DHHS POLICIES AND PROCEDURES

___________________________________________________________________________________________________________

Section VIII:

Privacy and Security

Title:

Privacy Manual

Chapter:

Use and Disclosure Policies, Research

Current Effective Date:

5/1/05

Revision History:

4/14/03, 6/1/04

Original Effective Date:

4/14/03

___________________________________________________________________________________________________________

Purpose

This policy describes how individually identifiable health information within the North Carolina Department of Health and Human Services (NC DHHS) must be protected when it is accessed, used, or disclosed for research purposes.

This policy shall apply to any of the following DHHS agencies:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered health care components; and
Internal business associates.

Background

HIPAA Privacy Rule establishes the conditions under which individually identifiable health information may be used or disclosed by covered health care component and their internal business associates for research purposes. Research is defined in the privacy rule as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” The HIPAA definition of research also applies to the development of research repositories and research databases. For the purposes of this policy, this definition of research is expanded for institutions operated by the Division of Mental Health, Developmental Disabilities and Substance Abuse Services (DMH/DD/SAS) to include the definition of research provided in North Carolina Administrative Code (NCAC), 10A NCAC 28A.0102, in which “‘research’ means inquiry involving a trial or special observation made under conditions determined by the investigator to confirm or disprove an [sic] hypothesis or to explicate some principle or effect.”

The privacy rule also defines the means by which clients will be informed of uses and disclosures of their individually identifying health information for research purposes, and their rights to access their health information held by covered health care components and internal business associates. Where research is concerned, the privacy rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research.

Currently, most research involving human subjects operates under the Common Rule (45 CFR Part 46, Subpart A) and/or the Food and Drug Administration’s (FDA) human subject protection regulations (21 CFR Parts 50 and 56), which have some privacy and confidentiality provisions that are similar to, but separate from, the HIPAA Privacy Rule’s provisions for research. However, the HIPAA Privacy Rule does not replace or act in lieu of these human subject protection regulations, so DHHS researchers who are also covered health care components or internal business associates may find themselves responsible for complying with multiple sets of regulations. This is particularly true for research on clients conducted by institutions operated by the DMH/DD/SAS, since, according to 10A NCAC 28A.0305, all such research, except minimal risk research (defined in the note below), is subject to the Common Rule.

NOTE:

‘Minimal risk research’ is defined in 10A NCAC 28A.0201 as research in which “the risks of harm anticipated in the proposed research are not greater, considering probability and magnitude, than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests.”

North Carolina General Statute (NCGS) 122C-56(c) provides additional confidentiality protection for individually identifying health information obtained from DMH/DD/SAS facilities for research purposes in that “a person receiving the information may not directly or indirectly identify any client in any report of the research or audit or otherwise disclose client identity in any way.”

Policy

DHHS Researchers

DHHS agencies conducting research on clients shall have access to an Institutional Review Board established in accordance with the Common Rule (45 CFR 46, Subpart A) that will:

Review and modify, disapprove, or approve research protocols and informed consent for research forms; and
Conduct periodic reviews of the research.

DHHS agencies shall obtain client authorization using the DHHS Authorization to Disclose Health Information for Research prior to using or disclosing individually identifiable health information for research purposes, unless one (1) of the criteria listed below is met.

The researcher is required by contract to use a HIPAA compliant authorization form developed by a research facility (e.g., University of North Carolina researchers).
The authorization requirement is waived by either an Institutional Review Board established in accordance with the common rule, or a privacy board that is established according to the requirements defined in this policy.
The research requires the use of a decedent’s individually identifiable health information and that decedent’s information is used only for research purposes.
The individually identifiable health information is used in reviews preparatory to research and both of the following conditions are true:

The use of the individually identifiable health information is necessary for the preparatory review wherein protocol and goals are established for the proposed research and
The individually identifiable health information is not removed from the covered health care component’s site.

A limited data set is used that contains specific limited identifiers after the required data use agreement has been signed by the researcher and the DHHS agency that maintains the health information (see DHHS Privacy Policy Use and Disclosure Policies, De-Identification of Health Information and Limited Data Sets.
Only de-identified health information is used for the research (see DHHS Privacy Policy Use and Disclosure Policies, De-Identification of Health Information and Limited Data Sets).

DHHS researchers shall request the individually identifying health information that is the minimum necessary to conduct the research, in accordance with the DHHS Privacy Policy, Use and Disclosure Policies, Minimum Necessary. Whenever possible, DHHS researchers shall request either de-identified data or a limited data set as necessary if either of these is the minimum necessary for conducting the research.

Each DHHS researcher that is a recipient of a limited data set shall sign a data use agreement with the DHHS agency that maintains the information and shall comply with the conditions of that agreement, in accordance with the DHHS Privacy Policy Use and Disclosure Policies, De-identified Health Information and Limited Data Sets. Agreements that do not conform to the DHHS Data Use Agreement template must be submitted for review/approval by the DHHS Privacy Officer, after which any agreements that substantially deviate from the template will be forwarded to the Office of the Attorney General for review and approval.

Each DHHS researcher that receives individually identifiable health information from a DHHS covered health care component or internal business associate shall ensure that the information is protected in accordance with the DHHS Privacy Policies.

The requirements in this policy are in addition to (not a replacement for) other policies and regulations for human subjects research.

For treatment purposes, DHHS covered health care components shall contact researchers (either internal or external to DHHS) if a research subject seeks additional health care services from or is admitted into the component for additional treatment.

Researchers External to DHHS

DHHS agencies that receive requests for individually identifying health information from researchers external to DHHS shall require the researcher to submit the request in writing. Research requests must be documented in accordance with the requirements identified in this policy.

Implementation

Institutional Review Boards

Institutional Review Boards (IRBs) are responsible for reviewing and modifying (to secure approval), disapproving, or approving the following for research involving human subjects:

Research protocols;
Forms to be used by researchers to obtain authorizations for the use or disclosure of client’s individually identifying health information for research;
Forms to be used by researchers to obtain informed consents from research subjects;
Requests to waive or alter the requirement for client informed consent for participation in research study; and
Requests to waive or alter the requirement for client authorization for the use or disclosure of client individually identifying health information for research.

IRBs must also conduct periodic reviews of the research.

NOTE:

According to 10A NCAC 26C.0204, research conducted in institutions operated by DMH/DD/SAS must be reviewed at least every three months or whenever a change in the research protocol is planned.

DHHS agencies conducting research involving human subjects shall either:

Establish an internal IRB in accordance with the Common Rule as necessary to review, approve, and monitor such research; or
Identify an IRB external to DHHS that will review, approve, and monitor such research.

DHHS IRBs shall implement and document procedures for normal review as defined in 45 CFR 46.108(b), or expedited review according to the procedures defined by 45 CFR 46.110.

DHHS IRBs shall document all decisions regarding the modification, approval, or disapproval of research protocols, documentation, and requests to waiver or alter the informed consent or authorization requirements. The IRB shall also record meeting minutes and document continuing review activities.

These records shall be maintained for a minimum of three (3) years, as required by 45 CFR 46.115.

Privacy Boards

If DHHS agencies determine the IRB cannot provide timely reviews of researcher requests to alter or waive the client authorizations requirement, the agency can establish or designate an external privacy board that:

Has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests;
Has at least one (1) member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and
Does not have any members participating in a review of any project in which the member has a conflict of interest.

DHHS Privacy Boards shall implement and document procedures for normal and expedited reviews of requests to alter or waive the client authorization requirement for research.

Privacy Board normal review procedures shall state that:

The proposed research will be reviewed at convened meetings at which a majority of the privacy board is present;
At least one (1) of the privacy board members present at the review meeting will not be affiliated with the covered entity or the entity sponsoring or conducting the research, nor will that member be a relative of any person who is affiliated with such entities; and
Requests for the alteration or waiver of client authorization must be approved by the majority of the privacy board members present at the review meeting, unless the privacy board elects to use an expedited review procedure.

DHHS Privacy Board expedited review procedures shall state that:

Expedited procedures will be used only to review requests for waiver of authorization for research that involves no more than minimal risk to the privacy of the subjects and their individually identifying health information;
and
Either the chair of the privacy board or one (1) or more members designated by the chair will conduct the review and decide on the approval, modification, or disapproval of the request for waiver.

NOTE:

Privacy Boards only have the authority in regards to approving, modifying (to secure approval), and disapproving requests to alter or waive the client authorization for research. All other approvals for the research study (protocol, informed consent for research documents, and requests for waivers or alterations of informed consent requirement) and periodic reviews must be conducted by an IRB.

Research Conducted with Client Authorization

Unless otherwise permitted by this policy, or required by state or federal law, a client authorization must be obtained prior to the use or disclosure of the subject’s individually identifiable health information for research purposes. Authorizations for research conducted by DHHS agencies shall be completed prior to research activities using the DHHS Authorization to Disclose Health Information for Research.

Any authorization form received by a DHHS agency from a researcher external to DHHS must contain the following elements to be considered valid:

A specific and meaningful description of the information to be used or disclosed;
The name of the entity (e.g., Dorothea Dix Hospital) authorized to disclose the individually identifying health information for research purposes;
The name of the researcher or entity conducting the research to whom the disclosure of individually identifying health information for research purposes can be made;
A description of the specific research study in which the information will be used (authorizations cannot be used for nonspecific research or future, unspecified projects);
An expiration date or event (e.g., client discharge) for the authorization that relates to the client or the research. The following statements meet the requirements for an expiration date or an expiration event if the appropriate conditions apply:

The statement “end of the research study” or similar language;

The statement “none” or similar language if the purpose of the authorized disclosure of individually identifying health information is for the researcher to create and maintain a research database or repository;

NOTE:

If the database or repository is created by a DHHS agency, client authorization or alteration/waiver of the authorization requirement must be obtained before the data can be disclosed for a different research study.

Signature of the client and the date of the signature.

If a client’s personal representative signs the authorization form, a description of the personal representative’s authority to act on behalf of the client must also be provided.

NOTE:

In the DHHS psychiatric hospitals and Alcohol and Drug Abuse Treatment Centers, when a minor is receiving treatment for alcohol or substance abuse as a part of a research study, based upon the consent of the minor’s personal representative, both the minor and personal representative must sign the research authorization.

In addition to the required elements, the authorization form must also contain the statements listed below:

A statement that the client has a right to revoke the authorization and a description of how the authorization may be revoked. The authorization must also state that the researcher may continue to use and disclose the individually identifiable health information obtained before the authorization was revoked if needed to maintain the integrity of the research and for reporting purposes such as reporting adverse events and conducting investigations of scientific misconduct.
A statement that either:

Any treatment received from the covered entity is not dependent upon whether the client signs the authorization to use or disclose information for research purposes (this statement can be used only if the treatment is not delivered as part of the research study),
OR
The provision of research-related treatment is conditioned on a client authorizing the use or disclosure of individually identifiable health information for such research.

A statement that information authorized for disclosure for research use could potentially be re-disclosed by the recipient and would no longer be protected under HIPAA. (Exception: According to 42 CFR 2.52(b) and/or NCGS 122C-56(c), individually identifying health information used or disclosed by facilities operated by DMH/DD/SAS for research purposes may not re-disclosed without further written authorization by the client unless otherwise provided for by state or federal law.)

An authorization is always required for access, disclosure, or use of psychotherapy notes for research purposes. An authorization for access, use, or disclosure of psychotherapy notes for research may not be combined with any other authorization except other authorization for access, disclosure, or use of the same notes.

If a client elects to revoke his/her authorization for the use and disclosure of individually identifying health information for research purposes, the revocation must be documented on the original authorization form in the Revocation section. This revocation shall become a permanent part of the research record and the client’s medical record. Researchers within DHHS shall report the revocations to the institutional review board at the time of continuing review.

DHHS agencies shall provide a copy of the signed research authorization to clients or their personal representatives.

NOTE:

Client authorization for use and disclosure of individually identifiable health information for research purposes does not replace the informed consent to participate in a research study required by the Common Rule, the FDA Protection of Human Subjects Regulations, NCGS 122C-57 (f), 10A NCAC 26C.0200, 10A NCAC 26D.1300, or 10A NCAC 28A.0305.

Alteration or Waiver of Client Authorization to Use or Disclose Individually Identifying Health Information for Research

A DHHS researcher may submit a request to an IRB or privacy board for a waiver or alteration of client authorization for the use or disclosure of individually identifying health information for research if the researcher determines that obtaining client authorizations is not feasible. For example, a researcher may need to request an alteration or waiver of requirement for client authorization for the use or disclosure of individually identifying health information for research in the following cases:

The researcher cannot practicably obtain a potential research subject’s authorization for the review of individually identifying health information in advance of contacting the potential subject; or
The research will only involve the use of existing client records or specimens and no intervention, interaction, or direct contact of any kind with the research subjects will occur.

In the first case, an IRB or privacy board may elect to approve the researcher’s request for a limited waiver of authorization that will permit specified access and use of individually identifying health information solely for prescreening and recruitment contact pursuant to the approved research protocol. In the second case, the volume and/or age of records to be examined during the research may be such that it would not be practicable for the researcher to obtain client authorization beforehand. If the risk to the client’s privacy is minimal, the IRB or privacy board may also elect to approve a waiver in this instance.

DHHS researchers shall submit all requests for the alteration or waiver of client authorizations for research in writing to an institutional review or privacy board.

Researchers may document their alteration or waiver request via the DHHS Application for Waiver/Limited Waiver of Authorization for Research or the application form required by the IRB or Privacy Board that will decide whether to honor the request.

If the IRB or Privacy Board approves the request for alteration or waiver of client authorization, the board shall document that the following criteria are satisfied:

The use of disclosure of the individually identifiable health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

An adequate plan to protect the individual identifiers (more information on individual identifiers is provided in the DHHS Policy Use and Disclosure Policies, De-Identification of Health Information and Limited Data Sets and Administrative Policies, Privacy Safeguards;
An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
Adequate written assurances that the individually identifying health information will not be reused or disclosed to any other person or entity, except:

As required by law;
For authorized oversight of the research project; or
For other research for which the use or disclosure of the individually identifiable health information would be permitted by this policy;

The research could not practicably be conducted without the alteration or waiver; and
The research could not practicably be conducted without access to and use of the individually identifying health information.

The documentation of the alteration/waiver of authorization approval shall also include the following elements:

A statement identifying the IRB or the privacy board and the date on which the alteration or waiver was approved;
A brief description of the individually identifiable health information for which use or access has been determined by the IRB or the privacy board to be necessary to the research;
A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited procedures; and
A signature from the chair of the IRB or privacy board, or from another member of the board who has been designated by the chair.

If a DHHS IRB or privacy board does not approve a request to alter or waive the client authorization requirement for research, the board must inform the researcher of the decision in writing. Similarly, if the board requires a change to the request for the alteration or waiver of client authorization prior to approving the request, the required changes must be documented and sent to the researcher.

If a research project is taking place at multiple sites and/or requires the use and disclosure of individually identifying health information created or maintained by more than one agency (collectively referred to as ‘multisite projects’), more than one IRB may be involved in research study reviews, or researchers participating in the multisite project may elect to use a single IRB. The same situation is expected to occur with Privacy Boards. In some circumstances, Privacy Boards and IRBs will coexist. Regardless, a DHHS agency may rely on a waiver or an alteration of authorization approved by any IRB or Privacy Board, without regard to the location of the approver. However, DHHS agencies may elect to require duplicate IRB or Privacy Board reviews before disclosing individually identifying health information to requesting researchers.

Use and Disclosure of Individually Identifying Health Information without Authorization Preparatory to Research

DHHS agencies may allow researchers to access individually identifying health information without a client authorization, IRB/Privacy Board waiver of authorization, or data use agreement if the access is for the development of a research protocol, an assessment of feasibility of a research protocol, or other reviews preparatory to research. Researchers requesting the information must provide written documentation, via the DHHS Request for Access to Health Information for Research, to the DHHS agency that the following criteria are met:

The use or disclosure of individually identifying health information is solely to prepare a research protocol, or for similar purposes preparatory to research;
The researcher shall not record or remove the individually identifying health information from the agency; and
The individually identifying health information sought is necessary for purposes of the research.

