USCRF Research Educational Series
March 19, 2003

Health Insurance Portability and Accountability Act of 1996

Four Key Areas:
Privacy Standards
Electronic Transaction Standards
Security Standards
Unique Identifiers

Required Compliance – October 16, 2002 & April 14, 2003

Applies to:
Health plans
Health care providers
Health care clearinghouses

Covered Entity = an organization that transmits health information in electronic form in connection with a “HIPAA transaction” (financial and administrative activities related to health care)

USC = “Hybrid Entity”
Covered Components
Affiliated covered entities include PHA, Dorn VA, USC Clinics

“Protected Health Information” (PHI): All individually identifiable health information transmitted or maintained by an organization covered by the HIPAA regulations (a “covered entity”), regardless of form

Limits the use and disclosure of PHI
Gives patients the right to access their medical records and to know who accessed their health information
Restricts most disclosures of PHI to the minimum necessary
Establishes criminal and civil penalties for improper use or disclosure
Establishes new requirements for access to records by researchers

Authorization:
Plain language
Description of information to be disclosed
Purpose of disclosure
Identification of person(s) authorized to use
Expiration date or expiration event
Right to revoke
Statement regarding possible redisclosure
Signature and date

A privacy authorization says: “It’s OK for you to look at my PHI and disclose it to a designated third party.”

A consent form says: “I agree to participate in your research project and I understand the risks, benefits, etc.”

Both are needed for research
May be combined

Waiver by IRB or Privacy Board
Reviews preparatory to research
De-identified Information
Use or disclosure of a limited data set
Decedent information
Public health disclosures

Waiver criteria:
Disclosure poses no more than minimal risk to the privacy of individuals
Plan to protect identifiers from improper disclosure
Plan to destroy identifiers at earliest opportunity
Written assurance that PHI will not be reused or disclosed
Research could not practicably be done without the waiver
Research could not practicably be done without access to the PHI
Privacy risks are reasonable in relation to expected benefits

For preparatory work, the researcher must submit a request to the covered entity documenting that:
Reviewing protected health information is necessary to prepare a research protocol;
Information will not be removed or recorded by the researcher during the review;
Information for which access is sought is necessary for research purposes.

Identifiers that must be removed for information to be de-identified:
Names
All geographic subdivisions smaller than a state
All dates (except year)
Telephone numbers
Fax numbers
Electronic mail addresses
Device identifiers and serial numbers
Web locators – URLs
Internet Protocol (IP) address numbers
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers, including license plate numbers
Biometric identifiers (finger and voice prints)
Full-face photographic images
Any other unique identifying number or code

Limited data set:
Used or disclosed for research, public health, or health care operations purposes only
Requires the removal of fewer identifiers – “facial identifiers”
May include:
Dates related to admission, discharge, birth, death
City, state, five-digit zip code
Data use agreement signed by recipient

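The two standards above differ only in which fields survive: full de-identification strips every identifier on the slide's list (keeping only the year of any date and nothing geographic below the state), while a limited data set strips the "facial identifiers" but may keep admission/discharge/birth/death dates and city, state and five-digit zip. The following Python is an added example written for this page, not code from the USCRF series or any HIPAA tooling; the record field names, the sample patient record, and the free-text scanner are all constructed for illustration, and the example follows the slide's lists rather than the full regulatory text, which carries further conditions the slides do not cover.

```python
"""Added example: apply the slide's two standards to a constructed record.

- safe_harbor_deidentify(): remove every listed identifier, keep only the
  year of each date, drop geography smaller than a state.
- limited_data_set(): remove the "facial identifiers" only; dates and
  city/state/zip stay, on the understanding that a data use agreement
  covers the recipient.
- contains_residual_identifier(): a defender's check over free-text
  fields, since a notes column can carry identifiers that field-level
  stripping never sees.

All field names below are assumptions made for this example.
"""
import re
from datetime import date

# Direct identifiers of the person (the slide's "facial identifiers").
# Removed under both standards.
FACIAL_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address",
    "biometric", "photo", "other_unique_code",
}

# Geographic units smaller than a state: removed only under Safe Harbor.
GEO_SMALLER_THAN_STATE = {"street_address", "city", "zip"}

# Date elements: Safe Harbor keeps the year only; a limited data set keeps them.
DATE_FIELDS = {"admission_date", "discharge_date", "birth_date", "death_date"}

# Constructed, fictitious record (not a real patient).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "1 Example St",
    "city": "Columbia",
    "state": "SC",
    "zip": "29201",
    "phone": "803-555-0100",
    "email": "jane@example.org",
    "ssn": "000-00-0000",
    "mrn": "MRN-12345",
    "birth_date": date(1960, 5, 4),
    "admission_date": date(2003, 3, 1),
    "diagnosis": "Type 2 diabetes",
    "notes": "Call back at 803-555-0100",
}


def limited_data_set(record):
    """Strip facial identifiers; dates, city, state and zip are retained."""
    return {k: v for k, v in record.items() if k not in FACIAL_IDENTIFIERS}


def safe_harbor_deidentify(record):
    """Strip every listed identifier; reduce dates to their year."""
    out = {}
    for k, v in record.items():
        if k in FACIAL_IDENTIFIERS or k in GEO_SMALLER_THAN_STATE:
            continue
        if k in DATE_FIELDS:
            out[k.replace("_date", "_year")] = v.year
            continue
        out[k] = v
    return out


# Shapes of identifiers that commonly leak into free text.
_RESIDUAL_PATTERNS = [re.compile(p) for p in (
    r"\b\d{3}-\d{2}-\d{4}\b",          # Social Security number shape
    r"\b\d{3}[-.]\d{3}[-.]\d{4}\b",    # telephone / fax number shape
    r"[\w.+-]+@[\w-]+\.[\w.]+",        # e-mail address
    r"\b\d{1,3}(?:\.\d{1,3}){3}\b",    # IPv4 address
)]


def contains_residual_identifier(record):
    """Return the names of string fields that still look like they hold an identifier."""
    hits = []
    for k, v in record.items():
        if isinstance(v, str) and any(p.search(v) for p in _RESIDUAL_PATTERNS):
            hits.append(k)
    return hits


if __name__ == "__main__":
    sh = safe_harbor_deidentify(SAMPLE_RECORD)
    print("Safe Harbor:", sh)
    print("Residual identifiers in free text:", contains_residual_identifier(sh))
    print("Limited data set:", limited_data_set(SAMPLE_RECORD))
```

Running it shows the point the slides make implicitly: field-level stripping satisfies the list, yet the `notes` field still carries a telephone number under both standards, so a de-identification review has to look inside free text as well as at column names.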
Decedent information:
Assurance that disclosure and use is solely for research on the PHI of decedents
Documentation, when requested by the covered entity (CE), of the death of such individuals
Assurance that the PHI is necessary for research purposes

Public health disclosures:
Mandated reporting of contagious diseases
Disclosure regarding an FDA-regulated activity

Registries:
Government, academic and non-profit
Required by law, IRB waiver, authorization, limited data set
Development of a registry for research is “research”

HIPAA applies if the specimens/samples include identifying information.

Researchers requiring access to PHI must request the information from, and meet the requirements of, the covered entity
Reluctance by health care providers to participate in research
Barriers to subject recruitment
Increased responsibility for IRB

PHI cannot be disclosed to a third party for purposes of recruitment without IRB waiver or patient authorization
Recruitment is allowed for covered health care providers without authorization or waiver (i.e. physicians can recruit their own patients for research studies)

Privacy Rule includes a transition provision
Allows for reliance on consent or IRB waiver obtained prior to 04/14/03
May use or disclose PHI created before or after 04/14/03 based on then-valid consent
Can rely on existing consent for “future unspecified research”

Research with subject permission:
Privacy Rule – subject authorization to use/disclose PHI
AND
Common Rule – IRB approval of protocol and informed consent process

Research without subject permission:
Privacy Rule – IRB/Privacy Board waiver based on specified criteria, unless preparatory to research, de-identified information, or limited data set with data use agreement
AND
Common Rule – Waiver of consent or other appropriate finding (i.e. exemption)

Identification and date of action
Waiver criteria satisfied
Brief description of required PHI
Review and approval procedures
Signature of IRB/PB Chair

Know the rules and be prepared for varying interpretations by covered entities
Authorization vs. waiver
Preparing a confidentiality plan:
What information is required?
Who will have access to the data?
How long will access be needed?
Safeguards for protecting information
Alternatives to use of PHI?
Time to gain approval from an additional committee

Having appropriate expertise in privacy and confidentiality concerns.
Ensuring that consent forms contain appropriate authorization requirements, if applicable.
Understanding waiver criteria and documenting them appropriately.
Coordinating communications with the Privacy Board, if applicable.