SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH
Angela M. Vieira, General Counsel, Children's Hospital and Health Center
June 5, 2004

Research and Privacy
Common Rule
  – adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data, 45 CFR §46.111(a)(7)
FDA
  – informed consent include statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained and … not[ing] the possibility that the [FDA] may inspect the records, 21 CFR §50.25(a)(5)

Health Insurance Portability and Accountability Act of 1996
Title I: Health Care Access, Portability, and Renewability
Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
aspe.hhs.gov/admnsimp

Administrative Simplification Components

TIMELINE
Transactions and Code Set Standards
  – October 16, 2002 (providers, large health plans); extension but must file compliance plan
  – October 16, 2003 (health plans < $5 million)
Privacy Rule
  – April 14, 2003 (providers, large health plans)
  – April 14, 2004 (small health plans)
Security Rule
  – April 20, 2005 (providers, large health plans)
  – April 20, 2006 (small health plans)

Who is Covered?
Health care providers who transmit any health information in electronic transactions
Health plans
Health care clearinghouses
[Prescription drug discount sponsor]
Business associate relationships

What is Covered?
Protected health information (PHI) that is:
  – individually identifiable health information
  – transmitted or maintained in any form or medium
Held by a covered entity in any form or medium
De-identified information - NOT COVERED

Key Points
Federal rule sets floor
  – covered entities may provide greater protection
  – More protective state law applies
  – California law permitted research uses & disclosures without specific authorization
Required disclosures limited to:
  – subject of information
  – DHHS for compliance
All other disclosures are permissive

Privacy Rule - in brief
Notice of Privacy Practices
Uses and disclosures permitted for treatment, payment, health care operations
Minimum necessary requirements
Individual rights
Patient authorization
Organizational requirements
Business associates

Individual Rights
Right to inspect and receive copy of PHI
Right to request restrictions of uses/disclosures
Right to request amendment
Right to an accounting of disclosures
Right to have reasonable requests for confidential communications accommodated
Right to written notice of information practices from providers and plans
Right to file complaint with DHHS or covered entity

Enforcement
Civil Monetary Penalties
  – $100/violation
  – Capped at $25,000/calendar year for each requirement or prohibition that is violated
  – Enforced by DHHS Office of Civil Rights
Criminal Penalties
  – Greater penalties for certain knowing violations
  – Enforced by Department of Justice
Other liability

Permitted Uses/Disclosures Research
45 CFR §§ (i), (a), (e)
Subject authorization
Approved waiver
Reviews preparatory to research
Research on decedents' information - NEW
De-identified information
  – Not subject to Privacy Rule requirements
Limited data set

Patient Authorization – Core Elements
description of PHI
CE authorized to make use/disclosure
authorized recipient of PHI
description of each purpose
expiration date or event
signature and date
  – personal representative's authority

Patient Authorization - Required Statements
Right to revoke in writing
  – How, describe exceptions OR
  – Refer to CE's Notice of Privacy Practices
Research participation may be conditioned on signing authorization
Potential of information to be redisclosed by recipient and no longer protected by Privacy Rule

Patient Authorization – Additional Requirements
Plain language
Copy of signed authorization

Criteria for Approval of Waiver
Minimal risk to subjects' privacy
  – Adequate plan to protect identifiers from improper use/disclosure
  – Adequate plan to destroy identifiers at earliest opportunity consistent with conduct of research, unless health, research or legal justification for retention
  – Adequate written assurances that PHI will not be reused or redisclosed to any other person or entity except as required by law, authorized oversight of research, or other permissible research
Could not be practicably conducted without waiver
Could not be practicably conducted without access to or use of PHI

Documentation Requirements
Identification and date of action
Waiver criteria
PHI needed
Review and approval procedures
Required signature

Additional Requirements
Notice of privacy practices
Accounting of disclosures
Minimum necessary standard

Reviews Preparatory for Research
Permitted if CE obtains from researcher representations that:
  – use or disclosure sought solely to prepare a research protocol or for similar purposes
  – no PHI will be removed from CE by researcher in course of review
  – PHI necessary for research purposes

Research Decedents' Information
Permitted if CE obtains from researcher:
  – representation that use or disclosure solely for research
  – documentation, upon request, of individuals' deaths
  – representation that PHI necessary for research purposes

Common Rule - Waiver
No more than minimal risk to subjects;
Will not adversely affect the rights and welfare of the subjects;
Research not practicably carried out without waiver or alteration; and
Subjects provided with additional pertinent information after participation, when appropriate

Privacy Rule vs. Common Rule
De-identified information is not subject to Privacy Rule requirements
  – Certain exempt research now subject to IRB review
Coded information still subject to IRB review under Common Rule

De-identification Requirements
Expert Opinion
Person with appropriate knowledge and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable
  – determination that risk is very small; and
  – documents methods and results of analysis.
45 CFR §

De-identification Removal of Identifiers

Limited Data Set
Research, public health, health care operations
CE may contract with business associate to create LDS
Data Use Agreement
  – Privacy Rule requirements

Limited Data Set Removal of Direct Identifiers

Common Issues
Health care operations or research
  – QA, QI activities
      Outcomes evaluation, development of clinical guidelines
  – Population-based activities relating to improving health or reducing cost
  – Protocol development, case management, case coordination
  – Cost management and planning-related analysis
      Formulary development
      Improved payment methodologies
Intent is key! – obtain generalizable knowledge not primary purpose

Common Issues
Covered Entity, Hybrid Entity, or non-Covered Entity
  – Cities, counties, states, agencies
  – Schools, universities
  – Non-health care employers
Databases
Decedent research
De-identification

WEBSITES
Privacyruleandresearch.nih.gov
  – HIPAA & Research
Aspe.hhs.gov/admnsimp
  – HIPAA Administrative Simplification Components
  – HIPAA Privacy Rule