
Policies and Procedures Relating to Research Privacy

 

Introduction

Chapter I - Safeguarding and Managing Use and Disclosure

Chapter II - Definitions

Chapter III – Research Privacy Operations

Chapter IV – Uses and Disclosures

Chapter V – Registries, Repositories and Data Banks


INTRODUCTION

The policies and procedures in this manual are intended to ensure that Personally Identifiable Health Information (PIHI) obtained during the conduct of a Brown University research study is maintained and transmitted with appropriate measures to protect privacy of research subjects.

In addition, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and subsequent regulations published by the Department of Health and Human Services (DHHS) impose restrictions on other institutions* which may be covered under the Act with respect to their relationships with Brown. Brown University may, in conducting research in collaboration with one of these institutions, be required to comply with certain aspects of HIPAA in the conduct of human subjects research activities.

Although Brown University is not a Covered Entity as defined in the HIPAA privacy regulations, the University's policies and procedures, which govern the privacy rights of its research participants included in this manual, are compatible with those required by HIPAA for Covered Entities, and will become standard for research activities involving PIHI.

*The HIPAA privacy regulations refer to these institutions as “Covered Entities” which include: (1) a health plan, (2) a health care clearinghouse and (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by the Act.


Chapter I: Safeguarding and Managing the Use and Disclosure of “Personally Identifiable Health Information”

The Brown University Research Privacy Policy:

  • establishes safeguards to protect the privacy of Personally Identifiable Health Information
  • sets rules for the use and release of Personally Identifiable Health Information and records

For research subjects, the Brown University Research Privacy Policy:

  • restricts the use and disclosure of their Personally Identifiable Health Information to particular situations, except as specifically authorized by the research subject
  • limits the use and disclosure of their Personally Identifiable Health Information to the minimum reasonably necessary to conduct the research for which the information is collected, except as otherwise specifically authorized by the research subject
  • provides for information on how their Personally Identifiable Health Information will be disclosed

For Brown research investigators and members of the Brown research workforce, the policy:

  • requires either an Authorization from the research subject or a waiver by an Institutional Review Board (IRB) to use or disclose Personally Identifiable Health Information
  • requires the research investigator or workforce member to maintain a record of disclosures of Personally Identifiable Health Information in a format containing information established in this policy

The policy further:

  • provides for appropriate administrative, technical, and physical safeguards to protect the privacy of Personally Identifiable Health Information used in Brown research
  • establishes a process, through the Office of the Vice President for Research, to receive and document complaints and for the development of appropriate sanctions for failure to comply with its research privacy policy protections
  • establishes a process to provide and document adequate and timely training of appropriate members of its workforce on its policies and procedures for dealing with Personally Identifiable Health Information used in Brown research
  • requires that research subjects be given written notice of Brown's privacy policy and the proposed use and disclosure of Personally Identifiable Health Information
  • prohibits action to intimidate, threaten, coerce, discriminate against, or retaliate against any individual for exercising the rights under the policy

Chapter II: Definitions

Brown University researchers, employees or workforce members involved in the conduct of human subject research should be familiar with these basic definitions as they relate to Brown University's Research Privacy Policy.

Authorization. Permission from an individual to use or disclose Personally Identifiable Health Information for research purposes. A valid authorization must be written in language which is easily understood and must fully inform the research subject of the intended use and disclosure of the Personally Identifiable Health Information. The individual must be given a signed copy of the authorization that she or he has provided. Authorization to use or disclose Personally Identifiable Health Information for research purposes may be included in the research informed consent document.

Covered Entity. An institution, organization or corporation or other entity which is subject to the rules of the Health Insurance Portability and Accountability Act of 1996. Covered entities include: (1) a health plan, (2) a health care clearinghouse and (3) a health care provider who transmits any personally identifiable health information in electronic form in connection with a transaction covered by the Act.

Data Use Agreement. An agreement between a Covered Entity and Brown, Brown researchers or workforce members who receive a Limited Data Set. The agreement specifies permitted uses and disclosures of the information in a Limited Data Set.

