HIPAA and Research - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
HIPAA and Research
OSR, IRB Administrators, and IRBs: New Roles
Tina S. Sheldon, Compliance Risk Management,
Risk Management & Audit Services
  • HIPAA Working Group
  • November 22, 2002

2
Agenda
  • HIPAA Basics: What is it? Who must Comply with
    it?
  • How does HIPAA Impact Harvard?
  • How does HIPAA Impact Research?
  • How Can Researchers Obtain Protected Health
    Information? Five Pathways to Obtaining
    Information
  • HIPAA Roles & Red Flags: PIs, OSR, IRBs
  • HIPAA Research Quick Reference
  • HIPAA Website References

3
What is the HIPAA Privacy Rule?
  • It is a federal regulation, issued under the HIPAA
    statute, that protects the privacy of individually
    identifiable health information.
  • The protection applies to all forms of
    information, e.g. electronic, paper and oral.
  • The rule was enacted to restore public trust in
    the health care industry.
  • The rule creates a floor for health care privacy;
    stricter state laws continue to apply.

4
What is Protected Health Information (PHI)?
  • Medical Records, e.g. Medical History, Diagnosis,
    Treatment
  • Payment Information, e.g. Bills, Receipts, EOBs
  • Ancillary Services, e.g. X-Rays, Labs
  • Demographic Information (When Maintained with
    Health Information), e.g. Date of Birth, Social
    Security Number
  • Note: The protection includes information
    relating to the past, present and future physical
    or mental health of a person. The protection
    also includes information generated in the
    context of clinical research.

5
Who Must Comply with HIPAA?
  • Health Care Providers (includes researchers when
    they provide health care, e.g. clinical trials)
  • Health Care Plans
  • Health Care Clearinghouses
  • Note: The above groups are considered "covered
    entities" and must make a good faith effort to
    comply with the rule.

6
What are Covered Entities Required to do?
  • Limit Use & Disclosure of PHI to Treatment,
    Payment & Health Care Operations (TPO)
  • Ensure Individual Rights:
    • Receive Privacy Notice
    • Have Questions Answered
    • Access to their Information
    • Obtain Copies of their Records
    • Amend their Records
    • Limit Use & Disclosure of their Information
    • Request an Accounting of Certain Uses &
      Disclosures
    • Have their Information Protected
  • Implement Administrative Requirements:
    • Obtain Authorizations
    • Provide Access, Amendments & Accounting
    • Restrict Communications
    • Restrict Use & Disclosure
    • Train Entire Work Force
    • Enforce & Redress Noncompliance

7
How does HIPAA Impact Harvard?
  • Harvard has PHI on campus.
  • Harvard has covered entities.
  • Harvard has non-covered entities impacted by
    HIPAA.

8
Where is PHI at Harvard?
  • University Health Services
  • Dental School Dental Clinic
  • Mental Health Services (Schools)
  • Student Athletics
  • Faculty & Staff Assistance Program
  • University Group Health Plan
  • Medical Flexible Spending Account Plan
  • Workers Compensation
  • Disability Plan
  • Research with Human Subjects

9
What are Harvard's Covered Entities?
  • Health Care Providers:
    • University Health Services
    • Dental School Dental Clinics
  • Health Plan:
    • University Group Health Plan
    • Medical Flexible Spending Account Plan
  • Health Care Clearinghouse:
    • None

10
How is Harvard Approaching HIPAA?
  • Hybrid Organization Model:
    • Primary Function: Education & Research
    • Designate Health Care Components: HUHS (HUGHP),
      HSDM, BSG/OHR
    • Document Designation: Corporate Vote
  • Privacy Officer:
    • Each Covered Component has Designated a Privacy
      Officer
    • Each Privacy Officer has Access to Governing Body

11
If Research is not a Covered Entity, Does HIPAA
Apply?
  • Yes! Even when the researcher is not part of a
    covered entity, the data usually come from one,
    and the covered entity may release them only
    under the Privacy Rule's research provisions.
  • HIPAA will therefore apply to the following types
    of research:
    • Biomedical Research
    • Psychological Research
    • Epidemiological Research

12
How does HIPAA Impact Research?
  • PIs will need to go through the covered entity's
    "HIPAA hoops" to obtain data, e.g. Authorization,
    Waiver of Authorization, Data De-identification
    or Limited Data Set.
  • Harvard's IRBs will need to consider research
    subjects' privacy rights.
  • Bottom line: research data may be more difficult
    to obtain!

