Action When a Required HIPAA Authorization in Human Subjects Research is not Obtained
Official university administrative policy
Policy Information
Effective
June 22, 2016
Number
HPR 2 01
Applicability
This policy applies to the University Research Community.
Administrative Authority
Vice President for Risk Audit and Compliance
Responsible Unit
Privacy Office
215 Central Avenue, Suite 205
Louisville, KY 40208
Phone: 502-852-3803
Email: privacy@louisville.edu
History
Original Effective Date: October 1, 2004
Revision Date(s): October 15, 2015; March 5, 2020; November 16, 2022
Reviewed Date(s): June 23, 2016
Statement
When it is discovered that a required HIPAA authorization is either missing or is incomplete, the researcher shall submit a deviation to the Institutional Review Board/Privacy Board (Board). For incomplete authorizations, this applies to those without, for instance, a signature or a date, or a relationship if the subject is a minor (see Related Information below to access a complete list of authorization requirements). The submission shall include a Corrective Action Plan that includes steps to be taken to prevent future occurrences and sanctions against the individual responsible. The submission shall describe either the plan to obtain a valid authorization from the subject/s or to sequester the data.
The Board, in consultation with the University Privacy Officer, will determine the outcome of the request. No further PHI for the subject/s shall be obtained or used by the researcher until a final Board decision is made.
If the Board determines that the data cannot be maintained for the study, the researcher will not be allowed to use or disclose any protected health information from or about the study subject/s. All such Protected Health Information shall be eliminated from the active research files and sequestered, as appropriate, and an attestation that the required actions have been completed shall be sent to the Board.
Related Information
- Deviation submission: http://louisville.edu/research/humansubjects/lifecycle/event-reporting
- University Health Care Component: https://louisville.edu/privacy/covered-entity-status
Reasoning
The University needs to have a method for handling Protected Health Information used or disclosed for University research purposes when a valid HIPAA authorization has not been obtained from the research subject/s as required by 45 C.F.R. § 164.508.
Definitions
Covered Entity means:
1. A health plan.
2. A health care clearinghouse.
3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.
Individually Identifiable Health Information - Information that is a subset of health information, including demographic information collected from an individual, and:
1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
i. That identifies the individual; or
ii. With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
Protected Health Information - Individually identifiable health information from or about a subject that is:
1. Held by a covered entity, or
2. Received by a UofL researcher who is part of the University's health care component, regardless of source.