De-Identified Information. Health information that does not identify an individual. Health information can be rendered de-identified either by (i) removal of 18 specific kinds of information about the individual and the individual's relatives, employers, or household members (See Chapter IV C(1)); or (ii) documentation from a professional knowledgeable in statistical and scientific methods that the risk of identification is very small. De-identified information is not subject to Brown's privacy requirements.

Designated Record-Set. A group of records maintained by or for a covered entity that is:

· medical records and billing records about individuals maintained by or for a covered health care provider, or

· the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or

· used, in whole or in part, by or for the covered entity to make decisions about individuals

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of PIHI outside the entity holding the information.

Institutional Review Board (IRB). A committee established at the University to review and approve research involving human subjects in accordance with FDA (21 CFR Part 56) and DHHS (45 CFR Part 46) Human Subject Protection regulations. The IRB may grant waivers of Brown University's requirement for Authorization from the research subject for the use or disclosure of Personally Identifiable Health Information in research.

Legally Authorized Representative. A personal representative who has the authority under applicable State law to sign an Authorization on behalf of another individual.

Limited Data Set. As defined by HIPAA, health information that excludes 16 specified kinds of information about the individual and the individual's relatives, employers, or household members (See Chapter IV, C(2)). Limited Data Sets may be used or disclosed only for purposes of research, and only if provided for in a written Data Use Agreement that satisfies seven specified criteria.

Minimum Necessary Standard. Reasonable efforts to use, disclose, or request the least amount of information needed for the intended purpose.

Minor. An individual who has not reached the age at which a person is legally competent or responsible. In Rhode Island, a minor is a person under 18 years of age who has not (i) been married or (ii) had minority status removed by a court.

Personally Identifiable Health Information. Any information, including demographic information collected from an individual, that:

· relates to (a) the past, present, or future physical or mental health or condition of an individual; (b) the provision of health care to an individual; or (c) the past, present or future payment for the provision of health care to the individual; and

· identifies the individual or there is a reasonable basis to believe it can be used to identify the individual

Personally Identifiable Health Information does not include education records, or medical records covered by the Family Educational Rights and Privacy Act or employment records held by Brown University in its role as an employer.

Psychotherapy Notes. Notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the medical record. Psychotherapy Notes do not include medication prescription and monitoring; session start and stop times; modalities and frequencies of treatment furnished; results of clinical tests; and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress.

Re-Identification. Use of a code or other means designed to enable coded or otherwise de-identified information to be rendered identifiable. Personally Identifiable Health Information that is re-identified is subject to Brown's privacy requirements.

Research. A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

Use. The sharing, employment, application, utilization, examination, or analysis of Personally Identifiable Health Information within the entity holding the information.

Vice President for Research. The senior University officer with authority and responsibility for research programs and activities including the implementation and enforcement of Brown's research privacy policies and procedures.

Workforce. Employees, volunteers, students, trainees, and other persons whose conduct, in the performance of work for an entity, is under the direct control of such entity, whether or not they are paid by that entity.


Chapter III: Brown University Research Privacy Operations

A. Applicability

The Brown University Research Privacy Policy shall apply to all Brown University employees, researchers and members of Brown's workforce engaged in human subjects research. All human subject research protocols shall be reviewed by the Brown University IRB, which shall ensure compliance with this policy.

B. Responsible Officers/Bodies

(1) Vice President for Research

Brown University's Vice President for Research has the authority to make final decisions regarding applicability of the policy. The Vice President for Research is responsible for the development and implementation of policies and procedures relating to research activities at Brown University including, for this policy:

· ensuring that institutional policies adequately address the protection of PIHI

· developing appropriate training programs and educating the research community about Brown University's Research Privacy Policy requirements

· establishing mechanisms for identifying and monitoring compliance

· receiving complaints relating to the use and disclosure of Personally Identifiable Health Information of individuals

· determining appropriate actions to address any failure to comply with the Brown University Research Privacy Policy

· appointing a University Research Privacy Officer to act under the designated authority of the Vice President for Research to enforce and implement the privacy protections covered by this policy

· appointing unit privacy representatives as necessary to assist in education/training and dissemination of information

(2) The Institutional Review Board (IRB)

The Brown University Primary IRB has authority regarding implementation of Brown University's Research Privacy Policy. In addition to granting waivers of Brown University's requirement for Authorization from the research subject for the use or disclosure of Personally Identifiable Health Information in research, it may also review and make recommendations regarding modifications of Brown's privacy policy, in consultation with the Vice President for Research and other appropriate officers of the University.

