HIPAA Privacy Standards and the UAB IRB - PowerPoint PPT Presentation

1 / 13
About This Presentation
Title:

HIPAA Privacy Standards and the UAB IRB

Description:

Authorization is in addition to the Informed Consent. Authorization must be limited to use and disclosure of PHI for the specific research protocol ... – PowerPoint PPT presentation

Number of Views:67
Avg rating:3.0/5.0
Slides: 14
Provided by: KKAU3
Learn more at: https://www.uab.edu
Category:
Tags: hipaa | irb | uab | privacy | standards

less

Transcript and Presenter's Notes

Title: HIPAA Privacy Standards and the UAB IRB


1
HIPAA Privacy Standardsand the UAB IRB
  • What researchers need to know

2
Objectives
  • HIPAA Privacy Standards
  • Changes to IRB protocol submission
  • PHI involved in research.
  • De-identified or limited data set
  • Patient authorization to use PHI or request for
    waiver of patient authorization.
  • IRB Forms
  • Participant Authorization
  • Researcher Request for Waiver
  • IRB Confirmation of Waiver
  • Data Repositories
  • Transition schedule approval of existing
    research protocols
  • Questions

3
HIPAA Privacy Standards
  • Covered Entities may not use or disclose PHI,
    except as authorized by HIPAA
  • Covered Entities providers who submit
    electronic claims for healthcare services
  • Hybrid Entities one entity can designate
    covered and excluded operating units, based on
    functions of those units
  • PHI any information, including demographic
    information that is transmitted or maintained in
    any medium that is created or received by a
    healthcare provider, health plan or health care
    clearinghouse that relates to or describes the
    past, present or future mental health or physical
    condition of an individual or future payment for
    the provision of healthcare to the individual,
    and that can be used to identify the individual

4
HIPAA Privacy Standards
  • No patient authorization required for
    use/disclosure of PHI for
  • Treatment, payment and healthcare operations
    (TPO)
  • Required by law
  • To coroner/medical examiner
  • To health oversight agencies
  • Organ donation
  • Workers compensation
  • Incidental disclosures
  • Research is NOT TPO.

5
HIPAA and Research
  • Research is a systematic investigation,
    including research development, testing, and
    evaluation, designed to develop or contribute to
    generalizable knowledge.
  • Research that involves PHI generated by or
    through a Covered Entity must meet one of the
    following
  • Patient Authorization to use PHI
  • IRB Waiver of Patient Authorization
  • Same standards for waiver of Informed Consent
  • Decedent Research/Reviews Preparatory to Research
  • De-identified Data No Patient
    Authorization/Waiver required
  • Limited Data Set No Patient Authorization/Waiver
    required

6
HIPAA and Research
  • HIPAA Privacy Standards apply when research
    involves the use or disclosure of protected
    health information (PHI).
  • PHI is health information that can be used to
    identify an individual. If any of the following
    identifiers are used in research with respect to
    health information, the HIPAA privacy standards
    apply
  • names, all geographic subdivisions smaller than a
    State, all elements of dates (except year)
    related to an individual, telephone numbers, fax
    numbers, email addresses, social security
    numbers, medical record numbers, health plan
    beneficiary numbers, account numbers,
    certificate/license numbers, vehicle identifiers
    and serial numbers, device identifiers and serial
    numbers, biometric identifiers, full face
    photographic images and any other unique
    identifying number

7
Deidentified Data
  • HIPAA privacy standards do not apply to
    deidentified data
  • Research that excludes ALL of the following is
    not subject to HIPAA privacy standards
  • names, all geographic subdivisions smaller than a
    State, all elements of dates (except year)
    related to an individual, telephone numbers, fax
    numbers, email addresses, social security
    numbers, medical record numbers, health plan
    beneficiary numbers, account numbers,
    certificate/license numbers, vehicle identifiers
    and serial numbers, device identifiers and serial
    numbers, biometric identifiers, full face
    photographic images and any other unique
    identifying number

8
Limited Data Sets
  • Researchers may use limited data sets of PHI
    for research without obtaining authorization or
    waiver of authorization.
  • Limited data sets are PHI that exclude all the
    identifiers listed for de-identified data with
    the exception of dates and all geographic
    subdivisions (limited data sets must exclude
    postal address information, other than town or
    city, State and zip code).
  • The researcher must sign a Data Use Agreement
    certifying that the use of the data will be
    limited to the research protocol.

9
Authorization
  • Participant Authorization
  • Written authorization from the participant to use
    and disclose their PHI in research is required,
    unless the researcher requests a waiver
  • Authorization is in addition to the Informed
    Consent
  • Authorization must be limited to use and
    disclosure of PHI for the specific research
    protocol
  • Authorization form available from IRB

10
Waiver of Authorization
  • Waiver of Participant Authorization
  • Researchers may request the IRB to waive the
    participant authorization requirement by
    certifying to the following
  • The use/disclosure of PHI involves no more than
    minimal risk to the privacy of individuals
  • There is a plan to protect the identifiers from
    improper use and disclosure.
  • There is a plan to destroy the identifiers at the
    earliest opportunity consistent with conduct of
    the research, unless there is a health or
    research justification for retaining the
    identifiers or such retention is otherwise
    required by law
  • There is assurance that the PHI will not be
    reused or disclosed to any other person or
    entity, except as required by law, for authorized
    oversight of the research study, or for other
    research for which the use or disclosure of PHI
    would be permitted
  • The research cannot practicably be conducted
    without the waiver or alteration
  • The research cannot practicably be conducted
    without access to and use of the PHI
  • Waiver Form available from IRB

11
IRB HIPAA Forms
  • Protocol Submission
  • Check-off for identifying PHI
  • Check-off for deidentified or limited data set
  • Participant Authorization Form
  • Researcher Request for Waiver Form
  • IRB Confirmation of Waiver

12
Data Repositories
  • Data Repositories
  • Clinical data repositories contain PHI and used
    exclusively for clinical care
  • No IRB approval required to establish data
    repository
  • Research using PHI from the clinical data
    repository requires IRB approval and participant
    authorization or waiver of authorization of
    use/disclose the PHI
  • De-identified data repositories contain
    de-identified health information
  • No IRB approval required, other than approval of
    the research protocol using the data from the
    repository
  • Data Repositories contain PHI that is used for
    research or other non-clinical purposes
  • IRB approval of data repository is required
  • IRB approval of each research protocol required
  • IRB approval of access by other researchers
    required

13
Transition --Approval of Current Protocols
  • Protocols with Informed Consent
  • Participants enrolled prior to 4/14 are not
    required to sign an Authorization
  • Participants enrolled on and after 4/14 must sign
    an Authorization
  • Protocols where Informed Consent Waived
  • Authorization requirement waived upon
    presentation of justification from researcher
  • IRB Staff will visit Departments and have open
    office hours to review protocols, approve
    Authorization forms and approve waivers prior to
    4/14
Write a Comment
User Comments (0)
About PowerShow.com