HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003
HIPAA Overview • Health Insurance Portability and Accountability Act of 1996 • Four Key Areas: • Privacy Standards • Electronic Transaction Standards • Security Standards • Unique Identifiers • Required Compliance – October 16, 2002 & April 14, 2003
HIPAA - Scope • Applies to • Health plans • Health care providers • Health care clearinghouses • Covered Entity = an organization that transmits health information in electronic form in connection with a “HIPAA transaction” (financial and administrative activities related to health care)
HIPAA - Scope • USC = “Hybrid Entity” • Covered Components • Affiliated covered entities include PHA, Dorn VA, USC Clinics
HIPAA - Scope • “Protected Health Information” (PHI): All individually identifiable health information transmitted or maintained by an organization covered by the HIPAA regulations (a “covered entity”), regardless of form
Privacy Rule • Limits the use and disclosure of PHI • Gives patients the right to access their medical records and to know who accessed their health information • Restricts most disclosures of PHI to the minimum necessary
Privacy Rule (cont.) • Establishes criminal and civil penalties for improper use or disclosure • Establishes new requirements for access to records by researchers
Use and Disclosure of PHI Authorization • Plain language • Description of information to be disclosed • Purpose of disclosure • Identification of person(s) authorized to use • Expiration date or expiration event • Right to revoke • Statement regarding possible redisclosure • Signature and date
Authorization vs. Consent • A privacy authorization says: “It’s OK for you to look at my PHI and disclose it to a designated third party.” • A consent form says: “I agree to participate in your research project and I understand the risks, benefits, etc.” • Both are needed for research • May be combined
Disclosure Without Authorization • Waiver by IRB or Privacy Board • Reviews preparatory to research • De-identified Information • Use or disclosure of a limited data set • Decedent information • Public health disclosures
Waiver of Authorization • Disclosure poses no more than minimal risk to the privacy of individuals • Plan to protect identifiers from improper disclosure • Plan to destroy identifiers at earliest opportunity • Written assurance that PHI will not be reused or disclosed • Research could not practicably be done without the waiver • Research could not practicably be done without access to the PHI • Privacy risks are reasonable in relation to expected benefits
Reviews Preparatory to Research • For preparatory work, the researcher must submit a request to the covered entity documenting that: • Reviewing protected health information is necessary to prepare a research protocol; • Information will not be removed or recorded by the researcher during the review; • Information for which access is sought is necessary for research purposes.
De-identified Information • Names • All geographic subdivisions smaller than a state • All dates (except year) • Telephone numbers • Fax numbers • Electronic mail addresses • Device identifiers and serial numbers • Web locators – URLs • Internet Protocol address numbers • Social Security numbers • Medical record numbers • Health plan beneficiary numbers • Account numbers • Certificate/license numbers • Vehicle identifiers, including license plate numbers • Biometric identifiers (finger and voice prints) • Full-face photographic images • Any other unique identifying number or code
Limited Data Set • Used or disclosed for research, public health, or health care operations purposes only • Requires the removal of fewer identifiers – “facial identifiers” • May include • Dates related to admission, discharge, birth, death • City, state, five-digit ZIP code • Data use agreement signed by recipient
Research on Decedents’ Information • Assurance that disclosure and use is solely for research on the PHI of decedents • Documentation, when requested by CE, of the death of such individuals • Assurance that the PHI is necessary for research purposes
Public Health Disclosures • Mandated reporting of contagious diseases • Disclosure regarding an FDA regulated activity • Registries • Government, academic and non-profit • Required by law, IRB waiver, authorization, limited data set • Development of registry for research is “research”
Specimens and Tissue Samples • HIPAA applies if the specimens/samples include identifying information.
Impact on Research • Researchers requiring access to PHI must request the information from and meet the requirements of the covered entity • Reluctance by health care providers to participate in research • Barriers to subject recruitment • Increased responsibility for IRB
Recruitment of Subjects • PHI cannot be disclosed to a third party for purposes of recruitment without IRB waiver or patient authorization • Recruitment is allowed for covered health care providers without authorization or waiver (i.e. physicians can recruit their own patients for research studies)
Transition – Prior Permission • Privacy Rule includes a transition provision • Allows for reliance on consent or IRB waiver obtained prior to 04/14/03 • May use or disclose PHI created before or after 04/14/03 based on then-valid consent • Can rely on existing consent for “future unspecified research”
Privacy and the Common Rule • Research with subject permission • Privacy Rule – subject authorization to use/disclose PHI AND • Common Rule – IRB approval of protocol and informed consent process
Privacy and the Common Rule • Research without subject permission: • Privacy Rule – IRB/Privacy Board waiver based on specified criteria unless preparatory to research or de-identified information or limited data set with data use agreement AND • Common Rule – Waiver of consent or other appropriate finding (i.e. exemption)
Waiver Approval - Documentation • Identification and date of action • Waiver criteria satisfied • Brief description of required PHI • Review and approval procedures • Signature of IRB/PB Chair
Researcher Responsibilities • Know the rules and be prepared for varying interpretations by covered entities • Authorization vs. waiver • Preparing a confidentiality plan • What information is required? • Who will have access to the data? • How long will access be needed? • Safeguards for protecting information • Alternatives to use of PHI? • Time to gain approval from an additional committee
IRB Responsibilities • Having appropriate expertise in privacy and confidentiality concerns. • Ensuring that consent forms contain appropriate authorization requirements if applicable. • Understanding waiver criteria and documenting appropriately. • Coordinating communications with Privacy Board, if applicable.