Office for Research

HIPAA FAQs

  1. What is a covered entity?
  2. Am I, the NU researcher, part of a covered entity?
  3. If I'm not covered by HIPAA, why do I need HIPAA compliance?
  4. What is protected health information (PHI)?
  5. Do I have to re-consent currently enrolled subjects with the new authorization after April 14, 2003?
  6. Once I have a waiver of authorization, can I access all of the subject's information?
  7. Do I need to apply for a waiver of authorization if I have a retrospective medical record review already approved by the IRB?
  8. Can I look through the medical records of my own patients to get an idea if a potential subject pool exists for a research protocol that I am developing?
  9. What if I'm not sure whether I'll need an authorization for my subjects?
  10. Can I obtain a waiver of authorization for a retrospective chart review that involves information related to the HIV/AIDS status of patients?
  11. Do I have to revise my consent form for use after April 14, 2003?
  12. What if my sponsor wants me to include HIPAA language in the consent form? Can I do this?
  13. How long do I need to keep signed authorization forms?
  14. Why is the IRB involved in this? I thought that HIPAA was being enforced by a Privacy Board?
  15. If I submit my HIPAA response forms before April 14, 2003, but have not heard from the IRB, can I still enroll subjects on or after this date?
  16. Does my HIPAA response form have to go to an IRB Board meeting?
  17. What if my new project has recently been submitted to the IRB and will be reviewed on, near or soon after April 14, 2003? How do I address the HIPAA compliance?
  18. Do I need to submit a HIPAA Response Form for a project that does not need HIPAA compliance?
  19. What is the minimum necessary standard?

1. What is a covered entity?
A covered entity is (1) a health plan, (2) a healthcare clearinghouse, or (3) a healthcare provider (e.g., group practice, solo practitioner) that transmits any health information in electronic form in connection with healthcare transactions.

2. Am I, the NU researcher, part of a covered entity?
NU researchers and research are not considered part of the covered entity that is affected by HIPAA. NU is a hybrid covered entity, meaning that parts of it are covered by HIPAA and other parts are not. The research function falls outside of the HIPAA regulations.

3. If I'm not covered by HIPAA, why do I need HIPAA compliance?
Because researchers may need to obtain medical records and patient information that is part of a covered entity, researchers have to comply with HIPAA.

4. What is protected health information (PHI)?
PHI is individually identifiable health information, such as patient charts, medical billing and insurance records. In general, PHI is health information that contains any of the 18 direct individual identifiers that are listed in the HIPAA definition of de-identified data.

5. Do I have to re-consent currently enrolled subjects with the new authorization after April 14, 2003?
Subjects that are already enrolled prior to April 14, 2003 are "grandfathered," in that informed consent documents signed prior to this date and that do not contain the required HIPAA authorization elements remain valid for continued participation in the study after this date. However, if new information for the study requires re-consenting of already enrolled subjects on or after April 14, 2003, a HIPAA authorization must be obtained.

6. Once I have a waiver of authorization, can I access all of the subject's information?
No, the Privacy Rule permits only the minimum necessary information (minimum necessary standard) to be accessed under a waiver of authorization for research. You will have to list and justify what identifiable health information you need.

7. Do I need to apply for a waiver of authorization if I have a retrospective medical record review already approved by the IRB?
If you have not completed data collection and need to access additional patient records on or after April 14, 2003, you will be required to get an IRB-approved waiver of authorization before you access additional records. If all data collection is complete, you do not need a waiver.

8. Can I look through the medical records of my own patients to get an idea if a potential subject pool exists for a research protocol that I am developing?
Yes, if the medical records belong to your patients, you do not have to apply for an "exception" in order to assess protocol feasibility with your own patient population. If the patients are not yours, you will have to apply for an exception to the authorization before looking through the records. This exception is only to get an idea of the number of potential research subjects that may exist for the purposes of developing a protocol or deciding whether to even consider doing a study. It does not permit activities that lead to identification of potential subjects or their recruitment.

9. What if I'm not sure whether I'll need an authorization for my subjects?
If you are uncertain as to whether you will need to access medical records for your project, it is advised that you proceed with the authorization. This way you will have it if it becomes necessary.

10. Can I obtain a waiver of authorization for a retrospective chart review that involves information related to the HIV/AIDS status of patients?
No, according to Illinois law, a waiver of authorization cannot be granted for studies involving information related to HIV/AIDS, genetic information or mental health information. This supersedes the HIPAA requirements.

11. Do I have to revise my consent form for use after April 14, 2003?
No, the HIPAA authorization form will be a separate document at NU. The current IRB-approved consent forms do not need to be modified to address HIPAA.

12. What if my sponsor wants me to include HIPAA language in the consent form? Can I do this?
No, it is the Northwestern University policy for HIPAA that all HIPAA language for authorization be a separate stand-alone document. HIPAA policies and authorization language are specific to the covered entity. The NU HIPAA Authorization template has been created by the NU affiliates to conform to the regulations according to our policy.

13. How long do I need to keep signed authorization forms?
Signed authorization forms need to be kept for a minimum of 6 years.

14. Why is the IRB involved in this? I thought that HIPAA was being enforced by a Privacy Board?
Northwestern University and its affiliates (NMH, NMFF, RIC, VA) have designated the NU IRB as the Privacy Board for research purposes only.

15. If I submit my HIPAA response forms before April 14, 2003, but have not heard from the IRB, can I still enroll subjects on or after this date?
No, if you need HIPAA compliance (an authorization, waiver of authorization or exception) you must have IRB approval of this prior to enrolling new subjects on or after this date.

16. Does my HIPAA response form have to go to an IRB Board meeting?
No. For current open projects, the HIPAA response forms will undergo administrative review in order to expedite the process. However, the HIPAA requirements will become part of all new project submissions after the compliance date and HIPAA-related documents will be reviewed at regularly scheduled IRB meetings.

17. What if my new project has recently been submitted to the IRB and will be reviewed on, near or soon after April 14, 2003? How do I address the HIPAA compliance?
You should obtain IRB approval prior to submitting your HIPAA compliance. The HIPAA compliance can be reviewed administratively and should not delay your project more than a few days at the most. Also, these recent submissions may not be part of the list of active IRB projects you received in the mail. It is important to address HIPAA compliance for ALL open studies first. Also, our New Project Submission Form has been revised to include HIPAA compliance issues so that HIPAA issues can be considered in the initial review.

18. Do I need to submit a HIPAA Response Form for a project that does not need HIPAA compliance?
Yes, OPRS is asking that all investigators submit a HIPAA Response Form for all active projects disclosing the type of HIPAA compliance needed, even if the answer is "none".

19. What is the minimum necessary standard?
When using or disclosing protected health information (PHI), or when requesting PHI from others, a covered entity must generally make reasonable efforts to limit itself to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."