HIPAA and Research

About This Presentation

Title:

HIPAA and Research

Description:

Geographic info (city, state, zip code, etc) Elements of dates. Telephone # Fax # E-mail address ... Cheat sheet 'When you need to log a disclosure for accounting' ... – PowerPoint PPT presentation

Number of Views:192

Avg rating:3.0/5.0

Slides: 79

Provided by: cherylbyer

Category:

more less

Transcript and Presenter's Notes

Title: HIPAA and Research

1
HIPAAand Research

November 30, 2004
Educational Seminar Sponsored by the Office of
Research, the IRB, the Privacy Office and the
Security Office of WFUBMC

2
Background

HIPAA Health Insurance Portability and
Accountability Act of 1996, Public Law 104-101
was enacted on Aug. 21, 2996.
Required the establishment of privacy regulations
governing individually identifiable information
These regulations became known as the Privacy
Rule (45CFR parts 160 and 164)
Effective April 14, 2003

3
Definition of Research

Defined by the Privacy Rule as
a systematic investigation, including research
development, testing, and evaluation, design to
develop or contribute to generalizable knowledge

The Privacy Rule protects individually
identifiable health information, while at the
same time ensuring that researchers continue to
have access to medical information necessary to
conduct vital research.

5
Please Note

The Privacy Rule does not replace, modify or
change the Common Rule (45 CFR 46) and FDA
regulations (21 CFR 50 and 56)
The Privacy Rule is in addition to these
regulations
Applies to Covered Entities regardless of funding
Contains standards for de-identifying info
Requires Authorization
Applies to decedents information

6
Protected Health Information (PHI)

Health information Identifier PHI
Applies to information transmitted or maintained
in any form including paper and web-based
Does not include de-identifiable health
information or biological tissue

7
Use and Disclosure of PHI

Under the Privacy Rule, PHI may only be used for
Treatment
Payment
Operational activities
For research purposes, an authorization to use
and disclose PHI must be obtained unless waived
by the IRB

8
Use and Disclosure of PHI Continued

Research provisions apply to
Covered entities (CEs) that may disclose
individually identifiable health information that
they create or maintain
Researchers who, as members of the CE, receive
individually identifiable information from other
CEs or create individually identifiable health
information as part of research activites

9
Use and Disclosure of PHI Continued

PHI Includes demographic information whether oral
or recorded in any medium or form that relates
to
An individuals past, present or future physical
or mental health or condition
The provision of health care to the individual
The past, present, or future payment for the
provision of healthcare to the individual that
identifies the individual or for which there is a
reasonable basis to believe that the information
can be used to identify the individual.

10
18 Identifiers

Names
Geographic info (city, state, zip code, etc)
Elements of dates
Telephone
Fax
E-mail address
SS
Medical record, prescription
Health plan beneficiary
Account

Certificate/license
VIN or serial , license plate
Device identifiers, serial s
Web URLs
IP addresses
Biometric identifiers (finger prints)
Full face or comparable photos
Unique identifying s

11
Sources of PHI
12
What is needed to participate in research?

SINCE April 14, 2003
Informed Consent
Authorization to disclose PHI
Waiver of both IC Auth

BEFORE April 14, 2003
Informed Consent or Waiver

13
What is an Authorization

The default requirement for use of PHI in
research.
A study specific document that tells study
participants how their PHI will be used and
disclosed.
For sub-studies, authorization must be obtained
for the sub-study
Authorization for future, unspecified research is
NOT permitted but Authorization may be obtained
to permit the use or disclosure of PHI to create
or maintain a repository or database.

14
Authorizations continued

Any individual wishing to participate in a study
must sign an authorization on after April 14,
2003 when a consent form is signed
Participants can revoke an authorization at any
time they would no longer be able to
participate in the study however, any data
collected up until the participant revokes the
auth can be used
Authorizations must be kept on file for 6 years

15
Elements of an Authorization

Core Elements (signified by ?)
Description of PHI to be used or disclosed
Person(s) authorized to make the requested use or
disclosure.
Person(s) to whom the covered entity may disclose
PHI.
Each purpose for the use or disclosure.
Expiration date or event ("end of the research
study").
Participant Signature and Date

Statements (signified by ?)
Right to revoke Authorization plus exceptions and
process.
Ability/Inability to condition treatment,
payment, or enrollment/eligibility for benefits
on Authorization.
PHI may no longer be protected by Privacy Rule
once it is disclosed by the covered entity.

