Limited data set hipaa research consent

Covered entities may use or disclose health information that is de-identified without restriction under the Privacy Rule. Covered entities seeking to release this health information must determine that the information has been de-identified using either statistical verification of de-identification or by removing certain pieces of information from each record as specified in the Rule.

The Privacy Rule allows a covered entity to de-identify data by removing all 18 elements that could be used to identify the individual or the individual's relatives, employers, or household members; these elements are enumerated in the Privacy Rule. The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information. Under this method, the identifiers that must be removed are the following:

1. Names.
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
   1. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
   2. The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
   1. Telephone numbers.
   2. Facsimile numbers.
   3. Electronic mail addresses.
   4. Social security numbers.
   5. Medical record numbers.
   6. Health plan beneficiary numbers.
   7. Account numbers.
   8. Certificate/license numbers.
   9. Vehicle identifiers and serial numbers, including license plate numbers.
   10. Device identifiers and serial numbers.
   11. Web universal resource locators (URLs).
   12. Internet protocol (IP) address numbers.
   13. Biometric identifiers, including fingerprints and voiceprints.
   14. Full-face photographic images and any comparable images.
   15. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.

   Covered entities may also use statistical methods to establish de-identification instead of removing all 18 identifiers. The covered entity may obtain certification by "a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" that there is a "very small" risk that the information could be used by the recipient to identify the individual who is the subject of the information, alone or in combination with other reasonably available information. The person certifying statistical de-identification must document the methods used as well as the result of the analysis that justifies the determination. A covered entity is required to keep such certification, in written or electronic format, for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later.

   Other Issues Relating to De-identification

   Under the first method, unique identifying numbers, characteristics, or codes must be removed if the health information is to be considered de-identified. However, the Privacy Rule permits a covered entity to assign to, and retain with, the health information a code or other means of record identification if that code is not derived from or related to the information about the individual and could not be translated to identify the individual. The covered entity may not use or disclose the code or other means of record identification for any other purpose and may not disclose its method of re-identifying the information. For example, a randomly assigned code that permits re-identification through a secured key to that code would not make the information to which it is assigned PHI, because a random code would not be derived from or related to information about the individual and because the key to that code is secure.

   A covered entity is permitted to de-identify PHI or engage a business associate to de-identify PHI. For example, a researcher may be a covered entity him/herself performing, or may be hired as a business associate to perform, the de-identification. In most cases, the covered entity must have a written contract with the business associate containing the provisions required by the Privacy Rule before it provides PHI to the business associate. In addition, a covered entity, if a hybrid entity, could designate in its health care component(s) portions of the entity that conduct business associate-like functions, such as de-identification.

   De-identifying PHI according to Privacy Rule standards may enable many research activities; however, the Privacy Rule recognizes that researchers may need access to and generate identifiable health information during the course of research. Where PHI is needed for research activities, the Privacy Rule permits its use and disclosure if certain standards are met. These standards are discussed in the following sections.

   Authorization for Research Uses and Disclosures

   One way the Privacy Rule protects the privacy of PHI is by generally giving individuals the opportunity to agree to the uses and disclosures of their PHI by signing an Authorization form for uses and disclosures not otherwise permitted by the Rule. The Privacy Rule establishes the right of an individual, such as a research subject, to authorize a covered entity to use and disclose his/her PHI for research purposes. This requirement is in addition to the informed consent to participate in research required under the HHS Protection of Human Subjects Regulations and other applicable Federal and State law.

   Area of Distinction	HIPAA Privacy Rule	HHS Protection of Human Subjects Regulations Title 45 CFR Part 46	FDA Protection of Human Subjects Regulations Title 21 CFR Parts 50 and 56
   Permissions for Research	Authorization	Informed Consent	Informed Consent
   IRB/Privacy Board Responsibilities	Requires the covered entity to obtain Authorization for research use or disclosure of PHI unless a regulatory permission applies. Because of this, the IRB or Privacy Board would only see requests to waive or alter the Authorization requirement. In exercising Privacy Rule authority, the IRB or Privacy Board does not review the Authorization form.	The IRB must ensure that informed consent will be sought from, and documented for, each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by, HHS regulations. If specified criteria are met, the IRB may waive the requirements for either obtaining informed consent or documenting informed consent. The IRB must review and approve the Authorization form if it is combined with the informed consent document. Privacy Boards have no authority under the HHS Protection of Human Subjects Regulations.	The IRB must ensure that informed consent will be sought from, and documented for, each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by, FDA regulations. If specified criteria are met, the requirements for either obtaining informed consent or documenting informed consent may be waived. The IRB must review and approve the Authorization form if it is combined with the informed consent document. Privacy Boards have no authority under the FDA Protection of Human Subjects Regulations.

