HIPAA for Researchers - PowerPoint PPT Presentation

About This Presentation
Title:

HIPAA for Researchers

Description:

Informed consent is the subject's consent to participate in a specific ... Can be combined into the informed consent document or can be a separate document. ... – PowerPoint PPT presentation

Slides: 32
Provided by: TMHS2

Transcript and Presenter's Notes

Title: HIPAA for Researchers


1
HIPAA for Researchers
  • Protecting Patient Privacy at Methodist

2
How Does HIPAA Affect Research?
  • HIPAA Privacy supplements the human subject
    protections of the Common Rule.
  • HIPAA applies to covered entities and how they
    use and disclose Protected Health Information
    (PHI).

3
What is RESEARCH?
  • HIPAA's Definition
  • "systematic investigation, including research
    development, testing, and evaluation, designed to
    develop or contribute to generalizable
    knowledge."

In other words, if the answer to any of the
following questions is YES, then it's research:
  • Am I looking for a good paper topic?
  • Am I going to publish the results of this study?
  • Am I making my findings widely known?

4
Six Ways to Access Health Information for Research
  • Obtain patient authorization.
  • Apply for an IRB waiver of the authorization
    requirement.
  • Conduct preparatory research.
  • Request de-identified data.
  • Request a limited data set.
  • Limit your research to decedents only.

Accessing PHI 6 WAYS
5
Authorization
  • Differs from informed consent
  • Under HIPAA, an authorization permits use and
    disclosure of PHI for research.
  • Informed consent is the subject's consent to
    participate in a specific research study.
  • Must be a written form signed by the patient.
  • Can be combined into the informed consent
    document or can be a separate document.

Authorization 1
6
An Authorization Must Include
  • Description of PHI to be used or disclosed
  • The names of persons or classes of recipients
    (e.g. physician assistants) who may access, use,
    and disclose the patient's PHI
  • Description of the research purpose
  • Expiration date for the authorization (usually
    when the study is over)
  • Right to revoke authorization at any time
  • Statement that HIPAA protections may not apply to
    information re-disclosed
  • Consequences of a refusal to sign an
    authorization
  • Signature of subject and date.

Authorization 1
7
IMPORTANT
  • No authorization form can authorize future,
    unspecified research.
  • In other words, you can't ask subjects to sign
    an authorization for general research. The
    authorization must specify a specific project and
    protocol.

Authorization 1
8
Applying for a Waiver
  • Say you want to examine data for 250 patients
    over the last four years. It would be difficult
    or even impossible to obtain authorization
    for every patient.
  • This is the reason for a waiver exception.
    Waivers may be particularly appropriate for:
    • Studies involving the review of a large number of
      medical records
    • Extensive database research
    • Situations in which patients are deceased or
      difficult to locate.

Waiver 2
9
Requirements for a Waiver
  • The study could not feasibly be conducted without
    a waiver.
  • The PHI is necessary to the study.
  • There is a minimal risk to privacy.
  • To meet the last element, you must
    demonstrate to an IRB that:
    • You will not reuse or disclose PHI.
    • You have an adequate plan to protect patient
      identifiers.
    • You will destroy identifiers at the earliest
      opportunity.

Waiver 2
10
Completing a Waiver Application
  • Each IRB will have its own waiver application
    form. Generally, the form requires two key pieces
    of information:
    • Description of your protocol or study plan, and
    • Data security plan.

Waiver 2
11
Data Security Plan
  • A data security plan should provide an IRB with
    the following information:
    • How you will protect data from improper use and
      disclosure.
    • After your study is complete, when you will
      destroy the data. (If you plan NOT to destroy the
      data, you will have to provide a good reason.)
    • The measures you will take to ensure that PHI
      will not be reused or re-disclosed.

Waiver 2
12
Keeping Data Secure
  • Protecting PHI means taking measures for:
    • Faxing
    • Emailing
    • Office files
    • Disposal of PHI
    • Reports
    • Spreadsheets of PHI stored on computers.

13
Preparatory Research
  • Often, you need access to PHI before you have
    even started a research study, before you have
    written a protocol or identified potential
    subjects.
  • HIPAA Privacy is sensitive to this need, so an
    exception allows researchers to review PHI for
    preparatory purposes without obtaining an
    authorization or a waiver from an IRB.

Preparatory research 3
14
Preparatory Research
  • Activities considered to be preparatory to
    research:
    • Creating a research protocol
    • Developing a research hypothesis
    • Identifying subjects for a study within the
      investigator's own practice.
  • No authorization or waiver is needed to
    review PHI, but you must assure an IRB that:
    • Your review of PHI is solely for purposes
      preparatory to research.
    • Access to PHI is essential to the research.
    • You will not remove PHI from Methodist.

Preparatory research 3
15
What About My Own Records?
  • Can I review my own patients' records or the
    medical records of my colleagues preparatory to
    research without going through an IRB?
  • NO
  • If you're reviewing records for a research
    purpose, including preparatory to research, you
    must follow the research rules, even if they're
    your records for your patients.

