Institutional Review Board and Research Education


Health Insurance Portability and Accountability Act – HIPAA Privacy Rule Institutional Review Board and Research Education

Who should complete this training? Required for anyone involved in the Institutional Review Board (IRB) Required for anyone involved in Human Subject Research Must complete this training prior to submitting research documents Required annually

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Federal law that applies to health care providers, health plans and health care clearinghouses (Covered Entities) Created to: Protect the privacy of health care information Improve access to health insurance Promote standardization of electronic health records and to safeguard their use

Other Privacy Laws California Privacy Laws Require reporting of intentional and unintentional breaches Misdirected mailings, faxing PHI provided to wrong parties 5 business days to report to California Department of Public Health (CDPH) and to patient Complete CDPH plan of correction documenting mitigation efforts taken Fines and Penalties may apply

Security Laws Standards - required safeguards designed to ensure the confidentiality, integrity, and availability of electronic protected health information Requires establishment of administrative, physical and technical safeguards Compliance assurance by the entire workforce

HIPAA and Research Research is subject to HIPAA and Privacy Laws if the study uses an individual's identifiable health information If data is used to identify, recruit, or enroll participants or any data gathered can identify the individual, either directly or indirectly, then HIPAA applies

IRB and the Privacy Rule The IRB will facilitate research-related privacy requirements; however, the Principal Investigator is responsible for establishing and maintaining federal and state privacy and security compliance, including maintaining appropriate documentation

Covered Entity Anyone who transmits and stores electronic health records Kaweah Delta Health Care District and all its entities and service areas are subject to Federal HIPAA, Security and Patient Privacy laws, rules and regulations

What is the Privacy Rule? Rules for Covered Entities (CE) for using and disclosing individually identifiable health information known as Protected Health Information (PHI) Protects the privacy of PHI of individuals who are living or deceased Supplements the Common Rule and the FDA’s protections for human subjects

Who is Covered? All District “workforce” All employees Independent contractors Students Residents/Medical Staff Temporary help Volunteers/Guild Clergy All contracted entities that receive PHI electronic data from the District

Protected Health Information- PHI PHI is the health and demographic information maintained by CE of individuals PHI can be transmitted or maintained electronically or in any other form (hard copy, xray films, labels, etc.) PHI can include identifiable information Pertains to past, present or future: Physical or mental health Diagnosis and/or treatment Payment for health care

Patient Personal Identifiers Treatment Dates License/Certificate number Full face photo images Other comparable images IP address URL Vehicle ID Biometric identifiers including finger & voice prints Any other unique identifying number, characteristic or code Name Address, city, zip Telephone number Fax number E-mail address Social Security number Date of Birth Account number Medical Record number Insurance plan ID

What is Covered? Treatment, Payment and Operations (TPO) Treatment - provision of Health Care Services Coordination of care with a third party Consultation between health care providers Referral of a patient to another provider Payment - activities to obtain reimbursement for care Determination of eligibility or coverage Billing and collections Disclosure to consumer reporting agency

What is Covered? Treatment, Payment and Operations (TPO) Operations – activities that make an entity a health care provider Quality improvement Credentialing and peer review Licensing Legal services, audit functions, compliance Business planning and development General administration and management Customer service/grievance resolution

Authorized Use & Disclosures Reviewing a patient’s past medical history for treatment Using “minimum necessary” information for Quality Assurance purposes (operations) Reporting cases of communicable diseases and immunizations as mandated by law Billing insurance companies for medical care (payment) Using PHI for research with patient’s authorization

Unauthorized Uses & Disclosures Using patient information for research without the patient's approval or authorization waiver Posting comments on social media about patients Discussing a patient’s HIV diagnosis with family in the room without patient permission Looking up your co-worker's lab results Emailing PHI to your personal email account

Individual Rights To receive a notice of privacy practices - how medical information about them may be used and disclosed and how they can get access To access, inspect and get a copy of their own information To amend their own PHI To receive an accounting for the past 6 years of all disclosures To request further restrictions on use and disclosures

Individual Rights Deceased individuals – ceases to be PHI 50 years after date of death Sale of PHI – prohibited without specific written patient authorization Fundraising – may be used, however patient can formally opt out Electronic records – patients can request and CE must comply Insurance billing - Patients may request that CE not bill their insurance and choose to pay out of pocket

Administrative Requirements Privacy Officer – Judy Cotta add phone # Comply with all federal/state regulations Policies and procedures Training – All workforce Safeguards to protect privacy Complaint & investigation process Sanctions for failure to comply Process to mitigate harm due to a breach Federal and State reporting of breaches

Use and Disclosure of PHI Some uses require authorization Some uses require giving the individual opportunity to agree or object Some uses continue to be required by other laws/permitted by HIPAA Other uses require the information to be “de-identified” All require only the minimum necessary PHI be accessed Balance between protecting individual health information and public health and safety needs!

