Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Paradox in HIPAA Deven McGraw, JD, MPH, LLM Partner Manatt, Phelps & Phillips, LLP December 8, 2014.

Published byFrank Rose Modified over 8 years ago

Similar presentations

Presentation on theme: "The Paradox in HIPAA Deven McGraw, JD, MPH, LLM Partner Manatt, Phelps & Phillips, LLP December 8, 2014."— Presentation transcript:

1 The Paradox in HIPAA Deven McGraw, JD, MPH, LLM Partner Manatt, Phelps & Phillips, LLP December 8, 2014

2 1 Research vs. Operations  HIPAA –Health care operations includes “conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.” (emphasis added) Also includes “population-based activities relating to improving health or reducing health care costs, and protocol development. –Research is a “systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”  Common Rule has the same definition for research. Addressing Privacy | Manatt, Phelps & Phillips, LLP

3 2 Paradox  Two studies using data for quality improvement purposes: both use the same data points, are done to address the same question or sets of questions, and are done by the same institution. They will be: –Treated as operations if the results are only intended to be used internally –Treated as research if a primary purpose is to share the results with others so that “learning” may occur. –OCR Guidance on “primary purpose” allows for a later change in plans – but initially you have to intend to be doing only operations  How does this advance both the learning healthcare system and protections for data? Addressing Privacy | Manatt, Phelps & Phillips, LLP

4 3 Health IT Policy Committee (HITECH) Comments to Common Rule ANPRM  Use of clinical data to evaluate safety, quality and efficacy should be treated like operations, even if the intent is to share results for generalizable knowledge, as long as provider entity maintains oversight and control over data use decisions.  Entities should follow the full complement of fair information practices in using PHI for these purposes.  Recommendations provided some examples of activities with clinical data that should be treated as operations – but also acknowledged further work was needed to determine a new line for when analytics with EHR data should be treated under more robust rules. Recommendation letter of 10/18/11 - http://www.healthit.gov/policy-researchers- implementers/health-it-policy-committee-recommendations-national-coordinator-heal Addressing Privacy | Manatt, Phelps & Phillips, LLP

5 4 Fixing the Paradox?  Modify HIPAA regulations for data re-use so that regulations more directly address privacy and confidentiality risks. –Potentially could also do through waiver guidance.  Impose greater regulation of re-uses of data that present greater risk to privacy, confidentiality and security. What factors trigger greater risk? –Where is the data analyzed? (Internal vs. external; physical location vs. control) –Sensitivity of the data (type of data, vulnerable populations) –Failure to establish and adhere to FIPPs-based policies  Transparency  Data minimization (“minimum necessary”), collection & use limitations  Security Safeguards  Accountability and oversight Addressing Privacy | Manatt, Phelps & Phillips, LLP

6 5 Fixing the Paradox  Guidance with respect to the distinction between operations and research – and/or when waivers can be granted  Experiment (federal HIPAA waivers?) to experiment with different models for protecting privacy in research.  Rely less on consent and instead pursue other models of patient engagement (e.g., input into research; greater transparency re: research uses of data; requirements to share results with patients).  Mechanisms of accountability/oversight (Canadian model (PHIPA), voluntary research network governance models, accreditation)  Incentives to pursue privacy-enhancing data sharing architectures.  Study their efficacy in building and maintaining public trust in research. Addressing Privacy | Manatt, Phelps & Phillips, LLP

7 6 Bloomberg BNA Webinar | Manatt, Phelps & Phillips, LLP Questions? Deven McGraw Partner Manatt, Phelps & Phillips LLP dmcgraw@manatt.com

Download ppt "The Paradox in HIPAA Deven McGraw, JD, MPH, LLM Partner Manatt, Phelps & Phillips, LLP December 8, 2014."

Similar presentations

The Role of the IRB An Institutional Review Board (IRB) is a review committee established to help protect the rights and welfare of human research subjects.

