Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 HIPAA: A YEAR LATER, APPLICATION STRATEGIES FOR SUCCESSFUL CLINICAL TRIALS SAM Sather Vice-president C LINICAL P ATHWAYS, LLC 09-MARCH-2004 Session 5.07.

Published byEvan Terry Modified over 8 years ago

Similar presentations

Presentation on theme: "1 HIPAA: A YEAR LATER, APPLICATION STRATEGIES FOR SUCCESSFUL CLINICAL TRIALS SAM Sather Vice-president C LINICAL P ATHWAYS, LLC 09-MARCH-2004 Session 5.07."— Presentation transcript:

1 1 HIPAA: A YEAR LATER, APPLICATION STRATEGIES FOR SUCCESSFUL CLINICAL TRIALS SAM Sather Vice-president C LINICAL P ATHWAYS, LLC 09-MARCH-2004 Session 5.07

2 2 3 Objectives of Session 5.07 The participants will: 1.Apply the HIPAA Privacy & Security terminology to running a clinical trial: Identify when authorization or waiver of authorization is acceptable,Identify when authorization or waiver of authorization is acceptable, Define recruitment activities where authorization or waiver of authorization is not required.Define recruitment activities where authorization or waiver of authorization is not required.

3 3 Objectives of Session 5.07 (cont.) The participants will: 2. Apply the HIPAA Privacy & Security Regulations to the responsibilities of the study team: Research Site, Sponsor, IRB, VendorsResearch Site, Sponsor, IRB, Vendors

4 4 Final Objective of Session 5.07 The participants will: 3. Identify successful study management strategies post HIPAA. *Refer to Handout: HIPAA TERMINOLOGY RELATED TO CLINICAL RESEARCH

5 5 Security & Privacy Rule Distinctions: They are inextricably linked. They are inextricably linked. The protection of the privacy of information depends on the security measures to protect the information. The protection of the privacy of information depends on the security measures to protect the information. Difference = is the scope of the Security Rule only applies to information in electronic form. The Privacy Rule looks at information in any form. Difference = is the scope of the Security Rule only applies to information in electronic form. The Privacy Rule looks at information in any form. 21 CFR part 11 preparedness for sponsors, sites & vendors. 21 CFR part 11 preparedness for sponsors, sites & vendors.

6 6 Security Rule: Designed to be Scalable & Flexible enough to meet different CE circumstances Designed to be Scalable & Flexible enough to meet different CE circumstances Standards: Standards: Written to be as generic as possible to allow for various approaches or technologies. Written to be as generic as possible to allow for various approaches or technologies. Internal & External networks to be dealt with the same Internal & External networks to be dealt with the same Security Incident Security Incident Implementation Specifications: Implementation Specifications: Provide Instruction on implementation of security standards Provide Instruction on implementation of security standards Required or Addressable (flexible) Required or Addressable (flexible) Risk analysis to determine need for addressable specifications Risk analysis to determine need for addressable specifications Smaller CEs compared to larger CEs Smaller CEs compared to larger CEs

7 7 First You Must Have a Clear Answer to the Question (s): Am I a Covered Entity (CE) Am I a Covered Entity (CE)and/or Am I working with or for a Covered Entity (CE)? Am I working with or for a Covered Entity (CE)?

8 8 Covered Entity (CE) A person, group or organization that must comply with HIPAA A person, group or organization that must comply with HIPAA Covered functions: Covered functions: Treatment, Payment & Operations (TPO). Treatment, Payment & Operations (TPO). NOT Research itself. But if the research involves treatment by a CE or storage of records with identifiable PHI by the CE then the Use & Disclosure of that PHI is covered under HIPAA.

9 9 Covered Entities Qualifications of a CE: Qualifications of a CE: Transmit health information in electronic transactions. Electronically transmit at least one of the following: Transmit health information in electronic transactions. Electronically transmit at least one of the following: Health care claims or equivalent encounter information Health care claims or equivalent encounter information Health care payment & remittance advice Health care payment & remittance advice Coordination of Benefits Coordination of Benefits Health care claim status Health care claim status Referral certificate & Authorization Referral certificate & Authorization First Report of Injury First Report of Injury Health claims attachments Health claims attachments

10 10 Covered Entities Types: Types: Health care providers Health care providers Research Research Health Plans Health Plans Health care clearinghouses Health care clearinghouses Hybrid Entities Hybrid Entities A company or person with one or more components that fit into one of the categories of a covered entity. They will have some functions covered and some not. A company or person with one or more components that fit into one of the categories of a covered entity. They will have some functions covered and some not.

11 11 Consider When Answering the Question (s): Do I have Clear definitions Of your Entity Independent Research Site Blood & Tissue Repositories Hybrid Entities Of your Associates Research Sponsors Consultants Vendors Sales Reps

12 12 Covered Entity Decision Tool: Refer to table 1-2 Refer to table 1-2

13 13 Am I A Covered Health Care Provider?: A. Does the entity furnish, bill, or Receive Payment for, healthcare in the normal course of business? NO YES STOP The entity is NOT a covered healthcare provider STOP The entity IS a covered healthcare provider B. Does the entity conduct covered transactions? YES C. Are any of the covered Transactions Transmitted in any electronic form?

14 14 TABLE 1-3A: Scenario An incorporated internal medicine practice has a second business, a clinical research site. The practice has two satellite offices where patients are seen for both office and study visits. Patients are referred to the research site from the medical practice & from outside advertising. An incorporated internal medicine practice has a second business, a clinical research site. The practice has two satellite offices where patients are seen for both office and study visits. Patients are referred to the research site from the medical practice & from outside advertising. What is the covered entity(s) in this situation? What is the covered entity(s) in this situation?

15 15 TABLE 1-3B: Scenario An independent research facility contracts physicians to serve as investigators to various sponsors’ clinical trial protocols. An independent research facility contracts physicians to serve as investigators to various sponsors’ clinical trial protocols. What is the covered entity(s) in this situation? What is the covered entity(s) in this situation?

16 16 TABLE 1-3C: Scenario A pharmacy within an academic medical center serves most clinical departments within the institution, including the outpatient clinics and clinical research department. A pharmacy within an academic medical center serves most clinical departments within the institution, including the outpatient clinics and clinical research department. What is the covered entity(s) in this situation? What is the covered entity(s) in this situation?

17 17 TABLE 1-3D: Scenario A central lab is contracted to be a vendor for a drug sponsors clinical trial. The central lab also serves as a local lab for many physicians’ offices. A central lab is contracted to be a vendor for a drug sponsors clinical trial. The central lab also serves as a local lab for many physicians’ offices. What is the covered entity(s) in this situation? What is the covered entity(s) in this situation?

18 18 HOW PHI CAN BE USED FOR CLINICAL RESEARCH CEs PERMITED TO USE OR DISCLOSE PHI FOR RESEARCH: 45 CFR 164.512 CEs PERMITED TO USE OR DISCLOSE PHI FOR RESEARCH: 45 CFR 164.512 With Individual Authorization, or With Individual Authorization, or Of Decedents’ information: Not covered by The Privacy Rule (refer to handout), or Of Decedents’ information: Not covered by The Privacy Rule (refer to handout), or Without Individual Authorization Under Limited Circumstances: Without Individual Authorization Under Limited Circumstances: With an approved Waiver of Authorization, Review Preparatory to Research, or Under a Limited Data Set Agreement. With an approved Waiver of Authorization, Review Preparatory to Research, or Under a Limited Data Set Agreement. Minimum Necessary Standard Minimum Necessary Standard

19 19 INDIVIDUAL AUTHORIZATION TO USE OR DISCLOSURE PHI: 9 mandatory elements: See table 1-4 9 mandatory elements: See table 1-4 May be a separate document or combined with the ICF. May be a separate document or combined with the ICF. Must be specific to the disclosure. Not a blanket authorization. Must be specific to the disclosure. Not a blanket authorization. Must announce & offer review of the CE Notice of Privacy Practices document. Must announce & offer review of the CE Notice of Privacy Practices document. No Mandatory review required by IRB or Privacy Board under HIPAA. No Mandatory review required by IRB or Privacy Board under HIPAA.

20 20 TABLE 1-5A Scenario INDIVIDUAL AUTHORIZATION TO USE OR DISCLOSURE PHI: During a pre-study visit, a sponsor discusses the informed consent process and states that the authorization for disclosure of PHI is included in the ICF. During a pre-study visit, a sponsor discusses the informed consent process and states that the authorization for disclosure of PHI is included in the ICF. As a research site, what should be considered? As a research site, what should be considered?

21 21Authorizations Combined or Not to combine? Combined or Not to combine? When combined does not work When combined does not work Who Decides? Who Decides? Flexibility Flexibility Who determines language? Who determines language? Does it contain the required components? Does it contain the required components? Does the subject understand? Does the subject understand? Where to find examples of combined examples? Where to find examples of combined examples? NETWORK NETWORK WEBSITES WEBSITES

22 22 WAIVER OF AUTHORIZATION: Requested for access to PHI from an IRB or Privacy Board. Requested for access to PHI from an IRB or Privacy Board. Must prove no more than minimal risk of the disclosure without authorization or obtaining authorization would be impracticable. Must prove no more than minimal risk of the disclosure without authorization or obtaining authorization would be impracticable. Partial waivers may be practical where authorization for use or disclosure of all PHI is thought to be not necessary deemed by the privacy board or IRB. Partial waivers may be practical where authorization for use or disclosure of all PHI is thought to be not necessary deemed by the privacy board or IRB. Alterations in authorizations may be approved or requested by the privacy board or IRB for removal of certain PHI from disclosed or used information. Alterations in authorizations may be approved or requested by the privacy board or IRB for removal of certain PHI from disclosed or used information.

