HIPAA Requirements for Patient Oriented Research
UPENN HIPAA Experts: Contacts
• Debbie Gilead, Chief Privacy Officer, UPHS, HIPAA: 215-615-0643, [email protected]
• Yvonne Higgins, Office of Regulatory Affairs: 215-898-0082, [email protected], www.upenn.edu/regulatoryaffairs
• Lauren Steinfeld, University Chief Privacy Officer: 215-573-3348
HIPAA Resources for Researchers
www.med.upenn.edu/ohr/hipaa
[email protected]
Background - HIPAA Privacy Rule
• HIPAA: Health Insurance Portability and Accountability Act outlines the
Privacy Regulations
• Purpose: to protect privacy of patient records provided to health
plans, doctors, hospitals and other health care providers
• Patients: provided with access to their records and more control over
how their Protected Health Information (PHI) is used and disclosed
• Research: Includes specific rules surrounding clinical research and
the collection and use of PHI for research purposes
• Owner: Developed by DHHS, enforced by OCR (Office of Civil Rights)
• Start date: April 14, 2003
University of Pennsylvania
Definitions
Individually Identifiable Health Information
• Information about the physical or mental health of an
individual
• Created or received by a covered entity
• Relates to individual’s health, health care or payment for
care - past, present or future
• Reasonable belief that the information can be used to
identify a particular individual
• Applies to defined standard transactions
Definitions
Protected Health Information (PHI)
• All individually identifiable health information transmitted
or maintained by a covered entity, regardless of form or
media
– Includes oral communications
– Excludes education records
– Excludes employment records
Definitions - Covered Entity
UPenn School of Medicine
Pennsylvania Hospital
HUP
Penn Center for Rehab
CPUP (Clinical Practices)
CCA (Clinical Care Associates)
Presbyterian Hospital
Others…
Graduate Hospital
Does not include CHOP or VA
Uses and Disclosures of PHI in Research
There are FOUR ways to use PHI in Research:
1) Authorization
2) IRB Waiver of Authorization
3) Limited Data Set
4) De-Identified Data
HIPAA Authorization
The authorization must cover:
• Health information collected as part of the study
• Who may use or disclose the information
• Who may receive the information
• Purpose of the use or disclosure
• Duration of authorization (i.e. note expiration date or the
fact that authorization does not expire)
• Right to revoke authorization
• Reference to the Notice of Privacy Practices
• Information disclosed outside the covered entity may not
be protected by HIPAA
Template can be downloaded from:
www.med.upenn.edu/ohrtrain/hipaa
HIPAA Authorization
Authorization approaches:
• Stand-alone authorization form
• Authorization incorporated into study informed consent form
Preferred approach: stand-alone form
• Current standard language not at 6th-8th grade level
• Regulations may change, with resultant change to standard
language (i.e. form can be changed without requiring IRB re-approval of ICF)
• IRBs are not required to approve authorization language
Stand-alone Template can be downloaded from:
www.med.upenn.edu/ohrtrain/hipaa
HIPAA Authorization
• Individual Authorization is a one-time individual permission
to use or disclose PHI for non-transaction and payment
activities (includes research).
• The Authorization language requirements are very detailed
and must be protocol specific.
• No accounting requirement for disclosures obtained with an
authorization.
IRB Waiver of Authorization
IRB must document review of the following waiver criteria:
– Use or disclosure involves no more than minimal risk
to the individuals;
– The research could not be practicably conducted
without the waiver, and;
– The research could not be practicably conducted
without access to the PHI.
IRB Waiver of Authorization
Accounting Requirements:
• Disclosures made via a waiver must be subject to an
accounting process
• Patients have the right to receive an account of
disclosures made of their protected health information
(PHI)
• PIs or research staff must record all applicable
disclosures of PHI as required
Accounting for Disclosures
• Date or range of dates of disclosure
• Name of entity to whom the information was disclosed
• The address of entity to whom PHI was disclosed
• Description of the PHI disclosed
• Statement explaining the purpose of the disclosure or a
copy of the written request for disclosure if available
IRB Waiver of Authorization
When Do You Need a Waiver?
