Revised February 4, Health Insurance Portability and Accountability Act (HIPAA) HIPAA Privacy Rule: UCSF Education Module for Researchers, Research Administrators, Coordinators, Staff and IRB Members
Revised February 4, In the Beginning The emphasis was on the “portability” of insurance, and medical records. The issue was how to keep electronic medical records private. Little thought was given to the implications of HIPAA for research. Institutions with electronic records or electronic transmission of medical information would be charged with the responsibility of protecting the privacy and security of these records.
Revised February 4, What Is the Basic Privacy Rule? HIPAA-covered entities are required to protect the privacy and security of an individual’s Protected Health Information (PHI). PHI may be used and disclosed for Treatment, Payment, Operations (TPO) and certain other uses and disclosures without authorization from the patient. Any other use or disclosure of PHI must be authorized by the patient or conform to an exception permitted by HIPAA. PHI used in research must be obtained from the Covered Entity in compliance with HIPAA.
Revised February 4, What is a Covered Entity at UC? A Covered Entity (CE) is the health care provider, health plans, and health information clearninghouses. The UC Covered Entity includes UC’s institutions and workforce members at the five academic health centers at UCD, UCI, UCLA, UCSD and UCSF. NOTE: The definition of the “Covered Entity” is different for each institution, including the SFVAMC, SFGH, Kaiser, CPMC, St. Luke’s, the Haight-Ashbury Free Clinic, and so on.
Revised February 4, What is PHI? Individually identifiable information Past, present, or future: Health status Treatment Payment for health care Created, used, or disclosed by a covered entity (CE) In any form Includes any one of the 18 identifiers as defined by HIPAA
Revised February 4, Protected Health Information (PHI): 18 Identifiers defined by HIPAA Name Postal address All elements of dates except year Telephone number Fax number address URL address IP address Social security number Account numbers License numbers Medical record number Health plan beneficiary # Device identifiers and their serial numbers Vehicle identifiers and serial number Biometric identifiers (finger and voice prints) Full face photos and other comparable images Any other unique identifying number, code, or characteristic.
Revised February 4, How does HIPAA Privacy Rule affect University Researchers? Researchers will likely want to access PHI held by the CE in order to conduct research. The Privacy Board must approve use of PHI for research. At UCSF the Privacy Board for research is the IRB, that is, the CHR. The Privacy rule applies to all active studies as of April 14, 2003.
Revised February 4, Does all human subjects research use PHI? Not at all! Some examples: Some non-treatment studies, i.e., testing done w/no identifiers; use of aggregate data; diagnostic or genetic tests that do not go into the medical records; blood draws for protein binding studies) Some interview studies and focus group studies Some questionnaire studies Studies that recruit subjects through ads and flyers where no PHI was accessed and none is created during research
Revised February 4, Covered Entity (CE): UCSF Medical Center, Hospitals and Clinics If information from the study is added to the CE i.e., information is added to Medical Records or used to make health care decisions If information is obtained for the study from the CE i.e., medical records review for recruitment, data analysis Do HIPAA regulations apply?
Revised February 4, What are the practical implications of HIPAA for Human Research at UCSF? New and different vocabulary Stricter control of access to Medical Records (HIMS and Faculty Practices) Stricter limitations to identifying subjects for recruitment Additional documentation for PI, IRB, and CE. Important Note: Most research being done can continue, but with additional documentation!
Revised February 4, What are the patients’ rights under HIPAA? To restrict the use and disclosure of their PHI To access and receive a copy of their PHI used for research purposes (unless it will cause psychological harm) To receive an accounting of disclosures of their PHI by the CE To request amendments to their PHI in their medical records To file complaints with the University or OCR that may result in civil and criminal penalties for individuals as well as the covered entities
Revised February 4, What is the Covered Entity’s Responsibility? The covered entity (CE) is responsible for protecting PHI and for ensuring that PHI: Is only used or released for TPO or as otherwise permitted or required by law; Is not released without the patient’s authorization; or Is released only under an IRB approved waiver of consent/authorization Meets “minimum necessary” standard.
Revised February 4, How can an investigator access PHI for research? Through a HIPAA Authorization signed by the subject (or legal representative) -OR- Through a Waiver of Authorization requested by the PI and approved by the IRB. Note: UCSF polices require IRB approval for access to PHI for human subjects research.
Revised February 4, Individual Subject’s Authorization for Research Access to PHI Authorization must be a separate document used along with the Consent Form for biomedical and treatment studies. For some behavioral studies, Authorization may be combined with the Consent Form, but requires two separate signature lines: one for consent, and one for authorization.
