Presentation is loading. Please wait.

Presentation is loading. Please wait.

The HIPAA Privacy Rule: Implications for Medical Research

Published byRose Walker Modified over 6 years ago

Similar presentations

Presentation on theme: "The HIPAA Privacy Rule: Implications for Medical Research"— Presentation transcript:

1 The HIPAA Privacy Rule: Implications for Medical Research
The Second Annual Research Summit March 25, 2002 Julie Kaneshiro DHHS Office for Human Research Protections Phone: Fax:

2

3 Topics Background and Status Who and What is Covered
Research Provisions For More Information

4 Background: Privacy Rule
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Publish privacy rule if no Congressional action by August 1999 First Proposed Rule issued November 3, 1999 Over 52,000 comments received One goal of HIPAA was to encourage and facilitate electronic transfer of medical information to improve patient care Raised concerns about lack of Federal Medical Records Privacy Law due to increasing interstate practice of medicine. HIPAA Privacy Rule overrides State medical records privacy laws that are conflicting with Privacy Rule, UNLESS THE STATE LAW IS MORE STRINGENT.

5 Background: The “Final” Privacy Rule
Issued on December 28, 2000 Effective date: April 14, 2001 Compliance date: April 14, 2003 (small health plans April 14, 2004)

6 Status of the Privacy Rule
In response to public comments on the December 28 Final Rule, a new NPRM was released March 21, 2002. 30-day comment period begins March 27. Several proposed modifications to the Rule’s research provisions.

7 How would the current Privacy Rule affect research?
What is the impact of the proposed modifications?

8 Who is Covered? Health care providers who
Public health officials Researchers Health care providers who transmit health information in electronic transactions, including researchers who provide treatment to research participants Health plans Health care clearinghouses Law enforcement Marketers

9 What is Covered? Protected health information (PHI):
Human biological tissue De-identified information Protected health information (PHI): Individually identifiable health information Transmitted or maintained in any form or medium Decedents’ health information

10 Key Point In general, the Privacy Rule requires patient authorization for the use or disclosure of PHI. However, there are several exceptions…

11 Uses and Disclosures: Specific Public Purposes
Subject to various conditions: For research As required by law For public health To avert serious threats to health or safety For health oversight activities For law enforcement Other

12 Research Provisions The Privacy Rule permits covered entities to use and disclose protected health information (PHI) for research conducted: with individual authorization, or without individual authorization under limited circumstances.

13 What Research is Affected?
Research that uses existing PHI, such as: Health services research Clinical trials Research that includes treatment of research participants, such as:

14 Note: The Privacy Rule does not override the Common Rule or FDA’s human subjects regulations.

15 How the NPRM would change patient authorization requirements
NPRM would require only a single authorization form for all uses and disclosures. NPRM would allow all required authorization forms to be combined with the informed consent. NPRM would eliminate separate authorization for research that involves treatment. NPRM would eliminate requirement to state if the use or disclosure will result in direct or indirect remuneration.

16 Research Use and Disclosure of PHI With Individual Authorization
Patient authorization elements under the NPRM: The information, Who may use or disclose the information Who may receive the information Purpose of the use or disclosure Expiration date or event (NPRM: unless for a research database or repository) Individual’s signature and date Right to revoke authorization Right to refuse to sign authorization HIPAA Privacy Rule focuses only on use/disclosure of information—NOT CONSENT FOR THE RESEARCH ITSELF. Some of the authorization elements may raise some issues for PATIENT FOLLOW-UP

17 Common Rule vs. Privacy Rule
Research WITH patient permission Common Rule/FDA Regulated Privacy Rule IRB review Informed consent Patient authorization

18 Research Use and Disclosure of PHI Without Individual Authorization
Under current Final Rule: Obtain documentation that an IRB or privacy board has determined specified criteria were satisfied; Obtain representation that the use or disclosure is necessary to prepare a research protocol or for similar purposes preparatory to research; or Obtain representation that the use or disclosure is solely for research on decedents’ protected health information. Regarding exception for “preparatory research” – Has implications for PATIENT RECRUITMENT because does not allow research to remove PHI (I.e. name, address, phone number) from covered entity’s site. Options: have c.e. distribute recruitment letter have c.e. inform patient about trial and have pt. Make contact seek IRB/PB waiver for recruitment only

