HIPAA Privacy Rule and Research

HIPAA Privacy Rule and Research
Elizabeth A. Trias, MA, CIP
Pam Joy, RN, MN, PNP
November 2003 (rev. May 2004)

WA State Law & Privacy Rule
Good News:
- Children’s researchers already operate in compliance with Washington State’s Uniform Health Care Information Act.
- Many of the HIPAA Privacy Rule requirements for research were already in place.
- Impact of HIPAA on researchers in the state of Washington is less than in other states.

Highlights of the Privacy Rule
- Effective April 14, 2003.
- Sets a federal floor for patient Protected Health Information (PHI), but:
  - States may have more stringent privacy protections, and
  - The more stringent law (HIPAA or state) governs.
- Today we’ll review privacy rule implications for research.
- Failure to comply can result in civil fines ($) and criminal penalties. (Remember to thank them, not us!)

Protected Health Information
Privacy Rule protects health information identifying a person (or information that can be used to identify a person):
- All individually identifiable health information that Children’s creates, uses or receives.
- Includes information about:
  - Past, present or future physical or mental health of a person,
  - Provision of health care to that person, and
  - Payment for care received.
- Includes information in written, electronic or oral form.

What is Patient Identifiable?
Information containing any one of 18 identifiers:
- Name
- Social Security Number
- Device identifiers and serial numbers
- Geographic subdivisions smaller than state (street address, city, county, precinct, zip code, equivalent geo-codes except first 3 digits of a zip code)
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death, and ages over 89
- Biometric identifiers (including finger or voice prints)
- Medical record numbers
- Health plan beneficiary numbers
- URL (Web Universal Resource Locator)
- Telephone numbers
- Account numbers
- Email addresses
- Fax numbers
- Certificate/license numbers
- Internet Protocol (IP) address numbers
- Full face photographs
- Vehicle identifiers and serial numbers, including license plate numbers
- Any other unique identifying number, characteristic, or code

Use & Disclosure of PHI
- Use: Sharing within the entity.
- Disclosure: Sharing outside the entity.
- Privacy rule allows use and disclosure without specific authorization for Treatment, Payment, and Operations (TPO).
- Research is not considered to be treatment, payment or operations.

Minimum Necessary Standard
Must limit PHI use or disclosure to the minimum necessary to accomplish the intended purposes of the research.
Minimum necessary applies:
- Pursuant to a waiver of authorization,
- Use or disclosure of decedent’s PHI,
- Uses preparatory to research, and
- for Limited Data Sets.
Minimum necessary does not apply to:
- Treatment disclosures or requests,
- Use or disclosure made under an authorization,
- Disclosures to the patient of his/her PHI,
- Disclosures to DHHS for compliance, and
- Uses or disclosures required by law.

What are Research Implications?

Overview of Impact at Children’s
Under the Privacy Rule, researchers must:
- Provide more detailed information to the IRB about how PHI will be created, used or shared,
- Provide more information to research participants during the consent process and gain specific authorization for the use of their PHI, and
- Track disclosures of PHI for studies that IRB has approved with waiver of authorization requirement.
Affects any research conducted under Children’s auspices that creates, uses or discloses PHI.

Impact on Clinical Research
[Flow diagram]
Steps: Design Research Study; Gain IRB Approval; Screen participants (Obtaining PHI); Recruit participants; Conduct Research; Generate Results & Reports.
New Privacy Requirements:
- Oath of Confidentiality for Recruitment
- Documentation of IRB approval (IRB cover sheet)
- Authorization signed for each subject and filed with Medical Records

Screening Patients
Obtain IRB approval
- Include signed “Oath of Confidentiality – Recruitment” if researchers need access to protected health information to identify, select and recruit patients
Screen participants
- Present documentation of IRB approval (IRB cover sheet) & signed Oath of Confidentiality – Recruitment when requesting data or records on potential participants (e.g., Medical Records, Lab, Radiology),
- Obtain/Use only the minimum necessary PHI, and
- All PHI must remain within Children’s
Recruit participants
- Obtain signed authorization for each subject (file original with original consent form in researchers’ file), or
- Destroy PHI for participants who do not take part, do not respond or are not eligible

Authorizations
“Permission to Use, Create and Share Health information for Research” authorization form:
- Contains required elements of authorization under Privacy Rule,
- Signed by parent or legal guardian unless participant is a legal adult (18 years and older),
- Allows researchers to use subject’s PHI for a specific research study.
At Children’s, authorization is separate from the research consent:
- Avoids detracting from essential elements of consent form, and
- Ensures consistent compliance with privacy elements.

