Hipaa privacy rule and research
1 / 33

HIPAA Privacy Rule and Research - PowerPoint PPT Presentation

  • Updated On :

HIPAA Privacy Rule and Research. Elizabeth A. Trias, MA, CIP Pam Joy, RN, MN, PNP November 2003 (rev. May 2004). WA State Law & Privacy Rule. Good News: Children’s researchers already operate in compliance with Washington State’s Uniform Health Care Information Act.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'HIPAA Privacy Rule and Research' - pilis

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Hipaa privacy rule and research l.jpg

HIPAA Privacy Rule and Research

Elizabeth A. Trias, MA, CIP

Pam Joy, RN, MN, PNP

November 2003 (rev. May 2004)

Wa state law privacy rule l.jpg
WA State Law & Privacy Rule

  • Good News:

    • Children’s researchers already operate in compliance with Washington State’s Uniform Health Care Information Act.

    • Many of the HIPAA Privacy Rule requirements for research were already in place.

    • Impact of HIPAA on researchers in the state of Washington is less than in other states.

Highlights of the privacy rule l.jpg
Highlights of the Privacy Rule

  • Effective April 14, 2003. Sets a federal floor for patient Protected Health Information (PHI), but:

    • States may have more stringent privacy protections, and

    • The more stringent law (HIPAA or state) governs.

  • Today we’ll review privacy rule implications for research. Failure to comply can result in civil fines ($) and criminal penalties.

(Remember to thank them, not us!)

Protected health information l.jpg
Protected Health Information

  • Privacy Rule protects health information identifying a person (or information that can be used to identify a person):

    • All individually identifiable health information that Children’s creates, uses or receives.

    • Includes information about:

      • Past, present or future physical or mental health of a person,

      • Provision of health care to that person, and

      • Payment for care received.

    • Includes information in written, electronic or oral form.

What is patient identifiable l.jpg
What is Patient Identifiable?

  • Information containing any one of 18 identifiers:

  • Name

  • Social Security Number

  • Device identifiers and serial numbers

  • Geographic subdivisions smaller than state (street address, city, county, precinct, zip code, equivalent geo-codes except first 3 digits of a zip code)

  • All elements of dates(except year) directly related to an individual, including birth date, admission date, discharge date, date of death, and ages over 89

  • Biometric identifiers (including finger or voice prints)

  • Medical record numbers

  • Health plan beneficiary numbers

  • URL (Web Universal Resource Locator)

  • Telephone numbers

  • Account numbers

  • Email addresses

  • Fax numbers

  • Certificate/license numbers

  • Internal Protocol (IP) address numbers

  • Full face photographs

  • Vehicle identifiers and serial numbers, including license plate numbers

  • Any other unique identifying number, characteristic, or code

Use disclosure of phi l.jpg
Use & Disclosure of PHI

  • Use: Sharing within the entity.

  • Disclosure: Sharing outside the entity.

  • Privacy rule allows use and disclosure without specific authorization for Treatment, Payment, and Operations (TPO).

Research is not considered to be treatment, payment or operations

Minimum necessary standard l.jpg
Minimum Necessary Standard

  • Must limit PHI use or disclosure to the minimum necessary to accomplish the intended purposes of the research.

  • Minimum necessary applies:

    • Pursuant to a waiver of authorization,

    • Use or disclosure of decedent’s PHI,

    • Uses preparatory to research, and for

    • Limited Data Sets.

  • Minimum necessary does not apply to:

    • Treatment disclosures or requests,

    • Use or disclosure made under an authorization,

    • Disclosures to the patient of his/her PHI,

    • Disclosures to DHHS for compliance, and

    • Uses or disclosures required by law.

Overview of impact at children s l.jpg
Overview of Impact at Children’s

  • Under the Privacy Rule, researchers must:

    • Provide more detailed information to the IRB about how PHI will be created, used or shared,

    • Provide more information to research participants during the consent process and gain specific authorization for the use of their PHI, and

    • Track disclosures of PHI for studies that IRB has approved with waiver of authorization requirement

  • Affects any research conducted under Children’s auspices that creates, uses or discloses PHI.

