Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 VUMC Confidentiality Policy and HIPAA Implications for Clinical Research General Clinical Research Center Skills Workshop March 2, 2007 Gaye Smith Privacy.

Published byLenard McLaughlin Modified over 8 years ago

Similar presentations

Presentation on theme: "1 VUMC Confidentiality Policy and HIPAA Implications for Clinical Research General Clinical Research Center Skills Workshop March 2, 2007 Gaye Smith Privacy."— Presentation transcript:

1 1 VUMC Confidentiality Policy and HIPAA Implications for Clinical Research General Clinical Research Center Skills Workshop March 2, 2007 Gaye Smith Privacy Official gaye.smith@vanderbilt.edu 343-3019

2 2 Vanderbilt as a Hybrid Entity HIPAA is a federal law that protects the privacy and security of an individual’s health information held by a “Covered Entity.” HIPAA supplements the Common Rule and the FDA’s protections for human subjects. For purposes of HIPAA, “Covered Entity” includes health care providers, health care plans, and health care clearinghouses that conduct specified transactions electronically. Vanderbilt University is engaged in both Covered Entity functions and other activities that are not Covered Entity functions and is therefore considered a Hybrid Entity. HIPAA regulations only apply to the Covered Entity functions.

3 3 Hybrid Entity Covered Entity Designation As of March 30, 2005 the Vanderbilt Covered Entity (VCE) includes: Vanderbilt Medical Center hospitals, clinics, and practices Vanderbilt Medical Group (VMG) Vanderbilt School of Medicine (SOM) Vanderbilt School of Nursing (SON) Vanderbilt Health Plan VUMC Administration for covered functions that involve the use and disclosure of PHI. In July of 2006, the VACE was expanded to include the affiliated entities for which VUMC has a controlling ownership interest or management accountable. Whether a Vanderbilt function or individual’s activity on behalf of VU is included in the VACE is determined based not upon any particular dept/unit, but instead upon the data being used and/or disclosed.

4 4

5 5 Data Categories Individually Identifiable Health Information (IIHI) – information collected from an individual that is created or received by a health care provider, employer, plan, or clearinghouse and relates to the past, present, or future physical or mental condition of the individual; the provision of health care to an individual; or the past, present, or future payment for the provision of care; and identifies the individual or can reasonably be used to identify the individual. Protected Health Information (PHI) – IIHI transmitted or maintained in any form by a covered function within the Vanderbilt covered entity. This specifically excludes education and employment records, as well as research health information.

6 6 Data Categories Research Health Information (RHI) – a term used by Vanderbilt to identify Individually Identifiable Health Information (IIHI) used for research purposes that is not PHI, and thus is NOT subject to the HIPAA privacy and security regulations. RHI is created in connection with research activity and is not created in connection with patient care activity. If a researcher is also a health care provider and IIHI is created in connection with the researcher’s health care provider activities, then the IIHI is PHI and is subject to HIPAA. IIHI that is created as PHI and is needed for research purposes may be disclosed to a researcher subject to the IRB approval process, which includes proper patient authorization or IRB waiver of authorization. After the PHI is properly disclosed to the research setting, the IIHI transferred to the research setting becomes RHI, which is no longer subject to the requirements of HIPAA.

7 7 WHAT PARTS OF RESEARCH ARE INSIDE THE HEALTHCARE COMPONENT OF THE HYBRID ENTITY? INSIDE THE HEALTHCARE COMPONENT PHI is health information created, used, and/or stored as a by- product of the delivery of health care services (stored in the designated record set) Human Subjects Research using PHI Clinical Trials Health Information created as RHI and conveyed to the medical record to support treatment purposes OUTSIDE THE HEALTHCARE COMPONENT Research Health Information is created, used, stored, or disclosed from a research data file or system distinctly separate from the patient’s medical record Animal and Basic Sciences Research Human Subjects Research not using PHI

8 8 PHI RHI (prepared by Daniel Masys, M.D.) PHI RHI HIPAA Authorization RHIPHI Research creates new information added to medical records Subject to HIPAA requirements (and potentially, penalties) Authorization converts PHI to RHI whose use is governed by terms of authorization or IRB waiver Internal disclosure

9 9 Data Handling Implications for PHI vs. RHI PHI is subject to the HIPAA for the Privacy Rule and the Security Rule. RHI is subject to best practices for maintaining confidentiality of research records, but not subject to HIPAA. Subsequent uses and disclosures of RHI are governed by the terms of the authorization or waiver, not by HIPAA.

10 10 Uses and Disclosures for Research HIPAA and VUMC policy generally limit the use and disclosure of PHI to treatment, payment, and administrative operation (TPO) functions, unless proper authorization is secured from the patient. Research falls outside of TPO and will always require specific authorization or other protections. PHI can be used or disclosed for research purposes if one of the following conditions is met: With a specific authorization signed by the patient With an IRB waiver of this authorization Under the “Preparatory to Research” criteria in IRB Policy X.A As a limited data set in conjunction with a Data Use Agreement As fully de-identified data For research on decedents Disclosures related to FDA-regulated products.

11 11 PHILimited Data SetDe- identified Data Waiver from IRB IRB waiver Exempt research, no PHI Accounting of disclosure NOT required Patient Authorization Disclosure Accounting IS REQUIRED or Requirements for Use or Disclosure of Data for Human Research IRB Exemption or and Data Use Agreement Accounting of disclosure is NOT required

12 12 If you have privacy or information security concerns or questions contact: Privacy Office (936-3594) or email Privacy.Office@vanderbilt.edu Privacy.Office@vanderbilt.edu Help Desk (343-4357) Your manager Compliance Reporting Line (343-0135) Always forward patient privacy complaints to Patient Affairs (322-6154) or the Privacy Office.

Download ppt "1 VUMC Confidentiality Policy and HIPAA Implications for Clinical Research General Clinical Research Center Skills Workshop March 2, 2007 Gaye Smith Privacy."

Similar presentations

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
1 The Health Insurance Portability and Accountability Act (HIPAA) A guided tutorial for GVSU employees.

1 The Health Insurance Portability and Accountability Act (HIPAA) A guided tutorial for GVSU employees.
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
NATIONAL FORUM ON YOUTH VIOLENCE PREVENTION: HIPAA PRIVACY RULE CONSIDERATIONS November 1, 2011 Iliana L. Peters, JD, LLM HHS Office for Civil Rights.

NATIONAL FORUM ON YOUTH VIOLENCE PREVENTION: HIPAA PRIVACY RULE CONSIDERATIONS November 1, 2011 Iliana L. Peters, JD, LLM HHS Office for Civil Rights.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.

1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
HIPAA Requirements for Patient Oriented Research

HIPAA Requirements for Patient Oriented Research
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.

TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

Similar presentations

Ads by Google