Presentation on theme: "HIPAA Privacy Rule and Research"— Presentation transcript:
1. HIPAA Privacy Rule and Research
Elizabeth A. Trias, MA, CIP
Pam Joy, RN, MN, PNP
November 2003 (rev. May 2004)

2. WA State Law & Privacy Rule
Good News:
- Children’s researchers already operate in compliance with Washington State’s Uniform Health Care Information Act.
- Many of the HIPAA Privacy Rule requirements for research were already in place.
- Impact of HIPAA on researchers in the state of Washington is less than in other states.

3. Highlights of the Privacy Rule
- Effective April 14,
- Sets a federal floor for patient Protected Health Information (PHI), but:
  - States may have more stringent privacy protections, and
  - The more stringent law (HIPAA or state) governs.
- Today we’ll review privacy rule implications for research.
- Failure to comply can result in civil fines ($) and criminal penalties.
(Remember to thank them, not us!)

4. Protected Health Information
Privacy Rule protects health information identifying a person (or information that can be used to identify a person):
- All individually identifiable health information that Children’s creates, uses or receives.
- Includes information about:
  - Past, present or future physical or mental health of a person,
  - Provision of health care to that person, and
  - Payment for care received.
- Includes information in written, electronic or oral form.

5. What is Patient Identifiable?
Information containing any one of 18 identifiers:
- Name
- Social Security Number
- Device identifiers and serial numbers
- Geographic subdivisions smaller than state (street address, city, county, precinct, zip code, equivalent geo-codes except first 3 digits of a zip code)
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death, and ages over 89
- Biometric identifiers (including finger or voice prints)
- Medical record numbers
- Health plan beneficiary numbers
- URL (Web Universal Resource Locator)
- Telephone numbers
- Account numbers
- Email addresses
- Fax numbers
- Certificate/license numbers
- Internet Protocol (IP) address numbers
- Full face photographs
- Vehicle identifiers and serial numbers, including license plate numbers
- Any other unique identifying number, characteristic, or code

6. Use & Disclosure of PHI
- Use: Sharing within the entity.
- Disclosure: Sharing outside the entity.
- Privacy rule allows use and disclosure without specific authorization for Treatment, Payment, and Operations (TPO).
- Research is not considered to be treatment, payment or operations.

7. Minimum Necessary Standard
Must limit PHI use or disclosure to the minimum necessary to accomplish the intended purposes of the research.
Minimum necessary applies:
- Pursuant to a waiver of authorization,
- Use or disclosure of decedent’s PHI,
- Uses preparatory to research, and for
- Limited Data Sets.
Minimum necessary does not apply to:
- Treatment disclosures or requests,
- Use or disclosure made under an authorization,
- Disclosures to the patient of his/her PHI,
- Disclosures to DHHS for compliance, and
- Uses or disclosures required by law.

9. Overview of Impact at Children’s
Under the Privacy Rule, researchers must:
- Provide more detailed information to the IRB about how PHI will be created, used or shared,
- Provide more information to research participants during the consent process and gain specific authorization for the use of their PHI, and
- Track disclosures of PHI for studies that IRB has approved with waiver of authorization requirement.
Affects any research conducted under Children’s auspices that creates, uses or discloses PHI.

10. Impact on Clinical Research
[Process diagram] Steps: Design Research Study; Gain IRB Approval; Screen participants (Obtaining PHI); Recruit participants; Conduct Research; Generate Results & Reports.
New Privacy Requirements:
- Documentation of IRB approval (IRB cover sheet)
- Oath of Confidentiality for Recruitment
- Authorization signed for each subject and filed with Medical Records

11. Screening Patients
Obtain IRB approval
- Include signed “Oath of Confidentiality – Recruitment” if researchers need access to protected health information to identify, select and recruit patients
Screen participants
- Present documentation of IRB approval (IRB cover sheet) & signed Oath of Confidentiality – Recruitment when requesting data or records on potential participants (e.g., Medical Records, Lab, Radiology),
- Obtain/Use only the minimum necessary PHI, and
- All PHI must remain within Children’s
Recruit participants
- Obtain signed authorization for each subject (file original with original consent form in researchers’ file), or
- Destroy PHI for participants who do not take part, do not respond or are not eligible

12. Authorizations
“Permission to Use, Create and Share Health information for Research” authorization form:
- Contains required elements of authorization under Privacy Rule,
- Signed by parent or legal guardian unless participant is a legal adult (18 years and older)
- Allows researchers to use subject’s PHI for a specific research study.
At Children’s, authorization is separate from the research consent:
- Avoids detracting from essential elements of consent form, and
- Ensures consistent compliance with privacy elements.

13. Signed Authorizations: Where to File
- Signed Original remains in the principal investigator’s research files along with original, signed consent form
- Signed Copy to parent or research participant (if 18 and older)
- Signed Copy to Children’s Medical Records – Filing 4P-2, if research participant is Children’s patient (patient information box must be completed)

14. Authorization Form
- Available on IRB Web Site under Forms and under HIPAA and Research.
- Versions in English, Vietnamese, Spanish, Somali, Russian, Korean, Simplified Chinese and Traditional Chinese.
- Researcher must complete the highlighted areas (e.g., study title, name and address of PI, name of sponsor, etc.)
- Researcher must complete the box at the end of the form if research participant is a Children’s patient. Required so that authorization can be filed in the participant’s medical record.

15. Clinical Studies (with Authorization) Before & After 4/13/2003
Status of Research Study | Action Required
1. New research study | Enrollees need to sign authorization form and consent form
2. On-going analysis – Data collection complete | No further HIPAA compliance activity required
3. On-going research – Consented | No further compliance activity required
4. On-going research – Requiring re-consents | All re-consenting enrollees need to sign authorization form and consent form
5. On-going research – Enrolling new participants | All new enrollees need to sign authorization form and revised form
New = Study initiated on or after April 14, 2003.
On-Going = Study approved before April 14, 2003.

16. Research Under Waiver of Authorization
[Process diagram] Steps: Design Research Study; Gain IRB Approval for Waivered Study; Collect Data; Analyzing Data; Generate Results & Reports.
New Privacy Requirement:
- Signed Oath of Confidentiality
- Documentation of IRB approval (IRB cover sheet)
- If tracking required (IRB will advise) researcher keeps track of patients whose records are being used.

17. Waiver of Authorization
Researcher is asking IRB to waive authorization from patient or their parent to use their PHI in research:
- Almost exclusively used for retrospective records review research.
- Must meet HIPAA criteria for waiver of authorization.
- Must also meet Federal Regulations (Common Rule) and Washington State law for waiver of consent/permission.

18. HIPAA Criteria for Waiver of Authorization
The use or disclosure of protected health information must involve no more than minimal risk to the privacy of the individual, based on at least the presence of the following:
- An adequate plan to protect the identifiers from improper use or disclosure
- An adequate plan to destroy the identifiers at the earliest opportunity, unless retention of identifiers is required by law; and
- Adequate written assurance that the PHI will not be used or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject.

19. Criteria for Waiver of Authorization cont.
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to the protected health information

20. Implications for Research Under Waiver
Obtain IRB approval
- Include signed “Oath of Confidentiality”
Collect Data:
- Provide documentation of IRB approval (IRB cover sheet) to data sources (e.g., Medical Records, Lab, Radiology). Complete forms as required by providing department, e.g., ‘Research Chart Request Form’ for Medical Records; “Request for Tissue for Use in Research” for Laboratory
- If tracking required, record access on “Disclosure Tracking” form located at (Medical Records will do tracking when researchers are requesting paper copies of the medical record).
- Obtain/Use only the minimum necessary PHI

21. Disclosures of PHI without Authorization
- Patients have right to request an accounting of how their/their child’s PHI was disclosed without their authorization.
- Disclosure means communicating information (PHI) outside the covered entity.
- Use means communicating information (PHI) within the covered entity.

22. Children’s – Covered Entity
Researchers would be considered part of Children’s workforce (the covered entity) if one of the following applies:
- Employee of Children’s
- Employee of Children’s University Medical Group (CUMG)
- Residents and Fellows working at Children’s

23. Tracking of Disclosures
- Children’s is responsible for tracking unauthorized disclosures.
- Disclosures are tracked; Uses are not.
- IRB will advise researchers at the time their research project is reviewed whether tracking is required.

