SCHOOL OF PUBLIC HEALTH HIPAA Privacy Training
Public Health and HIPAA
This presentation will address the HIPAA Privacy regulations as they affect the activities of the School of Public Health. It is imperative to comply with the HIPAA Privacy Rule in all aspects in order to ensure the public's trust and cooperation in School of Public Health activities.

School of Public Health Roles
When interacting with patients, SOPH can take on a number of different roles. These include, but are not limited to:
- Public health researcher
- Federal grant recipient
- Health educator
- State oversight agency
Each role carries with it unique regulatory responsibilities when protecting patient privacy.

School of Public Health Activities
- Louisiana Breast and Cervical Health Program
- Louisiana Cancer Control Partnership
- Louisiana Tumor Registry
- AIDS Education and Training Center (AETC)
- Nurse Family Partnership
- Tobacco Control Initiative
- SILLY Study (Study of Insulin sensitivity in Low-birth weight Louisiana Youth)

Research
Some public health activities may fall under the definition of research. When in doubt as to whether the public health activity undertaken is research, the LSUHSC-NO IRB must make a determination of whether the activity is human subjects research under the Common Rule and, therefore, the Privacy Rule. The following activities are not "research":
- Quality assessment and improvement activities, including outcomes evaluation and the development of clinical guidelines or protocols, fall under the category of health care operations provided the primary aim is not obtaining generalizable knowledge.
- Activities that aim primarily for generalizable knowledge of population health can fall into the category of public health activity.

Research (cont.)
Research is defined by the Common Rule as "systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. Activities which meet this definition constitute research for purposes of this policy, whether or not they are conducted or supported under a program which is considered research for other purposes. For example, some demonstration and service programs may include research activities." (45 CFR 46.102)
If the activity is research under the Common Rule, please contact the Office of Research Services and reference the HIPAA and Human Subjects Research Training Module for the proper handling of PHI.

Public Health Data Collection
Public health data collection is not directly linked to disease control activities. Data collection includes, but is not limited to:
- Vital records (births, deaths)
- Disease registries

Public Health Surveillance
Public health surveillance is "the systematic collection, analysis, interpretation, and dissemination of health data on an ongoing basis, to gain knowledge of the pattern of disease occurrence and potential in a community, in order to control and prevent disease in the community." Source: Centers for Disease Control (CDC)

HIPAA Privacy Rules Affect Public Health Surveillance
- Public Health Authorities
  - Definition of Public Health Authority
  - Minimum Necessary Requirement
- Public Health Disclosures without an Authorization
  - Child Abuse or Neglect
  - Person at risk of contracting or spreading a disease
  - Quality, safety or effectiveness of a product or activity regulated by the FDA
- Ways to Submit Information to Public Health Authorities
  - De-identified Information
  - Limited Data Sets
  - Full Data Sets
NOTE: Additional regulations affecting the Juvenile Justice Program are addressed in a separate presentation.

Disclosures for Public Health Activities
When disclosing information for public health purposes, LSUHSC-NO must consider the following:
- Whether the entity requesting the information is a public health authority or another agency authorized by law under HIPAA to collect the information.
- Whether the disclosure is subject to the minimum necessary requirement.
- Whether the disclosure requires a signed HIPAA authorization form from the individual.

What is a Public Health Authority?
A public health authority is "an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors, or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate."

Examples of Public Health Authorities
Examples of public health authorities are:
- Department of Health and Human Services (DHHS), National Institutes of Health (NIH), Health Resources and Services Administration (HRSA)
- State and local health departments (Louisiana Department of Health and Hospitals)
- The Food and Drug Administration (FDA)
- The Centers for Disease Control and Prevention (CDC)
- Occupational Safety and Health Administration (OSHA)
Contact the LSUHSC-NO Privacy Officer if you are unsure whether the entity requesting information is a public health authority.

Public Health Authorities (cont.)
Additionally, there may be some instances where LSUHSC-NO is the public health authority. For example, LSUHSC-NO is a public health authority in its role as the administrator of the Louisiana Tumor Registry. The Legislature created the Tumor Registry; therefore, as an entity, the Tumor Registry is acting under a grant of authority from the State and qualifies as a public health authority.

Minimum Necessary Requirement
When disclosing PHI for public health purposes, LSUHSC-NO is required to reasonably limit the information disclosed to the minimum necessary to accomplish the purpose. LSUHSC-NO is not required to make a minimum necessary determination if the public health disclosure is made pursuant to an individual's authorization or is required by other law.

Minimum Necessary Requirement (cont.)
LSUHSC-NO may reasonably rely on a minimum necessary determination made by a public health authority requesting PHI. LSUHSC-NO may develop specific procedures that address the types and amounts of PHI disclosed for routine and recurring public health disclosures. Should your area need assistance in developing procedures, contact the LSUHSC-NO Privacy Officer.

Authorization Requirement
In general, the HIPAA Privacy Rule requires LSUHSC-NO to obtain a signed HIPAA authorization form from the individual before disclosing his/her PHI. However, there are certain health disclosures for which obtaining an authorization is not required, such as treatment, payment, health care operations, and disclosures to the individual whom the information is about. If in doubt as to whether an authorization is needed, contact the LSUHSC-NO Privacy Officer or obtain an authorization from the individual.

Public Health Disclosures
LSUHSC-NO may make the following disclosures of PHI without a signed HIPAA authorization form from the individual:
- To a public health authority that is authorized by law to collect and receive information for the purposes of preventing or controlling disease, injury, or disability, including but not limited to: the reporting of disease, injury, and vital events such as birth or death; and the conduct of public health surveillance, public health investigations, and public health interventions;
- At the discretion of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;

Public Health Disclosures (cont.)
Under the Privacy Rule, LSUHSC-NO can also make public health disclosures without a signed HIPAA authorization form from the individual in cases where required by law. For example, the Louisiana Legislature passed R.S. 40:1299.80 et seq., which mandates the collection of information on cancer cases in the state of Louisiana. This law requires healthcare providers to submit diagnostic, treatment, and follow-up information on cancer cases to the Louisiana Tumor Registry or its regional registries.

Public Health Disclosures (cont.)
Reporting of child abuse and neglect
LSUHSC-NO may report known or suspected child abuse or neglect if the report is made to a public health authority or other appropriate government authority that is authorized by law to receive such reports. For example, the Louisiana Department of Social Services has the legal authority to receive reports of child abuse or neglect. The Privacy Rule allows LSUHSC-NO to report such cases to that authority without obtaining an authorization from the individual.

Public Health Disclosures (cont.)
Persons at risk of contracting or spreading a disease
LSUHSC-NO may disclose PHI to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if other law authorizes LSUHSC-NO to notify such individuals as necessary to carry out public health interventions or investigations.

Public Health Disclosures (cont.)
Quality, safety, or effectiveness of a product or activity regulated by the FDA
Examples of purposes or activities for which such disclosures may be made include, but are not limited to:
- Collecting and reporting adverse events (or similar activities regarding food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations
- Tracking FDA-regulated products
- Enabling product recalls, repairs, or replacement, or lookback (including locating and notifying persons who have received products that have been withdrawn, recalled, or are the subject of lookback)
- Conducting post-marketing surveillance

Ways to Submit the Information to Public Health Authorities
- De-identified Data
- Limited Data Sets
- Full Data Sets

De-identified Information
To submit to a public health authority, LSUHSC-NO may take PHI and remove all direct and indirect identifiers so as to eliminate, or make highly improbable, re-identification using statistical techniques. Once the PHI is de-identified, the information is no longer subject to the Privacy Rule and may be disclosed freely.

Direct Identifiers
- Names
- Postal address information, other than town or city, State, and zip code
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code

Indirect Identifiers
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same initial three digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.

Statistical Standard Option
HIPAA provides that LSUHSC-NO may determine that health information is not individually identifiable if:
- A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information; and
- That person documents the methods and results of the analysis that justify such determination.
If you feel you need to utilize this option, you must contact the LSUHSC-NO Privacy Officer BEFORE any disclosure of information occurs.

Re-identification of Data
LSUHSC-NO may assign a code or other means of record identification to allow de-identified information to be re-identified, provided the code is not derived from, or related to, the removed identifiers. Only LSUHSC-NO will hold the re-identification information, and it must be closely guarded to prevent unauthorized disclosure of PHI. If the data is re-identified, the information once again becomes subject to all the requirements of the Privacy Rule.

Where to find LSUHSC-NO policy and procedures on De-identification of PHI?
LSUHSC-NO's HIPAA Policies and Procedures on De-identification of PHI are contained in Chancellor's Memorandum (CM) 53 and may be found at:
- Policy O: De-identification of Protected Health Information
  http://www.lsuhsc.edu/no/administration/cm/cm-53/Deidentification1.aspx
- Policy O Attachment A: Request for De-identified Information
  http://www.lsuhsc.edu/no/administration/cm/cm-53/pdf/AttachmentA-Deidentification.pdf
- Policy S Attachment D: Principal Investigator's Request De-identification form for Approved Exempt Research
  http://www.lsuhsc.edu/no/administration/cm/cm-53/pdf/AttachmentD-InstitutionalReviewBoard.pdf

Limited Data Sets
LSUHSC-NO may disclose PHI in a limited data set (LDS) to a researcher who has entered into an appropriate data use agreement. An LDS must have all direct identifiers removed; it may still include information that could indirectly identify the subject using statistical methods.
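The Safe Harbor rules from the Direct/Indirect Identifiers and Re-identification slides, and the looser limited data set, worked through on one record. This is an added example, not LSUHSC-NO's code or policy: the field names, the set of small 3-digit ZIP areas, the as-of date and the sample record are all constructed for illustration.

```python
import secrets
from datetime import date

# Fields holding the slide's direct identifiers. Field names are this example's
# assumption, not LSUHSC-NO's record layout.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}
# Geographic subdivisions smaller than a state: kept in a limited data set,
# removed under Safe Harbor (only the ZIP prefix survives).
GEO_FIELDS = {"city", "county", "precinct"}
# Constructed stand-in for the Census lookup: 3-digit ZIP areas holding 20,000
# or fewer people. Real determinations must use current Census data.
SMALL_ZIP3_AREAS = {"036", "059", "102"}
AS_OF = date(2020, 1, 1)  # date on which ages are computed (constructed)

# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "email": "jane@example.org", "street_address": "1 Example St",
    "city": "New Orleans", "state": "LA", "zip": "70112",
    "birth_date": date(1929, 3, 4), "admission_date": date(2019, 6, 2),
    "diagnosis": "C50.9",
}

def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or '000' when that area has 20,000
    or fewer people; anything shorter than three digits is dropped."""
    digits = "".join(ch for ch in str(zip_code or "") if ch.isdigit())
    if len(digits) < 3:
        return None
    return "000" if digits[:3] in SMALL_ZIP3_AREAS else digits[:3]

def age_on(birth_date, as_of):
    """Whole years of age on the given date."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years

def limited_data_set(record):
    """Strip only the direct identifiers. Dates, city, ZIP and age remain, so
    the result is still PHI and is released only under a data use agreement."""
    return {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIER_FIELDS}

def safe_harbor(record, as_of, key_map):
    """Apply the Safe Harbor rules to one record and file a random
    re-identification code in key_map, which only the covered entity holds."""
    age = record.get("age")
    if age is None and isinstance(record.get("birth_date"), date):
        age = age_on(record["birth_date"], as_of)
    over_89 = age is not None and age > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in GEO_FIELDS or field == "age":
            continue
        if field == "zip":
            out[field] = generalize_zip(value)
        elif isinstance(value, date):
            # Dates tied to the individual keep the year only; for someone over
            # 89 even the birth year is indicative of age and is removed.
            if not (over_89 and field == "birth_date"):
                out[field] = value.year
        else:
            out[field] = value  # clinical content is not an identifier
    if age is not None:
        out["age"] = "90+" if over_89 else age
    # A random code is "not derived from, or related to" the removed identifiers.
    code = secrets.token_hex(8)
    key_map[code] = record  # the original stays inside the covered entity
    out["record_code"] = code
    return out
```

Running `safe_harbor(SAMPLE, AS_OF, {})` on the sample leaves only state, a 3-digit ZIP, the admission year, the diagnosis, the "90+" age bucket and the random code; `limited_data_set(SAMPLE)` keeps the city, full ZIP and full dates, which is why an LDS still needs a data use agreement.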

Data Use Agreement
LSUHSC-NO must condition the disclosure of the LDS on the execution of a data use agreement. The data use agreement must:
- establish the permitted uses and disclosures of such information by the recipient, consistent with the purposes of the research;
- limit who can use or receive the data;
- require the recipient to agree not to re-identify the data or contact the individuals.

Where to find LSUHSC-NO's HIPAA policies and procedures on Limited Data Sets and Data Use Agreements?
LSUHSC-NO's HIPAA Policies and Procedures on Limited Data Sets and Data Use Agreements are contained in Chancellor's Memorandum (CM) 53 and may be found at:
- Policy N: Limited Data Set
  http://www.lsuhsc.edu/no/administration/cm/cm-53/LimitedDataSet14.aspx
- Policy N Attachment A: Limited Data Set Request and Data Use Agreement
  http://www.lsuhsc.edu/no/administration/cm/cm-53/pdf/AttachmentA-LimitedDataSetRequest.pdf

Full Data Sets
The Privacy Rule allows LSUHSC-NO to disclose directly identifiable PHI, such as name, address and Social Security number, for public health purposes. However, because of the security and privacy risks associated with the transfer of this sensitive information, the LSUHSC-NO Privacy Officer and LSUHSC-NO Security Officer MUST be contacted before any transmission of full data sets takes place.

Penalties for HIPAA violations
There is a tiered system for assessing the level and penalty of each violation:
- Tier A: violations that are accidental, not intentional. Fines of $100 per violation, up to $25,000 for violations of an identical type per calendar year.
- Tier B: violations due to reasonable cause and not willful neglect. Fines of $1,000 per violation, up to $50,000 for violations of an identical type per calendar year.

Penalties for HIPAA violations (cont.)
- Tier C: violations due to willful neglect of the policies/procedures that the hospital corrected. Fines of $10,000 per violation, up to $250,000 for violations of an identical type per calendar year.
- Tier D: violations due to willful neglect that the hospital did not correct. Fines of $50,000 per violation, up to $1.5 million for violations of an identical type per calendar year.

Additional Penalties
Loss of your job or student status. Individuals and health care providers (hospitals, etc.) can also face civil and criminal prosecution, depending on the facts of the case.

Role of Privacy Officer
- Responds to HIPAA privacy complaints
- Implements policies and procedures
- Conducts educational programs
- Reviews LSUHSC's privacy program
- Is available to answer any privacy questions or concerns

Reporting a HIPAA violation
If anyone suspects or knows of mishandling or misuse of patient PHI, a complaint can be made by contacting the LSUHSC-NO Privacy Officer or the Office of Compliance Programs:
- Telephone, office: (504) 568-2350
- Confidential reporting hotline: (504) 568-2347
- E-mail: nocompliancehotline@lsuhsc.edu

Questions? We Are Here to Help!
Office of Compliance Programs
433 Bolivar St., Suite 807
New Orleans, LA 70112
568-2350