HIPAA Privacy Rule and Research

HIPAA Privacy Rule and Research Kaiser Permanente Researcher Training March 3, 2003

About this Training This HIPAA Privacy Rule Training Program provides a summary explanation to Kaiser Permanente (KP) researchers of a new federal regulation that will have a significant effect on the conduct of research in KP. This summary also reflects the policies and procedures that KP has developed to implement the HIPAA Privacy Rule. The regulation is commonly referred to as HIPAA but is more accurately called the Privacy Rule. The Privacy Rule sets federal standards for KP control of access to and use and disclosure of individually identifiable health information. It also establishes rights for our members to access their health information and to know how KP is using and disclosing it. All KP employees must complete basic HIPAA Privacy Rule training appropriate to their role. Completion of this research training program qualifies as having met KP requirements for training on the Privacy Rule as it applies to research. It supplements but does not replace the basic HIPAA Privacy Rule training that is required for all KP employees. All full-time KP researchers must have documented completion of this or another qualified training program specific to research by April 14, 2003. All other KP researchers must have documented completion of this or another qualified research training program as soon as possible and no later than June 14, 2003.

The HIPAA Privacy Rule and Kaiser Permanente The HIPAA Privacy Rule requires KP to set up new systems and procedures to assure that our members' privacy rights are protected. The Privacy Rule applies to health care treatment, payment, and operations as well as research. This training program addresses issues specific to research. The Privacy Rule requires KP to tell our Health Plan members if and how their health information will be used within the KP Region and disclosed outside the KP Region. If it will be disclosed, KP must tell them what information will be disclosed and to whom. Also, KP must ask members’ permission before we use their health information for purposes such as research. To the extent that non-members are involved as research participants, all Privacy Rule provisions apply to them, as well. The Privacy Rule provides our members with other rights such as the right to access and amend their health information and to receive an accounting of any release of their information outside the KP Region made without their written permission. KP has always been committed to protecting the privacy of our members’ health information, but this new regulation requires us to take certain additional steps.

HIPAA and the Privacy Rule HIPAA is the acronym for federal legislation passed in 1996 called the Health Insurance Portability and Accountability Act, which primarily addressed issues relating to health insurance. The act contained a provision requiring Congress to pass a new law by August 1999 to protect the privacy of identifiable health information. If Congress failed to meet this deadline, the Secretary of DHHS was required to write regulations. Congress did not pass a law by the deadline, and DHHS wrote the regulation that is known as the Privacy Rule. There are special provisions in the Privacy Rule that apply to research. The Privacy Rule was first published in December 2000, and the final modifications to it were issued on August 14, 2002. On December 3, 2002, the DHHS Office for Civil Rights issued guidance for KP and other entities to which the Rule applies on how to implement it. KP must be in compliance with the Privacy Rule by April 14, 2003. A subsequent and related regulation that you will be hearing about is called the Security Rule. The Security Rule is not addressed in this training program.

Who Must Comply with the Privacy Rule The Privacy Rule applies to health care providers and health care organizations such as KP. These entities are referred to under the Privacy Rule as covered entities. For the purposes of research, each KP Region, including all KP entities within the Region (e.g., Kaiser Foundation Health Plan, Kaiser Foundation Hospitals, and Permanente Medical Group as applicable), functions as a separate covered entity. Everyone employed by any KP entity must comply with the Privacy Rule. Certain provisions of the Rule also extend to KP vendors and contractors. Because the Privacy Rule is federal regulation, compliance with the Rule is mandatory. Failure to comply with the provisions of the Privacy Rule can result in significant penalties levied by the federal government up to a fine of $250,000 and/or 10 years imprisonment. The Privacy Rule also requires Kaiser Permanente to apply sanctions up to and including termination of members of its workforce who violate KP’s policies and procedures. In order to protect the privacy of our members’ health information and to prevent sanctions to KP and ourselves, it is important to comply with all requirements of the Privacy Rule.

Research under the Privacy Rule The Privacy Rule defines research the same way the Common Rule does. (The Common Rule is DHHS regulation on the protection of human subjects, which requires review of research by IRBs and directs their processes.) The definition is “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” The kinds of research conducted at Kaiser Permanente that are subject to the Privacy Rule include but are not limited to clinical trials as well as clinical effectiveness, epidemiologic, behavioral, and health services research. Any research that is subject to IRB review under the Common Rule is also subject to provisions of the Privacy Rule. However, the Privacy Rule goes farther than the Common Rule. It covers research that is exempt from IRB review under the Common Rule. It also covers certain activities preparatory to research such as feasibility and pilot studies, and it covers research on decedents. Any research that uses individually identifiable health information or demographic information that could link health information with the identity of an individual must be conducted in compliance with the Privacy Rule.

Privacy Rule Terminology The Privacy Rule introduces a number of new terms with specific definitions under the Rule. It is important for KP researchers to learn what these terms mean. In particular, researchers should understand the three categories of information that are recognized by the Privacy Rule: protected health information (PHI), de-identified information, and limited data sets. Privacy Rule requirements differ for each of these categories. One of the Privacy Rule’s most important terms is protected health information or PHI. PHI is identifiable health information, including any demographic or other descriptive information that could link the identity of an individual to his or her health information. It includes information maintained in paper medical records and in electronic databases or disease registries. It also includes information communicated verbally. Identifiers specifically listed in the Privacy Rule that can make health information identifiable are on page 8. However, any information that could be used alone or in combination with other information to identify a research participant is PHI under the Privacy Rule.

PHI Identifiers The 18 identifiers listed in the Privacy Rule are:
1. Names
2. Addresses (all geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code)
3. All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death, and all ages over 89 (including any date, such as a birth year, that would reveal such an age)
4. Telephone numbers
5. Fax numbers
6. E-mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health Plan beneficiary numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web addresses (URLs)
15. Biometric identifiers, including voice and finger prints
16. Full-face photographs and any comparable images
17. Internet Protocol (IP) address numbers
18. Any other unique identifying number, characteristic, or code

De-identified Information and Limited Data Sets Besides PHI, the Privacy Rule defines two other categories of information. De-identified information is a data set that contains none of the 18 identifiers listed on page 8. Removing all of these identifiers is referred to as the "safe harbor" method for de-identifying information. Privacy Rule provisions do not apply to de-identified information. The Privacy Rule also permits a statistician or other qualified person to determine that research information from which all 18 identifiers have not been removed is de-identified. This statistician must document the methods and results of analyses that were the basis of the determination. The third category of information is called a limited data set. A limited data set can include two categories of PHI identifiers: 1) dates, such as birth and death dates as well as admission, discharge, and service dates (it also can include a person’s age); and 2) limited geographic subdivisions such as state, county, city, precinct, and the 5-digit zip code. However, the limited data set must exclude all of the other 16 identifiers listed in the table on page 8.
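The two data categories described on this and the previous page differ only in which of the 18 identifiers may remain. The following script, added here as a worked example and not part of the KP training or any KP system, takes a constructed patient record and derives both a safe-harbor de-identified version and a limited data set from it, then checks each result against the corresponding exclusion list. Field names such as mrn, health_plan_id and device_serial are assumptions chosen for illustration; the record values are fictitious. The safe-harbor branch keeps only the year of each date, collapses any age over 89 to "90+" and removes the birth year in that case, and keeps state while dropping every smaller geographic unit (the regulation also permits the first three ZIP digits under a population condition; this example takes the conservative route and drops the ZIP entirely). The limited-data-set branch keeps full dates, ages and city/county/state/ZIP but removes street address along with the 16 direct identifiers.

```python
"""Safe-harbor de-identification vs. limited data set (added example).

Constructed sample data; field names are illustrative assumptions.
"""
from datetime import date

# Identifiers 1 and 4-18 of the safe-harbor list: direct identifiers that must
# be absent from BOTH a de-identified data set and a limited data set.
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_unique_code",
})
# Identifier 3 (dates) and identifier 2 (geographic subdivisions below state).
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "date_of_death"})
GEO_FIELDS = frozenset({"street", "city", "county", "precinct", "state", "zip"})

# Constructed sample record (fictitious values, assumed field names).
SAMPLE_RECORD = {
    "name": "Jane Q. Member", "street": "123 Elm St", "city": "Oakland",
    "county": "Alameda", "state": "CA", "zip": "94612",
    "birth_date": "1911-05-02", "admission_date": "2002-11-30",
    "discharge_date": "2002-12-04", "phone": "510-555-0100",
    "email": "jane@example.invalid", "ssn": "123-45-6789", "mrn": "MRN0012345",
    "health_plan_id": "HP-778899", "device_serial": "PM-55AA21",
    "ip_address": "10.1.2.3", "diagnosis_code": "I10", "lab_glucose_mg_dl": 104,
}


def age_on(birth_iso, as_of):
    """Completed years between an ISO birth date and the as_of date."""
    b = date.fromisoformat(birth_iso)
    years = as_of.year - b.year
    if (as_of.month, as_of.day) < (b.month, b.day):
        years -= 1
    return years


def safe_harbor(record, as_of):
    """Remove all 18 identifiers; keep only year of dates, state, and age (capped at 90+)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # identifiers 1, 4-18: always dropped
        if key in GEO_FIELDS:
            if key == "state":            # state is not "smaller than a state"
                out[key] = value
            continue                      # street/city/county/precinct/zip dropped
        if key in DATE_FIELDS:            # keep year only, e.g. birth_date -> birth_year
            out[key.replace("date", "year")] = date.fromisoformat(value).year
            continue
        out[key] = value                  # clinical fields are not identifiers
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
        if age > 89:
            out["age"] = "90+"            # ages over 89 must be aggregated
            out.pop("birth_year", None)   # a birth year would reveal the age
        else:
            out["age"] = age
    return out


def limited_data_set(record):
    """Drop the 16 direct identifiers and street address; keep dates, ages, city/county/state/zip."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS and k != "street"}


def check(record, mode):
    """Return the sorted field names not permitted in a data set of the given mode.

    This is a field-name check only: identifier 18 (any other unique code) and
    free-text fields that embed names or dates still need human review.
    """
    bad = {k for k in record if k in DIRECT_IDENTIFIERS}
    if mode == "safe_harbor":
        bad |= {k for k in record if k in DATE_FIELDS}
        bad |= {k for k in record if k in GEO_FIELDS and k != "state"}
        if isinstance(record.get("age"), int) and record["age"] > 89:
            bad.add("age")
    elif mode == "limited":
        if "street" in record:
            bad.add("street")
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return sorted(bad)


if __name__ == "__main__":
    as_of = date(2003, 3, 3)
    for mode, data in (("safe_harbor", safe_harbor(SAMPLE_RECORD, as_of)),
                       ("limited", limited_data_set(SAMPLE_RECORD))):
        print(mode, data, "violations:", check(data, mode))
```

Because the check works on field names, it catches a column that was forgotten, not an identifier hiding inside a free-text note; a record that passes check() still needs the "no actual knowledge" review before it is treated as de-identified, and a limited data set still needs the data use agreement described on the next page.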

More about Limited Data Sets Under the Privacy Rule, a limited data set can be used or disclosed for research purposes without written permission (authorization) from research participants or a waiver of authorization from the IRB as long as it is used or disclosed under a data use agreement. A limited data set is also exempt from the Privacy Rule requirement to track disclosures of PHI outside the covered entity. However, there are some restrictions that apply. For example, use of a limited data set is subject to the Privacy Rule’s minimum necessary standard that will be explained later. Regardless of whether limited data sets will be disclosed outside the Region, KP researchers must sign a data use agreement, providing certain assurances that Privacy Rules will be followed. If a limited data set is disclosed outside the Region, a data use agreement must be executed between the KP Region and the recipient of the information.

Definitions of Use and Disclosure The Privacy Rule provides specific definitions of these key terms. A use is defined as “sharing, using, applying, examining PHI within a Region.” In KP, a use includes sharing PHI between the KP entities (e.g., Kaiser Foundation Health Plan, Kaiser Foundation Hospitals, and Permanente Medical Group, as applicable) that make up a Region. It also includes sharing information within a KP entity, such as a medical group, or even within a department. A disclosure is defined as, “releasing, transferring, providing access to, or divulging PHI to any individual or entity outside a KP Region.” This includes sharing PHI between KP Regions. It is also a disclosure if an individual who is not on KP’s workforce has access to PHI on KP premises. For example, disclosure occurs when a clinical trial monitor, representing the trial sponsor or a CRO, comes to the KP research site and looks at medical records in order to verify the accuracy of information recorded on case report forms. Anytime anyone who is not on KP’s workforce has access to identifiable information pertaining to one or more KP members for any reason, this is a disclosure, and this disclosure is subject to Privacy Rule provisions.

The Minimum Necessary Standard The Privacy Rule requires KP researchers to use and disclose the minimum PHI necessary to perform the research. This applies to all uses and disclosures of PHI except when participants give written authorization for the use or disclosure of their health information. Even when authorization is obtained, the minimum necessary standard is a good principle to follow, regardless of whether the Privacy Rule requires it. The minimum necessary standard applies to activities preparatory to research, research on decedents, and research conducted under an IRB-approved waiver of authorization. As said above, it also applies to a limited data set. KP researchers must be prepared to justify that the PHI they are using or disclosing meets the minimum necessary standard.

Authorization for Use or Disclosure of PHI Before KP researchers can use or disclose PHI, they must have either written authorization from the individuals to whom the identifiable health information pertains or an IRB-approved waiver or alteration of the authorization requirement. The IRB is permitted to approve a waiver only if all of the following criteria are met:
The use or disclosure of PHI involves no more than minimal risk to the privacy of the subjects, which requires a plan to protect the PHI, a plan to destroy the PHI at the earliest opportunity, and the researcher's assurance that PHI will not be reused or disclosed for any other purpose, including another research project;
The research could not practicably be conducted without the waiver;
The research could not practicably be conducted without access to the PHI;
The rights and welfare of participants will not be adversely affected by the waiver; and
The risks are reasonable in relation to the anticipated benefits of the research.
IRBs also have authority under the Privacy Rule to alter the specific requirements of the written authorization. For the IRB to approve an alteration, the same criteria as used for waiving the authorization must be met.

More on Participant Authorization Using or disclosing a limited data set does not require written authorization as long as a data use agreement has been signed by the appropriate parties. Activities preparatory to research also do not require authorization as long as the researcher uses PHI according to Privacy Rule provisions and submits the required representation. Written authorization for use or disclosure of PHI will typically be provided as a new section at the back of the research consent form. The Privacy Rule has specific core requirements for this authorization. For example, it must describe the PHI being used or disclosed. If PHI will be disclosed, it must say who can disclose it, to whom, and why. This information must be in a separate section of the consent form, and it must be written in plain language. This authorization section requires a separate participant signature. Research participants who have signed a research consent form prior to April 14, 2003, do not need to sign a Privacy Rule authorization form. However, anyone enrolled after April 14, 2003, must provide written authorization unless the IRB waives or alters this requirement.

Research Participant Rights The Privacy Rule permits research participants to revoke their authorization during the study, subject to certain limitations. Such revocation must be protocol-specific, and it should be made in writing to the KP principal investigator. The research team may continue to use and disclose any PHI collected about the participant before authorization was revoked. Also, use or disclosure of PHI after revocation is allowed to assure the safety of any individual or as otherwise required by law. Research participants also have the right to access certain information collected about them in the study; however, certain limitations apply for clinical trials. Participants in research that involves treatment may be denied access to their PHI obtained in connection with the specific protocol provided that the PHI was obtained in the course of the research, the participants signed an authorization in which the restrictions on their access were explained, and the right of access will be reinstated once the research study has ended and the authorization has expired. The Privacy Rule allows a participant's personal representative to authorize the use and/or disclosure of PHI by signing the authorization form. And, the Privacy Rule requires that the participant or the representative who signs the form be given a copy of the signed authorization form. The researcher must maintain a copy of the signed form for at least six years.

Activities Preparatory to Research The Privacy Rule has special provisions that affect the use of PHI in activities preparatory to research. Such activities include: assessing the feasibility of conducting a study, preparing a grant application, conducting a pilot study, and pre-screening clinical trial enrollees. For these and other activities preparatory to research, KP researchers must submit a representation to their Region agreeing to these principles: The use of PHI will be restricted to the minimum necessary to prepare a research protocol or for another purpose preparatory to research; No PHI will be removed from KP premises; and The PHI for which use or access is sought is necessary for the research purposes. Your regional research office will provide a representation form for you to complete before you access PHI for any purpose preparatory to research. They will also provide instructions for submitting it. If Privacy Rule provisions are followed, activities preparatory to research do not require participant authorization or a waiver of authorization. These activities are typically exempt from IRB review under the Common Rule because they are not considered to be research. Activities preparatory to research that involve a limited data set must be conducted under a data use agreement.

Research on Decedents Prior to the Privacy Rule, research on decedents was largely unregulated. It did not require IRB review because it did not pertain to “living individuals.” The Privacy Rule introduces regulations on this type of research when PHI will be used or disclosed. Before KP researchers can conduct research involving PHI on decedents, they must submit a written representation, agreeing to the following principles: The use or disclosure of PHI is sought solely for the purpose of conducting the research on decedents; Documentation of the death of such individuals will be provided to the KP Region or IRB on request; and The PHI for which use or disclosure of PHI is sought is the minimum necessary for the research. Your KP regional research office will provide a form and instructions for submitting it. If a limited data set will be used, a data use agreement must be signed. If PHI on decedents’ relatives, employers, or household members will be disclosed, prospective IRB approval is required. If PHI will be disclosed outside the Region, disclosure accounting rules apply.

The Privacy Rule and Exempt Research Research that is exempt from IRB review under the Common Rule is not necessarily exempt from the Privacy Rule. Researchers who believe that their activities are exempt from IRB review must submit a request for exemption form to the IRB. This form, recently expanded to enable determinations relating to the Privacy Rule, is available from your KP IRB. After April 14, 2003, when evaluating research to determine if it is exempt from IRB review, the reviewer (usually the IRB Chair or Administrator) must determine whether or not protected health information (PHI) will be used or disclosed. If it will, the reviewer will determine whether the research qualifies for a waiver of authorization. If it does not qualify for a waiver, the research will require written authorization from participants. Typically, this means that the study will require review by the convened IRB.

Business Associate Agreements The Privacy Rule requires that a special legal agreement, a business associate agreement, be executed between KP and its business associates that are receiving, using, or creating PHI. A business associate is an individual or entity external to KP, not acting as a researcher, providing services on behalf of KP. Business associates are typically vendors, independent contractors, or commercial entities that are providing support to KP such as mailing, survey, laboratory, radiology, or consulting services. A sponsor is not a business associate because it does not provide services on behalf of KP. Research collaborators, even those working under subcontract to KP, are not business associates because they are typically acting as researchers on the study. These individuals and companies need to sign other types of agreements with KP. Your KP regional research office should make the final determination about when a business associate agreement or any other type of research agreement is needed. KP investigators must not sign business associate agreements or other research agreements on behalf of KP.

Disclosure Accounting Under the Privacy Rule, KP is required to account for all research disclosures of PHI outside the Region except when participants have provided written authorization for the disclosure. This will allow KP to respond to member requests for reports on when PHI about them might have been disclosed outside KP. For research, this will be accomplished in two ways. For research involving 50 or more participants (or PHI on 50 or more individuals), the regional research office will maintain a database that meets Privacy Rule disclosure accounting requirements. The IRB application will ask new questions that are designed to obtain this information from KP researchers. For research involving fewer than 50 participants (or PHI on fewer than 50 individuals), each KP investigator will be required to provide certain information to their Region. Your regional research office will notify the Region of any studies that involve PHI on fewer than 50 participants for which no authorization is being sought. Disclosure accounting is required for exempt research, activities preparatory to research, research on decedents, and research conducted under a waiver of authorization.

Where to go for Additional Information Your regional research office is a good source of information on implementing the Privacy Rule. You can also contact the Kaiser Foundation Research Institute (KFRI) located in Oakland at 510/625-3431. For information on regional research contacts and guidance on conducting research in KP, consult the KFRI web site at http://kpnet.kp.org/kfri. This site now has a special HIPAA Privacy Rule section that includes relevant KP policies and procedures, a glossary of terms specific to research, and other guidance for researchers. For general information on the Privacy Rule for KP, consult the KP HIPAA website at http://kpnet.kp.org/hipaa. In addition, KFRI has established an e-mailbox for research-related questions: Submit your questions via Lotus Notes to HIPAA Research Questions. The Privacy Rule is new, and KP researchers can anticipate changes in interpretations of this regulation and in associated KP and IRB policies and procedures over time. It is the responsibility of all who conduct research in KP to become aware of these changes and modify their research practices accordingly. KP research and compliance leaders appreciate your efforts to understand and comply with these important new federal requirements.

Documentation of Completion In order to receive credit for completing this training, you must complete this page with your handwritten signature, indicating that you have read and understood the content of this HIPAA Privacy Rule Training Program for KP researchers.
Step 1: Email a copy of this complete and signed Documentation of Completion Page in PDF format from your KP.ORG email to KPSC.IRB@kp.org.
Step 2: After two weeks, you must upload in iRIS the complete and signed Documentation of Completion Page in PDF format to your iRIS My Account Information, under Education History. If you are a new user, go to http://irissupport.kp-scalresearch.org/ to get a username and password. Click on the orange "new users" button located on the right hand side of your screen. If you already have an iRIS username and password, log on to the iRIS home page http://iris.kp-scalresearch.org/.
Printed Name: _____________________
Signature (in blue or black ink only): _____________________
Date: ________________
KP Location and Department: ____________________________________________
Phone number: ________________