School Home NYU School of Medicine

irb
 Today is Sunday, July 6th 2008
 
   

HIPAA - Frequently Asked Questions (FAQs)

Take time to read the following answers and questions to ensure that you fully understand the implications of HIPAA on research. If you are in need of any information regarding the new regulations, feel free to contact the IRB office at any time.

  1. What Does HIPAA stand for and what is HIPAA anyway?

  2. Do research subjects have to authorize the use of their protected health information?

  3. When is this Act scheduled for implementation?

  4. Do I have to re-consent all my subjects by April 14, 2003?

  5. Must the IRB approve the separate authorization form or is the new HIPAA language included in the new consent form template?

  6. How will the IRB approve all of these submissions in time to ensure that everyone is compliant with the new HIPAA regulations before April 14th?

  7. What if I just submitted a request for continuation to the IRB or a new study protocol and it is currently in the review process?

  8. Is there some type of HIPAA training available and is it required?

  9. Will the HIPAA Privacy Rule hinder medical research by making doctors and others less willing and/or able to share with researchers information about individual patients?

  10. If a research subject revokes his or her authorization to have protected health information used or disclosed for research, does the HIPAA Privacy Rule permit a researcher/covered health care provider to continue using the protected health information already obtained prior to the time the individual revoked his or her authorization?

  11. Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?

  12. Do the HIPAA Privacy Rule’s requirements for authorization and the Common Rule’s requirements for informed consent differ?

  13. If research subjects’ consent was obtained before the compliance date, but the Institutional Review Board (IRB) subsequently modifies the informed consent document after the compliance date and requires that subjects be reconsented, is authorization now required from these previously enrolled research subjects under the HIPAA Privacy Rule?

  14. Are some of the criteria so subjective that inconsistent determinations may be made by Institutional Review Boards (IRB) and Privacy Boards reviewing similar or identical research projects?

  15. Does the HIPAA Privacy Rule prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing protected health information?

  16. Does the HIPAA Privacy Rule permit the creation of a database for research purposes through an Institutional Review Board (IRB) waiver of individual authorization?

  17. How does the Rule help Institutional Review Boards (IRB) handle the additional responsibilities imposed by the HIPAA Privacy Rule?

  18. By establishing new waiver criteria and authorization requirements, hasn’t the HIPAA Privacy Rule, in effect, modified the Common Rule?

  19. Is documentation of Institutional Review Board (IRB) and Privacy Board approval required by the HIPAA Privacy Rule before a covered entity would be permitted to disclose protected health information for research purposes without an individual’s authorization?

  20. What does the HIPAA Privacy Rule say about a research participant’s right of access to research records or results?

  21. Are the HIPAA Privacy Rule’s requirements regarding patient access in harmony with the Clinical Laboratory Improvements Amendments of 1988 (CLIA)?


  22. When is a researcher a covered health care provider under HIPAA?



  23. Can covered entities continue to disclose adverse event reports that contain protected health information to the Department of Health and Human Services (HHS) Office for Human Research Protections?


  24. Can covered entities continue to disclose protected health information to the HHS Office for Human Research Protections for purposes of determining compliance with the HHS regulations for the protection of human subjects (45 CFR Part 46)?



What Does HIPAA stand for and what is HIPAA anyway?

No, it is not short for girl hippopotamus! The acronym HIPAA stands for the Health Insurance Portability & Accountability Act of 1996. HIPAA is also referred to as the Kennedy-Kassebaum Act or The Privacy Rule.


Do research subjects have to authorize the use of their protected health information?

Yes, subjects must authorize the use or disclosure of their protected health information (PHI). PHI stands for “Protected Health Information”. Protected Health Information relates to past, present, or future health, health care, or payment for health care that identifies the individual directly or indirectly.


When is this Act scheduled for implementation?

Organizations must be HIPAA-compliant by April 14, 2003; however, federal regulations allow an additional year for business associate contracts, that is, contracts in which one party performs a function or activity involving the use of PHI. Business associate contracts must meet the HIPAA requirements before April 14, 2004.

Therefore, anyone you consent must be consented with the new Consent Authorization Template available online or with a Research Authorization Form also available online.


Do I have to re-consent all my subjects by April 14, 2003?

No. Research consent forms obtained from subjects prior to the implementation date need not be modified until the date of their next continuing review. At that time, you will use the new consent/authorization template, which has incorporated the new HIPAA language into the body of the consent form.


Must the IRB approve the separate authorization form or is the new HIPAA language included in the new consent form template?

The IRB has created a new consent/authorization template that is available online.

The title of the document is, “Informed Consent Form to Participate and Authorization of Research”. It contains all of the required consent document elements as well as the new HIPAA requirements.