19 Research Use and Disclosure of PHI Without Individual Authorization
One additional option under NPRM: Only use or disclose “indirect identifiers” (e.g. zip codes, dates of service, dates of birth, death) for research, public health, or health care operations; AND Require a data use agreement from recipient agreeing to use only for purpose provided and not to re-identify or contact individual. Regarding exception for “preparatory research” – Has implications for PATIENT RECRUITMENT because does not allow research to remove PHI (I.e. name, address, phone number) from covered entity’s site. Options: have c.e. distribute recruitment letter have c.e. inform patient about trial and have pt. Make contact seek IRB/PB waiver for recruitment only

20 8 3 Waiver criteria under NPRM
1) The use or disclosure of protected health information involves no more than a minimal risk to the individuals, based on, at least, the presence of the following elements…

21 Waiver criteria… Continued…
an adequate plan to protect the identifiers from improper use/disclosure; an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining identifiers or such retention is otherwise required by law; and adequate written assurances that PHI will not be reused/disclosed to any other person or entity, except as required by law, for authorized oversight of research project, or for other research for which use/disclosure of PHI would be permitted by this subpart.

22 Waiver criteria… The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals; 2) The research could not practicably be conducted without the alteration or waiver; 3) The research could not practicably be conducted without access to and use of the protected health information;

23 Waiver criteria… (5) The privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research;

24 Waiver criteria… There is an adequate plan to protect the identifiers from improper use and disclosure; There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and

25 Waiver criteria… (8) There are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.

26 Review and Approval Procedures
To review and approve research proposals, IRBs and privacy boards may use: “Normal” review procedures, or Expedited review procedures.

27 Common Rule vs. Privacy Rule
Research WITHOUT patient permission Common Rule Privacy Rule IRB review— 4 waiver criteria IRB/Privacy Board Review— 8 3 waiver criteria Preparatory research; Research on decedents; or Indirect identifiers and data use agreement.

28 Individual Access to Research Information
In general research participants have a right to access a subset PHI about themselves—some exceptions include: If a covered entity is subject to CLIA and state law prohibits individuals from obtaining access; If a covered entity is exempt from CLIA; i.e some research laboratories; While a trial is in progress, if the individual has agreed, and has been informed that their right of access will be reinstated at the end of the research.

29 Ongoing Research at Time of Compliance Date (4/14/03)
Under current Final Rule: Different “grandfathering”provisions depending on whether research involves treatment or not.

30 Ongoing Research at Time of Compliance Date (4/14/03)
Under NPRM: No distinction between research that involves treatment or and research that does not. Grandfathers-in all research uses/disclosures if prior to the compliance date: Legal permission or informed consent; or An IRB waiver of informed consent under the Common Rule.

31 For More Information OCR Privacy Website:

Download ppt "The HIPAA Privacy Rule: Implications for Medical Research"

Similar presentations

Presented to Second Annual Medical Research Summit Washington, D.C. by Mark Barnes ROPES & GRAY March 25, 2002 APPLICABILITY OF HIPAA TO RESEARCH AND CLIINICAL.

Presented to Second Annual Medical Research Summit Washington, D.C. by Mark Barnes ROPES & GRAY March 25, 2002 APPLICABILITY OF HIPAA TO RESEARCH AND CLIINICAL.
SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf.

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
Eric S. Marks, M.D Associate Dean for Faculty Affairs.

Eric S. Marks, M.D Associate Dean for Faculty Affairs.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
HIPAA Privacy Rule Paul Below Clinical Research Consultant.

HIPAA Privacy Rule Paul Below Clinical Research Consultant.
1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.

1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
Informed Consent.

Informed Consent.
Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.

Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair.

Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair.
ORO Findings on Privacy, Confidentiality, and Information Security Peter N. Poon, JD, MA, CIPP/G Office of Research Oversight Initially presented June.

ORO Findings on Privacy, Confidentiality, and Information Security Peter N. Poon, JD, MA, CIPP/G Office of Research Oversight Initially presented June.
University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.

University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.
Recently Issued OHRP Documents: Guidance on Subject Withdrawal and Draft Revised FWA Secretary’s Advisory Committee on Human Research Protections October.

Recently Issued OHRP Documents: Guidance on Subject Withdrawal and Draft Revised FWA Secretary’s Advisory Committee on Human Research Protections October.
1 HIPAA, Researchers and the IRB: Part Two Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.

1 HIPAA, Researchers and the IRB: Part Two Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.
HIPAA, Researchers and the IRB Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.

HIPAA, Researchers and the IRB Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.
CUMC IRB Investigator Meeting November 9, 2004 Research Use of Stored Data and Tissues.

CUMC IRB Investigator Meeting November 9, 2004 Research Use of Stored Data and Tissues.
HIPAA Health Insurance Portability & Accountability Act of 1996.

HIPAA Health Insurance Portability & Accountability Act of 1996.

Similar presentations

Ads by Google