23 23 Required Documentation of the Waiver or Alteration: Must include a statement identifying the IRB or Privacy Board that made the approval. Must include a statement identifying the IRB or Privacy Board that made the approval. The date of the approval. The date of the approval. Statement that no more than minimal risk to the privacy of the individual was evaluated and the required elements are in place. (refer to handout) Statement that no more than minimal risk to the privacy of the individual was evaluated and the required elements are in place. (refer to handout) Statement that the research could not be practically conducted without the waiver or alteration and without access to and use of the PHI. Statement that the research could not be practically conducted without the waiver or alteration and without access to and use of the PHI.

24 24 TABLE 1-5B Scenario WAIVER OF AUTHORIZATION: During a clinical trial, a procedure is added to the protocol where the sponsor hires an additional outside vendor to analyze the results. During a clinical trial, a procedure is added to the protocol where the sponsor hires an additional outside vendor to analyze the results. Discuss this event and what the CE would have to consider relating to the HIPAA Regulations. Discuss this event and what the CE would have to consider relating to the HIPAA Regulations.

25 25 REVIEW PREPARATORY TO RESEARCH: Considered part of Operations (TPO) Considered part of Operations (TPO) No Authorization needed if No PHI leaves the CE. No Authorization needed if No PHI leaves the CE. If the review is done by an outside source, no PHI in any form can be removed from the CE. (i.e. Sponsor) If the review is done by an outside source, no PHI in any form can be removed from the CE. (i.e. Sponsor) Reviewer can take notes, but no PHI in any form can be removed or used by the researcher if not an employee of the CE. (may give notes to site staff) Reviewer can take notes, but no PHI in any form can be removed or used by the researcher if not an employee of the CE. (may give notes to site staff) The CE may hire a BA to do the review. The CE may hire a BA to do the review. CE needs Assurance from outside researcher that the PHI will not be removed or used. (SOP & QA) CE needs Assurance from outside researcher that the PHI will not be removed or used. (SOP & QA)

26 26 TABLE 1-5C Scenario REVIEW PREPARATORY TO RESEARCH: A research site for a sponsor protocol has been asked by the sponsor to provide them the number of patients they have seen in the last 6 months with elevated RBCs that weigh over 200 pounds. A research site for a sponsor protocol has been asked by the sponsor to provide them the number of patients they have seen in the last 6 months with elevated RBCs that weigh over 200 pounds. Considering HIPAA Regulations what are the sites options, list at least 4 options. Considering HIPAA Regulations what are the sites options, list at least 4 options.

27 27 LIMITED DATA SET & DATA USE AGREEMENT: Signed agreement with recipient of PHI for limited use and safeguards. Signed agreement with recipient of PHI for limited use and safeguards. How will it be used and how will it be protected. How will it be used and how will it be protected. Agreements cannot include allowances for future uses or disclosures of the data set. Agreements cannot include allowances for future uses or disclosures of the data set. Only used for the purposes of Research, Public Health or Health Care Operations. Only used for the purposes of Research, Public Health or Health Care Operations. No authorization necessary. But agreement needed even with direct employees of CE.* No authorization necessary. But agreement needed even with direct employees of CE.* PHI with Limited identifiers allowed: Year, zip code, city, See Table 1-5A for restrictions. PHI with Limited identifiers allowed: Year, zip code, city, See Table 1-5A for restrictions. Requires tracking of disclosures. Requires tracking of disclosures.

28 28 LIMITED DATA SET & DATA USE AGREEMENT: May be good to use if pre-screening information needed by researchers prior to authorization = proof of fair sampling and verifying site pre- screening efforts for sponsor. May be good to use if pre-screening information needed by researchers prior to authorization = proof of fair sampling and verifying site pre- screening efforts for sponsor. A CE may hire a BA to create the Limited Data Set. A CE may hire a BA to create the Limited Data Set. Specific Provisions in the agreement: See Table 1-6B Specific Provisions in the agreement: See Table 1-6B

29 29 TABLE 1-5D Scenario LIMITED DATA SET & DATA USE AGREEMENT: You are on a committee to write the new SOP for HIPAA regulations in regard to Limited Data Set & Data Use Agreements. You are on a committee to write the new SOP for HIPAA regulations in regard to Limited Data Set & Data Use Agreements. What would your SOP include? What would your SOP include?

