Process Maps: Patient Privacy and Security
When does HIPAA apply?
When an established patient is being considered for participation in a research study by a clinician involved in the patient’s care, the HIPAA rules can be confusing. HIPAA applies when a provider is reviewing a patient’s medical record for both treatment and research purposes. In general, under the HIPAA privacy rules, a patient’s medical information may be accessed for a treatment, payment or operational purpose without obtaining prior written consent. Access to a patient’s medical record for any other purposes may require additional steps to be in compliance with privacy laws and rules. This means that when a provider looks at his or her patient’s medical record for research purposes, the research-related HIPAA rules apply.
When is access considered to be for a research purpose?
If a patient’s record is reviewed for a treatment purpose (e.g., to view lab results or consult with a referring provider) the research-related rules do not apply. However, once a patient’s medical information is viewed for a research-related activity (e.g., to screen for eligibility or review, to review a unique case for possible study, or to collect data) the research-related HIPAA rules apply. For example, if a provider is reviewing a patient’s lab report for regular care, this access would be for treatment purposes and the research-related rules would not apply. However, if during this review the provider notices that the lab value may make the patient a potential research subject and wants to review the chart further for eligibility, the research-related rules would need to be considered.
What are the research-related privacy rules that should be considered?
In general, before any patient information can be used for a research purpose, the patient must sign and date a study-specific HIPAA Authorization for Research form (“Permission to Use Personal Health Information for Research”) which recites the patient’s privacy rights. This is true whether or not the patient is seen by the researcher/physician for medical care. Patient information cannot be used for research-related purposes without a signed patient authorization. There are two limited exceptions: if the IRB has granted a Waiver of Authorization (“Form R” waiver) or if the UCDHS Privacy Board has granted a “Preparatory to Research Authorization.” If access to a patient’s medical information is pursuant to one of these exceptions, then any access must be documented and tracked in the Disclosure Tracking Database. See Clinical Trials Newsletter v.12, November 2012 for additional information: http://intranet.ucdmc.ucdavis.edu/ctsc/area/ctnewsletters/
Cohort Discovery Tool and Specific Patient Cohorts
The Cohort Discovery Tool provides researchers the ability to query several sources of patient data. Cohort Discovery is a repository of patient information gathered from multiple sources, including electronic medical records, lab results, and demographic data. To register to access Cohort Discovery and for training on its use, go to: (http://www.ucdmc.ucdavis.edu/ctsc/area/informatics/cohortdiscovery/).
In order to contact patients identified by EMR screening, provide the contact script (usually a paper letter) to the IRB for review. Describe the planned approach in HRP-503, Section 25 – Recruitment Methods. The CTSC Biomedical Informatics team provides data extraction.
HIPAA Waiver of Authorization for Recruitment
A HIPAA Waiver of Authorization can be obtained from the IRB if access to patient data is needed for recruitment purposes. Describe the need in the protocol template (HRP-503, Section 25 - Recruitment Methods). This section is reviewed by the IRB. If a full or partial waiver is granted, access to identifiable patient data to determine if a patient may be a potential research subject will be authorized. IRB approval is confirmed by issuance of the Form R (“Waiver of Research Participant’s Authorization for Use/Disclosure of PHI for Recruitment”).
If you want to look at PHI for decedent research where there are no identifiers linked to living persons and no use of vital death records, you must submit a Decedent Research Application. Be aware that the HIPAA Privacy rule protects individually identifiable health information of deceased individuals for 50 years following the date of death. The application can be found on the Compliance website. The Privacy Officer may request proof of death. If the research will include any identifiers linked to living persons or involves accessing death records maintained by the State Registrar, local registrars, or county recorders, the project must be approved by the IRB in advance. For more information about the Privacy Rule and decedent research provisions go to: 45 CFR 160.103, paragraph (2)(iv) of the definition of “protected health information.”
Any study data obtained without the proper authorizations cited above may not be used for publication (i.e. journals, abstracts, etc.) or any other purpose and can be subject to notification requirements under state and/or federal laws.
The Privacy Rule and UCDHS P&P 2446 require an accounting of certain disclosures of protected health information (PHI). This includes chart reviews. In accordance with the Privacy Rule, a patient can request that the institution provide him or her with an accounting of these types of disclosures.
