Northeast Ohio Medical University

HIPAA Application

Northeast Ohio Medical University

Use of Private Health Information (PHI) Application

Office of Research and Sponsored Programs

Instructions: Your application must include a completed printout of this form, together with your complete IRB packet. Answer ALL questions in the application form; do NOT say, “see protocol.” Refer to NEOMED Standard Operating Procedures for Human Subjects Research – Appendix A for directions in completing this form and submitting your HIPAA application to the IRB.

If you are applying for an expedited review, please submit 1 copy with original signatures, If you are submitting to the full board for review, please submit 1 copy with original signatures to Trish Wilson, Research Coordinator, Office of Research and Sponsored Programs, IRB Office, Room G-235, NEOMED Rootstown Campus.

Failure to properly complete this application will delay final review of your protocol!

Please read “NEOMED HIPAA Policies and Procedures” prior to completing this application.

First investigator listed belowmust be a NEOMED faculty member.

I. INVESTIGATORS(names, degrees) / Dept./Section/Location / Telephone / Email / Status
Faculty/PIFaculty/Co-PIOther
FacultyStaffStudent/Fellow
FacultyStaffStudent/Fellow
FacultyStaffStudent/Fellow
FacultyStaffStudent/Fellow
FacultyStaffStudent/Fellow
Ia. Staff Contact / Research Coordinator / Telephone / FAX / Location and Room #
II. TITLE OF PROTOCOL
III. TRAINING: HIPAA Policies and Procedures are located on the Research and Sponsored Programs Web-Site. By signing this statement the PI is acknowledging that they are taking responsibility that they and the key personnel involved in this research have read and understand the NEOMED HIPAA Policy and Procedures. Reading and understanding these policies will meet the requirements for HIPAA training until further notice.
“I have read NEOMED’s Policies and Procedures for HIPAA and all key personnel have also read the Policy and Procedures for HIPAA.”
PI Signature . Date .

REQUIRED INFORMATION: (Double-click on boxes below if using electronic version of this form)

1)Type of Review Requested:

a) Full Board Review (More than minimal risk for privacy issues)

b) Expedited Review (Minimal risk for privacy issues)

2)Data Use Agreement:

a) All studies which use PHI must have a signed Data Use Agreement on file with the IRB. A copy of NEOMED’s “Data Use Agreement” is found at the end of this application. Please complete and return with this application.

3)Please list specifically what health information is used in this study (i.e. blood pressure, CBC, weight. Must be more specific then just “test results” or “health history”)

a)

b)

c)

d)

e)

f)

g)

4)De-Identified Data Set: Health information is considered de-identified when it does not identify an individual and there is no reasonable basis to believe that the information collected for the research can be used to identify an individual. HIPAA regulations considerinformation to be de-identified if the 16 identifiers listed below are not found in the data set and if the health data retrieved for the research project could not be used alone, or in combination, to identify the subject.

Please check below all identifiers that you will be including in your study:

Geographic Info Smaller than State (Including street address, city, county, precinct, zip code [except for first 3 numbers if more than 15,000 live in the zip code) and geocodes

All Dates (However, can use year) (Including but not limited to birth date, admission date, discharge date, date of death, age and date of service)

NamesTelephone Numbers (Including fax numbers)

E-mail addressesSocial Security Number

Medical Records NumbersHealth Plan Beneficiary Numbers

Account Numbers (of any kind)Certificate/License Number

Vehicle Identifiers (including license plates)Device Identifiers and Serial Numbers

Web URL and IP addressesAny unique identifying number characteristic

Full face photographic imagesBiometric identifiers (including finger/voice prints)

If you have checked any box above, you DO NOT have a de-identified dataset.

5)Limited Data Set: A limited data set is information disclosed to a researcher who has no relationship with the individual whose information is being disclosed. The covered entity is permitted to disclose PHI, with direct identifiers removed, subject to obtaining a data use agreement from the researcher receiving the limited data set and approval from the Institution Review Board. A data use agreement specifies permitted uses and disclosures, specifies who may use or receive the data set, restricts further use and disclosure, and restricts re-identification of the data or contact with the individuals. The PHI in a limited data set may not be used to contact subjects. The Institutional Review Board may allow waivers of authorization for use of limited data sets in research. If the data are to be removed from the covered entity, the researchers must sign a data use agreement with the covered entity and the NEOMED IRB.