HIPAA Penalties May apply to the individual, the organization and/or its officers Individuals can be found criminally liable, no grace for serious and deliberate acts State and Federal civil fines and penalties may apply Under the jurisdiction of the Office for Civil Rights, Department of Health and Human Services

HIPAA and Research Individually identifiable health information that is collected and used solely for research is NOT considered PHI Researchers obtaining PHI from a CE must obtain the subject’s authorization or must justify the exception to the requirement: Waiver of authorization Limited Data Set De-identified Data Set

HIPAA and Research Conditions under which the CE may release PHI for research purposes Authorization received by subject or subject's representative, for specific study, not for future studies Decedent research Limited Data Set De-identified Data Set Disclosures related to FDA-regulated products

Researcher’s Responsibility To obtain PHI, a researcher must provide a Letter of Approval from the IRB and one of the following: Subject’s authorization to release PHI, or Certification of Waiver by IRB Request for Limited Data Set or De-identified Data Set

IRB’s Responsibility Assure the CE that all research-related HIPAA requirements have been met: Provide letter of approval to researcher Certify and document that waiver of authorization criteria are met Review and approve all authorizations and data use agreements Retain records documenting actions taken for 6 years

Preparatory to Research Activities With prior IRB approval, permits CE to use or disclose PHI for purposes preparatory to research that include, but are not limited to, the following: Preparing a research protocol Assisting in the development of a research hypothesis Aiding in research recruitment, such as identifying prospective participants who would meet the eligibility requirements for enrollment into study

Preparatory to Research Activities Allows researcher to: Identify, but NOT contact potential study participants Review PHI in medical records or elsewhere to prepare for research Does not allow: Removal of PHI from District Emails containing PHI to be sent outside of District email accounts

Informed Consent vs Authorization Informed Consent: Description of study Discusses anticipated risk and benefits of study Describes how the confidentiality of records will be protected Agreement to participate in the study Authorization: Focus on privacy risks How, why and whom the PHI will be used/disclosed Agrees to the use/disclosure of PHI

Subject’s Authorization Must include specific elements May be part of or attached to the research consent form Must use standard IRB authorization language Original signed authorization must be retained by the CE Subject must be given a copy

HIPAA Required Authorization Elements Meaningful description of information to be used Name of persons authorized to disclose information Name of recipients of the information Description of research purpose Authorization expiration date Right to revoke authorization Disclosure of refusal consequences HIPAA protections may not apply Signature of the individual and date

HIPAA Required Authorization Expiration If the study has no expiration date, the authorization must state “no expiration date” Expiration may be a specific date or relate to the purpose, for example: “July 28, 2014” “End of the research study” “5 years after last patient is enrolled” After the stated date or event, researcher can no longer use the PHI

Authorization Waiver Investigator/researcher provides IRB approval of Authorization Waiver to CE IRB approval: IRB name, date of approval, brief description of PHI; and Statement of IRB approved Authorization Waiver under normal or expedited review; and Statement that IRB has determined that research could not be conducted without waiver and without PHI, minimum necessary data

The 30-Day Cure For failure to obtain proper authorization before beginning research, the PI must either: Obtain appropriate authorization within 30 days of identifying the problem to be able to continue the study, or Immediately destroy all affected data and specimens and obtain the correct authorization to be able to begin the research again

The 30-Day Cure For failure to obtain a waiver before beginning research, the PI must: Immediately destroy all affected data and specimens and Obtain a waiver to begin the research again These actions must be completed within 30 days of when the deficiency was discovered or should reasonably have been known. If unsure, check with the IRB office

What is Minimum Necessary? Limits unnecessary or inappropriate access to and disclosure of protected health information Requires that entity takes reasonable steps to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose

Decedent Research Provide documentation to the CE that the use or disclosure is solely for the purpose of research on decedents' PHI Similar to Authorization Waiver Represents that authorization from next of kin or legal representative may be difficult or impossible to obtain Requires review and approval by the IRB

Limited Data Set (LDS) May include: Zip code Full dates of birth or death Full dates of service City May not include: Other personal identifiers of subject, relatives, employer or household members CE does not have to account for LDS disclosures

De-identification Remove all eighteen personal identifiers of subject, relatives, employer or household members CE does not have to account for disclosures using de-identified data

Conclusion Responsibility on the CE to meet HIPAA requirements for disclosing PHI to a researcher Responsibility on the IRB to assure the CE that health information will be protected under the research protocol Does not replace Common Rule or FDA human subject protection regulations Does not override California Privacy Law

HIPAA/Privacy/Research Resources http://privacyruleandresearch.nih.gov/clin_research.asp http://privacyruleandresearch.nih.gov/pdf/HIPAA_Privacy_Rule_Booklet.pdf http://hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/research.html http://www.hhs.gov/ocr/privacy/hipaa/understanding/

Source Acknowledgements University of Florida University of California U.S. Department of Health and Human Services, National Institutes of Health Office for Civil Rights Centers for Medicare & Medicaid Services

Questions? Contact Kevin Ferguson, M.D., IRB Chairman, 559-624-5217 Contact Susan Delgado, GME Program Coordinator, 559-624-5220 Contact Judy Cotta, Compliance and Privacy Officer, 559-624-2154