Policies

Statement of Practice: HIPAA and U-M study team members outside Michigan Medicine in eResearch applications

IRBMED
Mar 2, 2022 2:30 pm
Login to Bookmark  Share

Consult guidance from Michigan Medicine Corporate Compliance Office (level-2 login or VPN required) and IRBMED for general definitions (PHI, HIPAA, Covered Entity, etc.) and concepts.

The vast majority of studies subject to IRBMED oversight involve access to Michigan Medicine Protected Health Information (PHI). The study team members listed in an IRB application (Section 01) may fall into one of the following categories:

If you have questions about a member status related to CE, contact the U-M Compliance Office. U-M faculty/staff/students/trainees outside the CE do not typically view/access PHI as part of their current appointment/affiliation with U-M.

This document provides guidance on how to complete the IRB application (especially Section 25 HIPAA and sub-sections), for study team members who are within the U-M but outside the CE. This guidance does not apply to study team members within the CE, nor to external study team members or disclosing PHI to external entities.

  • Statement of Practice

    For IRB applications, it is important to identify the status of a study team member (within the CE or outside CE) and how the PHI will be utilized so the IRB application can be reviewed according to the applicable regulations and institutional policies.

    1. In question 01.8 Project Summary of the IRB application, identify the study team members who are within U-M and outside the CE.
      Indicate whether these study team members will have access to Michigan Medicine PHI (i.e., any identifiable health information collected from U-M medical records (Michart, etc.) or the health information collected from a research study and then entered into U-M medical records). Note that the 'dates of service' are also considered PHI.
    2. If these members (within-U-M and outside-CE) will NOT have access to Michigan Medicine PHI:
      1. answer “No” to any questions on system-activated pages asking about sharing PHI outside the CE:
        • 25-2.7 (HIPAA waiver page)
        • 25-3.3 (Certification Preparatory to Research)
        • 25-4.3 (Limited Data Set)
        (unless PHI is disclosed outside U-M entirely)
      2. Secondary Use Research applications: answer “Yes” to question 8.1 on page 01-1.2 (Scope) to indicate all PHI is kept within the CE (unless PHI is shared outside U-M entirely).
    3. If these members (within U-M and outside the CE) will have access to Michigan Medicine PHI (generally because Michigan Medicine study team member(s) access/collect PHI and share it with the U-M study team member outside the CE)
      1. answer “Yes” to any questions on system-activated pages asking about sharing PHI outside the CE:
        • 25-2.7 (HIPAA waiver page)
        • 25-3.3 (Certification Preparatory to Research)
        • 25-4.3 (Limited Data Set)
      2. Secondary Use Research applications: answer “No” to question 8.1 on page 01-1.2 (Scope). This will most usually open additional sections (05, 10, and 11) for the study team to complete to request ‘standard’ IRB approval. (as opposed to Exempt human subjects research determination).
      3. The Responsible Data Use & Disclosure Attestation document should be completed per the Michigan Medicine Limited Data Sets Policy, 01-04-342 (U-M internal sharing template is available as an Attachment on the Policy 01-04-342 page).
        • Upload the signed copy into the IRB application at 25-4.3 (if system-activated) or 44.1 (additional supporting documents).
        • If there is a delay in completing and uploading this document to the IRB application for any reason, communicate this information with the IRB staff and re-submit the IRB application/submission.

  • Helpful Notes
    • IRBMED will not hold the IRB approval for the signed copies of the attestation document. However, completion of the document is important as part of compliance with appropriate U-M policies and HIPAA regulations.
    • Per the Michigan Medicine Policy 01-04-342, the attestation document should be utilized for a limited data set scenario, but it is also in use for sharing full PHI. Note that access to and use of PHI must be limited to the minimum necessary to perform the work.
    • For any questions regarding the attestation document or a member status as it relates to CE, contact the U-M Corporate Compliance (phone 734-615-4400, email compliance-group@med.umich.edu Website: https://www.med.umich.edu/u/compliance/hipaa/index.html
Tags: Study Coordinator Principal Investigator Study Teams IRBMED Statement of Practice
Units: Institutional Review Boards (IRBMED)
Topic: eResearch Regulatory Management (eRRM) HIPAA & Protected Health Information Investigator & Study Team Responsibilities Regulations & Policies (Federal, State & Local) Statements of Practice
Questions?

Contact us at irbmed@umich.edu or 734-763-4768 / (Fax 734-763-1234)
2800 Plymouth Road, Building 520, Room 3214, Ann Arbor, MI 48109-2800

A list of IRBMED staff is available in the Personnel Directory, or view the list of Regulatory Teams.

Edited By: larkspur@umich.edu
Last Updated: March 2, 2022 2:30 PM

Related Documents

External (non-UM) Study Team MembersProtected Health Information (PHI)Uses & Disclosures of Protected Health Information (PHI)