Revised February 4, What does a HIPAA authorization look like? The standard UC HIPAA authorization is a two- page document available on the HIPAA Forms section of the CHR website.HIPAA FormsCHR website The standard SFVAMC form is also available on that site. Other Covered Entities may require their own versions of the HIPAA authorizations. Note: Some sponsors also have their own versions of the forms, but with rare exception UCSF researchers must use the UC version.
Revised February 4, What Elements Are Required in the HIPAA Authorization? Description of PHI to be disclosed Name or class of recipients of information and of those authorized to disclose PHI Description of research purpose Expiration date, though at UC this is stated as “when study is completed.” Right to cancel authorization Advise subject that HIPAA protections may not apply to redisclosed information although other protections apply Consequences of a refusal to sign an authorization Signature of subject and date
Revised February 4, Which Research Does Not Require a Subject’s Authorization? 1. Research granted a Waiver of Consent/Authorization by the CHR 2. Research using De-Identified Data 3. Research using a Limited Data Set 4. Research not using PHI
Revised February 4, #1: Waiver of Authorization PI and IRB must certify that research: 1. Could not practicably be conducted w/o waiver 2. Could not practicably be conducted w/o PHI 3. Poses minimal risk to privacy based on written assurance that the PHI will not be reused or disclosed and that there is an adequate plan to protect identifiers. To accomplish this, PI fills out Waiver of Consent/Authorization Form available on CHR website and submits with application. Research released by a waiver, must be tracked for disclosure to the subject.
Revised February 4, #2: De-Identified Data Sets There are two HIPAA-approved methods of de- identifying datasets: All 18 identifiers of PHI must be removed, or A qualified statistician documents the methods and analysis used to determine that data is de-identified or risk is very small that information can be used to identify an individual IRB approval of protocol is still required PI should apply for Exempt Certification from IRB.
Revised February 4, #3: Limited Data Set May include only the following PHI: Date(s) of service (admission, discharge) Dates of birth and death 5 digit zip codes and other geographic subdivisions other than street address May include non-PHI information ( i.e., diagnosis) Does not require a subject’s authorization Does require IRB approval which includes a Waiver of Consent/Authorization NOTE : IRB applications must include a request for a wavier of consent/authorization.
Revised February 4, Covered Entity (CE): UCSF Medical Center, Hospitals and Clinics If information from the study is NOT added to the CE If information obtained for the study does NOT come from the CE i.e., NO medical records review for recruitment or data analysis == #4: Research Not Using PHI
Revised February 4, How does a researcher gain access to PHI in Medical Records at UCSF? Copy of CHR approval letter with: statement of Waiver of Authorization of individual consent --or-- statement that Individual Subject Authorization will be obtained
Revised February 4, What types of CHR approvals are needed for these types of studies? PHI: Full Committee or Expedited De-identified PHI (no PHI used): CHR Exempt Certification Limited Data Sets (limited PHI allowed): Expedited with Waiver of Authorization NOTE: Medical Records will require CHR approval to release PHI for research.
Revised February 4, What information is now required by the CHR to address HIPAA? PIs should complete and submit the HIPAA Supplement with all full committee and expedited applications, even if no PHI is being used; Waiver of consent/authorization form if applicable (usually for recruitment purposes) The pilot application (required as of January 2004) embeds HIPAA information within it. Exempt applications do not require any additional information about HIPAA.
Revised February 4, What are the 8 Most Common and Acceptable Recruitment Methods? PIs recruit their own patients directly PIs provides PCPs a “Dear Patient” letter that instructs any interested patients how to contact PI about enrollment PIs ask PCPs for referrals and may contact patients if there is documented patient permission to do so PI used CHR-approved ads, notices, and/or media
Revised February 4, Recruitment Methods (continued) Faculty Practices/Clinics develop a CHR- approved recruitment protocol so subjects agree ahead of time to be contacted for research PIs request a Waiver of Consent/Authorization for recruitment purposes as an exception to the regularly approved methods. PIs enter data about study into the UCSF Seeking Clinical Trials Volunteer Website or another similarly managed websiteUCSF Seeking Clinical Trials Volunteer PIs do not access PHI for recruitment purposes.
Revised February 4, Conclusion-The HIPAA Privacy Rule Greater emphasis on privacy and confidentiality of medical records in both health care and research. Researcher’s responsibilities are more clearly defined. Subject’s have more clearly defined legal rights to protect their privacy.
Revised February 4, UCSF HIPAA Websites UCSF: HIPAA Handbook (pdf) HIPAA Training Modules Privacy Officer CHR: Application and Consent templates/Guidelines Research Training, FAQ, information UCSF Medical Center IT: UCSF Information Security: