HIPAA/Privacy & Research
The Health Insurance Portability and Accountability Act (HIPAA) has been in effect since April 14, 2003. Under this rule, researchers working at Drexel University are permitted to use and disclose Protected Health Information (PHI) for research with individual authorization, or with a waiver of authorization as set forth in the HIPAA Privacy Rule.
Applications to the Drexel University IRB for protocols that involve the access, collection or transportation of PHI are required to acknowledge these activities within their IRB application. Examples include protocols examining and retaining medical data from patient medical records and collection of PHI during an interview with the subject.
Training and Certification
Training and certification is mandatory for all investigators and research personnel who will access, use or disclose PHI. Web-based training includes completion of the CITI Health Information Privacy & Security (HIPS) course and the Drexel Core modules on Privacy and Security (HIPAA I & II) programs. HIPAA training guidance and instruction may be found at the Human Subjects Research Training. Recertification of the HIPS training is every three (3) years, Drexel Core modules HIPAA I & II does not require recertification at this time.
The mission of the Drexel University Privacy Board (Privacy Board) is to provide for the access, use and disclosure of individual protected health information (PHI) that is proposed for involvement in the research enterprise in a manner that is consistent with federal and state privacy regulations and University policy. The Privacy Board serves solely to review and approve the Privacy related documents and transactions that occur to satisfy the Health Insurance Portability and Accountability Act (HIPAA) and the Pennsylvania State Breach Act. The Privacy Board is not an Institutional Review Board (IRB) and an explanation may be found at the Privacy Board web page.
Requests for Waiver or Alteration of Authorization
If the research involves a waiver of consent for a protocol that will involve use, collection or retention of Protected Health Information, the investigator must also request an Alteration to or Waiver of HIPAA Authorization in accordance with HRP-441.
Grandfathering Approved Ongoing Research
Individual authorization or re-consent of research subjects for PHI collected prior to the compliance date of April 14, 2003, or when subjects who have consented prior to compliance date and enrollment to the study has stopped, need not provide individual authorization.
If consent forms have been modified by the IRB and the research is continuing past the compliance date, those studies require new individual authorization and re-consenting of subjects.
Preparing for Research
Researchers and their research personnel within a covered entity may access and use a research subject’s PHI by completing a Preparatory to Research Form.
Drexel University College of Medicine and Tenet Hospitals (Hahnemann and St. Christopher’s Hospital for Children) has a Representations for Preparatory to Research Form available at this link.
Researchers and their team cannot use the PHI to contact prospective subjects unless the subjects are patients under the researcher’s care. Subjects that are not patients under the researcher’s care may not be contacted until an IRB approved protocol sets conditions for contacting the subjects.
Researchers are not permitted to remove the PHI from the covered entity.
Accessing Existing Databanks and Repositories
Researchers and their team can access databanks and repositories with the permission of the owner of such resources.
Researchers and their teams can access databanks and repositories of covered entities with the approving authority of the covered entity (e.g. Privacy Officer).
Researches can also create databases within a covered entity. To create a database, you must obtain a waiver of authorization approval from a member of the Privacy Board in addition to Drexel University IRB approval and approval of the custodian of the medical records or source documents.
Research Involving Decedents
The researcher must provide a representation to the covered entity that the use or disclosure of the decedent’s PHI is necessary and used solely for the purpose of research.
At the request of the covered entity, the researcher will be required to provide documentation of death.
Request form for Access to Decedent PHI (doc)
Limited Data Use
The Privacy Rule primarily addresses identifiable and de-identified information. But it also includes a middle option where in investigators may use patient data that qualifies as "identified data" in the form of a "limited data set" without HIPAA Authorization or a waiver of HIPAA Authorization. The Limited data set permits the use of select identifiers with limited Privacy Rule requirements can be used for research, health care operations and public health purposes only. The Limited Data Set is identified data requiring permission of the record custodian for data use.
Limited Data Sets in Research FAQ (PDF)
Drexel University Sample Data Use Agreement (doc)