HIPAA and the Common Rule - PowerPoint PPT Presentation

1 / 26
About This Presentation
Title:

HIPAA and the Common Rule

Description:

Establish conditions whereby subject identity cannot be readily ascertained. ... conditions so the identity of a research subject cannot readily be ascertained. ... – PowerPoint PPT presentation

Number of Views:190
Avg rating:3.0/5.0
Slides: 27
Provided by: netwo145
Category:

less

Transcript and Presenter's Notes

Title: HIPAA and the Common Rule


1
HIPAA and the Common Rule
  • Christina Solis, JD
  • Elisa Fallows, MS
  • UTHSC-H Legal Affairs and Institutional
    Compliance
  • 2004 Mini-Ethics Course

2
Impact of the Privacy Rule
  • Does not reduce the effect of the Common Rule or
    FDA regulations.
  • Mandates more protections to ensure privacy of
    subjects and confidentiality of data.
  • Requires action whenever any PHI is used for
    research.

3
Definition of Research
  • A systematic investigation designed to develop
    or contribute to generalizable knowledge.
  • 45 CFF 46.102(d) and 45 CFR 164.501

4
Definition of Human Subject
  • A living individual about whom an investigator
    conducting research obtains (1) data through
    intervention or interaction with the individual,
    or (2) identifiable private information.
  • 45 CFR 46.102(f)

5
Definition of Human Subject Operational Change
due to Privacy Rule
  • A living individual about whom an investigator
    conducting research obtains (1) data through
    intervention or interaction with the individual,
    or (2) identifiable private information

6
Regarding Research, the Privacy Rule Applies to
  • Ascertainment of Potential Subjects
  • Recruitment of Subjects
  • Consent/Authorization Process
  • Study Amendments
  • Data Management
  • Decedent Research
  • Reuse of data for another study

7
Research Provisions
  • Covered entities may use and disclose PHI for
    research
  • With individual authorization, or
  • Without individual authorization under limited
    circumstances
  • 45 CFR 164.508, 164.512(i)

8
Relationship to other Research Rules
  • The Privacy Rule does not override the Common
    Rule or FDAs human subject protection
    regulations.

9
Ascertainment/Recruitment of Potential Subjects
  • Via Review of PHI
  • Notification of a Review Preparatory to Research
  • Description Justifying a Waiver of Authorization
  • Via Ad

10
  • If PHI or other identifiable private information
    is to be recorded during the ascertainment/recruit
    ment process, consent of the potential subject,
    or IRB approval of a Waiver of Consent, must be
    obtained.
  • (DHHS NIH Common Rule Guidance 8/03)

11
Ascertainment/Recruitment Satisfying Both Rules
  • Via a Review of Preparatory to Research
  • Do not record PHI, or
  • Record PHI and obtain Common Rule IRB waiver of
    consent, or
  • De-identify PHI, then deal with the Common Rule.
  • If the data now retains a link to subject
    identity, the Common Rule still applies.
  • If the data does not retain any identifying link
    (data anonymized or unlinked), the Common Rule
    does not apply.

12
Ascertainment/Recruitment Satisfying Both Rules
  • Via Waiver of Authorization
  • Do not record PHI usually not useful or
    practical, or
  • Record PHI and obtain IRB Waiver of Consent
  • De-identify PHI usually not useful or practical

13
Exception from Requirement for Informed Consent
  • An IRB may waive consent requirement or alter
    consent element if it finds and documents that
  • (1) Research involves no more than minimal risk
  • (2) Rights and welfare of subjects will not be
    adversely affected
  • (3) Research could not be practicably be carried
    out without waiver or alteration and
  • (4) When appropriate, the subjects will be
    provided pertinent information after
    participation.

14
Reducing the Impact
  • Ensure that Information Associated with
    Data/Samples is Modified so it does not relate to
    a Human Subject and either does not involve PHI
    or is presented as a limited data/sample set.

15
  • An Activity does not prompt the Common Rule or
    Privacy Rule Considerations Requiring IRB Review
    when
  • The activity is not research OR
  • The research does not involve a human subject AND
  • The research does not involve PHI.

16
Examples of how can a PI doing research reduce
the impact of the Common Rule and the Privacy Rule
  • Modify information associated with the
    Data/Samples so the information does not relate
    to a Human Subject, and the information does
    not involve PHI or PHI is presented as a limited
    data set.

17
How to modify data/samples so the information
does not relate to a human subject
  • Anonymize (unlink) the data/samples.
  • Establish conditions whereby subject identity
    cannot be readily ascertained.

18
Anonymize (unlink) the data/samples
  • Remove all identifiers or codes that directly or
    indirectly link a particular data point or sample
    to an identifiable person.
  • These data/samples then become irreversibly
    unlinked from any subject identifiers.

19
  • Modify Information Associated with the
    Data/Samples so the Information does not relate
    to a Human Subject, and The INFORMATION DOES
    NOT INVOLVE PHI or PHI is Presented as a Limited
    Data Set.

20
Modify Information Associated with the
Data/Samples so the information does not involve
PHI
  • Remove health information
  • De-identify data/samples

21
Information is health information when it
  • Relates to ones physical or mental health or
    condition or
  • Related to ones health care OR
  • Relates to ones payment for health care.
  • 45 CFR160.103

22
Items to Exclude for De-identification 45 CFR
64.514(b)(2)
  • ? Names ? E-mail address
  • ? Addresses ? SS
  • ? Zip codes ? Medical Record
  • ? Dates except years ? Health plan beneficiary
    s
  • ? Telephone s ? Account s
  • ? Fax s ? Certificate/license s
  • ? VIN s ? Device ID serial s
  • ? URLs ?Full face photo images
  • ? biometric identifiers ? internet protocol
    address s
  • ? any other unique identifying , characteristic
    or code

23
Modify information associated with the
data/samples so the information does not related
to a human subject, and the information does
not involve PHI or PHI IS PRESENTED AS A LIMITED
DATA SET
  • Establish a limited data set with a data/sample
    use agreement.
  • Remove direct personal identifiers.
  • Remove postal address information other than town
    or city, state or zip code.
  • Note Event dates, any age and an identifying
    code related to the person are permitted.

24
Anonymization vs HIPAA De-identification
  • The only setting where IRB approval of
    anonymization (unlinking) does not also confer
    approval of HIPAA de-identification is when the
    anonymized (unlinked) health information contains
    an event date more specific than the year, or a
    geocode more specific than a state or 3 digit zip
    code, or a subjects specific age is over 89 years
    (instead state as 90 years)

25
HIPAA De-identification vs Anonymization
  • The only setting where IRB approval of HIPAA
    de-identification does not also confer approval
    of anonymization (unlinking) is when a code with
    a key linking back to the subject is retained
    with the de-identified data.

26
Approach to satisfy both
  • Establish conditions so the identity of a
    research subject cannot readily be ascertained.
  • Establish a limited data/sample set and a
    data/sample use agreement.
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "HIPAA and the Common Rule" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!