HCCA PRIVACY COMPLIANCE FOCUS GROUP


HCCA PRIVACY COMPLIANCE FOCUS GROUP Industry Immersion Session 2005 Annual Institute New Orleans April 2005 1

DISCUSSION LEADERS
- Betsy Hall
- Jodi Innocent
- Marti Arvin

AGENDA
- 1:45 to 3:15  HIPAA and Research
- 3:15 to 3:30  Break
- 3:30 to 4:30  JCAHO standards and HIPAA
- 4:30 to 5:00  HIPAA and the Minor
- 5:00 to 5:45  Open Q & A Forum

Research and HIPAA

Objectives
- Research Privacy Breaches
- Human Subjects Research: Common Rule & FDA Regs
- Research under HIPAA
- State Law Pre-emption
- HIPAA Security
- Federal Penalties
- Where to Go for Help

Names of Donors Accidentally Included in Letter to Kidney Patients
University of Minnesota researchers violated the confidentiality of organ donors when they mailed surveys to 1,200 transplant recipients participating in a study and revealed the names of those who had donated their kidney to the recipients. A software upgrade was cited as the reason for the breach, apparently because it altered a feature that was supposed to suppress the donors' names.
~ Minneapolis Star Tribune, January 15, 2002

Complaints Shut Down Research
The federal Office for Protection from Research Risks suspended more than 1,000 studies at Virginia Commonwealth University for violating privacy by failing to gain the consent of research subjects and failing to adequately safeguard data.
~ The Washington Post, January 12, 2000

Research Leads to Disclosure
Robin Kaigh of New Jersey reported her father, a physician, agreed to allow slides of his cancer cells to be used in research. He was promised anonymity, but his name was entered into a computer associated with the slides, and colleagues quickly began calling to offer condolences.
~ National Journal, April 18, 1998

Human Subjects Research
What is research? A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. The definition is identical under HIPAA (45 CFR 160, 164) and the Common Rule (45 CFR 46).
What is a human subject? A living individual about whom an investigator who is conducting research obtains: data through intervention or interaction with the individual, or identifiable private information. (Common Rule, 45 CFR 46)

Your Actions Are Research When
- You plan to publish your results
- You plan to present your results at a conference
- Your actions are intended to improve upon a medical device, pharmaceutical product, or diagnostic aid
- Your actions are intended to compare patient outcomes
- Your actions require collecting patient information

Your Actions Are Not Research When
- Making public health disclosures to the FDA, local and state health departments and government authorities
- Reporting adverse events
- Tracking FDA-regulated products
- Recalling, repairing or replacing products
- Conducting post-marketing surveillance
  - Related to safety, quality or effectiveness of an FDA-regulated product
  - Does not permit disclosures to drug/device manufacturers to evaluate effectiveness of marketing
- Minimum Necessary applies

How Does HIPAA Affect Research?
HIPAA impacts how researchers and IRBs conduct their business:
- IRB oversight responsibilities increased
- Subject recruitment and getting PHI from providers impacted
- New paperwork and forms required
- Disclosure tracking required
- Relationship with sponsors affected

HIPAA Privacy Rule vs. the Common Rule & FDA Regulations
The HIPAA Privacy Rule builds upon existing Federal protections (the Common Rule and FDA Regulations) and creates equal standards of privacy protection for:
- Human Subjects Research governed by existing Federal human subject regulations
- Human Subjects Research not funded by Federal Agencies

HIPAA vs. Common Rule: Documentation Requirements
- HIPAA: Maintain records (written or electronic) of any communication, action, activity or designation required by the Privacy Rule for 6 years
- Common Rule: Maintain records for 3 years after completion of the study (including data analysis)

Research under HIPAA
6 ways to obtain patient information for research:
- HIPAA Research Authorization
- Partial Waiver/Waiver of Authorization
- De-identified Data
- Limited Data Set & Data Use Agreement
- Preparatory to Research
- Decedents

Research Authorization
- A HIPAA Research Authorization allows researchers to access protected health information of a specific patient
- Blanket authorizations for research to be conducted in the future are not permitted
- Each new use requires a specific authorization
- Accounting of Disclosures not required

Research Authorization
- Must contain required elements
- Obtain in addition to IRB/Common Rule informed consent (some IRBs combine consent and authorization)
- Exception for pre-existing written consent (see transition provisions)
- Revocable
- Can condition treatment related to research on an Authorization in connection with the study
- Expiration date or an expiration event that relates to the use or disclosure ("end of study" or "none" is sufficient)

Research Authorization
Research-related situations when a HIPAA Research Authorization is not required:
- Approved waiver
- Decedent research
- Preparatory to research
- Limited data set
- Treatment, Payment and Healthcare Operations (TPO)
- When required by law

Waiver of Authorization
- Ideal for retrospective medical record or identifiable database research where authorization is impractical
- If used for recruitment, authorization must be obtained upon enrollment
- Waiver granted by the IRB pursuant to criteria under normal or expedited review
- Different from an informed consent waiver
- Minimum Necessary Rule applies
- Accounting of Disclosures required

Partial Waiver of Research Authorization
- Ideal for participant screening and recruitment
- Requires IRB approval
- Does not eliminate the researcher's responsibility to obtain informed consent or authorization from the subject prior to enrollment
Criteria:
- The use or disclosure of protected health information involves no more than minimal risk to the individuals
- The research could not practicably be conducted without the waiver or alteration
- The research could not practicably be conducted without access to and use of the protected health information

De-identified Data
- Allows release of information without authorization
- Ideal for database research
- Not useful for longitudinal, epidemiological or outcomes studies
- Does not identify the individual
- De-identification is accomplished one of two ways:
  - A statistical expert determines and documents that the risk the information could be used to identify the individual is very small
  - 18 identifiers removed ("safe harbor"), including dates (e.g., date of birth, admission, discharge, service) and geocode information
- No Accounting of Disclosures required
- De-identification satisfies HIPAA requirements, not IRB requirements; IRB oversight is still required for de-identified data

De-identification of Data
Remove all 18 identifiers below:
1. Names
2. All geographic subdivisions smaller than a state
3. All elements of dates
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. URLs
15. IP addresses
16. Biometric identifiers
17. Full face photographic images and comparable images
18. Any other unique identifying number, characteristic, or code

De-identification of Data
A code is allowed for re-identification of PHI if:
- The code or other means of identification is not derived from or related to information about the individual and cannot be used to identify the individual; AND
- The covered entity does not use/disclose the code for any other purpose; AND
- The covered entity does not disclose the re-identification code.

Limited Data Sets (LDS)
Requires a Data Use Agreement, which assures the CE that the information will only be:
- Used for research, public health, or health care operations
- Disclosed to business associates
- Used/disclosed for limited purposes by the recipient

Limited Data Set
A limited data set for research, public health and health care operations:
- Can include: ZIP codes, geocodes, date of birth, date of admission/discharge/service, non-excluded identifiers
- Excludes: name, postal address (other than state, city, precinct, ZIP code, geocode), telephone #, fax #, email address, social security number, certificate #, license #, vehicle ID/serial number, URLs, IP address, full face or comparable images, medical record #, prescription #, health plan beneficiary #, account #, medical device identifiers and serial numbers, biometric identifiers, fingerprints, voiceprints
- Minimum Necessary Rule applies
- No Accounting of Disclosures required
- Requires Data Use Agreement
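The safe-harbor list, the re-identification code rule and the limited data set distinction above, as an added example that is not part of the presentation: a small Python de-identifier that strips the structured fields the slides name, scrubs identifiers hiding in free-text notes, and assigns a random re-identification code of the kind the slides permit. The record field names, regex patterns and sample record are constructed for this example.

```python
import hashlib
import re
import secrets
from typing import Dict

# Structured fields that are direct identifiers under the safe-harbor list.
# Field names are assumptions about a hypothetical record layout.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "face_photo",
}
# Fields a limited data set may keep (ZIP, geocode, city, dates) but that
# safe harbor removes (geography below state; dates, as the slides list them).
LDS_ONLY = {"city", "zip", "geocode", "dob", "admission_date", "discharge_date"}

# Identifiers that hide inside narrative text (identifier 18 covers "any other
# unique identifying number"); the patterns are constructed for this example.
FREE_TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def scrub_free_text(text: str, keep_dates: bool) -> str:
    """Replace identifier patterns in notes; dates survive only for a limited data set."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        if label == "DATE" and keep_dates:
            continue
        text = pattern.sub(f"[{label} REMOVED]", text)
    return text


def de_identify(record: Dict[str, str], limited_data_set: bool = False) -> Dict[str, str]:
    """Return a copy of the record as safe-harbor de-identified data, or as a
    limited data set when limited_data_set=True (dates and ZIP/geocode retained)."""
    out: Dict[str, str] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # excluded under both regimes
        if field in LDS_ONLY and not limited_data_set:
            continue                      # safe harbor strips these too
        if field == "notes":
            value = scrub_free_text(value, keep_dates=limited_data_set)
        out[field] = value
    return out


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def assign_reidentification_code(record: Dict[str, str],
                                 crosswalk: Dict[str, Dict[str, str]]) -> str:
    """Random code, not derived from the individual's data. The crosswalk that
    maps it back stays with the covered entity and is never disclosed."""
    code = secrets.token_hex(8)
    crosswalk[code] = {k: record[k] for k in ("name", "mrn") if k in record}
    return code


def code_is_derived_from_record(code: str, record: Dict[str, str]) -> bool:
    """Flag the common mistake of using an identifier, or a digest of one, as the
    code: anyone holding that identifier can recompute it and re-identify."""
    lowered = code.lower()
    for field in DIRECT_IDENTIFIERS:
        value = record.get(field)
        if not value:
            continue
        if value.lower() in lowered or lowered == sha256_hex(value):
            return True
    return False


# Constructed sample record (fictitious data, not from any real source).
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0004471",
    "ssn": "123-45-6789",
    "dob": "1950-03-14",
    "admission_date": "2004-11-02",
    "discharge_date": "2004-11-09",
    "city": "Louisville",
    "zip": "40202",
    "state": "KY",
    "diagnosis": "Chronic kidney disease",
    "notes": "Pt reachable at 502-555-0147; son emailed j.sample@example.org on 11/2/2004.",
}

if __name__ == "__main__":
    print("safe harbor:", de_identify(SAMPLE))
    print("limited data set:", de_identify(SAMPLE, limited_data_set=True))
    crosswalk: Dict[str, Dict[str, str]] = {}
    code = assign_reidentification_code(SAMPLE, crosswalk)
    print("code:", code, "derived?", code_is_derived_from_record(code, SAMPLE))
    print("digest-of-MRN derived?", code_is_derived_from_record(sha256_hex("MRN-0004471"), SAMPLE))
```

The safe-harbor rule itself permits the year of a date to remain; the slides list dates wholesale, and that stricter reading is what the code applies.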

Data Use Agreement
- Similar to a Business Associate Agreement
- Defines who can use or receive data
- Defines for what purpose the data may be used
- Recipient agrees not to re-identify data or contact data subjects
- Recipient agrees to report improper uses/disclosures
- Recipient agrees to pass on privacy obligations to contractors
- Assures data will be safeguarded and not used for unauthorized purposes

Preparatory to Research
- Ideal for designing a research study, assessing the feasibility of doing a study, and planning recruitment activities
- Allows researchers to access PHI without authorization from the subject
- Researcher must provide the covered entity a written representation that the use/disclosure of PHI is solely to prepare a research protocol or for similar purposes preparatory to research, and that the access is necessary to conduct the research
- Researcher may not remove, download, print or copy any PHI from the covered entity
- Identifying and contacting potential subjects is not permissible under this provision
- Minimum Necessary Rule applies
- Accounting of Disclosures required

Research on Decedents
- Not subject to the Common Rule (45 CFR 46)
- Subject to HIPAA (45 CFR 164)
- To access PHI of decedents, the researcher must provide the covered entity with written assurances that:
  - the use/disclosure is solely for research on PHI of decedents;
  - the subject(s) is deceased (death certificate); and
  - the PHI is necessary for the research
- Minimum Necessary Rule applies
- Accounting of Disclosures required

Minimum Necessary Standard
- Does not apply to research conducted pursuant to an Authorization
- Applies to:
  - Research conducted pursuant to a Waiver
  - Research involving PHI of decedents
  - Use of PHI preparatory to research
  - Limited data set research

HIPAA and Subject Recruitment
HIPAA impacts how potential research subjects are identified and recruited:
- Researchers who are employed by the covered entity may use the preparatory research provision to contact prospective subjects
- Researchers who are not employed by the covered entity may not use the preparatory research provision; outside researchers could obtain contact information through a partial waiver of authorization
General rules:
- No authorization required: clinicians may discuss enrolling in a study with their own patients
- Authorization or waiver required: a clinician's disclosure to a third party for purposes of recruitment

Databases & Tissue Repositories
- Is patient authorization or waiver required? No, if for treatment or health care operations; yes, if for research
- When such databases/banks are used for research purposes, require authorizations or waivers, and IRB approval
- Review existing internal databases to determine whether the sole purpose is research, or whether treatment or health care operations purposes exist

Transition Provisions
A CE may use/disclose PHI that was created or received for research, either before or after the compliance date, if the CE obtained any ONE of the following prior to the compliance date:
- Authorization or other legal permission from an individual to use or disclose PHI for the research;
- Informed consent of the individual to participate in the research; or
- Waiver by an IRB in accordance with the Common Rule or an exception under FDA's human subject protection regulations at 21 CFR 50.24.

Accounting of Disclosures
Accounting required:
- Partial Waiver or Waiver
- Preparatory work
- Decedents
No accounting required:
- Authorization
- Limited data set under a data use agreement
- To an individual about himself or herself

Accounting of Disclosures
The Privacy Rule allows three methods for accounting for research-related disclosures:
- Standard
- Multiple disclosures
- Alternative, for disclosures involving 50 or more individuals
Accounting reports to individuals may include results from more than one accounting method.

Standard Accounting
Standard accounting includes, for each disclosure, the following information:
- Date of disclosure
- The name and, if known, address of the person or entity receiving the PHI
- A brief description of the PHI disclosed
- A brief statement of the reason for the disclosure

Multiple Disclosures Accounting
Permitted when the CE has made multiple disclosures of PHI to the same person or entity for a single purpose under Sections 164.502(a)(2)(ii) or 164.512. For each disclosure, the following must be included:
- Date of initial disclosure
- The name and, if known, address of the person or entity receiving the PHI
- Brief description of the PHI disclosed
- Brief statement of the reason for the disclosure
- Frequency, periodicity, or number of the disclosures made during the accounting period
- Date of the last disclosure during the accounting period

Alternative Accounting
Accounting may be limited to the following if the CE has disclosed PHI of 50 or more individuals for a research project under 164.512(i):
- Name of the protocol or research activity
- Plain-language description of the research protocol or activity, purpose of the research, and criteria for selecting particular records
- Description of the type of PHI disclosed
- Date or period of time during which the disclosure(s) occurred or may have occurred, including the date of the last disclosure during the accounting period
- Name, address, and phone number of the entity that sponsored the research and the researcher who received the PHI
- A statement that the individual's PHI may or may not have been disclosed for a particular protocol or research activity

Rule of 50
If the CE uses the Rule of 50, it must, if requested by the individual, assist the individual in contacting the research sponsor and the researcher. Such assistance, however, is limited to those situations in which there is a reasonable likelihood that the individual's PHI was actually disclosed for the research protocol or activity.

Research & State Law Pre-emption
- Be mindful of state law requirements for use/disclosure of PHI for research
- Some state laws may be more stringent, such as Kentucky
- Some state laws may be less stringent, such as Indiana

Kentucky Law Example
Kentucky law is more protective regarding a physician's patients. KRS 311.595(9) states:
"unethical, or unprofessional conduct" shall include but not be limited to... (4) any departure from, or failure to conform to the principles of medical ethics of the American Medical Association or the code of ethics of the American Osteopathic Association. For the purposes of this subsection, actual injury to a patient need not be established.

Kentucky Law Example
The following are excerpts from the AMA Ethics Opinions:
- "The physician should not reveal confidential communications or information without express consent of the patient unless required to do so by law..." (E-5.05)
- "Physicians must seek to protect patient privacy in all forms. Such respect for patient privacy is a fundamental expression of patient autonomy and is a prerequisite to building the trust that is at the core of the patient-physician relationship." (E-5.059)
- "The record is a confidential document involving the patient-physician relationship and should not be communicated to a third party without the patient's prior written consent, unless required by law or to protect the welfare of the individual or the community." (E-7.02)

Kentucky Law Example
- This does not preclude the use of information under the preparatory to research exemption if the records are reviewed by the physician or an employee of the physician.
- This does appear to prevent physicians from making disclosures to those outside of their practice under either a waiver or the preparatory to research exemption.

Indiana Law Examples
- IC 16-38-2, Sections 5-7: Cancer Registry, research purposes
- IC 16-38-4, Sections 11-12: Birth Problems Registry, research purposes
HIPAA pre-empts these Indiana laws, which allowed researchers access to PHI of individual patients and to use the names of those patients to request further information.
Source: Hall, Render, Killian, Heath and Lyman, P.S.C. HIPAA Pre-emption Matrix

Research and HIPAA Security
Researchers must take steps to develop appropriate safeguards to protect PHI. Examples of safeguards include:
- Having researchers sign confidentiality agreements stating they will not share computer IDs and passwords
- Passwords on computers (setting computers to go into protected standby mode when left on and unattended)
- Securing data in databases, handhelds and Web sites
- Using locked file cabinets to store data
- Not leaving identified data in plain sight
- Shredding PHI

Research and HIPAA Security
- The Security Rule requires audits
- Build HIPAA audits into research compliance, billing and regulatory audits:
  - Authorizations
  - Partial Waivers/Full Waivers
  - Documentation of deceased individuals
  - Data Use Agreements
  - Accounting of Disclosures documentation

Federal HIPAA Penalties
Federal civil and criminal penalties:
- Civil: $100 per violation, up to $25,000 per person, per year, for each requirement or prohibition violated
- Criminal (knowing violations): up to $50,000 and one year in prison
  - Under false pretenses: up to $100,000 and up to five years in prison
  - Intent to sell, transfer or use: up to $250,000 and up to 10 years in prison

Private Right of Action
- HIPAA has no private right of action
- You can be sued under state law for alleged privacy breaches
  - Kentucky example
  - Texas example

Improper Disclosures
- Reporting improper uses or disclosures to the patient is not required under HIPAA unless an accounting of disclosures is requested
- Reporting improper uses or disclosures to OCR is not required under HIPAA
- Reporting improper uses or disclosures for research may be required to other federal agencies (OHRP, ORI, FDA) as well as the research sponsor and the IRB of oversight
- The Common Rule (45 CFR Part 46) requires institutions to report noncompliance to OHRP

For More Information
- NIH - http://privacyruleandresearch.nih.gov/
- Clinical Research - http://privacyruleandresearch.nih.gov/clin_research.asp
- IRBs - http://privacyruleandresearch.nih.gov/irb_default.asp
- Privacy Boards - http://privacyruleandresearch.nih.gov/privacy_boards_hipaa_privacy_rule.asp
- Research Repositories and Databases - http://privacyruleandresearch.nih.gov/research_repositories_final.rtf
- Rule Booklet - http://privacyruleandresearch.nih.gov/pr_02.asp
- HIV/AIDS - http://hab.hrsa.gov/publications/hippa04.htm
- Public Health - http://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm
- HHS - http://www.hhs.gov/ohrp/
- PRIM&R - http://www.primr.org/
- ARENA - http://www.primr.org/membership/overview.html

Research and HIPAA: Conflicts and Controversy in Sponsored Research

HIPAA and the Clinical Trial Agreement
The issue: resolution of the conflicting interests between the researcher, the research institution and the research sponsor over the future use of data and/or tissue and blood specimens.

SCENARIOS
- Number 1: Sponsor wishes to sponsor a clinical trial and collect data solely for the purpose of that clinical trial
- Number 2: Sponsor wishes to sponsor a clinical trial and use data and/or some of the specimens collected for possible unspecified future research
- Number 3: Sponsor wishes to sponsor a clinical trial and, in the process of collecting specimens for the clinical trial, asks the researcher to collect an additional sample to include in a tissue/blood repository for future unspecified research

Researcher's goals
- Conduct quality research for the greater good
- Obtain sponsorship for research
- Possible commercial benefit
- Personal recognition
- Comply with regulations

Institution's goals
- Conduct quality research for the greater good
- Obtain sponsorship for research
- Possible commercial benefit
- Institutional recognition
- Compliance with applicable regulations

Sponsor's goals
- Non-commercial sponsors: conduct quality research for the greater good
- Commercial sponsors: conduct quality research for the good of the organization; commercial benefit
- Compliance with applicable regulations

What is the problem?
- The researcher's interest is in the research, not focused on compliance
- The researcher may consider sacrificing compliance if he/she feels the research is important
- The researcher does not always understand the intricacies of the agreements they wish to enter

What is the problem?
- The institution has to consider all applicable regulations; what is beneficial to the researcher and the sponsor might not be possible
- Applicable regulations differ according to the player
- The Institutional Review Board must consider ethical as well as legal issues

What is the problem?
- The sponsor is generally not a covered entity, thus there may be no desire to comply with HIPAA privacy or security regulations
- The sponsor might push to have language in the CTA that permits future unspecified uses of data and/or specimens

Scenario 1
- The institution can enter a clinical trial agreement stating that the institution is in compliance with HIPAA
- The institution has no problem crafting an authorization that informs the subject their data will be shared with the sponsor for this study
- Once the sponsor gets the data, if HIPAA does not apply to the sponsor the information may no longer be protected

Scenario 2
- The institution can enter a clinical trial agreement stating that the institution is in compliance with HIPAA
- The institution has no problem crafting an authorization that informs the subject their data will be shared with the sponsor for this study
- Once the sponsor gets the data, if HIPAA does not apply to the sponsor the information may no longer be protected
However....

Scenario 2
Additional issues:
- Is the institution obligated to inform the subject that their data will be included in the sponsor's research database for uses and/or disclosures unrelated to the current clinical trial?
- Is the institution obligated to ask the sponsor what, if any, additional uses or disclosures will occur from the data collected for the current trial? What if the sponsor wants to use it for purposes unrelated to research?
- Has the institution met its HIPAA obligation if the authorization informs the subjects that the sponsor will receive their data and, if the sponsor is not a covered entity, the data is no longer protected?

Scenario 3
- The institution can enter a clinical trial agreement stating that the institution is in compliance with HIPAA
- The institution has no problem crafting an authorization that informs the subject their data will be shared with the sponsor for this study
- Once the sponsor gets the data, if HIPAA does not apply to the sponsor the information may no longer be protected
However....

Scenario 3
Additional issues:
- If participation in the underlying clinical trial is conditioned on the subject signing the authorization but provision of the additional blood or tissue specimen is not, a second authorization may be required.
- If the second authorization is solely for the purpose of collecting the blood or tissue specimen for the sponsor to include in a repository for future unspecified research, how can the researcher/research institution craft a valid authorization?

Scenario 3
The specificity requirements of an authorization will not permit an authorization for future, unspecified research. According to current guidance, the research purpose must be study or protocol specific.

Scenario 3
Possible solutions:
- Get the sponsor to treat the research database or specimen repository as if they were a covered entity
- Data comes out as a limited data set with a data use agreement
- Submit future protocols to the IRB
- Don't engage in research with sponsors who will not treat data as if they were a covered entity
- Prepare an authorization that informs the subject that their data and/or specimen is being collected for inclusion in the sponsor's database/repository, without addressing the intended future uses or disclosures

JCAHO and HIPAA: A Crosswalk to Compliance April 2005 65

Objectives Understand the JCAHO Accreditation Process Compare/Contrast JCAHO standards and the HIPAA Privacy Rule Discuss Self-Assessment and Tracer Methodologies required by JCAHO April 2005 66

Understanding the JCAHO Accreditation Process JCAHO surveys for compliance with stated standards and performance expectations Standard = goal Compliant or non-compliant Elements of Performance = steps needed to achieve the standard April 2005 67

Elements of Performance ( EP s ) EPs are evaluated on the following scale: 0 insufficient compliance 1 partial compliance 2 satisfactory compliance N/A Non-applicable April 2005 68

Patient Rights JCAHO Standard RI.2.20: Patients receive information about their rights. Elements of Performance for RI.2.20 Information on rights is provided to each patient HIPAA: 164.520(a)(1) Notice of Privacy Practices April 2005 69

RI.2.20: Patient Rights EPs (cont'd)
- The patient has the right to access, request amendment to, and receive an accounting of disclosures regarding his or her own health information as permitted under applicable law.
HIPAA:
- 164.524 Right to Access PHI
- 164.526 Right to Amend
- 164.528 Right to an Accounting of Disclosures

Photography/Filming Consent
JCAHO Standard RI.2.50: Consent is obtained for recording or filming made for purposes other than identification, diagnosis or treatment
Elements of Performance:
1) When used only for internal organizational purposes: must document consent; can be part of a general consent for treatment
2) External purposes: documentation of a specific, separate consent including the circumstances of use

Photography/Filming (cont'd)
HIPAA:
- 164.506(b) & (c) Consent for TPO: internal vs. external
- 164.508 When an authorization is required
- 164.508(a)(3) Marketing
- 164.512(c) Victims of abuse (forensic photographs for victims of child abuse)
- 164.512(i)(1) Research

Informing Others of Care and Treatment
JCAHO Standard RI.2.90: Patients, and when appropriate their families, are informed about the outcomes of care, treatment and services
HIPAA: 164.510(b) uses and disclosures for involvement in the individual's care
Note the difference in scope: JCAHO addresses outcomes; HIPAA addresses specific circumstances

Complaint Management
JCAHO Standard RI.2.120: The hospital addresses the resolution of complaints from patients and their families.
HIPAA:
- 160.306 Complaints to the Secretary
- 164.520(b)(1)(vi) Complaint process
- 164.530(d)(1) Documentation of complaints

Complaint Management (cont'd)
JCAHO EP for RI.2.120: Patients can freely voice complaints without being subject to coercion, discrimination, reprisal, or unreasonable interruption of care and treatment
HIPAA: 164.530(g) the covered entity must refrain from intimidating or retaliatory acts against individuals who file a complaint or participate in an investigation

Patient Privacy Needs
JCAHO Standard RI.2.130: The hospital respects the needs of patients for confidentiality, privacy and security
HIPAA:
- 164.502(c) & 164.522(a)(1) Right to Request Restrictions
- 164.502(h) & 164.522(b)(1) Confidential Communications
- 164.510(a) Facility Directory Opt Out
- 164.520 Notice of Privacy Practices
- HIPAA Security Standards

Research
JCAHO Standard RI.2.180: The hospital protects research subjects and respects their rights during research, investigation, and clinical trials involving human subjects.
HIPAA: 164.512(i) Research Purposes
- Waiver of authorization
- Preparatory to research activities

Correctional Institutions
JCAHO Standard LD.3.150: The hospital plans for the appropriate care, treatment and services for patients under legal or correctional restrictions.
Elements of Performance for LD.3.150: Administrative and clinical decisions are coordinated as to disclosing PHI to correctional institutions and/or officers.

Correctional Institutions (cont'd)
HIPAA:
- 164.512(k)(5) disclosures to correctional institutions and law enforcement
- 164.520(a)(3) NPP exception for inmates

Environment of Care
JCAHO Standard EC.1.20: The hospital conducts environmental tours to identify ... and unsafe practices (including privacy and security concerns)
- Must conduct environmental tours at least once every six months in all areas where individuals are served
- Must conduct environmental tours at least annually in areas where individuals are not served

Environment of Care (cont'd)
HIPAA: no specific comparable regulation in the Privacy Rule, BUT ...
- HIPAA auditing best practices would include such environmental tours or walkthroughs, AND
- the HIPAA Security Rule applies

Information Management
JCAHO Standard IM.1.10: The hospital plans and designs information management processes to meet internal and external information needs

Information Management (cont'd)
Elements of Performance for IM.1.10: consider who is requesting the information and what is being requested:
- licensing, accrediting and regulatory bodies
- purchasers, payors, and employers
- participation in national research and databases
- patient safety reviews
- quality assessments

Information Management (cont'd)
HIPAA:
- Notice of Privacy Practices
- 164.502(e)(1); 164.504(e)(1): Business Associate Agreements

Information Management (cont'd)
HIPAA:
- 164.512 uses and disclosures for which an authorization or opportunity to object is not required:
  - disclosures required by law
  - public health activities
  - health oversight
- 164.514(a) de-identification of data

Confidentiality and Security
JCAHO Standard IM.2.10: Information privacy and confidentiality are maintained
Elements of Performance for IM.2.10: The hospital has written processes that address the privacy and confidentiality of information
HIPAA: all HIPAA policies

Confidentiality and Security (cont'd)
EP for IM.2.10: Policy has been effectively communicated to applicable staff
- HIPAA: Training, 164.530(b)(1)
EP for IM.2.10: Process to monitor compliance with its policy
- HIPAA: Auditing and Monitoring

Confidentiality and Security (cont'd)
EP for IM.2.10: Individuals about whom PHI may be maintained/collected are made aware of what uses and disclosures of the information will be made
- HIPAA: NPP, authorizations
For uses and disclosures of health information, the removal of personal identifiers is encouraged to the extent possible, consistent with maintaining the usefulness of the information
- HIPAA: 164.514(a) de-identification of data

Confidentiality and Security (cont'd)
EP for IM.2.10: Protected health information is used for the purposes identified or as required by law, and is not further disclosed without patient authorization
- HIPAA: 164.508 uses and disclosures for which an authorization is required

Confidentiality and Security (cont'd)
EP for IM.2.10: The hospital preserves the confidentiality of data and information identified as sensitive and requires extraordinary means to preserve patient privacy.
HIPAA:
- Policy manual
- 164.508(a)(2) Psychotherapy notes
- Minimum Necessary Rule
- Limited data sets

Managing the JCAHO Self-Assessment
- Need hard data: concrete and verifiable
- Audit data, not just that policies and procedures are in place
- Privacy Grid: what documented data will show compliance?

JCAHO and Tracer Methodology
- JCAHO tracks real patients' experiences as they move through the hospital
- Your audits should mirror this methodology
- Pull random samples and see how PHI was accessed, used and disclosed throughout the hospital stay

The Self-Assessment: Getting Started
Assemble a team:
- Privacy Officer
- Information Security Officer
- Internal Auditor
- Systems Administrators
- Administration
- External sources

Identify Tools
- Employee work schedules, attendance records, clock in/out
- Medical records
- Paper documentation related to the area of review
- Emails and faxes
- Phone records: land lines and cell
- Internal system-generated audits from computer systems
- Specific computer systems: registration (facility blocks); disclosure tracking

Identify Systems
- Locate all computer systems
- Determine audit functionality with the vendor
- Obtain a list of all user IDs for each system: employees, contractors, physicians, office staff, medical students, etc.
- Create a crosswalk of audit codes for each system
- Obtain a list of computer terminal IDs and locations

System Audit by User
System-generated audits focused on a user ID generally provide:
- List of patients accessed, by name and medical record number
- Date, time, duration of access
- Computer terminal ID
- IP address of computers off site
- Details about info accessed, such as care provider list, results, contraindications, orders, charges, demographics, and financial
- Whether info was printed

System Audit by Medical Record
System-generated audits focused on a patient's medical record generally provide:
- List of users who accessed the record
- Date, time, duration of access
- Computer terminal ID used on campus
- IP address of computer used off campus
- Details about info accessed, such as care provider list, results, orders, demographics, and financial
- Whether info was printed

Potential Areas of Focus
- Inappropriate access
- Walkthroughs
- Garbage
- Patient rights
- PHI with special protections (drug, alcohol, HIV)

Potential Areas of Focus (cont'd)
- Research
- Policies/procedures
- Training and education: databases and logs

Inappropriate Access
- Athletes, VIPs, celebrities, politicians, public figures, other patients featured in the media
- Employees: co-worker access, self access
- Residents, physicians, physician office staff
- Complaints, hotline calls, administrative requests
- Patients involved in lawsuits, sentinel events
- Special populations
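As an added illustration (not material from the presentation), the following Python triage builds the by-user and by-record views from the two "System Audit" slides and flags the self-access, co-worker-access and VIP/media cases listed above; all user IDs, MRNs, timestamps, terminal IDs and IP addresses in it are constructed.

```python
"""Constructed triage of a system-generated PHI access audit.

Every record, user ID, MRN and IP below is made up for the demonstration;
the fields mirror the slide (user, patient, date/time, terminal/IP,
info accessed, printed).
"""

# Constructed sample of a system-generated access audit (one dict per access).
ACCESS_LOG = [
    {"user": "u100", "mrn": "MRN-001", "when": "2005-04-01 08:12", "minutes": 4,
     "terminal": "T-ED-03", "ip": None, "info": "results", "printed": False},
    {"user": "u100", "mrn": "MRN-777", "when": "2005-04-01 12:40", "minutes": 9,
     "terminal": None, "ip": "203.0.113.8", "info": "demographics", "printed": True},
    {"user": "u205", "mrn": "MRN-205", "when": "2005-04-02 22:05", "minutes": 2,
     "terminal": "T-ADM-11", "ip": None, "info": "charges", "printed": False},
    {"user": "u205", "mrn": "MRN-100", "when": "2005-04-02 22:07", "minutes": 3,
     "terminal": "T-ADM-11", "ip": None, "info": "orders", "printed": False},
]
# Constructed roster: employee user ID -> that employee's own MRN as a patient.
EMPLOYEE_MRN = {"u100": "MRN-100", "u205": "MRN-205"}
# Constructed set of MRNs for patients featured in the media (VIPs).
VIP_MRNS = {"MRN-777"}


def audit_by_user(log, user):
    """System Audit by User: every record a given user ID touched."""
    return [e for e in log if e["user"] == user]


def audit_by_record(log, mrn):
    """System Audit by Medical Record: every access to a given MRN."""
    return [e for e in log if e["mrn"] == mrn]


def flag_inappropriate_access(log, employee_mrn, vip_mrns):
    """Return (reason, user, mrn) triples for the focus areas on the slide."""
    employee_records = set(employee_mrn.values())
    flags = []
    for e in log:
        if e["mrn"] == employee_mrn.get(e["user"]):
            flags.append(("self access", e["user"], e["mrn"]))
        elif e["mrn"] in employee_records:
            flags.append(("co-worker access", e["user"], e["mrn"]))
        if e["mrn"] in vip_mrns:
            flags.append(("VIP/media patient", e["user"], e["mrn"]))
        if e["ip"] and e["printed"]:  # printed from an off-campus address
            flags.append(("printed off campus", e["user"], e["mrn"]))
    return flags
```

Each flag is a lead for the tracer-style review, not a finding by itself: the auditor still checks the schedule, role and treatment relationship behind the access.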

Walk-Throughs
- PHI visible in open, public areas
- PHI left unattended on fax or copy machines
- PHI transported unsecured
- Shredding bins overflowing or unlocked
- Fax cover sheets being used?
- PHI being discussed in elevators, cafeteria
- Is the Notice of Privacy Practices posted appropriately?

Garbage
Check for improper disposal of PHI in:
- Bags of trash that have not been compacted
- Trash cans in patient rooms
- Trash cans in clinical areas
- Trash cans in administrative areas that process health information
- Trash cans in doctors' lounges and sleep rooms

Patient Rights
Check medical records for appropriate documentation of:
- Notice of Privacy Practices acknowledgement
- Authorizations
- Access requests
- Amendment requests
- Accounting of disclosures
- Restriction requests
- Confidential communications requests
- Opt-out requests

Other PHI
Check medical records for documentation of appropriate release of information for:
- Psychotherapy notes
- HIV/AIDS
- Subpoenas/orders of court
- Victims of a crime
- Research
- Accounting of disclosures

Research
Check research patient medical records for proper documentation of:
- Informed consent and HIPAA authorization
- Accounting of disclosures
- Partial and full waivers
- Preparatory to research/screening
- Decedents

Policies & Procedures
Review policies, procedures and processes to determine whether:
- they are accurate and consistent
- they are being followed as written (use sample audits to get concrete data)
- revisions are required because of changes in federal and/or state law

Evaluate Results
- Was PHI accessed/used/disclosed appropriately? (sample data)
- What caused the inappropriate access, use or disclosure?
- How can the inappropriate access, use or disclosure be prevented?

Report Results
- Report conclusions to business process owners
- Present recommendations to business process owners
- Draft a corrective action plan

Examples: Sanctions and Recommendations
- Revise policies
- Re-educate; plan an awareness campaign
- Revoke access privileges
- Assign new passwords
- Remove generic IDs and the IDs of those who left the organization or no longer have business with it

Mitigation
Follow through:
- Document improper disclosures in the accounting of disclosures
- Implement recommendations
- Reinforce policy
- Re-audit, re-audit, re-audit

Improper Disclosures
- Reporting to the patient is not required unless an accounting of disclosures is requested
- Reporting an improper disclosure to OCR is not required under HIPAA
- Reporting an improper disclosure for research may be required to other federal agencies (OHRP, ORI, FDA), as well as to the research sponsor and the IRB of oversight
- *** Discuss with your legal counsel

Minor Child Issues Under HIPAA

Patient Rights Regarding Medical and Billing Records
Right to receive the hospital's Notice of Privacy Practices:
- The divorced parents
- The foster parent
- The guardian
Obtaining acknowledgement:
- No parent or guardian present

Patient Rights: Access to PHI
Access to PHI:
- State minor consent laws
- Foster parents
- Child and Family Services
- Other county agencies
- The abusive parent
- Care providers

Patient Rights: Access to PHI (cont'd)
Access to billing records: parent vs. guarantor

Telephone Disclosures
- Difficulty in using social security numbers for children
- Inpatients: telephone disclosure code
- Outpatients: birthdate and current address
- The ED, for security and operational purposes, does not release any information over the telephone

Release of PHI Without an Authorization
People involved in care or payment for care:
- Designated by patient/parent
- Present during discussion
- Assumed by circumstances, where in our best judgment this would be permitted by the patient/parent

Disclosure of PHI: The HIPAA Authorization
- Components of a valid authorization
- HIPAA requires several new components

Requests for PHI by the Patient/Parent/Guardian
- Requests from the patient/parent/guardian for disclosure of PHI, including copies of medical records, must be on a HIPAA Authorization Form or other form, or otherwise in writing
- Copy fees can be charged in amounts in accordance with PA law

Requests by Minors
- Emancipated minor
- PA Medical Consent of Minor Law

Requests by Minors (cont'd)
Under Pennsylvania law, a minor has the right to consent to medical treatment for him/herself or his/her child without parental consent if the minor:
- is or has been pregnant;
- has graduated from high school;
- is married;
- is in the military; or
- is seeking testing or treatment for:
  - pregnancy
  - sexually transmitted or other reportable diseases
  - drug and alcohol abuse
  - if 14 years or older, mental health: voluntary or involuntary inpatient treatment, or involuntary outpatient treatment
A minor that has been emancipated by order of court shall produce a copy of such order prior to the release of PHI.

Patient Rights Regarding Medical and Billing Records (cont'd)
- Patient request for confidential communications: adolescent medicine
- Patient request for an accounting of disclosures: counting requests when dealing with multiple parents; what is "once per year"?

Accounting of Disclosures of PHI
- Child abuse: are such requests included?
- State preemption

CONTACT INFORMATION
Betsy Hall, betsy.hall@jhhs.org, (502) 560-8404
Jodi Innocent, jodi.innocent@chp.edu, (412) 692-7842
Marti Arvin, marti.arvin@louisville.edu, (502) 852-3803

QUESTIONS