

RESEARCH PRIVACY AND HIPAA
With S. Joseph Austin, JD, LL.M, Regulatory Coordinator; Jan Hewett, JD, BSN, Director, IRBMED; Robin Sedman, MAEd, MSN, Senior Associate Regulatory Analyst; Lauren Shellenberger, JD, RN, Director, Compliance Policy & Education; Alan Sugar, MD, Co-Chair, IRBMED


Presentation Transcript


  1. RESEARCH PRIVACY AND HIPAA
  With S. Joseph Austin, JD, LL.M, Regulatory Coordinator; Jan Hewett, JD, BSN, Director, IRBMED; Robin Sedman, MAEd, MSN, Senior Associate Regulatory Analyst; Lauren Shellenberger, JD, RN, Director, Compliance Policy & Education; Alan Sugar, MD, Co-Chair, IRBMED
  Moderated by: Jennifer Galland, MHA, Board Member, IRBMED
  October 18, 2011, 2:00 to 4:00, CVC Danto Auditorium

  2. IRBMED; Privacy Board; HIPAA; Protected Health Information; Authorization; Waiver of HIPAA Authorization; Certification Preparatory to Research; Decedents; De-Identified Data Sets; Limited Data Sets

  3. Institutional Review Boards of the University of Michigan Medical School (IRBMED) http://www.med.umich.edu/irbmed/

  4. IRBMED: Structure
  • Director: Jan Hewett
  • Review Teams: A1, A2, B1, B2, C1
  • Office Manager: Lisa Kiel
  • Coordinators: Pat Gordon, eResearch; Georgia Marvin, Compliance
  • Support Staff: Maria Camilleri, Colleen Bouton, Patti Meredith
  • Education: Joseph Austin, Senior Education & Regulatory; Brian Seabolt, Technical Writer; Monica Stiddom, Education
  • Expedited Reviewer: Jennifer Galland

  5. IRBMED: Structure

  6. Privacy Board

  7. PRIVACY BOARD: Responsibility
  • The Privacy Board oversees the research aspects of HIPAA.
  • The Compliance Office oversees the clinical aspects of HIPAA.

  8. PRIVACY BOARD: Members
  • Chair: Alan Sugar, MD
  • Members: Fran Lyman, MLS; Duke Morrow, DMin; Michael Paschke, MA; Joy Stair, MS, RN
  • Coordinator: S. Joseph Austin, JD, LL.M

  9. HIPAA

  10. HIPAA: Basics
  • HIPAA is the Health Insurance Portability and Accountability Act.
  • Purpose:
    • Protect the privacy of individuals’ personal health information.
    • Provide physical and electronic security for PHI.
    • Simplify billing.
    • Provide rights for patients regarding access to and use of their medical information.

  11. HIPAA: Authorizations
  • A HIPAA Authorization is signed permission from an individual that allows that individual’s PHI to be used or disclosed for reasons other than Treatment, Payment or Healthcare Operations (TPO purposes).
  • The Authorization must include:
    • A description of the PHI to be used/disclosed.
    • Who will make the disclosure.
    • To whom the disclosure will be made.
    • An expiration date.
    • The purpose of the disclosure.
  Note: An individual may revoke a signed authorization at any time.

  12. Protected Health Information (PHI)

  13. PROTECTED HEALTH INFORMATION: Defined
  • Protected Health Information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as treatment, payment, or operations.
  Note: PHI may be in any form or media, including electronic, paper, or oral.

  14. PROTECTED HEALTH INFORMATION: HIPAA
  • HIPAA regulations allow researchers to access and use PHI when necessary to conduct research.
  • However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for healthcare services, such as treatment, payment, or operations.
  • Examples:
    • PHI is used in research studies when researchers will access existing medical records for research information.
    • Studies that create new medical information because a health care service is being performed as part of research, such as diagnosing a health condition or using a new drug or device for treating a health condition.

  15. PROTECTED HEALTH INFORMATION: Individually Identifiable Health Information
  Individually identifiable health information is information (including demographic information) that is related to at least one of the following three:
  • The past, present, or future physical or mental health or condition of the individual.
  • The health care provided to the individual.
  • The past, present, or future payment for health care provided to the individual,
  AND
  • Either identifies the individual or there is a reasonable basis to believe that the information could be used to identify the individual.

  16. PROTECTED HEALTH INFORMATION: Identifiers
  PHI includes the following:
  • Names
  • Geographic subdivisions smaller than a state
  • Dates directly related to the individual, except year
  • All ages over 89 and/or dates indicating an age over 89
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identification/serial numbers, including license plate numbers
  • Device identification/serial numbers
  • Universal Resource Locators (URLs)
  • Internet protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photographs and comparable images
  • Any unique identifying number, code, or other similar information

  17. PROTECTED HEALTH INFORMATION: Use v. Disclosure
  • “Use” refers to the access, sharing, and utilization of PHI within the Covered Entity.
  • “Disclosure” refers to the sharing of PHI with individuals and entities outside of the Covered Entity.

  18. PROTECTED HEALTH INFORMATION: Covered v. Not Covered
  • PHI does not, however, cover employment records that a covered entity maintains in its capacity as an employer.
  • PHI may also not include education and certain other records subject to the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

  19. PROTECTED HEALTH INFORMATION: Re-Identification
  • Additional standards exist to protect an individual's privacy from re-identification.
  • Any code used to replace the identifiers in datasets cannot be derived from information related to the individual.
    • For example, a subject's initials cannot be used to code their data because the initials are derived from their name.
  • Also, the method used to derive the codes may not be disclosed.
  • Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from the remaining identifiers.

  20. Waiver of HIPAA Authorization

  21. WAIVER OF HIPAA AUTHORIZATION: Types of Applications
  There are three types of applications that require a Waiver of Authorization:
  • Regulated Studies, when simultaneously requesting:
    • A Waiver of Informed Consent, OR
    • A Waiver of Documentation of Informed Consent

  22. WAIVER OF HIPAA AUTHORIZATION: Types of Applications
  • Exempt Studies, when accessing PHI
  • Non-Regulated Studies, when accessing PHI
  Note: Requests for a Waiver for Regulated studies may be granted by the Full Board or by expedited review. Waivers for Exempt or Non-Regulated studies may be granted by the Full Board, by expedited review, or by the Privacy Board.

  23. WAIVER OF INFORMED CONSENT: Criteria
  Waivers should only be granted for studies where the study team will access PHI if the following are met:
  • There is no more than minimal risk to the privacy of the individuals.
  • The research could not practicably be conducted without the waiver of consent or waiver of documentation of consent.
  • The research could not practicably be conducted without the requested use or disclosure of PHI.
  • Whenever appropriate, the subjects will be provided with additional pertinent information after participation.

  24. HIPAA: Authorizations
  • A HIPAA Authorization is signed permission from an individual that allows that individual’s PHI to be used or disclosed for reasons other than Treatment, Payment or Healthcare Operations (TPO purposes).
  • The Authorization must include:
    • A description of the PHI to be used/disclosed.
    • Who will make the disclosure.
    • To whom the disclosure will be made.
    • An expiration date.
    • The purpose of the disclosure.
  Note: An individual may revoke a signed authorization at any time.

  25. WAIVER OF HIPAA AUTHORIZATION: Criteria
  • There is an adequate plan in place to protect patient identifiers and PHI from improper use and disclosure.
  • There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a Privacy Review Board-approved health or research justification for retaining the identifiers or such retention is otherwise required by law.
  • There are adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure would be permitted by HIPAA.
  • The Waiver or Alteration of Authorization will not adversely affect the rights and welfare of the subjects.
  • The research could not practicably be conducted without the Waiver or Alteration of Authorization.
  • The research could not practicably be conducted without access to and use of the PHI.
  • Whenever appropriate, the subjects (including their physicians, as applicable) are provided with additional pertinent information after participation.
  • Where the Principal Investigator anticipates the disclosure of PHI outside the Covered Entity (as that may be determined from time to time), the Principal Investigator must account for each disclosure and retain records of such disclosures.

  26. WAIVER OF HIPAA AUTHORIZATION: eResearch Application
  • The study team will need to complete Sections 25-1 and 25-2 for a Waiver of HIPAA Authorization.
    • Note: eResearch logic does not always force these sections; they are, however, necessary.
  • The study team will need to complete Section 25-1 and the following when applicable:
    • Section 25-3 when “Preparatory to Research”
    • Section 25-4 when “Limited Data Set”
    • Section 25-5 when “Deidentified Data Set”
    • Section 25-6 when “Decedents”

  27. Certification Preparatory to Research

  28. CERTIFICATION PREPARATORY TO RESEARCH
  • Projects that are preparatory to research are not regulated under the Common Rule.
  • However, when researchers will be accessing Protected Health Information (PHI) to assess the feasibility of a research project, the activities are subject to HIPAA.
  • To ensure compliance with HIPAA, the project will need to be reviewed by the Privacy Board.

  29. CERTIFICATION PREPARATORY TO RESEARCH
  • In order to use PHI for purposes preparatory to research, the researcher will need to affirm the following:
    • The use or disclosure of the PHI is solely to prepare to conduct research.
    • None of the PHI will be removed from the covered entity.
    • Access to the PHI is necessary for the research purpose.
  • Importantly, researchers may not record identifiers and may not use the accessed information in order to identify or recruit subjects for the study.

  30. CERTIFICATION PREPARATORY TO RESEARCH
  • Researchers should complete a Not-Regulated application through eResearch.
  • As part of the submission, the researcher will need to complete Sections 25-1 and 25-3 of the application.
  • The completed application will then be reviewed by the Privacy Board.

  31. Decedents

  32. DECEDENTS: Basics
  • Research involving decedents is not regulated under the Common Rule.
  • However, when researchers will be accessing Protected Health Information (PHI) in order to create a limited data set, the activities are subject to HIPAA.
  • To ensure compliance with HIPAA, the project will need to be reviewed by the Privacy Board.

  33. DECEDENTS: Criteria
  • In order to use the PHI of decedents for research purposes, the researcher will need to affirm:
    • The use or disclosure being sought is solely for research on the PHI of decedents.
    • The PHI being sought is necessary for the research.
    • At the request of the covered entity, the researcher will be able to provide documentation of the death of the individuals about whom information is being sought.

  34. DECEDENTS: Process
  • Researchers should complete a Not-Regulated application through eResearch.
  • As part of the submission, the researcher will need to complete Sections 25-1 and 25-6 of the application.
  • The completed application will then be reviewed by the Privacy Board.

  35. DE-IDENTIFIED DATA SETS

  36. DE-IDENTIFIED DATA SETS: Definition
  • A de-identified data set is a data set that meets both of the following:
    • Does not identify any individual that is a subject of the data.
    • Does not provide any reasonable basis for identifying any individual that is a subject of the data.

  37. DE-IDENTIFIED DATA SETS: Methods for De-Identification
  • There are two methods for de-identifying information:
    • The removal of certain identifiers
    • The statistical method

  38. DE-IDENTIFIED DATA SETS: Removal of Identifiers
  Under the first method, the identifiers that must be removed include the following:
  • Names
  • Geographic subdivisions smaller than a state
  • Dates directly related to the individual, except year
  • All ages over 89 and/or dates indicating an age over 89
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identification/serial numbers, including license plate numbers
  • Device identification/serial numbers
  • Universal Resource Locators (URLs)
  • Internet protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photographs and comparable images
  • Any unique identifying number, code, or other similar information

  39. DE-IDENTIFIED DATA SETS: Statistical Method
  • An individual with knowledge of and experience with generally accepted statistical and scientific methods for rendering information not individually identifiable must provide certification that the data is de-identified.
  • The individual should find that the risk is very small that the information could be used (either alone or in combination with other reasonably available information) to identify any individual who is a subject of the data.
  • Additionally, the methods and results of the analysis must be documented.

  40. DE-IDENTIFIED DATA SETS: Creating a De-Identified Data Set
  • Research involving a de-identified data set is not regulated under the Common Rule.
  • However, when researchers will be accessing PHI in order to create a de-identified data set, the activities are subject to HIPAA.
  • To ensure compliance with HIPAA, the project will need to be reviewed by the Privacy Board.

  41. DE-IDENTIFIED DATA SETS: Using a De-Identified Data Set
  • Pre-existing, de-identified data sets are not subject to the requirements of the HIPAA Privacy Rule since they do not include individually identifiable information.
  • However, in order to ensure compliance with HIPAA, the project should be reviewed by the Privacy Board.

  42. LIMITED DATA SETS

  43. LIMITED DATA SETS: Basics
  • A limited data set is a distinct category of protected health information (PHI) where certain identifiers have been removed.
  • Importantly, these identifiers must have been removed for the individuals as well as their relatives, household members, and employers (when applicable).

  44. LIMITED DATA SETS: Removed Identifiers
  The identifiers that must be removed include the following:
  • Names
  • Postal address information other than town/city, state, and zip code
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security number
  • Medical record numbers
  • Vehicle identification/serial numbers, including license plate numbers
  • Health plan numbers
  • Account numbers
  • Certificate or license numbers
  • Device identification/serial numbers
  • Universal Resource Locators (URLs)
  • Internet Protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photographs and comparable images
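The three identifier rules in this deck (slide 19 on re-identification codes, slide 38 on the removal-of-identifiers method, and slide 44 on limited data sets) are easiest to compare when applied to one record. The following is an added example written for this transcript; it is not code from the presenters or from IRBMED. The field names, the function names and the sample record (a fictional person) are this example's own assumptions. It follows the slides' wording literally, so a de-identified row drops city and ZIP entirely and keeps only the year of each date; the one addition beyond the slides is that an age over 89 is reported as a "90+" category, which the Privacy Rule's Safe Harbor provision permits. Known identifier values are also redacted from free-text fields, because a clinical note is where names and phone numbers most often survive a field-level scrub.

```python
"""Added example (not from the IRBMED deck): applying the slides' identifier
lists to a record.  Field names, the sample record and the helper names are
this example's own assumptions."""
import secrets
from datetime import date

# Constructed sample record: a fictional person, not real PHI.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "email": "jane.sample@example.org",
    "phone": "734-555-0100",
    "ssn": "000-00-0000",
    "street": "123 Main St",
    "city": "Ann Arbor",
    "state": "MI",
    "zip": "48109",
    "ip": "192.0.2.10",
    "dob": "1920-03-15",
    "admit_date": "2011-10-18",
    "diagnosis": "Hypertension",
    "note": "Patient Jane Q. Sample reports headaches; call 734-555-0100.",
}

# Direct identifiers that both slide 38 (de-identified set) and slide 44
# (limited data set) require removing.
DIRECT_IDENTIFIERS = ("name", "mrn", "email", "phone", "ssn", "street", "ip")
# Slide 38 only: geography smaller than a state.  A limited data set keeps these.
SMALL_GEOGRAPHY = ("city", "zip")
# Dates directly related to the individual (slide 38 keeps only the year).
DATE_FIELDS = ("dob", "admit_date")
FREE_TEXT_FIELDS = ("note",)
AGE_CUTOFF = 89  # slide 38: ages over 89 must not appear


def _redact_known_values(text, values):
    """Identifiers leak into free text; redact every known value there too."""
    for v in values:
        text = text.replace(v, "[REDACTED]")
    return text


def _age_on(dob_iso, as_of):
    born = date.fromisoformat(dob_iso)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def limited_data_set(record):
    """Slide 44: drop direct identifiers; town/city, state, ZIP and dates stay."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    leaked = [record[k] for k in DIRECT_IDENTIFIERS if k in record]
    for k in FREE_TEXT_FIELDS:
        if k in out:
            out[k] = _redact_known_values(out[k], leaked)
    return out


def deidentify(record, as_of=date(2011, 10, 18)):
    """Slide 38, removal-of-identifiers method: everything the limited data set
    removes, plus sub-state geography and all date parts except the year.  An age
    over 89 is collapsed into a '90+' category (the Privacy Rule's Safe Harbor
    provision allows that aggregation; the slide itself only says to remove it)."""
    out = limited_data_set(record)
    for k in SMALL_GEOGRAPHY:
        out.pop(k, None)
    over_cutoff = "dob" in record and _age_on(record["dob"], as_of) > AGE_CUTOFF
    for k in DATE_FIELDS:
        if k in out:
            out[k] = out[k][:4]  # keep the year only
    if over_cutoff:
        out["dob"] = None  # even the birth year would indicate an age over 89
        out["age_category"] = "90+"
    return out


def assign_code(record, key_map):
    """Slide 19: the code replacing identifiers must not be derivable from the
    subject (no initials, birth dates or MRN digits).  Use a random code and keep
    the linkage table separately, inside the covered entity."""
    code = secrets.token_hex(8)
    key_map[code] = record["mrn"]
    return code


def build_coded_dataset(records, as_of=date(2011, 10, 18)):
    """De-identify each record and attach a random subject code; returns the
    shareable rows and the separately held key map."""
    key_map, rows = {}, []
    for rec in records:
        row = deidentify(rec, as_of)
        row["subject_code"] = assign_code(rec, key_map)
        rows.append(row)
    return rows, key_map


if __name__ == "__main__":
    rows, key_map = build_coded_dataset([SAMPLE_RECORD])
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    print("de-identified row:", rows[0])
    print("key map (keep separate):", key_map)
```

Running the module prints the same record three ways: the limited data set still carries the birth date, city and ZIP, so under slide 45 it may leave the covered entity only under a data use agreement; the de-identified row carries neither, and for this subject even the birth year is gone because it would indicate an age over 89. The key map is what slide 19 is protecting: it is the only thing that links a subject code back to a medical record number, so it is held apart from the data set and never shipped with it.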

  45. LIMITED DATA SETS: Data Use Agreements
  • A limited data set may be used and disclosed for research purposes, as well as for health care operations and public health purposes.
  • Before any such use, however, the recipient must enter into a data use agreement.
  • The agreement guarantees that certain measures will be taken to safeguard the PHI.

  46. LIMITED DATA SETS: Creating a Limited Data Set
  • Research involving a limited data set is not regulated under the Common Rule.
  • However, when researchers will be accessing PHI in order to create a limited data set, the activities are subject to HIPAA.
  • To ensure compliance with HIPAA, the project will need to be reviewed by the Privacy Board.

  47. LIMITED DATA SETS: Using a Limited Data Set
  • Research using a pre-existing limited data set is not regulated under the Common Rule.
  • However, in order to ensure compliance with HIPAA, the project should be reviewed by the Privacy Board.
  • In order to use a limited data set, the recipient of the data must first enter into a data use agreement. After the agreement is finalized, a Not-Regulated application should be completed through eResearch.
