Case Reports

Case Reports typically involve retrospective medical record reviews (of three or less patients) and the only interaction with the patient has been for purposes of treating the patient, and not for the purpose of gathering research data. Case reports or case series of three or less individuals are not considered Human Subject's Research therefore UCI IRB review is not required. However an Administrative Self-Determination of Non-Human Subject's Research is required to be submitted via Kuali Research (KR) Protocols. The UCI IRB will not review or approve the submission. Activities may begin once the self-determination form is completed and submitted.

Per UCI HRP Policy #2, a case series involving access to more than three patient medical records or case reports requires submission for IRB review

Defining a Case Report

Often, Case Report activity involves sharing medical knowledge, improving quality, and providing education, and therefore will fall under the HIPAA definition of health care operations (45 CFR 164.501), which includes:

  1. "Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, [and] protocol development.... and
  2. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities."

PHI may be used within the covered entity for the purpose of preparing a case report without obtaining a HIPAA Authorization.  Often, a case report will be presented or published outside of the covered entity.  If the case report does not contain any of the 18 identifiers that cause medical information to be considered PHI under HIPAA, the case report is considered de-identified, and its presentation or publication does not require a HIPAA authorization.  If the case report contains PHI, then a HIPAA authorization would be required in order for it to be presented or published outisde of the covered entity.

Source:

  • Health Care Privacy Compliance Handbook, published by Health Care Compliance Association, 2011, Chapter 4, pages 49-50.
  • Institutional Review Board Management and Function, 2nd edition, 2006, Chapter 4-3, pages 103-104.

Conducting a Case Report

If an activity meets the definition of a Case Report, UCI faculty/resident should complete a request for non human subject research determination in via Kuali Research (KR) Protocols.

  • Journals and science conference venues will generally inquire if an IRB review occurred for the Case Report activity
  • UCI faculty/resident should retain the IRB-signed Request for Determination of Non-Human Subjects Research form (indefinitely) in the event that a journal (or, a Public Request Act/PRA, or external audit) request occurs

A HIPAA Authorization from the subject(s) of the Case Report is NOT required if there is access to PHI however there is no disclosure of PHI (outside of the covered/hybrid entity) in the Case Report publication.

A HIPAA Authorization from the subject(s) of the Case Report is required if there is disclosure of PHI outside of the covered/hybrid entity in the Case Report publication.  (Disclosure of photos, even if de-identified, would require an Authorization Form.)

Use this HIPAA Authorization Form:

  • Section “Release Records To”:  indicate the UCI faculty/resident name, and include the caveat “to be further disclosed in a Case Report publication
  • Section “Purpose”:  indicate “Case Report publication”

The signed HIPAA Authorization Form should be uploaded and maintained in the patient's record.  At the time of signing the Authorization Form, the patient has the right to ask for a copy of the signed Authorization Form.

HIPAA Authorization Forms are located here (under "HIPAA Forms"): https://research.uci.edu/human-research-protections/research-subjects/privacy-and-confidentiality/protected-health-information-hipaa/

Translated HIPAA Authorization Forms are located here (under "Foreign Language Translations"): https://research.uci.edu/human-research-protections/irb-forms/

A list of PHI data elements: https://research.uci.edu/human-research-protections/research-subjects/privacy-and-confidentiality/protected-health-information-hipaa/#phi-ids

Death Data and Records

If the Case Report involves access, use, and disclosure of data from death records, the above described process would be similar (i.e., Request for Determination of Non-Human Subjects Research, Authorization Form).

For death data/records accessed through the UCI Medical Center:

  • If there is no disclosure of PHI in the Case Report publication, a HIPAA Authorization is not required.
  • A HIPAA Authorization Form from the legally authorized representative of the deceased patient is required if there is disclosure of PHI outside the covered/hybrid entity in the Case Report publication.  (Follow the above "PROCESS")

For death data/records accessed publicly through CDPH: