1 / 36

New JHSPH HIPAA Policy: How does it impact your research Leah Mendelsohn, J.D. Research Regulations Specialist Office

What is different in the new policy?. OLD Policy:Some studies were covered by HIPAA while others were not covered by HIPAA.NEW Policy:No new JHSPH study is covered by HIPAA. . What if there is an ongoing study which is covered by HIPAA?. Ongoing studies that are covered by HIPAA, the informat

tate
Download Presentation

New JHSPH HIPAA Policy: How does it impact your research Leah Mendelsohn, J.D. Research Regulations Specialist Office

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. New JHSPH HIPAA Policy: How does it impact your research? Leah Mendelsohn, J.D. Research Regulations Specialist Office of Graduate Education and Research ORS Brown Bag Series April 12, 2006

    2. What is different in the new policy? OLD Policy: Some studies were covered by HIPAA while others were not covered by HIPAA. NEW Policy: No new JHSPH study is covered by HIPAA.

    3. What if there is an ongoing study which is covered by HIPAA? Ongoing studies that are covered by HIPAA, the information obtained from participants in these studies, and the databases created from these studies will remain covered by HIPAA. If an investigator or study staff member is added to a covered study and will have access to the individually identifiable health information, the individual must: Complete the HIPAA training course entitled "Privacy Issues Relating to Research" and Sign a Confidentiality Agreement for Workforce Members - General (dated 08/2004). These are available at http://irb.jhmi.edu.

    4. Overall Picture Fewer forms Application Authorization (if applicable) Data Use Agreement (if applicable) Business Associates Agreement (if applicable) Improved compliance Less confusing HIPAA status Fewer approvals of the HIPAA application and forms New obligation for some information obtained from JH covered entities

    5. How are JHSPH studies still impacted by HIPAA? Questions to help determine how studies are impacted: What information is being obtained? Is the information being obtained from a Johns Hopkins covered entity or from a non-Hopkins covered entity? Is the protocol a JHSPH protocol and is the Principal Investigator is a JHSPH investigator?

    6. What information is being obtained? Protected Health Information is individually identifiable health information, transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. If PHI is being sought from a covered entity, your study will be impacted by HIPAA.

    7. What are identifiers under HIPAA? Name Geographic information smaller than state Elements of dates Telephone numbers FAX numbers Electronic mail addresses Social Security Numbers Medical record numbers Account numbers Health plan beneficiary numbers Certificate or license numbers Vehicle identifiers and serial numbers including license plate numbers Device identifiers and serial numbers URLs IP address numbers Biometric identifiers Full face photographic images and comparable images Any other unique identifying number, characteristic or code

    8. What is a covered entity? A covered entity is a health plan, health care clearinghouse, or a health care provider who transmits information in electronic form in connection with a transaction for which HHS has adopted a standard.

    9. What is a Johns Hopkins covered entity? PROVIDERS The Johns Hopkins University School of Medicine The Johns Hopkins University School of Nursing The Johns Hopkins Hospital Johns Hopkins Bayview Medical Center, Inc. Hopkins ElderPlus (a Provider and a Plan) Howard County General Hospital, Inc. The Johns Hopkins Medical Services Corporation Johns Hopkins Community Physicians, Inc. Priority Partners Managed Care Organization, Inc. (a Provider and a Plan) Johns Hopkins Pharmaquip, Inc. Johns Hopkins Home Health Services, Inc. Johns Hopkins Pediatrics at Home, Inc. Ophthalmology Associates, LLC The Central Maryland Heart Center, Inc. The Center for Ambulatory Services, Inc. (TCAS) HCP Venture One Corporation Howard County MRI Limited Partnership Cedar Emergency Services Company, Inc. Ambulatory Blood Gas Services. Inc. JH Ventures, LLC / Howard County Neonatal Services Series JH Ventures, LLC / Frederick County Neonatal Services Series JH Ventures, LLC / JHHC Participating Physician Series JH Ventures, LLC / Johns Hopkins Emergency Medical Services Series

    10. What is a Johns Hopkins covered entity? HEALTH PLANS (Some of the following health plans, particularly EHP health plans, are administered by Johns Hopkins Health Care LLC) The Johns Hopkins University Welfare Plan* Benefit Elections Program Plan* SOM & SPH Student Health Program SOM Dental Insurance Program Student Health Insurance Plan APL Medical and Dental Insurance Plans APL Health Care Spending Account APL Employee Assistance Program The Johns Hopkins Health System Broadway Services EHP Medical Plan Bayview Medical Center: Employee Benefits Plan Represented Employee Benefits Plan House Staff Employee Benefits Plan Employee Assistance Plan Long Term Care Insurance Plan (6/1/04) Johns Hopkins Health System Corporation/Johns Hopkins Hospital Employee Benefits Plan for Non-Represented Employees* Johns Hopkins Hospital Employee Benefits Plan for Represented Employees* Howard County General Hospital: EHP Medical Plan Blue Choice MDIPA CareFirst BC/BS Dental Plan Care First BC/BS Select Vision Plan Flexible Benefit Plan (Medical Reimbursement) Employee Assistance Plan LongTerm Care Insurance Program (6/1/04) Hopkins ElderPlus (a Provider and a Plan) Priority Partners Managed Care Organization, Inc. (a Provider and a Plan) Uniformed Services Family Health Plan at Johns Hopkins * “Wrap” or umbrella plans that may have a variety of component plans encompassed within them, including various insurer offerings, employee assistance plans (EAPs), medical flexible spending accounts (FSAs) and the like.