The IRB has also created an addendum research authorization form. This form can be used as a supplemental attachment to your current consent document. Simply download the form, read the instructions, complete the form as indicated, print your document and begin using the form immediately. We only require that you submit one copy to the IRB for filing purposes. You will have to conform to the full consent/authorization template if you require any modifications to the consent or when your study is up for continuing review.



How will the IRB approve all of these submissions in time to ensure that everyone is compliant with the new HIPAA regulations before April 14th?

The IRB has adopted a blanket approval policy for HIPAA compliant authorization forms.

This form is required of all researchers with IRB approved studies that require consent. If you will be consenting subjects after April 14, 2003, you will need to complete this form and use it as an attached addendum with your current approved IRB consent document. Subjects consented before April 14, 2003, will not have to be re-consented. The form is also available in Spanish.

You will need to insert required name specific information for each study. The requested name specific information is shaded in gray. The document will be used with your existing approved IRB consent document and you will submit one copy to the IRB office to place on file. Upon the submission of future requests related to existing studies, for approval of amendment, final study closure and continuation, each document will be reviewed for accuracy in content by the IRB or a designated member of the IRB.

NEW PROTOCOL SUBMISSIONS: All protocol submissions requiring consent documents must conform to the new consent/authorization template.

Download the form in English and/or Spanish here:

English Standard Consent Authorization Form

Spanish Standard Consent Authorization Form

Chinese Standard Consent Authorization Form


It is important to remember that each study participant will be required to sign and date the research authorization addendum. Remember to have the research participant initial and date the bottom of each page of this document.

However, if you wish to go ahead and conform your current existing consent document to the new consent form authorization template, you will also complete a Request for Amendment Form. If you are simply submitting the new template and there are no changes to the study specific content of your consent document, it will be reviewed on an expedited basis and you will receive an administrative acknowledgment and letter of approval from the IRB. Please keep in mind that if you made any changes to the study specific content previously submitted to the IRB, it will undergo the normal processing procedure for an amendment.


What if I just submitted a request for continuation to the IRB or a new study protocol and it is currently in the review process?

If your study is approved before April 14, 2003, the only thing you will need to do is complete the research authorization form available online and submit one copy to the IRB office for filing purposes.

The IRB has adopted a blanket approval policy to review HIPAA compliant authorization forms.

This form is required of all researchers with IRB approved studies that require consent. If you will be consenting subjects after April 14, 2003, you will need to complete this form and use it as an attached addendum with your current approved IRB consent document. Subjects consented before April 14, 2003, will not have to be re-consented. The form is also available in Spanish.

You will need to insert required name specific information for each study. The requested name specific information is shaded in gray. The document will be used with your existing approved IRB consent document and you will submit one copy to the IRB office to place on file. Upon the submission of future requests for approval of amendment, final study closure and continuation, each document will be reviewed for accuracy in content by the IRB or a designated member of the IRB.


It is important to remember that each study participant will be required to sign and date the research authorization addendum. Remember to have the research participant initial and date the bottom of each page of this document.

You will then use your approved research authorization form as a supplemental attachment to your currently approved consent document. Don’t Forget! If in the future you have to make changes to your consent document or submit a continuation, you will have to conform to the new consent authorization template available online.


Is there some type of HIPAA training available and is it required?

Yes, and YES! §164.530(b)(1) states, "A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart (45 CFR 164)..." All applicable employees ("members of the workforce") are required to complete HIPAA compliance training prior to the April 14, 2003, implementation date. All new members of the workforce must also be trained within a reasonable amount of time. HIPAA compliance education is required for ALL employees. To complete the NYU requirements, employees should contact the IRB office for a complete listing of upcoming HIPAA training sessions.


Will the HIPAA Privacy Rule hinder medical research by making doctors and others less willing and/or able to share with researchers information about individual patients?

It is not expected that the Privacy Rule will hinder medical research. Indeed, patients and health plan members may be more willing to authorize disclosures of their information for research and to participate in research when they know their information is protected. For example, in genetic studies conducted at the National Institutes of Health, nearly 32 percent of eligible people offered a test for breast cancer risk declined to take it. The overwhelming majority of those who refuse cite concerns about health insurance discrimination and loss of privacy as the reason.

The Privacy Rule both permits important research and, at the same time, encourages patients to participate in research by providing much needed assurances about the privacy of their health information. The Privacy Rule will require some covered health care providers and health plans to change their current practices related to documenting research uses and disclosures. It is possible that some covered health care providers and health plans may conclude that the Rule’s requirements for research uses and disclosures are too burdensome and will choose to limit researchers’ access to protected health information. We believe few providers will take this route, however, because the Common Rule includes similar, and more rigorous requirements, that have not impaired the willingness of researchers to undertake Federally-funded research. For example, unlike the Privacy Rule, the Common Rule requires an Institutional Review Board (IRB) review for all research proposals under its purview, even if informed consent is to be sought. The Privacy Rule requires documentation of IRB or Privacy Board approval only if patient authorization for the use or disclosure of protected health information for research purposes is to be altered or waived. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)


If a research subject revokes his or her authorization to have protected health information used or disclosed for research, does the HIPAA Privacy Rule permit a researcher/covered health care provider to continue using the protected health information already obtained prior to the time the individual revoked his or her authorization?

Covered entities may continue to use and disclose protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study. An individual may not revoke an authorization to the extent the covered entity has acted in reliance on the authorization. For research uses and disclosures, this reliance exception at 45 CFR 164.508(b)(5)(i) permits the continued use and disclosure of protected health information already obtained pursuant to a valid authorization to the extent necessary to preserve the integrity of the research study. For example, the reliance exception would permit the continued use and disclosure of protected health information to account for a subject’s withdrawal from the research study, as necessary to incorporate the information as part of a marketing application submitted to the Food and Drug Administration, to conduct investigations of scientific misconduct, or to report adverse events.

However, the reliance exception would not permit a covered entity to continue disclosing additional protected health information to a researcher or to use for its own research purposes information not already gathered at the time an individual withdraws his or her authorization. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)


Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?

Yes. Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i). NYUSOM policy stipulates that the research obtain IRB approval before accessing existing databases or repositories even if those databases were created prior to the compliance date.


Do the HIPAA Privacy Rule’s requirements for authorization and the Common Rule’s requirements for informed consent differ?

Yes. Under the Privacy Rule, a patient’s authorization is for the use and disclosure of protected health information for research purposes. In contrast, an individual’s informed consent, as required by the Common Rule and the Food and Drug Administration’s (FDA) human subjects regulations, is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of protected health information. For this reason, there are important differences between the Privacy Rule’s requirements for individual authorization, and the Common Rule’s and FDA’s requirements for informed consent. However, the Privacy Rule’s authorization elements are compatible with the Common Rule’s informed consent elements. Thus, both sets of requirements can be met by use of a single, combined form, which is permitted by the Privacy Rule.

For example, the Privacy Rule allows the research authorization to state that the authorization will be valid until the conclusion of the research study, or to state that the authorization will not have an expiration date or event. This is compatible with the Common Rule’s requirement for an explanation of the expected duration of the research subject’s participation in the study. It should be noted that where the Privacy Rule, the Common Rule, and/or FDA’s human subjects regulations are applicable, each of the applicable regulations will need to be followed. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)


If research subjects’ consent was obtained before the compliance date, but the Institutional Review Board (IRB) subsequently modifies the informed consent document after the compliance date and requires that subjects be reconsented, is authorization now required from these previously enrolled research subjects under the HIPAA Privacy Rule?

Yes. If informed consent or reconsent (e.g., asked to sign a revised consent or another informed consent) is obtained from research subjects after the compliance date, the covered entity must obtain individual authorization as required at 45 CFR 164.508 for the use or disclosure of protected health information once the consent obtained before the compliance date is no longer valid for the research. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf) The revised informed consent document may be combined with the authorization elements required by 45 CFR 164.508.


Are some of the criteria so subjective that inconsistent determinations may be made by Institutional Review Boards (IRB) and Privacy Boards reviewing similar or identical research projects?

Under the HIPAA Privacy Rule, IRBs and Privacy Boards must use their judgment as to whether the waiver criteria have been satisfied. Several of the waiver criteria are closely modeled on the Common Rule’s criteria for the waiver of informed consent and for the approval of a research study. Thus, it is anticipated that IRBs already have experience in making the necessarily subjective assessments of risks. While IRBs or Privacy Boards may reach different determinations, the assessment of the waiver criteria through this deliberative process is a crucial element in the current system of safeguarding research participants’ privacy. The entire system of local IRBs is, in fact, predicated on a deliberative process that permits local IRB autonomy. The Privacy Rule builds upon this principle; it does not change it. Nonetheless, the DHHS will consider issuing guidance as necessary and appropriate to address concerns that may arise during implementation of these provisions. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)


Does the HIPAA Privacy Rule prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing protected health information?

No. The Privacy Rule does not address conditions for enrollment in a research study. Therefore, the Privacy Rule in no way prohibits researchers from conditioning enrollment in a research study on the execution of an authorization for the use of pre-existing health information. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)


Does the HIPAA Privacy Rule permit the creation of a database for research purposes through an Institutional Review Board (IRB) waiver of individual authorization?

Yes. A covered entity may use or disclose protected health information without individuals’ authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB has determined that the specified waiver criteria were satisfied. Protected health information maintained by a covered entity in such a research database could be used or disclosed for future research studies as permitted by the Privacy Rule, that is, for future studies in which individual authorization has been obtained or where the Rule would permit research without an authorization, such as pursuant to an IRB waiver. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)


How does the Rule help Institutional Review Boards (IRB) handle the additional responsibilities imposed by the HIPAA Privacy Rule?

