HSRC Frequently Asked Questions

List of frequently asked questions about the HSRC:

Is the LACDMH Human Subjects Research Committee (HSRC) an Institutional Review Board (IRB)?
Does my research need Human Subjects Research Committee (HSRC) review?
How is Human Subjects defined?
How is research defined?
What qualifies an activity as research?
What is the difference between a Directly-Operated (DO) program and a Legal Entity (LE) program?
When is LACDMH HSRC review and approval not needed?
What general criteria are necessary to apply for HSRC review?
How do I apply for LACDMH HSRC approval?
What are the HSRC requirements of a consent form when research involves LACDMH clients?
What is involved in the principal investigator attestation?
What is de-identified data?
What are the 18 HIPAA identifiers?
How do investigators demonstrate how they will ensure security of PHI?
How does LACDMH evaluate the security of sensitive data or PHI?

Is the LACDMH Human Subjects Research Committee (HSRC) an Institutional Review Board (IRB)?

No, the HSRC is NOT a federally registered IRB. Principle Investigators (PI) are required to obtain IRB approval from their home institution prior to submitting an HSRC application to LACDMH. These IRBs must include an association with a specific research institution located in Los Angeles County. Other IRBs may be considered on a case-by-case basis. The HSRC is necessary to provide an extra level of human subjects protection with respect to LACDMH clients.

Back to Top

Does my research need Human Subjects Research Committee (HSRC) review?

HSRC must review and approve all human subjects research projects involving LACDMH programs, staff, and data.  Research activities cannot begin until HSRC approval is obtained. This includes LACDMH Directly-Operated (DO) programs and programs with LACDMH legal entity (LE) agreements.

Research that involves human subjects as defined by federal guidelines and LACDMH Mental Health Review Policy No. 1400.01, Section 2.2, requires HSRC review.

Back to Top

How is Human Subjects defined?

Human Subjects is defined as a living individual about whom an investigator (whether professional or student) conducting research obtains: a) Data through intervention or interaction with the individual and b) Identifiable private information.

Back to Top

How is research defined?                                                          

Research is defined as a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Activities that meet this definition constitute research for purposes of this policy, whether or not they are conducted or supported under a program, which is considered research for other purposes. For example, some demonstration and service programs may include research activities.

Back to Top

What qualifies an activity as research?

The intent to develop or contribute to generalizable knowledge makes an activity research. Activities designed with intent to develop or contribute to generalizable knowledge are those designed to draw general conclusions, inform policy, or generalize finding beyond a single individual or an internal program (e.g., publication), require HSRC review. Results do not have to be published or presented to qualify the activity as research.

Back to Top

What is the difference between a Directly-Operated (DO) program and a Legal Entity (LE) program?

DO clinics and programs are operated and managed with LACDMH employed staff whereas LE contracted providers are funded by LACDMH, but are operated and managed by private organizations. Research that studies LACDMH LE contractors’ staff is exempt from HSRC review.

Back to Top

When is LACDMH HSRC review and approval not needed?

HSRC review is not needed if the investigation primarily involves quality assurance activities, including program evaluations solely for internal assessments, audits and program evaluations assessing the success of established programs or processes to continuously improve the program quality or performance where it is not the intention to share the results.

Back to Top

What general criteria are necessary to apply for HSRC review?

  1. The LACDMH HSRC approves research, which fits closely with its Departmental service mission, ability to allocate necessary associated resources, and responsibility to minimize, to the greatest extent possible, any risks to LACDMH clients or LACDMH.
  2. In accordance with LACDMH policy, all LACDMH services provided as part of research activities must fully meet Departmental clinical, programmatic, privacy and security requirements, and fiscal requirements, including those related to practice parameters, policies and procedures, and medical necessity.
  3. Again, the LACDMH HSRC is not a federally registered Institutional Review Board
    (IRB). LACDMH requires that investigators have IRB approval from their home institution’s federally registered IRB. These IRBs must include an association with a specific research institution located in Los Angeles County. Other IRBs may be considered on a case-by-case basis.


Back to Top

How do I apply for LACDMH HSRC approval?

