HIPAA Privacy and Research August 21, 2015


1 HIPAA Privacy and Research August 21, 2015
Laura LaCorte Office of Compliance

2 Regulatory Landscape
HIPAA/HITECH
- Federal standards for protecting and securing health information
- Breach notification requirements
- HHS Office of Civil Rights (OCR)
State laws

3 De-Coding HIPAA
- PHI: Protected Health Information
- Authorization
- Waiver
- LDS: Limited Data Set
- DUA: Data Use Agreement
- De-Identification
- Designated Record Set

4 HIPAA Authorization requirements
Authorization Core Elements
- Description of PHI to be used or disclosed.
- The name(s) or other specific identification of person(s) authorized to make the requested use or disclosure.
- The name(s) or other specific identification of the person(s) who may use the PHI or to whom the covered entity may make the requested disclosure.
- Description of each purpose of the requested use or disclosure.
- Authorization expiration date (could be “end of study”).
- Signature of the individual and date. If the Authorization is signed by an individual's personal representative, a description of the representative's authority to act for the individual.
Authorization Required Statements
- The individual's right to revoke his/her Authorization in writing and exceptions.
- Notice of the covered entity's ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the Authorization, including research-related treatment, and, if applicable, consequences of refusing to sign the Authorization.
- The potential for the PHI to be re-disclosed by the recipient and no longer protected by the Privacy Rule.

5 HITECH
- Compound authorizations
- Future research
- Decedents research

6 Steps to Complete Authorization
Step 1: Which providers are releasing health information to the research team? Check all boxes that apply.
Revision Date 11/1/11

7 Step 2: Must check one of the two boxes to reflect PHI being used/released.
Step 3: Must check boxes and have participant sign if using/releasing HIV test results, mental health records or substance abuse records.

8 Step 4: Check box if research team intends to use health information for future research purposes.

9 Step 5: Must list the PI name and address as contact.
Step 6: Research Participant, Legal Guardian or Personal Representative must sign and date document BEFORE PHI is used or released.

10 What if sponsor requests changes?
- Need Office of Compliance written approval
- Submit approval to IRB

11

12 Limited Data Set
Protected Health Information that excludes the following direct identifiers:
(i) Names;
(ii) Postal address information, other than town or city, State, and zip code;
(iii) Telephone numbers;
(iv) Fax numbers;
(v) Electronic mail addresses;
(vi) Social security numbers;
(vii) Medical record numbers;
(viii) Health plan beneficiary numbers;
(ix) Account numbers;
(x) Certificate/license numbers;
(xi) Vehicle identifiers and serial numbers, including license plate numbers;
(xii) Device identifiers and serial numbers;
(xiii) Web Universal Resource Locators (URLs);
(xiv) Internet Protocol (IP) address numbers;
(xv) Biometric identifiers, including finger and voice prints; and
(xvi) Full face photographic images and any comparable images.

13 De-Identification
-ALL of the following identifiers must be removed
-HIPAA privacy rule does not apply if de-identified
- Name/Initials
- Street address, city*, county*, precinct*, zip code*, or equivalent geocodes*
- All elements of dates (except year) directly related to an individual (date of birth, admission date, discharge date, date of death)*
- Elements of date, including year, for persons 90 or older
- Telephone number
- Fax number
- Electronic mail address
- Social Security Number
- Medical record number
- Health plan identification number
- Account number
- Certificate/license number
- Vehicle identifiers and serial numbers, including license plate number
- Device identifiers and serial number
- Web addresses (URLs); Internet IP addresses
- Biometric identifiers, including finger and voice print
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code*
* See HIPAA policy for full definition

14 Designated Record Set
- Relationship to patients' rights
- Why is it important to consider in the research context?

15

16 Protected Health Information: Individually identifiable health information in any form or medium that is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Authorization: A detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.
Waiver of Authorization: Permits a covered entity to use or disclose health data for research purposes without an authorization provided certain criteria are met. An IRB or Privacy Board must determine if the waiver criteria are met.
Limited Data Set: Protected Health Information that excludes specified direct identifiers of individuals or their relatives, employers, or household members and is used for research, public health or health care operations. A “limited data set” may include zip codes, dates of service, dates of birth and death and geographic information. A limited data set may not be used/released without a Data Use Agreement.
Data Use Agreement: An agreement entered into by both the covered entity and the researcher, pursuant to which the covered entity may disclose a limited data set to the researcher for research, public health, or health care operations. The agreement must specify the permitted uses and disclosures, among other obligations.
De-identification: Health information that does not identify an individual and to which there is no reasonable basis to believe that the information can be used to identify an individual. Health information shall be considered de-identified only if 18 identifiers as set forth in the privacy rule are removed; or via statistical methods as set forth in the rule.
Designated Record Set: A DRS includes an individual’s patient records and billing records maintained by a covered entity and records used by providers, in whole or in part, to make decisions about individuals. This includes psychotherapy notes as well as records received from other providers but that are used in connection with clinical decision making.
(See full definitions in USC HIPAA policies:

17 OCR Settlements
- New York hospitals pay $4.8 Million when a de-activated server left information on 6,800 patients accessible over the internet
- Stolen Laptops at Concentra Health Services lead to $1.7 million settlement
- WellPoint pays HHS $1.7 million for security weaknesses in an online application database leaving health information accessible over Internet
- Mass General pays $1 million when employee leaves highly sensitive health data on 192 patients on the subway
- Stanford and two vendors agree to pay $4.1 million to settle a class action lawsuit for vendor mismanagement of emergency room records

18 Where we are today
- Over 25,000 individuals completed training
- Comprehensive HIPAA policies, procedures and template forms
- Integrated process with Purchasing to identify Business Associates and negotiate Business Associate Agreement
- Monitoring of risk areas, including access controls
- Active coordination with Fundraising, PR and Research
- Partnership with Keck IT in implementation of new systems
- Privacy issues incorporated into due diligence and integration of new health care practices
- Breach notification and sanctions process

