Page 1

New HIPAA Privacy Regulations Governing Research
Karen Blackwell, MS
Director, HIPAA Compliance
[email protected]
913-588-0942

Page 2

HIPAA

Health
Insurance
Portability and
Accountability
Act

Page 3

"In a Nutshell"

The Privacy Regulations govern a provider's use and disclosure of health information and grant individuals new rights of access and control. The regulations also establish civil and criminal penalties for violations of patient privacy.

Page 4

The History of the Privacy Rule

Proposed – November 1999
Finalized – December 2000
On Hold – February 2001
"Effective" – April 2001
Guidance – July 2001
Proposed changes – March 2002
Modified Final Rule – August 2002
More Guidance – October 2002
Much More Guidance – December 2002

Page 5

HIPAA: The Terminology

Covered entity
Protected Health Information (PHI)
Use and disclosure
Role-based access
Minimum necessary

Page 6

Covered Entities

Health plans
Health care clearinghouses
Health care providers who conduct electronic transactions related to third-party billing

Page 7

Protected Health Information (PHI)

Relates to past, present, or future health, or health care, or payment for health care
Identifies the individual, directly or indirectly

PHI can be paper, electronic, or oral. Examples include clinic charts, billing records, rounding lists, medical media, clinic or research databases, and hallway conversations.

Page 8

Use and Disclosure

"Uses" occur within the covered entity.
"Disclosures" are releases outside the entity that is responsible for holding the information.

Page 9

Role-based Access

Identify the persons or classes of persons who need access to PHI, and the categories of PHI that they need access to, in order to carry out their duties.

Covered entities must limit the PHI used or disclosed to the minimum necessary to achieve the purpose of the use or disclosure.
– Doesn't apply to disclosures made for treatment or to the individual

Page 10

Minimum Necessary

Make reasonable efforts not to use, disclose, or request more than the minimum amount of information necessary to achieve the purpose.
In the research context, this applies to studies that do not obtain written authorization from the subject.

Examples: recent visits instead of the entire Medical Record; age instead of DOB

Page 11

Basic Requirements: Research Issues

New review process for privacy issues
HIPAA requirements are in addition to Common Rule regulations
HIPAA governs how PHI is used for research and the conditions that must be met in order for covered entities to release PHI for research purposes

Page 12

Underlying Principles for Privacy

Health information belongs to the patient
Patients have a right to know how their information is being used.

Page 13

When does HIPAA apply to research?

The rules apply if we access PHI to initiate the study or if we create PHI during the course of the study.

Page 14

What makes it PHI? Health Info + Identifying Elements

Names
Street address, city, county, precinct, zip code
Dates (e.g. DOB, DOD, admission, discharge, procedure dates)
Ages over 89
Phone numbers
Fax numbers
E-mail addresses
Social security numbers
Medical record number
Health Plan Numbers
Account numbers
Certificate/license numbers; VIN/License plate number
Device identifiers and serial numbers
URLs
Internet Protocol (IP) address
Biometric identifiers, including finger and voice prints
Full face photographic images and any comparable images; and
Any other unique identifying number, characteristic, or code

Page 15

Allowable Conditions for Use of PHI in Research

Obtain written authorization from the patient

OR

Meet one of the following criteria:
– De-identified data
– IRB waiver of individual authorization
– Limited data set + data use agreement
– Activities that are "preparatory to research"
– Research on decedents

Page 16

Required Elements for Authorizations

A specific description of the purpose of the authorization and the information to be used or disclosed
The names or classes of individuals authorized to make the use or disclosure
The names or classes of individuals authorized to receive the use or disclosure
An expiration date for the authorization
A statement that the individual has a right to revoke the authorization
The consequences of refusal to sign
A statement that the information used or disclosed pursuant to the authorization may be subject to re-disclosure and no longer protected by the Privacy Rule.

Page 17

Conditions Not Requiring Authorization

De-identified data
Waiver of authorization by an IRB or Privacy Board
Limited data sets
Activities that are "preparatory to research"
Research on decedents

Page 18

De-identified data

All eighteen identifiers must be removed
Not necessarily designed for research purposes
If you are accessing or receiving only de-identified data for your project, HIPAA rules do not apply.

Page 19

Waiver of the Authorization Requirement*

Examples: retrospective chart review; accessing medical records to screen subjects for a clinical trial

Application for waiver must be approved by an IRB or Privacy Board
Use and disclosure poses no more than minimal risk to privacy
– Adequate data protection plan
– Adequate plan to destroy identifiers
– Adequate assurances against re-use or disclosure
Research is not practicable w/o waiver
Research is not practicable w/o PHI

*DHHS has promised more guidance on implementation of the waiver criteria.

Page 20

Limited data set

Example: receiving tissue samples w/ partial identifiers

Remove certain "direct identifiers"
– Name, street address, phone, fax, email, IP, SSN, MR#, insurance and billing #, device serial numbers, full-face photos, biometrics
(DOB, service dates are OK; City, zip code, precinct are OK)

Provide a Data Use Agreement
– Specific uses and planned disclosures
– No further disclosures allowed
– Agreement not to identify or contact individuals
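The two filters the deck describes, full de-identification under the eighteen-identifier list (page 14) and the limited data set that keeps dates and city/zip/precinct but drops the direct identifiers (page 20), are easy to get subtly wrong when applied to a real extract, so here is an added example that implements both over a record and reports which identifiers remain. This is illustrative code written for this page, not part of the presentation or any KUMC tool; the field names are a hypothetical schema, the sample record is constructed, and two details come from the federal Safe Harbor rule rather than the slides: dates are reduced to the year instead of dropped, ages over 89 are aggregated into "90+", and the limited-data-set removal list is extended with license/vehicle numbers and URLs, which the rule also treats as direct identifiers.

```python
"""De-identification (Safe Harbor) and limited-data-set filters for a record,
with a check that lists the identifiers still present. Constructed example;
field names are a hypothetical schema, not a HIPAA- or KUMC-defined one."""
from __future__ import annotations

from typing import Any

# Date elements are reduced to the year rather than dropped (the Safe Harbor
# rule's year exception); ages over 89 are aggregated into "90+".
DATE_FIELDS = frozenset({"dob", "dod", "admission_date", "discharge_date", "procedure_date"})
AGE_FIELD = "age"

# Fields removed outright for Safe Harbor de-identification, grouped by the
# categories on the "What makes it PHI?" slide (dates/ages handled above).
SAFE_HARBOR_REMOVE = frozenset({
    "name",                                                 # names
    "street_address", "city", "county", "precinct", "zip",  # geographic subdivisions
    "phone", "fax", "email",                                # phone, fax, e-mail
    "ssn", "mrn", "health_plan_number", "account_number",   # SSN, MRN, plan and account numbers
    "license_number", "vin", "license_plate",               # certificate/license, vehicle identifiers
    "device_serial", "url", "ip_address",                   # device, URL, IP address
    "fingerprint", "voiceprint", "face_photo",              # biometrics, full-face photos
})

# Limited data set: only direct identifiers go; dates, age, city, county,
# precinct and zip stay, and a Data Use Agreement is required for release.
LIMITED_DATA_SET_REMOVE = SAFE_HARBOR_REMOVE - {"city", "county", "precinct", "zip"}


def _is_other_unique_code(field: str) -> bool:
    """The catch-all category: 'any other unique identifying number,
    characteristic, or code'. For this schema, *_id fields count as such."""
    return field.endswith("_id")


def safe_harbor_deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Remove all eighteen identifier categories; the deck says HIPAA no
    longer applies to data that is only de-identified."""
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in SAFE_HARBOR_REMOVE or _is_other_unique_code(field):
            continue
        if field in DATE_FIELDS:
            out[field] = str(value)[:4]                  # "1912-03-17" -> "1912"
        elif field == AGE_FIELD:
            out[field] = "90+" if int(value) > 89 else value
        else:
            out[field] = value
    return out


def limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Strip direct identifiers only. The result is still PHI and may be
    released for research only under a Data Use Agreement."""
    return {f: v for f, v in record.items() if f not in LIMITED_DATA_SET_REMOVE}


def remaining_identifiers(record: dict[str, Any], standard: str) -> list[str]:
    """Fields that still identify the individual under 'safe_harbor' or
    'limited_data_set'. An empty list means the record meets that standard."""
    if standard not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown standard: {standard}")
    found: list[str] = []
    for field, value in record.items():
        if standard == "limited_data_set":
            if field in LIMITED_DATA_SET_REMOVE:
                found.append(field)
        elif field in SAFE_HARBOR_REMOVE or _is_other_unique_code(field):
            found.append(field)
        elif field in DATE_FIELDS and len(str(value)) > 4:
            found.append(field)                          # more than the year survived
        elif field == AGE_FIELD and str(value).isdigit() and int(value) > 89:
            found.append(field)
    return sorted(found)


def classify(record: dict[str, Any]) -> str:
    """Which of the deck's conditions a record falls under."""
    if not remaining_identifiers(record, "safe_harbor"):
        return "de-identified"
    if not remaining_identifiers(record, "limited_data_set"):
        return "limited data set"
    return "PHI"


# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample", "street_address": "123 Example Lane",
    "city": "Kansas City", "zip": "66160",
    "dob": "1912-03-17", "age": 91, "admission_date": "2003-02-11",
    "phone": "913-555-0100", "email": "jane@example.invalid",
    "ssn": "000-00-0000", "mrn": "MRN-000123", "ip_address": "192.0.2.10",
    "face_photo": "photo-000123.jpg", "study_subject_id": "SUBJ-0042",
    "diagnosis": "Type 2 diabetes", "hba1c": 7.9,
}

if __name__ == "__main__":
    for label, rec in (("original", SAMPLE_RECORD),
                       ("safe harbor", safe_harbor_deidentify(SAMPLE_RECORD)),
                       ("limited data set", limited_data_set(SAMPLE_RECORD))):
        print(f"{label:17s} -> {classify(rec)}; still identifying under Safe Harbor: "
              f"{remaining_identifiers(rec, 'safe_harbor')}")
```

The check is the part worth keeping: run `remaining_identifiers` on the extract you are about to hand over, and an empty list for the standard you claim (de-identified, or limited data set plus DUA) is what the privacy review will want to see. The `_id` suffix rule stands in for the "any other unique code" category and is schema-specific; a re-identification code assigned by the covered entity is a separate question the slides do not address.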

Page 21

Preparatory to Research

Example: reviewing medical records to determine adequacy of patient base

PHI may be viewed, but only de-identified data can be recorded.
Covered entity must obtain an attestation from the researcher:
– Review of PHI is solely to prepare a protocol or formulate hypotheses
– PHI will not be removed from the covered entity
– PHI being reviewed is necessary for research purposes

This activity generally precedes HSC application, if there is no formal protocol developed.

Page 22

Research on Decedents

Covered entity must obtain an attestation from the researcher:
– Research is solely on decedents
– PHI is necessary for research purposes

Covered entity may stipulate that documentation of death be provided

Page 23

Research after April 14, 2003

GRANDFATHERING
– If the consent is already signed, study visits and data collection may continue.
– Existing databases may continue to be accessed, if the data was collected under a consent or waiver of consent.
HIPAA review will happen during HSC review.
Starting 4/14, anyone who is consented or re-consented on a study MUST sign a privacy authorization
Exempt studies that collect data after 4/14 need a privacy review.
New recruitment practices
Appropriate documentation must be presented to the holder of the medical record in order to access PHI for research
Some implementation procedures are institution-specific.

Page 24

Recruitment Questions

Are you using PHI to identify subjects?
If so, what permissions do you need to gain access to the PHI?
Do you have a treatment relationship with the prospective subject?

Page 25

Allowable Recruitment Practices

Providers can always talk to their own patients about studies they are conducting.
Providers can notify the patient that they might qualify for a particular study, and the patient can initiate the contact with the researcher.
Provider or Medical Records Dept. can release information to researchers if:
– The patient signs a pre-approved authorization so that the provider can give PHI to researcher, or
– The IRB approves a partial waiver of authorization for recruitment purposes. (The HIPAA waiver criteria must be met.) Researcher identifies subjects, and member of treatment team makes initial contact.
Patients can self-refer from ads, flyers, etc.

Page 26

Other Issues

Pre-screening logs
"Future unspecified research"
Research repositories
Accounting of disclosures
Subjects' access to the research record
Computer security for research records

Page 27

Pre-screening Logs

PHI in logs cannot be disclosed because consent has not been obtained.
Options include de-identification or negotiation of a Data Use Agreement.

Page 28

Future Unspecified Research

"Future unspecified research" will no longer be allowed
Consents for tissue, blood banking, etc. need to be specific
Contacting subjects for future studies must follow new recruitment guidelines

Page 29

Research Repositories

Creation of a research repository requires HSC approval: allowed with written authorization, waiver, or a limited data set.
Subsequent studies using the repository must go through HSC.

Page 30

Accounting Requirement

Covered entities must track disclosures made under a waiver of authorization, a review preparatory to research, or research on decedents.
Patients may request the name of the study, the purpose of the study, type of PHI disclosed, timeframe of disclosure.
HIPAA Compliance Office will assign a tracking number.

Page 31

Subjects' Access to Research Records

Patients have right to access their "designated record set" – the set of medical and billing records that are used to make decisions about them.
Any temporary denial of access must be accepted by the patient.
Research records generally are not part of the designated record set.
Be sure to put any clinically-relevant information into the medical record.

Page 32

Computer Security for Research Records

Practice role-based access
Password-protect files
Store records on secured networks or servers
Obtain certification for hard drives that contain PHI

Page 33

Planning Your Study

What type of data do you need?
What's the minimum necessary?
Who holds the data you need to access?
How will you identify subjects?
What data protections will you put into place?

Page 34

Stay Tuned!

We're just beginning, and the government is planning changes.

Page 35

April 14, 2003

Office of HIPAA Compliance
Karen Blackwell, MS
Tom Field, MSEd, MHSA
913.588.0942
www.kumc.edu/hipaa/research