Skip Navigation
 
 
 
 
 
Print This Page
Share this page: More
 

Research Databases

March 2006

A research database is any collection of patient -level data, whether identifiable or not, that is maintained for use in future research. Federal regulations and JHM policies that protect the privacy of patients and research subjects apply to both the creation and use of research databases, as described below.

The information in this guidance is also summarized in the table at Attachment A.

Getting Started

First, determine whether the database will contain identifiers. Identifiers include not only information (e.g., name, address, SSN, or medical record number) that can be used to identify someone directly, but also any of the other 18 data elements listed in the HIPAA privacy rule (see Attachment B), such as dates of birth or treatment.

A code number that is linked to an identifier is itself an identifier, unless

  • The code is unique and not used for any other purpose (and is not derived from another identifier, such as SSN); and
  • The database user will not have access to the code key and will not be permitted to re-identify any of the information.

Second, determine how information will be obtained for the database. Will the source be existing clinical or research information, or will patients/subjects be interviewed, tested, or otherwise contacted for the purpose of obtaining research data? A researcher who will interact with subjects for the purpose of collecting identifiable data for a database should ask for the subject's consent and HIPAA authorization, as described below.

A physician-investigator may also ask his or her patients to give their consent/HIPAA authorization to permit clinical data (and associated specimens) to be included in a research database. Procedures for obtaining consent and authorization are described below.

Creating and Using the "De-Identified" Database

To determine whether a de-identified database is suitable for your research, consider whether it may ever be necessary to re-link information in the database to the identities of the data subjects for the purpose of verifying entries, adding additional information, etc. Such follow-up is generally not possible with a de-identified database that a researcher creates for his or her own use, because the researcher is not permitted to treat the database as "de-identified" if he or she has access to the keys to re-identification codes.

No IRB submissions and no HIPAA forms are required to use a research database that has already been fully de-identified (contains no identifiers, as described above); however, to de-identify data for inclusion in a research database that the PI is creating, the PI must first submit an Exempt Research Application and Application for Waiver of HIPAA Privacy Authorization to the IRB.

NOTE that studies that are subject to FDA regulation (e.g., many In Vitro Diagnostic studies) must be conducted under an IRB-approved protocol, even if the specimens and/or information used in the study are de-identified. This means that an investigator creating or using a de-identified database in FDA-regulated research must submit a New Protocol Application to the IRB.

Creating a Research Database of Identifiable Information

If you will maintain identifiable data or information in your research database, then you must submit a New Research Application to the IRB. You will be the "Database PI" for the database protocol and will be responsible for maintaining the database, controlling access to it, and making required submissions to the IRB.

In the application you should describe the data and identifiers to be included in the database, explain the scope of intended research uses for the data, and indicate how you will protect the privacy of subjects' data and security of the information (e.g., by replacing identifiers with codes, storing code keys separately, and maintaining password protection on electronic files). The application will request the information necessary for the IRB to grant a waiver of informed consent (unless you intend to ask each subject for his/her consent to include information in the database). Note that waiver of informed consent is not available for databases that are used in FDA-regulated research.

You must also comply with the HIPAA Privacy Rule in one of two ways: have each subject sign an authorization for the inclusion of his/her data (the authorization may be combined with a consent form), or submit an Application for IRB Waiver of HIPAA Privacy Authorization to the IRB.

Note that if you are interacting with (e.g., interviewing or testing) subjects/patients for the purpose of obtaining new information for the database (versus drawing from existing clinical or research information), your project will not meet criteria for waiver and you must obtain both informed consent and HIPAA authorization.

NOTE: If you are submitting an application to collect data only for use in a single study (i.e., the purpose of your research application is not to create or add to a research database to be used in future studies), the collection of identifiable information for your research is not the creation of a "research database" and is not covered by this guidance.

Using a Research Database of Identifiable Information

Each time that you query or use the identifiable research database to answer a research question you must submit to the IRB a New Research Application and Application for IRB Waiver of HIPAA Authorization if your research is either

  1. FDA-regulated; or
  2. You will record identifiers for your research (including codes linked to identifiers, if you or anyone on the study team will have access to the code keys or the ability to re-identify the subjects).

