Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Requirements for Patient Oriented Research.

Similar presentations


Presentation on theme: "HIPAA Requirements for Patient Oriented Research."— Presentation transcript:

1 HIPAA Requirements for Patient Oriented Research

2 UPENN HIPAA Experts Contacts Lauren Steinfeld University Chief Privacy Officer Yvonne Higgins Office of Regulatory Affairs Debbie Gilead Chief Privacy Officer UPHS, HIPPA HIPAA Resources for Researchers

3 University of Pennsylvania Background - Background - HIPAA Privacy Rule HIPAA: Health Insurance Portability and Accountability Act outlines the Privacy Regulations Purpose: to protect privacy of patient records provided to health plans, doctors, hospitals and other health care providers Patients: provided with access to their records and more control over how their Protected Health Information (PHI) is used and disclosed Research: Includes specific rules surrounding clinical research and the collection and use of PHI for research purposes Owner: Developed by DHHS, enforced by OCR (Office of Civil Rights) Start date: April 14, 2003

4 University of Pennsylvania Definitions Individually Identifiable Health Information Information about the physical or mental health of an individual Created or received by a covered entity Relates to individual’s health, health care or payment for care - past, present or future Reasonable belief that the information can be used to identify a particular individual Applies to defined standard transactions

5 University of Pennsylvania Protected Health Information (PHI) All individually identifiable health information transmitted or maintained by a covered entity, regardless of form or media – Include oral communications – Excludes education records – Excludes employment records Definitions

6 University of Pennsylvania Definitions - Definitions - Covered Entity UPenn School of Medicine HUP CPUP (Clinical Practices) Presbyterian Hospital Graduate Hospital Pennsylvania Hospital Penn Center for Rehab CCA (Clinical Care Associates) Others … Does not include CHOP or VA

7 University of Pennsylvania Uses and Disclosures of PHI in Research There are FOUR ways to use PHI in Research: 1)Authorization 2)IRB Waiver of Authorization 3)Limited Data Set 4)De-Identified Data

8 University of Pennsylvania The authorization must cover: Health information collected as part of the study Who may use or disclose the information Who may receive the information Purpose of the use or disclosure Duration of authorization (i.e. note expiration date or the fact that authorization does not expire) Right to revoke authorization Reference to the Notice of Privacy Practices Information disclosed outside the covered entity may not be protected by HIPAA Template can be downloaded from: HIPAA Authorization

9 University of Pennsylvania Authorization approaches:  Stand-alone authorization form  Authorization incorporated into study informed consent form Preferred approach: stand-alone form  Current standard language not at 6 - 8th grade level  Regulations may change, with resultant change to standard language (i.e. form can be changed without requiring IRB re-approval of ICF)  IRBs are not required to approve authorization language Stand-alone Template can be downloaded from: HIPAA Authorization

10 University of Pennsylvania  Individual Authorization is a one-time individual permission to use or disclose PHI for non-transaction and payment activities (includes research).  The Authorization language requirements are very detailed and must be protocol specific.  No accounting requirement for disclosures obtained with an authorization. HIPAA Authorization

11 University of Pennsylvania Uses and Disclosures of PHI in Research There are FOUR ways to use PHI in Research: 1)Authorization 2)IRB Waiver of Authorization 3)Limited Data Set 4)De-Identified Data

12 University of Pennsylvania IRB Waiver of Authorization IRB must document review of the following waiver criteria: –Use or disclosure involves no more than minimal risk to the individuals; –The research could not be practicably conducted without the waiver, and; –The research could not be practicably conducted without access to the PHI.

13 University of Pennsylvania IRB Waiver of Authorization Accounting Requirements: Disclosures made via a waiver must be subject to an accounting process Patients have the right to receive an account of disclosures made of their protected health information (PHI) PI’s or research staff must record all applicable disclosures of PHI as required

14 University of Pennsylvania Accounting for Disclosures Date or range of dates of disclosure Name of entity to whom the information was disclosed The address of entity to whom PHI was disclosed Description of the PHI disclosed Statement explaining the purpose of the disclosure or a copy of the written request for disclosure if available

15 University of Pennsylvania IRB Waiver of Authorization When Do You Need a Waiver? Epidemiological Research where it is impractical to get authorization Research Chart Reviews (note Protocol Preparation Exception) Recruitment only if the subject’s contact information is being disclosed outside of SOM/UPHS. But note the following: –Any subject recruitment within the SOM/UPHS should follow the HIPAA policy guidelines –Also, “outside” SOM/UPHS includes the VA, CHOP, and other Schools of the University (except Nursing researchers) –If the PI has a dual appointment and one appointment is in the SOM that individual is “inside” the covered entity.