Impact on clinical research l.jpg
Impact on Clinical Research


IRB Approval

Screen participants

(Obtaining PHI)

Recruit participants

Conduct Research

Generate Results & Reports

  • Oath of Confidentiality for Recruitment

  • Authorization signed for each subject and filed with Medical Records




  • Documentation of IRB approval (IRB cover sheet)

New Privacy Requirements

Screening patients l.jpg
Screening Patients

  • Obtain IRB approval

    • include signed “Oath of Confidentiality – Recruitment” if researchers need access to protected health information to identify, select and recruit patients

  • Screen participants

    • Present documentation of IRB approval (IRB cover sheet) & signed Oath of Confidentiality – Recruitment when requesting data or records on potential participants (e.g., Medical Records, Lab, Radiology),

    • Obtain/Use only the minimum necessary PHI, and

    • All PHI must remain within Children’s

  • Recruit participants

    • Obtain signed authorization for each subject (file original with original consent form in researchers’ file), or

    • Destroy PHI for participants who do not take part, do not respond or are not eligible

Authorizations l.jpg

  • “Permission to Use, Create and Share Health information for Research” authorization form:

    • Contains required elements of authorization under Privacy Rule,

    • Signed by parent or legal guardian unless participant is a legal adult (18 years and older)

    • Allows researchers to use subject’s PHI for a specific research study.

  • At Children’s, authorization is separate from from the research consent:

    • Avoids detracting from essential elements of consent form, and

    • Ensures consistent compliance with privacy elements.

Signed authorizations where to file l.jpg
Signed Authorizations: Where to File

  • Signed Authorizations:

    • Signed Original remains in the principal investigator’s research files along with original, signed consent form

    • Signed Copy to parent or research participant (if 18 and older)

    • Signed Copy to Children’s Medical Records – Filing 4P-2, if research participant is Children’s patient (patient information box must be completed)

Authorization form l.jpg
Authorization Form

  • Available on IRB Web Site under Forms and under HIPAA and Research – http://irb.seattlechildrens.org

  • Versions in English, Vietnamese, Spanish, Somali, Russian, Korean, Simplified Chinese and Traditional Chinese.

  • Researcher must complete the highlighted areas (e.g., study title, name and address of PI, name of sponsor, etc.)

  • Researcher must complete the box at the end of the form if research participant is a Children’s patient. Required so that authorization can be filed in the participant’s medical record

Clinical studies with authorization before after 4 13 2003 l.jpg
Clinical Studies (with Authorization)Before & After 4/13/2003

Status of Research Study

Action Required

1. New research study

Enrollees need to sign authorization form and consent form

2. On-going analysis – Data collection complete

No further HIPAA compliance activity required

3. On-going research –Consented

No further compliance activity required

4. On-going research – Requiring re-consents

All re-consenting enrollees need to sign authorization form and consent form

5. On-going research – Enrolling new participants

All new enrollees need to sign authorization form and revised form

New = Study initiated on or after April 14, 2003.

On-Going = Study approved before April 14, 2003.

Research under waiver of authorization l.jpg
Research Under Waiver of Authorization


IRB Approval for Waivered Study

Collect Data

Analyzing Data

Generate Results & Reports

  • Signed Oath of Confidentiality

  • Documentation of IRB approval (IRB cover sheet)

  • If tracking required (IRB will advise) researcher keeps track of patients whose records are being used.




New Privacy Requirement

Waiver of authorization l.jpg
Waiver of Authorization

  • Researcher is asking IRB to waive authorization from patient or their parent to use their PHI in research:

    • Almost exclusively used for retrospective records review research.

    • Must meet HIPAA criteria for waiver of authorization.

    • Must also meet Federal Regulations (Common Rule) and Washington State law for waiver of consent/permission.

Hipaa criteria for waiver of authorization l.jpg
HIPAA Criteria for Waiver of Authorization

  • The use or disclosure of protected health information must involve no more than minimal risk to the privacy of the individual, based on at least the presence of the following:

    • An adequate plan to protect the identifiers from improper use or disclosure

    • An adequate plan to destroy the identifiers at the earliest opportunity, unless retention of identifiers is required by law; and

    • Adequate written assurance that the PHI will not be used or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject.

Criteria for waiver of authorization cont l.jpg
Criteria for Waiver of Authorization cont.

  • The research could not practicably be conducted without the waiver or alteration; and

  • The research could not practicably be conducted without access to the protected health information

Implications for research under waiver l.jpg
Implications forResearch Under Waiver

  • Obtain IRB approval

  • Include signed “Oath of Confidentiality”

  • Collect Data:

    • Provide documentation of IRB approval (IRB cover sheet) to data sources (e.g., Medical Records, Lab, Radiology). Complete forms as required by providing department, e.g., ‘Research Chart Request Form’ for Medical Records; “Request for Tissue for Use in Research” for Laboratory

    • If tracking required, record access on “Disclosure Tracking” form located at http://irb.seattlechildrens.org/hipaa.asp, (Medical Records will do tracking when researchers are requesting aper copies of the medical record).

    • Obtain/Use only the minimum necessary PHI

Disclosures of phi without authorization l.jpg
Disclosures of PHI without Authorization

  • Patients have right to request an accounting of how their/their child’s PHI was disclosed without their authorization.

  • Disclosure means communicating information (PHI) outside the covered entity.

