HIPAA & RESEARCH - University of Vermont


HIPAA and Research and YOU
INTRODUCTION

Rule #1, Rule #2, Rule #3: Don’t Panic

Bottom Line for Researchers: HIPAA is manageable through education/awareness and good planning, and will become routine over time.
- The biggest impact of HIPAA is that it requires researchers to plan the data privacy and data sharing aspects of their studies more carefully, specifically by identifying in advance all persons and entities who will need access and getting the patient’s authorization (or IRB waiver) allowing that access.
- Most other changes due to HIPAA will be “standardized” ones – e.g. “boilerplate” consent language, “standard” IRB findings for waivers, and standardized written “representations” or “data use agreements” signed by researchers in certain situations.
- Changes will most affect
  (a) “data access/use/disclosure planning”
  (b) researcher/departmental databases and registries
  (c) how you maintain/secure/treat your research records
  (d) studies starting pre 4/03 and continuing after 4/03

But Beware – HIPAA’s Bite: the civil and criminal penalties under HIPAA are significant.
HIPAA OVERVIEW
THE VERY, VERY BASICS

• 1996 Federal Law
• Department of Health and Human Services (DHHS) Regulations
• 4 Rules – Privacy, Security, Transaction and E-Signatures
• Immediate Concern – Privacy Rule
• Effective Date of Privacy Rule: April 13, 2003
• Essential Purposes/Goals of the HIPAA Privacy Rule: broadly, to specify how providers (who bill insurers electronically), health plans and medical billing intermediaries (clearinghouses), a/k/a “Covered Entities”, must treat/handle (use/disclose) an individual’s protected health information (“phi”)
• To specify when, for what purposes and under what conditions/circumstances phi can be used by the Covered Entity or disclosed to a third party
• To specify what rights individuals have with respect to their own phi.
• To specify what administrative procedures and safeguards Covered Entities must implement to safeguard phi.
Q: Is a Researcher a Covered Entity that has to comply with HIPAA?
• Answer: Maybe
• The HIPAA Rule covers “providers” who bill insurers for their services electronically, and does not cover “researchers” per se.
• However, DHHS has said that if the researcher is engaged in a clinical study involving “standard of care” or “routine” treatment (e.g. MRI or liver function test) and the researcher bills insurers for the costs of that treatment, then the researcher is a covered provider that needs to comply with HIPAA.
• In other cases, researchers will not be “covered by HIPAA”.

Q: Are Researchers that are not Covered Entities still affected by HIPAA?
• Answer: Yes, if they need to receive and use phi held by a Covered Entity (e.g. FAHC)
• In those cases, HIPAA rules must be followed by the CE before disclosing the PHI to the researcher.
What are the implications of a researcher being “covered by HIPAA”?
• Research records must be accounted for, unauthorized disclosures must be tracked, and an accounting provided to the subject upon request
• “Minimum Necessary” and other rules must be followed with respect to access to research records and study-related phi.
Some Key Concepts to Keep in Mind
• HIPAA “Default Rule”: Unless the HIPAA Rule specifically permits otherwise, a Covered Entity (e.g. FAHC) can only use/disclose phi for any purpose if specifically authorized by the individual in writing.
• Some Key Exceptions: A Covered Entity can use/disclose PHI without individual authorizations:
  – for treatment, payment, health care operations
  – for certain public health, law enforcement or other specified “public response” reasons
  – for research with approval of an IRB (when authorization is not “practicable” and other conditions are met) or in other limited circumstances (described below).
Meaning of “Default Rule” for Researchers
• With very few exceptions, when a written authorization can “practicably” be obtained from research subjects, you have to get it.
• Always be sure to plan in advance by identifying all persons/entities needing access to PHI and, whenever possible, getting the patient’s authorization to allow that access.
• Remember, the patient needs to authorize both (1) the researcher getting and using the patient’s phi and (2) the researcher disclosing phi to third parties.
HIPAA RESEARCH RULES

