Research Coordinator Education Program (RCEP)


Research & Accounting for Disclosures

March 12, 2008

Leslie J. Pfeffer, BS, CHP

Office of the Vice President for Research Administration
Office of Compliance Services
Indiana University, Indianapolis

HIPAA

• HIPAA – Health Insurance Portability & Accountability Act of 1996 (P.L. 104-191).

• First comprehensive federal health privacy protection law.


Two Key Privacy Rule Goals

• Provide strong Federal protections for privacy rights
• Preserve quality healthcare

Why did the Government want the Privacy & Security Regulations?


Major Concepts

• Notice of the Use/Disclosure
– Notice of Privacy Practices
– Authorization
• Safeguarding PHI during its use and disclosure
– Researchers are entrusted with this sensitive information.
– Policies that address how PHI is accessed, stored and transferred so that unauthorized use or disclosure is prevented.

Creates Rights for Patients

• Right to inspect & copy protected health information
• Right to amend
• Right to have reasonable requests for confidential communications accommodated
• Right to file a complaint with the Office for Civil Rights or with the covered entity
• Right to written notice of information practices from providers and health plans
• Right to an accounting of disclosures

Accounting for Uses/Disclosures

• Upon a patient’s request, a covered entity must provide an accounting of all uses and disclosures of PHI without an authorization

Protected Health Information (PHI)

• PHI: Individually identifiable health information, created or received by a Covered Entity
• Relates to the:
– provision of health care to an individual;
– past, present, or future physical or mental health or condition of an individual; or
– payment for the provision of health care to an individual;
• Identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.

Access to PHI

A covered entity may use/disclose PHI to carry out essential health care functions (TPO)

– Treatment
– Payment
– Health Care Operations

Treatment

• Treatment means the provision, coordination or management of health care by one or more health care providers.
– Consultation between health care providers
– Patient referrals
• Important for
– Continuity of Care
– Quality of Care

Payment

• Payment means activities of:
– Health care providers to obtain payment or be reimbursed for their services
– Necessary to release information to Medicare/Medicaid and Commercial Insurance Plans to be reimbursed for services provided

Health Care Operations

Administrative, financial, legal and quality improvement activities necessary to run business and to support core functions of treatment and payment
• Fraud and abuse detection
• Conducting or arranging for medical review, legal services, auditing or monitoring
• Business management and general administrative activities
• Quality assessment and improvement activities
• Training, accreditation, certification, credentialing, licensing, reviewing, competence, evaluating performance

Access to PHI for Research

Research ≠ TPO

• To use PHI for research purposes, must:
– Obtain an Authorization, or
– Obtain a Waiver of Authorization approved by the Privacy Board (IU’s IRBs), or
– Meet one of the exceptions

Access to PHI for Research

• Must comply with the Minimum Necessary Rule
– must take reasonable steps to limit the use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose.
– what PHI is reasonably necessary is determined on a case by case basis by the covered entity

Exceptions to obtaining an Authorization or Waiver of Authorization

• Reviews preparatory to research
• Research solely on decedents’ information
• Limited Data Set
• De-identified Data

Reviews Preparatory to Research

Covered entity must obtain representation from the researcher that:
• The use or disclosure of PHI is sought solely to prepare a protocol or for a similar preparatory purpose.
• PHI will not be removed from the covered entity.
AND
• PHI is necessary for research purposes
• Even though an authorization is not required, this access requires an Accounting of Disclosure

Research Solely on Decedents’ Information

Researcher must represent that:
• Use or disclosure solely for research on decedents' information.
• PHI is necessary for research, and
• Individual is a decedent, and provide documentation upon covered entity's request.
• Even though an authorization is not required, this access requires an Accounting of Disclosure

Limited Data Sets

• Limited types of identifiers can be released for research purposes (a Limited Data Set).
• Limited Data Sets can only be used and released in accordance with a Data Use Agreement between the covered entity and the recipient.
• The Limited Data Set can contain:
– Elements of Dates.
– City, town, state, and ZIP.
– Other unique identifiers, characteristics and codes not previously listed as direct identifiers (next slide).

A Limited Data Set excludes the following direct or facial identifiers

• Names
• Postal address info (if other than city, town, state, and ZIP)
• Telephone and fax #s
• E-mail address
• Social Security #
• Medical record numbers
• Health plan #s
• Account #s
• Certificate/license #s
• VIN and Serial #s, license plate #s
• Device identifiers, serial #s
• Web URLs
• IP address #s
• Biometric identifiers (finger prints)
• Full face photographic images and any comparable images

Data Use Agreement

• Describe permitted uses and disclosures (recipient cannot use or disclose PHI in a way that the covered entity cannot)
• Identify who can use and receive the Limited Data Set
• Does not require an Accounting of Disclosure

More . . .