Only the workforce of the covered health care components may contact that agency’s clients without authorization for purposes of recruiting them to participate in a research study.

Therefore, researchers external to DHHS covered health care components that identify potential research subjects during their reviews preparatory to research must submit a written request to the DHHS agency if the researcher wishes the agency to notify the client about a possible opportunity to participate in the research.

This request can be submitted via the DHHS Request for Access to Health Information for Research, or a separate letter. The researcher can choose to accompany this request with an authorization form he/she has already developed (either a stand-alone authorization form, or preferably, one combined with the informed consent form) or the researcher could request that the covered component use the DHHS Authorization to Disclose Health Information for Research. Alternatively, the researcher can pursue approval to alter or waive the client authorization requirement so he or she can conduct the recruitment activities.

DHHS researchers that are part of the DHHS covered health care component’s workforce may contact the client directly for the purposes of recruitment for the research study. However, DHHS researchers must obtain authorization from a client who has indicated interest in participating in a study prior to asking the client any screening questions that involve individually identifying health information.

NOTE:

If the preparatory research activity involves human subjects research (e.g., research subject recruitment, prescreening), the preparatory research activity must be reviewed and approved by an IRB and must satisfy the informed consent requirements unless otherwise waived by an IRB.

Use of Individually Identifiable Health Information for Decedents in Research

DHHS agencies may use or disclose individually identifying health information relating to deceased clients without executing a data use agreement or obtaining an authorization from the executer, administrator, or other person with the authority to act on behalf of the deceased client or the client’s estate, if the researcher requesting the information provides written documentation, via the DHHS Request for Access to Health Information for Research, to the DHHS agency that the following criteria are met:

The information to be used or disclosed is solely for research on the individually identifiable health information of the deceased client;
The researcher has documentation of the death of the client who is the subject of information being sought and can make such documentation available to the DHHS agency upon request (NOTE: If the researcher does not specify clients, but requests individually identifiable health information for “deceased clients” in general, then the DHHS covered component will not need to request proof of client death.); and
The information sought is necessary for the purposes of the research.

Use of De-identified Health Information in Research

DHHS agencies may use or disclose health information for research purposes without obtaining either client authorization or an IRB/Privacy Board waiver for authorization, or executing a data use agreement if the information has been ‘de-identified’.

In de-identified health information, all the elements that could identify a client have been removed so that there can be no reasonable basis to believe that the resulting data may be used, with or without other available information, to identify a client. Researchers must submit requests for de-identified data to the DHHS agency via the DHHS Request for Access to Health Information for Research.

Health information may be considered de-identified if one of the following criteria is met:

The DHHS agency is unaware of a means by which the information could be used alone or in combination with other information to identify a client who is the subject of the information; and a person with appropriate knowledge and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable (e.g., Statistician I or II):

Determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify a client who is the subject of the information; and
Documents the methods and results of the analysis that justify such determination.

The following identifiers for the client or the relatives, guardians, employer, or household members of that client are removed:

Names;
All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geocodes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:

The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; and
The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000;

All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
Telephone numbers;
Facsimile numbers;
E-mail addresses;
Social Security Numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web Universal Resource Locators (URLs);
Internet Protocol (IP) address numbers;
Biometric identifiers, including finger and voice prints;
Full face photographic images and any comparable images; and
Any other unique identifying number, characteristic, or code that can be re-identified without the use of the code key or knowledge of the method used to re-identify the information.

For more information on de-identified health information, see the DHHS Policy Use and Disclosure Policies, De-identification of Health Information and Limited Data Sets.

Use of Limited Data Sets in Research

DHHS agencies may use or disclose a limited number of individual identifiers via a ‘limited data set’ for research without client authorization or IRB/Privacy Board alteration or waiver of authorization whenever the limited data set will meet the researcher’s request. Researchers must submit requests for a limited data set to the DHHS agency via the DHHS Request for Access to Health Information for Research.

To qualify as a limited data set, only the following identifiers for DHHS clients or relatives, guardians, employers, or household members of those clients can be associated with the health information:

State, county, city or town, and/or ZIP Code;
Birth date, admission date, discharge date, and/or date of death;
Age; and/or
Any unique identifying number, characteristic, or code, except for the following:

Social Security Numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers; and
Device identifiers and serial numbers.