   Elements of an Authorization

   • A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner.
   • The names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure.
   • The names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure.
   • A description of each purpose of the requested use or disclosure.
   • Authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure ("end of the research study" or "none" are permissible for research, including for the creation and maintenance of a research database or repository).
   • Signature of the individual and date. If the individual's legally authorized representative signs the Authorization, a description of the representative's authority to act for the individual must also be provided.
   • A statement of the individual's right to revoke his/her Authorization and how to do so, and, if applicable, the exceptions to the right to revoke his/her Authorization or reference to the corresponding section of the covered entity's notice of privacy practices.
   • Whether treatment, payment, enrollment, or eligibility of benefits can be conditioned on Authorization, including research-related treatment and consequences of refusing to sign the Authorization, if applicable.
   • A statement of the potential risk that PHI will be re-disclosed by the recipient. This may be a general statement that the Privacy Rule may no longer protect health information disclosed to the recipient.

   Waiver or Alteration of the Authorization Requirement

   • Members must have varying backgrounds and appropriate professional competencies as necessary to review the effect of the research protocol on individuals' privacy rights and related interests.
   • Each Board must have at least one member who is not affiliated with the covered entity or with any entity conducting or sponsoring the research and who is not related to any person who is affiliated with such entities.
   • Members may not have conflicts of interest regarding the projects they review.
   1. The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
      1. An adequate plan to protect health information identifiers from improper use and disclosure.
      2. An adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research (absent a health or research justification for retaining them or a legal requirement to do so).
      3. Adequate written assurances that the PHI will not be reused or disclosed to (shared with) any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.

      Area of Distinction	HIPAA Privacy Rule	HHS Protection of Human Subjects Regulations Title 45 CFR Part 46	FDA Protection of Human Subjects Regulations Title 21 CFR Parts 50 and 56
      Review of Cooperative Research	Requests to waive or alter the Authorization requirement are reviewed and approved by an IRB or Privacy Board. The Privacy Rule permits a covered entity to reasonably rely on the determination of an IRB or Privacy Board, if the covered entity obtains appropriate documentation of such determination.	Each institution is responsible for safeguarding the rights and welfare of human subjects and for complying with the HHS Protection of Human Subjects Regulations. With the approval of HHS, an institution participating in a cooperative project may enter into a joint review arrangement, rely upon the review of another qualified IRB, or make similar arrangements for avoiding duplication of effort.	Cooperative research/multi-institutional studies may use joint review, reliance upon the review of another qualified IRB, or similar arrangements aimed at avoiding duplication of effort.
      Waivers of Authorization or Informed Consent Requirements	Allows waiver or alteration of Authorization when IRB or Privacy Board deems the following criteria are met: (1) Use or disclosure involves no more than minimal risk to the privacy of individuals because of the presence of at least the following elements: (a) An adequate plan to protect health information identifiers from improper use or disclosure, (b) an adequate plan to destroy identifiers at the earliest opportunity absent a health or research justification or legal requirement to retain them, and (c) adequate written assurances that the PHI will not be used or disclosed to a third party except as required by law, for authorized oversight of the research study, or for other research uses and disclosures permitted by the Privacy Rule; (2) research could not practicably be conducted without the waiver or alteration; and (3) research could not practicably be conducted without access to and use of PHI.	Permits an IRB to waive some or all of the elements of informed consent, or to waive the requirement to obtain informed consent, provided the IRB finds and documents that (1) the research involves no more than minimal risk to the subjects; (2) the waiver or alteration will not adversely affect the rights and welfare of the subjects; (3) the research could not practicably be carried out without the waiver or alteration; and (4) whenever appropriate, the subjects will be provided with additional pertinent information after participation.

