Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sybil Ingram-Muhammad, Ph.D. Sr. Practice Director, Healthcare IntelliMark I.T. Business Solutions June, 2003 HIPAA Privacy: The Impact of HIPAA on Sponsors.

Published byBrianne Payne Modified over 9 years ago

Similar presentations

Presentation on theme: "Sybil Ingram-Muhammad, Ph.D. Sr. Practice Director, Healthcare IntelliMark I.T. Business Solutions June, 2003 HIPAA Privacy: The Impact of HIPAA on Sponsors."— Presentation transcript:

1 Sybil Ingram-Muhammad, Ph.D. Sr. Practice Director, Healthcare IntelliMark I.T. Business Solutions June, 2003 HIPAA Privacy: The Impact of HIPAA on Sponsors of Medical Research

2 HIPAA Structure Title II: Administrative Simplification Provider Health Plan Individual Identifiers Employer Standard Data Elements Transactions Formats Code Sets Transactions (Data at rest) (Data in transit) 12 Requirements Administrative Procedures Physical Safeguards 6 Requirements Technical Services 5 Requirements Technical Mechanisms 1 Requirement Rights of Individuals Disclosure Rules Administrative Practices 58 Standards Security Requirements Accrediting Agencies Civil Penalties -OCR Criminal Penalties - FBI Public Complaint/Image Privacy Standards Enforcement

3 CONFUSION

4 Research A systematic investigation, including research development, testing and evaluation designed to develop or contribute to general knowledge vs. Health Care Operations Conducting quality assessment and improvement activities including outcomes evaluation and development of clinical guidelines PROVIDED that the obtaining of generalizable knowledge is NOT the primary purpose of any studies resulting from such activities ……Hmmmmm????

5 Which do you do? What does it mean if you do what you do? Research; no treatment Research with treatment Research with treatment; no bill/claim Research with treatment, claim generated to be paid by third party Research…with treatment…claim generated …to be paid by a “health plan” as define by HIPAA

6 Hybrid Entity A single legal entity that is a covered entity whose business activities include both covered and non-covered function and designates health care components that would meet the definition of a covered entity if it were a single legal entity. Common Ownership Issues… Common Control Issues…

7 Covered Functions “Hybrid entities” with covered components-- that is, an entity with one or more divisions that provide covered functions Health Plans Clearinghouses Providers that conduct electronic transactions (billing, status queries, etc.)

8 Uses and Disclosures HI…IIHI…PHI What’s The Difference??? OHCA vs. ACE Research vs. Health Care Operations Designated Record Set vs. Shadow Record Business Associate Contract vs. Data Use Agreement

9 Individually Identifiable Health Information (IIHI) Protected Health Information (PHI) Electronic-Written/Printed-Verbal (A) Names; (B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000. (C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; ( D) Telephone numbers; (E) Fax numbers; (F) Electronic mail addresses; (G) Social security numbers; (H) Medical record numbers; (I) Health plan beneficiary numbers; (J) Account numbers; (K) Certificate/license numbers; (L) Vehicle identifiers and serial numbers, including license plate numbers; (M) Device identifiers and serial numbers; (N) Web Universal Resource Locators (URLs); (O) Internet Protocol (IP) address numbers; (P) Biometric identifiers, including finger and voice prints; (Q) Full face photographic images and any comparable images; and (R) Any other unique identifying number, characteristic, or code

10 Limited Data Set -PHI that excludes specific, readily identifiable information, not only about the individual themselves but also their relatives, employers and members of their households. 16 IIHI must be excluded. Researchers may disclose information in the limited data set if the researcher's covered entity enters into a data use agreement with the recipient of the limited data set PHI in a limited data set may not be used to contact subjects

