HIPAA Privacy Rule - Bowling Green State University


HIPAA Privacy Rule
“Standards for Privacy of Individually Identifiable Health Information”
45 CFR Parts 160 and 164*
*http://www.hhs.gov/ocr/combinedregtext.pdf (2.5 MB)
Privacy Rule

Establishes requirements relative to the use and disclosure of protected health information (PHI). This includes uses in and disclosures for research purposes.

“A covered entity may not use or disclose protected health information except as otherwise permitted or required” – 45 CFR 164.502

Covered entities must be in compliance by April 14, 2003 (small health plans had until April 14, 2004)
DHHS Office for Civil Rights (OCR) is responsible for enforcement
Definitions

Covered entity

- Health plan
- Health care clearinghouse
- Health care provider who transmits any health information in electronic form in connection with a transaction covered by the rule:
  • Health care claims or equivalent encounter information
  • Health care payment and remittance advice
  • Coordination of benefits
  • Referral certification and authorization
  • Health care claim status
  • Enrollment/disenrollment in a health plan
  • Eligibility for a health plan
  • Health plan premium payments
  • First report of injury
  • Health claims attachments
  • Anything else the Secretary prescribes via regulation
Definitions

Protected Health Information (PHI)

Individually identifiable health information that is
- Transmitted by electronic media (e.g., internet, intranet, tape, disc, compact disc)
- Maintained in electronic media (e.g., tape, disc, compact disc)
- Transmitted or maintained in any other form or medium (paper records and oral communication included)

Note – de-identified information is not PHI
Definitions

Individually Identifiable Health Information

Health information, including demographic information, that is
- Created or received by a health care provider, health plan, employer or health care clearinghouse, and
- Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and
- Either
  • Identifies the individual; or
  • Provides a reasonable basis to believe the information can be used to identify the individual
Definitions

Health Information

Any information, whether oral or recorded in any form or medium, that
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual
Research

A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.
Research Use

4 pathways for permission to use PHI for research related purposes

- With Authorization from the Patient
- Without Authorization from the Patient
  • Waiver of Authorization by an IRB or Privacy Board
  • Reviews Preparatory to Research
  • PHI of Decedents
- Limited Data Set with a Data Use Agreement
- De-identified Data
Research Use – With Authorization

Authorization must have at least the following core elements:
- Description of the information to be used or disclosed
- Name (or other specific identification) of the persons authorized to make the use or disclosure
- Name (or other specific identification) of the persons to whom the covered entity may make the use or disclosure
- Description of each purpose of the use or disclosure
- An expiration date or event
  • “End of the research study” or “none” are acceptable for research purposes
- Signature of the individual and date (if a personal representative signs, a description of the representative’s authority to act for the individual)
Research Use – With Authorization

Authorization must include the following statements:
- The individual’s right to revoke the authorization in writing, the exceptions to the right to revoke, and a description of how the individual may revoke the authorization
- The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization
- The potential for information disclosed pursuant to the authorization to be redisclosed by the recipient and no longer protected by the Privacy Rule
Research Use – With Authorization



- The authorization must be written in plain language
- The covered entity must provide the individual with a copy of the signed authorization
- The authorization may be combined with any other type of written permission for the same research study, such as a consent to participate in research
Research Use – W/out Authorization

Documented Waiver by IRB or Privacy Board, including:

- Identification of the IRB or Privacy Board and the date the waiver was approved
- Statement that the IRB or Privacy Board has determined that the waiver satisfies 3 criteria:
  • The use/disclosure involves no more than minimal risk to the privacy of individuals, based on at least:
    - An adequate plan to protect identifiers from improper use or disclosure
    - An adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining them or retention is required by law
    - Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which use or disclosure of PHI would be permitted by the Privacy Rule
  • The research could not practicably be carried out without the waiver
  • The research could not practicably be carried out without access to and use of the PHI
- Brief description of the PHI for which use/access is necessary
- Statement that the waiver has been reviewed under normal or expedited review procedures
- Signature of the IRB Chair (or other member, as designated by the Chair)

Research Use – Reviews Preparatory
to Research

Requires a representation (orally or in writing) from the researcher that:
- The use/disclosure of PHI is sought solely to prepare a research protocol or for similar purposes preparatory to research, and
- The researcher will not remove any PHI from the covered entity in the course of the review, and
- The PHI for which access is sought is necessary for the research purpose.
PHI of Decedents

Requires a representation (orally or in writing) from the researcher that:
- The use/disclosure sought is solely for research on the PHI of decedents, and
- The PHI for which access is sought is necessary for the research purpose, and
- At the request of the covered entity, documentation of the death of the individuals about whom the information is sought.
Limited Dataset Use



- Requires a data use agreement between the covered entity and the researcher.
- The covered entity may disclose a limited data set to the researcher for research, public health or health care operations purposes.
- The data set excludes specified direct identifiers of the individual and of relatives, employers, or household members of the individual. A limited data set is still PHI, so the Privacy Rule continues to apply to it.
Limited Dataset Use

Data use agreement must:
- Establish the permitted uses and disclosures of the data set
- Limit who can use or receive the data
- Require the recipient to agree to:
  • Not use or further disclose the information other than as permitted by the agreement or as otherwise required by law
  • Use appropriate safeguards to prevent use/disclosure other than as permitted by the agreement
  • Report to the covered entity any use/disclosure not provided for by the agreement that the recipient becomes aware of
  • Ensure that any agents (including subcontractors) to whom the recipient provides the data set agree to the same restrictions and conditions
  • Not identify the information or contact the individuals

Limited Dataset Use

Data set must exclude the following direct identifiers of the individual and of relatives, employers or household members:

Names; postal address information other than town or city, state and zip code; telephone numbers; fax numbers; email addresses; SSNs; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers, including finger and voice prints; full face photographic images and any comparable images
De-identified data - Requirements

Expert determination: a person with “appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not identifiable” determines that the risk is “very small” that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual, and documents the methods and results of the analysis that justify that determination
OR
De-identified data - Requirements

Safe harbor: removal of the following elements related to the individual, relatives, employers or household members, provided the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual:

- Names
- All geographic subdivisions smaller than a state (street address, city, county, precinct, zip code and equivalent geocodes), except the first 3 digits of a zip code if the geographic unit formed by combining all zip codes with those 3 initial digits contains more than 20,000 people; for units of 20,000 or fewer people the 3 digits are changed to 000
- All elements of dates (except year) directly related to the individual (birth, admission, discharge, death), and all ages over 89 and all elements of dates (including year) indicative of such an age (these may be aggregated into a single category of age 90 and older)
- All those elements excluded from Limited Data Sets (telephone and fax numbers, email addresses, SSNs, medical record and health plan beneficiary numbers, account, certificate and license numbers, vehicle and device identifiers and serial numbers, URLs, IP addresses, biometric identifiers, full face and comparable images), and
- Any other unique identifying number, characteristic or code, except a re-identification code assigned by the covered entity that is not derived from information about the individual and whose re-identification mechanism is not disclosed
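The Limited Data Set exclusions and the Safe Harbor removals above describe a field-level transformation that is easy to get subtly wrong: the zip rule is conditional on area population, an age over 89 pulls the birth year with it, and identifiers routinely hide in free-text fields that no column filter touches. The Python below is an added example written for this page; it is not code from the original slides, from BGSU, or from HHS. Field names, the sample record, the AS_OF date and the SMALL_ZIP3 table are constructed assumptions; the real set of 3-digit zip prefixes covering 20,000 or fewer people has to be derived from current Census data.

```python
"""Limited Data Set vs. Safe Harbor de-identification at the field level.

Added example; not from the original slides. Field names, SAMPLE, AS_OF and the
SMALL_ZIP3 table are constructed for illustration.
"""
import re
from datetime import date

# Direct identifiers that a Limited Data Set must exclude (45 CFR 164.514(e)(2))
# and that Safe Harbor removes (164.514(b)(2)). Keys are assumed field names.
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account", "license", "vin", "plate", "device_serial", "url", "ip",
    "biometric", "photo",
}
# Safe Harbor also drops geography below the state (keeping a 3-digit zip
# prefix) and reduces dates directly related to the individual to the year.
GEO_BELOW_STATE = {"city", "county"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Constructed placeholder: 3-digit prefixes whose combined population is
# 20,000 or fewer must be reported as "000". Derive the real set from Census data.
SMALL_ZIP3 = {"036", "059", "102"}
# Identifiers that leak through free text; a column filter never sees these.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

# Constructed sample record; AS_OF is the Privacy Rule compliance date.
SAMPLE = {
    "name": "Jane Q. Sample", "mrn": "MRN-0012345", "ssn": "123-45-6789",
    "email": "jane@example.com", "phone": "419-555-0100",
    "street": "123 Main St", "city": "Bowling Green", "state": "OH",
    "zip": "43403", "dob": date(1912, 3, 15),
    "admit_date": date(2002, 11, 2), "discharge_date": date(2002, 11, 9),
    "diagnosis": "I10",
    "notes": "Seen with spouse; call back at 419-555-0100 to confirm follow-up.",
}
AS_OF = date(2003, 4, 14)


def age_on(dob, as_of):
    """Whole years from dob to as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def zip3(zip_code):
    """3-digit prefix of a 5-digit or ZIP+4 code; '000' for small or bad codes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return "000"
    return "000" if digits[:3] in SMALL_ZIP3 else digits[:3]


def scan_free_text(text):
    """Names of the identifier patterns present in a free-text value."""
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(text or ""))


def _guard_notes(out, record):
    """Replace free text that carries identifiers with a review marker."""
    leaks = scan_free_text(record.get("notes"))
    if leaks:
        out["notes"] = "[REDACTED: review required; found %s]" % ", ".join(leaks)
    return out


def limited_data_set(record):
    """Drop direct identifiers only; dates, city, state and full zip remain."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    return _guard_notes(out, record)


def safe_harbor(record, as_of):
    """Apply the 164.514(b)(2) removal list; ages are computed as of `as_of`."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_BELOW_STATE:
            continue
        if key == "zip":
            out[key] = zip3(value)
        elif key in DATE_FIELDS:
            out[key] = value.year if value is not None else None
        else:
            out[key] = value
    dob = record.get("dob")
    if dob is not None:
        years = age_on(dob, as_of)
        if years > 89:
            # The birth year alone reveals an age over 89, so it goes too;
            # the rule permits the single category "90 or older" instead.
            out.pop("dob", None)
            out["age"] = "90+"
        else:
            out["age"] = years
    return _guard_notes(out, record)


if __name__ == "__main__":
    print("Limited Data Set:", limited_data_set(SAMPLE))
    print("Safe Harbor:     ", safe_harbor(SAMPLE, AS_OF))
```

safe_harbor() implements only the removal list. It does not establish the "no actual knowledge" condition and it is not a substitute for an expert determination; a record that trips scan_free_text() should go to a human reviewer rather than be released, and the same free-text check matters for a limited data set, since a telephone number in a note is still an excluded direct identifier.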