Presentation on theme: "What is HIPAA ? HIPAA with the DHPG Research Medical Records"— Presentation transcript:
1What is HIPAA ? HIPAA with the DHPG Research Medical Records Clinical TrialsBusiness Associate AgreementFebruary 2003Michael Shoob, Elizabeth Bankert
2What is HIPAA?The Health Insurance Portability and Accountability Act of 1996; andThree sets of regulations issued by the Department of Health and Human Services:Privacy Regulations - April 14, 2003 Compliance DeadlineTransaction Standards - October 16,2002 Compliance DeadlineSecurity Regulations - Pending
3PHI = Protected Health Information This guidance explains and answers questions about key elements of the requirements of the HIPAA Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule). The Department of Health and Human Services (HHS) published the Privacy Rule on December 28, 2000, and adopted modifications of the Rule on August 14, 2002.PHI = Protected Health Information
4PHI = Protected Health Information Any information, created or received by us in any form, thatidentifies an individual and is related to the past, present, orfuture:Physical or mental health of the individualProvision of health care to the individual’ orPayment for health care provided to the individual
5The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.It gives patients more control over their health information.It sets boundaries on the use and release of health records.It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights
6For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.It empowers individuals to control certain uses and disclosures of their health information.
7under HIPAA will make it easier and less costly "Overall, these national standards requiredunder HIPAA will make it easier and less costlyfor the health care industry to process healthclaims and handle other transactions whileassuring patients that their information willremain secure and confidential," SecretaryThompson said. "The security standards inparticular will help safe guard confidential healthinformation as the industry increasingly relieson computers for processing health caretransactions."
8Rule #1: DON’T SURPRISE THE PATIENT William Braithwaite, MD, PhD“Doctor HIPAA”PriceWaterHouseCoopersRule #1: DON’T SURPRISE THE PATIENT
9Rule #2: Use minimal amount of PHI necessary to conduct research
10DHPG Dartmouth Hitchcock Privacy Group: Dartmouth Hitchcock Clinics Mary Hitchcock Memorial HospitalDartmouth Medical SchoolDartmouth-Hitchcock Psychiatric AssociatesCheshire Medical CenterMt. Ascutney HospitalUpper Connecticut Valley HospitalWeeks Medical CenterWest Central Behavioral HealthOther Affiliated Institutions Using theDartmouth-Hitchcock Name to ProvideHealth Care Services to Patients
11Privacy Officer = Peter Johnson HIPAA / DHPGPrivacy Officer = Peter JohnsonLinda Messman, Director of Medical RecordsPrivacy NoticeScott Farr / (work in progress)
12Privacy Notice:TreatmentPaymentOperations(TPO)Research not included !
13Quality Assurance/ Peer Review The process of reviewing, analyzing or evaluating patient and/or provider specific data which may indicate (the need for) changes in systems or procedures which would improve the quality of care.
14Quality Assurance/ Peer Review Characteristics ConfidentialLearn from individual casesInvolves patient and/or provider specific dataProtected from legal discoverabilityReview often triggered by predetermined “thresholds”/criteriaMust be conducted within QA/PR committee structureKnowledge generation typically for local, immediate application
15Quality / Performance Improvement The process of reviewing, analyzing and evaluating aggregate data to understand patterns & trendsProcess triggers a cycle of:Analyzing a processIdentifying potential changesTesting changesEvaluating impact of changes on measures of success
16QI / PI Characteristics Not protected from legal discoverabilityUses aggregate data, not patient identifiable informationEvaluates patterns & trendsNot usually triggered by specific eventPre-data collection, a commitment to a corrective/improvement action planKnowledge generation typically for local, immediate application
17Research: a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.What do researchers do when they want to access patient information for research purposes?Obtain IRB approval !
18How can researchers access patient information for research purposes? HIPAA rules !
19Six ways the IRB will allow researchers to access protected health information (PHI)1. Obtain informed consent (authorization) from the patient2. Waive the requirement for obtaining informed consent3. The information is being collected only for preparatory work to researchOnly a Limited Data Set is collectedaccompanied with a Data Use Agreement5. Only decedent data is being collected6. Information requested is “de-identified”
206. De-identification Requirements (Two Methods) HIPAA Safe Harbor 45 CFR (b)(2)(i)NamesGeographic subdivisions smaller than a stateZip codesDates (birth, admission, discharge, death)Age, if over 89Telephone numbersFax numbersaddressesSocial security numbersMedical record numbersHealth plan beneficiary numbersAccount numbersCertificate and license numbersVehicle identification and serial numbersLicense plate numbersDevice identifiers and serial numbersURLsInternet Protocol address numbersBiometric identifiers (finger and voice prints)Full face photos and comparable imagesAny other unique identifiersStatistical 45 CRF (b)(1)A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable;Determines that the risk of re-identification of the data, alone or in combination with other reasonably available data, is very small; andDocuments the methods and results.
