HIPS Series > Privacy Issues for Researchers > Quiz + Answers

The questions, answers and explanations are provided below. If you disagree with our answer, or have additional questions, please send email to pdpp@miami.edu. Include the text of the quiz question(s) with which you disagree in your correspondence.

•  •  •  •  •

1. Better Samaritan Hospital conducts a large number of research studies -- some on its own, some in partnership with the affiliated Big State University School of Medicine. Does HIPAA prohibit BSH's or BSU's physicians from discussing recruitment into studies with patients for whom involvement might be appropriate?

A. This sort of discussion always requires a prior authorization, unless there is an IRB waiver or exception determination.

B. Physicians can continue to discuss such options with their own patients, since this would be part of treatment.

C. Physicians can approach any patient in the hospital about recruitment, since this would be part of treatment.

D. HIPAA has no effect on such matters.

B is correct. A potential research subject can be approached by his/her care provider as a part of discussing treatment options; it's disclosure of the patient's information to another person that requires authorization. IRBs may choose to limit such conversations where the care provider is also an investigator on the protocol, but HIPAA does not require this.

•  •  •  •  •

2. BSH-BSU physicians and research staff commonly "mine" the clinical information systems looking for interesting patterns that might suggest a fundable research question. Is this sort of exploration prohibited unless there is prior "clearance" from the IRB and/or the Privacy Board or Privacy Officer?

A. No, because the efforts are merely "preparatory" to the development of a research protocol.

B. No, because the efforts clearly only present a minimal risk to the data subjects, and such explorations are clearly essential.

C. No, because even though it is research, protected information does not leave the facility and the work is entirely retrospective.

D. Yes, because exploration of identifiable health information for such purposes is research, even if entirely retrospective.

D is correct. An IRB or Privacy Board may make a finding that the effort deserves a waiver or exemption, e.g., because of minimal risk. Researchers do not get to decide this for themselves.

•  •  •  •  •

3. What about retrospective data explorations that apply only to deceased individuals? Surely that can be undertaken without any permission?

A. Yes, because there is a specific exemption for deceased persons.

B. Yes, because there is a specific exemption for deceased persons, as long as the data access is considered essential.

C. No, the researcher must still receive clearance if the information is identifiable.

D. No, information on deceased persons receives exactly the same protection as any other, and requires IRB approval.

C is correct. The covered entity may ask for proof of death, and the researcher is still required to "represent" that the access is essential. While deceased persons' information does not receive the same level of protection as for live persons, researchers do not get to decide for themselves.

•  •  •  •  •

4. For a particular research protocol, it is determined that a HIPAA research authorization is necessary for the data analysis effort. But once that document is signed by research subjects, is there any need for other review?

A. No. The patient's (research subject's) authorization is all that is required for data analysis.

B. Yes. IRB review is still required.

B is correct. We hope this was an easy one. An IRB must still make a determination about appropriateness of risks, adequacy of informed consent, etc.

•  •  •  •  •

5. BSH-BSU privacy officials are urging researchers to use "limited data sets" whenever possible, particularly for exploratory efforts. What is required for that?

A. Nothing is required, since this is de-identified data.

B. The researcher must enter into a "data use agreement," which eliminates the need for any other review.

C. The researcher must enter into a "data use agreement." IRB approval may also be required.

D. The researchers must obtain authorizations from research subjects.

C is correct. HIPAA's requirements are met by a data use agreement to govern the use of the limited data set. No authorizations are then required. Common Rule and FDA protections probably require review for anything remotely research-like.

•  •  •  •  •

6. BSH-BSU has re-written its research policies to reflect the HIPAA disclosure accounting requirement. Which of the following items must be provided to patients whose protected health information has been used for research?

A. Researcher contact information.

B. Researcher contact information and protocol name.

C. Researcher contact information, protocol name and study purpose.

D. Researcher contact information, protocol name, study purpose, and timeframe of the use/disclosure.

D is correct. All four of these are required even for the "abbreviated" accounting permitted for large (>50 subjects) protocols. Of course, if an authorization has been signed, there's no HIPAA requirement for a disclosure accounting of any kind.

•  •  •  •  •

7. BSH-BSU is creating a new Joint Center for Research, and as part of that effort wants to create a large, separate database of patient information under its control for unspecified future research. Does it need some kind of permission to do this?

A. No. Setting up repositories of data doesn't count as research, but merely as preparation for research, so no authorization is required.

B. Yes. But it is permissible to use a one-time general HIPAA authorization for "unspecified future research."

C. Yes. And HIPAA requires that research authorizations be specific.

D. Yes. And aside from a specific HIPAA authorization, one should remember to check with the IRB.

C is correct. Research authorizations must be specific as to purposes. D is correct too, of course.

•  •  •  •  •

8. Can the authorizations for such an effort have a vague expiration date -- say "end of the study effort"? BSH-BSU researchers are adamant that they cannot predict how long the associated research efforts will last.

A. No. HIPAA also requires a specific expiration date for a research authorization.

B. Yes. HIPAA permits an authorization date like "end of the study" or even "none."

B is correct. However, if there is no expiration, that must be clearly noted in the authorization.

•  •  •  •  •

9. BSU-BSH staff are very concerned about the environment, particularly the preservation of pine trees, and so wish to merge all the research documents into a single form in order to save paper. Does HIPAA permit its authorizations to be combined with other documents?

A. No. Authorizations must be kept separate from other documents associated with the research, particularly the informed consent required by the Common Rule or FDA regulations.

B. No. Authorizations must also be printed on recycled paper.

C. Yes. Authorizations may be combined with any other legal permission related to the research study, including another authorization or a consent to participate.

D. Yes. HIPAA is entirely silent on what documents may be combined with others.

C is correct. HIPAA explicitly permits this for research-related documents. But each constituent document must have all the required elements, so as to be clear to the research (data) subject.

•  •  •  •  •

10. The information technology departments at BSH and BSU's School of Medicine are enquiring about the level and kind of computer security protections for research databases. What do you advise?

A. Less security is necessary than for the clinical information system, because these databases have much less information in them.

B. Identifiable health information must receive exactly the same level of protection, no matter where it resides.

C. More security is necessary, because research is an "additional" use of patients' data and requires minimal additional risk.

D. It depends on the kind and amount of patient information in the research database. Larger collections, or those with more sensitive data, appropriately receive greater security.

D is correct. Quantity and sensitivity determine, at least in part, how much security is appropriate. B may be a tempting answer, but it is essentially wrong.

•  •  •  •  •


   © 2002-2006 Contributing authors and University of Miami School of Medicine