      Limited Data Set and Data Use Agreement

      A limited data set is described as health information that excludes certain, listed direct identifiers (see below) but that may include city; state; ZIP Code; elements of date; and other numbers, characteristics, or codes not listed as direct identifiers. The direct identifiers listed in the Privacy Rule's limited data set provisions apply both to information about the individual and to information about the individual's relatives, employers, or household members. The following identifiers must be removed from health information if the data are to qualify as a limited data set:

      • Specific permitted uses and disclosures of the limited data set by the recipient consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the Privacy Rule).
      • Identify who is permitted to use or receive the limited data set.
      • Stipulations that the recipient will
        • Not use or disclose the information other than permitted by the agreement or otherwise required by law.
        • Use appropriate safeguards to prevent the use or disclosure of the information, except as provided for in the agreement, and require the recipient to report to the covered entity any uses or disclosures in violation of the agreement of which the recipient becomes aware.
        • Hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the data use agreement with respect to the information.
        • Not identify the information or contact the individuals.

        Activities Preparatory to Research

        For activities involved in preparing for research, covered entities may use or disclose PHI to a researcher without an individual's Authorization, a waiver or an alteration of Authorization, or a data use agreement. However, the covered entity must obtain from a researcher representations that (1) the use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research, (2) the PHI will not be removed from the covered entity in the course of review, and (3) the PHI for which use or access is requested is necessary for the research. The covered entity may permit the researcher to make these representations in written or oral form.

        According to HHS guidance on the Privacy Rule,

        The preparatory to research provision permits covered entities to use or disclose protected health information for purposes preparatory to research, such as to aid study recruitment. However, the provision at 45 CFR 164.512(i)(1)(ii) does not permit the researcher to remove protected health information from the covered entity's site. As such, a researcher who is an employee or a member of the covered entity's workforce could use protected health information to contact prospective research subjects [emphasis added]. The preparatory research provision would allow such a researcher to identify prospective research participants for purposes of seeking their Authorization to use or disclose protected health information for a research study.

        Under the preparatory to research provision, a covered entity may permit a researcher who works for that covered entity to use PHI for purposes preparatory to research. A covered entity may also permit, as a disclosure of PHI, a researcher who is not a workforce member of that covered entity to review PHI (within that covered entity) for purposes preparatory to research. Within a hybrid entity, the situation is similar. A covered entity that is a hybrid entity may permit a researcher within its health care component to use, without an individual's Authorization, PHI for activities preparatory to research. A covered entity may also permit a researcher who is outside the hybrid entity's health care component to review PHI within that health care component without an individual's Authorization for purposes preparatory to research.

        Researchers should note that any preparatory research activities involving human subjects research as defined by the HHS Protection of Human Subjects Regulations, which are not otherwise exempt, must be reviewed and approved by an IRB and must satisfy the informed consent requirements of HHS regulations.

        Research on Decedents' Protected Health Information

        To use or disclose PHI of the deceased for research, covered entities are not required to obtain Authorizations from the personal representative or next of kin, a waiver or an alteration of the Authorization, or a data use agreement. However, the covered entity must obtain from the researcher who is seeking access to decedents' PHI (1) oral or written representations that the use and disclosure is sought solely for research on the PHI of decedents, (2) oral or written representations that the PHI for which use or disclosure is sought is necessary for the research purposes, and (3) documentation, at the request of the covered entity, of the death of the individuals whose PHI is sought by the researchers.

        Other Uses and Disclosures of Protected Health Information

        Some of the PHI uses and disclosures that are permitted under the Privacy Rule at Section 164.512 without Authorization, waiver or alteration of Authorization, or data use agreement are summarized below. Covered entities seeking to use and disclose PHI for these or other purposes permitted under Section 164.512 should consult the Privacy Rule for information on the relevant implementation requirements.

