Privacy - PowerPoint PPT Presentation

1 / 20

About This Presentation

Title:

Privacy

Description:

What does this form mean? HIPAA Authorization means prior written permission for use and disclosure of protected health information (PHI) from the information s ... – PowerPoint PPT presentation

Number of Views:155

Avg rating:3.0/5.0

Slides: 21

Provided by: vhaiowsmitha

Category:

Tags: privacy

more less

Transcript and Presenter's Notes

Title: Privacy

1
Privacy HIPAA Requirements at the Iowa
City VA Health Care System
2
New VA HIPAA Authorization Form
forResearch(Form 10-0493)
3

What does this form mean?
HIPAA Authorization means prior written
permission for use and disclosure of protected
health information (PHI) from the informations
source person, research subject, or legally
authorized personal representative, as required
under law, including HIPAA. (simple definition
This form is a release of information, signed by
the subject, authorizing you to use/disclose
their data outside of the VA)
What are the correct and incorrect ways this form
would be completed?
All elements of the HIPAA Authorization form must
be filled out by the investigator and will be
consistent with the informed consent and HawkIRB
application. All forms are required to be filled
out completely and signed by the subject, to whom
the information pertains too.
Failure to complete and have the subject sign the
HIPAA Authorization, will be reported to the
Privacy Officer, Office of Research Oversight
(ORO), Research Compliance Officer and the IRB as
a privacy violation

Which sections of the form are the investigators
vs. the subject responsible for understanding?
Investigators are responsible for ensuring that
no human being is involved as a subject in
research unless the investigator or a designee
has obtained legally effective HIPAA
Authorization for use and disclosure of the
subjects PHI, or has obtained IRB-approved waiver
of HIPAA Authorization
Subject or legally authorized representative are
responsible for understanding and consenting to
the use and disclosure of their PHI on the HIPAA
Authorization form
Where is the HIPAA authorization located?
HIPAA Authorization form will be located within
the HawkIRB application under approval tab.
Click on PO review, then other review screen,
then VA HIPAA. It is not located under
attachments because the IRB does not approve
HIPAA documents.
Will the HIPAA Authorization need to be included
in the HawkIRB application?
The HIPAA Authorization form is required to be
part of the HawkIRB application, when applicable

How would the new authorization form affect the
content of the current informed consent document?
The Principal Investigator will be responsible
for ensuring the HIPAA Authorization, informed
consent and protocol are consistent with each
other to include use of data or specimens for
other research as described within HIPAA
Authorization and who the information pertaining
to the subject is disclosed too outside of the VA
Where does this document get filed after it is
signed?
The original HIPAA Authorization should be kept
with the research team and a copy of the HIPAA
Authorization will be sent to the VA Scanning
department (mail code 136c) to be scanned into
the subjects medical record
What are the retention requirements for this new
form?
The National Archives and Records Administration
(NARA) currently have not set retention
requirements for ANY research records, therefore
nothing should be destroyed at the time. All
Research records including the HIPAA
Authorization must be kept until NARA provides
guidance for destroying research records.

What is individually-identifiable health
information?
Health information that does not identify an
individual and to which there is no reasonable
basis to believe that the information can be used
to identify an individual. 18 HIPAA identifiers.
Note Retinal Scans and audio recordings are
considered individual-identifiable identifiers
What is de-identified data?
For purposes of VA research, de-identified data
are data that have been de-identified in
accordance with both HIPAA Privacy Rule and the
Common Rule
(18 HIPAA identifiers)
Scrambling of names and social security numbers
is not considered de-identifying health
information
Coded data is data identifiable by the
individual(s) who has access to the code.
Therefore, coded data are not considered to be
de-identified or anonymous. When disclosing
de-identified data to non-VA entities this code
needs to be removed

Other information
Use of the new HIPAA Authorization, Form 10-0493
begins immediately for all new protocol
applications
All existing IRB approved projects will not be
required to revise the consent process at the
point of CR or modification to use the new HIPAA
Authorization, unless you are making changes to
your HIPAA Authorization or as directed by the
IRB

8
(No Transcript)
9
New section
10
New section
Need to insert your information here
11
(No Transcript)
12
This part of the form is new
13

