HIPAA Privacy and Some Research
Maria J. Pekar, MBA, JD
Associate General Counsel
Loyola University Health System
March 27, 2019

Objectives
- Describe how the Health Insurance Portability and Accountability Act (HIPAA) applies to Loyola University Health System and you.
- List State of Illinois laws that require stricter confidentiality than described in HIPAA.
- Describe the federal rules on human subject research.
HIPAA
What is the HIPAA law?
- Allows employees to change jobs without a gap in health insurance coverage
- Standardizes electronic health care transactions
- Regulates the privacy and security of health information
- Speak to intent of the law
- Remember Arthur Ashe

A Physician’s HIPAA Hats
- Provider
- Teacher
- Researcher

Physician as Provider
- No minimum necessary requirement for treatment
- “Need to know” still applies
- Provider to provider contact may continue
- Need to account for some disclosures
- Remember state laws may be more stringent
- Still need patient consent to treat
- Incidental disclosures are OK

Physician as Teacher
- Physicians may discuss a patient’s condition during training rounds
- Physicians and students should consider surroundings during instruction
- Notes count too (students or otherwise)
- Use appropriate security for notes w/PHI
- Keep notes in confidence
- Those who have access to PHI with no direct patient contact still have to keep PHI confidential.

Physician as Researcher
- HIPAA regulates the privacy of the patient information related to research
- There are other laws that regulate the conduct of research
  - DHHS Common Rule
  - FDA Part 21
- LUMC may condition study participation on obtaining the study participant’s authorization to use and disclose PHI
  - How can you participate in a study if the Researcher can’t use your information?
- Disclosures to sponsors must be the same as what study participants have been told sponsors will receive

Electronic Environment
- Emails
  - Transmitting PHI electronically must be accomplished securely
  - Understand system-wide policy on email communications containing PHI
  - Sending unencrypted email containing PHI over the internet violates LUMC policy (including Gmail)
  - Internal communication can take place via internal email systems
  - External patient communication can take place via My Loyola, which is password protected and behind our firewall

Epic Access
- Login ID and password
- Log off or else you are accountable for inappropriate access
- Don’t share your passwords
- Avoid looking up a friend or colleague’s record out of curiosity
- Refrain from viewing a family member’s record out of concern
- Don’t look back post-service

Social Media
- No tweets, Facebook statuses or Instagram posts should contain PHI
- Don’t blog interesting cases
- Don’t upload or text pictures of patients

Best Practices in General
- Password protect phones & laptops
- Select “logon” screen savers for computers
- Avoid saving PHI to CD-ROMs, thumb or hard drives (including desktops and laptops)
- Ensure it’s OK w/the patient to discuss care w/family & friends
- Verify callers where necessary
- Avoid faxing when possible
- Don’t leave Epic print-outs in odd places
State Information Laws
State Laws
- Generally federal law “trumps” or “pre-empts” State law
- HIPAA pre-empts State law unless the State law:
  - Provides greater privacy protections to a patient’s information; OR
  - Affords greater access to information rights to a patient

State “Information” Laws
- Mental Health & Developmental Disabilities Confidentiality Act
- AIDS Confidentiality Act
- Genetic Information Privacy Act
- Medical Patient Rights Act
- Alcohol & Substance Abuse Act
- Personal Information Privacy Act
From your 2011 SEP lecture
Human Subject Research
Common Rule (1981)
- Federal law governing human subject research
- Many federal agencies follow this research rule
- Baseline standard of ethics by which any government-funded research is held
- Regulates oversight board (IRB)
- Applies to federally funded research activities
- Contains additional protections for vulnerable populations (e.g., pregnant women, children, prisoners)

FDA & Human Subjects Research
- FDA Part 21 contains many of the FDA regulations related to human subject research
- FDA mostly regulates food, drugs, cosmetics and device research
- FDA regulations parallel many sections of the Common Rule but are not identical
- IRB responsibilities are mostly consistent
- There are additional reporting responsibilities too

Institutional Review Board
- Committee formally designated to approve, monitor and review research involving humans
- They conduct some form of risk-benefit analysis
- Number one priority is to protect human subjects from physical or psychological harm
- Determines whether study requires full board or expedited review or is exempt

Principal Investigator Role
- May design a protocol or conduct an externally sponsored study
- Responsible for ensuring: the protocol is followed; informed consent is obtained; subjects are protected; and, investigational product/device is controlled
- Common Rule, unlike FDA rules, does not directly address PI responsibilities

Medical Student as Researcher
- Possible Research Role
  - Collect or coordinate research data
  - Identify and compile lists of potential research subjects in accordance with study objectives
  - Review or edit data for completeness and accuracy
- Integrity of study results depends on data collection
- Professional competency may be enhanced by understanding evidence-based medicine

Summary
- Patients have a Federal right to privacy
- State laws may afford greater protections
- Research is regulated; know the rules
https://www.youtube.com/watch?v=915YsKGvHec&feature=youtu.be
Questions?