30 30 INVESTIGATION & ENFORCEMENT: Department of Health & Human Services Office of Civil Rights (DHHS OCR) Department of Health & Human Services Office of Civil Rights (DHHS OCR) Civil Penalties have been established for non- compliance Civil Penalties have been established for non- compliance 4/15/03 HIPPA Privacy Procedural Enforcement Rule 4/15/03 HIPPA Privacy Procedural Enforcement Rule Penalties may be waived or reduced if the compliance failure is due to reasonable cause and not willful neglect and correction within 30 days. Penalties may be waived or reduced if the compliance failure is due to reasonable cause and not willful neglect and correction within 30 days. CEs need to show good faith efforts. CEs need to show good faith efforts.

31 31 RESPONSIBILITIES OF THE STUDY TEAM Clinical Research Sites & IRBs Clinical Research Sites & IRBs Sponsors of Research & Associates Sponsors of Research & Associates

32 32 PART I: The Clinical Research Sites Assess current compliance of existing SOPs Assess current compliance of existing SOPs Plan a compliance strategy Plan a compliance strategy Identify resources to help with compliance Identify resources to help with compliance Develop training for site staff Develop training for site staff Implement required activities for compliance Implement required activities for compliance Apply GCP and GPP to study management Apply GCP and GPP to study management List methods to stay current with regulations List methods to stay current with regulations Audit site privacy and security practices Audit site privacy and security practices

33 33 PART II: Sponsors of Research & Associates Assess compliance of current or potential sites Assess compliance of current or potential sites Identify when provisions of assurance of protection of privacy of PHI is needed. Identify when provisions of assurance of protection of privacy of PHI is needed. Recognize study practices that may create conflict in site compliance Recognize study practices that may create conflict in site compliance Defend the need for previously collected data after subject revocation of authorization Defend the need for previously collected data after subject revocation of authorization

34 34 Part I Clinical Research Sites Development & Approval of Policies & Procedures to Support HIPAA: Guidelines: Guidelines: Policy Creation and Maintenance Mandatory: (164.530j) Policy Creation and Maintenance Mandatory: (164.530j) Infers knowledge of good policy & procedure development Infers knowledge of good policy & procedure development Must store 6 years from creation or last in effect Must store 6 years from creation or last in effect All documents, templates, authorizations, agreements All documents, templates, authorizations, agreements Annual Compliance Report (160.310) Annual Compliance Report (160.310) Content not specified/ Send When requested by DHHS Content not specified/ Send When requested by DHHS Disclosure Tracking Disclosure Tracking IRB relationships IRB relationships

35 35 Part I Clinical Research Sites Minimal Requirement of Policy: Approved by Senior Management Approved by Senior Management Appoint Security and/or Privacy Official Appoint Security and/or Privacy Official Required Training Required Training How Much? How Much? How Often? How Often? Certification? Certification? Covers All Requirements of Law Covers All Requirements of Law Can be more impacting Can be more impacting Cannot contradict Cannot contradict

36 36 Examples Employees will attend the companies yearly 1 st quarter Privacy and Security Rule Training within their assigned department. Employees will attend the companies yearly 1 st quarter Privacy and Security Rule Training within their assigned department. Workers will satisfactorily pass the company’s HIPAA Privacy & Security Rule Exam 30 from first day of employment and thereafter within 30 days of their annual performance review Workers will satisfactorily pass the company’s HIPAA Privacy & Security Rule Exam 30 from first day of employment and thereafter within 30 days of their annual performance review

37 37 Part I Clinical Research Sites Procedure Development: Tailored to CE Tailored to CE Procedures Cannot Procedures Cannot Excuse actions required by law or Excuse actions required by law or Permit actions against the law Permit actions against the law May be changed with modification to Privacy Practices May be changed with modification to Privacy Practices Be sure that your Privacy Practices can be changed Be sure that your Privacy Practices can be changed & this fact is noted. & this fact is noted. Separate or within SOPs? Separate or within SOPs?

38 38 Part I Clinical Research Sites Technical and Operational Considerations: Officer Appointment Officer Appointment Job Descriptions Job Descriptions Task Force Members Task Force Members Finance, Regulatory, Clinical, Management, Marketing, Technical Writers, Consultants, and... Finance, Regulatory, Clinical, Management, Marketing, Technical Writers, Consultants, and...

