Module: Research and HIPAA Privacy Protections (7-18-11)

HIPAA's protections focus on individually identifiable health information. HIPAA defines identifiable health information as information in "any form or medium" that "relates to (1) the past, present, or future physical or mental health or condition of an individual; (2) the provision of health care to an individual; or (3) the past, present, or future payment for the provision of health care to an individual."

HIPAA's protections reach only a subset of individually identifiable health information, formally called protected health information or simply "PHI", created in or by what HIPAA calls covered entities. Covered entities include individual health providers, health provider organizations, health plans, and health information clearinghouses that engage in electronic health care transactions.

HIPAA's regulations set requirements for use and disclosure of PHI by covered entities, and by extension on all members of a covered entity's workforce that have contact with PHI. Covered entities must also establish contractual requirements for data protection on business associates (and by extension on the workforce of business associates) that perform functions using PHI on the covered entity's behalf.

HIPAA defines research as any "systematic investigation, including research development, testing, and evaluation, designed to develop and contribute to generalizable knowledge." Not all kinds of research-like activity are included in this definition.

A covered entity may choose to rely on:
- An IRB to assess compliance with both the FDA/Common Rule requirements and the HIPAA research requirements.
- A Privacy Board to handle some research-related issues: determinations about eligibility for waivers, alterations, and exemptions from authorization processes.
- A designated Privacy Officer.

1. Waiver or alteration of the authorization requirement is granted by an IRB/Privacy Board because of minimal risk, and other criteria are met.
2. Research is used solely for activities preparatory to research, and certain representations are obtained from the researcher.
3. Only deceased persons' information is used, and certain representations are obtained.
4. Only de-identified data is involved, by meeting set criteria or with independent validation of de-identification (a.k.a. "anonymization").
5. Research is conducted with a limited data set under an approved data use agreement.
6. It is grandfathered research where all legal permissions were in place before HIPAA took effect.

Use or disclosure of the PHI involves no more than minimal risk to the privacy of the research subjects, based on the following elements:
- An adequate plan to protect any data identifiers from improper use and disclosure.
- An adequate plan to destroy data identifiers at the earliest opportunity consistent with conduct of the research (unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law).

- Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by HIPAA.
- The research could not practicably be conducted without the PHI.
- The research could not practicably be conducted without the waiver.

HIPAA provides for two more exceptions to the authorization requirement for identifiable data:
- Where the PHI will be used solely for reviews preparatory to research (e.g., for protocol development) and will not leave the covered entity.
- Where the PHI refers solely to deceased persons (the covered entity may ask for documentation of death of all data subjects).

A researcher may use fully de-identified information without any authorization. De-identified information is no longer considered PHI, because it is no longer individually identifiable.

A limited data set must have all direct identifiers removed; however, it may still include information that could "indirectly" identify the subject using statistical methods.

If all informed consents and other legal permissions required at the time were in place before HIPAA took effect (April 2003 in most cases), and have not changed since, no new HIPAA authorization is required.

The minimum necessary standard states that the uses/disclosures must be no more than the minimum required for the described research purpose. Uses and disclosures of data for research that are allowed to bypass the authorization requirement are still subject to the minimum necessary standard.

Where the study involves more than 50 subjects' records, the disclosure accounting requirement can be met by the covered entity providing data subjects with:
- A list of all protocols for which their PHI may have been disclosed, along with the timeframe for those disclosures.
- The purpose of those protocols, and the types of PHI sought.
- The researcher's name and contact information for each study.

If a research activity meets none of the bypassing criteria, an authorization is required. When they are required, authorizations must be:
- In "plain language" so that individuals can understand the information contained in the form, and are thus able to make an informed decision.
- Executed in writing, and signed by the research subject.

Like other kinds of HIPAA authorizations, those for research may be revoked by the subject at any time, provided that the revocation is in writing.

It is still permissible under HIPAA to discuss recruitment into research with patients for whom such involvement might be appropriate. This common practice is considered to fall within the definition of treatment, at least when the conversation is undertaken by one of the patient's health care providers.

HHS has reiterated in its guidance that use or disclosure of PHI for retrospective research studies may be done only with (1) patient authorization, or (2) a waiver, alteration, or exception determination from an IRB or Privacy Board.

HIPAA privacy protections supplement those of other federal regulations (e.g., the Common Rule and FDA), state law, and certification/accreditation requirements. HIPAA only protects identifiable health information from covered entities. Not all identifiable health information is protected health information (PHI).

Under HIPAA, research activity using PHI generally requires authorization. However, there are several alternatives that allow bypassing the authorization requirement. Minimum necessary standards, disclosure accounting requirements, and the characteristics of authorizations (when required) must be understood by researchers when HIPAA applies.