The HIPAA Privacy Rule and Research: An Overview

Joy Pritts, JD
Research Associate Professor
Health Policy Institute, Georgetown University
jlp@georgetown.edu

Topics
- HIPAA Background
- Overview of Privacy Rule
- HIPAA and Research
- Consumer Views on Privacy Rule and Research

HIPAA: The Act
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Administrative Simplification Provisions
  - Encourage standardized electronic claims filing and record-keeping to reduce health care costs
  - Require Congress or HHS to issue rules with respect to the privacy of individually identifiable health information

HIPAA: The Act
- Establishes scope of who must comply with privacy standards
- Creates preemption framework
  - Public health exception
- Sets out penalties

Implications
- Only Congress can change core scope of
  - Who is covered by HIPAA
  - Preemption of state law
  - Penalties
- Most privacy standards are in Privacy Rule and can be changed by HHS

Overview of Privacy Rule:
- Timeline
- Who Is Covered?
- What Information Is Protected?
- What Standards Does the Privacy Rule Set?

HIPAA: The Privacy Rule
- First issued by HHS in December 2000
- Modified August 2002
  - Limited Data Sets introduced
- Compliance Deadline
  - April 14, 2003 (most covered entities)
- 45 C.F.R. Parts 160 & 164

Who Is Directly Regulated?
- Covered entities
  - Health plans
  - Health care clearinghouses
  - Health care providers who transmit health claims-related information electronically

What Is Covered? Protected Health Information
Information about a person's:
- Health, health care, or payment of health care
- Which identifies (or could identify) the person; and
- Was created or received by a covered health plan or health care provider

Protected Health Information
- Includes health information on decedents
  - Note: Common Rule only applies to living subjects
- Excludes
  - De-identified information
  - Cells and biological tissue
- But includes analyses, communications or other identifying information related to such physical items

What Standards Does the Privacy Rule Set?
- Establishes individuals' rights with respect to their own identifiable health information
- Creates standards for how covered entities may use (internal review and communications) and disclose (share with others) protected health information

Individuals' Rights
- Notice of privacy practices
- See and copy own health information
- Amend own health information
- Receive an accounting of certain disclosures
- Others

Responsibilities of Covered Entities
- Respect individuals' rights in relation to their protected health information
- Safeguard protected health information
- Comply with restrictions on use and disclosure of protected health information
- Implement administrative requirements

Use and Disclosure Rules
May only use (internally) or disclose (externally) PHI
- With the individual's written authorization
- Pursuant to a provision of the Privacy Rule that expressly permits use or disclosure

Uses & Disclosures Permitted without Individual's Permission
- Treatment, payment, health care operations
- Public interest purposes, subject to detailed conditions
  - Public health
  - Law enforcement
  - Health oversight
  - Research
  - Others

Accounting of Disclosures
- Covered entity must record and provide, upon request, an accounting of certain disclosures made within the last 6 years (after April 2003)
- Excludes
  - Uses (internal reviews or communications)
  - Certain disclosures (e.g., treatment, payment, health care operations)
- Generally includes disclosures for research

Interaction With State Laws
- Conflict Preemption
- Overrides provisions of state law (statutes, regulations) relating to the privacy of health information that are contrary to (less protective)
- State laws that protect privacy Privacy Rule remain in effect

Exception for State Public Health Laws
- HIPAA does not preempt state laws that provide for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention

Interaction with Other Federal Laws
- Leaves in place laws that do not conflict with Privacy Rule
- Covered entities must comply with multiple sets of laws

Enforcement
- No personal right to sue
- Civil penalties
  - $100 per violation / $25,000 maximum per year per standard violated
- Criminal penalties
  - For knowing wrongful disclosures
  - Graduated penalties: maximum for wrongful disclosures with intent to sell/use for commercial purposes, personal gain or malicious harm
  - $250,000 / 10 year imprisonment

Enforcement
- Office for Civil Rights, HHS
- Complaint-driven
- Compliance audits
  - Authorized
  - Not currently being utilized

Enforcement: Reality Check
- No civil fines have been assessed to date
- Only criminal prosecutions have been for egregious medical identity theft

HIPAA and Research

HIPAA Privacy Rule
- Places limits and conditions on when and how a covered entity can use or disclose health information for research

Research Defined
- A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.

HIPAA and Other Research Regulations
Privacy Rule does not replace the
- Common Rule ("Federal Policy for the Protection of Human Subjects") or
- FDA Regulations on Protection of Human Subjects

How Does the Privacy Rule Generally Affect Researchers?
- Directly if they otherwise meet the definition of a covered entity
  - Health care provider who bills electronically
  - Health plan employee
- Indirectly: must meet certain criteria to be able to obtain health information from a covered entity for research

Key Privacy Rule Use and Disclosure Provisions Affecting Research
- De-identified health information is not protected by Privacy Rule
- PHI may be used/disclosed with the individual's written permission ("Authorization")

Key Privacy Rule Use and Disclosure Provisions Affecting Research
- PHI may be used/disclosed without authorization
  - As a limited data set
  - Under a waiver of the Authorization requirement
  - Preparatory to research
  - For research on decedent's information

De-Identified Information
All 18 identifiers removed
- Name
- Geographic subdivision smaller than a state
- Related dates (except year)
- Telephone number
- FAX number
- e-mail address
- Social security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle ID and serial numbers
- Device identifiers and serial numbers
- URLs
- Internet Protocol addresses
- Biometric identifiers
- Full face photos
- Any other unique identifying number, characteristic or code (except random codes, not derived from info. related to person that permit reidentification)

De-Identified Information
- Statistical determination by qualified person that there is a very small risk that the information could be used, alone or with other reasonably available info, by recipient to identify the subject

De-Identified Information
- Not protected health information under HIPAA
- Restrictions on use and disclosure don't apply
- No requirement to account for disclosures

Research with Individual's Permission
- Common Rule + IRB review of research
- Informed consent for research
- Privacy Rule Authorization to use or disclose PHI for research

Privacy Rule Authorization: Scope
- Can pertain only to a specific research study
- Cannot be used to give permission for
  - Nonspecific research or
  - Future, unspecified projects

Authorizations for Research Databases
- Authorization can permit use/disclosure for creation and maintenance of a research database or repository
  - Subsequent use/disclosure from database for a research study must be pursuant to new authorization or permitted without authorization under Privacy Rule

Authorization to Use/Disclose PHI for Research
- Requires specific core elements and statements
  - E.g., id of persons authorized to disclose and receive data, right to revoke
- Must include expiration date/event. For research can be
  - end of research study or
  - none
- Can be combined with informed consent

Authorizations & Accounting of Disclosures
- Disclosures made pursuant to authorizations are not subject to accounting of disclosures requirements

Right to Revoke Authorization
- Revocation is effective, except to extent that covered entity has relied upon authorization prior to revocation
- This means that continued use/disclosure of PHI is permitted to the extent necessary to protect the integrity of the research
  - Report adverse events
  - Report withdrawal of patient from study

Waiver of Authorization
- Covered entity may use/disclose PHI for research without authorization when it receives documentation that an Institutional Review Board (IRB) or Privacy Board has approved a waiver of the authorization required by the Privacy Rule.

Authorization Waiver Criteria
- Similar to, yet different than, the criteria for waiving informed consent

Authorization Waiver Criteria
- Use/disclosure involves no more than minimal risk to privacy of individual demonstrated by adequate
  - Plan to protect PHI from improper use/disclosure
  - Plan to destroy identifiers at the earliest opportunity consistent with conduct of research
  - Written assurances that PHI will not be reused or disclosed to others except as required by law, for authorized oversight, other research permitted under Rule

Authorization Waiver Criteria
- Research could not practicably be conducted without the waiver
- Research could not practicably be conducted without access to and use of PHI

Multiple Site Research and Authorizations
- Privacy Rule allows a waiver obtained from a single IRB or Privacy Board to be used to obtain PHI in connection with a multisite project, but also
- Permits covered entities to require duplicate reviews prior to disclosing PHI to researchers

Limited Data Set
Protected health information that excludes most specified identifiers, but can include
- City, state, zip code
- Dates
- Coded information and other numbers or characteristics not listed as direct identifiers

Limited Data Set
- Can be used/disclosed for research without individual authorization
- Requires a data use agreement under which recipient agrees
  - Use/disclose only as agreement permits
  - Use appropriate safeguards
  - Not identify the info. or contact the individuals
- Not subject to accounting of disclosures requirement

Reviews Preparatory to Research
- Covered entities may use or disclose PHI to a researcher for activities involved in preparing for research without the individual's authorization

Reviews Preparatory to Research
- Covered entity must obtain from researcher oral or written representations that
  - Use/disclosure is requested solely to review PHI to prepare research protocol or similar activity prior to research
  - PHI will not be removed from the premises
  - PHI is necessary for the research

Identifying Research Participants
- Covered entity may allow researcher (within or outside covered entity) to identify potential study participants as an activity preparatory to research.

