HIPAA Privacy Regulations Governing Research


HIPAA: Health Insurance Portability and Accountability Act

In a Nutshell
- The Privacy Regulations govern a provider's use and disclosure of health information and grant individuals new rights of access and control.
- The regulations also establish civil and criminal penalties for violations of patient privacy.

The History of the Privacy Rule
- Proposed - November 1999
- Finalized - December 2000
- On Hold - February 2001
- Effective - April 2001
- Guidance - July 2001
- Proposed changes - March 2002
- Modified Final Rule - August 2002
- More Guidance - October 2002
- Much More Guidance - December 2002

HIPAA: The Terminology
- Covered entity
- Protected Health Information (PHI)
- Use and disclosure
- Role-based access
- Minimum necessary

Covered Entities
- Health plans
- Health care clearinghouses
- Health care providers who conduct electronic transactions related to third-party billing

Protected Health Information (PHI)
- Relates to past, present, or future health, or health care, or payment for health care
- Identifies the individual, directly or indirectly
- PHI can be paper, electronic, or oral. Examples include clinic charts, billing records, rounding lists, medical media, clinic or research databases, and hallway conversations.

Use and Disclosure
- Uses occur within the covered entity.
- Disclosures are releases outside the entity that is responsible for holding the information.

Role-based Access
- Identify the persons or classes of persons who need access to PHI, and the categories of PHI that they need access to, in order to carry out their duties.
- Covered entities must limit the PHI used or disclosed to the minimum necessary to achieve the purpose of the use or disclosure.
  o Doesn't apply to disclosures made for treatment or to the individual

Minimum Necessary
- Make reasonable efforts not to use, disclose, or request more than the minimum amount of information necessary to achieve the purpose
- In the research context, this applies to studies that do not obtain written authorization from the subject
- Examples: recent visits instead of the entire Medical Record; age instead of DOB

Basic Requirements: Research Issues
- New review process for privacy issues
- HIPAA requirements are in addition to Common Rule regulations
- HIPAA governs how PHI is used for research and the conditions that must be met in order for covered entities to release PHI for research purposes

Underlying Principles for Privacy
- Health information belongs to the patient
- Patients have a right to know how their information is being used.

When does HIPAA apply to research?
- The rules apply if we access PHI to initiate the study or if we create PHI during the course of the study.

What makes it PHI?
Health Info + Identifying Elements
- Names
- Street address, city, county, precinct, zip code
- Dates (e.g. DOB, DOD, admission, discharge, procedure dates)
- Ages over 89
- Phone numbers
- Fax numbers

- E-mail addresses
- Social security numbers
- Medical record number
- Health Plan Numbers
- Account numbers
- Certificate/license numbers; VIN/License plate number
- Device identifiers and serial numbers
- URLs
- Internet Protocol (IP) address
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code

Allowable Conditions for Use of PHI in Research
- Obtain written authorization from the patient
OR
- Meet one of the following criteria:
  o De-identified data
  o IRB waiver of individual authorization
  o Limited data set + data use agreement
  o Activities that are preparatory to research
  o Research on decedents

Required Elements for Authorizations
- A specific description of the purpose of the authorization and the information to be used or disclosed
- The names or classes of individuals authorized to make the use or disclosure
- The names or classes of individuals authorized to receive the use or disclosure
- An expiration date for the authorization
- A statement that the individual has a right to revoke the authorization
- The consequences of refusal to sign
- A statement that the information used or disclosed pursuant to the authorization may be subject to re-disclosure and no longer protected by the Privacy Rule

Conditions Not Requiring Authorization
- De-identified data
- Waiver of authorization by an IRB or Privacy Board
- Limited data sets
- Activities that are preparatory to research
- Research on decedents

De-identified data
- All eighteen identifiers must be removed
- Not necessarily designed for research purposes
- If you are accessing or receiving only de-identified data for your project, HIPAA rules do not apply

Waiver of the Authorization Requirement*
- Examples: retrospective chart review; accessing medical records to screen subjects for a clinical trial
- Application for waiver must be approved by an IRB or Privacy Board
- Use and disclosure poses no more than minimal risk to privacy
  o Adequate data protection plan
  o Adequate plan to destroy identifiers
  o Adequate assurances against re-use or disclosure
- Research is not practicable w/o waiver
- Research is not practicable w/o PHI
*DHHS has promised more guidance on implementation of the waiver criteria.