  • Use means communicating information (PHI) within the covered entity

Children s covered entity l.jpg
Children’s – Covered Entity

  • Researchers would be considered part of Children’s workforce (the covered entity) if one of the following applies:

    • Employee of Children’s

    • Employee of Children’s University Medical Group (CUMG)

    • Residents and Fellows working at Children’s

Tracking of disclosures l.jpg
Tracking of Disclosures

  • Children’s is responsible for tracking unauthorized disclosures.

  • Disclosures are tracked; Uses are not.

  • IRB will advise researchers at the time their research project is reviewed whether tracking is required.

Tracking disclosures l.jpg
Tracking Disclosures

  • Unauthorized disclosures of PHI for research purposes must be tracked.

  • Children’s has tracking form available on IRB web site (online version and Word version). The following information must be tracked:

    • IRB # and Research Study Title

    • List of individuals whose PHI was accessed, including their Medical Record #,

    • Date of access,

    • Name of person/entity accessing the PHI, and

    • Brief description of PHI accessed.

Tracking of disclosures is not required l.jpg
Tracking of Disclosures isNot Required

  • To carry out Treatment, Payment or Operations (TPO) of the Covered Entity

  • Disclosure is to the individual or their legal representative (parent)

  • Pursuant to an Authorization

  • Limited Data Set

  • De-identified Data

Research under waiver of authorization and consent l.jpg
Research Under Waiver (of Authorization and Consent)

Status of Research Study

Action Required

1. Research study – All research team members are part of Children’s workforce

No Tracking required.

Departments providing PHI need documentation of IRB approval.

2. Research study – Not all members of research team are part of Children’s workforce

  • Tracking required.**

  • Departments providing PHI need documentation of IRB approval.

  • **Tracking required means:

  • Complete Disclosure Tracking Form

  • If researcher is only using the paper medical records, i.e., patient charts, Medical Records will do tracking.

Limited data sets l.jpg
Limited Data Sets

  • Contain limited direct identifiers that may include:

    • Dates: admission, discharge and service dates, date of birth, date of death,

    • Age (including age 90 or over), and

    • Geographical subdivisions such as state, county, city, precinct and five digit zip code.

  • Advantages:

    • No need to track disclosures.

  • But remember:

    • Cannot use LDS information to contact individuals,

    • Recipient must sign a data use agreement (DUA) (a kind of “super-confidentiality” agreement),

    • Minimum necessary standard applies, and

    • Still requires IRB approval.

De identified data l.jpg
De-Identified Data

  • Previously known as anonymous data.

  • How to de-identify data:

    • Expert in statistical principles reviews and documents methods used to determine that risk is “very small” that data could be used alone or in combination with other reasonably available information to re-identify, or

    • All 18 identifiers must be removed. You must know that remaining information cannot be used alone or in combination with other information to re-identify.

  • Common Rule and State Law still apply!

Implications for de identified coded data l.jpg
Implications for De-Identified & Coded Data

  • Common Rule considers coded information to be indirectly identifiable.

  • A protocol must be submitted to the IRB even if a researcher plans to de-identify information.

  • IRB will determine whether it qualifies for exempt or expedited IRB application.

Requirements summary l.jpg
Requirements Summary


Identifiable Data:



Identifiable Data:




Data Set

De-Identified Data

IRB Approval





Authorization or Waiver





Data Use Agreement


Minimum Necessary



Tracking Disclosures*


* PHI access is a disclosure if any member of research team is not part of Children’s workforce

Other implications l.jpg
Other Implications

  • Case Studies:

    • Children’s does not consider to be research or require IRB review.

    • Privacy Rule does apply

    • Must be de-identified when disclosed

    • Consent/authorization is best

    • Formal policy and approval process being discussed

  • Departmental/Personal Databases:

    • Purposes include patient care, education, and QA

    • Privacy Rule applies

    • Research using these databases requires IRB review

    • Work is beginning to identify these databases to protect them to comply with the HIPAA Security Rule

Remember rights of participants l.jpg
Remember Rights of Participants

  • Right to privacy of PHI

  • Right to authorize use of identifiable PHI for research purposes

  • Right to an accounting of how identifiable PHI was disclosed for research without authorization

  • Right to revoke an authorization in writing. No further PHI may be collected for the research after the authorization is revoked

    • Researchers may continue to use and disclose PHI that was collected under the authorization to maintain the integrity of the research

Questions l.jpg

  • Additional Resources:

    • IRB website http://irb.seattlechildrens.org:

      • Outline of HIPAA-related responsibilities of researchers,

      • Links to authorization form, disclosure tracking form, research chart request form, Oath of Confidentiality

    • External resources:

      • “Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (http://privacyruleandresearch.nih.gov/), and

      • Privacy Rule Research FAQs (http://answers.hhs.gov). Search under “research”.