Definition of “Research”
• Same in HIPAA & Common Rule
• “A systematic investigation including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge”
• Distinct from QA/QI activities (HIPAA permits these without patient authorization or IRB waiver)
When can PHI be used/disclosed for research purposes?
• With the individual’s signed, written authorization
• Upon waiver of authorization by IRB or PB
• For “reviews preparatory to research”
• For “research on decedents’ information”
• If provided in a “Limited Data Set” (16 identifiers removed) under a “Data Use Agreement”
• Whenever PHI is completely de-identified (30 identifiers removed)
What are some of the other key HIPAA rules re Research?
– Authorizations - Content Requirements
– IRB Waivers of Authorization - Process, Required IRB Findings and Documentation and Recordkeeping
– “Reviews Preparatory to Research” - When & How
– Research Involving “Decedents’ Information” - When & How
– Research Using “De-Identified Data” - When & How
– Research Using “Limited Data Sets” - When & How
– Registries & Databases - Creation & Use
HIPAA “Transition Rule”
- All pre-compliance date authorizations and IRB waivers, and resulting PHI, can continue to be utilized after 4/13/03 in both “treatment” and “records” studies that were approved before 4/13/03.
- For studies approved after 4/13/03, HIPAA rules must be followed.
- However, for treatment studies approved and commenced before 4/13/03, HIPAA-compliant authorizations must be obtained for all patients enrolled after 4/13/03.
WHAT DOES IT MEAN FOR ME AND MY STUDY?

• For “Treatment Studies”
  – Follow applicable HIPAA rules (and applicable IRB rules) for recruitment activities and “reviews preparatory to research”
  – Make sure the informed consent form contains HIPAA authorization language and that it authorizes all researchers and necessary research staff to access and use pre-existing phi and phi generated in the study, and that it authorizes disclosures of records to all third parties requiring access (e.g. study sponsor, IRB staff, study audit staff, etc).
  – Also make sure the authorization covers/permits access (as necessary) by persons within FAHC and/or UVM needing access (e.g. Cancer Study staff). This is because (a) under the “HIPAA Default Rule” a specific patient authorization is normally required, and (b) UVM and FAHC are separate legal entities.
• For “Records” or “Chart Review” Studies
  – An IRB waiver of authorization under HIPAA must be obtained in addition to the waiver of consent under the Common Rule
  – Exceptions:
    • Researcher receives only a “Limited Data Set” under a Data Use Agreement
    • Researcher receives only de-identified data
    • Researcher receives only “decedents’ data” upon filing required written representations
• For Patient Recruitment Activities
  – If the researcher is an “employee” of the Covered Entity holding the phi (FAHC), no IRB approval is needed to access medical records to identify patients and record contact information.
  – If the researcher is not an employee of the Covered Entity holding the phi (e.g. employees of UVM or other third party), the researcher must obtain a partial IRB waiver to access medical records to identify patients and record contact information.
  – In either case, IRB policy on “patient contact” (i.e. contact only through the treating physician) must still be followed.
• For Keepers of Registries & Databases
  - Registries and databases created with patient authorization continue to be fully permissible before and after 4/03.
  - Existing databases approved through an IRB waiver of consent are “grandfathered” – old data can continue to be maintained and accessed and new data added without further approval.
  - Existing databases never authorized by patients or approved by an IRB can continue to be maintained and accessed after 4/03, but an IRB waiver or patient authorization is needed to add new phi after 4/03.
  - In all cases, phi in a registry or database can only be later used/disclosed for research upon a new/second patient authorization or IRB waiver.
• For Pre-Approved Studies Continuing Past 4/13/03
  – For “IRB Waiver” studies (mostly “record studies”) no action is needed; the original waiver is deemed still valid
  – For “patient authorization studies” (mostly treatment studies), patients enrolling pre 4/03 need not be re-consented, but patients enrolled after 4/03 must sign a HIPAA-compliant consent.
• For staff maintaining research records
  – Research records are different from treatment records
  – You need to determine whether HIPAA rules apply to your research records
  – If the research also involves “standard treatment” (e.g. in most clinical trials) and insurance billing is involved, it is likely that some provisions of HIPAA will apply to the research records.
  – Otherwise, HIPAA will not apply to the research records
  – If HIPAA does apply to the research records, you will, at a minimum, have to
    - ensure the institution knows of the existence of the records and their location
    - account for all unauthorized disclosures
    - keep phi secure
    - be trained in HIPAA requirements
    - failure could lead to institutional or personal liability
THE END