Minding HIPAA & IRBs Cave Fatuis!
Elements
HIPAA definitions of identifiable data
Reducing risk of identifying people
Research and IRB approval
Business Associate Agreements
Data protection
Example of a GIS-web NO NO
HIPAA
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
–“Covered Entities”: health plans, health care clearinghouses, health care providers
–Protected Health Information
–Treatment, Payment and Healthcare Operations
Department of Health and Human Services National Standards to Protect the Privacy of Personal Health Information.
HIPAA Research Resources
Research
Can use protected Health Information if:
–Obtain authorization from each patient
–Have IRB or Privacy Board authorization waiver
–Receive only a limited data set under a DUA with certain PHI elements removed
–Use completely de-identified data
–Are doing research preparation and need PHI data for this purpose
Research & IRB
Independent researchers are not subject to the HIPAA Privacy Rule even with identifiable protected health information
–A critical point of the Privacy Rule is that it applies only to individually identifiable health information held or maintained by a covered entity or its business associate acting for the covered entity. Individually identifiable health information that is held by anyone other than a covered entity, including an independent researcher who is not a covered entity, is not protected by the Privacy Rule and may be used or disclosed without regard to the Privacy Rule. There may, however, be other Federal and State protections covering the information held by these entities that limit its use or disclosure.
Your problem may be from IRB and Human Protections enforcement
Identifying data features
Identifying data
A covered entity may use statistical methods to establish de-identification without removing all 18 identifiers
Can keep unique patient codes so long as they cannot be translated in a way that identifies patients
Business Associates can be given role of de-identifying data
Research & IRB
Research Use Without Authorization
–Waiver of authorization approved by an Institutional Review Board (IRB) or a Privacy Board
–Researchers unable to use de-identified information and it is not practicable to obtain research participants' authorization
–IRB/privacy board approval requirements and criteria very prescriptive
Research & IRB
Q: Does the Privacy Rule permit the creation of a database for research purposes through an IRB or Privacy Board waiver of individual authorization?
A: Yes. A covered entity may use or disclose PHI without individuals' authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB or Privacy Board has determined that the specified waiver criteria were satisfied. PHI maintained in such a research database could be used or disclosed for future research studies as permitted by the Privacy Rule - that is, for future studies in which individual authorization has been obtained or where the rule would permit research without an authorization, such as pursuant to an IRB or Privacy Board waiver.
Research & IRB
Certificate of Confidentiality
–Protects against forced disclosure of data
–For HHS conducted or supported research
Limited Data Sets & DUAs May not need an Authorization Waiver from an IRB or Privacy Board if you can work with PHI data that has the following removed:
Business Associate Agreement
Contract
Business Associate
–will use the information only for the purposes for which they were engaged by the covered entity
–safeguard the information from misuse
–PHI disclosed to a business associate only to help providers/plans carry out their health care functions - not for independent use by the business associate
–Not for research purposes for external consumption
BAA, cont’d
Because a Business Associate receives protected health information to do work for a covered entity, the privacy rule still applies
Covered entity is not liable for privacy violations of a business associate
Data Protection within GIS
HIPAA rules, in an attempt to clarify what constitutes personal "identifiable" information, define data items such as a street address, ZIP Code, or an "equivalent geocode" as identifiable information that is subject to "de-identification."
There is no Federal guidance about geographically displaying patient data and risk of identifying individuals
What we did
No patient names are attached to data or addresses;
Pin-mapping will be used rarely, and to prevent identification of patient homes, address dots will be mapped on street segments within a range of addresses and will be deliberately and randomly offset a distance of 0.1 mile from the actual location;
No pin-mapping of disease specific data will be produced, only choropleth (census locations such as tracts or block groups, shaded to indicate statistic) maps of aggregate rates will be used.
To prevent discovery in areas of extremely low population density, homes in census tracts or smaller geographical units with fewer than four diagnoses-cases will not be mapped (per Alpert and Haynes, 1994);
What we did
All disease diagnoses will be ranked by frequency in a given patient population (highest to lowest) and the lowest 5% will be reassigned dummy variables to prevent the possibility of mapping rare diagnoses which may be more identifiable;
We have developed a written data-sharing agreement for clinics and/or clinic systems who share data with us. This basic protocol (attached) may be modified (analyses made less revealing) to accommodate clinic concerns and will govern how data is used and published.
Maps of diagnoses-data analyses will require review by relevant CHC advisory board(s) prior to publication.
Based on extensive review, we believe this protocol is a higher standard than those used in South Carolina, Maryland (specifically Baltimore), and the District of Columbia as noted above.
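The masking steps in the protocol above (random 0.1 mile offset, no mapping of tracts with fewer than four cases, dummy codes for the rarest 5% of diagnoses), sketched in Python as an added example; it is not the authors' code. The record fields, the `DUMMY` label, rounding the 5% cut up to at least one code, and the sample coordinates are assumptions made for illustration, and snapping dots to street segments is left out.

```python
import math
import random
from collections import Counter

OFFSET_MILES = 0.1         # displacement distance stated in the protocol
MIN_CASES_PER_TRACT = 4    # tracts with fewer cases are not mapped
RARE_FRACTION = 0.05       # lowest 5% of ranked diagnoses get a dummy code
MILES_PER_DEG_LAT = 69.0   # approximation, adequate for a 0.1 mile shift

# Constructed sample (tract, lat, lon, diagnosis); not real patient data.
SAMPLE = [dict(zip(("tract", "lat", "lon", "dx"), row)) for row in [
    ("T1", 39.30, -76.61, "A"), ("T1", 39.31, -76.60, "A"),
    ("T1", 39.30, -76.62, "B"), ("T1", 39.29, -76.61, "B"),
    ("T1", 39.31, -76.62, "C"),
    ("T2", 39.35, -76.70, "A"), ("T2", 39.36, -76.71, "B"),
]]

def offset_point(lat, lon, rng):
    """Move a point OFFSET_MILES in a uniformly random direction."""
    bearing = rng.uniform(0.0, 2.0 * math.pi)
    dlat = OFFSET_MILES * math.cos(bearing) / MILES_PER_DEG_LAT
    dlon = OFFSET_MILES * math.sin(bearing) / (
        MILES_PER_DEG_LAT * math.cos(math.radians(lat)))
    return lat + dlat, lon + dlon


def rare_diagnoses(records):
    """Codes in the lowest 5% of the frequency ranking (ties broken arbitrarily)."""
    counts = Counter(r["dx"] for r in records)
    ranked = [code for code, _ in counts.most_common()]  # highest to lowest
    n_rare = math.ceil(len(ranked) * RARE_FRACTION)      # assumption: round up
    return set(ranked[len(ranked) - n_rare:])


def mask_records(records, rng=None):
    """Apply small-cell suppression, rare-code masking and the point offset."""
    rng = rng or random.SystemRandom()  # OS entropy: offsets not replayable from a seed
    rare = rare_diagnoses(records)
    per_tract = Counter(r["tract"] for r in records)
    masked = []
    for r in records:
        if per_tract[r["tract"]] < MIN_CASES_PER_TRACT:
            continue  # fewer than four cases in the tract: do not map
        lat, lon = offset_point(r["lat"], r["lon"], rng)
        masked.append({"tract": r["tract"], "lat": lat, "lon": lon,
                       "dx": "DUMMY" if r["dx"] in rare else r["dx"]})
    return masked
```

Mask each record once and store the result: re-randomising the offset for every published map leaves several dots on the same 0.1 mile circle around the true address.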
What others are doing
Jefferson County, Kentucky
–In conjunction with U of Louisville Math Dept (Jennifer Ferrell)
–Geographic Masking
Displacement by Translation, Rotation, Change of Scale (common options)
Random perturbation—random displacement in random direction (50 feet) was better method
–SAS with SAS Bridge to ESRI
#1 vote-getter in priority issues for GIS in cancer control: Develop methods to ensure privacy and confidentiality while allowing access, especially with small data sets. Encourage collaborations among agencies, ethicists, HIPAA specialists, "maskers" to reduce ethical barriers to sharing data.
FIGURE 2 —Distribution of clients of the Men’s Health Center in Baltimore City, Maryland. Source. Map courtesy of Baltimore City Health Department. May 2003, Vol 93, No. 5 | American Journal of Public Health © 2003 American Public Health Association