Access to Patient Information for Research Purposes: Demystifying the Process!


Cynthia Nappa
Institutional Privacy Administrator
State University of New York Upstate Medical University

Administrative Simplification?
- Unfunded Mandate
- State Preemption
- Intersection with other Federal Laws
- Reasonableness Test Determination
- Correlation between Intent, Standard, and Implementation
The Privacy Rule is approximately 39,000 words long and requires 406,000 words to explain!

Not a One Size Fits All Approach!
- The Privacy Rule is flexible and scalable to account for the nature of each organization's culture, size, and resources.
- Each organization must determine its own privacy policies and practices within the context of the Privacy Rule requirements and its own capabilities and needs.

Research and Health Care: The Fit at SUNY Upstate?
1. Clinical Research may Involve Treatment
2. Co-Mingling of Research and Treatment Information
3. Dual Role of Providers: Health Care and Research
4. Research Supports Mission of Academic Medical Center
5. Consumer Expectations

Recognizing The Information Overlap...
[Diagram]
- Hospital: Treatment, Payment, Operations
- Research: Screening, Protocol Development, Recruitment
- Overlap: Workforce, Medical Record, Individual

SUNY Upstate Medical University HIPAA Organizational Structure
[Organizational chart; labels recovered from the slide]
- State University of New York: Hybrid Covered Entity
- Upstate Medical University: Component of SUNY Hybrid
- Organized Health Care Arrangement: Faculty Providers (Full-time & Volunteers)
- Group labels: Health Care Component, Business Associate Relationships, Non Health Care Components, Firewall
- Unit labels: Provider Functions, Research*, Education*, UH, Business Functions, PHI, Univ. Counsel, Emp/Labor Relations, Public Safety, Public/Media Relations, Institut. Compliance, Internal Audit, IMT, Diversity/Aff. Action, Executive Council, MSG, RF, Other Vendors
* Involving IIHI of University Hospital

Information Flow Impact
- Health Care Component: Subject to HIPAA (Ex: Research Records)
- Firewall
- Non-Health Care Component: Not Subject to HIPAA (Ex: Employment Records)
- Authorization Required

Navigating the Information Maze: Show Me the Way...
1. Research or Health Care Operations?
2. PHI or Deidentified Information?
3. Subject Alive or Deceased?
4. Researcher a SUNY Workforce Member or External?
5. Privacy Education Completed and Confidentiality Agreement Signed?
6. Use and/or Disclosure of PHI?
7. IRB or Privacy Board Approval?

Research?
Research means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.
45 CFR 164.501

Or Health Care Operations?
Health Care Operations includes conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, providing that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.
45 CFR 164.501

Protected Health Information?
Protected Health Information ("PHI") is IIHI in any form (oral or recorded) that is:
- Created or received by a covered entity; and
- Related to the past, present, or future physical or mental health of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual; and
- Either identifies the individual or is reasonably likely to allow identification of the individual
45 CFR 160.103, 160.501

Or De-Identified Information?
Health Information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
45 CFR 164.514 (a)

Individually Identifiable Data Elements
- Names
- Geographic subdivisions smaller than a state (see rule for details concerning use of zip codes)
- Dates of birth, admission, discharge, and death
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social security numbers
- Medical Record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers (e.g., of healthcare professionals)
- Vehicle identifiers
- Device identifiers (e.g., of pacemakers)
- URLs
- IP addresses
- Biometric identifiers
- Full face photographs
- Any other unique identifying number, characteristic, or code (e.g., blue-eyed, blond oriental who is 7 feet tall)

Subject Alive or Deceased?
The Common Rule protects the rights and welfare of human research subjects, defined as living individuals.
However, the Privacy Rule extends some limited privacy protection after death, permitting access to PHI based on obtaining certain reassurances from the researcher.
45 CFR 164.512 (i) (1) (ii)

Researcher A SUNY Workforce Member?
Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.
45 CFR 160.103

Workforce Member? In or Out, No In Between!
Authorization: IIHI may be used and disclosed regardless of status if denoted on Authorization.
No Authorization: IIHI may be used and disclosed if the following conditions are met:
- Must be Workforce Members
- Must Complete Privacy Education & Sign a Confidentiality Agreement
- Must Have IRB or Privacy Board Approval Granted
- Verification by Department Chair if Researcher is Voluntary Faculty

Use and/or Disclosure of PHI?
- Use: Employment, application, utilization, examination, or analysis of information within an entity that maintains the information
- Disclosure: Release, transfer, provision of access to, or divulging in any other manner, information outside the entity holding the information
45 CFR 164.501

Research and Privacy Compliance: A Joint Effort
IRB (Human Subject Research)
- Authorizations
- Waivers of Authorization
- Exemptions
Privacy Office (Privacy Oversight & Compliance)
- LDU
- De-id
- Preparatory Reviews
- Decedent PHI
- Limited Data Use Agreements

Unlocking The Door to PHI...
[Diagram; labels: RESEARCH, PHI, and the following]
- De-Identification
- Authorization
- Waiver of Authorization
- Transition Provision
- Review Preparatory to Research
- Decedent PHI
- Limited Data Set

Deidentification of PHI
- Researcher must complete a Deidentification Certification Form
- Removal of ALL 18 identifying elements
- The information cannot reasonably identify the individual
- If de-identified statistically, must provide attestation of qualifications and methodology of statistician
REMEMBER: Anonymous and Deidentified are not synonymous!

Authorization
- Gold Standard for disclosure of PHI
- May be combined with informed consent
- Revocation right balanced with Reliance exception
- Authorization specific to disclosure required for external research
- Subjects given a Notice of Privacy Practices

Waiver of Authorization
- The Researcher must complete a Waiver of Authorization Form
- The use or disclosure involves no more than minimal risk to the privacy of the individual
- The research could not practicably be conducted without the waiver
- The research could not practicably be conducted without access to and use of the PHI

Transition Provision
Permits the use and disclosure of PHI created or received before or after April 14, 2003 if one of the following was obtained prior:
- Authorization to use and disclose PHI for research
- Informed consent to participate in research
- Waiver of informed consent by IRB

Review Preparatory to Research
- Researcher must complete a Review Preparatory to Research Request Form and submit to Privacy Office
- The PHI will be used solely to prepare a research protocol or similar purpose
- The PHI is necessary for the research
- The PHI is not to be recorded by the researcher
- The review may only be performed by SUNY Upstate workforce members
Does not provide a ticket to ride the research train!

Decedent PHI
- Researcher must complete a Research on Decedents Information Request Form and submit to the Privacy Office
- The use or disclosure is solely for research
- The PHI is necessary to conduct the research
- The individual is a decedent
- The PHI of living persons contained in decedents' records will not be used or disclosed
In God we trust, all others need proof!

Limited Data Set
- The Researcher must complete a Limited Data Set Form
- The data elements must be limited to those that could not be reasonably used to identify the individual
- The request is specific to the study/project
- Disclosures are made pursuant to a Limited Data Use Agreement executed by the Privacy Office
Must specify what, as well as what not!

Use and Disclosure of PHI for Recruitment?
- Treatment provider may discuss with patient
- Patient initiated contact with researcher
- Authorization permitting discussion with researcher
- Waiver of Authorization from IRB permitting discussion with researcher
- Researcher posts flyers and advertises

Tissue, PHI or Both?
Neither blood nor tissue, in and of itself, is considered individually identifiable health information (IIHI); therefore, research involving only the collection of blood or tissue is not subject to the Privacy Rule requirements.
Unless:
- Labeled with IIHI
- Results from analysis contain or are associated with IIHI
NIH Publication 04-5489, January 2004
Impact: Information comes with strings attached!

Requirements for Use & Disclosure of PHI

Method                      Minimum Necessary   Accounting
Authorization               No                  No
Waiver of Authorization     Yes                 Yes*
Preparatory Reviews         Yes                 Yes
Decedent PHI                Yes                 Yes
Limited Data Set            Yes                 No
De-identification           No                  No
Transition Consent/Auth.    Yes                 Yes

* Modified Accounting for Research Disclosures Tracking may be used for studies involving disclosures of 50 or more individuals

SUNY Upstate - Access To Research Data
[Flowchart; box labels as extracted from the slide]
- Research Protocol Submission
- Review by IRB/Privacy Office
- Appropriate Use & Disclosure Method Approved
- Determination Letter Issued
- Approval or Denial Decision
- Submitted Data Request Form & Determination Letter Reviewed By Privacy Officer
- Denial
- Researcher Completes Data Request Form
- Appropriate Department & Researcher notified
- PHI Provided to Researcher if Approved
- Compliance Auditing

Monitoring & Oversight
[Diagram; labels recovered from the slide]
- Organizational Controls
- Implement Remediation Process
- Continuous Monitoring: Data requests, Systems Access, Uses/Disclosures, Protocol Review
- Proactive Auditing: User Activity Audits, Audit Trails, Role-Based Access, Protocol Compliance
- Triggered Reviews: Patient Complaints, Reported Breaches, Violation of Protocols
- Workforce Education Audits: CITI Training, Confid. Agreements, HIPAA Privacy Rule
- Feedback Management Reporting And Documentation: Incident Occurrence, Trend Identification, Process Reviews, Mitigation Findings

Don't Surprise The Patient!
- Receipt of the Notice of Privacy Practices
- Ethical Recruitment Practices
- Permitted Use and Disclosure of PHI
- Accounting of Disclosures

Consequences of Inadequate Privacy Protections
- Violate Individual's Right to Privacy
- Loss of Public Trust
- Professional Misconduct [New York State Education Law 6530(23)]
- Sanctions
- Suspension of Research Activities

Privacy and Research: A Balancing Act
"Covered entities [should] be mindful of the often highly sensitive nature of research information and the impact of individuals' privacy concerns on their willingness to participate in research."
Standards for the Privacy of Individually Identifiable Health Information; Final Rule (Privacy Rule), 65 F.R. at 82520, December 28, 2000

Who do I Call?
Contacting the Privacy Administrator:
- E-mail: Nappac@upstate.edu
- Phone: 464-6135
- Hotline: 464-6444
Visit the HIPAA Website at Upstate.edu/hipaa

CONCLUSIONS & QUESTIONS