  1. HSRC Application Process: The HSRC will only initiate its review process for applications that are complete. A complete application includes documentation of IRB approval from the investigator home institution’s registered IRB, required documents, supporting letters and signatures, as well as applicable forms. The HSRC will schedule a meeting, at which time the principal investigator (PI) must be available by telephone to the HSRC. The HSRC will identify any specific issues pertaining to LACDMH policies, impact on services, consent, privacy and security, etc. The investigator must resolve these issues before the application is approved.
  2. Program Manager and DMH Deputy Director Approval: Investigators are to obtain one approval per site from each LACDMH program site’s respective program manager and deputy director. Approval(s) are required for both LACDMH directly-operated sites, as well as LE contracted sites. Signatures indicate respective signators’ intent to support the research project with the necessary resources. Attach all applicable Approval(s) (HSRC Application Part I, Section F & G). For LE contracted sites, program manager’s signature must have authority equivalent to a program manager/clinical manager or above, and approval from the deputy director responsible for overseeing their contracts are required. Investigators should anticipate that individuals who are responsible for programs may have other questions, or may request additional information before granting research approval.
  3. Privacy Protections: All investigators are required to complete Exhibit A – Privacy Protections.
  4. Protection of Information and Safeguarding the Infrastructure: All investigators are required to complete Exhibit B – Protection of Information and Safeguarding the Infrastructure. Even if the section does not apply, please thoroughly explain why it does not apply.
  5. Volunteer Registration: All non-DMH research staff and investigators whose work will involve a physical presence in any Directly-Operated LACDMH clinic for recruitment, screening, study measures, etc., are required to register as a DMH volunteer with the LACDMH Human Resources Bureau, and identify a DMH employee as a volunteer supervisor for the research project site, per DMH Policy 600.11. DMH HIPAA Training is REQUIRED for all DMH volunteers prior to starting volunteer registration. Please contact the DMH Privacy Officer, Ginger Fong, via email at GFong@dmh.lacounty.gov if you have any questions.
  6. Application Submission: Send the completed application to HSRC@dmh.lacounty.gov. You will be contacted if additional information is needed.
  7. Responding to Initial Review/Time Limit: To process the application in a timely manner, the investigator should respond as quickly as possible to any questions or suggested revisions during the initial review of the application. Applications should be completed within six (6) months of initial submission; e.g., Privacy Protections, Protection of Information and Safeguarding the Infrastructure, and signed Approval(s).
  8. Attachments: Complete and submit the following documents with your HSRC application, as applicable.
  • IRB Application and IRB Approval Letter*
  • Evidence of PI Qualifications
  • Consent Documents
  • Recruitment Material(s)
  • HIPAA Research Authorization Form(s)
  • Oath of Confidentiality Agreement(s)

*Please ensure that the information in the IRB documents is consistent with the information you include in your HSRC application.  Any inconsistencies can significantly delay HSRC approval of your study.

Back to Top

What are the HSRC requirements of a consent form when research involves LACDMH clients?

  1. All consents should include the following statement: “Clients served by the Los Angeles County Department of Mental Health directly-operated clinics or LE contractors with questions or concerns regarding the impact of their research activities on access to or quality of their usual care may contact the Los Angeles County Department of Mental Health Human Subjects Research Committee at (213) 639-6348.” 
  2. Statement that the study involves research, explanation of the purposes of the research, expected duration of participation, description of the procedures to be followed, and identification of any procedures that are experimental.
  3. Description of any reasonably foreseeable risks or discomforts to the participant.
  4. Description of any benefits to the participant or to others that may reasonably be expected from the research.
  5. Disclosure of appropriate alternative procedures or courses of treatment, if any, that might be advantageous to the participant.
  6. Statement describing the extent, if any, to which confidentiality of records identifying the participant will be maintained.
  7. Explanation of who to contact for answers to pertinent questions about the research and research participant’s rights and who to contact in the event of a research-related injury to the participant.
  8. Statement that participation is voluntary, and that refusal to participate will involve no penalty or loss of benefits to which the participant is otherwise entitled to, and the participant may discontinue participation at any time without penalty or loss of benefits to which the participant is otherwise entitled. The research and consent processes should not interfere with DMH services, or treatment of clients.
  9. For research involving greater than minimal risk, an explanation about whether: (1) medical treatments are available if injury occurs and, if so, what they consist of or where further information can be obtained. (2) Compensation is available if injury occurs and, if so, an explanation as to what it consists of or where further information can be obtained.
  10. Any additional costs to the participant that may result from participation in the research.
  11. Consequences of a participant’s decision to withdraw from the research and procedures for orderly termination of participation by the participant.
  12. Statement that significant new findings developed during the course of the research that may relate to the participant’s willingness to continue participation will be provided.


Back to Top

What is involved in the principal investigator attestation?

GENERAL ATTESTATION

  1. Initiate the research only after LACDMH HSRC approval has been received.
  2. Ensure that all non-DMH researchers conducting research at DMH Directly-Operated sites register with the LACDMH Human Resources Bureau as volunteers.
  3. Perform the research as approved by the HSRC, utilizing appropriately trained and qualified personnel with adequate resources.
  4. Obtain and document (unless waived) informed consent and HIPAA research authorization from human subjects (or their legally authorized representatives) prior to their involvement in the research using the HSRC-approved consent form(s) and proposed recruitment process.
  5. Promptly report to the LACDMH HSRC any events that represent unanticipated problems involving risks to study participants or others, and/or significant new findings that may relate to the participants’ willingness to continue to participate.
  6. Inform the HSRC of any proposed changes in the research or informed consent process before changes are implemented, and agree that no changes will be made until approved by the HSRC (except where necessary to eliminate apparent immediate hazards to participants). To propose changes to an approved study, PI must submit a Request for Amendment Form (insert hyperlink to form) to LACDMH HSRC for review and approval.
  7. Complete and submit an Application for Continuing Review (insert hyperlink to form) 45 days prior to the expiration date of the previous HSRC approval period at one-year intervals and/or as determined by the HSRC to be appropriate to the degree of risk (but not less than once per year) to avoid expiration of HSRC approval and cessation of research activities.
  8. Complete and submit an Application for Continuing Review (including Section 11 – Final Study Review) when all research activities have ended.
  9. Maintain research-related records in a manner that supports the validity of the research and integrity of the data collected, while protecting the confidentiality of the data and privacy of participants.
  10. Retain research-related records for audit for a period of at least six (6) years after the research has ended (or longer, according to sponsor or publication requirements).
  11. Submit manuscripts to the LACDMH HSRC for review prior to submission for publication to ensure that PHI is not included.
  12. Provide copies to the LACDMH HSRC of all publications resulting from the research project.
  13. Maintain current IRB renewals.
  14. Adhere to Los Angeles County Policy 608.02, which states, “No employee is permitted to accept any gifts or other considerations from any person, firm or corporation other than the County for the performance of an act that the employee would be required or expected to render in the regular course of their County employment.”
  15. Inform all co-investigators, research staff, employees, and LACDMH staff assisting in the research of their obligations in meeting this Assurance.
  16. Complete HIPAA training.

 

DATA SECURITY ATTESTATION

  1. Understand that project approval applies only to the protocol processes documented in the HSRC Application including the Privacy Protections and Protection of Information and Safeguarding the Infrastructure sections.
  2. Agree that any changes in the scope, methodology or in the configuration of systems and tools to those previously approved must be reviewed and approved by LACDMH HSRC prior to implementation.
  3. Report changes or be subject to possible suspension of all activities or cancelation of the project.
  4. Acknowledge that LACDMH may conduct audits to validate full compliance with the LACDMH HSRC Application “Assurance” section.


Back to Top

What is de-identified data?

Data is considered de-identified if the LACDMH Chief Information Office Bureau (CIOB) is providing and de-identifying data or none of the 18 HIPAA identifiers are collected. If LACDMH CIOB is not providing or de-identifying the data, appropriate security measures must be taken by the investigator. All data not de-identified by CIOB which may contain identifiers (coded or not coded) are treated as Protected Health Information (PHI). The investigator’s research is required to be in compliance with federal HIPAA laws and LACDMH policy.

Back to Top

What are the 18 HIPAA identifiers?

  1. Names
  2. All geographical subdivisions smaller than a State (e.g., street address, city, county, zip code)
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  4. Phone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)


Back to Top

How do investigators demonstrate how they will ensure security of PHI? 

LACDMH requires compliance with the “Health Information Technology for Economic and Clinical Health (HITECH)” Act. HITECH Act of 2009 defines PHI as “rendered, unusable, unreadable, or indecipherable” if the data is either encrypted or destroyed by approved technology or methodologies which will satisfy the reporting requirements defined for a breach in the event the data is lost, stolen, misplaced or an attempt made to hack the data.

