sites (01-23) Approved

Effective Date: January 16, 2012 Policy Number: Appendix II. Revised Date: November 2, 2015 Oversight Level: Corporate

Initial Review of Research Policy and Procedure

Review of Research by the Convened IRB

USC Institutional Review Boards (IRBs)

IRB MEMBERSHIP COMPOSITION, ROLES AND RESPONSIBILIES

INSTITUTIONAL REVIEW BOARD (IRB) PROCEDURES

Office of the Vice President for Research

Tuesday, May 15, Please be sure to sign in and take copies of each handout.

Transcription:

University of Kentucky Office of Research Integrity and Institutional Review Board Revision #4 TITLE: HIPAA in Research Page 1 of 8 Approved By: ORI Director Signature Date Date First Effective: 06-10-05 Approved By: Nonmedical IRB Chair Approved By: Medical IRB Chair Signature Signature Date Date Approved By: HIPAA Privacy Officer Signature Date Revision Date: 07/18/2011 OBJECTIVE To describe Institutional Review Board (IRB) policy and procedures for conducting reviews of Health Insurance Portability and Accountability Act (HIPAA) research authorization forms, waiver of authorization requests, de-identification forms, and coordination with the University of Kentucky s HIPAA Privacy Officer GENERAL DESCRIPTION The IRB reviews HIPAA research de-identification, research authorization, and research waiver of authorization requests for any investigator obtaining protected health information (PHI) from a UK covered entity (CE) department. Although federal regulations do not require IRBs to review authorization forms or de-identification requests, UK made a decision to review authorization forms and de-identification requests as a service to its researchers and to assist them in complying with the HIPAA Privacy Rule. All other HIPAA research issues such as preparatory work, decedent research, limited data sets, public health activities, business associate agreements, privacy notice, and accounting of disclosures fall under the jurisdiction of UK s Privacy Officer. Definitions Protected health information is defined as any of the 18 identifiers listed in the HIPAA Privacy Regulations in combination with health information that is created or maintained by a UK covered entity (CE) department that relates to the past, present, or future physical or mental health or conditions of an individual. A UK covered entity department is defined as any department that provides services that meets the definition of health care provider, health plan, or health care clearinghouse and bills patients/subjects electronically. UK legal counsel determined which UK departments fall within UK s CE.

Revision #4 TITLE: HIPAA in Research Page 2 of 8 A business associate agreement is defined as a contract where a person or entity performs certain functions or activities that involve the use and/or disclosure of PHI. Options for Obtaining Protected Health Information An investigator has the following six options for obtaining PHI from the University of Kentucky (UK) for research purposes: De-identified Information - health information that cannot be linked to an individual; Authorization - a document signed by the subject that gives the researcher permission to use/disclose PHI collected during the research study for defined purposes; Waiver of Authorization - a request to forgo the authorization requirement based on the fact that the disclosure of PHI is a minimal risk to the subject and the research can not practically be done without access to/use of PHI; Limited Data Set - a subset of identifiers that contain the following elements: city, state, zip code, date of birth, death, or date of service; Preparatory Work - PHI reviewed for the purpose of designing a research study or identifying potential subjects. PHI cannot be removed from the CE during the review; or Decedent Research - research where PHI is collected from a subject(s) that is deceased prior to the initiation of the study. RESPONSIBILITY Execution of SOP: IRB Chair, IRB Members, Principal Investigators (PI)/Research Staff, ORI Staff, Research Privacy Specialist (RPS), UK Privacy Officer, Research Compliance Officer (RCO) PROCEDURES General Procedures 1. Investigators working in a UK CE department comply with the UK Medical Center s HIPAA educational requirements. 2. IRB members do not review any research authorizations, waiver of authorization, or deidentification requests in which they have a conflict of interest. (See IRB Member and Consultant Conflict of Interest SOP for additional information.) Research Authorization Review Procedures 1. The PI makes a preliminary assessment to determine whether his/her protocol needs a research authorization form. A PI may call the ORI if he/she needs assistance in determining the HIPAA review type.

