Revised February 4, 2004. Health Insurance Portability and Accountability Act (HIPAA). HIPAA Privacy Rule: UCSF Education Module for Researchers, Research.

1 Revised February 4, 2004. Health Insurance Portability and Accountability Act (HIPAA). HIPAA Privacy Rule: UCSF Education Module for Researchers, Research Administrators, Coordinators, Staff and IRB Members

2 In the Beginning: The emphasis was on the “portability” of insurance and medical records. The issue was how to keep electronic medical records private. Little thought was given to the implications of HIPAA for research. Institutions with electronic records or electronic transmission of medical information would be charged with the responsibility of protecting the privacy and security of these records.

3 What Is the Basic Privacy Rule? HIPAA-covered entities are required to protect the privacy and security of an individual’s Protected Health Information (PHI). PHI may be used and disclosed for Treatment, Payment, Operations (TPO) and certain other uses and disclosures without authorization from the patient. Any other use or disclosure of PHI must be authorized by the patient or conform to an exception permitted by HIPAA. PHI used in research must be obtained from the Covered Entity in compliance with HIPAA.

4 What is a Covered Entity at UC? Covered Entities (CEs) are health care providers, health plans, and health information clearinghouses. The UC Covered Entity includes UC’s institutions and workforce members at the five academic health centers at UCD, UCI, UCLA, UCSD and UCSF. NOTE: The definition of the “Covered Entity” is different for each institution, including the SFVAMC, SFGH, Kaiser, CPMC, St. Luke’s, the Haight-Ashbury Free Clinic, and so on.

5 What is PHI?
- Individually identifiable information
- Past, present, or future:
  - Health status
  - Treatment
  - Payment for health care
- Created, used, or disclosed by a covered entity (CE)
- In any form
- Includes any one of the 18 identifiers as defined by HIPAA

6 Protected Health Information (PHI): 18 Identifiers defined by HIPAA
- Name
- Postal address
- All elements of dates except year
- Telephone number
- Fax number
- Email address
- URL address
- IP address
- Social security number
- Account numbers
- License numbers
- Medical record number
- Health plan beneficiary #
- Device identifiers and their serial numbers
- Vehicle identifiers and serial number
- Biometric identifiers (finger and voice prints)
- Full face photos and other comparable images
- Any other unique identifying number, code, or characteristic.

7 How does HIPAA Privacy Rule affect University Researchers? Researchers will likely want to access PHI held by the CE in order to conduct research. The Privacy Board must approve use of PHI for research. At UCSF the Privacy Board for research is the IRB, that is, the CHR. The Privacy rule applies to all active studies as of April 14, 2003.

8 Does all human subjects research use PHI? Not at all! Some examples:
- Some non-treatment studies (i.e., testing done with no identifiers; use of aggregate data; diagnostic or genetic tests that do not go into the medical records; blood draws for protein binding studies)
- Some interview studies and focus group studies
- Some questionnaire studies
- Studies that recruit subjects through ads and flyers where no PHI was accessed and none is created during research

9 Covered Entity (CE): UCSF Medical Center, Hospitals and Clinics.
- If information from the study is added to the CE, i.e., information is added to Medical Records or used to make health care decisions
- If information is obtained for the study from the CE, i.e., medical records review for recruitment, data analysis
Do HIPAA regulations apply?

10 What are the practical implications of HIPAA for Human Research at UCSF?
- New and different vocabulary
- Stricter control of access to Medical Records (HIMS and Faculty Practices)
- Stricter limitations to identifying subjects for recruitment
- Additional documentation for PI, IRB, and CE.
Important Note: Most research being done can continue, but with additional documentation!

11 What are the patients’ rights under HIPAA?
- To restrict the use and disclosure of their PHI
- To access and receive a copy of their PHI used for research purposes (unless it will cause psychological harm)
- To receive an accounting of disclosures of their PHI by the CE
- To request amendments to their PHI in their medical records
- To file complaints with the University or OCR that may result in civil and criminal penalties for individuals as well as the covered entities

12 What is the Covered Entity’s Responsibility? The covered entity (CE) is responsible for protecting PHI and for ensuring that PHI:
- Is only used or released for TPO or as otherwise permitted or required by law;
- Is not released without the patient’s authorization; or
- Is released only under an IRB approved waiver of consent/authorization
- Meets “minimum necessary” standard.

13 How can an investigator access PHI for research? Through a HIPAA Authorization signed by the subject (or legal representative) -OR- through a Waiver of Authorization requested by the PI and approved by the IRB. Note: UCSF policies require IRB approval for access to PHI for human subjects research.

14 Individual Subject’s Authorization for Research Access to PHI: Authorization must be a separate document used along with the Consent Form for biomedical and treatment studies. For some behavioral studies, Authorization may be combined with the Consent Form, but requires two separate signature lines: one for consent, and one for authorization.

