1 / 20

The HITECH NPRM: Overview of Research Comments

The HITECH NPRM: Overview of Research Comments. October 19, 2010 Christina Heide, JD HHS Office for Civil Rights. Dates : Published July 14, 2010 (75 Fed. Reg. 40,868) Comments were due by September 13, 2010 Roughly 300 comments were submitted by the public. Content : Business associates

zuriel
Download Presentation

The HITECH NPRM: Overview of Research Comments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The HITECH NPRM: Overview of Research Comments October 19, 2010 Christina Heide, JD HHS Office for Civil Rights

  2. Dates: Published July 14, 2010 (75 Fed. Reg. 40,868) Comments were due by September 13, 2010 Roughly 300 comments were submitted by the public Content: Business associates Enforcement Electronic access Marketing and fundraising Sale of protected health information (PHI) Right to request restrictions Minimum necessary Notice of privacy practices (NPP) Research authorizations Student immunization records Decedent information HITECH Proposed Rule

  3. Research Comment Areas • Compound authorizations for research • Authorizations for future research • Period of protection for decedents • Sale of PHI • Business associates

  4. Compound Authorizations • Current Rule: • Covered entities must use separate authorization forms for conditioned (e.g., participation in a clinical trial) and unconditioned (e.g., storage of PHI in a biorepository) research activities. 4

  5. Compound Authorizations • NPRM Proposal: • Covered entities may use a single authorization form for the use and disclosure of PHI for conditioned and unconditioned research activities, provided that the components are clearly differentiated. • Request for comment on ways to differentiate the components. 5

  6. Compound Authorizations • Comments Received: • Predominantly in favor of allowing combined authorizations • Flexibility preferred in terms of the specific approach (e.g., single vs. separate signature lines, use of check boxes, opt-in vs. opt-out) • Some opposition • May further complicate authorization forms • Patient response to such a change is unknown • No evidence to suggest that the combining forms would be beneficial 6

  7. Future Research • Current Interpretation: • Authorizations for research must include descriptions that are study specific. 7

  8. Future Research • NPRM Proposal: • Request for comment on the amount of specificity about future research uses needed in authorizations to permit individuals to voluntarily and knowingly authorize such future uses. 8

  9. Future Research • Comments Received: • Predominantly in favor of allowing authorization for future research • Most prefer maximum flexibility to ensure alignment with the Common Rule • Some in favor of requiring specific disclosure statements for certain sensitive research • Some opposition • Study-specific descriptions are necessary to protect patients • Additional burdens to interpret appropriateness of future studies 9

  10. Information about Decedents • Current Rule: • Covered entities generally must protect the privacy of decedent PHI in the same manner and to the same extent as is required for living individuals. 10

  11. Information about Decedents • NPRM Proposal: • Limit the period of protection for decedent PHI to 50 years after the date of death. • Request for comment on the appropriateness of the 50 year period. 11

  12. Information about Decedents • Comments Received: • Majority of respondents, including those from the research community, in support of proposal to limit protection to 50 year period. • Some request clarification that period of protection in no way affects record retention time frames. • Some oppose due to privacy concerns, particularly if information is highly sensitive. 12

  13. Sale of PHI • Current Rule: • General restriction on selling patient list or other PHI but no restriction on receiving remuneration in exchange for disclosing PHI in an otherwise permissible manner. 13

  14. Sale of PHI • NPRM Proposal: • Covered entities are prohibited from disclosing PHI (without individual authorization) in exchange for remuneration. If authorization is obtained, it must state that the disclosure will result in remuneration. • Research exception: No authorization required if the remuneration is limited to the cost to prepare and transmit the PHI. Request for comment on the types of costs that should be permitted. 14

  15. Sale of PHI • Comments Received: • General support for the research exception with a broad interpretation of permissible remuneration • Appreciate intent to facilitate research • Indirect costs need to be included • Some opposed to cost-based restriction within the exception and want complete exemption for research • Impediment to research, elimination of incentives • Increased burdens on IRBs • Some minimal opposition to the research exception • Authorization should be required to avoid privacy loophole 15

  16. Business Associates • Current Rule: • Covered entities may disclose PHI to business associates provided there is a contract in place to protect the information. • No direct liability on business associate for misuse of information or lack of safeguards because not “covered entity.” • Researchers are not considered business associates solely by virtue of their research activities (although they may become business associates in some other capacity). 16

  17. Business Associates • NPRM Proposal: • Changes to the definition of business associates and their liability. • Definition would now expressly include: • Health Information Organizations & Personal Health Record Vendors (to extent acting on behalf of covered entity), and • Subcontractors 17

  18. Business Associates • NPRM Proposal: • BAs directly liable for: • Security Rule violations • Impermissible uses and disclosures under Privacy Rule • Uses and disclosures must comply with Privacy Rule and business associate agreement • Failure to disclose to Secretary or provide e-access • Covered entities (and BAs) liable for acts of BAs acting as agents within scope of agency • BA must take reasonable steps in response to impermissible pattern or practice of subcontractor BA

  19. Business Associates • Comments Received: • Requests for clarification on the definition of business associate with respect to research relationships. 19

  20. Questions? 20

More Related