HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf.


Privacy Rule
- Establishes requirements relative to the use and disclosure of protected health information (PHI). This includes uses in and disclosures for research purposes.
  - “A covered entity may not use or disclose protected health information except as otherwise permitted or required” – 45 CFR
- Covered entities must be in compliance by April 14, 2003
- DHHS Office of Civil Rights is responsible for enforcement

Definitions
- Covered entity
  - Health plan
  - Health care clearinghouse
  - Health care provider who transmits any health information in electronic form in connection with transactions covered by the rule:
    - Health care claims, Health care payment & remittance advice, Coordination of benefits, Referral certification & authorization, Health care claim status, Enrollment/disenrollment in health plan, Eligibility for health plan, Premium payments, First injury reports, Health claim attachments, Anything else the Secretary prescribes via regulation

Definitions
- Protected Health Information (PHI)
  - Individually identifiable health information that is
    - Transmitted by electronic media (e.g., internet, intranet, tape, disc, compact disc)
    - Maintained in electronic medium (e.g., tape, disc, compact disc)
    - Transmitted or maintained in any other form or medium
  - Note – de-identified information is not PHI

Definitions
- Individually Identifiable Health Information
  - Created or received by a health care provider, health plan, employer or health care clearinghouse and
  - Relates to past, present or future physical or mental health condition of an individual; provision of health care to an individual; or past, present or future payment for provision of health care of an individual and
    - Identifies the individual; or
    - For which there is a reasonable basis to believe the information can be used to identify the individual

Definitions
- Health Information
  - Any information, whether oral or recorded in any form or medium that
    - Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and
    - Relates to the past, present, or future physical or mental health or condition of an individual; or the past, present or future payment for the provision of health care to the individual
- Research
  - A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.

Research Use
- 4 pathways for permission to use PHI for research related purposes
  - With Authorization from Patient
  - Without Authorization from Patient
    - Waiver of Authorization by IRB or Privacy Board
    - Reviews Preparatory to Research
    - PHI of Decedents
  - Limited Data Set and Data Use Agreement
  - De-identified Data

Research Use – With Authorization
- Authorization must have:
  - At least the following core elements:
    - Description of information to be used
    - Name of persons authorized to make the use or disclosure
    - Name of persons to whom the covered entity may make the use or disclosure
    - Description of each purpose of the use or disclosure
    - An expiration date or event; “End of the research study” or “none” are acceptable for research purposes
    - Signature of the individual and date

Research Use – With Authorization
- Authorization must include:
  - The following statements:
    - Individual’s right to revoke the authorization in writing and exceptions to the right to revoke and a description of how the individual may revoke the authorization
    - Ability or inability to condition treatment, payment, enrollment or eligibility benefits on the authorization
    - Potential for information disclosed pursuant to the authorization to be subject to redisclosure and no longer protected

Research Use – With Authorization
- The authorization must be written in plain language
- The authorization must be provided to the individual as a signed copy for them to keep.
- The authorization may be combined with any other type of written permission for the same research study, such as a consent to participate in research.

Research Use – W/out Authorization
- Documented Waiver by IRB or Privacy Board, including:
  - ID of IRB and approval date of the waiver
  - Statement that IRB has determined waiver satisfies 3 criteria:
    - Use/disclosure involves no more than minimal risk to the individual
    - Adequate plan exists to protect identifiers from improper use or disclosure
    - Adequate plan exists to destroy identifiers at earliest opportunity consistent with conduct of research unless there is justification to retain

Research Use – W/out Authorization
- Documented Waiver by IRB or Privacy Board
  - Adequate written assurances that the PHI will not be reused or disclosed to anyone else or for other research
  - The research could not be practicably carried out without the waiver
  - The research could not be practicably carried out without access to the PHI
  - Brief description of the PHI for which the use/access is necessary
  - Statement that the waiver has been reviewed under normal or expedited review procedures
  - Signature of IRB Chair or other member, as designated by the Chair

Research Use – Reviews Preparatory to Research
- Requires representation (orally or in writing) from researcher that:
  - The use/disclosure of PHI is solely for research protocol preparation and,
  - The researcher will not remove any PHI from the covered entity and,
  - The PHI for which access is sought is necessary for the research purpose.

PHI of Decedents
- Requires representation (orally or in writing) from researcher that:
  - The use/disclosure sought is solely for research on the PHI of decedents and,
  - The PHI for which access is sought is necessary for the research purpose and,
  - At the request of the covered entity, documentation of the death of the individuals about whom the information is sought.

Limited Dataset Use
- Requires data use agreement between covered entity and researcher.
- Covered entity may disclose a limited data set to the researcher
- Data set excludes specific direct identifiers of the individual or of relatives, employers, or household members of the individual

Limited Dataset Use
- Data use agreement must:
  - Establish permitted uses of the data set
  - Limit who can use or receive the data
  - Require recipient to agree to:
    - Not use/disclose the information other than as permitted in agreement
    - Use appropriate safeguards to prevent use/disclosure other than permitted in agreement
    - Report to covered entity any use/disclosure not provided for by agreement that recipient becomes aware of
    - Ensure that any agents to whom recipient provides the data set agree to same restrictions and conditions
    - Not identify the information or contact the individual.

Limited Dataset Use
- Data set must exclude variety of direct identifiers of the individual, relatives, employers or household members:
  - Names, addresses other than city, state & zip code, telephone numbers, addresses, SSNs, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, VINs, license plate numbers, device identifiers and serial numbers, web URLs, IP addresses, biometric identifiers, full face photographic images

De-identified data - Requirements
- Determination or documentation by a person with “appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not identifiable” that the risk is “very small” that the information could be used to identify an individual

OR

De-identified data - Requirements
- Removal of elements related to the individual, relatives, employers or household members:
  - Names, geographic subdivisions smaller than a state except for first 3 zip code digits (if all zip codes with those 1st 3 digits contain >20,000 people), all elements of dates (except year) directly related to individual (birth, admission, discharge, death), all ages over 89 and all elements of dates (including year) indicative of such age (can aggregate into single category of age 90 and older) and
  - All those elements excluded from Limited Data Sets, and
  - Any other unique identifying number, characteristic or code, except as permitted for re-identification by the covered entity
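
The removal rules on the last slide, applied to records as an added example that is not part of the original presentation. The field names, the ZIP-prefix population table and the allow-list design (unrecognised fields are dropped rather than kept) are assumptions made for illustration.

```python
from datetime import date

# Constructed lookup (assumption): residents per 3-digit ZIP prefix.
ZIP3_POPULATION = {"021": 1_200_000, "036": 14_000}
# Hypothetical field names. Only these pass through unchanged; everything else,
# including every direct identifier listed on the slides, is dropped by default.
PASS_THROUGH = {"state", "sex", "diagnosis"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def deidentify(record, zip3_population=ZIP3_POPULATION):
    """Return a copy of record reduced per the removal rules on the slide."""
    out = {}
    age = record.get("age")
    # Fail closed: without a usable age, treat the birth year as revealing.
    under_90 = isinstance(age, int) and age <= 89
    for field, value in record.items():
        if field in PASS_THROUGH:
            out[field] = value
        elif field == "age" and isinstance(value, int):
            # Ages over 89 collapse into one "90 and older" category.
            out["age"] = value if under_90 else "90+"
        elif field == "zip":
            # Keep the first 3 digits only if that prefix covers >20,000 people.
            prefix = str(value)[:3]
            if zip3_population.get(prefix, 0) > 20_000:
                out["zip3"] = prefix
        elif field in DATE_FIELDS and isinstance(value, date):
            # Keep the year only; drop a birth year that would reveal age > 89.
            if under_90 or field != "birth_date":
                out[field.replace("_date", "_year")] = value.year
    return out


# Constructed sample records, not real patient data.
SAMPLE = [
    {"name": "A. Example", "ssn": "000-00-0000", "ip_address": "192.0.2.10",
     "city": "Boston", "state": "MA", "zip": "02115", "age": 47,
     "birth_date": date(1978, 3, 2), "admission_date": date(2025, 6, 1),
     "diagnosis": "J45"},
    {"name": "B. Example", "state": "NH", "zip": "03601", "age": 93,
     "birth_date": date(1932, 1, 9), "admission_date": date(2025, 6, 3),
     "diagnosis": "I10"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(deidentify(rec))
```

The slide's final bullet (any other unique identifying number, characteristic or code) cannot be detected mechanically, which is why the sketch keeps only fields it has been told are safe.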