Contents
Part 5: Certificates of Confidentiality
Part 6: Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
Part 7: Permitted Disclosures of Protected Health Information
Part 5: Certificates of Confidentiality
What is a Certificate of Confidentiality?
A Certificate of Confidentiality provides an additional level of protection for the privacy of participants in biomedical, behavioral, and clinical research studies.
Certificates of Confidentiality may be granted for studies collecting information that, if disclosed, could have adverse consequences for study participants or damage their financial standing, employability, insurability, or reputation. By protecting researchers and institutions from being compelled to disclose information that would identify research subjects, Certificates of Confidentiality help achieve the research objectives and promote participation in studies by assuring confidentiality and privacy to participants. For more information review the NIH Certificate of Confidentiality Kiosk.
Key Points about Certificates of Confidentiality
Ⅰ、A Certificate of Confidentiality is not transferable from one researcher to another.
Ⅱ、Every Certificate of Confidentiality has an expiration date. If the research project covered by the certificate will not be completed by the expiration date, the researcher must submit a written request for an extension well in advance of the expiration date.
Ⅲ、The Certificate of Confidentiality must be amended if significant changes occur in the research project (e.g., changes in key personnel, major changes in the scope or direction of the research protocol, changes in the drugs administered or the persons administering them). Amendment of the certificate must be requested in writing, giving details of the changes, before the changes are implemented.
Ⅳ、For a multi-site trial, one Certificate of Confidentiality (CoC) may be required for all sites. However, each study investigator may contact the CoC coordinator with the agency issuing the certificate.
Applying for a Certificate of Confidentiality
Certificates of Confidentiality are granted by the Department of Health and Human Services (DHHS). (Click here for more information and instructions about applying to NIDA for a Certificate of Confidentiality.)
Additional Information Required
The following additional information is required in the application for a Certificate of Confidentiality for any research project involving the administration of investigational product:
Ⅰ、Identification of the drugs to be administered; description of the methods of administration, including dosages.
Ⅱ、Evidence that the persons administering the drugs are authorized to do so.
Ⅲ、For controlled drugs, a copy of the research project's Drug Enforcement Administration (DEA) registration form.
What Participants Should Know About a Certificate of Confidentiality
Participants must be told that a research project has been granted a Certificate of Confidentiality. They must be informed that:
Ⅰ、Except under certain conditions, researchers may not be compelled to identify research participants in any civil, criminal, administrative, legislative, or other proceeding.
Ⅱ、The certificate is not transferable.
Ⅲ、The certificate has an expiration date.
Ⅳ、The certificate must be amended if major changes occur in the research project.
Part 6: HIPAA Privacy Rule
What is the HIPAA Privacy Rule?
The U.S. Congress passed the Health Insurance Portability and Accountability Act (HIPAA) (Public Law 104-191) in 1996 to improve the efficiency and effectiveness of the health care system. The law includes provisions requiring the Department of Health and Human Services (DHHS) to adopt national standards for electronic health care transactions. Congress recognized that the introduction of advances in electronic technology into the health care system could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of federal privacy protections for individually identifiable health information under 45 CFR 160 and 164.
DHHS issued the HIPAA Privacy Rule — also known as the Standards for Privacy of Individually Identifiable Health Information — to put into operation these privacy protections. It establishes for the first time a set of national standards for the protection of certain health information. The Privacy Rule became effective on April 14, 2003. It is enforced by the DHHS Office of Civil Rights.
This section provides a brief overview of the main provisions of the HIPAA Privacy Rule. For additional information, go to HIPAA Privacy Rule and Its Impact on Research, a website created to inform the research community about the Privacy Rule.
To whom does the HIPAA Privacy Rule apply?
The HIPAA Privacy Rule applies to covered entities. A covered entity is defined as:
Ⅰ、A health plan.
Ⅱ、A health care clearinghouse.
Ⅲ、A health care provider who transmits any health information electronically in connection with transactions such as claims, benefit eligibility inquiries, and referral authorization requests. Providers who use a billing service or other third party to handle such transactions are also considered covered entities.
What information is protected by the HIPAA Privacy Rule?
The HIPAA Privacy Rule protects all individually identifiable health information that is held or transmitted by covered entities and their business associates. The information may be in any form (e.g., paper, electronic, verbal). The Privacy Rule calls this information protected health information (PHI).
Part 7: Permitted Disclosures of Protected Health Information
Covered entities may use or disclose the “minimum necessary” amount of protected health information (PHI) to or among themselves, without the individual's authorization, for purposes of treatment, payment, and health care operations.
The only exceptions to the “minimum necessary” requirement are for the use and disclosure of PHI:
Ⅰ、To or by health care providers for treatment purposes.
Ⅱ、To the individual who is the subject of the protected health information.
Ⅲ、To the Secretary of Health and Human Services, who has authority for the Privacy Rule.
Ⅳ、Use or disclosure that is required by the law.
Additionally, covered entities may disclose PHI for certain “public policy” purposes without the individual's authorization. However, they are required to track these disclosures for accounting purposes.
Public Policy Purposes
The HIPAA Privacy Rule permits covered entities to use or disclose protected health information (PHI) without the individual's authorization for the following public policy purposes:
Ⅰ、When the disclosure is required by law.
Ⅱ、For public health activities (e.g., prevention or control of disease, notification of adverse drug events).
Ⅲ、In cases of abuse, neglect, or domestic violence.
Ⅳ、For health care oversight activities authorized by law or regulations.
Ⅴ、For judicial and administrative purposes (e.g., a court order, subpoena, or warrant).
Ⅵ、To a law enforcement official for law enforcement purposes.
Ⅶ、To a coroner, medical examiner, or funeral director when the information concerns a deceased person.
Ⅷ、For cadaveric organ, eye, and tissue donation.
Ⅸ、For research purposes.
Ⅹ、To avert a serious threat to health or safety.
Ⅺ、For national security or intelligence activities.
Ⅻ、For workers' compensation purposes.
Permitted Disclosures of Protected Health Information for Research Purposes
Research is defined as “any systematic investigation designed to develop or contribute to generalizable knowledge.” Covered entities can disclose protected health information (PHI) when:
Authorization is Obtained from the Participant
Under the HIPAA Privacy Rule, a research participant may authorize a covered entity to use and disclose his or her protected health information (PHI) for research purposes. The authorization form must be approved by the relevant Institutional Review Board or a Privacy Board.
IRBs and Confidentiality
In accordance with the Belmont Report, IRBs must ensure adequate provision is made to protect subjects’ privacy and maintain the confidentiality of data.
Protection of Subjects’ Privacy
The IRB must consider whether the research involves an invasion of privacy. Factors to be considered include:
Ⅰ、The private or sensitive nature of the information sought,
Ⅱ、The likelihood that subjects will regard the study as an invasion of privacy,
Ⅲ、The importance of the research, and
Ⅳ、The availability of alternative ways to conduct the study.
Confidentiality of Data
IRBs must evaluate whether adequate provisions exist to safeguard the confidentiality of information that is collected.
All members of the NIDA Clinical Trials Network (CTN) must ensure that the process of obtaining informed consent from research subjects not only conforms to federal, state, and local regulations but also respects each individual’s right to make a voluntary, informed decision.
Authorization for disclosures is obtained routinely from participants during the informed consent process. The authorization may be combined with the Informed Consent Form that a research participant signs when agreeing to participate in a study, or the participant may sign a separate authorization form. In either case, the authorization must include the following:
Ⅰ、Description of the information to be disclosed.
Ⅱ、Identity of the person who may use or disclose the information.
Ⅲ、Identity of the person to whom the information will be disclosed or by whom it will be used.
Ⅳ、Purpose of the use or disclosure.
Ⅴ、Length of time the data will be retained with identifiers.
Ⅵ、Expiration date of the authorization.
Ⅶ、A statement of the participant's right to revoke authorization.
Ⅷ、A statement that information disclosed in accordance with an authorization may no longer be protected by the Privacy Rule.
Ⅸ、Participant's signature and date of signature.
Treatment programs do not need to keep track of disclosures that are authorized by the participant. In other words, once a program obtains a participant's permission to disclose his or her PHI, there is no need to document each occasion that a disclosure is made.
Sharing a Limited Data Set
A covered entity may enter into a data use agreement to use and disclose protected health information (PHI) that is included in a limited data set without obtaining either authorization or a waiver of authorization. Limited data sets may be used or disclosed only for purposes of research, public health, or health care operations.
The following identifiers are permitted in a limited data set:
Ⅰ、Admission, discharge, and service dates.
Ⅱ、Birth date.
Ⅲ、Date of death.
Ⅳ、Age.
Ⅴ、Geographical subdivisions (e.g., state, county, city, precinct, zip code).
The data use agreement must:
Ⅰ、Identify who is permitted to use or receive the limited data set.
Ⅱ、Stipulate that the recipient will:
i、Not use or disclose the information other than as permitted by the agreement or required by law.
ii、Use appropriate safeguards to prevent the use or disclosure of the information except as permitted in the agreement.
iii、Hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the data use agreement.
iv、Not identify the information or contact the individuals whose information is included in the limited data set.
De-Identifying the Health Information
Covered entities may “de-identify” protected health information (PHI) by removing all individually identifiable health information from the record or file. Once health information has been de-identified, it is no longer considered PHI and therefore is not subject to the HIPAA Privacy Rule.
Individually Identifiable Health Information
Under the HIPAA Privacy Rule, individually identifiable health information includes the following:
Ⅰ、Names.
Ⅱ、All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
i、The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
ii、The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
Ⅲ、All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
Ⅳ、Telephone numbers.
Ⅴ、Facsimile (fax) numbers.
Ⅵ、Electronic mail addresses (e-mail).
Ⅶ、Social security numbers.
Ⅷ、Medical record numbers.
Ⅸ、Health plan beneficiary numbers.
Ⅹ、Account numbers.
Ⅺ、Certificate/license numbers.
Ⅻ、Vehicle identifiers and serial numbers, including license plate numbers.
XIII、Device identifiers and serial numbers.
XIV、Web universal resource locators (URLs).
XV、Internet protocol (IP) address numbers.
XVI、Biometric identifiers, including fingerprints and voiceprints.
XVII、Full-face photographic images and any comparable images.
XVIII、Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.
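The ZIP Code, date, and age rules in items Ⅱ and Ⅲ are the ones that transform a value rather than simply remove it. The following Python sketch is an added example, not part of the original page; the field names, the population table, and the reference date are assumptions made for illustration, and every field not explicitly handled is dropped.

```python
from datetime import date

# Constructed population totals per 3-digit ZIP prefix. A real pipeline would
# load current Census Bureau figures, which is what the rule refers to.
ZIP3_POPULATION = {"100": 1_500_000, "036": 12_000}

DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Hypothetical non-identifying fields that may pass through unchanged. Anything
# not handled explicitly is dropped, so a new identifier column cannot leak.
PASS_THROUGH = {"state", "diagnosis"}


def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only if that prefix covers more than 20,000 people."""
    prefix = str(zip_code).strip()[:3]
    # Unknown prefixes are treated as small areas (fail closed).
    return prefix if populations.get(prefix, 0) > 20_000 else "000"


def age_on(birth, as_of):
    """Age in whole years on the reference date."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def deidentify(record, as_of):
    """Return a new dict with identifiers removed or generalized."""
    ages = [record["age"]] if "age" in record else []
    if "birth_date" in record:
        ages.append(age_on(date.fromisoformat(record["birth_date"]), as_of))
    over_89 = any(a > 89 for a in ages)

    out = {}
    for field, value in record.items():
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "age":
            out["age"] = "90+" if over_89 else value
        elif field in DATE_FIELDS:
            # A birth year would reveal an age over 89, so it is withheld.
            if field == "birth_date" and over_89:
                continue
            out[field.replace("_date", "_year")] = date.fromisoformat(value).year
        elif field in PASS_THROUGH:
            out[field] = value
    return out


# Constructed sample records (not real patients).
SAMPLE = [
    {"name": "Jane Example", "email": "jane@example.org", "zip": "10027-1234",
     "birth_date": "1931-05-02", "age": 92, "admission_date": "2023-11-14",
     "state": "NY", "diagnosis": "F11.20"},
    {"name": "John Example", "ssn": "000-00-0000", "zip": "03601",
     "birth_date": "1980-07-15", "age": 43, "admission_date": "2023-12-01",
     "state": "NH", "diagnosis": "F10.20"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(deidentify(rec, as_of=date(2024, 1, 1)))
```

The allowlist in `PASS_THROUGH` does not cover item XVIII: free-text fields can still carry identifiers and need separate review before they are allowed through.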
Obtaining a Waiver of Authorization for Certain Research Activities
An Institutional Review Board or Privacy Board may waive, in whole or in part, the requirement that the participant authorize the disclosure of protected health information (PHI) if it is satisfied that:
Ⅰ、The use or disclosure involves no more than minimal risk to the privacy of individuals because
i、An adequate plan exists to protect health information identifiers from improper use and disclosure and to destroy identifiers as soon as practicable; and
ii、Adequate written assurances have been provided that the PHI will not be reused or shared with any other person or entity, except as required by law, for authorized oversight of the research study, or for other research purposes.
Ⅱ、The research could not practicably be conducted without the waiver or alteration.
Ⅲ、The research could not practicably be conducted without access to and use of the PHI.
Privacy Board
A Privacy Board is a review body that may be established to act upon requests for a waiver or an alteration of the authorization requirement under the Privacy Rule for uses and disclosures of protected health information (PHI) for a particular research study. A Privacy Board may waive or alter all or part of the authorization requirements for a specified research project or protocol. A covered entity may use and disclose PHI without authorization, or with an altered authorization, if it receives the proper documentation of approval of such alteration or waiver from a Privacy Board.
For more information about Privacy Boards and the HIPAA Privacy Rule, go to Privacy Boards and the HIPAA Privacy Rule.
Preparing a Research Protocol
Covered entities may use and disclose protected health information (PHI) without authorization if the researcher states in writing that:
Ⅰ、The use or disclosure is solely for the purpose of preparing a research protocol;
Ⅱ、No PHI will be removed from the covered entity's location; and
Ⅲ、The PHI sought is necessary for the research.
The Participant is Deceased
Covered entities may use and disclose protected health information (PHI) without authorization if:
Ⅰ、The researcher states in writing that:
i、The use or disclosure sought is solely for research on the PHI of deceased persons;
ii、The PHI sought is necessary for the research; and
iii、The covered entity obtains documentation of the death of the persons whose PHI is sought.