PRIM&R Privacy Panel II “Privacy/Confidentiality Challenges in the HIPAA Era” Pearl O’Rourke, Moderator Bartley Barefoot Oliver Johnson Lora Kutkat.

Slides:



Advertisements
Similar presentations
Fourth National HIPAA Summit April 26, 2002 Implementation of a HIPAA Data Management Strategy Safeguarding privacy interests while making data available.
Advertisements

Advanced Issues in HIPAA Research Compliance The Sixth National HIPAA Summit March 27, 2003 Kim P. Gunter Senior Consultant.
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
Defensible IEPs Douglas County School District 1 Module V: Documentation and Timelines.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.
1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
Informed Consent.
Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair.
Privacy and Information Security Essentials
August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.
University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.
IRB 101: Informed Consent Columbia University Medical Center IRB September 22, 2005.
1 HIPAA, Researchers and the IRB: Part Two Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.
HIPAA, Researchers and the IRB Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.
Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.
CUMC IRB Investigator Meeting November 9, 2004 Research Use of Stored Data and Tissues.
Informed Consent and HIPAA Tim Noe Coordinating Center.
Health Insurance Portability and Accountability Act (HIPAA)
2012 VA IRB Administrators Meeting Stephania H. Griffin, JD, RHIA, CIPP/G VHA Privacy Officer Director, Information Access and Privacy Privacy Officer.
Notice of Privacy Practices Nebraska SNIP Privacy Subgroup July 18, 2002 Michael J. Brown, MHA, CPA Vice-President, Administrative & Regulatory Affairs,
1 VUMC Confidentiality Policy and HIPAA Implications for Clinical Research General Clinical Research Center Skills Workshop March 2, 2007 Gaye Smith Privacy.
Paula Peyrani, MD Medical/Project Director, HIV Program at the 550 Clinic Assistant Director, Research Design and Development Clinical and Translational.
1 Research & Accounting for Disclosures March 12, 2008 Leslie J. Pfeffer, BS, CHP Office of the Vice President for Research Administration Office of Compliance.
Confidentiality, Consents and Disclosure Recent Legal Changes and Current Issues Presented by Pam Beach, Attorney at Law.
1 Defense Health Agency Privacy and Civil Liberties Office HIPAA Privacy Board Overview August 6, 2015.
SACHRP HIPAA Recommendations: September 2004 Mark Barnes Huron Consulting Group March 3, 2009.
DATA SHARING and DATA SHARING AGREEMENTS Teresa Mulford MDCH, Office of Legal Affairs.
Advanced HIPAA Issues for Biotech and Life Sciences Companies: Mark E. Schreiber Palmer & Dodge LLP 111 Huntington Avenue Boston, MA
PwC Tissue Banking and Repositories – Human Subject Protections Privacy Protections Medical Research Summit Tom Puglisi, Ph.D. Friday March 7 – 9:15 am.
HIPAA and Research Basics for IRB Tim Atkinson Director, Research and Sponsored Programs Director, Institutional Review Board Research Privacy Officer.
HIPAA – How Will the Regulations Impact Research?.
May I have your permission please? The consent process: What, Where, When, Who and Why Valerie Smith OHRP IRB Program Manager
Joyce Mull, MPM Director, Regulatory Affairs National Surgical Adjuvant Breast and Bowel Project Consent Form and IRB Challenges that Arise with Specimen.
H I P A A T R A I N I N G Self Directed Module 7 Research Disclosures For Data Custodians START Click to begin…
HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.
Health Insurance Portability and Accountability Act (HIPAA) CCAC.
© 2013 The McGraw-Hill Companies, Inc. All rights reserved. Ch 8 Privacy Law and HIPAA.
FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.
AAMC HIPAA Survey Project Steering Committee Members Academy for Health Services Research American College of Epidemiology International Society of Pharmaco-
Health Insurance portability and Accountability Act (HIPAA)‏
A Road Map to Research at Jefferson: HIPAA Privacy and Security Rules for Researchers Presented By: Privacy Officer/Office of Legal Counsel October 2015.
HIPAA and Human Subjects Research IRB Member CE May 2014 Slideshow by Sean Horkheimer.
VETERANS HEALTH ADMINISTRATION SLIDE 0 New Requirements for VA ORD Investigators: Implementation of Data Management and Access Plans.
HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule.
PwC Issues in HIPAA Research Compliance William R. Braithwaite, MD, PhD “Dr. HIPAA” HIPAA Summit 6 Washington, DC 27 March 2003.
CAN THE CANNED FORMS: Practical Advice in Implementing HIPAA Privacy Policies and Forms Margaret Marchak, Esq. Rachel Nosowsky, Esq. HIPAA Summit West.
Minding HIPAA & IRBs Cave Fatuis!. Elements HIPAA definitions of identifiable data Reducing risk of identifying people Research and IRB approval Business.
HIPAA Training. What information is considered PHI (Protected Health Information)  Dates- Birthdays, Dates of Admission and Discharge, Date of Death.
Disclaimer This presentation is intended only for use by Tulane University faculty, staff, and students. No copy or use of this presentation should occur.
Final HIPAA Privacy Rule: The Research Provisions Julie Kaneshiro DHHS Office for Human Research Protections Phone: Fax:
HIPAA and RESEARCH 5 th Thursday May 31, Page 2.
HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.
HIPAA 2017 JHSPH IRB Clarifications and Changes
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
The HIPAA Privacy Rule: Implications for Medical Research
HIPAA Administrative Simplification
Disability Services Agencies Briefing On HIPAA
The HIPAA Privacy Rule and Research
HIPAA Privacy & Security: Medical Research Context
Issues in HIPAA Research Compliance
Analysis of Final HIPAA Privacy Modification Rule
Office of the Vice President for Research Human Subjects Protection Program IRB Submission Process Module 4 - Health Insurance Portability and Accountability.
Presentation transcript:

PRIM&R Privacy Panel II “Privacy/Confidentiality Challenges in the HIPAA Era” Pearl O’Rourke, Moderator Bartley Barefoot Oliver Johnson Lora Kutkat

Assessments of HIPAA’s Impact on Research AAMC assessed the negative effects of HIPAA on research activities. These effects include an impact on: Patient recruitment Multi-center, collaborative research Data quality/integrity

To document the effects of HIPAA on biomedical and health sciences research by – Creating database of case reports – Documenting research delayed, hindered, abandoned, foregone, or benefited – Probing costs, broadly defined AAMC HIPAA Survey -- Purposes

Types of Research Affected by HIPAA (n = 331)

Research Functions Affected by HIPAA (n = 331)

Patient recruitment – Negative impact on informed consent process – Confusion of subjects – Diminished access to patients – Informed consent process burdened

S ample – Authorizations and Confusion/Distraction for Subjects “... additional consent form tends to confuse more than inform participants.” “... the required HIPAA Authorization is confusing for participants to understand.” “Subjects are overwhelmed by added length to consent form and repetition of several points already made in body of main consent….”

Sample – Authorization Impact on Informed Consent process “My greatest concern is that the requirement for all these various authorizations to be signed overshadows the importance of the research informed consent document and process.” “I am worried, actually, that subjects are now paying LESS attention to the consent process because they are given so many pages to read and sign.”

Sample – Recruitment “HIPAA has just about made it impossible to obtain research participants.” Recruitment of clinic patients has become a large issue that has yet to be resolved.” “Recruitment is more difficult and obtaining patient information from other providers has become more difficult.” “HIPAA has shut down our recruitment of subjects for a phase III chemoprevention study.”

S ample – Informed Consent “... Instructions/information is laborious for a family to read when already needing to read a 4- 6 page consent for emergency tx. in times of crisis/trauma... my fear is that they will not take the time to thoroughly read the consents as they are overwhelmed by the situation, all the pages to read and will just want to sign without being fully informed….”

Must a separate Authorization be obtained for each research use or disclosure of PHI? No. As long as each use or disclosure is part of a specific research activity and the Authorization describes the types of uses or disclosures that will occur as part of that research activity, only one Authorization is required from each subject. That Authorization will generally be obtained at the time of enrollment in the trial itself, as part of the informed consent process. It is important, therefore, that researchers, research nurses, or others involved in informed consent discussions with subjects also understand the Authorization and its meaning so that subjects' questions and concerns can be answered accurately.

Example “If you sign this document, you give permission to [name or other identification of specific health care provider(s) or description of classes of persons, e.g., all doctors, all health care providers] at [name of covered entity or entities] to use or disclose (release) your health information that identifies you for the research study described below: [Provide a description of the research study, such as the title and purpose of the research.] The health information that we may use or disclose (release) for this research includes [complete as appropriate]: Provide a description of information to be used or disclosed for the research project. This may include, for example, all information in a medical record, results of physical examinations, medical history, lab tests, or certain health information indicating or relating to a particular condition.]

HHS Guidance on Authorization Matters When a covered entity chooses to combine the Authorization with the informed consent document for a research study, can the compound document cross-reference required elements for both permissions (i.e., to minimize redundant language)? Yes. The Privacy Rule permits the compound Authorization to cross-reference relevant sections of an informed consent document, so long as the compound document includes the core elements and statements required by section (c). In addition, under the HHS and FDA Protection of Human Subjects Regulations, all of the required elements for informed consent would need to be in included in the informed consent document, unless an IRB alters or waives the requirements.

HHS Guidance on Identifying Research Participants Under the "preparatory to research" provision, covered entities may use or disclose PHI to researchers to aid in study recruitment. The covered entity may allow a researcher, either within or outside the covered entity, to identify, but not contact, potential study participants under the "preparatory to research" provision. However, before permitting this activity, a covered entity must receive proper representation, as described above, from the researcher. Under the "preparatory to research" provision, no PHI may leave the covered entity.

HHS Guidance on Contacting Research Participants In order to contact potential study participants, a researcher may do so, without Authorization from the individual. If the researcher is a workforce member of a covered entity, the researcher may contact the potential study participant: (1) as part of the covered entity's health care operations. (2) discuss treatment alternatives, which may include participating in a clinical trial, with the patient as part of the patient's treatment or the covered entity's health care operations. If the researcher is NOT a workforce member of a covered entity, the researcher may contact the potential study participant: (3) under contract with a business associate. (4) Pursuant to a waiver of the Authorization requirement.

Q&A from Clinical Research Fact Sheet May a covered entity obtain an individual's Authorization to include his or her PHI in a clinical research recruitment database of possible research participants, such as a pre-screening log? Yes. The Privacy Rule permits a covered entity to include an individual's PHI in a clinical research recruitment database and permit researchers access to the recruitment database, provided the individual has given his or her permission through a written Authorization. The Authorization must inform the individual of the purpose for which (e.g., for the pre-screening log for one or more clinical trials) and what PHI will be used and meet the other requirements at section of the Privacy Rule. Alternatively, a covered entity may provide a researcher access to the PHI for reviews preparatory to research, provided the required representations are obtained. See section (i) of the Privacy Rule. Unless otherwise permitted by the Privacy Rule, a subsequent Authorization must be obtained from the individual before a covered entity may use or disclose the individual's PHI for the clinical trial itself.

Multi-center, collaborative research – Impaired ability to collaborate – Impaired data access – Differing interpretations – Authorization form issues

Sample – Multiple Organizations and Collaborations “ The major difficulty for us has been establishing multi-site trials and getting everyone to collaborate in this newly derived, fear-of-litigation driven system. We have no solution and I fear good research will begin to die out soon.”

Sample – Multiple Organizations and Collaborations “ Many health care providers no longer participate/submit data to several observational pregnancy exposure registries as a result of HIPAA.” “... am now limited in my collaborations with researchers….” “Multi-site trials used to be more feasible.”

Sample – HIPAA Interpretations “Solutions are just guesses.” “... considerable heterogeneity in the interpretation of the HIPAA confidentiality rules, and in their implementation across covered entities….” “higher level of uncertainty that the correct procedures are being followed.”

HHS Guidance on Multi-site Matters A waiver or an alteration of the Privacy Rule's Authorization requirements could be obtained from a single IRB in connection with a multisite research activity or where the PHI necessary for the research is to be used or disclosed by more than one covered entity. A covered entity's ability reasonably to rely on documentation of an Authorization waiver or alteration may be especially important for research projects taking place at multiple sites and/or requiring the use and disclosure of PHI created or maintained by more than one covered entity (collectively, multisite projects).

