Privacy and Security
Use and Disclosure Policies, Research
Current Effective Date:
4/14/03, 6/1/04, 11/15/15
Original Effective Date:
HIPAA Privacy Rule establishes the conditions under which individually identifiable health information may be used or disclosed by covered health care component and their internal business associates for research purposes. Research is defined in the privacy rule as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” The HIPAA definition of research also applies to the development of research repositories and research databases. For the purposes of this policy, this definition of research is expanded for institutions operated by the Division of Mental Health, Developmental Disabilities and Substance Abuse Services (DMH/DD/SAS) to include the definition of research provided in North Carolina Administrative Code (NCAC), 10A NCAC 28A.0102, in which “‘research’ means inquiry involving a trial or special observation made under conditions determined by the investigator to confirm or disprove an [sic] hypothesis or to explicate some principle or effect.”
The privacy rule also defines the means by which clients will be informed of uses and disclosures of their individually identifying health information for research purposes, and their rights to access their health information held by covered health care components and internal business associates. Where research is concerned, the privacy rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research.
DHHS agencies conducting research on clients shall have access to an Institutional Review Board established in accordance with the Common Rule (45 CFR 46, Subpart A) that will:
DHHS researchers shall request the individually identifying health information that is the minimum necessary to conduct the research. Whenever possible, DHHS researchers shall request either de-identified data or a limited data set as necessary if either of these is the minimum necessary for conducting the research.
Each DHHS researcher that is a recipient of a limited data set shall sign a data use agreement with the DHHS agency that maintains the information and shall comply with the conditions of that agreement, in accordance with the DHHS policies.
Each DHHS researcher that receives individually identifiable health information from a DHHS covered health care component or internal business associate shall ensure that the information is protected in accordance with the DHHS Privacy Policies.
The requirements in this policy are in addition to (not a replacement for) other policies and regulations for human subjects research.
For treatment purposes, DHHS covered health care components shall contact researchers (either internal or external to DHHS) if a research subject seeks additional health care services from or is admitted into the component for additional treatment.
Researchers External to DHHS
DHHS agencies that receive requests for individually identifying health information from researchers external to DHHS shall require the researcher to submit the request in writing. Research requests must be documented in accordance with the requirements identified in this policy.
Institutional Review Boards
Institutional Review Boards (IRBs) are responsible for reviewing and modifying (to secure approval), disapproving, or approving the following for research involving human subjects:
DHHS agencies conducting research involving human subjects shall either:
DHHS IRBs shall implement and document procedures for normal review as defined in 45 CFR 46.108(b), or expedited review according to the procedures defined by 45 CFR 46.110.
DHHS IRBs shall document all decisions regarding the modification, approval, or disapproval of research protocols, documentation, and requests to waiver or alter the informed consent or authorization requirements. The IRB shall also record meeting minutes and document continuing review activities.
These records shall be maintained for a minimum of three (3) years, as required by 45 CFR 46.115.
Research Conducted with Client Authorization
Unless otherwise permitted by this policy, or required by state or federal law, a client authorization must be obtained prior to the use or disclosure of the subject’s individually identifiable health information for research purposes. Any authorization form received by a DHHS agency from a researcher external to DHHS must contain the following elements to be considered valid:
An authorization is always required for access, disclosure, or use of psychotherapy notes for research purposes. An authorization for access, use, or disclosure of psychotherapy notes for research may not be combined with any other authorization except other authorization for access, disclosure, or use of the same notes.
If a client elects to revoke his/her authorization for the use and disclosure of individually identifying health information for research purposes, the revocation must be documented on the original authorization form in the Revocation section. This revocation shall become a permanent part of the research record and the client’s medical record. Researchers within DHHS shall report the revocations to the institutional review board at the time of continuing review.
DHHS agencies shall provide a copy of the signed research authorization to clients or their personal representatives.
Client authorization for use and disclosure of individually identifiable health information for research purposes does not replace the informed consent to participate in a research study required by the Common Rule, the FDA Protection of Human Subjects Regulations, NCGS 122C-57 (f), 10A NCAC 26C.0200, 10A NCAC 26D.1300, or 10A NCAC 28A.0305.
Alteration or Waiver of Client Authorization to Use or Disclose Individually Identifying Health Information for Research
A DHHS researcher may submit a request to an IRB or privacy board for a waiver or alteration of client authorization for the use or disclosure of individually identifying health information for research if the researcher determines that obtaining client authorizations is not feasible. For example, a researcher may need to request an alteration or waiver of requirement for client authorization for the use or disclosure of individually identifying health information for research in the following cases:
In the first case, an IRB or privacy board may elect to approve the researcher’s request for a limited waiver of authorization that will permit specified access and use of individually identifying health information solely for prescreening and recruitment contact pursuant to the approved research protocol. In the second case, the volume and/or age of records to be examined during the research may be such that it would not be practicable for the researcher to obtain client authorization beforehand. If the risk to the client’s privacy is minimal, the IRB or privacy board may also elect to approve a waiver in this instance.
