P.R. Laws tit. 26, § 9242

2019-02-20 00:00:00+00
§ 9242. Collection, use, or disclosure of protected health information without authorization for scientific, medical and public policy research

(a) A health insurance organization or issuer may disclose protected health information with authorization from the individual who is the subject of such information to research organizations conducting scientific, medical, or public policy research as provided in this section.

(b)

(1) A health insurance organization or issuer shall keep a record of research organizations to which protected health information is disclosed and shall keep the record five (5) years.

(c) A health insurance organization or issuer shall not disclose protected health information to a research organization until evidence is presented that the covered persons have been notified of the information requested to the health insurance organization or issuer and they have had the opportunity to accept or deny such request. The research organization may disclose the protected health information to its agents, collaborators, or contractors as needed to conduct or assist with the research, provided that all requirements of this section are applied to the agent, collaborator, or contractor. Notwithstanding the foregoing, the health insurance organization or issuer may disclose information, without identifiers, to research organizations without the authorization of the covered persons.

(d) A health insurance organization or issuer shall disclose only the minimum data necessary to conduct the intended research.

(e) If the scientific, medical, or public policy research does not require contact with the individual who is the subject of the protected health information, the following protections shall exist prior to disclosure:

(1) The research organization develops and implements a written policy that includes procedures to assure the security and privacy of protected health information. The policy shall include:

(A) Training and disciplinary procedures to assure that persons involved in research comply with the provisions of this section;

(B) safeguards to assure that information in a report of the research project does not contain protected health information. The safeguards shall include a system for ensuring that only authorized individuals are able to establish a link between individuals and their health information, and

(C) a method for removing all information that identifies, directly or indirectly, the individual who is the subject of the protected health information, when the information is no longer needed for research. The policy may also provide that the research organization may retain the protected health information for an indefinite period if archived in an encoded form, and provided that it may not be used for other research unless the requirements of this section are met. “Encoded” means that the personally identifiable information is removed or encrypted and the key to restore the protected health information is retained in a secure place within the research organization with access limited to the minimum number of people necessary to maintain the confidentiality and integrity of the key.

(2)

(A) The research organization prepares a plan that explains the purposes of the research, includes a general description of research methods to be used, and describes the potential benefits of the research.

(B)

(i) All research plans using protected health information shall be available to the public and may be obtained by written request to the chief executive officer of the research organization.

(ii) If the research plan contains information that is proprietary or protected from disclosure by contract or statute, the information may be deleted from the copy made available to the public.

(iii) The research organization shall keep the research plan on file for five (5) years.

(3)

(A) The health insurance organization or issuer and the research organization shall execute a written agreement in which they agree to the following:

(i) Stating the purposes of the research;

(ii) explaining how the purposes qualify as scientific, medical or public policy research;

(iii) documenting that the research organization meets the requirements of this section;

(iv) stating the expected time during which the data will be used for the stated purposes;

(v) explaining the method of disposition of the protected health information at the end of the term of use; and

(vi) stating that the written agreement shall be available to the public and can be obtained by written request to the chief executive officer of the research organization.

(B) The health insurance organization or issuer shall require the research organization to provide a copy of the written agreement upon request to any person. If the executed agreement contains information that is proprietary or protected from disclosure by contract or law, the information may be deleted from the copy that is made available pursuant to this subsection.

(C) The health insurance organization or issuer shall keep this agreement on file five (5) years.

(f) If the scientific, medical or public policy research requires contact with the individual who is the subject of protected health information, the following protections shall exist prior to disclosure:

(1) The research organization and health insurance organization or issuer shall meet the requirements of subsection (e) of this section, and

(2)

(A) The research organization is responsible for obtaining a legally effective willful informed consent of the subject or the subject's legally authorized representative. A research organization shall seek consent only under circumstances that provide the prospective subject or the representative with sufficient opportunity to consider whether to participate in the research, and that minimize the possibility of coercion or undue influence.

(B) The information that is given to the subject or the representative shall be in language understandable to them.

(C) The document whereby a subject furnishes the informed consent may not include any exculpatory language through which the subject or the representative waives or appears to waive any of the subject's legal rights, or releases or appears to release the researcher, the sponsor, the research organization or its agents from liability or negligence.

(D) Basic elements of informed consent.— In seeking informed consent the following information shall be provided to each subject:

(i) A statement that the study involves research, an explanation of the purposes of the research and the expected duration of the subject's participation, a description of the procedures to be followed, and identification of any procedures that are experimental;

(ii) a description of any reasonably foreseeable risks or discomforts to the subject;

(iii) a description of any benefits to the subject or to others that may reasonably be expected from the research;

(iv) a disclosure of appropriate alternative procedures or treatments, if any, that might be advantageous to the subject;

(v) a statement describing the extent to which confidentiality of records identifying the subject will be maintained;

(vi) for research involving more than minimal risk, an explanation as to whether any compensation and medical treatments are available if injury occurs and, if so, what they consist of, or where further information may be obtained;

(vii) an explanation of whom to contact for answers to pertinent questions about the research and the research subject's rights;

(viii) the name of the person to contact in the event of a research-related injury to the subject, and

(ix) a statement that participation is voluntary, refusal to participate will involve no penalty or loss of benefits to which the subject is otherwise entitled, and that the subject may discontinue participation at any time without penalty or loss of benefits to which the subject is otherwise entitled.

(E) Additional elements of informed consent.— When appropriate, the following shall also be provided to each subject:

(i) A statement that the particular treatment or procedure may involve risks to the subject (or to the embryo or fetus, if the subject is or may become pregnant) that are currently unforeseeable;

(ii) foreseeable circumstances under which the subject's participation may be terminated by the investigator without regard to the subject's consent;

(iii) any additional costs to the subject that may result from participation in the research;

(iv) the consequences of a subject's decision to withdraw from the research and procedures for orderly termination of subject's participation in the research;

(v) a statement that significant new findings developed during the course of the research that may relate to the subject's willingness to continue participation will be provided to the subject, and

(vi) the approximate number of subjects involved in the study.

(F) If a research organization submits research for approval by an institutional review board under the Federal Policy for the Protection of Human Subjects—56 Federal Register 28000 (1991)—compliance with that process will be deemed compliance with the provisions of subsections (c)(2) and (f)(2) of this section.

(g)

(1) If a health insurance organization or issuer discloses to an organization health information that is not protected health information because all identifying information is encrypted, the health insurance organization or issuer and research organization shall execute a written agreement that provides:

(A) That the research organization will not disclose the data accompanied by the encrypted identifying information to a third person. However, the research organization may disclose protected health information to its agents, collaborators, or contractors as needed to conduct or assist with the research, provided that all requirements of this section are applied to the agent, collaborator, or subcontractor;

(B) that the research organization shall make no efforts to link any health information it received with encrypted identifying information to any other data that may identify the individual who is the subject of the information, and

(C) that the research organization shall make no efforts to link any encrypted protected health information with any other identifiable data.

(2) Prior to any encrypted information being decrypted or linked to identifying data, the research organization shall comply with the requirements set forth in this section and health information with decrypted identifying information shall be deemed protected health information.

(h) Nothing in this chapter shall be construed to prevent the creation, use, or disclosure of anonymized data for which there is no reasonable basis to believe that the information could be used to identify an individual.

(i) Nothing in this section shall be construed as superseding federal or Commonwealth laws and regulations governing scientific, medical, and public policy research.

History —Aug. 29, 2011, No. 194, added as § 14.120 on Aug. 23, 2012, No. 203, § 1, eff. 90 days after Aug. 23, 2012.