The authorization must be written in plain
language, and the covered entity must provide the
individual with a copy of the signed
Authorization.
16
New IRB Policy

Effective January 1, 2005
Authorizations MUST be compounded into the
Informed consent for (ICF) for all new protocol
applications.
For continuing review, Authorization language
MUST be incorporated into the ICF

17
Research Authorizations

All language in IC Template under Use,
Disclosure and Confidentiality of Health
Information (pages 89) MUST be included in ICF.
New language for expiration date
This consent and authorization form is effective
for 6 years or 5 years after the end of the
study, whichever is longer.

18
Research Authorizations Continued

Can cover the use and disclosure of PHI for
multiple activities of a specific study
including
The collection storage of tissues (even if the
tissue is stored in a central repository for
future use)
However
If an authorization is used for more than one
activity, each activity must be clearly specified
You cannot combine activities where the provision
of research-related treatment, payment, or
eligibility is contingent upon storage of tissue
samples

19
Research Authorization Continued

If you did not receive authorization for an
active study, you MUST go back and obtain it from
the subject.
To revoke an authorization, the subject must send
a written request to the PI.
A copy of the letter should be sent to the
Privacy Office.

20
Waiver of Authorization

Used a lot for studies that do not involve the
collection of health information or where
authorization does not apply
Used a lot in retrospective chart review studies
Can only be determined by the IRB
Investigators must have written documentation
from the IRB that authorization has been waived

21
How to obtain a waiver

Complete the Request for Waiver of Authorization
form on the IRB website
Must prove the following
The use or disclosure of PHI involves no more
than minimal risk to privacy
There is an adequate plan to protect the
identifiers from improper use and disclosure
There is an adequate plan to destroy the
identifiers at the earliest opportunity

22
How to obtain a waiver continued

There are written assurances that the PHI will
not be reused or disclosed to any other person
except as required by law
The research cannot practicable be conducted
without the waiver
The research could not practicably be conducted
without access to and use of the PHI

23
Accounting for Disclosures

When PHI is accessed through a waiver of
authorization, the researcher muse account for
such disclosures.
For example, if PHI is accessed in a
retrospective chart review (using either paper or
electronic records), you must account for the
disclosure
Information on what needs to be documented is
included in the approval memo

24
De-Identification of Research Records

Means the deletion of the 18 identifiers defined
by the HIPAA Privacy Rule
Can use age, gender, marital status, ethnicity as
identifiers
Can have a qualified statistician determine that
there is a small risk that the information can be
used to identify the subject
De-identified data sets are not subject to HIPAA
Privacy Rule regulations

25
Limited Data Sets

Deletion of 12 of the 18 identifiers those that
are direct identifiers must be removed
Limited Data Sets can include
Zip codes or other geographic subdivisions such
as State, city, or county
All elements of dates (date of birth, date of
admission, etc.)
Unique Identifiers if certain requirements are
met
Limited Data Sets are considered PHI under the
Privacy Rule

26
Unique Identifiers

A CE can assign to, and retain with, the health
information a code or other means of record
identification if that code is not derived from
or related to the information about the
individual and could not be translated to
identify the individual.
The CE cannot use or disclose the code or means
of record identification and cannot disclose the
means of re-identifying the information.

27
Example

A randomly assigned code that permits
re-identification through a secured key to that
code would not make the information to which it
is assigned PHI because a random code would not
be derived from or related to information about
the individual and because the key to that
information is secure.

28
Disclosing a Limited Data Set

To send a limited data set outside the
institution, you must use a Data Use Agreement
(DUA)
DUAs assure the CE that the recipient of the data
set will use or disclose the PHI for purposes
specified in the document.
A template DUA is available on the IRB website
under the HIPAA heading.