11 Limited Data Set & De Identification (i) Names; (i) Postal address information, other than town or city, state and zip code (iii) Telephone numbers; (iv) Fax numbers; (v) Electronic mail addresses; (vi) Social security numbers; (vii) Medical record numbers; (viii) Health plan beneficiary numbers; (ix) Account numbers; (x) Certificate/license numbers; (xi) Vehicle identifiers and serial numbers, including license plate numbers; (xii) Device identifiers and serial numbers; (xiii) Web Universal Resource Locators (URLs); (xiv) Internet Protocol (IP) address numbers; (xv) Biometric identifiers, including finger and voice prints; (xvi) Full face photographic images and any comparable images

12 Authorizations -Must be obtained for each use or disclosure of PHI for research purposes -Treatment that occur during research trial may be conditioned based upon the patient signing an authorization - May be combined with an informed consent to participate in the study, another authorization or any other legal permission related to research -Authorizations received from research study participants must include a statement that the authorization will have no expiration date

13 Permitted Disclosures without Authorization Required by law Public health activities Reporting abuse Health oversight Judicial or administrative proceedings Law enforcement Deceased patients Organ transplants Threat or danger Specialized government functions Workers’ Compensation

14 Waiver Criteria IRB or Privacy board must use the following when approving request for a waiver of written authorization: use of the PHI involves no more than minimal risk* to the privacy of the individual the research could not practically be conducted without the waiver the research could not practically be conducted without accessto the PHI *= plans and assurances must be put in pace to protect identifiers from improper use or disclosures, will be destroyed at the earliest opportunity and will not be disclosed to a 3 rd party (EARBL)

15 Reviews Preparatory to Research Researcher must represent that: Use or disclosure is sought solely to prepare research protocol or similar purpose No protected information will be removed from the facility during review Information being sought is necessary for the research purposes

16 Research on Decedents Researcher must represent that: Use or disclosure is sought solely for research on decedents Upon request, will provide documentation of patient’s death Information being sought is necessary for the research purposes

17 Business Associates A business associate performs functions on behalf of the health care organization involving the use or disclosure of identifiable health information. Examples include: billing or management companies, attorneys, accountants, consultants, and companies providing claims processing, data analysis or aggregation, accreditation, or financial services, among other services.

18 164.530 (c) (1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. PAST DUE >>> APRIL 14, 2003 …research activities were not exempted from this duty

19 Where,oh where does my PHI Flow? Oh where, oh where could it be? Patient/ Subject Patient/ Subject Provider Researcher Clinic Sponsor Email VPN CDC FDA STATE NIH Business Associate Business Associate PHI Data Flows PHI - Contractual obligations - Trading partner readiness - Risk assessment - Contingency plans - Coordination issues REPORTING AGENCIES

20 (Alan Goldberg, J.D., November, 2002) CONSEQUENCES

21 …a threat or a promise? “ They said they were going to come and get me before. Why should I believe they’ll come and get me now?”

22 HIPAA Sanctions Civil penalties. Health plans, providers and clearinghouses that violate these standards will be subject to civil liability. Civil money penalties are $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated. Federal criminal penalties. Under HIPAA, Congress also established criminal penalties for knowingly violating patient privacy. Up to $50,000 and one year in prison for obtaining or disclosing protected health information; Up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; Up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

23 Who Goes To Jail? Page 82603 - Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations Extracted from the Preamble of the Final Privacy Rule: “However, we note that section 1128A(1) of the Social Security Act, which applies to the imposition of civil monetary penalties under HIPAA, provides that a principal is liable for penalties for the actions of its agent acting within the scope of the agency.”

24 (Alan Goldberg, J.D., November, 2002) OCR HIPAA Privacy Complaint Form (excerpts) Are you filing this compliant for someone else? Who ( or what agency or organization, eg., provider, health plan) do you believe violated your (or someone else's) health information privacy rights or committed another violation of the Privacy Rule? When do you believe that the violation of health privacy rights occurred? Describe briefly what happened? How and why do you believe your (or someone else’s) health information privacy rights were violated, or the privacy rule otherwise was violated? …mind answering a few questions please?

25 (Alan Goldberg, J.D., November, 2002) CONSENSUS

26 Three Important Considerations How compliant do you want to be? …in the absence of a de facto check list, how will you determine when you’re done?

27 Three Important Considerations … How much risk are you willing to accept? The answers to the questions help drive your: budget process $$$$ policy and procedure development defining your HCO

28 Next Steps… What Do I Do?

29 Research Impact Assessment A Balancing Act

30 Expect Changes… § 160.104 Modifications. (a)Except as provided in paragraph (b) of this section, the Secretary may adopt a modification to a standard or implementation specification adopted under this subchapter no more frequently than once every 12 months. (b) The Secretary may adopt a modification at any time during the first year after the standard or implementation specification is initially adopted, if the Secretary determines that the modification is necessary to permit compliance with the standard or implementation specification. (c) The Secretary will establish the compliance date for any standard or implementation specification modified under this section. (1)The compliance date for a modification is no earlier than 180 days after the effective date of the final rule in which the Secretary adopts the modification. (2) The Secretary may consider the extent of the modification and the time needed to comply with the modification in determining the compliance date for the modification. (3) The Secretary may extend the compliance date for small health plans, as the Secretary determines is appropriate

31 Basic HIPAA Compliance Remediation Elements Senior Management Endorsement and Active Participation Budget HRT Leader HRT Team Team Composition Team SME’s General Counsel Involvement Documentation Education Implementation ***Compliance*** Monitoring and Enforcement

32 Remediation Plan Contents -Identify responsible parties for each task -Identify change management process -Identify communication process -Policy and procedure creation /modification -Forms creation/modification -Job description review minimum necessary/need to know -Training Material Preparation -Training -Re-assessment -Mock Sentinel Event/Review/Re-plan -Implement -Repeat, repeat, incorporate, repeat, repeat…

33 Informative Web Sites www.snip.wedi.org- Strategic National Implementation Process/ Workgroup for Electronic Data Interchange www.aspe.os.hhs.gov/admnsimp - Department of Health and Human Services www.cms.gov/hipaa - Centers for Medicare and Medical Services www.edipartners.com – X12N 4010 Training www.wpc-edi.com - Washington Publishing Company – Implementation Guides www.aamc.org – Association of American Medical Colleges www.healthprivacy.org - Health Privacy Project www.ahima.org - American Health Information Management Assoc

34 Thank You! Sybil Ingram-Muhammad, MT(ASCP), MBA, Ph.D. Senior Practice Director, Healthcare IntelliMark I.T. Business Solutions www.intellimark-it.com smuhammad@intellimark-it.com 1-972-304-2260

Download ppt "Sybil Ingram-Muhammad, Ph.D. Sr. Practice Director, Healthcare IntelliMark I.T. Business Solutions June, 2003 HIPAA Privacy: The Impact of HIPAA on Sponsors."

Similar presentations

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
Minimum Necessary Standard Version 1.0

Minimum Necessary Standard Version 1.0
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf.

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
HIPAA Privacy Rule and Research

HIPAA Privacy Rule and Research
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
Confidentiality and HIPAA

Confidentiality and HIPAA
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.

COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.

National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
HIPAA Requirements for Patient Oriented Research

HIPAA Requirements for Patient Oriented Research
Informed Consent.

Informed Consent.
 The Health Insurance Portability and Accountability Act of 1996.  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.

 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
Professional Nursing Services.  Privacy and Security Training explains:  The requirements of the federal HIPAA/HITEC regulations, state privacy laws.

Professional Nursing Services.  Privacy and Security Training explains:  The requirements of the federal HIPAA/HITEC regulations, state privacy laws.
HIPAA Training Presentation for New Employees How did we get here? HIPAA Police 1.

HIPAA Training Presentation for New Employees How did we get here? HIPAA Police 1.
Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.

Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.

Similar presentations

Ads by Google