Revision #4 TITLE: HIPAA in Research Page 3 of 8 2. The PI submits his/her IRB application (i.e., exempt, expedited, or full) and authorization form to the ORI. The PI uses the IRB s Model Authorization Form, which includes all federally and institutionally mandated criteria. 3. If the investigator includes a HIPAA Authorization Form in the IRB submission or checks HIPAA in the application, or if there are any HIPAA concerns, ORI staff forward the IRB application to the ORI Research Privacy Specialist for review. 4. The RPS reviews protocols forwarded by ORI staff and determines whether the study is regulated by the HIPAA Privacy Rule and if an authorization form is appropriate for the study. The RPS reviews the authorization form to ensure that all federally and institutionally mandated criteria are in the document and submits written recommendations to ORI staff. ORI staff forward the RPS s comments to the appropriate IRB Committee and/or IRB reviewer. 5. The IRB reviews research authorization forms at convened meetings of the IRB, as outlined in the Initial Full, Expedited, Exempt and Continuation Review SOPs. IRB members use the ORI HIPAA Authorization Form Checklist and comments from the RPS to assist them with their authorization review. The IRB and/or IRB reviewer make the final determination as to whether the study is regulated by the HIPAA Privacy Rule and whether the investigator must revise the authorization form. 6. The IRB may review authorizations during initial full review, expedited review, or continuation review. The IRB requests revisions of any authorization form that does not contain all the federally and institutionally mandated criteria for authorization forms. 7. The ORI sends requests for revisions to the authorization form to the PI, who in turn makes the necessary corrections and resubmits the revised document to ORI. The IRB reviews revisions to the authorization form and determines whether all the federally and institutionally mandated criteria for authorization forms are satisfied. 8. Once the IRB determines the HIPAA Authorization Form meets the federal regulations and institutional requirements, no further IRB review is necessary unless the investigator makes subsequent changes to the authorization form. The PI obtains IRB review prior to implementing changes in the authorization form. 9. The PI takes the IRB reviewed authorization form signed by the subject to Medical Records (or data source) to obtain PHI. 10. The IRB does not review authorization forms for research activities conducted at sites outside of UK s CE. 11. The IRB does not review authorizations under the following circumstances:

Revision #4 TITLE: HIPAA in Research Page 4 of 8 PHI that was created or received either before or after the compliance date (April 14, 2003) may continue to be used and disclosed for research purposes, if any one of the following was obtained prior to the compliance date: o An authorization or other express legal permission from the subject to use or disclose PHI for the research; or o o The informed consent of the subject to participate in the research; or A waiver of informed consent by the IRB in accordance with the federal regulations pertaining to human subject research protection commonly known as the Common Rule or in accordance with an exception under the FDA s human subject protection regulations. If the PI obtains a waiver of informed consent prior to the compliance date, but subsequently seeks informed consent after the compliance date, he/she must obtain the subject s authorization at the time he/she obtains the new informed consent. It is the PI s responsibility to submit a copy of the authorization form for IRB review. 12. The ORI maintains copies of all versions of the PI s research authorization form for a period of no less than six (6) years after the study closure. (See Recordkeeping SOP.) 13. The ORI/IRB revises the IRB s Model Authorization Form as appropriate. Research Waiver of Authorization Request Review Procedures 1. The PI makes a preliminary assessment to determine whether his/her proposal needs a HIPAA research waiver of authorization. A PI may call the ORI if he/she needs assistance in determining the HIPAA review type. 2. The PI submits his/her IRB application (i.e., exempt, expedited, or full) and research waiver of authorizations requests to the ORI. A PI submits a waiver request using the ORI s HIPAA Waiver of Authorization Request Form, which includes all federally and institutionally mandated criteria. 3. If the PI includes a HIPAA Waiver of Authorization Request Form in the IRB submission or checks HIPAA in the application or if there are any HIPAA concerns, ORI staff forward the IRB application to the RPS for review. 4. The RPS reviews protocols forwarded by ORI staff and determines whether the study is regulated by the HIPAA Privacy Rule and if a research waiver of authorization request is appropriate for the study. The RPS reviews the waiver to ensure that all federally and institutionally mandated criteria are in the document and submits written recommendations to ORI staff. 5. ORI staff forward the RPS s comments to the appropriate IRB and/or IRB reviewer.

