1 Research & Accounting for Disclosures March 12, 2008 Leslie J. Pfeffer, BS, CHP Office of the Vice President for Research Administration Office of Compliance.

Presentation transcript:

1 Research & Accounting for Disclosures March 12, 2008 Leslie J. Pfeffer, BS, CHP Office of the Vice President for Research Administration Office of Compliance Services Indiana University, Indianapolis

2 HIPAA
HIPAA – Health Insurance Portability & Accountability Act of 1996 (P.L ).
First comprehensive federal health privacy protection law.

3 Two Key Privacy Rule Goals
Provide strong Federal protections for privacy rights
Preserve quality healthcare

4 Why did the Government want the Privacy & Security Regulations?

5 Major Concepts
Notice of the Use/Disclosure
– Notice of Privacy Practices
– Authorization
Safeguarding PHI during its use and disclosure
– Researchers are entrusted with this sensitive information.
– Policies that address how PHI is accessed, stored and transferred so that unauthorized use or disclosure is prevented.

6 Creates Rights for Patients
Right to inspect & copy protected health information
Right to amend
Right to have reasonable requests for confidential communications accommodated
Right to file a complaint with the Office for Civil Rights or with the covered entity
Right to written notice of information practices from providers and health plans
Right to an accounting of disclosures

7 Accounting for Uses/Disclosures
Upon a patient’s request, a covered entity must provide an accounting of all uses and disclosures of PHI without an authorization

8 Protected Health Information (PHI)
PHI
Individually identifiable health information,
Created or received by a Covered Entity,
Relates to the:
– provision of health care to an individual;
– past, present, or future physical or mental health or condition of an individual; or
– payment for the provision of health care to an individual;
Identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.

9 Access to PHI
A covered entity may use/disclose PHI to carry out essential health care functions (TPO)
– Treatment
– Payment
– Health Care Operations

10 Treatment
Treatment means the provision, coordination or management of health care by one or more health care providers.
– Consultation between health care providers
– Patient referrals
Important for
– Continuity of Care
– Quality of Care

11 Payment
Payment means activities of:
– Health care providers to obtain payment or be reimbursed for their services
– Necessary to release information to Medicare/Medicaid and Commercial Insurance Plans to be reimbursed for services provided

12 Health Care Operations
Administrative, financial, legal and quality improvement activities necessary to run business and to support core functions of treatment and payment
Fraud and abuse detection
Conducting or arranging for medical review, legal services, auditing or monitoring
Business management and general administrative activities
Quality assessment and improvement activities
Training, accreditation, certification, credentialing, licensing, reviewing, competence, evaluating performance

13 Access to PHI for Research
Research ≠ TPO
To Use PHI for Research purposes must:
– Obtain an Authorization or
– Waiver of authorization approved by the Privacy Board (IU’s IRBs)
– Meet one of the exceptions

14 Access to PHI for Research
Must comply with the Minimum Necessary Rule
– must take reasonable steps to limit the use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose.
– what PHI is reasonably necessary is determined on a case by case basis by the covered entity

15 Exceptions to obtaining an Authorization or Waiver of Authorization
Reviews preparatory to research
Research solely on decedents’ information
Limited Data Set
De-identified Data

16 Reviews Preparatory to Research
Covered entity must obtain representation from the researcher that:
The use or disclosure of PHI is sought solely to prepare a protocol or for a similar preparatory purpose.
PHI will not be removed from the covered entity. AND
PHI is necessary for research purposes
Even though an authorization is not required, this access requires an Accounting of Disclosure

17 Research Solely on Decedents’ Information
Researcher must represent that:
Use or disclosure solely for research on decedents' information.
PHI is necessary for research, and
Individual is a decedent, and provide documentation upon covered entity's request.
Even though an authorization is not required, this access requires an Accounting of Disclosure

18 Limited Data Sets
Limited types of identifiers can be released for research purposes (a Limited Data Set).
Limited Data Sets can only be used and released in accordance with a Data Use Agreement between the covered entity and the recipient.
The Limited Data Set can contain:
– Elements of Dates.
– City, town, state, and ZIP.
– Other unique identifiers, characteristics and codes not previously listed as direct identifiers (next slide).

19 A Limited Data Set excludes the following direct or facial identifiers
Names
Postal address info (if other than city, town, state, and ZIP)
Telephone and fax #s
address
Social Security #
Medical record numbers
Health plan #s
Account #s
Certificate/license #s
VIN and Serial #s, license plate #s
Device identifiers, serial #s
Web URLs
IP address #s
Biometric identifiers (finger prints)
Full face photographic images and any comparable images

20 Data Use Agreement
Describe permitted uses and disclosures (recipient cannot use or disclose PHI in a way that the covered entity cannot)
Identify who can use and receive the Limited Data Set
Does not require an Accounting of Disclosure
More...

