Understanding and Applying New HIPAA Policy Requirements


1 Understanding and Applying New HIPAA Policy Requirements
May 15, 2017 WSU IRB Member Retreat

2 New IRB Member Toolbox Webpage
IRB Member Resources New IRB Member Toolbox Webpage

3 WSU IRB Policy Human Subject Research Use and Disclosure of Protected Health Information Policy - P19 Approved March 21, 2017

4 Privacy Board A Privacy Board is a review body empowered to oversee Privacy Rule requirements for the use and disclosure of PHI for a particular research study. For many institutions, the Institutional Review Board (IRB) is charged with acting as the Privacy Board for all human subject research.

5 Implementing Policy

6 Covered Entity A Covered Entity is a health plan, a health care clearinghouse, or health care provider who transmits health information. A covered entity can be an institution, organization, or person. The covered entity is responsible for implementing Privacy Rule protections for PHI collected, generated, or stored under its auspices.

7 HIPAA and Research It is important to be aware that a Covered Entity’s Notice of Privacy Practices and non-research HIPAA processes, in and of themselves, do not adequately address all of the requirements to use PHI for research. For example, Premier’s HIPAA requirements for healthcare do not include provisions for obtaining written authorization from research subjects or for obtaining waivers of authorization from the Privacy Board. Therefore, if you review research involving PHI, you must take additional steps to be in compliance with HIPAA.

8 Workforce Member Employees, volunteers, trainees, and other persons whose work performance is under the direct control of a covered entity (i.e., Miami Valley or Dayton Children’s), regardless of whether they are paid by the covered entity.

9 Health Information + Identifiers = PHI
Common Misconception PHI ≠ Identifiers Health Information + Identifiers = PHI

10 Protected Health Information
PHI is individually identifiable health information, including demographic data that is collected from an individual, and:
Is created or received by a covered entity (i.e., MVH, Good Sam, Dayton Children’s, etc.); AND
Relates to the past, present, or future physical or mental health or condition of the individual; or the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; AND
Identifies the individual or where there is a reasonable basis to believe the information can be used to identify the individual; AND
Is transmitted or maintained in any form or medium, whether electronic, paper or oral.

11 HIPAA De-Identified To be considered “de-identified” under the Privacy Rule, EITHER: all of the following 18 identifiers of the individual, their relatives, employers, or household members must have been removed from the individual’s data set by an individual that is not a member of the study team (e.g., medical records official, administrator of a database):
1. Names (including the patient’s name and names of other individuals connected to the patient)
2. Geographic subdivisions smaller than a state (zip code, street address, etc.)
3. All elements of a date (except year), including birth date, admission date, discharge date, date of death, and all ages over 89
4. Telephone numbers
5. Fax numbers
6. E-mail address

12 De-Identified
7. Social security number
8. Medical record number
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers including license plates
13. Device identifiers and serial numbers
14. Web universal resource locators (URLs)
15. Internet protocol (IP) address numbers
16. Biometric identifiers including fingerprints and voice prints
17. Full face photographic (or comparable) images
18. Any other unique identifying number, characteristic, or code unless otherwise permitted by the Privacy Rule for re-identification, and

13 De-Identified The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. OR The data is grouped in such a way that a qualified statistician using accepted analytic techniques concludes that the risk of identification based on the information in the data set is substantially limited, and that if the information is used alone or in combination with other reasonably available information, it does not identify an individual subject (e.g., aggregate data) [45 CFR (b)].