16 University of Pennsylvania IRB Waiver of Authorization When Don’t You Need a Waiver? Protocol Preparation (refer to HIPAA exceptions slide) Recruitment “inside” the SOM/UPHS covered entity Research Using an Authorization - but note: –A waiver may be required in addition to the authorization if PHI collected prior to authorization is disclosed outside of UPHS/SOM. Research Using De-identified Data

17 University of Pennsylvania IRB Waiver of Authorization How do you apply for a Waiver? Complete the Request for Waiver of IRB Authorization Form: Submit a complete protocol & grant application if the waiver is to be part of a funded proposal.

18 University of Pennsylvania Uses and Disclosures of PHI in Research There are FOUR ways to use PHI in Research: 1)Authorization 2)IRB Waiver of Authorization 3)Limited Data Set 4)De-Identified Data

19 University of Pennsylvania The limited data set is PHI without facial or direct identifiers Only applies to research, public health and health care operations Research conducted as part of an IRB approved protocol Information may be used or disclosed without individual authorization “Data Use Agreement” required for disclosure Limited Data Set

20 University of Pennsylvania Facial identifiers name street address telephone and fax numbers address social security number certificate/license numbers vehicle identifiers and serial numbers URLs and IP addresses full face photos and any other comparable images medical record numbers (prescription numbers), health plan beneficiary numbers, and other account numbers device identifiers and serial numbers biometric identifiers, including finger and voice prints Limited Data Set

21 University of Pennsylvania When do I need a Data Use Agreement? When the following conditions are met: Disclosure of data in a "limited data set" Disclosure is for research purposes Individual authorization is not obtained As part of an IRB-approved protocol Who signs off on the Data Use Agreement? The UPenn Office of Research Services handles this agreement on behalf of the Trustees of the University of Pennsylvania.

22 University of Pennsylvania Uses and Disclosures of PHI in Research There are FOUR ways to use PHI in Research: 1)Authorization 2)IRB Waiver of Authorization 3)Limited Data Set 4)De-Identified Data

23 University of Pennsylvania De-Identified Data UPHS/SOM may use or disclose de-identified data for research purposes provided its done as part of an IRB approved protocol De-identified data is not covered by HIPAA and may be disclosed for research purposes A code may be applied to the data that would allow re-identification of data but only within the covered entity

24 University of Pennsylvania Individually identifiable health information from which identifiers are removed for the individual, relatives, employers, or household members: De-Identified Data 1.Names 2.Street address, city county, precinct, zip code & equivalent geocodes 3.All elements of dates (except year) for dates directly related to an individual and all ages over 89 4.Telephone numbers 5.Fax numbers 6.Electronic mail addresses 7.Social security numbers 8.Medical record numbers 9.Health plan ID numbers 10.Account numbers 11.Certificate/license numbers 12.Vehicle identifiers and serial numbers, including license plate numbers 13.Device identifiers/serial numbers 14.Web addresses (URLs) 15.Internet IP addresses 16.Biometric identifiers, incl. finger and voice prints 17.Full face photographic images and any comparable images 18.Any other unique identifying number, characteristic, or code

25 University of Pennsylvania Use of PHI for Case Finding / Research Preparation Use of Decedent Information in Research Must ensure the following That the use or disclosure is sought solely to prepare a research protocol Documentation of the death of the individual The PHI will not be removed from the covered entity The PHI used or accessed is necessary for the research purposes HIPAA Exceptions

26 University of Pennsylvania Special Rules Research commenced prior to 2003Research commenced prior to 2003 –Obtain at time of annual continuing IRB review Research using databases, repositories and banksResearch using databases, repositories and banks –to include initial info into database authorization is required –To utilize this data for research purposes the PI must obtain a waiver of authorization from the IRB –PI may review the info in the database without approval if it is preparatory for research

27 University of Pennsylvania Special Rule - Subject Recruitment Required contact methods (in order of preference): –By a physician or other Health Care Professional who has taken care of a patient –By the UPENN School of Medicine using a cover letter signed by a Physician who has taken care of the patient, and using text approved by the UPENN IRB –By the researcher using a script or cover letter using text approved by the UPENN IRB Direct recruitment by a researcher who has not taken care of the patient will require UPENN IRB approval and will only be permitted when both of the other two alternatives are impractical


Download ppt "HIPAA Requirements for Patient Oriented Research."

Similar presentations


Ads by Google