13
Are Harvard's HIPAA Research Obligations the Same
as the Teaching Hospitals'?
  • NO, because:
  • Harvard University is not a covered entity. It
    is a hybrid entity with three covered
    components.
  • Harvard's researchers predominantly obtain data
    from covered entities outside the University.
    These entities are required to comply with all of
    HIPAA's privacy requirements. The covered entity
    is on the line to protect individuals' health
    information.
  • Note: In some instances, Harvard's researchers
    may themselves be considered covered entities,
    e.g. MDs providing health care. In those
    situations, the PI must satisfy their HIPAA
    obligations as a covered entity.

14
What are the Barriers to Getting Information for
Research?
  • Covered Entities' Requirements:
    1. Keep records of certain disclosures
    2. Provide an accounting of certain disclosures,
       including:
       a. Use pursuant to waiver
       b. Use preparatory to research
       c. Use of PHI of decedents
    3. Provide only the minimum necessary information,
       including:
       a. Use pursuant to waiver
       b. Use preparatory to research
       c. Use of PHI of decedents
       d. Use of limited data sets
  • Note: This requires significant resources, e.g.
    time and labor, as well as strong internal
    controls on the part of the covered entity.

15
What are the Barriers to Getting Information for
Research? (continued)
  • State Preemption:
    • Most states have health care privacy laws (e.g.
      mental health, HIV, confidentiality).
    • HIPAA does not preempt stricter state statutes;
      where state law is more protective of the
      individual, it prevails.

16
How can PHI be Obtained?
  • Five Pathways for Permitted Use of PHI for
    Research-Related Purposes:
    • Part of Health Care Operations
    • Authorization by Research Participant
    • Waiver of Authorization by IRB or Privacy Board
    • De-Identification of Data
    • Limited Data Set with a Data Use Agreement

17
What are Health Care Operations?
  • Protocol Development
  • Quality Assurance
  • Clinical Guidelines & Outcome Studies
  • Population-based Activities Relating to Improving
    Health Care or Reducing Health Care Costs

18
Is it Research or Health Care Operations?
  • The Common Rule and the HIPAA Privacy Rule define
    research as "a systematic investigation, including
    research development, testing and evaluation,
    designed to develop or contribute to
    generalizable knowledge."
  • The HIPAA Privacy Rule defines health care
    operations as "conducting quality assessment and
    improvement activities, including outcomes
    evaluation and development of clinical
    guidelines, provided that the obtaining of
    generalizable knowledge is not the primary
    purpose of any studies resulting from such
    activities." In other words, you must determine
    whether or not the primary purpose is to
    contribute to generalizable knowledge, e.g.
    publication of study results.

19
What is Authorization?
  • Each Study Participant Permits Use & Disclosure
    of their PHI for Research Use
  • Authorization for Use & Disclosure Can Be
    Combined with any Other Legal Permission Related
    to the Research Study, e.g. Informed Consent
  • Must Contain the Required Privacy Notice
    Provisions
  • Must be Written in Plain Language
  • Note: Authorizations are most applicable to
    clinical trials. The process is primarily between
    the researcher and the covered entity; however,
    IRBs should be aware of the requirements.

20
What is Required in an Authorization?
  • Description of the information to be used or
    disclosed
  • Identification of the persons authorized to make
    the use or disclosure of PHI
  • Identification of the persons to whom the covered
    entity is authorized to make the use or
    disclosure
  • Description of each purpose of the use or
    disclosure. The purpose must be described
    specifically, as it relates to the study at hand.
  • Expiration date or event. Research authorizations
    may state that there is no expiration date, or
    that the authorization ends with the study.
  • Individual's signature and date; and
  • If signed by a personal representative, a
    description of his/her authority to act for the
    individual.

21
What is Required in an Authorization? (continued)
  • The authorization must also include:
  • Notification that individuals have the right to
    revoke the authorization at any time, in writing.
    The PI may continue using & disclosing PHI
    obtained prior to revocation as necessary to
    maintain the integrity of the research. (In other
    words, the PI is not required to remove PHI from
    completed databases and can continue to analyze
    data that has already been collected. However,
    the PI cannot use data already collected for
    other research purposes without a waiver of
    authorization.) Once the individual has revoked,
    the covered entity may not disclose any
    additional PHI about that individual to the PI.
  • Statement that treatment, payment, enrollment, or
    eligibility for benefits may not be conditioned
    on obtaining the authorization (the rule does
    permit research-related treatment to be
    conditioned on the authorization).
  • Statement about the potential for health
    information to be re-disclosed by the recipient
    and no longer protected by the Privacy Rule.

