Presentation on theme: "HIPAA Review for Research Susan Bouregy Chief HIPAA Privacy Officer Director, Human Subjects Committee."— Presentation transcript:
HIPAA Review for Research Susan Bouregy Chief HIPAA Privacy Officer Director, Human Subjects Committee
What is HIPAA? Health Insurance Portability and Accountability Act
Why does insurance portability affect research? Insurance portability costs money Electronic submission of standardized claims Huge databases and electronic data flowing over the web made people nervous Privacy and Security Rules of HIPAA
The Privacy Rule Applies to health care providers and health plans that bill electronically Limits how health information can be used (internally) or disclosed (externally) Provides patients certain rights with respect to their health information
HIPAA at Yale At Yale, HIPAA applies to: –YSM –EPH –YSN –YUHS –Psychology clinics –YUHP –Benefits Office
Protected Health Information (PHI) Individually identified AND Past, present or future physical or mental health or condition; healthcare; or payment for healthcare AND Created or received by a covered entity (including PHI created in research)
18 HIPAA identifiers Facial identifiers Name Address SSN phone Fax e-mail full face photo Less obvious identifiers any dates MRN health plan # account #’s license # VIN device # URL’s IP address finger/voice print Any other unique identifying numbers, characteristics or codes
What’s not covered? De-identified health information Research outside covered components (e.g. anthropology etc) Studies that don’t involve health information
How PHI can be used/disclosed Healthcare providers can use/disclose for treatment, payment and healthcare operations (TPO) Patient can authorize any use or disclosure Privacy Rule defines other circumstances when PHI can be disclosed without patient authorization – public health, abuse, research, etc. Allowed list does not include blanket ok for research disclosures
How PHI can be used for research Patient authorization (RAF) IRB approved waiver of authorization De-identified data Limited data sets with Data Use Agreement Decedent information Preparatory to Research Use “Request Access to PHI for Research Purposes” form
Research authorization What specific information will be used/disclosed by whom and to whom (classes) Purpose of use/disclosure How long the authorization is valid (can be forever if justified by the research) Ability to revoke Potential for re-disclosure if data shared with non-HIPAA covered entity Ability (or not) to condition treatment on signing Signature & date
Common Rule consent Statement that this is research Purpose and duration Procedures Risks and benefits Alternative procedures Confidentiality Compensation for injury Who to contact Voluntary participation Potential for unknown risks Potential to be pulled from study Costs Consequences of withdrawal Ongoing information to be provided Number of subjects
Research authorization Use Yale RAF template on HIC site Can be combined with consent form = “Compound Authorization” Can not be combined with other authorizations Must be specific – can’t authorize future unspecified research Can use “standard” authorization in addition to RAF to get copies of records from other sites who don’t need to know about research involvement
Unauthorized disclosures that are ok under HIPAA Adverse event reporting to FDA (public health exception) Child or elder abuse reporting (state mandated preemption) Mandated public health reporting (gunshot wounds, communicable diseases) Serious threat to health or safety Billing insurance (TPO)
Sign here! I consent to this emergency surgery and authorize any scientist anywhere to have access to my records and tissues for any research purpose.
Waiver of authorization IRB must determine –Minimal risk to privacy –Research couldn’t be conducted without access and without waiver –Written assurance PHI won’t be re- disclosed or re-used except as required/permitted by law –Limited to minimum necessary
“Partial waivers” and alterations Recruitment may require access to PHI but no patient contact Phone eligibility screens where no written authorization possible Can waive authorization for these initial research processes and then subjects consented later No provisions for waiving documentation only
Minimum Necessary Standard Only that information required for the research is collected No fishing expeditions
De-Identified vs Anonymous De-identified = HIPAA, lacks 18 identifiers Anonymous = IRB term, not actually in Common Rule; identity of the subject may not readily be ascertained Anonymous data may or may not be de-identified
Secondary use of study data Colleague requests copies of PET scans created in a research project to perform meta analysis. No other data requested Scans have date of scan embedded in image which can’t be removed What is required to release the data to external researcher?