15 What does a HIPAA authorization look like? The standard UC HIPAA authorization is a two-page document available on the HIPAA Forms section of the CHR website. The standard SFVAMC form is also available on that site. Other Covered Entities may require their own versions of the HIPAA authorizations. Note: Some sponsors also have their own versions of the forms, but with rare exception UCSF researchers must use the UC version.

16 What Elements Are Required in the HIPAA Authorization?
- Description of PHI to be disclosed
- Name or class of recipients of information and of those authorized to disclose PHI
- Description of research purpose
- Expiration date, though at UC this is stated as “when study is completed.”
- Right to cancel authorization
- Advise subject that HIPAA protections may not apply to redisclosed information although other protections apply
- Consequences of a refusal to sign an authorization
- Signature of subject and date

17 Which Research Does Not Require a Subject’s Authorization?
1. Research granted a Waiver of Consent/Authorization by the CHR
2. Research using De-Identified Data
3. Research using a Limited Data Set
4. Research not using PHI

18 #1: Waiver of Authorization. PI and IRB must certify that research:
1. Could not practicably be conducted without waiver
2. Could not practicably be conducted without PHI
3. Poses minimal risk to privacy based on written assurance that the PHI will not be reused or disclosed and that there is an adequate plan to protect identifiers.
To accomplish this, PI fills out Waiver of Consent/Authorization Form available on CHR website and submits with application. Research released by a waiver must be tracked for disclosure to the subject.

19 #2: De-Identified Data Sets. There are two HIPAA-approved methods of de-identifying datasets:
- All 18 identifiers of PHI must be removed, or
- A qualified statistician documents the methods and analysis used to determine that
  - data is de-identified or
  - risk is very small that information can be used to identify an individual
IRB approval of protocol is still required. PI should apply for Exempt Certification from IRB.

20 #3: Limited Data Set
- May include only the following PHI:
  - Date(s) of service (admission, discharge)
  - Dates of birth and death
  - 5 digit zip codes and other geographic subdivisions other than street address
- May include non-PHI information (i.e., diagnosis)
- Does not require a subject’s authorization
- Does require IRB approval which includes a Waiver of Consent/Authorization
NOTE: IRB applications must include a request for a waiver of consent/authorization.

21 Covered Entity (CE): UCSF Medical Center, Hospitals and Clinics.
- If information from the study is NOT added to the CE
- If information obtained for the study does NOT come from the CE, i.e., NO medical records review for recruitment or data analysis
== #4: Research Not Using PHI

22 How does a researcher gain access to PHI in Medical Records at UCSF? Copy of CHR approval letter with:
- statement of Waiver of Authorization of individual consent
--or--
- statement that Individual Subject Authorization will be obtained

23 What types of CHR approvals are needed for these types of studies?
- PHI: Full Committee or Expedited
- De-identified PHI (no PHI used): CHR Exempt Certification
- Limited Data Sets (limited PHI allowed): Expedited with Waiver of Authorization
NOTE: Medical Records will require CHR approval to release PHI for research.

24 What information is now required by the CHR to address HIPAA?
- PIs should complete and submit the HIPAA Supplement with all full committee and expedited applications, even if no PHI is being used;
- Waiver of consent/authorization form if applicable (usually for recruitment purposes)
- The pilot application (required as of January 2004) embeds HIPAA information within it.
- Exempt applications do not require any additional information about HIPAA.

25 What are the 8 Most Common and Acceptable Recruitment Methods?
- PIs recruit their own patients directly
- PIs provide PCPs a “Dear Patient” letter that instructs any interested patients how to contact PI about enrollment
- PIs ask PCPs for referrals and may contact patients if there is documented patient permission to do so
- PIs use CHR-approved ads, notices, and/or media

26 Recruitment Methods (continued)
- Faculty Practices/Clinics develop a CHR-approved recruitment protocol so subjects agree ahead of time to be contacted for research
- PIs request a Waiver of Consent/Authorization for recruitment purposes as an exception to the regularly approved methods.
- PIs enter data about study into the UCSF Seeking Clinical Trials Volunteer Website or another similarly managed website
- PIs do not access PHI for recruitment purposes.

27 Conclusion: The HIPAA Privacy Rule
- Greater emphasis on privacy and confidentiality of medical records in both health care and research.
- Researchers’ responsibilities are more clearly defined.
- Subjects have more clearly defined legal rights to protect their privacy.

28 UCSF HIPAA Websites
- UCSF: http://www.ucsf.edu/hipaa
  - HIPAA Handbook (pdf)
  - HIPAA Training Modules
  - Privacy Officer
- CHR: http://www.research.ucsf.edu/chr/index.asp
  - Application and Consent templates/Guidelines
  - Research Training, FAQ, information
- UCSF Medical Center IT: http://it.ucsfmedicalcenter.org/
- UCSF Information Security: http://isecurity.ucsf.edu