C. Education

Brown University shall ensure the training of all members of its workforce engaged in human subjects research on its policies and procedures for dealing with Personally Identifiable Health Information.


Chapter IV: Uses and Disclosures of Personally Identifiable Health Information in Research at Brown University

A. General Requirements

All human subject research carried out by Brown University must be approved by the IRB. Use and disclosures of Personally Identifiable Health Information are limited to the Minimum Necessary information needed to accomplish the intended purpose of the research project. Personally Identifiable Health Information may not be used or disclosed for research purposes unless:

· Written authorization has been obtained from the research subject

or

· Brown University receives a satisfactory assurance that the research involves only de-identified information, limited data sets, reviews preparatory to research or, as appropriate, decedents' information

or

· Brown University's IRB approves and documents a formal Waiver of the Authorization requirement

Although Brown University is not a Covered Entity, Personally Identifiable Health Information may be obtained from Covered Entities for research purposes. Research subject Authorizations must satisfy the requirements of the Covered Entities and conform with the HIPAA privacy regulations.

B. Uses and Disclosures With Authorization

Except for the waiver and exceptions noted, research investigators must obtain the research subject's written “authorization” for the use or disclosure of Personally Identifiable Health Information.

Several of the authorization elements under the Brown University Research Privacy Policy are similar to the informed consent elements found in the federal human subject regulations, 45 CFR Part 46, including the requirement that the document be written in language understandable to the individual (or legal representative) and that the individual (or legal representative) sign the document. However, the authorization under this policy has additional elements to those specified under the informed consent requirements of the federal human subject regulations.

A valid Authorization under this policy includes the following:

1. a specific, meaningful description of the Personally Identifiable Health Information that is to be used or disclosed;

2. the name or other specific identification of the persons or class of persons authorized to make the requested use or disclosure of the Personally Identifiable Health Information;

3. the name or other specific identification of the persons or class of persons by whom the information may be used and/or to whom the information may be disclosed;

4. a description of each purpose of the requested use or disclosure;

5. an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study” or “none” or similar language is sufficient for research, including for the creation and maintenance of a research database or research repository; and

6. the signature of the research subject and the date - if the authorization is signed by a personal representative of the research subject, a description of the representative's authority to act for the research subject must also be provided.

In addition to the above, a valid Authorization also must include statements notifying the research subject of each of the following:

1. the research subject's right to revoke the Authorization in writing, any exceptions to the right to revoke the Authorization, a description of how to revoke the Authorization, and a statement that data collected prior to the revocation of authorization may remain in the study;

2. any disclosure of information carries with it the potential for an unauthorized redisclosure and may not be protected; and

3. the consequences of failure to provide Authorization for research-related treatment (see below).

Legally Authorized Representative. If a research subject is a child/minor under State law, or is not competent to provide Authorization, the Authorization must be signed by a personal representative who has the authority under applicable State law to sign an authorization on behalf of another individual.

A description of the representative's authority to act for the individual must be provided with the Authorization.

Brown University policy recognizes the following legally authorized representatives:

· a parent or legal guardian, if the research subject is a minor. In Rhode Island, a minor is a person under 18 years of age who has not (i) been married or (ii) had minority status removed by a court

· a legal guardian, if the research subject has been found by a court to be incapable of managing his or her personal affairs

· an agent of the research subject authorized under a medical power of attorney for the purpose of making a health care decision when the research subject is incompetent

· an attorney ad litem and/or guardian ad litem appointed for the research subject by a court

· a personal representative or statutory beneficiary, if the research subject is deceased

· an attorney retained by the research subject or by the patient's legally authorized representative

· an attorney-in-fact of the patient

Authorization as a Condition for Research-Related Treatment. The provision of research-related treatment may be conditioned on the research subject's Authorization for the use or disclosure of Personally Identifiable Health Information for such research. The consequences of failure to provide the Authorization must be described in the Authorization.

