General Privacy Policy

Privacy practices govern the receipt, use and storage of personal and confidential information in research.  Because the use of personal and confidential information is common in both biomedical and behavioral research, confidentiality is a major concern.  Currently, most research involving human subjects operates under the Common Rule (45 CFR Part 46, Subpart A) and/or the Food and Drug Administration's (FDA) human subject protection regulations (21 CFR Parts 50 and 56).  These human subject protection regulations, which apply to most Federally-funded and to some privately funded research, include protections to help ensure the privacy of subjects and the confidentiality of information. 

Federal statute(s) require(s) without exception that the confidentiality of personally identifiable information be maintained throughout the research and thereafter. In proposing a research study, the Principal Investigator shall consider the nature, probability, and magnitude of harms that would be likely to result from a disclosure of collected information outside the research. The PI shall also evaluate the effectiveness of the proposed anonymizing techniques, coding systems, encryption methods, storage facilities, access limitations, and other relevant factors in determining the adequacy of confidentiality protections.

It is a requirement of the IRB that the IRB Proposal and consent documentation (if applicable, according to submission category) describe the extent to which confidentiality of records identifying the subject(s) will be maintained (or not maintained). Where deemed necessary, the PI shall obtain a certificate of confidentiality, which protects against the compulsory release of individually identifiable research information.

HIPAA Privacy Rule

In addition to the standard research privacy practices, there are additional requirements regarding "individually identifiable health" or "personal health" information (PHI). These requirements are provided in the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. In short, HIPAA requires that "covered entities" give additional rights to persons utilizing services of the health industry and further protect their information (see "Links"). Currently, FIU does not meet the criteria to be classified as a "covered entity"; therefore, FIU is not directly subject to the HIPAA requirements for the use of PHI in research. However, the research of individual FIU investigators is subject to the Privacy Rule requirements if they are obtaining PHI from a "covered entity" (see the FAQ "How does the Privacy Rule Affect Research?").

Each investigator is responsible for and required to:

1. Find out what the Privacy Policy is for the entity from whom the PHI is being requested. The requirements will differ according to the category of PHI you are requesting from the entity. Please contact the FIU Compliance Coordinator if you have questions regarding submission of PHI paperwork to an entity.

The following is a limited list of requirements that an investigator can expect to perform in order to receive PHI:

· Provide a Letter of Request to the entity in order to access PHI for Preparatory and Decedent research.

· Prepare a HIPAA Authorization Form in order to access PHI for research in which an Individual Authorization will be used.  Sample authorization language may be obtained at the following webpage:  http://privacyruleandresearch.nih.gov/authorization.asp#samplelang  

· Sign a Data Use Agreement (DUA) in order to access PHI for research using a Limited Data Set or otherwise as indicated by the entity. The DUA should be provided by the entity to meet their requirements.  Prior to entering into an agreement with an entity, the PI should contact the IRB office for document review and/or assistance in preparation.

Note:  FIU requires that DUAs be signed by the investigator (faculty) and his/her immediate supervisor or the student investigator and his/her faculty advisor.

2. After authorization to access PHI is obtained, submit a copy of ALL documentation regarding the use and/or disclosure of PHI to the FIU IRB. The authorization and accompanying documentation may be submitted as a part of your initial application for use of human subjects or as a modification to the approved proposal. If submitted as a modification, all changes to the original IRB proposal must be indicated in the IRB Proposal by bold or underline.

For additional information regarding HIPAA see the links below. 

FAQ's

What is "Individually Identifiable Health Information"?

Individually identifiable health information is health information, including demographic information, that is collected from an individual by a covered entity or employer; that relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for healthcare to an individual; and that identifies the individual, or where it is reasonable to believe the information can be used to identify the individual.

What is Protected Health Information (PHI)?

PHI is individually identifiable health information that is transmitted or maintained by a covered entity in any form or medium.

What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and represents efforts by the Federal government to standardize and provide safeguards for the electronic transmission of health information of US citizens, including research subjects.

Who or what are covered entities?
Covered entities are healthcare providers, health plans, and healthcare clearinghouses, which electronically transmit health information.  HIPAA regulations only apply to uses and disclosures of protected health information by covered entities. 

How does the Privacy Rule Affect Research?

Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that investigators continue to have access to medical information necessary to conduct vital research. The Privacy Rule establishes the conditions under which PHI may be used or disclosed for research purposes.   The Privacy Rule defines the means by which individuals will be informed of uses and disclosures of their medical information for research purposes, and their rights to access information about them held by covered entities. 

A covered entity may de-identify PHI (remove the 18 identifiers), using either the statistical or the "Safe Harbor" method, in order to provide data to an investigator without being subject to policies and procedures that limit the use and disclosure of protected health information as required by HIPAA Privacy regulations. The Privacy Rule outlines the process for use and disclosure of PHI for research by obtaining an individual authorization or without individual authorization under limited circumstances. This information is outlined in the FIU- Accessing PHI document online.

Is it possible to get a Waiver of Authorization?

In some situations, the IRB can waive the requirement that research subjects sign an Authorization Form.  A Waiver of Authorization does not mean your research is exempt from HIPAA’s privacy regulations. It only means you do not need signed authorization from each research subject.

To qualify for Waiver of Authorization, investigators should indicate that:

  • The research use of the health information does not represent more than a minimal risk to privacy

  • That the research could not be done without the requested health information

  • That it would not be practical to obtain signed authorizations from the research subjects

  • That the specific elements of health information that are requested are not more than the minimum necessary to accomplish the goals of the study.

The “Waiver of Authorization Form" should be completed and submitted with your IRB application packet.

What are the 18 HIPAA Identifiers?

  1. Names;
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Phone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
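The "Safe Harbor" method referred to above consists of removing these 18 identifiers. The following is an added worked example, not code from the FIU page or from any HIPAA tool, showing how a de-identification routine applies the rule-bearing categories (identifier 2: ZIP codes truncated to three digits, collapsed to 000 for sparsely populated prefixes; identifier 3: dates reduced to year, ages over 89 aggregated into 90+ with the birth year dropped) and removes the direct identifiers by keeping only an allowlist of fields. The sample record, the `as_of` reference date, the allowlist, and the `RESTRICTED_ZIP3` set are all constructed for illustration; the real set of restricted three-digit ZIP prefixes comes from current Census data, not from this code.

```python
"""Safe Harbor de-identification of a single patient record (illustrative)."""
import re
from datetime import date

# Fields that may survive de-identification. Identifier 18 is open-ended
# ("any other unique identifying number, characteristic, or code"), so an
# allowlist of retained fields is safer than a blocklist of known identifiers.
# Constructed for this example; a real study defines its own minimum-necessary set.
RETAINED_FIELDS = {"state", "sex", "diagnosis_code"}

# Date fields handled by the identifier-3 rule rather than dropped outright.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# ZIP3 prefixes covering 20,000 or fewer people must be reported as "000".
# CONSTRUCTED placeholder values; the authoritative list is derived from Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}


def generalize_zip(zip_code):
    """Identifier 2: keep the first three digits, or '000' for restricted prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth, as_of):
    """Whole years between birth and the reference date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_dates(record, as_of):
    """Identifier 3: dates keep only the year; ages over 89 become '90+' and
    lose the birth year, since the year alone would reveal the age."""
    out = {}
    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(birth, as_of)
        if age > 89:
            out["age"] = "90+"
            out["birth_year"] = None
        else:
            out["age"] = age
            out["birth_year"] = birth.year
    for field in DATE_FIELDS[1:]:
        d = record.get(field)
        out[field.replace("_date", "_year")] = d.year if d is not None else None
    return out


def safe_harbor(record, as_of):
    """Return (de-identified record, list of fields that were dropped)."""
    deid = {k: v for k, v in record.items() if k in RETAINED_FIELDS}
    deid["zip3"] = generalize_zip(record.get("zip"))
    deid.update(generalize_dates(record, as_of))
    dropped = sorted(
        k for k in record
        if k not in RETAINED_FIELDS and k != "zip" and k not in DATE_FIELDS
    )
    return deid, dropped


# Constructed sample record: every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-000123",
    "email": "jane@example.org",
    "phone": "305-555-0100",
    "ip_address": "192.0.2.10",
    "state": "FL",
    "zip": "33199-0001",
    "birth_date": date(1931, 3, 15),
    "admission_date": date(2023, 6, 2),
    "discharge_date": date(2023, 6, 9),
    "death_date": None,
    "diagnosis_code": "E11.9",
}
AS_OF = date(2023, 6, 2)  # constructed reference date for the age computation

if __name__ == "__main__":
    cleaned, removed = safe_harbor(SAMPLE_RECORD, AS_OF)
    print("de-identified:", cleaned)
    print("dropped fields:", removed)
```

The allowlist is the important design choice: because identifier 18 covers any other unique code, a routine that only strips the names it knows about will leak whatever field it did not anticipate. Note also that the investigator's own study code (excluded by the parenthetical in item 18) would be added to `RETAINED_FIELDS`, while a code derived from an identifier (for example, a hash of the MRN) would not qualify.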

Where can I get additional Information regarding HIPAA?

  1. DHHS' Office for Civil Rights (OCR) - Complete HIPAA Guidance Document (Go to Research Category) http://www.hhs.gov/ocr/hipaa/privacy.html
  2. Public Welfare - General Administrative Requirements - Title 45 CFR 160 www.access.gpo.gov/nara/cfr/waisidx_02/45cfr160_02.html
  3. Public Welfare - Security and Privacy - Title 45 CFR 164 www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html
  4. DHHS FAQ's on HIPAA - Privacy of Health Information (Search criteria "research") http://answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_alp.php
  5. National Institutes of Health - HIPAA Privacy Rule http://privacyruleandresearch.nih.gov/
  6. IRBtool -  Assists with determining when privacy protections in HIPAA apply to a protocol http://www.irbtool.com/hipaa/