HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT With regard to research use…. The effective date was April 14, 2003 The Act establishes the conditions under which Protected Health Information may be used or disclosed by covered entities for research purposes

COVERED ENTITY A health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard. (YU, MMC, HHC, & the offices of private physicians are all covered entities)

HEALTH INFORMATION Any information, whether oral or recorded, in any form or medium, that relates to past, present, or future physical or mental health or condition of an individual or to the provision of health care to an individual.

In the course of conducting research, researchers my obtain, create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without authorization under limited circumstances set forth in the Privacy Rule.

In providing authorization, individuals must be informed of the uses and disclosures of their health information (what information will be used, for what purpose, and by whom) and their rights, including their right to access information about them held by covered entities.

AUTHORIZATION FORM YU and MMC have agreed that, for the first year, a separate authorization form will be used. Consideration will be given in the future to combining the two documents. Generally, researchers will conduct the informed consent process and then explain the authorization form

CORE ELEMENTS OF AN INDIVIDUAL AUTHORIZATION A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. The name or other specific identification of the person or class of persons authorized to make the requested use or disclosure An expiration date or an expiration event (such as “never” or “end of research study”) that relates to the individual or the purpose of the use or disclosure

A statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization If authorization is revoked, information that was already collected may still be used and disclosed to others, if the researchers have relied on it to complete and protect the validity of the research.

A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by the privacy rule The informed consent lists all entities to whom information may be sent. These entities are asked to maintain confidentiality. However, if information is sent to a non-covered entity, it is no longer protected by the privacy rule.

If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual Only a legally appointed representative can provide authorization. This must be documented in the research record.

The Authorization Form on the AECOM CCI home page contains all the required core elements, including ‘help text.’ Modification or use of another model requires IRB review prior to use. The signature of the person obtaining the authorization does not need to be included. The research participant must be given a copy of the signed authorization form.

ACCOUNTING FOR RESEARCH DISCLOSURES In general, the Privacy Rule gives individuals the right, on request, to receive an accounting of certain disclosures of protected health information made by a covered entity. This must include specified information regarding each disclosure. Researchers must be able to disclose what was sent, when it was sent, and to whom it was sent. A more general accounting is permitted for subsequent multiple disclosures to the same person or entity for a single purpose.

DELAYED ACCESS TO RESEARCH RECORDS The Privacy Rule permits suspension of the participant’s access rights while a clinical trial is in progress, provided that the participant agrees to this denial of access when consenting to participate. The participant must be informed that the right to access information will be reinstated at the conclusion of the trial.

TRANSITION PROVISIONS A covered entity may use and disclose protected health information that was created or received for research purposes, either before or after the compliance date, if the covered entity obtained any one of the following prior to the compliance date: An authorization or other express legal permission from an individual to use or disclose Protected Health Information for the research; The informed consent of the individual to participate in the research; or A waiver of informed consent by an IRB.

INDIVIDUALS ENROLLED IN RESEARCH BEFORE THE COMPLIANCE DATE AUTHORIZATION MUST BE OBTAINED IF… The patient is to be reconsented A waiver of informed consent was obtained prior to the compliance date, but informed consent subsequently is sought after the compliance date.

RESEARCH USE/DISCLOSURE WITHOUT AUTHORIZATION

ALTERATION OR WAIVER OF RESEARCH PARTICIPANTS’ AUTHORIZATION Documentation is required that the use or disclosure of information for research purposes has been approved by an IRB under normal or expedited review, with Identification of the IRB Statement by IRB that the alteration or waiver satisfies the three criteria in the Rule A brief description of the protected health information Signature of the IRB Chair or designee

ALTERATION OR WAIVER OF AUTHORIZATION THE IRB MUST AGREE THAT THE FOLLOWING THREE CRITERIA HAVE BEEN MET: (1) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

An adequate plan to protect the identifiers from improper use and disclosure; An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and

Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;

(2) The research could not practicably be conducted without the waiver or alteration; and (3) The research could not practicably be conducted without access to and use of the protected health information.

USE OF DE-IDENTIFIED DATA De-identified health information is not protected health information, and thus is not protected by the Privacy Rule A covered entity may always use or disclose for research purposes health information that has been de-identified, either by statistical verification or by removing certain pieces of information

ELEMENTS THAT MUST BE DELETED TO QUALIFY AS DE-IDENTIFIED DATA Name Address Employer Relative’s names All elements of dates (year OK*) Telephone and fax numbers E-mail addresses Social Security Number Member or Account Number Certificate/license number Voice/fingerprints, photos, or other number, code, or characteristics *All ages over 89 must be recorded as “age 90 or older”

EXEMPTIONS FROM HIPAA AUTHORIZATION Use of PHI preparatory to research Research on protected health information of decedents Use of a limited data set

USE OF PROTECTED HEALTH INFORMATION PREPARATORY TO RESEARCH The use or disclosure is solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research (such as to aid study recruitment). The PHI cannot be removed from the covered entity. The PHI for which use or access is requested is necessary for the research.

RESEARCH ON PROTECTED HEALTH INFORMATION OF DECEDENTS The use of disclosure is sought solely for research on the PHI of decedents. The use or disclosure is necessary for the research purposes. Documentation will be obtained, at the request of the covered entity, of the death of the individuals whose PHI is sought by the researchers.

LIMITED DATA SET A Limited data set is the same as a de-identified data set except that the following data elements ARE allowed: Zip code City, State Date of Birth, and other dates. A Data Use Agreement is required. It is the means by which covered entities obtain assurances that the recipient of the limited data set will use or disclose the PHI in the data set only for specified purposes.

DATA USE AGREEMENT Must contain the following provisions: Include specific permitted uses and disclosures of the limited data set by the recipient consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the Privacy Rule). Identify who is permitted to use or receive the limited data set.

DATA USE AGREEMENT Stipulates that the recipient will - Not use or disclose the information other than permitted by the agreement or otherwise required by law. Use appropriate safeguards to prevent the use or disclosure of the information, except as provided for in the agreement, and require the recipient to report to the covered entity any uses or disclosures in violation of the agreement of which the recipient becomes aware. Hold any agent of the recipient (including subcontractors) to the standards, restrictions and conditions stated in the data use agreement with respect to the information. Not identify the information or contact the individuals.