Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.

Published byHorace Greene Modified over 8 years ago

Similar presentations

Presentation on theme: "HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008."— Presentation transcript:

1 HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008

2 Responsible for review, approval and monitoring of human subject research conducted by UM faculty, staff and students  Includes ensuring compliance with University of Miami HIPAA policies  Plan must contain elements required under HIPAA  Documentation of compliance with Covered Entity source of PHI University of Miami2

3  Health Insurance Portability and Accountability Act (HIPAA) Effective on April 14, 2003  Federal law that protects the privacy of individually identifiable health information (PHI)  Title 45 of the Code of Federal Regulations Parts 160 and 164 University of Miami3

4 Covered Entity – Custodians of PHI They must make a good faith effort to comply with the rule Three types of “ Covered Entities”  Health Care Providers Includes organizations, individuals such as researchers when they provide health care, e.g. clinical trials  Health Care Plans Insurers and payors  Health Care Clearinghouses Billing services University of Miami4

5  Hybrid Covered Entity  The University is not a covered entity. It is a hybrid entity with certain health care components covered by HIPAA and research components that may not be covered by HIPAA and that fall outside the “covered entity”. University of Miami5

6 6 UM – Hybrid Entity Covered Components Treatment Payment Health Care Operations Non-Covered Components Research

7 Investigators who do not access or create health information from/with the “covered entity” because they are acting solely as researchers and not health care providers are not considered part of the UM/JHS “covered entity” and are not subject to HIPAA regulations.  Necessary compliance with State privacy laws and Institutional and IRB policies only. University of Miami7

8 Obtained and access to PHI from a “covered entity” – those who create, use, or access health information while providing health care services to research subjects - must comply with HIPAA regulations as well as state privacy, institutional and IRB policies. University of Miami8

9 Clinical trials Chart reviews Epidemiological studies Behavioral and Social Science Studies Some basic science research activities  Studies may include the provision of treatment but others may provide neither treatment or diagnosis. University of Miami9

10 Section 24.2 of the HSRO Policies & Procedures contains some important terms related to HIPAA: PHI – protected health information derived from the past, present, future physical or mental health care of an individual managed by a covered entity RHI – Research-related health information, personally identifiable information distinct from PHI by not being associated with or derived from health care or payment for care. University of Miami10

11 Protected Health Information (PHI) is any individually identifiable information that is transmitted or maintained in electronic medium, or in any other form or medium  Medical Records E.g. Medical History, Diagnosis, Treatment  Payment Information E.g. Bills, Receipts  Ancillary Services E.g. X-Rays, Labs  Demographic Information (When Maintained with Health Information) E.g. Date of Birth, Social Security Number University of Miami11

12 When providing health care to individuals, researchers are considered health care providers When accessing existing protected health information, HIPAA privacy rules applies University of Miami12

13 1. Keep records of certain disclosures 2. Provide only minimally necessary information, including: a. Use pursuant to waiver b. Use preparatory to research c. Use of decedents’ PHI d. Use of limited data sets 3. Provide an accounting of certain disclosures, including: a. Use pursuant to waiver b. Use preparatory to research c. Use of decedents’ PHI Note: This requires significant resources, e.g. time and labor, as well as strong internal controls on the part of the covered entity. University of Miami13

14  Investigators will need to go through the covered entity’s “HIPAA-Hoops” to obtain data  UM IRB will need to consider research subjects’ privacy rights University of Miami14

15 University of Miami15 How Can PHI be Obtained for Research?  Authorization (Form B)  Limited Data Set / Data Use Agreement (Form C)  Waiver of Authorization (Form F)  Certification for Review Preparatory to Research (Form E)  Decedent Certification (Form D)  De-Identification To Access PHI for Research:

16 University of Miami16

17 University of Miami17

18  Each study participant permits Use & Disclosure of their PHI for research purposes  Must contain Privacy Notice provisions University of Miami18

19 University of Miami19 Authorization Core Elements:  Specific and meaningful description of information to be used or disclosed  Identification of the person or class of person releasing the information  Description of the investigator or class of persons receiving the information  Description of each purpose of the requested use or disclosure  Expiration date or event  Signature and date Authorization (Form B)

20 University of Miami20 Confidentiality Other Authorization Contents:  Individual right to revoke authorization  Covered entities are not permitted to condition treatment on the provision of authorization  Must explain potential for information to be re- disclosed by the recipient and that the recipient may not be required to comply with the Privacy Rule  Must be written in plain language  Copies must be provided to individual permitting the use and disclosure of PHI

21  The IRB waives the authorization requirement  PI must justify the request for the waiver Note: Most applicable when obtaining authorization is impracticable E.g. Retrospective Medical Research, Identifiable Database Research University of Miami21

22 In order to obtain the waiver, researchers must justify the following criteria: The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals  Describe plan to protect identifiers e.g. Who has access to PHI?  Describe plan to destroy identifiers or return identifying information to the covered entity  Provide assurance that PHI will not be re-used or disclosed to others The research could not practicably be conducted without the waiver or alteration to the authorization; and The research could not practicably be conducted without access to and use of the PHI University of Miami22

23 Decedent PHI is health information collected from deceased (prior to the study) subject’s records. Investigator’s Certification for Research with Decedents (Form D) must be submitted. University of Miami23

24 University of Miami24

25 University of Miami25 HIPAA requires that use and disclosure of, and requests for, protected health information (PHI) must be limited to the “minimum necessary to accomplish the intended purpose.” Example: Only the information pertaining to a specific use should be given to researcher. Minimum Necessary Requirement

26 University of Miami26 The requirements for de-identifying information are so extensive that often the data is of limited value to researchers. The Privacy Rule permits the use and disclosure of PHI via a “limited data set” with a “data use agreement”. Limited Data Set

27  Limited set of identifiers to be used for research, public health, and health care operations purposes  Permits use of some identifiable health information:  Five-Digit Zip Codes  City, State  Dates of Birth  Age Expressed in Years, Months, Days or Hours  Dates of Death  Dates of Admission/Discharge/Service  Excludes direct identifiers  Recipient enters into a “data use agreement” with covered entity in a form mandated by HIPAA (Form C)  Recipient enters into a “Business Associate Agreement” with covered entity University of Miami27

28 1. Defines who can use or receive data; 2. Defines for what purpose the data may be used; 3. Provides that PI will not re-identify the data or contact the subject; 4. Provides that data will be safeguarded & not used for unauthorized purposes; 5. Provides that researcher will report improper uses & disclosures; 6. Provides that researcher will “push down” privacy protection obligations to subcontractors. University of Miami28

29 University of Miami29  At UM, investigators will serve dual roles: BAs of the covered entity in order to access the PHI to create the limited data set; and investigator/recipient of the LDS.  Prior to disclosing PHI to the business associate, UM is required to enter into a written agreement with the BA that imposes specified safeguards on the PHI used or disclosed by the BA. HIPAA Business Associate (BA)

30  Form mandated by HHS, in which the recipients satisfactorily assures the covered entity (UM/JHS) that they will protect the information from further disclosure.  Before data is released, there needs to be specific descriptions of the methods the recipient will use to assure that the privacy of the information is protected. This is to be documented in a data use agreement or business associate agreement, depending on the situation. University of Miami30

31 University of Miami31

32 Physicians in the clinical setting may disclose identifying patient information to a researcher who wishes to recruit the patient for a study provided…  The physician first obtains the patient’s signed authorization to disclose the information to the researcher so the patient can be contacted. University of Miami32

33 Jackson Health System (JHS)  Physicians who identify patients eligible for a research study must use the JHS form to obtain the patient’s authorization to release information to the researcher  Form Available on HSRO Website, “JMH Research Authorization” UM  A research referral authorization form is still being devised. University of Miami33

34 HIPAA regulations grant individuals the right to receive an accounting of disclosures of their PHI made by a covered component for the six years prior to the request or since the applicable compliance date. Records must include specific information regarding each disclosure. University of Miami34 WAIVERS

35 The Privacy Rule allows a simplified accounting by Covered Entities for disclosures of PHI for research purposes without an individual’s authorization. Under simplified accounting provisions, covered entities may provide individuals with a list of all protocols for which PHI has been disclosed, as well as the researcher’s name and contact information. University of Miami35

36 University of Miami36 General Rules For Use and Disclosure of PHI for Research: Disclosures made pursuant to an IRB waiver of authorization Authorized disclosures (Authorization) Disclosures made pursuant to certifications PHI furnished in limited data sets Accounting Required Accounting NOT Required Accounting for Disclosures (Attachment 45):

37 University of Miami37 General Rules For Use and Disclosure of PHI for Research: Disclosures made pursuant to an IRB waiver of authorization Disclosures made pursuant to certifications Accounting Required  UM must complete an accounting for disclosures form (G) and submit form to privacy office and disclose PHI to research staff.  Disclosure forms must be completed by the PI for each patient participating in the study.

38 Covered Entities may use and disclose PHI that was received or created for research before the compliance date (April 14, 2003) if they obtained one or more of the following prior to the compliance date:  An authorization or other express legal permission from an individual to use or disclose PHI for research purposes  The informed consent of the individual to participate in research  A waiver of informed consent granted by the IRB University of Miami38

39 HSRO has “Written Policies and Procedures for the Protection of Human Research Subjects”. Section, 24 specific to Privacy, Security, Confidentiality, and HIPAA were revised on August 6 th, 2008. Policies are available on our website under, “Investigator Resources”. University of Miami39

40 Evelyne Bital, MS, CIP  Associate Director of Privacy & Regulatory Affairs, (305) 243- 3195  e-mail: ebital@med.miami.edu ebital@med.miami.edu For general HIPAA information or to access standard HIPAA forms for research:  hsro.med.miami.edu University of Miami40

41 Federal Regulations for HIPAA 45 CFR 160 and 45 CFR 164 University of Miami HIPAA Policies and Procedures University of Miami41 http://www.hhs.gov/ocr/hipaa/ http://www.hipaadvisory.com/ http://www.hipaadvisory.com/regs/

42 University of Miami42

Download ppt "HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008."

Similar presentations

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
Open Library June 4, 2004 Informed Consent Process and Federal Regulations That Must Be Met to Waive Informed Consent Tracey Craddock Regulatory Compliance.

Open Library June 4, 2004 Informed Consent Process and Federal Regulations That Must Be Met to Waive Informed Consent Tracey Craddock Regulatory Compliance.
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf.

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
HIPAA Privacy Rule and Research

HIPAA Privacy Rule and Research
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
NATIONAL FORUM ON YOUTH VIOLENCE PREVENTION: HIPAA PRIVACY RULE CONSIDERATIONS November 1, 2011 Iliana L. Peters, JD, LLM HHS Office for Civil Rights.

NATIONAL FORUM ON YOUTH VIOLENCE PREVENTION: HIPAA PRIVACY RULE CONSIDERATIONS November 1, 2011 Iliana L. Peters, JD, LLM HHS Office for Civil Rights.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.

1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
HIPAA Requirements for Patient Oriented Research

HIPAA Requirements for Patient Oriented Research
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.

TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
Informed Consent.

Informed Consent.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.
Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.

Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair.

Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair.

Similar presentations

Ads by Google