Tenet must meet specific conditions of the HIPAA Privacy Rule which describe how protected health information may be used or disclosed by covered entities for research purposes. Tenet can use or disclose PHI for research with or without individual authorization depending on the situations outlined in this policy. When patient authorization is required to use or disclose PHI for research purposes, Tenet must make sure to get a valid authorization and ensure that the use and disclosure of the PHI aligns with what the authorization says.
- Institutional Review Board (IRB) or Privacy Board approved a waiver for the use or disclosure of PHI for research purposes
- Representation that PHI is being used or disclosed for developing a research protocol, the PHI is not going to be removed and is necessary for the research
- Representation that PHI is being used or disclosed for research on decedents and PHI is necessary for the research
- Data set for research, health care operations and public health use may be provided
- Data Use Agreement (DUA) must be in place with recipient
- DUA is in Contract Arrangements Manual (CAM)
- Description of the information to be used or disclosed
- Name of the person or class of persons authorized to make the request
- Name of the person or class of persons to whom Tenet can make the request
- Purpose for each of the requests
- Expiration date or end event for the request (as applicable)
- Statement related to individual's right to revoke and process/exceptions to revoke the authorization
- Statement that treatment and payment are not conditioned on getting the authorization (unless otherwise allowed)
- Statement that authorized information might be disclosed again by the recipient and no longer be protected by this rule
- Statement that individual can inspect or copy the PHI in response to the authorization
- Statement that the use or disclosure of the requested information will result in remuneration to Tenet (if applicable)
- Copy of signed authorization must be provided to individual for their own use or disclosure of PHI
- Signature of the individual and date (representative's authority to act for the individual)
- Other considerations
- Authorization must be written in plain language
- Authorization must be documented on a form such as “Sample Authorization to Use andDisclose Health Information”
- Authorization does not need to expire (i.e., it continue until the “end of the research study” without an end date or event date)
- Authorization may be combined with consent to participate in the research or other legal permission related to the research study
- Privacy Rule
- Adds greater privacy protections for human subjects
- Establishes specifics for how PHI can be used or shared
- Common Rule
- Established for research involving human subjects
- Provides for some patient confidentiality protections
- Common Rule References for Tenet’s Model Policies
- CR 1.00 General Requirements
- CR 1.01 Conflict of Interest
- CR 2.01 Cost Analysis
- CR 2.02 Hospital Time Analysis
- CR 2.04 Billing Within Research Accounts
- CR 2.05 Auditing and Monitoring of Research Accounts
- CR 3.0 Informed Consent for Human Subjects Research
- Research disclosures made based on an individual’s authorization
- Disclosures of the limited data set provided to researchers with a data use agreement