1PURPOSE
These are the procedures by which the Human Subjects Division (HSD) and the UW Institutional Review Boards (IRBs) fulfill their obligations with respect to the federal Health Insurance Portability and Accountability Act (HIPAA) and related Washington State (WA) regulations.See GUIDANCE: HIPAA and UW Medicine Compliance Policy Glossary of Terms for definitions.
2POLICY
2.1The UW IRBs comply with specific responsibilities assigned to IRBs by HIPAA and WA law for the protection of Protected Health Information (PHI). In addition, HSD and the UW IRBs assist the UW HIPAA-covered entity in meeting certain compliance obligations with respect to PHI.
2.2The UW covered entity establishes policies and responsibilities concerning HIPAA, WA law, and PHI in the UW MedicineCompliance Policies.Use and Disclosure of Protected Health Information (PHI) – COMP.103 focuses on HIPAA and research.Guidance for HSD and the IRBs isprovided in theGUIDANCE: HIPAA.
3PROCEDURES: HIPAA-related Pre-review of Researcher Materials
3.1Is PHI being accessed or obtained? HSD staff identify whether PHI will be accessed or obtained.
3.2Does the activity meet the definition of “human subjects research”? It may not, if the PHI is de-identified, in a limited data set, or from decedents.
3.2.1If NO and the activity consists solely of the PHI use: HSD staff follow the standard procedure for a Not Human Subjects Research determination. In addition, staff determine whether a waiver of HIPAA authorization is needed. If yes, a wavier may be granted as described below in Section 4.2.
3.3Is a waiver required in order to conduct the research?HSD staff assess the proposed activities to make this assessment.
3.4Is HIPAA authorization embedded in the consent form? UW policy does not allow the HIPAA authorization to be embedded within a consent form.
4PROCEDURES: Waiver or Alteration of HIPAA Authorization
4.1IRB review. The IRB determines whether the research meets the criteria for granting a waiver of HIPAA authorization. This is usually accomplished as part of the IRB’s review of whether the research meets the federal human subjects regulatory criteria for IRB approval.The IRB uses the CHECKLIST: Waiver of HIPAA Authorizationwhich lists the criteria.
4.1.1Level of review. The waiver can be granted by the determination of a full convened IRB or (for research that qualifies for expedited review) by the expedited review process.
4.1.2Full or partial waiver. The IRB may grant a full or a partial waiver. See the GUIDANCE.
4.1.3Documentation. The IRB documents the waiver by completing the Checklist. The research is provided with documentation as follows:
4.1.3.1For studies with a paper-based IRB application: The researcher is provided with a copy of the completed CHECKLIST: Waiver of HIPAA Authorization.
4.1.3.2For studies with a Zipline IRB application: The IRB approval letter to the researcher documents the granting of the waiver.
4.2Activities that are not human subjects research. Researchers may wish to obtain and use PHI for activities that do not meet the federal definition of “human subjects research” and therefore do not require IRB review. Examples include: case reports, and the use of decedent PHI. However, an IRB-granted waiver may still be required. To review these waiver requests:
4.2.1As an IRB member, a HSD staff person conducts an expedited review to determine whether the activity meets the criteria for granting a HIPAA waiver, following the same process and using the same documents as described above in Section 4.1.
5PROCEDURES: HIPAA-related Noncompliance or Breaches
5.1HSD staff and the IRBs follow the procedures described in the SOP: Management of Research-Related Problems and SOP: Research Inquiries when information is received that suggests noncompliance, or inappropriate or unauthorized access, involving research and PHI.
6MATERIALS
6.1CHECKLIST: Waiver of HIPAA Authorization
6.2GUIDANCE: HIPAA
6.3CHECKLIST: Master
6.4SOP: Management of Research-related Problems
6.5SOP: Research Inquiries
7REFERENCES
7.1HIPAA regulations: 45 CFR 160, 162, and 164
7.2WA State RCW 70.02 “Medical Records: Health Care Access Information and Disclosure”
7.3UW Medicine Compliance Policies, especially Glossary, COMP.101, COMP.103, and COMP.104.
Version 1.2 / #1824Implemented / 02/07/2018 / Page 1 of 3