Ex: PET scan including date of scan Common Rule Anonymous Not human subjects research No IRB approval No consent requirements HIPAA Date + scan = PHI HIPAA applies Authorization or waiver Accounting for disclosures
Coded data HIPAA allows a covered entity to code data and then release the coded data as “de-identified” as long as the code is secured and not distributed with the data Common Rule considers coded data with agreement/policy that PI can’t access code to not involve human subjects When the PI codes the data it is not de-identified but it may be Common Rule exempt if PI does not hold the code Codes can not be derived from identifiers (e.g. last 4 digits of SSN)
Limited Data Sets “Almost” de-identified Can have dates and geographic info Requires signed data use agreement Does not require accounting for disclosures
“Internal” data use agreements Yale construct Useful when data collected outside HIPAA context (international, schools etc) Don’t concern yourself with HIPAA until you return to Yale Leave identifiers at site/outside Yale covered entity
Preparatory and Decedents Preparatory to research requires no PHI leave the covered entity Useful for feasibility determinations, grant prep, etc. Decedent information requires PI certification that only decedents’ information requested Covered entity can ask for proof of death Use “Request Access to PHI for Research” form
Ways to recruit subjects Treating clinician tells patient about the study and how to contact researcher Treating clinician obtains authorization allowing researcher to contact patient Partial waiver
Data and specimen banks Authorization must be for specific purpose Banks don’t know at time of collection how data/specimens will be used. Therefore, can’t obtain valid authorization for research uses Can get authorization to bank Access then requires a waiver for the use or disclosure of the information
Patient rights in research context Notice of Privacy Practices –NOPP describes our clinical uses/disclosures –Required to distribute in treatment studies Access and amendment –Access is to “Designated Record Set” (information used to make treatment decisions), research data isn’t automatically included in DRS –HIPAA allows access to be denied in the course of a blinded study Accounting for disclosures –Provide list of disclosures of PHI that are not TPO and not authorized –Data accessed under a waiver of authorization must be listed
Privacy and Security Privacy relies on adequate security Subjects promised certain level of confidentiality in consent documents HIPAA Security Rule specifies that we have administrative, technical and physical safeguards of ePHI State law requires notification if “personal information” is accessed/stolen (identified financial information) VA security directives
Data classification Low risk –No regulatory or contractual requirements for confidentiality/security –Can be released to the public Sensitive –Contractual or other obligation to protect the data or deemed sensitive by Yale Restricted –Data protect by law (HIPAA, FERPA) or deemed restricted by Yale
Low risk data Publicly available De-identified data Data collected in an “exempt” study
Sensitive data Minimal risk studies Linking codes related to restricted data Coded data stored separately from code Sponsor requires data be maintained confidentially (trade secrets)
Restricted data Identified data collected in collaboration with VA Identified HIV, mental health, genetic predisposition to disease, substance abuse, criminal history ID theft information – social security numbers, financial account numbers Data held under a Certificate of Confidentiality
Above-Threshold Systems Primary source, sensitive, or restricted data ePHI critical for treatment, payment or healthcare operations Sensitive or restricted information held in a multi-user system
Above Threshold examples A PC with database including social security numbers Server with health information collected for research that is accessed by several members of the research team Computer housing primary copy of patient medical record
Basic System (below threshold) Doesn’t contain above threshold information Single user De-identified data Public information
Above threshold requirements Registration with Information Security Annual review of security safeguards Contingency plans, emergency mode operation, access controls etc.
Ways to secure data Striping identifiers Coding data Encryption Secure servers (Yale data center) Lock and key for paper records Secure data transfer (encrypted e- mail, FedEx of encrypted CD)
Other data security issues Frequent data back-ups to ensure access Back-up stored off-site or in secure location Secure access to Yale systems by external collaborators Appropriate disposal at end of life
Getting the information You need an IDX report of all patients seen in the last 5 years who have been diagnosed with breast cancer. You e-mail your administrative assistant to get the report so you can call patients for enrollment.
Getting the information Do you have an IRB approved partial waiver? Providing the list requires accounting by the holder of the records Cold calls are generally considered inappropriate.
Lost or stolen laptop Help my laptop (flashdrive, CD back- ups, PDA, etc) is missing! Do I need to do anything?
Lost or stolen laptop Report to police (YU and local) Report to Information Security Report to IRB Was it encrypted? Was it backed up? What was on it and how sensitive?
Old samples We have a freezer full of old tissue blocks that have built up over the years and we want to use them for our new exciting research.
Old samples Freezer full of samples is a repository. Requires IRB protocol outlining how obtained and maintained. Was there consent/authorization to keep the samples when they were collected? Is the proposed use consistent with any prior consent/authorization?
I got a great new job! I’m leaving tomorrow for a new position and all my data, samples and equipment are loaded into my rental truck. See Ya!
Great new job Has IRB approval been obtained from the new institution? Has Yale approved the transfer of equipment? Are there grant funds that will be transferred? Are there Yale personnel that rely on or have ownership interest in the equipment/data/specimens? Has the removal of data/specimens been approved and accounted for? Has OEHS made sure equipment and materials can be safely transported?