What is HIPAA ? - PowerPoint PPT Presentation

1
What is HIPAA ?
HIPAA with the DHPG
Research Medical Records Clinical Trials
Business Associate Agreement
Michael Shoob, Elizabeth Bankert
February 2003
2
What is HIPAA?
  • The Health Insurance Portability and
    Accountability Act of 1996 and
  • Three sets of regulations issued by the
    Department of Health and Human Services
  • Privacy Regulations - April 14, 2003 Compliance
    Deadline
  • Transaction Standards - October 16, 2002
    Compliance Deadline
  • Security Regulations - Pending

3
http://www.hhs.gov/ocr/hipaa/privacy.html
This guidance explains and answers questions
about key elements of the requirements of the
HIPAA Standards for Privacy of Individually
Identifiable Health Information (the Privacy
Rule). The Department of Health and Human
Services (HHS) published the Privacy Rule on
December 28, 2000, and adopted modifications of
the Rule on August 14, 2002.
PHI Protected Health Information
4
PHI Protected Health Information
  • Any information, created or received by us in any
    form, that
  • identifies an individual and is related to the
    past, present, or
  • future
  • Physical or mental health of the individual
  • Provision of health care to the individual or
  • Payment for health care provided to the individual

5
The HIPAA Privacy Rule for the first time creates
national standards to protect individuals'
medical records and other personal health
information. It gives patients more control over
their health information. It sets boundaries on
the use and release of health records. It
establishes appropriate safeguards that health
care providers and others must achieve to protect
the privacy of health information. It holds
violators accountable, with civil and criminal
penalties that can be imposed if they violate
patients' privacy rights.
6
For patients it means being able to make
informed choices when seeking care and
reimbursement for care based on how personal
health information may be used. It enables
patients to find out how their information may be
used, and about certain disclosures of their
information that have been made. It generally
limits release of information to the minimum
reasonably needed for the purpose of the
disclosure. It generally gives patients the
right to examine and obtain a copy of their own
health records and request corrections. It
empowers individuals to control certain uses and
disclosures of their health information.
7
"Overall, these national standards required
under HIPAA will make it easier and less costly
for the health care industry to process health
claims and handle other transactions while
assuring patients that their information will
remain secure and confidential," Secretary
Thompson said. "The security standards in
particular will help safeguard confidential
health information as the industry increasingly
relies on computers for processing health care
transactions."
8
William Braithwaite, MD, PhD Doctor
HIPAA PriceWaterHouseCoopers
Rule 1: DON'T SURPRISE THE PATIENT
9
Rule 2: Use minimal amount of PHI necessary to
conduct research
10
DHPG
Dartmouth Hitchcock Privacy Group
  • Dartmouth Hitchcock Clinics
  • Mary Hitchcock Memorial Hospital
  • Dartmouth Medical School
  • Dartmouth-Hitchcock Psychiatric Associates
  • Cheshire Medical Center
  • Mt. Ascutney Hospital
  • Upper Connecticut Valley Hospital
  • Weeks Medical Center
  • West Central Behavioral Health
  • Other Affiliated Institutions Using the Dartmouth-Hitchcock Name to
    Provide Health Care Services to Patients
11
HIPAA / DHPG
Privacy Officer Peter Johnson
Linda Messman, Director of Medical Records
Privacy Notice
http://intranet.hitchcock.org/is/hdr/pages/hipaa.html
Scott Farr / (work in progress)
12
Privacy Notice Treatment Payment Operations
(TPO)
Research not included !
13
Quality Assurance/ Peer Review
  • The process of reviewing, analyzing or evaluating
    patient and/or provider specific data which may
    indicate (the need for) changes in systems or
    procedures which would improve the quality of
    care.

