Office Hours:
Monday - Friday,
8am - 5pm

Mailing Address:
Michigan State University, 202 Olds Hall
East Lansing, MI 48824.

Phone: (517) 355-2180
Fax: (517) 432-4503
Email: irb@msu.edu

Office Location:
202 Olds Hall.
Olds Hall is located between the Administration Building and MSU Main Library.

Michigan State University
 
MSU Privacy Board Authorization Forms

About HIPAA Authorization
What Makes an Authorization Form "Valid"
When Authorization is Not Needed
When and How to Make a Request for Waiver
Review Criteria for Waiver of Authorization

About HIPAA Authorization

Effective April 14, 2003, health care providers, health care plans and health care clearinghouses (all "covered entities") cannot release health information about an individual without that person's written authorization except in limited circumstances as described in the HIPAA privacy rule. This is not a new practice to many providers. What is new are the specific details now required nationally for these authorizations to be valid under the HIPAA privacy rule.

The rule lists the core elements and the situations when authorizations are and are not required.

For researchers, a valid signed authorization is required to use or receive individuals' health information for research purposes from a "covered entity", with the following exceptions:

  1. The research only involves decedents
  2. The information is deidentified by the covered entity
  3. The information is provided by the covered entity as a "limited data set" and the researcher has a signed data use agreement with the covered entity
  4. The researcher has approval from an Institutional Review Board or Privacy Board for a waiver of authorization
  5. The researcher is a health care provider and is doing work that is "preparatory" to research, e.g., developing a research protocol based on their patient data or talking to their patients about the research study before obtaining their authorization.

In ALL cases, the covered entity makes the decision whether or not to disclose the health information. Covered entities may interpret the HIPAA requirements differently; for example, one may require that all redisclosures by the researcher be stated on the authorization form while another makes that requirement solely for the informed consent document.

Recommendation: Contact the hospitals, health care systems, health plans or whatever covered entity from which you will need individual health information for your research. Find out what their requirements are for the authorization form. IRB has a template that you can follow which contains all the core elements; HOWEVER, not all covered entities may accept this form.

Questions?
Contact Dr. Linda Triemer, Director of Compliance and Standards at (517)355-2180 ext. 224 or triemerl@msu.edu or the IRB staff at (517)355-2180 ext. 0 or irb@msu.edu.

What Makes an Authorization Valid?

45 CFR 164.508(c) Implementation specifications: Core elements and requirements.

  1. Core elements. A valid authorization under this section must contain at least the following elements:

    1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

    2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.

    3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.

    4. A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.

    5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of the research study," "none," or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research including for the creation and maintenance of a research database or research repository.

    6. Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.

  2. Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:

    1. The individual's right to revoke the authorization in writing, and either:

      1. The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or

      2. To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by 164.520 [notice of privacy practice], a reference to the covered entity's notice.

    2. The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:

      1. The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or

      2. The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization. [note: (b)(4)(i) A covered health care provider may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research under this section… (b)(4)(iii) A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party.]

    3. The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart.

  3. Plain language requirement. The authorization must be written in plain language.

  4. Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.
Authorization Form Templates and their instructions can be found here


When Authorization is Not Needed

De-identified Data Set does not require written authorization

  1. Permitted for research, public health, or health care operations.
  2. Documented to be de-identified by appropriate expert (statistical / scientific expertise)
  3. To achieve the "safe harbor" method of deidentification: REMOVE the following identifiers of the individual or of relatives, employers, or household members of the individual:
    1. Names
    2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if it contains more than 20,000 people.
    3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
    4. Telephone numbers
    5. Fax numbers
    6. Electronic mail addresses
    7. Social security numbers
    8. Medical record numbers
    9. Health plan beneficiary numbers
    10. Account numbers
    11. Certificate/license numbers
    12. Vehicle identifiers and serial numbers, including license plate numbers
    13. Device identifiers and serial numbers
    14. Web URLs (universal resource locators)
    15. IP address numbers (internet protocol)
    16. Biometric identifiers, including finger and voice prints
    17. Full face photographic images and any comparable images
    18. Any other unique identifying number, characteristic, or code, except as permitted to code for re-identification [see 164.514(c)].