Prior to a subject signing the HIPAA Authorization for Research form, any access to patient identifiable data for research purposes must be reported in the Disclosure Tracking Database, even if a Preparatory Research Application or HIPAA Waiver of Authorization has been approved. A disclosure of access to patient records may be documented in one of two ways:
First, access can be documented in the on-line Disclosure Tracking Database. When completing this form, the type of access should be checked as “Disclosures for Research (no authorization).”
Second, the access can be documented in the Electronic Medical Record of the patient accessed, using the Quick Disclosure activity. With the Quick Disclosure activity, EMR users can quickly and conveniently record what information they release, all from their clinical workspace.
To access the Quick Disclosure in EPIC:
- Go to Hospital Chart or Chart;
- Click “More Activities” and choose Quick Disclosure;
- Quick Disclosure opens. Fill out the appropriate fields:
  - Purpose Field – type Research and choose the appropriate purpose
  - Info Requested – click on magnifying glass to see all categories
  - Authorization Received – click “Third Party” and type “UCD” in requester field then press enter. (Always indicate disclosure made to the UC Davis Health System)
  - Authorization Received? – Choose “Yes” or “No”

See CT Newsletter v19, March 2014 for a description of the Quick Disclosure.
The UC Davis IRB must review and approve all materials for human subject recruitment before recruitment efforts begin. An advertisement to recruit subjects is any form of materials whose main purpose is to inform and invite the potential subjects to participate in a research study, including:
- Flyers and handouts
- Bulletin boards/Billboards
- Letters and e-mails
- Newspapers/magazine Ads
- Radio, TV and Cable
- Website/Internet postings
- Phone scripts
The advertisement should be limited to the information prospective subjects need to determine their eligibility and interest, such as:
For FDA-regulated research, the advertisement should not:
- Make claims, either explicitly or implicitly, that the drug, biologic or device is safe or effective for the purposes under investigation.
- Make claims, either explicitly or implicitly, that the test article is known to be equivalent or superior to any other drug, biologic or device.
- Use terms, such as “new treatment”, “new medication” or “new drug” without explaining that the test article is investigational.
- Include a coupon good for a discount on the purchase price of the product once it has been approved for marketing.
- State or imply a certainty of favorable outcome or other benefits beyond what is outlined in the consent document and the protocol.
- Promise “free treatment”, when the intent is only to say subjects will not be charged for taking part in the research.
- Include exculpatory language.
- Emphasize the payment or the amount to be paid, by such means as larger or bold type.
Subject screening is the term used to describe research activities performed on participants after obtaining their informed consent. Usually screening activities are performed to ensure subjects are eligible to be enrolled in the study, i.e. that the participant meets the inclusion and exclusion criteria for the study. Screening activities include interactions with potential subjects to determine eligibility that would not otherwise have been performed if not for the study. Note that a screen failure is the term used to describe the circumstance in which a subject who has provided consent has subsequently failed to meet eligibility criteria for participation in the study based on screening procedures performed after informed consent was obtained. UC Davis does not have a separate informed consent just for screening. The screening script (i.e. by telephone) has to be approved by the IRB.
Please reference Appendix A “Informed Consent”
Consent Forms for research are required to be in the Legal Medical Record for drug and device studies. Policy & Procedure 2306 (Legal Medical Record Content/Core Elements) requires that the Informed Consent Form must be part of the Legal Medical Record. Under Section VI.E.2.f, (Consents for Care, Treatment and Research/Human Subjects Research involving investigational use of a drug or device), the policy requires that a “signed copy of the consent form is filed in the medical record.”
All consent documents must have the patient's label or patient's name and medical record number on the top right-hand corner. This will allow HIM to locate the correct patient record and upload the consent form. Place consent documents in the HIM mail baskets located in all patient care areas. Couriers routinely pick these up, and all documents are promptly scanned by HIM into the medical record. It is important to send the signed ICFs to HIM as soon as possible since they are held to time standards for scanning documents.
In some cases, it may make sense to establish a local scanner to expedite the upload process. To do so, you can use any of your existing scanners, as long as they are properly configured.
- Create an on-line access request in Lotus Notes for OnBase Clinical - Scan/Index.
- Once access is approved, HIM will set up an appointment to install the scan software, set up a network drive, map your scanner, and provide training on how to scan to HIM.
The scanned documents can be found under the “Media” tab in the EMR. The ICF needs to be scanned and uploaded even if the patient does not pass screening criteria.
The Clinical Trials Newsletter, November 2012, provides further details on the process for documenting the ICF in the EMR. The October 2013 issue describes how to upload consents into the HIM queue using a local scanner.
Please refer to Activity #11