HIPAA Privacy & Security: Medical Research Context

Slides:



Advertisements
Similar presentations
Fourth National HIPAA Summit April 26, 2002 Implementation of a HIPAA Data Management Strategy Safeguarding privacy interests while making data available.
Advertisements

Presented to Second Annual Medical Research Summit Washington, D.C. by Mark Barnes ROPES & GRAY March 25, 2002 APPLICABILITY OF HIPAA TO RESEARCH AND CLIINICAL.
Advanced Issues in HIPAA Research Compliance The Sixth National HIPAA Summit March 27, 2003 Kim P. Gunter Senior Consultant.
SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
HIPAA, Privacy & Confidentiality Local Accountability for Research Protection in VA Facilities VA Office of Research & Development Baltimore, February.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
HIPAA Requirements for Patient Oriented Research
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
Informed Consent.
 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
HIPAA Training Presentation for New Employees How did we get here? HIPAA Police 1.
Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.
University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.
1 HIPAA, Researchers and the IRB: Part Two Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.
HIPAA, Researchers and the IRB Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.
HIPAA Health Insurance Portability & Accountability Act of 1996.
Health Insurance Portability and Accountability Act (HIPAA)
Paula Peyrani, MD Medical/Project Director, HIV Program at the 550 Clinic Assistant Director, Research Design and Development Clinical and Translational.
HIPAA Business Associates Leadership Group Meeting June 28, 2001.
1 Research & Accounting for Disclosures March 12, 2008 Leslie J. Pfeffer, BS, CHP Office of the Vice President for Research Administration Office of Compliance.
Revised February 4, Health Insurance Portability and Accountability Act (HIPAA) HIPAA Privacy Rule: UCSF Education Module for Researchers, Research.
1 HIPAA OVERVIEW ETSU. 2 What is HIPAA? Health Insurance Portability and Accountability Act.
HIPAA Privacy and Research August 21, 2015
Health Insurance Portability and Accountability Act (HIPAA)
Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be.
PwC Tissue Banking and Repositories – Human Subject Protections Privacy Protections Medical Research Summit Tom Puglisi, Ph.D. Friday March 7 – 9:15 am.
HIPAA and Research Basics for IRB Tim Atkinson Director, Research and Sponsored Programs Director, Institutional Review Board Research Privacy Officer.
HIPAA – How Will the Regulations Impact Research?.
HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.
Privacy and Confidentiality. Definitions n Privacy - having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally,
Health Insurance Portability and Accountability Act (HIPAA) CCAC.
FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.
1 HIPAA Compliance Strategies for Pharmaceutical Manufacturers, PBMs and Pharmacies Jean-Paul Hepp, Ph.D. Director, Global Privacy HIPAA Colloquium Harvard.
University of Pennsylvania Health System 1 Session 3.02: Case Studies in Clinical Research Compliance Russell M. Opland, M.P.H., EMT-P Chief Privacy Officer.
Health Insurance portability and Accountability Act (HIPAA)‏
A Road Map to Research at Jefferson: HIPAA Privacy and Security Rules for Researchers Presented By: Privacy Officer/Office of Legal Counsel October 2015.
HIPAA and Human Subjects Research IRB Member CE May 2014 Slideshow by Sean Horkheimer.
06/20/03- revised1 Health Insurance Portability and Accountability Act (HIPAA) HIPAA Privacy Rule: UCSF Education Module for Researchers, Research Administrators,
 Epidemiology -- Research – or Not Research? Medical Research Summit March Tom Puglisi, PhD.
Configuring Electronic Health Records Privacy and Security in the US Lecture b This material (Comp11_Unit7b) was developed by Oregon Health & Science University.
HIPAA The Health Insurance Portability and Accountability Act of 1996 (Public Law ) Impact on Pathologist Trina Shanks University Pathology Services,
1 The Impact of HIPAA on US Biomedical Research Presented To The: HIPAA SUMMIT Washington, DC March 28, 2003 Oliver Johnson, Chief Privacy Officer Merck.
Copyright © 2002 PricewaterhouseCoopers LLP 1 HIPAA Privacy Modification Rule - Final Harvard Colloquium August 21, 2002 Tom Hanks Director Client Services.
PwC Issues in HIPAA Research Compliance William R. Braithwaite, MD, PhD “Dr. HIPAA” HIPAA Summit 6 Washington, DC 27 March 2003.
Final HIPAA Privacy Rule: The Research Provisions Julie Kaneshiro DHHS Office for Human Research Protections Phone: Fax:
HIPAA and RESEARCH 5 th Thursday May 31, Page 2.
HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.
HIPAA 2017 JHSPH IRB Clarifications and Changes
Institutional Review Board and Research Education
Winter 2008 HIPAA, Privacy & Confidentiality.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
The HIPAA Privacy Rule: Implications for Medical Research
HIPAA Administrative Simplification
Disability Services Agencies Briefing On HIPAA
The HIPAA Privacy Rule and Research
Impact of the HIPAA Privacy Rule on Human Subject Research
National Congress on Health Care Compliance
Issues in HIPAA Research Compliance
Analysis of Final HIPAA Privacy Modification Rule
The Health Insurance Portability and Accountability Act
Office of the Vice President for Research Human Subjects Protection Program IRB Submission Process Module 4 - Health Insurance Portability and Accountability.
The Health Insurance Portability and Accountability Act
Presentation transcript:

