360 likes | 492 Views
What is different in the new policy?. OLD Policy:Some studies were covered by HIPAA while others were not covered by HIPAA.NEW Policy:No new JHSPH study is covered by HIPAA. . What if there is an ongoing study which is covered by HIPAA?. Ongoing studies that are covered by HIPAA, the informat
E N D
1. New JHSPH HIPAA Policy:
How does it impact your research?
Leah Mendelsohn, J.D.
Research Regulations Specialist
Office of Graduate Education and Research
ORS Brown Bag Series
April 12, 2006
2. What is different in the new policy? OLD Policy:
Some studies were covered by HIPAA while others were not covered by HIPAA.
NEW Policy:
No new JHSPH study is covered by HIPAA.
3. What if there is an ongoing study which is covered by HIPAA? Ongoing studies that are covered by HIPAA, the information obtained from participants in these studies, and the databases created from these studies will remain covered by HIPAA.
If an investigator or study staff member is added to a covered study and will have access to the individually identifiable health information, the individual must:
Complete the HIPAA training course entitled "Privacy Issues Relating to Research" and
Sign a Confidentiality Agreement for Workforce Members - General (dated 08/2004).
These are available at http://irb.jhmi.edu.
4. Overall Picture Fewer forms
Application
Authorization (if applicable)
Data Use Agreement (if applicable)
Business Associates Agreement (if applicable)
Improved compliance
Less confusing HIPAA status
Fewer approvals of the HIPAA application and forms
New obligation for some information obtained from JH covered entities
5. How are JHSPH studies still impacted by HIPAA?
Questions to help determine how studies are impacted:
What information is being obtained?
Is the information being obtained from a Johns Hopkins covered entity or from a non-Hopkins covered entity?
Is the protocol a JHSPH protocol and is the Principal Investigator is a JHSPH investigator?
6. What information is being obtained? Protected Health Information is individually identifiable health information, transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.
If PHI is being sought from a covered entity, your study will be impacted by HIPAA.
7. What are identifiers under HIPAA? Name
Geographic information smaller than state
Elements of dates
Telephone numbers
FAX numbers
Electronic mail addresses
Social Security Numbers
Medical record numbers
Account numbers
Health plan beneficiary numbers Certificate or license numbers
Vehicle identifiers and serial numbers including license plate numbers
Device identifiers and serial numbers
URLs
IP address numbers
Biometric identifiers
Full face photographic images and comparable images
Any other unique identifying number, characteristic or code
8. What is a covered entity? A covered entity is a
health plan,
health care clearinghouse, or
a health care provider who transmits information in electronic form in connection with a transaction for which HHS has adopted a standard.
9. What is a Johns Hopkins covered entity? PROVIDERS
The Johns Hopkins University School of Medicine
The Johns Hopkins University School of Nursing
The Johns Hopkins Hospital
Johns Hopkins Bayview Medical Center, Inc.
Hopkins ElderPlus (a Provider and a Plan)
Howard County General Hospital, Inc.
The Johns Hopkins Medical Services Corporation
Johns Hopkins Community Physicians, Inc.
Priority Partners Managed Care Organization, Inc. (a Provider and a Plan)
Johns Hopkins Pharmaquip, Inc.
Johns Hopkins Home Health Services, Inc.
Johns Hopkins Pediatrics at Home, Inc.
Ophthalmology Associates, LLC
The Central Maryland Heart Center, Inc.
The Center for Ambulatory Services, Inc. (TCAS)
HCP Venture One Corporation
Howard County MRI Limited Partnership
Cedar Emergency Services Company, Inc.
Ambulatory Blood Gas Services. Inc.
JH Ventures, LLC / Howard County Neonatal Services Series
JH Ventures, LLC / Frederick County Neonatal Services Series
JH Ventures, LLC / JHHC Participating Physician Series
JH Ventures, LLC / Johns Hopkins Emergency Medical Services Series
10. What is a Johns Hopkins covered entity? HEALTH PLANS
(Some of the following health plans, particularly EHP health plans, are administered by Johns Hopkins Health Care LLC)
The Johns Hopkins University
Welfare Plan*
Benefit Elections Program Plan*
SOM & SPH Student Health Program
SOM Dental Insurance Program
Student Health Insurance Plan
APL Medical and Dental Insurance Plans
APL Health Care Spending Account
APL Employee Assistance Program
The Johns Hopkins Health System
Broadway Services EHP Medical Plan
Bayview Medical Center:
Employee Benefits Plan
Represented Employee Benefits Plan
House Staff Employee Benefits Plan
Employee Assistance Plan
Long Term Care Insurance Plan (6/1/04)
Johns Hopkins Health System Corporation/Johns Hopkins Hospital Employee Benefits Plan for Non-Represented Employees*
Johns Hopkins Hospital Employee Benefits Plan for Represented Employees*
Howard County General Hospital:
EHP Medical Plan
Blue Choice
MDIPA
CareFirst BC/BS Dental Plan
Care First BC/BS Select Vision Plan
Flexible Benefit Plan (Medical Reimbursement)
Employee Assistance Plan
LongTerm Care Insurance Program (6/1/04)
Hopkins ElderPlus (a Provider and a Plan)
Priority Partners Managed Care Organization, Inc. (a Provider and a Plan)
Uniformed Services Family Health Plan at Johns Hopkins
* “Wrap” or umbrella plans that may have a variety of component plans encompassed within them, including various insurer offerings, employee assistance plans (EAPs), medical flexible spending accounts (FSAs) and the like.
