PowerPoint Slideshow about 'HIPAA Privacy Rule' - carver


HIPAA Privacy Rule

“Standards for Privacy of Individually Identifiable Health Information”

45 CFR 160 and 164*

*http://www.hhs.gov/ocr/combinedregtext.pdf (2.5 MB)

Privacy Rule
  • Establishes requirements relative to the use and disclosure of protected health information (PHI). This includes uses in and disclosures for research purposes.
    • “A covered entity may not use or disclose protected health information except as otherwise permitted or required” – 45 CFR 164.502
  • Covered entities must be in compliance by April 14, 2003
  • DHHS Office of Civil Rights is responsible for enforcement
Definitions
  • Covered entity
    • Health plan
    • Health care clearinghouse
    • Health care provider who transmits any health information in electronic form in connection with transactions covered by the rule:
      • Health care claims, Health care payment & remittance advice, Coordination of benefits, Referral certification & authorization, Health care claim status, Enrollment/disenrollment in health plan, Eligibility for health plan, Premium payments, First injury reports, Health claim attachments, Anything else the Secretary prescribes via regulation
Definitions
  • Protected Health Information (PHI)
    • Individually identifiable health information that is
      • Transmitted by electronic media (e.g., internet, intranet, tape, disc, compact disc)
      • Maintained in electronic medium (e.g., tape, disc, compact disc)
      • Transmitted or maintained in any other form or medium
    • Note – de-identified information is not PHI
Definitions
  • Individually Identifiable Health Information
    • Created or received by a health care provider, health plan, employer or health care clearinghouse and
    • Relates to past, present or future physical or mental health condition of an individual; provision of health care to an individual; or past, present or future payment for provision of health care of an individual and
      • Identifies the individual; or
      • For which there is a reasonable basis to believe the information can be used to identify the individual
Definitions
  • Health Information
    • Any information, whether oral or recorded in any form or medium that
      • Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and
      • Relates to the past, present, or future physical or mental health or condition of an individual; or the past, present or future payment for the provision of health care to the individual
  • Research
    • A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.
Research Use
  • 4 pathways for permission to use PHI for research related purposes
    • With Authorization from Patient
    • Without Authorization from Patient
      • Waiver of Authorization by IRB or Privacy Board
      • Reviews Preparatory to Research
      • PHI of Decedents
    • Limited Data Set and Data Use Agreement
    • De-identified Data
Research Use – With Authorization
  • Authorization must have:
    • At least the following core elements:
      • Description of information to be used
      • Name of persons authorized to make the use or disclosure
      • Name of persons to whom the covered entity may make the use or disclosure
      • Description of each purpose of the use or disclosure
      • An expiration date or event
        • “End of the research study” or “none” are acceptable for research purposes
      • Signature of the individual and date
Research Use – With Authorization
  • Authorization must include:
    • The following statements:
      • Individual’s right to revoke the authorization in writing and exceptions to the right to revoke and a description of how the individual may revoke the authorization
      • Ability or inability to condition treatment, payment, enrollment or eligibility benefits on the authorization
      • Potential for information disclosed pursuant to the authorization to be subject to redisclosure and no longer protected
Research Use – With Authorization
  • The authorization must be written in plain language
  • The authorization must be provided to the individual as a signed copy for them to keep.
  • The authorization may be combined with any other type of written permission for the same research study, such as a consent to participate in research.
Research Use – W/out Authorization
  • Documented Waiver by IRB or Privacy Board, including:
    • ID of IRB and approval date of the waiver
    • Statement that IRB has determined waiver satisfies 3 criteria:
      • Use/disclosure involves no more than minimal risk to the individual
      • Adequate plan exists to protect identifiers from improper use or disclosure
      • Adequate plan exists to destroy identifiers at earliest opportunity consistent with conduct of research unless there is justification to retain
Research Use – W/out Authorization
  • Documented Waiver by IRB or Privacy Board
    • Adequate written assurances that the PHI will not be reused or disclosed to anyone else or for other research
    • The research could not be practicably carried out without the waiver
    • The research could not be practicably carried out without access to the PHI
    • Brief description of the PHI for which the use/access is necessary
    • Statement that the waiver has been reviewed under normal or expedited review procedures
    • Signature of IRB Chair or other member, as designated by the Chair
Research Use – Reviews Preparatory to Research
  • Requires representation (orally or in writing) from researcher that:
    • The use/disclosure of PHI is solely for research protocol preparation and,
    • The researcher will not remove any PHI from the covered entity and,
    • The PHI for which access is sought is necessary for the research purpose.
PHI of Decedents
  • Requires representation (orally or in writing) from researcher that:
    • The use/disclosure sought is solely for research on the PHI of decedents and,
    • The PHI for which access is sought is necessary for the research purpose and,
    • At the request of the covered entity, documentation of the death of the individuals about whom the information is sought.
Limited Dataset Use
  • Requires data use agreement between covered entity and researcher.
  • Covered entity may disclose a limited data set to the researcher
  • Data set excludes specific direct identifiers of the individual or of relatives, employers, or household members of the individual
Limited Dataset Use
  • Data use agreement must:
    • Establish permitted uses of the data set
    • Limit who can use or receive the data
    • Require recipient to agree to:
      • Not use/disclose the information other than as permitted in agreement
      • Use appropriate safeguards to prevent use/disclosure other than permitted in agreement
      • Report to covered entity any use/disclosure not provided for by agreement that recipient becomes aware of
      • Ensure that any agents to whom recipient provides the data set agree to same restrictions and conditions
      • Not identify the information or contact the individual.
Limited Dataset Use
  • Data set must exclude variety of direct identifiers of the individual, relatives, employers or household members:
    • Names, addresses other than city, state & zip code, telephone numbers, email addresses, SSNs, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, VINs, license plate numbers, device identifiers and serial numbers, web URLs, IP addresses, biometric identifiers, full face photographic images
De-identified data - Requirements
  • Determination or documentation by a person with “appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not identifiable” that the risk is “very small” that the information could be used to identify an individual

OR

De-identified data - Requirements
  • Removal of elements related to the individual, relatives, employers or household members:
    • Names, geographic subdivisions smaller than a state except for first 3 zip code digits (if all zip codes with those 1st 3 digits contain >20,000 people), all elements of dates (except year) directly related to individual (birth, admission, discharge, death), all ages over 89 and all elements of dates (including year) indicative of such age (can aggregate into single category of age 90 and older) and
    • All those elements excluded from Limited Data Sets, and
    • Any other unique identifying number, characteristic or code, except as permitted for re-identification by the covered entity
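
The removal rules on this slide, applied to a single record, as an added example that is not part of the original presentation. The field names, the list of sparsely populated ZIP prefixes and the sample record are constructed assumptions; fields are kept by allowlist, so any field the code does not recognise is dropped rather than passed through.

```python
from datetime import date

# Field names are assumptions for a hypothetical record layout, not from the slides.
PASS_THROUGH = {"state", "sex", "diagnosis_code"}   # allowlist of fields kept as-is
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Constructed sample of 3-digit ZIP prefixes covering 20,000 people or fewer;
# a real list has to be derived from current census data.
SPARSE_ZIP3 = {"036", "059"}


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the removal rules to one record; unknown fields are dropped."""
    age = record.get("age")
    if age is None and "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
    over_89 = age is not None and age > 89

    out = {}
    for field, value in record.items():
        if field in PASS_THROUGH:
            out[field] = value
        elif field == "zip":
            zip3 = str(value)[:3]                # ZIP is expected as a string
            if zip3 not in SPARSE_ZIP3:          # keep the prefix only if populous
                out["zip3"] = zip3
        elif field in DATE_FIELDS:
            # Year only; a birth year would itself reveal an age over 89.
            if not (over_89 and field == "birth_date"):
                out[field[:-5] + "_year"] = value.year
        elif field == "age" and not over_89:
            out["age"] = value
        # Everything else (name, SSN, e-mail, unrecognised fields) is dropped.
    if over_89:
        out["age"] = "90+"                       # single aggregate category
    return out


# Constructed sample record.
SAMPLE = {"name": "Jane Roe", "ssn": "000-00-0000", "zip": "03601", "state": "NH",
          "birth_date": date(1930, 5, 1), "admission_date": date(2024, 3, 9),
          "diagnosis_code": "I10", "device_serial": "X1"}
```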