Combining Research Authorization and Research Informed Consent. An Authorization for the use or disclosure of Personally Identifiable Health Information for a research study may be combined with any other type of written permission for the same research study, including another Authorization for the use of Personally Identifiable Health Information for such research or an Informed Consent to participate in such research, except as noted below.

· Separate Authorization for Psychotherapy Notes is Required. An Authorization for the use and disclosure of Psychotherapy Notes may only be combined with another authorization for use or disclosure of Psychotherapy Notes. Authorization for use and disclosure of Psychotherapy Notes may not be combined with Informed Consent for research.

Copy to Subject. A copy of the signed Authorization must be given to the research subject.

Retention of Authorizations. Signed Authorizations shall be retained by the Principal Investigator for six years.

Minimum Necessary Standard Does Not Apply. Uses and disclosures of Personally Identifiable Health Information or de-identified data that are made under an Authorization from the research subject are not limited by the Minimum Necessary Standard.

Revocation of Authorization. An individual may revoke an Authorization at any time by notifying the Brown University investigator in writing. Once Authorization is revoked, the investigator may not subsequently use or disclose the individual's Personally Identifiable Health Information with the following exception.

Exception. The investigator may continue to use information after the subject has revoked Authorization if the investigator has already “taken action in reliance thereon.” This reliance exception is “intended to allow for certain continued uses of the information as appropriate to preserve the integrity of the research study, e.g., as necessary to account for the individual's withdrawal from the study”.

Research Consents Obtained Prior to April 14, 2003. Authorization is not required from subjects who have provided informed consent for research prior to April 14, 2003. However, Authorization must be obtained for any subject enrolled in the research on or after April 14, 2003 as discussed below.

Research Consents Obtained After April 14, 2003. Personally Identifiable Health Information may continue to be created, received, used, or disclosed for research after April 14, 2003 (the Privacy Rule compliance deadline), if one of the following has been obtained prior to the April 14, 2003 deadline:

  • the informed consent of the individual to participate in the research; or
  • approval by the relevant IRB of a waiver of informed consent requirements in accordance with the requirements of the Common Rule and DHHS regulations at 45 CFR 46.116(d); or
  • express legal permission or authorization from the individual to use or disclose Personally Identifiable Health Information for the research.

Personally Identifiable Health Information created, received, used, or disclosed for research after April 14, 2003 that does not meet any of the above criteria must comply with the Authorization or waiver requirements of this policy.

C. Uses and Disclosures Without Authorization

(1) Research Using De-Identified Information

Personally Identifiable Health Information may be used to create information that is not individually identifiable. Once it is de-identified, the information is no longer subject to Brown's (or HIPAA's) privacy requirements. If de-identified information is re-identified, then all privacy requirements again apply.

Requirements for De-Identified Information. Health information is not identifiable if it does not (i) identify an individual or (ii) contain information that can reasonably be used to identify an individual. Brown's privacy protections are not required for such de-identified information; however, IRB review may still be necessary.

There are two methods to determine that health information is not identifiable and the use of either is permitted: (i) reliance on the determination of an expert, or (ii) removal of specific identifiers.

Reliance on the Determination of an Expert. The expert must have appropriate knowledge and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable.

The expert must determine and document that the risk is very small that the information could be used, either alone or in combination with other reasonably available information, to identify an individual.

