
Health Insurance Portability and Accountability Act – HIPAA Privacy Rule


Presentation Transcript


  1. Health Insurance Portability and Accountability Act – HIPAA Privacy Rule
  Institutional Review Board and Research Education

  2. Who should complete this training?
  • Required for anyone involved in the Institutional Review Board (IRB)
  • Required for anyone involved in Human Subject Research
  • Must complete this training prior to submitting research documents
  • Required annually

  3. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Federal law that applies to health care providers, health plans and health care clearinghouses (Covered Entities)
  • Created to:
    • Protect the privacy of health care information
    • Improve access to health insurance
    • Promote standardization of electronic health records and safeguard their use

  4. Other Privacy Laws
  • California Privacy Laws
    • Require reporting of intentional and unintentional breaches
      • Misdirected mailings, faxing
      • PHI provided to wrong parties
    • 5 business days to report to California Department of Public Health (CDPH) and to patient
    • Complete CDPH plan of correction documenting mitigation efforts taken
    • Fines and penalties may apply

  5. Security Laws
  • Standards - required safeguards designed to ensure the confidentiality, integrity, and availability of electronic protected health information
  • Requires establishment of administrative, physical and technical safeguards
  • Compliance assurance by the entire workforce

  6. HIPAA and Research
  • Research is subject to HIPAA and Privacy Laws if the study uses an individual's identifiable health information
  • If data is used to identify, recruit, or enroll participants, or any data gathered can identify the individual, either directly or indirectly, then HIPAA applies

  7. IRB and the Privacy Rule
  • The IRB will facilitate research-related privacy requirements; however,
  • The Principal Investigator is responsible for establishing and maintaining federal and state privacy and security compliance, including maintaining appropriate documentation

  8. Covered Entity
  • Anyone who transmits and stores electronic health records
  • Kaweah Delta Health Care District and all its entities and service areas are subject to Federal HIPAA, Security and Patient Privacy laws, rules and regulations

  9. What is the Privacy Rule?
  • Rules for Covered Entities (CE) for using and disclosing individually identifiable health information, known as Protected Health Information (PHI)
  • Protects the privacy of PHI of individuals who are living or deceased
  • Supplements the Common Rule and the FDA's protections for human subjects

  10. Who is Covered?
  • All District "workforce"
    • All employees
    • Independent contractors
    • Students
    • Residents/Medical Staff
    • Temporary help
    • Volunteers/Guild
    • Clergy
  • All contracted entities that receive PHI electronic data from the District

  11. Protected Health Information - PHI
  • PHI is the health and demographic information of individuals maintained by a CE
  • PHI can be transmitted or maintained electronically or in any other form (hard copy, x-ray films, labels, etc.)
  • PHI can include identifiable information
  • Pertains to past, present or future:
    • Physical or mental health
    • Diagnosis and/or treatment
    • Payment for health care

  12. Patient Personal Identifiers
  • Name
  • Address, city, zip
  • Telephone number
  • Fax number
  • E-mail address
  • Social Security number
  • Date of Birth
  • Account number
  • Medical Record number
  • Insurance plan ID
  • Treatment dates
  • License/Certificate number
  • Full face photo images
  • Other comparable images
  • IP address
  • URL
  • Vehicle ID
  • Biometric identifiers including finger & voice prints
  • Any other unique identifying number, characteristic or code

  13. What is Covered? Treatment, Payment and Operations (TPO)
  • Treatment - provision of Health Care Services
    • Coordination of care with a third party
    • Consultation between health care providers
    • Referral of a patient to another provider
  • Payment - activities to obtain reimbursement for care
    • Determination of eligibility or coverage
    • Billing and collections
    • Disclosure to consumer reporting agency

  14. What is Covered? Treatment, Payment and Operations (TPO)
  • Operations - activities that make an entity a health care provider
    • Quality improvement
    • Credentialing and peer review
    • Licensing
    • Legal services, audit functions, compliance
    • Business planning and development
    • General administration and management
    • Customer service/grievance resolution

  15. Authorized Use & Disclosures
  • Reviewing a patient's past medical history for treatment
  • Using "minimum necessary" information for Quality Assurance purposes (operations)
  • Reporting cases of communicable diseases and immunizations as mandated by law
  • Billing insurance companies for medical care (payment)
  • Using PHI for research with patient's authorization

  16. Unauthorized Uses & Disclosures
  • Using patient information for research without the patient's approval or an authorization waiver
  • Posting comments on social media about patients
  • Discussing a patient's HIV diagnosis with family in the room without patient permission
  • Looking up your co-worker's lab results
  • Emailing PHI to your personal email account

  17. Individual Rights
  • To receive a notice of privacy practices - how medical information about them may be used and disclosed and how they can get access
  • To access, inspect and get a copy of their own information
  • To amend their own PHI
  • To receive an accounting for the past 6 years of all disclosures
  • To request further restrictions on use and disclosures

  18. Individual Rights
  • Deceased individuals - ceases to be PHI 50 years after date of death
  • Sale of PHI - prohibited without specific written patient authorization
  • Fundraising - may be used, however patient can formally opt out
  • Electronic records - patients can request and CE must comply
  • Insurance billing - patients may request that CE not bill their insurance and choose to pay out of pocket

  19. Administrative Requirements
  • Privacy Officer - Judy Cotta add phone #
  • Comply with all federal/state regulations
  • Policies and procedures
  • Training - all workforce
  • Safeguards to protect privacy
  • Complaint & investigation process
  • Sanctions for failure to comply
  • Process to mitigate harm due to a breach
  • Federal and State reporting of breaches

  20. Use and Disclosure of PHI
  • Some uses require authorization
  • Some uses require giving the individual opportunity to agree or object
  • Some uses continue to be required by other laws/permitted by HIPAA
  • Other uses require the information to be "de-identified"
  • All require only the minimum necessary PHI be accessed
  Balance between protecting individual health information and public health and safety needs!

  21. HIPAA Penalties
  • May apply to the individual, the organization and/or its officers
  • Individuals can be found criminally liable, no grace for serious and deliberate acts
  • State and Federal civil fines and penalties may apply
  • Under the jurisdiction of the Office for Civil Rights, Department of Health and Human Services

  22. HIPAA and Research
  • Individually identifiable health information that is collected and used solely for research is NOT considered PHI
  • Researchers obtaining PHI from a CE must obtain the subject's authorization or must justify the exception to the requirement:
    • Waiver of authorization
    • Limited Data Set
    • De-identified Data Set

  23. HIPAA and Research
  • Conditions under which the CE may release PHI for research purposes:
    • Authorization received from subject or subject's representative, for the specific study, not for future studies
    • Decedent research
    • Limited Data Set
    • De-identified Data Set
    • Disclosures related to FDA-regulated products

  24. Researcher's Responsibility
  • To obtain PHI, a researcher must provide a Letter of Approval from the IRB and one of the following:
    • Subject's authorization to release PHI, or
    • Certification of Waiver by IRB
    • Request for Limited Data Set or De-identified Data Set

  25. IRB's Responsibility
  • Assure the CE that all research-related HIPAA requirements have been met:
    • Provide letter of approval to researcher
    • Certify and document that waiver of authorization criteria is met
    • Review and approve all authorizations and data use agreements
    • Retain records documenting actions taken for 6 years

  26. Preparatory to Research Activities
  • With prior IRB approval, permits CE to use or disclose PHI for purposes preparatory to research that include, but are not limited to, the following:
    • Preparing a research protocol
    • Assisting in the development of a research hypothesis
    • Aiding in research recruitment, such as identifying prospective participants who would meet the eligibility requirements for enrollment into the study

  27. Preparatory to Research Activities
  • Allows researcher to:
    • Identify, but NOT contact, potential study participants
    • Review PHI in medical records or elsewhere to prepare for research
  • Does not allow:
    • Removal of PHI from District
    • Emails containing PHI to be sent outside of District email accounts

  28. Preparatory to Research Activities
  • Does not allow:
    • Removal of PHI from District
    • Emails containing PHI to be sent outside of District email accounts

  29. Informed Consent vs Authorization
  • Informed Consent
    • Description of study
    • Discusses anticipated risks and benefits of study
    • Describes how the confidentiality of records will be protected
    • Agreement to participate in the study
  • Authorization
    • Focus on privacy risks
    • How, why and by whom the PHI will be used/disclosed
    • Agrees to the use/disclosure of PHI

  30. Subject's Authorization
  • Must include specific elements
  • May be part of or attached to the research consent form
  • Must use standard IRB authorization language
  • Original signed authorization must be retained by the CE
  • Subject must be given a copy

  31. HIPAA Required Authorization Elements
  • Meaningful description of information to be used
  • Name of persons authorized to disclose information
  • Name of recipients of the information
  • Description of research purpose
  • Authorization expiration date
  • Right to revoke authorization
  • Disclosure of refusal consequences
  • HIPAA protections may not apply
  • Signature of the individual and date

  32. HIPAA Required Authorization Expiration
  • If the study has no expiration date, the authorization must state "no expiration date"
  • Expiration may be a specific date or relate to the purpose, for example:
    • "July 28, 2014"
    • "End of the research study"
    • "5 years after last patient is enrolled"
  • After the stated date or event, researcher can no longer use the PHI

  33. Authorization Waiver
  • Investigator/researcher provides IRB approval of Authorization Waiver to CE
  • IRB approval:
    • IRB name, date of approval, brief description of PHI; and
    • Statement of IRB approved Authorization Waiver under normal or expedited review; and
    • Statement that IRB has determined that research could not be conducted without waiver and without PHI, minimum necessary data

  34. The 30-Day Cure
  • For failure to obtain proper authorization before beginning research, the PI must either:
    • Obtain appropriate authorization within 30 days of identifying the problem to be able to continue the study, or
    • Immediately destroy all affected data and specimens and obtain the correct authorization to be able to begin the research again

  35. The 30-Day Cure
  • For failure to obtain a waiver before beginning research, the PI must:
    • Immediately destroy all affected data and specimens, and
    • Obtain a waiver to begin the research again
  • These actions must be completed within 30 days of when the deficiency was discovered or should reasonably have been known
  • If unsure, check with the IRB office

  36. What is Minimum Necessary?
  • Limits unnecessary or inappropriate access to and disclosure of protected health information
  • Requires that the entity take reasonable steps to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose

  37. Decedent Research
  • Provide documentation to the CE that the use or disclosure is solely for the purpose of research on decedents' PHI
  • Similar to Authorization Waiver
  • Represents that authorization from next of kin or legal representative may be difficult or impossible to obtain
  • Requires review and approval by the IRB

  38. Limited Data Set (LDS)
  • May include:
    • Zip code
    • Full dates of birth or death
    • Full dates of service
    • City
  • May not include:
    • Other personal identifiers of subject, relatives, employer or household members
  • CE does not have to account for LDS disclosures

  39. De-identification
  • Remove all eighteen personal identifiers of subject, relatives, employer or household members
  • CE does not have to account for disclosures using de-identified data
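The following is an added worked example, not material from the training deck or from the District, showing how the identifier list in slide 12, the Limited Data Set rule in slide 38 and the de-identification rule in slide 39 translate into data handling. The field names, the sample record and the pattern-scanning step are constructed for this illustration: the slides list what must be removed but do not describe any tooling. The scan of free-text fields is included because dropping structured identifier columns does not remove an identifier that was typed into a clinical note, which is the usual way a "de-identified" extract still leaks PHI.

```python
import re

# Slide 12 identifiers, as constructed column names for a research extract.
# (Assumed names; a real extract would map its own schema onto this list.)
IDENTIFIER_FIELDS = {
    "name", "address", "city", "zip", "telephone", "fax", "email", "ssn",
    "date_of_birth", "date_of_death", "account_number", "medical_record_number",
    "insurance_plan_id", "treatment_dates", "license_number", "full_face_photo",
    "other_image", "ip_address", "url", "vehicle_id", "biometric_id",
    "other_unique_code",
}

# Slide 38: the only identifier-type fields a Limited Data Set may keep.
LDS_PERMITTED = {"zip", "date_of_birth", "date_of_death", "treatment_dates", "city"}

# Heuristic patterns for identifiers that commonly survive inside free text.
# Constructed for this example; a production scanner would be more thorough.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Sample",
    "address": "123 Example St",
    "city": "Exampleville",
    "zip": "93291",
    "telephone": "559-555-0100",
    "email": "jane@example.com",
    "ssn": "000-00-0000",
    "date_of_birth": "1970-03-14",
    "medical_record_number": "MRN-000123",
    "treatment_dates": ["2014-07-01", "2014-07-28"],
    "diagnosis": "Type 2 diabetes",
    "lab_result": "A1c 7.2%",
    "clinical_note": "Seen 2014-07-28; reachable at 559-555-0100 for follow-up.",
}


def limited_data_set(record):
    """Slide 38: drop every direct identifier but keep zip, full dates and city."""
    return {k: v for k, v in record.items()
            if k not in IDENTIFIER_FIELDS or k in LDS_PERMITTED}


def de_identified(record):
    """Slide 39: remove all identifier fields, dates included."""
    return {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}


def residual_identifiers(record, allow_dates):
    """Report (field, kind) pairs where identifier-shaped text remains in a
    string value. Dates are tolerated only for a Limited Data Set."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            if kind == "full_date" and allow_dates:
                continue
            if pattern.search(value):
                findings.append((field, kind))
    return findings


def redact_free_text(record, allow_dates):
    """Replace identifier-shaped text in string values with a marker."""
    out = {}
    for field, value in record.items():
        if isinstance(value, str):
            for kind, pattern in IDENTIFIER_PATTERNS.items():
                if kind == "full_date" and allow_dates:
                    continue
                value = pattern.sub(f"[{kind.upper()} REMOVED]", value)
        out[field] = value
    return out


def release_for_research(record, mode):
    """Build the extract for the requested release type ("lds" or
    "deidentified"), returning it together with what the scan found so the
    reviewer can see which fields still needed redaction."""
    if mode == "lds":
        extract, allow_dates = limited_data_set(record), True
    elif mode == "deidentified":
        extract, allow_dates = de_identified(record), False
    else:
        raise ValueError(f"unknown release mode: {mode}")
    findings = residual_identifiers(extract, allow_dates)
    return redact_free_text(extract, allow_dates), findings


if __name__ == "__main__":
    for mode in ("lds", "deidentified"):
        extract, findings = release_for_research(SAMPLE_RECORD, mode)
        print(mode, "->", sorted(extract), "residual:", findings)
```

The point the two modes make side by side: the Limited Data Set legitimately retains zip, city and full dates, so its scan only flags the telephone number buried in the note, whereas the de-identified extract drops every identifier column and the scan additionally flags the date inside the note. Either way the note had to be redacted before release, which is the check a CE should run before treating an extract as exempt from disclosure accounting. This example follows the slide literally (all eighteen identifiers, dates included, are removed); the HHS Safe Harbor standard that the slide summarizes does permit retaining the year of a date and, under a population condition, the first three digits of a zip code, so a real pipeline may be configured less aggressively than shown here.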

  40. Conclusion
  • Responsibility on the CE to meet HIPAA requirements for disclosing PHI to a researcher
  • Responsibility on the IRB to assure the CE that health information will be protected under the research protocol
  • Does not replace Common Rule or FDA human subject protection regulations
  • Does not override California Privacy Law

  41. HIPAA/Privacy/Research Resources
  • http://privacyruleandresearch.nih/gov/clin_research.asp
  • http://privacyruleandresearch.nih.gov/pdf/HIPAA_Privacy_Rule_Booklet.pdf
  • http://hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/research.html
  • http://www.hhs.gov/ocr/privacy/hipaa/understanding/

  42. Source Acknowledgements
  • University of Florida
  • University of California
  • U.S. Department of Health and Human Services, National Institutes of Health
  • Office for Civil Rights
  • Centers for Medicare & Medicaid Services

  43. Questions?
  • Contact Kevin Ferguson, M.D., IRB Chairman, 559-624-5217
  • Contact Susan Delgado, GME Program Coordinator, 559-624-5220
  • Contact Judy Cotta, Compliance and Privacy Officer, 559-624-2154
