HIPAA Privacy Rule - Bowling Green State University
HIPAA Privacy Rule
“Standards for Privacy of Individually Identifiable Health Information”
45 CFR 160 and 164*
*http://www.hhs.gov/ocr/combinedregtext.pdf (2.5 MB)
Privacy Rule
Establishes requirements relative to
the use and disclosure of protected
health information (PHI). This
includes uses in and disclosures for
research purposes.
“A covered entity may not use or disclose protected health information except as otherwise permitted or required” – 45 CFR 164.502
Covered entities must be in
compliance by April 14, 2003
DHHS Office of Civil Rights is
responsible for enforcement
Definitions
Covered entity
Health plan
Health care clearinghouse
Health care provider who transmits any health
information in electronic form in connection with
transactions covered by the rule:
Health care claims, Health care payment &
remittance advice, Coordination of benefits,
Referral certification & authorization, Health care
claim status, Enrollment/disenrollment in health
plan, Eligibility for health plan, Premium
payments, First injury reports, Health claim
attachments, Anything else the Secretary
prescribes via regulation
Definitions
Protected Health Information (PHI)
Individually identifiable health information that is
Transmitted by electronic media (e.g., internet,
intranet, tape, disc, compact disc)
Maintained in electronic medium (e.g., tape, disc,
compact disc)
Transmitted or maintained in any other form or
medium
Note – de-identified information is not PHI
Definitions
Individually Identifiable Health
Information
Created or received by a health care provider,
health plan, employer or health care clearinghouse and
Relates to past, present or future physical or
mental health condition of an individual;
provision of health care to an individual; or past,
present or future payment for provision of health
care of an individual and
Identifies the individual; or
For which there is a reasonable basis to believe
the information can be used to identify the
individual
Definitions
Health Information
Any information, whether oral or recorded
in any form or medium that
Is created or received by a health care
provider, health plan, public health authority,
employer, life insurer, school or university, or
health care clearinghouse and
Relates to the past, present, or future
physical or mental health or condition of an
individual; or the past, present or future
payment for the provision of health care to
the individual
Research
A systematic investigation, including
research development, testing and
evaluation, designed to develop or
contribute to generalizable knowledge.
Research Use
4 pathways for permission to use PHI
for research related purposes
With Authorization from Patient
Without Authorization from Patient
Waiver of Authorization by IRB or Privacy Board
Reviews Preparatory to Research
PHI of Decedents
Limited Data Set and Data Use Agreement
De-identified Data
Research Use – With Authorization
Authorization must have:
At least the following core elements:
Description of information to be used
Name of persons authorized to make the use or disclosure
Name of persons to whom the covered entity may make the use or disclosure
Description of each purpose of the use or disclosure
An expiration date or event
• “End of the research study” or “none” are acceptable for research purposes
Signature of the individual and date
Research Use – With Authorization
Authorization must include:
The following statements:
Individual’s right to revoke the authorization in writing, exceptions to the right to revoke, and a description of how the individual may revoke the authorization
Ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization
Potential for information disclosed pursuant to the authorization to be subject to redisclosure and no longer protected
Research Use – With Authorization
The authorization must be written
in plain language
The authorization must be
provided to the individual as a
signed copy for them to keep.
The authorization may be
combined with any other type of
written permission for the same
research study, such as a consent
to participate in research.
Research Use – W/out Authorization
Documented Waiver by IRB or Privacy Board,
including:
ID of IRB and approval date of the waiver
Statement that IRB has determined waiver
satisfies 3 criteria:
Use/disclosure involves no more than minimal
risk to the individual
Adequate plan exists to protect identifiers from
improper use or disclosure
Adequate plan exists to destroy identifiers at
earliest opportunity consistent with conduct of
research unless there is justification to retain
Research Use – W/out Authorization
Documented Waiver by IRB or Privacy
Board
Adequate written assurances that the PHI
will not be reused or disclosed to anyone
else or for other research
The research could not be practicably
carried out without the waiver
The research could not be practicably
carried out without access to the PHI
Brief description of the PHI for which the
use/access is necessary
Statement that the waiver has been
reviewed under normal or expedited review
procedures
Signature of IRB Chair or other member, as
designated by the Chair
Research Use – Reviews Preparatory
to Research
Requires representation (orally or
in writing) from researcher that:
The use/disclosure of PHI is solely for research protocol preparation and,
The researcher will not remove any PHI from the covered entity and,
The PHI for which access is sought is necessary for the research purpose.
PHI of Decedents
Requires representation (orally or in
writing) from researcher that:
The use/disclosure sought is solely for research on the PHI of decedents and,
The PHI for which access is sought is necessary for the research purpose and,
At the request of the covered entity, documentation of the death of the individuals about whom the information is sought.
Limited Dataset Use
Requires data use agreement
between covered entity and
researcher.
Covered entity may disclose a
limited data set to the researcher
Data set excludes specific direct
identifiers of the individual or of
relatives, employers, or
household members of the
individual
Limited Dataset Use
Data use agreement must:
Establish permitted uses of the data set
Limit who can use or receive the data
Require recipient to agree to:
Not use/disclose the information other than as permitted in agreement
Use appropriate safeguards to prevent use/disclosure other than as permitted in agreement
Report to covered entity any use/disclosure not provided for by agreement that recipient becomes aware of
Ensure that any agents to whom recipient provides the data set agree to the same restrictions and conditions
Not identify the information or contact the individual.
Limited Dataset Use
Data set must exclude variety of direct
identifiers of the individual, relatives,
employers or household members:
Names, addresses other than city, state & zip
code, telephone numbers, email addresses,
SSNs, medical record numbers, health plan
beneficiary numbers, account numbers,
certificate/license numbers, VINs, license
plate numbers, device identifiers and serial
numbers, web URLs, IP addresses, biometric
identifiers, full face photographic images
De-identified data - Requirements
Determination or documentation by a
person with “appropriate knowledge
of and experience with generally
accepted statistical and scientific
principles and methods for rendering
information not identifiable” that the
risk is “very small” that the
information could be used to identify
an individual
OR
De-identified data - Requirements
Removal of elements related to the
individual, relatives, employers or
household members:
Names, geographic subdivisions smaller than a
state except for first 3 zip code digits (if all zip
codes with those 1st 3 digits contain >20,000
people), all elements of dates (except year)
directly related to individual (birth, admission,
discharge, death), all ages over 89 and all
elements of dates (including year) indicative of
such age (can aggregate into single category
of age 90 and older) and
All those elements excluded from Limited Data
Sets, and
Any other unique identifying number,
characteristic or code, except as permitted for
re-identification by the covered entity
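As an added illustration (not part of the original slides), the following Python applies the two identifier lists above to one constructed record: limited_data_set() strips the direct identifiers the Limited Data Set slides enumerate, and safe_harbor() then applies the further removals the de-identification slides require (state-only geography, 3-digit ZIP with the 20,000-person test, year-only dates, and the 90-and-older age category). Field names, the ZIP population table and the sample record are all assumptions constructed for this example.

```python
from datetime import date

# Direct identifiers the Limited Data Set slides list (field names are constructed).
LDS_DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vin",
    "license_plate", "device_serial", "url", "ip_address", "biometric",
    "face_photo",
}
# Constructed population table for 3-digit ZIP prefixes; a real implementation
# would consult Census data, which this example does not embed.
ZIP3_POPULATION = {"434": 300000, "036": 15000}
INDIVIDUAL_DATES = ("birth_date", "admission_date", "discharge_date", "death_date")

def limited_data_set(record: dict) -> dict:
    """Drop the direct identifiers; city, state, ZIP and full dates may remain."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}

def safe_harbor(record: dict) -> dict:
    """Apply the further removals the de-identification slides require."""
    out = limited_data_set(record)
    # Geographic subdivisions smaller than a state: keep the state, and keep the
    # first 3 ZIP digits only when that prefix covers more than 20,000 people.
    out.pop("city", None)
    zip3 = str(out.pop("zip", ""))[:3]
    out["zip3"] = zip3 if ZIP3_POPULATION.get(zip3, 0) > 20000 else "000"
    # Dates directly related to the individual: reduce to the year.
    for field in INDIVIDUAL_DATES:
        if isinstance(out.get(field), date):
            out[field] = out[field].year
    # Ages over 89 collapse into one "90+" category, and the birth year goes
    # too, since it would still indicate such an age.
    if isinstance(out.get("age"), int) and out["age"] > 89:
        out["age"] = "90+"
        out.pop("birth_date", None)
    # "Any other unique identifying number, characteristic or code" cannot be
    # detected mechanically; the remaining fields must still be reviewed.
    return out

SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Example", "ssn": "000-00-0000", "city": "Bowling Green",
    "state": "OH", "zip": "43403", "birth_date": date(1911, 5, 1),
    "admission_date": date(2003, 4, 14), "age": 92, "diagnosis": "J18.9",
}

if __name__ == "__main__":
    print(limited_data_set(SAMPLE))
    print(safe_harbor(SAMPLE))
```

The statistical determination pathway (the first de-identification option) has no mechanical equivalent here; this code only implements the removal-based option.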