HIPAA Privacy & Security: Medical Research Context Medical Research Summit Washington, DC March 25, 2002 Bill Braithwaite, MD, PhD Director Pwc

The Privacy Rule: Research Provisions Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. (Definition from the ‘Common Rule’) Debate about effect of new federal medical privacy rule on research: 2 articles in January 17, 2002 issue of NEJM Opposing viewpoints well expressed.

Debate over privacy rule - CON: Complex, burdensome, and costly Ambiguous Too specific (de-identification, notices, and authorizations) Fear of liability – enforcement (potential suspension of research programs) Unnecessary (no research breaches) Need new comprehensive health information privacy law. PRO: Inform patients, give them control, restore trust High level of public concern about research and medical records. More people will be willing to participate in confident No HIPAA provisions impede research - reasonable Clarifications may be needed

Types of Research Two forms of research are affected: Research that only uses protected health information (PHI) either with or without individual authorization. Research that includes treatment of research participants.

“Covered Entities” Health care providers Health plans who transmit health information in electronic form in connection with a HIPAA transaction, Including providers who disclose information to researchers. Including researchers who provide treatment to research participants. Health plans Health care clearinghouses

Covered Information Individually identifiable health information, in any form or medium, that is created or received by a health care provider, health plan, employer or health care clearinghouse. Becomes PHI in hands of ‘covered entity’ De-identified health information is NOT covered.

Using PHI for Research Purposes 5 ways PHI can be used for research: De-identified PHI PHI with IRB/Privacy Board waiver PHI for research protocol preparation PHI of deceased PHI with authorization of subject plus, Healthcare Operations, Public Health, and as otherwise required by law (registry, reportable).

De-identified Information A covered entity may determine health information is not individually identifiable under two circumstances… The ‘statistical’ method The ‘safe harbor’ method

‘Statistical’ De-identification A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that : the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual; OR…

‘Safe Harbor’ De-identification Identifiers are removed: Names Geographic subdivisions smaller than a State (except 3 digit zips) All elements of date (except year) for dates directly related to the individual Telephone numbers Fax numbers Electronic mail addresses SSNs Medical record numbers Health plan beneficiary numbers Account numbers Certificate/license numbers VIN and serial numbers, license plate number Device identifiers and serial numbers URLs Internet Protocol address numbers Biometric identifiers Full face photographic images and any comparable images Any other unique identifying number, characteristic or code

PLUS… The covered entity must not have actual knowledge that the information can be used alone or in combination with other information to identify the individual. De-identified information may include: re-identification codes ages (<90) date differences (e.g. LOS, time since diagnosis)

Research Use and Disclosure of PHI WITHOUT Individual Authorization Permissible under three circumstances: obtain documentation that an IRB or privacy board has determined specified criteria for a waiver were satisfied; obtain representation that the use or disclosure is necessary to prepare a research protocol or for similar purposes preparatory to research; obtain representation that the use or disclosure is solely for research on decedents’ PHI.