Revision #4 TITLE: HIPAA in Research Page 5 of 8 6. The IRB reviews Research Waiver of Authorization Request Forms at convened IRB meetings, as outlined in the Initial Full, Expedited, Exempt, Continuation Review, and Modification SOPs. IRB members use the ORI HIPAA Waiver of Authorization Form Checklist and comments from the RPS to assist them with their HIPAA review. The IRB and/or IRB Reviewer make the final determination as to whether the study is regulated by the HIPAA Privacy Rule and whether the investigator must revise the HIPAA form. 7. The IRB may review the waiver of authorization request during initial full review, expedited review, continuation review, or exemption review. The IRB requests revisions of any waiver of authorization request that does not adequately address the questions/issues in the ORI s HIPAA Waiver of Authorization Request Form. 8. The ORI sends requests for revisions to the PI, who in turn makes the necessary corrections and resubmits the revised form to the ORI. The IRB reviews revisions to the HIPAA Waiver of Authorization Request Form and determines whether all the federally and institutionally mandated criteria for waiver of authorization are satisfied. 9. Once the IRB reviews the waiver, the IRB Chair or Designee signs the waiver of authorization approval letter and forwards the document to the ORI. The ORI sends the letter to the PI. 10. Once the IRB determines the contents of the HIPAA Authorization Form meet the federal regulations and institutional requirements, the waiver of authorization request, no further IRB review is necessary unless the PI makes subsequent changes to the HIPAA form. It is the PI s responsibility to obtain IRB approval prior to implementing changes in the Waiver of Authorization Request Form. 11. The PI takes the Waiver of Authorization Approval letter to Medical Records (or data source) to obtain PHI. 12. The IRB does not review a research waiver of authorizations for research activities conducted at sites outside of UK s CE. 13. The IRB does not require a research waiver of authorizations under the following circumstances: A PI may use and disclose for research purposes PHI that was created or received either before or after the compliance date (April 14, 2003) if a waiver of informed consent was reviewed by the IRB in accordance with the federal regulations and obtained prior to the compliance date. If the PI obtains a waiver of informed consent prior to the compliance date, but subsequently seeks informed consent after the Compliance Date, he/she must obtain the subject s authorization at the time he/she obtains the new informed consent.

Revision #4 TITLE: HIPAA in Research Page 6 of 8 14. The ORI maintain copies of all versions of the PI s HIPAA Waiver of Authorization Request Forms for a period of no less than six (6) years after the study is closed. (See Recordkeeping SOP) 15. The ORI/IRB revises the HIPAA Waiver of Authorization Request Form as appropriate. Research De-identification Review Procedures 1. The PI makes a preliminary assessment to determine whether his/her protocol meets the criteria for de-identification. A PI may call the ORI if he/she needs assistance in determining the HIPAA review type. 2. The PI submits his/her IRB application (i.e., exempt, expedited, or full) and research deidentification requests to the ORI, using the ORI HIPAA De-identification Certification Form. 3. If the PI includes a HIPAA De-identification Certification Form in the IRB submission or if there are any HIPAA concerns, ORI staff forward the IRB application to the ORI RPS for review. 4. The RPS reviews protocols forwarded by ORI staff and determines whether de-identification is appropriate for the study and submits written recommendations to ORI staff. 5. ORI staff forward the RPS s comments to the appropriate IRB and/or IRB reviewer. 6. The IRB reviews research de-identification requests at convened IRB meetings, as outlined in the Initial Full Review, Expedited Initial Review, Exempt Review, Continuation Review, and Modification, Deviations, and Exceptions IRB Review of Changes SOPs. IRB members may use comments from the RPS to assist them with their HIPAA review. The IRB makes a final determination as to whether the study meets the criteria for de-identification. The IRB notifies the PI if the study does not meet the criteria for de-identification. 7. If the IRB denies the de-identification request, ORI staff or the RPS notify the PI and provide assistance in determining the appropriate HIPAA review type. 8. A PI in the CE submits a HIPAA De-identification Certification Form to Medical Records (or data source) to obtain PHI. A PI not in the CE submits a HIPAA De-identification Certification Form and a Business Associate Agreement to Medical Records to obtain PHI. 9. The IRB does not review research de-identification requests for research activities conducted at sites outside of UK s CE. 10. The ORI/IRB revises the HIPAA De-identification Certification Form as appropriate.

