HIPAA Overview - USC Office of Research
HIPAA – Privacy Rule and
Research
USCRF Research
Educational Series
March 19, 2003
HIPAA Overview
Health Insurance Portability and Accountability Act of 1996
Four Key Areas:
– Privacy Standards
– Electronic Transaction Standards
– Security Standards
– Unique Identifiers
Required Compliance – October 16, 2002 & April 14, 2003
HIPAA - Scope
Applies to
– Health plans
– Health care providers
– Health care clearinghouses
Covered Entity = an organization that transmits health information in electronic form in connection with a “HIPAA transaction” (financial and administrative activities related to health care)
HIPAA - Scope
USC = “Hybrid Entity”
Covered Components
Affiliated covered entities include PHA, Dorn
VA, USC Clinics
HIPAA - Scope
“Protected Health Information” (PHI): All individually identifiable health information transmitted or maintained by an organization covered by the HIPAA regulations (a “covered entity”), regardless of form
Privacy Rule
Limits the use and disclosure of PHI
Gives patients the right to access their
medical records and to know who accessed
their health information
Restricts most disclosures of PHI to the
minimum necessary
Privacy Rule (cont.)
Establishes criminal and civil penalties for
improper use or disclosure
Establishes new requirements for access to
records by researchers
Use and Disclosure of PHI
Authorization
– Plain language
– Description of information to be disclosed
– Purpose of disclosure
– Identification of person(s) authorized to use
– Expiration date or expiration event
– Right to revoke
– Statement regarding possible redisclosure
– Signature and date
Authorization vs. Consent
A privacy authorization says: “It’s OK for you to
look at my PHI and disclose it to a designated
third party.”
A consent form says: “I agree to participate in your research project and I understand the risks, benefits, etc.”
Both are needed for research
May be combined
Disclosure Without Authorization
Waiver by IRB or Privacy Board
Reviews preparatory to research
De-identified Information
Use or disclosure of a limited data set
Decedent information
Public health disclosures
Waiver of Authorization
Disclosure poses no more than minimal risk to the
privacy of individuals
– Plan to protect identifiers from improper disclosure
– Plan to destroy identifiers at earliest opportunity
– Written assurance that PHI will not be reused or
disclosed
Research could not practicably be done without the
waiver
Research could not practicably be done without access
to the PHI
Privacy risks are reasonable in relation to expected
benefits
Reviews Preparatory to Research
For preparatory work, the researcher must submit a request to the covered entity documenting that:
– Reviewing protected health information is necessary to prepare a research protocol;
– Information will not be removed or recorded by the researcher during the review;
– Information for which access is sought is necessary for research purposes.
De-identified Information
Identifiers to be removed:
Names
All geographic subdivisions smaller than a state
All dates (except year)
Telephone numbers
Fax numbers
Electronic mail addresses
Device identifiers and serial numbers
Web locators – URLs
Internet Protocol (IP) address numbers
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers, including license plate numbers
Biometric identifiers (finger and voice prints)
Full-face photographic images
Any other unique identifying number or code
Limited Data Set
Used or disclosed for research, public health, or health care operations purposes only
Requires the removal of fewer identifiers – “facial identifiers”
May include
– Dates related to admission, discharge, birth, death
– City, state, five-digit zip code
Data use agreement signed by recipient
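As an added illustration (not part of the USC slides), the following Python sketch applies the two removal rules just described to one constructed record: the de-identification list above (all geography below state, dates reduced to year, and the facial identifiers) and the limited data set, which keeps dates and city/state/five-digit zip but still drops facial identifiers. The field names, the allow-list of clinical fields and the sample values are assumptions made for the example; the slide's catch-all "any other unique identifying number or code" cannot be recognised by field name, so unknown fields are dropped by default. The real Safe Harbor standard also carries conditions the slide does not list (zip-code and age handling), and free-text fields need separate review.

```python
from datetime import date

# Constructed sample record with hypothetical field names and fake values.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "123 Example Ave",
    "city": "Columbia",
    "state": "SC",
    "zip": "29208",
    "dob": date(1961, 7, 4),
    "admit_date": date(2003, 3, 1),
    "discharge_date": date(2003, 3, 5),
    "phone": "803-555-0100",
    "email": "jane@example.invalid",
    "ssn": "000-00-0000",
    "mrn": "MRN-000123",
    "ip_address": "192.0.2.10",
    "diagnosis": "hypertension",
    "lab_glucose_mg_dl": 104,
    "study_arm": "B",
    "badge_code": "X7Q-44",  # an "other unique identifying code" behind an unremarkable name
}

# Field names carrying the slide's "facial identifiers" (names, phone/fax,
# e-mail, SSN, MRN, plan/account/licence numbers, device and vehicle ids,
# URLs, IP addresses, biometrics, photos). Removed in BOTH views.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vehicle_plate", "device_serial", "url",
    "ip_address", "biometric_id", "photo_ref",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
SUB_STATE_GEO = {"street", "city", "zip"}  # everything smaller than a state
LDS_GEO = {"city", "zip"}                   # limited data set may keep these (plus state)

# Allow-list (assumed) of clinical/study fields that carry no identifier.
# Anything not named here is dropped: the catch-all "any other unique
# identifying number or code" cannot be spotted by name, so unknown
# fields default to removal rather than pass-through.
ALLOWED_PAYLOAD = {"state", "diagnosis", "lab_glucose_mg_dl", "study_arm"}


def safe_harbor(record):
    """De-identified view: dates reduced to year, no geography below state."""
    out = {}
    for key, value in record.items():
        if key in DATE_FIELDS:
            if value is not None:
                out[key + "_year"] = value.year  # slide: all dates except year
        elif key in ALLOWED_PAYLOAD:
            out[key] = value
    return out


def limited_data_set(record):
    """Limited data set: dates and city/state/zip kept, facial identifiers removed."""
    return {k: v for k, v in record.items()
            if k in DATE_FIELDS or k in LDS_GEO or k in ALLOWED_PAYLOAD}


def residual_identifiers(view, limited=False):
    """Independent post-check on an output view; returns offending keys (empty if clean)."""
    banned = set(DIRECT_IDENTIFIERS)
    banned |= {"street"} if limited else (SUB_STATE_GEO | DATE_FIELDS)
    return sorted(k for k in view if k in banned)


if __name__ == "__main__":
    sh = safe_harbor(SAMPLE_RECORD)
    lds = limited_data_set(SAMPLE_RECORD)
    print("safe harbor:", sh, "residual:", residual_identifiers(sh))
    print("limited data set:", lds, "residual:", residual_identifiers(lds, limited=True))
    print("raw record residual:", residual_identifiers(SAMPLE_RECORD))
```

The allow-list is the design choice worth copying: a deny-list of known identifier fields lets an unlabelled code such as `badge_code` through, whereas an allow-list drops it until someone has justified keeping it, which is the same "minimum necessary" posture the Privacy Rule asks for. The separate `residual_identifiers` check exists so that the output, not the transformation, is what gets verified before data leaves the covered entity.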
Research on Decedents’ Information
Assurance that disclosure and use is solely for research on the PHI of decedents
Documentation, when requested by the covered entity (CE), of the death of such individuals
Assurance that the PHI is necessary for research
purposes
Public Health Disclosures
Mandated reporting of contagious diseases
Disclosure regarding an FDA regulated
activity
Registries
– Government, academic and non-profit
– Required by law, IRB waiver, authorization, limited data set
– Development of registry for research is “research”
Specimens and Tissue Samples
HIPAA applies if the specimens/samples
include identifying information.
Impact on Research
Researchers requiring access to PHI must
request the information from and meet the
requirements of the covered entity
Reluctance by health care providers to
participate in research
Barriers to subject recruitment
Increased responsibility for IRB
Recruitment of Subjects
PHI cannot be disclosed to a third party for
purposes of recruitment without IRB waiver
or patient authorization
Recruitment is allowed for covered health
care providers without authorization or
waiver (i.e. physicians can recruit their own
patients for research studies)
Transition – Prior Permission
Privacy Rule includes a transition provision
Allows for reliance on consent or IRB waiver
obtained prior to 04/14/03
May use or disclose PHI created before or
after 04/14/03 based on then valid consent
Can rely on existing consent for “future
unspecified research”
Privacy and the Common Rule
Research with subject permission:
1. Privacy Rule – subject authorization to use/disclose PHI
AND
2. Common Rule – IRB approval of protocol and informed consent process
Privacy and the Common Rule
Research without subject permission:
1. Privacy Rule – IRB/Privacy Board waiver based on specified criteria unless preparatory to research or de-identified information or limited data set with data use agreement
AND
2. Common Rule – Waiver of consent or other appropriate finding (i.e. exemption)
Waiver Approval - Documentation
Identification and date of action
Waiver criteria satisfied
Brief description of required PHI
Review and approval procedures
Signature of IRB/PB Chair
Researcher Responsibilities
Know the rules and be prepared for varying
interpretations by covered entities
Authorization vs. waiver
Preparing a confidentiality plan
– What information is required?
– Who will have access to the data?
– How long will access be needed?
– Safeguards for protecting information
– Alternatives to use of PHI?
Time to gain approval from an additional committee
IRB Responsibilities
Having appropriate expertise in privacy and
confidentiality concerns.
Ensuring that consent forms contain appropriate
authorization requirements if applicable.
Understand waiver criteria and document
appropriately.
Coordinate communications with Privacy Board, if
applicable.