Rebecca D. Armstrong

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) included provisions to protect the privacy of individually identifiable health information and established the conditions under which covered entities might release such information for research purposes.  These new regulations go in to effect as of Monday, April 14, 2003.  The Privacy Rule requirements will affect your research, IF AND ONLY IF, you obtain Protected Health Information (PHI) from a health care provider who is a covered entity under the regulations. 

For researchers who currently obtain PHI from a covered entity, and for those investigators who in the future may wish to obtain protected health information as part of their research or to pre-screen potential research subjects, the requirements imposed by HIPAA will change how you conduct your research.  Please read on to learn more about what you will be required to do, how the IRB is involved, and what we can do to help you through this transition.

A few definitions that you will need to know:

Protected Health Information (PHI) – is individually identifiable health information that has been entered into a medical record.

Individually identifiable health information – is any information (including demographics) collected from an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse that relates to the past, present or future physical or mental health or condition of an individual.  (see 45 CFR 160.103 for the complete definition).  Examples include information as it pertains to health care such as: name, address, social security number, telephone and fax numbers, email addresses, admission dates, birth date, date of death, etc.

Covered Entity – health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a HIPAA required standard transaction – typically providers that bill electronically.

So what will you, as an investigator, need to do to obtain PHI information from a covered entity for research purposes?

To obtain PHI information, covered entities will require you to have obtained a valid Authorization that is the express written permission of that individual to release and use their individually identifiable health information for a particular purpose.  This is similar to Informed Consent documentation.  The covered entity will want to keep a copy of the Authorization document.

The Privacy Rule allows for several exceptions to the authorization requirement in the research context.  A Purdue investigator may seek a Waiver of the Authorization or a Modification of the Authorization from the Purdue IRB.  These requests will be reviewed by expedited or full board review depending on the level of risk.  In addition, researchers may be able to utilize Limited Data Set information in conjunction with a Data Use Agreement.  With a limited data set, “facial identifiers” like; name, address, biometric identifiers, device identifiers and serial numbers, IP addresses, etc. must be deleted from the data set.  Additional information about these requirements and procedures will be posted on our web site www.irb.purdue.edu soon.

However, if you are obtaining PHI for your research from a covered entity and currently consenting research participants on an IRB approved protocol, you will need to submit a protocol revision form to include an authorization and have it approved before April 14, 2003 or your IRB approval will be suspended.  We strongly encourage you to contact Dr. Becky Armstrong at 46840 for further guidance in order to avoid any disruption of your research.

Research involving only decedent information will, as of April 14, 2003, require IRB review and approval under HIPAA regulations.  This type of research did not previously require any IRB review and approval.

While these regulations may not apply to a large number of Purdue investigators, it is very important that you and Purdue University remain in compliance.  For additional information see:

Office of Civil Rights – HIPAA http://www.hhs.gov/ocr/hipaa/

Welcome to the first issue of I.R.B. News. We hope you will choose to remain subscribed to receive future quarterly issues. We are experimenting with enewsletter formats and would appreciate feedback about how well this particular enewsletter format works in your email client and/or other suggestions.

Many new and exciting changes are occurring in the Human Subjects Protection Program (HSPP) that supports the operation of Purdue’s Institutional Review Board (IRB).  As part of restructuring in the Office of the Vice Provost for Research, Reatha Walls has joined the office as support staff and assists the IRB Committee Secretary, Kristine Hershberger with processing applications, database management and correspondence with investigators.  As you may know, Nancy Hathaway, our first IRB Administrator left Purdue to pursue other opportunities this past February.  The search to fill this position is underway and we have some very highly qualified candidates in the pool.

In other news, significant projects that are underway in the HSPP office include:

·        A working group has formed to review software programs that would support a web-based IRB protocol submission and review process.

·        Preliminary steps have been taken in the process to pursue accreditation of our human subjects protection program by the American Association for the Accreditation of Human Research Protection Programs (AAAHRPP).

·        An e-newsletter has been established to facilitate information dissemination.

And, as always, we continue to try and accommodate all the education and training requests that come into to the office.  We appreciate your patience and flexibility during this period when we are understaffed.  We look forward to working with you to protect human research participants and facilitating the high quality research you engage in.  Please let us know how we may be of assistance to you at irb@purdue.edu.