HIPAA GUIDANCE: ALTERATION OR WAIVER OF AUTHORIZATION (AWA) Revised: July 9, 2004

This guidance addresses:

1. Criteria a covered function should employ for evaluating an IRB-issued AWA to determine its adherence to the HIPAA regulations
2. IRB AWA criteria and a covered function's adherence to the minimum necessary standard for release of PHI identified in a valid AWA
3. Mechanisms available to a covered function for providing PHI identified in an AWA to a researcher
4. Accounting for disclosures when releasing PHI to a researcher outside of the covered function via the AWA mechanism

NB: Parts of this guidance are specific to the SUNY-UB HIPAA hybrid entity environment where the SUNY-UB research function, and consequently any SUNY-UB researcher, has been specifically defined as being separate from, and not part of, any HIPAA covered function/entity. It is specifically applicable to all SUNY-UB researchers in any setting dealing with a HIPAA covered function/entity and, separately, all SUNY-UB covered functions.

1) Covered function criteria for determining that an alteration or waiver of authorization (AWA) has been appropriately executed by an IRB

45 CFR 164.512(i) addresses the documentation that must be provided by an IRB to constitute a valid AWA. Specifically, the required elements are:

(1)(i)(A) Issued by an Institutional Review Board (IRB), established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107

(2)(i) Identification and date of action. A statement identifying the IRB and the date on which the alteration or waiver of authorization was approved;

(2)(ii) Waiver criteria. A statement that the IRB has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria [Note: A covered function is not responsible for separately determining that the criteria identified in (2)(ii) have been met. The covered function is only required to confirm that the alteration or waiver of authorization contains a statement from the IRB comprised of these elements]:

   (A) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements;
      (1) An adequate plan to protect the identifiers from improper use and disclosure;
      (2) An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law
      (3) Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart
   (B) The research could not practicably be conducted without the waiver or alteration
   (C) The research could not practicably be conducted without access to and use of the protected health information.

(2)(iii) Protected health information needed. A brief description of the protected health information for which use or access has been determined to be necessary by the IRB pursuant to paragraph (i)(2)(ii)(c) of this section

(2)(iv) Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures [1]

(2)(v) Required signature. The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRB

If a waiver in whole is not issued, the covered function must adhere to the constraints associated with the waiver in part or alteration in whole or in part as identified in the AWA. Any request for PHI by the researcher that falls outside the parameters identified in a valid AWA will require a separate HIPAA PHI research disclosure mechanism to be in place.

In general, an AWA issued by an IRB containing these elements may be used by the covered function to release the PHI listed in section (2)(iii) of the AWA to the requesting researcher.

The UB IRB currently issues a 2-part AWA. The AWA itself contains all required elements with the exception of (2)(iii) above. The information required for (2)(iii) is contained in a separate UB document titled "The Request for Waiver of Individual Authorization for Use of Individually Identifiable Health Information". This document is completed by the researcher and submitted to the UB IRB for its review in determining that AWA criteria under (2)(ii) can be met. Question #1 of this document contains the information that constitutes the required (2)(iii) element of the AWA. This document can be considered part of the AWA provided it is stamped, dated and signed or initialed by the UB IRB.

[1] An IRB must follow the requirements of the Common Rule, including the normal review procedures (7 CFR 1c.108(b), 10 CFR 745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b), 21 CFR 56.108(b), 22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR 46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), 40 CFR 26.108(b), 45 CFR 46.108(b), 45 CFR 690.108(b), or 49 CFR 11.108(b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR 745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110, 21 CFR 56.110, 22 CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR 219.110, 34 CFR 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45 CFR 690.110, or 49 CFR 11.110)

Once the PHI identified in section (2)(iii) of an AWA is released to a researcher who is outside of the covered function (i.e., any SUNY-UB researcher), the covered function has no additional HIPAA obligations with regards to the researcher's subsequent use of the information. In particular, the covered function is not responsible for ensuring that the researcher is in or remains in compliance with the representations they made to the IRB, which may or may not be known by the covered function, in order to obtain the AWA.

The UB Request for Waiver of Individual Authorization for Use of Individually Identifiable Health Information form provides additional information that is intended for internal UB IRB use in making its determination on whether or not to issue an AWA to the researcher. The information provided in questions 2-6 and the subsequent researcher attestation is not information that a covered function needs to evaluate in determining whether the AWA is valid.

As noted in the preceding criteria section, a covered function is not responsible for separately determining that the criteria in (2)(ii) of a valid AWA have been met. The Office of Civil Rights (OCR), which is responsible for compliance with the HIPAA Privacy Regulations, has addressed the broad discretion it permits IRBs in determining that these criteria have been met [2]:

Question: Are some of the criteria so subjective that inconsistent determinations may be made by Institutional Review Boards (IRB) and Privacy Boards reviewing similar or identical research projects?

Answer: Under the HIPAA Privacy Rule, IRBs and Privacy Boards need to use their judgment as to whether the waiver criteria have been satisfied. Several of the waiver criteria are closely modeled on the Common Rule's criteria for the waiver of informed consent and for the approval of a research study. Thus, it is anticipated that IRBs already have experience in making the necessarily subjective assessments of risks. While IRBs or Privacy Boards may reach different determinations, the assessment of the waiver criteria through this deliberative process is a crucial element in the current system of safeguarding research participants' privacy. The entire system of local IRBs is, in fact, predicated on a deliberative process that permits local IRB autonomy. The Privacy Rule builds upon this principle; it does not change it. Nonetheless, the Department will consider issuing guidance as necessary and appropriate to address concerns that may arise during implementation of these provisions. See the fact sheet and frequently asked questions about the research provisions on this web site for more information about the Common Rule and Institutional Review and Privacy Boards.

[2] OCR HIPAA Privacy guidance on Research; December 3, 2002; also available on HHS WEB FAQ (http://answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_alp.php); Answer ID=303, dated 03/03/2003 06:30 PM

2) Minimum Necessary and PHI access

The HIPAA standard of Minimum Necessary, covered in 45 CFR 164.502(b), applies to the release of information associated with an AWA. This impacts the IRB, the SUNY-UB researcher, and the covered function in the following areas:

a) IRB determination of the minimum necessary PHI required by the researcher. The AWA criteria in 45 CFR 164.512(i)(2)(ii)(C) restrict an IRB to granting an AWA only for PHI that is specifically required for use in the research study. In granting the AWA, it is incumbent upon the IRB to evaluate the PHI being requested by the researcher and to determine that its use is necessary for the conduct of the research. An IRB may not grant an AWA permitting access to PHI that is not required for use in the study. Specifically, an IRB cannot grant an AWA for accessing the entire medical record as a mechanism for permitting the researcher to enter the covered function in order to create a subset PHI dataset from the medical record when that subset of PHI is all that is required for use in the research.

b) Covered function determination of the minimum necessary PHI required by the researcher. A covered function may rely on the IRB's determination in this regard as to what constitutes the minimum necessary information required to conduct the research per 45 CFR 164.514(d)(3)(iii)(D). This means the covered entity may, without further analysis, provide the researcher with the PHI specifically determined as necessary for the conduct of the research in section (2)(iii) of a valid AWA [3]:

Question: May a covered entity accept documentation of an external Institutional Review Board's (IRB) waiver of authorization for purposes of reasonably relying on the request as the minimum necessary?

Answer: Yes. The HIPAA Privacy Rule explicitly permits a covered entity to reasonably rely on a researcher's documentation of an Institutional Review Board (IRB) or Privacy Board waiver of authorization pursuant to 45 CFR 164.512(i) that the information requested is the minimum necessary for the research purpose. See 45 CFR 164.514(d)(3)(iii). This is true regardless of whether the documentation is obtained from an external IRB or Privacy Board or from one that is associated with the covered entity.

[3] HHS WEB FAQ (see footnote 2) Answer ID=217; Category: Privacy of Health Information/HIPAA, Minimum Necessary, Research Uses and Disclosures, Smaller Providers/Small Businesses; Date updated: 07/18/2003 11:01 AM

c) Covered function creation of the data set identified as minimum necessary for disclosure to the external researcher. A covered entity may only permit the researcher access to, and use of, PHI that is specifically required for the conduct of the research as identified in section (2)(iii) of a valid AWA. Often, this data resides co-mingled with other PHI in the covered function's PHI repository, e.g., within the medical or dental record. Creation of a data set for use by an external researcher is an activity of the covered function and is not a research activity that can be conducted by the researcher. Specifically, the AWA is not a mechanism by which the researcher may access PHI other than that identified in section (2)(iii) of the AWA, i.e., the researcher may not be given access to a superset of PHI, such as the medical or dental record, in order to create a data set of the required PHI elements identified in the AWA.

3) Mechanisms available to covered functions for providing PHI to a SUNY-UB researcher

The covered function's creation of the PHI data set required by the researcher, as identified in (2)(iii) of the AWA, can be approached in basically one of two ways:

a) The data set is generated by the covered function through activities of its workforce.

b) The data set is generated by a business associate of the covered function, with an appropriately executed business associate agreement (BAA) in place governing the service of creating this data set.

In both cases, creation of the data set is an activity of the covered function that falls within the Operations component of its HIPAA Treatment, Payment and Operations activities. Consequently, all access to and use of PHI for this activity constitutes a use of PHI by the covered entity.

In instances where the researcher, in a separate and distinct capacity from their research (non-covered function) duties, is also a member of a covered function's workforce, they may create the required data set via mechanism (i) provided that activity is formally part of their separate and distinct job duties within the covered function.

Note that per 45 CFR 160.103 Definitions: Workforce, volunteers are defined to be members of the covered function's workforce. An external researcher who is also a formal volunteer of the covered function could create the required data set by way of this mechanism provided that the covered function has a formally and appropriately established mechanism for appointing volunteers, that this activity is formally defined by the covered function as part of the volunteer's duties, and that volunteers in the covered function are required to fully comply with all aspects of the covered function's HIPAA implementation pertaining to its workforce.

If the researcher is not part of the covered function which possesses the required PHI, and the covered function does not have a mechanism for providing the researcher with only the PHI identified in the waiver, then the researcher may perform the dataset creation only via mechanism 3)(b). [4]

Mechanism 3)(b) is not recommended for use by SUNY-UB researchers wishing to access PHI within a SUNY-UB covered function. If a SUNY-UB researcher wishes to enter into a BAA with a non-SUNY-UB covered entity, an appropriate SUNY-UB signatory agent needs to be identified by the UB Director of HIPAA Compliance and the BAA must be vetted by legal counsel associated with the signatory agent.

4) Accounting for disclosures

Pursuant to 45 CFR 164.528, the covered function must be able to provide an accounting of PHI disclosures. Such an accounting is required when PHI defined in section (2)(iii) of a valid AWA is released by a covered function to a SUNY-UB researcher. An accounting for disclosures is not required for the covered function's use of PHI in creating the PHI dataset as this activity constitutes a use as part of Treatment/Payment/Operations of the covered function, and not a disclosure by the covered function.

[4] HHS WEB FAQ (see footnote 2); Answer ID=249; Category: Privacy of Health Information/HIPAA, Business Associates, Limited Data Set; Date updated: 03/03/2003 06:16 PM; generalized from example where BAA is identified as the proper mechanism to be used by a researcher to create limited data required to conduct their research when the covered entity cannot provide this service.