14
Quality Assurance/ Peer Review Characteristics
  • Confidential
  • Learn from individual cases
  • Involves patient and/or provider specific data
  • Protected from legal discoverability
  • Review often triggered by predetermined
    thresholds/criteria
  • Must be conducted within QA/PR committee
    structure
  • Knowledge generation typically for local,
    immediate application

15
Quality / Performance Improvement
  • The process of reviewing, analyzing and
    evaluating aggregate data to understand patterns
    and trends
  • Process triggers a cycle of
  • Analyzing a process
  • Identifying potential changes
  • Testing changes
  • Evaluating impact of changes on measures of
    success

16
QI / PI Characteristics
  • Not protected from legal discoverability
  • Uses aggregate data, not patient identifiable
    information
  • Evaluates patterns and trends
  • Not usually triggered by specific event
  • Pre-data collection, a commitment to a
    corrective/improvement action plan
  • Knowledge generation typically for local,
    immediate application

17
What do researchers do when they want to access
patient information for research purposes?
Research: a systematic investigation,
including research development, testing and
evaluation, designed to develop or contribute to
generalizable knowledge.
Obtain IRB approval !
18
How can researchers access patient information
for research purposes?
HIPAA rules !
19
Six ways the IRB will allow researchers to
access protected health information (PHI)
1. Obtain informed consent (authorization) from
the patient
2. Waive the requirement for obtaining informed
consent
3. The information is being collected only for
preparatory work to research
4. Only a Limited Data Set is collected,
accompanied with a Data Use Agreement

5. Only decedent data is being collected
6. Information requested is de-identified
20
6. De-identification Requirements (Two Methods)
  • HIPAA Safe Harbor 45 CFR 164.514(b)(2)(i)
  • Names
  • Geographic subdivisions smaller than a state
  • Zip codes
  • Dates (birth, admission, discharge, death)
  • Age, if over 89
  • Telephone numbers
  • Fax numbers
  • E-mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate and license numbers
  • Vehicle identification and serial numbers
  • License plate numbers
  • Device identifiers and serial numbers
  • URLs
  • Internet Protocol address numbers
  • Statistical 45 CFR 164.514(b)(1)
  • A person with appropriate knowledge of and
    experience with generally accepted statistical
    and scientific principles and methods for
    rendering information not individually
    identifiable
  • Determines that the risk of re-identification of
    the data, alone or in combination with other
    reasonably available data, is very small and
  • Documents the methods and results.

21
5. Decedent Information
Privacy Board or IRB
22
4. Limited Use Data Set
  • Not Allowed
  • Names
  • Postal info (OTHER than town, city, state, and
    zip code)
  • Telephone and Fax Number
  • e-Mail Addresses
  • Social Security Number
  • Medical Record Number
  • Health Plan Beneficiary Number
  • Account Number
  • Certificate / License Number
  • Vehicle ID (license plate) and Serial
  • Device ID and Serial Number
  • URLs and IP Addresses
  • Biometric ID (finger, voice prints)
  • Full Face Photos and Comparable Images

23
Data Use Agreement Used with Limited Data Set

Researcher must agree
  • to limit the use of the limited data set or PHI to the
    specified purpose as described
  • to limit who can use or receive the data to the
    research team directly involved in this project
  • not to re-identify the data or contact the
    individuals to whom the data belongs
24
3. Preparatory to Research
Notice from the researcher:
  • 1. The use or disclosure of the PHI is solely to prepare a
    research protocol or for similar purposes
    preparatory to research,
  • 2. Will not remove any PHI from the covered
    entity,
  • 3. The PHI for which access is sought is
    necessary for the research purpose.
  • This provision might be used, for example, to
    design a research study or to assess the
    feasibility of conducting a study.

25
  1. IRB Waiver of IC requirements
  • A. Use or disclosure involves no more than
    minimal risk to individuals
  • B. Alteration or waiver will not adversely affect
    privacy rights and welfare of individuals
  • C. Research could not practicably be conducted
    without the alteration or waiver
  • D. Research could not practicably be conducted
    without access to and use of PHI
  • E. Adequate plan to protect identifiers from
    improper use and disclosure
  • F. Adequate plan to destroy identifiers at the
    earliest opportunity, unless there is a health or
    research justification or legal requirement to
    retain them and
  • G. Adequate written assurances that PHI will not
    be reused or disclosed for other purposes.

26
1. Obtain Consent (authorization) from the
Patient
1. Description of Health Information to be gathered.
2. Identification of Person authorized to disclose
3. Identification of Recipient
4. Description of Purpose(s)
5. Expiration date - "end of research study," "none," or similar
language is sufficient if the disclosure is for
research, including for the creation and
maintenance of a research database or research
repository
6. Statement of Right to Revoke
7. (In)Ability to Condition Treatment on the Authorization statement
8. Statement Regarding Re-disclosure
9. Remuneration for Marketing Activity (if applicable)
10. Dated Patient Signature
11. If signed by Personal Representative, a description of that person's
authority
27
Consent Forms for Clinical Trials
Please remember each study is unique, thus the correct
language for the consent form is dependent on
the language in the protocol and/or contract.
You will begin to see HIPAA language in sponsor-provided
consent form templates.
28
In the Consent Form, under the section entitled
"Other Important Items You Should Know",
add a sub-section entitled
"Data Collection".
Under the same section, expand the current
sub-section entitled "Confidentiality".
29
Data Collection: Add a general sentence about
the data to be collected.
And add the following sentences as applicable for
the particular study:
  • The data collected in this study includes
  • The data collected in this study will be used
    for the purpose described in this form. Patient
    identifiable data will not be released beyond that
    required for the purposes of conducting this research
    study. By signing this form, you are allowing
    the research team access to your medical records.
    The research team includes the researchers listed in
    this consent form and other personnel involved in
    this study at DHMC and other entities as described in
    the "Confidentiality" section of this consent
    form. If you choose to withdraw from the study, you
    may revoke your approval for the use of your future
    medical information. To do this, you may
    contact the researcher in writing. Data which
    has already been collected will be maintained with
    the research records.

30
Explain how long data will be maintained.
Examples:
  • Data gathered from this study will be
    maintained for as long as the sponsor needs to
    obtain approval from the FDA.
  • Data gathered from this study will be maintained
    indefinitely or as required by federal or state regulations.
If there are limits to the patient access to
research records, describe here.
Example: During the course of this study participants
may not have access to research records. If
you choose, you may request this information after
the research is completed.
31
2. Identification of Person authorized to
disclose
The research team includes the researchers listed
in this consent form and other personnel
involved in this study at DHMC and other
entities as described in the "Confidentiality"
section of this consent form
32
3. Identification of Recipient
Describe as applicable who may have access to research data -
this can be added to Confidentiality section.
Example: Research data may be shared, as
required by law, with Dartmouth Hitchcock Medical
Center authorities and ......
Examples: Federal agencies such as the Food and Drug
Administration; add as appropriate National
Co-operative Study Group, Multi-center sites,
Insurance Company.
If the research is sponsored
or if the data is being sent anywhere outside of
DHMC, describe in some detail:
The sponsor of the study, xxx, and any corresponding entities
involved in the monitoring of this study (name of
CRO if applicable) or Data and Safety Monitoring
Committee if applicable, will also have access to
this research data. These organizations do not
have a regulatory obligation to protect the data.
(However, if the data being released is not
patient identifiable or the sponsor agrees not to
redisclose patient identifiable information, a
statement to that effect should be included
here.)
33
4. Description of Purpose(s)
Most consent forms describe the purpose of the research in
the opening paragraphs. If not, please add.
34
5. Expiration date - "end of research study,"
"none," or similar language is sufficient if the
disclosure is for research, including for the
creation and maintenance of a research database
or research repository
  • Data gathered from this study will be maintained
    for as long as the sponsor needs to obtain approval
    from the FDA.
  • Data gathered from this study will be
    maintained indefinitely or as required by federal
    or state regulations.
35
6. Statement of Right to Revoke
If you choose to withdraw from the study, you may revoke your
approval for the use of your future medical
information. To do this, you may contact the
researcher in writing. Data which has already
been collected will be maintained with the
research records.
36
7. (In)Ability to Condition Treatment on the
Authorization statement
If not already in the consent form, add in the
"Other Important Items" section:
  • Your decision whether or not
    to participate in this study, or a decision to
    withdraw will not involve any penalty or loss of
    benefits to which you are entitled.
37
8. Statement Regarding Re-disclosure
The wording in the contract with the sponsor will
determine this statement in the consent form. If
a sponsor will not re-disclose patient
identifiable information, include that
information, or:
These organizations do not have a regulatory
obligation to protect the data. (However, if the
data being released is not patient identifiable
or the sponsor agrees not to redisclose patient
identifiable information, a statement to that
effect should be included here.)
38
9. Remuneration for Marketing Activity (if
applicable)
The sponsor usually provides
wording for this activity, which is usually
something to the effect: "You will not receive
any compensation if the results of this research
are used towards the development of a
commercially available product."
39
10. Dated Patient Signature
This is already required in the signature section. Please
also add this sentence if it is not in the
current consent form: "I have been given a
copy of this consent document for my own
records."
40
11. If signed by Personal Representative, a
description of that person's authority
This is already required in the signature section.
41
PLEASE NOTE: The signed consent form must be
maintained for at least 6 years after it is
signed. This can be satisfied by placing the
consent form in the medical record or by keeping
it in the study's research files. The CIS
team recently released a feature to create an
electronic consent form and protocol summary.
42
Patients enrolled into a research study prior to
April 14, 2003 do not have to sign another
consent form.
New patients enrolled into a clinical trial on or
after April 14, 2003 will need to sign an IRB
approved HIPAA compliant consent form OR the
currently IRB approved consent form PLUS an IRB
approved 'add on' form describing HIPAA
information.
43
To be considered
  • 1. Departmentally maintained databases
  • 2. Registries
  • 3. Disclosures / Tracking
44
Committee for the Protection of Human Subjects
http://www.dartmouth.edu/cphs/
a. NEW FORM Research with PHI
b. HIPAA Compliant Consent Form Template
c. HIPAA powerpoint
  • Additional HIPAA
  • presentation/consent review dates