Recognizing that some institutions may not have the expertise needed to review research that requires consideration of risks to privacy, the Privacy Rule permits the covered entity to accept documentation of waiver of authorization from an alternative body called a Privacy Board, which could have fewer members, and members with different expertise, than IRBs.

In addition, the Rule allows an IRB to use expedited review procedures as permitted by the Common Rule to review and approve requests for waiver of authorizations. An expedited review process permits covered entities to accept documentation of waiver of authorization when only one or more members of the IRB have conducted the review. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)


By establishing new waiver criteria and authorization requirements, hasn’t the HIPAA Privacy Rule, in effect, modified the Common Rule?

No. Where both the Privacy Rule and the Common Rule apply, both regulations must be followed. The Privacy Rule regulates only the content and conditions of the documentation that covered entities must obtain before using or disclosing protected health information for research purposes.


Is documentation of Institutional Review Board (IRB) and Privacy Board approval required by the HIPAA Privacy Rule before a covered entity would be permitted to disclose protected health information for research purposes without an individual’s authorization?

No. The HIPAA Privacy Rule requires documentation of waiver approval by either an IRB or a Privacy Board, not both.


What does the HIPAA Privacy Rule say about a research participant’s right of access to research records or results?

With few exceptions, the Privacy Rule gives patients the right to inspect and obtain a copy of health information about themselves that is maintained by a covered entity or its business associate in a "designated record set." A designated record set is basically a group of records which a covered entity uses to make decisions about individuals, and includes a health care provider’s medical records and billing records, and a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems. While it may be unlikely that a researcher would be maintaining a designated record set, any research records or results that are actually maintained by the covered entity as part of a designated record set would be accessible to research participants unless one of the Privacy Rule’s permitted exceptions applies.

One of the permitted exceptions applies to protected health information created or obtained by a covered health care provider/researcher for a clinical trial. The Privacy Rule permits the individual’s access rights in these cases to be suspended while the clinical trial is in progress, provided the research participant agreed to this denial of access when consenting to participate in the clinical trial. In addition, the health care provider/researcher must inform the research participant that the right to access protected health information will be reinstated at the conclusion of the clinical trial. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)


Are the HIPAA Privacy Rule’s requirements regarding patient access in harmony with the Clinical Laboratory Improvements Amendments of 1988 (CLIA)?

Yes. The Privacy Rule does not require clinical laboratories that are also covered health care providers to provide an individual access to information if CLIA prohibits them from doing so. CLIA permits clinical laboratories to provide clinical laboratory test records and reports only to "authorized persons," as defined primarily by State law. The individual who is the subject of the information is not always included as an authorized person. Therefore, the Privacy Rule includes an exception to individuals’ general right to access protected health information about themselves if providing an individual such access would be in conflict with CLIA.

In addition, for certain research laboratories that are exempt from the CLIA regulations, the Privacy Rule does not require such research laboratories, if they are also a covered health care provider, to provide individuals with access to protected health information because doing so may result in the research laboratory losing its CLIA exemption. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)


When is a researcher a covered health care provider under HIPAA?

A researcher is a covered health care provider if he or she furnishes health care services to individuals, including the subjects of research, and transmits any health information in electronic form in connection with a transaction covered by the Transactions Rule. See 45 CFR 160.102, 160.103. For example, a researcher who conducts a clinical trial that involves the delivery of routine health care, such as an MRI or liver function test, and transmits health information in electronic form to a third party payer for payment, would be a covered health care provider under the Privacy Rule. Researchers who provide health care to the subjects of research or other individuals would be covered health care providers even if they do not themselves electronically transmit information in connection with a HIPAA transaction, but have other entities, such as a hospital or billing service, conduct such electronic transactions on their behalf. For further assistance in determining covered entity status, see the "decision tool" at: http://www.hhs.gov/ocr/hipaa/. (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)



Can covered entities continue to disclose adverse event reports that contain protected health information to the Department of Health and Human Services (HHS) Office for Human Research Protections?

Yes. The Office for Human Research Protections is a public health authority under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to report adverse events to the Office for Human Research Protections either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for public health activities as permitted at 45 CFR 164.512(b). (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)


Can covered entities continue to disclose protected health information to the HHS Office for Human Research Protections for purposes of determining compliance with the HHS regulations for the protection of human subjects (45 CFR Part 46)?

Yes. The Office for Human Research Protections is a health oversight agency under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to the Office for Human Research Protections for such compliance investigations either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for health oversight activities as permitted at 45 CFR 164.512(d). (Source: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf)

 