Revision #4 TITLE: HIPAA in Research Page 7 of 8 Research Databases/Repositories Review Procedures 1. Since the HIPAA Privacy Rule does not give clear guidance on databases and repositories, the IRB follows the NIH s Research Repositories, Databases, and the HIPAA Privacy Rule guidance document when reviewing HIPAA database/repositories issues. 2. The PI submits an IRB application (initial full or expedited) and the applicable HIPAA form to establish or remove PHI or specimens with identifiers from a research database or repository. 3. The database/repository does not fall under the Privacy Rule if the PI: De-identifies all data/specimens collected for the database/repository; or Obtains self reported health information from the subject and does not add the health information to a designated record set. For the purposes of this policy, a designated record set is defined as a group of records maintained by or for a covered entity that includes (1) medical and billing records about individuals maintained by or for a covered health care provider; (2) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) used, in whole or in part, by or for the covered entity to make decisions about individuals. 4. PIs, IRB members, ORI staff, and the RPS follow the authorization, waiver of authorization, and deidentification procedures previously outlined in this document. 5. The IRB does not require a PI to comply with the HIPAA requirements if the research database or repository was established before April 14, 2003 and the following conditions are met: The information/specimens in the database are de-identified (e.g., all 18 identifiers listed in the HIPAA Privacy are removed); or Subjects signed a consent form; or The IRB waived informed consent. HIPAA Compliance Procedures for Investigators Working in the Covered Entity 1. Investigators working in a UK CE must comply with the UK Medical Center s HIPAA policies and procedures. 2. Any significant noncompliance HIPAA issue, such as a breach or complaint, involving research will be reviewed in conjunction with the UK Privacy Officer. If the UK Privacy Officer receives a HIPAA research complaint or an alleged HIPAA research noncompliance issue, the Privacy Officer will immediately (i.e., within approximately 2 working days) notify the ORI RPS or ORI s Research Compliance Officer (RCO). The Privacy Officer may confer with the RPS or the RCO to assess whether the complaint/alleged noncompliance issue falls under the purview of the IRB or both the IRB and UK Corporate Compliance.

Revision #4 TITLE: HIPAA in Research Page 8 of 8 If the ORI RCO receives a HIPAA research complaint or report of an alleged HIPAA research noncompliance issue, the RCO or RPS will immediately (i.e., within approximately 2 working days) notify the UK Privacy Officer. The RCO or the RPS may confer with the Privacy Officer to assess whether the complaint/alleged noncompliance issue falls under the purview of the IRB or both the IRB and UK Corporate Compliance. If the complaint/alleged noncompliance issue falls under IRB purview, the ORI will initiate an inquiry following ORI/IRB standard operating procedures. (See the Subject Complaints/Concerns and Noncompliance SOPs) The IRB determines whether the incident meets requirements for reporting to the federal regulatory agencies. In making the determination, IRB follows the procedures for reporting. (See the Mandated Reporting to External Agencies SOP) After the IRB has completed its review of the complaint/alleged noncompliance issue, the ORI RCO or RPS provides the UK Privacy Officer with a copy of the final deliberations if the allegation involves both research and a violation of the HIPAA regulations. If ORI staff determine the incident to be reportable to a federal regulatory agency, the RCO sends a copy of the federal report to the UK Privacy Officer. (See the Mandated Reporting to External Agencies SOP) If the complaint/alleged noncompliance falls under UK Corporate Compliance purview, the Privacy Officer will initiate an investigation. After the Privacy Officer has completed its review of the complaint/alleged noncompliance, the Privacy Officer provides the ORI with a copy of the final deliberations if the allegation involves both research and a violation of the HIPAA regulations. If the Privacy Officer determines the incident to be reportable to a federal regulatory agency, the Privacy Officer sends a copy of the federal report to the ORI. REFERENCES 45 CFR 164.512 45 CFR 164.532 45 CFR 164.530 45 CFR 164.508 45 CFR 164.514 NIH s Research Repositories, Databases, and the HIPAA Privacy Rule NIH s Privacy Boards and the HIPAA Privacy Rule J:\Master Outreach Documents\Survival Handbook\C - SOPs\C2-0450-HIPAA_SOP.doc

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback