PROCESS
Determine if your research is subject to the regulation. The Privacy
Rule covers all research activities that use individually identifiable
health information that is collected in a setting related to patient
care, and it applies whether the subject is living or dead. If you
are both a clinician or health care provider and a researcher, any
information you create or receive that is incidental to your role
as a health care provider is PHI.

Releasing PHI for research or for any reason other than treatment,
payment, or requirements of law without obtaining an authorization
from the patient or a waiver is a violation of the Privacy Rule.

Transition provisions. All institutions must be in compliance with
HIPAA on April 14, 2003. Data collected under a research subject's
consent that was obtained before this date is not subject to the
Privacy Rule. However, if informed consent or reconsent is obtained
from research subjects after April 14, 2003, the Marquette Health
Care Provider Unit must obtain the patient's authorization for the
use or disclosure of protected health information. In ongoing research
projects, for example, you must obtain patient authorization to
use protected health information as well as consent when the previous
consent is no longer valid for the research (through expiration
or amendment).

If you collected patient data for a research database before April
14, 2003, you do not need to obtain patient authorization to use
or disclose the data, provided you adhere to the conditions of your
IRB-approved protocol or earlier patient consent. You MUST comply
with the Privacy Rule if your protocol changes or you seek a new
patient consent.

Using de-identified health information. De-identified health information
is information that does not identify an individual and with respect
to which there is no reasonable basis to believe that the information
can be used to identify an individual. De-identified health information
is exempt from Privacy Rule regulation and may be used or disclosed
for research purposes without a patient's authorization or IRB waiver
of authorization.

To obtain approval to use or disclose de-identified health information,
the researcher must provide documentation to the IRB that the health
information has been de-identified by the Marquette Health Care
Provider Unit using one of these two methods:

Statistical Method. A person with appropriate knowledge of and experience
with generally accepted statistical and scientific principles and
methods for rendering information not individually identifiable
has a) applied such principles and methods and determined that the
risk is very small that the information could be used, alone or
in combination with other reasonably available information, by an
anticipated recipient to identify an individual who is the subject
of the information, and b) documented the methods and results of
the analysis that justify his or her determination. Most commentators
expect this approach will prove impractical.

Removal of Identifiers. The following 18 identifiers of the individual
or of relatives, employers, or household members of the individual,
are removed by the Marquette Health Care Provider Unit:

1. Names
2. All geographic subdivisions smaller than a State, including street
   address, city, county, precinct, zip code, and their equivalent
   geocodes, except for the initial three digits of a zip code if,
   according to the current publicly available data from the Bureau
   of the Census, the geographical unit formed by combining all zip
   codes with the same three initial digits contains more than 20,000
   people, or the initial three digits of a zip code for all such geographic
   units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to
   an individual, including birth date, admission date, discharge date,
   date of death, and all ages over 89 and all elements of dates (including
   year) indicative of such age, except that such ages and elements
   may be aggregated into a single category of age 90 or older.
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate
    numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images, and
18. Any other unique identifying number, characteristic, or code.

In addition, the Marquette Health Care Provider Unit must also certify
to the IRB that the Marquette Health Care Provider Unit does not
have actual knowledge that the information could be used alone or
in combination with other information to identify an individual
who is the subject of the information.

The Marquette Health Care Provider Unit may assign a code or other
means of record identification to allow the Marquette Health Care
Provider Unit to re-identify the information, provided that the
code or other means of record identification is not derived from
or related to information about the individual and is not otherwise
capable of being translated so as to identify the individual, and
the Marquette Health Care Provider Unit does not use or disclose
the code or other means of record re-identification for any other
purpose, and does not disclose the mechanism for re-identification.
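
The code below is an added example, not part of the original policy or of any Marquette tooling: Python that applies the zip code, date, and age rules from the identifier list and assigns a re-identification code that is random rather than derived from the record. The field names, the population table, and the sample record are assumptions constructed for illustration.

```python
import secrets
from datetime import date

# Constructed figures: population per 3-digit ZIP area. Real use needs the
# current Census Bureau data; prefixes missing from the table count as small.
ZIP3_POPULATION = {"532": 610_000, "036": 14_500}
# Hypothetical field names for identifiers that are removed outright.
DROP = {"name", "street", "city", "phone", "email", "ssn", "mrn", "ip"}

def zip3(zip_code):
    """Keep the first three digits only if the area holds more than 20,000 people."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"

def age_category(birth, as_of):
    """Whole years of age, with every age over 89 folded into one '90+' category."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else str(age)

def deidentify(record, as_of, key_table):
    """Return a de-identified copy; the re-identification link goes in key_table."""
    out = {k: v for k, v in record.items() if k not in DROP}
    out["zip"] = zip3(out["zip"])
    out["age"] = age_category(out["birth_date"], as_of)
    # Dates keep only the year; a birth year that reveals age 90+ is dropped too.
    birth = out.pop("birth_date")
    out["birth_year"] = None if out["age"] == "90+" else birth.year
    out["admit_year"] = out.pop("admit_date").year
    # Random code, not derived from the MRN, SSN or any other field of the record.
    code = secrets.token_hex(8)
    key_table[code] = record["mrn"]  # stays inside the unit, never disclosed
    out["code"] = code
    return out

# Constructed sample record.
SAMPLE = {"name": "Jane Roe", "street": "1 Example St", "city": "Milwaukee",
          "zip": "53233", "phone": "555-0100", "email": "jroe@example.org",
          "ssn": "000-00-0000", "mrn": "MRN-0001", "ip": "192.0.2.7",
          "birth_date": date(1930, 5, 1), "admit_date": date(2023, 4, 30),
          "diagnosis": "J45.909"}

if __name__ == "__main__":
    keys = {}
    print(deidentify(SAMPLE, date(2023, 4, 30), keys))
```

A hash of the medical record number or Social Security number would not satisfy the code requirement above, because it is derived from information about the individual; the lookup table is the only route back to the patient.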

Because the statistical method will typically involve considerable
expense, and because data without identifiers is of limited research
use, most researchers will want to pursue other alternatives described
in this addendum.

If your research is subject to the policy, the following research
pathways will help you navigate the new regulations and speed your
work.