UNIVERSITY OF TENNESSEE HEALTH SCIENCE CENTER INSTITUTIONAL REVIEW BOARD

USE OF PROTECTED HEALTH INFORMATION WITHOUT SUBJECT AUTHORIZATION

1. PURPOSE
   
   To provide guidance to investigators regarding the conditions under which protected health information (PHI) may be used in research without the authorization of subjects.
2. SCOPE
   
   This SOP applies to the IRB members and investigators.
   
   Personnel Responsible:
   
   Institutional Review Board members and investigators.
3. BACKGROUND
   The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that persons provide authorization for the use of PHI for specific purposes other than treatment, payment or health care operations. Specific authorization is generally required for the use and disclosure of PHI in research studies. However, HIPAA also permits the research use of PHI without subject authorization under specific conditions. These conditions include review of PHI preparatory to research, research involving subjects who are decedents, research involving the use of limited data sets or de-identified data, and research in which a waiver or alteration of authorization is granted by the IRB. Further information about the conditions under which PHI may be used without subject authorization can be obtained by consulting the UTHSC IRB, or the HIPAA compliance officer or legal department of the institutions in which the research is conducted. Requests to use PHI for research purposes without subject authorization must be submitted to the IRB for approval prior to initiation.
   
   In Accordance With:
   
   45 CFR 160, 164
   https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html
   Compliance with this policy also requires compliance with state or local laws or regulations that provide additional protections for human subjects.

Definitions:

De-identified data means that the source material used by an investigator (as contrasted with the data as abstracted) does not include any of the following 18 categories of personal identifiers of individuals, or of the relatives, employers or household members of such individuals:

1. names;
2. all geographic subdivisions smaller than a state, including street address, city, county, precinct, and their equivalent geocodes, except for the initial three digits of a zip code if the geographic unit represented by these three initial digits contains more than 20,000 people;
3. all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates indicative of age over 89, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. telephone numbers;
5. fax numbers;
6. electronic mail addresses;
7. social security numbers;
8. medical record numbers;
9. health plan beneficiary numbers;
10. account numbers;
11. certificate/license numbers;
12. vehicle identifiers and serial numbers, including license plate numbers;
13. device identifiers and serial numbers;
14. web universal resource locators (URLs);
15. internet protocol (IP) address numbers;
16. biometric identifiers, including finger and voice prints;
17. full face photographic images and any comparable images; and
18. any other unique identifying number, characteristic, or code.

Limited Data Set means that the source material used by an investigator (as contrasted with the data as abstracted) does not include any of the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

1. names;
2. postal address information, other than town or city, state and zip code;
3. telephone numbers;
4. fax numbers;
5. electronic mail addresses;
6. social security numbers;
7. medical record numbers;
8. health plan beneficiary numbers;
9. account numbers;
10. certificate/license numbers;
11. vehicle identifiers and serial numbers, including license plate numbers;
12. device identifiers and serial numbers;
13. web universal resource locaters (URLs);
14. internet protocol (IP) address numbers;
15. biometric identifiers, including finger and voice prints; and
16. full face photographic images and any comparable images.
    

4. PROCEDURES
   1. Any proposal for research use of PHI without the authorization of the subject must be submitted for IRB review using the Form 1 Application. Request for the research use of PHI without subject authorization will be approved only if one of the following regulatory categories applies:
      1. The use and disclosure of PHI for research purposes qualifies for a waiver or alteration of subject authorization. Such research purposes include the use of PHI in identifying potential subjects for recruitment, in contacting potential subjects regarding study participation, and in conducting the study itself. The investigator must document the following conditions in the Form 1 Application:
         1. there is no more than minimal risk to the privacy of individual subjects based on the presence of the following elements: (a) an adequate plan to protect the identifiers from improper use and disclosure; (b) an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research and the IRB’s research record retention policy (http://www.uthsc.edu/research/compliance/irb/researchers/documents/ study-closure-and-record-retention.pdf ), unless there is a health or research justification for retaining identifiers after such time or such retention is otherwise required by law; and (c) an adequate written assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, or for authorized oversight of the research study, or for other research for which the use or disclosure is permitted without authorization;
         2. it is not practicable to conduct the research without the waiver or alteration of the authorization requirement; and
         3. it is not practicable to conduct the research without access to and use of the PHI for which the waiver or alteration of the authorization requirement is sought.
      2. All PHI to be used in the study is from deceased individuals. Qualification under this category requires that the researcher document the following:
         1. the use or disclosure is sought solely for research on the PHI of decedents;
         2. adequate documentation exists that all subjects are deceased; and at the request of the covered entity from which the PHI is sought, documentation will be provided to it that all subjects are deceased; and
         3. use of the PHI is necessary for the research purposes. (Note: use of PHI from deceased individuals for research purposes is not allowed at Methodist Healthcare facilities when the study only targets deceased individuals.)
      3. The PHI to be used in the study involves a “limited data set.” The investigator must address the following items:
         1. the PHI used in the research excludes the 16 categories of direct identifiers necessary for the creation of a limited data set;
         2. a data use agreement, satisfying the requirements of the HIPAA regulations, has been reached with the entity holding the PHI;
         3. a copy of the data use agreement must be submitted with the application or prior to final IRB approval for the research use of PHI without the subject’s authorization.
      4. The investigator’s source materials (as contrasted with the data as abstracted) constitute “de-identified data” as defined in the HIPAA regulations. The investigator must address the following items:
         1. it must be explained that the data has been determined to be de- identified either by a qualified and independent expert in biostatistics or by the exclusion from the data of all 18 categories of direct identifiers specified in the regulations;
         2. if the entity which maintains the health information will utilize a code or other means to re-identify the records, then it must be certified that the code or other means used to re-identify the records is not derived from or related to the individuals, or otherwise capable of being translated to identify individual subjects; and
         3. it must be verified that the entity maintaining the records will not disclose to the investigator the means used for re-identifying the records.
      5. The PHI will be used for a review preparatory to research. The investigator must document the following points:
         1. the use or disclosure is being sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;
         2. PHI will not be copied or removed by the investigator in the course of the review from the entity which maintains the PHI; and
         3. use of the PHI is necessary for purposes that are preparatory to research.
   2. UTHSC IRB will include the following in its letter to the investigator indicating that it has approved the research use of PHI without subject authorization:
      1. The name of the study and the assigned IRB number;
      2. The date of the action;
      3. Specific criteria that have been satisfied for research use of PHI without subject authorization;
      4. Description of the PHI for which use or access has been determined to be necessary;
      5. Review and approval procedures used; and
      6. Signature of IRB Analyst.
   3. UTHSC IRB will maintain such documentation for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later.