SACHRP HIPAA Recommendations: September 2004 Mark Barnes Huron Consulting Group March 3, 2009.

Slides:



Advertisements
Similar presentations
The Role of the IRB An Institutional Review Board (IRB) is a review committee established to help protect the rights and welfare of human research subjects.
Advertisements

Ann Johnson IRB Administrator, IRB Member. Objectives 1. Identify the components necessary for management and oversight of tissue repositories used for.
TISSUE BANKING Challenging to Say the Least
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
PRIM&R Privacy Panel II “Privacy/Confidentiality Challenges in the HIPAA Era” Pearl O’Rourke, Moderator Bartley Barefoot Oliver Johnson Lora Kutkat.
1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair.
Subcommittee on Harmonization Mark Barnes David Forster.
Office of Research Oversight. Working Group Report Slide 2.
University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.
Office of Research Oversight. Challenges & Opportunities Related to “Collaborative” Research with Affiliates Challenges –Federal Records Retention Requirements.
Recently Issued OHRP Documents: Guidance on Subject Withdrawal and Draft Revised FWA Secretary’s Advisory Committee on Human Research Protections October.
CUMC IRB Investigator Meeting November 9, 2004 Research Use of Stored Data and Tissues.
Informed Consent and HIPAA Tim Noe Coordinating Center.
IRB Monthly Investigator Meeting Columbia University Medical Center IRB October 11, 2005.
Health Insurance Portability and Accountability Act (HIPAA)
April 2, 2013 Longitudinal Data system Governance: Status Report Alan Phillips Deputy Director, Fiscal Affairs, Budgeting and IT Illinois Board of Higher.
Quick Facts about Exempt Research No continuing review required IRB Reviewer makes Exempt determination 6 OHRP & 4 FDA categories(1 category overlaps)
1 VUMC Confidentiality Policy and HIPAA Implications for Clinical Research General Clinical Research Center Skills Workshop March 2, 2007 Gaye Smith Privacy.
Human Research Protection Programs 1a: How to Navigate Human Subject Protection Regulations Sponsored by the American Society for Investigative Pathology.
Paula Peyrani, MD Medical/Project Director, HIV Program at the 550 Clinic Assistant Director, Research Design and Development Clinical and Translational.
1 Disclosures © HIPAA Pros 2002 All rights reserved.
1 Defense Health Agency Privacy and Civil Liberties Office HIPAA Privacy Board Overview August 6, 2015.
HIPAA and Research Basics for IRB Tim Atkinson Director, Research and Sponsored Programs Director, Institutional Review Board Research Privacy Officer.
HIPAA – How Will the Regulations Impact Research?.
H I P A A T R A I N I N G Self Directed Module 7 Research Disclosures For Data Custodians START Click to begin…
© 2009 The McGraw-Hill Companies, Inc. All rights reserved. 1 McGraw-Hill Chapter 2 The HIPAA Privacy Standards HIPAA for Allied Health Careers.
HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.
Privacy and Confidentiality. Definitions n Privacy - having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally,
Understanding HIPAA (Health Insurandce Portability and Accountability Act)
FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.
1 Ethical issues in genomics research Bernard Lo, M.D. March 3, 2009.
Health Insurance portability and Accountability Act (HIPAA)‏
HIPAA and Human Subjects Research IRB Member CE May 2014 Slideshow by Sean Horkheimer.
Case Studies: Puzzles in Human Research Kevin L. Nellis, M.S., M.T. (A.S.C.P.) Program Analyst, Program for Research Integrity Development and Education.
Use of Data from the Electronic Medical Record in Research Opportunities & Pit Falls Kristin West.
Davis Wright Tremaine LLP The Seventh National HIPAA Summit HIPAA Privacy: Privacy Rule Compliance on Public Health Activities and Research Thomas E. Jeffry,
Privacy/Confidentiality – Principles and Regulations in the Social Sciences and Behavioral Research Moira Keane, MA, CIP University of Minnesota May 4,
HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule.
Privacy and Security Considerations in Research and Clinical Trials February 28, 2013 Joanna K. Napp, J.D., M.P.H. Chief Privacy Officer and Compliance.
THE INSTITUTIONAL REVIEW BOARD. WHAT IS AN IRB? An IRB is committee set up by an institution to review, approve, and regulate research conducted under.
Minding HIPAA & IRBs Cave Fatuis!. Elements HIPAA definitions of identifiable data Reducing risk of identifying people Research and IRB approval Business.
Final HIPAA Privacy Rule: The Research Provisions Julie Kaneshiro DHHS Office for Human Research Protections Phone: Fax:
HIPAA and RESEARCH 5 th Thursday May 31, Page 2.
HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule Melinda Hatton -- Oct. 31, 2002.
Honest Brokers for Secure De- identification of Patient Records Project – CSE 5810 – Introduction to Biomedical Informatics Krishna Kalaparti Date: 04/20/2016.
HIPAA 2017 JHSPH IRB Clarifications and Changes
Upcoming Changes to the Common Rule
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
The HIPAA Privacy Rule: Implications for Medical Research
HIPAA Administrative Simplification
Changes to Exempt Categories
HIPAA Pros - Disclosures
Overview of Changes to the Common Rule
Changes to Exempt Categories
Overview of Important Changes to the Final Rule
Disability Services Agencies Briefing On HIPAA
The HIPAA Privacy Rule and Research
Secondary Research with Identifiable Information and Biospecimens
Overview of Important Changes to the Final Rule
Revised Common Rule: Informed Consent Changes
Analysis of Final HIPAA Privacy Modification Rule
Which Projects Do – and do Not – Require IRB Review?
Office of Research Integrity and Protections
Research with Human Subjects
Office of the Vice President for Research Human Subjects Protection Program IRB Submission Process Module 4 - Health Insurance Portability and Accountability.
Presentation transcript:

