Privacy and Confidentiality in Clinical Research
By Hemang Patel, Yogesh Patel, Jaimin Patel, Tejas Goswami
ICRI-Ahmedabad, MSc. CT & CR (2011-13)
Whatsoever things I see or hear, in my attendance on the sick or even apart therefrom, which on no account one must spread abroad, I will keep to myself holding such things as sacred secrets. - Hippocratic Oath, 4th Century, B.C.E.
Privacy: the desire of a person to control the disclosure of personal health information. The federal regulations (45 CFR 46.102) define 'private information' as "information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public."
Confidentiality has been defined as maintaining the security of information elicited from an individual in the privileged circumstances of a professional relationship.
The delicate balance between the need to know of employees, physicians and volunteers and the patient's right to privacy is at the heart of HIPAA Privacy.
Why confidentiality matters: it helps establish trust between the research participant and the researcher. It reduces worry on the part of the individual. It maintains the participant's dignity, so the participant feels respected. It gives the participant control and promotes autonomy.
Privacy applies to the person:
• The way potential participants are identified and contacted
• The setting in which potential participants will interact with the research team, and who is present during research procedures
• The methods used to collect information about participants
• The type of information being collected
• Access to the minimum amount of information necessary to conduct the research
Confidentiality applies to the data:
• An extension of privacy
• Pertains to identifiable data
• An agreement about maintenance of, and who has access to, identifiable data
• What procedures will be put in place to ensure that only authorized individuals will have access to the information
• Limitations (if any) to these confidentiality procedures
• In regards to HIPAA, protection of patients from inappropriate disclosures of Protected Health Information (PHI)
Title 45, Part 46 of the Code of Federal Regulations (45 CFR 46), also known as the Common Rule, covers research in which an investigator obtains data through intervention or interaction with the individual, or obtains identifiable private information. The Common Rule is clear that these data need to be protected. Protecting data is the key to protecting privacy.
The Food and Drug Administration (FDA) requires statements in the Informed Consent Form:
• that describe the extent to which confidentiality of records that can identify the participant in the research will be maintained, and
• that inform the participant that the FDA may inspect the research records.
Certificates of Confidentiality (CoCs), issued by the National Institutes of Health (NIH), allow the researcher to refuse to disclose identifying information on research participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level, unless the participant consents.
The U.S. federal government passed a law in 1996 that created national standards to protect patient medical records and other personal health information. This federal legislation is called the Health Insurance Portability and Accountability Act (HIPAA).
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law whose administrative simplification provisions:
• Protect the privacy of patient information
• Provide for electronic and physical security of patient health information
• Require "minimum necessary" use and disclosure
• Specify patient rights to approve the access and use of their medical information
At the completion of this study packet, the participant will:
• Have a basic understanding of HIPAA Privacy Standards
• Be able to provide examples of patient privacy protection
• Be able to define Protected Health Information (PHI)
• Have a basic understanding of the role of the Facility Privacy Official (FPO)
1996: In Tampa, a public health worker sent two newspapers a computer disk containing the names of 4,000 people who had tested positive for HIV.
2000: Darryl Strawberry's medical records from a visit to a New York hospital were reviewed 365 times. An audit determined that less than 3% of those reviewing his records had even a remote connection to his care.
2001: An e-mail was sent to the members of a Prozac informational listserv revealing the identities of other Prozac users.
Threats to patient data:
• Theft of patient data: identity theft, stolen laptop
• Loss of patient data: incorrect disposal of documents; portable devices increase the possibility of data loss
• Misuse of patient data: privacy breach
HIPAA guarantees these rights to patients:
• Right to privacy
• Right to confidential use of protected health information (PHI) for treatment, billing, and other health care operations (such as quality improvement)
• Right to access and amend their health information upon request
• Right to provide specific authorization for uses of their health information other than treatment, billing and other operations
• Right to have their name withheld from patient directories (not being listed as present in a facility, other than for treatment, billing, and other operations)
• Right to request that information concerning their care not be released to specific individuals
• Right to request that specific individuals not be told of their presence in a facility
Every patient should receive a document called a Notice (the Notice of Privacy Practices) and be asked to acknowledge in writing that they received it; a separate Authorization is required for uses of PHI beyond treatment, payment and health care operations. This Notice gives patients:
• Information about their rights.
• A description of how their PHI may be used by the facility.
• A comprehensive list of others to whom their health information may be disclosed.
The Notice must be given to the patient on the first treatment date or, in an emergency, as soon as is practical.
An Authorization is a form signed by the patient for use and disclosure of specific PHI that is not related to treatment, payment, or health care operations. There are some uses and disclosures where an authorization is not required. When in doubt about whether a signed authorization is required, ask your instructor.
• Every health care organization is expected to develop policies and procedures to guide HIPAA practices within its facility.
• Every person who provides care or assistance to patients in that facility is expected to understand and comply with HIPAA regulations. It is essential that all patient health information be kept confidential.
• Organizations or individuals that violate HIPAA rules are subject to monetary fines and civil or criminal charges (criminal penalties of up to $250,000 and up to 10 years in prison).
• Failure to comply may also:
  • hurt the reputation of the facility
  • put accreditation at risk
  • result in costly lawsuits
Patients have the right to register complaints with federal agencies and with the facility if they feel their rights have been violated. Every facility has a Privacy Officer who is responsible for overseeing HIPAA implementation. If you are uncertain about what information may be given out, talk to your instructor, a nurse on the unit where you are assigned, or contact the Privacy Officer.
One of the biggest threats to patient privacy is UNINTENTIONAL disclosure of information. Examples include:
• Discussing patient information where other patients, visitors or staff may overhear, such as in elevators, hallways, dining facilities, or other common areas.
• Leaving sensitive information in a location where patients or visitors could possibly see it.
Another threat to patient privacy is a staff member who intentionally uses or discloses information in an unauthorized way:
• Copying information and taking it home
• Removing medical records and giving them to those with no legal right of possession
• Deliberately sharing information with unauthorized persons (family members, friends, colleagues, news reporters, etc.)
• Using confidential information to gossip about patients
• Leaving a computer unattended after logging in to an application
Always be cognizant of:
• Where you are
• Who is around you
• What information can be seen or heard
• How you can minimize possible incidental disclosure to others
You must ensure that PHI is only shared:
• With those who need to know
• At the minimum level necessary
As a nurse:
• Don't browse through patient charts or files out of curiosity.
• Access only the portions of a medical record that you need to perform your role as a student nurse.
It is essential that everyone with access to PHI be aware of what is going on in their surroundings.
1. User ID or log-in name (user access controls)
2. Passwords
3. Workstation security
4. Portable device security (USB drives, laptops)
5. Data management, e.g. backup, archive, restore
6. Remote access (VPN)
7. Recycling electronic media and computers
8. E-mail
9. Safe Internet use (viruses)
10. Reporting security incidents and breaches
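The "minimum necessary" rule and the access-control item above are only enforceable if chart accesses are logged and the log is audited; the Darryl Strawberry case earlier in this deck was uncovered by exactly such an audit. The following is an added example, not code from the original slides or from any EHR vendor: it parses a constructed chart-access log, flags accesses by users with no care relationship to the patient (under an assumed policy in which billing staff may view a chart for payment purposes but not print or export it), and reproduces the per-patient "what fraction of viewers were connected to the care" audit. All user names, patient identifiers, log lines and the care-team table are constructed for illustration, and the log format is an assumption.

```python
"""Added example (not part of the original slides): an after-the-fact audit of
EHR chart-access logs, the kind of check that found that fewer than 3% of the
views of a VIP patient's record came from people connected to his care.
All log lines, user names and the care-team table below are constructed for
illustration; the log format (ISO timestamp, user, role, patient, action) is an
assumption, not any real system's format."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str  # "view", "print" or "export"


# Constructed care relationships: which users may legitimately open which chart.
CARE_TEAM: Dict[str, Set[str]] = {
    "PT-1001": {"dr_lee", "rn_ortiz"},
    "PT-1002": {"dr_lee", "rn_ortiz", "rn_chen"},
    "PT-2002": {"dr_park"},  # a well-known patient whose chart attracts curiosity
}

# Constructed access log; one record per chart access.
LOG_LINES = [
    "2012-03-14T08:02:11 dr_lee physician PT-1001 view",
    "2012-03-14T08:05:40 rn_ortiz nurse PT-1001 view",
    "2012-03-14T09:10:03 rn_chen nurse PT-1002 view",
    "2012-03-14T09:11:30 rn_chen nurse PT-2002 view",     # no care relationship
    "2012-03-14T09:12:02 clerk_ng billing PT-2002 view",  # allowed: payment (TPO)
    "2012-03-14T09:12:45 clerk_ng billing PT-2002 print",  # beyond minimum necessary
    "2012-03-14T12:30:00 it_admin admin PT-2002 export",  # no care relationship
    "2012-03-14T12:31:00 dr_park physician PT-2002 view",
]


def parse_log(lines: List[str]) -> List[Access]:
    """Parse the constructed space-separated log format into Access records."""
    records = []
    for line in lines:
        ts, user, role, patient, action = line.split()
        records.append(Access(datetime.fromisoformat(ts), user, role, patient, action))
    return records


def accesses_without_care_relationship(accesses: List[Access]) -> List[Access]:
    """Minimum-necessary check. Policy assumed for this example: care-team
    members may do anything; billing staff may view any chart for payment
    purposes (TPO) but may not print or export; everyone else is flagged."""
    flagged = []
    for a in accesses:
        if a.user in CARE_TEAM.get(a.patient, set()):
            continue
        if a.role == "billing" and a.action == "view":
            continue
        flagged.append(a)
    return flagged


def audit_patient(accesses: List[Access], patient: str) -> Dict[str, float]:
    """Per-patient audit: how many accesses there were, and what fraction came
    from someone with a care relationship to the patient."""
    relevant = [a for a in accesses if a.patient == patient]
    team = CARE_TEAM.get(patient, set())
    related = sum(1 for a in relevant if a.user in team)
    fraction = related / len(relevant) if relevant else 0.0
    return {"total": len(relevant), "by_care_team": related, "fraction_related": fraction}


if __name__ == "__main__":
    accesses = parse_log(LOG_LINES)
    for a in accesses_without_care_relationship(accesses):
        print(f"FLAG {a.ts.isoformat()} {a.user} ({a.role}) {a.action} {a.patient}")
    print(audit_patient(accesses, "PT-2002"))
```

Run as a script it prints the three flagged accesses (the nurse with no relationship, the billing clerk's print, and the administrator's export) and reports that only one of the five accesses to PT-2002 came from the care team. In a real deployment the care-team table would come from the scheduling or encounter system rather than a hard-coded dictionary, and the flagged list would feed the incident-reporting step listed above.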
Laptop and file encryption:
• WinZip (password protect + encrypt)
• 7-Zip (free, password protect + encrypt)
• TrueCrypt (free, complete folder/volume encryption; its development ended in 2014)
• FileVault (home-folder/disk encryption on Macintosh)
Encrypted USB drives: Kingston DataTraveler, IronKey (fully encrypted)
Caveat: when encrypting archives with WinZip or 7-Zip, choose AES-256 rather than the legacy ZipCrypto option, and remember that an encrypted archive is only as strong as its password, so the rules on password sharing below apply to archive passwords as well.
Sharing passwords: you are responsible for your password. If you share your password, you will be disciplined even if the other person performs no inappropriate access.
Not signing off systems: you are responsible, and will be disciplined, if another person uses your not-signed-off system or application.
Sending ePHI outside the institution without encryption: under HITECH you may be personally liable for losing ePHI.
Losing a PDA or laptop in transit with unencrypted PHI or PII: under HITECH and New York State SSN laws, you may be personally liable, and you will be disciplined for loss of PHI or PII. Note that under the HITECH breach notification rule, PHI encrypted in line with HHS guidance is not "unsecured PHI", so a lost device whose data was properly encrypted is not a reportable breach, while an unencrypted one is.
Study on data breaches (Nov 2007), share of incidents by cause:
• Lost laptop/device 48%
• Third party/outsourcer 16%
• Malicious insider 9%
• Paper records 9%
• Electronic backup 7%
• Hacked system 5%
• Malicious code 4%
• Undisclosed 2%
This section explains: • What information must be protected • PHI identifiers • The Notice of Privacy Practices (NOPP) for PHI • Purposes other than Treatment, Payment, or Operations (TPO) • Examples of TPO • Exceptions to the “Minimum Necessary” standard • When you should view, use, or share PHI
You must protect an individual's PHI, which is collected or created as a consequence of health care provision. PHI:
• is information related to a patient's past, present or future physical and/or mental health or condition;
• can be in any form: written, spoken, or electronic (including video, photographs, and x-rays);
• includes at least one of the 18 personal identifiers in association with health information.
These rules apply to you whenever you view, use, or share PHI. Any health information combined with one of the identifiers below is Protected Health Information (PHI).
The 18 identifiers defined by HIPAA are:
1. Name
2. Postal address (the rule treats any geographic subdivision smaller than a state as an identifier, with a limited exception for the first three digits of a ZIP code)
3. All elements of dates except year
4. Telephone number
5. Fax number
6. Email address
7. URL address
8. IP address
9. Social security number
10. Account numbers
11. License numbers
12. Medical record number
13. Health plan beneficiary number
14. Device identifiers and their serial numbers
15. Vehicle identifiers and serial numbers
16. Biometric identifiers (finger and voice prints)
17. Full face photos and other comparable images
18. Any other unique identifying number, code, or characteristic
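Several of these identifiers have a recognizable textual shape, which is what makes automated de-identification of free-text notes possible. The following is an added example, not code from the original slides or from any de-identification product: a small Safe Harbor style scanner that finds and redacts dates (keeping the year, which the rule permits), telephone/fax numbers, email addresses, URLs, IP addresses, SSNs, medical record numbers and account numbers in a constructed clinical note, and resolves overlapping matches so that a URL is not also reported as an email or IP. Names, postal addresses, biometrics and photographs have no fixed pattern and are deliberately out of scope. The regular expressions and the sample note are assumptions constructed for illustration, not any institution's record formats or real patient data.

```python
"""Added example (not part of the original slides): a Safe Harbor style scanner
that finds and redacts the HIPAA identifiers that have a recognizable textual
shape (dates, telephone/fax, email, URL, IP address, SSN, medical record and
account numbers) in a free-text clinical note. Names, postal addresses,
biometrics and photographs have no fixed pattern and need a dictionary/NLP pass
or manual review; this code does not cover them. The patterns and the sample
note are assumptions constructed for illustration."""
import re
from typing import Dict, List, Tuple

MONTHS = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?"

# Identifier category -> regex. Tune to local formats (MRN length, date style).
PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Telephone and fax share a shape; the lookarounds stop matches inside longer numbers.
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-])?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.IGNORECASE),
    "account": re.compile(r"\b(?:acct|account)[:# ]*\d{6,12}\b", re.IGNORECASE),
    # All elements of dates except year are identifiers; a bare year is allowed.
    "date": re.compile(r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|" + MONTHS + r" \d{1,2}, \d{4})\b"),
}

# Constructed sample note; not a real record.
SAMPLE_NOTE = (
    "MRN 00123456. Seen 03/14/2012 for follow-up; DOB Jan 5, 1970. "
    "Pt phone (555) 123-4567, email jane.doe@example.com, SSN 123-45-6789. "
    "Portal login from 10.0.0.5, see https://portal.example.org/visit/77. "
    "Account # 990011223. Plan: recheck in 2013."
)


def find_identifiers(text: str) -> List[Tuple[int, int, str]]:
    """Return non-overlapping (start, end, category) spans in text order.
    When two patterns overlap, the earlier-starting, then longer, match wins."""
    spans = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            spans.append((m.start(), m.end(), category))
    spans.sort(key=lambda s: (s[0], -(s[1] - s[0])))
    kept, last_end = [], -1
    for span in spans:
        if span[0] >= last_end:
            kept.append(span)
            last_end = span[1]
    return kept


def redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace each identifier with a bracketed category token. Dates keep
    their four-digit year, which Safe Harbor permits; everything else is dropped.
    Returns the redacted text and a per-category count for the audit trail."""
    out, counts, pos = [], {}, 0
    for start, end, category in find_identifiers(text):
        out.append(text[pos:start])
        token = text[start:end]
        if category == "date":
            year = re.search(r"\d{4}$", token)
            out.append(f"[DATE {year.group()}]" if year else "[DATE]")
        else:
            out.append(f"[{category.upper()}]")
        counts[category] = counts.get(category, 0) + 1
        pos = end
    out.append(text[pos:])
    return "".join(out), counts


if __name__ == "__main__":
    redacted, counts = redact(SAMPLE_NOTE)
    print(redacted)
    print(counts)
```

On the sample note the scanner removes nine identifiers and leaves "recheck in 2013" intact because a year on its own is not an identifier. Pattern-based scanning is a first pass, not a guarantee: a reviewer still has to check for names and addresses, and the per-category counts are worth logging so that a later audit can see what was removed from each note.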
The Notice of Privacy Practices (NOPP) allows PHI to be used and disclosed for purposes of TPO: Treatment (T), Payment (P), Operations (O). TPO includes teaching, medical staff/peer review, legal, auditing, customer service, business management, and releases mandated by law.
Patients have the right to:
• Request restrictions on release of their PHI
• Receive confidential communications
• Inspect and copy medical records (access)
• Request amendment to medical records
• Make a complaint
• Receive an accounting of any external releases
• Obtain a paper copy of the Notice of Privacy Practices on request
Written Authorization is required to release medical information. A physician or care team may share information with a referring physician without an authorization ("patient in common"). All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review.
"Good Clinical Practice (GCP) is an international ethical and scientific quality standard for designing, conducting, recording and reporting trials that involve the participation of human subjects. Compliance with this standard provides public assurance that the rights, safety and well-being of trial subjects are protected, consistent with the principles that have their origin in the Declaration of Helsinki, and that the clinical trial data are credible." ICH Harmonised Tripartite Guideline, Guideline for Good Clinical Practice, E6 (http://www.ich.org/LOB/media/MEDIA482.pdf)
Department of Health and Human Services (HHS)
FDA regulated (Title 21, Code of Federal Regulations):
• 21 CFR Part 50: Protection of Human Subjects
• 21 CFR Part 54: Financial Disclosure
• 21 CFR Part 56: Institutional Review Boards
• 21 CFR Part 312: Investigational New Drug Application
• 21 CFR Parts 803, 812: Devices
Federally funded (45 CFR 46, the "Common Rule"): the Federal Policy for the Protection of Human Subjects, codified by a number of federal agencies.
• 45 CFR 46 Subpart B: Protections for Pregnant Women, Human Fetuses & Neonates
• 45 CFR 46 Subpart C: Protections for Prisoners
• 45 CFR 46 Subpart D: Protections for Children
Also:
• Health Insurance Portability and Accountability Act (HIPAA): Office for Civil Rights
• National Coverage Decision (NCD): Office of Inspector General (OIG)
• VA Policies & Procedures
PATIENT PRIVACY: At some point in our lives we will all be a patient. Treat all information as though it were your own.