HIPAA%20Privacy%20Rule - PowerPoint PPT Presentation

About This Presentation
Title:

HIPAA%20Privacy%20Rule

Description:

HIPAA Privacy Rule Standards for Privacy of Individually Identifiable Health Information 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf (2.5 MB) – PowerPoint PPT presentation

Number of Views:99
Avg rating:3.0/5.0
Slides: 20
Provided by: Office379
Learn more at: http://www.bgsu.edu
Category:

less

Transcript and Presenter's Notes

Title: HIPAA%20Privacy%20Rule


1
HIPAA Privacy Rule
  • Standards for Privacy of Individually
    Identifiable Health Information
  • 45 CFR 160 and 164
  • http//www.hhs.gov/ocr/combinedregtext.pdf (2.5
    MB)

2
Privacy Rule
  • Establishes requirements relative to the use and
    disclosure of protected health information (PHI).
    This includes uses in and disclosures for
    research purposes.
  • A covered entity may not use or disclose
    protected health information except as otherwise
    permitted or required 45 CFR 164.502
  • Covered entities must be in compliance by April
    14, 2003
  • DHHS Office of Civil Rights is responsible for
    enforcement

3
Definitions
  • Covered entity
  • Health plan
  • Health care clearinghouse
  • Health care provider who transmits any health
    information in electronic form in connection with
    transactions covered by the rule
  • Health care claims, Health care payment
    remittance advice, Coordination of benefits,
    Referral certification authorization, Health
    care claim status, Enrollment/disenrollment in
    health plan, Eligibility for health plan, Premium
    payments, First injury reports, Health claim
    attachments, Anything else the Secretary
    prescribes via regulation

4
Definitions
  • Protected Health Information (PHI)
  • Individually identifiable health information that
    is
  • Transmitted by electronic media (e.g., internet,
    intranet, tape, disc, compact disc)
  • Maintained in electronic medium (e.g., tape,
    disc, compact disc)
  • Transmitted or maintained in any other form or
    medium
  • Note de-identified information is not PHI

5
Definitions
  • Individually Identifiable Health Information
  • Created or received by a health care provider,
    health plan, employer or health care clearing
    house and
  • Relates to past, present or future physical or
    mental health condition of an individual
    provision of health care to an individual or
    past, present or future payment for provision of
    health care of an individual and
  • Identifies the individual or
  • For which there is a reasonable basis to believe
    the information can be used to identify the
    individual

6
Definitions
  • Health Information
  • Any information, whether oral or recorded in any
    form or medium that
  • Is created or received by a health care provider,
    health plan, public health authority, employer,
    life insurer, school or university, or health
    care clearinghouse and
  • Relates to the past, present, or future physical
    or mental health or condition of an individual
    or the past, present or future payment for the
    provision of health care to the individual
  • Research
  • A systematic investigation, including research
    development, testing and evaluation, designed to
    develop or contribute to generalizable knowledge.

7
Research Use
  • 4 pathways for permission to use PHI for research
    related purposes
  • With Authorization from Patient
  • Without Authorization from Patient
  • Waiver of Authorization by IRB or Privacy Board
  • Reviews Preparatory to Research
  • PHI of Decedents
  • Limited Data Set and Data Use Agreement
  • De-identified Data

8
Research Use With Authorization
  • Authorization must have
  • At least the following core elements
  • Description of information to be used
  • Name of persons authorized to make the use or
    disclosure
  • Name of persons to whom the covered entity may
    make the use or disclosure
  • Description of each purpose of the use or
    disclosure
  • An expiration date or event
  • End of the research study or none are
    acceptable for research purposes
  • Signature of the individual and date

9
Research Use With Authorization
  • Authorization must include
  • The following statements
  • Individuals right to revoke the authorization in
    writing and exceptions to the right to revoke and
    a description of how the individual may revoke
    the authorization
  • Ability or inability to condition treatment,
    payment, enrollment or eligibility benefits on
    the authorization
  • Potential for information disclosed pursuant to
    the authorization to be subject to redisclosure
    and no longer protected

10
Research Use With Authorization
  • The authorization must be written in plain
    language
  • The authorization must be provided to the
    individual as a signed copy for them to keep.
  • The authorization may be combined with any other
    type of written permission for the same research
    study, such as a consent to participate in
    research.