DHHS researchers shall submit all requests for the alteration or waiver of client authorizations for research in writing to an institutional review or privacy board.
If the IRB or Privacy Board approves the request for alteration or waiver of client authorization, the board shall document that the following criteria are satisfied:
The documentation of the alteration/waiver of authorization approval shall also include the following elements:
If a DHHS IRB or privacy board does not approve a request to alter or waive the client authorization requirement for research, the board must inform the researcher of the decision in writing. Similarly, if the board requires a change to the request for the alteration or waiver of client authorization prior to approving the request, the required changes must be documented and sent to the researcher.
If a research project is taking place at multiple sites and/or requires the use and disclosure of individually identifying health information created or maintained by more than one agency (collectively referred to as ‘multisite projects’), more than one IRB may be involved in research study reviews, or researchers participating in the multisite project may elect to use a single IRB. The same situation is expected to occur with Privacy Boards. In some circumstances, Privacy Boards and IRBs will coexist. Regardless, a DHHS agency may rely on a waiver or an alteration of authorization approved by any IRB or Privacy Board, without regard to the location of the approver. However, DHHS agencies may elect to require duplicate IRB or Privacy Board reviews before disclosing individually identifying health information to requesting researchers.
Researchers external to DHHS covered health care components that identify potential research subjects during their reviews preparatory to research must submit a written request to the DHHS agency if they want the agency to notify the client about a possible opportunity to participate in the research.
DHHS researchers that are part of the DHHS covered health care component’s workforce may contact the client directly for the purposes of recruitment for the research study. However, DHHS researchers must obtain authorization from a client who has indicated interest in participating in a study prior to asking the client any screening questions that involve individually identifying health information.
If the preparatory research activity involves human subjects research (e.g., research subject recruitment, prescreening), the preparatory research activity must be reviewed and approved by an IRB and must satisfy the informed consent requirements unless otherwise waived by an IRB.
Health information may be considered de-identified if one of the following criteria is met:
The DHHS agency is unaware of a means by which the information could be used alone or in combination with other information to identify a client who is the subject of the information; and a person with appropriate knowledge and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable (e.g., Statistician I or II):
The following identifiers for the client or the relatives, guardians, employer, or household members of that client are removed:
Use of Limited Data Sets in Research
DHHS agencies may use or disclose a limited number of individual identifiers via a ‘limited data set’ for research without client authorization or IRB/Privacy Board alteration or waiver of authorization whenever the limited data set will meet the researcher’s request.
To qualify as a limited data set, only the following identifiers for DHHS clients or relatives, guardians, employers, or household members of those clients can be associated with the health information:
All other individual identifiers such as name, address, telephone number, etc. must be removed from the data before the resulting information can be considered a limited data set.
Research Requests Received from Organizations External to DHHS
All requests for access to health information (e.g., individually identifying health information, limited data sets, de-identified health information) for research purposes, including those from researchers external to DHHS, must be submitted in writing to DHHS agencies via the Request for Access to Data form. In addition to the Request form, researchers must submit the following documentation, as indicated on the form for their type of request:
DHHS researchers may disclose individually identifying health information that has been gathered or created during the research study if the disclosure is:
If a revision to the authorization or alteration/waiver of authorization is necessary to allow the desired disclosure, an IRB or Privacy Board must approve the revision to the protocol. If the terms of the data use agreement must be changed to permit the disclosure, a revised data use agreement must be signed by the researcher and the covered component.
Individually identifying health information gathered during the research study may not be included in presentations or publications of any type unless explicitly permitted by:
DHHS agencies may not allow the authorization, alteration/waiver of authorization, or data use agreement obtained for one research project to be used for another research project. However, the IRB or Privacy Board may reanalyze such disclosures and grant a waiver for other studies.
Retention of Research Documentation
DHHS agencies receiving requests for access to individually identifying health information for research shall maintain a copy of the following in the client records:
Research documentation filed in the client record must be retained according to the agency’s retention and disposition schedule for such records.
DHHS researchers must maintain copies of authorizations for research and approved waivers of authorization for a minimum of six (6) years from the date of creation, or the date on which the document was last in effect, whichever is later.
Accounting of Disclosures of Individually Identifying Health Information for Research Purposes
Clients have a right to request access to an accounting of all disclosures of their individually identifying health information for research purposes, unless such disclosure was made:
Similarly, clients will not receive an accounting of disclosures of their health information if the information was de-identified.
Documentation of disclosures must be kept in the circumstances listed below and provided to clients upon their request:
For questions or clarification on any of the information contained in this policy, please contact DHHS Privacy and Security Office. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.