SACHRP HIPAA Recommendations: September 2004 Mark Barnes Huron Consulting Group March 3, 2009

Accounting Requirement Disclosures of PHI for research purposes should be exempted from HIPAA accounting requirements.

IOM Analog HHS should reform the requirements for the accounting of disclosures of PHI for research.

De-identification Requirements HHS should reduce the number of data categories that must be eliminated for data to be regarded as de- identified. Among those data categories that should be strongly considered for deletion are zip codes, geographic subdivisions, and dates. While the specific addresses of persons should not be included in de-identified information, more general areas of residence, work or origin, may, in fact, be essential to epidemiologic and other studies of, for example, disease incidence. Additionally, most dates, including admission and discharge dates, provide essential endpoints for much research without directly identifying the individual.

IOM Analog HHS should encourage greater use of partially deidentified data called “limited datasets” and develop clear guidance on how to set up and comply with the associated data use agreements more efficiently and effectively, in order to enhance privacy in research by expanding use and usability of data with direct identifiers removed.

Additional IOM Analog HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects privacy, confidentiality, and security.

Standards for Recruitment Contact with Potential Research Subjects HIPAA distinguishes between, on the one hand, all researchers who are affiliated with the Covered Entity through membership in the Covered Entity’s “workforce,” making them “internal” to the Covered Entity, and on the other hand, those who otherwise are subject to the Covered Entity’s policies and procedures (for example, by virtue of being a member of the Covered Entity’s faculty or medical staff) but who are not employed by the Covered Entity, making then “external.” Rather than focusing on the distinction between “internal” and “external” researchers, HHS should key any distinction in the ability of researchers to use PHI to contact potential subjects without the additional requirement of Institutional Review Board (IRB) waiver or a business associate agreement around whether the Covered Entity exercises effective control over the researcher through application of its policies and procedures.

IOM Analog HHS guidance documents should simplify the HIPAA Privacy Rule’s provisions regarding the use of PHI in activities preparatory to research and harmonize those provisions with the Common Rule, in order to facilitate appropriate IRB and Privacy Board oversight of identification and recruitment of potential research participants.

Authorization for “Future Research Uses” of PHI When an IRB has considered and approved a research consent form that permits consent to certain future uses under the Common Rule standard, the Final Privacy Rule should likewise permit subjects to authorize the use and disclosure of their PHI for the same future uses. Any subsequent research using the PHI that goes beyond the scope of the authorization to future uses or disclosures would require IRB or Privacy Board waiver of the Privacy Rule’s Authorization requirements, or subsequent authorization from each subject.

IOM Analog HHS should develop guidance that clearly states that individuals can authorize use of PHI stored in databases or associated with biospecimen banks for specified future research under the HIPAA Privacy Rule with IRB/PrivacyBoard oversight, as is allowed under the Common Rule, in order to facilitate use of repositories for health research.

Additional Related IOM Recommendation HHS should clarify the circumstances under which DNA samples or sequences are considered PHI, in order to facilitate appropriate use of DNA in health research.

“Compound” Authorizations HHS should revise HIPAA’s compound authorization rules to permit the combining of research authorizations into one form when researchers seek to bank data and materials collected as part of an underlying clinical trial. In order to promote subject choice, the rules should require that subjects be given the ability to “opt into” the banking portion of the authorization.

IOM Analog HHS should develop clear guidance for use of a single form that permits individuals to authorize use and disclosure of health information in a clinical trial and to authorize the storage of their biospecimens collected in conjunction with the clinical trial, in order to simplify authorization for interrelated research activities.

Making HIPAA Authorization Exemptions Consistent with Common Rule Exemptions HHS should revise the categories of research for which authorization is not required, so that those categories are consistent with research determined by an IRB or other appropriate institutional authority to be exempt from the requirements of the Common Rule.

IOM Analog HHS should simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study, in order to facilitate appropriate authorization requirements for responsible research.

Does HIPAA Apply to Non-U.S.- Based Research? HHS should clarify that PHI collected from foreign nationals outside the United States by researchers engaged in international research who are affiliated with Covered Entities is not subject to HIPAA’s requirements solely as a result of the researchers’ affiliation with the Covered Entity. Alternatively, SACHRP recommends that there be guidance as to how research conducted outside the United States can be insulated from HIPAA’s applicability so that Covered Entities and their affiliated researchers can continue to participate in this important research without triggering HIPAA’s requirements.

IOM Charge Examine the potential impact of the Rule on public health research, on the recruitment of research subjects for studies, on carrying out research internationally, and on research using data and biomaterials in databases and tissue repositories.

Related IOM Finding A report by Dutch researchers suggests that the Privacy Rule, or its interpretation, has made it more difficult for international researchers to collaborate with U.S. research centers (Kompanje and Maas, 2006). The authors recorded their experiences operating under the Privacy Rule in an international, multicenter, Phase III trial on the safety and efficacy of a neuroprotective agent in traumatic brain injury. The researchers compared the completion of screening logs between research centers in the United States and Europe. Because of the Privacy Rule, many of the U.S. screening logs had a large amount of missing data. All the European sites reported the actual age of the research participants on their screening logs, but only 5 of the 15 U.S. sites reported the age. The remaining 10 U.S. sites only reported whether the patient met the inclusion criteria for the study. Also, all the European sites reported the date and time of the injury, while only 10 U.S. sites provided this information. Information on secondary insults and the Glasgow Coma Scale were often omitted from the screening logs of U.S. sites. Overly conservative or variable interpretations of the Privacy Rule prevented many U.S. sites from providing the requisite data to the researchers and made it difficult for the researchers to monitor their study for selection bias and quality (Kompanje and Maas, 2006). In many situations, having international data is important to study a health problem. How often the Privacy Rule, or its interpretation, hinders U.S. collaboration in international research is unclear. But it is very conceivable that other international researchers have experienced frustrations similar to the Dutch researchers over collecting data from U.S. sites, or have even abandoned attempts to work with U.S. research centers due to the restrictions of the Privacy Rule.

Public Health Activities under HIPAA HHS should revisit both the definition of public health authority as well as the exception for uses and disclosures for public health activities. Revisions should broaden them sufficiently to ensure that federal and state agencies whose primary purpose is the prevention or control of disease, injury, or disability or the analysis of data in alliance with public health and public benefits agencies fall under this exception, even if the legal authority establishing such agencies does not explicitly authorize them to “compel the collection of PHI” in the course of their duties.

IOM Analog HHS should clarify the distinctions between “research” and “practice” to ensure appropriate IRB and Privacy Board oversight of PHI disclosures for these activities.

Transition Provisions: No Longer Topical HHS should revise the transition Rules to grandfather not only research that received IRB waiver of informed consent under the Common Rule prior to HIPAA’s compliance date but also research that did not receive IRB review or oversight as a result of having met an exemption under the Common Rule.

SACHRP HIPAA Recommendations: September 2004 Mark Barnes Huron Consulting Group March 3, 2009