1. HIPAA Privacy and Some Research
Maria J. Pekar, MBA, JD
Associate General Counsel
Loyola University Health System
March 27, 2019

2. Objectives
Describe how the Health Insurance Portability and Accountability Act (HIPAA) applies to Loyola University Health System and you.
List State of Illinois laws that require stricter confidentiality than described in HIPAA.
Describe the federal rules on human subject research.

3. HIPAA

4. What is the HIPAA law?
Allows employees to change jobs without a gap in health insurance coverage
Standardizes electronic health care transactions
Regulates the privacy and security of health information
Speak to intent of the law
Remember Arthur Ashe 4

5. A Physician’s HIPAA Hats
Provider
Teacher
Researcher

6. Physician as Provider No minimum necessary requirement for treatment
“Need to know” still applies
Provider to provider contact may continue
Need to account for some disclosures
Remember state laws may be more stringent
Still need patient consent to treat
Incidental disclosures are OK

7. Physician as Teacher
Physicians may discuss a patient’s condition during training rounds
Physicians and students should consider surroundings during instruction
Notes count too (students or otherwise)
Use appropriate security for notes w/PHI
Keep notes in confidence
Those who have access to PHI with no direct patient contact still have to keep PHI confidential.

8. Physician as Researcher
HIPAA regulates the privacy of the patient information related to research
There are other laws that regulate the conduct of research
DHHS Common Rule
FDA Part 21
LUMC may condition study participation on obtaining the study participant’s authorization to use and disclose PHI
How can you participate in a study if the Researcher can’t use your information?
Disclosures to sponsors must be the same as what study participants have been told sponsors will receive

9. Electronic Environments
Transmitting PHI electronically must be accomplished securely
Understand system-wide policy on communications containing PHI
Sending unencrypted containing PHI over the internet violates LUMC policy (including gmail)
Internal communication can take place via internal systems
External patient communication can take place via My Loyola, which is password protected and behind our fire wall

10. Epic Access Login ID and password
Log-off or else you are accountable for inappropriate access
Don’t share your passwords
Avoid looking up a friend or colleague’s record out of curiosity
Refrain from viewing a family member’s record out of concern
Don’t look back-post service

11. Social Media
No tweets, Facebook statuses or Instagram posts should contain PHI
Don’t blog interesting cases
Don’t upload or text pictures of patients

12. Best Practices in General
Password protect phones & lap tops
Select “logon” screen savers for computers
Avoid saving PHI to CD ROMs , thumb or hard drives (including desktops and laptops)
Ensure it’s OK w/the patient to discuss care w/family & friends
Verify callers where necessary
Avoid faxing when possible
Don’t leave Epic print-outs in odd places

13. State Information Laws

14. State Laws Generally federal law “trumps” or “pre-empts” State law
HIPAA pre-empts State law unless the State law:
Provides greater privacy protections to a patient’s information; OR
Affords great access to information rights to a patient

15. State “Information” Laws
Mental Health & Developmental Disabilities Confidentiality Act
AIDS Confidentiality Act
Genetic Information Privacy Act
Medical Patient Rights Act
Alcohol & Substance Abuse Act
Personal Information Privacy Act
From your 2011 SEP lecture 15

16. Human Subject Research

17. Common Rule (1981) Federal law governing human subject research
Many federal agencies follow this research rule
Baseline standard of ethics by which any government-funded research is held
Regulates oversight board (IRB)
Applies to federally funded research activities
Contains additional protections for vulnerable populations (e.g., pregnant women, children, prisoners)

18. FDA & Human Subjects Research
FDA Part 21 contains many of the FDA regulations related to human subject research
FDA mostly regulates food, drugs, cosmetics and device research
FDA regulations parallel many sections of the Common Rule but are not identical
IRB responsibilities are mostly consistent
There are additional reporting responsibilities too

19. Institutional Review Board
Committee formally designated to approve, monitor and review research involving humans
They conduct some form of risk-benefit analysis
Number one priority is to protect human subjects from physical or psychological harm
Determines whether study requires full board or expedited review or is exempt

20. Principle Investigator Role
May design a protocol or conduct an externally sponsored study
Responsible for ensuring: the protocol is followed; informed consent is obtained; subjects are protected; and, investigational product/device is controlled
Common Rule unlike FDA rules does not directly address PI responsibilities

21. Medical Student as Researcher
Possible Research Role
Collect or coordinate research data
Identify and compile lists of potential research subjects in accordance with study objectives
Review or edit data for completeness and accuracy
Integrity of study results depends on data collection
Professional competency may be enhanced by understanding evidence-based medicine

22. Summary Patients have a Federal right to privacy
State laws may afford greater protections
Research is regulated; know the rules

23. Questions?