HIPAA – Privacy Rule and Research
USCRF Research Educational Series
March 19, 2003
HIPAA Overview
Health Insurance Portability and Accountability Act of 1996
Four Key Areas:
Privacy Standards
Electronic Transaction Standards
Security Standards
Unique Identifiers
Required Compliance – October 16, 2002 & April 14, 2003
HIPAA - Scope
Applies to
Health plans
Health care providers
Health care clearinghouses
Covered Entity = an organization that transmits health information in electronic form in connection with a “HIPAA transaction” (financial and administrative activities related to health care)
HIPAA - Scope
USC = “Hybrid Entity”
Covered Components
Affiliated covered entities include PHA, Dorn VA, USC Clinics
HIPAA - Scope
“Protected Health Information” (PHI): All individually identifiable health information transmitted or maintained by an organization covered by the HIPAA regulations (a “covered entity”), regardless of form
Privacy Rule
Limits the use and disclosure of PHI
Gives patients the right to access their medical records and to know who accessed their health information
Restricts most disclosures of PHI to the minimum necessary
Privacy Rule (cont.)
Establishes criminal and civil penalties for improper use or disclosure
Establishes new requirements for access to records by researchers
Use and Disclosure of PHI
Authorization
Plain language
Description of information to be disclosed
Purpose of disclosure
Identification of person(s) authorized to use
Expiration date or expiration event
Right to revoke
Statement regarding possible redisclosure
Signature and date
Authorization vs. Consent
A privacy authorization says: “It’s OK for you to look at my PHI and disclose it to a designated third party.”
A consent form says: “I agree to participate in your research project and I understand the risks, benefits, etc.”
Both are needed for research
May be combined
Disclosure Without Authorization
Waiver by IRB or Privacy Board
Reviews preparatory to research
De-identified Information
Use or disclosure of a limited data set
Decedent information
Public health disclosures
Waiver of Authorization
Disclosure poses no more than minimal risk to the privacy of individuals
Plan to protect identifiers from improper disclosure
Plan to destroy identifiers at earliest opportunity
Written assurance that PHI will not be reused or disclosed
Research could not practicably be done without the waiver
Research could not practicably be done without access to the PHI
Privacy risks are reasonable in relation to expected benefits
Reviews Preparatory to Research
For preparatory work, the researcher must submit a request to the covered entity documenting that:
Reviewing protected health information is necessary to prepare a research protocol;
Information will not be removed or recorded by the researcher during the review;
Information for which access is sought is necessary for research purposes.
De-identified Information
Names
All geographic subdivisions smaller than a state
All dates (except year)
Telephone numbers
Fax numbers
Electronic mail addresses
Device identifiers and serial numbers
Web locators – URLs
Internet Protocol (IP) address numbers
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers, including license plate numbers
Biometric identifiers (finger and voice prints)
Full-face photographic images
Any other unique identifying number or code
Limited Data Set
Used or disclosed for research, public health, or health care operations purposes only
Requires the removal of fewer identifiers – “facial identifiers”
May include
Dates related to admission, discharge, birth, death
City, state, five digit zip code
Data use agreement signed by recipient
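The two de-identification levels described above (Safe Harbor removal of the listed identifier categories vs. the limited data set, which keeps dates and city/state/zip) as an added example, not part of the original presentation. Field names and the sample record are constructed; a real implementation must map them to the covered entity's own schema.

```python
from datetime import date

# Direct ("facial") identifiers removed under both methods. Keys are assumed
# names for a constructed record, not a real system's schema.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "device_serial", "url", "ip_address",
    "ssn", "mrn", "beneficiary_id", "account_number", "license_number",
    "vehicle_plate", "biometric_id", "photo", "other_unique_code",
}
# Retained in a limited data set, reduced or removed under Safe Harbor.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
SUB_STATE_GEO = {"street", "city", "zip5"}  # subdivisions smaller than a state

def deidentify(record: dict, method: str = "safe_harbor") -> dict:
    """Return a copy of `record` suitable for release under `method`.

    safe_harbor:      drop direct identifiers, keep only the year of each
                      date, keep only state-level geography.
    limited_data_set: drop direct identifiers only; dates and city/state/zip5
                      stay (the recipient must sign a data use agreement).
    """
    if method not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown method: {method}")
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if method == "safe_harbor":
            if key in DATE_FIELDS:
                # "birth_date" -> "birth_year"; a non-date value becomes None
                out[key[:-5] + "_year"] = value.year if isinstance(value, date) else None
                continue
            if key in SUB_STATE_GEO:
                continue
        out[key] = value
    return out

def residual_identifiers(record: dict, method: str = "safe_harbor") -> set:
    """Keys that should not appear in output produced by `method` (a release check)."""
    banned = set(DIRECT_IDENTIFIERS)
    if method == "safe_harbor":
        banned |= DATE_FIELDS | SUB_STATE_GEO
    return banned & set(record)

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Doe", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "email": "jane@example.com", "ip_address": "192.0.2.10",
    "birth_date": date(1960, 5, 4), "admission_date": date(2003, 3, 1),
    "street": "1 Main St", "city": "Columbia", "state": "SC", "zip5": "29208",
    "diagnosis_code": "I10", "lab_result_mgdl": 142,
}
```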
Research on Decedents’ Information
Assurance that disclosure and use is solely for research on the PHI of decedents
Documentation, when requested by the covered entity (CE), of the death of such individuals
Assurance that the PHI is necessary for research purposes
Public Health Disclosures
Mandated reporting of contagious diseases
Disclosure regarding an FDA regulated activity
Registries
Government, academic and non-profit
Required by law, IRB waiver, authorization, limited data set
Development of registry for research is “research”
Specimens and Tissue Samples
HIPAA applies if the specimens/samples include identifying information.
Impact on Research
Researchers requiring access to PHI must request the information from and meet the requirements of the covered entity
Reluctance by health care providers to participate in research
Barriers to subject recruitment
Increased responsibility for IRB
Recruitment of Subjects
PHI cannot be disclosed to a third party for purposes of recruitment without IRB waiver or patient authorization
Recruitment is allowed for covered health care providers without authorization or waiver (i.e. physicians can recruit their own patients for research studies)
Transition – Prior Permission
Privacy Rule includes a transition provision
Allows for reliance on consent or IRB waiver obtained prior to 04/14/03
May use or disclose PHI created before or after 04/14/03 based on a then-valid consent
Can rely on existing consent for “future unspecified research”
Privacy and the Common Rule
Research with subject permission
Privacy Rule – subject authorization to use/disclose PHI
AND
Common Rule – IRB approval of protocol and informed consent process
Privacy and the Common Rule
Research without subject permission:
Privacy Rule – IRB/Privacy Board waiver based on specified criteria unless preparatory to research or de-identified information or limited data set with data use agreement
AND
Common Rule – Waiver of consent or other appropriate finding (i.e. exemption)
Waiver Approval - Documentation
Identification and date of action
Waiver criteria satisfied
Brief description of required PHI
Review and approval procedures
Signature of IRB/PB Chair
Researcher Responsibilities
Know the rules and be prepared for varying interpretations by covered entities
Authorization vs. waiver
Preparing a confidentiality plan
What information is required?
Who will have access to the data?
How long will access be needed?
Safeguards for protecting information
Alternatives to use of PHI?
Time to gain approval from an additional committee
IRB Responsibilities
Having appropriate expertise in privacy and confidentiality concerns
Ensuring that consent forms contain appropriate authorization requirements, if applicable
Understanding waiver criteria and documenting appropriately
Coordinating communications with the Privacy Board, if applicable