Does the Privacy Rule specify who must develop the Authorization form? No. The Privacy Rule does not specify who may draft the Authorization, so a researcher could draft it. However, in order to comply with the Privacy Rule, an Authorization must be written in plain language and contain the core elements and required statements specified at section of the Privacy Rule. A covered entity may disclose PHI as specified in a valid Authorization that has been created by another covered entity or a third party, such as a researcher.

Data quality/integrity – Errors due to use of de-identified information – Possible increase in selection bias – Reduced long-term follow-up

Sample -- Bias “The complexity of the authorization form intimidates some potential participants. My concern is that by not including those people in the study, we are not including a ‘true’ cross-section of the population…. Will this lead to only including college-educated people in studies?... ‘form comprehension’ bias….”

Sample – De-identification and Quality of Research “... Increases errors when using only de- identified material….” “It has severely limited my ability to obtain long term follow-up for patients participating in national registries….”

Can a covered entity use or disclose PHI to identify the whereabouts of a research participant (e.g., subjects who are "lost to follow-up")? A covered entity is permitted to use or disclose PHI to identify or locate the whereabouts of a research participant during the study as long as the use or disclosure is not limited in the individual's Authorization (or "grandfathered" prior permission, if relevant) or waiver or alteration of Authorization. In addition, such use or disclosure is permissible if, for example, it is necessary for treatment of the individual or for a permissible public health purpose.

Sample – De-identification and Research Direction “Increase in... time and money for redacting identifiable information for limited data sets and deidentified data, forced to make decisions about current need for data items when research is open ended and has unforeseen questions that will later arise….”

Does “Unique Identifier” Include a Re-identification Code? A covered entity may assign a code to allow information de-identified under the Privacy Rule to be re-identified by the covered entity, as long as: – The code is not derived from or related to information about the individual. – The code is not otherwise capable of being translated to identify the individual. And – The covered entity does not use or disclose the code for any other purpose, and does not disclose the mechanism for re-identification. Disclosure of a code or other means of record identification designed to enable coded (or otherwise de-identified information) to be re-identified is a disclosure of PHI. And If de-identified information is re-identified, a covered entity must use or disclose such re-identified information in accordance with the Privacy Rule.

Q&A from Repository/Database Fact Sheet Are an individual's initials considered to be identifiers under the Privacy Rule? Yes, because an individual's name is an identifier and initials are derived from the individual's name, initials are considered identifiers under the Privacy Rule. Thus, for information to be de-identified using the safe harbor method of the Privacy Rule, an individual's initials must be stripped from the information. However, it may be possible for initials to remain as part of de-identified information if the statistical method for de-identification at section (b)(1) allows it. A researcher requests data that assigns a code derived from the last four digits of the social security number. This code is necessary to link individual records from different data sources. The data contain none of the other listed HIPAA identifiers at section (b)(2). Are the data de-identified under the Privacy Rule? No. Under the Privacy Rule, a de-identified data set may not contain unique identifying codes, except for codes that have not been derived from or do not relate to information about the individual and that cannot be translated so as to identify the individual. A code derived from part of a social security number, medical record number, or other identifier would not meet this test.

Q&A from Repository/Database Fact Sheet Does the Privacy Rule permit a covered entity to de-identify health information or create a limited data set without obtaining Authorization, waiver of the Authorization requirement from an IRB or Privacy Board, or representations for reviews preparatory to research? Yes. In the Privacy Rule, creating de-identified health information or a limited data set is a health care operation of the covered entity, and thus, does not require the covered entity to obtain an individual's Authorization, a waiver of the Authorization requirement, or representations for reviews preparatory to research. If a business associate is hired by a covered entity to de-identify health information or create a limited data set, such activity must be conducted in accordance with the business associate requirements at sections (e) and (e). Can a limited data set include the geographic subdivision code with the five-digit ZIP code (or a nine-digit ZIP code)? Yes, the limited data set may include the five-digit or nine-digit ZIP code plus any other geographic subdivision, such as state, county, city, precinct, and their equivalent geocodes, except for street name or street address or post office box.

Limited Data Set with Data Use Agreement The Privacy Rule permits limited types of identifiers (e.g., city, state, zip, dates) to be released for research with health information (referred to as a Limited Data Set). Limited Data Sets can only be used and released in accordance with a Data Use Agreement between the covered entity and the recipient.

Types of Research Affected by HIPPA as Reported by Roles of Respondents

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.