8.1 - Human Subjects Research: Access to Protected Health Information by OUCOD Researchers

Background: Ensuring the protection of human participants in research is of critical importance. Federal regulations require that Institutional Review Boards (IRBs) have written policies and procedures governing human participant research and that activities at the institution are carried out as described in the written policies and procedures documents. An audit of the University of Oklahoma College of Dentistry (OUCOD) by the OUHSC HIPAA Compliance Office identified the absence of a centralized repository of information in the college regarding human subjects research that is conducted by OUCOD faculty, staff, residents and students. The absence of a policy governing the implementation and oversight of human subjects research in the various programs at OUCOD was also identified during the audit. This policy addresses the above-mentioned deficiencies.

Purpose:  To ensure that patients’ protected health information (PHI) is being properly accessed, transmitted, and stored in accordance with the requisite federal and University of Oklahoma Health Sciences Center (OUHSC) guidelines during the conduct of human subjects research in the University of Oklahoma College of Dentistry and its affiliated education programs

Policy Statement: It is the policy of the College of Dentistry that faculty, staff, residents and students who conduct research involving human subjects must manage PHI in accordance with Federal HIPAA Laws, OUHSC HIPAA Privacy and Security Policies, and OUHSC Institutional Review Board (IRB) guidelines.

Scope and Applicability: This policy shall apply to all College of Dentistry key personnel who have access to PHI. Internal policies that apply to the operations of individual departments, divisions, advanced programs and business units may not conflict with OUCOD-wide policy, but they may be more restrictive.

Definitions:

Protected Health Information (PHI): Protected health information (PHI) is any information in the medical record or designed record set that can be used to identify an individual and that was created, used or disclosed in the course of providing a health care service. HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA applies only to research that uses, creates, or discloses PHI that enters the medical record or is used for healthcare services, such as treatment, payment, or operations.

Health Insurance Portability and Accountability Act (HIPAA): The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required creation of national standards to protect sensitive patient health information from being discussed without the patient’s consent or knowledge.

OUHSC Institutional Review Board (IRB):  The Institutional Review Board (IRB) for the OUHSC campus is responsible for reviewing research submissions that involve human subjects and assessing that they adequately meet the criteria for approval set forth by the federal regulations, state law, and OU policies and procedures.

Policy Approval:  This policy was reviewed by the Dean’s Advisory Council on June 28, 2023 and signed by the Dean on July 6, 2023. It will go into effect on the date it is formally communicated across the College, and will be reviewed every three years. 

Corresponding Procedures

• 8.1.1(a) Procedure for Access to Protected Health Information (PHI) by OUCOD Researchers

Related OUHSC Policies

• University of Oklahoma HIPAA Policies

• Minimum Necessary Access and Rule
• PHI in Research
• De-Identification/Re-Identification of PHI
• OU IT Information Classification Standard
   

Related OUCOD Policies

• None

Revision History

Introduction: Maintaining a system of human participant research compliance is a critical aspect of research conducted at academic institutions. Toward that end, this procedure outlines the actions that OUCOD faculty, staff, residents and students must adhere to for the conduct of human subjects research. This procedure also specifies disciplinary actions that may be imposed in instances of non-compliance.

Prerequisites: None

Procedure:

1. 1. The faculty person who is designated as the Principal Investigator of the IRB application will send an email to the Dean for Research and Innovation containing the IRB protocol, the names and titles of key personnel, the approval notice from IRB and data management plan (if any), for the proposed human subjects research project.
2. 1. 1. The Dean for Research and Innovation will upload the approved IRB protocol, approval notice and data management plan (if any) to the Intranet - Special Groups - Research IRB folder.
3. 1. 2. Once the Dean for Research and Innovation has reviewed the IRB protocol, approval notice and data management plan, he will email the Director of Compliance and the Compliance Coordinator, and CC the Principal Investigator, to notify them the documents have been added to the Research IRB Intranet folder.
          
4. 2. The Principal Investigator will provide the parameters of PHI being requested for their study via an email to the Director of Compliance and the Compliance Coordinator so that only the approved PHI is released for study purposes. Depending on the patient management system, the Director of Compliance or the Compliance Coordinator will:
      1. axiUm or OMS Vision - reply all to the email, including Dentistry IT Services Informatics using the cod-di@ouhsc.edu email address, identifying the Principal Investigator and other key personnel, who are named in the IRB protocol, and providing parameters of PHI that the Principal Investigator may access.
      2. Principal Investigator will go to Informatics to acquire any necessary reports created, as designated by the IRB protocol, to the file share designated by Dentistry IT Services.Graduate Orthodontics - reply all to the email, including the Ortho II and Paper Records Administrators, identifying the Principal Investigator and other key personnel, who are named in the IRB protocol, and providing parameters of PHI that the Principal Investigator may access.
5. 1. 1. 1. Principal Investigator will go to the Graduate Orthodontics Records Administrators to have any necessary reports created or paper records copied, as designated by the IRB protocol, to the file share designated by Dentistry IT Services.
             
6. 3. The Principal Investigator will use password protection to safeguard the electronic files or reports containing PHI that will be used for the duration of the study. All paper records will be kept secure at all times, as stipulated in OUHSC guidelines.
       
7. 4. The Principal Investigator is responsible for informing the Dean for Research and Innovation and the Director of Compliance about a change in key personnel on the study within 30 days.
       
8. 5. The Principal Investigator is responsible for obtaining confirmation of the deletion of data or removal of access for all study-related PHI from key personnel prior to graduation, change in participation in the study, or termination of employment, and will forward the confirmation to the Dean for Research and Innovation and the Director of Compliance.
       
9. 6. Disciplinary Actions: In addition to reporting to the OUHSC Office of HIPAA Compliance, faculty, staff, residents and students will be subject to disciplinary actions ranging from temporary suspension to termination of their employment, as determined by the Dean of the College of Dentistry in consultation with the Dean for Research and Innovation.

1. Prior to submitting an IRB applicaiton, consult with the Director of Dentistry IT Services if:
   • The study will list any specific IT or clinical equipment by make, model or serial number in order to ensure that the proposed technology has a service life and replacement schedule that is compatible with the student duration.
   • The study includes category A healthcare data or category D1 confidential research data (NIH, export controlled research, DOD technical information, etc).  Proposals that include these data categories will require creation of a specific file share for the study where all study-related materials will be maintained.  Access to the share will be limited to only those authorized in the eventual IRB approval.  Consultation prior to proposal submission will facilitate the estimation of projected size requirements, and ensure logistical and operational needs are met.  It is the responsibility of the PI to ensure that all individuals participating in the study utilize only the approved file share for study file, photo and document storage.
2. Keep portable device(s) secure at all times. External drives, including USB thumb drives, will not be used in research projects that include category A healthcare data.
3. Provide annual check in, update and termination notifications to the Dean for Research and Innovation and the Director of Compliance.
4. Dispose of paper copies of PHI in secure shred bins located throughout the College of Dentistry.
5. Remove all PHI from portable devices prior to graduation or termination of employment.
6. Report lost or stolen devices that contain PHI immediately to College of Dentistry IT, the Director of Compliance, the Compliance Coordinator, and the Dean for Research and Innovation.
7. Use strong passcodes or passwords that adhere to University guidelines for accessing devices used for university business.
8. Adhere to federal and OUHSC policies pertaining to human subjects research.