Miscellaneous Research Privacy information
Record retention language will be used for all
protocols involving the VA
The required records, including the
investigators research records, will be retained
until disposition instructions are approved by
the National Archives and Records Administration
and are published in VHAs Records Control
Schedule (RCS 10-1)
Original audio recordings cannot be
deleted/destroyed even after transcribed (upload
to a VA server)
Research Identifiers cannot be deleted/destroyed
If you are storing VA information on a University
server this language needs to be documented in
the informed consent Transfer of your
information to an affiliate server constitutes
disclosure under HIPAA. After transfer of your
information to the University affiliate server,
VA no longer owns the transferred information and
VA cedes control over the information. A HIPAA
Authorization will also need to be completed if
storing information to the University server. If
the investigator is not getting the subjects
written consent/HIPAA Authorization, but storing
information on the University server you must
have a waiver from the VA Chief Information
Officer prior to storing information outside of
the VA.
A prior written HIPAA Authorization signed by the
subject must be obtained prior to disclosing PHI
to an academic affiliate

All employees will follow clean desk practices
to protect VA sensitive information (in any form)
in uncontrolled environments and all VA sensitive
information on printouts and other media will be
kept in locked files or cabinets when not in use
VA Authorization to transport data outside of VA
property will be filled out and signed by all
parties before any VA sensitive information is
transported, transmitted, accessed, or removed
from VA property.
Privacy Practice Notice
Handbook 1605.04 indicates VHA must provide a
copy of its VHA Notice of Privacy Practices to
all non-Veteran research subjects enrolled in an
approved VHA research study with clinical trials
The non veteran patient must acknowledge receipt
of the VHA Notice of Privacy Practices during
first episode of care on VA form 10-163. After
the non-Veteran has signed the acknowledgement
form the principal investigator for the research
study will send an encrypted email to the
facility Privacy Officer with the full name of
the non-Veteran and the non-Veterans last four
of social security number

Privacy Practice Notice continue
If an acknowledgement of VHA Notice of Privacy
Practices is not received from the non-Veteran
patient, an administrative note must be entered
into CPRS or the research subjects record
indicating the good faith efforts made to obtain
the written acknowledgement and the reason(s) why
the acknowledgement was not received
Legally Authorized Representative(LAR)
Is an individual who is qualified to provide
informed consent on behalf of a prospective
research subject but may not always qualify as a
personal representative for the purposes of
consent to use or disclose a human subjects PHI
(HIPAA authorization)
Examples of LAR
Health Care agent
Legal or special guardian
Next of kin in this order spouse, child, parent,
sibling, grandparent, grandchild, or
A close friend

If an investigator wants a copy of the research
data, a request must be submitted to the Privacy
Officer prior to receiving a copy of the data
All research data is the property of the VA and
is required to stay with the VA, even after the
research study is closed

18 HIPAA Identifiers
The following identifiers of the individual or of
relatives, employers, or household
members of the individual are removed
Names
(2) All geographic subdivisions smaller than a
State, including street address, city, county,
precinct, zip code, and their equivalent
geocodes, except for the initial three digits of
a zip code if, according to the current publicly
available data from the Bureau of the Census
(a) The geographic unit formed by combining all
zip codes with the same three initial digits
contains more than 20,000 people and
(b) The initial three digits of a zip code for
all such geographic units containing 20,000 or
fewer people is changed to 000

18
(3) All elements of dates (except year) for dates
directly related to an individual, including
birth date, admission date, discharge date, date
of death and all ages over 89 and all elements
of dates (including year) indicative of such age,
except that such ages and elements may be
aggregated into a single category of age 90 or
older (4) Telephone numbers (5) Fax
numbers (6) Electronic mail addresses (7)
Social Security Numbers (8) Medical record
numbers (9) Health plan beneficiary
numbers (10) Account numbers (11) Certificate
and/or license numbers
19
(12) Vehicle identifiers and serial numbers,
including license plate numbers (13) Device
identifiers and serial numbers (14) Web
Universal Resource Locators (URLs) (15) Internet
Protocol (IP) address numbers (16) Biometric
identifiers, including finger and voice
prints (17) Full-face photographic images and
any comparable images (18) Any other unique
identifying number, characteristic, or code
20
Questions for Privacy please contact