University of Miami: Privacy, Confidentiality & Security
Marisabel Davalos, M.S.Ed., CIP, Associate Director of Educational Initiatives
November, 2008



Institutional Review Board for the Protection of Human Subjects
- Responsible for review, approval and monitoring of human subject research conducted by UM faculty, staff and students
- Includes ensuring compliance with University of Miami HIPAA policies
- Plan must contain elements required under HIPAA
- Documentation of compliance with Covered Entity source of PHI

What is HIPAA?
- Health Insurance Portability and Accountability Act (HIPAA). Effective on April 14, 2003
- Federal law that protects the privacy of individually identifiable health information (PHI)
- Title 45 of the Code of Federal Regulations Parts 160 and 164

Who Must Comply with HIPAA?
Covered Entity – Custodians of PHI. They must make a good faith effort to comply with the rule.
Three types of “Covered Entities”:
- Health Care Providers: includes organizations, individuals such as researchers when they provide health care, e.g. clinical trials
- Health Care Plans: insurers and payors
- Health Care Clearinghouses: billing services

How is UM Approaching HIPAA?
- Hybrid Covered Entity
- The University is not a covered entity. It is a hybrid entity with certain health care components covered by HIPAA and research components that may not be covered by HIPAA and that fall outside the “covered entity”.

UM – Hybrid Entity
- Covered Components: Treatment, Payment, Health Care Operations
- Non-Covered Components: Research

Important to Note
Investigators who do not access or create health information from/with the “covered entity” because they are acting solely as researchers and not health care providers are not considered part of the UM/JHS “covered entity” and are not subject to HIPAA regulations. Necessary compliance with State privacy laws and Institutional and IRB policies only.

UM Investigators and PHI
Those who create, use, or access health information while providing health care services to research subjects must comply with HIPAA regulations as well as state privacy, institutional and IRB policies.

Types of Studies Covered
- Clinical trials
- Chart reviews
- Epidemiological studies
- Behavioral and Social Science Studies
- Some basic science research activities
Studies may include the provision of treatment, but others may provide neither treatment nor diagnosis.

HSRO Policies & Procedures
HSRO has “Written Policies and Procedures for the Protection of Human Research Subjects”. Section 24, specific to Privacy, Security, Confidentiality, and HIPAA, was revised on August 6th. Policies are available on our website under “Investigator Resources”.

Definitions
Section 24.2 contains some important terms related to HIPAA.
- PHI – protected health information derived from the past, present, future physical or mental health care of an individual managed by a covered entity
- RHI – Research-related health information, personally identifiable information distinct from PHI by not being associated with or derived from health care or payment for care.

Definitions (cont’d)
Privacy: an individual’s right to be free from unauthorized or unreasonable intrusion into his/her private life and the right to control access to personal information. The term “privacy” applies to persons whereas the term “confidentiality” refers to the treatment of personal information.

Definitions (cont’d)
Security: the safeguards placed upon the availability, integrity, and confidentiality of information to protect information from unauthorized access, disclosure, misuse and accidental damage. Safeguards may be physical, electronic, or administrative and they may control access, training, computer systems, policies and procedures, physical environment, and behaviors.

More About PHI
Protected Health Information (PHI) is any individually identifiable information that is transmitted or maintained in electronic medium, or in any other form or medium.
- Medical Records, e.g. Medical History, Diagnosis, Treatment
- Payment Information, e.g. Bills, Receipts
- Ancillary Services, e.g. X-Rays, Labs
- Demographic Information (When Maintained with Health Information), e.g. Date of Birth, Social Security Number

PRIVACY

IRB Privacy Issue Evaluation
- Time and place where information is provided by participants to investigators;
- Nature of the information provided;
- Nature of the experience that participant will undergo from the study;
- Who is receiving, accessing, and using the information;
- Participant’s relationship to the investigator;
- Presence of others when gathering data.

Factors to Determine What is Private to Individuals
- Gender
- Ethnicity
- Age
- Socio-economic status
- Education
- Ability level
- Social or verbal skill
- Health status
- Legal status
- Nationality
- Intelligence
- Personality

What is De-Identified PHI?
Information that does not identify the individual; and there is no reasonable basis to believe the information can be used to identify an individual.

How do you De-Identify PHI?
Remove 18 Specified Identifiers:
- Name
- All Geographic Subdivisions Smaller Than a State (Street, City, County, Precinct, Parish, Zip Code, & their Equivalent Geo-codes Except for Initial 3 Digits of a Zip Code)
- All Elements of Dates, Except Year (Admission Date, Discharge Date, Date of Death)
- All Ages Over 89 & Dates and Elements Related to such Ages (Unless Aggregated into a Single Category of Age over 90)

How do you De-Identify PHI?
- Telephone & Fax Number
- , IP Address & URL
- Social Security #, Medical Record #, Health Plan Beneficiary #, & Account #
- Certificate License #, VIN, Device Identifiers, & Serial #
- Full Face Photographs, Biometric Identifiers
- Any Other Unique Identifying Number, Characteristic, or Code
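The de-identification rules on the two slides above, applied to a single record, as an added example that is not part of the original presentation. The field names, the allowlist, the `as_of_year` parameter and the sample record are assumptions; the code follows the slides' wording only and drops every field that no rule names, which is how it covers the catch-all "any other unique identifying number, characteristic, or code".

```python
import re
from datetime import date

# Assumed field names (not from the slides). Default-deny: a field survives
# only if a rule below names it, so names, phone numbers, SSNs, record
# numbers and any other unique code are dropped without being listed.
KEEP = {"diagnosis", "treatment", "lab_result"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Patterns for identifiers that leak into kept free text (SSN-like, phone-like).
RESIDUAL = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{3}[-.]\d{3}[-.]\d{4}\b")

def deidentify(record, as_of_year):
    """Return a copy of record reduced per the slides' de-identification rules."""
    out = {}
    for field, value in record.items():
        if field in KEEP:
            out[field] = value
        elif field == "zip":
            digits = re.sub(r"\D", "", str(value))
            if len(digits) >= 3:
                out["zip3"] = digits[:3]           # initial 3 digits only
        elif field in DATE_FIELDS:
            year = date.fromisoformat(value).year  # all date elements except year
            out[field.replace("_date", "_year")] = year
        elif field == "age":
            out["age"] = "90+" if int(value) > 89 else int(value)
    # Ages over 89: a birth year would reveal the age, so it goes too. A year
    # difference of 90 is treated as over 89 (the conservative reading).
    birth_year = out.get("birth_year")
    if out.get("age") == "90+" or (birth_year and as_of_year - birth_year > 89):
        out.pop("birth_year", None)
        out["age"] = "90+"
    return out

def residual_identifiers(deidentified):
    """List kept fields whose text still matches an identifier pattern."""
    return sorted(f for f, v in deidentified.items()
                  if isinstance(v, str) and RESIDUAL.search(v))

# Constructed sample record (not real data).
SAMPLE = {
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "phone": "305-555-0100", "zip": "33136-1234", "birth_date": "1931-02-03",
    "admission_date": "2008-11-05", "diagnosis": "hypertension",
    "treatment": "call pt at 305-555-0100 re: dosage",
}

print(deidentify(SAMPLE, as_of_year=2008))
```

`residual_identifiers` flags kept free-text fields for manual review; a pattern match is a check, not proof that the remaining text is clean.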

Minimum Necessary Requirement
Research procedures should be carefully designed to limit the personal information to be acquired to that which is minimally necessary and should be administered using procedures that will protect the subject's privacy.
Example: Only the information pertaining to a specific use should be given to researcher.

Responsibilities of The Principal Investigator
- Document research team has completed HIPAA Privacy/Security Training and HIPAA Training for Researchers
- Submit project application to the IRB
- Assume responsibility for compliance with HIPAA
- Maintain logs of all access to, uses of, & disclosures of PHI
- Submit Data Use Agreements to the IRB

SECURITY

GENERAL PRINCIPLES
- As custodian of a study’s research data, the Principal Investigator shall ensure compliance with institutional data security policies, HIPAA regulations (if applicable) and the IRB-approved security protocol;
- The PI must ensure that collaborative research studies involving PHI (or ePHI) from another institution (or under oversight of another IRB) are also approved by the UM IRB prior to receipt of PHI;
- Access to research data (including ePHI) should be restricted and controlled. The PI must ensure locks on files or password or other protections (as applicable) (note – access to ePHI must be by password)
- The PI must ensure that research data is accessed and used only by personnel authorized by the IRB (as approved study personnel) for such research activity.

Security, Section 24.6
- All research data (including PHI) must be secured and protected, as reasonable, against breaches in confidentiality, unpermitted uses and disclosures.
- HIPAA standards also apply after project completion when computers, devices, and/or media are destroyed or reformatted for other uses.
- Provides important requirements and methods to assure security of all research data.
- Additional requirements for ePHI (electronic PHI).

Security, Section 24.6
Specifically addresses concerns and safeguards for dealing with ePHI, securing paper records, securing faxes, and unanticipated problems and reportable events related to breaches in ePHI.

Security, Section 24.6
Paper records:
- PHI must be stored using locked filing system within a locked office or storage room.
- Shredding is required to discard printed materials with direct identifiers.
- Paper-based PHI should not be carried/sent unless necessary for research purposes.

Confidentiality, Section 24.7
Studies must include appropriate strategies to protect the identity of human subjects and the confidentiality of their research records.
Examples: personality inventories, interviews, questionnaires, observations, photos and film, tape recordings, and stored data.

Certificates of Confidentiality
In certain circumstances involving civil, criminal, administrative, legislative, or other proceedings at the federal, state, or local level, PIs and Institutions may be compelled to release information that could identify subjects within a research study. Certificates of Confidentiality protect PIs and Institutions from having to divulge this information.

Certificates of Confidentiality – Cont’d
Certificates of Confidentiality are provided by the National Institutes of Health and are awarded whether a research study is federally funded or not.

Who do I contact about HIPAA Questions for Research?
Evelyne Bital, MS, CIP, Associate Director of Privacy & Regulatory Affairs, (305)
For general HIPAA information or to access standard HIPAA forms for research: hsro.med.miami.edu

References
- Federal Regulations for HIPAA: 45 CFR 160 and 45 CFR 164
- University of Miami HIPAA Policies and Procedures

Questions?