164.514(c) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:

  1. Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
  2. Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanisms for re-identification.

Revised September 28, 2005

Limited Data Set Does not Require Written Authorization

  1. Permitted for research, public health, or health care operations.
  2. Data Use Agreement is required between the covered entity and limited data set recipient.
  3. Limited Data Set Excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
    1. Names
    2. Postal address other than town, city, state, zip code
    3. Telephone numbers
    4. Fax numbers
    5. Electronic mail addresses
    6. Social security numbers
    7. Medical record numbers
    8. Health plan beneficiary numbers
    9. Account numbers
    10. Certificate/license numbers
    11. Vehicle identifiers and serial numbers, including license plate numbers
    12. Device identifiers and serial numbers
    13. Web URLs (universal resource locators)
    14. IP address numbers (internet protocol)
    15. Biometric identifiers, including finger and voice prints
    16. Full face photographic images and any comparable images

164.514(e)(4) Implementation specifications: Data use agreement.

  1. Agreement required. A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirement of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes.
  2. Contents. A data use agreement between the covered entity and the limited data set recipient must:
    1. Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section [note: research, public health, or health care operations]. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity;
    2. Establish who is permitted to use or receive the limited data set; and
    3. Provide that the limited data set recipient will:
      1. Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
      2. Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
      3. Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;
      4. Ensure that any agents, including a subcontractor, to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
      5. Not identify the information or contact the individuals.

September 29, 2005

Data Use Templates can be found here

When and How to Make a Request for Waiver

When:
A principal investigator can make a request for a waiver of authorization when submitting an initial application, when renewing an application, or at any time that it is necessary (e.g., the hospitals have stopped doing the recruitment for their study and now they have to change their recruitment plan).

How:
A principal investigator submits a new application, a renewal application, or a revision form with supporting documentation.

Information to include:

  • A description of the specific individual health information that is needed
  • A description of the plan to protect any individual identifiers
  • A description of the plan to destroy the individual identifiers at the earliest opportunity or reasons why they will be retained
  • Written assurance that they will not reuse or disclose the individual health information improperly (recommend that all planned uses and disclosures be described)
  • An explanation as to why the individual health information is necessary for the research
  • An explanation as to why a waiver is needed

Questions:
If you have any questions contact Dr. Linda Triemer, chair of the MSU Research Privacy Board, (517)432-4500 or triemerl@msu.edu.

Review Criteria for Waiver of Authorization

If the research protocol meets any of the following criteria the protocol can be reviewed through an Expedited Privacy Board review:

  1. An authorization to use or disclose protected health information is submitted, or
  2. All research subjects are deceased, or
  3. Protected health information is "de-identified" as certified by the covered entity, or
  4. Protected health information is in a "limited data set", and a "data use agreement" with the covered entity is submitted, or
  5. A waiver of informed consent for the research was obtained prior to April 14, 2003, or
  6. Researchers, who are also the health care providers of the subjects, need to use protected health information solely to prepare a research project or to recruit subjects prior to having subjects sign an authorization form, and the records will not be removed from the "covered entity", or
  7. A waiver of authorization is requested to use existing medical records, e.g., a retrospective review of medical records with no prospective patient contact.

Criteria for Approval of a Waiver of Authorization by the Privacy Board
for Expedited and Normal Review Procedures

If the research protocol has all the following elements:

  1. Involves no more than Minimal Risk to privacy of individuals by having all of the following:
    1. Adequate plan to protect the identifiers from improper use and disclosure, and
    2. Adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research (unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law), and
    3. Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted.
  2. The research could not practicably be conducted without the waiver or alteration.
  3. The research could not practicably be conducted without access to and use of the protected health information.

Revised September 28, 2005

© 2007 MSU Board of Trustees, All Rights Reserved