HIPAA and Research
 
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

The HIPAA Privacy Rule establishes the conditions under which protected health information may be used or disclosed by covered entities for research purposes. Research is defined in the Privacy Rule as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” A covered entity may always use or disclose for research purposes health information which has been de-identified in accordance with 45 CFR 164.502(d), and 164.514(a)-(c) of the Rule.

The Privacy Rule also defines the means by which individuals will be informed of uses and disclosures of their medical information for research purposes, and their rights to access information about them held by covered entities. Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research.

Protected Health Information
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

“Individually identifiable health information” is information, including demographic data, that relates to:
• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,

De-Identified Health Information
There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers, which is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.

The Privacy Rule allows a covered entity to de-identify data by removing all 18 elements that could be used to identify the individual or the individual's relatives, employers, or household members; these elements are enumerated in the Privacy Rule. The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information. Under this method, the identifiers that must be removed are the following:

1. Names.
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
a. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
b. The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
4. Telephone numbers.
5. Facsimile numbers.
6. Electronic mail addresses.
7. Social security numbers.
8. Medical record numbers.
9. Health plan beneficiary numbers.
10. Account numbers.
11. Certificate/license numbers.
12. Vehicle identifiers and serial numbers, including license plate numbers.
13. Device identifiers and serial numbers.
14. Web universal resource locators (URLs).
15. Internet protocol (IP) address numbers.
16. Biometric identifiers, including fingerprints and voiceprints.
17. Full-face photographic images and any comparable images.
18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.
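The following sketch is an added example, not part of the Privacy Rule or of this institution's procedures. It applies the removal method to one structured record, including the ZIP Code rule of item 2 and the date and age rules of item 3. The field names, the sample record and the contents of SPARSE_ZIP3 are assumptions made for illustration.

```python
from datetime import date

# Constructed placeholder set: 3-digit ZIP prefixes covering 20,000 or fewer
# people. Derive the real set from current Census data.
SPARSE_ZIP3 = {"998", "999"}

# Hypothetical column names standing in for identifiers 1 and 4-18, plus the
# sub-state geography of identifier 2.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "plan_id", "account", "license", "vehicle_id", "device_id",
    "url", "ip", "biometric", "photo", "other_unique_id",
}
DATE_FIELDS = ("admission_date", "discharge_date", "death_date")


def zip3(zip_code, sparse=SPARSE_ZIP3):
    """Keep the first three digits unless the area is sparse (then 000)."""
    prefix = str(zip_code).strip()[:3]
    # Design choice of this example: malformed input also becomes 000.
    if len(prefix) != 3 or not prefix.isdigit() or prefix in sparse:
        return "000"
    return prefix


def age_category(birth, as_of):
    """Age in whole years, with every age over 89 folded into '90+'."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else str(age)


def deidentify(record, as_of):
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip3"] = zip3(out.pop("zip", ""))
    birth = out.pop("birth_date")
    out["age"] = age_category(birth, as_of)
    # A birth year would reveal an age over 89, so it is withheld for 90+.
    out["birth_year"] = None if out["age"] == "90+" else birth.year
    for field in DATE_FIELDS:
        if field in out:  # keep only the year of each remaining date
            out[field[:-len("_date")] + "_year"] = out.pop(field).year
    return out


# Constructed sample record, not real patient data.
SAMPLE = {"name": "Jane Roe", "mrn": "X-0001", "zip": "99812",
          "birth_date": date(1915, 5, 1), "admission_date": date(2009, 3, 14),
          "diagnosis": "J18.9"}
print(deidentify(SAMPLE, as_of=date(2009, 8, 25)))
```

Free-text fields and the "no actual knowledge" condition are not addressed by field-level rules like these and still need separate review.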

REVIEW PREPARATORY TO RESEARCH
This form should only be used if an investigator needs approval to review Protected Health Information (“PHI”) before submitting a research application to the IRB. The purpose for accessing the PHI is to identify a subject population to ultimately study through a future IRB-approved protocol, and an application cannot be completed without access to identifiable information.

To permit the researcher to conduct a review preparatory to research, the covered entity must receive from the researcher representations that:
• The use or disclosure is sought solely to review PHI as necessary to prepare the research protocol or other similar preparatory purposes,
• No PHI will be removed from the covered entity during the review, and
• The PHI that the researcher seeks to use or access is necessary for the research purposes.

RESEARCH USING DECEDENTS’ PHI
Mount Auburn Hospital IRB may approve access to decedents' records for research purposes if the IRB receives from the researcher (1) representations that the decedents' PHI is necessary for the research and is being sought solely for research on decedents (not, e.g., for research on living relatives of decedents) and (2) on request of the covered entity, documentation of the deaths of the study subjects.

No Authorization or waiver or alteration of Authorization by an IRB or Privacy Board is needed for use or disclosure of decedents' PHI for research, if these conditions are met.

The Decedent Research form should be used if an investigator is doing research only using the PHI of deceased individuals. If the investigator will include the PHI of any living subjects in the research, the investigator cannot use this form and must complete an IRB application.

WAIVER OF AUTHORIZATION
This form should be used in the following circumstances only:
1. Identifying and Recruiting Potential Study Subjects

If you are reviewing medical records, rounding lists and procedure schedules, or having conversations with providers (and you are not the treating provider) to identify potential research subjects, you must apply for a waiver of authorization.

• If you ultimately intend to get the subjects’ informed consent to participate in the study, and thereby their written HIPAA authorization, you only need to complete the Waiver Form for those activities leading up to the subjects’ signing the informed consent and HIPAA Authorization document(s). All of the remaining uses and disclosures that occur throughout the conduct of the study will be covered by the HIPAA Authorization language in the informed consent.

• Also, please be aware that few requests for waivers authorizing the disclosure of PHI to study sponsors before obtaining the subjects’ informed consent will be allowed. All information sent to sponsors for pre-screening or for maintaining a log of pre-screening failures should be de-identified. Only PHI that subjects specifically authorize by signing the informed consent document should be disclosed to anyone outside of Mount Auburn Hospital.

2. Obtaining Verbal Informed Consent.
If you are conducting a study in which it is not possible to obtain the subjects’ written consent, you will have to apply for a Waiver of Authorization to allow the use of the subjects’ PHI. HIPAA does not currently allow us to obtain verbal authorization from study subjects in the same way that we obtain verbal informed consent. Therefore, please apply for a Waiver for this circumstance (Part A of the Application, Section B. 12). You can expect that the IRB will ask you to include additional statements in your text or questionnaire that specifically address the HIPAA Privacy Rule.

3. Waiver of Informed Consent.
If you are conducting a study where the IRB has determined that you do not have to obtain the informed consent of the study subjects, a Waiver of Authorization Form to request the subjects’ authorization to use and disclose their PHI may be necessary.

4. Waiver of Documentation of Informed Consent.
An IRB may waive the requirements for the investigator to obtain a signed consent form for some or all subjects if it finds either:
1) That the only record linking the subject and the research would be the consent document and the principal risk would be potential harm resulting from a breach of confidentiality. Each subject will be asked whether the subject wants documentation linking the subject with the research, and the subject’s wishes will govern; or
2) That the research presents no more than minimal risk of harm to subjects and involves no procedures for which written consent is normally required outside of the research context.

In cases in which the documentation requirement is waived, the IRB may require the investigator to provide subjects with a written statement regarding the research. (45 CFR 46.117(c))



©Copyright CareGroup 2003. Last Updated 8/25/2009