Office Hours:
Monday - Friday,
8am - 5pm
Mailing Address:
Michigan State University, 202 Olds Hall
East Lansing, MI 48824.
Phone: (517) 355-2180
Fax: (517) 432-4503
Email: irb@msu.edu
Office Location:
202 Olds Hall.
Olds Hall is located between the Administration Building and MSU Main Library.
To submit a question not answered on our website, please use the Feedback Form.
What do I have to do to comply with HIPAA?
What makes an authorization valid?
What do I do with the authorization form after it is signed?
Do I need to have the authorization form approved?
Can I have one form for subjects to sign, one that combines consent and authorization?
What information do I need to include in my IRB application, renewal or revision to request a Waiver of Authorization?
I need to look at medical records to recruit subjects. How can I do this and still comply with HIPAA?
My research requires health information about dead subjects. How does HIPAA apply to my work?
I need an electronic file of information from the covered entity for my research, not actual medical records. How can I get this information under HIPAA?
How can I get more information about HIPAA?
What do I have to do to comply with HIPAA?
A1: If you do NOT need to use or access protected health information (PHI), you do not need to do anything. HIPAA does not apply to your research.
A2: If you DO need to use or access protected health information (PHI) AND your protocol includes obtaining informed consent of subjects, then you need to have subjects sign a VALID authorization form. You can use the valid authorization form approved by the medical provider that has the PHI, or you can use the MSU template authorization form. You do NOT need to submit a revision to your protocol if you are only adding a separate valid authorization form. If you want advice on whether your form meets the HIPAA criteria to make it valid, you can ask IRB staff or the chair of the MSU Research Privacy Board to review it for you. (See Q2 on criteria for valid authorizations, and Q4 on when the IRB or Privacy Board must approve the authorization.) At your next renewal, include the authorization form.
A3: If you DO need to use or access protected health information (PHI) AND your protocol includes a WAIVER OF INFORMED CONSENT, then you need to request a Waiver of Authorization. (See Q6 on Criteria for Waiver of Authorization.)
What makes an authorization valid?
A1: HIPAA stipulates that a valid authorization form contain six elements and three required statements. The six elements are:
- The identification of who is providing the health information, i.e., the name of the hospital or doctor. For example, MSU HealthTeam, Dr. Smith, Family Practice, A255 Clinical Center, East Lansing, MI 48824-1313.
- The identification of who is receiving the health information, i.e., the name of the researcher(s). For example, Dr. Smith, Family Practice, A255 Clinical Center, East Lansing, MI 48824-1313 and The National Family Practice Research Group, 7777 N. XYZ Street, City, State 33333-3333. Note: the same person may be listed as the provider and the researcher, and more than one recipient of the information can be listed.
- Specific identification of what health information is being requested, e.g., the entire medical records, the X-Ray reports, the lab reports, etc. of which patients from which health care provider during what time period.
- The expiration event or date of the authorization, e.g., the end of the research study, six months after signing, etc.
- The signature of the subject, or their representative, and the date when signed.
- The specific purpose of the use / disclosure, e.g., for research purposes of a specific study. It is recommended that you include the title of the research study and the IRB number.
The three statements are:
- The authorization can be revoked by writing to _____________ (the person or group responsible for providing the health information, e.g., the name and address of the hospital or doctor). If an MSU HealthTeam practice is listed as the provider then the revocation must be mailed to the MSU HealthTeam HIPAA Privacy Officer, D130 West Fee Hall, East Lansing, MI 48824-1315. The researcher can also be listed as receiving notice of the revocation.
- The consequences of not signing the authorization. Regular treatment cannot be withheld; however, participation in the research can be restricted.
- The health information may be disclosed after being released. This is because the researcher may not be covered under HIPAA if he/she is not providing health care. Other qualifiers may be added that reflect the privacy commitments in the informed consent.
A2: The MSU template authorization form includes all the elements. It can be used by filling in the blanks, or as a guide to developing a study-specific authorization form. You can ask IRB staff for a template and instructions. This is a dynamic form as we continue to work with local hospitals to achieve consensus language.
What do I do with the authorization form after it is signed?
A1: You must give a copy of the signed authorization form to the subject.
A2: You will need the original signed authorization form as a "ticket" to get the medical records or health information from the hospital or doctor. The hospital or doctor is required to keep the original signed form for a period of six years after the expiration date. Many providers are putting these forms in the patient's medical chart. You may want to keep a copy for your research records.
Do I need to have the authorization form approved?
A1: Yes. If the authorization form is combined into the consent form, then it requires approval of the MSU IRB under DHHS regulations (approval of consent procedures) and the MSU Research Privacy Board under MSU policy (ensure it has all the elements and statements required by HIPAA regulations). See question Q5.
A2: Yes. If you are using a separate authorization form the MSU Research Privacy Board will review it to make sure it has all the elements and statements required by HIPAA regulations. The MSU IRB will also review it as part of their oversight of human subjects' research even though it is not required under the HIPAA Privacy Rule.
Can I have one form for subjects to sign, one that combines consent and authorization?