Removal of Specific Identifiers. All specific identifiers of the individual (or of relatives, employers, or household members of the individual) have been removed, including:

  • names
  • all geographic subdivisions smaller than a State, including street address, county, precinct, zip codes, and their equivalent geocodes, except for the first three digits of a zip code, if (i) current Census Bureau data indicate that the geographic unit corresponding to the same three digits contains more than 20,000 people, and (ii) the three digits are changed to 000 for all geographic units containing 20,000 or fewer people
  • all elements of dates (except year) for dates directly related to an individual; all ages over 89; and all elements of dates (including year) for ages over 89, except that all such ages and elements may be aggregated into a single category for age 90 or older
  • telephone numbers
  • fax numbers
  • electronic mail addresses
  • Social Security numbers
  • medical record numbers
  • health plan beneficiary numbers
  • account numbers
  • certificate/license numbers
  • vehicle identifiers and serial numbers, including license plate numbers
  • device identifiers and serial numbers
  • web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • biometric identifiers, including finger and voice prints
  • full face photographic images and any comparable images
  • any other unique identifying number, characteristic, or code except as noted below

De-Identified Information is not subject to the Minimum Necessary Standard.

Documentation for Use of De-Identified Information in Research. The IRB, or its designee, will require written assurance from the investigator (e.g. within the protocol) that he/she is using de-identified information prior to the use or disclosure of information for research.

Re-Identification Codes. Codes or other means of record identification may be assigned to allow de-identified information to be re-identified. However, the investigator may not disclose the code or record identifier for re-identification, and the code or record locator may not be:

  • derived from or related to the individual.
  • capable of being translated to identify the individual.
  • used or disclosed for any purpose other than re-identification by the investigator.

Any de-identified Personally Identifiable Health Information that has been re-identified is subject to the provisions of this policy.

IRB Approval Requirement for Research Involving De-Identified Information with Re-Identification Codes. De-Identified Information that includes Re-Identification Codes (i.e., codes or other means to allow De-Identified Information to be re-identified) is considered “identifiable” by DHHS and is not exempt under the Common Rule at 45 CFR 46.101(b)(4). Consequently, research involving De-Identified Information that includes Re-Identification Codes must receive IRB review and approval.

(2) Limited Data Sets

A Limited Data Set may only be used for purposes of:

  • research
  • public health
  • health care operations

Requirements for a Limited Data Set. A Limited Data Set consists of Personally Identifiable Health Information that excludes the following direct identifiers of the individual (or of relatives, employers, or household members of the individual):

  • names
  • postal address (but the town, city, State and zip code are acceptable)
  • telephone numbers
  • fax numbers
  • electronic mail addresses
  • Social Security numbers
  • medical record numbers
  • health plan beneficiary numbers
  • account numbers
  • certificate/license numbers
  • vehicle identifiers and serial numbers, including license plate numbers
  • device identifiers and serial numbers
  • web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • biometric identifiers, including finger and voice prints
  • full face photographic images and any comparable images

Uses of a Limited Data Set for Research. Brown University researchers may conduct research using Limited Data Sets in two ways:

(a) A Brown University researcher or employee may create a Limited Data Set which may be shared with colleagues at other institutions, or entities, on a Brown sponsored research project.

(b) Brown University may receive a Limited Data Set for Research from another institution or entity, which is a Covered Entity. Under such an arrangement, Brown researchers will be required to comply with HIPAA provisions governing such relationships.

Under HIPAA, a Covered Entity has full responsibility to determine that Limited Data Sets are used and disclosed under a Data Use Agreement that meets Privacy Rule requirements. Consequently, the Covered Entity will require Brown researchers (or Brown) to enter into a written Data Use Agreement prior to the use or disclosure of a Limited Data Set in research. All Limited Data Set Data Use Agreements between Brown University and a Covered Entity should be submitted to the Office of Research Administration for review and approval.

Data Use Agreements must include the following:

  • establish the permitted uses and disclosures of the information by the recipient (for example, that the use or disclosure will be for research involving diabetes)
  • indicate that the recipient may not use or further disclose the information in any way that would violate Privacy Rule requirements, the conditions stated in the Agreement, or applicable law
  • identify who is permitted to use or receive the information
  • require the recipient to use appropriate safeguards to prevent unauthorized uses or disclosures of the information
  • require the recipient to report to the covered entity any unauthorized use or disclosure of the information
  • require the recipient to ensure that all agents or subcontractors of the recipient have agreed to the same restrictions and conditions on use or disclosure of the information
  • require the recipient not to identify the information or contact the individuals with whom the information is associated

A sample Data Use Agreement for research use of a Limited Data Set is provided in Appendix A.