11. What is not a Johns Hopkins covered entity? Examples of non-Hopkins covered entities include:
Kennedy Krieger Institute
CMS
Indian Health Services
12. What is a JHSPH study?
A study on which the PI is a JHSPH researcher.
If the study involves human subjects research, the project is approved by CHR.
13. What if the PI has a joint appointment at SOM or SON? When performing clinical care under a joint appointment at SOM/SON, the information obtained solely in that capacity will remain subject to HIPAA.
If the PI is doing research on a JHSPH protocol, the new policy applies.
If the PI generates or accesses PHI at a JH covered entity when conducting a JHSPH protocol, the PHI in the medical record remains subject to HIPAA.
The information documented in a separate research record will be free of HIPAA limitations.
14. What if the PI is a SOM or SON researcher? The study is still included within the JH covered entities and is still fully covered by HIPAA.
JHSPH researchers will be treated as “outsiders.”
PHI obtained through the protocol may only be used according to the terms of the protocol or a subsequent protocol approved by the SOM IRB.
The PHI may not be added to a database accessible to researchers not part of the protocol.
15. If a JHSPH researcher is seeking to obtain PHI from a non-Hopkins covered entity
Consult with the entity from whom you are receiving data to determine their policies.
The covered entity may require that the PI use their forms or follow different guidelines than what JHSPH has implemented with Johns Hopkins covered entities.
Once the covered entity is contacted, the JHSPH researcher will know exactly what HIPAA forms will need to be completed to be compliant with that covered entity’s procedures.
Complete a JHSPH HIPAA Application
16. If a JHSPH researcher is seeking to obtain PHI from a non-Hopkins covered entity
The JHSPH HIPAA Authorizations may be used as default forms with the permission of the covered entity.
The JHSPH CHR may approve waivers or alterations of the Authorization requirement.
17. If a JHSPH researcher is seeking to obtain PHI from a non-Hopkins covered entity The HIPAA application and associated forms will undergo administrative review.
The Authorizations will not be stamped as approved. They will be stamped as received.
The HIPAA application will be administratively reviewed.
You will receive a letter from the Office of Graduate Education and Research indicating that your HIPAA application/forms have been received and reviewed.
The only time the HIPAA forms will be reviewed and approved by CHR is if a waiver or alteration of the Authorization requirement is requested.
18. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity If the research team will access PHI only post-consent process:
The subject’s Authorization must be obtained for the disclosure of PHI from the covered entity to the researcher.
An Authorization for the disclosure of health information allows a covered entity to release a patient’s individually identifiable health information with the patient’s signed permission.
If a JHSPH PI is seeking to obtain PHI from a Johns Hopkins covered entity for a JHSPH protocol, the HIPAA Authorization available at www.jhsph.edu/hipaa must be utilized.
This Authorization has been approved by JH HIPAA and may not be altered.
19. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Access to PHI may be obtained without the Authorization of the individual in the following cases:
Research using de-identified information
Research using limited data sets
Research on decedents
Reviews preparatory to research
Research where a waiver or partial waiver of the Authorization requirement has been granted.
20. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Research using de-identified data:
Submit a HIPAA Application
Enter into a Business Associates Agreement with the Johns Hopkins HIPAA Office
21. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Research using a limited data set:
Submit a HIPAA Application
Enter into a Business Associates Agreement with the Johns Hopkins HIPAA Office
Enter into a Data Use Agreement with the Johns Hopkins HIPAA Office
The information obtained in the limited data set may ONLY be used in a manner consistent with the Data Use Agreement.
22. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity When a Johns Hopkins covered entity discloses PHI to a JHSPH researcher:
For a review preparatory to research;
For research on the PHI of decedents; and
In response to a full or partial waiver of the Authorization requirement
The researcher must track the disclosure in the SPH JH HIPAA Compliance System.
23. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity HIPAA requires covered entities to account for disclosures for up to six years for PHI disclosed:
For a review preparatory to research,
For research on decedents, and
Under a full or partial waiver of the Authorization requirement.