All other individual identifiers such as name, address, telephone number, etc. must be removed from the data before the resulting information can be considered a limited data set. (See the Use of De-identified Health Information in Research section above or the DHHS Privacy Policy De-Identification of Health Information and Limited Data Sets for a listing of all individual identifiers.)

Before using or disclosing the limited data set, DHHS agencies must enter into a data use agreement, using the DHHS Data Use Agreement, with the researcher unless the use or disclosure is required by state or federal law.

The minimum necessary rule, as stated in the DHHS Privacy Policy Use and Disclosure Policies, Minimum Necessary, shall apply to limited data sets; therefore, only data elements that are necessary to perform the purpose(s) specified in the data use agreement should be included in the limited data set released to the researcher. HIPAA permits DHHS to rely on the minimum necessary determination of another covered entity of or another covered entity’s IRB or Privacy Board.

Refer to the DHHS Privacy Policy Use and Disclosure Policies, De-identification of Health Information and Limited Data Sets for more information about limited data sets and data use agreements.

Research Requests Received from Organizations External to DHHS

All requests for access to health information (e.g., individually identifying health information, limited data sets, de-identified health information) for research purposes, including those from researchers external to DHHS, must be submitted in writing to DHHS agencies via the DHHS Request for Access to Health Information for Research.

In addition to the Request form, researchers must submit the following documentation, as indicated on the form for their type of request:

Research protocol;
IRB approval letter for the research protocol;
Informed consent forms for research signed by DHHS clients that have agreed to participate in the research study as subjects, or IRB approval of informed consent alteration or waiver;
Either:

Authorization forms signed by DHHS clients that have agreed to become research subjects;
IRB/Privacy Board approval of client authorization alteration or waiver; or
Request that the DHHS agency obtain client authorization via the DHHS Authorization to Disclose Health Information for Research, or the authorization form or combined authorization/informed consent form provided by the researcher;

Upon DHHS agency request, documentation of the decedent status of the clients who is the subject of the individually identifying health information requested. (NOTE: If the researcher does not specify clients, but requests individually identifiable health information for “deceased clients” in general, then the DHHS covered component will not need to request proof of client death.)

Transition Provisions for Research in Progress

For research that involves the use of individually identifying health information and is being carried out according to a protocol reviewed and approved by the Institutional Review Board prior to April 14, 2003:

A research study may continue to use or disclose a client’s individually identifiable health information created or received prior to April 14, 2003.
A research study operating under a waiver of informed consent approved by the Institutional Review Board prior to April 14, 2003, may continue to create, receive, use, and disclose a client’s individually identifiable health information for the study after April 14, 2003, without an IRB or Privacy Board waiver of authorization unless the research study subsequently seeks informed consent, in which case a client’s authorization would be required together with the client’s informed consent.
If the research protocol approved by an IRB before April 14, 2003, required a client’s informed consent, no additional authorization is required to continue to create, receive, use and disclose that client’s identifying health information for the approved study.
Informed consent obtained on or after April 14, 2003, also requires authorization for use or disclosure of the client’s individually identifying health information. If a previously approved research project will be enrolling clients on or after April 14, 2003, the researcher must submit a protocol revision to the IRB that specifies this requirement.

Disclosure of Individually Identifying Health Information from Research Data

DHHS researchers may disclose individually identifying health information that has been gathered or created during the research study if the disclosure is:

Permitted by client authorization;
Permitted by the approved alteration or waiver of authorization;
Permitted by the data use agreement;
Made to the sponsor of the study if the protocol includes a FDA regulated product or activity for which the sponsor is responsible, and the disclosure is for the purposes of quality, safety, or effectiveness (e.g., adverse event/safety reports for investigational new products);
Made to a health oversight agency that is performing oversight activities authorized by law (e.g., disclosure to the Office for Human Research Protections for the purposes of determining compliance with the Common Rule); or
Required by law (e.g., disclosure to cancer registries, other public health reporting).

