Download presentation
Published byAmelia Milbourne Modified over 9 years ago
1
HIPAA Requirements for Patient Oriented Research
2
UPENN HIPAA Experts Contacts
Debbie Gilead Chief Privacy Officer UPHS, HIPPA Yvonne Higgins Office of Regulatory Affairs Lauren Steinfeld University Chief Privacy Officer HIPAA Resources for Researchers
3
Background - HIPAA Privacy Rule
HIPAA: Health Insurance Portability and Accountability Act outlines the Privacy Regulations Purpose: to protect privacy of patient records provided to health plans, doctors, hospitals and other health care providers Patients: provided with access to their records and more control over how their Protected Health Information (PHI) is used and disclosed Research: Includes specific rules surrounding clinical research and the collection and use of PHI for research purposes Owner: Developed by DHHS, enforced by OCR (Office of Civil Rights) Start date: April 14, 2003 University of Pennsylvania
4
University of Pennsylvania
Definitions Individually Identifiable Health Information Information about the physical or mental health of an individual Created or received by a covered entity Relates to individual’s health, health care or payment for care - past, present or future Reasonable belief that the information can be used to identify a particular individual Applies to defined standard transactions University of Pennsylvania
5
University of Pennsylvania
Definitions Protected Health Information (PHI) All individually identifiable health information transmitted or maintained by a covered entity, regardless of form or media Include oral communications Excludes education records Excludes employment records University of Pennsylvania
6
Definitions - Covered Entity
UPenn School of Medicine HUP CPUP (Clinical Practices) Presbyterian Hospital Graduate Hospital Pennsylvania Hospital Penn Center for Rehab CCA (Clinical Care Associates) Others… Does not include CHOP or VA University of Pennsylvania
7
Uses and Disclosures of PHI in Research
There are FOUR ways to use PHI in Research: Authorization IRB Waiver of Authorization Limited Data Set De-Identified Data University of Pennsylvania
8
University of Pennsylvania
HIPAA Authorization The authorization must cover: Health information collected as part of the study Who may use or disclose the information Who may receive the information Purpose of the use or disclosure Duration of authorization (i.e. note expiration date or the fact that authorization does not expire) Right to revoke authorization Reference to the Notice of Privacy Practices Information disclosed outside the covered entity may not be protected by HIPAA Template can be downloaded from: University of Pennsylvania
9
University of Pennsylvania
HIPAA Authorization Authorization approaches: Stand-alone authorization form Authorization incorporated into study informed consent form Preferred approach: stand-alone form Current standard language not at 6 - 8th grade level Regulations may change, with resultant change to standard language (i.e. form can be changed without requiring IRB re-approval of ICF) IRBs are not required to approve authorization language Stand-alone Template can be downloaded from: University of Pennsylvania
10
University of Pennsylvania
HIPAA Authorization Individual Authorization is a one-time individual permission to use or disclose PHI for non-transaction and payment activities (includes research). The Authorization language requirements are very detailed and must be protocol specific. No accounting requirement for disclosures obtained with an authorization. University of Pennsylvania
11
Uses and Disclosures of PHI in Research
There are FOUR ways to use PHI in Research: Authorization IRB Waiver of Authorization Limited Data Set De-Identified Data University of Pennsylvania
12
University of Pennsylvania
IRB Waiver of Authorization IRB must document review of the following waiver criteria: Use or disclosure involves no more than minimal risk to the individuals; The research could not be practicably conducted without the waiver, and; The research could not be practicably conducted without access to the PHI. University of Pennsylvania
13
University of Pennsylvania
IRB Waiver of Authorization Accounting Requirements: Disclosures made via a waiver must be subject to an accounting process Patients have the right to receive an account of disclosures made of their protected health information (PHI) PI’s or research staff must record all applicable disclosures of PHI as required University of Pennsylvania
14
Accounting for Disclosures
Date or range of dates of disclosure Name of entity to whom the information was disclosed The address of entity to whom PHI was disclosed Description of the PHI disclosed Statement explaining the purpose of the disclosure or a copy of the written request for disclosure if available University of Pennsylvania
15
University of Pennsylvania
IRB Waiver of Authorization When Do You Need a Waiver? Epidemiological Research where it is impractical to get authorization Research Chart Reviews (note Protocol Preparation Exception) Recruitment only if the subject’s contact information is being disclosed outside of SOM/UPHS. But note the following: Any subject recruitment within the SOM/UPHS should follow the HIPAA policy guidelines Also, “outside” SOM/UPHS includes the VA, CHOP, and other Schools of the University (except Nursing researchers) If the PI has a dual appointment and one appointment is in the SOM that individual is “inside” the covered entity. University of Pennsylvania
