RESEARCH PATHWAYS

This section describes five typical scenarios involving HIPAA compliance and the policies and procedures that apply to each case:

I. Marquette researchers within their own Marquette Health Care Provider Unit.

This section guides Marquette researchers seeking to gather and use protected health information from a Marquette Health Care Provider Unit in which they are employed or affiliated.

Marquette personnel and students may wish to engage in research involving protected health information that is gathered and maintained by the Marquette's Health Care Provider Unit with which they are affiliated.

In such cases, the Health Care Provider Unit may use or disclose PHI for research, regardless of the source of funding, provided that:

A. The patient or subject of the information signs an authorization form that has been approved by the Marquette Health Care Provider Unit and the Marquette University IRB (in that order).

B. The Marquette University IRB approves an alteration or waiver of the patient authorization required by Section 164.508 of the Privacy Rule.

1. Documentation of approval of waivers will be maintained by the Office of Research Compliance. A copy of such documentation will be maintained by the Point of Contact for the Marquette Health Care Provider. The Marquette Health Care Provider will maintain records of disclosures for research purposes. For a large research project involving 50 or more individuals where the researcher obtained an IRB approved waiver of authorization, the Marquette Health Provider may maintain a general record indicating that an individual's protected health information may have been disclosed as part of the project.

2. The documentation must include all of the following:

a) Identification and date of action. A statement identifying the IRB(s) and the date on which the alteration or waiver of authorization was approved,

b) A statement that the IRB has determined that the alteration or waiver satisfies the following criteria:

i. the use or disclosure of protected health information involves no more than minimal risk to the individuals,

ii. the alteration or waiver will not adversely affect the privacy rights and welfare of the individuals,

iii. the research could not practicably be conducted without the alteration or waiver of authorization,

iv. the research could not practicably be conducted without access to and use of the protected health information,

v. the privacy risks to individuals whose protected health information is to be used or disclosed is reasonable in relation to the anticipated benefits, if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research,

vi. there is an adequate plan to protect the identifiers from improper use and disclosure.

vii. there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law, and

viii. there are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this policy.

c) Protected health information needed. A brief description of the protected health information for which use or access has been determined to be necessary by the IRB (i.e., "the IRB has determined that the research could not practicably be conducted without access to and use of the protected health information").

d) Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved by the IRB under full board review or expedited review procedures, as required by the Common Rule.

e) Required signature. The documentation of the alteration or waiver of authorization must be signed by the IRB chair or other IRB member designated by the chair.

f) In the case of a modification to the individual authorization for research purposes, a model copy of the modified authorization will be included in the file.

g) The name, address, and telephone number of the entity that sponsored the research and of the researcher(s) to whom the information was disclosed (45 CFR 164.528).

C. For reviews preparatory to research, the IRB may approve use or disclosure of protected health information. To request such approval, the researcher must provide written assurance that:

1. The use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research,

2. No protected health information is to be removed from the Marquette Health Care Provider Unit in the course of the review, and

3. The protected health information for which use or access is sought is necessary for the research purposes.

The written assurance must be endorsed by the Point of Contact for the Marquette Health Care Provider Unit before it is presented to the IRB for approval.

D. Research involving decedent's information. It is noted that research on decedents does not involve "human subjects" and is therefore not subject to the Common Rule. However PHI about decedents is subject to HIPAA. Therefore the IRB, acting as Marquette University’s Privacy Board for research, has the authority to review requests for such information. For research on decedent's information, the researcher must provide to the Office of Research Compliance the following:

1. Representation that the use or disclosure sought is solely for research on the protected health information of decedents,

2. Documentation of the death of such individuals,

3. Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes.

E. Use of a Limited Data Set. See section V.

II. Marquette researchers at another Marquette Health Care Provider Unit.

This section guides Marquette researchers seeking to gather and use protected health information from a Marquette Health Care Provider Unit in which they are not employed or affiliated.

Marquette personnel and students may wish to engage in research involving protected health information that is gathered and maintained by a Marquette Health Care Provider Unit with which they are not affiliated.

In such cases, the Health Care Provider Unit may use or disclose protected health information for research provided that:

A. The patient or subject of the information signs an authorization form that has been approved by the Marquette Health Care Provider Unit and the Marquette University IRB (in that order).

B. The Marquette University IRB approves an alteration or waiver of the patient authorization required by Section 164.508 of the HIPAA.

1. Documentation of waiver approval will be maintained by the Office of Research Compliance. A copy of such documentation will be maintained by the Point of Contact for the Marquette Health Care Provider. The Marquette Health Care Provider will maintain records of disclosures for research purposes. For a large research project involving 50 or more individuals where the researcher obtained an IRB approved waiver of authorization, the Marquette Health Care Provider may maintain a general record indicating that an individual's protected health information may have been disclosed as part of the project.

