Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair
Research and the Privacy Rule Before the HIPAA Privacy Rule, data privacy protections were not anywhere near as stringent as they are now. Many times a data research project was exempt from IRB review. A key change the Privacy Rule imposed is more control by the individual of how their Protected Health Information (PHI) (identifiable health information maintained by a covered entity) is used. If PHI is used for treatment, payment or healthcare operations, the Privacy Rule does not require consent or authorization from the individual (except with certain types of information that have other higher protections under Federal or State law). However, outside of those purposes, the default is that a covered entity must seek to get the individual’s permission to use their PHI.
An important distinction Research is not considered by the Privacy Rule to be treatment, payment or healthcare operations. Any access to PHI for a research purpose is considered a disclosure of the information, even if no identifiers are abstracted.
Research and the Privacy Rule Therefore, Protected Health Information (PHI) disclosure is permitted for research only when: Authorization from the patient is obtained, or Authorization is not required by meeting certain conditions in the Privacy rule.
Why does Intermountain require a Privacy Board approval for data research? Primary Children’s has an agreement with the University of Utah allowing the U of U IRB to review and approve clinical projects. This makes sense, because the patients treated at PCMC are both Intermountain and Department of Pediatrics patients. That has not changed. With the advent of the Privacy Rule, however, there are additional questions that must be answered to Intermountain’s satisfaction in order to be sure they are in compliance with the Privacy Rule.
Why does Intermountain require a Privacy Board review? The University uses their own IRB to ask the required Privacy Rule questions regarding the disclosure of University Health Services data. However, Intermountain does not recognize any external entity’s authority to make a ruling on the adequacy of protections of Intermountain data.
Why doesn’t Intermountain use the U of U IRB to approve data projects? Intermountain has a strong history of stewardship of its data, going back before the Privacy Rule. As a consequence, Intermountain has its own mission criteria that must be met prior to the approval of data projects. Intermountain data include far more data than just PCMC’s. Agreements required by the Privacy Rule must be signed by Intermountain officers.
Research approval process up until October The researchers who needed access to Intermountain data were required to apply in the Intermountain RMS system. Researchers affiliated with the Department of Pediatrics were also required to submit applications in ERICA for approval by the University of Utah’s IRB.
Now A research application in ERICA from the Department of Pediatrics researcher will be reviewed by the Privacy Board at Intermountain without additional requirements to enter the project in Intermountain’s RMS system.
Important things you need to know …when and why to apply for waivers, and what we will look for
Would a clinical researcher ever still need a waiver of authorization? Yes, for recruitment. If a clinical researcher wants to use electronic data or chart review to identify, screen and contact research subjects, the researcher needs a limited waiver of authorization in order to obtain the subject’s contact information.
When would a full authorization waiver be needed? Health operations research or retrospective data research often requires access to data from large numbers of subjects. It is often impractical or extremely costly to consider obtaining the authorization from hundreds if not thousands of subjects.
Applying for Waivers A reason must be clearly stated why obtaining an authorization from the subject will not be possible, or is at least impractical. Even though a waiver of CONSENT may be granted because the research is using existing data or records, or because a subject’s treatment will not be changed as the result of the research, these are not valid reasons to obtain a waiver of AUTHORIZATION.
Criteria for Waivers of Authorization, continued: The risks must be low to the privacy of the subjects, because: The researcher presents a reasonable plan on how the subject’s identifiers will be protected, including enough information on how interim databases will be secured, for example; States that the identifiable information will be destroyed as soon as the research allows it, and That the identifiers will not be reused or redisclosed unless the law requires it, for research oversight, or for other approved research.
Criteria for Waivers of Authorization, continued: The researcher must state: That a waiver is necessary for the research; What identifiers are necessary for the research, and That it is critical for the research to get access to and use the PHI and that a de-identified or limited data set will not work for the project.
How waivers are approved Most waivers are approved through an expedited process by the chair of the privacy board. The full privacy board meets when risks to patient privacy appear greater than usual. Approval by the privacy board is required before data is disclosed to the researcher. The privacy board may grant conditional approvals pending more information or that certain agreements be implemented. The results of the privacy board reviews will be reported back to the U of U IRB.
Other Privacy Rule impacts Subjects have a right to find out about research using their PHI. A patient may ask for an accounting of disclosures of their PHI. Research that is done with a waiver is considered a “disclosure”. Research done with an authorization, using de-identified data, or using a limited data set (which is de-identified except for dates or zip codes) does not need to be included in an accounting of disclosures.
Accounting of Disclosures If the researcher plans on having fewer than 50 subjects and has a waiver of authorization, then each time a subject’s record is accessed, an Intermountain Accounting of Disclosures manual accounting form should be completed. These are available from Intermountain Healthcare’s Office of Research. Completed forms should be sent to the Intermountain Privacy Office.
Accounting of Disclosures For studies involving 50 or more subjects, once the waiver has been approved, the project’s information can be obtained for the accounting of disclosures from the RMS or ERICA systems without any additional action on the part of the researcher.
Accounting of Disclosures in Intermountain, Continued The Intermountain Privacy Office, which handles patient requests for accounting of disclosures, will provide the requesting subject with a list of research projects which may have used their information. If a subject seeks to know if their information was used in a project, the researcher may be contacted by the subject.
References 45 CFR (i) (Privacy Rule) 45 CFR (Common Rule) “Institutional Review Boards and the HIPAA Privacy Rule” available at (valid research authorizations)
Who should you call? PCMC (801) The Intermountain Healthcare Office of Research at