06/20/03- revised1 Health Insurance Portability and Accountability Act (HIPAA) HIPAA Privacy Rule: UCSF Education Module for Researchers, Research Administrators,

Presentation transcript:

Slide 1 (06/20/03 - revised): Health Insurance Portability and Accountability Act (HIPAA)
HIPAA Privacy Rule: UCSF Education Module for Researchers, Research Administrators, Coordinators, Staff and IRB Members

Slide 2: What is the Basic Privacy Rule?
- HIPAA-covered entities are required to protect the privacy and security of an individual’s Protected Health Information (PHI).
- PHI may be used and disclosed for Treatment, Payment, Operations (TPO) and certain other uses and disclosures without authorization from the patient.
- Any other use or disclosure of PHI must be authorized by the patient or conform to an exception permitted by HIPAA.
- PHI used in research obtained from the Covered Entity must be accessed in compliance with HIPAA.

Slide 3: What is a Covered Entity at UC?
- Under HIPAA, a Covered Entity (CE) is a health care provider, health plan, or health information clearinghouse.
- The UC Covered Entity includes UC’s institutions and workforce members at the five academic health centers at UCD, UCI, UCLA, UCSD and UCSF.
- NOTE: The definition of the Covered Entity is different for each institution, including the SFVAMC, SFGH and other UCSF affiliates.

Slide 4: What is Protected Health Information (PHI)?
- Individually identifiable information
- Past, present, or future:
  - Health status
  - Treatment
  - Payment for health care
- Created, used, or disclosed by a covered entity (CE)
- In any form (electronic, paper, image)
- Includes any one of the 18 identifiers as defined by HIPAA when created, used or disclosed by or to the Covered Entity

Slide 5: Protected Health Information: 18 Identifiers defined by HIPAA
- Name
- Postal address
- All elements of dates except year
- Telephone number
- Fax number
- E-mail address
- URL address
- IP address
- Social security number
- Account numbers
- License numbers
- Medical record number
- Health plan beneficiary #
- Device identifiers and their serial numbers
- Vehicle identifiers and serial number
- Biometric identifiers (finger and voice prints)
- Full face photos and other comparable images
- Any other unique identifying number, code or characteristic

Slide 6: How does the HIPAA Privacy Rule affect University Researchers?
- Researchers will likely want to access, use or disclose PHI held by the CE in order to conduct research.
- The Privacy Board must approve the above uses of PHI for research.
- At UCSF the Privacy Board for research is the Committee on Human Research (CHR).
- The Privacy Rule applies to all active studies as of April 14, 2003.

Slide 7: Does all human subjects research use PHI?
Not at all. Some examples:
- Non-treatment studies, i.e., testing done with no identifiers; use of aggregate data; diagnostic or genetic tests that do not go into the medical records and results of which do not go to subjects; blood draws for protein binding studies
- Some interview studies and focus group studies
- Some questionnaire studies
- Studies that recruit subjects through ads and flyers where no PHI was accessed and none is created during research

Slide 8: What are the practical implications of HIPAA for Human Research at UCSF?
- New and different vocabulary
- Stricter control of access to Medical Records
- Stricter limitations on how subjects are identified for recruitment
- Additional documentation required for CHR applications

Slide 9: What are the patients’ rights under HIPAA?
- To restrict the use and disclosure of their PHI.
- To access and receive a copy of their PHI (for research purposes, if it will not cause psychological harm).
- To receive an accounting of disclosures of their PHI from the Covered Entity (CE).
- To request amendments to their PHI in their medical records.
- To file complaints with the University or Office of Civil Rights that may result in civil and criminal penalties for individuals as well as the CE.

Slide 10: What is the Covered Entity’s Responsibility?
The Covered Entity is responsible for protecting PHI and for ensuring that PHI:
- Is only used or released for treatment, payment, or operations or as otherwise permitted or required by law;
- Is not released without the patient’s authorization; or
- Is released only under one of the five exceptions to the authorization requirement.
- Meets “minimum necessary” standard.

Slide 11: What is the “Minimum Necessary” Standard for research?
- Only the minimum information reasonably necessary for a specific research purpose may be used or disclosed by a Covered Entity.
- This standard must be addressed in the research protocol.

