Initial intent and main purpose of legislation was to allow individuals to carry their health insurance from job to job.
Included provisions designed to standardize and increase the efficiency of common electronic transactions in health care and to protect the security and privacy of individually identifiable health information.
Divided into four key areas
Privacy – will explain further as most related to university research
Electronic Transaction Standards – attempt to simplify standard exchanges between health care organizations. Establishes standardized formats, codes and data elements for transactions such as health claims, enrollment in health plan, health care payment, referral and authorization etc.
Expensive to implement, but will eventually improve efficiency and reduce paperwork.
Security Standards – Rules for protecting the data integrity, confidentiality, and availability of electronic health care information (These standards apply only to electronic data & information.)
Unique Identifiers – Require one identifying number for each provider, health plan, patient and employer
Compliance date for Transactions – October 16, 2002
Privacy – April 14, 2003
Security – April 2005
A health care provider becomes a covered entity only if it transmits health information in electronic form in connection with a “HIPAA transaction”
HIPAA transaction = the electronic transmission of information “to carry out financial or administrative activities related to health care”.  Sample transactions – claims information, enrollment in a health plan, payment, billing, etc.
Electronic transmission is required to be considered a covered entity, but once a provider is a covered entity all of its health information is subject to the rule
University has declared itself a “Hybrid Entity”
Hybrid Entity option allows the University to treat its health care components as separate legal entities with regard to HIPAA compliance and implementation of Privacy Rule.
Parts of USC qualify as Health Care Components (Student Health Center and Speech and Hearing Clinic).
Coverage extends to supporting functions that create or receive PHI on behalf of an HCC (e.g. billing offices, benefits office, business office personnel)
Extend coverage to non-covered entities through “business associate” agreements – (e.g. attorneys
Past and present.
Before HIPAA, no national standard existed for the protection of a person’s medical information. The Privacy Rule establishes a minimum level (“floor”) of protection nationwide.  HIPAA does not preempt  existing laws but allows the application of more stringent state laws.
Seeks to protect the privacy of individually identifiable health information while ensuring that researchers continue to have access to medical information necessary to conduct research
Before the Privacy Rule, protection of human subjects in research focused primarily on assuring that the research project was performed ethically and that the human subjects participated on the basis of informed consent.
Common Rule and FDA Regulations – supplemented by Privacy Rule
Authorization must be in writing and include certain minimum elements, including: description of information (can’t say all records), name of person authorized to receive information, expiration date for use of information...
Authorization for research does not require a specific end date or event; may state “none” or “end of study”
Purpose = brief introduction to the study, goals of study etc.
Waiver approved by a Privacy Board or IRB
A CE is permitted to disclose PHI for research purposes without authorization if an IRB or Privacy Board has either waived authorization or approved a modified authorization.  CE may use its own IRB or Privacy Board or accept the review of some other IRB/PB.
Privacy Board functions much like an IRB with regard to the review of requests for waivers of authorization.  Role is to assure that there is a legitimate and compelling reason for allowing access to health information without the patient’s consent
Makeup of PB is prescribed in regulation – similar to that of IRB
IRB granting waiver must follow Common Rule plus added privacy criteria using either full or expedited review. Waiver of authorization criteria similar to that already used by IRB to waive informed consent
Some university IRBs have already expressed an unwillingness to take on the dual role and responsibilities of a privacy board.  Not yet decided at USC, but initial inclination is to serve dual role.
Recognition that study design and feasibility must be assessed prior to undertaking research.
Authorization not required for disclosure of PHI that has been “de-identified” in one of two ways.  1) The CE could use a qualified expert to apply scientific criteria to determine that the risk is very small that the information could be used to identify an individual. 2) Meet a “safe harbor” standard by stripping the health information of 18 enumerated identifiers.
Recognizing the limited value of de-identified information to researchers, HHS created a new category of information called the “limited data set”
Explain difference in limited and de-identified (What can you get in the limited data set)
Data use agreement = “super confidentiality agreement” – specifies that information will be used only for stated purpose, that appropriate safeguards will be implemented, and that the recipient will not re-identify data or contact the individual(s)
Apply “minimum necessary standard”
Generally, the disclosing CE is not liable for breaches of the data agreement – but must take reasonable steps to cure the breach
HHS has no jurisdiction to enforce data use agreements unless the recipient is a CE
PR extends to information on dead people while Common Rule applies to “living individuals”
All such disclosures should be in keeping with “minimum necessary standard”
Registries do not have to be government sponsored.  Academic and non-profit registries qualify.
Currently can use data in registry for research with IRB approval (and approval of the registry holder). Need patient authorization or waiver etc. under HIPAA.
FDA – Disclosures related to safety, quality and effectiveness of an FDA regulated product – adverse events, product recalls, post marketing surveillance
Does not include disclosure to drug companies for marketing purposes.
Minimum necessary
Demand change in means and methods for recruiting subjects
Examples of current recruitment process – HPV Study and Search
Physician/investigator can speak to in person or telephone
HIPAA requires specific authorization for well-defined information (usually not entire medical record).  Prior consent giving access to entire record is still valid
Allows access to information in hand and information that will be obtained in course of study – even after effective date.
CE may use or disclose PHI that was created or received for research, either before or after the compliance date, if the CE obtained any one of the following prior to the compliance date:
- Authorization or other legal permission to use or disclose PHI information for research
- Informed consent of the individual to participate in the research
- A waiver of informed consent by an IRB in accordance with the Common Rule
Must obtain authorization at any point that individual is “re-consented”