HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003
HIPAA Overview Health Insurance Portability and Accountability Act of 1996 Four Key Areas: – Privacy Standards – Electronic Transaction Standards – Security Standards – Unique Identifiers Required Compliance – October 16, 2002 & April 14, 2003
HIPAA - Scope Applies to – Health plans – Health care providers – Health care clearinghouses Covered Entity = an organization that transmits health information in electronic form in connection with a “HIPAA transaction” (financial and administrative activities related to health care)
HIPAA - Scope USC = “Hybrid Entity” Covered Components Affiliated covered entities include PHA, Dorn VA, USC Clinics
HIPAA - Scope “Protected Health Information” (PHI): All individually identifiable health information transmitted or maintained by an organization covered by the HIPAA regulations (a “covered entity) regardless of form
Privacy Rule Limits the use and disclosure of PHI Gives patients the right to access their medical records and to know who accessed their health information Restricts most disclosures of PHI to the minimum necessary
Privacy Rule (cont.) Establishes criminal and civil penalties for improper use or disclosure Establishes new requirements for access to records by researchers
Use and Disclosure of PHI Authorization – Plain language – Description of information to be disclosed – Purpose of disclosure – Identification of person(s) authorized to use – Expiration date or expiration event – Right to revoke – Statement regarding possible redisclosure – Signature and date
Authorization vs. Consent A privacy authorization says: “It’s OK for you to look at my PHI and disclose it to a designated third party.” A consent form says: “I agree to participate in your research project and I understand the risks, benefits etc. Both are needed for research May be combined
Disclosure Without Authorization Waiver by IRB or Privacy Board Reviews preparatory to research De-identified Information Use or disclosure of a limited data set Decedent information Public health disclosures
Waiver of Authorization Disclosure poses no more than minimal risk to the privacy of individuals – Plan to protect identifiers from improper disclosure – Plan to destroy identifiers at earliest opportunity – Written assurance that PHI will not be reused or disclosed Research could not practicably be done without the waiver Research could not practicably be done without access to the PHI Privacy risks are reasonable in relation to expected benefits
Reviews Preparatory to Research For preparatory work, the researcher must submit a request to the covered entity documenting that: – Reviewing protected health information is necessary to prepare a research protocol; – Information will not be removed or recorded by the research during the review; – Information for which access is sought is necessary for research purposes.
De-identified Information Names All geographic subdivisions smaller than a state. All dates (except year) Telephone numbers Fax numbers Electronic mail addresses Device identifiers and serial numbers Web locators – URLs Internet Protocol address nos. Social Security numbers Medical record numbers Health plan beneficiary numbers Account numbers Certificate/license numbers Vehicle identifiers, including license plate numbers Biometric identifiers (finger and voice prints Full-face photographic images Any other unique identifying number or code
Limited Data Set Used or disclosed for research, public health, or health care operations purposes only Requires the removal of fewer identifiers – “facial identifiers” May include – Dates related to admission, discharge, birth, death – City, state, five digit zip code Data use agreement signed by recipient
Research on Decedents Information Assurance that disclosure and use is solely for research on the PHI of decedents Documentation, when requested by CE, of the death of such individuals Assurance that the PHI is necessary for research purposes
Public Health Disclosures Mandated reporting of contagious diseases Disclosure regarding an FDA regulated activity Registries – Government, academic and non-profit – Required by law, IRB waiver, authorization, limited data set – Development of registry for research is “research”
Specimens and Tissue Samples HIPAA applies if the specimens/samples include identifying information.
Impact on Research Researchers requiring access to PHI must request the information from and meet the requirements of the covered entity Reluctance by health care providers to participate in research Barriers to subject recruitment Increased responsibility for IRB
Recruitment of Subjects PHI cannot be disclosed to a third party for purposes of recruitment without IRB waiver or patient authorization Recruitment is allowed for covered health care providers without authorization or waiver (i.e. physicians can recruit their own patients for research studies)
Transition – Prior Permission Privacy Rule includes a transition provision Allows for reliance on consent or IRB waiver obtained prior to 04/14/03 May use or disclose PHI created before or after 04/14/03 based on then valid consent Can rely on existing consent for “future unspecified research”
Privacy and the Common Rule Research with subject permission 1. Privacy Rule – subject authorization to use/disclose PHI AND 2. Common Rule – IRB approval of protocol and informed consent process
Privacy and the Common Rule Research without subject permission: 1. Privacy Rule – IRB/Privacy Board waiver based on specified criteria unless preparatory to research or de-identified information or limited data set with data use agreement AND 2. Common Rule – Waiver of consent or other appropriate finding (i.e. exemption)
Waiver Approval - Documentation Identification and date of action Waiver criteria satisfied Brief description of required PHI Review and approval procedures Signature of IRB/PB Chair
Researcher Responsibilities Know the rules and be prepared for varying interpretations by covered entities Authorization vs. waiver Preparing a confidentiality plan – What information is required? – Who will have access to the data? – How long will access be needed? – Safeguards for protecting information Alternatives to use of PHI? Time to gain approval from an additional committee
IRB Responsibilities Having appropriate expertise in privacy and confidentiality concerns. Ensuring that consent forms contain appropriate authorization requirements if applicable. Understand waiver criteria and document appropriately. Coordinate communications with Privacy Board, if applicable.