14 Coded Coded means that:
Identifying information (such as name or social security number) that would enable the investigator to readily ascertain the identity of the individual to whom the private information or specimens pertain has been replaced with a number, letter, symbol, or combination thereof (i.e., the code); and A key to decipher the code exists, enabling linkage of the identifying information to the private information or specimens. - OHRP 2008 Guidance

15 Is it PHI?
First and Last Name
Blood Pressure, Date of Cardiac Surgery, Chest X-Rays
Electronic survey of Wright State students by a Wright State student as to date of flu shot in past twelve months
Chart review where Miami Valley researcher only recorded age, weight and smoking status from medical records
Utilizing a data set that had been extracted by the medical records department at Dayton Children’s Hospital that only contains age, cancer diagnosis, weight, and medications taken in past 12 months

16 Authorization Researchers are required to obtain a written authorization for the use and disclosure of a human subject’s PHI for a research study unless the IRB has granted a waiver. The purpose of a written authorization is to inform a potential human subject:
How his/her PHI and research information (collected or created) is to be used, and
With whom the information will be shared
All required elements and statements must be included in the document, if not waived by the IRB.

17 Issues with Sponsor Authorization Language
Sponsor Not Covered Entity/Business Associate
Legalistic Language Prohibited (8th grade reading level)
Separate Decision
Example Policy Language: Any proposed deviation to template language must be submitted according to the IRB’s current study application requirements for review and approval.

18 Screening Questions
What specific data will be collected and used for the research study?
Is the source(s) of the data a covered entity?
Does the source exist as a de-identified data set or identifiable?
Who will be recording it from an identifiable source?
Does all of the data already exist?
If it doesn’t all already exist, will prospective data be generated for non-research purposes?

19 Expedited Review Refresher
May 15, 2017 WSU IRB Member Retreat

20 Types of Review
Administrative Review - Exempt Determinations, NHSR, Miscellaneous Submissions
Expedited Review
Full Board Review

21 Is it human subject research?
Human subject means a living individual about whom an investigator (whether professional or student) conducting research obtains:
Data through intervention or interaction with the individual, or
Identifiable private information.

22 Is it human subject research?
Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects.

23 Exempt from IRB Review 6 Categories
Not applicable to research involving prisoners Categories 1-5 not applicable to FDA-regulated research

24 Exempt Category #2 Research involving the use of educational tests (cognitive, diagnostic, aptitude, achievement), survey procedures, interview procedures or observation of public behavior, unless: (i) information obtained is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects;

25 Exempt Category #2 and (ii) any disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation. Research Involving Children: #2 can only apply to observational research where investigators do not participate in activities being observed.

26 Exempt Category #4 Research involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects.

27 Data De-Identified Data (HIPAA – Not PHI or HSR) vs. Not Readily Identifiable Data (OHRP/FDA – PHI and HSR)

28 Consent Not Required However, the institution may require the following if exempt research involves interactions with subjects: There will be a consent process that will disclose such information as:
That the activities involve research.
The procedures to be performed.
That participation is voluntary.
Name and contact information for the investigator.

29 Expedited Review
Minor Modifications to Previously Approved Research 45 CFR 46.110(b)(2)
Research conducted under Categories 1-9
Consent is required unless waived or modified

30 Expedited Category #5 Research involving materials (data, documents, records, or specimens) that have been collected, or will be collected solely for non-research purposes (such as medical treatment or diagnosis). (NOTE: Some research in this category may be exempt from the HHS regulations for the protection of human subjects. 45 CFR (b)(4). This listing refers only to research that is not exempt.)

31 Expedited Category #8 Continuing review of research previously approved by the convened IRB as follows:
where (i) the research is permanently closed to the enrollment of new subjects; (ii) all subjects have completed all research-related interventions; and (iii) the research remains active only for long-term follow-up of subjects; or
where no subjects have been enrolled and no additional risks have been identified; or
where the remaining research activities are limited to data analysis.

32 Expedited Category #9 Continuing review of research, not conducted under an investigational new drug application or investigational device exemption where categories two (2) through eight (8) do not apply but the IRB has determined and documented at a convened meeting that the research involves no greater than minimal risk and no additional risks have been identified.

33 Documenting Determinations
InfoED Reviewer Module – Provisions Box Category 1-9 or Minor Mods Children 45 CFR Prisoners Pregnant Women, Neonates and Fetuses Waiver of Consent and/or Authorization Waiver of Consent Documentation Approving in InfoED = Signature and Date