22
What is De-Identified PHI?
  • Information that does not identify the
    individual, and for which there is no reasonable
    basis to believe the information can be used to
    identify an individual.

23
What is Required to De-Identify PHI?
  • Either (a) "Safe Harbor": Removal of 18 Specified
    Identifiers:
    • Name
    • All Geographic Subdivisions Smaller Than a
      State (Street, City, County, Precinct, Parish,
      Zip Code & their Equivalent Geo-codes), Except
      for the Initial 3 Digits of a Zip Code (and only
      if that 3-digit area holds more than 20,000
      people; otherwise the 3 digits become 000)
    • All Elements of Dates, Except Year (Birth Date,
      Admission Date, Discharge Date, Date of Death)
    • All Ages Over 89 & Dates and Elements Indicative
      of such Ages (Unless Aggregated into a Single
      Category of Age 90 or Older)
    • Telephone & Fax #s
    • E-mail Address, IP Address, URL
    • Social Security #, Medical Record #, Health Plan
      Beneficiary #, Account #
    • Certificate & License #, VIN, Device Identifiers
      & Serial #s
    • Full Face Photographs, Biometric Identifiers
    • Any Other Unique Identifying Number,
      Characteristic, or Code
  • Or (b) "Expert Determination": Assurance by a
    Statistical Expert that Individuals are not
    Identifiable (a person with appropriate knowledge
    and experience in applying generally accepted
    statistical & scientific principles & methods for
    rendering information not individually
    identifiable).

24
How Useful is De-Identified Data?
  • In general, de-identification strips the very
    elements many studies depend on, which can make
    the data useless for them. For example:
    • Relational Databases (e.g. comparison of a
      genetic database with a clinical database)
    • Certain Longitudinal Studies (e.g. adding new
      data on identifiable individuals)
    • Certain Outcome Studies (e.g. inability to use
      the date of an event may undermine the study)
    • Epidemiological Studies (e.g. need dates to
      track disease)
    • Studies Involving Infants (e.g. need DOB)
    • Studies Involving Environmental Factors (e.g.
      need zip codes)
  • Note: Once identifiers have been stripped, covered
    entities can assign new unique codes to subjects
    so that records can later be re-identified for
    research use of the database. The code must not be
    derived from information about the individual
    (e.g. not a hash of the SSN or medical record
    number), and the re-identification mechanism must
    not be disclosed.

25
What is a Limited Data Set?
  • Limited Set of Information to be Used for
    Research, Public Health, and Health Care
    Operations Purposes
  • Permits Use of Some Identifiable Health
    Information:
    • Five-Digit Zip Codes (and City, State)
    • Geo-Codes
    • Dates of Birth
    • Age Expressed in Years, Months, Days or Hours
    • Dates of Death
    • Dates of Admission/Discharge/Service
  • Excludes Direct Identifiers
  • Subject to Minimum Necessary Standard

26
What is a Limited Data Set? (continued)
  • Data set must be stripped of:
    • Name
    • Street Address
    • Telephone & Fax #s
    • E-Mail Address
    • Social Security #
    • Certificate/License #
    • Vehicle Identifiers & Serial #s
    • URLs and IP Addresses
    • Full Face Photos & Comparable Images
    • Medical Record #, Health Plan Beneficiary #,
      Account #
    • Device Identifiers & Serial #s
    • Biometric Identifiers
  • Note: Unlike the Safe Harbor list, this list does
    not include the catch-all phrase "any other unique
    identifying number, characteristic, or code."

