Fourth National HIPAA Summit April 26, 2002 Implementation of a HIPAA Data Management Strategy Safeguarding privacy interests while making data available.

Presentation transcript:

Fourth National HIPAA Summit
April 26, 2002
Implementation of a HIPAA Data Management Strategy
Safeguarding privacy interests while making data available for research, public health and health care operations
Hogan & Hartson, L.L.P.
American Hospital Association

Session Overview
Research Uses of Data -- Donna A. Boswell, Hogan & Hartson, L.L.P.
The De-identification Safe Harbor -- Marcy Wilder, Hogan & Hartson, L.L.P.
Hospitals Shared Health Care Operations -- Melinda Hatton, American Hospital Association
The Business Associate Approach to Shared Health Care Operations -- Melissa B. Levine, Hogan & Hartson, L.L.P.
IRB waiver of authorization for Research and Public Health Analysis -- Bartley Barefoot, Hogan & Hartson, L.L.P.
Panel Discussion of a new safe harbor: The Data Use Agreement for Public Health, Research, and Health Care Operations

Research Uses of Data
Donna A. Boswell
The public interest in--
  – epidemiologic analyses and registries
  – outcomes research
Patient identity is not needed by researcher
  – dates, geographical, and health information are needed but not direct identifiers
  – case codes to create longitudinal and cross-situational data sets are needed

A Balancing of Interests
Measures that promote research but fail to protect the privacy interests of individuals do not serve the public interest because they undermine public trust in the motives of the research community.
Measures that protect privacy interests by creating too much potential liability or cost for providers do not serve the public interest because they create disincentives for the public to support research.

The De-identification Safe Harbor
Marcy Wilder
The de-identification safe harbor--
  – assumes widespread, unsupervised use and distribution of de-identified data -- including use in activities designed to identify and target data subjects.
  – was not intended to be used for research, public health or health care operations.
The 18 identifiers are the criteria that, in today's world, would be used by a database jockey in attempting to identify individuals.

The Safe Harbor Does Not Work For Research or Public Health Uses
The statistical alternative to safe harbor allows a covered entity to estimate and assume the risk of potential unauthorized use from release of a data set with some of the identifiers on the safe harbor list.
A statistician is unlikely to be able to make the certification of very low probability so long as the fields needed by public health and research entities, e.g., birth date and zip code, are included.
The uncertainty regarding the liability of a covered entity where the de-identification process is allegedly defective makes it unlikely that researchers could rely on this method in asking covered entities to contribute data to the large data sets necessary for research and public health purposes.

Shared Health Care Operations
Melinda Hatton
Data pooled from multiple providers in a region is necessary for--
Using others' experience to benchmark one's own performance for self-study and goal setting in
  – financial collections and administration
  – reducing dependence on public payers
  – improving the quality of care
Community health planning
  – determining unmet community health needs
  – developing business plans to make efficient use of health care resources.

Excess Liability or Cost of Data Analysis Activities for Covered Entities...
Is not an appropriate balancing of the public interest in high quality, efficient care and the privacy interests of individual patients
Shifts dollars from patient care to administrative concerns
Creates disincentives to develop community planning initiatives and shared quality improvement initiatives.

The Business Associate Approach
Melissa B. Levine
The rule permits CEs to each contract separately with a BA to aggregate PHI
The BA that they have in common can use the PHI from all of the participating CEs to do analyses for the health care operations of the participating CEs
However, the reports available to each CE cannot include any PHI from another CE.

Why BA Agreements Fail to Provide the Appropriate Balance for Health Care Operations...
The need for a third party to do all analyses makes it too costly--
  – No pooling of data permitted by CEs without a third party: Can one CE be the BA of all others?
  – Patient specific data that includes the suspect fields is PHI
  – No disclosure of PHI to another covered entity (even under the NPRM such disclosure is extremely limited)

Waiver of authorization for Research and Public Health Analysis
Bartley Barefoot
Individual authorization for research use of PHI, unless waived by an IRB or privacy board.
Waiver of authorization
  – is based on subjective criteria
  – must be documented as prescribed by the regulation to show that the CE verified that the criteria have been met.
  – must be annotated with respect to each record made available in order for the CE to be able to provide the data subject with an accounting of disclosures.

Why Waiver of Authorization Does Not Provide an Appropriate Balance for Research and Public Health
Public health analyses, such as those used in epidemiology or for identifying exposure to a pathogen such as anthrax, need large data sets compiled from multiple sources.
The need to obtain multiple waivers of authorization, and the need for each CE to be satisfied that the minimum necessary data are being made available, may introduce corruption into the data set, as well as excess cost.

The Need for a New Safe Harbor
Panel and Audience Discussion
A data use agreement imposing obligations on the recipient regarding appropriate use of the data only for public health, research, and health care operations and not in activities to identify or contact data subjects.
A requirement that the CE arrange for deletion of direct identifiers to protect the privacy of individuals while the data are in routine, authorized use.

Proposal for a Safe Harbor
Data Use Agreement governing use of a Limited Data Set
plus
Creation of Limited Use Data Set by stripping Direct Identifiers

In a Data Use Agreement, the recipient must agree...
To use the Limited Data Set only for public health, research and health care operations
Not to use the data to identify or contact data subjects
To arrange for secure, supervised use of the data, and not to disclose or transfer the data for other purposes.

A Limited Data Set could be...
Any set of PHI stripped of direct identifiers
Direct identifiers are --
  – name
  – street address
  – address
  – telephone number
  – fax number
  – certificate/license #s
  – social security number
  – vehicle IDs/serial #s
  – Web URLs
  – IP addresses
  – Full face photos

Implementation Issues: The Data Use Agreement Safe Harbor...
Is a proposal for discussion only
HHS requested comments in the preamble to the NPRM
May or may not be adopted in the final rule
If it is not established by HHS in the August final rule--
  – CEs, researchers and public health personnel will need to be prepared to bear the costs and limitations of using BAs and IRB waivers if the quality and efficiency of our health care system is not to be compromised by the rule's prohibitions and limitations on use of data for health care operations, research and public health analyses.