The Role of the IRB An Institutional Review Board (IRB) is a review committee established to help protect the rights and welfare of human research subjects.
Evaluation and Human Subjects Research Julie M. Aultman, Ph.D. Chair, Institutional Review Board Associate Professor, Family and Community Medicine Northeast.

Evaluation and Human Subjects Research Julie M. Aultman, Ph.D. Chair, Institutional Review Board Associate Professor, Family and Community Medicine Northeast.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
NATIONAL FORUM ON YOUTH VIOLENCE PREVENTION: HIPAA PRIVACY RULE CONSIDERATIONS November 1, 2011 Iliana L. Peters, JD, LLM HHS Office for Civil Rights.

NATIONAL FORUM ON YOUTH VIOLENCE PREVENTION: HIPAA PRIVACY RULE CONSIDERATIONS November 1, 2011 Iliana L. Peters, JD, LLM HHS Office for Civil Rights.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.

National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.
1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.

1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.
NCVHS: Privacy and Confidentiality Leslie P. Francis, Ph.D., J.D. Distinguished Professor of Law and Philosophy Alfred C. Emery Professor of Law University.

NCVHS: Privacy and Confidentiality Leslie P. Francis, Ph.D., J.D. Distinguished Professor of Law and Philosophy Alfred C. Emery Professor of Law University.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair.

Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair.
Ethical Considerations when Developing Human Research Protocols A discipline “born in scandal and reared in protectionism” Carol Levine, 1988.

Ethical Considerations when Developing Human Research Protocols A discipline “born in scandal and reared in protectionism” Carol Levine, 1988.
CUMC IRB Investigator Meeting November 9, 2004 Research Use of Stored Data and Tissues.

CUMC IRB Investigator Meeting November 9, 2004 Research Use of Stored Data and Tissues.
Privacy and Security Workgroup: Big Data Public Hearing December 8, 2014 Deven McGraw, chair Stan Crosley, co-chair.

Privacy and Security Workgroup: Big Data Public Hearing December 8, 2014 Deven McGraw, chair Stan Crosley, co-chair.
Informed Consent and HIPAA Tim Noe Coordinating Center.

Informed Consent and HIPAA Tim Noe Coordinating Center.
The Role of IRBs in Ensuring Ethical Conduct of QI Activities Mary Ann Baily, PhD Columbia IRB Conference April 1, 2011.

The Role of IRBs in Ensuring Ethical Conduct of QI Activities Mary Ann Baily, PhD Columbia IRB Conference April 1, 2011.
Human Investigation Committee 2013.  Is it research?  If yes, does it involve human subjects?  If yes, can it be exempt?  If no, will a Request for.

Human Investigation Committee  Is it research?  If yes, does it involve human subjects?  If yes, can it be exempt?  If no, will a Request for.
ONC HIT Policy Committee Interoperability and HIE Workgroup Panel 3: State/Federal Perspectives August 22, 2014 Jennifer Fritz, MPH Deputy Director Office.

ONC HIT Policy Committee Interoperability and HIE Workgroup Panel 3: State/Federal Perspectives August 22, 2014 Jennifer Fritz, MPH Deputy Director Office.
The IRB's Position on Quality Projects vs. Research R. Peter Iafrate, Pharm.D. Chairman, Health Center IRB University of Florida.

The IRB's Position on Quality Projects vs. Research R. Peter Iafrate, Pharm.D. Chairman, Health Center IRB University of Florida.
Banks and the Privacy of Medical Information 8 th National HIPAA Summit March 8, 2004 Joy Pritts, JD Health Policy Institute Georgetown University 202-687-0880.

Banks and the Privacy of Medical Information 8 th National HIPAA Summit March 8, 2004 Joy Pritts, JD Health Policy Institute Georgetown University
Navigating Privacy and Security Issues for HIE: A Consumer Perspective Deven McGraw Chief Operating Officer National Partnership for Women & Families www.nationalpartnership.org.

Navigating Privacy and Security Issues for HIE: A Consumer Perspective Deven McGraw Chief Operating Officer National Partnership for Women & Families

Similar presentations

Ads by Google