1 HIPAA and Research and YOU
2 INTRODUCTION Rule #1: Don’t Panic Rule #2: Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and Good Planning, and will become routine over time - The biggest impact of HIPAA is that it requires researchers to plan the data privacy and data sharing aspects of their studies more carefully, specifically by identifying in advance all persons and entities who will need access and getting the patient’s authorization (or IRB waiver) allowing that access. - Most other changes due to HIPAA will be “standardized” ones – e.g. “boilerplate” consent language, “standard” IRB findings for waivers, and standardized written “representations” or “data use agreements” signed by researchers in certain situations. - Changes will most affect (a) “data access/use/disclosure planning” (b) researcher/departmental databases and registries (c) how you maintain/secure/treat your research records (d) studies starting pre 4/03 and continuing after 4/03 Rule #3: But Beware – HIPAA’s Bite The Civil and Criminal Penalties under HIPAA are significant
3 HIPAA OVERVIEW THE VERY, VERY BASICS 1996 Federal Law Department of Health and Human Services (DHHS) Regulations 4 Rules – Privacy, Security, Transaction and E-Signatures Immediate Concern – Privacy Rule Effective Date of Privacy Rule: April 13, 2003
4 HIPAA OVERVIEW THE VERY, VERY BASICS Essential Purposes/Goals of HIPAA Privacy Rule Broadly, to specify how providers (who bill insurers electronically), health plans and medical billing intermediaries (clearing houses), a/k/a “Covered Entities”, must treat/handle (use/disclose) an individual’s protected health information (“phi”) To specify when, for what purposes and under what conditions/circumstances phi can be used by the Covered Entity or disclosed to a third party To specify what rights individuals have with respect to their own phi. To specify what administrative procedures and safeguards Covered Entities must implement to safeguard phi.
5 HIPAA OVERVIEW THE VERY, VERY BASICS Q: Is a Researcher a Covered Entity that has to comply with HIPAA? Answer: Maybe. HIPAA Rule covers “providers” who bill insurers for their services electronically, and does not cover “researchers” per se. However, DHHS has said that if the researcher is engaged in a clinical study involving “standard of care” or “routine” treatment (e.g. MRI or liver function test) and the researcher bills insurers for the costs of that treatment, then the researcher is a covered provider that needs to comply with HIPAA. In other cases, researchers will not be “covered by HIPAA”. Q: Are Researchers that are not Covered Entities still affected by HIPAA? Answer: Yes, if they need to receive and use phi held by a Covered Entity (e.g. FAHC). In those cases, HIPAA rules must be followed by the CE before disclosing the PHI to the researcher.
6 HIPAA OVERVIEW THE VERY, VERY BASICS What are the implications of a researcher being “covered by HIPAA”? Research Records must be accounted for and unauthorized disclosures must be tracked and an accounting provided to the subject upon request “Minimum Necessary” and other rules must be followed with respect to access to research records and study-related phi.
7 HIPAA OVERVIEW THE VERY, VERY BASICS Some Key Concepts to Keep in Mind HIPAA “Default Rule”: Unless HIPAA Rule specifically permits otherwise, a Covered Entity (e.g. FAHC) can only use/disclose phi for any purpose if specifically authorized by the individual in writing.
8 HIPAA OVERVIEW THE VERY, VERY BASICS Some Key Exceptions: A Covered Entity can use/disclose PHI without individual authorizations: –for treatment, payment, health care operations –for certain public health, law enforcement or other specified “public response” reasons –for research with approval of an IRB (when authorization is not “practicable” and other conditions are met) or in other limited circumstances (described below).
9 HIPAA OVERVIEW THE VERY, VERY BASICS Meaning of “Default Rule” for Researchers With very few exceptions, when a written authorization can “practicably” be obtained from research subjects, you have to get it. Always be sure to plan in advance by identifying all persons/entities needing access to PHI and, whenever possible, getting the patient’s authorization to allow that access Remember, patient needs to authorize both (1) the researcher getting and using the patient’s phi and (2) the researcher disclosing phi to third parties.
