Presentation is loading. Please wait.

Presentation is loading. Please wait.

Main Line Hospitals Institutional Review Board HIPAA Policy Changes 2013 Anne Marie Hobson, BSN, JD, ORA Director.

Similar presentations


Presentation on theme: "Main Line Hospitals Institutional Review Board HIPAA Policy Changes 2013 Anne Marie Hobson, BSN, JD, ORA Director."— Presentation transcript:

1 Main Line Hospitals Institutional Review Board HIPAA Policy Changes 2013 Anne Marie Hobson, BSN, JD, ORA Director

2 2 Background for Policy Revisions 1.First major revision since 2003. 2.Changes based in part on the HIPAA Omnibus* Final Rule published on January 25, 2013 and effective on September 23, 2013. 3.Majority of changes are managed by MLH Compliance Office and have no direct impact on research. 4.MLH IRB serves as the Privacy Board at MLH and oversees the use and disclosure of PHI under the HIPAA Privacy Rule. *Omnibus Rules-Summary 1.) Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health or (HITECH) Act. 2.) Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil monetary penalty structure provided by the HITECH Act. 3.) Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's “harm” threshold with a more objective standard. 4.) Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes.* * Direct Impact on HIPAA in Research

3 3 Key Changes Under the Omnibus Rule 1.Patient’s Rights –Expanded an individual’s right to receive electronic copies of health information at the patient’s request. –Restricted disclosures to health plans concerning treatment for which the individual has paid the out-of-pocket amount in full. –Required modifications to, and redistribution of, a covered entity’s notice of privacy practices. –Modified the individual authorization and other requirements to facilitate research* and disclosure of child immunization proof to schools –Enable access to decedent information by family members or others (PHI protections cease 50 years from date of death)* * Direct Impact on HIPAA in Research

4 4 Key Changes Under the Omnibus Rule (Cont.) 2.Definition of Business Associate (BA) Expanded - includes any downstream subcontractor that creates, receives, maintains or transmits PHI including those with an indirect relationship 3.Liability and Obligations of Business Associates Expanded - BA and subcontractors who have access to PHI are directly liable for compliance with Rule 4.Revised Breach Notification Standard - now presumes that a reportable breach has occurred unless the covered entity or BA determines low probability that PHI has been compromised 5.Changes to Enforcement Rules – eliminated exceptions and may impose civil penalties 6.Marketing, Fundraising and Sale of PHI – imposed stricter limitations for marketing and limited circumstances for fundraising use and sale

5 5 IRB Policy Revisions - “HIPAA: Use of Protected Health Information (PHI) for Research” No. XXIX 1.Included flexibility to combine a HIPAA authorization for research purposes into a study specific informed consent. 2.Included additional requirements for compound authorizations. 3.Added provisions for obtaining authorizations for future research purposes. 4.Added requirements for use of decedent PHI for research purposes and clarified PHI of a deceased individual is protected for a period of 50 years after death.

6 6 IRB Policy Revisions (Cont.) 5.Expanded provision for use of PHI preparatory to research. 6.Described exceptions for psychotherapy therapy notes under the HIPAA regulations. 7.Added provision for accounting of disclosures. 8.Clarified that Business Associates Agreements are generally not required to share PHI with a researcher but may be employed as required by other MLH Policy. 9.Added references to corresponding MLH policies and departments.

7 7 Procedural Issues 1.Combined HIPAA authorization and study specific informed consent: HIPAA language can be embedded in text of consent or in separate section Must include language that “There is no expiration date for the use and/or disclosure of your protected health information.” 2.Compound authorizations: Compound authorizations which contain research-related treatment conditioned on the provision of one of the authorizations must clearly differentiate between the conditioned and unconditioned and conditioned components –For example, an optional sub-study involving collection of additional blood/tissue samples for banking. provide the individual with an opportunity to “opt in” to the research activities described in the unconditioned authorization. “Opt-out” only not permitted.

8 8 Procedural Issues (cont.) 3.Authorizations for Future Research Authorizations for future research must contain each of the core elements and describe the purpose for the use and disclosure of PHI such that it would be reasonable for a subject to expect that PHI could be used or disclosed for future research purposes. 4.Research on Decedents Permitted without an authorization after 50 years after death Researchers must certify that the use or disclosure is sought solely for research on PHI of decedents (i.e. researchers may not request a decedent’s medical history to obtain health information about a decedent’s living relative) Must provide documentation of death when requested by IRB

9 99 5.Use of PHI Preparatory to Research Researcher certifies* that use or disclosure is necessary and is sought solely to review PHI as necessary to prepare a research protocol for the research purpose No PHI may be removed from Main Line Health, Main Line Hospitals, or other MLH Affiliate by the researcher in the course of the review; During the preparatory review, those granted access may only record health information in a form that is “de-identified.” 6.Exceptions for Psychotherapy Notes The use and disclosure of psychotherapy notes for research is permissible only if the subject signs an authorization specifically authorizing the use of psychotherapy notes. * Certification in not required for preparatory activities conducted by non-employee researchers on private medical records/charts (i.e. PHI which has not been collected, stored or maintained by any Main Line Health, Main Line Hospitals, or other MLH Affiliate). Procedural Issues (cont.)

10 10 7.Accounting of disclosures Individuals have right to receive an accounting of certain disclosures* (not “uses”**) including research involving PHI that occurred during the six years prior to the individual’s request for an accounting. Accounting for research purposes is required in: –1) connection with a protocol for which the MLH IRB approved a waiver/alteration of authorization, –2) research on decedents’ information and –3) reviews preparatory to research. When the records of 50 or fewer individuals are disclosed a researcher is responsible for providing MLH Health Information Management with a listing containing date of disclosure; name of the recipient, and address if known; brief description of the PHI disclosed; brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for disclosure, or a copy of the request for the disclosure. Abbreviated reporting for more than 50 records permitted *\Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information. **Use means, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. Procedural Issues (cont.)

11 11 8.Clarified that Business Associates Agreements are generally not required to share PHI with a researcher but may be employed as required by other MLH Policy. 9.Added references to corresponding MLH policies and departments, for example: Research related PHI disclosures subject to accounting will follow the process outlined in the MLH Compliance Office: HIPAA – Patient’s Right to Full Accounting of Disclosures Policy.HIPAA – Patient’s Right to Full Accounting of Disclosures Policy Any request involving PHI may require review by the Chief Privacy Officer for MLH. Users are prohibited under any circumstance to use personal electronic equipment to access MLH proprietary data or download PHI. Refer to Information Systems Policy: Personal Electronic Equipment Information Systems Policy: Personal Electronic Equipment Procedural Issues (cont.)

12 12 Please contact us… Office of Research Affairs Suite G-44, NEB Alia Dudley484-476-2678 Theresa Greaves 484-476-3414 Anne Marie Hobson, JD484-476-2692 Dana LaRosa484-476-3983


Download ppt "Main Line Hospitals Institutional Review Board HIPAA Policy Changes 2013 Anne Marie Hobson, BSN, JD, ORA Director."

Similar presentations


Ads by Google