Signed Authorizations: Where to File
- Signed Original remains in the principal investigator’s research files along with original, signed consent form
- Signed Copy to parent or research participant (if 18 and older)
- Signed Copy to Children’s Medical Records – Filing 4P-2, if research participant is Children’s patient (patient information box must be completed)

Authorization Form
- Available on IRB Web Site under Forms and under HIPAA and Research – http://irb.seattlechildrens.org
- Versions in English, Vietnamese, Spanish, Somali, Russian, Korean, Simplified Chinese and Traditional Chinese.
- Researcher must complete the highlighted areas (e.g., study title, name and address of PI, name of sponsor, etc.)
- Researcher must complete the box at the end of the form if research participant is a Children’s patient. Required so that authorization can be filed in the participant’s medical record.

Clinical Studies (with Authorization) Before & After 4/13/2003
Status of Research Study and Action Required:
1. New research study
   Action required: Enrollees need to sign authorization form and consent form
2. On-going analysis – Data collection complete
   Action required: No further HIPAA compliance activity required
3. On-going research – Consented
   Action required: No further compliance activity required
4. On-going research – Requiring re-consents
   Action required: All re-consenting enrollees need to sign authorization form and consent form
5. On-going research – Enrolling new participants
   Action required: All new enrollees need to sign authorization form and revised form
New = Study initiated on or after April 14, 2003.
On-Going = Study approved before April 14, 2003.

Research Under Waiver of Authorization
[Flow diagram]
Steps: Design Research Study; Gain IRB Approval for Waivered Study; Collect Data; Analyzing Data; Generate Results & Reports.
New Privacy Requirement:
- Signed Oath of Confidentiality
- Documentation of IRB approval (IRB cover sheet)
- If tracking required (IRB will advise) researcher keeps track of patients whose records are being used.

Waiver of Authorization
Researcher is asking IRB to waive authorization from patient or their parent to use their PHI in research:
- Almost exclusively used for retrospective records review research.
- Must meet HIPAA criteria for waiver of authorization.
- Must also meet Federal Regulations (Common Rule) and Washington State law for waiver of consent/permission.

HIPAA Criteria for Waiver of Authorization
The use or disclosure of protected health information must involve no more than minimal risk to the privacy of the individual, based on at least the presence of the following:
- An adequate plan to protect the identifiers from improper use or disclosure;
- An adequate plan to destroy the identifiers at the earliest opportunity, unless retention of identifiers is required by law; and
- Adequate written assurance that the PHI will not be used or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject.

Criteria for Waiver of Authorization cont.
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to the protected health information.

Implications for Research Under Waiver
Obtain IRB approval
- Include signed “Oath of Confidentiality”
Collect Data:
- Provide documentation of IRB approval (IRB cover sheet) to data sources (e.g., Medical Records, Lab, Radiology).
- Complete forms as required by providing department, e.g., “Research Chart Request Form” for Medical Records; “Request for Tissue for Use in Research” for Laboratory
- If tracking required, record access on “Disclosure Tracking” form located at http://irb.seattlechildrens.org/hipaa.asp (Medical Records will do tracking when researchers are requesting paper copies of the medical record).
- Obtain/Use only the minimum necessary PHI

Disclosures of PHI without Authorization
- Patients have right to request an accounting of how their/their child’s PHI was disclosed without their authorization.
- Disclosure means communicating information (PHI) outside the covered entity.
- Use means communicating information (PHI) within the covered entity.

Children’s – Covered Entity
Researchers would be considered part of Children’s workforce (the covered entity) if one of the following applies:
- Employee of Children’s
- Employee of Children’s University Medical Group (CUMG)
- Residents and Fellows working at Children’s

Tracking of Disclosures
- Children’s is responsible for tracking unauthorized disclosures.
- Disclosures are tracked; Uses are not.
- IRB will advise researchers at the time their research project is reviewed whether tracking is required.