Limited data set
- Example: receiving tissue samples w/ partial identifiers
- Remove certain direct identifiers
  o Name, street address, phone, fax, email, IP, SSN, MR#, insurance and billing #, device serial numbers, full-face photos, biometrics
  o (DOB, service dates are OK; City, zip code, precinct are OK)
- Provide a Data Use Agreement
  o Specific uses and planned disclosures
  o No further disclosures allowed
  o Agreement not to identify or contact individuals

Preparatory to Research
- Example: reviewing medical records to determine adequacy of patient base
- PHI may be viewed, but only de-identified data can be recorded.
- Covered entity must obtain an attestation from the researcher:
  o Review of PHI is solely to prepare a protocol or formulate hypotheses
  o PHI will not be removed from the covered entity
  o PHI being reviewed is necessary for research purposes
- This activity generally precedes HSC application, if there is no formal protocol developed.

Research on Decedents
- Covered entity must obtain an attestation from the researcher:
  o Research is solely on decedents
  o PHI is necessary for research purposes
- Covered entity may stipulate that documentation of death be provided

Recruitment Questions
- Are you using PHI to identify subjects?
- If so, what permissions do you need to gain access to the PHI?
- Do you have a treatment relationship with the prospective subject?

Allowable Recruitment Practices
- Providers can always talk to their own patients about studies they are conducting.
- Providers can notify the patient that they might qualify for a particular study, and the patient can initiate the contact with the researcher.
- Provider or Medical Records Dept. can release information to researchers if:
  o The patient signs a pre-approved authorization so that the provider can give PHI to researcher, or
  o The IRB approves a partial waiver of authorization for recruitment purposes. (The HIPAA waiver criteria must be met.)
- Researcher identifies subjects, and member of treatment team makes initial contact.
- Patients can self-refer from ads, flyers, etc.

Other Issues
- Pre-screening logs
- Future unspecified research
- Research repositories
- Accounting of disclosures
- Subjects' access to the research record
- Computer security for research records

Pre-screening Logs
- PHI in logs cannot be disclosed because consent has not been obtained.
- Options include de-identification or negotiation of a Data Use Agreement.

Future Unspecified Research
- Future unspecified research will no longer be allowed
- Consents for tissue, blood banking, etc. need to be specific
- Contacting subjects for future studies must follow new recruitment guidelines

Research Repositories
- Creation of a research repository requires HSC approval: allowed with written authorization, waiver, or a limited data set.
- Subsequent studies using the repository must go through HSC.

Accounting Requirement
- Covered entities must track disclosures made under a waiver of authorization, a review preparatory to research, or research on decedents.
- Patients may request the name of the study, the purpose of the study, type of PHI disclosed, timeframe of disclosure
- HIPAA Compliance Office will assign a tracking number.

Subjects' Access to Research Records
- Patients have right to access their designated record set: the set of medical and billing records that are used to make decisions about them.
- Any temporary denial of access must be accepted by the patient.
- Research records generally are not part of the designated record set.
- Be sure to put any clinically-relevant information into the medical record.

Computer Security for Research Records
- Practice role-based access
- Password-protect files
- Store records on secured networks or servers
- Obtain certification for hard drives that contain PHI

Planning Your Study
- What type of data do you need?
- What's the minimum necessary?
- Who holds the data you need to access?
- How will you identify subjects?
- What data protections will you put into place?