Hipaa

  1. HIPAA For Research: Understanding how the Health Insurance Portability & Accountability Act of 1996 Affects Clinical Research
  2. HIPAA History
       • Health Insurance Portability & Accountability Act of 1996 (Kennedy-Kassebaum Act)
       • Effective April 14, 2001
       • Compliance Required by April 14, 2003 (October 2003)
  3. HIPAA – General Provisions
       • Standardization of electronic patient health, administrative and financial data;
       • Unique identifiers for individuals, employers, health plans, and health care providers;
       • Security standards protecting the confidentiality and integrity of health information.
  4. What Is PHI?
       • PHI is all individually identifiable health information, including demographic data and biological specimens, that is transmitted or maintained by a covered entity.
       • PHI can be in any form, including written, electronic, and verbal.
  5. Protected Health Information (PHI)
       • Is created or received by a health care provider, health plan, or health care clearinghouse
       • Relates to past, present, or future:
           • Provision of care to an individual
           • Physical or mental condition(s)
           • Payment for provision of health care to an individual
  6. De-identification of PHIs
       • Medical institutions can release de-identified health information without patient authorization.
       • The following 18 specific identifiers must be deleted:
  7. De-identification
       • Names
       • All geographic subdivisions smaller than a state.
       • All dates (except year)
       • Telephone numbers
       • Fax numbers
       • Electronic mail addresses
       • Social Security numbers
       • Medical record numbers
       • Health plan beneficiary numbers
       • Account numbers
       • Certificate/license numbers
       • Vehicle identifiers, including license plate numbers
  8. De-identification cont…
       • Device identifiers and serial numbers
       • URLs
       • Internet Protocol (IP) Addresses
       • Biometric identifiers, including finger and voice prints
       • Full face photographic images and any comparable images
       • Any other unique identifying number, characteristic, or code.
  9. Impact on WVSOM Human Subject Research
       • Access to PHI: Researcher must understand the permissible routes of access to PHI for research activity
       • AND
       • Restrictions on Use and Disclosure of PHIs: Researcher must implement necessary safeguards to protect the PHI
  10. The Privacy Rule permits a covered entity (WVSOM or Affiliated Hospitals) to use and disclose PHI for research
       • When an individual Authorization has been obtained from a research participant, OR
       • When a Waiver of Authorization has been obtained.
  11. There are other limited situations where PHI can be used/disclosed without an Authorization, e.g., use of PHI on decedents, use of PHI for Reviews Preparatory to Research, limited data sets, etc.
  12. Existing IRB-Approved Studies
       • The ‘Transition Provision’ in the Privacy Rule permits covered entities (USF) to continue to use and disclose PHI for research, if it has obtained prior to April 14, 2003,
           • An IRB approved consent form, or
           • An IRB approved waiver of consent, or
           • An express legal permission (e.g., a signed authorization)
  13. New Studies
       • To use/disclose PHI in research, the researcher must obtain
           1) An Authorization from the individual participant, OR
           2) A Waiver of Authorization for the study.
       • An Authorization is the HIPAA equivalent of consent to use and disclose data.
  14. AUTHORIZATIONS
       • Valid authorization must include the following elements:
       • A description that identifies the information in a specific and meaningful fashion;
       • The name of the person(s) authorized to make the requested use or disclosure
       • The name of the person(s) to whom the covered entity may make the requested use or disclosure
  15. Patient Authorization (Cont.)
       • An expiration date/event that relates to the purpose of the use or disclosure;
       • A statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization;
  16. Patient Authorization (Cont.)
       • A statement that information used may be subject to re-disclosure by the recipient and no longer be protected by this rule;
       • Signature of the individual and date;
       • If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual;
  17. Patient Authorization (Cont.)
       • The authorization must be written in plain language.
       • Can be combined with consent if research involves treatment, but not at WVSOM.
       • Research including existing records would require a separate authorization.
  18. Waiver
       • Disclosure involves no more than minimal risk to the individual
       • The waiver will not adversely affect the privacy rights of the individual
       • Research could not be conducted without the waiver
       • Research could not be conducted without access to protected health information
  19. Waiver (Cont.)
       • The privacy risks are reasonable in relation to the anticipated benefits to the individuals and the importance of the knowledge gained through research
       • There is a plan to protect patient identifiers from improper use and disclosure
       • There is a plan to destroy patient identifiers at the earliest opportunity
  20. Waiver (Cont.)
       • There are adequate written assurances that protected health information will not be reused or disclosed to others except as provided by the regulations and restricts most disclosures of information to the minimum intended purpose.