29
Disclosing a Limited Data Set Continued

You must retain a copy of the DUA with the study
documents.
You must provide a copy of the DUA to the
recipient of the limited data set.
DUAs must be signed by the IRB Director or Legal
Counsel at WFUBMC

30
Receiving a Limited Data Set

When receiving a limited data set from an entity
outside WFUBMC, you must request a DUA.
If an investigator received a limited data set
and does not have a DUA, they have violated the
Privacy Rule.
The IRB Director, Assistant Director, or
Institutional Legal Counsel must review and
approve all Data Use Agreements

31
Review Preparatory to Research

Researchers can review PHI to prepare a protocol
or grant application.
This allows the researcher to determine, for
example, if there is a sufficient number of
records to conduct research.
The researcher CANNOT remove the PHI from the CE

32
Requirement for Review Preparatory to Research

The researcher must document that
The use or disclosure is sought solely to review
PHI as necessary to prepare the research protocol
or other similar purpose
No PHI will be removed from the CE during the
review
The PHI the researcher seeks to use or access is
necessary for research purposes

33
Using Prep to Research Provision for Recruitment
Purposes

Can use the preparatory to research provision to
determine the number of eligible subjects for a
research project
To contact those individuals, you MUST have a
waiver of authorization from the IRB
The contact is then subject to the accounting of
disclosure

34
Research on Decedents

Research on decedents is not subject to human
subject regulations but is subject to HIPAA
Privacy Rule regulations.
Researchers must assure that
The information being sought is solely for
research on decedents
The information being sought is necessary for
research purposes

35
Minimum Necessary Rule

Privacy Rule requires researchers to request and
maintain only the minimum necessary PHI to
accomplish your research purpose.
Researchers are responsible for designating
personnel who need access to study files that
contain PHI. Access should be commensurate with
the role of the individual on the project.

36
Transition Provisions

Researchers are allowed to use study-specific PHI
that was obtained either on or before April 14,
2003 provided that an ICF or waiver of consent
was obtained.
Grandfathering provision only applies to studies
who recruited all participants and had consent
forms signed prior to April 14, 2003.
If re-consenting for whatever reason on or after
April 14, 2003, you MUST also get authorization
to use and disclose PHI for research purposes.

37
Research Databases Repositories

The creation and use or disclosure of PHI from a
database or repository is considered a research
activity under the Privacy Rule.
When using existing databases repositories, it
may be impracticable to obtain authorization so
the IRB can waive the requirement.
Prospective collection of data or tissue samples
generally requires authorization (as well as
consent)

38
Research Databases Repositories

Three ways in which PHI can be compiled for a
database or repository
With individual authorization from the subject
With a waiver of authorization obtained from the
IRB
In a Limited Data Set accompanied by a Data Use
Agreement when obtained from outside the
institution

39
Other Times PHI can be used without an
Authorization

When required by law
To public health entities authorized by law to
collect or receive information to prevent or
control disease, injury or disability
When the information involves the FDA or
FDA-regulated products or activities.
When reporting to oversight agencies such as the
Office of Human Research Protections

40
Recruitment

Must get authorization/or waiver of auth to
contact potential subjects.
Initial contact should come from someone involved
in the care of the potential subject.
Health care providers can talk to their patients
about available studies.
Researchers can advertise and eligible
participants can contact study directly.

41
Resources

Office of Civil Rights - http//www.hhs.gov/ocr/hi
paa
US Dept. of Health Human Services and the
National Institute for Health Website -
http//privacyruleandresearch.nih.gov
Education materials include the following
guidance documents
Protecting Personal Health Information in
Research Understanding the HIPAA Privacy Rule
Research Repositories, Databases and the HIPAA
Privacy Rule
Clinical Research and the HIPAA Privacy Rule
HIPAA Authorization for Research

42
HIPAA and Researchfrom the Privacy
OfficePerspective

What, When, and How to
Lori Lamb
Privacy Program Manager

43
Research Under HIPAA

Situation in which PHI may be used for research
purposes
With an individual Authorization
With a waiver of Authorization by IRB
By de-identification of PHI
As a limited Data Set with a Data Use agreement
As an activity preparatory to research
For research on a decedents information