39 39 Part I Clinical Research Sites Documentation Compliance: Assess what you currently have and identify additions and edits: Assess what you currently have and identify additions and edits: Approaches: Approaches: Document Inventory Document Inventory Current SOPs as Tool Current SOPs as Tool

40 40 Examples Document Inventory Document Inventory TABLE 2-1 TABLE 2-1 SOP Table of Contents SOP Table of Contents Which Sections Affected by HIPAA Which Sections Affected by HIPAA Terminology Terminology Review Procedures Review Procedures Determine revision vs. creation Determine revision vs. creation TABLE 2-2 TABLE 2-2

41 41 Part I Clinical Research Sites PLAN:  Task Force  Purchase or Create (Combo)  Detailed Timeline  Meeting Minutes

42 42 Part I Clinical Research Sites IMPLEMENT: Privacy/Security Official Appointment Privacy/Security Official Appointment Writing the policy Writing the policy Examples: Waiver of Authorization Application, Tracking & Reporting Privacy Violations Examples: Waiver of Authorization Application, Tracking & Reporting Privacy Violations Review the Regulations Review the Regulations Goal Identification Goal Identification Write & Test Draft Write & Test Draft Develop Procedures from policies Develop Procedures from policies

43 43 Part I Clinical Research Sites Development of Procedures: Foundation of Training Foundation of Training Senior Management Wants to Know: Probability of Risk Threat occurring Probability of Risk Threat occurring Impact of the Threat Impact of the Threat Resources to Reduce the Risk Resources to Reduce the Risk

44 44 Part I Clinical Research Sites Monitor: Circular Process According to timelinesAccording to timelines Make ModificationsMake Modifications Track ChangesTrack Changes ImplementImplement Repeat processRepeat process

45 45 The Circle of Implementation & Monitoring Compliance: CE SOPs that include Monitoring Reporting & All Documentation Implement Design & Test Changes Feedback/ Dept Meet Continuous Periodic Triggered Reminders & Training Awareness Virus scanning Intrusion detection Alarm systems Employee testing Internal Audits External Assessment Self Assessment Loss of Password Virus detected Patient c/o Security incident Breach of Confid

46 46 Part I Clinical Research Sites Resources: Template Creation Template Creation Guidance Documents Guidance Documents Network Network Staff Training: Classroom Classroom Application: On the Job & Test Application: On the Job & Test Documentation: Training Files Documentation: Training Files Dynamic Process Dynamic Process

47 47 Good Clinical Practice & Good Privacy Practice GCP & GPP  HIPAA Regulations do Not override The Common Rule or FDA ’ s Human Subject ’ s Regulations Scenario Scenario

48 48 TABLE 2-3A Scenario You are contacted by a Sponsor requesting copies of source documents supporting CRF entries for all subjects enrolled in Protocol XXX123 for unapproved product ABC123. This protocol has been closed for 3 years at the site. The correspondence states that this was requested by the FDA in response to their NDA for product ABC123.  Research Site: What would be your response to this request? What policies at your company apply to this situation? What HIPAA Privacy Regulations are applicable here? What FDA Regulations are applicable here? Does this contradict any HIPAA Privacy Regulations?  Sponsor: How would you respond to the FDA request considering FDA & HIPAA Regulations?

49 49 GCP & GPP  HIPAA Regulations Preempts State Laws that are contrary to the Privacy Rule or offer individuals lesser protection for medical privacy or fewer right to access to health information. Scenario Scenario

50 50 TABLE 2-3B Scenario You are a CE that is conducting medical device studies. During the procedure for insertion of the device the medical liaison must be present to shadow during the procedure. You are a CE that is conducting medical device studies. During the procedure for insertion of the device the medical liaison must be present to shadow during the procedure. What regulations should be considered when screening the subjects? What regulations should be considered when screening the subjects?

51 51 TABLE 2-3C Scenario You are a CE that is using a central IRB arranged by the sponsor. What study documents does the IRB have to review prior to subject enrollment? You are a CE that is using a central IRB arranged by the sponsor. What study documents does the IRB have to review prior to subject enrollment? Reference Regulation sources FDA & HIPAA. Reference Regulation sources FDA & HIPAA.

52 52 Part II Sponsors of Research & Associates Assess Site and Vendor Compliance Assess Site and Vendor Compliance Risk of Knowingly using Non-Compliant Sites Risk of Knowingly using Non-Compliant Sites Proof of Compliance/ Good Faith Effort Proof of Compliance/ Good Faith Effort SOPs, References SOPs, References Assurance of PHI Protection from Recipients Assurance of PHI Protection from Recipients Sponsors of Research to Site-Contract Sponsors of Research to Site-Contract BA Agreements BA Agreements Review Prep to Research Review Prep to Research Data Use Agreements Data Use Agreements Authorizations Authorizations Waivers of Authorizations Waivers of Authorizations

53 53 Practices that Cause Conflict in Compliance Pre-screening Logs Pre-screening Logs Sponsor SOPs that require sites to ? if GPP Sponsor SOPs that require sites to ? if GPP Why asking for the information Why asking for the information Protection of the Integrity of Study Data  Revoking Authorization Must be in writing Need policy Sponsor to provide proof need data to protect integrity of the study VS. Withdrawal pf Informed Consent Part II Sponsors of Research & Associates

