Privacy & HIPAA Requirements at the Iowa City VA Health Care System

1. Privacy & HIPAA Requirements at the Iowa City VA Health Care System

2. New VA HIPAA Authorization Form forResearch(Form 10-0493)

3. What does this form mean? • HIPAA Authorization means prior written permission for use and disclosure of protected health information (PHI) from the information’s source person, research subject, or legally authorized personal representative, as required under law, including HIPAA. (simple definition: This form is a release of information, signed by the subject, authorizing you to use/disclose their data outside of the VA) What are the correct and incorrect ways this form would be completed? • All elements of the HIPAA Authorization form must be filled out by the investigator and will be consistent with the informed consent and HawkIRB application. All forms are required to be filled out completely and signed by the subject, to whom the information pertains too. Failure to complete and have the subject sign the HIPAA Authorization, will be reported to the Privacy Officer, Office of Research Oversight (ORO), Research Compliance Officer and the IRB as a privacy violation

4. Which sections of the form are the investigators vs. the subject responsible for understanding? • Investigators are responsible for ensuring that no human being is involved as a subject in research unless the investigator or a designee has obtained legally effective HIPAA Authorization for use and disclosure of the subjects PHI, orhas obtained IRB-approved waiver of HIPAA Authorization • Subject or legally authorized representative are responsible for understanding and consenting to the use and disclosure of their PHI on the HIPAA Authorization form Where is the HIPAA authorization located? • HIPAA Authorization form will be located within the HawkIRB application under “approval” tab. Click on “PO review”, then “other review screen”, then “VA HIPAA”. It is not located under “attachments” because the IRB does not approve HIPAA documents. Will the HIPAA Authorization need to be included in the HawkIRB application? • The HIPAA Authorization form is required to be part of the HawkIRB application, when applicable

5. How would the new authorization form affect the content of the current informed consent document? • The Principal Investigator will be responsible for ensuring the HIPAA Authorization, informed consent and protocol are consistent with each other to include: use of data or specimens for other research as described within HIPAA Authorization and who the information pertaining to the subject is disclosed too outside of the VA Where does this document get filed after it is signed? • The original HIPAA Authorization should be kept with the research team and a copy of the HIPAA Authorization will be sent to the VA Scanning department (mail code 136c) to be scanned into the subjects medical record What are the retention requirements for this new form? • The National Archives and Records Administration (NARA) currently have not set retention requirements for ANY research records, therefore nothing should be destroyed at the time. All Research records including the HIPAA Authorization must be kept until NARA provides guidance for destroying research records.

6. What is individually-identifiable health information? • Health information that does not identify an individual and to which there is no reasonable basis to believe that the information can be used to identify an individual. 18 HIPAA identifiers. Note: Retinal Scans and audio recordings are considered individual-identifiable identifiers What is de-identified data? • For purposes of VA research, de-identified data are data that have been de-identified in accordance with both HIPAA Privacy Rule and the Common Rule (18 HIPAA identifiers) • Scrambling of names and social security numbers is not considered de-identifying health information • Coded data is data identifiable by the individual(s) who has access to the code. Therefore, coded data are not considered to be de-identified or anonymous. When disclosing de-identified data to non-VA entities this code needs to be removed

7. Other information: • Use of the new HIPAA Authorization, Form 10-0493 begins immediately for all new protocol applications • All existing IRB approved projects will not be required to revise the consent process at the point of CR or modification to use the new HIPAA Authorization, unless you are making changes to your HIPAA Authorization or as directed by the IRB

9. *New section

10. *New section *Need to insert your information here

12. *This part of the form is new

13. Miscellaneous Research Privacy information: • Record retention language will be used for all protocols involving the VA “The required records, including the investigator’s research records, will be retained until disposition instructions are approved by the National Archives and Records Administration and are published in VHA’s Records Control Schedule (RCS 10-1)” • Original audio recordings cannot be deleted/destroyed even after transcribed (upload to a VA server) • Research Identifiers cannot be deleted/destroyed • If you are storing VA information on a University server this language needs to be documented in the informed consent “Transfer of your information to an affiliate server constitutes “disclosure” under HIPAA. After transfer of your information to the University affiliate server, VA no longer owns the transferred information and VA cedes control over the information”. A HIPAA Authorization will also need to be completed if storing information to the University server. If the investigator is not getting the subjects written consent/HIPAA Authorization, but storing information on the University server you must have a waiver from the VA Chief Information Officer prior to storing information outside of the VA. • A prior written HIPAA Authorization signed by the subject must be obtained prior to disclosing PHI to an academic affiliate

14. All employees will follow “clean desk” practices to protect VA sensitive information (in any form) in uncontrolled environments and all VA sensitive information on printouts and other media will be kept in locked files or cabinets when not in use • VA Authorization to transport data outside of VA property will be filled out and signed by all parties before any VA sensitive information is transported, transmitted, accessed, or removed from VA property. *Privacy Practice Notice Handbook 1605.04 indicates “VHA must provide a copy of its VHA Notice of Privacy Practices to all non-Veteran research subjects enrolled in an approved VHA research study with clinical trials” • The non veteran patient must acknowledge receipt of the VHA Notice of Privacy Practices during first episode of care on VA form 10-163. After the non-Veteran has signed the acknowledgement form the principal investigator for the research study will send an encrypted email to the facility Privacy Officer with the full name of the non-Veteran and the non-Veteran’s last four of social security number

15. Privacy Practice Notice continue: • If an acknowledgement of VHA Notice of Privacy Practices is not received from the non-Veteran patient, an administrative note must be entered into CPRS or the research subjects record indicating the good faith efforts made to obtain the written acknowledgement and the reason(s) why the acknowledgement was not received Legally Authorized Representative(LAR) • Is an individual who is qualified to provide informed consent on behalf of a prospective research subject but may not always qualify as a personal representative for the purposes of consent to use or disclose a human subject’s PHI (HIPAA authorization) • Examples of LAR: • Health Care agent • Legal or special guardian • Next of kin in this order: spouse, child, parent, sibling, grandparent, grandchild, or • A close friend

16. If an investigator wants a copy of the research data, a request must be submitted to the Privacy Officer prior to receiving a copy of the data • All research data is the property of the VA and is required to stay with the VA, even after the research study is closed

17. 18 HIPAA Identifiers: • The following identifiers of the individual or of relatives, employers, or household • members of the individual are removed: • Names • (2) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: • (a) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and • (b) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000

18. (3) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older (4) Telephone numbers (5) Fax numbers (6) Electronic mail addresses (7) Social Security Numbers (8) Medical record numbers (9) Health plan beneficiary numbers (10) Account numbers (11) Certificate and/or license numbers

19. (12) Vehicle identifiers and serial numbers, including license plate numbers (13) Device identifiers and serial numbers (14) Web Universal Resource Locators (URLs) (15) Internet Protocol (IP) address numbers (16) Biometric identifiers, including finger and voice prints (17) Full-face photographic images and any comparable images (18) Any other unique identifying number, characteristic, or code

20. Questions for Privacy please contact: Amber Smith VA Privacy Officer (319) 338-0581, ext. 6092 Amber.Smith2@va.gov Sara Miller Research Compliance Officer (319) 338-0581, ext. 6217 Sara.Miller@va.gov