HIPAA Privacy Rule and Research

1
HIPAA Privacy Rule and Research

• USCRF Research Educational Series
• March 19, 2003

2
HIPAA Overview

• Health Insurance Portability and Accountability
  Act of 1996
• Four Key Areas
• Privacy Standards
• Electronic Transaction Standards
• Security Standards
• Unique Identifiers
• Required Compliance October 16, 2002 April
  14, 2003

3
HIPAA - Scope

• Applies to
• Health plans
• Health care providers
• Health care clearinghouses
• Covered Entity an organization that transmits
  health information in electronic form in
  connection with a HIPAA transaction (financial
  and administrative activities related to health
  care)

4
HIPAA - Scope

• USC Hybrid Entity
• Covered Components
• Affiliated covered entities include PHA, Dorn VA,
  USC Clinics

5
HIPAA - Scope

• Protected Health Information (PHI) All
  individually identifiable health information
  transmitted or maintained by an organization
  covered by the HIPAA regulations (a covered
  entity) regardless of form

6
Privacy Rule

• Limits the use and disclosure of PHI
• Gives patients the right to access their medical
  records and to know who accessed their health
  information
• Restricts most disclosures of PHI to the minimum
  necessary

7
Privacy Rule (cont.)

• Establishes criminal and civil penalties for
  improper use or disclosure
• Establishes new requirements for access to
  records by researchers

8
Use and Disclosure of PHI

• Authorization
• Plain language
• Description of information to be disclosed
• Purpose of disclosure
• Identification of person(s) authorized to use
• Expiration date or expiration event
• Right to revoke
• Statement regarding possible redisclosure
• Signature and date

9
Authorization vs. Consent

• A privacy authorization says Its OK for you to
  look at my PHI and disclose it to a designated
  third party.
• A consent form says I agree to participate in
  your research project and I understand the risks,
  benefits etc.
• Both are needed for research
• May be combined

10
Disclosure Without Authorization

• Waiver by IRB or Privacy Board
• Reviews preparatory to research
• De-identified Information
• Use or disclosure of a limited data set
• Decedent information
• Public health disclosures

11
Waiver of Authorization

• Disclosure poses no more than minimal risk to the
  privacy of individuals
• Plan to protect identifiers from improper
  disclosure
• Plan to destroy identifiers at earliest
  opportunity
• Written assurance that PHI will not be reused or
  disclosed
• Research could not practicably be done without
  the waiver
• Research could not practicably be done without
  access to the PHI
• Privacy risks are reasonable in relation to
  expected benefits

12
Reviews Preparatory to Research

• For preparatory work, the researcher must submit
  a request to the covered entity documenting that
• Reviewing protected health information is
  necessary to prepare a research protocol
• Information will not be removed or recorded by
  the research during the review
• Information for which access is sought is
  necessary for research purposes.

13
De-identified Information

• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers, including license plate
  numbers
• Biometric identifiers (finger and voice prints
• Full-face photographic images
• Any other unique identifying number or code

• Names
• All geographic subdivisions smaller than a state.
• All dates (except year)
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Device identifiers and serial numbers
• Web locators URLs
• Internet Protocol address nos.

14
Limited Data Set

• Used or disclosed for research, public health, or
  health care operations purposes only
• Requires the removal of fewer identifiers
  facial identifiers
• May include
• Dates related to admission, discharge, birth,
  death
• City, state, five digit zip code
• Data use agreement signed by recipient

15
Research on Decedents Information

• Assurance that disclosure and use is solely for
  research on the PHI of decedents
• Documentation, when requested by CE, of the death
  of such individuals
• Assurance that the PHI is necessary for research
  purposes

16
Public Health Disclosures

• Mandated reporting of contagious diseases
• Disclosure regarding an FDA regulated activity
• Registries
• Government, academic and non-profit
• Required by law, IRB waiver, authorization,
  limited data set
• Development of registry for research is research

17
Specimens and Tissue Samples

• HIPAA applies if the specimens/samples include
  identifying information.

18
Impact on Research

• Researchers requiring access to PHI must request
  the information from and meet the requirements of
  the covered entity
• Reluctance by health care providers to
  participate in research
• Barriers to subject recruitment
• Increased responsibility for IRB

19
Recruitment of Subjects

• PHI cannot be disclosed to a third party for
  purposes of recruitment without IRB waiver or
  patient authorization
• Recruitment is allowed for covered health care
  providers without authorization or waiver (i.e.
  physicians can recruit their own patients for
  research studies)

20
Transition Prior Permission

• Privacy Rule includes a transition provision
• Allows for reliance on consent or IRB waiver
  obtained prior to 04/14/03
• May use or disclose PHI created before or after
  04/14/03 based on then valid consent
• Can rely on existing consent for future
  unspecified research

21
Privacy and the Common Rule

• Research with subject permission
• Privacy Rule subject authorization to
  use/disclose PHI
• AND
• Common Rule IRB approval of protocol and
  informed consent process

22
Privacy and the Common Rule

• Research without subject permission
• Privacy Rule IRB/Privacy Board waiver based on
  specified criteria unless preparatory to research
  or de-identified information or limited data set
  with data use agreement
• AND
• Common Rule Waiver of consent or other
  appropriate finding (i.e. exemption)

23
Waiver Approval - Documentation

• Identification and date of action
• Waiver criteria satisfied
• Brief description of required PHI
• Review and approval procedures
• Signature of IRB/PB Chair

24
Researcher Responsibilities

• Know the rules and be prepared for varying
  interpretations by covered entities
• Authorization vs. waiver
• Preparing a confidentiality plan
• What information is required?
• Who will have access to the data?
• How long will access be needed?
• Safeguards for protecting information
• Alternatives to use of PHI?
• Time to gain approval from an additional
  committee

25
IRB Responsibilities

• Having appropriate expertise in privacy and
  confidentiality concerns.
• Ensuring that consent forms contain appropriate
  authorization requirements if applicable.
• Understand waiver criteria and document
  appropriately.
• Coordinate communications with Privacy Board, if
  applicable.