The Paradox in HIPAA Deven McGraw, JD, MPH, LLM Partner Manatt, Phelps & Phillips, LLP December 8, 2014.

Slides:

Advertisements

Similar presentations

The Role of the IRB An Institutional Review Board (IRB) is a review committee established to help protect the rights and welfare of human research subjects.

Advertisements

Evaluation and Human Subjects Research Julie M. Aultman, Ph.D. Chair, Institutional Review Board Associate Professor, Family and Community Medicine Northeast.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

NATIONAL FORUM ON YOUTH VIOLENCE PREVENTION: HIPAA PRIVACY RULE CONSIDERATIONS November 1, 2011 Iliana L. Peters, JD, LLM HHS Office for Civil Rights.

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group

National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.

1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.

NCVHS: Privacy and Confidentiality Leslie P. Francis, Ph.D., J.D. Distinguished Professor of Law and Philosophy Alfred C. Emery Professor of Law University.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair.

Ethical Considerations when Developing Human Research Protocols A discipline “born in scandal and reared in protectionism” Carol Levine, 1988.

CUMC IRB Investigator Meeting November 9, 2004 Research Use of Stored Data and Tissues.

Privacy and Security Workgroup: Big Data Public Hearing December 8, 2014 Deven McGraw, chair Stan Crosley, co-chair.

Informed Consent and HIPAA Tim Noe Coordinating Center.

The Role of IRBs in Ensuring Ethical Conduct of QI Activities Mary Ann Baily, PhD Columbia IRB Conference April 1, 2011.

Human Investigation Committee  Is it research?  If yes, does it involve human subjects?  If yes, can it be exempt?  If no, will a Request for.

ONC HIT Policy Committee Interoperability and HIE Workgroup Panel 3: State/Federal Perspectives August 22, 2014 Jennifer Fritz, MPH Deputy Director Office.

The IRB's Position on Quality Projects vs. Research R. Peter Iafrate, Pharm.D. Chairman, Health Center IRB University of Florida.

Banks and the Privacy of Medical Information 8 th National HIPAA Summit March 8, 2004 Joy Pritts, JD Health Policy Institute Georgetown University

Navigating Privacy and Security Issues for HIE: A Consumer Perspective Deven McGraw Chief Operating Officer National Partnership for Women & Families

Cornell Evaluation Network The Use of Human Participants in Research Office of Research Integrity and Assurance ~ May 14, 2007.

HIT Policy Committee Privacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair September 14,

Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.

Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.

Submitting IRB Applications (or “Do I have to do an IRB?”) Linda A. Detman, Ph.D. Research Associate Lawton & Rhea Chiles Center for Healthy Mothers and.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

INSTITUTIONAL REVIEW BOARD HISTORY AND ETHICS. 2 Ethical History : Holocaust : Nuremburg Trials 1964: Declaration of Helsinki :

HIT Standards Committee Privacy and Security Workgroup: Initial Reactions Dixie Baker, SAIC Steven Findlay, Consumers Union June 23, 2009.

HIT Policy Committee NHIN Workgroup Recommendations Phase 2 David Lansky, Chair Pacific Business Group on Health Danny Weitzner, Co-Chair Department of.

The Institutional Review Board: A Community College Toolkit Dr. Geri J Anderson.

Human Subject Research View from the IRB Anthony J. Filipovitch Minnesota State University Mankato.

FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.

HIT Policy Committee Information Exchange Workgroup NwHIN Conditions for Trusted Exchange Request For Information (RFI) May 18,

Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.

Working with HIT Systems

Institutional Review Board Issues for Classroom Research Sharon McWhorter IRB Administrator, The University of Akron (With assistance from Phil Allen,

Health Big Data Discussion Privacy and Security Workgroup Deven McGraw, Chair Stanley Crosley, Co-chair June 22, 2015.

Integrating a Federated Healthcare Data Query Platform With Electronic IRB Information Systems Shan He IPHIE 2010.

NAVIGATING THE IRB PROCESS University Institutional Review Board California State University, Stanislaus.

TISSUE REPOSITORIES: THE COMMON RULE and THE HIPAA PRIVACY RULE Mark A. Rothstein, J.D. Herbert F. Boehl Chair of Law and Medicine Director, Institute.

Health Big Data Discussion Privacy and Security Workgroup Deven McGraw, Chair Stanley Crosley, Co-chair June 8, 2015.

A Road Map to Research at Jefferson: HIPAA Privacy and Security Rules for Researchers Presented By: Privacy Officer/Office of Legal Counsel October 2015.

Student Proposal Preparation and IRB Basics Rebecca Novak UTSPH Office of Research October 20, 2015.

AAHRPP ACCREDITATION (Association for the Accreditation of Human Protection Programs)

What Institutional Researchers Should Know about the IRB Susan Thompson Senior Research Analyst Office of Institutional Research Presented at the Texas.

HIPAA and Human Subjects Research IRB Member CE May 2014 Slideshow by Sean Horkheimer.

HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.

1 Changes to Privacy Regulations under ARRA May 4, 2009 Melissa Goldstein, J.D. The George Washington University School of Public Health and Health Services.

Davis Wright Tremaine LLP The Seventh National HIPAA Summit HIPAA Privacy: Privacy Rule Compliance on Public Health Activities and Research Thomas E. Jeffry,

HIT Policy Committee Meeting Nationwide Health Information Network Governance June 25, 2010 Mary Jo Deering, PhD ONC, Office of Policy and Planning NHIN.

PwC Issues in HIPAA Research Compliance William R. Braithwaite, MD, PhD “Dr. HIPAA” HIPAA Summit 6 Washington, DC 27 March 2003.

Human Subjects Update E. Wethington, Chair, UCHS.

0 Ethics Lecture Research. ACADEMY OF OPHTHALMOLOGY Disclosures  The speaker has no financial interest in the subject matter of this.

THE INSTITUTIONAL REVIEW BOARD. WHAT IS AN IRB? An IRB is committee set up by an institution to review, approve, and regulate research conducted under.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

1 Public Health Practice vs. Research A Report for Public Health Practitioners Including Case Studies and Guidance for Making Distinctions James G. Hodge,

HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-

COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,

Research Ethics Matthew Billington

Ethical Principles of Research

PSO Overview for (name of organization’s) PSES Workgroup

Concerns of a Privacy Advocate – and How to Respond

Healthcare Privacy: The Perspective of a Privacy Advocate

American Public Health Association

Enforcement and Policy Challenges in Health Information Privacy

Making Your IRBs and Clinical Investigators HIPAA-Ready

Issues in HIPAA Research Compliance

PSO Overview for (name of organization’s) PSES Workgroup

Research with Human Subjects

Presentation transcript:

The Paradox in HIPAA Deven McGraw, JD, MPH, LLM Partner Manatt, Phelps & Phillips, LLP December 8, 2014

1 Research vs. Operations  HIPAA –Health care operations includes “conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.” (emphasis added) Also includes “population-based activities relating to improving health or reducing health care costs, and protocol development. –Research is a “systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”  Common Rule has the same definition for research. Addressing Privacy | Manatt, Phelps & Phillips, LLP

2 Paradox  Two studies using data for quality improvement purposes: both use the same data points, are done to address the same question or sets of questions, and are done by the same institution. They will be: –Treated as operations if the results are only intended to be used internally –Treated as research if a primary purpose is to share the results with others so that “learning” may occur. –OCR Guidance on “primary purpose” allows for a later change in plans – but initially you have to intend to be doing only operations  How does this advance both the learning healthcare system and protections for data? Addressing Privacy | Manatt, Phelps & Phillips, LLP

3 Health IT Policy Committee (HITECH) Comments to Common Rule ANPRM  Use of clinical data to evaluate safety, quality and efficacy should be treated like operations, even if the intent is to share results for generalizable knowledge, as long as provider entity maintains oversight and control over data use decisions.  Entities should follow the full complement of fair information practices in using PHI for these purposes.  Recommendations provided some examples of activities with clinical data that should be treated as operations – but also acknowledged further work was needed to determine a new line for when analytics with EHR data should be treated under more robust rules. Recommendation letter of 10/18/ implementers/health-it-policy-committee-recommendations-national-coordinator-heal Addressing Privacy | Manatt, Phelps & Phillips, LLP

4 Fixing the Paradox?  Modify HIPAA regulations for data re-use so that regulations more directly address privacy and confidentiality risks. –Potentially could also do through waiver guidance.  Impose greater regulation of re-uses of data that present greater risk to privacy, confidentiality and security. What factors trigger greater risk? –Where is the data analyzed? (Internal vs. external; physical location vs. control) –Sensitivity of the data (type of data, vulnerable populations) –Failure to establish and adhere to FIPPs-based policies  Transparency  Data minimization (“minimum necessary”), collection & use limitations  Security Safeguards  Accountability and oversight Addressing Privacy | Manatt, Phelps & Phillips, LLP

5 Fixing the Paradox  Guidance with respect to the distinction between operations and research – and/or when waivers can be granted  Experiment (federal HIPAA waivers?) to experiment with different models for protecting privacy in research.  Rely less on consent and instead pursue other models of patient engagement (e.g., input into research; greater transparency re: research uses of data; requirements to share results with patients).  Mechanisms of accountability/oversight (Canadian model (PHIPA), voluntary research network governance models, accreditation)  Incentives to pursue privacy-enhancing data sharing architectures.  Study their efficacy in building and maintaining public trust in research. Addressing Privacy | Manatt, Phelps & Phillips, LLP

6 Bloomberg BNA Webinar | Manatt, Phelps & Phillips, LLP Questions? Deven McGraw Partner Manatt, Phelps & Phillips LLP