44
Research Under HIPAA

Research involving uses (accesses) and
disclosures with a HIPAA compliant signed patient
Authorization do not require an accounting
HIPAA Authorization and Consent under the Common
Rule are not the same, though some forms are
combined and contain verbiage to meet both
requirements
All other research involving use or disclosure of
PHI, regardless of funding, requires accounting
documentation (retained for six years)
HIPAA Privacy Rule effective date April 14, 2003

45
Revoking an Authorization

Individuals have the right to revoke their
Authorization in writing
Except covered entities may continue to use or
disclose PHI that was obtained before a
revocation if necessary to maintain the
integrity of the research study (Reliance
exception)

46
Revoking an Authorization

For example, researchers can continue using PHI
to account for a subjects withdrawal from a
study
Please notify the Privacy Office of all
revocations you can send a copy
We are required to keep the revocation
documentation for six years

47
Disclosure Defined

HIPAA Legal Definition the release,
transfer, provision of, access to, or divulging
in any other manner of information (written,
verbal, electronic) outside of the entity holding
the information 160.103

48
Operationally Think in one of two scenarios

We communicate or send PHI to an outside person
or entity.
We allow individuals/organizations into our
facility to have access to PHI. This also means
allowing remote access to PHI.
Both are disclosures!

49
An Accounting of Disclosure is documented
evidence of all accountable disclosures of PHI.
50
Accounting for Disclosures

In general, an accounting is required for PHI
disclosures made without Authorization
Including research disclosures of PHI for
Reviews preparatory to research
Research using decedents PHI
Research under a waiver of Authorization
Disclosures to public health authorities or
sponsors
Most disclosures mandated by law

51
Research Use and Disclosure of PHI Requiring
Accounting of Disclosure

Preparatory to Research
Requires notification of the entity holding the
PHI
Researcher must provide representation that
The PHI is to be used solely to prepare a
protocol or for a similar purpose
The PHI will not be removed from the covered
entity
The PHI is necessary for research

52
Research Use and Disclosure of PHI Requiring
Accounting of Disclosure

Preparatory to Research
A form is available on the IRB web site under
HIPAA
Complete this form and keep with research for six
years
May be used to develop hypothesis, protocol, or
characteristics of research cohort
May not be summarized, used, or presented as a
research study without prior IRB approval

53
Research Use and Disclosure of PHI Requiring
Accounting of Disclosure

Decedents Information
The researcher must provide representation that
The use and disclosure is solely for research
The PHI is necessary for research
The individual is deceased and provide
documentation upon request
A form is available on the IRB web site under
HIPAA Request for Preparatory Research
Maintain document for six years

54
Research Use and Disclosure of PHI Requiring
Accounting of Disclosure

IRB Waiver of Authorization Obtain documentation
that the IRB has determined that each of the
following waiver criteria were satisfied
The use or disclosure involves no more than
minimal risk because of an adequate
plan/assurance
To protect PHI from improper use or disclosure
To destroy identifiers at the earliest
opportunity
That PHI will not be inappropriately reused or
disclosed

55
Research Use and Disclosure of PHI Requiring
Accounting of Disclosure

IRB Waiver of Authorization
The research could not practicably be conducted
without the waiver
The research could not practicably be conducted
without access to and use of PHI
Keep this documentation for six years
Waiver is very specific dont exceed the waived
components

56
Accesses to Providers Own Patient Records

Is Accounting Of Disclosures (AOD) Required? The
key is the reason for the access
Treatment purposes no AOD required
Research with Authorization no AOD required
Research requiring IRB Approval AOD required
Preparatory Research AOD required
Decedent Research AOD required

57
Disclosure to a Public Health Authority or
Required by Law

Disclosure without Authorization permitted if
required by law or for public health activities
Example Adverse event reporting to a sponsor,
FDA, NIH
A covered entity may disclose PHI related to an
adverse event to NIH if required to do so by NIH
regulations. Even if not required to do so, the
researcher may disclose adverse events to NIH as
a public health authority
Does require an Accounting of Disclosure

58
New WFUBMC Policy

PPB-NCBH-MC-32Accounting of Disclosures Policy
Includes
Definitions
Procedure for documenting
Instructions for directing a request for AOD
Cheat sheet When you need to log a disclosure
for accounting
Sample log with required components

59
This can be in many forms, written or electronic

A log
A list
A specific document
A registry (if it captures the required
components)
We may already be doing this for other reasons.

