Case reports submitted for publication do not strictly meet the criteria of research. Although a case report (defined as a retrospective analysis of one (1), two (2), or three (3) clinical cases) may be illustrative, it does not meet the Federal Policy for the Protection of Human Subjects definition of Research, which requires an investigation that contributes to generalizable knowledge about a disease or condition. Instead, a case report is intended to develop information to be shared for medical or educational purposes.
The institution’s policy, therefore, is that a case report is not research that must be approved by the IRB . If an author wants to have a project assessed by the IRB to determine whether it meets the institution’s definition of a case report the author may contact the IRB.
Although there is no requirement of IRB approval for a case report, the HIPAA Privacy Rule restricts how protected health information (individually identifiable health information) may be used and disclosed. HIPAA requires written authorization for certain uses and disclosures of an individual’s protected health information, including publication of a single case report.
An author may be exempted from obtaining a signed authorization from the patient discussed in the case report if certain identifiers are removed from the case report prior to disclosure (i.e., before the case report is submitted to a journal). The removal should be done by a member of the Tufts Medical Center workforce. It is the responsibility of the author to ensure compliance with patient privacy, institutional rules, and federal regulations. It is also the responsibility of the author to ensure that (i) no photos or illustrations that contain identifiable features are included the case report (e.g. pictures of a patient’s face or tattoos should not be included or the identifying information should not be visible) and (ii) the case(s) described in the report are not so unique or unusual that it might be possible for others to identify the patients in the case reports.
If an author wants to publish a case report that is not completely de-identified pursuant to the standards set forth in HIPAA or if there is any concern that a patient could be identified or likewise could identify themselves or a family member (for example, because the condition or diagnosis is distinct or identifiable features appear in photographs), the institutional privacy officer or his/her designee should be consulted and explicit authorization from the patient must be sought for the use of identifiable information. If a patient is deceased, authorization for the use of identifiable patient information must be obtained from the personal representative of the patient’s estate.
If case reports are not identifiable, there is no need to obtain the patient’s signed authorization, to contact the HIPAA Privacy Officer, or to submit any documents to the IRB.
If a case report will contain information that directly or indirectly identifies a patient, the author is to contact his/her institutional privacy officer or designee. In addition, the author must attain authorization for the use of this identifiable information from the patient, or the patient’s estate if the patient is deceased. Please contact your institution’s HIPAA Privacy Officer or his/her representative if you have questions about whether the data in your case report may directly or indirectly identify a patient.
1) An analysis of more than three clinical cases does meet the definition of research that must receive IRB approval before commencing. These cases also require the authorization of a subject that meets the requirements set forth in HIPAA.