HIPAA 101 - PowerPoint PPT Presentation

Description: Health Insurance Portability and Accountability Act of 1996 ... What is Protected Health Information? ... A public health clinic for indigent patients has ... – PowerPoint PPT presentation

Date added: 13 July 2020
Slides: 102
Provided by: but9
Learn more at: http://www.uchsc.edu
Tags: hipaa | health

Transcript and Presenter's Notes

Title: HIPAA 101


1
HIPAA 101
  • Presented by
  • Esther Henry, HIPAA Privacy Officer and Project
    Manager, University of Colorado Health Sciences
    Center
  • Bill Freud, HIPAA Security Officer, AVC,
    Information Systems, University of Colorado
    Health Sciences Center
  • Developed in partnership with University
    Leadership Development Institute, UCHSC's HIPAA
    Compliance Office, and CU-Denver's Center for
    Innovations in Teaching and Technology

2
What is HIPAA?
  • Nine segments to HIPAA, but our focus today is on
    the privacy and security rules.
  • The UCHSC must comply with HIPAA's Privacy Rule
    TODAY and with HIPAA's Security Rule by April 21,
    2005.

3
Why HIPAA 101?
  • Today we will cover:
  • Background regarding HIPAA
  • The five HIPAA Privacy Principles
  • The four HIPAA Security Principles
  • Scenarios we'll discuss as a group.

4
The HIPAA Acronym: What's in a Name?
  • Health Insurance Portability and Accountability
    Act of 1996
  • Purposes: insurance portability (to allow
    individuals to carry their health insurance from
    job to job) and standardization of claims and
    health information (forms and codes)
  • Increased risk (standardized, electronic health
    information) requires increased protection

5
Who has to comply with HIPAA?
  • Health plans
  • Health care clearinghouses
  • Health care providers who transmit any health
    information in electronic form in connection with
    eight transactions

6
Why Comply?
  • Ethics - it's the right thing to do!
  • Civil Penalties - fines of $100 for each
    violation, even an unintentional one
  • Criminal Penalties - up to $250,000 for
    violations committed knowingly/purposefully and
    up to 10 years in federal prison

7
What is Protected Health Information?
  (Diagram: three nested sets, from largest to
  smallest: Health Information ⊃ Individually
  Identifiable Health Information (IIHI) ⊃ Protected
  Health Information (PHI).)
8
What items make information identifiable?
  • Name
  • Postal address (all geographic subdivisions
    smaller than a state; of the ZIP code, at most the
    first three digits may remain, and only where that
    three-digit area holds more than 20,000 people)
  • All elements of dates, except year, directly
    related to the individual (birth date, admission
    or discharge date, date of death); ages over 89,
    and any date that reveals such an age, must be
    aggregated into a single category of 90 or older
  • Phone number
  • Fax number
  • E-mail address
  • Social Security number
  • Medical Record number
  • Health Plan number
  • Account numbers
  • Certificate/license numbers
  • URL
  • IP address
  • Vehicle identifiers
  • Device ID
  • Biometric ID
  • Full face/identifying photo
  • Any other unique identifying number,
    characteristic, or code

9
What is Protected Health Information?
  • PHI is made up of all forms of health
    information: oral, electronic, print, and video,
    everything from hallway conversations to
    e-mails.
  • A doctor's audio transcriptions about her
    patients?
  • A filled prescription?
  • A patient's medical record stripped of all
    identifiers (name, address, ID number, etc.)?
  • A prospective patient's treatment appointment
    record at a diabetes center?

10
Patient Rights
  • HIPAA grants patients six rights:
  • Inspect their PHI (held in the designated record
    set) and receive a copy of it
  • Request amendments to their PHI (held in the
    designated record set)
  • Request restrictions on the uses and disclosures
    of their PHI
  • Request copies of their PHI via alternative means
    (fax, e-mail) or at alternate locations (home,
    office)
  • Obtain an accounting of disclosures of their PHI
    made after April 14, 2003 (covering up to the
    six years before the request), and
  • Receive a notice of UCHSC privacy practices from
    direct treatment providers.

11
Individual Information Access Rights: Situation
  • A dermatologist scribbles a note about his
    patient's skin condition and stores the note in
    the patient's medical record. The patient sees
    the doctor do it and asks the receptionist for a
    look at the note.
  • 1. Does the patient have a right to see the
    dermatologist's note?
  • 2. Does the patient's insuring agency have a
    right to see the dermatologist's note if it needs
    the information to pay a claim?
  • 3. What if the doctor were a psychiatrist
    treating the patient for depression and the note
    was a separately maintained psychotherapy note?
    Could the patient see the note?

12
The General HIPAA Privacy Rule: You may not use
or disclose Protected Health Information.
  • Major exceptions:
  • To the individual
  • For treatment, payment, and health care
    operations (TPO; note that research is not TPO)
  • For mandatory reporting
  • With an authorization (research!).

13
HIPAA-Check: True or False?
  • A conversation between two doctors about a
    patient is not covered under HIPAA, as long as it
    is not recorded on tape or in print.
  • If you don't see patients, HIPAA regulations
    don't apply to you.
  • The basic HIPAA Privacy Rule is: you may not use
    or disclose PHI.

14
Introduction to HIPAA Privacy: The Five Privacy
Principles
  • Minimum Necessary Principle
  • Doing Your Job Principle
  • To Each According to His Needs Principle
  • Authorization Principle
  • Unidentified Patient Principle

15
1. The Minimum Necessary Principle: Use or
disclose only the information necessary to the
task.
  • Access information only on a need-to-know basis.
    Ask: "What information do I need to know to do
    my job?"
  • Two major exceptions to this principle:
  • uses or disclosures by health care providers for
    treatment, and
  • uses or disclosures pursuant to an
    authorization.
  • However, treatment and care come first, then
    HIPAA. If you need the entire medical record,
    request it!

16
The Minimum Necessary Principle: Situation
  • A patient is brought into the emergency room
    with a gunshot wound to the chest and needs
    immediate medical attention. The ER doctor would
    like to see if the patient has any known
    allergies in her medical record. May the doctor
    look at the patient's entire record, without the
    patient's consent?
  • - No, only the minimum necessary.
  • - Yes, this is a treatment situation (TPO).

18
The Minimum Necessary Principle: Situation
  • Metropolis Hospital requests the medical
    history of OB/GYN patient Sally from Sally's HMO
    in Smallville to determine if Sally would qualify
    for a research study conducted by Metropolis. May
    the Smallville HMO release Sally's entire medical
    record to Metropolis?
  • - Release the record, this is a TPO situation.
  • - Release only selected parts of the record
    relevant to Metropolis's study.
  • - Don't release anything unless Sally has
    authorized it.

20
Introduction to HIPAA Privacy: The Five Privacy
Principles
  • Minimum Necessary Principle
  • Doing Your Job Principle
  • To Each According to His Needs Principle
  • Authorization Principle
  • Unidentified Patient Principle

21
2. Doing Your Job Principle: When you need PHI
to do your job, use it.
  • If you need certain PHI to treat patients,
    complete insurance applications, or fill
    prescriptions, access that information.
    Similarly, release parts of PHI to those who need
    the information to perform their TPO duties for
    patients.
  • NOTE: This does not apply to research situations,
    because research is not TPO. An authorization is
    necessary.

22
The Doing Your Job Principle: Situation
  • A blood draw laboratory worker wants to consult
    a patient's medication record before he issues
    the patient's blood draw report to the doctor.
    Can the lab worker access those records without
    obtaining the patient's authorization?
  • Yes, the lab worker needs the info to do his job.
  • No, the lab worker is not engaged in direct TPO.

24
The Doing Your Job Principle: Situation
  • To advertise its new weight loss drug,
    Fischer-Prise Pharmaceuticals asks UCHSC for
    demographic data of children treated for obesity.
    Should UCHSC release the records so that
    Fischer-Prise can "do its job" of marketing
    obesity treatments?
  • Yes, Fischer-Prise needs the info to do its job.
  • No, Fischer-Prise is not engaged in TPO.

26
The Doing Your Job Principle: Situation
  • Phil is the receptionist for CU Sports Injury
    Clinic. After reading about the new HIPAA Privacy
    Rule, Phil has some concerns about how he can
    protect patient privacy and still do his job.
  • Can Phil call out a person's full name to summon
    her into the examining room?
  • Can Phil discuss a patient's appointment with
    other workers in the waiting area, where they may
    be overheard?
  • A doctor asks Phil to retrieve a medical record.
    Can Phil retrieve the record?
  • If a Clinic doctor asks Phil to schedule a
    patient to see a specialist (knee specialist,
    sports psychologist, etc.), is Phil violating the
    patient's privacy by knowing the nature of the
    patient's affliction?

27
Introduction to HIPAA Privacy: The Five Privacy
Principles
  • Minimum Necessary Principle
  • Doing Your Job Principle
  • To Each According to His Needs Principle
  • Authorization Principle
  • Unidentified Patient Principle

28
3. To Each According to His Needs Principle:
Create authorizations for specific needs and do
not use PHI beyond the needs specified.
  • Authorizations are usually required:
  • To use or disclose PHI for research,
  • For access to or disclosure of psychotherapy
    notes, and
  • To use PHI for marketing or fundraising.

29
To Each According to His Needs Principle:
Authorization Versus Consent to Treatment
  • Both are written permissions. However, there is
    a crucial distinction between the two documents:
    an authorization details what may be done with
    information about a patient or human subject. A
    consent allows you to treat a patient, enroll a
    subject in a study, etc.
  • A consent cannot be used in place of an
    authorization. They have separate roles.

30
To Each According to His Needs Principle
  • Elements of an authorization:
  • In writing
  • In plain language
  • Is specific!
  • Describes the information to be used/disclosed
    and why
  • Describes who can make the use/disclosure
  • Identifies who will receive the information
  • Required statements (right to revoke, and
    possible redisclosure by the recipient)
  • Expiration date or, for research, expiration
    event
  • Signature and date

31
To Each According to His Needs Principle:
Situation
  • A public health clinic for indigent patients has
    patients sign an authorization that their names
    and treatment history can be used "for nonprofit
    research and treatment purposes." Can this
    document justify sharing information with a
    medical sociologist at the University of Colorado
    to further his research?
  •  
  • Suppose the clinic had to disclose the patient
    treatment information to meet state reporting
    requirements to the Colorado Department of Social
    Services? Could it release the treatment records
    without patient authorization?

32
Introduction to HIPAA Privacy: The Five Privacy
Principles
  • Minimum Necessary Principle
  • Doing Your Job Principle
  • To Each According to His Needs Principle
  • Authorization Principle
  • Unidentified Patient Principle

33
4. Authorization Principle: If you are in
doubt about releasing PHI to someone, get an
authorization. "When in doubt, check it out."
  • If you are not sure whether you can release all
    or part of a patient's PHI without an
    authorization (or you are not sure what PHI you
    can access), remember the Authorization
    Principle.
  • You may have to secure a new authorization from
    the individual, or review his/her previous
    authorizations.
  • Remember: Authorizations are not required to use
    PHI for treatment, payment or health care
    operations (TPO).

34
The Authorization Principle: Authorization
Frequency
  • Must we obtain an individual's authorization
    every time his or her PHI will be disclosed?
  • For example, if a patient signs an authorization
    to release PHI for research purposes, that
    authorization covers multiple releases to the
    same or different research entities, as long as
    they are all listed on the authorization.
  • However, if a research group wants parts of the
    patient's PHI that are not listed on the
    authorization, a new authorization will be
    required before the group can access the
    information.
  • If in doubt, check it out!

35
Authorization Principle: Designing the Proper
Authorization Form (too vague)
  • I authorize Dr. Spock to use my child's medical
    research record for whatever purpose she deems
    appropriate for perpetuity.
  • Name ____________________
  • Signed ____________________
  • Date _______________

36
Authorization Principle: Designing the Proper
Authorization Form (specific)
  • I authorize Dr. Spock to disclose my child's
    (name of child) height, weight, and disease
    history information to Dr. Seuss at the Barnes
    Children's Hospital in Carmel, Indiana, for
    Barnes Child Obesity research project, study
    number CN14864. This information may be disclosed
    until January 1, 2004.

37
Authorization Principle: Designing the Proper
Authorization Form (continued)
  • I understand that I have the right to revoke this
    authorization, in writing, at any time by sending
    a written notification to (Institution's) Privacy
    Officer at (address or e-mail). I understand that
    such a revocation is not effective to the extent
    that (Name of Practice) has relied on the use or
    disclosure of the protected health information.
  • Name _____________ Signed _________________
  • Date ______________
  • I understand that information used or disclosed
    pursuant to this authorization may be subject to
    redisclosure by the recipient, and may no longer
    be protected by federal or state law.

38
Introduction to HIPAA Privacy: The Five Privacy
Principles
  • Minimum Necessary Principle
  • Doing Your Job Principle
  • To Each According to His Needs Principle
  • Authorization Principle
  • Unidentified Patient Principle

39
5. Unidentified Patient Principle: Don't
release or use patient identifiers; avoid their
use whenever possible.
  • Individually innocuous data items, when viewed
    together, can be used to identify someone. For
    example, the three identifiers below, when
    combined, may point to only one patient:
  • Age: 89; Gender: Male; Residence: Tinytown,
    Colorado
  • The best practice is to eliminate identifiers
    that are not absolutely necessary.

40
Unidentified Patient Principle
  • Here's a before-and-after table of identified and
    de-identified information:

    Identified (Original) Information            De-identified Version
    Name: Smithon Wesson                         Patient 6 (coded number/letter sequence)
    Birthdate: 07/04/49                          Birthdate: 1949
    Residence: 1234 Main, Possum Trot, Colorado  Residence: Colorado
    Phone: 634-5789                              Phone: (omitted)
    Zip code: 80338                              Zip code: 803 (first three digits only), or
                                                 omitted if that three-digit area has fewer
                                                 than 20,000 people

41
Privacy Rule Summary
  • Do not use or disclose PHI.
  • Five Privacy Principles
  • Minimum Necessary Principle
  • Doing Your Job Principle
  • To Each According to His Needs Principle
  • Authorization Principle
  • Unidentified Patient Principle

42
HIPAA 101
  • Presented by
  • Esther Henry, HIPAA Privacy Officer and Project
    Manager, University of Colorado Health Sciences
    Center
  • Bill Freud, HIPAA Security Officer, AVC,
    Information Systems, University of Colorado
    Health Sciences Center
  • Developed in partnership with University
    Leadership Development Institute, UCHSC's HIPAA
    Compliance Office, and CU-Denver's Center for
    Innovations in Teaching and Technology

43
Introduction to the HIPAA Security Rule:
Introduction and Objectives
  • Privacy and security go hand-in-hand.
  • Protect PHI from unauthorized disclosure at all
    times.
  • Anyone who maintains PHI, in any form, is
    responsible for compliance with the HIPAA
    security practices.

44
Introduction to the HIPAA Security Rule:
Introduction and Objectives
  • Protect electronic PHI via strong passwords,
    anti-virus software, data backup, and possibly
    encryption
  • Provide physical security
  • Properly dispose of paper and electronic PHI

45
The General HIPAA Security Rule
  • Protected Health Information
  • should be reasonably safeguarded
  • from intrusion or loss.

46
The General HIPAA Security Rule: The Four
Security Principles
  • Defense in Depth Principle 
  • Lock and Key Principle
  • Going Completely to Waste Principle
  • "Be Prepared" Principle

48
Defense in Depth
  • Not hard on the outside and soft on the inside
  • Like an atomic fireball
  • Hard all the way through!

49
1. Defense in Depth Principle: Provide
reasonable information security for your
computerized PHI.
  • How do you provide for "information security"?
  • Strong passwords
  • Password-protected screen savers
  • Anti-virus protection software
  • Data backup
  • Use extra care with e-mail

50
Defense in Depth Principle: Strong Password
Protection Rules
  • Passwords "strong" enough to resist guessing
  • Use strong passwords on your personal computer,
    to access servers, e-mail, and applications that
    contain PHI.

51
Defense in Depth Principle: E-mail Encryption
  • E-mail, or documents attached to an e-mail, sent
    within the campus or hospital system do not need
    to be encrypted.
  • E-mail sent to or from UCHSC to UCH, TCH, or UPI
    is considered internal and doesn't need
    encryption.
  • Make reasonable efforts to either encrypt or
    de-identify information if PHI must be sent over
    the Internet.

52
Defense in Depth Principle: Backing up PHI Data
  • Back up your PHI on a regular basis, to floppy,
    CD, zip drive or tape.
  • UCHSC Information Systems offers a backup service
    for central and departmental servers, with data
    stored off-site.
  • Contact your LAN (local area network)
    administrator or Information Systems with
    questions regarding backup procedures.

53
Defense in Depth Principle: Providing Virus
Protection
  • Protect computers from virus corruption.
  • Anti-virus software is installed on most UCHSC
    systems and configured to automatically update to
    combat the newest viruses.
  • If you don't know who sent you an unexpected
    e-mail message, don't open it. The e-mail may
    contain a computer virus.

54
Defense in Depth Principle: Remote Access to PHI
  • If accessing campus PHI via a remote site (such
    as a home or off-campus office), protect your PHI
    by installing anti-virus software configured to
    update automatically, and, if using DSL or cable
    modem, a personal firewall too.

55
Defense in Depth Principle: Information System
Activity Review
  • If you use a computer or server that hosts PHI:
  • Perform a risk assessment
  • Develop unit-specific policies for handling PHI
  • Ensure physical security
  • Maintain patches and updates
  • Develop role-based security (minimum necessary
    access)
  • Issue unique user IDs
  • Maintain and review audit logs
  • Maintain security incident tracking reports
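
The list above is the reviewer's checklist for a server that holds PHI; the items that produce evidence are unique user IDs, role-based (minimum necessary) access, and audit logs, and slide 67 adds that repeated logon failures must be reported. The script below, an added example and not code from the deck or from UCHSC, runs those three checks over a small constructed log. The log format, the user names, the role table, the shared-account list and the record classes are assumptions made for the example; a real application exports its own format and its own role policy.

```python
"""Review of an activity log from a server that hosts PHI.

Added example, not from the original deck. It applies three checks the deck
calls for (unique user IDs, role-based minimum necessary access, reporting
repeated logon failures) to a constructed log. Log format, user names, roles
and record classes are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r" user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: result=(?P<result>\S+))?"
    r"(?: record=(?P<record>\S+) class=(?P<cls>\S+))?"
)

# Role-based access (assumed policy): record classes each role may read.
# Psychotherapy notes are kept separate and limited to the treating clinician.
ROLE_ACCESS = {
    "physician": {"medical_record", "lab", "medication", "psychotherapy_notes"},
    "lab_tech": {"lab", "medication"},
    "billing": {"billing"},
}
USER_ROLE = {"e.henry": "physician", "p.lab": "lab_tech", "b.clerk": "billing"}

# Generic IDs used by several people; they defeat the unique-user-ID control.
SHARED_ACCOUNTS = {"admin", "clinic", "frontdesk"}

FAIL_THRESHOLD = 3                    # this many failed logons ...
FAIL_WINDOW = timedelta(minutes=10)   # ... inside this window get reported


def parse(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def review(lines):
    """Return a list of findings; the first item of each tuple is the kind."""
    findings = []
    recent_fails = defaultdict(list)   # user -> failure timestamps still in window
    for line in lines:
        ev = parse(line)
        if ev is None:
            findings.append(("UNPARSED", line))
            continue
        user, ts = ev["user"], ev["ts"]

        if user in SHARED_ACCOUNTS:
            findings.append(("SHARED_ACCOUNT", user, ts))

        if ev["action"] == "LOGIN" and ev["result"] == "FAIL":
            window = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            recent_fails[user] = window
            if len(window) == FAIL_THRESHOLD:   # report once, when the threshold is hit
                findings.append(("REPEATED_LOGON_FAILURE", user, ts))

        if ev["action"] == "READ":
            allowed = ROLE_ACCESS.get(USER_ROLE.get(user), set())
            if ev["cls"] not in allowed:
                findings.append(("OUTSIDE_ROLE", user, ev["record"], ev["cls"]))
    return findings


# Constructed sample log: format, users and record numbers are made up.
SAMPLE_LOG = """\
2003-05-12 08:01:05 user=b.clerk action=LOGIN result=FAIL
2003-05-12 08:01:20 user=b.clerk action=LOGIN result=FAIL
2003-05-12 08:01:44 user=b.clerk action=LOGIN result=FAIL
2003-05-12 08:02:10 user=b.clerk action=LOGIN result=OK
2003-05-12 08:05:00 user=b.clerk action=READ record=MRN-000123 class=billing
2003-05-12 08:06:30 user=b.clerk action=READ record=MRN-000123 class=psychotherapy_notes
2003-05-12 09:00:00 user=p.lab action=READ record=MRN-000123 class=medication
2003-05-12 09:15:00 user=clinic action=LOGIN result=OK
2003-05-12 09:16:00 user=clinic action=READ record=MRN-000777 class=medical_record
""".splitlines()

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Running it prints one line per finding: one REPEATED_LOGON_FAILURE for the three failed logins in under a minute, one OUTSIDE_ROLE for a billing clerk opening psychotherapy notes (which slide 28 says need a separate authorization), and SHARED_ACCOUNT plus OUTSIDE_ROLE entries for the generic "clinic" login, which cannot be tied to a person. The lab technician's read of a medication record produces nothing because the assumed role table allows it; the same log fed to a different role table would flag it.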

56
Defense in Depth Principle: Questions
  • Which is usually the most secure place to store
    PHI data?
  • on your personal computer.
  • on a floppy disk (Zip disk).
  • on your PDA (e.g., Palm Pilot).
  • on your organization's central server.

58
Defense in Depth Principle: Questions (cont.)
  • Which of these PHI communications will NOT
    require encryption on your part?
  • Posting info on an Internet web page.
  • Sending e-mail from your UCHSC address to another
    UCHSC address.
  • Sending e-mail from your UCHSC e-mail address to
    a TCH e-mail address.
  • Sending the PHI as a file attachment via America
    Online.

60
The General HIPAA Security Rule: The Four
Security Principles
  • Defense in Depth Principle 
  • Lock and Key Principle
  • Going Completely to Waste Principle
  • "Be Prepared" Principle

61
2. Lock and Key Principle: Lock up all PHI
that's not in immediate use.
  • Laptops and PDAs (e.g., Palm Pilots) with PHI
    files should be locked away.
  • PHI stored on laptops or PDAs should be protected
    with strong passwords and possibly encrypted
    files. And lock up the laptop or PDA when not in
    use!
  • Paper PHI files should be stored in a locked
    cabinet or drawer.
  • Make sure your area is locked up before you
    leave.

62
Lock and Key Principle: Visitors
  • If you work in a visible or public area:
  • Properly position your desk and computer
  • Use a password-protected screen saver.
  • Protect printer and fax machine
  • Put away paper PHI

63
The General HIPAA Security Rule: The Four
Security Principles
  • Defense in Depth Principle 
  • Lock and Key Principle
  • Going Completely to Waste Principle
  • "Be Prepared" Principle

64
3. Going Completely to Waste Principle:
Thoroughly and immediately dispose of PHI that you
no longer need and do not need to retain.
  • All paper PHI should be shredded before being
    trashed.
  • There should be a shredder within reasonable
    proximity of your work area.
  • Note: tearing paper up by hand doesn't
    effectively destroy identifying information.

65
Going Completely to Waste Principle: Disposing of
Computers
  • Empty the "trash bin" (this only removes the
    directory entry; the file contents stay on the
    disk until they are overwritten)
  • If you are giving your computer away or throwing
    it out, stronger clean-up measures are needed:
  • Use a disk wiping tool that overwrites the whole
    drive
  • Contact Environmental Health and Safety (EHS)

66
The General HIPAA Security Rule: The Four
Security Principles
  • Defense in Depth Principle 
  • Lock and Key Principle
  • Going Completely to Waste Principle
  • "Be Prepared" Principle

67
4. "Be Prepared" Principle: Prepare yourself,
your coworkers and your workplace for HIPAA
compliance.
  • Know:
  • how to select and change your password
  • where your PHI is stored and how it is backed up
  • how to determine if your computer is running
    anti-virus software and how to find out if it is
    up-to-date.
  • Report repeated logon failures to your LAN
    Administrator or the Help Desk.
  • Notify the Help Desk if you run a web server
    (e.g., IIS, Apache, ColdFusion), web development
    software (e.g., FrontPage, Dreamweaver), or SQL
    database software.

68
"Be Prepared" Principle: Situation
  • Alvin has been through HIPAA training, but he is
    still confused about his digital security needs.
    He's not sure if his PC has the proper virus
    protection or which transmissions containing PHI
    and being sent over the Internet need encryption.
    Who should Alvin contact for help?
  • The HIPAA Privacy Officer
  • A department colleague who transmits similar PHI
    on his/her PC
  • Information Systems
  • The Department of Health and Human Services

70
HIPAA Security Rule Summary
  • "Privacy" and "security" go hand-in-hand.
  • Protected Health Information should be reasonably
    safeguarded from intrusion or loss.
  • Remember the Four Security Principles
  • Defense in Depth Principle
  • Lock and Key Principle
  • Going Completely to Waste Principle
  • "Be Prepared" Principle

71
HIPAA Privacy and Security
  • What do I do if I have questions about HIPAA's
    Rules?
  • Attend a HIPAA Drop-In Question and Answer
    Session (scheduled upon request)
  • Look for answers on the UCHSC HIPAA web page at
    http://www.uchsc.edu/hipaa/
  • Contact the UCHSC HIPAA Privacy or Security
    Officers; see info at
    http://www.uchsc.edu/hipaa/contacts.htm

72
THE END!
  • http://www.uchsc.edu/hipaa - General
  • http://comirbweb.uchsc.edu - Research
  • Esther.Henry@UCHSC.edu - Privacy
  • Sherry.Fischer@UCHSC.edu - Security
  • William.Freud@UCHSC.edu - Security
  • Lisa.Jensen@UCHSC.edu - Research
  • Kim.Buda@UCHSC.edu - Research
  • Lawellin.David@tchden.org - Research
  • Steve.Zweck-Bronner@UCHSC.edu - Legal

73
HIPAA 201: Research
  • Presented by
  • Esther Henry, HIPAA Privacy Officer and Project
    Manager, University of Colorado Health Sciences
    Center
  • Lisa Jensen, Director, COMIRB

74
Is Anything Grandfathered?
  • Yes!
  • Individuals who were consented into a study prior
    to April 14, 2003, or studies that received a
    waiver of consent prior to April 14, 2003.
  • Databases with PHI for which you received some
    kind of legal permission from the subject of the
    PHI to use his or her information.
  • HIPAA will apply going forward:
  • All individuals consented or re-consented into a
    study after April 14, 2003, must sign an
    authorization, and
  • Exempt research needs a waiver of authorization
    from COMIRB unless the study is closed or you are
    not using PHI.

75
The Five Ways to do Research in HIPAA
  • 1. De-identify Your Data
  • 2. Limited Data Set
  • 3. Authorization
  • 4. Waiver of Authorization
  • 5. Researcher Certification Situations

77
Option 1 De-identify!
  • If your data is de-identified it is not subject
    to HIPAA, as it is not PHI.
  • De-identified means all 18 identifiers are
    stripped (the "Safe Harbor" method); the
    alternative is a documented determination by a
    qualified expert that the risk of re-identifying
    anyone is very small.

78
The Five Ways to do Research in HIPAA
  • 1. De-identify Your Data
  • 2. Limited Data Set
  • 3. Authorization
  • 4. Waiver of Authorization
  • 5. Researcher Certification Situations

79
Option 2 Limited Data Set
  • A limited data set excludes 16 of the 18
    identifying fields.
  • It lets you keep two of the 18 fields that make
    information identifiable:
  • Dates, and
  • Zip code, town, city, and state.
  • If you have a limited data set you do not need
    patient authorization.
  • You do need a data use agreement.
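
Slides 8, 39, 40, 77 and 79 describe the same transformation from different angles: strip the 18 Safe Harbor identifiers, keep year-only dates and at most a three-digit ZIP, aggregate ages over 89, or instead build a Limited Data Set that keeps dates and city/state/ZIP under a data use agreement. The code below, an added example and not code from the deck or from UCHSC, carries both transformations through on two constructed records. The field names, the sample patients, the keyed-hash patient code and the demo key are assumptions made for the example; the restricted three-digit ZIP list is the one published in HHS's Safe Harbor guidance (2000 Census data) and must be refreshed against current census figures before use.

```python
"""Safe Harbor de-identification and Limited Data Set construction.

Added example, not from the original deck. Field names, sample records and
the demo key are constructed; the handling follows the 18 Safe Harbor
identifiers (45 CFR 164.514(b)(2)) and the Limited Data Set exclusions
(45 CFR 164.514(e)).
"""
from datetime import date
import hashlib
import hmac

# Three-digit ZIP prefixes whose combined area held 20,000 or fewer people in
# the 2000 Census (HHS Safe Harbor guidance); they must be changed to 000.
# Assumption: refresh this list against current census data before use.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Allowlists: a field survives only if named here. Allowlisting, rather than
# deleting known identifiers, is what covers the catch-all eighteenth
# identifier ("any other unique identifying number, characteristic, or code").
SAFE_HARBOR_KEEP = {"sex", "state", "diagnosis"}
# A Limited Data Set may also keep dates and town/city/state/ZIP; it may be
# shared only under a data use agreement.
LIMITED_DATA_SET_KEEP = SAFE_HARBOR_KEEP | {"city", "zip", "birth_date", "visit_date"}


def zip3(zipcode: str) -> str:
    """First three ZIP digits, or 000 when the prefix is restricted."""
    prefix = zipcode.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth: date, as_of: date) -> int:
    """Completed years of age on the as_of date."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def patient_code(mrn: str, key: bytes) -> str:
    """Re-identification code: keyed hash of the MRN. Only the covered entity
    holding the key can map it back, and the key must never be disclosed with
    the data (45 CFR 164.514(c)). Assumption: key is kept outside the data set."""
    return "P" + hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:10]


def safe_harbor(record: dict, as_of: date, key: bytes) -> dict:
    """De-identified copy of record under the Safe Harbor method."""
    out = {k: v for k, v in record.items() if k in SAFE_HARBOR_KEEP}
    out["patient_code"] = patient_code(record["mrn"], key)
    out["zip3"] = zip3(record["zip"])
    birth = date.fromisoformat(record["birth_date"])
    visit = date.fromisoformat(record["visit_date"])
    age = age_on(birth, as_of)
    if age > 89:
        # Ages over 89, and any date element (year included) that would reveal
        # such an age, collapse into the single category "90 or older".
        out["age"] = "90+"
    else:
        out["age"] = age
        out["birth_year"] = birth.year      # year alone is permitted
    out["visit_year"] = visit.year          # month and day are removed
    return out


def limited_data_set(record: dict, key: bytes) -> dict:
    """Limited Data Set copy: the 16 direct identifiers removed, dates and
    city/state/ZIP retained. Needs a data use agreement, not an authorization."""
    out = {k: v for k, v in record.items() if k in LIMITED_DATA_SET_KEEP}
    out["patient_code"] = patient_code(record["mrn"], key)
    return out


# Constructed sample records; every name, number and address is made up.
SAMPLE_RECORDS = [
    {"name": "Smithon Wesson", "mrn": "MRN-000123", "birth_date": "1949-07-04",
     "address": "1234 Main", "city": "Possum Trot", "state": "Colorado",
     "zip": "80338", "phone": "634-5789", "email": "sw@example.org",
     "visit_date": "2003-05-01", "sex": "M", "diagnosis": "I10"},
    {"name": "Ada Example", "mrn": "MRN-000777", "birth_date": "1910-01-01",
     "address": "9 Elm St", "city": "Tinytown", "state": "Wyoming",
     "zip": "82190", "phone": "555-0100", "email": "ae@example.org",
     "visit_date": "2003-05-02", "sex": "F", "diagnosis": "E11"},
]
DEMO_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: the real key lives in a vault
AS_OF = date(2003, 6, 1)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print("safe harbor:", safe_harbor(rec, AS_OF, DEMO_KEY))
        print("limited set:", limited_data_set(rec, DEMO_KEY))
```

The design point is the allowlist: a record field survives only if it is named in SAFE_HARBOR_KEEP or LIMITED_DATA_SET_KEEP, so an unexpected column (a badge number, a study ID derived from the MRN) is dropped by default, which is how the open-ended eighteenth identifier is handled. The second record shows the two edge cases the deck mentions: an age over 89 loses its birth year entirely and becomes "90+", and a ZIP whose three-digit area is on the restricted list becomes 000 rather than 821. The keyed hash is only a re-identification code, not an identifier, as long as the key never travels with the data.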

80
The Five Ways to do Research in HIPAA
  • 1. De-identify Your Data
  • 2. Limited Data Set
  • 3. Authorization
  • 4. Waiver of Authorization
  • 5. Researcher Certification Situations

81
Authorization for Research, Page 1

I ________________________ (Patient's Full Name) authorize __________________________ (PI or Physician Name) and staff members of ________________________________ (Facility Name) working for him/her to USE the following health information about me for research (check all that apply and describe type and number of the procedures done, where applicable):

[ ] Name and phone number
[ ] Demographic information (age, sex, ethnicity, address, etc.)
[ ] Diagnosis(es)
[ ] History and Physical
[ ] Laboratory or Tissue Studies ______________________
[ ] Radiology Studies ______________________
[ ] AIDS or HIV test (or results) ______________________
[ ] Procedure results ______________________
[ ] Psychological tests ______________________
[ ] Survey/Questionnaire ______________________
[ ] Research Visit records
[ ] Portions of previous Medical Records that are relevant to this study ______________________
[ ] Billing or financial information ______________________
[ ] Other (Specify) ______________________

For the Specific Purpose of:
[ ] Collecting data for this research project
[ ] Other ______________________
(Cannot say "for any and all research, for any purpose," etc.)

If my health information is also going to be given out to others outside the facility, the recipients are described on the next page(s).
[ ] No health information about me will be disclosed to others


86
Authorization for Research Page 2
  • The PI (or staff acting on behalf of the PI) will
    also make the following health information about
    me available to (check all that apply and
    describe type and number of the procedures done
    where applicable)
  • Recipient (name person or class of
    persons) ___________________________________
  • ☐ All Research Data Collected in this Study
  • ☐ Name and phone number
  • ☐ Demographic information (age, sex, ethnicity,
    address, etc.)
  • ☐ Diagnosis(es)
  • ☐ History and Physical
  • ☐ Laboratory or Tissue Studies ______________________________
  • ☐ Radiology Studies ______________________________
  • ☐ AIDS or HIV test (or results) ______________________________
  • ☐ Psychological tests ______________________________
  • ☐ Survey ______________________________
  • ☐ Research Visit records
  • ☐ Portions of previous Medical Records that are
    relevant to this study
  • ☐ Billing/Charges
  • ☐ Other (Specify) ______________________________
  • For the Specific Purpose of
  • ☐ Evaluation of this research project
  • ☐ Evaluation of laboratory/tissue samples


88
Authorization for Research Page 3
  • I give my authorization knowing that I do not
    have to sign this authorization. But if I do not
    sign it, the researcher has the right to not let
    me be in the research study.
  • I can cancel this authorization at any time. I have
    to cancel it in writing.
  • If I cancel it, the researchers and the people
    the information was given to will still be able
    to use it because I had given them my permission,
    but they won't get any more information about me.
  • I can read the Notice of Privacy Practices at the
    facility where the research is being conducted to
    find out how to cancel my authorization.
  • The records given out to other people may be
    given out by them and might no longer be
    protected.
  • I will be given a copy of this form after I have
    signed it.
  • This authorization will expire on _____ (Date)
  • OR ☐ The end of the research study ☐ Will
    not expire
  • Patient's Signature ______________________
    Date _________________________

89
The Five Ways to do Research in HIPAA
  • 1. De-identify Your Data
  • 2. Limited Data Set
  • 3. Authorization
  • 4. Waiver of Authorization
  • 5. Researcher Certification Situations

90
Option 4: Waiver of Authorization
  • Seek a waiver of authorization from COMIRB
  • Qualify for this option if:
  • There is no practicable way to get an
    authorization,
  • There is no more than a minimal risk to the
    privacy of the individual, and
  • The research could not be conducted without
    access to the PHI.

91
Option 4: Waiver of Authorization - Waiver Request Form
  • Describe the protected health information (PHI)
    that will be collected
  • IN ORDER FOR THIS WAIVER TO BE APPROVED, THERE
    MUST BE NO MORE THAN MINIMAL RISK TO PRIVACY OF
    THE SUBJECT, BASED ON THE ANSWERS TO THE
    FOLLOWING QUESTIONS
  • 1. How will subject identifiers be protected?
  • 2. What is the plan to destroy the identifiers
    ASAP? Please state if there is a health or
    research justification for retaining the
    identifiers or if retention is required by law.
  • 3. Will the data be made available to anyone
    other than the study personnel? If so, to whom?
    And if so, why?
  • 4. Can this project be done without PHI?
  • 5. Why is it not possible to get the authorization
    of the subjects whose PHI you want to use?
  • CONFIRMATION
  • I confirm that the Protected Health Information
    (PHI) will not be re-used or disclosed except as
    required by law, for authorized oversight of the
    research or for other research that has been
    reviewed and approved by the IRB with specific
    approval regarding access to this PHI.
  • PI Signature ___________________________________
    Date ______________________

93
The Five Ways to do Research in HIPAA
  • 1. De-identify Your Data
  • 2. Limited Data Set
  • 3. Authorization
  • 4. Waiver of Authorization
  • 5. Researcher Certification Situations
    • Decedent Research
    • Reviews Preparatory to Research

94
Option 5: Decedent Research
  • Researcher must certify:
  • Decedents' PHI only,
  • Decedents are actually deceased! and
  • PHI is necessary for research.
  • At the HSC, there will be a form to complete for
    this option.

95
Option 5: Reviews Preparatory to Research
  • Researcher must certify:
  • No PHI will be recorded, nor will PHI be removed
    from the premises where the PHI was accessed,
  • Use or disclosure is solely to prepare a research
    protocol, assess a population, etc., and
  • PHI is necessary for research.
  • Acceptable methods for reviews preparatory to
    research are dictated by each institution. You
    must comply with the requirements of the
    institution that owns the research data.
  • At the HSC, there will be a form to complete for
    this option.

96
Can you use Review Prep Option to Recruit
Patients?
  • No! Accessing medical records to identify
    potential participants is considered to be
    research activity (not pre-research) so it
    requires prior IRB approval.
  • Review Prep Option does not permit you to contact
    the patients! Just to determine if they are
    there. (Catch and Release!)

97
Patient Recruitment: Provider access to his/her own patient records
  • Once a study is approved by COMIRB, a health care
    provider may review his/her current and former
    patient records to identify potential
    participants and may contact those individuals
    without the need for an authorization.
  • At enrollment, subjects should sign an
    authorization.

98
Patient Recruitment: Provider access to records of patients treated in the same clinical service but not seen by the physician
  • Current Patients: after receiving COMIRB
    approval, the provider may review the records and
    contact the patients without authorization.
  • Former Patients: the provider cannot access records of
    patients who have not been seen in five years by
    the service and cannot contact those patients
    without COMIRB approval and HIPAA authorization.

99
Patient Recruitment: Provider access to records of patients outside of his/her clinical service
  • May ask a provider with a relationship to the patient to:
  • Get a recruitment authorization for you to contact the
    patient (authorization to pass the patient's name
    and contact info to you), or
  • Ask the patient to contact you.

100
Patient Recruitment: Advertisements
  • Patients may contact you in response to an
    advertisement.
  • Situation: if the patient doesn't enroll, you may not
    send any PHI to study sponsors without an
    authorization from the individual who is the
    subject of the PHI.

101
THE END!
  • http://www.uchsc.edu/hipaa (General)
  • http://comirbweb.uchsc.edu (Research)
  • Esther.Henry@UCHSC.edu (Privacy)
  • Sherry.Fischer@UCHSC.edu (Security)
  • William.Freud@UCHSC.edu (Security)
  • Lisa.Jensen@UCHSC.edu (Research)
  • Kim.Buda@UCHSC.edu (Research)
  • Lawellin.David@tchden.org (Research)
  • Steve.Zweck-Bronner@UCHSC.edu (Legal)