27
What is Required to have a Limited Data Set?
  • Requires a Data Use Agreement Between Covered
    Entity & Researcher that:
    1. Defines who can use or receive the data
    2. Defines for what purpose the data may be used
    3. Provides that the PI will not re-identify the
       data or contact the data subjects
    4. Provides that the data will be safeguarded and
       not used for unauthorized purposes
    5. Provides that the researcher will report
       improper uses & disclosures
    6. Provides that the researcher will push down the
       privacy protection obligations to
       subcontractors and agents
  • Note: HHS has recourse against the covered entity
    only if the covered entity knows of a pattern of
    activity that materially breaches the agreement
    and fails to take reasonable steps to cure it
    and, if unsuccessful, to discontinue disclosure
    and report to HHS. As a result, covered entities
    will be concerned about the terms & conditions of
    the Data Use Agreement.

28
What is a Waiver of Authorization?
  • An IRB or Privacy Board Waives the Authorization
    Requirement. A waiver of authorization can be
    obtained from any IRB or Privacy Board. A covered
    entity can rely on the decision of any IRB or
    Privacy Board; it can also accept or reject any
    such decision.
  • Minimum Necessary Standard Applies. IRB waivers
    should inform the covered entities which data
    elements are necessary for a given research
    project.
  • IRB Plays a Direct Role in the Waiver Process.
  • Note: Most applicable when authorization is
    impracticable, e.g. retrospective medical
    research, identifiable database research.

29
What are the Criteria to Waive Authorization?
  • Waiver of Authorization Criteria:
    1. The use or disclosure involves no more than
       minimal risk to the privacy of the individual.
       The researcher must provide the following:
       (a) Adequate plan to protect identifiers from
           improper use or disclosure;
       (b) Adequate plan to destroy identifiers at the
           earliest opportunity, unless there is a
           health or research justification for
           retaining them or retention is required by
           law; and
       (c) Adequate written assurances that the PHI
           will not be reused or disclosed to any
           other person or entity, except as required
           by law, for oversight of the research, or
           for other research permitted by the Privacy
           Rule.
    2. The research could not practicably be
       conducted without the waiver; and
    3. The research could not practicably be
       conducted without access to and use of the PHI.

30
Other Issues: Reviews Preparatory to Research
  • A covered entity may use or disclose PHI for
    research provided that the covered entity obtains
    written representations from the researcher
    that:
  • The use or disclosure is sought solely to review
    PHI as necessary to prepare a research protocol
    or for similar purposes preparatory to research;
  • No PHI is to be removed from the covered entity
    by the researcher in the course of the review;
  • The PHI for which use or access is sought is
    necessary for the research purposes; and
  • The researcher will only record de-identified
    information.
  • Note: PIs cannot comb through the medical records
    of a covered entity to identify potential research
    subjects. The PI needs an authorization or waiver
    of authorization to identify research candidates.
    Treating MDs can discuss clinical trial enrollment
    with their own patients but are not authorized to
    discuss patients with research colleagues for
    potential enrollment purposes. PIs who are not
    covered entities or the workforce of a covered
    entity can use pre-existing PHI in their
    possession to identify candidates and otherwise
    use such PHI for research purposes.

31
Other Issues: Research Involving Decedent
Information
  • A covered entity may use or disclose PHI of
    decedents provided that the covered entity
    obtains from the researcher:
  • A representation that the use or disclosure is
    sought solely for research on the PHI of
    decedents;
  • Documentation of the death of the subjects, at
    the request of the covered entity; and
  • A representation that the PHI for which use or
    disclosure is sought is necessary for the
    research purposes.
  • Note: The researcher may also be permitted to
    obtain the PHI if the IRB grants a waiver of
    authorization.

32
Other Issues: Pre-Existing Data and the Covered
Entity
  • The HIPAA Privacy Rule permits covered entities
    to continue to use and disclose PHI for research,
    whether the PHI was created or received before or
    after the April 14, 2003 compliance date, if the
    required legal permission was obtained before
    that date.
  • If the covered entity obtained Common Rule
    Consent before the April 14, 2003 compliance
    date, then the covered entity can continue to use
    and disclose the pre-existing PHI. In other words,
    research subjects who enrolled and signed a
    Common Rule compliant Informed Consent Form
    before April 14, 2003 do not need to sign a HIPAA
    compliant Authorization Form after April 14,
    2003. Note: If new research subjects enroll on or
    after April 14, 2003, then the covered entity
    will need to obtain a signed Common Rule and
    HIPAA compliant Informed Consent/Authorization
    Form from each new research subject.
  • If the IRB approved a Waiver of Informed Consent
    before the April 14, 2003 compliance date, then
    the covered entity can continue to use and
    disclose the pre-existing PHI. In other words,
    the pre-existing PHI is grandfathered in under the
    Privacy Rule and the covered entity will not need
    a Waiver of Authorization after April 14, 2003.
  • If the covered entity never obtained written
    permission (e.g. Common Rule Consent or IRB
    Waiver) before the April 14, 2003 compliance
    date, then the covered entity cannot continue to
    use and disclose the pre-existing PHI. Note: The
    covered entity would need to obtain either an
    Authorization or a Waiver of Authorization.