224. “Limited Use” Data Set Not Allowed Names Postal info (OTHER than town, city, state, and zip code)Telephone and Fax NumberAddressesSocial Security NumberMedical Record NumberHealth Plan Beneficiary NumberAccount NumberCertificate / License NumberVehicle ID (license plate) and SerialDevice ID and Serial NumberURLs and IP AddressesBiometric ID (finger, voice prints)Full Face Photos and Comparable Images
23Data Use Agreement : Used with Limited Data Set Researcher must agree:a. to the use of the limited data set or PHI to the specifiedpurpose as describedto limit who can use or receive the data to theresearch team directly involved in this projectnot to re-identify the data or contact the individualsto whom the data belongs
243. Preparatory to Research - Notice from the researcher 1. The use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research2. Will not remove any PHI from the covered entity,3. The PHI for which access is sought is necessary for the research purpose.This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study.
25IRB Waiver of IC – requirements: A. Use or disclosure involves no more than minimal risk to individuals;Alteration or waiver will not adversely affect privacy rights and welfare of individuals;C. Research could not practicably be conducted without the alteration or waiver;Research could not practicably be conducted without access to and use of PHI;Adequate plan to protect identifiers from improper use and disclosure;Adequate plan to destroy identifiers at the earliest opportunity, unless there is a health or research justification or legal requirement to retain them; andG. Adequate written assurances that PHI will not be reused or disclosed for other purposes.
261. Obtain Consent (authorization) from the Patient 1. Description of Health Information to be gathered.2. Identification of Person authorized to disclose3. Identification of Recipient4. Description of Purpose(s)5. Expiration date - "end of research study," "none," or similar language is sufficient if the disclosure isfor research, including for the creation and maintenance of a research database or research repository6. Statement of Right to Revoke7. (In)Ability to Condition Treatment on the Authorization statement8. Statement Regarding Re-disclosure9. Remuneration for Marketing Activity (if applicable)10. Dated Patient Signature11. if signed by Personal Representative, a description of that person's authority
27Consent Forms for Clinical Trials: Please remember each study is unique,thus the correct language for the consentform is dependent on the language in theprotocol and/or contract.You will begin to see HIPAA languagein sponsor provided consent formtemplates.
28Data Collection In the Consent Form under the section entitled: Other Important Items You Should Know:Add a sub - section entitled:Data CollectionUnder the same section expand thecurrent sub-section entitled:Confidentiality
29The data collected in this study will be used for the purpose Data Collection: Add a general sentence about the data to be collected.And add the following sentences as applicable for the particular study:The data collected in this study includes :The data collected in this study will be used for the purposedescribed in this form. Patient identifiable data will not be releasedbeyond that required for the purposes of conducting this researchstudy. By signing this form, you are allowing the research teamaccess to your medical records. The research team includes theresearchers listed in this consent form and other personnelinvolved in this study at DHMC and other entities as described inthe "Confidentiality" section of this consent form. If you chose towithdraw from the study, you may revoke your approval for theuse of your future medical information. To do this, you maycontact the researcher in writing. Data which has already beencollected will be maintained with the research records.
30Explain how long data will be maintained: Examples: Data gathered from this study will be maintained for as long as the sponsor needs to obtain approval from the FDA.Data gathered from this study will be maintained indefinitely or as required by federal or state regulations.If there are limits to the patient access to research records describe here: Example:During the course of this study participants may not have access to research records.If you chose, you may request this information after the research is completed.
312. Identification of Person authorized to disclose The research team includes the researchers listed inthis consent form and other personnel involved in thisstudy at DHMC and other entities as described in the"Confidentiality" section of this consent form
323. Identification of Recipient Describe as applicable who may have access to research data - this can be added to Confidentiality section:Example:Research data may be shared, as required by law, with Dartmouth Hitchcock Medical Center authorities andExamples: Federal agencies such as the Food and Drug Administration, add as appropriate: National Co-operative Study Group, Multi-center sites , Insurance Company.If the research is sponsored or if the data is being sent anywhere outside of DHMC describe in some detail: The sponsor of the study, xxx, and any corresponding entities involved in the monitoring of this study (name of CRO if applicable) or Data and Safety Monitoring Committee if applicable, will also have access to this research data. These organizations do not have a regulatory obligation to protect the data. (however if the data being released is not patient identifiable or the sponsor agrees not to redisclose patient identifiable information, a statement to that effect should be included here).