Slide 12: How can an investigator access PHI for research?
By obtaining one of the following:
- the subject’s individual authorization,
- a CHR-approved waiver of subject authorization,
- a CHR-certified exemption to use de-identified data, or
- a CHR-approved protocol to use a Limited Data Set.

Slide 13: Individual Subject’s Authorization for Research Access to PHI
- Authorization is a separate document used in addition to the Consent Form.
- UCSF standard form is required by UCSF; VA form is required at VA.
- In rare cases, authorization language may be embedded in the consent form, but standard wording is required, and two separate subject signatures are required.

Slide 14: Elements Required in Authorization*
- Description of PHI to be disclosed;
- Why information is being released;
- Who is releasing this information;
- Who is receiving this information;
- How long the information will be kept;
- Signature of individual and date signed; and
- Three required authorization statements: subject’s right to revoke authorization, conditions on authorization, and potential risk of redisclosure.

Slide 15: Research that Does Not Require Subject’s Authorization (or Consent)
- Research that qualifies for a CHR-approved Waiver of Consent/Authorization
- Research that qualifies for a CHR-certified exemption to use de-identified data, or
- Research that qualifies for a CHR-approved protocol to use a Limited Data Set.

Slide 16: #1: Waiver of Authorization
CHR and PI must certify that research:
- Could not practicably be conducted without waiver;
- Could not practicably be conducted without PHI;
- Poses minimal risk to privacy and there is an adequate plan to protect privacy; and
- Research release by waiver must be tracked for disclosure to the subject.

Slide 17: #2: De-Identified Data Sets
- All 18 identifiers of PHI must be removed.
- PI must apply for Exempt Certification
- CHR certification of application is required

Slide 18: #3: Limited Data Set
- May include only the following PHI:
  - Date(s) of service (admission, discharge)
  - Dates of birth and death
  - 5 digit zip codes and other geographic subdivisions other than street address
- May include non-PHI information (i.e., diagnosis)
- Does not require a subject’s authorization
- Does require CHR approval and a Data Use Agreement form
- NOTE: PI must submit Expedited Application to IRB.

Slide 19: Why use a Limited Data Set?
The Limited Data Set (along with the Data Use Agreement) restricts the use of PHI but has the following advantages:
- The study does not require either a subject authorization or a waiver of authorization.
- The PI does not have to track disclosures.
- The use of the data does not need to have an expiration date.
- This is the most protective way to transmit data to sponsors or other entities.

Slide 20: Data Use Agreements for Use of a Limited Data Set (LDS)
- Are between CE and the recipient of the LDS.
- List the permitted uses and disclosures of the LDS.
- Establish who is permitted to use or receive the LDS.
- Provide that researcher or recipient will:
  - Not use or further disclose the information other than as in agreement or as required by law;
  - Use appropriate safeguards;
  - Report to the CE any unpermitted uses or disclosures;
  - Ensure that anyone to whom he/she provides the data agrees to the same restrictions; and
  - Not identify the information or contact the individuals.

Slide 21: How does a researcher gain access to PHI in Medical Records at UCSF?
- Copy of CHR approval letter with:
  - statement of Waiver of Authorization of individual consent --or--
  - statement that Individual Subject Authorization will be obtained --or--
  - a statement that a Limited Data Set will be used.
- An Exempt Application certified by the CHR.

Slide 22: What types of CHR approvals do different types of studies need?
- PHI is used: Full Committee or Expedited
- De-identified PHI (no PHI used): CHR Exempt Certification
- Limited Data Sets (limited PHI allowed): Expedited with Data Use Agreement
- NOTE: Medical Records will require CHR approval or certification to release PHI for research.

Slide 23: What information is now required in the CHR application to address HIPAA?
Protocol and Consent or Authorization to include discussion of PHI (Procedures, Recruitment, Confidentiality, Consent):
- what type of PHI will be used
- how the PHI will be accessed/used
- who will see the PHI (sponsors, FDA, other PIs)
- protection plan (physical and electronic security)
- retention time for keeping PHI in project
- destruction plan (or “none” if for database)
NOTE: In addition, HIPAA Supplement posted on CHR website is required for all but exempt applications.

