Privacy practices govern the receipt, use and storage of personal and confidential information in research. Because the use of personal and confidential information is common in both biomedical and behavioral research, confidentiality is a major concern. Currently, most research involving human subjects operates under the Common Rule (45 CFR Part 46, Subpart A) and/or the Food and Drug Administration's (FDA) human subject protection regulations (21 CFR Parts 50 and 56). These human subject protection regulations, which apply to most Federally-funded and to some privately funded research, include protections to help ensure the privacy of subjects and the confidentiality of information.
Federal statute(s) require(s) without exception that the confidentiality of the personally identifiable information be maintained throughout the research and thereafter. In proposing a research study, the Principal Investigator shall consider the nature, probability, and magnitude of harms that would be likely to result from a disclosure of collected information outside the research. The PI shall also evaluate the effectiveness of the proposed anonymizing techniques, coding systems, encryption methods, storage facilities, access limitations, and other relevant factors in determining the adequacy of confidentiality protections.
It is a requirement of the IRB that the IRB Proposal and consent documentation (if applicable, according to submission category) describe the extent to which confidentiality of records identifying the subject(s) will be maintained (or not maintained). Where deemed necessary, the PI shall obtain a certificate of confidentiality, which protects against the compulsory release of individually identifiable research information.
In addition to the standard research privacy practices, there are additional requirements regarding "individually identifiable health" or "personal health" information (PHI). These requirements are provided in the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. In short, HIPAA requires that "covered entities" give additional rights to persons utilizing services of the health industry and further protect their information (see "Links"). Currently, FIU does not meet the criteria to be classified as a "covered entity"; therefore, FIU is not directly subject to the HIPAA requirements for the use of PHI in research. However, the research of individual FIU investigators is subject to the Privacy Rule requirements if they are obtaining PHI from a "covered entity" (see the FAQ "How does the Privacy Rule Affect Research?").
Each investigator is responsible for and required to:
1. Find out what the Privacy Policy is for the entity from whom the PHI is being requested. The requirements will differ according to the category of PHI you are requesting from the entity. Please contact the FIU Compliance Coordinator if you have questions regarding submission of PHI paperwork to an entity.
The following is a limited list of requirements that an investigator can expect to perform in order to receive PHI:
· Provide a Letter of Request to the entity in order to access PHI for Preparatory and Decedent research.
· Prepare a HIPAA Authorization Form in order to access PHI for research in which an Individual Authorization will be used. Sample authorization language may be obtained at the following webpage: http://privacyruleandresearch.nih.gov/authorization.asp#samplelang
· Sign a Data Use Agreement (DUA) in order to access PHI for research using a Limited Data Set or otherwise as indicated by the entity. The DUA should be provided by the entity to meet their requirements. Prior to entering into an agreement with an entity, the PI should contact the IRB office for document review and/or assistance in preparation.
Note: FIU requires that DUAs be signed by the investigator (faculty) and his/her immediate supervisor or the student investigator and his/her faculty advisor.
2. After authorization to access PHI is obtained, submit a copy of ALL documentation regarding the use and/or disclosure of PHI to the FIU IRB. The authorization and accompanying documentation may be submitted as a part of your initial application for use of human subjects or as a modification to the approved proposal. If submitted as a modification, all changes to the original IRB proposal must be indicated in the IRB Proposal by bold or underline.
For additional information regarding HIPAA, see the links below.
FAQs
What is "Individually Identifiable Health Information"?
Individually identifiable health information is health information, including demographic information, that is collected from an individual by a covered entity or employer; that relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for healthcare to an individual; and that identifies the individual, or where it is reasonable to believe the information can be used to identify the individual.
What is Protected Health Information (PHI)?
PHI is individually identifiable health information that is transmitted or maintained by a covered entity in any form or medium.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and represents efforts by the Federal government to standardize and provide safeguards for the electronic transmission of health information of US citizens, including research subjects.
Who or what are covered entities?
Covered entities are healthcare providers, health plans, and healthcare clearinghouses, which electronically transmit health information. HIPAA regulations only apply to uses and disclosures of protected health information by covered entities.
How does the Privacy Rule Affect Research?
Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that investigators continue to have access to medical information necessary to conduct vital research. The Privacy Rule establishes the conditions under which PHI may be used or disclosed for research purposes. The Privacy Rule defines the means by which individuals will be informed of uses and disclosures of their medical information for research purposes, and their rights to access information about them held by covered entities.
A covered entity may de-identify PHI (remove the 18 identifiers), using either the statistical or the "Safe Harbor" method, in order to provide data to an investigator without being subject to policies and procedures that limit the use and disclosure of protected health information as required by HIPAA Privacy regulations. The Privacy Rule outlines the process for use and disclosure of PHI for research by obtaining an individual authorization or without individual authorization under limited circumstances. This information is outlined in the FIU - Accessing PHI document online.
Where can I get additional information regarding HIPAA?
- DHHS' Office for Civil Rights (OCR) - Complete HIPAA Guidance Document (Go to Research Category) http://www.hhs.gov/ocr/hipaa/privacy.html
- Public Welfare - General Administrative Requirements - Title 45 CFR 160 www.access.gpo.gov/nara/cfr/waisidx_02/45cfr160_02.html
- Public Welfare - Security and Privacy - Title 45 CFR 164 www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html
- DHHS FAQ's on HIPAA - Privacy of Health Information (Search criteria "research") http://answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_alp.php
- National Institutes of Health - HIPAA Privacy Rule http://privacyruleandresearch.nih.gov/
- IRBtool - Assists with determining when privacy protections in HIPAA apply to a protocol http://www.irbtool.com/hipaa/