1 / 34

HIPAA Privacy: The Impact of HIPAA on Sponsors of Medical Research

HIPAA Privacy: The Impact of HIPAA on Sponsors of Medical Research. Sybil Ingram-Muhammad, Ph.D. Sr. Practice Director, Healthcare IntelliMark I.T. Business Solutions June, 2003. Title II: Administrative. Simplification. Privacy. Security. Transactions. Identifiers. Standards.

wrose
Download Presentation

HIPAA Privacy: The Impact of HIPAA on Sponsors of Medical Research

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Privacy: The Impact of HIPAA on Sponsors of Medical Research Sybil Ingram-Muhammad, Ph.D.Sr. Practice Director, HealthcareIntelliMark I.T. Business SolutionsJune, 2003

  2. Title II: Administrative Simplification Privacy Security Transactions Identifiers Standards Requirements Enforcement Civil Penalties -OCR Transactions Formats Provider Administrative Practices Rights of Individuals Disclosure Rules Criminal Penalties - FBI Code Sets 58 Standards Employer Standard Data Elements Accrediting Agencies Health Plan Public Complaint/Image Individual Administrative Physical Technical Technical Procedures Safeguards Services Mechanisms 12 Requirements 6 Requirements 5 Requirements 1 Requirement (Data at rest) (Data in transit) HIPAA Structure

  3. CONFUSION

  4. Research • A systematic investigation, including research development, testing and evaluation designed to develop or contribute to general knowledge vs. Health Care Operations • Conducting quality assessment and improvement activities including outcomes evaluation and development of clinical guidelines PROVIDED that the obtaining of generalizable knowledge is NOT the primary purpose of any studies resulting from such activities • ……Hmmmmm????

  5. Which do you do?What does it mean if you do what you do? • Research; no treatment • Research with treatment • Research with treatment; no bill/claim • Research with treatment, claim generated to be paid by third party • Research…with treatment…claim generated …to be paid by a “health plan” as define by HIPAA

  6. Hybrid Entity Common Ownership Issues… Common Control Issues… A single legal entity that is a covered entity whose business activities include both covered and non-covered function and designates health care components that would meet the definition of a covered entity if it were a single legal entity.

  7. Covered Functions • “Hybrid entities” with covered components--that is, an entity with one or more divisions that provide covered functions • Health Plans • Clearinghouses • Providers that conduct electronic transactions (billing, status queries, etc.)

  8. What’s The Difference??? Uses and Disclosures HI…IIHI…PHI OHCA vs. ACE Research vs. Health Care Operations Designated Record Set vs. Shadow Record Business Associate Contract vs. Data Use Agreement

  9. (A) Names; (B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000. (C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; (D) Telephone numbers; (E) Fax numbers; (F) Electronic mail addresses; (G) Social security numbers; (H) Medical record numbers; (I) Health plan beneficiary numbers; (J) Account numbers; (K) Certificate/license numbers; (L) Vehicle identifiers and serial numbers, including license plate numbers; (M) Device identifiers and serial numbers; (N) Web Universal Resource Locators (URLs); (O) Internet Protocol (IP) address numbers; (P) Biometric identifiers, including finger and voice prints; (Q) Full face photographic images and any comparable images; and (R) Any other unique identifying number, characteristic, or code Individually Identifiable Health Information (IIHI) Protected Health Information (PHI) Electronic-Written/Printed-Verbal

  10. Limited Data Set • PHI that excludes specific, readily identifiable information, not only about the individual themselves but also their relatives, employers and members of their households. 16 IIHI must be excluded. Researchers may disclose information in the limited data set if the researcher's covered entity enters into a data use agreement with the recipient of the limited data set PHI in a limited data set may not be used to contact subjects

  11. Limited Data Set & De Identification (i) Names; (i) Postal address information, other than town or city, state and zip code (iii) Telephone numbers; (iv) Fax numbers; (v) Electronic mail addresses; (vi) Social security numbers; (vii) Medical record numbers; (viii) Health plan beneficiary numbers; (ix) Account numbers; (x) Certificate/license numbers; (xi) Vehicle identifiers and serial numbers, including license plate numbers; (xii) Device identifiers and serial numbers; (xiii) Web Universal Resource Locators (URLs); (xiv) Internet Protocol (IP) address numbers; (xv) Biometric identifiers, including finger and voice prints; (xvi) Full face photographic images and any comparable images

  12. Authorizations • -Must be obtained for each use or disclosure of PHI for • research purposes • -Treatment that occur during research • trial may be conditioned based • upon the patient signing an authorization • May be combined with an informed consent to participate in the study, • another authorization or any other legal permission related to research • Authorizations received from research study participants must include • a statement that the authorization will have no expiration date

  13. Required by law Public health activities Reporting abuse Health oversight Judicial or administrative proceedings Law enforcement Deceased patients Organ transplants Threat or danger Specialized government functions Workers’ Compensation Permitted Disclosures without Authorization

  14. Waiver Criteria • IRB or Privacy board must use the following when • approving request for a waiver of written authorization: • use of the PHI involves no more than minimal risk* to the • privacy of the individual • the research could not practically be conducted without the • waiver • the research could not practically be conducted without • access to the PHI • *= plans and assurances must be put in pace to protect identifiers • from improper use or disclosures, will be destroyed at the earliest • opportunity and will not be disclosed to a 3rd party (EARBL)

  15. Reviews Preparatory to Research Researcher must represent that: • Use or disclosure is sought solely to prepare research protocol or similar purpose • No protected information will be removed from the facility during review • Information being sought is necessary for the research purposes

  16. Research on Decedents Researcher must represent that: • Use or disclosure is sought solely for research on decedents • Upon request, will provide documentation of patient’s death • Information being sought is necessary for the research purposes

  17. Business Associates • A business associate performs functions on behalf ofthe health care organization involving the use or disclosure of identifiable health information. • Examples include: billing or management companies, attorneys, accountants, consultants, and companies providing claims processing, data analysis or aggregation, accreditation, or financial services, among other services.