• Epidemiological Research where it is impractical to get
authorization
• Research Chart Reviews (note Protocol Preparation Exception)
• Recruitment only if the subject’s contact information is being
disclosed outside of SOM/UPHS. But note the following:
– Any subject recruitment within the SOM/UPHS should follow the HIPAA
policy guidelines
– Also, “outside” SOM/UPHS includes the VA, CHOP, and other Schools of
the University (except Nursing researchers)
– If the PI has a dual appointment and one appointment is in the SOM, that
individual is “inside” the covered entity.
IRB Waiver of Authorization
When Don’t You Need a Waiver?
• Protocol Preparation (refer to HIPAA exceptions slide)
• Recruitment “inside” the SOM/UPHS covered entity
• Research Using an Authorization - but note:
– A waiver may be required in addition to the authorization if
PHI collected prior to authorization is disclosed outside of
UPHS/SOM.
• Research Using De-identified Data
IRB Waiver of Authorization
How do you apply for a Waiver?
• Complete the Request for Waiver of IRB Authorization
Form:
www.upenn.edu/regulatoryaffairs/human/forms.html
www.med.upenn.edu/ohrtrain/hipaa
• Submit a complete protocol & grant application if the
waiver is to be part of a funded proposal.
Limited Data Set
The limited data set is PHI without facial or direct identifiers
• Only applies to research, public health and health care
operations
• Research conducted as part of an IRB approved protocol
• Information may be used or disclosed without individual
authorization
• “Data Use Agreement” required for disclosure
Limited Data Set
Facial identifiers
• name
• street address
• telephone and fax numbers
• e-mail address
• social security number
• certificate/license numbers
• vehicle identifiers and serial numbers
• URLs and IP addresses
• full face photos and any other comparable images
• medical record numbers (prescription numbers), health
plan beneficiary numbers, and other account numbers
• device identifiers and serial numbers
• biometric identifiers, including finger and voice prints
When do I need a Data Use Agreement?
• When the following conditions are met:
– Disclosure of data in a "limited data set"
– Disclosure is for research purposes
– Individual authorization is not obtained
– As part of an IRB-approved protocol
• Who signs off on the Data Use Agreement?
The UPenn Office of Research Services handles this
agreement on behalf of the Trustees of the University
of Pennsylvania.
De-Identified Data
• UPHS/SOM may use or disclose de-identified
data for research purposes provided it's done
as part of an IRB approved protocol
• De-identified data is not covered by HIPAA
and may be disclosed for research purposes
• A code may be applied to the data that would
allow re-identification of data but only within
the covered entity
De-Identified Data
Individually identifiable health information from which
identifiers are removed for the individual, relatives,
employers, or household members:
1. Names
2. Street address, city, county, precinct, zip
code & equivalent geocodes
3. All elements of dates (except year) for
dates directly related to an individual and
all ages over 89
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan ID numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers,
including license plate numbers
13. Device identifiers/serial numbers
14. Web addresses (URLs)
15. Internet IP addresses
16. Biometric identifiers, incl. finger and voice
prints
17. Full face photographic images and any
comparable images
18. Any other unique identifying number,
characteristic, or code
HIPAA Exceptions
• Use of PHI for Case Finding / Research Preparation
• Use of Decedent Information in Research
Must ensure the following
• That the use or disclosure is sought solely to prepare a
research protocol
• Documentation of the death of the individual
• The PHI will not be removed from the covered entity
• The PHI used or accessed is necessary for the research
purposes
Special Rules
• Research commenced prior to 2003
– Obtain at time of annual continuing IRB review
• Research using databases, repositories and
banks
– To include initial info in a database, authorization is
required
– To utilize this data for research purposes the PI must
obtain a waiver of authorization from the IRB
– PI may review the info in the database without approval
if it is preparatory for research
Special Rule - Subject Recruitment
Required contact methods (in order of preference):
– By a physician or other Health Care Professional who has
taken care of a patient
– By the UPENN School of Medicine using a cover letter signed
by a Physician who has taken care of the patient, and using
text approved by the UPENN IRB
– By the researcher using a script or cover letter using text
approved by the UPENN IRB
Direct recruitment by a researcher who has not taken care of the
patient will require UPENN IRB approval and will only be
permitted when both of the other two alternatives are impractical