Temple University Institutional Review Board

1
Temple University Institutional Review Board
Overview of the Privacy Rule
HIPAA
Health Insurance Portability and Accountability
Act of 1996
The Rule
HIPAA/RCT/10.2003
2
Temple University Institutional Review Board
Overview of the Privacy Rule
HIPAA , Research and You

• Covered Entity
• Use and Disclosure
• Protected Health Information Identifiable
• Authorization and Waiver of Authorization
• Minimum Necessary Standard
• Individual Rights

HIPAA/RCT/10.2003
3
Temple University Institutional Review Board
Overview of the Privacy Rule

• Covered Entity
• Temple University
• Temple University Health System
• A covered entity must follow the Rule -
• Failure to follow the Rule civil and/or
• criminal actions

HIPAA/RCT/10.2003
4
Temple University Institutional Review Board
Overview of the Privacy Rule

• Covered Entity
• PHI (personal health information)
• Researchers within a Covered Entity
• Generate PHI
• clinical trials
• Receive and/or access existing PHI
• chart reviews

HIPAA/RCT/10.2003
5
Temple University Institutional Review Board
Overview of the Privacy Rule

• Use and Disclosure
• Use refers to sharing within the entity
• Disclosure refers to sharing outside the
• entity

HIPAA/RCT/10.2003
6
Temple University Institutional Review Board
Overview of the Privacy Rule

• Protected Health Information
• Individually identifiable health information that
  a covered entity creates or receives
• Information about the past, present or
• future physical or mental health
• Information in written, electronic or
• oral form

HIPAA/RCT/10.2003
7
Temple University Institutional Review Board
Overview of the Privacy Rule

• Protected Health Information
• Identifiably Three Categories
• Identifiable information
• (PHI, to which the Rule applies)
• De-identified information
• (to which the Rule does not apply)
• Limited data set
• (a middle option, to which limited parts
• of the Rule apply)

HIPAA/RCT/10.2003
8
Temple University Institutional Review Board
Overview of the Privacy Rule

• Protected Health Information
• How to de-identify information
• Expert certification risk very small to
• identify an individual
• OR the one that will work
• Remove 18 identifiers of the individual or
• of relatives, employers, or household
• members of the individual

HIPAA/RCT/10.2003
9
Temple University Institutional Review Board
Overview of the Privacy Rule

• Protected Health Information
• 18 identifiers
• Names
• Geographic subdivisions smaller than a state,
  including street address, city,
• county, precinct, zipcode and their equivalent
  geocodes, except for the initial
• 3 digits of the zip code if, according to the
  current policy available fro the
• Bureau of the Census 1) geographic unit formed
  by combining all zip codes
• with the same 3 initial digits contains more
  than 20,000 people, AND 2) the
• initial 3 digits of the zip code for all
  geographic units containing 20,000 or
• fewer people is changed to 000
• Dates (except year) directly related to an
  individual (e.g., DOB, discharge
• date, date lf death) and all ages over 89 and
  all elements of dates (including
• year) indicative of such age, except that such
  ages and elements may be
• aggregated into a single category of age 90 or
  older
• Telephone numbers
• Fax numbers
• Electronic mail addresses

HIPAA/RCT/10.2003
10
Temple University Institutional Review Board
Overview of the Privacy Rule

• Protected Health Information
• 18 identifiers cont.
• Social Security Numbers
• Medical Record Numbers
• Heath plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including
  license plant numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice
  prints
• Full face photographic images and any comparable
  images and
• Any other unique identifying number,
  characteristic or code

HIPAA/RCT/10.2003
11
Temple University Institutional Review Board
Overview of the Privacy Rule

• Protected Health Information
• Privacy Rule does NOT apply to de-identified
• information
• Privacy Rule does NOT apply to coded
  information
• (all 18 identifiers must be either coded or
  not
• used)
• Privacy Rule does apply to the code (link) that
  
• allows identification of coded information

HIPAA/RCT/10.2003
12
Temple University Institutional Review Board
Overview of the Privacy Rule

• Protected Health Information
• Coded Information
• The Common Rule considers coded
• information to be directly identifiable
• Even if research is de-identified, protocol
• must come before the IRB. The IRB will
• determine whether the research is covered
• by the Common or the Privacy Rule.

