The new HIPAA Privacy Rules impose stringent requirements on health care research regarding the use and disclosure of Protected Health Information (PHI). These regulations enhance privacy protections and require authorization for utilizing health data. Covered Entities must navigate these rules alongside existing state laws and the Common Rule governing human subjects' research. Key changes include the need for Privacy Boards, new penalties for non-compliance, and options for using limited data sets, de-identified data, or obtaining explicit authorizations. Understanding these changes is vital for researchers.

HEALTH CARE RESEARCH UNDER HIPAA RULES
New Privacy Rules for Health Care Research

What is HIPAA and Why Do We Care?
• Health Insurance Portability and Accountability Act
• Intent: better access, less fraud, more privacy
• HIPAA restricts the use and disclosure of some health data (this is why we care!)

Core Elements of HIPAA
• Portability
• Standardization of electronic data
• Privacy & Security standards

The Privacy Rule
• New standards for protecting health information
• Need permission to use or disclose protected health information

Protected Health Information
• IIHI (individually identifiable health information) and PHI are defined in the handouts
• Protected Health Information = health information + identifiers that are transmitted or maintained in any form by a Covered Entity

What is a Covered Entity?
• A health plan
• A health care clearinghouse
• A health care provider who transmits any health information in electronic form

HIPAA Privacy Rule Does Not Apply to the Whole World
• Applies to covered entities and their business associates
• Excludes health data held by non-covered entities

HIPAA Changes Research . . .
• New rules for disclosing & obtaining health data
• Privacy Boards are new (in addition to IRBs)
• New requirements for authorizations & for waiver of authorization
• New rules for tracking release of data
• New penalties (fines & jail time)

. . . But Some Things Stay the Same
• Common Rule (HHS Protection of Human Subjects Regulations, Title 45 CFR Part 46)
• California state laws still apply, unless less stringent
• Data without personal identifiers not affected

State Laws Still Apply
Some examples:
• California Information Practices Act
• Confidentiality of Medical Information Act
• Lanterman-Petris-Short Act
• Program-specific laws with confidentiality provisions
NOTE: Most stringent law prevails.

Use & Disclosure
• Use = sharing, application, utilization, examination or analysis of data with PHI within the entity that maintains such data
• Disclosure = release, transfer, divulging or providing access to PHI to persons or organizations outside the Covered Entity

Uses and Disclosures Exempted from HIPAA
• Required by law
• Public health activities
• Victims of abuse, neglect or domestic violence
• Health care oversight
• Judicial & administrative proceedings
• Law enforcement

Minimum Necessary
• Use, disclose, or request only the minimum amount of PHI necessary to accomplish the purpose

Common Rule & HIPAA
• Research involving human subjects and PHI is subject to both the HIPAA Privacy Rule and the Common Rule
• The higher privacy protection prevails
• IRBs still exist

Disclosing Health Care Data for Research
• Limited data set, or
• De-identified data, or
• Authorization from the person whose health information is needed, or
• Waiver of authorization from an IRB or Privacy Board

Option 1: Limited Data Set
• Limited data set may be used for the purposes of research, public health or health care operations
• Disclosures may not contain direct identifiers
• A “Data Use Agreement” must be in place

Data Use Agreement
The Data Use Agreement establishes:
• Permitted uses and disclosures
• Identity of the recipient
• Limits on future disclosure or use for other purposes
• Safeguards to protect the data
• Limits on subcontractors
• Recipient cannot re-identify the data or contact individuals

The Limited Data Set Excludes:
• Names
• Postal address
• Telephone & fax numbers
• Email address
• SSN
• Medical record number
• Health plan number
• Certificate/license number
• Vehicle ID or license plate
• Device identifiers
• Web URLs
• Internet protocol (IP) addresses
• Biometric IDs
• Full-face and comparable images

Limited Data Set Allows
• City, state and 5-digit zip code
• Dates

Option 2: De-identified Data Set
• De-identified by a statistical expert, or
• Specific identifiers are removed from the data

Removing Specific Identifiers
• Remove direct identifiers
• Remove all geographic identifiers smaller than a state, except:
   • Can keep the initial 3 digits of the zip code when the population of that area is >20K
   • But use zeros (“000”) for zip codes where the population is <20K
• Remove month & day from dates (year OK)
• Remove specific ages for people over 89

Allowed in De-identified Data
• Gender
• Specific age under 90
• Grouping for ages 90+
• Codes for re-identifying the data
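To make the Option 1 and Option 2 rules above concrete, here is an added Python example (not part of the original slide deck): it strips the Limited Data Set's direct identifiers from a record and then applies the identifier-removal de-identification steps, including the zip-code population threshold and the over-89 age rule. The field names, the two sample records and the ZIP3_POPULATION table are constructed assumptions; a real implementation would take the population figures from Census data.

```python
# Added example, not code from the original slide deck: applies the Option 1
# (Limited Data Set) and Option 2 (identifier removal) rules from the slides
# to a patient record.  Field names, the sample records and the zip-code
# population table are all constructed for this example.
from datetime import date

# Direct identifiers that a Limited Data Set must exclude (the slide's list).
DIRECT_IDENTIFIERS = {
    "name", "postal_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric_id",
    "face_image",
}

# Hypothetical population of the area sharing the first three zip digits.
# A real implementation would load this from Census data.
ZIP3_POPULATION = {"941": 800_000, "036": 15_000}

# Constructed sample records.
SAMPLE_ADULT = {
    "name": "Ada Example", "email": "ada@example.test", "ssn": "000-00-0000",
    "medical_record_number": "MRN-12345", "ip_address": "192.0.2.10",
    "gender": "F", "age": 42, "birth_date": date(1981, 3, 14),
    "admission_date": date(2003, 4, 14), "city": "San Francisco",
    "state": "CA", "zip": "94110", "diagnosis": "J18.9",
    # re-identification code assigned by the study, not derived from PHI
    "study_code": "S-0042",
}
SAMPLE_ELDER = {**SAMPLE_ADULT, "age": 92,
                "birth_date": date(1931, 7, 2), "zip": "03601"}


def limited_data_set(record):
    """Option 1: drop direct identifiers; city, state, zip and dates stay."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor_zip(zip_code):
    """Keep the initial 3 digits only when that area has >20K people; else 000."""
    zip3 = zip_code[:3]
    return zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"


def deidentify(record):
    """Option 2 (identifier removal): apply the slide's rules on top of Option 1."""
    out = limited_data_set(record)
    # Geographic identifiers smaller than a state: drop the city, truncate zip.
    out.pop("city", None)
    if "zip" in out:
        out["zip"] = safe_harbor_zip(out["zip"])
    # Dates: keep only the year.
    for key, value in list(out.items()):
        if isinstance(value, date):
            out[key] = value.year
    # Ages over 89 are grouped as 90+; a birth year alone would still reveal
    # such an age, so the Safe Harbor standard removes it as well.
    if isinstance(out.get("age"), int) and out["age"] > 89:
        out["age"] = "90+"
        out.pop("birth_date", None)
    return out


if __name__ == "__main__":
    for label, rec in (("adult", SAMPLE_ADULT), ("elder", SAMPLE_ELDER)):
        print(label, "LDS:", limited_data_set(rec))
        print(label, "de-identified:", deidentify(rec))
```

A zip prefix missing from the population table is treated as below the threshold and zeroed, which is the conservative default. The `study_code` field survives both transformations as the slide's "codes for re-identifying the data"; the example assumes it was assigned by the study and not derived from PHI.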

Option 3: Authorization
• Written permission from the individual
• It must contain specific elements

6 Required Core Elements
• A description of the PHI requested
• Who is authorized to make the disclosure
• Who is requesting the data
• The purpose
• An expiration date
• Signature
• (State law requirement: 14-point font)

3 Required Statements
• The individual’s right to revoke
• Whether treatment is conditioned on authorization
• Risk of future re-disclosure

Authorization vs. Informed Consent
• Authorization focuses on privacy risk
• Informed consent focuses on the risks and/or benefits of the study and the confidentiality of records
• May get both authorization & consent
• HIPAA allows combining consent & authorization, but State law does not

Re-Disclosure
• The Privacy Rule does not continue to protect PHI once it has been disclosed
• Other State & federal regulations may apply
• An IRB may impose further restrictions

Option 4: A Waiver
• Get the IRB/PB to waive the requirement for individual authorization
• IRB established in the Common Rule
• Privacy Board established by HIPAA

Criteria for Waiver of Individual Authorization
The IRB / PB can grant a waiver or alteration of individual authorization if it determines:
• Minimal risk to the privacy of individuals
• Research not practicable without access to PHI
• Research not practicable without the waiver/alteration
Note: A Data Use Agreement can be required even with a waiver

Waiver – 5 Required Elements
• Name of IRB/PB & date the waiver was approved
• Minimal risk
• Description of the PHI
• Statement of approval
• Signature of the IRB/PB chair

Other Strategies to Access Data with PHI
• Research on decedents’ data
• Reviews preparatory to research

Tracking (Accounting) for Research Disclosures
Include:
• Disclosures within a 6-year period
• Disclosures without authorizations
Exclude:
• Data disclosed with authorizations
• Limited data set disclosures
• Disclosures for TPO (treatment, payment and health care operations)
• Disclosures prior to April 14, 2003

Accounting for Multiple Disclosures
• Permitted for multiple disclosures of PHI to the same person/entity for a single purpose
• Must include:
   • Date of initial disclosure
   • Name & address of who received the PHI
   • Brief description of what was disclosed
   • Purpose of disclosure
   • Frequency/periodicity of disclosure
   • Date of most recent disclosure

Alternative Multiple Accounting
Disclosure of PHI for 50 or more people:
• Name of the research activity
• Plain-language description of the protocol, purpose and criteria
• Description of the PHI disclosed
• Date/period of disclosure
• Name, address, tel # of recipients
• Statement that the individual’s PHI may / may not have been disclosed
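As an added example (not from the slides), the Python below builds the accounting of disclosures for one individual from a constructed disclosure log: it applies the include/exclude rules from the Tracking slide (the 6-year window, the April 14, 2003 cut-off, and the authorization, limited data set and TPO exclusions) and collapses repeated disclosures to the same recipient for one purpose into a single entry carrying the initial date, most recent date and frequency, as the Accounting for Multiple Disclosures slide permits. The `Disclosure` record layout, the `basis` labels, the recipient names and the sample log are assumptions made for this example.

```python
# Added example, not code from the original slide deck: builds the accounting
# of research disclosures that the slides describe for one individual, applying
# the include/exclude rules and collapsing repeated disclosures to the same
# recipient for the same purpose into one entry.  The log format, field names
# and sample entries are constructed for this example.
from dataclasses import dataclass
from datetime import date

PRIVACY_RULE_COMPLIANCE_DATE = date(2003, 4, 14)   # cut-off from the slides
ACCOUNTING_YEARS = 6                                # window from the slides
# Bases of disclosure the slides exclude from the accounting.
EXCLUDED_BASES = {"authorization", "limited_data_set", "tpo"}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str      # name & address of who received the PHI
    purpose: str
    description: str    # brief description of what was disclosed
    basis: str          # "waiver", "authorization", "limited_data_set", "tpo"


def years_before(d, n):
    """d minus n years, tolerating Feb 29."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def is_accountable(d, as_of):
    """Include/exclude rules from the Tracking slide."""
    if d.basis in EXCLUDED_BASES:
        return False
    if d.disclosed_on < PRIVACY_RULE_COMPLIANCE_DATE:
        return False
    return years_before(as_of, ACCOUNTING_YEARS) <= d.disclosed_on <= as_of


def accounting(log, patient_id, as_of):
    """Accounting entries for one individual, oldest first.  Repeated
    disclosures to the same recipient for one purpose become a single entry
    carrying the initial date, the most recent date and the frequency."""
    entries = {}
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if d.patient_id != patient_id or not is_accountable(d, as_of):
            continue
        key = (d.recipient, d.purpose)
        if key in entries:
            entries[key]["most_recent"] = d.disclosed_on
            entries[key]["count"] += 1
        else:
            entries[key] = {"recipient": d.recipient, "purpose": d.purpose,
                            "description": d.description,
                            "first": d.disclosed_on,
                            "most_recent": d.disclosed_on, "count": 1}
    return list(entries.values())   # dicts preserve insertion order


RESEARCHER = "Dr. R. Example, Example University, 1 Research Way"
LOG = [  # constructed sample log; comments say why an entry is excluded
    Disclosure("P1", date(2002, 12, 1), RESEARCHER, "Cohort study", "Lab results", "waiver"),  # before April 14, 2003
    Disclosure("P1", date(2003, 5, 15), RESEARCHER, "Cohort study", "Lab results", "waiver"),  # outside the 6-year window
    Disclosure("P1", date(2003, 6, 20), RESEARCHER, "Cohort study", "Lab results", "limited_data_set"),
    Disclosure("P1", date(2003, 8, 1), "Example Health Plan", "Claims", "Claim", "tpo"),
    Disclosure("P1", date(2004, 1, 10), RESEARCHER, "Cohort study", "Lab results", "waiver"),
    Disclosure("P1", date(2004, 7, 10), RESEARCHER, "Cohort study", "Lab results", "waiver"),
    Disclosure("P1", date(2005, 2, 1), "Survey Research Inc., 9 Poll St", "Survey", "Contact details", "authorization"),
    Disclosure("P1", date(2006, 3, 3), "State Cancer Registry", "Registry study", "Diagnosis", "waiver"),
    Disclosure("P2", date(2004, 3, 1), RESEARCHER, "Cohort study", "Lab results", "waiver"),
]
AS_OF = date(2009, 6, 1)   # constructed date of the individual's request

if __name__ == "__main__":
    for entry in accounting(LOG, "P1", AS_OF):
        print(entry)
```

With the request dated June 1, 2009 the window opens on June 1, 2003, so the May 2003 waiver disclosure drops out even though it is after the compliance date, and the two 2004 disclosures to the same researcher for the cohort study collapse into one entry with a frequency of 2.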

Issues for Health Care Researchers
• New liability for Covered Entities
• IRB/PB workload increase
• Privacy Rule permits release of data with PHI
• Minimum Necessary requirement
• Common Rule still applies (including IRB requirements)

Burden of Research on Covered Entities
• Review research proposals
• Review IRB/PB documentation
• Assess risks/benefits
• Write data use agreement
• Minimum necessary review
• Maintain record of PHI disclosures

Research Begun Prior to April 14, 2003
• Limited grandfather clause
• Research allowed to continue if one of the following was obtained before April 14, 2003:
   • Express legal permission,
   • Informed consent, or
   • IRB-approved waiver

Penalties
• Civil monetary penalties
   • $100 per violation
   • $25,000 maximum
   • Enforced by HHS / Office for Civil Rights
• Criminal penalties
   • Maximum of $250,000 fine & 10 years in prison
   • Enforced by the Dept. of Justice

Inquiring Minds Need to Know . . .
• Privacy Rule: http://www.hhs.gov/ocr/hipaa
• California Office of HIPAA Implementation: http://www.ohi.ca.gov/state/calohi/ohiHome.jsp
• Federal HIPAA Guidelines for Research: http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf
• Committee for the Protection of Human Subjects: http://www.oshpd.state.ca.us/cphs