Transcript Slide 1

What is HIPAA ?

HIPAA with the DHPG

Research • Medical Records • Clinical Trials • Business Associate Agreement

February 2003 Michael Shoob, Elizabeth Bankert

What is HIPAA?

• The Health Insurance Portability and Accountability Act of 1996; and
• Three sets of regulations issued by the Department of Health and Human Services:
  – Privacy Regulations: compliance deadline April 14, 2003
  – Transaction Standards: compliance deadline October 16, 2002
  – Security Regulations: pending

http://www.hhs.gov/ocr/hipaa/privacy.html

This guidance explains and answers questions about key elements of the requirements of the HIPAA Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule). The Department of Health and Human Services (HHS) published the Privacy Rule on December 28, 2000, and adopted modifications of the Rule on August 14, 2002.

PHI = Protected Health Information


Any information, created or received by us in any form, that identifies an individual and is related to the past, present, or future:
1) Physical or mental health of the individual;
2) Provision of health care to the individual; or
3) Payment for health care provided to the individual.

The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.

It gives patients more control over their health information.

It sets boundaries on the use and release of health records.

It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.

It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights

For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.

It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.

It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.

It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.

It empowers individuals to control certain uses and disclosures of their health information.

"Overall, these national standards required under HIPAA will make it easier and less costly for the health care industry to process health claims and handle other transactions while assuring patients that their information will remain secure and confidential," Secretary Thompson said. "The security standards in particular will help safeguard confidential health information as the industry increasingly relies on computers for processing health care transactions."

William Braithwaite, MD, PhD, “Doctor HIPAA”, PricewaterhouseCoopers

Rule #1: DON’T SURPRISE THE PATIENT

Rule #2: Use minimal amount of PHI necessary to conduct research

DHPG

Dartmouth Hitchcock Privacy Group:
• Dartmouth Hitchcock Clinics
• Mary Hitchcock Memorial Hospital
• Dartmouth Medical School
• Dartmouth-Hitchcock Psychiatric Associates
• Cheshire Medical Center
• Mt. Ascutney Hospital
• Upper Connecticut Valley Hospital
• Weeks Medical Center
• West Central Behavioral Health
• Other Affiliated Institutions Using the Dartmouth-Hitchcock Name to Provide Health Care Services to Patients

HIPAA / DHPG Privacy Officer = Peter Johnson

Linda Messman, Director of Medical Records

Privacy Notice

http://intranet.hitchcock.org/is/hdr/pages/hipaa.html

Scott Farr / (work in progress)

Privacy Notice: covers Treatment, Payment and health care Operations (TPO). Research is not included!

Quality Assurance/ Peer Review

The process of reviewing, analyzing or evaluating patient and/or provider specific data which may indicate (the need for) changes in systems or procedures which would improve the quality of care.

Quality Assurance/ Peer Review Characteristics

• Confidential
• Learn from individual cases
• Involves patient and/or provider specific data
• Protected from legal discoverability
• Review often triggered by predetermined “thresholds”/criteria
• Must be conducted within QA/PR committee structure
• Knowledge generation typically for local, immediate application

Quality / Performance Improvement

• The process of reviewing, analyzing and evaluating aggregate data to understand patterns & trends
• Process triggers a cycle of:
  – Analyzing a process
  – Identifying potential changes
  – Testing changes
  – Evaluating impact of changes on measures of success

QI / PI Characteristics

• Not protected from legal discoverability
• Uses aggregate data, not patient identifiable information
• Evaluates patterns & trends
• Not usually triggered by specific event
• Pre-data collection, a commitment to a corrective/improvement action plan
• Knowledge generation typically for local, immediate application

Research:

a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.

What do researchers do when they want to access patient information for research purposes?

Obtain IRB approval !

How can researchers access patient information for research purposes?

HIPAA rules !

Six ways the IRB will allow researchers to access protected health information (PHI):
1. Obtain informed consent (authorization) from the patient
2. Waive the requirement for obtaining informed consent
3. The information is being collected only for preparatory work to research
4. Only a Limited Data Set is collected, accompanied by a Data Use Agreement
5. Only decedent data is being collected
6. Information requested is “de-identified”

6. De-identification Requirements (Two Methods)

HIPAA Safe Harbor, 45 CFR 164.514(b)(2)(i) – remove all of the following identifiers of the individual and of relatives, employers and household members:
• Names
• Geographic subdivisions smaller than a state
• Zip codes (the regulation permits retaining the first three digits when that three-digit area contains more than 20,000 people)
• Dates (birth, admission, discharge, death; the year alone may be retained)
• Age, if over 89 (aggregated into “90 or older”)
• Telephone numbers
• Fax numbers
• E-mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate and license numbers
• Vehicle identification and serial numbers
• License plate numbers
• Device identifiers and serial numbers
• URLs
• Internet Protocol address numbers
• Biometric identifiers (finger and voice prints)
• Full face photos and comparable images
• Any other unique identifiers

Statistical method, 45 CFR 164.514(b)(1):
• A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable;
• Determines that the risk of re-identification of the data, alone or in combination with other reasonably available data, is very small; and
• Documents the methods and results.

5. Decedent Information Privacy Board or IRB

4. Limited Data Set

Not Allowed:
• Names
• Postal info (OTHER than town, city, state, and zip code)
• Telephone and Fax Number
• e-Mail Addresses
• Social Security Number
• Medical Record Number
• Health Plan Beneficiary Number
• Account Number
• Certificate / License Number
• Vehicle ID (license plate) and Serial
• Device ID and Serial Number
• URLs and IP Addresses
• Biometric ID (finger, voice prints)
• Full Face Photos and Comparable Images

Data Use Agreement: Used with Limited Data Set. Researcher must agree:
a. to use the limited data set or PHI only for the specified purpose as described;
b. to limit who can use or receive the data to the research team directly involved in this project;
c. not to re-identify the data or contact the individuals to whom the data belongs.
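The Safe Harbor list and the Limited Data Set rules above differ in what they keep, and a researcher handed an extract often has no way to tell which one was applied. The following is an added example, not part of the original slides or any Dartmouth-Hitchcock system, that produces both outputs from one record and then checks the result for leftovers. The field names, the sample record, and the free-text patterns are constructed for illustration; the list of sparsely populated three-digit ZIP prefixes is the one HHS published from the 2000 Census and should be re-checked against current guidance; the three-digit ZIP and year-only date handling follow the regulation text rather than the abbreviated slide list.

```python
"""Safe Harbor vs. Limited Data Set de-identification over one constructed record."""
import re

# Direct identifiers removed under BOTH methods (slide list; field names assumed).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vin", "license_plate",
    "device_serial", "url", "ip_address", "biometric", "photo",
})
# Geography below state level also goes under Safe Harbor; a Limited Data Set
# may keep town/city, state and ZIP.
SAFE_HARBOR_EXTRA = frozenset({"city"})
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# Three-digit ZIP prefixes covering <= 20,000 people (HHS guidance, 2000 Census);
# Safe Harbor requires these to become 000. Assumed current; verify before use.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifiers that leak into narrative text. Order matters: SSN before phone.
FREE_TEXT_PATTERNS = (
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
)
FULL_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")  # ISO date -> year only


def scrub_free_text(text, strip_dates):
    """Replace direct identifiers in narrative text; optionally reduce dates to year."""
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    if strip_dates:
        text = FULL_DATE.sub(r"\1", text)
    return text


def safe_harbor_zip(zip_code):
    """Keep only the first three digits, or 000 for sparsely populated prefixes."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def limited_data_set(record):
    """Drop direct identifiers; keep dates, age and city/state/ZIP. Needs a signed DUA."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "notes" in out:
        out["notes"] = scrub_free_text(out["notes"], strip_dates=False)
    return out


def safe_harbor(record):
    """Remove or generalize every identifier category so the result is no longer PHI."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in SAFE_HARBOR_EXTRA}
    if "zip" in out:
        out["zip"] = safe_harbor_zip(out["zip"])
    for field in DATE_FIELDS:
        if field in out:
            out[field] = str(out[field])[:4]      # all date elements except year
    if isinstance(out.get("age"), int) and out["age"] > 89:
        out["age"] = "90 or older"               # ages over 89 are aggregated
    if "notes" in out:
        out["notes"] = scrub_free_text(out["notes"], strip_dates=True)
    return out


def residual_identifiers(record):
    """Post-check: report identifier fields or identifier-shaped strings still present."""
    hits = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            hits.append((key, "direct identifier field still present"))
        elif isinstance(value, str):
            for pattern, label in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    hits.append((key, label))
    return hits


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Q. Sample", "street_address": "12 Example Lane",
    "city": "Hanover", "state": "NH", "zip": "03755",
    "birth_date": "1911-05-02", "admission_date": "2003-02-10", "age": 91,
    "ssn": "123-45-6789", "mrn": "MRN-000123", "email": "jane@example.org",
    "diagnosis": "E11.9",
    "notes": "Pt called from 603-555-0100 on 2003-02-09; reach at jane@example.org.",
}

if __name__ == "__main__":
    print("Limited Data Set:", limited_data_set(SAMPLE_RECORD))
    print("Safe Harbor:", safe_harbor(SAMPLE_RECORD))
    print("Leftovers:", residual_identifiers(safe_harbor(SAMPLE_RECORD)))
```

The post-check matters more than the field filter: structured columns are easy to drop, but the "any other unique identifier" category and the free-text notes are where re-identification risk actually survives, and neither method here claims to catch an unusual identifier a pattern does not cover. A Limited Data Set output is still PHI and leaves the covered entity only under the Data Use Agreement terms listed above.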

3. Preparatory to Research

Notice from the researcher that:
1. The use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research;
2. No PHI will be removed from the covered entity; and
3. The PHI for which access is sought is necessary for the research purpose.
This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study.

2. IRB Waiver of IC – requirements:
A. Use or disclosure involves no more than minimal risk to individuals;
B. Alteration or waiver will not adversely affect privacy rights and welfare of individuals;
C. Research could not practicably be conducted without the alteration or waiver;
D. Research could not practicably be conducted without access to and use of PHI;
E. Adequate plan to protect identifiers from improper use and disclosure;
F. Adequate plan to destroy identifiers at the earliest opportunity, unless there is a health or research justification or legal requirement to retain them; and
G. Adequate written assurances that PHI will not be reused or disclosed for other purposes.

1. Obtain Consent (authorization) from the Patient – required elements:
1. Description of Health Information to be gathered
2. Identification of Person authorized to disclose
3. Identification of Recipient
4. Description of Purpose(s)
5. Expiration date – "end of research study," "none," or similar language is sufficient if the disclosure is for research, including for the creation and maintenance of a research database or research repository
6. Statement of Right to Revoke
7. (In)Ability to Condition Treatment on the Authorization statement
8. Statement Regarding Re-disclosure
9. Remuneration for Marketing Activity (if applicable)
10. Dated Patient Signature
11. If signed by Personal Representative, a description of that person's authority

Consent Forms for Clinical Trials:

Please remember each study is unique, thus the correct language for the consent form is dependent on the language in the protocol and/or contract. You will begin to see HIPAA language in sponsor provided consent form templates.

In the Consent Form under the section entitled:

Other Important Items You Should Know: Add a sub - section entitled:

Data Collection

Under the same section expand the current sub-section entitled:

Confidentiality

1. Data Collection: Add a general sentence about the data to be collected. And add the following sentences as applicable for the particular study:

The data collected in this study includes: ... The data collected in this study will be used for the purpose described in this form. Patient identifiable data will not be released beyond that required for the purposes of conducting this research study. By signing this form, you are allowing the research team access to your medical records. The research team includes the researchers listed in this consent form and other personnel involved in this study at DHMC and other entities as described in the "Confidentiality" section of this consent form. If you choose to withdraw from the study, you may revoke your approval for the use of your future medical information. To do this, you may contact the researcher in writing. Data which has already been collected will be maintained with the research records.

Explain how long data will be maintained: Examples:

Data gathered from this study will be maintained for as long as the sponsor needs to obtain approval from the FDA.

Data gathered from this study will be maintained indefinitely or as required by federal or state regulations.

If there are limits to the patient access to research records describe here: Example:

During the course of this study participants may not have access to research records. If you choose, you may request this information after the research is completed.

2. Identification of Person authorized to disclose

The research team includes the researchers listed in this consent form and other personnel involved in this study at DHMC and other entities as described in the "Confidentiality" section of this consent form

3. Identification of Recipient

Describe as applicable who may have access to research data - this can be added to Confidentiality section: Example:

Research data may be shared, as required by law, with Dartmouth Hitchcock Medical Center authorities and ......

Examples:

Federal agencies such as the Food and Drug Administration, add as appropriate: National Co-operative Study Group, Multi center sites , Insurance Company.

If the research is sponsored or if the data is being sent anywhere outside of DHMC describe in some detail:

The sponsor of the study, xxx, and any corresponding entities involved in the monitoring of this study (name of CRO if applicable) or Data and Safety Monitoring Committee if applicable, will also have access to this research data. These organizations do not have a regulatory obligation to protect the data. (however if the data being released is not patient identifiable or the sponsor agrees not to redisclose patient identifiable information, a statement to that effect should be included here).

4. Description of Purpose(s)

Most consent forms describe the purpose of the research in the opening paragraphs. If not, please add.

5. Expiration date - "end of research study," "none," or similar language is sufficient if the disclosure is for research, including for the creation and maintenance of a research database or research repository

Data gathered from this study will be maintained for as long as the sponsor needs to obtain approval from the FDA.

Data gathered from this study will be maintained indefinitely or as required by federal or state regulations.

6. Statement of Right to Revoke

If you choose to withdraw from the study, you may revoke your approval for the use of your future medical information. To do this, you may contact the researcher in writing. Data which has already been collected will be maintained with the research records.

7. (In)Ability to Condition Treatment on the Authorization statement. If not already in the consent form, add in the "Other Important Items" section:

Your decision whether or not to participate in this study, or a decision to withdraw, will not involve any penalty or loss of benefits to which you are entitled.

8. Statement Regarding Re-disclosure

The wording in the contract with the sponsor will determine this statement in the consent form. If a sponsor will not re-disclose patient identifiable information, include that information or :

These organizations do not have a regulatory obligation to protect the data. (however if the data being released is not patient identifiable or the sponsor agrees not to redisclose patient identifiable information, a statement to that effect should be included here).

9. Remuneration for Marketing Activity (if applicable) The sponsor usually provides wording for this activity, which is usually something to the effect :

"You will not receive any compensation if the results of this research are used towards the development of a commercially available product."

10. Dated Patient Signature This is already required in the signature section. Please also add this sentence if it is not in the current consent form:

I have been given a copy of this consent document for my own records.

11. If signed by Personal Representative, a description of that person's authority

This is already required in the signature section.

PLEASE NOTE: The signed consent form must be maintained for at least 6 years after it is signed. This can be satisfied by placing the consent form in the medical record or by keeping it in the study's research files.

The CIS team recently released a feature to create an electronic consent form and protocol summary.

Patients enrolled into a research study prior to April 14, 2003 do not have to sign another consent form. New patients enrolled into a clinical trial on or after April 14, 2003 will need to sign an IRB approved HIPAA compliant consent form OR the currently IRB approved consent form PLUS an IRB approved 'add on‘ form describing HIPAA information.

To be considered: 1. Departmentally maintained databases 2. Registries 3. Disclosures / Tracking

Committee for the Protection of Human Subjects

http://www.dartmouth.edu/~cphs/

a. NEW FORM: Research with PHI
b. HIPAA Compliant Consent Form Template
c. HIPAA PowerPoint
d. Additional HIPAA presentation/consent review dates

Additional HIPAA forum dates:

Review Consent Forms:
  2/18   Café B   9-10 am
  2/21   Café B   9-10 am
  3/5    Café B   9-10 am
  3/10   Café C   9-10:30 am
  3/17   Café B   2-3 pm
  3/26   Café A   12-1:30 pm

HIPAA Education Dates:
  3/4    Aud E    2:00 to 3:00 pm
  2/18   L2B      8:00 to 10:30 am
  3/26   L2B      10:30 to 1:00 pm

HIPAA applies to Covered Entities (CEs) only:
- Health Care Providers
- Health Care Plans
- Health Care Clearinghouses

Business Associates of HIPAA Covered Entities

Business Associates of HIPAA Covered Entity:

• A person or entity (not a member of the Covered Entity's workforce or plan) that provides services for a Covered Entity that involve the use of protected health information (PHI)

Business Associates could include:

• Pharmaceutical / Biotech Companies
• Data Entry Service Vendors
• Other covered entities

Business Associate Agreement

Does not pass through the same privacy requirements of the Covered Entity to the business associate. It requires, in a written contract:
• Satisfactory assurance that PHI will be appropriately safeguarded and used only for the purposes of performing the associate's obligations
• Assurance that agents of the business associate agree to the same restrictions
• Making PHI available as required by law
• Return or destruction of all PHI at conclusion of the contract

Business Associate Agreement

Requirements continued:
• Associate to advise Covered Entity when violations have occurred
• Take reasonable steps to cure a breach of privacy requirements
• Covered Entity may terminate agreement if breach of privacy is not cured

Chain-of-Trust Provisions

• Business Associate agrees to protect the integrity and confidentiality of PHI exchanged electronically

HIPAA

Health Insurance Portability and Accountability Act