  18. 164.530 (c) (1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. PAST DUE >>> APRIL 14, 2003 …research activities were not exempted from this duty

  19. Where ,oh where does my PHI Flow? Oh where, oh where could it be? - Contractual obligations - Trading partner readiness - Risk assessment - Contingency plans - Coordination issues PHI Data Flows VPN Sponsor Email Provider Patient/ Subject Researcher NIH FDA REPORTING AGENCIES Clinic Business Associate CDC STATE

  20. CONSEQUENCES (Alan Goldberg, J.D., November, 2002)

  21. …a threat or a promise? “ They said they were going to come and get me before. Why should I believe they’ll come and get me now?”

  22. HIPAA Sanctions Civil penalties. Health plans, providers and clearinghouses that violate these standards will be subject to civil liability. Civil money penalties are $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated. Federal criminal penalties. Under HIPAA, Congress also established criminal penalties for knowingly violating patient privacy. • Up to $50,000 and one year in prison for obtaining or disclosing protected health information; • Up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; • Up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

  23. Who Goes To Jail? Page 82603 - Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations Extracted from the Preamble of the Final Privacy Rule: “However, we note that section 1128A(1) of the Social Security Act, which applies to the imposition of civil monetary penalties under HIPAA, provides that a principal is liable for penalties for the actions of its agent acting within the scope of the agency.”

  24. OCR HIPAA Privacy Complaint Form (excerpts) (Alan Goldberg, J.D., November, 2002) …mind answering a few questions please? • Are you filing this compliant for someone else? • Who ( or what agency or organization, eg., provider, health • plan) do you believe violated your (or someone else's) health • information privacy rights or committed another violation of • the Privacy Rule? • When do you believe that the violation of health privacy rights • occurred? • Describe briefly what happened? How and why do you believe • your (or someone else’s) health information privacy rights were • violated, or the privacy rule otherwise was violated?

  25. CONSENSUS (Alan Goldberg, J.D., November, 2002)

  26. Three Important Considerations How compliant do you want to be? …in the absence of a de facto check list, how will you determine when you’re done?

  27. Three Important Considerations … How much risk are you willing to accept? The answers to the questions help drive your: budget process $$$$ policy and procedure development defining your HCO

  28. Next Steps…What Do I Do?

  29. Research Impact Assessment A Balancing Act

  30. Expect Changes… • § 160.104 Modifications. • Except as provided in paragraph (b) of this section, the Secretary may • adopt a modification to a standard or implementation specification adopted • under this subchapter no more frequently than once every 12 months. • (b) The Secretary may adopt a modification at any time during the first year • after the standard or implementation specification is initially adopted, if the • Secretary determines that the modification is necessary to permit compliance • with the standard or implementation specification. • (c) The Secretary will establish the compliance date for any standard or • implementation specification modified under this section. • The compliance date for a modification is no earlier than 180 days after the • effective date of the final rule in which the Secretary adopts the modification. • (2) The Secretary may consider the extent of the modification and the time • needed to comply with the modification in determining the compliance date • for the modification. • (3) The Secretary may extend the compliance date for small health plans, as • the Secretary determines is appropriate

  31. Basic HIPAA Compliance Remediation Elements Senior Management Endorsement and Active Participation Budget HRT Leader HRT Team Team Composition Team SME’s General Counsel Involvement Documentation Education Implementation ***Compliance*** Monitoring and Enforcement

  32. Remediation Plan Contents • Identify responsible parties for each task • Identify change management process • Identify communication process • Policy and procedure creation /modification • Forms creation/modification • Job description review • minimum necessary/need to know • -Training Material Preparation • -Training • -Re-assessment • -Mock Sentinel Event/Review/Re-plan • -Implement • -Repeat, repeat, incorporate, repeat, repeat…

  33. Informative Web Sites • www.snip.wedi.org- Strategic National Implementation Process/ Workgroup for Electronic Data Interchange • www.aspe.os.hhs.gov/admnsimp - Department of Health and Human Services • www.cms.gov/hipaa - Centers for Medicare and Medical Services • www.edipartners.com – X12N 4010 Training • www.wpc-edi.com - Washington Publishing Company – Implementation Guides • www.aamc.org – Association of American Medical Colleges • www.healthprivacy.org - Health Privacy Project • www.ahima.org - American Health Information Management Assoc

  34. Thank You! Sybil Ingram-Muhammad, MT(ASCP), MBA, Ph.D. Senior Practice Director, Healthcare IntelliMark I.T. Business Solutions www.intellimark-it.com smuhammad@intellimark-it.com 1-972-304-2260

More Related