Contacting Research Participants
- Privacy Rule permits a researcher who is a workforce member of a covered entity to contact potential study participants (considered health care operations) for purposes of seeking Authorization.
- Covered health care providers may discuss treatment alternatives, including participating in a clinical trial, with patients.

Preparatory to Research
- Privacy Rule's permission to contact prospective research subjects does not override Common Rule, which may require such activity (if not exempt) to be reviewed and approved by an IRB and may require informed consent.

Research on Decedent's Information
- No authorization of next of kin or waiver required under Privacy Rule
- Must obtain representations that
  - Use/disclosure is sought solely for research on PHI of decedents
  - PHI is necessary for research
  - Documentation, at request of covered entity, of the death of the individuals

Patient/Consumer Views on Privacy Rule and Research
Veterans Administration Study
- Rodney A. Hayward, M.D.
  - Co-PI; Director, VA Center for Practice Management & Outcomes Research
- Laura Damschroder, M.S., M.P.H.
  - Co-PI, Univ. Mich., VA Center for Practice
- Michael A. Neblo, Ph.D., Ohio State Univ.
- John Creswell, Ph.D., Univ. of Nebraska, Lincoln

Study Aims
- Determine the range of informed opinions and recommendation of veterans for optimal criteria for allowing researchers access to protected health information
  - and how the HIPAA Privacy Rule should be interpreted and implemented

Deliberative Democracy Model
- People are concerned about privacy
- But they know little about:
  - How or why their medical records are used
  - Medical records research
- 3 HIPAA waiver criteria are complicated and impossible to understand out of context
- Complex and value-laden policy questions

Deliberation Protocol
- Non-facilitated deliberation
  - Spontaneous idea generation
- Written protocol
- A volunteer participant helped keep their group on track
- Privacy and research experts
  - Balanced presentations
  - Q&A

Pre-Deliberation Survey Results
- 39% of vets had NOT heard of the HIPAA Privacy Rule
- 75% of vets did not know that their medical records could be used in research without their permission
- 73% are very/somewhat concerned about invasion of privacy
- Minorities more concerned than nonminorities

Privacy Rule Waiver Criteria
- Most of the deliberation groups thought the following 2 factors were most important to determine "practicable"
  - If the study would be less scientifically accurate
  - If results would be less meaningful
- Many participants had a strong reaction to "practicable"
  - "weasel word"
  - "It could mean anything you want it to"

Willingness to share
Would you be inclined to allow someone to use your medical records for the following?
- VA researchers conducting a study about a serious medical condition (n=160): Baseline 89%, Follow-up 96%
- Researchers at a university conducting a study about a serious medical condition (n=146): Baseline 75%, Follow-up 80%

Views on Need for Authorization for Research
- Pre-deliberation
  - 74% agree that it was critically/very important to obtain permission for each and every study
- Post-deliberation
  - 25% wanted researchers to obtain permission for each and every study

Views on Need for Authorization for Research
- Post-deliberation
  - 40% wanted more general opt-in or opt-out model
  - 34% thought waiver model should be kept

Findings So Far
- Willingness to share = equal willingness to cede control
- Veterans want a say in deciding how their medical records can be used for research
  - and in whether their records are used
- Veterans placed highest level of trust in VA researchers and were most willing to share their medical records with them
- Higher trust means less stringent consent procedures

Trust Impacted by Direct Interaction with Providers
- Most do not have direct interaction with researchers
  - "A clerk couldn't pull up your file. The doctor could. Okay. But there is a safeguard against that..."
  - "all of these people are printing a piece of paper on you and they all have access to too much information about you."
- providers, clerks, etc. are proxies for researchers

Informed Patients: Opportunity to Increase Participation
- Wanted to know how their information had been used
  - Sense of altruism
- Consistent with findings that providing feedback to participants about research findings
- More likely to participate in research if they are promised feedback [1]
  - General
  - Individual

[1] Purdy, S., Finkelstein, J. A., Fletcher, R., Christiansen, C., & Inui, T. S. (2000). Patient participation in research in the managed care environment: Key perceptions of members in an HMO. Journal of General Internal Medicine, 15(7), 492-495.

Questions?