21 PHI has been de-identified
18 identifiers removed from data and no knowledge that remaining information can (alone or in combination with other information) identify the individual.
OR
Statistically "de-identified" information. A qualified statistician determines that there is a "very small" risk that the information could be used, alone or in combination with other reasonably available information, to identify the individual and documents the methods and results of the analysis.
Does not require an Accounting of Disclosure

22 Identifiers
Names.
All geographic subdivisions smaller than a state, street address, city, county, precinct, ZIP Code etc.
All elements of dates (except year)
Telephone numbers.
Facsimile numbers.
Electronic mail addresses.
Social security numbers.
Medical record numbers.
Health plan beneficiary numbers.
Account numbers.
Certificate/license numbers.
Vehicle identifiers and serial numbers, including license plate numbers.
Device identifiers and serial numbers.
Web universal resource locators (URLs).
Internet protocol (IP) address numbers.
Biometric identifiers, including fingerprints and voiceprints.
Full-face photographic images and any comparable images.
Any other unique identifying number, characteristic, or code.

| Six Mechanisms | Minimum Necessary Standard | Accounting for Disclosures (Section 5.16) | HIPAA Documentation Requirements | IRB Requirements |
| --- | --- | --- | --- | --- |
| Use of De-Identified Data (Section 5.5) | Does Not Apply | No | Researcher documents that all 19 identifiers are removed under Safe Harbor Method (see section 5.5.2), or demonstrate how the data is statistically de-identified. | IRB approval required for the process of de-identification; in nearly all cases this will be an exempt application. |
| Research Using Limited Data Set (Section 5.6) | Applies | No | Researcher documents in Exempt Checklist. Data Use Agreement 4.5 between researcher and data source required. | IRB approval required; in nearly all cases this will be an exempt application. |
| Authorization (Section 5.7) | Does Not Apply | No (Note: Accounting for disclosure is required for psychotherapy notes G20) | Patient-Subject Authorization | IRB approval required. Use of template authorization recommended. |
| Waiver of Authorization (Section 5.8) | Applies | Yes, but simplified if 50 or more records will be utilized | Requirements as listed in 5.8 | IRB approval required; may use this mode for recruitment purposes in addition to authorization and informed consent for the actual study procedures. |
| Research Involving Decedent Information (Section 5.9) | Applies | Yes, but simplified if 50 or more records will be utilized | Researcher documents in description of study. | IRB approval required (exempt application). |
| Review Preparatory to Research (Section 5.10) | Applies | Yes, but simplified if 50 or more records will be utilized | Researcher documents to covered entity supplying information. | No IRB approval necessary. |

24 Other Uses and Disclosures of PHI w/o Authorization
This includes the following:
– Disclosures required by law
– Disclosures to public health authorities
Authorized by law to collect or receive such information for public health activities
– Disclosures for adverse event reporting to certain persons subject to the jurisdiction of the FDA
All the above require Accounting of Disclosure

25 HIPAA & Recruitment
Recruitment is considered research
Therefore, the special provisions for research apply to recruitment

26 Accounting for Uses & Disclosures
Information required to be provided in each patient’s record for an accounting:
– The date of the disclosure
– The name of the entity or person who received the PHI and, if known,
– the address of such entity or person
– A brief description of the PHI disclosed
– A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure

27 Accounting for Uses & Disclosures
If for research purposes 50 or more records are reviewed:
– the name of the protocol or other research activity;
– a plain language description of the protocol or other research activity, including the research purpose and the criteria for selecting the records;
– brief description of the type of PHI disclosed;
– date or time period during which the disclosures occurred or may have occurred, including at least the last date;
– name, address and phone number of the entity that sponsored the research and the PI to which the information was disclosed; and
– a statement that the PHI may or may not have been disclosed for the particular protocol or other research activity.

28 Accounting for Uses & Disclosures
Documentation of a Use or Disclosure must be placed in the patient’s “official record”
– If the record is housed by Clarian, must be documented in the Clarian record

29 More Information
Clarian Contact
Accounting for Disclosures: Roxanne Binford
Compliance Services & HIPAA
Send Accountings to: WH 322A
Scan & or fax:

30 More Information
R&S website:
Subject Confidentiality & Privacy Policy HIPAA Information FAQ’s SOP’s Summary Safeguard Statement Recruitment Checklist