Organization Policy on IRBs and Privacy Boards – Research (Policy No. HIPAA 164.2)

December 2006

Definitions

Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of PHI to persons or entities outside of the Johns Hopkins Covered Entities and Related OHCA Participants.

HIPAA means the Health Insurance Portability and Accountability Act of 1996.

Johns Hopkins Covered Entities and Related OHCA Participants -- see Johns Hopkins Privacy Office website for HIPAA Forms/Policies Templates or http://intranet.insidehopkinsmedicine.org/privacy_office

Protected health information or PHI means protected health information, i.e., individually identifiable health information, as defined under the Privacy Regulations promulgated under HIPAA.

Research

For purposes of this policy, research includes any systematic investigation (including research development, testing, and evaluation) that has as its primary purpose the development of or contribution to generalizable knowledge

  • Generalizable knowledge.  Knowledge may be generalizable even if a research study uses only protected health information held within Johns Hopkins and the results are generalizable only to the population served by Johns Hopkins.  Research is therefore not limited to clinical trials funded by government sponsors (such as the National Institutes of Health) or commercial sponsors.  However, quality assurance and utilization management activities do not typically result in generalizable knowledge and thus would not be governed by this policy.  Also, unplanned observations which may result in generalizable knowledge are not covered by this policy.
  • Primary purpose.  The development or contribution to generalizable knowledge must be the primary purpose of the investigation for this policy to be applicable.  In some instances, the primary purpose of the activity may change as preliminary results are analyzed.  An activity that was initiated as an internal Johns Hopkins outcomes evaluation, for example, may produce information that Johns Hopkins intends to generalize.  If the purpose of a study changes and the results will be generalized, the Principal Investigator (“PI”) must notify the IRB/PB and the IRB/PB must document the change in status of the activity.

If an activity would be considered "research" under other applicable Johns Hopkins policies, it should be considered research for purposes of this policy.

Use means the sharing, employment, application, utilization, examination or analysis of PHI within the Johns Hopkins Covered Entities and Related OHCA Participants.

Workforce members, for purposes of this policy only, are persons under the direct control of Johns Hopkins, including, but not limited to, all employees, medical and other students, interns, residents, fellows, researchers, staff, faculty, trainees, volunteers, temporary personnel, consultants, contractors and subcontractors.  “Workforce members” also includes all physicians and allied health professionals, whether or not employed by Johns Hopkins. 

Policy

Scope of Policy

This policy applies to any persons requesting access to or use of any protected health information for research purposes, the Johns Hopkins Institutional Review Boards and Privacy Boards (“IRB/PB”), the IRB/PB’s designees. 

Statement of Policy

Protected health information received or maintained by Johns Hopkins may not be used internally or disclosed to any persons or organizations outside Johns Hopkins for human subjects research purposes without prior approval by the IRB/PB in accordance with this policy.  The IRB/PB may designate one or more persons to act on its behalf as specified in this policy.  All references to the IRB/PB in this policy include the IRB/PB’s designees unless expressly excluded.  All requests for access to protected health information for research purposes must be made and reviewed in accordance with the procedures explained below.

Procedures

Certain requirements apply to the use and disclosure of protected health information in connection with all research involving human subjects.  As a general rule, the IRB/PB may not authorize the use or disclosure of protected health information for these purposes except:

  • for reviews preparatory to research;
  • for research on the protected health information of a decedent;
  • if Johns Hopkins obtained the informed consent of the individual to participate in the research, or the IRB approved a waiver of such informed consent, prior to April 14, 2003;
  • if the information is “completely de-identified”;
  • if the information is partially de-identified into a “limited data set” and the recipient of the information signs a data use agreement to protect the privacy of the information;
  • if Johns Hopkins has obtained a valid privacy authorization (whether a separate form or a combined informed consent/authorization form) from the individual who is the subject of the information; or
  • if the IRB/PB approves a waiver of the individual privacy authorization requirement.

The specific requirements for each of these exceptions are discussed below.

Special rules apply to the use and/or disclosure for research purposes of psychotherapy notes. Additional information on research involving psychotherapy notes can be found in the Johns Hopkins Policy for Psychotherapy Notes (Policy 164.3 – Organization Policy on the Use or Disclosure of Psychotherapy Notes for Research).

The IRB/PB must determine that one of the exceptions summarized above and described in greater detail below applies before permitting the use or disclosure of any protected health information for research purposes. The IRB/PB should require either an individual authorization or a waiver of authorization if he or she has any doubt about whether any other exception is applicable.  All Johns Hopkins research activities also must comply with other applicable Johns Hopkins policies relating to research (such as Johns Hopkins policies addressing Common Rule and FDA requirements for research) and with any additional requirements that apply to the specific types of information involved in the research.  Finally, to the extent members of the Johns Hopkins workforce provide treatment to subjects as part of a research study, they must follow other Johns Hopkins policies to the extent those policies apply to the provision of health care to individuals.  