In either case, you must also submit an Application for IRB Waiver of HIPAA Authorization (HIPAA IRB Form 4) if you do not plan to obtain informed consent from the subjects.

Database FAQ

1. I maintain (or want to use) a database that was established under the old HIPAA Form 7.2 (Application for Establishment of a Research Database). What must I do?

A: JHM databases established previously using the old HIPAA Form 7.2 will be grandfathered so that no new IRB submission is required to continue to maintain the database. Investigators who wish to use such a database for research should consult this guidance to determine which forms to submit to the IRB. Note, however, that if NIH or another funder or sponsor requests documentation of IRB approval of the database to be used in the study, the PI must submit a database protocol for IRB review and approval (as described in this guidance).

2. I (or my department) would like to create a multi-user research database, and to include within it clinical and/or research data from our patients/subjects, for use in future research projects. How do we do this?

A: Following the procedures described in the database guidance document, identify one faculty member from the department who will be the Database Principal Investigator, and have that person submit the necessary forms to the IRB. We recommend that the Database PI (or someone working under his/her supervision) replace any HIPAA identifiers in the data with unique codes, and retain the code keys in a secure location. Provided that no other users of the database are permitted to access the re-identification codes, the database would be "de-identified" with respect to those other users, who would not need IRB submissions to use the database in research (unless the research is FDA-regulated).

In most cases, the Database PI should retain linking codes to enable him or her to supplement and verify the accuracy of data in the database. Because the coded data will remain identifiable with respect to the Database PI, he or she must submit IRB applications/HIPAA forms before using the data for a research purpose.

The database should contain a field indicating whether each data subject has signed a consent/HIPAA authorization form permitting his or her data to be retained in the database and used for future research. The Database PI may submit such an authorization form (using HIPAA Form 1 ) to the IRB with the database protocol, and if approved by the IRB, the form may be given to patients/subjects within the department/clinic/division. The scope of future research should be described in the authorization form in terms that are not overly broad, but that encompass the areas (e.g., disease states) of interest to the department.

If the database contains information from any patients/subjects who have not signed a consent/HIPAA authorization permitting retention of their data in a database, the IRB must grant a HIPAA waiver for the database and for any subsequent research use of identifiable information from the database.

Requirements for Creating and Using DATABASES for FUTURE RESEARCH

To Establish A Research Database for Future Studies


IRB Submission Required

Application Type

HIPAA Form

1.Human interaction required to obtain identifiable research data (except for IVD or other FDA research or recruitment databases (see #4 and #5 below) (1)

Yes

eIRB New Research Application

Indicate who will be the responsible PI for the database; describe oversight and intended use of the database (e.g., types of research) and how investigators will obtain access to the data

HIPAA Combined Informed Consent/Authorization Template

Researcher must obtain subjects'
express authorization and consent
to retain identifiable data in a database
for use in future research

2.No human interaction required to access or obtain identifiable research data (except for IVD or other FDA research (see #4 below)) (2)

Yes

eIRB New Research Application (PI will record/retain identifiers? in database)

Indicate who will be the responsible PI for the database; describe oversight and intended use of the database (e.g., types of research) and how investigators will obtain access to the data

eIRB Exempt Application (PI will not record/ retain identifiers in database)

Form 4, Application for IRB Waiver
of HIPAA Privacy Authorization,
unless it is possible to obtain authorization of each person
whose data will be entered into the database

3.De-identified data (PI is not accessing medical records or other identifiable information) (see #4 below) (3)

No

None

None

4.Data will be used in study of In Vitro Diagnostic or other FDA research. (4)

FDA regulations do not permit the IRB to exempt research using de-identified data from IRB review. Thus, if the study is subject to FDA regulations (e.g., an IVD study), and the PI wishes to establish a research database or to use a database (including tissue or specimens stored with any associated information, whether identifiable or not) for the research, the PI must submit a New Research Application to the IRB. If existing data will be de-identified for the research, the IRB may find that informed consent is not required, consistent with the JHM Policy on IVD Research. However, a New Research Application is still required.