334. Description of Purpose(s) Most consent forms describe the purpose of the researchin the opening paragraphs.If not, please add.
345. Expiration date - "end of research study," "none," or similar language is sufficient if the disclosure is for research, including for the creation and maintenance of a research database or research repositoryData gathered from this study will be maintained for as long as the sponsor needs to obtain approval from the FDA.Data gathered from this study will be maintained indefinitely or as required by federal or state regulations.
356. Statement of Right to Revoke If you choose to withdraw from the study, you mayrevoke your approval for the use of your future medicalinformation. To do this, you may contact the researcherin writing. Data which has already been collected willbe maintained with the research records.
367. (In)Ability to Condition Treatment on the Authorization statementIf not already in the consent form, add in the"Other Important Items" section:o Your decision whether or not to participate in thisstudy, or a decision to withdraw will not involve anypenalty or loss of benefits to which you are entitled.
378. Statement Regarding Re-disclosure The wording in the contract with the sponsor will determine this statement in the consent form. If a sponsor will not re-disclose patient identifiable information, include that information or :These organizations do not have a regulatory obligation to protectthe data. (however if the data being released is not patient identifiableor the sponsor agrees not to redisclose patient identifiable information,a statement to that effect should be included here).
389. Remuneration for Marketing Activity (if applicable) The sponsor usually provides wording for this activity, which is usually something to the effect :"You will not receive any compensation if the results of this research are used towards the development of a commercially available product."
3910. Dated Patient Signature This is already required in the signature section.Please also add this sentence if it is not in the currentconsent form:I have been given a copy of this consent documentfor my own records.
4011. if signed by Personal Representative, a description of that person's authorityThis is already required in the signature section.
41PLEASE NOTE:The signed consent form must bemaintained for at least 6 years after it is signed. This can be satisfied by placing the consent form in the medical record or by keeping it in the study's research files.There is CIS team recently released a feature to create an electronic consent form and protocol summary.
42Patients enrolled into a research study prior to April 14, 2003 do not have to signanother consent form.New patients enrolled into a clinical trial on or after April 14, 2003 will need to sign an IRB approved HIPAA compliant consent form OR the currently IRB approved consent form PLUS an IRB approved 'add on‘ form describingHIPAA information.
44Committee for the Protection of Human Subjectsa. NEW FORM: Research with PHIb. HIPAA Compliant Consent Form Templatec. HIPAA powerpointAdditional HIPAApresentation/consent review dates
45Additional HIPAA forum dates: Review Consent FormsCafé B 2/ amCafé B 2/ amCafé B 3/ amCafé C 3/ :30 amCafé B 3/ pmCafé A 3/ :30 pmHIPAA EDUCATION DATES3/4 Aud E 2:00 to 3:00 pm2/18 L2B 8:00 to 10:30am3/26 L2B 10:30 to 1:00pm.
46HIPAA applies to Covered Entities (CEs) only: - Health Care Providers- Health Care Plans- Health Care Clearinghouse
47of HIPAA Covered Entities Business Associatesof HIPAA Covered Entities
48Business Associates of HIPAA Covered Entity: • A person or entity (not a member of the Covered Entities workforce or plan) that provides services for a Covered Entity that involves the use of protected health information (PHI)
49Business Associates could include: • Pharmaceutical / Biotech Companies• Data Entry Service Vendors• Other covered entities
50Business Associate Agreement Does not pass through the same privacy requirements of Covered Entity to business associate. It requires in a written contract:• Satisfactory assurance that PHI will beappropriately safeguarded and used only for the purposes of performing associate’s obligations• Assure that agents of business associate agree to the same restriction• Make PHI available as require by law• Return or destroy all PHI at conclusion of contract
51Business Associate Agreement Requirements continued:• Associate to advise Covered Entity when violations have occurred• Take reasonable steps to cure a breach of privacy requirements• Covered Entity may terminate agreement if breach of privacy not cured
52Chain-of-Trust Provisions • Business Associate agrees to protect the integrity and confidentiality of PHI exchanged electronically
53HIPAA Health Insurance Portability and Accountability Act