Privacy, Confidentiality & Security

Privacy, Confidentiality & Security. Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008. Institutional Review Board for the Protection of Human Subjects.

Privacy, Confidentiality & Security

Marisabel Davalos, M.S.Ed., CIP

Associate Director of Educational Initiatives

November, 2008

University of Miami

Institutional Review Board for the Protection of Human Subjects

  • Responsible for review, approval and monitoring of human subject research conducted by UM faculty, staff and students

    • Includes ensuring compliance with University of Miami HIPAA policies

    • Plan must contain elements required under HIPAA

    • Documentation of compliance with Covered Entity source of PHI

What is HIPAA?

  • Health Insurance Portability and Accountability Act (HIPAA)

    Effective on April 14, 2003

  • Federal law that protects the privacy of individually identifiable health information (PHI)

  • Title 45 of the Code of Federal Regulations Parts 160 and 164

Who Must Comply with HIPAA?

Covered Entity – Custodians of PHI

They must make a good faith effort to comply with the rule

Three types of “Covered Entities”

  • Health Care Providers: Includes organizations and individuals, such as researchers when they provide health care, e.g. clinical trials

  • Health Care Plans: Insurers and payors

  • Health Care Clearinghouses: Billing services

How is UM Approaching HIPAA?

  • Hybrid Covered Entity

    • The University is not a covered entity. It is a hybrid entity with certain health care components covered by HIPAA and research components that may not be covered by HIPAA and that fall outside the “covered entity”.


UM – Hybrid Entity

Covered Components



Health Care Operations

Non-Covered Components


Important to Note

  • Investigators who do not access or create health information from/with the “covered entity” because they are acting solely as researchers and not health care providers are not considered part of the UM/JHS “covered entity” and are not subject to HIPAA regulations.

    • Necessary compliance with State privacy laws and Institutional and IRB policies only.

UM Investigators and PHI

  • Those who create, use, or access health information while providing health care services to research subjects must comply with HIPAA regulations as well as state privacy, institutional and IRB policies.

Types of Studies Covered

  • Clinical trials

  • Chart reviews

  • Epidemiological studies

  • Behavioral and Social Science Studies

  • Some basic science research activities

    • Some studies may include the provision of treatment, but others may provide neither treatment nor diagnosis.

HSRO Policies & Procedures

  • HSRO has “Written Policies and Procedures for the Protection of Human Research Subjects”.

  • Section 24, specific to Privacy, Security, Confidentiality, and HIPAA, was revised on August 6th, 2008.

  • Policies are available on our website under “Investigator Resources”.



  • Section 24.2 contains some important terms related to HIPAA.

  • PHI – Protected health information derived from the past, present, or future physical or mental health care of an individual, managed by a covered entity.

  • RHI – Research-related health information, personally identifiable information distinct from PHI by not being associated with or derived from health care or payment for care.

Definitions (cont’d).

  • Privacy: an individual’s right to be free from unauthorized or unreasonable intrusion into his/her private life and the right to control access to personal information. 

    • The term “privacy” applies to persons whereas the term “confidentiality” refers to the treatment of personal information.

Definitions (cont’d).

  • Security:  the safeguards placed upon the availability, integrity, and confidentiality of information to protect information from unauthorized access, disclosure, misuse and accidental damage. 

    • Safeguards may be physical, electronic, or administrative and they may control access, training, computer systems, policies and procedures, physical environment, and behaviors.

More About PHI

Protected Health Information (PHI) is any individually identifiable information that is transmitted or maintained in electronic medium, or in any other form or medium.

  • Medical Records, e.g. Medical History, Diagnosis, Treatment

  • Payment Information, e.g. Bills, Receipts

  • Ancillary Services, e.g. X-Rays, Labs

  • Demographic Information (When Maintained with Health Information), e.g. Date of Birth, Social Security Number

IRB Privacy Issue Evaluation

  • Time and place where information is provided by participants to investigators;

  • Nature of the information provided;

  • Nature of the experience that participant will undergo from the study;

  • Who is receiving, accessing, and using the information;

  • Participant’s relationship to the investigator;

  • Presence of others when gathering data.

Factors to Determine What is Private to Individuals

  • Gender

  • Ethnicity

  • Age

  • Socio-economic status

  • Education

  • Ability level

  • Social or verbal skill

  • Health status

  • Legal status

  • Nationality

  • Intelligence

  • Personality

What is De-Identified PHI?

Information that does not identify the individual; and there is no reasonable basis to believe the information can be used to identify an individual.

How do you De-Identify PHI?

  • Remove 18 Specified Identifiers:

    • Name

    • All Geographic Subdivisions Smaller Than a State (Street, City, County, Precinct, Parish, Zip Code, & their Equivalent Geo-codes, Except for Initial 3 Digits of a Zip Code)

    • All Elements of Dates, Except Year (Admission Date, Discharge Date, Date of Death)

    • All Ages Over 89 & Dates and Elements Related to such Ages (Unless Aggregated into a Single Category of Age over 90)

How do you De-Identify PHI?

  • Telephone & Fax Number

  • E-mail, IP Address & URL

  • Social Security #, Medical Record #, Health Plan Beneficiary #, & Account #

  • Certificate/License #, VIN, Device Identifiers, & Serial #

  • Full Face Photographs, Biometric Identifiers

  • Any Other Unique Identifying Number, Characteristic, or Code
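
The identifier rules on the two slides above, applied to a single record as an added example (not part of the original presentation). The field names, the `PASSTHROUGH` allowlist and the sample record are assumptions; any field not explicitly handled is dropped, which is how the "any other unique identifying number, characteristic, or code" item is covered.

```python
from datetime import date
import re

# Field names and this allowlist are assumptions made for the example.
PASSTHROUGH = {"state", "diagnosis_code"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def deidentify(record):
    """Apply the slide's rules; any field not handled below is dropped."""
    age = int(record["age"]) if record.get("age") is not None else None
    out = {}
    for key, value in record.items():
        if value is None:
            continue
        if key in PASSTHROUGH:
            out[key] = value
        elif key == "zip":
            # Geography below state level: keep only the initial 3 digits.
            digits = re.sub(r"\D", "", str(value))
            if len(digits) >= 5:
                out["zip3"] = digits[:3]
        elif key == "age":
            # Ages over 89 collapse into a single category.
            out["age"] = "90+" if age > 89 else age
        elif key in DATE_FIELDS:
            # A birth year would reveal an age over 89, so keep it only
            # when the age is known and not in that category.
            if key == "birth_date" and (age is None or age > 89):
                continue
            d = value if isinstance(value, date) else date.fromisoformat(str(value))
            out[key[:-5] + "_year"] = d.year  # all date elements except year
    return out


SAMPLE = {  # constructed record, not real data
    "name": "Jane Example", "street": "1 Main St", "city": "Miami",
    "state": "FL", "zip": "33136-1000", "birth_date": "1915-03-02",
    "age": 93, "admission_date": date(2008, 11, 4), "ssn": "000-00-0000",
    "email": "jane@example.org", "diagnosis_code": "I10",
    "notes": "call daughter at 555-0100",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

Free-text fields such as `notes` are dropped whole rather than scrubbed. 45 CFR 164.514(b)(2) also limits the 3-digit ZIP to areas with more than 20,000 people, which this example does not check.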


Minimum Necessary Requirement

  • Research procedures should be carefully designed to limit the personal information to be acquired to that which is minimally necessary and should be administered using procedures that will protect the subject's privacy.

    Example: Only the information pertaining to a specific use should be given to the researcher.

Responsibilities of the Principal Investigator

  • Document that the research team has completed HIPAA Privacy/Security Training and HIPAA Training for Researchers

  • Submit project application to the IRB

  • Assume responsibility for compliance with HIPAA

  • Maintain logs of all access to, uses of, & disclosures of PHI

  • Submit Data Use Agreements to the IRB


General Principles

  • As custodian of a study’s research data, the Principal Investigator shall ensure compliance with institutional data security policies, HIPAA regulations (if applicable) and the IRB-approved security protocol;

  • The PI must ensure that collaborative research studies involving PHI (or ePHI) from another institution (or under oversight of another IRB) are also approved by the UM IRB prior to receipt of PHI;

  • Access to research data (including ePHI) should be restricted and controlled.

    • The PI must ensure locks on files, passwords, or other protections (as applicable). Note: access to ePHI must be by password.

  • The PI must ensure that research data is accessed and used only by personnel authorized by the IRB (as approved study personnel) for such research activity. 

Security, Section 24.6

  • All research data (including PHI) must be secured and protected, as reasonable, against breaches in confidentiality, unpermitted uses and disclosures.

  • HIPAA standards also apply after project completion when computers, devices, and/or media are destroyed or reformatted for other uses.

  • Provides important requirements and methods to assure security of all research data.

  • Additional requirements for ePHI (electronic PHI).

Security, Section 24.6

  • Specifically addresses concerns and safeguards when dealing with ePHI, securing paper records, securing faxes, and unanticipated problems and reportable events related to breaches in ePHI.

Security, Section 24.6

  • Paper records: PHI must be stored using a locked filing system within a locked office or storage room.

  • Shredding is required to discard printed materials with direct identifiers.

  • Paper-based PHI should not be carried/sent unless necessary for research purposes.

Confidentiality, Section 24.7

  • Studies must include appropriate strategies to protect the identity of human subjects and the confidentiality of their research records.

    • Examples: personality inventories, interviews, questionnaires, observations, photos and film, tape recordings, and stored data.

Certificates of Confidentiality

  • In certain circumstances involving civil, criminal, administrative, legislative, or other proceedings at the federal, state, or local level, PIs and Institutions may be compelled to release information that could identify subjects within a research study.

  • Certificates of Confidentiality protect PIs and Institutions from having to divulge this information.

Certificates of Confidentiality – Cont’d.

  • Certificates of Confidentiality are provided by the National Institutes of Health and are awarded whether a research study is federally funded or not.

Who do I contact about HIPAA Questions for Research?

  • Evelyne Bital, MS, CIP

    • Associate Director of Privacy & Regulatory Affairs, (305) 243-3195

    • e-mail: [email protected]

  • For general HIPAA information or to access standard HIPAA forms for research:



  • Federal Regulations for HIPAA 45 CFR 160 and 45 CFR 164

  • University of Miami HIPAA Policies and Procedures