    11. What is not a Johns Hopkins covered entity? Examples of non-Hopkins covered entities include: Kennedy Krieger Institute CMS Indian Health Services

    12. What is a JHSPH study? A study on which the PI is a JHSPH researcher. If the study involves human subjects research, the project is approved by CHR.

    13. What if the PI has a joint appointment at SOM or SON? When performing clinical care under a joint appointment at SOM/SON, the information obtained solely in that capacity will remain subject to HIPAA. If the PI is doing research on a JHSPH protocol, the new policy applies. If the PI generates or accesses PHI at a JH covered entity when conducting a JHSPH protocol, the PHI in the medical record remains subject to HIPAA. The information documented in a separate research record will be free of HIPAA limitations.

    14. What if the PI is a SOM or SON researcher? The study is still included within the JH covered entities and is still fully covered by HIPAA. JHSPH researchers will be treated as “outsiders.” PHI obtained through the protocol may only be used according to the terms of the protocol or a subsequent protocol approved by the SOM IRB. The PHI may not be added to a database accessible to researchers not part of the protocol.

    15. If a JHSPH researcher is seeking to obtain PHI from a non-Hopkins covered entity Consult with the entity from whom you are receiving data to determine their policies. The covered entity may require that the PI use their forms or follow different guidelines than what JHSPH has implemented with Johns Hopkins covered entities.  Once the covered entity is contacted, the JHSPH researcher will know exactly what HIPAA forms will need to be completed to be compliant with that covered entity’s procedures.  Complete a JHSPH HIPAA Application

    16. If a JHSPH researcher is seeking to obtain PHI from a non-Hopkins covered entity The JHSPH HIPAA Authorizations may be used as default forms with the permission of the covered entity. The JHSPH CHR may approve waivers or alterations of the Authorization requirement.

    17. If a JHSPH researcher is seeking to obtain PHI from a non-Hopkins covered entity The HIPAA application and associated forms will undergo administrative review. The Authorizations will not be stamped as approved. They will be stamped as received. The HIPAA application will be administratively reviewed. You will receive a letter from the Office of Graduate Education and Research indicating that your HIPAA application/forms have been received and reviewed. The only time the HIPAA forms will be reviewed and approved by CHR is if a waiver or alteration of the Authorization requirement is requested.

    18. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity If the research team will access PHI only post-consent process: The subject’s Authorization must be obtained for the disclosure of PHI from the covered entity to the researcher. An Authorization for the disclosure of health information allows a covered entity to release a patient’s individually identifiable health information with the patient’s signed permission. If a JHSPH PI is seeking to obtain PHI from a Johns Hopkins covered entity for a JHSPH protocol, the HIPAA Authorization available at www.jhsph.edu/hipaa must be utilized. This Authorization has been approved by JH HIPAA and may not be altered.

    19. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Access to PHI may be obtained without the Authorization of the individual in the following cases: Research using de-identified information Research using limited data sets Research on decedents Reviews preparatory to research Research where a waiver or partial waiver of the Authorization requirement has been granted.

    20. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Research using de-identified data: Submit a HIPAA Application Enter into a Business Associates Agreement with the Johns Hopkins HIPAA Office

    21. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Research using a limited data set: Submit a HIPAA Application Enter into a Business Associates Agreement with the Johns Hopkins HIPAA Office Enter into a Data Use Agreement with the Johns Hopkins HIPAA Office The information obtained in the limited data set may ONLY be used in a manner consistent with the Data Use Agreement.

    22. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity When a Johns Hopkins covered entity discloses PHI to a JHSPH researcher: For a review preparatory to research; For research on the PHI of decedents; and In response to a full or partial waiver of the Authorization requirement The researcher must track the disclosure in the SPH JH HIPAA Compliance System.

    23. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity HIPAA requires covered entities to account for disclosures for up to six years for PHI disclosed: For a review preparatory to research, For research on decedents, and Under a full or partial waiver of the Authorization requirement. Due to our close research relationship with the Hopkins “covered entity” health care components, it is JHSPH policy to assist the JH covered entities in accounting for disclosures that occur as a result of a JHSPH study by “tracking” those disclosures.

