Many journals now require a letter, or other acknowledgement, from an IRB prior to publication of a case report. Specifically, they wish to know whether IRB approval was obtained or was not required for the described case. The JHM IRBs have adopted a policy to address the following question and answers.
Q: What constitutes a “case report”?
A case report for IRB purposes is a retrospective analysis of one, two, or three clinical cases. If more than three cases are involved in the analytical activity, the activity will constitute “research.”
Q: Do faculty who prepare a case report as an article for submission to a journal require IRB approval prior to preparation?
No. A case report is a medical/educational activity that does not meet the DHHS definition of “research”, which is: "a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge." Therefore, the activity does not have to be reviewed by a JHM IRB.
Q: Are there HIPAA implications associated with publication of case reports?
Yes. Under HIPAA, a case report is an activity to develop information to be shared for medical/educational purposes. Although the use of protected health information to prepare the paper does not require IRB review, the author of a case report must comply with HIPAA. Ideally, the author of the article will obtain the signed authorization of the subject, or the subject’s legally authorized representative if the subject is deceased, to use the subject’s information in the article. If it is not possible to obtain authorization, the author should be aware that one of the identifiers described by HIPAA as requiring written authorization is, “Any other unique identifying number, characteristic, or code….” Moreover, HIPAA requires that, at the time of publication, “[t]he covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” (See: Definition of De-Identified Data.)
- Authors who remove HIPAA identifiers (including unique patient characteristics) from the data prior to submission and publication of the article do not need to obtain a signed privacy authorization.
- Investigators who wish to publish case report data with HIPAA identifiers will need to obtain from the patient a signed HIPAA compliant authorization. This authorization does not need to be submitted to the IRB for review. The appropriate authorization form for use with a single case report may be found on the HIPAA web site at: http://www.insidehopkinsmedicine.org/hipaa/Forms/A_2_1_v.doc.
- If the author strips off all HIPAA identifiers, but the information associated with the subject of the article includes a “unique characteristic” which would make it identifiable to the subject, or the author has actual knowledge that the information about the subject could be used alone or in combination with other information to identify the subject, the author must contact the HIPAA Privacy Officer to discuss the required steps to take prior to publication.