  • The approved encryption method for data at rest (i.e., audio or video recorded session stored temporarily on a recording device, data stored on a workstation, laptop, USB thumb drive, remote Web-Server, data that resides in databases, file systems, and other structured storage methods) are based on the National Institute of Standards and Technology (NIST) Special Publication 800-111.
  • The approved encryption processes for data in motion (i.e., data that is moving through a network, including wireless transmission) are those that comply with Federal Information Processing Standards (FIPS) 140-2 and are included in NIST Special Publication 800-52, “Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations” and NIST Special Publication 800-77, “Guide to IPsec VPNs”. For the transportation of sensitive information where the solution is maintained by a third-party vendor, the researcher must obtain a Business Associate (BA) contract with the vendor using language consistent with the HIPAA Final “Omnibus” Rule. The BA vendor is responsible for protecting the sensitive data from unauthorized access, including its own staff, and must comply with the Security and Breach Notification Rules.
  • The approved data destruction method is dependent on the type of media. Paper, film, and other hard copy media should be shredded or destroyed so that the PHI cannot be read or reconstructed. Electronic media should be cleared, purged or destroyed so that the PHI cannot be retrieved and be consistent with NIST Special Publication 800-88, “Guidelines for the Media Sanitation.”


Back to Top

How does LACDMH evaluate the security of sensitive data or PHI?

  • LACDMH requires that computing devices used for the research and transportation of sensitive data meet federal (HIPAA) guidelines. The LACDMH CIOB verification process is accomplished through a risk assessment as described below:
    • Evaluation of the computing devices used for accessing, processing or transporting sensitive data. Portable computer devices, laptops, notebooks, and tablets must be encrypted with a solution validated by NIST as meeting FIPS publication 140-2 and equipped with a strong and complex password.
    • Ensure that all workstations, portable computing devices, and other systems that process and/or store sensitive data have a commercial third party anti-virus software solution and are updated when new anti-virus definition/software release is available. Additionally, ensure that the above-mentioned devices have current security patches applied and up-to-date.
    • Encrypt all electronic sensitive files when the file is stored on any electronic portable devices or devices with removable media (e.g., USB thumb drives, floppies, CD/DVDs, SD Cards, digital audio or video recorders, etc.) using a vendor product validated by NIST as FIPS 140-2 compliant or simply use devices with encrypted hardware that are compliant with FIPS 140-2 (e.g., encrypted USB thumb drives, notebooks with encrypted hard-drives, encrypted audio recorders secured by a PIN, audio or video recording using webcam and microphone, and encrypted notebook with complex password security).
    • Ensure that all emails containing sensitive information is sent via an encrypted method using a vendor product validated by NIST as FIPS 140-02 compliant.
    • Smart Phone devices used by the research staff for the project must include encryption compliant to FIPS 140-2. The device must be locked if not in use and accessed by a complex password. The web browser’s caching must be disabled. The device must have remote wipe capability in an event it is misplaced or lost. Texting information that may include any of the above HIPAA identifiers is strictly prohibited. The non-sensitive texts should have a statement warning clients to never respond, forward or reply to the text and delete it once read.
    • Evaluation of the transportation method(s) for existence of adequate safeguards to secure the sensitive information from unauthorized access during transportation/transmittal. For solutions utilizing the internet/webservers, security measures such as Valid SSL Certificates, Security Protocols, Authentication Methods, Cipher strength, and FIPS Compliance will be tested and evaluated.
    • Evaluation of the data workflow determines if the path that the sensitive information travels from creation until delivery to authorized recipients includes sufficient protection to render the data unusable, unreadable or indecipherable to unauthorized access.
  • LACDMH requires that the research project investigator use role-based access controls for all user authentications, enforcing the principle of least privilege to protect the sensitive information from unauthorized persons. Only the minimum necessary amount of PHI required to perform necessary functions, as defined by HIPAA Rule, may be copied, downloaded, or exported by the research staff.
  • The research PI is expected to maintain an automated audit trail which can identify the user or a system process which initiates any level of access to PHI. The audit trail must be date and time stamped, log both successful and failed accesses, is read only, and restricted to authorized users. If PHI is stored in a database, database logging functionality must be enabled.

Back to Top