45
Additional HIPAA forum dates
Review Consent Forms
  • Café B 2/18 9-10 am
  • Café B 2/21 9-10 am
  • Café B 3/5 9-10 am
  • Café C 3/10 9-10:30 am
  • Café B 3/17 2-3 pm
  • Café A 3/26 12-1:30 pm
HIPAA EDUCATION DATES
  • 3/4 Aud E 2:00 to 3:00 pm
  • 2/18 L2B 8:00 to 10:30 am
  • 3/26 L2B 10:30 to 1:00 pm
46
HIPAA applies to Covered Entities (CEs) only
  • Health Care Providers
  • Health Care Plans
  • Health Care Clearinghouse
47
Business Associates of HIPAA Covered Entities
48
Business Associates of HIPAA Covered Entity
A person or entity (not a member of the
Covered Entity's workforce or plan) that
provides services for a Covered Entity that
involve the use of protected health
information (PHI)
49
Business Associates could include
  • Pharmaceutical / Biotech Companies
  • Data Entry Service Vendors
  • Other covered entities
50
Business Associate Agreement
Does not pass through the same privacy
requirements of Covered Entity to business
associate. It requires in a written contract:
  • Satisfactory assurance that PHI will
    be appropriately safeguarded and used only
    for the purposes of performing associate's
    obligations
  • Assure that agents of business
    associate agree to the same restriction
  • Make PHI available as required by law
  • Return or destroy all PHI at conclusion of contract
51
Business Associate Agreement
Requirements continued
  • Associate to advise Covered Entity when
    violations have occurred
  • Take reasonable steps
    to cure a breach of privacy requirements
  • Covered Entity may terminate agreement if breach
    of privacy not cured
52
Chain-of-Trust Provisions
Business Associate agrees to protect the
integrity and confidentiality of PHI exchanged
electronically
53
HIPAA Health Insurance Portability and
Accountability Act