33
Other Issues: Pre-Existing Data and the
PI/Non-Covered Entity
  • The HIPAA Privacy Rule also permits
    PIs/non-covered entities to use PHI obtained
    before and after the April 14, 2003 compliance
    date, if either Common Rule Consent or an IRB
    Waiver was obtained before April 14, 2003. (See
    Slide 32, Bullets 1 & 2.)
  • But, What About In-Hand Data?
  • If the PI/non-covered entity has in-hand,
    pre-existing PHI (e.g. in a database) which was
    obtained prior to the April 14, 2003 compliance
    date, then the PI/non-covered entity can continue
    using the in-hand data after the April 14, 2003
    compliance date. In other words, unlike covered
    entities, even if the PI/non-covered entity never
    obtained written permission before the compliance
    date, the PI/non-covered entity can continue to
    use the data. The PI/non-covered entity does not
    need to obtain an Authorization or a Waiver of
    Authorization to continue using the in-hand,
    pre-existing PHI.
  • Note: PIs/non-covered entities are not under the
    same HIPAA obligations as covered entities.

34
What does HIPAA Mean for Harvard's PIs?
  • Understand: Identifiable Data, De-Identified
    Data, Limited Data Set
  • Work with Covered Entity: Authorization/Informed
    Consent, Health Care Operations, Data Use
    Agreement
  • Work with IRB: Waiver of Authorization

35
What does HIPAA mean for Harvard's Pre-Award
Office?
  • Understand: Identifiable Data, De-Identified
    Data, Limited Data Set
  • Review Grant Applications: Types of Data,
    De-Identified, Limited Data Set
  • Negotiate & Work with PI: Limited Data Sets &
    Data Use Agreements

36
What does HIPAA mean for Harvard's IRB
Administrators?
  • Understand: Identifiable Data, De-Identified
    Data, Limited Data Set, Waiver Criteria, HIPAA
    Exceptions
  • Develop: Waiver Application & Approval Form,
    Authorization/Informed Consent Checklist
  • Work with PI and Pre-Award Office: Authorization,
    Limited Data Set & Data Use Agreement, IRB Waiver
    Criteria
  • Work with IRB: IRB Waiver Criteria, Authorization
    Criteria

37
What does HIPAA mean for Harvard's IRBs?
  • Understand IRB's Expanded Role as Privacy
    Board: Authorization/Informed Consent, Waiver
    Criteria
  • Establish: Privacy Board Policies & Procedures,
    Waiver Approval Processes

38
Summary of HIPAA Action Items
  • Don't be a Sitting Target
  • Educate PIs & IRB Members Regarding HIPAA
  • Identify the Institutions from which PIs Obtain
    PHI for Research Purposes
  • Begin Discussions with these Institutions ASAP to
    Determine what PIs Need to do to Continue Using
    PHI for Research Purposes

39
HIPAA Research Quick Reference
40
HIPAA Bottom-Line Issues
  • Privacy Rule Applies Directly to Covered
    Entities
  • Covered Entities are Custodians of PHI
  • Researchers will need to Work with Covered
    Entities to Obtain Data
  • Pre-Award and IRB Administrators can Educate and
    Advise PIs and IRB Members
  • Pre-Award and IRB Administrators can Facilitate
    Compliance with HIPAA

41
HIPAA Website References
  • http://www.hipaadvisory.com/
  • http://aspe.hhs.gov/admnsimp/
  • http://www.aamc.org/members/gir/gasp/
  • http://www.hipaadvisory.com/regs/
  • http://www.hhs.gov/ocr/hipaa/
  • http://ahima.org/journal/practice/brief.html

42
Before HIPAA Takes a Bite Out of You, Remember
  • HIPAA protects our health care information.
  • HIPAA impacts us more as consumers of health care
    than as employees at Harvard.
  • HIPAA requirements impact how health care
    organizations operate and deliver care.