16
University of Pennsylvania
IRB Waiver of Authorization When Don’t You Need a Waiver? Protocol Preparation (refer to HIPAA exceptions slide) Recruitment “inside” the SOM/UPHS covered entity Research Using an Authorization - but note: A waiver may be required in addition to the authorization if PHI collected prior to authorization is disclosed outside of UPHS/SOM. Research Using De-identified Data University of Pennsylvania
17
University of Pennsylvania
IRB Waiver of Authorization How do you apply for a Waiver? Complete the Request for Waiver of IRB Authorization Form: Submit a complete protocol & grant application if the waiver is to be part of a funded proposal. University of Pennsylvania
18
Uses and Disclosures of PHI in Research
There are FOUR ways to use PHI in Research: Authorization IRB Waiver of Authorization Limited Data Set De-Identified Data University of Pennsylvania
19
University of Pennsylvania
Limited Data Set The limited data set is PHI without facial or direct identifiers Only applies to research, public health and health care operations Research conducted as part of an IRB approved protocol Information may be used or disclosed without individual authorization “Data Use Agreement” required for disclosure University of Pennsylvania
20
University of Pennsylvania
Limited Data Set Facial identifiers name street address telephone and fax numbers address social security number certificate/license numbers vehicle identifiers and serial numbers URLs and IP addresses full face photos and any other comparable images medical record numbers (prescription numbers), health plan beneficiary numbers, and other account numbers device identifiers and serial numbers biometric identifiers, including finger and voice prints University of Pennsylvania
21
When do I need a Data Use Agreement?
When the following conditions are met: Disclosure of data in a "limited data set" Disclosure is for research purposes Individual authorization is not obtained As part of an IRB-approved protocol Who signs off on the Data Use Agreement? The UPenn Office of Research Services handles this agreement on behalf of the Trustees of the University of Pennsylvania. University of Pennsylvania
22
Uses and Disclosures of PHI in Research
There are FOUR ways to use PHI in Research: Authorization IRB Waiver of Authorization Limited Data Set De-Identified Data University of Pennsylvania
23
University of Pennsylvania
De-Identified Data UPHS/SOM may use or disclose de-identified data for research purposes provided its done as part of an IRB approved protocol De-identified data is not covered by HIPAA and may be disclosed for research purposes A code may be applied to the data that would allow re-identification of data but only within the covered entity University of Pennsylvania
24
University of Pennsylvania
De-Identified Data Individually identifiable health information from which identifiers are removed for the individual, relatives, employers, or household members: Names Street address, city county, precinct, zip code & equivalent geocodes All elements of dates (except year) for dates directly related to an individual and all ages over 89 Telephone numbers Fax numbers Electronic mail addresses Social security numbers Medical record numbers Health plan ID numbers Account numbers Certificate/license numbers Vehicle identifiers and serial numbers, including license plate numbers Device identifiers/serial numbers Web addresses (URLs) Internet IP addresses Biometric identifiers, incl. finger and voice prints Full face photographic images and any comparable images Any other unique identifying number, characteristic, or code University of Pennsylvania
25
University of Pennsylvania
HIPAA Exceptions Use of PHI for Case Finding / Research Preparation Use of Decedent Information in Research Must ensure the following That the use or disclosure is sought solely to prepare a research protocol Documentation of the death of the individual The PHI will not be removed from the covered entity The PHI used or accessed is necessary for the research purposes University of Pennsylvania
26
University of Pennsylvania
Special Rules Research commenced prior to 2003 Obtain at time of annual continuing IRB review Research using databases, repositories and banks to include initial info into database authorization is required To utilize this data for research purposes the PI must obtain a waiver of authorization from the IRB PI may review the info in the database without approval if it is preparatory for research University of Pennsylvania
27
University of Pennsylvania
Special Rule - Subject Recruitment Required contact methods (in order of preference): By a physician or other Health Care Professional who has taken care of a patient By the UPENN School of Medicine using a cover letter signed by a Physician who has taken care of the patient, and using text approved by the UPENN IRB By the researcher using a script or cover letter using text approved by the UPENN IRB Direct recruitment by a researcher who has not taken care of the patient will require UPENN IRB approval and will only be permitted when both of the other two alternatives are impractical University of Pennsylvania
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.