    24. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity The SPH JH HIPAA Compliance System was developed to provide a method of tracking protected health information disclosed by Johns Hopkins covered entities. It also enables researchers to note limitations that individuals may have on the use of their medical information which are discovered during the conduct of research.

    25. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Researchers must check the database to determine if a limitation is noted: Prior to contacting any individual to obtain a consent/authorization relating to research, if a waiver or partial waiver of the Authorization requirement has been obtained; or If a PI is going to use PHI previously obtained from a JH covered entity pursuant to a waiver of the Authorization requirement or for research on decedents. If a limitation is noted, the researcher must abide by the limitation.

    26. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity The SPH JH HIPAA Compliance System can be accessed at: http://www.jhsph.edu/HIPAA/SPH%20JH%20HIPAA%20Compliance%20System. PIs will be granted access when they submit a HIPAA application which requires them to track disclosures or track/search limitations. Researchers will only have access to their own studies. All PIs with access to the System will be able to search all limitations.

    27. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Activities preparatory to research Example: A researcher would like access to medical records to create a research question. Complete a HIPAA Application, making the required representations. PHI disclosed to JHSPH researchers from a JH covered entity in a review preparatory to research must be tracked in the SPH JH HIPAA Compliance System. You may only remove minimal amounts of PHI from the covered entity necessary to satisfy the tracking requirements. The PHI may only be used to complete the tracking database.

    28. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Research reviewing the PHI of decedents Complete a HIPAA Application making the required representations Track the disclosures of PHI and limitations found in the review in the SPH JH HIPAA Compliance System

    29. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Research where access to PHI is being obtained without contact with the individual: Examples: Retrospective medical chart review Review of medical charts to obtain the contact information of prospective participants Apply for a waiver or partial waiver of the Authorization requirement. Complete the JHSPH HIPAA Application Your Application will be reviewed by CHR. Full or partial waivers of the Authorization requirement must be approved by an IRB or Privacy Board. 45 CFR §164.512(i)(1)(i). You will have to make entries into a new SPH JH HIPAA Compliance System regarding the PHI disclosed and any limitations learned while conducting the research.

    30. What if a JHSPH researcher stores specimens at a Johns Hopkins covered entity? If a JHSPH researcher stores specimens from a JHSPH protocol at a Johns Hopkins covered entity, those specimens will not become subject to HIPAA if all of the following exist: The JHSPH researcher “owns” the specimens and has the total right to control the use of the specimens; The Johns Hopkins covered entity does not have control over the use of the specimens; The specimens are clearly identified as belonging to the JHSPH researcher; To the extent that the covered entity works with the samples, it works with de-identified information; and If a link exists between the specimens and the individually identifiable health information, the covered entity does not have access to that link.

    31. What if a JHSPH researcher stores specimens at a Johns Hopkins covered entity? If the specimens stored at a Johns Hopkins covered entity are de-identified, the specimens are not covered by HIPAA. de-identified = the 18 identifiers under HIPAA are removed from the data

    32. What if a study is international? If a JHSPH study is being conducted outside of the U.S. and individually identifiable health information is being sent from a health care provider to JHSPH, your study is not impacted by HIPAA. If information is sent from a research setting outside the U.S. to a Johns Hopkins covered entity, the information may become subject to HIPAA if: the information is identifiable (i.e. contains any of the 18 identifiers under HIPAA) OR the covered entity has access to a link between the information and the person from whom the information was obtained.

    33. What happens to the information once it arrives at JHSPH? Information disclosed to a researcher from a covered entity, which is maintained at JHSPH, is not protected by the Privacy Rule. Exception: PHI obtained through a Data Use Agreement (i.e. a limited data set) or otherwise limited by contractual terms Other Federal and State protections, such as the Common Rule, may limit the use or disclosure of the information.

    34. If a JHSPH researcher is seeking to obtain PHI from a JHU/JHHS covered entity Information received from a Johns Hopkins covered entity by a JHSPH researcher MAY NOT be used for marketing or fundraising purposes.

    35. Review Process All forms will be administratively reviewed by the Research Regulations Specialist (RRS). With one exception, they will be stamped as received, but will not be approved. If the Application indicates that the researcher is seeking a waiver or partial waiver of the Authorization requirement: The waiver request will be reviewed and approved or denied by CHR. Once the administrative review (and approval, if necessary) is completed, the PI will be notified by the RRS.

    36. Questions? Leah Mendelsohn, J.D. Research Regulations Specialist Office of Graduate Education and Research 615 North Wolfe Street, W1033 Baltimore, Maryland 21204 (410) 502-0433 lmendels@jhsph.edu http://www.jhsph.edu/hipaa

More Related