  21. Research Use/Disclosures That Do Not Require Authorizations or Waivers
       1. Review of PHI Preparatory to Research
       2. Use of PHI of Decedents for Research Purposes
  22. Special Rules Regarding Databases
       • Creating and maintaining databases containing PHI is considered research.
       • If you will use existing databases containing PHI for research after April 14, 2003, you must obtain Authorizations or Waivers.
       • If you will create or maintain databases for future analysis, you must comply with HIPAA in addition to obtaining IRB approval.
  23. Research Subject Recruitment
       • Recruitment for research is subject to the general authorization requirement unless the researcher has a direct treatment relationship with the patient.
       • Researchers could use the Waiver of Authorization mechanism to access PHI for recruiting prospective research subjects.
  24. Research Subject Recruitment cont…
       • A researcher who has a direct treatment relationship with the patient can engage in conversations related to recruitment without having to obtain Authorizations or Waivers.
  25. Revocation of Authorization
       • Research subjects can revoke their Authorization in writing at any time. This is subject to an exception known as the ‘Reliance Exception.’
       • A subject wishing to revoke the Authorization must be given a form for Revocation of Authorization
  26. Revocation of Authorization cont…
       • If the subject does not sign and return the form, then the researcher may continue to use the PHI and treat the Authorization as valid.
  27. Reliance Exception to Revocation
       • The Reliance Exception allows researchers to use and disclose a subject’s PHI that was obtained before the subject’s revocation in the following ways:
           • To account for a subject’s withdrawal from the study
           • To conduct investigations of scientific misconduct
           • To report adverse events
           • As necessary to incorporate the information of a marketing application to FDA
  28. Research Subject’s Rights
       • Accounting of the following research-related disclosures of PHI is required:
       • Disclosures as allowed by a Waiver of Authorization
       • Reviews preparatory to research
       • Research on PHI of decedents
       • Disclosures made as allowed by law
  29. Research Subject’s Rights cont…
       • The Following Disclosures are NOT required:
       • Disclosures made to the individual subject.
       • Disclosures authorized by the subject (i.e., the research subject has signed an Authorization for this use/disclosure of PHI).
       • De-identified data and limited data sets.
  30. Summary Yes No Decedents No No Record Review (No Identifiers) Yes Exempt No Record Review (Identifiers) Yes (2) Preexisting and Research Yes Clinical Research HIPAA IRB
  31. Sanctions for Non-Compliance
       • Significant penalties may be imposed against WVSOM, Affiliate Hospitals, and individual researchers.
       • Civil Penalties:
           • Based on patient complaints: $100 per violation with $25,000 maximum per year
  32. Sanctions for Non-Compliance (continued)
       • Criminal Penalties:
           • Knowingly wrongful disclosures: fines up to $50,000 and/or up to 1 year in prison
           • Under false pretenses: fines up to $100,000 and/or up to 5 years in prison
           • With intent to sell: fines up to $250,000 and/or up to 10 years in prison
  33. Summary: Researcher Responsibilities
       • Preparing an extensive confidentiality plan
           • Who will have access to the data?
           • How long will access be needed?
           • Will third party payers or other administrators need to have access?
       • Time to gain approval from an additional committee
       • Alternatives
  34. Summary: IRB Responsibilities
       • Have appropriate expertise in privacy and confidentiality concerns.
       • Ensure that consent forms contain appropriate authorization requirements if applicable.
  35. Summary: IRB Responsibilities
       • Understand waiver criteria and document appropriately.
       • Coordinate with Privacy Board, if applicable.
  36. HIPAA & IRB AT WVSOM
       • David Brown, Ph.D., Chair of the IRB, [email_address]
       • Brentz Thompson, HIPAA Compliance Officer, [email_address]
  37. You must demonstrate both IRB and HIPAA Compliance by Passing the Following Courses and Quizzes:
       • IRB: http://cme.nci.nih.gov/
       • HIPAA: http://www.wvu.edu/~rc/irb/hipwebct.htm
  38. QUESTIONS!? Prepared By: Jason S. Wrench, Ed. D., Medical Education Specialist, West Virginia School of Osteopathic Medicine