60
Items that must be logged for an Accounting

Patients name
Medical record number
Date of disclosure and/or access
Name and address of person receiving PHI
Brief description of the purpose of disclosure
(i.e., study number, type of survey, etc.)
Brief listing of PHI disclosed and/or accessed
Logs must be maintained for six years
Currently must be maintained by the primary
investigator (PI)

61
What will happen if a request for an Accounting
of Disclosures is received?

ALL must go through the Privacy Office
60-day federal timeframe for response
Privacy Office will coordinate communication
throughout the system to gather data
Privacy Office will track, log, and respond to
requestor

62
What will your role be?

Properly logging accountable disclosures when
they occur
Maintain log/documentation in a safe but
accessible location
When the Privacy Office calls your area, they
will request information of any accountable
disclosures by your department for the patient
Search your logs and documentation. If
name/medical record number is found, report the
six required items to the Privacy Office
Remember short timeframes!We need your help!

63
Patients Right to Complain

HIPAA related
Complaints must be directed to the Privacy Office
(713-4472)
Privacy Office must conduct an investigation of
legitimate complaints
Privacy Office must determine if any HIPAA
violations have occurred
Privacy Office must make recommendations that may
include system changes to minimize risk or
sanctions per the Medical Centers policy
Time sensitive
This is a separate function, not the same as IRB
oversight of the Common Rule

64
Problem Areas that may precipitate or result from
a Privacy investigation

Lack of Authorizations in a non-waived study
Authorization is not HIPAA compliant
Uses, accesses or disclosures of PHI that exceed
what was authorized or the specific components of
the IRB waiver
Complaints by patients/employees about inclusion
in studies (waived)

65
Problem Areas that may precipitate or result from
a Privacy investigation

Unauthorized accesses to medical record
(off-site, non co-investigators)
Photography, videoing, audioing without proper
Authorization
Publishing non de-identified, unauthorized PHI

66
Improper Disclosures

Improper disclosures are those that are
intentionally or unintentionally
Made in error wrong Rx, wrong chart, spoke to
wrong person
Not permitted by law breach of state or federal
statute
Made without proper Authorization not included
in what is authorized, outside of IRB waiver
components
They have varying risks.Example Lost PDA or
laptop with PHI

67
All improper disclosures must be reported to the
Privacy Office immediately

Privacy Office will account for them, as required
May require an investigation
May require mitigation
Facilitate steps to prevent future disclosures

68
WFUBMC Privacy Office
We are here to help! JT Moser, Chief Privacy
Officer (3-2300) Lori Lamb, Privacy Program
Manager (6-5942) Let us help you be HIPAA
compliant!
69
HIPAA/Research Security

Jon Brown
WFUBMC Security Officer

70
I.T. Security Office

Purpose is to protect the Medical Centers
electronic assets.
Foundation
Security Policy
Training/Awareness
Web Site - http//intranet.wfubmc.edu/security
Contact us
security_at_wfubmc.edu
65401

71
When is Research Data Confidential?

Contains patient identifiers
Data that if lost, stolen, or found could
Cause early termination of a study
Result in self reporting to funding organization
Result in another organization getting credit
Data that is changed by an unauthorized person
could
Alter the outcome of a study
Negatively affect our reputation as a research
facility.

72
When is Research Data Considered Critical?

Can not be recreated if data is lost, stolen or
corrupted.
Study required retention policy
Hard drive crashes after 5 years of 10 year
retention policy.
Fire destroys paper one year into 5 year
retention requirement.
Study data not analyzed
Hard drive failure prior to data analysis
Paper based information destroyed prior to entry
to computer system.

73
Security Standards

Industry Best Practices
Meets Regulatory Requirements
21 CFR Part 11
HIPAA

74
Security Standards for Research Databases
Containing Confidential Information
75
Security Standards for Research Databases
Containing Confidential Information
76
Security Standards for Research Databases
Containing Confidential Information
77
TIPS