HIPAA/RCT/10.2003
13
Temple University Institutional Review Board
Overview of the Privacy Rule

• Protected Health Information
• Limited Data Sets
• A set of data that are not fully de-identified
• Of the 18 identifiers, limited may contain
• Dates
• Geographic information (not street address)
• Other unique identifying numbers,
  characteristics,
• or codes (not excluded)

HIPAA/RCT/10.2003
14
Temple University Institutional Review Board
Overview of the Privacy Rule

• Protected Health Information
• Limited Data Sets
• Remember limited data sets will likely be
  identifiable under the Common Rule therefore,
  this research must be reviewed by the IRB

HIPAA/RCT/10.2003
15
Temple University Institutional Review Board
Overview of the Privacy Rule

• Privacy Notice
• Covered entity must tell individuals how their
  protected health information is used and
  disclosed
• Covered entity must do this by providing a
  Privacy Notice and making a good faith effort to
  obtain written acknowledgement of receipt (on
  file)

HIPAA/RCT/10.2003
16
Temple University Institutional Review Board
Overview of the Privacy Rule

• Authorization
• Not Required
• Health Care Operations -
• Quality assessment and improvement, evaluation of
  providers, training, legal services, auditing,
  compliance, limited marketing and fundraising
  activities and other business and administrative
  operations

HIPAA/RCT/10.2003
17
Temple University Institutional Review Board
Overview of the Privacy Rule

• Authorization
• Required
• In Research
• Permission (authorization) is generally required
• This must be written in plain language, and
• Include specific elements as defined in the
• Rule

HIPAA/RCT/10.2003
18
Temple University Institutional Review Board
Overview of the Privacy Rule

• Authorization
• Required elements
• Specific and meaningful description of what
  information
• will be used or disclosed
• Who may use or disclose
• Why the use or disclosure is being made
• Statement of how long the use or disclosure will
• continue use of none
• Notice that authorization may be revoked
• Notice that the information may be disclosed to
  others
• not subject to the Rule
• Individuals signature and date

HIPAA/RCT/10.2003
19
Temple University Institutional Review Board
Overview of the Privacy Rule

• Authorization
• Authorization and Waiver Recruitment
• Clinician (Researcher) may discuss research
• with patient (participant) without
  authorization
• Clinician (Researcher) discusses PHI with a 3rd
  
• party (other than participant), then an
• authorization or waiver is required

HIPAA/RCT/10.2003
20
Temple University Institutional Review Board
Overview of the Privacy Rule

• Authorization
• Authorization not required
• A waiver has been granted
• Research is on decedents
• Activity is preparatory to research

HIPAA/RCT/10.2003
21
Temple University Institutional Review Board
Overview of the Privacy Rule

• Authorization
• Waiver of Authorization
• A written assurance to the IRB that the PHI
• will not be re-used or disclosed except
• As required by law
• For authorized oversight of the research, or
• For other research that has been reviewed and
• approved thru the IRB with specific approval
  
• regarding access to this PHI

HIPAA/RCT/10.2003
22
Temple University Institutional Review Board
Overview of the Privacy Rule

• Authorization
• Approved Waiver
• Disclosure of PHI under a waiver of
• authorization must be tracked
• Uses and disclosures of PHI under the waiver
• must be limited to the minimum necessary to
• support the research purpose

HIPAA/RCT/10.2003
23
Temple University Institutional Review Board
Overview of the Privacy Rule

• Authorization
• Minimum Necessary Standard
• Limit the PHI used, disclosed, or requested to
  the minimum necessary to achieve the purposes
  (reason for the PHI)
• Under a waiver
• Use/disclosures of decedents PHI
• Use preparatory to research
• Limited data sets

HIPAA/RCT/10.2003
24
Temple University Institutional Review Board
Overview of the Privacy Rule

• Authorization
• Rights of the Individual
• Access their PHI
• Request amendment of their PHI
• Receive a record of certain disclosures of their
  PHI
• made within the previous 6 years
• Request restrictions on uses and disclosures
• Revoke their authorization
• Request receipt of communication of their PHI by
• alternative means/location
• Right to access can be temporarily suspended
  while
• research is in progress stated in authorization

HIPAA/RCT/10.2003
25
Temple University Institutional Review Board
Overview of the Privacy Rule

• Authorization
• Right to revoke Authorization
• Revocation must be in writing
• If revoked, researcher cannot use or disclose
• PHI except for data acquired prior to the
• request to revoke
• - included the PHI in an analysis
• - integrity of the research
• - account for drop-outs
• - adverse event reporting

HIPAA/RCT/10.2003