Presentation is loading. Please wait.

Presentation is loading. Please wait.

Final HIPAA Privacy Rule: The Research Provisions Julie Kaneshiro DHHS Office for Human Research Protections Phone:301-402-7565 Fax: 301-402-0527 Email:

Published byCalvin McDowell Modified over 7 years ago

Similar presentations

Presentation on theme: "Final HIPAA Privacy Rule: The Research Provisions Julie Kaneshiro DHHS Office for Human Research Protections Phone:301-402-7565 Fax: 301-402-0527 Email:"— Presentation transcript:

1

2 Final HIPAA Privacy Rule: The Research Provisions Julie Kaneshiro DHHS Office for Human Research Protections Phone:301-402-7565 Fax: 301-402-0527 Email: jakaneshiro@osophs.dhhs.gov National Research Summit Audio Conference February 20, 2003

3 On August 14, 2002, the Revised Final Privacy Rule was born.

4 3 Compliance Date  April 14, 2003  April 14, 2004 for small health plans

5 The Privacy Rule has important implications for human research.

6 5 Topics  Research Provisions  For More Information  Questions

7 6 Research Provisions  The Privacy Rule permits covered entities to use and disclose protected health information (PHI) for research conducted: –with individual authorization, or –without individual authorization under limited circumstances.

8 Note: The Privacy Rule does not override the Common Rule or FDA’s human subjects regulations.

9 8 Authorization Must Describe…  The information  Who may use or disclose the information  Who may receive the information  Purpose of the use or disclosure (must be limited to a specific research study)  Expiration date or event (can state “none” for research)  Individual’s signature and date  Right to revoke authorization (“reliance exception” permits continued use/disclosure to maintain integrity of research study)  Inability to condition treatment, payment, enrollment or eligibility for benefits—except for research-related tx  Redisclosures may no longer be protected by Rule

10 9 Individual Authorization  Allows all required authorization forms to be combined with the informed consent for research.

11 10 Common Rule vs. Privacy Rule Common Rule/FDA RegulatedPrivacy Rule IRB review Informed consent Patient authorization Research WITH patient permission

12 11 Research Use and Disclosure of PHI Without Individual Authorization: Four Options:  OPTION 1: Obtain documentation that an IRB or privacy board has determined that the following waiver criteria were satisfied:

13 12 3 Waiver Criteria 1) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements…

14 13 Waiver criteria… a)an adequate plan to protect the identifiers from improper use/disclosure; b)an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining identifiers or such retention is otherwise required by law; and c)adequate written assurances that PHI will not be reused/disclosed to any other person or entity, except as required by law, for authorized oversight of research project, or for other research for which use/disclosure of PHI would be permitted by this subpart.

15 14 Waiver criteria… 2) The research could not practicably be conducted without the alteration or waiver; 3) The research could not practicably be conducted without access to and use of the protected health information;

16 15 Research Use and Disclosure of PHI Without Individual Authorization  OPTION 2: Obtain representation that the use or disclosure is necessary to prepare a research protocol or for similar purposes preparatory to research;  OPTION 3: Obtain representation that the use or disclosure is solely for research on decedents’ protected health information; OR

17 16 Research Use and Disclosure of PHI Without Individual Authorization  OPTION 4: Only use or disclose limited data set/“indirect identifiers” (e.g. zip codes, dates of service, age, death) for research, public health, or health care operations; AND Require a data use agreement from recipient agreeing to use only for purpose provided and not to re-identify or contact individual.

18 17 Limited Data Set Must EXLUDE: (1) names; (2) postal address information, other than town or city, State and zip code; (3) telephone numbers; (4) fax numbers; (5) electronic mail addresses; (6) SSNs (7) medical record numbers; (8) health plan beneficiary numbers (9) account numbers; (10) certificate/license numbers; (11) vehicle identifiers and serial numbers, including license plate numbers; (12) device identifiers and serial numbers; (13) Web Universal Resources Locators (URLs); (14) internet protocol (IP) address numbers; (15) biometric identifiers, including finger and voice prints; and (16) full face photographic images and any comparable images.

19 18 Data Use Agreement Must: (1) Establish the permitted uses and disclosures of such information by the recipient (i.e. for research, health care operations or public health); (2) Establish who is permitted to use or receive the limited data set; and (3) Provide that the limited data set recipient will…

20 19 Data Use Agreement… (3) Continued: (a) not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law; (b) use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement; (c) report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware; (d) ensure that any agents, including a subcontractor, to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and (e) not identify the information or contact the individuals.

21 20 Common Rule vs. Privacy Rule Research WITHOUT patient permission Common RulePrivacy Rule IRB review— 4 waiver criteria IRB/Privacy Board Review— 3 waiver criteria Preparatory research; Research on decedents; or Limited data set and data use agreement.

22 21 Research Provisions: Accounting for Disclosures  Upon request, must provide accounting for research disclosures made without individual authorization (except for disclosures of the limited data set).  For 50+ records:  List of protocols for which PHI may have been disclosed, and  Researcher contact information.

23 22 Ongoing Research at Time of Compliance Date (4/14/03)  No distinction between research that involves treatment or and research that does not.  Grandfathers-in the following if obtained prior to the compliance date:  Legal permission for the use or disclosure PHI;  informed consent for the research; or  An IRB waiver of informed consent under the Common Rule.

24 23 For More Information OCR Privacy Website: http://www.hhs.gov/ocr/hipaa/

Download ppt "Final HIPAA Privacy Rule: The Research Provisions Julie Kaneshiro DHHS Office for Human Research Protections Phone:301-402-7565 Fax: 301-402-0527 Email:"

Similar presentations

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf.

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
HIPAA Privacy Rule and Research

HIPAA Privacy Rule and Research
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
HIPAA, Privacy & Confidentiality Local Accountability for Research Protection in VA Facilities VA Office of Research & Development Baltimore, February.

HIPAA, Privacy & Confidentiality Local Accountability for Research Protection in VA Facilities VA Office of Research & Development Baltimore, February.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
HIPAA Requirements for Patient Oriented Research

HIPAA Requirements for Patient Oriented Research
Informed Consent.

Informed Consent.
THE FOLLOWING SLIDES EXPLAIN THE REQUIRED ELEMENTS THAT MUST BE INCLUDED FOR A HIPAA AUTHORIZATION TO BE VALID HIPAA Authorizations.

THE FOLLOWING SLIDES EXPLAIN THE REQUIRED ELEMENTS THAT MUST BE INCLUDED FOR A HIPAA AUTHORIZATION TO BE VALID HIPAA Authorizations.
HIPAA Training Presentation for New Employees How did we get here? HIPAA Police 1.

HIPAA Training Presentation for New Employees How did we get here? HIPAA Police 1.
Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.

Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Nora B. McCann Privacy Manager Corporate Compliance Fox Chase Cancer Center

Nora B. McCann Privacy Manager Corporate Compliance Fox Chase Cancer Center
August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.

August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.
What does this form mean? HIPAA Authorization means prior written permission for use and disclosure of protected health information (PHI) from the information’s.

What does this form mean? HIPAA Authorization means prior written permission for use and disclosure of protected health information (PHI) from the information’s.
University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.

University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.
1 HIPAA, Researchers and the IRB: Part Two Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.

1 HIPAA, Researchers and the IRB: Part Two Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.

Similar presentations

Ads by Google