Use of Medical Records in Research

The privacy rule establishes conditions under which protected health information may be used or disclosed by covered entities (hospitals, clinics, schools, etc.) for research purposes. The information below will assist researchers in complying with the regulations and expediting the approval of the research proposal by the IRB. If research falls under the HIPAA regulations, the research records must be kept for a minimum of six years, not the usual three years. The regulations define three conditions that allow researchers access to medical records.

1.   De-Identification of Health Information
The privacy rule allows the release of health information if a list of 18 identifiers is stripped from the records. The identifiers that must be removed include: name, street address, mailing address, city, county, telephone and fax numbers, social security number, birth date, date of death, age (if over 90), chart number, admission and discharge dates, five-digit zip code (the initial three digits of the zip code may be used if the information could not be used in combination with other information to identify someone), license number, vehicle identifiers, URLs, IP addresses, email addresses, and full face photos. The de-identified information may be coded by the hospital or institution to allow for re-identification at a later date.

2.   Use of Medical Information with Subject Authorization
A hospital or institution may release information if authorization is granted by the subject. The authorization must contain the following information: 1) A specific description of the purpose of the authorization and the information to be used or disclosed; 2) Who is authorized to disclose the information; 3) Who is authorized to receive the information; 4) An expiration date for the authorization or a statement such as "end of research study", "none" or similar language; 5) A statement that the individual has a right to revoke the authorization; 6) A statement that the entity disclosing the information may have conditions to the disclosure of information; and 7) A statement that the information disclosed is no longer protected by the privacy rule and may be re-disclosed. The authorization must be written in plain language. The authorization may be included within a consent form to participate in the same research study. It is required that the authorization be signed and dated. A signed copy of the authorization must be given to the subject. (See Sample Form attached.)

3.   Use of Medical Information without Subject Authorization
There are four options stated in the regulations to gain access to medical records without written authorization from the subject. The researcher will be required to state specifically in the protocol what information will be taken from the medical records, and provide a reason why that specific information is necessary to the research. Only the minimum amount of information necessary to conduct the research may be disclosed.

      a.   IRB Approved Waiver of Authorization.  The waiver must include the following information:

            (1)  The date the IRB approved the waiver and a statement identifying the IRB

            (2)  A statement that the IRB approved the waiver based on the following criteria:

                  (a)  The use or disclosure of the information involves no more than minimal risk to the privacy of the individuals, based on the presence of the following elements: an adequate plan has been stated to protect the identifiers from improper use and disclosure; an adequate plan has been stated to destroy the identifiers; adequate written assurances that the protected information will not be reused or disclosed other than what is required by law

                  (b)  The research could not practicably be conducted without the waiver

                  (c)  The research could not practicably be conducted without access to and use of the health information

            (3)  A brief description of the health information determined by the IRB to be necessary (e.g. labs, family history)

            (4)  A statement that the waiver has been reviewed and approved under either normal or expedited review procedures; and

            (5)  The signature of the Chair, or other member designated by the Chair, of the IRB

      b.   Preparation of a Research Proposal.  A researcher may be granted access to records if the researcher agrees in writing or orally that the use or disclosure of the health information is solely to prepare a research protocol or for similar purposes preparatory to research; that the researcher will not remove any health information from the covered entity (e.g. hospital, clinic); and that access is necessary for the purpose of research.

      c.   Research on Health Information of Decedents.  A researcher may be granted access to records if the researcher agrees in writing or orally that the use of the information is solely for research on the health information of decedents; that the health information is necessary for the research; and that documentation of the death of the individuals about whom information is being sought is provided to the hospital or institution.

      d.   Limited Data Sets with a Data Use Agreement.  A data use agreement can be entered into by the researcher and the hospital or institution, or with UND and the hospital or institution. A limited data set can be disclosed for research. A limited data set cannot include the following: name, street address, telephone and fax numbers, e-mail address, social security number, chart number, finger and voice prints, certificate/license number, vehicle identifiers and serial numbers, URLs and IP addresses, and full face photos. A limited data set can include admission and discharge dates, date of death, age, and five-digit zip codes. A date of birth may be disclosed if it is needed for the purpose of the research. If not, the age of the individual can be expressed in years or in months, days, or hours as appropriate. Only the minimum amount of information necessary to conduct the research may be disclosed. The data use agreement must: establish the permitted uses and disclosures of the limited data set by the researcher; limit who can use or receive the data; and require the researcher to agree to the following: not to use or disclose the information other than as permitted by the data use agreement; use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the agreement; report to the hospital any use or disclosure of the information not provided for by the data use agreement of which the researcher becomes aware; ensure that any agents, including a subcontractor, to whom the recipient provides the limited data set agree to the same restrictions and conditions that apply to the researcher with respect to the limited data set; and not to identify the information or contact the individual.