Utah Population Database(UPDB) Consent and Authorization Requirements

Version: October 2, 2019

Guidance

The Utah Population Database (UPDB) is a resource that is housed and operated at Huntsman Cancer Institute; however, the UPDB is not considered part of the University of Utah Covered Entity.

For studies using the UPDB, specific HIPAA requirements and privacy and confidentiality protections may be applicable, depending on (a) the location of the study (i.e., inside or outside the covered entity), as well as (b) the nature of data being shared by the study to the UPDB.

For additional guidance regarding the use of UPDB or IRB applications, you may contact the following offices:

Resource for Genetic and Epidemiologic Research

Phone: 801-581-6351

Institutional Review Board

Phone: 801-581-3655

Email: irb@hsc.utah.edu

Criteria for Determining the Applicability of UPDB HIPAA/Privacy and Confidentiality Requirements

Use the following decision tree to determine if the nature of data sharing between the study and the UPDB requires the UPDB-specific HIPAA and privacy and corresponding consent language.

Will participant identifiers be collected by the study and then uploaded into the UPDB for linkage? Participant identifiers can include name, date of birth, social security number, etc. See the Investigator Guidance Series document “HIPAA Privacy Rule and Authorization” for a complete list of identifiers. (Note: If the study will provide participants’ phenotypic data for kinship analysis only, answer “No”.)

- If Yes, proceed to question 2.
- If No, UPDB-specific HIPAA/privacy and confidentiality requirements do not Use standard HIPAA/privacy and confidentiality requirements described by the IRB and the Resource for Genetic and Epidemiologic Research (RGE).

Will the identifier upload to UPDB be facilitated independent of the UUHSC Enterprise Data Warehouse (EDW)?

- If Yes, UPDB-specific HIPAA/privacy and confidentiality requirements apply. See requirements below.
- If No, UPDB-specific HIPAA/privacy and confidentiality requirements do not Use standard HIPAA/privacy and confidentiality requirements described by the IRB and the Resource for Genetic and Epidemiologic Research (RGE).

Summary of UPDB-Specific HIPAA/Privacy and Confidentiality Requirements
Use the following table to identify the items that are required in the IRB application and consent document(s). Proceed to the subsequent sections for specific instructions regarding each requirement.

Studies using a waiver of consent (and authorization, as applicable)

Studies using a consent document (including authorization, as applicable)

Studies INSIDE the Covered Entity

· Address HIPAA disclosure requirements on the “HIPAA and Covered Entity” page of the IRB application

· Address privacy and confidentiality protections on the “Data Monitoring Plan” page of the application

· Address HIPAA disclosure requirements on the “HIPAA and Covered Entity” page of the IRB application

· Address privacy and confidentiality protections on the “Data Monitoring Plan” page of the application

· Include confidentiality and HIPAA disclosure language in the consent document

Studies OUTSIDE the Covered Entity

· Address privacy and confidentiality protections on the “Data Monitoring Plan” page

· Include confidentiality language in the consent document

Privacy and Confidentiality Requirements:

Question 1 on the “Data Monitoring Plan” page of the IRB application, the PI must describe how the privacy of participants will be protected when disclosing information to the UPDB.
Question 2 on the “Data Monitoring Plan” page of the application, the PI must describe how the confidentiality of participants’ data will be protected when disclosing information to the UPDB.
If the study requires a consent (and authorization, if applicable) document, the PI must describe the confidentiality protections in the Confidentiality section of the consent document.

HIPAA Disclosure Requirements:

Question 1b on the “HIPAA and Covered Entity” page of the IRB application, the PI must indicate that Protected Health Information (PHI) will be disclosed to the UPDB for the purposes of data linkage.
If the study requires a consent and authorization document, the study must also include HIPAA language in the Authorization section of the consent. The consent document must identify the UPDB as a recipient of PHI in the Authorization.
HIPAA Consent Language Option for UPDB Disclosure (to be included in the Authorization section of the Consent):
In conducting this study, we may share your information with the following groups outside of the University of Utah Health Sciences Center. Information disclosed to groups outside of the University of Utah Health Sciences Center may no longer be covered by the federal privacy protections.

The Utah Population Database (UPDB): The UPDB is a University of Utah research resource and is an extensive research database of demographic information linked to other data, such as family history and medical information. By sharing your identifying data with the UPDB, we can obtain genealogy information about you and your family for this study. This will allow information about you and your family to be updated and evaluated for this study. The UPDB has extraordinary security measures to protect the identity and information of all study participants and their family members. No medical information about you or your family members collected from this study will be provided to the UPDB.

You may choose to include additional information describing the study procedures surrounding the UPDB linkage if you feel it is relevant and necessary to the participants’ decisions to enroll in the study. All language will be reviewed and approved by the RGE and IRB.

Please contact the IRB Office at (801) 581-3655 or irb@hsc.utah.edu for additional guidance.