PHI has been de-identified

• 18 identifiers removed from data and no knowledge that remaining information can (alone or in combination with other information) identify the individual.

OR

• Statistically "de-identified" information. A qualified statistician determines that there is a "very small" risk that the information could be used, alone or in combination with other reasonably available information, to identify the individual and documents the methods and results of the analysis.
• Does not require an Accounting of Disclosure

Identifiers

• Names.
• All geographic subdivisions smaller than a state, street address, city, county, precinct, ZIP Code etc.
• All elements of dates (except year)
• Telephone numbers.
• Facsimile numbers.
• Electronic mail addresses.
• Social security numbers.
• Medical record numbers.
• Health plan beneficiary numbers.
• Account numbers.
• Certificate/license numbers.
• Vehicle identifiers and serial numbers, including license plate numbers.
• Device identifiers and serial numbers.
• Web universal resource locators (URLs).
• Internet protocol (IP) address numbers.
• Biometric identifiers, including fingerprints and voiceprints.
• Full-face photographic images and any comparable images.
• Any other unique identifying number, characteristic, or code.

Six Mechanisms Use of De Identified Data (Section 5.5) Minimum Necessary Standard 4.9

Does Not Apply

Research Using Limited Data Set (Section 5.6) Authorization (Section 5.7) Waiver of Authorization (Section 5.8) Research Involving Decedent Information (Section 5.9) Review Preparatory to Research (Section 5.10)

Applies Does Not Apply Applies Applies Applies No

Accounting for Disclosures (Section 5.16) HIPAA Documentation Requirements IRB Requirements

No No (Note: Accounting for disclosure is required for psychotherapy notes G20 ) Yes, but simplified if 50 or more records will be utilized Yes, but simplified if 50 or more records will be utilized Researcher documents that all 19 identifiers are removed under Safe Harbor Method (see section 5.5.2), or demonstrate how the data is statistically de-identified. Researcher documents in Exempt Checklist. Data Use Agreement 4.5

between researcher and data source required.

Patient-Subject Authorization Requirements as listed in 5.8

Researcher documents in description of study.

IRB approval required for the process of de identification; in nearly all cases this will be an exempt application.

IRB approval required; in nearly all cases this will be an exempt application.

IRB approval required.

Use of template authorization recommended.

IRB approval required; may use this mode for recruitment purposes in addition to authorization and informed consent for the actual study procedures.

IRB approval required (exempt application).

Yes, but simplified if 50 or more records will be utilized Researcher documents to covered entity supplying information.

No IRB approval necessary.

Other Uses and Disclosures of PHI w/o Authorization

• This includes the following:
– Disclosures required by law
– Disclosures to public health authorities
  • Authorized by law to collect or receive such information for public health activities
– Disclosures for adverse event reporting to certain persons subject to the jurisdiction of the FDA

All the above require Accounting of Disclosure

HIPAA & Recruitment

Recruitment is considered research. Therefore, the special provisions for research apply to recruitment.

Accounting for Uses & Disclosures

Information required to be provided in each patient’s record for an accounting:
– The date of the disclosure
– The name of the entity or person who received the PHI and, if known, the address of such entity or person
– A brief description of the PHI disclosed
– A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure

Accounting for Uses & Disclosures

If for research purposes 50 or more records are reviewed:
– the name of the protocol or other research activity;
– a plain language description of the protocol or other research activity, including the research purpose and the criteria for selecting the records;
– brief description of the type of PHI disclosed;
– date or time period during which the disclosures occurred or may have occurred, including at least the last date;
– name, address and phone number of the entity that sponsored the research and the PI to which the information was disclosed; and
– a statement that the PHI may or may not have been disclosed for the particular protocol or other research activity.

Accounting for Uses & Disclosures

• Documentation of a Use or Disclosure must be placed in the patient’s “official record”
– If the record is housed by Clarian, must be documented in the Clarian record

More Information

• Clarian Contact, Accounting for Disclosures: Roxanne Binford, Compliance Services & HIPAA
– Send Accountings to: WH 322A
– Scan & email: [email protected]
– or fax: 962-0304

More Information

• R&S website: http://www.iupui.edu/~resgrad/hipaa/hipaa_menu.htm

http://www.iupui.edu/%7Eresgrad/human-sop/human-sop-menu.htm

Subject Confidentiality & Privacy Policy HIPAA Information FAQ’s SOP’s Summary Safeguard Statement Recruitment Checklist