The PI must also obtain each subject's HIPAA authorization or submit the Application for IRB Waiver of HIPAA Privacy Authorization unless all data specimens have been de-identified prior to establishment of the database or repository.

5.Recruitment databases

To create a database of PHI for recruitment only, no forms must be submitted to the IRB, provided that each patient whose information is included has signed the HIPAA Form 3, Authorization to Contact You About Future Research Studies or provided consent to be contacted for future research in another IRB-approved study. NOTE: The researcher may use the recruitment database only in connection with an approved study.

To Use an Established Database for Research


IRB Submission Required

Application Type

HIPAA Form

1.Human interaction required to obtain identifiable research data (except for IVD or other FDA research or recruitment databases (see #4 and #5 below)

Follow procedures described in Row 2, below

2.No human interaction required to access or obtain identifiable research data (except for IVD or other FDA research (see #4 below))

Yes

eIRB New Research Application (PI will record/use identifiers in study)

eIRB Exempt Application (PI will not record/use identifiers for study)

Form 4, Application for IRB Waiver of HIPAA Privacy Authorization,

3.De-identified data (PI is not accessing medical records or other identifiable information) (see #4 below)

No

None

None

4.Data will be used in study of In Vitro Diagnostic or other FDA research

FDA regulations do not permit the IRB to exempt research using de-identified data from IRB review. Thus, if the study is subject to FDA regulations (e.g., an IVD study), and the PI wishes to establish a research database or to use a database (including tissue or specimens stored with any associated information, whether identifiable or not) for the research, the PI must submit a New Research Application to the IRB. If existing data will be de-identified for the research, the IRB may find that informed consent is not required, consistent with the JHM Policy on IVD Research. However, a New Research Application is still required.

The PI must also obtain each subject's HIPAA authorization or submit the Application for IRB Waiver of HIPAA Privacy Authorization unless all data specimens have been de-identified prior to establishment of the database or repository.

5.Recruitment databases

To create a database of PHI for recruitment only, no forms must be submitted to the IRB, provided that each patient whose information is included has signed the HIPAA Form 3, Authorization to Contact You About Future Research Studies or provided consent to be contacted for future research in another IRB-approved study. NOTE: The researcher may use the recruitment database only in connection with an approved study.

1. E.g., new data will be collected from subjects during a study and retained for future use.
2. Data already exists and includes some or all of the specified HIPAA identifiers; the data were collected for clinical or administrative purposes (e.g., medical records data associated with pathology samples), OR data were collected during a prior study.
3. Data do not include any of the specified HIPAA identifiers, and investigator has no access to identifiers or code keys.
4. See IRB Guidance on In Vitro Device and other FDA research.
Note: For information about the creation, use, or disclosure of HIPAA limited data sets, consult IRB.

Attachment B

De-identified Data: De-identified data are not considered to be Protected Health Information (PHI). The Safe Harbor under HIPAA permits a covered entity to consider data "de-identified" if all of the following identifiers removed:

  • Names
  • Geographic subdivisions smaller than a state except first three digits of the zip code;
  • All elements of dates (except year) for individuals under 90 years old; all elements of dates (including year) for those 90 years old or older;
  • Telephone numbers;
  • Fax numbers;
  • E-mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet protocol address numbers;
  • Biometric identifiers, including voice and finger prints;
  • Full face photographic images and any comparable images;
  • Any other unique, identifying number characteristic, or code, except for unique codes, provided that the persons who receive or use the data do not have access to the code keys or any means of re-identifying data subjects.

AAHRPP

 

 

Traveling for care?

blue suitcase

Whether crossing the country or the globe, we make it easy to access world-class care at Johns Hopkins.

U.S. 1-410-464-6713 (toll free)
International +1-410-614-6424

 

 
 
 
 
 

© The Johns Hopkins University, The Johns Hopkins Hospital, and Johns Hopkins Health System. All rights reserved.

Privacy Policy and Disclaimer