2. The documentation must include all of the following:

a) Identification and date of action. A statement identifying the IRB(s) and the date on which the alteration or waiver of authorization was approved,

b) A statement that the IRB has determined that the alteration or waiver satisfies the following criteria:

i. the use or disclosure of protected health information involves no more than minimal risk to the individuals,

ii. the alteration or waiver will not adversely affect the privacy rights and welfare of the individuals,

iii. the research could not practicably be conducted without the alteration or waiver of authorization,

iv. the research could not practicably be conducted without access to and use of the protected health information,

v. the privacy risks to individuals whose protected health information is to be used or disclosed is reasonable in relation to the anticipated benefits, if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research.

vi. there is an adequate plan to protect the identifiers from improper use and disclosure.

vii. there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law, and

viii. there are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this policy.

c) Protected health information needed. A brief description of the protected health information for which use or access has been determined to be necessary by the IRB (i.e., "the IRB has determined that the research could not practicably be conducted without access to and use of the protected health information").

d) Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved by the IRB under either full board or expedited procedures, as required by the Common Rule.

e) Required signature. The documentation of the alteration or waiver of authorization must be signed by the IRB chair or other IRB member designated by the chair.

f) In the case of a modification to the individual authorization for research purposes, a model copy of the modified authorization will be included in the file.

g) The name, address, and telephone number of the entity that sponsored the research and of the researcher(s) to whom the information was disclosed ance that:

1. The use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research,

2. No protected health information is to be removed from the Marquette Health Care Provider Unit in the course of the review, and

3. The protected health information for which use or access is sought is necessary for the research purposes.

In connection with point 2, above, researchers not employed by or affiliated with the relevant Marquette Health Care Provider Unit may NOT use protected health information to contact patients to recruit them into a study, since doing so in effect indicates that the data has been removed from the Unit. Before they can be contacted, potential study recruits must sign an authorization that has been approved by the Marquette Health Care Provider Unit and the Marquette University IRB (in that order).

The written assurance must be endorsed by the Point of Contact for the Marquette Health Care Provider Unit before it is presented to the IRB for approval.

D. Research involving decedent's information. It is noted that research on decedents does not involve "human subjects" and is therefore not under the purview of the IRB. For research on decedent's information, the researcher must provide to the Office of Research Compliance the following:

1. Representation that the use or disclosure sought is solely for research on the protected health information of decedents,

2. Documentation of the death of such individuals,

3. Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes.

E. Use of a Limited Data Set. See section V.

III. Marquette researchers and non-Marquette health care providers.

This section guides Marquette researchers seeking protected health information from a non-Marquette health care provider.

Marquette personnel and students may wish to engage in research involving protected health information that is gathered and maintained by or disclosed to a non-Marquette health care provider.

In such cases, the researcher must secure approval for the research from the Marquette University IRB and such approvals as may be required by the outside entity.

It is likely that the non-Marquette health care provider will impose conditions on the sharing of data. Where such conditions take the form of an agreement, the Marquette researcher must seek approval from the Office of the General Counsel, and the agreement must be reviewed and signed by an authorized institutional official. Marquette employees and faculty are reminded that they are not authorized to sign agreements on behalf of Marquette University.


IV. Non-Marquette researchers and Marquette Health Care Provider Units.
This section guides non-Marquette researchers seeing protected health information from a Marquette Health Care Provider Unit.

Researchers from other universities and other outside entities may request protected health information from Marquette University Health Care Provider Units.

Such requests must be directed to the Primary Contact associated with the relevant Marquette Health Care Provider Unit identified elsewhere in this document.

Where such approval is granted, the use of the protected health information shall be subject to the terms and conditions of a data sharing agreement that has been approved by the Office of the General Counsel and signed by the Primary Contact as well as an authorized institutional official. The data and the data use agreement will comply with the Limited Data Set guidance provided in Section V of this document.

A model "limited data use" agreement for sharing PHI is included in this document.

The full cost of responding to requests for PHI or for de-identified information will be charged to the entity making the request, and payment must be received before any action is taken on behalf of the entity making the request.

V. Limited Data Set.

A Marquette Health Care Provider Unit may use or disclose a limited data set for the purpose of research. The Marquette Health Care Unit may use protected health information to create a limited data set if the following requirements are met:

A. A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

Names;
Postal address information, other than town or city, State, and zip code;
Telephone numbers;
Fax numbers;
Electronic mail addresses;
Social security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web Universal Resource Locators (URLs);
Internet Protocol (IP) address numbers;
Biometric identifiers, including finger and voice prints; and
Full face photographic images and any comparable images.

It is therefore permissible to include in the limited data set dates related to the individual (e.g., dates of birth, admission, discharge, or death) and any geographic subdivision other than street address, so long as the researcher, the IRB, and the Health Care Provider Unit agree that such data is absolutely necessary for the purpose of the research.

B. Marquette University must obtain satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes.

Employees are reminded that agreements between Marquette University and outside entities must be approved by the Office of the General Counsel and signed by an authorized institutional official. Limited Data Use agreements must also be endorsed by the Point of Contact for the relevant Marquette University Health Care Provider Unit.

A data use agreement between Marquette University and the limited data set recipient must:

1. Specify that the data set will be exclusively used for a specific research purpose. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate this requirement.

2. Establish who is permitted to use or receive the limited data set; and

3. Provide that the limited data set recipient will:

a) Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;

b) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;

c) Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;

d) Ensure that any agents, including a subcontractor, to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and

e) Not identify the information or contact the individuals.

C. If Marquette University knows of a pattern of activity or practice of the limited data set recipient that constitutes a material breach or violation of the data use agreement, the University will take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, will:

1. Discontinue disclosure of protected health information to the recipient; and
2. Report the problem to the Secretary, Health and Human Services.