HIPAA and Medical Research

1. Training and certification is mandatory for all investigators and their team of researchers who access, use or disclose PHI.
2. A web-based training is made available to receive training.
3. To receive training and certification, please go to HIPAA Online Training.
4. Certificates are printed out at your desktop printer and at the Office of Research Compliance.

1. As in the past, the Office of Research Compliance shall continue to review research projects at all three levels (exempt, expedited and full review).
2. The deadlines for full review submissions shall remain the same as before. Exempt and Expedited reviews can be submitted at any time.
3. Please note that consent forms have been modified to include HIPAA authorization. All forms are posted below.
4. Please note that additional forms are required to obtain waiver of authorization, preparatory to research, review of decedents PHI, access to databanks and repositories and limited data set agreement. Some of the forms are posted below and those that are not posted will be posted before April 14, 2003.

1. Consent Form Document #1 [ download in MS Word ] requiring Individual HIPAA authorization
   1. Use this form if you are accessing, using or disclosing PHI. Individual authorization is required for such studies.
   2. The revised consent form includes HIPAA authorization.
   3. This consent form template has been extensively modified. Specifically Section 6 and Section 19 have been modified to include the privacy rights of research subjects. Please make sure to include on your revised consent from all of the elements enumerated in section 19.
2. Consent Form Document #2 [ download in MS Word ]. This form must be used for research projects that do not use PHI, but require research subjects consent.
3. Consent Form Document #3 [ download in MS Word ]. PHI will not be used
   1. This form is exclusively used for Non-Medical IRB.
   2. If a non-medical IRB application requests access, use or disclosure of subjects PHI, such applications require the use of Consent Form Document #1. Such projects will be reviewed by the medical IRB.

1. Exempt review: Application for Alteration or Waiver or HIPAA Privacy Authorization for Exempt Reviews [ download in MS Word ]. Use this form when:
   1. The research project is exempt from IRB review under the Common Rule; and
   2. The research project intends to access, use or disclose PHI during the research without seeking authorization since subjects identifiers are not going to be recorded.
2. Expedited or Full Review: Application for Waiver of HIPAA Authorization and Common Rule Informed Consent [ download in MS Word ]. Use this form when:
   1. This form is applicable to all IRBs.
   2. To obtain a waiver of consent or alteration of informed consent.
   3. To access, use or disclose PHI during the research project without authorization from the subject.

1. Effective April14, 2003 (compliance date) exempt reviews are done by combining Common and Privacy Rules.
2. Research projects for exempt review must not involve any risk to the subject, data or pathological samples must exist and all identifiers must be stripped. The information collected must not be linked back to the source document.
3. Unlike before the compliance date, accessing PHI shall require waiver of authorization even when identifiers are not going to be recorded.
4. Unlike before, if PHI is going to be accessed and a waiver of authorization is required, such projects shall be reviewed and approved by the IRB chair or one of the IRB members.
5. Exempt studies currently approved, if data collection is complete such studies DO NOT require new waiver of authorization.
6. On the contrary, currently approved exempt studies continuing past the compliance date (April 14, 2003) DO require waiver of authorization. Investigators who have such approvals will be contacted to submit waiver of authorization to continue studies past the compliance date.
7. Research projects that do not involve the use or disclosure of PHI do not require a waiver of authorization. Those projects will be reviewed and approved by the Office of Research Compliance.
8. All exempt studies are approved for one year only. A continuing review is necessary for the continuation of the project in the succeeding years.

1. Research involving expedited review must be minimal risk and involve healthy subjects only.
2. If consent forms are going to be used to conduct the study, and to access, use and disclose PHI, individual authorization will be required from research subjects.
3. Researchers are permitted to request for a waiver of authorization if following Common and Privacy Rules are met:
   1. The researcher and internal collaborator has been properly trained on the procedures of Privacy Rules and safeguarding of PHI;
   2. Brief description of the PHI for which use or access has been requested;
   3. The use or disclosure of PHI involves no more than minimal risk to the subject;
   4. The waiver or alteration will not adversely affect the rights and welfare of the subject;
   5. The research could not practically be carried out without the waiver or alteration of waiver;
   6. Whenever appropriate, research subjects will be provided with additional pertinent information on the research project after participation;
   7. The researcher has provided adequate plan to protect the identifiers from improper use of PHI and disclosure;
   8. The privacy risks to individuals whose PHI is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individuals;
   9. Provide a description of importance of the knowledge that may reasonably be expected to result from such research; and
   10. There is adequate plan in place to destroy the identifiers at the earliest opportunity consistent with the conduct of the research unless there is health or research justification for retaining the identifiers.
4. Expedited reviews and waiver of authorization is approved by the IRB Chair or one of the IRB members.
5. Expedited reviews that do not involve the use or disclosure of PHI do not require a waiver of authorization. However, a consent form is required or the researcher may request for a waiver of consent under the provisions of Common Rule (see 3c-3f above).

1. PHI collected prior to compliance date (April14, 2003) or subjects who have consented prior to compliance date and enrollment to the study has stopped, those studies do not require new individual authorization or re-consent of research subjects.
2. On the contrary, if consent forms are modified by the IRB (risk benefit ratio) and the research is continuing past the compliance date, those studies require new individual authorization and re-consenting subjects.

1. Researchers and their research team within the covered entity [Drexel Med and Tenet Hospitals (Hahnemann, MCP and St. Christophers Hospital for Children)] can use the PHI by completing a Preparatory to Research Form
2. Researchers and their team within the covered entity can use the PHI to contact prospective subjects.
3. However, researchers are not permitted to remove the PHI from the covered entity.
4. REPRESENTATIONS FORM FOR REVIEWS PREPARATORY TO RESEARCH [ MS Word ]

1. Researchers and their team can access databanks and repositories created by the covered entity with individual authorization or waiver of authorization (see waiver of authorization form above).
2. Researches can also create databases within a covered entity. To create a database, you must obtain a waiver of authorization (use waiver of authorization form) from the IRB.

1. The researcher must provide a representation to the covered entity that the use or disclosure of descendents PHI is necessary and used solely for the purpose of research.
2. At the request of the covered entity, the researcher will be required to provide documentation of death.

1. Limited Data Sets in Research FAQ [ MS Word ]
2. DUCoM Data Use Agreement [ MS Word ]