If a revision to the authorization or alteration/waiver of authorization is necessary to allow the desired disclosure, an IRB or Privacy Board must approve the revision to the protocol. If the terms of the data use agreement must be changed to permit the disclosure, a revised data use agreement must be signed by the researcher and the covered component.

Individually identifying health information gathered during the research study may not be included in presentations or publications of any type unless explicitly permitted by:

The client via authorization or informed consent for research;
Wavier of the client’s authorization by an IRB or Privacy Board;
Waiver of the client’s informed consent by an IRB; or
The data use agreement signed by the DHHS agency disclosing the health information and the researcher.

DHHS agencies may not allow the authorization, alteration/waiver of authorization, or data use agreement obtained for one research project to be used for another research project. However, the IRB or Privacy Board may reanalyze such disclosures and grant a waiver for other studies.

Retention of Research Documentation

DHHS agencies receiving requests for access to individually identifying health information for research shall maintain a copy of the following in the client records:

The approved DHHS Request for Access to Health Information for Research;
The research protocol and IRB letter of approval;
Client authorization or IRB/Privacy Board documentation of approved alteration/waiver of authorization; and
Client informed consent or IRB documentation of approved alteration/waiver of informed consent.

Research documentation filed in the client record must be retained according to the agency’s retention and disposition schedule for such records.

DHHS researchers must maintain copies of authorizations for research and approved waivers of authorization for a minimum of six (6) years from the date of creation, or the date on which the document was last in effect, whichever is later.

Accounting of Disclosures of Individually Identifying Health Information for Research Purposes

Clients have a right to request access to an accounting of all disclosures of their individually identifying health information for research purposes, unless such disclosure was made:

Pursuant to the client’s authorization; or
As part of a limited data set.

Similarly, clients will not receive an accounting of disclosures of their health information if the information was de-identified.

Documentation of disclosures must be kept in the circumstances listed below and provided to clients upon their request:

Disclosures pursuant to an IRB or Privacy Board alteration or waiver of authorization;
Disclosures used in preparation of a research protocol; or
Disclosure of a decedent’s individually identifying health information used for research.

Refer to the DHHS Privacy Policy Use and Disclosure Policies, Accounting of Disclosures for more information about accounting for disclosures of individually identifying health information made for research purposes.

Client Access to Research Information

Client health records that are designated record sets may contain research data to which a client has the right to request access. Clients also have a right to request access to separate research records that have been identified as designated record sets.

Clients receiving treatment in research protocols may be temporarily denied access to their research records in accordance with the DHHS Privacy Policy Client Rights Policies, Rights of Clients provided that:

The individually identifying health information was obtained in the course of the research;
The client agreed to the denial of access via the signed research authorization;
The research remains in process; and
The client’s right to access such individually identifying health information is re-instated once the research study has concluded.

Refer to the DHHS Privacy Policies Client Rights Policies, Designated Record Sets and Rights of Clients for more information about the designated record sets and the client’s right to request access to their health information.

References: DHHS Directive III-11; 42 CFR 2.52(b); 45 CFR 164.501;
45 CFR 164.508(b) and(c)(4); 45 CFR 164.512(i); 45 CFR 164.514(e);
45 CFR 164.524(a); 45 CFR 164.528(b); 45 CFR 164.532;45 CFR 46.107;
45 CFR 46.110; 45 CFR 46.115; 45 CFR 46.116-117;
NCGS 90-113.3(c)-(f); NCGS 122C-56(c); NCGS 122C-57(f); NCGS 130A-131.17;
10A NCAC 26C.0200; 10A NCAC 26D.1300; 10A NCAC 27E.0201; 10A NCAC 28A.0102; 10A NCAC 28A.0305-.0306

For Relevant Documents:

DHHS Authorization to Disclose Health Information for Research
DHHS Request for Access to Health Information for Research
DHHS Application for Waiver/Limited Waiver of Authorization for Research
DHHS Data Use Agreement

For questions or clarification on any of the information contained in this policy, please contact DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.

Section VIII:	Privacy and Security
Title:	Privacy Manual
Chapter:	Use and Disclosure Policies, Research
Current Effective Date:	5/1/05
Revision History:	4/14/03, 6/1/04
Original Effective Date:	4/14/03