General Prohibition and Exceptions

The IRB/PB may not authorize the use or disclosure of protected health information for research purposes unless at least one of the following exceptions applies:

1. Reviews Preparatory to Research.  The HIPAA Privacy Rule allows researchers to access protected health information for reviews preparatory to research if certain representations are made.  However, at Johns Hopkins all human subjects research, including screening of records and recruitment of subjects, must be approved by an IRB.  Because the IRB reviews and approves all screening of records and recruitment of subjects in the IRB’s protocol approval process, HIPAA’s concept of “reviews preparatory to research” is incorporated into the IRB review process.  This happens in one of two ways.  First, if subjects will be asked for their authorizations to review files and/or be recruited, such authorization obviates the need for any representations from the PI for a review preparatory to research.  Second, if subjects will not be asked for their authorizations to review files and/or be recruited, the IRB’s approval of the protocol will include a waiver of authorization which also obviates the need for any representations from the PI for a review preparatory to research.

However, if a review preparatory to research activity would be an exempt activity under regulations relating to human subjects research (45 CFR § 46.101(b)) but involves the use of protected health information as defined under HIPAA, then the IRB will not approve the review preparatory to research as part of a protocol.  In such case the researcher would need to make the following HIPAA representations:

  • the use or disclosure is sought solely to prepare a research protocol or for similar purposes preparatory to research;
  • no researcher will remove any protected health information from Johns Hopkins’ premises in the course of the review; and
  • the protected health information for which use or access is sought is necessary for the research purposes.

The IRB/PB must approve the activity based on the representations of the PI. HIPAA IRB Form 6 is the certification form that must be signed by researchers seeking access to protected health information for preparatory reviews.

During the preparatory review, those granted access may record information only in a form that is “de-identified.”  Appendix A describes the information that constitutes de-identified information. 

2. Research on the Protected Health Information of a Decedent.  Under the Common Rule and FDA requirements, the IRB/PB does not review research on data relating to decedents.  However, under the HIPAA Privacy Rule, access to identified information on decedents requires that certain representations be made by the researcher.  The IRB/PB has assumed the role of assuring that those representations are made.  The IRB/PB may permit the use and disclosure of the protected health information of a decedent for research purposes if the PI submits to the IRB/PB representations that the use or disclosure is sought solely for research on the protected health information of a decedent (e.g., researchers may not request a decedent’s medical history to obtain health information about a decedent’s living relative) and that the information for which use or disclosure is sought is necessary for the research purposes.  The PI must provide, at the IRB/PB’s request, documentation of the death of any individuals about whom information is sought. HIPAA IRB Form 5 is the certification form that must be signed by researchers seeking to engage in research on the protected health information of a decedent.

3. Informed Consents Obtained or Waivers of Informed Consent Approved Prior to April 14, 2003. The IRB/PB may approve the use or disclosure of protected health information for a specific research project provided that one of the three following requirements is met:

  • Express Legal Permission For Use And Disclosure Of Protected Health Information.  If, prior to April 14, 2003, the researcher obtained express legal permission from the individual that specifically authorizes a use or disclosure of protected health information for purposes of the research project, the IRB/PB may permit the use or disclosure for purposes of that project.  However, any restrictions on the use and disclosure of health information provided in the express legal permission must be honored.
  •  General Informed Consent.  If, prior to April 14, 2003, the researcher obtained the individual’s informed consent to participate in a specific research project, the IRB/PB may permit a use or disclosure of protected health information for purposes of that project even though the informed consent does not specifically authorize the use or disclosure of protected health information for purposes of the research project.  However, any restrictions on the use and disclosure of health information stated in the IRB approved informed consent document must be honored.
  • Waiver Of Informed Consent.  If, prior to April 14, 2003, the researcher obtained an IRB waiver of the informed consent requirement (in accordance with the Common Rule) for a specific research project, the IRB/PB may permit a use or disclosure of the individual’s protected health information for purposes of that project.  However, if the researcher obtains an individual subject’s informed consent at any time on or after April 14, 2003, the researcher also will be required to obtain the individual’s Research Authorization (as provided in this policy) at that time. 

           

4. Completely De-identified Information.  The IRB/PB may allow completely de-identified information to be used and disclosed for research purposes without restriction.  Information may be considered completely de-identified only when either (1) a qualified statistician documents his or her determination that the risk of identification is very small (see Appendix A of this policy), or (2) the information meets the safe harbor requirements described in Appendix A of this policy.  (See also, JH HIPAA Policy A042 De-identified Health Information)  If the IRB/PB has any doubts as to whether protected health information has been completely de-identified within the meaning of this policy, the information should be treated as though it were not completely de-identified and neither used nor disclosed for research purposes unless it meets the criteria for another exception.

5. Limited Data Set.   The IRB/PB may allow the use and disclosure for research purposes of a limited data set including a partially de-identified subset of the individual’s protected health information, provided that the person using or receiving the information has signed a Data Use Agreement through which he or she agrees to protect the privacy of the information received.  Appendix B of this policy provides more information about the identifiers that must be removed from an individual’s protected health information in order to create a limited data set.  (See also, JH HIPAA Policy A091 – HIPAA Related Agreements, and HIPAA IRB Form 9.)

6. Subject Authorization For Research.  The IRB/PB may allow the use and disclosure of protected health information pursuant to a completed and signed privacy authorization form.  This may be a separate form or combined with the informed consent.  (See HIPAA IRB Form 1 "Authorization for Use and Disclosure of Health Information for Research" , and HIPAA IRB Form 2 "Combined Informed Consent/Authorization Template".) Permissible uses and disclosures are limited to those described in the authorization, even though those permissible uses and disclosures may be more limited than what the Johns Hopkins’ Notice of Privacy Practices describes. 

The authorization must be completed by the PI.  It is the responsibility of the Principal Investigator to ensure that the authorization form covers the uses and disclosures necessary for the research study.  Instructions on preparing the authorization form are included with the form. 

After preparing the form, the PI must submit the form to the IRB/PB for approval.  The IRB/PB must stamp its approval on the form before any protected health information obtained by Johns Hopkins may be used or disclosed for research purposes.

When obtaining an authorization, an individual’s ability to receive research-related treatment as part of a research study is conditioned upon the individual’s agreement to sign the authorization form.  However, in presenting the authorization form to prospective subjects, researchers must not suggest that failure to sign the form will limit access to any treatment that may be available outside the study.  Any questions about the availability of treatment outside the study should be referred to the prospective subject's physician(s). 

7. IRB/PB Approval of Waiver.  (In this Section 7 “IRB/PB” refers only to the IRB or the PB and not to the IRB/PB’s designee.)  The IRB/PB may allow the use and disclosure of protected health information for research purposes if the IRB/PB grants a partial or total waiver of the authorization requirement.  If the IRB or Privacy Board grants only a partial waiver – that is, if it modifies or waives only some elements of the privacy authorization form or process – the IRB/PB must condition the use and/or disclosure of any protected health information for research purposes on compliance with any authorization requirements not waived and as modified.  For example, if an IRB/PB grants a partial waiver of authorization to allow a researcher to obtain protected health information without a privacy authorization to recruit potential research participants, the researcher still must obtain privacy authorizations from the subjects to use or disclose protected health information for the study itself.

The IRB/PB must document the waiver. (See Form 4  Application for IRB Waiver of HIPAA Privacy Authorization.)  The documentation must include at least:

  • the name of the IRB/PB (not the names of individual members of the board);
  • the date on which the waiver was approved;
  • the signature of the Chair of the IRB/PB, or other member designated by the chair;
  • a statement that the IRB/PB has determined that the waiver satisfies the required criteria;
  • a brief description of the protected health information that the IRB/PB has determined is necessary for research purposes; and

EXAMPLE:   If the IRB/PB approves only the use or disclosure of certain information from individuals’ medical records, and not individuals’ entire medical records, this must be stated on the document certifying IRB/PB approval.

  • a statement that the waiver has been reviewed and approved under either normal or expedited review procedures and that all applicable procedures were followed.

For more information on the waiver criteria and on IRB/PB documentation, please consult Appendix C of this policy.

Note:  A waiver of individual authorization under this policy is not a waiver of the requirements of informed consent for the project or of any other consent required by Johns Hopkins’ policies.  The IRB/PB may waive or alter informed consent requirements, but the IRB/PB must review a request to waive or alter informed consent requirements separately under criteria set forth in the Common Rule or FDA procedures.

Individual Access

Individuals generally have a right to access all their protected health information maintained by Johns Hopkins or its business associates in a designated record set (as defined in federal privacy regulations). Any patient requesting access to protected health information obtained in the course of research (including protected health information that may be contained in research records) should be directed to submit his or her request to the Medical Records Department of the Johns Hopkins entity for processing in accordance with Johns Hopkins’ policy Right to Access Designated Record Set, which provides detailed guidelines for responding to such requests.  The Medical Records Department will determine, with assistance from the Johns Hopkins Privacy Officer and the researcher, whether access to protected health information should be granted, or denied under any of the exceptions described in that policy.  Please note: Access to psychotherapy notes is limited by law.  See the Johns Hopkins Policy for Psychotherapy Notes (Policy No. HIPAA 164.3).

