1 / 26

HIPAA and the Common Rule

Impact of the Privacy Rule. Does not reduce the effect of the Common Rule or FDA regulations.Mandates more protections to ensure privacy of subjects and confidentiality of data.Requires action whenever any PHI is used for research.. Definition of

salena
Download Presentation

HIPAA and the Common Rule

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. HIPAA and the Common Rule Christina Solis, JD Elisa Fallows, MS UTHSC-H: Legal Affairs and Institutional Compliance 2004 Mini-Ethics Course

    3. Definition of “Research” A systematic investigation …designed to develop or contribute to generalizable knowledge. 45 CFF 46.102(d) and 45 CFR 164.501

    4. Definition of “Human Subject” A living individual about whom an investigator … conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information. 45 CFR 46.102(f)

    5. Definition of “Human Subject” Operational Change due to Privacy Rule A living individual about whom an investigator … conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information

    6. Regarding Research, the Privacy Rule Applies to: Ascertainment of Potential Subjects Recruitment of Subjects Consent/Authorization Process Study Amendments Data Management Decedent Research Reuse of data for another study

    7. Research Provisions Covered entities may use and disclose PHI for research: With individual authorization, or Without individual authorization under limited circumstances 45 CFR § §164.508, 164.512(i)

    8. Relationship to other Research Rules The Privacy Rule does not override the Common Rule or FDA’s human subject protection regulations.

    9. Ascertainment/Recruitment of Potential Subjects Via Review of PHI Notification of a Review Preparatory to Research Description Justifying a Waiver of Authorization Via Ad

    10. If PHI or other identifiable private information is to be recorded during the ascertainment/recruitment process, consent of the potential subject, or IRB approval of a Waiver of Consent, must be obtained. (DHHS NIH Common Rule Guidance 8/03)

    11. Ascertainment/Recruitment – Satisfying Both Rules Via a Review of Preparatory to Research Do not record PHI, or Record PHI and obtain Common Rule IRB waiver of consent, or De-identify PHI, then deal with the Common Rule. If the data now retains a link to subject identity, the Common Rule still applies. If the data does not retain any identifying link (data anonymized or unlinked), the Common Rule does not apply.

    12. Ascertainment/Recruitment – Satisfying Both Rules Via Waiver of Authorization Do not record PHI – usually not useful or practical, or Record PHI and obtain IRB Waiver of Consent De-identify PHI – usually not useful or practical

    13. Exception from Requirement for Informed Consent An IRB may waive consent requirement or alter consent element if it finds and documents that: (1) Research involves no more than minimal risk; (2) Rights and welfare of subjects will not be adversely affected; (3) Research could not be practicably be carried out without waiver or alteration; and (4) When appropriate, the subjects will be provided pertinent information after participation.

    14. Reducing the Impact Ensure that Information Associated with Data/Samples is Modified so it does not relate to a “Human Subject” and either does not involve PHI or is presented as a limited data/sample set.

    15. An Activity does not prompt the Common Rule or Privacy Rule Considerations Requiring IRB Review when: The activity is not research; OR The research does not involve a human subject AND The research does not involve PHI.

    16. Examples of how can a PI doing research reduce the impact of the Common Rule and the Privacy Rule Modify information associated with the Data/Samples so the information does not relate to a “Human Subject”, and the information does not involve PHI or PHI is presented as a limited data set.

    17. How to modify data/samples so the information does not relate to a “human subject” Anonymize (unlink) the data/samples. Establish conditions whereby subject identity cannot be readily ascertained.

    18. Anonymize (unlink) the data/samples Remove all identifiers or codes that directly or indirectly link a particular data point or sample to an identifiable person. These data/samples then become irreversibly unlinked from any subject identifiers.

    19. Modify Information Associated with the Data/Samples so the Information does not relate to a “Human Subject”, and The INFORMATION DOES NOT INVOLVE PHI or PHI is Presented as a Limited Data Set.

    20. Modify Information Associated with the Data/Samples so the information does not involve PHI Remove health information De-identify data/samples

    21. Information is health information when it Relates to one’s physical or mental health or condition; or Related to one’s health care; OR Relates to one’s payment for health care. 45 CFR160.103

    22. Items to Exclude for De-identification 45 CFR 64.514(b)(2) ? Names ? E-mail address ? Addresses ? SS# ? Zip codes ? Medical Record # ? Dates except years ? Health plan beneficiary #s ? Telephone #s ? Account #’s ? Fax #s ? Certificate/license #s ? VIN #’s ? Device ID & serial #’s ? URLs ?Full face photo images ? biometric identifiers ? internet protocol address #s ? any other unique identifying #, characteristic or code

    23. Modify information associated with the data/samples so the information does not related to a “human subject”, and the information does not involve PHI or PHI IS PRESENTED AS A LIMITED DATA SET Establish a limited data set with a data/sample use agreement. Remove direct personal identifiers. Remove postal address information other than town or city, state or zip code. Note: Event dates, any age and an identifying code related to the person are permitted.

    24. Anonymization vs HIPAA De-identification The only setting where IRB approval of anonymization (unlinking) does not also confer approval of HIPAA de-identification is when the anonymized (unlinked) health information contains an event date more specific than the year, or a geocode more specific than a state or 3 digit zip code, or a subjects specific age is over 89 years (instead state as 90+ years)

    25. HIPAA De-identification vs Anonymization The only setting where IRB approval of HIPAA de-identification does not also confer approval of anonymization (unlinking) is when a code with a key linking back to the subject is retained with the de-identified data.

    26. Approach to satisfy both Establish conditions so the identity of a research subject cannot readily be ascertained. Establish a limited data/sample set and a data/sample use agreement.

More Related