* Direct identifiers that must be removedfrom the information in order to have a limited data set are: (Please check all that are included in your study)

Geographic Info Smaller than State (Including street address, city, county, precinct, zip code [except for first 3 numbers if more than 15,000 live in the zip code) and geocodes

NamesTelephone Numbers (Including fax numbers)

E-mail addressesSocial Security Number

Medical Records NumbersHealth Plan Beneficiary Numbers

Account Numbers (of any kind)Certificate/License Number

Vehicle Identifiers (including license plates)Device Identifiers and Serial Numbers

Web URL and IP addressesAny unique identifying number characteristic

Full face photographic imagesBiometric identifiers (including finger/voice prints)

Identifiers that are allowedin the limited data set are: (Please check all that are included in your study)

StateCounty

CityZip Code (and/or geocode)

Birth DateDate of Death

AgeDate of Service

6)Are You Applying for A Waiver of Authorization (Consent form from each participant to sign to use their Private Health Information)?

(To receive a waiver of authorization your study must meet ALL of the following requirements.)

• Would the Authorization be the only record linking the subject and the research subject and the principal risk would be potential harm resulting from a breach of confidentiality?
• YesNo
• Does the use or disclosure of protected health information involve no more than minimal risk to the privacy, safety, and welfare of the individual?
• YesNo
• Will the waiver of authorization adversely affect the rights and welfare of the subjects?
• YesNo
• Could the research be practicably conducted without the waiver or alteration?
• YesNo
• Could the research be practicably conducted without access to the protected health information?
• YesNo
• If appropriate, will the subjects be provided with additional pertinent information after participation?
• YesNo

If your study does not meet all of the above requirements, a signed HIPAA Authorization for data use will be required from each participant enrolled in your study. A HIPAA Authorization template can be found at Please complete and return with this application.

7)Accounting Requirements?(Are you required to keep a separate list in the chart of where this information has been disclosed)

Type of Research you are conducting Needs Accounting in Chart?

Research Subject signs an Authorization NO accounting required

De-Identified Data w/waiver of Authorization NO accounting required

Limited Data Set w/waiver of Authorization NO accounting required

Identifiable Info w/waiver of Authorization (very rare) * ACCOUNTING required*

*Research subjects may request an accounting of disclosuresgoing back for up to six years.

Does Your Research Require an Accounting for all PHI accessed, according to the above table?

YesNo

What risks are posed by the use of the data and how have they been minimized?

a)

8)What is the justification for access to the data and why are they necessary to conduct the research?

a)

9)What plan does the researcher have to protect identifiers from improper use or disclosure?

a)

10)What is the researcher's plan to destroy the identifiers? If it is not possible to destroy the identifiers, what is the health, legal, or scientific justification?

a)

11)Provided adequate written assurance that the PHI will not be used or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject?

a)

Northeast Ohio Medical University

Institutional Review Board

DATA USE AGREEMENT

Instructions: Your HIPAA application must include a completed printout of this form, together with your proposed Authorization (if required), and all IRB other requirements.

Failure to properly complete this agreement will delay final review of your protocol. Refer to NEOMED Guidelines for Protection of Human Subjects in Research Appendix A “Policy and Guidance for HIPAA” for directions in completing this Data Use Agreement and submitting your final application to the IRB. If you are applying for an expedited review, please submit 3 copies of this document. If you are submitting to the full board for review, please submit 1 copy of this document. Send HIPAA applications and Data Use Agreement to Trish Wilson, Research Coordinator, Office of Research and Sponsored Programs.

First investigator listed belowmust be a NEOMED faculty member. You may designate only 1 PI below who must sign and date this form. Designated signatures will not be accepted.

I. INVESTIGATORS(names, degrees) / Dept./Section/Location / Telephone / Email / Status
Faculty/PIFaculty/Co-PIOther
FacultyStaffStudent/Fellow
FacultyStaffStudent/Fellow
FacultyStaffStudent/Fellow
FacultyStaffStudent/Fellow
FacultyStaffStudent/Fellow
Ia. Staff Contact / Research Coordinator / Telephone / FAX / Location and Room #
IV. TITLE OF PROTOCOL

I understand that the approval of this request is contingent upon my complete agreement:

1)The use or disclosure is sought solely to

a)Review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research –or-

b)A waiver of authorization is currently being pursued and the research is not in progress.

2)No protected health information will be removed from the Institution during the course of the review that has not already been approved by the Institutional Review Board and

3)The protected health information sought is necessary for the research purposes.

I certify that I will carry out the proposed data collection/research in compliance with the principals stated above and those directed by the NEOMED Institutional Review Board.

Signature of Principal InvestigatorDate

1 of 1