Documentation

The IRB/PB must retain any writings or documentation required by this policy for six years from the date of the creation of the information or the date when it last was in effect, whichever is later.


APPENDIX A

Complete De-Identification – Safe Harbor

APPENDIX B

Creation of Limited Data Set

APPENDIX C

IRB or Privacy Board Waiver Process

Privacy Boards or Institutional Review Boards (“IRB”s) functioning as Privacy Boards (but not their designees) may grant waivers of the research authorization requirement described in this policy.  The purpose of this Appendix is to assist researchers in submitting waiver requests to an IRB or Privacy Board by providing a brief description of the role of the IRB or Privacy Board and explaining what the IRB or Privacy Board is required by federal law to consider when evaluating the requests. 

Differences Between IRBs and Privacy Boards.  A Privacy Board is constituted solely to review research protocols and grant waivers, when appropriate, under the Health Insurance Portability and Accountability Act of 1996 and implementing regulations (“HIPAA”).  An IRB may also grant waivers under HIPAA, but only an IRB may review research protocols as required by other laws and policies and waive or alter informed consent requirements for a research study.   This means that Privacy Board members will focus almost exclusively on subjects’ privacy – the primary concern of HIPAA – whereas IRB members will focus more broadly on subjects’ welfare, as the Common Rule requires.  If the IRB is asked to grant a waiver under HIPAA, IRB members must separately consider their roles as privacy guardian under HIPAA and overall welfare guardian under other laws and IRB policies.

Composition of IRBs and Privacy Boards.  Under HIPAA, in order for an IRB to approve a waiver request, an IRB must be established in accordance with the Common Rule.  Under HIPAA, in order for a Privacy Board to approve a waiver request, a Privacy Board must be established in accordance with the HIPAA Privacy Regulations.  Those regulations require that the Privacy Board must:

  • include members of varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests;
  • include at least one member who is not (1) affiliated with Johns Hopkins, (2) affiliated with any entity conducting or sponsoring the research, or (3) related to any person who is affiliated with either Johns Hopkins or an entity conducting or sponsoring the research; and
  • ensure that members who may have a conflict of interest abstain from participating in the review.

Criteria that the IRB or Privacy Board Must Consider.  An IRB or Privacy Board must document that the requested waiver satisfies each of the following criteria:

  • the use or disclosure involves no more than minimal risk to the privacy of the individuals because:
    • there is an adequate plan to protect the “identifiers” (the types of information listed in Appendix A of this policy);
    • there is an adequate plan to destroy the “identifiers” at the earliest opportunity, unless there is a health (i.e., individual care) or research justification for retaining the identifiers or their retention is required by law; and
    • there are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except (1) as required by law, (2) for authorized oversight of the research project, or (3) for other research for which the use or disclosure of protected health information is otherwise permissible under this policy.
  • the research could not practicably be conducted without the waiver; and
    • The difference between impossibility and impracticability is important.  In a research study that involves thousands of records, it may be possible to track down all potential subjects, but doing so may entail costs that would make the research impracticable.  Authorization may not, however, be waived simply for convenience.
    • If a researcher is to have direct contact with research subjects during the course of the research, the researcher should be able to seek and obtain authorizations for the use and disclosure of the research subjects’ protected health information for the research study.  Because most clinical trials could practicably be conducted without a waiver, research involving treatment will ALMOST NEVER be eligible for an IRB or Privacy Board waiver.  (The IRB or Privacy Board could, however, grant a partial waiver for recruitment in a clinical trial).
  • the research could not practicably be conducted without access to and use of the protected health information.
    • If a researcher can practicably use de-identified health information or a limited data set for a research study, a waiver of authorization should not be granted.

Review Procedures.  If the PI applies to an IRB to approve a waiver as described above, the IRB will follow the Common Rule’s normal or expedited review procedures as applicable.  If the PI applies to a Privacy Board to approve the waiver, the Privacy Board may:

  • review proposed research at convened meetings at which a majority of the Privacy Board members are present, including at least one member who is not (1) affiliated with Johns Hopkins, (2) affiliated with any entity conducting or sponsoring the research, or (3) related to any person who is affiliated with either Johns Hopkins or an entity conducting or sponsoring the research; or
  • approve the waiver pursuant to an expedited review procedure, in which case the review and approval of the waiver of authorization may be carried out by the chair of the Privacy Board, or by one or more members of the Privacy Board as designated by the chair.