The Minimum Necessary Standard applies to the use or disclosure of Limited Data Set Information.

IRB Approval Requirement for Research Involving Limited Data Sets with Re-Identification Codes. A Limited Data Set that includes Re-Identification Codes (i.e., codes or other means to allow Limited Data Set information to be Re-Identified) is considered “identifiable” by DHHS and is not exempt under the Common Rule at 45 CFR 46.101(b)(4). Consequently, research involving Limited Data Set information that includes Re-Identification Codes must receive IRB review and approval.

Waiver of Authorization Requirement for Research. Brown University researchers seeking research data from a HIPAA Covered Entity may encounter situations requiring a waiver of Authorization to acquire Personally Identifiable Health Information. If such a situation presents itself, the HIPAA Covered Entity should seek a waiver from its IRB or Privacy Board for the release of the data to the Brown research program. If the Covered Entity does not have an IRB or Privacy Board, the waiver of Authorization may be sought from another IRB, either a third party IRB or the Brown IRB.

To approve requests for alteration or waiver of the HIPAA Authorization requirement for Personally Identifiable Health Information provided by a Covered Entity, the IRB or Privacy Board of the Covered Entity must determine that the alteration or waiver satisfies the following criteria:

1. The use or disclosure of Personally Identifiable Health Information involves no more than minimal risk to the privacy of individuals based on the following:

· there is an adequate plan to protect the identifiers from improper use and disclosure

· the identifiers will be destroyed at the earliest possible opportunity unless there is a research or a health justification for retaining them (or retention is required by law)

· written assurance is provided by the research investigator that the Personally Identifiable Health Information will not be reused or disclosed to another person or entity (except as required by law, for authorized oversight of the research, etc.)

2. The research could not practicably be conducted without the alteration or waiver

3. The research could not practicably be conducted without access to and use of the Personally Identifiable Health Information

Note: On a case-by-case basis, the Brown University IRB will determine whether it should consider and/or grant a waiver of an Authorization for release of Personally Identifiable Health Information by a Covered Entity.

Documentation of Alteration or Waiver of Authorization. Documentation of the determination by either the Brown University IRB, or by an IRB or Privacy Board of a Covered Entity for Personally Identifiable Health Information provided by that Covered Entity, shall include:

  • the date of approval of the alteration or waiver of Authorization
  • a brief description of the Personally Identifiable Health Information to be used or accessed
  • a written determination by the IRB or Privacy Board that the alteration to or waiver of individual Authorization satisfies the criteria listed above
  • a statement that the alteration or waiver was reviewed and approved using (a) normal (full, convened) review procedures, or (b) expedited review procedures
  • the signature of the reviewing IRB or Privacy Board Chairperson, or other member of the IRB or Privacy Board as designated by the Board's Chairperson

D. Other Uses and Disclosures

(1) Reviews Preparatory to Research

An Authorization from the research subject or waiver of Authorization requirement by the Brown IRB is not required for reviews of Personally Identifiable Health Information preparatory to research (e.g., to prepare a protocol or estimate the number of available subjects).

However, if the Personally Identifiable Health Information is being provided by a Covered Entity, to dispense with the Authorization requirement, the Covered Entity may require the following representations from the research investigator:

  • the use or disclosure of Personally Identifiable Health Information is sought solely to review such health information as necessary to prepare a research protocol or for similar purposes preparatory to research
  • the Personally Identifiable Health Information will not be removed from the Covered Entity during the course of the researcher's review
  • the review or use of the Personally Identifiable Health Information is necessary for the purposes of the research
  • the researcher will not use the preparatory research provision to contact prospective research subjects

Any use or disclosure of Personally Identifiable Health Information for a Review Preparatory to Research is limited to the minimum needed for the intended purpose.

