HIPAA and the Common Rule - PowerPoint PPT Presentation

1 / 26
About This Presentation
Title:

HIPAA and the Common Rule

Description:

Establish conditions whereby subject identity cannot be readily ascertained. ... conditions so the identity of a research subject cannot readily be ascertained. ... – PowerPoint PPT presentation

Number of Views:190
Avg rating:3.0/5.0
Slides: 27
Provided by: netwo145
Category:

less

Transcript and Presenter's Notes

Title: HIPAA and the Common Rule


1
HIPAA and the Common Rule
  • Christina Solis, JD
  • Elisa Fallows, MS
  • UTHSC-H Legal Affairs and Institutional
    Compliance
  • 2004 Mini-Ethics Course

2
Impact of the Privacy Rule
  • Does not reduce the effect of the Common Rule or
    FDA regulations.
  • Mandates more protections to ensure privacy of
    subjects and confidentiality of data.
  • Requires action whenever any PHI is used for
    research.

3
Definition of Research
  • A systematic investigation designed to develop
    or contribute to generalizable knowledge.
  • 45 CFF 46.102(d) and 45 CFR 164.501

4
Definition of Human Subject
  • A living individual about whom an investigator
    conducting research obtains (1) data through
    intervention or interaction with the individual,
    or (2) identifiable private information.
  • 45 CFR 46.102(f)

5
Definition of Human Subject Operational Change
due to Privacy Rule
  • A living individual about whom an investigator
    conducting research obtains (1) data through
    intervention or interaction with the individual,
    or (2) identifiable private information

6
Regarding Research, the Privacy Rule Applies to
  • Ascertainment of Potential Subjects
  • Recruitment of Subjects
  • Consent/Authorization Process
  • Study Amendments
  • Data Management
  • Decedent Research
  • Reuse of data for another study

7
Research Provisions
  • Covered entities may use and disclose PHI for
    research
  • With individual authorization, or
  • Without individual authorization under limited
    circumstances
  • 45 CFR 164.508, 164.512(i)

8
Relationship to other Research Rules
  • The Privacy Rule does not override the Common
    Rule or FDAs human subject protection
    regulations.

9
Ascertainment/Recruitment of Potential Subjects
  • Via Review of PHI
  • Notification of a Review Preparatory to Research
  • Description Justifying a Waiver of Authorization
  • Via Ad

10
  • If PHI or other identifiable private information
    is to be recorded during the ascertainment/recruit
    ment process, consent of the potential subject,
    or IRB approval of a Waiver of Consent, must be
    obtained.
  • (DHHS NIH Common Rule Guidance 8/03)

11
Ascertainment/Recruitment Satisfying Both Rules
  • Via a Review of Preparatory to Research
  • Do not record PHI, or
  • Record PHI and obtain Common Rule IRB waiver of
    consent, or
  • De-identify PHI, then deal with the Common Rule.
  • If the data now retains a link to subject
    identity, the Common Rule still applies.
  • If the data does not retain any identifying link
    (data anonymized or unlinked), the Common Rule
    does not apply.

12
Ascertainment/Recruitment Satisfying Both Rules
  • Via Waiver of Authorization
  • Do not record PHI usually not useful or
    practical, or
  • Record PHI and obtain IRB Waiver of Consent
  • De-identify PHI usually not useful or practical

13
Exception from Requirement for Informed Consent
  • An IRB may waive consent requirement or alter
    consent element if it finds and documents that
  • (1) Research involves no more than minimal risk
  • (2) Rights and welfare of subjects will not be
    adversely affected
  • (3) Research could not be practicably be carried
    out without waiver or alteration and
  • (4) When appropriate, the subjects will be
    provided pertinent information after
    participation.

14
Reducing the Impact
  • Ensure that Information Associated with
    Data/Samples is Modified so it does not relate to
    a Human Subject and either does not involve PHI
    or is presented as a limited data/sample set.

15
  • An Activity does not prompt the Common Rule or
    Privacy Rule Considerations Requiring IRB Review
    when
  • The activity is not research OR
  • The research does not involve a human subject AND
  • The research does not involve PHI.

16
Examples of how can a PI doing research reduce
the impact of the Common Rule and the Privacy Rule
  • Modify information associated with the
    Data/Samples so the information does not relate
    to a Human Subject, and the information does
    not involve PHI or PHI is presented as a limited
    data set.

17
How to modify data/samples so the information
does not relate to a human subject
  • Anonymize (unlink) the data/samples.
  • Establish conditions whereby subject identity
    cannot be readily ascertained.

18
Anonymize (unlink) the data/samples
  • Remove all identifiers or codes that directly or
    indirectly link a particular data point or sample
    to an identifiable person.
  • These data/samples then become irreversibly
    unlinked from any subject identifiers.

19
  • Modify Information Associated with the
    Data/Samples so the Information does not relate
    to a Human Subject, and The INFORMATION DOES
    NOT INVOLVE PHI or PHI is Presented as a Limited
    Data Set.

20
Modify Information Associated with the
Data/Samples so the information does not involve
PHI
  • Remove health information
  • De-identify data/samples

21
Information is health information when it
  • Relates to ones physical or mental health or
    condition or
  • Related to ones health care OR
  • Relates to ones payment for health care.
  • 45 CFR160.103

22
Items to Exclude for De-identification 45 CFR
64.514(b)(2)
  • ? Names ? E-mail address
  • ? Addresses ? SS
  • ? Zip codes ? Medical Record
  • ? Dates except years ? Health plan beneficiary
    s
  • ? Telephone s ? Account s
  • ? Fax s ? Certificate/license s
  • ? VIN s ? Device ID serial s
  • ? URLs ?Full face photo images
  • ? biometric identifiers ? internet protocol
    address s
  • ? any other unique identifying , characteristic
    or code

23
Modify information associated with the
data/samples so the information does not related
to a human subject, and the information does
not involve PHI or PHI IS PRESENTED AS A LIMITED
DATA SET
  • Establish a limited data set with a data/sample
    use agreement.
  • Remove direct personal identifiers.
  • Remove postal address information other than town
    or city, state or zip code.
  • Note Event dates, any age and an identifying
    code related to the person are permitted.

24
Anonymization vs HIPAA De-identification
  • The only setting where IRB approval of
    anonymization (unlinking) does not also confer
    approval of HIPAA de-identification is when the
    anonymized (unlinked) health information contains
    an event date more specific than the year, or a
    geocode more specific than a state or 3 digit zip
    code, or a subjects specific age is over 89 years
    (instead state as 90 years)

25
HIPAA De-identification vs Anonymization
  • The only setting where IRB approval of HIPAA
    de-identification does not also confer approval
    of anonymization (unlinking) is when a code with
    a key linking back to the subject is retained
    with the de-identified data.

26
Approach to satisfy both
  • Establish conditions so the identity of a
    research subject cannot readily be ascertained.
  • Establish a limited data/sample set and a
    data/sample use agreement.
Write a Comment
User Comments (0)
About PowerShow.com