11
Research Use W/out Authorization
  • Documented Waiver by IRB or Privacy Board,
    including
  • ID of IRB and approval date of the waiver
  • Statement that IRB has determined waiver
    satisfies 3 criteria
  • Use/disclosure involves no more than minimal risk
    to the individual
  • Adequate plan exists to protect identifiers from
    improper use or disclosure
  • Adequate plan exists to destroy identifiers at
    earliest opportunity consistent with conduct of
    research unless there is justification to retain

12
Research Use W/out Authorization
  • Documented Waiver by IRB or Privacy Board
  • Adequate written assurances that the PHI will not
    be reused or disclosed to anyone else or for
    other research
  • The research could not be practicably carried out
    without the waiver
  • The research could not be practicably carried out
    without access to the PHI
  • Brief description of the PHI for which the
    use/access is necessary
  • Statement that the waiver has been reviewed under
    normal or expedited review procedures
  • Signature of IRB Chair or other member, as
    designated by the Chair

13
Research Use Reviews Preparatory to Research
  • Requires representation (orally or in writing)
    from researcher that
  • The use/disclosure of PHI is solely for research
    protocol preparation and,
  • The researcher will not remove any PHI from the
    covered entity and,
  • The PHI for which access is sought is necessary
    for the research purpose.

14
PHI of Decedents
  • Requires representation (orally or in writing)
    from researcher that
  • The use/disclosure sought is solely for research
    on the PHI of decedents and,
  • The PHI for which access is sought is necessary
    for the research purpose and,
  • At the request of the covered entity,
    documentation of the death of the individuals
    about whom the information is sought.

15
Limited Dataset Use
  • Requires data use agreement between covered
    entity and researcher.
  • Covered entity may disclose a limited data set to
    the researcher
  • Data set excludes specific direct identifiers of
    the individual or of relatives, employers, or
    household members of the individual

16
Limited Dataset Use
  • Data use agreement must
  • Establish permitted uses of the data set
  • Limit who can use or receive the data
  • Requires recipient to agree to
  • No use/disclose the information other than as
    permitted in agreement
  • Use appropriate safeguards to present
    use/disclosure other than permitted in agreement
  • Report to covered entity any use/disclosure not
    provided for by agreement that recipient becomes
    aware of
  • Ensure that any agents to whom recipient provides
    the data set agrees to same restrictions and
    conditions
  • Not identify the information or contact the
    individual.

17
Limited Dataset Use
  • Data set must exclude variety of direct
    identifiers of the individual, relatives,
    employers or household members
  • Names, addresses other than city, state zip
    code, telephone numbers, email addresses,
    SSNs,medical record numbers, health plan
    beneficiary numbers, account numbers,
    certificate/license numbers, VINs, license plate
    numbers, device identifiers and serial numbers,
    web URLs, IP addresses, biometric identifiers,
    full face photographic images

18
De-identified data - Requirements
  • Determination or documentation by a person with
    appropriate knowledge of and experience with
    generally accepted statistical and scientific
    principles and methods for rendering information
    not identifiable that the risk is very small
    that the information could be used to identify an
    individual
  • OR

19
De-identified data - Requirements
  • Removal of elements related to the individual,
    relatives, employers or household members
  • Names, geographic subdivisions smaller than a
    state except for first 3 zip code digits (if all
    zip codes with those 1st 3 digits contain gt20,000
    people), all elements of dates (except year)
    directly related to individual (birth, admission,
    discharge, death), all ages over 89 and all
    elements of dates (including year) indicative of
    such age (can aggregate into single category of
    age 90 and older) and
  • All those elements excluded from Limited Data
    Sets, and
  • Any other unique identifying number,
    characteristic or code, except as permitted for
    re-identification by the covered entity
Write a Comment
User Comments (0)
About PowerShow.com