10 HIPAA RESEARCH RULES Definition of “Research” Same in HIPAA & Common Rule “A systematic investigation including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge” Distinct from QA/QI Activities (HIPAA permits without patient authorization or IRB waiver)
11 HIPAA RESEARCH RULES When can PHI be used/disclosed for research purposes? With individual’s signed, written authorization Upon waiver of authorization by IRB or PB For “reviews preparatory to research” For “research on decedent’s information” If provided in a “Limited Data Set” (16 identifiers removed) under a “Data Use Agreement” Whenever PHI is completely de-identified (30 identifiers removed)
12 HIPAA RESEARCH RULES What are some of the other key HIPAA rules re Research –Authorizations - Content Requirements –IRB Waivers of Authorization - Process, Required IRB Findings and Documentation and Recordkeeping –“Reviews Preparatory to Research” - When & How –Research Involving “Decedents’ Information” - When & How –Research Using “De-Identified Data” - When & How –Research Using “Limited Data Sets” - When & How –Registries & Databases - Creation & Use
13 HIPAA RESEARCH RULES HIPAA “Transition Rule” - All pre-compliance date authorizations and IRB waivers, and resulting PHI, can continue to be utilized after 4/13/03 in both “treatment” and “records” studies that were approved before 4/13/03. - For studies approved after 4/13/03, HIPAA rules must be followed - However, for treatment studies approved and commenced before 4/13/03, HIPAA-compliant authorizations must be obtained for all patients enrolled after 4/13/03.
14 WHAT DOES IT MEAN FOR ME AND MY STUDY? For “Treatment Studies” –Follow applicable HIPAA rules (and applicable IRB rules) for recruitment activities and “reviews preparatory to research” –Make sure informed consent form contains HIPAA authorization language and that it authorizes all researchers and necessary research staff to access and use pre-existing phi and phi generated in the study, and that it authorizes disclosures of records to all third parties requiring access (e.g. study sponsor, IRB staff, study audit staff, etc). –Also make sure authorization covers/permits access (as necessary) by persons within FAHC and/or UVM needing access (e.g. Cancer Study staff) as necessary. This is because (a) under the “HIPAA Default Rule” a specific patient authorization is normally required, and (b) UVM and FAHC are separate legal entities.
15 WHAT DOES IT MEAN FOR ME AND MY STUDY? For “Records” or “Chart Review” Studies –IRB Waiver of authorization under HIPAA must be obtained in addition to waiver of consent under the Common Rule Exceptions: Researcher receives only “Limited Data Set” under Data Use Agreement Researcher receives only de-identified data Researcher receives only “decedents’ data” upon filing required written representations
16 WHAT DOES IT MEAN FOR ME AND MY STUDY? For Patient Recruitment Activities If researcher is “employee” of the Covered Entity holding the phi (FAHC) no IRB approval is needed to access medical records to identify patients and record contact information. If researcher is not an employee of Covered Entity holding the phi (e.g. employees of UVM or other third party) researcher must obtain a partial IRB waiver to access medical records to identify patients and record contact information. In either case, IRB policy on “patient contact” (i.e. contact only through treating physician) must still be followed.
17 WHAT DOES IT MEAN FOR ME AND MY STUDY? For Keepers of Registries & Databases - Registries and databases created with patient authorization continue to be fully permissible before and after 4/03. - Existing databases approved through an IRB waiver of consent are “grandfathered” – old data can continue to be maintained and accessed and new data added without further approval. - Existing databases never authorized by patients or approved by an IRB can continue to be maintained and accessed after 4/03, but an IRB waiver or patient authorization is needed to add new phi after 4/03. - In all cases, phi in a registry or database can only be later used/disclosed for research upon a new/second patient authorization or IRB waiver.
18 WHAT DOES IT MEAN FOR ME AND MY STUDY? For Pre-Approved Studies Continuing Past 4/13/03 –For “IRB Waiver” studies (mostly “record studies”) no action needed; original waiver is deemed still valid –For “patient authorization studies” (mostly treatment studies), patients enrolling pre 4/03 need not be re-consented but patients enrolled after 4/03 must sign a HIPAA-compliant consent.
19 WHAT DOES IT MEAN FOR ME AND MY STUDY? For staff maintaining research records –research records are different than treatment records –need to determine whether HIPAA rules apply to your research records –If research also involves “standard treatment” (e.g. in most clinical trials) and insurance billing is involved, it is likely that some provisions of HIPAA will apply to the research records. –Otherwise, HIPAA will not apply to the research records –If HIPAA does apply to the research records, you will, at a minimum have to - ensure institution knows of existence of records and their location - account for all unauthorized disclosures - keep phi secure - be trained in HIPAA requirements - failure could lead to institutional or personal liability