HIPAA: What every Clinical Researcher needs to know!
by Charles Burbank

Presentation Transcript


  1. HIPAA: What every Clinical Researcher needs to know! by Charles Burbank

  2. Objectives
  At the end of this presentation you should be able to:
  • Define the difference between Health Care Operations and Research
  • Identify when a waiver of authorization approved by an Institutional Review Board (IRB)/Privacy Board, or a patient authorization for the use and disclosure of Protected Health Information (PHI), is required for research purposes
  • List the criteria that must be met for an IRB/Privacy Board waiver of authorization to be granted
  • Explain what a Limited Data Set is and its advantage in certain research situations

  3. Definitions:

  4. Protected Health Information (PHI) (45 CFR 160.103)
  Individually identifiable health information that is:
  • Created or received by a health care provider, health plan, employer, or health care clearinghouse
  • In any form or medium (paper, electronic, film, oral)
  • Relating to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual
  • Which identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual

  5. Covered Entity (CE) (45 CFR 160.103)
  • A health plan
  • A health care clearinghouse
  • A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter

  6. Use (45 CFR 160.103)
  With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

  7. Disclosure (45 CFR 160.103)
  The release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

  8. Authorization for use and disclosure of PHI (from "Protecting PHI in Research: Understand the HIPAA Privacy Rule")
  An individual's (or their personal representative's) written permission allowing a CE to use or disclose specific PHI for a particular purpose. A valid authorization must be in writing and must contain the specific data elements required by 45 CFR 164.508.

  9. Personal Representative (45 CFR 164.502(g))
  If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a CE must treat such person as a personal representative under this subchapter, with respect to PHI relevant to such personal representation.

  10. Minimum Necessary (45 CFR 164.502(b))
  • Not really defined in the regulation; the standard reads: when using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  • My interpretation: the least amount you need to do your job.

  11. De-identified PHI (45 CFR 164.514(a)-(b))
  Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
  • The "safe harbor" method requires the removal of 18 data elements (identifiers of the individual and of relatives, employers and household members); the alternative is a documented determination by a qualified expert that the risk of re-identification is very small.
  • Once de-identified, the information is no longer PHI and the Privacy Rule no longer applies to it.

  12. Limited Data Set (45 CFR 164.514(e)(2))
  • PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
  - Names
  - Postal address information (other than city or town, state and zip code)
  - Phone numbers
  - Fax numbers
  - Email addresses
  - Social Security numbers
  - Medical record numbers
  - Insurance or health plan numbers
  - Account numbers
  - Certificate/license numbers
  - Vehicle identifiers and serial numbers
  - Device identifiers and serial numbers
  - URLs
  - Internet Protocol (IP) address numbers
  - Biometric identifiers (including finger and voice prints)
  - Full face photographic images and any comparable images

  13. Data Use Agreement (from "Protecting PHI in Research: Understand the HIPAA Privacy Rule")
  An agreement into which the CE enters with the intended recipient of a limited data set that establishes the ways in which the information in the limited data set may be used and how it will be protected.

  14. Health Care Operations (45 CFR 164.501)
  • Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment; …

  15. Research (45 CFR 164.501)
  A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

  16. Now that we know the lingo, we have to decide: is it Research or Health Care Operations?

  17. Is it Research or Health Care Operations?
  • The Common Rule and the HIPAA Privacy Rule define Research as: "… a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge."
  • The HIPAA Privacy Rule defines Health Care Operations as: "… conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities."
  * In other words, you must determine whether or not the primary purpose is to contribute to generalizable knowledge (e.g., publication of study results). If it is, the activity is research and the research provisions of the Privacy Rule apply, whatever the activity is called locally.

  18. Permitted Uses and Disclosures (45 CFR 164.502(a))
  A Covered Entity is permitted to use or disclose PHI as follows:
  • To the individual
  • For treatment, payment or health care operations
  • As otherwise permitted or required by the Privacy Rule (for research, see 45 CFR 164.512(i))
  * Other uses and disclosures require an AUTHORIZATION from the patient

  19. HIPAA’s Research Requirements

  20. Uses and Disclosures for Research (45 CFR 164.512(i))
  A CE may use or disclose PHI for research without the individual's authorization, regardless of the source of funding of the research, provided that one of the following applies:
  • An Institutional Review Board (IRB) or Privacy Board has approved a waiver of (or alteration to) the authorization requirement
  • The use or disclosure is for a review preparatory to research
  • The research is on the PHI of decedents

  21. Uses and Disclosures for Research (continued)
  Otherwise:
  • The research must use a limited data set (under a data use agreement), or
  • A patient authorization must be obtained

  22. Patient Authorizations (45 CFR 164.508(c))
  Required elements:
  • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure
  • The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure
  • A description of each purpose of the requested use or disclosure
  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure
  • Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided

  23. Patient Authorizations (continued)
  Authorizations must also include:
  • A statement that the individual has the right to revoke the authorization at any time, in writing, together with the exceptions to that right and how to revoke it
  • A statement that treatment, payment, enrollment in a health plan or eligibility for benefits may not be conditioned on signing the authorization (or, where the Rule allows conditioning, the consequences of refusing to sign)
  • A statement that PHI disclosed pursuant to the authorization may be re-disclosed by the recipient and is then no longer protected by the Privacy Rule

  24. Patient Authorizations: Special Research Considerations
  • Compound authorizations: not normally allowed. However, an authorization for a research study may be combined with any other type of written permission for the same research study (for example, the informed consent form).
  • Conditioning of authorizations: generally prohibited, but as an exception a covered health care provider may condition the provision of research-related treatment on the individual signing an authorization for the use or disclosure of PHI for that research.
  • Right to revoke:
  - The Principal Investigator (PI) may continue using and disclosing PHI obtained before the revocation as necessary to maintain the integrity of the research
  - The CE may not disclose any additional PHI to the PI under that authorization once the individual has revoked it
  • Expiration date: for research, the statement "end of research study" or "none" is acceptable

  25. Waiver Criteria (45 CFR 164.512(i)(2))
  Documentation of the waiver must include a statement by the IRB or Privacy Board that the waiver satisfies the following criteria:
  • The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on at least the following elements:
  - An adequate plan to protect the identifiers from improper use and disclosure;
  - An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and

  26. Waiver Criteria (continued)
  - Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted by this subpart;
  • The research could not practicably be conducted without the waiver or alteration; and
  • The research could not practicably be conducted without access to and use of the PHI
  The waiver documentation must also identify the IRB or Privacy Board and the date of approval, give a brief description of the PHI for which use or access has been determined to be necessary, and be signed by the chair or a designated member of the board.

  27. Reviews Preparatory to Research (45 CFR 164.512(i)(1)(ii))
  The CE obtains from the researcher representations that:
  • The use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research (for example, to see whether enough eligible patients exist);
  • No PHI is to be removed from the CE by the researcher in the course of the review; and
  • The PHI for which use or access is sought is necessary for the research purpose

  28. Research on Decedents (45 CFR 164.512(i)(1)(iii))
  The CE obtains from the researcher:
  • A representation that the use or disclosure sought is solely for research on the PHI of decedents;
  • Documentation, at the request of the CE, of the death of such individuals; and
  • A representation that the PHI for which use or disclosure is sought is necessary for the research purposes

  29. Limited Data Set (45 CFR 164.514(e)(1), (e)(3))
  • May be used or disclosed only for research, public health and health care operations purposes
  • Partially de-identifies the PHI; a limited data set is still PHI and remains subject to the Privacy Rule
  • Requires a Data Use Agreement between the CE and the recipient
  • Some CEs may require IRB or Privacy Board approval

  30. Limited Data Set (45 CFR 164.514(e)(2))
  Identifiers allowed to be retained (because they are not on the list of excluded direct identifiers):
  • City or town, state and zip code
  • All elements of dates (for example dates of birth, admission, discharge and death)
  • Any other unique identifying number, characteristic, or code not on the excluded list
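Added example (Python, not part of the original slides): the identifier stripping described on slides 11, 12 and 30, written as a small filter that builds a Limited Data Set from a constructed patient record and, separately, a Safe Harbor de-identified set. The field names, the sample record and the helper functions are assumptions made for this example; the Safe Harbor handling of geography, dates, ages over 89 and the list of sparsely populated 3-digit ZIP prefixes comes from 45 CFR 164.514(b)(2) and HHS/OCR guidance rather than from the slides. It also shows the check a practitioner wants before releasing either set: scanning free-text fields for identifier shapes that field-level stripping cannot see.

```python
"""Field-level HIPAA data minimisation plus a free-text leak check.
Added example; sample record and field names are constructed, not real."""
import re

# Direct identifiers a Limited Data Set must exclude (45 CFR 164.514(e)(2)).
# Matched as exact names or as suffixes so that identifiers of relatives,
# employers and household members ("relative_phone", "employer_name") go too.
LDS_DIRECT_IDENTIFIERS = (
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
)

# Three-digit ZIP prefixes with 20,000 or fewer residents (2000 census list
# from HHS/OCR Safe Harbor guidance); these must be reported as "000".
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifier shapes that hide inside free text such as clinical notes.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042-7781",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.org",
    "street_address": "14 Elm St",
    "city": "Austin", "state": "TX", "zip": "78701",
    "dob": "1929-04-02", "age": 92,
    "admission_date": "2021-06-15",
    "employer_name": "Example Corp",
    "relative_phone": "512-555-0142",
    "diagnosis": "I10",
    "notes": "Sister (512-555-0142) asked that results go to jane.sample@example.org",
}


def is_direct_identifier(field):
    """True for any field that names one of the 16 LDS direct identifiers."""
    return any(field == f or field.endswith("_" + f) for f in LDS_DIRECT_IDENTIFIERS)


def make_limited_data_set(record):
    """Drop the direct identifiers; keep dates, city/state/ZIP, age and clinical data."""
    return {k: v for k, v in record.items() if not is_direct_identifier(k)}


def safe_harbor_deidentify(record):
    """Go beyond an LDS: apply the 45 CFR 164.514(b)(2) rules for geography, dates and age."""
    age = record.get("age")
    over_89 = isinstance(age, int) and age > 89
    out = {}
    for k, v in make_limited_data_set(record).items():
        if k == "city":
            continue                                # geography smaller than a state is removed
        if k == "zip":
            zip3 = str(v)[:3]                       # only the first three digits may remain
            out[k] = "000" if zip3 in SPARSE_ZIP3 else zip3
        elif k == "dob" and over_89:
            continue                                # a birth year would reveal an age over 89
        elif k == "dob" or k.endswith("_date"):
            out[k] = str(v)[:4]                     # year only, for any date tied to the person
        elif k == "age":
            out[k] = "90+" if over_89 else v        # ages over 89 collapse into one category
        else:
            out[k] = v
    return out


def find_leaked_identifiers(record):
    """Return (field, pattern) pairs for identifier shapes found in string values."""
    hits = []
    for k, v in record.items():
        if isinstance(v, str):
            for name, pattern in LEAK_PATTERNS.items():
                if pattern.search(v):
                    hits.append((k, name))
    return hits


if __name__ == "__main__":
    lds = make_limited_data_set(SAMPLE_RECORD)
    print("limited data set:", lds)
    print("safe harbor:", safe_harbor_deidentify(SAMPLE_RECORD))
    # The field filter cannot see inside free text; this gate catches what it missed.
    print("leaks still present:", find_leaked_identifiers(lds))
```

The field filter leaves the `notes` column intact, and the scan then flags a phone number and an email address inside it: neither the Limited Data Set nor the de-identified set is releasable until that text is redacted. That is the point of the second function. The identifier list tells you which columns to drop; only a content scan (or a manual review of free text) tells you whether identifiers survived anyway, and it is that check, not the column list, that should gate the release.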

  31. Data Use Agreements (45 CFR 164.514(e)(4))
  The data use agreement must:
  • Establish the permitted uses and disclosures of the information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The agreement may not authorize the recipient to use or further disclose the information in a manner that would violate the requirements of this subpart if done by the CE;
  • Establish who is permitted to use or receive the limited data set; and

  32. Data Use Agreements (continued)
  • Provide that the limited data set recipient will:
  - Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
  - Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
  - Report to the CE any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;
  - Ensure that any agents, including a subcontractor, to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
  - Not identify the information or contact the individuals

  33. Accounting of Disclosures (45 CFR 164.528)
  Patients have the right to obtain an accounting of certain disclosures of their PHI made in the 6 years prior to the request. Research disclosures made under an IRB/Privacy Board waiver, a review preparatory to research, or decedent research must be accounted for; uses within the CE are not disclosures and need not be. Research disclosures are excluded if:
  • The patient authorized the disclosure of their PHI
  • The data was de-identified (it is no longer PHI)
  • The data was disclosed as part of a limited data set

  34. Accounting of Disclosures (continued)
  The accounting must include the following for each disclosure:
  • Date of disclosure
  • The name of the entity or person who received the PHI and, if known, the address
  • A brief description of the PHI disclosed
  • A brief statement of the purpose of the disclosure that reasonably informs the individual of the reason for the disclosure

  35. Accounting of Disclosures (continued)
  • If the research project involves fewer than 50 patients, each disclosure of each patient's PHI must be listed individually in the accounting.
  • A "simplified" accounting may be used for research disclosures involving 50 or more individuals: a list of the protocols, a plain-language description of each, the types of PHI disclosed, the date range of the disclosures, the researcher's name and contact information, and a statement that the individual's PHI may or may not have been disclosed for a particular protocol. For details refer to 45 CFR 164.528(b)(4).

  36. Other areas of the Privacy Rule that impact Research: Patient's right to access their PHI
  Normally patients have the right to inspect their medical records and obtain copies. However, they may temporarily be denied access to PHI created or obtained in the course of a research study that includes treatment if:
  • They agreed to this limitation when they consented to participate in the study, and
  • They were told that the right of access will be reinstated when the research is completed
  They may still access PHI not associated with the research study.

  37. Other areas of the Privacy Rule that impact Research (continued): Minimum Necessary
  The Privacy Rule requires that information used or disclosed be limited to the minimum amount needed to accomplish the purpose. Minimum necessary requirements apply to research studies: only the PHI needed for the research study should be provided. The standard does not apply to uses and disclosures made under a patient authorization, and for a waiver the CE may rely on the IRB or Privacy Board's documentation of what PHI is necessary for the research.

  38. Other areas of the Privacy Rule that impact Research (continued): Reporting adverse events
  CEs may continue to report research-related adverse events to the U.S. Department of Health and Human Services Office for Human Research Protections.

  39. Other areas of the Privacy Rule that impact Research (continued): Protection of information on portable and removable devices
  • Recommend password protection and encryption of removable media (flash drives, CDs) and portable devices (laptops, hand-held devices). A password on the login screen is not encryption: data on an unencrypted disk can be read by anyone who removes the drive, so the disk or the files themselves must be encrypted.
  • Texas state law imposes fines and penalties for breaches of "Sensitive Personal Information" if the information is not encrypted. The law requires notification of individuals whose information was breached. Penalties range from $2,000 to $50,000 per violation of the law, with fines of up to $500 per record breached (Texas Business & Commerce Code chapter 48).

  40. Resources
  • U.S. Department of Health and Human Services Office for Civil Rights: www.hhs.gov/ocr/hipaa
  • National Institutes of Health: http://privacyruleandresearch.nih.gov

  41. Questions
