Navigating HIPAA Regulations. Michelle C. Stickler, DEd Director, Research Subjects Protections


Navigating HIPAA Regulations Michelle C. Stickler, DEd Director, Research Subjects Protections mcstickler@vcu.edu 828-0131

Key Definitions
- Covered Entity: Organization that handles identifiable health information AND participates in certain electronic transactions (e.g., payments, billing, claims, etc.)
- VCU Affiliated Covered Entity (VCUACE): VCUHS and parts of VCU have combined for the purposes of compliance with the Privacy Act

VCU Affiliated Covered Entity

Key Definitions
- Protected Health Information (PHI): Individually identifiable health information that is obtained or used for treatment, payment or health care operations in a covered entity.
- Research Related Health Information (RRHI): Health information that is identifiable AND obtained entirely for research purposes.

Individually Identifiable Data
- Any one of the 18 identifiers makes health information identifiable

HIPAA Identifiers
1. Names
2. All geographic subdivisions smaller than a state (some exceptions for the first 3 digits of the zip code)
3. All elements of dates (except year) for dates directly related to an individual: birth date; admission and discharge dates; date of death; all ages over 89 and all elements of dates (including year) indicative of such age (ages 90+ can be categorized into a single category of 90 or older)
4. Telephone numbers
5. Facsimile numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locators (URLs)
15. Internet protocol (IP) address numbers
16. Biometric identifiers, including fingerprints and voiceprints
17. Full-face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification

Pathways to Access PHI for Research
- De-identified data (none of the 18 identifiers)
- Review preparatory to research
- Limited data set
- Signed participant authorization
- Partial waiver of authorization
- Waiver of authorization
- Research with decedents

De-identified Data
- Any health information that does not contain any of the 18 identifiers
- De-identified data is not subject to HIPAA regulations
- Two methods of de-identification:
  - Safe harbor (no identifiers)
  - Statistical analysis with attestation: if an identifier is present, a statistician can use accepted methods for analysis and certify that there is little likelihood of re-identification

De-Identified Data: Coded Data
- If all 18 identifiers are coded or removed and the individual cannot be reasonably identified, the data are considered de-identified
- The link field cannot be related to any identifiers
- The researcher cannot maintain the key or code link
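The safe harbor method described in the identifier list and the two de-identification slides above, as an added worked example (not code from the presentation or from VCU): it drops direct-identifier fields, truncates the zip code to three digits, reduces dates to the year, buckets ages over 89 into "90+", and then scans the remaining free-text fields for identifiers that field-level removal misses. The sample record, the field names, and the `RESTRICTED_ZIP3` set are constructed placeholders for the example only.

```python
import re
from datetime import date
# Constructed sample record (fictitious values, not data from the presentation).
SAMPLE = {"name": "Jane Doe", "zip": "23298", "birth_date": "1928-03-14",
          "admission_date": "2015-06-02", "phone": "804-555-0199", "mrn": "MRN0012345",
          "notes": "Follow-up call to 804-555-0199 scheduled", "diagnosis": "Type 2 diabetes"}

# Field names holding direct identifiers (names, phone/fax, e-mail, SSN, MRN, ...): dropped.
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn", "account", "url", "ip"}

# Assumed placeholder for the three-digit zip prefixes safe harbor reports as 000 (real list comes from Census data).
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Patterns that catch identifiers leaking through free-text fields (SSN, phone, e-mail).
LEAK_PATTERNS = [re.compile(p) for p in (r"\b\d{3}-\d{2}-\d{4}\b", r"\b\d{3}-\d{3}-\d{4}\b",
                                         r"[\w.+-]+@[\w-]+\.[\w.]+")]

def safe_harbor_zip(zip_code: str) -> str:
    # Keep only the first three digits, or 000 if that prefix is restricted.
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def safe_harbor_age(birth_date: str, as_of: date) -> str:
    # Ages over 89 collapse into a single "90+" bucket.
    born = date.fromisoformat(birth_date)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else str(age)

def deidentify(record: dict, as_of: date) -> dict:
    # Apply safe harbor to one record: drop direct identifiers, generalize zip and dates.
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        elif field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field == "birth_date":
            out["age"] = safe_harbor_age(value, as_of)
            if out["age"] != "90+":          # a birth year indicative of age 90+ must go too
                out["birth_year"] = value[:4]
        elif field.endswith("_date"):
            out[field[:-5] + "_year"] = value[:4]   # only the year may remain
        else:
            out[field] = value
    return out

def residual_identifiers(record: dict) -> list:
    # Free-text values that still match an SSN, phone or e-mail pattern (identifier leakage).
    return [v for v in record.values() if isinstance(v, str) and any(p.search(v) for p in LEAK_PATTERNS)]
```

Running `residual_identifiers(deidentify(SAMPLE, date(2019, 1, 1)))` still flags the `notes` field, which is the point: a record is not de-identified until free text has been reviewed as well as the structured columns.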

De-Identified Data & Approval
- Submit IRB Appendix A - HIPAA with the IRB application

Review Preparatory to Research
- Used to review PHI for study feasibility
- Not intended for collecting contact information for recruitment
- May not remove PHI from the covered entity

Review Prep to Research Approval
- Submit the Review Prep form to ORSP for administrative approval
- Expires 6 months after approval; may reapply

Limited Data Set
- Excludes all identifiers EXCEPT:
  - Geographic information (city, state, zip but not street address)
  - Dates such as birth dates, admission dates, etc.
  - Other unique identifiers, not including the other 16 identifiers on the list
- Encouraged when direct participant contact is not required and the study can get by with limited identifiers

Limited Data Set Approval
- Submit with the IRB application:
  - Appendix A - HIPAA
  - Data Use Agreement
- IRB will approve use and the signed data use agreement will be returned to the PI
- Applies to VCU / VCUHS researchers when accessing a limited data set from the VCU ACE

Signed Authorization
- Required Elements:
  - Identify what PHI is being requested (study specific)
  - Who will release it
  - Who it will be released to
  - Why / what you will do with it
  - Expiration (date or event)
  - Signature and date
  - Right to revoke
- Cannot condition treatment on release, but can refuse research unless access is authorized

Signed Authorization Approval
- Submit:
  - Appendix A - HIPAA
  - Integrated ICF / Authorization OR Separate ICF / Authorization
- Templates available:
  - Biomedical ICF template includes an authorization language option
  - Stand-alone HIPAA authorization template available on the HIPAA guidance page

Partial Waiver of Authorization
- Means waiving authorization to make initial contact, followed by signed authorization at time of enrollment
- Used for review of PHI to collect contact information for recruitment purposes

Partial Waiver Approval
- Submit with the IRB application:
  - Appendix A - HIPAA
  - Integrated ICF / Authorization OR Separate ICF / Authorization

Waiver of Authorization or Elements
- Used when obtaining signed authorization for use of PHI in the study is not practicable or feasible
- Generally would apply when a waiver of consent is appropriate

Waiver of Authorization Approval
- Submit with the IRB application: Appendix A - HIPAA

Research on Decedents' PHI
- Unlike the Common Rule, HIPAA regulations cover PHI of deceased individuals
- Applies to studies accessing PHI of decedents ONLY
- Does not apply if the study will access PHI of both decedents and living individuals; the IRB application will cover this situation

Research on Decedents Approval
- Submit the Research with Decedents form to ORSP for administrative approval
- Does not require IRB approval

Accounting of Disclosures
- Patients have a right to know to whom PHI has been disclosed
- Applies when using:
  - Waiver of authorization
  - Disclosures required by law
  - Disclosures for public health purposes

Accounting of Disclosures
- If you are conducting research with a waiver of authorization, you need to keep a record of any and all disclosures outside of the research team:
  - Names/lists
  - Dates of disclosures
  - To whom disclosure was made
  - Brief description of what was disclosed
  - Brief description of why disclosed
- Retain records for a minimum of 6 years past study closure

Accounting of Disclosures: Modified Tracking Mechanism
- 50 or more participants (with waived authorization)
- Do not need a list of each participant
- Do need to record:
  - Name of protocol
  - Types of PHI disclosed
  - Dates of disclosure
  - Contact info for recipients
  - Statement that a specific individual's PHI may / may not have been disclosed

HIPAA Record Keeping
- HIPAA authorizations and accounting of disclosure information must be maintained for 6 years past study closure

Security of PHI: Data Storage
- Prevent unauthorized access
- Do not leave computer or research folders unattended
- Store in locked files or locked rooms (at all times)
- Do not store in publicly accessible areas
- Do not take home on an unencrypted laptop
- For more information on securing data via technology: http://www.medschool.vcu.edu/technology/infosecurity/

Security of PHI: Data Transfer
- Electronic: PHI transferred securely encrypted
  - Make sure it goes to the right person
  - Make sure it remains secure until received
  - Questions contact
- Ground mail:
  - Send encrypted data (jump drives available from the Office of Compliance)
  - Insured carrier
  - Receiving signature required
  - Package tracking service

Security of PHI: Data Destruction
- Paper: dispose of by shredding
- Electronic records: must destroy with multiple overwrite steps to erase; contact IT for assistance

Non-Compliance

Violation Category               Each Violation      All such violations of an identical provision in a calendar year
Did not know                     $100-$50,000        $1,500,000
Reasonable cause                 $1,000-$50,000      $1,500,000
Willful Neglect - Corrected      $10,000-$50,000     $1,500,000
Willful Neglect - Not Corrected  $50,000             $1,500,000

Non-Compliance Examples
- $4.3 Million penalty to Cignet Health for denying patients access to their medical records and not cooperating with the investigation
- $1 Million penalty to Massachusetts General for failing to implement appropriate safeguards to protect privacy of PHI; uncovered via loss of an unencrypted laptop containing sensitive data

Questions or Comments?