Health Insurance Portability and Accountability Act
Research that May Affect Privacy of Health Information
If your study involves health information about a research subject, then you MUST comply with the Privacy Rule in the Health Insurance Portability and Accountability Act (HIPAA), which comes into effect April 14, 2003. This rule is designed to protect individually identifiable health information, known as protected health information.
If you plan to share or disclose a subject's protected health information outside of MIT, and not just use it within MIT, then under the Privacy Rule you must first obtain the permission of the subject. This permission, called an Authorization for Release of Protected Health Information, must specify precisely what information will be released, why it is being released, and from and to whom it is being released. A template for this form is provided in the Forms and Templates section of this website which can be accessed from the main menu. This form must be appended to the informed consent form and completed by the subject at the same time the subject completes the informed consent form. A subject cannot participate in the research if he/she do not complete the Authorization. Additionally, the investigator must maintain a detailed record of each release of health information, and this record must be accessible to the subject.
COUHES, however, may permit the disclosure of individual health information without a subject's specific prior authorization, if the research cannot be practically conducted without access to the protected health information and the disclosure involves no more than minimal risk to the privacy of the subject. If you are requesting such a Waiver of Authorization then you must complete the relevant portions of the COUHES standard application form.
The Privacy Rule applies only to identifiable health information. If the health information is de-identified it is exempt from the Privacy Rule. To be completely de-identified the data set must meet strict criteria and be stripped of ALL direct and indirect subject identifiers. As an alternative method, a researcher may choose to use a limited data set, which is less restrictive and excludes mostly direct subject identifiers. While also exempt from the Privacy Rule, the researcher must complete a formal data use agreement with COUHES governing the disclosure of the information.
The Privacy Rule as noted above comes into effect April 14, 2003. All subjects enrolled in research prior to April 14, 2003 are grandfathered in if they have completed an informed consent form. However, any subjects consented or re-consented after April 14, 2003, under a new or an existing COUHES approved protocol, MUST complete both an informed consent form and an authorization form for the release of health information.
All researchers working with protected health information must complete an appropriate training course on the HIPAA Privacy Rule.
Failure to comply with the HIPAA Privacy Rule will result not only in termination of your study and suspension of related research grants, but may also result in criminal and/or civil penalties to you and M.I.T. (for an individual as high as $250,000 or 10 years imprisonment.)
A more detailed description of the HIPAA Privacy Rule requirements is contained in the COUHES HIPAA Guidance Document which may be accessed by clicking on the link above.
|
