3. WHAT IS HIPAA?
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The act, which was signed into law by President Bill Clinton on Aug. 21, 1996, contains five sections, or titles.
4. Additional rules to HIPAA:
• ACA (Affordable Care Act), signed into law by President Barack Obama on March 23, 2010. Its approach to regulation can be properly described as “new governance”. The ACA updated HIPAA with new, expanded requirements.
5. WHAT IS PHI?
Protected health information. PHI is all individually identifiable health information, including demographic data and biological specimens, that is transmitted or maintained by a covered entity. PHI can be in any form, including written, electronic and verbal.
6. WHAT INFORMATION IS CONSIDERED PHI?
• Name
• Street address, city, ZIP code
• Dates (DOB, DOD, admission and discharge dates)
• Phone number
• Medical record number
• Health plan number
• Social security number
• Account numbers
• Internet Protocol (IP) address
• Biometric identifiers, including finger and voice prints
7. Key Dates in HIPAA History
• August 1996 – HIPAA signed into law by President Bill Clinton
• April 2003 – Effective date of the HIPAA Privacy Rule
• April 2005 – Effective date of the HIPAA Security Rule
• March 2006 – Effective date of the HIPAA Breach Enforcement Rule
• September 2009 – Effective date of HITECH and the Breach Notification Rule
• March 2013 – Effective date of the Final Omnibus Rule
9. HIPAA was enacted in 1996 with two objectives.
The first part, the “Health Insurance Portability” part of the Act: to ensure that individuals would be able to maintain their health insurance between jobs.
The second part of the Act is the "Accountability" portion: to ensure the security and confidentiality of patient information/data, and to mandate uniform standards for electronic data transmission of administrative and financial data relating to patient health information.
10. Title I: health care access, portability and renewability
Title II: administrative simplification
Title III: tax-related health provisions
Title IV: application and enforcement of group health plan requirements
Title V: revenue offsets
11. CASE 1:
A Michigan-based health care system accidentally posted the medical records of thousands of subjects on the internet. (Reference: the Ann Arbor News, February 10, 1999)
12. CASE 2:
A Nevada woman who purchased a used computer discovered that the previous owner of the computer had left a database with the names, addresses, social security numbers and a list of all prescriptions received by the individuals. (Reference: New York Times, April 4, 1997)
13. New requirements for clinical trial studies: overview
Researchers who conduct interventional clinical research have questioned how the Privacy Rule will affect their research activities. Even before the Privacy Rule, of course, physician-investigators have been concerned about the privacy of the medical and research-related information of their patients and subjects.
14. In fact, many have been required under the Department of Health and Human Services (HHS) or the Food and Drug Administration (FDA) Protection of Human Subjects Regulations (45 CFR part 46 or 21 CFR parts 50 and 56, respectively) to take measures to protect such personal health information from inappropriate use or disclosure.
15. HIPAA Privacy Rule’s Impact on Clinical Research:
The Privacy Rule permits a covered entity to use or disclose PHI for research under the following circumstances and conditions:
• If the subject of the PHI has granted specific written permission through an Authorization that satisfies section 164.508.
• For reviews preparatory to research, with representations obtained from the researcher that satisfy section 164.512(i)(1)(ii) of the Privacy Rule.
• For research solely on decedents’ information, with certain representations and, if requested, documentation obtained from the researcher that satisfies section 164.512(i)(1)(iii) of the Privacy Rule.
16. • If the covered entity obtains documentation of an IRB or Privacy Board’s alteration of the Authorization requirement, as well as the altered Authorization from the individual.
• If the PHI has been de-identified in accordance with the standards set by the Privacy Rule at section 164.514(a)-(c) (in which case the health information is no longer PHI).
• Under a “grandfathered” informed consent of the individual to participate in the research, an IRB waiver of such informed consent,
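As an added example (not from the slides or the HHS material they draw on), a Python sketch of the Safe Harbor de-identification that the slide refers to at section 164.514, driven by the identifier list on slide 6: direct identifiers are dropped, dates, ZIP and age are generalised, and a second pass flags identifiers that survive in free text. Field names and the sample record are hypothetical, and the 000 rule for sparsely populated ZIP areas is left out.

```python
import re
from datetime import date
# Direct identifiers from the slide "What information is considered PHI";
# a record carrying any of these fields is PHI until they are removed.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "phone", "medical_record_no",
    "health_plan_no", "ssn", "account_no", "ip_address", "biometric",
}
# Quasi-identifiers Safe Harbor (164.514(b)) generalises; field names are hypothetical.
DATE_FIELDS = {"dob", "dod", "admission_date", "discharge_date"}
def deidentify(record: dict) -> dict:
    """Copy of `record` with direct identifiers dropped and dates, ZIP and age
    generalised; the 000 rule for sparsely populated ZIP areas is omitted."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # removed outright
        if field in DATE_FIELDS:
            out[field] = value.year       # year only
        elif field == "zip":
            out[field] = value[:3]        # first three digits only
        elif field == "age" and value > 89:
            out[field] = "90+"            # ages over 89 aggregated
        else:
            out[field] = value
    return out

def residual_identifiers(record: dict) -> set:
    """Identifier fields still present, plus any free-text value that looks
    like an SSN, phone number or IPv4 address (the slide's list includes IP)."""
    found = {f for f in record if f in DIRECT_IDENTIFIERS}
    patterns = {
        "ssn": r"\b\d{3}-\d{2}-\d{4}\b",
        "phone": r"\b\d{3}-\d{3}-\d{4}\b",
        "ip_address": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    }
    for value in record.values():
        if isinstance(value, str):
            found |= {k for k, p in patterns.items() if re.search(p, value)}
    return found

# Constructed sample record (no real patient); the free-text note re-leaks the
# phone number after the structured fields have been stripped.
SAMPLE = {
    "name": "Jane Example", "street_address": "1 Main St", "city": "Anytown",
    "zip": "48104", "dob": date(1940, 5, 17), "admission_date": date(2014, 12, 3),
    "phone": "555-123-4567", "medical_record_no": "MRN-000123", "age": 92,
    "diagnosis": "type 2 diabetes", "notes": "Callback at 555-123-4567 re labs",
}
```

Running `residual_identifiers(deidentify(SAMPLE))` still reports the phone number found in the notes field, which is why structured de-identification alone does not make a record non-PHI.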
17. Requirements:
1. Informed consent:
The HIPAA authorization can be included with the informed consent document or can be separate from the informed consent (see the PHI authorization page). It must contain a specific description of the information to be disclosed, including:
• Name of the person or class of persons that will receive the disclosed information, e.g. the principal investigator.
• Statement that information received by the users may be used in future.
• Expiration date or expiration event of the authorization to disclose the information.
• Statement containing a subject's right to revoke their authorization for disclosure.
18. • Statement documenting the ability to condition enrollment on informed consent.
• Statement documenting the possibility that the information may be re-disclosed by the recipient (e.g. to the FDA).
• Signature of the subject and date of the signing of the HIPAA agreement.
19. Institutional Review Boards
Where HIPAA requirements are combined with the informed consent requirements, the entire document needs to be reviewed by the Institutional Review Board (IRB).
The Office of Civil Rights as well as the FDA's General Counsel, as of April 7, 2003, had confirmed that IRB approval of subject authorization for use or disclosure of protected health information required by the HIPAA Privacy Rule is only required if the authorization language is to be part of the IRB-approved informed consent document for human subjects review.
20. Privacy Boards
In cases where IRBs are not responsible for reviewing the HIPAA Authorization, a Privacy Board may be formed to undertake this task. Members of privacy boards should have varying backgrounds and appropriate professional competence. At least one member must not be affiliated with the covered entity or research sponsor. As with the IRB, there must be no conflicts of interest, assessed on a case-by-case basis. A quorum consists of a majority of members.
Expedited review by the chairperson or designees is allowed for the waiver of authorization.
21. IRB or Privacy Board Waivers of Authorization
Three criteria must be met for the IRB or Privacy Board to waive authorization for research:
• The use or disclosure of protected health information involves no more than a minimal risk to the privacy of the individual.
• The research could not practicably be done without the waiver.
• The research could not practicably be conducted without access to and use of the protected health information (PHI).
22. • The research will not adversely affect privacy rights or welfare.
• The privacy risks are reasonable in relation to the anticipated benefits and the importance of the knowledge of the clinical results.
23. Waiver for a Research Database
A research database using protected health information may be created by a non-covered entity without individuals' authorizations. Documentation must be obtained from the IRB or the Privacy Board that the specified waiver criteria were satisfied.
Similarly, existing databases or repositories created prior to the April 14, 2003, compliance date can be disclosed for research either with individual authorizations or with a waiver from either the IRB or the Privacy Board. Approval from both the IRB and the Privacy Board is not required for the covered entity.
24. Study Recruitment
The covered entity's workforce can use protected health information to identify and contact prospective research subjects. The covered entity's health care provider can discuss enrollment in a clinical trial with a potential subject before authorization is completed or before there has been an Institutional Review Board or Privacy Board waiver of authorization. A clinician may use or disclose the PHI if such information is being used to treat the subject or to provide an experimental treatment that may benefit the subject.
25. However, at no time can the research health care provider remove the protected data from the covered entity's site, according to the HIPAA requirements.
If a researcher is not employed by the covered entity, the researcher can still have access to the protected information as a result of a partial waiver of individual authorization by an IRB or Privacy Board.
26. If a CRO wishes to use a physician's records to recruit patients, the study's principal investigator should seek a partial waiver of HIPAA authorization from the institutional review board. (The Privacy Rule waiver criteria are found at 45 C.F.R. §164.512(i)(1)(i).)
This waiver, if granted, will apply to the CRO's use of PHI in recruitment. Written HIPAA authorization and informed consent will still be required to enroll a patient in the actual clinical trial.
27. Although not a HIPAA requirement, physicians concerned about patients' privacy expectations should consider limiting recruitment to calls placed by the physician (or office staff), letters signed by the physician, and brochures in the waiting room instructing interested patients to contact the CRO conducting the study.
28. Over $36 million in resolution agreements and fines for a variety of issues
29. Sr no | Covered entity                 | Type of breach                     | Amount of fine | Date
1         | QCA Health Plan                | Unencrypted laptop                 | $25,000        | Dec 2014
2         | Columbia University            | Disclosure of ePHI on the internet | $15,000        | Jun 2014
3         | WellPoint                      | e-PHI published on public server   | $1,700,000     | July 2013
4         | Shasta Regional Medical Center | Disclosure to media outlet         | $275,000       | June 2013
5         | Hospice of North Idaho         | Laptop theft                       | $50,000        | Dec 2012
6         | BCBS Tennessee                 | Hard drive theft                   | $1,500,000     | March 2012
30. Breach
Impermissible acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI.
The act of breaking or failing to observe a law, agreement, or code of conduct.
32. Conclusion:
• HIPAA is the federal Health Insurance Portability and Accountability Act.
• It consists of a set of standards that provide prescriptive guidance for securing and protecting PHI.
• HIPAA provides standards for: general rules; administrative, physical, and technical safeguards; policies and procedures; documentation requirements.
33. References:
1. New Drug Approval Process, fourth edition: Accelerating Global Registration. Edited by Richard A. Guarino, M.D. Published by Marcel Dekker, Inc. Page no. 559.
2. Clinical Research and the HIPAA Privacy Rule. Department of Health and Human Services, USA. NIH Publication Number 04-5495, February 2004.
3. HIPAA Informed Consent / Authorization Form (http://www.fda.gov)
4. Privacy Regulation (http://www.hhs.gov/ocr/hipaa/)