Recruitment of Research Subjects. The HIPAA provision for reviews preparatory to research permits Brown University investigators to access Covered Entity-held Personally Identifiable Health Information to prepare research protocols or estimate the number of available subjects. However, the HIPAA provision does not permit Covered Entity-held PIHI to be removed from the Covered Entities, or permit Brown University investigators to use this Personally Identifiable Health Information to contact prospective subjects for recruitment into research.

(2) Research Involving Decedents' Information

An Authorization (from the research subject prior to death or a representative of the research subject after death) for research involving decedents' information is not required. However, the following assurances from the research investigator must be provided to receive decedents' information from a Covered Entity:

(a) the use or disclosure is sought solely for research on the Personally Identifiable Health Information of the decedent (and not of family members);

(b) documentation of the death of the individual(s) has been obtained; and

(c) the Personally Identifiable Health Information is necessary for the purposes of the research.

The use or disclosure of Personally Identifiable Health Information for research on decedents must be limited to the minimum needed for the intended purpose.

(3) As Required by Law

Personally Identifiable Health Information may be disclosed where required by law or regulation. The following are examples of when such disclosure is permitted:

· for public health activities as conducted or directed by a Public Health or other government authority including:

o prevention or control of disease, injury or disability

o reporting of disease, injury, birth, death, or other vital event

o public health surveillance, investigations, or interventions

o reporting of child abuse or neglect, other abuse or neglect, or domestic violence

· to avert a serious threat to individual or public health or safety

· to coroners and medical examiners or for cadaveric organ, eye, or tissue donation

· for judicial and administrative proceedings in response to (i) an order of a court or administrative tribunal; or (ii) a subpoena, discovery request, or other lawful process

· for law enforcement purposes; specialized government functions and workers' compensation

· by workforce members who are whistleblowers or victims of a criminal act

(4) Disclosures to Sponsors As Required Under FDA Regulations

Disclosure of Personally Identifiable Health Information to persons who have responsibilities relating to the quality, safety, or effectiveness of FDA-regulated products or activities is permitted. Such persons include the Sponsors of clinical investigations (and their agents, auditors, or monitors) for activities such as:

  • collecting or reporting adverse events, product defects or problems, or biological product deviations
  • tracking FDA-regulated products
  • enabling product recalls, repairs, replacements, or “lookbacks” (including locating and notifying individuals who have received products of product recalls, withdrawals, or other problems)
  • conducting post-marketing surveillance

Disclosure of Personally Identifiable Health Information for such purposes must be limited to the information needed under the relevant FDA requirements.

(5) Disclosures for Health Oversight Activities

Disclosures to government health oversight agencies for activities authorized under law, including audits, administrative investigations, inspections, or other activities necessary for oversight are permitted and are limited to the information needed for the intended purpose.

(6) Reporting of Adverse Events and Unanticipated Problems

Brown University research investigators continue to be responsible for the reporting of adverse events and unanticipated problems involving risks to subjects or others to the IRB, the sponsor, the FDA, other government entities, and other entities legitimately entitled to this information.

(7) Confidentiality Requirements for Research Informed Consent

Human subject protection regulations (FDA [21 CFR 50.25(a)(5)] and DHHS [45 CFR 46.116(a)(5)]) require that subjects be informed about the extent to which confidentiality will be maintained in the research. In general, informed consent for research participation should make clear to the prospective subject that identifiable personal information may be shared. For example, the researcher may be required to provide access to research data to, among others, the Study Sponsor, FDA, DHHS, the IRB(s), and where applicable, the government funding agency.

E. Accounting for Disclosures

Brown University researchers using Personally Identifiable Health Information should maintain a record of disclosures made to third parties. Such records should cover disclosures for a six-year period. Records of disclosure should include:

  • the date of each disclosure
  • the name and address, if known, of the person or entity receiving the information
  • a brief description of the Personally Identifiable Health Information disclosed
  • a brief statement of the purpose of and basis for the disclosure, or a copy of the written request for the Disclosure

F. Other Operations

Business Associate Relationships with Covered Entities. Under the HIPAA privacy regulations, a Business Associate is a person (or entity) who, although not a member of the workforce of a Covered Entity, performs (or assists in performing) a covered function or activity on behalf of the Covered Entity that involves the use or disclosure of Personally Identifiable Health Information received from that Covered Entity.