Due to our close research relationship with the Hopkins “covered entity” health care components, it is JHSPH policy to assist the JH covered entities in accounting for disclosures that occur as a result of a JHSPH study by “tracking” those disclosures.
24. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity The SPH JH HIPAA Compliance System was developed to provide a method of tracking protected health information disclosed by Johns Hopkins covered entities.
It also enables researchers to note limitations that individuals may have on the use of their medical information which are discovered during the conduct of research.
25. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Researchers must check the database to determine if a limitation is noted:
Prior to contacting any individual to obtain a consent/authorization relating to research, if a waiver or partial waiver of the Authorization requirement has been obtained; or
If a PI is going to use PHI previously obtained from a JH covered entity pursuant to a waiver of the Authorization requirement or for research on decedents.
If a limitation is noted, the researcher must abide by the limitation.
26. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity The SPH JH HIPAA Compliance System can be accessed at:
http://www.jhsph.edu/HIPAA/SPH%20JH%20HIPAA%20Compliance%20System.
PIs will be granted access when they submit a HIPAA application which requires them to track disclosures or track/search limitations.
Researchers will only have access to their own studies.
All PIs with access to the System will be able to search all limitations.
27. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Activities preparatory to research
Example: A researcher would like access to medical records to create a research question.
Complete a HIPAA Application, making the required representations.
PHI disclosed to JHSPH researchers from a JH covered entity in a review preparatory to research must be tracked in the SPH JH HIPAA Compliance System.
You may only remove minimal amounts of PHI from the covered entity necessary to satisfy the tracking requirements.
The PHI may only be used to complete the tracking database.
28. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Research reviewing the PHI of decedents
Complete a HIPAA Application making the required representations
Track the disclosures of PHI and limitations found in the review in the SPH JH HIPAA Compliance System
29. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Research where access to PHI is being obtained without contact with the individual:
Examples:
Retrospective medical chart review
Review of medical charts to obtain the contact information of prospective participants
Apply for a waiver or partial waiver of the Authorization requirement.
Complete the JHSPH HIPAA Application
Your Application will be reviewed by CHR.
Full or partial waivers of the Authorization requirement must be approved by an IRB or Privacy Board. 45 CFR §164.512(i)(1)(i).
You will have to make entries into a new SPH JH HIPAA Compliance System regarding the PHI disclosed and any limitations learned while conducting the research.
30. What if a JHSPH researcher stores specimens at a Johns Hopkins covered entity? If a JHSPH researcher stores specimens from a JHSPH protocol at a Johns Hopkins covered entity, those specimens will not become subject to HIPAA if all of the following exist:
The JHSPH researcher “owns” the specimens and has the total right to control the use of the specimens;
The Johns Hopkins covered entity does not have control over the use of the specimens;
The specimens are clearly identified as belonging to the JHSPH researcher;
To the extent that the covered entity works with the samples, it works with de-identified information; and
If a link exists between the specimens and the individually identifiable health information, the covered entity does not have access to that link.
31. What if a JHSPH researcher stores specimens at a Johns Hopkins covered entity? If the specimens stored at a Johns Hopkins covered entity are de-identified, the specimens are not covered by HIPAA.
de-identified = the 18 identifiers under HIPAA are removed from the data
32. What if a study is international? If a JHSPH study is being conducted outside of the U.S. and individually identifiable health information is being sent from a health care provider to JHSPH, your study is not impacted by HIPAA.
If information is sent from a research setting outside the U.S. to a Johns Hopkins covered entity, the information may become subject to HIPAA if:
the information is identifiable (i.e. contains any of the 18 identifiers under HIPAA)
OR
the covered entity has access to a link between the information and the person from whom the information was obtained.
33. What happens to the information once it arrives at JHSPH? Information disclosed to a researcher from a covered entity, which is maintained at JHSPH, is not protected by the Privacy Rule.
Exception: PHI obtained through a Data Use Agreement (i.e. a limited data set) or otherwise limited by contractual terms
Other Federal and State protections, such as the Common Rule, may limit the use or disclosure of the information.
34. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Information received from a Johns Hopkins covered entity by a JHSPH researcher MAY NOT be used for marketing or fundraising purposes.
35. Review Process All forms will be administratively reviewed by the Research Regulations Specialist (RRS).
With one exception, they will be stamped as received, but will not be approved.
If the Application indicates that the researcher is seeking a waiver or partial waiver of the Authorization requirement:
The waiver request will be reviewed and approved or denied by CHR.
Once the administrative review (and approval, if necessary) is completed, the PI will be notified by the RRS.
36. Questions? Leah Mendelsohn, J.D.
Research Regulations Specialist
Office of Graduate Education and Research
615 North Wolfe Street, W1033
Baltimore, Maryland 21204
(410) 502-0433
lmendels@jhsph.edu
http://www.jhsph.edu/hipaa