24. Tracking Disclosures
- Unauthorized disclosures of PHI for research purposes must be tracked.
- Children’s has tracking form available on IRB web site (online version and Word version).
The following information must be tracked:
- IRB # and Research Study Title
- List of individuals whose PHI was accessed, including their Medical Record #,
- Date of access,
- Name of person/entity accessing the PHI, and
- Brief description of PHI accessed.

25. Tracking of Disclosures is Not Required
- To carry out Treatment, Payment or Operations (TPO) of the Covered Entity
- Disclosure is to the individual or their legal representative (parent)
- Pursuant to an Authorization
- Limited Data Set
- De-identified Data

26. Research Under Waiver (of Authorization and Consent)
Status of Research Study | Action Required
1. Research study – All research team members are part of Children’s workforce | No Tracking required. Departments providing PHI need documentation of IRB approval.
2. Research study – Not all members of research team are part of Children’s workforce | Tracking required.** Departments providing PHI need documentation of IRB approval.
** Tracking required means:
- Complete Disclosure Tracking Form
- If researcher is only using the paper medical records, i.e., patient charts, Medical Records will do tracking.

27. Limited Data Sets
Contain limited direct identifiers that may include:
- Dates: admission, discharge and service dates, date of birth, date of death,
- Age (including age 90 or over), and
- Geographical subdivisions such as state, county, city, precinct and five digit zip code.
Advantages:
- No need to track disclosures.
But remember:
- Cannot use LDS information to contact individuals,
- Recipient must sign a data use agreement (DUA) (a kind of “super-confidentiality” agreement),
- Minimum necessary standard applies, and
- Still requires IRB approval.

28. De-Identified Data
Previously known as anonymous data.
How to de-identify data:
- Expert in statistical principles reviews and documents methods used to determine that risk is “very small” that data could be used alone or in combination with other reasonably available information to re-identify, or
- All 18 identifiers must be removed. You must know that remaining information cannot be used alone or in combination with other information to re-identify.
Common Rule and State Law still apply!

29. Implications for De-Identified & Coded Data
- Common Rule considers coded information to be indirectly identifiable.
- A protocol must be submitted to the IRB even if a researcher plans to de-identify information.
- IRB will determine whether it qualifies for exempt or expedited IRB application.

30. Requirements Summary
Requirement | Identifiable Data: Consented/Authorized | Identifiable Data: Waivered Study | Limited Data Set | De-Identified Data
IRB Approval | Required | Required | Required | Required
Authorization or Waiver | Required | Required | Required | Required
Data Use Agreement | | | Required |
Minimum Necessary | | Applies | Applies |
Tracking Disclosures* | | Applies | |
* PHI access is a disclosure if any member of research team is not part of Children’s workforce

31. Other Implications
Case Studies:
- Children’s does not consider to be research or require IRB review.
- Privacy Rule does apply
- Must be de-identified when disclosed
- Consent/authorization is best
- Formal policy and approval process being discussed
Departmental/Personal Databases:
- Purposes include patient care, education, and QA
- Privacy Rule applies
- Research using these databases requires IRB review
- Work is beginning to identify these databases to protect them to comply with the HIPAA Security Rule

32. Remember Rights of Participants
- Right to privacy of PHI
- Right to authorize use of identifiable PHI for research purposes
- Right to an accounting of how identifiable PHI was disclosed for research without authorization
- Right to revoke an authorization in writing. No further PHI may be collected for the research after the authorization is revoked
- Researchers may continue to use and disclose PHI that was collected under the authorization to maintain the integrity of the research

33. Questions?
Additional Resources:
IRB website
- Outline of HIPAA-related responsibilities of researchers,
- Links to authorization form, disclosure tracking form, research chart request form, Oath of Confidentiality
External resources:
- “Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule” (http://privacyruleandresearch.nih.gov/), and
- Privacy Rule Research FAQs (http://answers.hhs.gov). Search under “research”.