Preparatory research 3
16
Recruiting Subjects for Research
  • Once your protocol is developed, you should
    submit an application to the IRB that describes
    your methods for identifying and recruiting
    subjects.
  • When your application is approved, you may
    contact patients to invite them to participate in
    a study.

Preparatory research 3
17
What Are Those Rules Again?
  • No authorization or waiver is needed when
    conducting reviews preparatory to research. To
    meet this exception, you must assure the IRB
    that:
    • You are reviewing the records solely for
      preparatory research purposes.
    • Access to the PHI is essential to the research
      purpose.
    • You will not remove the records from Methodist.

Preparatory research 3
18
Requesting De-identified Information
  • De-identified data does not include any of these
    18 personal identifiers:
  • Name
  • Postal address
  • All elements of dates except year
  • Telephone number
  • Fax number
  • Email address
  • URL address
  • IP address
  • Social security number
  • Account numbers
  • License numbers
  • Medical record number
  • Health plan beneficiary
  • Device identifiers and their serial numbers
  • Vehicle identifiers and serial number
  • Biometric identifiers (finger and voice prints)
  • Full face photos and other comparable images
  • Any other unique identifying number, code, or
    characteristic.

De-identified information 4
19
Requesting De-identified Information
  • De-identified information is not PHI.
  • Obtaining de-identified information does not
    require patient authorization or an IRB waiver.
  • Contact the applicable IRB if you have specific
    questions about what constitutes de-identified
    information.

De-identified information 4
20
Two Ways to De-identify Data
  • Safe harbor method: All 18 identifiers are
    scrubbed from the information. Only
    non-identifying information remains.
  • Statistical method: A qualified statistician
    de-identifies the information and verifies that
    the risk of someone using the information to
    identify an individual is very small. The
    statistician must document his methods and
    analysis.

De-identified information 4
21
IMPORTANT
  • You need an authorization or waiver if you are
    accessing PHI, even if you plan to de-identify
    the information later. An exemption for
    de-identified information can only be obtained if
    you are requesting de-identified information.

De-identified information 4
22
Limited Data Sets
  • A limited data set (LDS) is useful when you need
    some PHI because it allows you to identify
    subjects using:
    • Date of service (e.g., admission,
      treatment, discharge)
    • Date of birth and death
    • Five-digit zip codes and other geographic
      subdivisions (CANNOT include street address).

Limited Data Sets 5
23
LDS Requirements
  • No authorization from the subject is required,
    but you will need a waiver from an IRB.
  • You will also need to complete and sign a data
    use agreement. This agreement tells how you
    plan to use the information and how you will
    protect it.

Limited Data Sets 5
24
Data Use Agreements
  • A written data use agreement is needed if you
    are requesting an LDS or disclosing an LDS to
    another party.
  • The agreement must state that data will not be
    further used or disclosed beyond the initial
    recipient.
  • The recipient must agree to use appropriate
    safeguards to prevent use or disclosure other
    than those permitted in the agreement.
  • The recipient must tell the covered entity about
    any PHI that is improperly disclosed.

Limited Data Sets 5
25
Research of Decedents
  • If all the subjects are deceased, you can apply
    to the IRB for a waiver of consent and
    authorization.
  • You must document that:
    • The records are necessary for research.
    • The records will be used solely for research.
    • You can provide documentation of death upon
      request.

Decedent Research 6
26
Role of an IRB
  • An IRB must approve informed consent documents
    that include an authorization to disclose PHI.
    The IRB will review the authorization form to
    ensure all requirements are met.
  • An IRB must approve any waiver of the
    authorization requirement.

27
IRB Approval Chart
28
How it Works at Methodist
  • Apply to TMHRI for credentialing to perform
    research at Methodist.
  • Submit an Administrative Review and Approval Form
    to TMHRI.
  • Submit your protocol, along with your
    authorization form or your application for a
    waiver or exemption, to an IRB.
  • An IRB approves your project OR grants your
    waiver request OR provides you with an exemption
    certificate.
  • Take your IRB paperwork to the Health Information
    Management Department to access medical records
    for your research.

Step by Step
29
Process for Accessing PHI at Methodist for
Research
  • Before you can access medical records for
    research, you must present the Health Information
    Management Department with a valid approval
    letter from an IRB, which addresses:
    • The time period for your record access
    • The specific PHI you should access
    • Who may access the PHI.

30
Research at Methodist
1. Get credentialed by the Research Institute.
2. Submit your application to the Research Institute.
3. Submit your protocol to the appropriate IRB.
4. IRB approves your project or grants waiver/exemption.
5. Take IRB paperwork to Health Information Management.

31
For More Information, Contact
  • Research at Methodist
    • Lee Seabrooke
    • Director of Research Protection
    • 713.441.7548
  • Obtaining Access to Methodist Medical Records
    • Cassie Gauthier
    • HIM Operations Manager
    • 713.441.3175
  • Methodist Business Practices and HIPAA Privacy
    • Kathi Lopez
    • TMHS Business Practices
    • 713.383.5130