Appointments Jobs About Search Education & Research Clinical Trials Health Information Medical Services
Institutional Review Board (IRB)

personnel directory

more pages
Policy Health Insurance Portability and Accountability Act (HIPAA)
DEPARTMENT: OFFICE FOR HUMAN RESEARCH PROTECTION
POLICY NUMBER: IX.A
SECTION: PRIVACY AND CONFIDENTIALITY
REVIEW: IRB POLICY AND PROCEDURE COMMITTEES
ORIGINAL CREATION DATE: March 19, 2007
REVISION DATES:  

Subject: Health Insurance Portability and Accountability Act (HIPAA)

Policy:

It is the policy of Mayo Clinic's Office for Human Research Protection – Institutional Review Board (IRB) – requires in its role as the Privacy Board for Mayo Clinic, that research data be used, stored and/or disclosed only according to current HIPAA regulations. This Policy covers all Protected Health Information (PHI), that is created, used, or disclosed during research activities.

  1. Research Use or Disclosure of PHI with Authorization.
    1. Except as set forth in this Policy, the Investigator must obtain an authorization from each participant prior to the use or disclosure of PHI for any research related purpose. [1]
    2. A legally effective authorization must include the following:
      1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful way;
      2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use of disclosure;
      3. The name or other specific identification of the person(s), or class of persons, to whom the Investigators may make the requested use or disclosure;
      4. A description of each purpose of the requested use or disclosure;
      5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement such as "end of research study" or "none" may be used when appropriate;
      6. A statement that the individual may revoke the authorization if requested in writing. However, the Investigator may continue to use and disclose, for research integrity and reporting purposes, any PHI collected from the individual, pursuant to such authorization before it was revoked;
      7. A statement that either: Mayo Clinic may not condition treatment, payment or eligibility for benefits on whether the individual signs the authorization (for non-treatment studies) or Mayo Clinic may condition the individual's research-related treatment on the provision of the authorization (for treatment studies);
      8. A statement that information disclosed pursuant to the authorization could potentially be subject to redisclosure by the recipient and no longer be protected under HIPAA; and
      9. The individual's signature (or that of his/her legally authorized representative) and date. [2]
    4. An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same research study (including the consent form for the research study). [3]
    5. An Investigator may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of PHI for the research. [4]
  2. Research Use or Disclosure of PHI with Waiver of Authorization
    1. Authorizations otherwise required under this policy may be waived or altered by the IRB, provided the following criteria are satisfied and documented:
      1. The use or disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on the presence of at least the following elements:
        1. An adequate plan to protect the identifiers from improper use and disclosure;
        2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; an
        3. Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by this Policy;
      3. The research could not practicably be conducted without the waiver or alteration; and
      4. The research could not practicably be conducted without access to and use of the PHI. [5]
    3. When uses or disclosures of PHI are made pursuant to a waiver, the Investigator must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure. [6] When the Investigator makes the representations set forth in Section II.A to obtain a waiver, the IRB will rely on the Investigator to ensure that the minimum necessary standard is met. [7]
    4. If the IRB grants a waiver and the Investigator discloses any PHI outside Mayo Clinic, the Investigator must record the following information for any PHI disclosed:
      1. The date of the disclosure;
      2. The name of the entity or person who received the PHI and, if known, the address of such entity or person;
      3. A brief description of the PHI disclosed; and
      4. A brief statement of the purpose of the disclosure that describes the basis for disclosure. [8]
  3. Research Use or Disclosure of Limited Data Set.
    1. An Investigator may use or disclose a Limited Data Set for research purposes without an authorization or waiver of authorization, if a Data Use Agreement is completed. [9]
    2. When uses or disclosures of a Limited Data Set are made pursuant to a Data Use Agreement, the Investigator must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure. [10]
  4. Research Use or Disclosure of Decedent's PHI without Authorization.
    1. Except as set forth in Section IV.B below, an Investigator may use and disclose a decedent's PHI for research purposes without IRB review provided that all of the following criteria are satisfied:
      1. The use or disclosure will be solely for research on the PHI of decedents;
      2. The PHI for which use or disclosure is sought is necessary for research purposes; and
      3. The Investigator has documentation of the death of the individuals whose PHI is being sought. [11]
    3. For PHI that is included in medical records at Mayo Clinic Rochester or any facility in Minnesota, an Investigator may use and disclose a decedent's PHI for research purposes in accordance with this IRB Policy.
    4. When uses or disclosures of a decedent's PHI are made without authorization, the Investigator must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure. [12]
  5. Research Use or Disclosure of "De-Identified" Health Information.
    1. De-identified health information is exempt from HIPAA regulations and may be used or disclosed for research purposes without an authorization or IRB waiver of authorization. [13], [14]
    2. The de-identified information may be assigned code or other means or record identification to allow de-identified information to be re-identified, provided that, the key to such a code is not accessible to the Investigator requesting to use or disclose the de-identified health information and the code is not derived from or related to information about the individual and is not capable of being translated so as to identify the individual. [15]
  6. Use and Disclosure of PHI without Authorization when it is Preparatory to Research.
    1. An Investigator may use or disclose PHI without IRB review for activities preparatory to research if all of the following criteria are satisfied:
      1. Use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;
      2. No PHI is to be removed from Mayo Clinic by the Investigator in the course of the review; and
      3. The PHI for which use is sought is necessary for the research purposes. [16]
    3. When uses or disclosures are made without authorization preparatory to research, the Investigator must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure. [17]
  7. Participant's Access to Research Information.

    Individuals who participate in research generally have a right to access their own PHI that is maintained in a Designated Record Set. However, an individual's access to PHI created or obtained in the course of research that involves treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research study, and the Investigator has informed the individual that the right of access will be reinstated upon completion of the research. [18]

  8. Participant's Request to Revoke Research Authorization.

    An individual may revoke his or her authorization at any time, provided that the revocation is in writing, except to the extent that the Investigator has taken action in reliance on the authorization. [19] The Investigator may continue to use and disclose any PHI collected pursuant to a valid authorization before it was revoked, for study integrity and reporting purposes.

[1] 45 CFR 164.508 (a)(1)

[2] 45 CFR 164.508 (c)

[3] 45 CRF 164.508 (b)(3)(i)

[4] 45 CFR 164.508(b)(4)(i)

[5] 45 CFR 164.512(i)(2)(ii)

[6] 45 CFR 164.502(b)

[7] 45 CFR 164.514(d)(3)(iii)(D)

[8] 45 CFR 164.528(b)(2)

[9] 45 CFR 164.514(e)(1)

[10] 45 CFR 164.502(b)

[11] 45 CFR 164.512(i)(1)(iii)

[12] 45 CFR 164.502(b)

[13] 45 CFR 164.502(d)

[14] 45 CFR 164.514(a)

[15] 45 CFR 164.514(c)

[16] 45 CFR 164.512(i)(1)(ii)

[17] 45 CFR 164.502(b)

[18] 45 CFR 164.524(a)(2)(iii)

[19] 45 CFR 164.508(b)(5)


Appointments Contact Us Make A Gift Search

Legal restrictions and terms of use applicable to this site

Use of this site signifies your agreement to the terms of use
Copyright © 2008 Mayo Foundation for Medical Education and Research.