AQuIRE - Institutional Review Board Frequently Asked Questions


Do I need IRB approval to participate?
IRB approval is not generally required to participate in a quality improvement registry; however, whether your site needs IRB approval to participate is at the discretion of your local IRB.

The ACCP AQuIRE Registry is HIPAA-compliant for the purpose of receiving feedback about clinical performance; therefore, patients’ personal health information is not required in either of the ACCP AQuIRE Registries. Furthermore, a business associate agreement has been developed for participating sites and must be agreed to before data entry is permitted.

Is there information available that I can submit to my IRB?
Your local IRB may require that you submit a protocol for review prior to participation in the AQuIRE Registry. The ACCP has provided information relevant to the ACCP AQuIRE Registry that you may adapt for your individual protocol.

If you require additional information, please contact Danielle Jungst at aquire@chestnet.org.

What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996 (Pub L 104-191). The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

A major goal of the HIPAA Privacy Rule is to ensure that individuals’ health information is properly protected, while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being. The rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing. Given that the health-care marketplace is diverse, the rule is designed to be flexible and comprehensive enough to cover the variety of uses and disclosures that need to be addressed.

Who is covered by HIPAA?
The Privacy Rule, as well as all the Administrative Simplification rules, applies to health plans, health-care clearinghouses, and any health-care provider who transmits health information in electronic form in connection with transactions for which the Secretary of the US Department of Health and Human Services has adopted standards under HIPAA (the “covered entities”).

Who are the covered entities?

  • Health plans/insurers (45 CFR §§ 160.102, 160.103)
  • Health-care providers: Every health-care provider, regardless of size (45 CFR §§ 160.102, 160.103; see Social Security Act § 1172(a)(3), 42 USC § 1320d-1(a)(3). The transaction standards are established by the HIPAA Transactions Rule at 45 CFR Part 162.)
  • Health-care clearinghouses: Organizations that process nonstandard information (ie, billing companies) (45 CFR § 160.103)

What is a business associate?
A person or organization, outside of the covered entity, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involves the use or disclosure of individually identifiable health information. This includes data analysis and utilization review (45 CFR § 160.103).

However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information.

What is protected health information (PHI)?
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” (45 CFR § 160.103)

"Individually identifiable health information" is information, including demographic data, that relates to:

  • The individual’s past, present or future physical or mental health or condition,
  • The provision of health care to the individual, or
  • The past, present, or future payment for the provision of health care to the individual, and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual (45 CFR § 160.103).

Individually identifiable health information includes many common identifiers (eg, name, address, birth date, social security number).

Are there restrictions on the use of deidentified information?
There are no restrictions on the use or disclosure of deidentified health information [45 CFR §§ 164.502(d)(2), 164.514(a) and (b)].

Deidentified health information neither identifies nor provides a reasonable basis to identify an individual.

There are two ways to deidentify information:
(1) A formal determination by a qualified statistician
(2) The removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers; this is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual [45 CFR § 164.514(b)].

Is protected health information collected in the ACCP AQuIRE Registry?
No, protected health information is not collected in the ACCP AQuIRE Registry.

To protect patients’ personal health information, the ACCP AQuIRE Registry generates a random, unique patient ID number for each patient. Once this number is assigned to a patient, it is never changed or reassigned to a different patient. If the patient returns for follow-up, he or she is associated with this same unique patient identifier.

Each participating site is required to maintain a logbook in Excel and store it on a secure server at their local site. This logbook is modifiable to participants’ needs but is meant to associate the patient to the unique AQuIRE patient ID number assigned.
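As an added illustration (not code from the ACCP, CECity or the registry itself), here is a Python sketch of the two mechanisms described on this page: the site-local logbook that links a patient to a random registry ID and returns that same ID on follow-up, and the safe-harbor style removal of direct identifiers before a record leaves the site. The field names, the sample chart and the identifier list are constructed assumptions; an in-memory mapping stands in for the Excel logbook.

```python
import secrets

# Constructed subset of direct identifiers to strip before submission.
# This is an illustrative list, not the full 45 CFR 164.514(b) enumeration.
DIRECT_IDENTIFIERS = {"name", "address", "birth_date", "ssn", "mrn"}

# Constructed sample chart entry; "mrn" is the site's own record key.
SAMPLE_CHART = {
    "mrn": "MRN-001",
    "name": "Jane Example",
    "birth_date": "1960-01-01",
    "ssn": "000-00-0000",
    "address": "1 Example St",
    "procedure": "bronchoscopy",
    "complication": "none",
}


class LinkageLog:
    """Site-local logbook: maps the site's record key to the registry ID.
    This mapping is the only link back to the patient and never leaves the site."""

    def __init__(self):
        self._by_mrn = {}   # site record key -> registry ID
        self._issued = set()  # every ID ever issued, so none is reused

    def registry_id(self, mrn):
        """Return the existing ID for a returning patient, else mint a new one.
        IDs are random, never reused and never reassigned."""
        if mrn in self._by_mrn:
            return self._by_mrn[mrn]
        while True:
            new_id = secrets.token_hex(8)  # 16 hex chars, unpredictable
            if new_id not in self._issued:
                break
        self._issued.add(new_id)
        self._by_mrn[mrn] = new_id
        return new_id


def contains_identifiers(record):
    """True if any direct identifier field survived into the record."""
    return bool(set(record) & DIRECT_IDENTIFIERS)


def registry_record(log, chart):
    """Build the record to submit: drop direct identifiers and refer to the
    patient only by the registry ID looked up (or minted) in the logbook."""
    out = {k: v for k, v in chart.items() if k not in DIRECT_IDENTIFIERS}
    out["aquire_patient_id"] = log.registry_id(chart["mrn"])
    assert not contains_identifiers(out)  # last check before the record leaves
    return out
```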

How are the data secured once they are entered into the ACCP AQuIRE Registry?
All the ACCP AQuIRE Registry support systems are managed and hosted on servers owned by CECity and reside in dedicated server rooms within the CECity offices. These server rooms are secured, and all data are backed up nightly using an automated robotic tape management system, with archived copies of tapes stored at an off-site secure storage facility. CECity also maintains a disaster recovery plan for handling multiple failure scenarios.

The data center provides multiple layers of physical and technological security. Physical security includes security guards on duty 24 hours a day, 7 days a week, 365 days a year, as well as closed-circuit TV cameras both outside and inside the data center. A proximity-key door access system with a mantrap and Liebert Site-Scan systems sounds an alarm when any external door is opened. All cabinets and rack spaces are lockable. The facility is monitored via closed-circuit digital camera coverage with 24-hour recording and 60-day digital video storage, and is equipped with a centralized security station staffed by the data center’s security personnel 24 hours a day, 7 days a week, 365 days a year.

All CECity servers sit behind enterprise-class, redundant, load-balanced Check Point firewalls. External server access is restricted to a limited number of developers and IT personnel located within the CECity office network through the use of firewall rules, operating system security, and application-level security. Only required ports and services are exposed to the external Internet.

All application passwords and data transferred via the system are encrypted in transit under a 128-bit certificate. Encrypted cookies are used to store the session state variables that identify a unique user session; no user-identifiable information is ever stored in the cookies.

Additional Resources
Understanding HIPAA Privacy

Dokholyan RS, Muhlbaier LH, Falletta JM, et al. Regulatory and ethical considerations for linking clinical and administrative databases. Am Heart J. 2009;157:971-982.

Ed Dellert, RN, MBA
Vice President, Educational Resources
Phone: (847) 498-8333
Fax: (847) 498-5460
edellert@chestnet.org

Joyce Bruno Reitzner, MBA, MIPH
Assistant Vice President, Quality Improvement
Phone: (847) 498-8120
Fax: (847) 498-5460
jbruno@chestnet.org

Jeffrey Maitland
Program Coordinator
Quality Improvement
Phone: (847) 498-8369
Fax: (847) 498-5460
jmaitland@chestnet.org