        Among other limited purposes, a covered entity may use or disclose PHI without an Authorization, as follows:

        • To the extent the use or disclosure is required by law and complies with, and is limited to, the relevant requirements of such law. For example, a covered entity may disclose, without Authorization, PHI to cancer registries if the disclosure (or reporting) is required by law. In addition, a covered entity may disclose to the Federal Government, without Authorization, PHI associated with data first produced under a Federal award in accordance with 45 CFR 74.36 3 .
        • For disclosure to a public health authority that is authorized by law to collect or receive the information for purposes of preventing or controlling disease, injury, or disability. Activities included here are reporting disease, injury, and vital events, such as birth or death, as well as conducting public health surveillance, investigations, and interventions. For example, a covered entity may disclose PHI, without Authorization, related to an adverse event to NIH or FDA as public health authorities. Additional guidance on the use and disclosure of PHI for public health purposes is available at: Centers for Disease Control and Prevention (2003). HIPAA Privacy Rule and Public Health Guidance from CDC and the U.S. Department of Health and Human Services. Morbidity and Mortality Weekly Report, 52.
        • To a person subject to the jurisdiction of the FDA with respect to an FDA-regulated product or activity for which that person has responsibility, for purposes related to the quality, safety, or effectiveness of the FDA-regulated product or activity (including, but not limited to, adverse event reporting; FDA-regulated product tracking; post-marketing surveillance; and enabling product recalls, repairs, replacements, or lookback). For example, a covered entity may disclose adverse event/safety reports to sponsors of investigational new products.
        • To health oversight agencies for oversight activities authorized by law that are necessary, for example, for the appropriate oversight of government-regulated programs. For example, because Office for Human Research Protections (OHRP) is a health oversight agency under the Privacy Rule, a covered entity may disclose PHI, without Authorization, to OHRP for purposes of determining compliance with the HHS Protection of Human Subjects Regulations.

        Minimum Necessary Restriction

        With some exceptions, the Privacy Rule imposes a minimum necessary requirement on all permitted uses and disclosures of PHI by a covered entity. This means that a covered entity must apply policies and procedures, or criteria it has developed, to limit certain uses or disclosures of PHI, including those for research purposes, to "the information reasonably necessary to accomplish the purpose [of the sought or requested use or disclosure]." For uses and routine and recurring disclosures of and requests for PHI, the covered entity must develop policies and procedures (which may be standard protocols) to reasonably limit such uses, disclosures, and requests to the minimum necessary to achieve the purpose of the use or disclosure. For nonroutine disclosures and requests, a covered entity must review each disclosure or request individually against criteria it has developed.

        There are several exceptions to the minimum necessary requirements that may affect researchers (Sections 164.502(b) and 164.514(d) of the Privacy Rule). The minimum necessary standard does not apply to the following:

        • Uses and disclosures made with an individual's Authorization.
        • Disclosures to, or requests by, a health care provider for treatment.
        • Disclosures to the individual.
        • Uses or disclosures required by law.
        • Disclosures to HHS for purposes of determining compliance with the Privacy Rule.
        • When required for compliance with other HIPAA rules (e.g., to fill out required or situationally required data fields in standard transactions).

        Unless otherwise excepted, covered entities are required to implement policies and procedures or establish criteria that limit the PHI used, disclosed, or requested to the minimum amount reasonably necessary to achieve the purposes (e.g., necessary for the specific research) for which disclosure is sought. These covered entity policies and procedures will apply to researchers who are members of the covered entity's workforce and may apply to business associates.

        The Privacy Rule does not require a covered entity to independently determine, in all instances, whether a request for PHI meets the minimum necessary requirement. As relevant here, the Privacy Rule permits the covered entity to rely, when reasonable, on a request for disclosure of PHI as the minimum necessary when making permitted disclosures to public officials, disclosing information requested by another covered entity, or when disclosing PHI to researchers who have documentation of an IRB or Privacy Board waiver or alteration of Authorization or certain other representations permitted by the Privacy Rule, which are discussed in detail in related publications, Institutional Review Boards and the HIPAA Privacy Rule and Privacy Boards and the HIPAA Privacy Rule.

        How Are Research Subjects' Rights Affected by the Privacy Rule?

        • The Privacy Rule provides individuals with certain rights about how their health information is used and disclosed as well as how they can gain access to health records and information about when their PHI was released without their permission.
        • The Privacy Rule describes how covered entities can implement these rights while maintaining the integrity of the research project.

        In addition to establishing conditions for the use and disclosure of PHI, the Privacy Rule establishes certain rights of individuals with respect to their health information. Covered entities must provide individuals with written notice of the entity's privacy practices and the individual's privacy rights. In addition, the Rule permits individuals to gain access to, request amendment of, request restrictions on, and request confidential communication of certain records related to their health care. Individuals are also given the right to request and receive a written account from a covered entity of when and why their PHI has been disclosed without their Authorization, except under limited circumstances. Individuals also have the right to complain to the covered entity and to the Secretary of Health and Human Services if they believe a violation of the Privacy Rule has occurred. This document discusses an individual's rights to access PHI and receive an accounting of PHI disclosures.

        Access to Protected Health Information

        With few exceptions, the Privacy Rule guarantees individuals access to their medical records and other types of health information to the extent the information is maintained by the covered entity or its business associate within a designated record set. Research records maintained by a covered entity may be part of a designated record set if, for example, the records are medically related or are used to make decisions about research participants.

        In most cases, patients or research subjects can have access to their health information in a designated record set at a convenient time and place. One exception, among others, is during a clinical trial, when the individual's right of access can be suspended while the research is in progress if, in consenting to participate in research including treatment, the individual agreed to the temporary denial of access. The covered entity, however, must inform the individual that the right to access his/her health records in the designated record set will be restored upon conclusion of the clinical trial.

        Designated Record Set - A group of records maintained by or for a covered entity that includes (1) medical and billing records about individuals maintained by or for a covered health care provider; (2) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) used, in whole or in part, by or for the covered entity to make decisions about individuals. A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

        Accounting of Disclosures of Protected Health Information

        Use - With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within the entity or health care component (for hybrid entities) that maintains such information.

        • For treatment, payment, or health care operations.
        • Under an Authorization for the disclosure.
        • To an individual about himself or herself.
        • As part of a limited data set under a data use agreement.
        • Prior to the compliance date.

        An individual's right to receive an accounting of disclosures (unless an exception applies) starts with the covered entity's compliance date and goes back 6 years from the date of the request, not including periods prior to the compliance date. A covered entity must therefore keep records of such PHI disclosures for 6 years.

        The Privacy Rule allows three methods for accounting for research-related disclosures that are made without the individual's Authorization or other than a limited data set: (1) A standard approach, (2) a multiple-disclosures approach, and (3) an alternative for disclosures involving 50 or more individuals. Whatever approach is selected, the accounting is made in writing and provided to the requesting individual. Accounting reports to individuals may include results from more than one accounting method.

        Standard Accounting

        Standard accounting includes, for each disclosure, the following information:

        • The date the disclosure was made.
        • The name and, if known, address of the person or entity receiving the PHI.
        • A brief description of the PHI disclosed.
        • A brief statement of the reason for the disclosure.

        Multiple Disclosures Accounting

        Multiple disclosures accounting is permissible if the covered entity has made multiple disclosures of PHI to the same person or entity for a single purpose under Sections 164.502(a)(2)(ii) or 164.512 of the Privacy Rule. For each disclosure, the following must be included:

        • The date the initial disclosure was made during the accounting period.
        • The name and, if known, address of the person or entity receiving the PHI.
        • A brief description of the PHI disclosed.
        • A brief statement of the reason for the disclosure.
        • The frequency, periodicity, or number of the disclosures made during the accounting period.
        • The date of the last such disclosure during the accounting period.

        Alternative Accounting

        If a covered entity has made disclosures regarding 50 or more individuals for a particular research project under Section 164.512(i) of the Privacy Rule, the accounting may be limited to the following information:

        • The name of the protocol or research activity.
        • A plain-language description of the research protocol or activity, purpose of the research, and criteria for selecting particular records.
        • A description of the type of PHI disclosed.
        • The date or period of time during which the disclosure(s) occurred or may have occurred, including the date of the last disclosure during the accounting period.
        • The name, address, and telephone number of the entity that sponsored the research and of the researcher who received the PHI.
        • A statement that the individual's PHI may or may not have been disclosed for a particular protocol or research activity.

        If the covered entity uses the alternative accounting method, it must, if requested to by the individual, assist the individual in contacting the research sponsor and the researcher. Such assistance, however, is limited to those situations in which there is a reasonable likelihood that the individual's PHI was actually disclosed for the research protocol or activity.