54 54 Withdrawal of Consent/ Revoking of Authorization: Flow Chart Patient Consented and Authorization Obtained for Use and Disclosure of PHI Subject Randomized Subject withdrew consent Ask: When the subject withdrew consent, did they also withdraw Authorization to PHI? Evaluate what has not been reviewed. If the subject has any related to study drug AEs that need follow-up, this PHI can still reviewed and used for this purpose only without authorization. Do we need the unreviewed data to support the endpoints of the study? If so, the CE will need proof the data remaining needs review and collection prior to the revoking of Authorization. NO Was the subject asked if they were revoking authorization also? If so, was it documented in the source? YES If Not: What is the site’s policy? What is your policy? What is the Ethical Concern here? Is the CE requesting documentation that this information is needed for the safety profile of the data or to protect the integrity of the data?

55 55 Part II Sponsors of Research & Associates Development & Approval of Policies and Procedures Same as Clinical Research Sites Same as Clinical Research Sites TABLE 2-5 Scenario: You are a Sponsor conducting a multi-center trial. One of the site milestone payments is based on pre-screening activity. You require the sites to send a weekly pre-screening log in by fax. What would the CE be able to supply on a log and why?

56 56 Strategies for Successful Site Management Post HIPAA

57 57 SITE & SPONSOR REACTION AND INTERACTION “My Monitor does not understand HIPAA” “My Monitor does not understand HIPAA” “I need help with the development of the Authorization” “I need help with the development of the Authorization” “Our IRB must review all our Authorizations; the approval will be delayed.” “Our IRB must review all our Authorizations; the approval will be delayed.” “I need more money in my study budget.” “I need more money in my study budget.” “I am confused. I see different levels of compliance on by sites and by sponsors due to varied interpretation.” “I am confused. I see different levels of compliance on by sites and by sponsors due to varied interpretation.”

58 58 SITE & SPONSOR REACTION AND INTERACTION “The sponsor will supply the authorization for my studies for us to participate. “The sponsor will supply the authorization for my studies for us to participate. “This is the straw that broke the camel’s back. We will not do research. It is too risky & regulated.” “This is the straw that broke the camel’s back. We will not do research. It is too risky & regulated.” “You do not have access to all the subjects medical record, due to minimal necessary.” “You do not have access to all the subjects medical record, due to minimal necessary.” “ALL who enter here are BAs.” “ALL who enter here are BAs.” “Our Authorization must be separate from the ICF.” “Our Authorization must be separate from the ICF.”

59 59 SITE & SPONSOR REACTION AND INTERACTION Do We Need to Re-evaluate? Do We Need to Re-evaluate? Site/ Sponsor Training Vary Site/ Sponsor Training Vary Coffee break Coffee break Huge t-con where no one could hear Huge t-con where no one could hear General Intro for company re:to Personnel Department General Intro for company re:to Personnel Department

60 60 HIPAA & Affect on Work Responsibilities : Project Managers Project Managers Policy Development Policy Development Study Vendor Selection Study Vendor Selection CRO CRO Central IRB Central IRB Central Lab Central Lab More More Contract Negotiations Contract Negotiations Sites, vendors, contractors Sites, vendors, contractors Study Budgets Study Budgets IRB costs, Overhead IRB costs, Overhead Protocol Timelines Protocol Timelines Site Selection Site Selection Study Documentation Study Documentation Training Training

61 61 HIPAA & Work Responsibilities (cont.): CRA Managers CRA Managers Training Training Hiring, permanent & Contract Hiring, permanent & Contract Policy Development Policy Development CRAs CRAs Site Selection Site Selection Site Visit Prep Site Visit Prep Documentation Where & What Documentation Where & What Transporting Patient Data Transporting Patient Data Training Training

62 62 HIPAA & Work Responsibilities (cont.): CRCs/Investigators CRCs/Investigators Policy Development Policy Development Visit Prep Visit Prep QA QA Privacy Officer Appointment Privacy Officer Appointment Sponsor/ Study Selection Sponsor/ Study Selection Budget Negotiations Budget Negotiations Working as a CE Working as a CE BA agreements BA agreements Tracking Disclosures Tracking Disclosures IRB/ Privacy Board Selection IRB/ Privacy Board Selection Training Training IRBs IRBs Privacy Board Role? Privacy Board Role? Policy Development Policy Development Training Training Review of Waivers, Data Use Agreements Review of Waivers, Data Use Agreements

63 63 HIPAA & Work Responsibilities (cont.): Site, Sponsors, Vendors will need to evaluate each other’s preparedness and policy development. Site, Sponsors, Vendors will need to evaluate each other’s preparedness and policy development. Scenarios Scenarios

64 64 TABLE 3-1A Scenario During a phase III study the sponsor adds a new lab test. This requires blood that has already been drawn be sent to another lab not currently on the 1572 for analysis. During a phase III study the sponsor adds a new lab test. This requires blood that has already been drawn be sent to another lab not currently on the 1572 for analysis. List what should be considered in this situation prior to implementation? List what should be considered in this situation prior to implementation?

65 65 TABLE 3-1B Scenario The sponsor is in the selection process for a central IRB for a new study. What additional information would the Sponsor need to assess prior to making the decision? What information would the site need to find out about the central IRB prior to accepting the study or use of the central IRB?

66 66 TABLE 3-1C Scenario During a study a subject calls the investigator and states they want to withdraw from the study. During a study a subject calls the investigator and states they want to withdraw from the study. List what actions should be taken at this point? List what actions should be taken at this point?

67 67 TABLE 3-1D Scenario During site selection, a CE requested the sponsor explain how they would assure the protection of the subject’s PHI during and after the study. During site selection, a CE requested the sponsor explain how they would assure the protection of the subject’s PHI during and after the study. What would be an acceptable answer and why? What would be an acceptable answer and why?

68 68 Strategies for Training the Project Team: The content is not exciting and may even produce frustration, boredom?? You know your audience. Make it something to remember. The content is not exciting and may even produce frustration, boredom?? You know your audience. Make it something to remember. Preliminary Questions to Answer Preliminary Questions to Answer Are we responsible for this? Are we responsible for this? Is it necessary? Is it necessary? If so, to what level? If so, to what level? How detailed? How detailed? How to track it? How to track it? How to test it? How to test it?

69 69 Strategies for Training the Project Team: Balancing Time, Cost and Effectiveness Balancing Time, Cost and Effectiveness Incorporate into corporate orientation (do we have time for one more thing?) Incorporate into corporate orientation (do we have time for one more thing?) Lunch & Learn Sessions: (Participation?) Lunch & Learn Sessions: (Participation?) Each clinical department to come up with plan for training: (How do we assure consistency in content) Each clinical department to come up with plan for training: (How do we assure consistency in content) Send out a scout & bring back to department to present Send out a scout & bring back to department to present Regulatory department’s role Regulatory department’s role SOP revision? Yields training/ EVR or IVR SOP revision? Yields training/ EVR or IVR Train Contractors? Require Contractors proof of training. Train Contractors? Require Contractors proof of training. SOP Revision SOP Revision Will this be revision or creation? Will this be revision or creation? Follow your Procedure for Revision of SOPs Follow your Procedure for Revision of SOPs

70 70 Site Visit Report Revisions: Evaluation Pre-Study Visits Evaluation Pre-Study Visits Addition of Site HIPAA Compliance Questions Addition of Site HIPAA Compliance Questions Include Action Plans for Compliance and Timelines for Assurance Requirements Include Action Plans for Compliance and Timelines for Assurance Requirements Questions: Questions: Privacy Practices Privacy Practices Pre-screening Practices Pre-screening Practices Authorization Authorization Training Documentation Training Documentation Minimal Necessary Minimal Necessary Vendors Vendors Assurance Assurance

71 71 Example Questions: Example Questions: 1. Does your facility have a policy relating to the process of obtaining AUTHORIZATION FOR TO USE OR DISCLOSE PROTECTED HEALTH INFORMATION? Yes or No If yes, describe:________________________ 2. Do you have a Privacy Officer? Yes, No If yes list: Name:________________ Telephone #: ___________ 3. Do you have A Notice of Privacy Practices? Yes or No/ Copy obtained?

72 72 Initiation Visits and/or Investigator Meeting: Addition of Site HIPAA Compliance Questions: Addition of Site HIPAA Compliance Questions: SOPs, Timelines, Documents, Activation date SOPs, Timelines, Documents, Activation date Include Action Plans for Compliance: Risk of Unresolved Action Items Include Action Plans for Compliance: Risk of Unresolved Action Items Document Statement of Assurance of Protection of PHI for all patients. Document Statement of Assurance of Protection of PHI for all patients. Sites’ requirements for assurance? Sites’ requirements for assurance? Early Identification and follow-up Early Identification and follow-up

73 73 Interim Monitoring Visits: List How, When, and by Whom Authorization was obtained List How, When, and by Whom Authorization was obtained Monitor for an Revoking of Authorization and Changes in Privacy Practices Monitor for an Revoking of Authorization and Changes in Privacy Practices Monitor for Privacy Officer Appointment & Changes Monitor for Privacy Officer Appointment & Changes Careful to Resolve/ Add Action Items for GPP and Follow through Careful to Resolve/ Add Action Items for GPP and Follow through

74 74 Close-out Visit:  Reassurance  Action Item Resolution

75 75 Follow-Up Letter :  Include Assurance/ End date on Authorization  Document Authorizations/ with ICFs  Document GPP  How often?

