HIPAA Questions and Answers Relating to Research Databases
Questions 1: I understand that certain types of databases require IRB approval and a HIPAA waiver under the Privacy Rule. I’m not sure I understand what databases are covered by this requirement.
Answer: Maybe the easiest way to approach this is to talk about what databases are not covered by this requirement. First, Hopkins’ entire clinical database is not a “research database” even though it may be used for research. When patients come to Hopkins, clinicians collect data and specimens that identify each patient (“health information”). This information is used for a myriad of treatment, payment and operations purposes. For example, this health information may be used to follow patients, perform look-backs when clinical problems are discovered, and to schedule follow-up visits, or for billing purposes, plan eligibility verification, quality assurance activities, teaching activities, preparing clinical protocols, etc.
Identifiable health information in the general clinical database may also be used for research under certain circumstances. Although the general clinical database is not itself a “research database” that requires IRB approval and a HIPAA waiver, the clinical database may not be used for a research purpose (e.g., queried to answer a research question) without meeting IRB and HIPAA requirements.
Question 2: But what about a database that was created by a clinician/researcher by extracting health information from the general clinical database?
Answer: A database that was created from the general clinical database may or may not be a “research database“ requiring a protocol and an IRB waiver. The answer depends upon the intended use of the secondary database. If the clinician/researcher created the secondary database as the “shadow record” for his or her patients and uses the database to follow patients, perform look-backs when clinical problems are discovered, schedule follow-up visits, perform QA or QI activities, prepare teaching materials, or prepare clinical protocols, then, like the general clinical database, this secondary or “abstracted” database would not be a “research database.”
On the other hand, if this abstracted database was created principally for research purposes (sole or predominant purpose is to analyze the data to answer a research question or to use the data for future studies), whether by the clinician/researcher for his/her own use or for the use of others in the department or elsewhere, this would be a “research database.” If the database was previously “established” using IRB HIPAA form 7.4, no additional IRB approval is necessary. Otherwise, the investigator who has created the database should submit an application for IRB approval of the database, along with a HIPAA waiver of Authorization, using eIRB.
Researchers or departments wishing to use departmental clinical information to create a de-identified or coded research database that may be used by multiple researchers will find instructions on the IRB website. (See the JHM IRB guidance on “Research Databases.”)
Question 3: What if the database is created by a researcher who is not a clinician/ researcher?
Answer: The answer would be the same, but it is more likely that the intent for creation of the database would be research. It is possible that a researcher could extract health information from the clinical database to create another database for operations purposes (i.e., non-research). For example, if QA/QI is the focus of the researcher and the IRB does not find the activity to be research reviewable by the IRB, the database would not be a “research database” requiring IRB approval or a HIPAA waiver. However, this likely would be the exception. A non-clinician’s intent` in creating a database more likely will be for the purpose of research.
Question 4: Could you give me some examples of research databases?
Example 1: A surgeon/researcher creates a database with health information of all his/her patients. The surgeon does not expect to use the database for clinical care, QA/QI, etc. The principal purpose of the database is to be available for use in future research protocols for which the surgeon/researcher would obtain future IRB approval. The surgeon/researcher also makes the database available to other researchers with approved protocols. In this example, the surgeon should submit an eIRB application for approval of the database and upload a HIPAA waiver (using HIPAA IRB Form 4, “Application for IRB Waiver of Privacy Authorization”) into the application.
Example 2: A pathologist/researcher routinely collects extra blood or tissue which otherwise is not needed for the clinical database or would be discarded. Identifiable patient health information would be attached in some form to the specimens collected. This databank is intended to be used and is used principally for research for which the pathologist/researcher would obtain IRB approval. In this example, the pathologist will need to follow the same path to compliance as the surgeon described above: submit an application to the IRB with a protocol for the maintenance of the database and request a waiver of HIPAA Authorization, as described above.
Question 5: In your last example, what if the pathologist/researcher already has IRB approval for the creation and maintenance of the research database?
Answer: If the pathologist/researcher received IRB approval for the creation and maintenance of the research database prior to 4/14/03, no further action by the IRB is needed to allow the researcher to create and maintain the database, provided that the IRB also waived informed consent for entry of patients' data and tissue into the database or repository prior to 4/14/03. Due to a special "transition" provision in the HIPAA regulations, this IRB waiver of informed consent prior to 4/14/03 may also be treated as a HIPAA waiver of Authorization, even for patients who enter the database or repository on and after April 14, 2003.
In contrast, if the creation and maintenance of a database or repository was not approved by an IRB prior to April 14, 2003 OR was approved prior to April 14, 2003 but without a waiver of informed consent, the researcher must submit a new IRB protocol and application for HIPAA waiver of Authorization to create or maintain the database. Any use of the database for research will require a separate IRB application and application for HIPAA waiver of Authorization.
If a database was “established” through the use of HIPAA Forms 7.1 or 7.2, it received an IRB waiver of HIPAA Authorization and may be maintained without further submissions to the IRB. If, however, the researcher wishes to add data to such a database or to use the database for research, IRB approval of a database protocol will now be required in addition to waiver of HIPAA authorization.
Question 6: What about adding health information to these research databases on or after 4/14/03?
Answer: Researchers must have Authorization and informed consent from the patient or a waiver of both from the IRB to add health information to research databases on or after 4/14/03. For existing approved protocols, if the IRB waived consent for adding new data to the database prior to 4/14/03, no new approval is needed (see Question 5). However, for existing approved protocols where the IRB approved use of an historical database, and the researcher now wants to add more health information to the database, new IRB approval will be needed to do so. In addition, the IRB must approve a waiver of HIPAA Authorization unless the researcher will obtain each patient’s HIPAA Authorization (in an IRB-approved form) to allow his or her health information to be added to the database and used in future research. The same would be true for “research databases” created with IRB approval and IRB waiver of consent prior to 4/14/03, where the IRB waiver of consent did not specifically address adding new data to the database.
Question 7: This sounds complicated. What forms do I use for all this?
Answer: The HIPAA IRB Form 4 form is available on the OHSR website, and through eIRB. To obtain (as applicable) IRB approval of the research database protocol, with a waiver of informed consent and a HIPAA waiver of privacy authorization, submit an application through eIRB. The eIRB software will request the necessary information and forms from you.
Question 8: What is the best way to create a departmental research database that may be used by multiple investigators?
Answer: The JHM IRB has information that will assist investigators who wish to use departmental clinical information to create a multi-user research database that may be used in future research. (See JHM IRB guidance on Research Databases ). If it is possible for the database PI to de-identify information in the database prior to use, then the PI may use the database under an IRB Exempt Application, with no HIPAA waiver needed. If the IRB-approved research database protocol specifies that outside investigators may use the database, but that all PHI will be stripped from the data before they are shared with the outside investigators, then the projects conducted by those investigators may not be human subjects research and may not require IRB review. Please review the Research Database Guidance for more details.
Question 9: What if I have more questions?
You may contact Joanne Pollak via: