HIPAA Ready or Not, Here We Go - PowerPoint PPT Presentation

1
HIPAA: Ready or Not, Here We Go
Clinical Research Series
  • Wesley G. Byerly, Pharm.D.
  • Director, Institutional Review Board
  • Wake Forest University Health Sciences

Nutrition Education Wing (Commons) Conference
Rooms 1-3, Noon, Wednesday, January 22, 2003
2
The Health Insurance Portability and Accountability Act of 1996
AKA Public Law 104-191
AKA HIPAA
Purpose: a Congressional attempt at incremental health care
reform covering portability and administrative simplification
3
HIPAA Components
4
Privacy Rule History
  • 1996 - Passage of HIPAA. Gave Congress 36 months
    to pass comprehensive privacy legislation for
    health information, or DHHS was to promulgate
    final regulations. Congress did not act by the
    deadline, so:
  • November 3, 1999 - DHHS published proposed
    standards for individually identifiable health
    information in the Federal Register
  • December 28, 2000 - First Privacy Rule issued
  • January - December 2001 - Public hearings,
    advisory council findings
  • March 27, 2002 - Notice of Proposed Rulemaking
    (NPRM) published
  • August 14, 2002 - Second (modified) Privacy Rule
    issued
  • April 14, 2003 - Compliance date for the Privacy Rule

5
General Concepts Introduced by the Privacy Rule
  • Protects the privacy of individually identifiable
    health information by establishing conditions for
    its use and disclosure by a health plan,
    healthcare clearinghouse and certain health care
    providers.
  • An individual's written Authorization is required
    for Protected Health Information (PHI) use or
    disclosure for purposes other than Treatment,
    Payment or Operations (TPO) unless excepted under
    the HIPAA regulations or a waiver consistent with
    the HIPAA regulations is granted.
  • Waivers of written Authorization can be granted
    by IRBs or Privacy Boards.
  • Decedents' information is protected, but
    Authorization is not required.
  • Accounting and reporting of disclosures are
    required.

6
What are the Penalties for HIPAA Non-Compliance?
Federal Programs: exclusion from federal programs
anticipated
Accreditation: accrediting organizations will
require compliance
Criminal penalties (maximum per offense):
  • Wrongfully obtains or discloses PHI: $50,000 and
    1 year imprisonment
  • Under false pretenses: $100,000 and 5 years
    imprisonment
  • With intent to sell, transfer or use PHI: $250,000
    and 10 years imprisonment
Civil Monetary Penalties: $100 for each violation,
$25,000 maximum per year for violations of the same
provision
7
Who is Covered in the Privacy Rule?
  • A health care provider who transmits protected
    health information electronically for any covered
    HIPAA transaction
  • Examples: a physician who electronically bills
    for services; a researcher who is employed by a
    covered entity
  • A health plan
  • A health care clearinghouse

8
What is Covered in the Privacy Rule?
  • Protected Health Information (PHI)
  • Health information + identifier = PHI
  • Transmitted or maintained in any form (paper,
    electronic, forms, web-based, etc.)
  • Decedents' information included
  • Does not include de-identified health information

9
What is Health Information in the Privacy Rule?
  • Any information, whether oral or recorded in any
    form or medium, that:
  • Is created or received by a health care provider,
    health plan, public health authority, employer,
    life insurer, school or university, or health
    care clearinghouse; and
  • Relates to the past, present, or future physical
    or mental health or condition of an individual;
    the provision of health care to an individual; or
    the past, present or future payment for the
    provision of health care to an individual; and
  • Which identifies the individual, or
  • Where there is a reasonable basis to believe that
    the information can be used to identify the
    individual

10
What is an Identifier in the Privacy Rule?
The Privacy Rule defines 18 identifiers
  • Name
  • Geographic subdivisions smaller than a state
    (street address, city, county, zip code)
  • Elements of dates (including admission/discharge
    dates, service dates, birth date, date of death)
  • Telephone numbers
  • FAX numbers
  • E-mail addresses
  • Social Security number
  • Medical Record number, prescription number, etc.
  • Health plan beneficiary number
  • Account Numbers
  • Certification numbers
  • VIN and Serial numbers, license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP address numbers
  • Biometric identifiers (finger prints, voice
    prints, retinal scans, etc.)
  • Full face or comparable photo images
  • Unique identifying numbers

11
How does the Privacy Rule protect PHI?
  • Establishes conditions for use of PHI: sharing,
    employment, application, utilization, examination,
    or analysis within the covered entity
  • Establishes conditions for disclosure of PHI:
    release, transfer, provision of access to, or
    divulging outside the covered entity
  • Has additional protections for uses and
    disclosures made without the person's permission
    (the minimum necessary standard, for instance)
  • Gives individuals rights to information about
    themselves and how it has been used and disclosed

12
What is the Minimum Necessary Standard in the
Privacy Rule?
  • Minimum Necessary Requirement
  • Policies and procedures must be in place to limit
    access to and disclosure of PHI to the minimum
    necessary to achieve the purpose of non-treatment
    activities.
  • Applies to:
    • Use or disclosure of PHI
    • Requests made for PHI
  • EXCEPT for:
    • Treatment
    • When the person requests his/her own PHI
    • Uses or disclosures made with an Authorization
    • Some others

13
Key Terms
  • Privacy
  • Having control over the extent, timing, and
    circumstances of sharing oneself (physically,
    behaviorally, or intellectually) with others.
  • Confidentiality
  • The treatment of information that an individual
    has disclosed in a relationship of trust with the
    expectation that it will not be divulged to
    others in ways that are inconsistent with the
    understanding of the original disclosure without
    permission.

OPRR Guidebook, 1993
14
Key Terms in HIPAA
  • Use
  • Sharing of PHI within or among the Medical Center
    departments
  • Disclosure
  • Sharing of PHI with external entities
  • Incidental Disclosures (examples)
    • Patient logs
    • Waiting/patient rooms
    • Non-specific telephone conversations

15
Key Terms in HIPAA
  • Treatment, Payment, Health Care Operations (TPO)
  • Treatment: the provision, coordination, or
    management of health care and related services by
    one or more health care providers (e.g.
    consultation, referrals)
  • Payment: activities of a health care provider to
    obtain reimbursement for the provision of health
    care (e.g. eligibility, coverage, billing, claims
    management, collections)
  • Health Care Operations: such activities as quality
    assessment and improvement, reviewing the
    qualifications of employees and students,
    underwriting activities, medical/legal/compliance
    reviews, cost management, internal grievances,
    customer service, and education.

16
Key Terms in HIPAA
  • Research
  • A systematic investigation, including research
    development, testing and evaluation, designed to
    develop or contribute to generalizable knowledge
  • Authorization
  • A customized document that gives permission to
    use PHI for specific purposes other than TPO
    (e.g. marketing, fundraising, research)
  • Must use the approved Medical Center Authorization
    Form(s)
  • Must retain the Medical Center Authorization Form
  • Patient Authorization is NOT synonymous with
    patient (informed) consent.

17
Key Terms in HIPAA
  • Notice of Privacy Practices (NPP)
  • A document that explains how patients'
    information is used and disclosed in the Medical
    Center.
  • Explains patients' rights.
  • Will be available to each patient who enters the
    Medical Center.
  • Patients' rights include:
  • Inspect and copy
  • Request amendment
  • An accounting of disclosures
  • Request restrictions
  • Request confidential communications
  • Paper copy of the Notice of Privacy Practices
  • Opt out of the hospital directory
  • Any of the above requests should be forwarded to
    the Privacy Office at 713-2320 or 716-5578.

18
Privacy Rule and Research: General Concepts
  • HIPAA protects the privacy of PHI by establishing
    conditions for its use and disclosure in research
  • Applies to all research regardless of funding
  • HIPAA exceeds other privacy protections in the
    Common Rule and FDA regulations
  • An individual's written Authorization is required
    for the use or disclosure of PHI unless
    Authorization is waived or excepted
  • Authorization waivers can be granted by IRBs or
    Privacy Boards under limited circumstances
  • Decedents' information is protected, but
    Authorization is not required
  • Accounting and reporting of disclosures are
    required

19
Research under HIPAA
  • Situation in which PHI may be used for research
    purposes
  • With individual Authorization
  • With waiver of Authorization by IRB or Privacy
    Board
  • By De-Identification of PHI
  • As a Limited Data Set with Data Use Agreement
  • As an activity preparatory to research
  • For research on decedents information

20
Research Use and Disclosure of PHI With
Authorization: Authorizations for Research
  • Must be for a specific research study; blanket
    Authorizations are NOT permitted
  • Review/approval by an IRB or Privacy Board is not
    required by HIPAA but is likely to be required by
    the IRB
  • Different from but may be combined with the
    research study informed consent.
  • Must contain core elements and required
    statements in the Rule
  • Research authorizations need not expire
  • Needed for creation of a repository (data or
    biological material) for future research

21
Common Rule vs. Privacy Rule
Research WITH patient permission
22
Elements of an Authorization
  • Core HIPAA Elements
  • Description of PHI to be used or disclosed
  • Person(s) authorized to make and receive the
    requested use or disclosure
  • Purpose for the use or disclosure
  • Expiration date or event (e.g. end of the
    research study or none)
  • Subject or legally authorized representative
    signature and date
  • Required HIPAA Statements
  • Right to revoke Authorization plus exceptions and
    process
  • Ability/Inability to condition treatment,
    payment, or enrollment/eligibility for benefits
    on Authorization
  • PHI may no longer be protected by Privacy Rule
    once it is disclosed by the covered entity

23
Advantages of Authorization
  • Written permission
  • Described path of PHI flow
  • No minimum necessary standard
  • No accounting for disclosures

24
Research Use and Disclosure of PHI Without
Authorization
  • IRB or Privacy Board waiver of Authorization
    requirement
  • De-identify PHI
  • Limited Data Set with Data Use Agreement
  • Activity preparatory to research
  • Research is on decedents information
  • Disclosure to a public health authority or as
    required by law
  • Research qualifies for the Transition Provisions

25
If Authorization is NOT obtained
  • Written permission from person is not needed
  • May need IRB or Privacy Board waiver
  • May need to provide representation
  • Minimum necessary applies (in general)
  • Accounting for disclosures applies, except for
    limited data sets

26
Research Use and Disclosure of PHI Without
Authorization Waiver of Authorization
  • Obtain documentation that an IRB or Privacy Board
    has determined that each of the following waiver
    criteria is satisfied:
  • The use or disclosure involves no more than
    minimal risk to privacy, because of an adequate
    plan/assurance:
    • To protect PHI from improper use or disclosure
    • To destroy identifiers at the earliest opportunity
    • That PHI will not be inappropriately reused or
      disclosed
  • The research could not practicably be conducted
    without the waiver
  • The research could not practicably be conducted
    without access to and use of the PHI

27
Waiver of Authorization
  • HIPAA
  • Waiver of requirement for Authorization to use or
    disclose PHI
  • Requires minimal risk to the individuals privacy
  • Waiver or alteration of authorization will not
    adversely affect the privacy rights of the
    individual
  • OHRP
  • Waiver of requirements for informed consent
  • Research involves no more than minimal risk - the
    probability and magnitude of harm or discomfort
    anticipated in the research are not greater in
    and of themselves than those ordinarily
    encountered in daily life or during the
    performance of routine physical or psychological
    examinations or tests
  • Waiver or alteration of informed consent will not
    adversely affect the rights and welfare of the
    subject
  • FDA
  • No comparable waiver of informed consent allowed

28
Criteria for Exempt Research
  • Research on instructional strategies conducted in
    established or commonly accepted educational
    settings
  • Research, except research involving minors,
    involving the use of educational tests
    (cognitive, diagnostic, aptitude, achievement),
    survey procedures, interview procedures or
    observation of public behavior
  • Research involving the collection or study of
    existing data, documents, records, pathological
    specimens, or diagnostic specimens, if these
    sources are publicly available, or if the
    information is recorded by the investigator in
    such a manner that subjects cannot be identified
  • Research and demonstration projects, which are
    conducted by or subject to the approval of
    department or agency heads and
  • Taste and food quality evaluation and consumer
    acceptance studies:
    • if wholesome foods without additives are
      consumed, or
    • if a food is consumed that contains a food
      ingredient at or below the level and for a use
      found to be safe, or an agricultural chemical or
      environmental contaminant at or below the level
      found to be safe, by the Food and Drug
      Administration

45 CFR 46.101(b)
29
Criteria for Expedited Review
  • Minimal Risk of Harm and meets one of the
    following criteria
  • Blood samples:
    • Healthy subjects: no more than 550 ml in an 8
      week period, no more frequently than 2 times per
      week
    • Others: the lesser of 50 ml or 3 ml/kg in an 8
      week period, no more frequently than 2 times per
      week
  • Prospective collection of biological specimens
    for research purposes by noninvasive means
  • Collection of data through routine clinical
    noninvasive procedures
  • Research involving materials that have been
    collected or will be collected solely for
    nonresearch purposes
  • Collection of data from voice, video, digital or
    image recordings made for research purposes
  • Research on individual or group characteristics
    or behavior or research employing survey,
    interview, oral history, focus group, program
    evaluation, human factors evaluation, or quality
    assurance methodologies

45 CFR 46.110
30
Research Use and Disclosure of PHI Without
Authorization: De-identified Health Information
  • Completely de-identified information (the 18
    identifier categories removed) and no actual
    knowledge that the remaining information could
    identify the individual
  • Statistically de-identified information, where a
    qualified statistician certifies that there is a
    very small risk that the information could be used
    to identify the individual
  • Identification by inference: the combination of
    several data fields makes the data identifiable
  • Rule of thumb: if sorting the data by any
    combination of variables produces subsets with ten
    or fewer members, those individuals are at risk of
    identification by inference

IOM Report: Institutional Review Boards
and Health Services Research Data Privacy, 2000
31
De-identified Data
Excludes the following identifiers
  • Health plan beneficiary number
  • Account Numbers
  • Certification numbers
  • VIN and Serial numbers, license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP address numbers
  • Biometric identifiers (finger prints, voice
    prints, retinal scans, etc.)
  • Full face or comparable photo images
  • Unique identifying numbers
  • Name
  • Geographic information (other than state or the
    initial three digits of the zip code)
  • Elements of dates except year (admission/discharge
    dates, service dates, birth date, date of death),
    and all ages over 89
  • Telephone numbers
  • FAX numbers
  • E-mail addresses
  • Social Security number
  • Medical Record number, prescription number, etc.

32
Research Use and Disclosure of PHI Without
Authorization: Limited Data Set with Data Use
Agreement
  • The Privacy Rule permits limited types of
    identifiers to be released with health
    information (referred to as a Limited Data Set).
  • Excludes direct or facial identifiers
  • Includes full elements of dates (e.g.
    admission/discharge dates, service dates, birth
    date, date of death), all ages, town/city, state
    and full zip code
  • Limited Data Sets can only be used and released
    in accordance with a Data Use Agreement between
    the covered entity and the recipient.

33
Limited Data Set
Excludes the following direct identifiers
  • Name
  • Geographic information (other than city, state
    and zip)
  • Telephone numbers
  • FAX numbers
  • E-mail addresses
  • Social Security number
  • Medical Record number, prescription number, etc.
  • Health plan beneficiary number
  • Account Numbers
  • Certification numbers
  • VIN and Serial numbers, license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP address numbers
  • Biometric identifiers (finger prints, voice
    prints, retinal scans, etc.)
  • Full face or comparable photo images
  • Unique identifying numbers
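
The de-identification rules on the preceding slides lend themselves to a concrete check. The following Python is an added example written for this transcript, not code from the presentation or from the Medical Center: it applies the Safe Harbor method of slides 30 and 31 (strip the identifier categories, keep only state and the first three ZIP digits, reduce every date to its year, cap ages at 89), builds the Limited Data Set of slides 32 and 33 (direct identifiers and street address removed, full dates and full ZIP kept), and runs the slide 30 rule of thumb for identification by inference, flagging any combination of retained fields shared by ten or fewer records. The column names, the twelve constructed patient records, the as-of date, and the empty restricted_zip3 set (the Rule's extra step of zeroing low-population three-digit ZIP prefixes, whose list is not on the slides) are assumptions of the example.

```python
"""Safe Harbor de-identification, Limited Data Set, and the small-cell check.

Added illustration, not code from the presentation. Field names, patients,
and the as_of date are constructed for the example.
"""
from collections import Counter
from datetime import date

# Hypothetical column names for the Safe Harbor identifier categories on
# slide 10 that both methods drop outright. Geographic and date fields are
# handled separately because the two methods treat them differently.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "rx_number",
    "beneficiary_id", "account_number", "certificate_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric",
    "photo", "other_unique_id",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}


def _age_bucket(dob, as_of):
    """Age in whole years, collapsed to '90+' above 89 as Safe Harbor requires."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else age


def safe_harbor(record, as_of, restricted_zip3=frozenset()):
    """Safe Harbor de-identification (slides 30-31): strip the identifiers,
    keep only state and the first three ZIP digits, reduce every date to its
    year, and cap ages at 89. restricted_zip3 is for the Rule's extra step of
    replacing low-population three-digit prefixes with '000'; the slides do
    not list them, so the default is an empty (assumed) set."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in ("street", "city") or value is None:
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = value.year
        elif key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in restricted_zip3 else zip3
        else:
            out[key] = value
    if record.get("dob") is not None:
        out["age"] = _age_bucket(record["dob"], as_of)
    return out


def limited_data_set(record):
    """Limited Data Set (slides 32-33): drop the direct identifiers and the
    street address but keep full dates, all ages, town/city, state and full
    ZIP. Releasable only under a Data Use Agreement."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS and k != "street"}


def small_cells(records, keys, threshold=10):
    """Identification-by-inference rule of thumb (slide 30): any combination
    of the chosen fields shared by `threshold` or fewer records marks those
    individuals as at risk. Returns {combination: count} for flagged cells."""
    counts = Counter(tuple(r.get(k) for k in keys) for r in records)
    return {combo: n for combo, n in counts.items() if n <= threshold}


# Constructed sample: eleven patients share one demographic cell, one does not.
def _patient(i, **overrides):
    rec = {
        "name": f"Patient {i}", "mrn": f"MRN{i:05d}", "ssn": "000-00-0000",
        "street": f"{i} Main St", "city": "Winston-Salem", "state": "NC",
        "zip": "27157", "sex": "F", "dob": date(1950, 6, 15),
        "admit_date": date(2003, 1, 22), "diagnosis": "hypertension",
    }
    rec.update(overrides)
    return rec


SAMPLE = [_patient(i) for i in range(11)] + [
    _patient(11, sex="M", dob=date(1910, 2, 1), zip="27106")]
AS_OF = date(2003, 4, 14)  # assumed reference date for computing ages


def demo():
    """De-identify the sample and return the cells still at risk of inference."""
    deidentified = [safe_harbor(r, AS_OF) for r in SAMPLE]
    return small_cells(deidentified, ("state", "zip3", "sex", "age"))


if __name__ == "__main__":
    print(safe_harbor(SAMPLE[11], AS_OF))
    print(limited_data_set(SAMPLE[11]))
    print("at-risk cells:", demo())
```

Run it and the only flagged cell is the lone 90+ male: the eleven records that share every retained field hide each other, but a record alone in its cell is identifiable by inference even though all 18 identifier categories were removed. That is the slide's point: removing the listed fields is necessary, not sufficient, and the statistical route or a Limited Data Set under a Data Use Agreement exists for exactly this case.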

34
Data Use Agreement: REQUIRED for Limited Data
Sets
  • The Data Use Agreement must
  • Describe the permitted uses and disclosures
    (recipient cannot use or disclose PHI in a way
    that the covered entity cannot)
  • Identify who can use and disclose the PHI
  • Require the recipient to
  • Use or disclose information for specified
    purposes only
  • Apply safeguards to protect the information
  • Report known violations to the covered entity
  • Hold subcontractors to the same standards as in
    the agreement
  • Not re-identify the information or contact the
    individuals

35
Research Use and Disclosure of PHI Without
Authorization: Preparatory to Research
  • Requires notification of the entity holding the
    PHI
  • The researcher must provide representation that:
  • The PHI is to be used solely to prepare a
    protocol or for a similar purpose
  • The PHI will not be removed from the covered
    entity
  • The PHI is necessary for the research
  • May be used to develop hypotheses, a protocol, or
    the characteristics of a research cohort
  • May not be summarized, used or presented as a
    research study without prior IRB approval

36
Research Use and Disclosure of PHI Without
Authorization: Decedents' Information
  • The researcher must provide representation that:
  • The use and disclosure is solely for research
  • The PHI is necessary for the research
  • The individual is deceased, and provide
    documentation upon request

37
The Privacy Rule and Research: Disclosure to a
Public Health Authority or Required by Law
  • Disclosure without Authorization is permitted if
    required by law or for public health activities.
  • Examples:
  • Adverse event reporting to a sponsor, FDA, NIH
  • Public health reporting of communicable diseases
  • Tracking of FDA regulated products (e.g. devices)
  • Reporting abuse, neglect or domestic violence
  • A covered entity may disclose PHI related to an
    adverse event if required to do so by regulation.
    Even if not required to do so, the researcher may
    disclose adverse events to a public health
    authority (such as the FDA) as a public health
    activity.

38
Privacy Rule and Research: Transition
Provisions (Grandfathered Research)
  • Permits use or disclosure of PHI if pre-existing
    permission or IRB waiver was obtained BEFORE
    April 14, 2003
  • Pre-existing Permission
  • Signed, IRB approved research informed consent
  • IRB waiver of the requirement to obtain informed
    consent
  • Express legal permission to use or disclose PHI
    for research.
  • Do NOT need to re-consent, get Authorization, or
    obtain waiver if an IRB already approved the
    waiver or if consent signed BEFORE April 14,
    2003.
  • Use or disclosure of PHI ON or AFTER April 14,
    2003 requires Authorization, Waiver of
    Authorization by IRB or Privacy Board, or other
    Privacy Rule exemption or waiver to apply

39
Privacy Rule and Research: IRB/Privacy Board
Review under the Privacy Rule
  • Because the Privacy Rule assumes Authorization
    will be obtained, IRBs/Privacy Boards will see
    Requests to WAIVE Authorization requirement.
  • IRBs will see Authorizations that are combined
    with informed consent documents.
  • IRBs will likely request to see Authorizations
    that are separate from the informed consent
    documents.

40
Privacy Rule and Research: Access to Research
Records
  • Individuals generally have a right to view and
    copy their health records maintained by covered
    entities.
  • For research records, patients may have right to
    access records if
  • The records involve treatment (e.g., some
    clinical trials) or they are used to make
    decisions about individuals. AND
  • The researcher is a covered entity.
  • EXCEPT While a trial is ongoing, covered
    researchers may deny access if the individual
    agrees in advance (e.g., in an Authorization).

41
Privacy Rule and Research: Accounting for
Disclosures
  • In general, an accounting is required for PHI
    disclosures made without Authorization
  • Including for research disclosures of PHI for
  • Reviews preparatory to research
  • Research using decedents PHI
  • Research under a waiver of Authorization
    (including waivers that meet the transition
    provision requirements)
  • Disclosures to public health authorities or
    sponsors
  • Most disclosures mandated by law
  • The individual or entity holding the PHI is
    responsible for the accounting

42
Types of Accounting
  • Generally:
    (date, recipient, recipient address if known,
    purpose)
  • Multiple disclosures to the same person for the
    same purpose:
    (date, recipient, recipient address if known,
    purpose, frequency, periodicity or number of
    disclosures, date of last disclosure)
  • Research accounting for PHI of 50 or more
    individuals:
    (name of protocol, description of protocol or
    research activity and PHI disclosed, date or
    period of time during which disclosure occurred
    or may have occurred and last date of disclosure,
    name, address, and phone number of sponsor and
    recipient, statement that the PHI may or may not
    have been disclosed for a particular protocol or
    research activity)

43
Accounting When NOT needed
  • Accounting is NOT needed for disclosures of
  • PHI in Limited Data Sets with Data Use Agreement
  • PHI made pursuant to an Authorization (or
    informed consent that meets the transition
    provision requirements)
  • PHI to the individual
  • Disclosures made before April 14, 2003
  • De-identified health information
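
Slides 41 to 43 describe the accounting as a set of rules: which disclosures count at all, how repeated disclosures to one recipient for one purpose collapse into a single entry, and when research disclosures involving 50 or more individuals may be reported per protocol. The following Python ledger is an added example, not code from the presentation or from the Medical Center. The patient ids, recipients, dates, the basis strings naming the legal ground for each disclosure, and the protocol name are constructed for it, and the per-protocol entry abbreviates the slide 42 fields (it carries the recipient and address rather than the full sponsor and recipient contact details).

```python
"""Accounting of disclosures (slides 41-43) as a small ledger.

Added illustration, not code from the presentation. Patient ids, recipients,
dates, basis labels and the protocol name are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

COMPLIANCE_DATE = date(2003, 4, 14)

# Bases on which no accounting is owed (slide 43). The labels are assumed.
EXEMPT_BASES = {"authorization", "limited_data_set", "to_individual", "de_identified"}

# Research disclosures covering 50 or more individuals may be accounted for
# with one protocol-level entry instead of one entry per disclosure (slide 42).
PROTOCOL_SUMMARY_THRESHOLD = 50


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    when: date
    recipient: str
    purpose: str
    basis: str                      # waiver, preparatory, decedent, public_health, required_by_law, ...
    address: Optional[str] = None   # recipient address, if known
    protocol: Optional[str] = None  # set for research disclosures


def accountable(d: Disclosure) -> bool:
    """Disclosures before the compliance date or on an exempt basis need no accounting."""
    return d.when >= COMPLIANCE_DATE and d.basis not in EXEMPT_BASES


def accounting_for(patient_id, log):
    """Build the accounting one individual may request from the entity holding the PHI."""
    relevant = [d for d in log if accountable(d)]
    individuals_per_protocol = defaultdict(set)
    for d in relevant:
        if d.protocol:
            individuals_per_protocol[d.protocol].add(d.patient_id)

    report, grouped, summarized = [], defaultdict(list), set()
    for d in (x for x in relevant if x.patient_id == patient_id):
        if d.protocol and len(individuals_per_protocol[d.protocol]) >= PROTOCOL_SUMMARY_THRESHOLD:
            if d.protocol not in summarized:  # one summary entry per large protocol
                summarized.add(d.protocol)
                dates = [x.when for x in relevant if x.protocol == d.protocol]
                report.append({
                    "type": "protocol", "protocol": d.protocol,
                    "period": (min(dates), max(dates)),
                    "recipient": d.recipient, "address": d.address, "purpose": d.purpose,
                    "statement": "PHI may or may not have been disclosed for this protocol",
                })
            continue
        grouped[(d.recipient, d.purpose)].append(d)

    # Repeated disclosures to the same recipient for the same purpose collapse
    # into one entry carrying the span and the count (slide 42).
    for (recipient, purpose), ds in grouped.items():
        ds.sort(key=lambda x: x.when)
        entry = {"recipient": recipient, "address": ds[0].address, "purpose": purpose}
        if len(ds) == 1:
            entry.update(type="single", date=ds[0].when)
        else:
            entry.update(type="repeated", first_date=ds[0].when,
                         last_date=ds[-1].when, count=len(ds))
        report.append(entry)
    return report


# Constructed ledger: one patient with a mix of exempt and accountable
# disclosures, plus a waiver-based protocol that touched 60 individuals.
LOG = [
    Disclosure("P1", date(2003, 3, 1), "Registry Y", "quality review", "waiver"),   # pre-compliance
    Disclosure("P1", date(2003, 5, 2), "Sponsor X", "trial data", "authorization"),  # exempt
    Disclosure("P1", date(2003, 5, 1), "Registry Y", "quality review", "waiver", address="Raleigh, NC"),
    Disclosure("P1", date(2003, 6, 1), "Registry Y", "quality review", "waiver", address="Raleigh, NC"),
    Disclosure("P1", date(2003, 7, 1), "State Health Dept", "communicable disease", "public_health"),
] + [
    Disclosure(f"P{i}", date(2003, 8, 1), "Sponsor Z", "research", "waiver", protocol="PROTO-7")
    for i in range(1, 61)
]

if __name__ == "__main__":
    for entry in accounting_for("P1", LOG):
        print(entry)
```

For P1 the result is three entries: one protocol-level entry for PROTO-7, one collapsed entry for the two quality-review disclosures to the registry, and one single entry for the public health report. The disclosure made before the compliance date and the one made under an Authorization are left out, as slide 43 requires; the retention slide later in the deck means this ledger itself has to be kept for six years.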

44
Privacy Rule and Research: Revoking an
Authorization
  • Individuals have the right to revoke their
    Authorization.
  • EXCEPT, covered entities may continue to use or
    disclose PHI that was obtained before a
    revocation if necessary to maintain the
    integrity of the research study. (Reliance
    exception)
  • For example, the researcher can continue using PHI
    already collected to account for a subject's
    withdrawal from the study.

45
Privacy Rule and Research: Subject Recruitment
  • A patient's direct treatment provider may discuss
    possible research participation with the patient
  • A patient's direct treatment provider may NOT
    discuss the patient with research colleagues for
    potential enrollment purposes without the
    patient's Authorization or a Waiver of
    Authorization by the IRB or Privacy Board
  • A researcher may NOT search through medical
    records to identify potential research subjects
    unless they are the subject's direct treatment
    provider, individual Authorization has been
    provided, or a Waiver of Authorization has been
    granted by the IRB or Privacy Board

46
Privacy Rule and Research: Document Retention
Requirements
  • The following must be retained for 6 years from
    date of creation or from date when last in
    effect, whichever is later
  • Authorization form (or consent form if
    authorization is incorporated into the consent
    document)
  • Waiver of Authorization
  • Data Use Agreement
  • Accounting for disclosures
  • Written revocation of Authorization
  • Statistical certification of de-identification

47
Privacy Rule and Research: Security of PHI
  • It is the principal investigator's responsibility
    to ensure:
  • The security of research-related PHI
  • Research team members' access
  • Security of transmitted data
  • Security of on-site data
  • Destruction of data
  • Compliance with HIPAA regulations
  • Compliance with Medical Center Security and
    Privacy Policies, including:
  • Mandatory training
  • Signed agreement of confidentiality

48
Where to Get More Information
  • If you have questions, or hear of patient
    complaints regarding privacy and security please
    call the Privacy Office at 713-2320 or 716-5578,
    for security issues call the IS Security Office
    at 716-5401.
  • Or you can call the Medical Center's Compliance
    Hotline at 1-877-880-7888.
  • If you have questions regarding research issues
    please call the IRB Office at 716-4542.
  • If you see any activities that are not compliant
    with our Privacy and Security policies you must
    report them to one of the above areas immediately.

49
The Privacy Rule and Research: Summary
  • Situation in which PHI may be used for research
    purposes
  • With individual Authorization
  • With waiver of Authorization by IRB or Privacy
    Board
  • By De-Identification of PHI
  • As a Limited Data Set with Data Use Agreement
  • As an activity preparatory to research
  • For research on decedents information
  • The disclosure and use of an individual's
    protected health information for research or any
    other purpose is subject to regulation by HIPAA
  • All research involving human subjects must be
    reviewed by the IRB