trionavi.blogg.se

5 types of hipaa compliance forms

Question 1: As an employee of the JHM covered entity, how does the HIPAA Privacy Rule affect my research?

Answer: Under the HIPAA Privacy Rule you must meet certain requirements before using or disclosing individually identifiable health information for research. (These HIPAA requirements are in addition to IRB requirements under federal regulations for the protection of human subjects.) The HIPAA Privacy Rule defines “individually identifiable” broadly, to include information such as name, address, or SSN, as well as “indirect identifiers” such as zip codes or date of birth, when attached to any health information.

A covered entity and its employees may not use or disclose individually identifiable health information (called “protected health information,” or “PHI”) for research, except in one of the following circumstances:

i) The patient has signed a written Authorization containing all the elements specified in the Privacy Rule;
ii) An IRB has waived or altered the requirement for HIPAA Authorization;
iii) The covered entity has “de-identified” the data prior to its use or disclosure for research; or
iv) The data are in the form of a “limited data set” containing no HIPAA “direct identifiers,” and the researcher has signed a HIPAA Data Use Agreement.

Question 2: What is the difference between HIPAA “Authorization” and informed consent?

Answer: Informed consent is required under federal research regulations for the protection of human subjects. The HIPAA Privacy Rule, a different regulation, separately requires that patients give written Authorization before a covered entity may use or disclose patients’ protected health information for research. There are different requirements for the content of informed consent and HIPAA Authorization; however, both may be combined in one form (see templates on the HIPAA forms page). An IRB may waive both consent and Authorization if the research meets all of the waiver criteria established by each of the applicable regulations.

Question 3: I plan to use de-identified information in my research. Do I still need to submit an eIRB application?

Answer: The answer depends upon whether the data already exist in de-identified form. If your research involves only the analysis of pre-existing data that have been fully de-identified to the HIPAA standard, you do not need to submit an application in eIRB, because such research involves neither PHI nor an identifiable human subject. If, however, you wish to extract de-identified data from medical records or other identifiable sources, for use in your research or to create a de-identified database for future research, you must submit an Exempt Research Application and an Application for Waiver of HIPAA Privacy Authorization in eIRB. (See the JHM IRB guidance on Research Databases for additional information.)

Question 4: Are outside parties involved in a research study "business associates" of Hopkins, and do we need a Business Associate Agreement with these parties?

Answer: No. Under the HIPAA Privacy Regulations, a business associate is a person or entity that receives protected health information ("PHI") from a covered entity and performs certain functions or activities on behalf of the covered entity. For example, The Johns Hopkins Hospital is a covered entity under HIPAA and its outside lawyers, consultants, and most contractors who receive PHI from JHH are business associates doing something on JHH's behalf. The HIPAA Privacy Regulations require Hopkins to enter into Business Associate Agreements with these entities.

Access to PHI Created or Maintained by Non-JHM Providers

Subject Requests for Access to Research Data or Test Results









