HIPAA and Existing Research Protocols and Databanks
Basic Rule. HIPAA has a grandfathering provision,
Section 164.532(c), which addresses research protocols and protected
health information ("PHI") in research databanks that
existed prior to its effective date, April 14, 2003. If the grandfathering
conditions are satisfied, an investigator may continue to collect,
use and disclose PHI under the protocol and from the databank, whether
the PHI was collected before or after April 14th.
To use and disclose PHI for research after April 14th
under this grandfathering provision, the following conditions must
be met:
- Prior to April 14, 2003, the IRB approved a research protocol
  that covered the PHI, and
- The IRB-approved protocol involved either
  (a) an IRB waiver of informed consent, or
  (b) the obtaining of informed consent from the subject.
However, if for any reason after April 14th, an investigator
must obtain informed consent from a subject under the protocol,
then a HIPAA authorization must be combined with the informed consent.
(This would mean that the investigator must amend the IRB protocol
in order to submit a revision to the consent form. The IRB website
has revised the model informed consent form to now include the elements
of a HIPAA authorization.)
Also, if the original protocol was reviewed as "exempt" by the
IRB, then there was probably not a waiver of informed consent. The
protocol would have to be amended to either request a waiver of
informed consent prior to April 14, 2003, or a waiver of consent
and HIPAA authorization if submitted after April 14, 2003. (Some
exempt reviews by the non-medical IRB panel might have involved
a waiver, but no exempt review by the medical IRB panels involved
a waiver.)
If you wish to use the existing data for a purpose not covered
by the original protocol, you will probably have to submit a new
protocol to the IRB. That is the existing IRB rule, but HIPAA would
also require this after April 14, 2003. If the new protocol cannot
meet the criteria for a waiver of consent and HIPAA authorization
(the criteria for the two waivers are very similar), then an informed
consent with the elements of a HIPAA authorization would be necessary
for the new use.
Questions & Answers
Q #1. We have an ongoing prospective cohort study that has been
up and running for 12 years and is funded for at least another 3.
We need to be able to continue to access and use the information
collected to date after April 14. Do we need a waiver or exemption
for data collected prior to April 14, 2003?
A. If you had an IRB waiver of informed consent for the subjects
under this protocol, then you can use the PHI collected before
and after April 14th with no further steps under
HIPAA. If the IRB required informed consent, then you will need
to amend the protocol and consent form to include the HIPAA authorization
elements in the informed consent for any subjects who are
consented after April 14th. PHI collected under
informed consents prior to April 14th can continue to
be used for research without any further steps under HIPAA.
Q #2. I have downloaded and entered information about past and
current patients into an electronic file that I use for clinical
care and when I am designing new studies and possible future publication.
Can I continue to use the data for both clinical and research purposes
and if so, what steps, if any, do I need to take to achieve HIPAA
compliance?
A. If the information includes PHI and you did not have an IRB
protocol that covered its collection and research use through the
electronic file, then you will need to submit a protocol to the
IRB. Both the human subjects rules and the HIPAA rules would be
covered through the IRB review. If this could qualify for a waiver
of consent, you might wish to do this prior to April 14th,
in order that any use for research purposes after April 14th
will not be considered a violation of HIPAA. If the human subjects
rules would have required a protocol at the time you initially established
the electronic file, there may be a past violation of those rules.
If an IRB protocol was originally submitted to cover the collection
and use for research, then no further steps are required under HIPAA,
unless it was an exempt protocol. Exempt protocols that were processed
by all IRB panels (except some by the non-medical panel) would not
qualify as a waiver of informed consent. Therefore, the HIPAA grandfathering
provision would not be satisfied.
Your use of the electronic file for clinical care would constitute
"treatment" under HIPAA. A HIPAA authorization from the
patient would not be required. However, the PHI in the electronic
file should be a duplicate of the information in the legal medical
record. If not, then certain rights under HIPAA (to the "designated
record set"), such as the right to access, would apply to your file
as well as the legal medical record.
Q #3. Please address HIPAA issues relating to the use of archived
patient samples for research testing.
A. If the tissue samples include individually identifiable health
information and were originally archived in part or whole for a
research purpose, then the human subjects rules would have required
a general databank protocol to cover their collection from the patient
and storage for subsequent research. If that occurred and involved
either a waiver of informed consent or the obtaining of informed
consent, then the HIPAA grandfathering provision would be satisfied
for their initial collection. As investigators developed research
data from the samples prior to April 14th, there should
have been an additional IRB protocol to cover that use. If the IRB
protocol involved a waiver of consent or obtaining of consent, then
any use of PHI in connection with the samples could continue after
April 14th.
After April 14th, as you and other investigators
develop specific, new research studies that involve the use of these
samples, both the human subjects rules and HIPAA would require an
additional IRB protocol to cover the study. At that point, the IRB
would determine if a waiver of informed consent and HIPAA authorization
is possible, or if an informed consent with the elements of a HIPAA
authorization is necessary.
Prepared 1/29/03
Rodney Johnson
Senior University Counsel
Stanford Office of the General Counsel