Playing by New Rules: Privacy and Health Services Research - PowerPoint PPT Presentation

1
Playing by New Rules: Privacy and Health
Services Research
  • Joe Vasey
  • Center for Health Care and Policy Research
  • November 12, 2003

2
The HIPAA Privacy Rule
  • The Privacy Rule governs access to and use of
    protected health information (PHI) under the
    control of a covered entity
  • PHI cannot be used or disclosed by covered
    entities without written individual authorization
    unless its use is covered by an exception to the
    Privacy Rule
  • Researchers needing access to PHI are affected by
    the Privacy Rule because of restrictions placed
    on covered entities

3
Protection of Human Subjects
  • Prior to the HIPAA Privacy Rule: the Common Rule
      • Ethically performed research
      • Participation on the basis of informed consent
      • Minimal risk
      • Confidentiality is important, but no extensive
        requirements for safeguards
      • IRB oversight

4
Protection of Human Subjects
  • The HIPAA Privacy Rule
      • Supplements (does not replace) the Common Rule
        requirements regarding privacy and
        confidentiality of protected health information
      • Covered entities (providers, insurers) can use
        PHI for treatment, payment, and operations (TPO)
      • For any other purpose (including research),
        written authorization is required unless an
        exception applies

5
Terminology
  • Protected Health Information
      • Individually identifiable health information that
        a covered entity creates or receives, whether in
        electronic, paper, or verbal form
      • The definition is broad and includes information
        relating to the past, present, or future physical
        or mental health of a person, the provision of
        health care to a person, and payment for health
        care.
      • The rule covers one's PHI for as long as the
        covered entity retains it; hence, decedents'
        health information is protected by this rule.

6
Terminology
  • Covered entity
      • Health care providers
      • Health plan
      • Health care clearinghouse
  • Business Associate
      • A contractor, agent, consultant, or other entity
        that
          • performs services (e.g., quality assurance,
            accreditation, data analysis, consulting) on
            behalf of a covered entity
          • using protected health information
          • in accordance with a contract that includes
            safeguards for PHI

7
To whom can protected health information be
disclosed?
  • Required disclosures
      • To the individual who is the subject of the
        information
      • To the Department of Health and Human Services to
        investigate potential violations
  • Any other use or disclosure of protected data is
    permissive for the covered entity

8
Uses of Protected Health Information
  • Treatment, payment, and health care operations
    (TPO)
  • Specific situations where the patient has an
    opportunity to agree or object (e.g., a hospital
    room directory)
  • Specific public purpose exceptions; restrictions
    vary depending on the type of exception. Research is
    covered by one of these exceptions.
  • Any other use must be individually authorized by
    the patient

9
Authorized Disclosures
  • The nature of the information to be released must
    be clearly defined
  • The person, agency, or entity that is authorized
    to release the data must be clearly specified
  • The recipient of the data must be clearly
    identified
  • How the information will be used must be clearly
    described. Authorizations are study specific.
  • There must be an expiration date for the use of
    the data
  • The authorization must be signed by the
    individual or his/her authorized representative.
  • The authorization form must be in plain language
    and a copy must be provided to the individual

10
Disclosures Without Authorization
  • Exceptions to the written authorization
    requirement include
      • Reviews preparatory to research
      • Research on deceased individuals
      • Public health disclosures
      • IRB/Privacy Board waivers
      • De-identified dataset
          • Statistically safe
          • Completely de-identified
      • Limited dataset with data use agreement

11
Disclosure Without Authorization
  • Data Review Preparatory to Research
      • Researchers may review medical records without
        patient authorization in order to prepare a
        research proposal or protocol.
      • Data may not be removed or transmitted from the
        covered entity (CE)
      • PHI must be necessary for research preparation
        purposes
      • No electronic (or otherwise) transfer of data to
        the researcher's office
      • The CE's IRB/PB will review and approve requests
        for data review activities

12
Disclosure Without Authorization
  • Research on Decedents
      • Researcher must justify the use of PHI data
      • CE may require the researcher to document or
        certify the death of subjects
      • The CE's IRB/PB will review and approve requests
        for research on decedents

13
Disclosure Without Authorization
  • Public Health Disclosures
      • Agencies or authorities authorized or required by
        law to collect information, including
          • Public Health Authorities/Departments
          • Registries
          • FDA
          • CDC
      • Data elements should be limited to the minimum
        necessary to fulfill reporting requirements

14
Disclosure Without Authorization
  • IRB / Privacy Board Waiver
      • A CE may release PHI for research if an IRB or
        Privacy Board
          • waives written authorization, or
          • approves a modified authorization
      • The Board must certify that disclosure poses
        minimal risk to individuals' privacy, based on
          • Protection of identifiers from improper use
          • A plan to destroy identifiers
          • Adequate assurance that PHI will not be
            disclosed to any other person or entity, or
            used for any other purpose
      • The research must be impractical without the
        waiver
      • The research must be impractical without access
        to the PHI

15
Disclosure Without Authorization
  • De-identified data
      • Statistically safe data: the CE relies on expert
        opinion to conclude that there is a very small
        risk that an individual could be identified
      • Completely de-identified: removal of specific
        data elements
  • Limited dataset: research, public health, and
    operations purposes only
      • Data use agreement specifies safeguards, uses,
        and restrictions
      • Re-identification is prohibited

16
A statistically safe dataset
  • A covered entity may determine that health
    information is not individually identifiable only
    if
      • A person with appropriate knowledge of and
        experience with accepted statistical and
        scientific principles and methods for rendering
        information unidentifiable
      • Applies such methods to determine that the risk
        is very small that the information could be
        used alone or in combination with other data to
        identify the individual, and
      • Documents the methods and results of the analysis
        to justify the conclusion that there is a very
        small risk of re-identification

17
A de-identified dataset must exclude
  • Names
  • All geographic location data smaller than a state
    or a 3-digit ZIP code
  • Dates (year permitted)
  • Telephone numbers
  • Fax numbers
  • Email address
  • Social security number
  • Medical record number
  • Health plan beneficiary number
  • Account numbers
  • Certificate or license numbers
  • Vehicle identification numbers, serial numbers,
    license plate numbers
  • Device identifiers, serial numbers
  • Web URLs
  • Internet Protocol (IP) address
  • Biometric identifiers (fingerprint, retinal
    image)
  • Full face or comparable images
  • Any other unique identifier (e.g., GPS coordinates)

18
A limited use dataset may include
  • Dates
      • Admission, discharge, service dates, payment
        dates, dates of birth and death
  • Geo data
      • 5-digit ZIP code
      • State, county, city, and precinct
  • All other PHI data elements are prohibited
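The two dataset shapes on slides 17 and 18 are concrete enough to implement as field-level transformations. The following is an added example, not code from the presentation or from Penn State; the record layout, field names and sample values are all constructed for the illustration. `deidentify()` produces the slide 17 form (direct identifiers and sub-state geography removed, dates reduced to the year, ZIP cut to three digits), `limited_dataset()` produces the slide 18 form (dates and 5-digit ZIP/state/county/city/precinct kept, direct identifiers still removed), and `is_deidentified()` is the pre-release check a data steward would run. Free-text fields are scrubbed with simple patterns for the phone, e-mail, SSN, IP and URL shapes from slide 17, because those identifiers routinely survive in notes after the structured columns are handled. Two conditions of the actual rule that the slides do not list (3-digit ZIP areas with small populations and ages over 89 need further generalization) are not implemented here.

```python
import re
from datetime import date

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "medical_record_number": "MRN-0001234",
    "ssn": "123-45-6789",
    "phone": "814-555-0100",
    "email": "jane.sample@example.org",
    "ip_address": "192.0.2.10",
    "zip": "16802",
    "state": "PA",
    "county": "Centre",
    "city": "State College",
    "date_of_birth": date(1961, 4, 17),
    "admission_date": date(2003, 11, 12),
    "discharge_date": date(2003, 11, 15),
    "diagnosis_code": "I10",
    "note": "Pt called from 814-555-0100; reach at jane.sample@example.org.",
}

# Assumed field names holding the direct identifiers listed on slide 17;
# they never survive either transformation.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_beneficiary_number", "account_number", "certificate_number",
    "license_number", "vehicle_identification_number", "license_plate",
    "device_identifier", "url", "ip_address", "biometric", "face_image",
}
DATE_FIELDS = {"date_of_birth", "date_of_death", "admission_date",
               "discharge_date", "service_date", "payment_date"}
# Geography finer than a state; slide 18 allows it only in a limited dataset.
FINE_GEOGRAPHY = {"zip", "county", "city", "precinct"}
FREE_TEXT_FIELDS = {"note"}

# Identifier shapes that leak through free text after the structured fields
# are handled (simple constructed patterns, not an exhaustive scrubber).
_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
]


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, placeholder in _TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def deidentify(record: dict) -> dict:
    """Slide 17 dataset: drop direct identifiers and sub-state geography,
    keep only the year of each date, truncate the ZIP code to three digits."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = value.year
        elif key == "zip":
            out["zip3"] = value[:3]
        elif key in FINE_GEOGRAPHY:
            continue
        elif key in FREE_TEXT_FIELDS:
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def limited_dataset(record: dict) -> dict:
    """Slide 18 dataset: full dates, 5-digit ZIP, state, county, city and
    precinct may stay; direct identifiers still go and free text is still
    scrubbed. Release additionally requires a data use agreement (slide 19)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        out[key] = scrub_text(value) if key in FREE_TEXT_FIELDS else value
    return out


def is_deidentified(record: dict) -> bool:
    """Pre-release check for the slide 17 form: no direct identifier, no
    sub-state geography, no full date object, ZIP no longer than 3 digits."""
    keys = set(record)
    if keys & DIRECT_IDENTIFIERS or keys & FINE_GEOGRAPHY:
        return False
    if any(isinstance(v, date) for v in record.values()):
        return False
    if len(record.get("zip3", "")) > 3:
        return False
    return True


if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
    print(limited_dataset(SAMPLE_RECORD))
```

Run as a script it prints both forms of the sample record. The check deliberately fails the limited dataset: it is still PHI, which is why slide 19's data use agreement and the re-identification prohibition apply to it, whereas the slide 17 form is no longer individually identifiable in the Privacy Rule's sense.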

19
Limited Dataset with Data Use Agreement
  • The researcher agrees to
      • Use the data only for its requested use
      • Not re-identify the data
      • Not contact any individual in the dataset
      • Safeguard the information
      • Report violations
      • Hold subcontractors to the same standards

20
Working With A Covered Entity
  • The CE incurs a burden in providing you with
    data. They must
      • Review your proposal
      • Review IRB / PB documentation
      • Assess the risks and benefits of cooperating
      • Prepare dataset(s) for your use
          • Time and resources
          • A business associate may prepare data for
            you, but cannot disclose it or deliver it to
            you
          • In the role of researcher, you are prohibited
            from data preparation
      • Maintain records of PHI disclosures
          • Except for TPO, IA, limited datasets
      • Specify and complete conditions of data use

21
Working with the Penn State IRB
  • All research protocols involving human
    participants must be submitted to the Office for
    Research Protections (ORP) for review and a
    determination of whether the protocol will be
    subject to HIPAA rules governing disclosure and use
    of PHI.
  • If it is determined that the protocol is subject
    to HIPAA rules, the terms of the policy will
    apply to that protocol.

22
Working with the Penn State IRB
  • Before acquiring or working with PHI data,
    researchers at Penn State must do one of the
    following
      • obtain written authorization from the individual
        who is participating as a research subject in
        accordance with HIPAA standards for
        authorization,
      • obtain a waiver of the authorization requirement
        from the Institutional Review Board (IRB) in
        accordance with HIPAA standards for such waivers,
      • obtain approval for such use as preparatory to
        research, or
      • notify the IRB of such use as research on
        decedents' information.
  • PHI may be used only by and disclosed only to the
    principal investigator and other members of the
    research team identified in the research protocol
    application.

23
http://www.research.psu.edu/orp/HIPAA/forms/index.htm
24
Resources
  • Research at Penn State
      • Policy RA-22: http://guru.psu.edu/policies/RA22.
      • Training:
        http://www.research.psu.edu/orp/HIPAA/training_instruct.htm
      • Application forms:
        http://www.research.psu.edu/orp/HIPAA/forms/index.htm
  • Department of Health and Human Services
      • http://www.hhs.gov/ocr/hipaa
      • http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf