The Impact of The HIPAA Privacy Rule on Research

The Impact of The HIPAA Privacy Rule on Research
This is simplification?
Upstate Medical University

WHAT HASN'T CHANGED
- All research involving human subjects must be reviewed and approved by the IRB.
- The common rule (45 CFR 46) is still our guide.

The Privacy Rule
- Protects the privacy of individually identifiable health information by establishing conditions for its use and disclosure.
- When/If the regs conflict, the one with the highest privacy protection for the subject wins.

The Privacy Rule & Research
The Privacy Rule adds an additional layer of protection and regulations to human subject research.

HIPAA SPEAK
1. Individually Identifiable Health Information (IIHI): Health information + Identifiers (18 defined) = IIHI
2. De-identified information: Health information − Identifiers (all 18) = De-identified
3. Use (of IIHI): Sharing within the entity. For example, when members of the covered entity's workforce share IIHI.
4. Disclosure (of IIHI): Sharing outside the entity. For example, sharing IIHI with someone who is not a member of the covered entity's workforce.

What Are The 18 Identifiers?
1. Name - including initials (of the individual, relatives, employer, etc.)
2. Address (street, town or city, state, and zip)
3. Telephone numbers
4. Fax numbers
5. Social security numbers
6. Dates related to an individual, except for years (birth date, admission date, date of death, ages > 89 and all elements of dates indicative of such age).
7. Electronic mail (e-mail) addresses
8. Web universal resource locators (URLs)
9. Internet protocol (IP) address #s
10. Medical record numbers
11. Health plan beneficiary numbers
12. Account numbers
13. Certificate/license numbers
14. Vehicle identifiers and serial numbers (e.g., VINs, license plate numbers)
15. Medical device identifiers and serial numbers.
16. Biometric identifiers (e.g., finger or voice prints)
17. Full face photographic images (and any comparable images)
18. Any other unique identifying number, characteristic, or code*

HIPAA SPEAK
The Minimum Necessary Standard
- Uses and disclosures of IIHI must be limited to the Minimum Necessary to achieve the research purpose.
- The minimum necessary requirement is applicable in certain situations.

HIPAA SPEAK
Accounting For Disclosures
A covered entity is generally required to account for disclosures of IIHI made without Authorization. The accounting requirement also includes:
- Disclosures to public health authorities
- Most disclosures mandated by law.

What Research Is Subject to The Privacy Rule?
- All human subject research which involves the use of IIHI.
- Decedent's IIHI

What Research Is Not Subject to The Privacy Rule?
- De-identified health information.
- Biological specimens (may apply to associated information).

The Impact of the Privacy Rule on Research
The Privacy Rule permits covered entities to use and disclose IIHI for research under the following conditions:
1. With individual authorization, or
2. Without individual authorization, under certain limited circumstances.

Using and/or disclosing IIHI WITH Authorization @ Upstate
- Authorization is combined with the informed consent document.
- Must contain required information & statements.
- Must be for a specific research study - blanket Authorization NOT permitted.
- Requests to bank AND use data/specimens for future unknown research will not be allowed. You can only ask permission to bank.
- No expiration date for the authorization is required.

Retention of Signed Authorization
- Signed authorizations must be retained for six years from the date signed or from the date when last in effect, whichever is later.
- If there is no specific expiration date, the authorization form should be kept indefinitely.

Additional Requirements when Obtaining Consent/Authorization
- Research subjects must be given a copy of the Notice of Privacy Practices (NOPP) when consent/authorization is obtained.
- The researcher must provide the subject with a signed copy of the consent/authorization document.

Using and/or disclosing IIHI WITH Authorization
If you obtain authorization:
- The Minimum Necessary Requirement does not apply.
- The Accounting for Disclosures Requirement does not apply (if consent/authorization form is correct).

Options for using and/or disclosing IIHI WITHOUT Authorization
1. De-identification.
2. Limited Data Set with Data Use Agreement.
3. Waiver of Authorization.

De-identification
- The Privacy Rule does not apply to de-identified health information.
- The Privacy Rule does not apply to coded health information.
To de-identify:
1. Remove all 18 defined identifiers, with no knowledge that the remaining information can identify the individual.
2. Statistically de-identified information, where a statistician certifies that there is a very small risk that the information could be used to identify the individual.

De-identification
3. Code information - may assign a code or other means of record identification to allow information to be re-identified provided that:
   i. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
   ii. The code is not used or disclosed for any other purpose and the mechanism for re-identification is not disclosed.
NOTE: Even though the Privacy Rule does not apply to such coded information, the common rule considers coded information to be indirectly identifiable. Therefore, even if a researcher de-identifies information via coding, a protocol should be submitted to the IRB.

Limited Data Set
- A set of data which is not fully de-identified.
- To use a limited data set, a Data Use Agreement (DUA) must first be in place with the recipient of the information (can be researcher or outside entity, e.g., registry).

Identifiers which may be used and disclosed with a Limited Data Set
1. Names (any, and all elements of)
2. Address (street, town or city, state, and zip)
3. Telephone numbers
4. Fax numbers
5. Social security numbers
6. Dates related to an individual, except for years (birth date, admission date, date of death, ages > 89 and all elements of dates indicative of such age).
7. Electronic mail (e-mail) addresses
8. Web universal resource locators (URLs)
9. Internet protocol (IP) address numbers
10. Medical record numbers
11. Health plan beneficiary numbers
12. Account numbers
13. Certificate/license numbers
14. Vehicle identifiers and serial numbers (e.g., VINs, license plate numbers)
15. Medical device identifiers and serial numbers.
16. Biometric identifiers (e.g., finger or voice prints)
17. Full face photographic images (and any comparable images)
18. Any other unique identifying number, characteristic, or code.

Data Use Agreement
The Data Use Agreement defines the permissible uses/disclosures of the LDS by the recipient, defines who can use or receive the data, and requires the recipient to assure that data will not be re-identified and that individuals will not be contacted.

Limited Data Set
If you use a Limited Data Set:
- The Minimum Necessary Requirement does apply.
- The Accounting for Disclosures Requirement does not apply.

Waiver of authorization
The IRB can waive the requirement to obtain authorization for use or disclosure of IIHI if the following criteria are met:
1. The use and/or disclosure of IIHI for the research involves no more than minimal risk to the privacy of individuals, based on:
   - an adequate plan to protect identifiers from improper use,
   - an adequate plan to destroy identifiers at the earliest opportunity, and
   - adequate written assurances that health information will be protected;
2. The research could not practicably be conducted without the waiver or alteration; and
3. The research could not practicably be conducted without access to and use of the health information.

Waiver of authorization
If you have a waiver:
- The Minimum Necessary Requirement applies.
- The Accounting for Disclosures Requirement applies.

Accounting for Disclosures
The researcher must record for each disclosure:
- List of individuals.
- Date of disclosure.
- Name of person/entity to whom the disclosure was made (including their address, if known).
- Description of the IIHI disclosed.
- Statement regarding the purpose for the disclosure.

Accounting for Disclosures: Modified Tracking
- For research involving the disclosure of IIHI from 50 or more subjects - modified tracking allowed.
- Do not have to maintain a list of specific individuals.

Accounting for Disclosures: Modified Tracking
The researcher must report to the Privacy Officer:
- Name of the protocol or research activity.
- Description (in plain language) of the research protocol/activity, purpose of the research, and criteria for selecting particular records.
- A description of the type of IIHI disclosed.
- Date or time period during which the disclosure(s) occurred, including the date of the last disclosure.
- Contact information (name, address and phone number) of the research sponsor and the recipient of the IIHI.

Research on Decedents
Not required to obtain authorization (from next of kin), waiver of authorization (from an IRB), or data use agreement.
The researcher must provide written representation that:
- The use/disclosure is sought solely for research on the IIHI of decedents,
- The IIHI requested for the use/disclosure is necessary for the research purposes, AND
- At the request of the covered entity, the researcher must provide documentation of the death of the individuals whose IIHI is sought.

Research on Decedents
- The Minimum Necessary Requirement applies.
- The Accounting for Disclosures Requirement applies.

Studies which are exempt from IRB review under the Common Rule
- The IRB will continue to screen studies for which an exemption from IRB review is requested.
- The IRB will continue to issue exemption letters, which confirm that studies meet the criteria for exemption under the common rule and comply with the Privacy Rule.

Requesting an exemption from IRB review for Chart Review or Specimen Research Studies
In order to be eligible for an exemption from IRB review, the research must be retrospective and anonymous.
1. Submit a letter, signed by a faculty member, requesting an exemption from IRB review to the IRB office, which briefly describes the project and includes the following information:
   - The dates of records/specimens to be reviewed (to establish that the study is retrospective).
2. Attach a completed de-identification form (IRB web site) to establish that the study is anonymous and to certify that the de-identification will only be done by Upstate faculty, staff or students.

Access to IIHI to Prepare a Research Proposal
Members of the Upstate workforce (faculty, staff & students) may access IIHI, without authorization, provided that:
- The IIHI is to be used solely to prepare a research protocol or for a similar purpose.
- The IIHI will not be removed from the covered entity.
- The IIHI is necessary for the research purposes.

Access to IIHI to Prepare a Research Proposal
- The Minimum Necessary Requirement applies.
- The Accounting for Disclosures Requirement applies.

Access to individually identifiable health information for research
Access to IIHI for research will be possible via one of the acceptable routes:
- authorization
- waiver of authorization
- de-identification
- limited data set

Access to individually identifiable health information for recruitment purposes
Most currently approved plans for recruiting research subjects will be in compliance with the Privacy Rule.

Common Rule Institutional Review Board Privacy Rule
1. Choose an Entree: EXEMPT, EXPEDITED, FULL BOARD
2. Choice must be based on criteria outlined in the common rule (45 CFR 46). IRB Review is based on the ethical principles (respect, beneficence, justice).
3. Pick an appropriate wine to complement your entree: AUTHORIZATION, WAIVER, DE-IDENTIFICATION, LIMITED DATA SET

IRB functions:
- Review all human subjects research.
- Review combined consent/authorization forms.
- Review exemptions using de-identified data (or LDSs when appropriate).
- Review requests for waivers of authorization.
Privacy Board functions:
- Review requests for access to IIHI for reviews preparatory to research.
- Review requests for access to decedent's IIHI for research.
- Execute data use agreements.