IRB Mythbusters – HIPAA and Research
The VCU Human Research Protection Program presents IRB Mythbusters — a periodic newsletter clarifying common misconceptions about conducting human research and the IRB!
In this issue, “myths” surrounding HIPAA and research are addressed. Access previous editions of IRB Mythbusters by visiting the “mythbusters” tag on our blog.
MYTH: When collecting HIPAA-covered data, I can collect identifiers and still use the “de-identified data set” HIPAA pathway, as long as I remove the identifiers later.
FACT: The “de-identified data set” HIPAA pathway is only allowable when NONE of the 18 HIPAA identifiers are associated with the data, AT ANY TIME. This pathway can only be used when collecting truly anonymous data, meaning no identifiers are present in the dataset or associated with the data through the use of a code key. It is permissible for researchers to access or view identifiers while collecting the data, but they may not record identifiers at any time.
TIP: VCU has adopted specific terminology for describing different levels of data identifiability. It is important to understand the definitions of terms like “identifiable,” “de-identified,” and “anonymous.” VCU IRB Written Policy and Procedure (WPP) XII-1 provides definitions for each of these terms. In addition, this blog post also breaks down the definitions of “de-identified” and “anonymous,” among other data identifiability terms.
When considering using the “de-identified data set” HIPAA pathway, keep in mind that data must be anonymous, not de-identified, despite the name of the pathway.
Also keep in mind that HIPAA lists 18 specific identifiers, and if ANY of these identifiers are present in or associated with the data (through the use of a code key), then the de-identified data set pathway will not be appropriate. These identifiers include information like names and addresses, but also include less obvious identifiers, such as dates (date of birth, date of admission, etc.) and other unique codes, like Medical Record Numbers (MRNs).
In addition, the VCU IRB offers several guidance documents on its Policies and Guidance webpage, under the “HIPAA in Research” accordion. More details about each HIPAA pathway (including the de-identified data set pathway) can be found in the Understanding HIPAA and Research at VCU guidance document. This document also outlines which areas of VCU are covered by HIPAA, and lists the 18 HIPAA identifiers. There is also a decision tree that can help you determine which HIPAA pathway is appropriate for your study.
MYTH: The “minimum necessary” standard in HIPAA means I must collect the minimum amount of identifiers necessary to carry out my research.
FACT: The “minimum necessary” standard in HIPAA requires that researchers collect the minimum amount of PHI necessary to carry out their research. PHI is NOT the same as “identifiers.” PHI refers to individually-identifiable health information. Health information means information like lab values, x-rays, and clinic notes. When thinking about this standard, think about the health information you intend to collect, not the identifiers.
TIP: HIPAA does not allow for “fishing” — which is to say, researchers must have a good idea of the scope of PHI needed to carry out their research before beginning data collection, and may not collect extraneous information that is not related to answering specific research questions. The IRB application will ask researchers to certify (by checking a box) that they will only collect the minimum amount of PHI necessary to achieve the research objectives. When considering how to operationalize this for your research, keep in mind that PHI is not synonymous with “identifiers.” PHI stands for Protected Health Information, and refers to individually-identifiable health information. So, think about how the health information you will collect (e.g., lab values, x-rays, clinic notes) will be the minimum necessary to answer your research questions, rather than thinking about how the identifiers you collect will be the minimum necessary to conduct your research.
It is, of course, also important to minimize the identifiers collected in a research study, as part of a robust confidentiality and privacy protection plan. However, identifiers are not what HIPAA’s “minimum necessary” standard refers to. Researchers should consider how to minimize both the number of identifiers collected and the amount of health information collected in each research study they conduct.
MYTH: Since I already have access to PHI through my role as a clinician, I can access these data for research purposes any time.
FACT: Even if you already have access to PHI through your clinician role, using PHI for research purposes requires the appropriate approvals. HIPAA allows for the use of PHI for treatment, payment, or healthcare operations without additional permission from patients, or approval from a Privacy Board. When used for research purposes, PHI must be accessed through the appropriate “pathway,” which is selected during IRB review, and may include obtaining authorization from participants during a consent process. “Research purposes” include collecting data intended to be used for a specific research project, but also include activities like reviewing clinic records to identify potentially eligible patients. In short, if an activity involves accessing/using PHI outside the normal course of your clinical duties, the access/use of the PHI is likely for research purposes, and therefore requires the appropriate approvals.
TIP: Utilize the “Determining When HIPAA Applies to Research” decision tree to figure out if HIPAA applies to the data you’re collecting for your research project. If HIPAA does apply, then you must select the most appropriate “pathway” for accessing PHI for your research project. The “Determining Pathway to Use PHI for Research” decision tree will help you determine which pathway to request during IRB review. It is important to have a complete understanding of how HIPAA applies to research at VCU, so referencing the Understanding HIPAA and Research at VCU guidance document will also be helpful. All of these resources can be found on the HRPP’s Policies and Guidance webpage, under the “HIPAA in Research” accordion.