HIPAA, Researchers and the IRB: Part Two
This presentation is the property of its rightful owner.
Sponsored Links
1 / 22

HIPAA, Researchers and the IRB: Part Two PowerPoint PPT Presentation


  • 43 Views
  • Uploaded on
  • Presentation posted in: General

HIPAA, Researchers and the IRB: Part Two. Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator. Introduction. AGAIN… Don’t kill the messenger – we didn’t write this rule!

Download Presentation

HIPAA, Researchers and the IRB: Part Two

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Hipaa researchers and the irb part two

HIPAA, Researchers and the IRB: Part Two

Alan Homans, IRB Chair and

Nancy Stalnaker, IRB Administrator


Introduction

Introduction

AGAIN…

  • Don’t kill the messenger – we didn’t write this rule!

  • Be kind – we do NOT have all the answers – but we do want to hear the questions - we will will continue to work towards answering them.


What research is affected

What Research is Affected?

Privacy rule applies to research that uses Protected Health Information (PHI).PHI is individually identifiable health information received from a covered entity.


What research is affected1

What Research is Affected?

Three categories of identifiability:

  • PHI – Identifiable – rule applies

  • De-Identified Information - rule doesnot apply

  • Limited Data Set – a middle option - limited parts of the rule apply


What research is affected2

What Research is Affected?

  • “De-Identified” – there are 18 specific identifiers which must be removed to be considered de-identified – thus not covered by rule.

  • Limited Data Set – Not fully “de-identified” – can retain certain dates, geographic info and unique identifying numbers . Most privacy rule requirements do not apply, the minimum necessary standard does apply and a data use agreement is required.


18 items which must be removed to be de identified

18 Items Which MustBeRemoved to Be “De-identified”

  • Names

  • ALL geographic subdivisions smaller than the state

  • All elements of dates smaller than a year (i.e. birth date, admission, discharge, death, etc.)

  • Phone numbers

  • Fax numbers

  • E-mail addresses

  • SS numbers

  • Medical record number

  • Health plan beneficiary


18 items which must be removed to be de identified continued

18 Items Which Must Be Removed to Be “De-identified” (continued)

  • Any other account numbers

  • Certificate/license numbers

  • Vehicle identifiers

  • Device identification numbers

  • WEB URL's

  • Internet IP address numbers

  • Biometric identifiers (fingerprint, voice prints, retina scan, etc)

  • Full face photographs or comparable images

  • Any other unique number, characteristic or code.

  • Diagnoses are not included in this list


How to obtain phi for research

How to obtain PHI for research?

  • Authorization from Research Subject

  • Waiver of Authorization


Elements of authorization

Elements of Authorization

  • Required elements in an authorization

    • Specific and meaningful description of what information will be used or disclosed

    • Who may use or disclose

    • To whom the PHI will be disclosed

    • Why the use or disclosure is being made (each purpose) Notice that authorization may be revoked;

    • Notice that the information may be disclosed to others not subject to the Privacy Rule


Elements of authorization ii

Elements of Authorization II

  • Required elements in an authorization

    • Statement of how long the use or disclosure will continue (no expiration date is allowed for research purposes - but this must be explicitly stated in the authorization form)

    • Notice that the covered entity may or may not condition treatment or payment on the individual’s signature

    • Individual’s signature and date


How to obtain authorization

How to obtain Authorization?

The Draft FAHC Authorization language template is now finished and will be piloted beginning this week. It is a SEPARATE document to be executed in addition to the Informed Consent Document.


How to obtain authorization1

How to obtain Authorization

Protocols Approved Prior to 4/14/03:

  • Surveys were sent to PIs to determine which approved protocols will require authorization (PHI + new accruals after 4/14/03).

  • Forms and processes will be piloted beginning this week and adjustments made.

  • IRB will email PIs having protocols identified as needing an authorization with instructions and the template, as soon as possible.


How to obtain authorization2

How to obtain Authorization?

Review of authorization forms for existing protocols will be done on a first-come, first-serve basis – if you know you will be entering new subjects soon after 4/14/03, get your authorizations as soon as possible.


How to obtain authorization3

How to obtain Authorization?

NEW PROTOCOLS:

The process for determining which new protocols will require authorization is currently being developed, including a revision to our protocol cover sheet. We will let you know as soon as this is available.


How to obtain waiver of authorization

How to obtain Waiver of Authorization?

In research, authorization is not required if it meets the criteria for waiver outlined in the privacy rule.


Criteria for waiver of authorization

No more than minimal risk

Not adversely affect rights and welfare of subjects

Research cannot be done without waiver

When appropriate, information will be provided to subjects of research

No more than minimal risk to privacy, based on, at least:

Plan to protect identifiers

Plan to destroy identifiers ASAP

Written assurance that PHI will not be used/disclosed with few exceptions

Research cannot be done without waiver, and

Research cannot be done without this PHI

CRITERIA FOR WAIVER OF AUTHORIZATION

COMMON RULE

PRIVACY RULE


How to obtain waiver of authorization1

How to obtain Waiver of Authorization?

The process and forms are currently being developed to address the required criteria necessary for the IRB to approve a waiver. We will let you know when these are available.


Transition to privacy rule

TRANSITION TO PRIVACY RULE

  • Compliance date: April 14, 2003

  • If you have a waiver of consent under the common rule prior to 4/14/03, you do NOT need to apply for a waiver under HIPAA

  • All new enrollment of subjects on research involving PHI falls under HIPAA & requires an authorization


Authorization waiver reminders

Authorization/Waiver Reminders

  • If you need to do an authorization, the IRB will contact you to inform you what you need to do

  • If you haven’t completed your survey yet, please do so immediately!

  • HIPAA is in addition to current IRB human subject requirements - when both regulations apply, both requirements must be followed.


Databases registries

DATABASES/REGISTRIES

  • HIPAA will add a new level of scrutiny to use of all PHI

  • UVM and FAHC need to place ourselves in the best compliance position possible


Databases registries1

DATABASES/REGISTRIES

  • In order to ensure that the development, maintenance and release of data involving PHI meets these requirements, we will be surveying all researchers about existing databases.

  • Processes are being developed for the IRB to review existing databases and, when appropriate, approve waiver of consent and/or authorization.


Databases registries2

DATABASES/REGISTRIES

  • Model procedures for developing and operating databases and registries will be drafted and made available upon completion.


  • Login