HCCA PRIVACY COMPLIANCE FOCUS GROUP
- Beatrix Henderson
1 HCCA PRIVACY COMPLIANCE FOCUS GROUP Industry Immersion Session 2005 Annual Institute New Orleans April
2 DISCUSSION LEADERS Betsy Hall, Jodi Innocent, Marti Arvin
3 AGENDA 1:45 to 3:15 HIPAA and Research 3:15 to 3:30 Break 3:30 to 4:30 JCAHO standards and HIPAA 4:30 to 5:00 HIPAA and the Minor 5:00 to 5:45 Open Q & A Forum
4 Research and HIPAA
5 Objectives Research Privacy Breaches Human Subjects Research Common Rule & FDA Regs Research under HIPAA State Law Pre-emption HIPAA Security Federal Penalties Where to Go for Help
6 Names of Donors Accidentally Included in letter to Kidney Patients University of Minnesota researchers violated the confidentiality of organ donors when they mailed surveys to 1,200 transplant recipients participating in a study and revealed the names of those who had donated their kidney to the recipients. A software upgrade was cited as the reason for the breach, apparently because it altered a feature that was supposed to suppress the donors' names. ~ Minneapolis Star Tribune, January 15, 2002
7 Complaints Shut Down Research The federal Office for Protection from Research Risks suspended more than 1,000 studies at Virginia Commonwealth University, for violating privacy by failing to gain the consent of research subjects and failing to adequately safeguard data. ~ The Washington Post, January 12, 2000 Research Leads to Disclosure Robin Kaigh of New Jersey reported her father, a physician, agreed to allow slides of his cancer cells to be used in research. He was promised anonymity, but his name was entered into a computer associated with the slides, and colleagues quickly began calling to offer condolences. ~ National Journal, April 18, 1998
8 Human Subjects Research What is research? A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. The definition is identical under HIPAA (45 CFR 160, 164) and the Common Rule (45 CFR 46) What is a human subject? A living individual about whom an investigator who is conducting research obtains: data through intervention or interaction with the individual, or identifiable private information. Common Rule (45 CFR 46)
9 Your Actions Are Research When You plan to publish your results You plan to present your results at a conference Your actions are intended to improve upon medical device, pharmaceutical product, or diagnostic aid Your actions are intended to compare patient outcomes Your actions require collecting patient information
10 Your Actions Are Not Research When Making Public Health Disclosures to the FDA, local and state health departments and government authorities Reporting adverse events Tracking FDA-regulated products Recalling, repairing or replacing products Conducting post-marketing surveillance Related to safety, quality or effectiveness of FDA-regulated product Does not permit disclosures to drug/device manufacturers to evaluate effectiveness of marketing Minimum Necessary applies
11 How Does HIPAA Affect Research? HIPAA impacts how researchers and IRBs conduct their business IRB oversight responsibilities increased Subject recruitment, getting PHI from providers impacted New paperwork, forms required Disclosure tracking required Relationship with sponsors affected
12 HIPAA Privacy Rule vs. the Common Rule & FDA Regulations The HIPAA Privacy Rule builds upon existing Federal protections (the Common Rule and FDA Regulations) and creates equal standards of privacy protection for: Human Subjects Research governed by existing Federal human subject regulations Human Subjects Research not funded by Federal Agencies.
13 Documentation Requirements: HIPAA vs. Common Rule HIPAA: Maintain records (written or electronic) of any communication, action, activity or designation required by the Privacy Rule for 6 years Common Rule: Maintain records for 3 years after completion of study (including data analysis)
14 Research under HIPAA 6 ways to obtain patient information for research: HIPAA Research Authorization Partial Waiver/Waiver of Authorization De-identified Data Limited Data Set & Data Use Agreement Preparatory Decedents
15 Research Authorization HIPAA Research Authorization allows researchers to access protected health information of a specific patient Blanket authorizations for research to be conducted in the future are not permitted Each new use requires a specific authorization Accounting of Disclosures not required
16 Research Authorization Must contain required elements Obtain in addition to IRB/Common Rule informed consent (Some IRBs combine consent and authorization) Exception for pre-existing written consent (see transition) Revocable Can condition treatment related to research on an Authorization in connection with the study Expiration date or an expiration event that relates to the use or disclosure ("end of study" or "none" is sufficient)
17 Research Authorization Research-related situations when a HIPAA Research Authorization is not required: Approved waiver Decedent research Preparatory to research Limited data set Treatment, Payment and Healthcare Operations (TPO) When required by law
18 Waiver of Authorization Ideal for retrospective medical record or identifiable database research where authorization is impractical If used for recruitment, authorization must be obtained upon enrollment Waiver granted by IRB pursuant to criteria under normal or expedited review Different than informed consent waiver Minimum Necessary Rule applies Accounting of Disclosures required
19 Partial Waiver of Research Authorization Ideal for participant screening and recruitment Requires IRB approval Does not eliminate researcher's responsibility to obtain informed consent or authorization from the subject prior to enrollment. The use or disclosure of protected health information involves no more than minimal risk to the individuals. The research could not practicably be conducted without the waiver or alteration. The research could not practicably be conducted without access to and use of the protected health information.
20 De-identified Data Allows release of information without authorization Ideal for database research Not useful for longitudinal, epidemiological or outcomes studies Does not identify individual De-identification accomplished one of two ways: Statistical expert determines and documents risk is very small the information could be used to identify individual 18 identifiers removed ("safe harbor"), including dates (e.g., date of birth, admission, discharge, service) and geocode information No Accounting of Disclosures required De-identification satisfies HIPAA requirements and not IRB requirements. IRB oversight is required for de-identified data.
21 De-identification of Data: Remove all 18 identifiers below: 1. Names 2. All geographic subdivisions smaller than a state 3. All elements of dates 4. Telephone numbers 5. Fax numbers 6. E-mail addresses 7. Social security numbers 8. Medical record numbers 9. Health plan beneficiary numbers 10. Account numbers 11. Certificate/license numbers 12. Vehicle identifiers and serial numbers, including license plate numbers 13. Device identifiers and serial numbers 14. URLs 15. IP addresses 16. Biometric identifiers 17. Full face photographic images and comparable images 18. Any other unique identifying number, characteristic, or code
22 De-identification of Data Code allowed for re-identification of PHI if: Code or other means of identification is not derived from or related to information about the individual and cannot be used to identify the individual; AND The covered entity does not use/disclose the code for any other purpose; AND The covered entity does not disclose the re-identification code.
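A sketch of the safe-harbor removal and re-identification code described on slides 21 and 22, added here as an illustration and not part of the original presentation. The field names, sample records and regex patterns are constructed assumptions; the study code is drawn at random rather than hashed from the medical record number, so it is not derived from information about the individual, and the crosswalk stays with the covered entity.

```python
import re
import secrets

# Constructed field names for an assumed record layout; map to your own schema.
REMOVE_FIELDS = {
    "name", "street", "city", "county", "zip",        # geography below state level
    "dob", "admit_date", "discharge_date",            # all elements of dates (slide 21)
    "phone", "fax", "email", "ssn", "mrn",
    "plan_id", "account_no", "license_no", "plate",
    "device_serial", "url", "ip", "photo",
}

# Patterns used only to catch identifiers that survive inside free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
}


def deidentify(records, key_field="mrn"):
    """Return (rows, crosswalk). rows may be released; crosswalk may not."""
    codes, crosswalk, rows = {}, {}, []
    for rec in records:
        person = rec[key_field]
        if person not in codes:
            # Random code: not a hash or encoding of the MRN, name or any date.
            code = secrets.token_hex(8)
            codes[person] = code
            crosswalk[code] = person
        row = {k: v for k, v in rec.items() if k not in REMOVE_FIELDS}
        row["study_code"] = codes[person]
        rows.append(row)
    return rows, crosswalk


def residual_identifiers(row):
    """Flag identifier-shaped strings left in the fields that were kept."""
    findings = {}
    for field, value in row.items():
        if field == "study_code" or not isinstance(value, str):
            continue
        hits = sorted(n for n, p in RESIDUAL_PATTERNS.items() if p.search(value))
        if hits:
            findings[field] = hits
    return findings


# Constructed sample data, not real patients.
SAMPLE = [
    {"mrn": "MRN-0001", "name": "Pat Example", "dob": "1950-02-03", "zip": "40202",
     "state": "KY", "ssn": "000-00-0000", "diagnosis": "C64.9",
     "notes": "Seen 03/14/2005, call 555-010-1234 with results"},
    {"mrn": "MRN-0001", "name": "Pat Example", "dob": "1950-02-03", "zip": "40202",
     "state": "KY", "diagnosis": "N18.6", "notes": "Follow-up visit"},
    {"mrn": "MRN-0002", "name": "Sam Sample", "dob": "1961-07-09", "zip": "46202",
     "state": "IN", "diagnosis": "C64.9", "notes": "No complications"},
]

if __name__ == "__main__":
    rows, crosswalk = deidentify(SAMPLE)
    for row in rows:
        print(row, residual_identifiers(row))
```

Dropping the structured fields is not enough on its own: the first sample row still carries a date and a phone number in its free-text note, which the residual scan reports so the note can be redacted or withheld before release.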
23 Limited Data Sets (LDS) Requires Data Use Agreement - Assures CE that information will only be used for: Research, public health, or health care operations, Disclosed to business associates Used/disclosed for limited purposes by the recipient
24 Limited Data Set Limited data set for research, public health and health care operations Can include: ZIP codes, geocodes, date of birth, date of admission/discharge/service, non-excluded identifiers Excludes: name, postal address (other than state, city, precinct, ZIP code, geocode), telephone #, fax #, e-mail address, social security number, certificate #, license #, vehicle ID/serial number, URLs, IP address, full face or comparable images, medical record #, prescription #, health plan beneficiary #, account #, medical device identifiers and serial numbers, biometric identifiers, fingerprints, voiceprints Minimum Necessary Rule applies No Accounting of Disclosures required Requires Data Use Agreement
25 Data Use Agreement Similar to Business Associate Agreement Defines who can use or receive data Defines for what purpose the data may be used Recipient agrees not to reidentify data or contact data subject Recipient agrees to report improper uses/disclosures Recipient agrees to pass on privacy obligations to contractors Assures data will be safeguarded and not used for unauthorized purposes
26 Preparatory Ideal for designing a research study, assessing the feasibility of doing a study, and planning recruitment activities Allows researchers to access PHI without authorization from the subject Researcher must provide covered entity written representation that the use/disclosure of PHI is solely to prepare a research protocol or for similar purposes preparatory to research and that the access is necessary to conduct the research Researcher may not remove, download, print or copy any PHI from the covered entity Identifying and contacting potential subjects is not permissible under this provision. Minimum Necessary Rule applies Accounting of Disclosures required
27 Research on Decedents Not subject to the Common Rule (45 CFR 46) Subject to HIPAA (45 CFR 164) To access PHI of decedents, the researcher must provide the covered entity with written assurances that: the use/disclosure is solely for research on PHI of decedents; the subject(s) is deceased (death certificate); the PHI is necessary for the research. Minimum Necessary Rule applies Accounting of Disclosures required
28 Minimum Necessary Standard Does not apply to research conducted pursuant to an Authorization Applies to: Research conducted pursuant to a Waiver Research involving PHI of decedents Use of PHI preparatory to research Limited data set research
29 HIPAA and Subject Recruitment HIPAA impacts how potential research subjects are identified and recruited: Researchers who are employed by the covered entity may use the preparatory research provision to contact prospective subjects. Researchers who are not employed by the covered entity may not use the preparatory research provision. Outside researchers could obtain contact information through a partial waiver of authorization. General Rules: No authorization required: Clinicians may discuss enrolling in a study with their own patients Authorization or waiver required: Clinician's disclosure to a third party for purposes of recruitment
30 Databases & Tissue Repositories Is patient authorization or waiver required for this? No, if for treatment or health care operations; Yes, if for research When such databases/banks are used for research purposes, require authorizations or waivers; and IRB approval Review existing internal databases to determine whether sole purpose is research, or whether treatment or health care operations purposes exist
31 Transition Provisions Transition Provisions: CE may use/disclose PHI that was created or received for research, either before or after the compliance date, if the CE obtained any ONE of the following prior to the compliance date: Authorization or other legal permission from an individual to use or disclose PHI for the research; Informed consent of the individual to participate in the research; or Waiver by an IRB in accordance with the Common Rule or an exception under FDA's human subject protection regulations at 21 CFR
32 Accounting of Disclosures Accounting Required Partial Waiver or Waiver Preparatory Work Decedents No Accounting Required Authorization Limited data set under a data use agreement To an individual about himself or herself
33 Accounting of Disclosures The Privacy Rule allows three methods for accounting for research-related disclosures: Standard Multiple-disclosures Alternative for disclosures involving 50 or more individuals. Accounting reports to individuals may include results from more than one accounting method.
34 Standard Accounting Standard accounting includes, for each disclosure, the following information: Date of disclosure. The name and, if known, address of the person or entity receiving the PHI. A brief description of the PHI disclosed. A brief statement of the reason for the disclosure.
35 Multiple Disclosures Accounting Permitted when the CE has made multiple disclosures of PHI to the same person or entity for a single purpose under Sections (a)(2)(ii) or For each disclosure, the following must be included: Date of initial disclosure. The name and, if known, address of the person or entity receiving the PHI. Brief description of the PHI disclosed. Brief statement of the reason for the disclosure. Frequency, periodicity, or number of the disclosures made during the accounting period. Date of the last disclosure during the accounting period.
36 Alternative Accounting Accounting may be limited to the following if the CE has disclosed PHI of 50 or more individuals for a research project under (i): Name of the protocol or research activity. Plain-language description of the research protocol or activity, purpose of the research, and criteria for selecting particular records. Description of the type of PHI disclosed. Date or period of time during which the disclosure(s) occurred or may have occurred, including the date of the last disclosure during the accounting period. Name, address, and phone number of the entity that sponsored the research and the researcher who received the PHI. A statement that the individual's PHI may or may not have been disclosed for a particular protocol or research activity.
37 Rule of 50 If the CE uses the Rule of 50, it must, if requested to by the individual, assist the individual in contacting the research sponsor and the researcher. Such assistance, however, is limited to those situations in which there is a reasonable likelihood that the individual's PHI was actually disclosed for the research protocol or activity.
38 Research & State Law Pre-emption Be mindful of state law requirements for use/disclosure of PHI for research Some state laws may be more stringent, such as Kentucky Some state laws may be less stringent, such as Indiana
39 Kentucky Law Example Kentucky law more protective regarding physician's patients KRS (9) states: "unethical, or unprofessional conduct" shall include but not be limited to... (4) any departure from, or failure to conform to the principles of medical ethics of the American Medical Association or the code of ethics of the American Osteopathic Association. For the purposes of this subsection, actual injury to a patient need not be established.
40 Kentucky Law Example The following are excerpts from the AMA Ethics Opinions: The physician should not reveal confidential communications or information without express consent of the patient unless required to do so by law... E-5.05 Physicians must seek to protect patient privacy in all forms Such respect for patient privacy is a fundamental expression of patient autonomy and is a prerequisite to building the trust that is at the core of the patient-physician relationship. E The record is a confidential document involving the patient-physician relationship and should not be communicated to a third party without the patient's prior written consent, unless required by law or to protect the welfare of the individual or the community E-7.02
41 Kentucky Law Example This does not preclude the use of information under the preparatory to research exemption if the records are reviewed by the physician or an employee of the physician. This does appear to prevent physicians from making disclosures to those outside of their practice under either a waiver or under the preparatory to research exemption.
42 Indiana Law Examples IC Sections 5-7 Cancer Registry Research Purposes IC Sections Birth Problems Registry Research Purposes HIPAA pre-empts these Indiana laws which allowed researchers access to PHI of individual patients and to use the names of those patients to request further information Source: Hall, Render, Killian, Heath and Lyman, P.S.C. HIPAA Pre-emption Matrix
43 Research and HIPAA Security Researchers must take steps to develop appropriate safeguards to protect PHI Examples of safeguards include: Having researchers sign confidentiality agreements stating they will not share computer IDs and passwords Passwords on computers (setting computers to go into protected standby mode when left on and unattended) Securing data in databases, handhelds, Web sites Using locked file cabinets to store data Not leaving identified data in plain sight Shredding PHI
44 Research and HIPAA Security Security Rule requires audits Build HIPAA audits into research compliance billing and regulatory audits Authorizations Partial Waivers/Full Waivers Documentation of deceased individuals Data Use Agreements Accounting of Disclosures documentation
45 Federal HIPAA Penalties Federal Civil and Criminal Penalties Civil: $100 per violation, up to $25,000 per person, per year, for each requirement or prohibition violated Criminal (knowing violations): Up to $50,000 and one year in prison Under false pretenses up to $100,000, and up to five years in prison Intent to sell, transfer or use up to $250,000 and up to 10 years in prison
46 Private Right of Action HIPAA has no private right of action You can be sued under state law for alleged privacy breaches Kentucky example Texas example
47 Improper Disclosures Reporting improper uses or disclosures to patient not required under HIPAA unless accounting of disclosures requested Reporting improper uses or disclosures to OCR not required under HIPAA Reporting improper uses or disclosures for research may be required to other federal agencies OHRP, ORI, FDA - as well as the research sponsor and IRB of oversight Common Rule (45 CFR Part 46) requires institutions to report noncompliance to OHRP
48 For More Information NIH - Clinical Research - IRBs - Privacy Boards - Research Repositories and Databases - Rule Booklet - HIV/AIDS - Public Health - HHS - PRIM&R - ARENA -
49 Research and HIPAA: Conflicts and Controversy in Sponsored Research
50 HIPAA and the Clinical Trial Agreement The issue: Resolution of the conflicting interest between the researcher, the research institution and the research sponsor over the future use of data and/or tissue and blood specimens.
51 SCENARIOS Number 1: Sponsor wishes to sponsor clinical trial and collect data solely for the purpose of that clinical trial Number 2: Sponsor wishes to sponsor clinical trial and use data and/or some of the specimens collected for possible unspecified future research Number 3: Sponsor wishes to sponsor clinical trial and in the process of collecting specimens for the clinical trial asks researcher to collect additional sample to include in tissue/blood repository for future unspecified research
52 Researcher's goals Conduct quality research for the greater good Obtain sponsorship for research Possible commercial benefit Personal recognition Comply with regulations
53 Institution's goals Conduct quality research for the greater good Obtain sponsorship for research Possible commercial benefit Institutional recognition Compliance with applicable regulations
54 Sponsor's goals Non-commercial sponsors Conduct quality research for the greater good Commercial sponsors Conduct quality research for the good of the organization Commercial benefit Compliance with applicable regulations
55 What is the problem? Researcher's interest is in the research, not focused on compliance Researcher may consider sacrificing compliance if he/she feels the research is important Researcher does not always understand intricacies of the agreements they wish to enter
56 What is the problem? The institution has to consider all applicable regulations. What is beneficial to the researcher and the sponsor might not be possible. Applicable regulations differ according to the player. Institutional Review Board must consider ethical as well as legal issues.
57 What is the problem? Sponsor is generally not a covered entity, thus there may be no desire to comply with HIPAA privacy or security regulations. Sponsor might push to have language in CTA that permits future unspecified uses of data and/or specimens.
58 Scenario 1 The institution can enter a clinical trial agreement stating that the institution is in compliance with HIPAA. The institution has no problem crafting an authorization that informs the subject their data will be shared with the sponsor for this study. Once the sponsor gets the data, if HIPAA does not apply to the sponsor the information may no longer be protected
59 Scenario 2 The institution can enter a clinical trial agreement stating that the institution is in compliance with HIPAA. The institution has no problem crafting an authorization that informs the subject their data will be shared with the sponsor for this study. Once the sponsor gets the data, if HIPAA does not apply to the sponsor the information may no longer be protected However....
60 Scenario 2 Additional issues: Is the institution obligated to inform the subject that their data will be included in the sponsor's research database for uses and/or disclosures unrelated to the current clinical trial? Is the institution obligated to ask the sponsor what, if any, additional uses or disclosures will occur from the data collected for the current trial? What if the sponsor wants to use it for purposes unrelated to research? Has the institution met its HIPAA obligation if the authorization informs the subjects that the sponsor will receive their data and if the sponsor is not a covered entity the data is no longer protected?
61 Scenario 3 The institution can enter a clinical trial agreement stating that the institution is in compliance with HIPAA. The institution has no problem crafting an authorization that informs the subject their data will be shared with the sponsor for this study. Once the sponsor gets the data, if HIPAA does not apply to the sponsor the information may no longer be protected However....
62 Scenario 3 Additional issues: If participation in the underlying clinical trial is conditioned on the subject signing the authorization but provision of the additional blood or tissue specimen is not, a second authorization may be required. If the second authorization is solely for the purpose of collecting the blood or tissue specimen for the sponsor to include in a repository for future unspecified research, how can the researcher/research institution craft a valid authorization?
63 Scenario 3 The specificity requirements of an authorization will not permit an authorization for future, unspecified research. According to current guidance, the research purpose must be study or protocol specific.
64 Scenario 3 Possible solutions Get sponsor to treat research database or specimen repository as if they are a covered entity Data comes out as limited data set with data use agreement Submit future protocols to IRB Don't engage in research with sponsors who will not treat data as if they are a covered entity Prepare an authorization that informs the subject that their data and/or specimen is being collected for inclusion in the sponsor's database/repository without addressing the intended future uses or disclosures.
65 JCAHO and HIPAA: A Crosswalk to Compliance
66 Objectives Understand the JCAHO Accreditation Process Compare/Contrast JCAHO standards and the HIPAA Privacy Rule Discuss Self-Assessment and Tracer Methodologies required by JCAHO
67 Understanding the JCAHO Accreditation Process JCAHO surveys for compliance with stated standards and performance expectations Standard = goal Compliant or non-compliant Elements of Performance = steps needed to achieve the standard
68 Elements of Performance (EPs) EPs are evaluated on the following scale: 0: insufficient compliance; 1: partial compliance; 2: satisfactory compliance; N/A: non-applicable
69 Patient Rights JCAHO Standard RI.2.20: Patients receive information about their rights. Elements of Performance for RI.2.20 Information on rights is provided to each patient HIPAA: (a)(1) Notice of Privacy Practices
70 RI.2.20: Patient Rights EPs (cont'd) The patient has the right to access, request amendment to and receive an accounting of disclosures regarding his or her own health information as permitted under applicable law. HIPAA: Right to Access PHI Right to Amend Right to Accounting of Disclosures
71 Photography/Filming Consent JCAHO Standard RI.2.50: Consent obtained for recording or filming made for purposes other than identification, diagnosis or treatment Elements of performance 1) When used only for internal organizational purposes: Must document consent Can be part of a general consent for treatment 2) External purposes: documentation of a specific, separate consent including the circumstances of use
72 Photography/Filming (cont'd) HIPAA (b) & (c) Consent for TPO internal vs. external When an authorization is required (a)(3) Marketing (c) Victims of abuse (forensic photographs for victims of child-abuse) (i)(1) Research
73 Informing Others of Care and Treatment JCAHO Standard RI.2.90: Patients, and when appropriate, their families are informed about the outcomes of care, treatment and services HIPAA: (b) uses and disclosures for involvement in the individual's care JCAHO outcomes vs. HIPAA specific circumstances
74 Complaint Management JCAHO Standard RI.2.120: The hospital addresses the resolution of complaints from patients and their families. HIPAA: Complaints to the Secretary (b)(1)(vi) Complaint Process (d)(1) Documentation of Complaints
75 Complaint Management (cont'd) JCAHO EPs for RI Patients can freely voice complaints without being subject to coercion, discrimination, reprisal, or unreasonable interruption of care and treatment HIPAA: (g) covered entity must refrain from intimidating or retaliatory acts against individuals who file a complaint, participate in an investigation
76 Patient Privacy Needs JCAHO Standard RI The hospital respects the needs of patients for confidentiality, privacy and security HIPAA (c) & (a)(1) Right to Request Restrictions (h) & (b)(1) Confidential Communications (a) Facility Directory Opt Out Notice of Privacy Practices HIPAA Security Standards
77 Research JCAHO Standard RI.2.180: The hospital protects research subjects and respects their rights during research, investigation, and clinical trials involving human subjects. HIPAA: (i) Research Purposes Waiver of authorization Preparatory to research activities
78 Correctional Institutions JCAHO Standard LD.3.150: The hospital plans for the appropriate care, treatment and services for patients under legal or correctional restrictions. Elements of performance for LD.3.150: Administrative and clinical decisions are coordinated as to disclosing PHI to correctional institutions and/or officers.
79 Correctional Institutions HIPAA (k)(5) disclosures to correctional institutions and law enforcement HIPAA (a)(3) NPP exception for inmates
80 Environment of Care JCAHO Standard EC.1.20: The hospital conducts environmental tours to identify ... and unsafe practices (including privacy and security concerns) Must conduct environmental tours at least once every six months in all areas where individuals are served Must conduct environmental tours at least annually in areas where individuals are not served.
81 Environment of Care (cont'd) HIPAA: no specific comparable regulation in Privacy Rule BUT... HIPAA auditing best practices would include such environmental tours or walkthroughs AND HIPAA Security Rule
82 Information Management JCAHO Standard IM.1.10: The hospital plans and designs information management processes to meet internal and external information needs
83 Information Management (cont'd) Elements of Performance for IM.1.10 consider who is requesting the information and what is being requested: licensing, accrediting and regulatory bodies purchasers, payors, and employers participation in national research and databases patient safety reviews quality assessments
84 Information Management (cont'd) HIPAA Notice of Privacy Practices HIPAA (e)1; (e)1: Business Associate Agreements
85 Information Management (cont'd) uses and disclosures for which an authorization or opportunity to object is not required Disclosures required by law Public health activities Health oversight (a) de-identification of data
86 Confidentiality and Security JCAHO Standard IM.2.10: Information privacy and confidentiality are maintained Elements of performance for IM.2.10: Hospital has written processes that address the privacy and confidentiality of information All HIPAA policies
87 Confidentiality and Security EP for IM.2.10: Policy has been effectively communicated to applicable staff HIPAA Training: (b)(1) EP for IM.2.10: Process to monitor compliance with its policy HIPAA Auditing and Monitoring
88 Confidentiality and Security EP for IM.2.10: Individuals about whom PHI may be maintained/collected are made aware of what uses and disclosures of the information will be made HIPAA NPP, authorizations For uses and disclosures of health information, the removal of personal identifiers is encouraged to the extent possible, consistent with maintaining the usefulness of the information (a) de-identification of data
89 Confidentiality and Security Elements of Performance for IM.2.10 Protected health information is used for the purposes identified or as required by law and not further disclosed without patient authorization HIPAA uses and disclosures for which an authorization is required
90 Confidentiality and Security Elements of Performance for IM.2.10 The hospital preserves the confidentiality of data and information identified as sensitive and requires extraordinary means to preserve patient privacy. HIPAA Policy manual (a)(2) Psychotherapy notes Minimum Necessary Rule Limited data sets

91 Managing the JCAHO Self-Assessment
- Need hard data: concrete and verifiable
- Audit data, not just that policies and procedures are in place
- Privacy Grid: what documented data will show compliance?

92 JCAHO and Tracer Methodology
- JCAHO tracks real patients' experiences as they move through the hospital
- Your audits should mirror this methodology
- Pull random samples and see how PHI was accessed, used and disclosed throughout the hospital stay

93 The Self-Assessment: Getting Started
Assemble a Team:
- Privacy Officer
- Information Security Officer
- Internal Auditor
- Systems Administrators
- Administration
- External sources

94 Identify Tools
- Employee work schedules, attendance records, clock in/out
- Medical records
- Paper documentation related to area of review
- E-mails and faxes
- Phone records: land lines and cell
- Internal system-generated audits from computer systems
- Specific computer systems: registration (facility blocks); Disclosure Tracking

95 Identify Systems
- Locate all computer systems
- Determine audit functionality with vendor
- Obtain list of all User IDs for each system: employees, contractors, physicians, office staff, medical students, etc.
- Create crosswalk of audit codes for each system
- Obtain list of computer terminal IDs and locations

96 System Audit by User
System-generated audits focused on a User ID generally provide:
- List of patients accessed by name and medical record number
- Date, time, duration of access
- Computer terminal ID
- IP address of computers off site
- Details about info accessed, such as care provider list, results, contraindications, orders, charges, demographics, and financial
- Whether info was printed

97 System Audit by Medical Record
System-generated audits focused on a patient's medical record generally provide:
- List of users who accessed the record
- Date, time, duration of access
- Computer terminal ID used on campus
- IP address of computer used off campus
- Details about info accessed, such as care provider list, results, orders, demographics, and financial
- Whether info was printed

98 Potential Areas of Focus
- Inappropriate Access
- Walkthroughs
- Garbage
- Patient Rights
- PHI with Special Protections (drug, alcohol, HIV)

99 Potential Areas of Focus
- Research
- Policies/Procedures
- Training and Education
- databases and logs

100 Inappropriate Access
- Athletes, VIPs, celebrities, politicians, public figures, other patients featured in the media
- Employees
  - Co-worker access
  - Self access
- Residents, Physicians, Physician Office staff
- Complaints, Hotline calls, Administrative requests
- Patients involved in lawsuits, sentinel events
- Special populations
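
The system audit by user and the inappropriate-access categories described above can be combined into a first-pass review script. This is an added example, not part of the original presentation; the record fields, user IDs, MRNs, terminal IDs and flag names are all constructed, and a flag is a lead for the audit team to follow up, not a finding.

```python
"""First-pass review of a system audit by user: flag events for follow-up."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    user_id: str
    patient_mrn: str
    when: datetime
    terminal_id: str
    info_type: str   # e.g. "results", "demographics", "financial"
    printed: bool


# Everything below is constructed sample data.
# User ID list per system: user_id -> the user's own MRN, if also a patient.
USER_IDS = {"rn_adams": "MRN1001", "reg_baker": "MRN1002", "md_chen": None}
WORKFORCE_MRNS = {mrn for mrn in USER_IDS.values() if mrn}
# Patients under heightened review (VIPs, media cases, lawsuits).
WATCH_LIST = {"MRN2001"}
# Clock in/out records. Users without records (md_chen) are not judged on hours.
SHIFTS = {
    "rn_adams": [(datetime(2005, 4, 18, 7, 0), datetime(2005, 4, 18, 19, 0))],
    "reg_baker": [(datetime(2005, 4, 18, 8, 0), datetime(2005, 4, 18, 16, 30))],
}

EVENTS = [
    AccessEvent("rn_adams", "MRN3001", datetime(2005, 4, 18, 10, 15),
                "T-ICU-03", "results", False),
    AccessEvent("rn_adams", "MRN1001", datetime(2005, 4, 18, 10, 20),
                "T-ICU-03", "results", False),
    AccessEvent("reg_baker", "MRN1001", datetime(2005, 4, 18, 21, 5),
                "T-REG-01", "demographics", True),
    AccessEvent("md_chen", "MRN2001", datetime(2005, 4, 18, 11, 0),
                "T-ED-02", "results", False),
    AccessEvent("generic01", "MRN3002", datetime(2005, 4, 18, 12, 0),
                "T-LAB-07", "orders", False),
]


def on_shift(user_id, when):
    """True if `when` falls inside any clocked shift for the user."""
    return any(start <= when <= end for start, end in SHIFTS.get(user_id, []))


def flags_for(event):
    """Return the list of review flags raised by one access event."""
    flags = []
    if event.user_id not in USER_IDS:
        # ID missing from the user list: generic, shared or stale account.
        flags.append("unknown_user_id")
    else:
        own_mrn = USER_IDS[event.user_id]
        if own_mrn is not None and own_mrn == event.patient_mrn:
            flags.append("self_access")
        elif event.patient_mrn in WORKFORCE_MRNS:
            # May be legitimate treatment; needs a documented reason.
            flags.append("coworker_access")
        # Only compare against hours when clock records exist for the user.
        if event.user_id in SHIFTS and not on_shift(event.user_id, event.when):
            flags.append("outside_clocked_hours")
    if event.patient_mrn in WATCH_LIST:
        flags.append("watch_list_patient")
    if flags and event.printed:
        # Printing turns a questionable view into a possible disclosure.
        flags.append("printed")
    return flags


def review(events):
    """Return (event, flags) pairs for every event with at least one flag."""
    return [(e, f) for e in events if (f := flags_for(e))]


if __name__ == "__main__":
    for event, flags in review(EVENTS):
        print(event.when.isoformat(), event.user_id, event.patient_mrn,
              event.terminal_id, ",".join(flags))
```
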

101 Walk Throughs
- PHI visible in open, public areas
- PHI left unattended on fax, copy machines
- PHI transported unsecured
- Shredding bins overflowing or unlocked
- Fax cover sheets being used
- PHI being discussed in elevators, cafeteria
- Is Notice of Privacy Practices posted appropriately?

102 Garbage
Check for improper disposal of PHI in:
- Bags of trash that have not been compacted
- Trash cans in patient rooms
- Trash cans in clinical areas
- Trash cans in administrative areas that process health information
- Trash cans in doctors' lounges, sleep rooms

103 Patient Rights
Check medical records for appropriate documentation of:
- Notice of Privacy Practices acknowledgement
- Authorizations
- Access requests
- Amendment requests
- Accounting of Disclosures
- Restriction requests
- Confidential Communications requests
- Opt Out requests

104 Other PHI
Check medical records for documentation of appropriate release of information for:
- Psychotherapy notes
- HIV/AIDS
- Subpoenas/Orders of Court
- Victims of a crime
- Research
- Accounting of Disclosures

105 Research
Check research patient medical records for proper documentation of:
- Informed consent and HIPAA authorization
- Accounting of disclosures
- Partial and full waivers
- Preparatory to research/screening
- Decedents

106 Policies & Procedures
Review policies, procedures and processes to determine whether:
- they are accurate and consistent
- they are being followed as written
  - Use sample audits to get concrete data
- revisions are required because of changes in federal and/or state law

107 Evaluate Results
- Was PHI accessed/used/disclosed appropriately?
  - Sample data
- What caused the inappropriate access, use or disclosure?
- How can the inappropriate access, use or disclosure be prevented?

108 Report Results
- Report conclusions to business process owners
- Present recommendations to business process owners
- Draft a corrective action plan

109 Examples: Sanctions Recommendations
- Revise policies
- Re-educate, plan awareness campaign
- Revoke access privileges
- Assign new passwords
- Remove generic IDs and IDs of those who left the organization or no longer have business with it

110 Mitigation
Follow through:
- Document improper disclosures in accounting of disclosures
- Implement recommendations
- Reinforce policy
- Re-audit
- Re-audit
- Re-audit

111 Improper Disclosures
- Reporting to patient not required unless accounting of disclosures requested
- Reporting improper disclosure to OCR not required under HIPAA
- Reporting improper disclosure for research may be required to other federal agencies (OHRP, ORI, FDA) as well as the research sponsor and IRB of oversight
***Discuss with your legal counsel

112 Minor Child Issues Under HIPAA

113 Patient Rights Regarding Medical and Billing Records
Right to receive hospital's Notice of Privacy Practices:
- The Divorced Parents
- The Foster Parent
- The guardian
- Obtaining acknowledgement
- No parent or guardian present

114 Patient Rights: Access to PHI
Access to PHI:
- State minor consent laws
- Foster parents
- Child and Family Services
- Other county agencies
- The abusive parent
- Care providers

115 Patient Rights: Access to PHI
Access to billing records:
- Parent vs. Guarantor

116 Telephone Disclosures
- Difficulty in using social security numbers for children
- Inpatient: telephone disclosure code
- Outpatients: birthdate and current address
- The ED for security and operational purposes does not release any information over the telephone

117 Release of PHI Without an Authorization
People involved in care or payment for care:
- Designated by patient/parent
- Present during discussion
- Assumed by circumstances and in our best judgment this would be permitted by patient/parent

118 Disclosure of PHI: The HIPAA Authorization
- Components of a Valid Authorization
- HIPAA requires several new components

119 Requests for PHI by the Patient/Parent/Guardian
- Requests from the patient/parent/guardian for disclosure of PHI, including copies of medical records, must be on a HIPAA Authorization Form or other form or in writing
- Copy fees can be charged in amounts in accordance with PA law

120 Requests By Minors
- Emancipated Minor
- PA Medical Consent of Minor Law

121 Requests By Minors
Under Pennsylvania law, a minor has right to consent to medical treatment for him/herself or his/her child without parental consent if the minor:
- is or has been pregnant;
- has graduated from High School;

122 Requests By Minors
- is married;
- is in the military; or
- is seeking testing or treatment for:
  - Pregnancy
  - Sexually transmitted or other reportable diseases

123 Requests By Minors
  - Drug and alcohol abuse
  - If 14 years or older, for mental health voluntary or involuntary inpatient treatment or involuntary outpatient treatment
A minor that has been emancipated by order of court shall produce a copy of such order prior to the release of PHI.

124 Patient Rights Regarding Medical And Billing Records
- Patient Request for Confidential Communications
  - Adolescent medicine
- Patient Request for an Accounting of Disclosures
  - Counting requests when dealing with multiple parents
  - What is once per year

125 Accounting of Disclosures of PHI
- Child Abuse
  - Are such requests included?
  - State preemption

126 CONTACT INFORMATION
Betsy Hall (502)
Jodi Innocent (412)
Marti Arvin (502)

127 QUESTIONS
More informationNotice of Privacy Practices
Notice of Privacy Practices Effective September 23, 2013 TCHC.org An equal opportunity employer and provider. CLINICS Baxter Bertha Henning Ottertail Sebeka Verndale Wadena HOSPITAL Wadena 415 Jefferson
More informationRECEIPT OF NOTICE OF PRIVACY PRACTICES WRITTEN ACKNOWLEDGEMENT FORM. I,, have received a copy of Dr. Andy Hand s Notice of Privacy Practice.
Central Texas Institute Of Plastic Surgery, PA Dr. Andy Hand, M.D. Plastic and Reconstructive Surgery Cosmetic Plastic Surgery RECEIPT OF NOTICE OF PRIVACY PRACTICES WRITTEN ACKNOWLEDGEMENT FORM I,, have
More informationHIPAA Privacy Rule. Best PHI Privacy Practices
HIPAA Privacy Rule Best PHI Privacy Practices Learning Objectives Define the acronym HIPAA. Understand your role and responsibilities under the privacy regulations. Know what patient s rights are in terms
More information