Research activities of a Business Associate involving Personally Identifiable Health Information may take place under a contractual agreement that clearly establishes the permitted and required disclosures for both the Covered Entity and the Business Associate at Brown University in compliance with the HIPAA Privacy Rule requirements. Examples of activities which create a Business Associate relationship include:

· claims processing or administration

· data analysis, processing or administration

· utilization review

· quality assurance

· billing

· benefit management

· practice management

· repricing

· legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services.


Chapter V: Registries, Repositories, and Data Banks

Registries, Repositories, and Data Banks* involve the collection and storage of information and/or biological specimens for some future purpose. Some are created and maintained explicitly for research purposes. Others are created and maintained for non-research purposes, but may be accessed for research. Brown University's privacy policy for Research Registries, Research Repositories, and Research Data Banks depends upon how Personally Identifiable Health Information in the Registry, Repository, or Data Bank is collected, used, and disclosed.

(*Such Registries, Repositories and Data Banks may or may not be Covered Entities. If a Registry, Repository or Data Bank is a Covered Entity, the HIPAA Privacy Rule applies.)

A. IRB Oversight

When the purpose of the Registry, Repository, or Data Bank includes research, its collection and storage activities are considered research and require oversight from Brown's IRB.

When information or tissues from a Registry, Repository, or Data Bank are used in research, the research use requires IRB oversight, regardless of the purpose for which the Registry, Repository, or Data Bank was created.

Brown University investigators should consult with the IRB to determine the IRB review and oversight requirements for establishing a Registry, Repository, or Data Bank or for using information or specimens from a Registry, Repository, or Data Bank.

B. Operations

Identifiable Information. Collecting or storing identifiable health information or identifiable biological specimens for research purposes generally requires specific Authorization from the research subject.

De-Identified Information. Any Brown University investigator receiving De-Identified Information from a Registry, Repository, or Data Bank of a Covered Entity is not subject to this policy. However, IRB approval may still be necessary.

Limited Data Sets. Any Brown University investigator who utilizes a Registry, Repository, or Data Bank made up of Limited Data Set Information from a Covered Entity will be required to execute a Data Use Agreement.

Decedents' Information. Any Brown University investigator who utilizes a Covered Entity's Registry, Repository, or Data Bank made up of Decedents' Information must provide written assurance (see Chapter IV, D(2)) regarding this activity to the Covered Entity, which maintains this Registry.

Activities Preparatory to Research. Any Brown University investigator who utilizes a Covered Entity's Registry, Repository, or Data Bank for an Activity Preparatory to Research must provide written assurance (see Chapter IV, D(1)) regarding this activity to the Covered Entity, which maintains this Registry.

Unidentifiable Biological Specimens. Brown University's Research Privacy Policy does not apply to repositories that contain only unidentifiable biological specimens.

C. Non-Research Registries, Repositories, and Data Banks

Some Registries, Repositories, and Data Banks exist for non-research purposes. For example, certain Disease Registries may be mandated by State law or regulation for public health purposes. Other Registries, Repositories, and Data Banks may exist at an institutional level for quality assurance purposes. Privacy requirements for the creation and maintenance of such Registries, Repositories, and Data Banks will vary depending upon their purpose and utilization.

Regardless of their intended purpose, such resources often hold information of value for research. Investigators who access information from non-research Registries, Repositories, and Data Banks for research purposes must adhere to the applicable IRB and privacy policy requirements.

Research Authorization Not Obtained. Authorization for disclosure and research use is not likely to have been obtained from the individuals whose Personally Identifiable Health Information is contained in non-research Registries, Repositories, and Data Banks. When prior authorization has not been obtained, access to the information will require either:

  • A Waiver of Authorization approved by the relevant IRB or Privacy Board; or
  • A written representation from the investigator that the research use involves only De-Identified Information, Limited Data Set Information, Decedents' Information, or Activities Preparatory to Research.

April 15, 2003