HIPAA Guidance Document *** DRAFT


1. Introduction

The Veterans Health Administration is committed to conducting research in compliance with all applicable laws and regulations. To ensure this, the Office for Research and Development is publishing this guidance document to assist the VHA research community in implementing the requirements of the HIPAA Privacy Rule ("Privacy Rule").

The Privacy Rule, while not intended to regulate the conduct of research, does have implications for the use of protected health information in the conduct of research. It contains sections that impose requirements on those involved in research, both individuals and institutions. This guidance discusses those requirements and how VHA researchers and VAMCs can comply with those requirements.

1.1 HIPAA Privacy Rule and the "Common Rule"

A primary source of regulation of research is the Federal Policy for Human Subject Protection, known as the Common Rule. This federal regulation has been adopted by 17 federal departments and agencies, including the VA, as the basis for protection of human subjects in research. The VA's adoption of the Common Rule is codified at 38 CFR Part 16.

The Privacy Rule does not make any changes to the Common Rule. However, it does contain several provisions that resemble provisions of the Common Rule or that reference those provisions. For example, the Common Rule contains specific requirements for the composition of an institutional review board (IRB). Similarly, the Privacy Rule contains specific requirements for the composition of a Privacy Board, an alternative to the IRB that may be used exclusively for the review of privacy issues. The composition of a Privacy Board is similar to that of an IRB. The Privacy Rule does not require the development or use of a Privacy Board. Nor does it offer the Privacy Board as a replacement for the IRB. It merely sets up the mechanism for developing such a board as an alternative to using the IRB for reviewing privacy issues.

All IRBs and researchers must continue to adhere to the mandates of the Common Rule while implementing the requirements of the HIPAA Privacy Rule.

1.2 Key Concepts

Covered Entity – The VHA is a single covered entity for the purpose of complying with the Privacy Rule. This covered entity includes all VHA hospitals and health care systems.

Use and Disclosure of Information – According to the definitions in the Privacy Rule, information is "used" when it remains within the entity holding the information and it is "disclosed" when it is released outside the entity that holds this information.

PHI – "Protected Health Information" (PHI) is individually identifiable health information transmitted or maintained electronically or in any other form or medium, except for education records or employment records, as excluded in the Privacy Rule.

Privacy Board – The Privacy Rule requires board approval of waivers or alterations of authorizations for release of PHI. The board can be either an IRB, established under the provisions of the Common Rule, or a Privacy Board, established according to the provisions of the Privacy Rule. A Privacy Board is an alternative to an IRB for privacy issues only; it cannot replace the IRB for Common Rule purposes. A covered entity does not have to establish a Privacy Board if it chooses to use its IRB to review privacy-related waivers or alterations of authorization.

Role of the IRB – The Privacy Rule does not regulate the work of IRBs as it relates to the protection of human subjects. However, in regard to research data, the Privacy Rule relies heavily on the IRBs as the key point of contact within a "covered entity" for researchers.

Minimum Necessary – The Privacy Rule restricts use and disclosure of PHI. However, it does contain exceptions granting access in certain circumstances. Underlying all the exceptions, however, is the principle that any access should be limited to the minimum amount of information necessary to accomplish the intended purpose of the use or disclosure.

For VHA research purposes, this standard requires a VHA researcher to evaluate the needs of his or her study and to request access only to those pieces of information that are necessary for the complete and accurate development of the research. This is advisable even if a research subject permits more information to be used or disclosed.

"Representations" – In several sections, the Privacy Rule requires that a researcher give "representations" of certain facts to obtain access to PHI. The rule does not specify that such representations be made in writing; they could be oral or implied by actions. Where written representations are required under the Privacy Rule, they are specified. VHA researchers are advised, however, that where the Privacy Rule requires that "representations" be made, the researcher should provide complete documentation.

2. VHA Access to Information

The VHA policy on release of information for research purposes is set forth in the Privacy and Release of Information Handbook (VHA Handbook 1900.xx, in draft). The following discussion on implementing the HIPAA Privacy Rule is based on that policy.

2.1 Reviews Preparatory to Research

The HIPAA Privacy Rule and VHA policy allow access to PHI without an authorization from the individual or a waiver from an IRB or Privacy Board when a VHA researcher is preparing a protocol. However, the researcher must represent that access is only for the purpose of preparing a protocol. See the discussion of representations, above. The representations necessary for preparatory access are 1) the access is only to prepare a protocol, 2) no protected health information will be removed from the VHA, and 3) the protected health information accessed is necessary to the research proposed. This is the only instance of access allowed without authorization or IRB approval. This access is granted only to VHA researchers; non-VHA researchers may not access VHA data for reviews preparatory to research.

2.2 Use and Disclosure of Information

The Privacy Rule identifies five distinct methods of using and disclosing information for research purposes. The researcher should be familiar with the five methods and should choose the method most suited to his or her study.
  1. Use and Disclosure with Authorization of the Subject

    The most direct method of using and disclosing data is to ask the permission of the subject of that data. The permission is termed "authorization" in the Privacy Rule. A VHA researcher may use or disclose PHI for research purposes after obtaining a privacy-related authorization from the individual who is the subject of the information. Such authorization is distinct from (but may be combined in a form with) an informed consent for participation in a research study.

    The Privacy Rule defines a valid authorization as having six "core elements" and three "required statements." These are detailed below. In addition to these items, the authorization must be written in plain language and a signed copy must be given to the individual. An authorization form does not have to be approved by an IRB or Privacy Board to be valid for purposes of the Privacy Rule. However, because it will generally be part of the informed consent process, an IRB or Privacy Board may review the authorization as part of its review of the informed consent process proposed by the researcher.

    1. Core Elements of an Authorization

      • Description of the PHI to be used and disclosed "in a specific and meaningful fashion" – To meet this definition, the description should be understandable to the individual, not a mere recitation of data elements understandable only to the research team. The description should be specific, and the request should be limited to the information necessary to the research protocol. Examples of specific and meaningful descriptions include "lab tests," "clinic visit data," and "X-ray readings." Do not use medical jargon or test codes ("Chem7").
      • Name or specific identification of the person or class of persons authorized to make the disclosure – This refers to the "covered entity" that holds the information. Because the VHA is a single covered entity, use of "VHA" as the releasing entity is acceptable.
      • Name or specific identification of the person or class of persons authorized to receive the information – It is advisable to identify the principal investigator as receiving this information. An authorization also should refer to the "research team" that will work with the PI in conducting the research.
      • Description of each purpose of the requested use or disclosure – The authorization should include a clear, concise and understandable description of the purpose of the research. This description may be drawn from the explanation of the research contained in the informed consent form.
      • Expiration date or event – This is the date on which the authorization to use or disclose the information will expire. For research purposes, this may be the end of the study. It is acceptable, for studies that will include development of a database, for the authorization to indicate "no expiration date." If a study has a specific end date or an event that will occur at the end, this should be used. In any case, the authorization must include this information in some form.
    2. Required Statements in an Authorization Form

      • A statement that the individual has a right to revoke the authorization in writing and EITHER

        • The exceptions to this right and description of how the individual may revoke OR
        • A reference to the covered entity's notice of privacy practices, if the exception information is contained there.

      • Ability or inability to condition treatment, etc., on signing the authorization – Because research may be dependent on the use and disclosure of PHI, participation in the study may be conditioned on the subject signing the authorization.
      • The potential for the information to be redisclosed by the recipient and no longer protected under HIPAA.


    Appendix A contains a template form for an authorization that can be used by VHA researchers. All indicated information must be inserted at the appropriate places in the document. Although IRB approval is not required to make the authorization valid under HIPAA, your IRB may require prior approval of this document as part of the overall informed consent process. It is the responsibility of the researcher to obtain IRB approval of this form, if necessary. Once the form has been signed, a copy must be given to the individual. In addition, Appendix B contains a template form for a revocation of authorization that can be given to a subject who expresses a desire to revoke a previously granted authorization.

  2. Waiver of Authorization

    An alternative to asking each research subject for an authorization is to ask an IRB or Privacy Board for a waiver of authorization or an alteration of the standard elements of an authorization. The Privacy Rule includes specific guidelines for the IRB or Privacy Board to follow in granting the request for a waiver of authorization.

    The IRB or Privacy Board must obtain from the researcher a statement that is sufficient for the IRB or Privacy Board to determine the following:

    • The use or disclosure of PHI for the study involves no more than minimal risk to the privacy of the subject individual(s), based on the presence of:

      • An adequate plan by the researcher to protect the identifiers from improper use or disclosure. A full explanation of the plan is required.
      • An adequate plan to destroy the identifiers at the earliest opportunity, UNLESS there is a health or research justification for retaining the identifiers or such retention is required by law
      • Adequate written assurances by the researcher that all efforts will be made to protect the information

    • The research could not practicably be done without the requested waiver or alteration
    • The research could not practicably be done without access to and use of the PHI

    Once a waiver has been granted by the IRB or Privacy Board, the researcher must have in his or her file documentation of the action taken by the IRB or Privacy Board to grant the waiver. The documentation must include the following:

    • Identification of the IRB and the date of the action
    • The waiver criteria used by the IRB in reaching its decision
    • A description of the PHI being requested
    • Review and approval procedures used by the IRB in reaching its decision
    • Signature of the IRB Chairman or authorized member.


  3. De-Identification (Safe Harbor)

    The HIPAA Privacy Rule applies only to identifiable information. If information is de-identified, it no longer is subject to the Privacy Rule. CAUTION: de-identification for HIPAA purposes may not be the same as "anonymizing" data as commonly understood by researchers.

    To meet the standard for de-identified data under the Privacy Rule, a data set cannot include any of the following 18 elements:

    1. Names
    2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of the zip code if, according to the current publicly available data from the Bureau of the Census: a) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and b) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000.
    3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
    4. Telephone numbers
    5. Fax numbers
    6. Electronic mail addresses
    7. Social security numbers
    8. Medical record numbers
    9. Health plan beneficiary numbers
    10. Account numbers
    11. Certificate/license numbers
    12. Vehicle identifiers and serial numbers, including license plate numbers
    13. Device identifiers and serial numbers
    14. Web Universal Resource Locators (URLs)
    15. Internet Protocol (IP) address numbers
    16. Biometric identifiers, including finger and voice prints
    17. Full face photographic images and any comparable images
    18. Any other unique identifying number, characteristic, or code.


  4. Statistical Method of De-identification

    An alternative to the "safe harbor method" is the statistical method. This standard is met if a person with appropriate knowledge and experience applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable makes and documents a determination that there is only a small risk that the information could be used by others to identify a subject of the information. These techniques include removing all direct identifiers, reducing the number of variables on which a match might be made, and limiting the distribution of records through a "data use agreement" or "restricted access agreement" in which the recipient agrees to limits on who can use or receive the data.


  5. Limited Data Set

    The limited data set option is less restrictive than complete de-identification, but it does not allow unfettered access to identifiable information and requires certain safeguards. A limited data set is one that has been stripped of the following elements:

    1. Name
    2. Street address (specifically, a postal address other than city, State and Zip code)
    3. Telephone and fax numbers
    4. E-mail address
    5. Social security number
    6. Certificate/license number
    7. Vehicle identifiers and serial numbers
    8. URLs and IP addresses
    9. Full face photos and any other comparable images
    10. Medical record numbers, health plan beneficiary numbers, and other account numbers
    11. Device identifiers and serial numbers
    12. Biometric identifiers, including finger and voice prints

    The key differences between a de-identified data set and a limited data set are the inclusion, in the latter, of dates and some geographic codes (city, State and zip code).
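    As an added illustration of both the Safe Harbor list above and the limited-data-set stripping (example code, not part of the VHA guidance), the following Python applies each rule set to a constructed patient record. The ZIP-prefix population table and the sample record are constructed placeholders, not Census figures or real data.

```python
from datetime import date
# Constructed placeholder: population per 3-digit ZIP prefix. The real check
# uses current Census Bureau figures, as the Safe Harbor rule requires.
ZIP3_POPULATION = {"021": 600_000, "036": 15_000}
COMPLIANCE_DATE = date(2003, 4, 14)  # "as of" point used for computing ages

# Direct identifiers stripped by BOTH Safe Harbor and the limited data set.
SHARED_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}

# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "email": "jd@example.org", "street": "1 Main St", "city": "Hanover",
    "county": "Grafton", "state": "NH", "zip": "03601",
    "birth_date": date(1910, 5, 2), "admission_date": date(2002, 3, 14),
    "discharge_date": None, "diagnosis": "I10",
}

def safe_harbor_zip(zip_code):
    """Element 2: keep the 3-digit prefix only if its area holds more than
    20,000 people; otherwise the prefix is changed to '000'."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"

def age_on(birth, as_of):
    """Whole years elapsed from birth to as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years

def safe_harbor(record, as_of=COMPLIANCE_DATE):
    """Return a copy of record de-identified under the 18-element Safe Harbor."""
    out = {k: v for k, v in record.items() if k not in SHARED_IDENTIFIERS}
    for key in ("street", "city", "county"):  # geography below state level
        out.pop(key, None)
    out["zip3"] = safe_harbor_zip(out.pop("zip"))
    # Element 3: dates keep the year only; ages over 89 collapse to one category
    # and even the birth year is dropped, since it would reveal such an age.
    birth = out.pop("birth_date")
    if age_on(birth, as_of) > 89:
        out["age"] = "90 or older"
    else:
        out["birth_year"] = birth.year
    for key in ("admission_date", "discharge_date", "death_date"):
        if key in out:
            d = out.pop(key)
            out[key[:-5] + "_year"] = d.year if d else None
    return out

def limited_data_set(record):
    """Strip the 12 limited-data-set elements; dates, city, state and ZIP stay."""
    out = {k: v for k, v in record.items() if k not in SHARED_IDENTIFIERS}
    out.pop("street", None)
    return out
```

    Because the limited data set keeps dates and city/State/zip, the output of limited_data_set still needs the data use agreement described below before it can be disclosed.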

    The use of a limited data set requires a data use agreement. This document is intended to provide assurance of the limited use or disclosure of the information in the limited data set. Under the Privacy Rule, a valid data use agreement must specify 1) the permitted uses and disclosures of information by the recipient, consistent with the purposes of the research, 2) the limits on who can use or receive the data, 3) that the recipient will not re-identify the data or contact the individuals, and 4) that the recipient will use appropriate safeguards to prevent use or disclosure of the limited data set other than as permitted by the Privacy Rule and data use agreement or as required by law.

    Disclosure of the information in a limited data set does not require review by an IRB or Privacy Board.

3. Research on Decedents' Information

Research on decedents' information is permitted if the covered entity (VHA) obtains from the researcher, either orally or in writing: 1) a representation that the use or disclosure is sought solely for research on the PHI of decedents; 2) documentation, at the request of the covered entity, of the death of such individuals; and 3) a representation that the PHI for which use or disclosure is sought is necessary for the research purposes.

At this time there is no guidance on this issue in the VHA Handbook. It is suggested that the researcher have written documentation in his/her files covering these issues.

4. Transition Provision (Grandfather Provision)

HHS recognized that research is being conducted currently and that it would be difficult at best to obtain authorizations or waiver of authorization for all ongoing research. Therefore, a transition provision was included in the Privacy Rule that has significant impact on the research community by "grandfathering" certain research studies that are underway at the compliance date mandated for the Privacy Rule.

The Privacy Rule allows for use and disclosure of PHI created or received for research, either before or after April 14, 2003, if one of the following was obtained prior to that date:
  • An authorization or other express legal permission from the individual to use or disclose his or her information for research,

  • The legally effective informed consent of the individual to participate in the research, OR

  • A valid waiver of informed consent from an IRB according to the Common Rule or an exception under the FDA's human subject protection regulation at 21 CFR 50.24

However, if a subject is asked for informed consent (or asked to re-consent) on or after April 14, an authorization must be obtained at that time.

Summary of Transition Provisions:
  • Waiver of Informed Consent obtained prior to April 14, 2003: No action necessary. The waiver is deemed "authorization" for Privacy Rule purposes.

  • Informed Consent obtained prior to April 14, 2003: Information obtained pursuant to an informed consent signed prior to April 14, 2003, even if the information is not obtained until after April 14, 2003, is "grandfathered" under the Privacy Rule. HOWEVER, if the subject is "re-consented," that is, asked for a new informed consent ON OR AFTER April 14, 2003, a valid authorization must be obtained.

  • Informed Consent obtained ON OR AFTER April 14, 2003: Must include a separate authorization form or authorization language within the informed consent form, or must obtain waiver of informed consent from IRB.

5. More Information

The Office for Research and Development will continue to provide guidance to its research community. Questions regarding this guidance and requests for further information should be directed to Patricia Lynch Watts at patricia.l.watts@hq.med.va.gov.