76 76 Sponsors: Help sites obtain the information they need up front on the disclosed PHI. Sites: Let Sponsors know up front what assurances are needed & policies you have in place.

77 77 Summary: Let’s work better together to uphold the Privacy & Security of Subject Data; then ultimately we will increase the confidence of the general public in Clinical Trials.

78 78 Question & Answer Session

79 79 Extra Questions Which of the following is a Covered Entity under HIPAA? Which of the following is a Covered Entity under HIPAA? A Central Laboratory as a vendor of the sponsor of a clinical trail. A Central Laboratory as a vendor of the sponsor of a clinical trail. A Pharmaceutical Companies Phase I Oncology Unit. A Pharmaceutical Companies Phase I Oncology Unit. A Contract Research Organization Clinical Data Management Department. A Contract Research Organization Clinical Data Management Department. The Health Plan Administrator of a Pharmaceutical Company The Health Plan Administrator of a Pharmaceutical Company a & c only a & c only a & d only a & d only b & c only b & c only b & d only b & d only

80 80 Which of the following is always Protected Health Information under HIPAA? Which of the following is always Protected Health Information under HIPAA? Information used by a sponsor collected at site. Information used by a sponsor collected at site. Information regarding a decedent’s family member. Information regarding a decedent’s family member. Electronic medical records maintained at an Academic Medical center. Electronic medical records maintained at an Academic Medical center. Data collected in CRFs. Data collected in CRFs. a & c only a & c only a & d only a & d only b & c only b & c only b & d only b & d only

81 81 The project team can document assurance for the CE of maintaining the subject’s privacy rights by which of the following: The project team can document assurance for the CE of maintaining the subject’s privacy rights by which of the following: Adding a summary statement in visit follow-up letters Adding a summary statement in visit follow-up letters Adding a question addressing this issue to the monitoring report template Adding a question addressing this issue to the monitoring report template Provide a written statement of how & for what time period the PHI will be protected Provide a written statement of how & for what time period the PHI will be protected Include a statement in the ICF that documents the assurance of the protection of the PHI Include a statement in the ICF that documents the assurance of the protection of the PHI a, b & c a, b & c b, c & d b, c & d a, c & d a, c & d

82 82 An independent consultant is hired by a free- standing research facility not affiliated with a medical facility to enter data into electronic CRFs for three different studies. Under HIPAA, this research facility: An independent consultant is hired by a free- standing research facility not affiliated with a medical facility to enter data into electronic CRFs for three different studies. Under HIPAA, this research facility: would initiate a Business Associate Agreement with the consultant. would initiate a Business Associate Agreement with the consultant. must initiate a confidentiality disclosure agreement with the consultant. must initiate a confidentiality disclosure agreement with the consultant. is not governed directly under HIPAA. is not governed directly under HIPAA. Is a hybrid entity and must initiate a Data Use Agreement Is a hybrid entity and must initiate a Data Use Agreement

83 83 A CE office has restricted access controlled by a receptionist, open storage of PHI is acceptable if: A CE office has restricted access controlled by a receptionist, open storage of PHI is acceptable if: The office is locked and alarmed after work hours The office is locked and alarmed after work hours There is a security guard in the facility There is a security guard in the facility Everyone, including the receptionist, are required access to all patient records in order to do their jobs Everyone, including the receptionist, are required access to all patient records in order to do their jobs It is deemed secure by the HIPAA compliance officer It is deemed secure by the HIPAA compliance officer When conducting a clinical trial, as a CE what regulations should be followed? When conducting a clinical trial, as a CE what regulations should be followed? ICH Guidelines ICH Guidelines FDA Regulations or Common Rule FDA Regulations or Common Rule Applicable State Law Applicable State Law Privacy & Security Rule Regulations Privacy & Security Rule Regulations a, b & c a, b & c a, c & d a, c & d b, c & d b, c & d All of the above All of the above

Download ppt "1 HIPAA: A YEAR LATER, APPLICATION STRATEGIES FOR SUCCESSFUL CLINICAL TRIALS SAM Sather Vice-president C LINICAL P ATHWAYS, LLC 09-MARCH-2004 Session 5.07."

Similar presentations

Tips to a Successful Monitoring Visit

Tips to a Successful Monitoring Visit
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.

1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/2009 0.

1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/
WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain protections for any of your health information.

WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain protections for any of your health information.
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.

TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Similar presentations

Ads by Google