Tracking Disclosures
- Unauthorized disclosures of PHI for research purposes must be tracked.
- Children’s has tracking form available on IRB web site (online version and Word version).
- The following information must be tracked:
  - IRB # and Research Study Title
  - List of individuals whose PHI was accessed, including their Medical Record #,
  - Date of access,
  - Name of person/entity accessing the PHI, and
  - Brief description of PHI accessed.

Tracking of Disclosures is Not Required
- To carry out Treatment, Payment or Operations (TPO) of the Covered Entity
- Disclosure is to the individual or their legal representative (parent)
- Pursuant to an Authorization
- Limited Data Set
- De-identified Data

Research Under Waiver (of Authorization and Consent)
Status of Research Study and Action Required:
1. Research study – All research team members are part of Children’s workforce
   Action required: No Tracking required. Departments providing PHI need documentation of IRB approval.
2. Research study – Not all members of research team are part of Children’s workforce
   Action required: Tracking required.** Departments providing PHI need documentation of IRB approval.
**Tracking required means:
- Complete Disclosure Tracking Form
- If researcher is only using the paper medical records, i.e., patient charts, Medical Records will do tracking.

Limited Data Sets
Contain limited direct identifiers that may include:
- Dates: admission, discharge and service dates, date of birth, date of death,
- Age (including age 90 or over), and
- Geographical subdivisions such as state, county, city, precinct and five digit zip code.
Advantages:
- No need to track disclosures.
But remember:
- Cannot use LDS information to contact individuals,
- Recipient must sign a data use agreement (DUA) (a kind of “super-confidentiality” agreement),
- Minimum necessary standard applies, and
- Still requires IRB approval.

De-Identified Data
Previously known as anonymous data.
How to de-identify data:
- Expert in statistical principles reviews and documents methods used to determine that risk is “very small” that data could be used alone or in combination with other reasonably available information to re-identify, or
- All 18 identifiers must be removed. You must know that remaining information cannot be used alone or in combination with other information to re-identify.
Common Rule and State Law still apply!

Implications for De-Identified & Coded Data
- Common Rule considers coded information to be indirectly identifiable.
- A protocol must be submitted to the IRB even if a researcher plans to de-identify information.
- IRB will determine whether it qualifies for exempt or expedited IRB application.

Requirements Summary
Data categories compared: Identifiable Data (Consented/Authorized); Identifiable Data (Waivered Study); Limited Data Set; De-Identified Data.
- IRB Approval: Required for all four categories.
- Authorization or Waiver: Required for all four categories.
- Data Use Agreement: Required for Limited Data Set.
- Minimum Necessary: Applies to Identifiable Data (Waivered Study) and Limited Data Set.
- Tracking Disclosures*: Applies to Identifiable Data (Waivered Study).
* PHI access is a disclosure if any member of research team is not part of Children’s workforce.

Other Implications
Case Studies:
- Children’s does not consider these to be research or require IRB review.
- Privacy Rule does apply
- Must be de-identified when disclosed
- Consent/authorization is best
- Formal policy and approval process being discussed
Departmental/Personal Databases:
- Purposes include patient care, education, and QA
- Privacy Rule applies
- Research using these databases requires IRB review
- Work is beginning to identify these databases to protect them to comply with the HIPAA Security Rule

Remember Rights of Participants
- Right to privacy of PHI
- Right to authorize use of identifiable PHI for research purposes
- Right to an accounting of how identifiable PHI was disclosed for research without authorization
- Right to revoke an authorization in writing.
  - No further PHI may be collected for the research after the authorization is revoked
  - Researchers may continue to use and disclose PHI that was collected under the authorization to maintain the integrity of the research

Questions?
Additional Resources:
- IRB website http://irb.seattlechildrens.org:
  - Outline of HIPAA-related responsibilities of researchers,
  - Links to authorization form, disclosure tracking form, research chart request form, Oath of Confidentiality
- External resources:
  - “Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule” (http://privacyruleandresearch.nih.gov/), and
  - Privacy Rule Research FAQs (http://answers.hhs.gov). Search under “research”.