HIPAA Privacy and Research August 21, 2015

Presentation transcript:

HIPAA Privacy and Research August 21, 2015 Laura LaCorte Office of Compliance

Regulatory Landscape
- HIPAA/HITECH
- State laws
- Federal standards for protecting and securing health information
- Breach notification requirements
- HHS Office of Civil Rights (OCR)

De-Coding HIPAA
- PHI: Protected Health Information
- Authorization
- Waiver
- LDS: Limited Data Set
- DUA: Data Use Agreement
- De-Identification
- Designated Record Set

HIPAA Authorization Requirements

Authorization Core Elements:
- Description of the PHI to be used or disclosed.
- The name(s) or other specific identification of the person(s) authorized to make the requested use or disclosure.
- The name(s) or other specific identification of the person(s) who may use the PHI or to whom the covered entity may make the requested disclosure.
- Description of each purpose of the requested use or disclosure.
- Authorization expiration date (could be “end of study”).
- Signature of the individual and date.
- If the Authorization is signed by an individual's personal representative, a description of the representative's authority to act for the individual.

Authorization Required Statements:
- The individual's right to revoke his/her Authorization in writing, and the exceptions to that right.
- Notice of the covered entity's ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the Authorization, including research-related treatment, and, if applicable, the consequences of refusing to sign the Authorization.
- The potential for the PHI to be re-disclosed by the recipient and no longer protected by the Privacy Rule.

HITECH
- Compound authorizations
- Future research
- Decedents research

Steps to Complete Authorization (form revision date 11/1/11)

Step 1: Which providers are releasing health information to the research team? Check all boxes that apply.

Step 2: Must check one of the two boxes to reflect the PHI being used/released.

Step 3: Must check the boxes and have the participant sign if using/releasing HIV test results, mental health records or substance abuse records.

Step 4: Check the box if the research team intends to use health information for future research purposes.

Step 5: Must list the PI name and address as contact.

Step 6: The Research Participant, Legal Guardian or Personal Representative must sign and date the document BEFORE PHI is used or released.

What if the sponsor requests changes?
- Written approval from the Office of Compliance is required
- Submit the approval to the IRB

Limited Data Set
Protected Health Information that excludes the following direct identifiers:
(i) Names;
(ii) Postal address information, other than town or city, State, and zip code;
(iii) Telephone numbers;
(iv) Fax numbers;
(v) Electronic mail addresses;
(vi) Social security numbers;
(vii) Medical record numbers;
(viii) Health plan beneficiary numbers;
(ix) Account numbers;
(x) Certificate/license numbers;
(xi) Vehicle identifiers and serial numbers, including license plate numbers;
(xii) Device identifiers and serial numbers;
(xiii) Web Universal Resource Locators (URLs);
(xiv) Internet Protocol (IP) address numbers;
(xv) Biometric identifiers, including finger and voice prints; and
(xvi) Full face photographic images and any comparable images.

De-Identification
- ALL of the following identifiers must be removed.
- The HIPAA Privacy Rule does not apply to information once it is de-identified.

Identifiers:
- Name/Initials
- Street address, city*, county*, precinct*, zip code*, or equivalent geocodes*
- All elements of dates (except year) directly related to an individual (date of birth, admission date, discharge date, date of death)*
- Elements of date, including year, for persons 90 or older
- Telephone number
- Fax number
- Electronic mail address
- Social Security Number
- Medical record number
- Health plan identification number
- Account number
- Certificate/license number
- Vehicle identifiers and serial numbers, including license plate number
- Device identifiers and serial numbers
- Web addresses (URLs); Internet IP addresses
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code*

* See HIPAA policy for full definition
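As an added example (not from the presentation or from USC's own tooling), this Python sketch applies the Limited Data Set and De-Identification slides to a constructed patient record: the LDS strips the sixteen direct identifiers but keeps dates and city/state/zip, while Safe Harbor de-identification also drops geography finer than state, reduces dates to years, and collapses ages of 90 and over. The field names, record layout and sample values are assumptions.

```python
from datetime import date

# Assumed flat per-patient record with these constructed field names.
# The 16 direct identifiers the LDS slide lists; Safe Harbor removes them too.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# An LDS may keep these; Safe Harbor must not (the slide's asterisk defers
# partial-zip and similar exceptions to policy, so they are dropped outright).
GEO_FIELDS = {"city", "county", "precinct", "zip"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def limited_data_set(record: dict) -> dict:
    """LDS: strip direct identifiers only; dates and city/state/zip survive.
    Release still needs a Data Use Agreement, which code cannot enforce."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record: dict, as_of: str) -> dict:
    """Safe Harbor: drop all 18 identifier types, reduce dates to their year,
    and for persons 90+ suppress birth year and exact age. 'Any other unique
    identifying code' still needs human review of the remaining fields."""
    today = date.fromisoformat(as_of)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_FIELDS or key == "birth_date":
            continue
        if key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
        else:
            out[key] = value
    if "birth_date" in record:
        birth = date.fromisoformat(record["birth_date"])
        age = today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))
        if age >= 90:
            out["age"] = "90+"          # no birth year, no exact age
        else:
            out["age"], out["birth_year"] = age, birth.year
    return out


# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "street_address": "1 Example St", "city": "Los Angeles", "state": "CA",
    "zip": "90089", "birth_date": "1924-03-02", "admission_date": "2015-06-10",
    "discharge_date": "2015-06-14", "diagnosis_code": "J18.9",
}
```

Calling `limited_data_set(SAMPLE)` keeps the birth date and zip code, while `safe_harbor(SAMPLE, "2015-08-21")` returns only state, admission/discharge years, the diagnosis code and an age of "90+".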

Designated Record Set
- Relationship to patients' rights
- Why is it important to consider in the research context?

Protected Health Information: Individually identifiable health information in any form or medium that is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Authorization: A detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.

Waiver of Authorization: Permits a covered entity to use or disclose health data for research purposes without an authorization, provided certain criteria are met. An IRB or Privacy Board must determine whether the waiver criteria are met.

Limited Data Set: Protected Health Information that excludes specified direct identifiers of individuals or their relatives, employers, or household members and is used for research, public health or health care operations. A “limited data set” may include zip codes, dates of service, dates of birth and death, and geographic information. A limited data set may not be used/released without a Data Use Agreement.

Data Use Agreement: An agreement entered into by both the covered entity and the researcher, pursuant to which the covered entity may disclose a limited data set to the researcher for research, public health, or health care operations. The agreement must specify the permitted uses and disclosures, among other obligations.

De-identification: Health information that does not identify an individual and to which there is no reasonable basis to believe that the information can be used to identify an individual. Health information is considered de-identified only if the 18 identifiers set forth in the Privacy Rule are removed, or if it is de-identified via the statistical methods set forth in the rule.

Designated Record Set: A DRS includes an individual's patient records and billing records maintained by a covered entity, and records used by providers, in whole or in part, to make decisions about individuals. This includes psychotherapy notes as well as records received from other providers that are used in connection with clinical decision making.

(See full definitions in USC HIPAA policies: www.usc.edu/policies)

OCR Settlements
- New York hospitals pay $4.8 Million when a de-activated server left information on 6,800 patients accessible over the internet
- Stolen laptops at Concentra Health Services lead to a $1.7 million settlement
- WellPoint pays HHS $1.7 million for security weaknesses in an online application database that left health information accessible over the Internet
- Mass General pays $1 million when an employee leaves highly sensitive health data on 192 patients on the subway
- Stanford and two vendors agree to pay $4.1 million to settle a class action lawsuit over vendor mismanagement of emergency room records

Where we are today
- Over 25,000 individuals completed training
- Comprehensive HIPAA policies, procedures and template forms
- Integrated process with Purchasing to identify Business Associates and negotiate Business Associate Agreements
- Monitoring of risk areas, including access controls
- Active coordination with Fundraising, PR and Research
- Partnership with Keck IT in the implementation of new systems
- Privacy issues incorporated into due diligence and integration of new health care practices
- Breach notification and sanctions process