SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH
Angela M. Vieira, General Counsel
Children’s Hospital and Health Center, June 5, 2004
Research and Privacy
• Common Rule
  – “adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data” 45 CFR §46.111(a)(7)
• FDA
  – informed consent includes a “statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained and … not[ing] the possibility that the [FDA] may inspect the records” 21 CFR §50.25(a)(5)
Health Insurance Portability and Accountability Act of 1996
• Title I: Health Care Access, Portability, and Renewability
• www.hcfa.gov/medicaid/hipaa
• Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
• aspe.hhs.gov/admnsimp
• www.hhs.gov/ocr/hipaa
Administrative Simplification Components
• Transaction Standards
• Standard Code Sets
• Unique Health Identifiers
• Security Standards
• Electronic Signature Standards
• Information Transfer Among Health Plans
• Privacy Standards
TIMELINE
• Transactions and Code Set Standards
  – October 16, 2002 (providers, large health plans)
    • extension but must file compliance plan
  – October 16, 2003 (health plans < $5 million)
• Privacy Rule
  – April 14, 2003 (providers, large health plans)
  – April 14, 2004 (small health plans)
• Security Rule
  – April 20, 2005 (providers, large health plans)
  – April 20, 2006 (small health plans)
Who is Covered?
• Health care providers who transmit any health information in electronic transactions
• Health plans
• Health care clearinghouses
• [Prescription drug discount sponsor]
• Business associate relationships
What is covered?
• Protected health information (PHI) that is:
  – individually identifiable health information
  – transmitted or maintained in any form or medium
• Held by a covered entity in any form or medium
• De-identified information - NOT COVERED
Key Points
• Federal rule sets floor
  – covered entities may provide greater protection
  – More protective state law applies
  – California law permitted research uses & disclosures without specific authorization
• Required disclosures limited to:
  – subject of information
  – DHHS for compliance
• All other disclosures are permissive
Privacy Rule - in brief
• Notice of Privacy Practices
• Uses and disclosures permitted for treatment, payment, health care operations
• Minimum necessary requirements
• Individual rights
• Patient authorization
• Organizational requirements
• Business associates
Individual Rights
• Right to inspect and receive copy of PHI
• Right to request restrictions of uses/disclosures
• Right to request amendment
• Right to an accounting of disclosures
• Right to have reasonable requests for confidential communications accommodated
• Right to written notice of information practices from providers and plans
• Right to file complaint with DHHS or covered entity
Enforcement
• Civil Monetary Penalties
  – $100/violation
  – Capped at $25,000/calendar year for each requirement or prohibition that is violated
  – Enforced by DHHS Office of Civil Rights
• Criminal Penalties
  – Greater penalties for certain knowing violations
  – Enforced by Department of Justice
• Other liability
Permitted Uses/Disclosures – Research
45 CFR §§164.512(i), 164.514(a), (e)
• Subject authorization
• Approved waiver
• Reviews preparatory to research
• Research on decedent’s information - NEW
• De-identified information – Not subject to Privacy Rule requirements
• Limited data set
Patient Authorization – Core Elements
• description of PHI
• CE authorized to make use/disclosure
• authorized recipient of PHI
• description of each purpose
• expiration date or event
• signature and date
– personal representative’s authority
Patient Authorization - Required Statements
• Right to revoke in writing
  – How, describe exceptions OR
  – Refer to CE’s Notice of Privacy Practices
• Research participation may be conditioned on signing authorization
• Potential of information to be redisclosed by recipient and no longer protected by Privacy Rule
Patient Authorization – Additional Requirements
• Plain language
• Copy of signed authorization
Criteria for Approval of Waiver
• Minimal risk to subject’s privacy
  – Adequate plan to protect identifiers from improper use/disclosure
  – Adequate plan to destroy identifiers at earliest opportunity consistent with conduct of research, unless health, research or legal justification for retention
  – Adequate written assurances that PHI will not be reused or redisclosed to any other person or entity except as required by law, authorized oversight of research, or other permissible research
• Could not be practicably conducted without waiver
• Could not be practicably conducted without access to or use of PHI
Documentation Requirements
• Identification and date of action
• Waiver criteria
• PHI needed
• Review and approval procedures
• Required signature
Additional Requirements
• Notice of privacy practices
• Accounting of disclosures
• Minimum necessary standard
Reviews Preparatory for Research
• Permitted if CE obtains from researcher representations that:
  – use or disclosure sought solely to prepare a research protocol or for similar purposes
  – no PHI will be removed from CE by researcher in course of review
  – PHI necessary for research purposes
Research on Decedent’s Information
• Permitted if CE obtains from researcher:
  – representation that use or disclosure solely for research
  – documentation, upon request, of individuals’ deaths
  – representation that PHI necessary for research purposes
Common Rule - Waiver
• No more than minimal risk to subjects;
• Will not adversely affect the rights and welfare of the subjects;
• Research not practicably carried out without waiver or alteration; and
• Subjects provided with additional pertinent information after participation, when appropriate
Privacy Rule vs. Common Rule
• De-identified information is not subject to privacy rule requirements
  – Certain exempt research now subject to IRB review
• Coded information still subject to IRB review under Common Rule
De-identification Requirements – Expert Opinion
• Person with appropriate knowledge and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable
  – determination that risk is “very small”; and
  – documents methods and results of analysis.
45 CFR §164.514
De-identification – Removal of Identifiers
• Names
• Addresses
• Dates
• Telephone #s
• Fax #s
• E-mail addresses
• SSNs
• MRNs
• HP Beneficiary #s
• Account #s
• License #s
• Vehicle #s
• Device IDs
• URLs
• IP address
• Biometric IDs
• Photos
• Other
Limited Data Set
• Research, public health, health care operations
• CE may contract with business associate to create LDS
• Data Use Agreement
  – Privacy Rule requirements
Limited Data Set – Removal of Direct Identifiers
• Names
• Street Address
• Telephone #s
• Fax #s
• E-mail addresses
• SSNs
• MRNs
• HP Beneficiary #s
• Account #s
• License #s
• Vehicle #s
• Device IDs
• URLs
• IP address #s
• Biometric IDs
• Photos
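The two identifier lists above differ in exactly two places: de-identification removes all address elements and all dates, while a limited data set removes only the street address and keeps dates (which is why its release requires a data use agreement). The following added example, written for these slides and not taken from them or from any HIPAA tooling, applies both removal schemes to a constructed patient record using the category names exactly as the slides give them. The field names, the record, and the mapping of fields to categories are assumptions for illustration; the category lists follow the slides, not the full text of 45 CFR §164.514. The slide's "Other" catch-all is modelled by refusing to release any field the schema has not classified.

```python
"""Apply the de-identification and limited-data-set removal schemes from the
slides to a constructed patient record (added example, not the slides' own code)."""

# Identifier categories as named on the "De-identification" slide.
DEIDENTIFICATION_REMOVES = {
    "Names", "Addresses", "Dates", "Telephone #s", "Fax #s", "E-mail addresses",
    "SSNs", "MRNs", "HP Beneficiary #s", "Account #s", "License #s", "Vehicle #s",
    "Device IDs", "URLs", "IP address", "Biometric IDs", "Photos",
}

# Direct identifiers as named on the "Limited Data Set" slide:
# note "Street Address" instead of "Addresses", and no "Dates".
LIMITED_DATA_SET_REMOVES = {
    "Names", "Street Address", "Telephone #s", "Fax #s", "E-mail addresses",
    "SSNs", "MRNs", "HP Beneficiary #s", "Account #s", "License #s", "Vehicle #s",
    "Device IDs", "URLs", "IP address", "Biometric IDs", "Photos",
}

# "Street Address" is one element of "Addresses": removing the broader
# category must also remove the narrower one.
PARENT_CATEGORY = {"Street Address": "Addresses"}

# Assumed schema: which slide category each field of the constructed record
# falls under. None marks clinical fields that are not identifiers.
FIELD_CATEGORY = {
    "patient_name": "Names",
    "street": "Street Address",
    "city": "Addresses", "state": "Addresses", "zip": "Addresses",
    "dob": "Dates", "admit_date": "Dates",
    "phone": "Telephone #s",
    "email": "E-mail addresses",
    "mrn": "MRNs",
    "device_serial": "Device IDs",
    "client_ip": "IP address",
    "sex": None, "diagnosis": None, "lab_result": None,
}

# Constructed sample record (all values are made up).
SAMPLE_RECORD = {
    "patient_name": "Jane Example", "street": "1 Example Way",
    "city": "San Diego", "state": "CA", "zip": "92123",
    "dob": "1998-04-02", "admit_date": "2004-05-30",
    "phone": "555-0100", "email": "jane@example.invalid", "mrn": "MRN-0001",
    "device_serial": "DEV-12345", "client_ip": "192.0.2.10",
    "sex": "F", "diagnosis": "asthma", "lab_result": "normal",
}


def _is_removed(category, removed_categories):
    """True if the category, or any broader category containing it, is removed."""
    while category is not None:
        if category in removed_categories:
            return True
        category = PARENT_CATEGORY.get(category)
    return False


def strip_identifiers(record, removed_categories):
    """Return a copy of record without the fields in removed_categories.

    Fails closed: a field the schema does not classify is treated like the
    slide's "Other" entry and is refused rather than silently released."""
    kept = {}
    for field, value in record.items():
        if field not in FIELD_CATEGORY:
            raise ValueError(f"field {field!r} is not classified; refusing to release it")
        if not _is_removed(FIELD_CATEGORY[field], removed_categories):
            kept[field] = value
    return kept


def de_identify(record):
    """Remove every identifier category on the de-identification slide."""
    return strip_identifiers(record, DEIDENTIFICATION_REMOVES)


def limited_data_set(record):
    """Remove only the direct identifiers on the limited-data-set slide."""
    return strip_identifiers(record, LIMITED_DATA_SET_REMOVES)


def retained_identifier_categories(record, removed_categories):
    """Identifier categories still present after a scheme is applied.

    For a limited data set this is what the data use agreement has to govern;
    for a de-identified record it should be empty."""
    kept = strip_identifiers(record, removed_categories)
    return sorted({FIELD_CATEGORY[f] for f in kept if FIELD_CATEGORY[f] is not None})


if __name__ == "__main__":
    print("de-identified:", de_identify(SAMPLE_RECORD))
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    print("LDS retains:", retained_identifier_categories(SAMPLE_RECORD, LIMITED_DATA_SET_REMOVES))
```

Running it shows the de-identified record reduced to sex, diagnosis and lab result, while the limited data set additionally keeps city, state, ZIP and both dates, and `retained_identifier_categories` reports "Addresses" and "Dates" as the categories a data use agreement must cover.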
Common Issues
• Health care operations or research
  – QA, QI activities
    • Outcomes evaluation, development of clinical guidelines
  – Population-based activities relating to improving health or reducing cost
  – Protocol development, case management, case coordination
  – Cost management and planning-related analysis
    • Formulary development
    • Improved payment methodologies
• Intent is key!
  – obtaining generalizable knowledge is not the primary purpose
Common Issues
• Covered Entity, Hybrid Entity, or non-Covered Entity
  – Cities, counties, states, agencies
  – Schools, universities
  – Non-health care employers
• Databases
• Decedent research
• De-identification
WEBSITES
• Privacyruleandresearch.nih.gov – HIPAA & Research
• Aspe.hhs.gov/admnsimp – HIPAA Administrative Simplification Components
• www.dhhs.gov/ocr/hipaa – HIPAA Privacy Rule