Case Reports typically involve retrospective medical record reviews (of three or less patients) and the only interaction with the patient has been for purposes of treating the patient, and not for the purpose of gathering research data. Since case reviews are not considered 'research' they won't fall under the Common Rule, and may not require IRB review.
Defining a Case Report
Often, Case Report activity involves sharing medical knowledge, improving quality, and providing education, and therefore will fall under the HIPAA definition of health care operations (45 CFR 164.501), which includes:
- "Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, [and] protocol development.... and
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities."
PHI may be used within the covered entity for the purpose of preparing a case report without obtaining a HIPAA Authorization. Often, a case report will be presented or published outside of the covered entity. If the case report does not contain any of the 18 identifiers that cause medical information to be considered PHI under HIPAA, the case report is considered de-identified, and its presentation or publication does not require a HIPAA authorization. If the case report contains PHI, then a HIPAA authorization would be required in order for it to be presented or published outisde of the covered entity.
- Health Care Privacy Compliance Handbook, published by Health Care Compliance Association, 2011, Chapter 4, pages 49-50.
- Institutional Review Board Management and Function, 2nd edition, 2006, Chapter 4-3, pages 103-104.
Conducting a Case Report
If an activity meets the definition of a Case Report, UCI faculty/resident should complete a request for non human subject research determination in via Kuali Research (KR) Protocols.
- Journals and science conference venues will generally inquire if an IRB review occurred for the Case Report activity
- UCI faculty/resident should retain the IRB-signed Request for Determination of Non-Human Subjects Research form (indefinitely) in the event that a journal (or, a Public Request Act/PRA, or external audit) request occurs
A HIPAA Authorization from the subject(s) of the Case Report is not required if there is access to PHI however there is no disclosure of PHI (outside of the covered/hybrid entity) in the Case Report publication.
A HIPAA Authorization from the subject(s) of the Case Report is required if there is disclosure of PHI outside of the covered/hybrid entity in the Case Report publication. (Disclosure of photos, even if de-identified, would require an Authorization Form.)
Use this Authorization Form:
- Section “Release Records To”: indicate the UCI faculty/resident name, and include the caveat “to be further disclosed in a Case Report publication
- Section “Purpose”: indicate “Case Report publication”
The signed Authorization Form should be uploaded and maintained in the patient's record. At the time of signing the Authorization Form, the patient has the right to ask for a copy of the signed Authorization Form.
https://research.uci.edu/human-research-protections/research-subjects/privacy-and-confidentiality/protected-health-information-hipaa/#phi-idsTranslated Authorization Forms are located here: https://www.ucihealth.org/patients-visitors/medical-records
A list of PHI data elements: https://research.uci.edu/human-research-protections/research-subjects/privacy-and-confidentiality/protected-health-information-hipaa/#phi-ids
Death Data and Records
If the Case Report involves access, use, and disclosure of data from death records, the above described process would be similar (i.e., Request for Determination of Non-Human Subjects Research, Authorization Form).
For death data/records accessed through the UCI Medical Center:
- If there is no disclosure of PHI in the Case Report publication, a HIPAA Authorization is not required.
- A HIPAA Authorization Form from the legally authorized representative of the deceased patient is required if there is disclosure of PHI outside the covered/hybrid entity in the Case Report publication. (Follow the above "PROCESS")
For death data/records accessed publicly through CDPH:
- Reach out to the CDPH IRB to inquire if an IRB review would be required (when there is no disclosure of PHI, and when there is disclosure of PHI): https://www.cdph.ca.gov/Programs/CHSI/Pages/Committee-for-the-Protection-of-Human-Subjects.aspx
- Note: when applicable, consider California Senate Bill 13 (SB 13)
- 2005 UCOP Fact Sheet on SB 13
- California State CPHS: https://oshpd.ca.gov/data-and-reports/data-resources/cphs/