Questions and Answers
What does 'retrospective research' under HIPAA generally require?
Either an authorization or meeting one of the criteria for a waiver of authorization.
What must be obtained for the use or disclosure of PHI for retrospective research studies?
Patient authorization or a waiver, alteration, or exception determination from an IRB or Privacy Board.
A covered entity may use or disclose PHI without authorization, documentation of waiver, or alteration of authorization for all of the following EXCEPT:
Under HIPAA, what is generally required if data in question meet the definition of PHI for research purposes?
Signup and view all the answers
Who can you consult with if you have questions about HIPAA research requirements at your organization?
Signup and view all the answers
Which protections do HIPAA's regulations supplement for health information used for research purposes?
Signup and view all the answers
Under HIPAA, when is a disclosure accounting required?
Signup and view all the answers
What remains the responsibility of Institutional Review Boards (IRBs) in relation to HIPAA's requirements?
Signup and view all the answers
What characteristics does a HIPAA authorization have?
Signup and view all the answers
When are authorizations required under HIPAA?
Signup and view all the answers
Study Notes
HIPAA and Retrospective Research
- Retrospective research involves data mining of Protected Health Information (PHI) and requires either patient authorization or criteria for a waiver.
- Use or disclosure of PHI for retrospective studies mandates patient authorization, or necessitates a waiver or determination from an Institutional Review Board (IRB) or Privacy Board.
Disclosure of PHI
- A covered entity can disclose PHI without authorization for various reasons, except when data does not cross state lines.
- Explicit written authorization is generally required for research involving PHI, unless specific exemptions apply, such as minimal risk research or use of de-identified data.
Approval Necessities
- It is important to consult an organizational IRB, Privacy Board, or privacy/security officials for questions regarding HIPAA research requirements.
- Generic advice from colleagues or representatives of funding entities may not be authoritative or suitable for a specific organization’s rules.
HIPAA's Protections
- HIPAA provides protections that supplement existing regulations from the Common Rule and FDA, enhancing the safeguarding of health information in research.
- Disclosures using PHI for human subjects research require accounting unless they involve limited data sets.
Institutional Review Board (IRB) Protocols
- HIPAA's data protections, effective since 2003, complement rather than replace the Common Rule and FDA criteria.
- IRBs may review HIPAA's additional requirements or delegate responsibilities to Privacy Boards or privacy officers.
Disclosure Accounting Requirements
- Disclosure accounting is not required for instances where consent or authorization has been obtained or where information pertains to the subject themselves.
- Accounting is also not mandated for limited data set disclosures under data use agreements or for de-identified information.
Characteristics of HIPAA Authorization
- HIPAA authorizations must be written in "plain language" for understanding, similar to informed consent documents.
- Authorizations are mandatory unless the use conforms to specific exemptions; they must be signed by the research subject or their authorized representative.
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Description
This flashcard set covers essential concepts related to HIPAA privacy protections, specifically focusing on retrospective research and the use of Protected Health Information (PHI). Gain a deeper understanding of the regulations and the criteria for research authorization. Ideal for students studying health law or those in healthcare professions.