A1: Yes, this will require IRB approval because it is a revised consent document. However, the IRB and Privacy Board do not recommend combining the consent and authorization because the medical providers (hospitals or doctors) are required to keep the original signed authorization form. The researcher no longer has the original signed consent document in this case. The IRB and Privacy Board recommend that you use separate authorization and consent documents.
What information do I need to include in my IRB application, renewal or revision to request a Waiver of Authorization?
A1: Include the following six items:
- Specific identification of the protected health information that is needed,
- Your reasons why the information is necessary for your research,
- Your reasons why your research could not be done without the waiver,
- Your plan to protect "identifiers,"
- Your plan to destroy "identifiers," and
- Your written assurance that the information will not be reused or disclosed except as required by law.
I need to look at medical records to recruit subjects. How can I do this and still comply with HIPAA?
A1: If you are the health care provider, then you can use the medical records to "recruit" subjects. You do not need a waiver of authorization to do this because it is considered use "preparatory to research." You may discuss the study with your patients to obtain their consent and authorization.
A2: If you are NOT the health care provider (or covered entity), or if you hire research staff who are not employees of the covered entity, then you MUST request a waiver (or partial waiver) of authorization from the MSU Research Privacy Board before you can use the medical records for recruitment. This is necessary before the covered entity will disclose the information to you EVEN though you will be asking the subjects to sign an authorization form once they are recruited. Note: the Privacy Board may request documentation of training on HIPAA privacy regulations for the individuals using medical records or protected health information for recruitment, and may restrict the recruitment methods, e.g., require initial patient contact be made by the health care provider and not by the researcher.
A3: Some researchers are paying covered entities to do the recruitment for them.
My research requires health information about dead subjects. How does HIPAA apply to my work?
A1: HIPAA allows research on protected health information of deceased subjects WITHOUT authorization. However, you will need to "represent" to the covered entity that the subjects are dead, that your use of the health information is "solely" for research, and that you need the health information to do the research. Some hospitals are requiring documentation of death and/or filling out forms to request these records.
A2: Some covered entities may require IRB or Privacy Board approval before disclosing health information on deceased individuals even though the HIPAA Privacy Rule permits this access. If that is your situation, you can apply to the IRB for Privacy Board review and approval. You do not need to apply for regular IRB review, only for Privacy Board review. Contact the IRB staff if you have questions.
I need an electronic file of information from the covered entity for my research, not actual medical records. How can I get this information under HIPAA?
A1: HIPAA allows use and disclosure of "de-identified" health data because it no longer identifies the individual. You do not need authorization from the subject to use de-identified health information. At a minimum, the health care provider will need to exclude the following information from the data file for it to be considered "de-identified" using a "safe harbor" method. These exclusions apply to the individual, their relatives, employers, or household members [45 CFR 164.514(b)(2)(i)(A)-(R)]. In your application to the IRB include information on the de-identification methods being used by the health care provider.
- Names
- Addresses (except for State or first three zip code numbers if there are more than 20,000 people in that geographic area)
- Dates (except for year) for birth, death, admission, etc... For ages >89, year must be excluded in age dates.
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate / license numbers
- Vehicle identifiers and serial numbers, including license plate
- Device identifiers
- Web URLs
- Internet IP addresses
- Biometric identifiers (includes finger and voice prints)
- Full face photos
- Any other unique identifying number, characteristic, or code (except those assigned by a covered entity as a method to de-identify and then re-identify records)
A2: HIPAA also allows use and disclosure of a "limited data set" that includes some of the items excluded above. You will need to sign a "data use agreement" with the provider for them to disclose these data to you. Submit this signed form to the IRB with your application. A limited data set [45 CFR 164.514(e)(2)(i)-(xvi)] excludes the same elements as above except for:
- Addresses - town, city, State and zip code are allowed, no street addresses.
- Dates are allowed.
- Any other unique identifying number is allowed.
A3: A covered entity may have arrangements with a "business associate" to create these data sets, de-identified or limited.
A4: In your application to the IRB include a copy of the signed data use agreement or the de-identification methods. If you need advice about data use agreements, you can contact the IRB staff or the chair of the MSU Research Privacy Board.
How can I get more information about HIPAA?
A1: Check the web site for the Office of Civil Rights at http://www.hhs.gov/ocr/hipaa/ for the text of the rule and the latest OCR guidance on interpretation.
A2: Contact Dr. Linda Triemer, Chair of the MSU Research Privacy Board at triemerL@msu.edu or (517) 355-2180 ext. 224.
A3: Contact the IRB staff at irb@msu.edu, crirb@msu.edu or (517) 355-2180 ext. 0.
A4: For specifics on how medical providers are interpreting HIPAA, contact the hospital compliance officer, medical records manager, IRB chair or IRB administrator.
A5: For MSU Health Team, check their website at http://www.healthteam.msu.edu; or contact the Compliance/HIPAA Privacy Officer at maryj.waterstraat@ht.msu.edu.
© 2007 MSU Board of Trustees, All Rights Reserved