8 Waiver Criteria (1st 3 same as Common Rule) Use or disclosure involves no more than minimal risk to the individuals; Waiver will not adversely affect the privacy rights and the welfare of the individuals; Research could not practicably be conducted without the waiver; Research could not practicably be conducted without access to and use of the PHI; Privacy risks are reasonable in relation to the anticipated benefits, if any, to individuals, and the importance of the knowledge that may result;

8 Waiver Criteria (continued) There is an adequate plan to protect the identifiers from improper use and disclosure; There is an adequate plan to destroy the identifiers at the earliest opportunity, unless there is a health or research justification for retaining the identifiers or if otherwise required by law; and There are adequate written assurances that the PHI will not be reused or disclosed, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by the rules.

Research Use and Disclosure of PHI WITH Individual Authorization The Privacy Rule does not override the Common Rule or FDA’s human subjects regulations. For research that is subject to the Privacy Rule and above, both individual authorization AND informed consent are required. May be in same document.

Requirements for Individual Authorization If initiated by the prospective research subject, must contain 8 core elements. If initiated by the covered entity for its own uses and disclosures (e.g., for research), must contain the 8 core elements plus 4 additional elements.

8 Core Elements of Authorization A specific and meaningful description of the information to be used or disclosed; The name or other specific identification of those authorized to make the requested use or disclosure; The name or other specific identification of those to whom the covered entity may make the requested use or disclosure; An expiration date or an expiration event; Event may be the termination of the research study

8 Core Elements of Authorization A statement of the individual’s right to revoke the authorization; A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure and no longer protected by [HIPAA]; Signature of the individual and date; and If the authorization is signed by a personal representative, a description of the authority to act for the individual.

4 Additional Elements (when entity asks for authorization) a statement that the covered entity will not condition treatment on the individual's providing authorization for the requested use or disclosure; Unless treatment is research related a description of each purpose of the requested use or disclosure; a statement that the individual may: Inspect or copy the PHI to be used or disclosed, and Refuse to sign the authorization; and if use or disclosure of the requested information will result in direct or indirect remuneration to the covered entity from a third party, a statement that such remuneration will result.

Research Use and Disclosure of PHI for Research that Involves Treatment Researcher must obtain research subjects’ authorization for any uses or disclosures of “research PHI” not permitted by the Rule without authorization. Authorization for research that involves treatment must include three elements:

Three authorization elements for Research involving Treatment A description of the extent to which such PHI will be used or disclosed to carry out treatment, payment or health care operations; A description of any PHI that will not be used or disclosed for purposes permitted by the privacy rule without individual authorization; and If a consent for TPO has been/will be obtained, or a notice of privacy practices has been/will be provided, must state that this research authorization is binding.

Options for Research Authorization Research authorization may be in the same document as: The informed consent document; A consent to use or disclose PHI to carry out TPO; A notice of privacy practices. Disclosures for research must be accounted for, and revealed to individual when asked.

Individual Access In general, research participants have a right to access PHI about themselves in designated record sets, except: If a covered entity is subject to CLIA and state law prohibits individuals from obtaining access; If a covered entity is exempt from CLIA; i.e some research laboratories; While a trial is in progress, if the individual has agreed, and has been informed that their right of access will be reinstated at the end of the research. If research information is NOT in a DRS.

Designated Record Set A group of items of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity that is: The medical records and billing records about individuals maintained by or for a covered health care provider; The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or Used, in whole or in part, by or for the covered entity to make decisions about individuals.

Definition of Data Aggregation Data aggregation means the combining of PHI by a business associate with the PHI received from other covered entities, to permit data analyses that relate to the health care operations of the respective covered entities.

Health Care Operations examples outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies. population-based activities relating to: improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives. evaluating performance of providers and plans. training programs. accreditation, certification, licensing, or credentialing.

Privacy and Security Regulation Schedule Final Privacy Rule Compliance date April 14, 2003. Likely NPRM with modifications “soon.” Final Security Rule Likely publication in Summer 2002. Likely compliance date Summer 2004. Privacy rule requires some security ‘now’ “covered entity must reasonably safeguard PHI.”

Questions? William.R.Braithwaite@us.PwCglobal.com http://www.pwchealth.com/hipaa.html http://aspe.hhs.gov/admnsimp http://www.hhs.gov/ocr/hipaa