Slide 24: 8 Acceptable Recruitment Methods
- PIs recruit their own patients directly.
- PIs provide Primary Care Physician (PCP) with a “Dear Patient” letter that instructs interested patients how to contact PI about enrollment.
- PIs ask PCPs for referrals and may contact patients if there is documented patient permission to do so. (Note: Patient permission may be verbal.)
- PI uses CHR-approved ads, notices, and/or media.

Slide 25: Recruitment Methods (continued)
- PIs request a Waiver of Consent/Authorization for recruitment purposes as an exception to the regularly approved methods.
- Faculty Practices/Clinics develop a CHR-approved recruitment protocol so subjects agree ahead of time to be contacted for research.
- PIs enter data about study into the UCSF Seeking Clinical Trials Volunteer Website or another similarly managed website.
- PIs do not access PHI for recruitment purposes.

Slide 26: Protocols approved before April 14, 2003—if PHI is involved
- If a study is active before April 14th, the pre-existing consent form meets the authorization requirement.
- New subjects entered after April 14th must sign a separate Authorization to be used in conjunction with the CHR-approved consent form.
- The standard UC Authorization is posted on the CHR website.
- NOTE: Do NOT submit the protocol or Authorization or any other HIPAA forms to the CHR until renewal time as long as the protocol is unchanged and the standard UC authorization is used.

Slide 27: New or modified protocol approved after April 14, 2003—if PHI is involved
- Subject must sign separate HIPAA Authorization (recommended) --or--
- Standard UC authorization language may be embedded in the consent form. Note: Authorization language in the consent form must have a separate signature in addition to the consent form signature.
- CHR may require additional forms and/or application supplements.

Slide 28: Conclusion - The HIPAA Privacy Rule
- Allows the subject or the CHR to determine when health information may be used for research.
- Places responsibility on the CHR to provide the Covered Entity with assurances that PHI will be protected.
- Does not override other existing federal regulations to protect human subjects in research.
- Does not override any California Law that provides greater protection for the privacy of health information.

Slide 29: UCSF HIPAA Websites
- UCSF:
  - HIPAA Handbook (pdf)
  - HIPAA Training Modules
  - Privacy Officer
- Committee on Human Research:
  - Research Training, FAQ, information
  - Application and Consent templates/guidelines
- UCSF Information Security:

Slide 30: UCSF HIPAA Decision Tree for Before and After April 14, 2003

Slide 31: Does research use PHI?
NO, if none of the 18 identifiers are to be used, accessed or created for delivery of health care purposes
THEN HIPAA does not apply
- Submit CHR application as usual
- Submit HIPAA Supplement

Slide 32: Does research use PHI?
YES, if any of the 18 identifiers are to be used, accessed, or created (from or for medical record)
THEN, if study is approved before April 14, 2003:
- Continue CHR-approved study until time of next renewal or until requesting consent modification
- Use currently approved consent (if any)
- Any new subjects enrolled on or after April 14, 2003 will have to sign a Subject Authorization in addition to consent form (PI keeps until study ended; CHR does not review if standard UCSF Subject Authorization form used)
- NOTE: CHR will revisit Consent/Authorization plan and language at renewal time

Slide 33: Does research use PHI?
YES, if any of the 18 identifiers are to be used, accessed, or created
THEN, if study is approved on or after April 14, 2003:
If using full or expedited committee application,
- Submit HIPAA Supplement
- Submit separate Subject Authorization (recommended) or consent form with HIPAA language embedded and/or
- If waiver of consent of individual authorization is requested for either screening and recruitment or for conduct of study, submit Waiver of Consent/Authorization Form

Slide 34: Does research use PHI? (continued)
- If study was previously approved as exempt, it may no longer qualify as exempt since HIPAA definitions of de-identified are now more strictly defined. It may need to be resubmitted for expedited review.
- If using a limited data set, submit expedited form and data use agreement.

Slide 35: Optional Slide (for those who want just a little more): How do Common Rule (45 CFR 46) and Privacy Rule (45 CFR 164) differ?