HIPAA 101: An Overview Of The HIPAA Privacy And Security Rules As They Apply To Research (PowerPoint transcript)

1
HIPAA 101 An Overview Of The HIPAA Privacy And
Security Rules As They Apply To Research
November 2004
2
HIPAA
  • A Brief Overview of HIPAA
  • HIPAA forms available and an Overview of their
    use
  • Resources
  • What's Next? A Brief Overview of the Security Rule

3
What HIPAA Stands For
  • Health Insurance Portability and Accountability
    Act
  • The rule applies to covered entities (i.e., a
    healthcare clearinghouse, health plan or a
    healthcare provider that transmits any health
    information in electronic form in connection with
    healthcare transactions)
  • A researcher is considered a covered entity
    when he/she provides health care that is billed
    to an insurance plan in addition to conducting
    research.
  • Protected Health Information (PHI) is
    individually identifiable health information:
    health information that contains any of the 18
    identifiers listed in the Privacy Rule. Health
    information from which all 18 identifiers have
    been removed meets the definition of
    de-identified data and is no longer PHI.

4
Brief Overview of HIPAA
  • HIPAA Privacy Rule went into effect April 14,
    2003
  • Applies to Protected Health Information in all
    forms (written, oral, electronic) and addresses
    the use and disclosure of an individual's health
    information. Safeguards specific to electronic
    PHI are addressed by the Security Rule, with a
    compliance deadline of April 2005
  • The aim of the Privacy Rule is to assure that
    individuals' health information is properly
    protected and that individuals understand and
    control how their health information is used
  • Penalties for non-compliance are a) fines up to
    $250,000 and/or b) jail time

5
HIPAA forms Points to Remember
  • Only completely anonymous research studies or
    studies that do not contain any PHI whatsoever do
    not need HIPAA paperwork (a rarity)
  • Submitting a HIPAA Waiver or any other HIPAA form
    does not take the place of submitting an IRB
    protocol
  • HIPAA requires researchers to be as specific as
    possible on all forms (i.e., specify the tests to
    be done; do not refer back to the consent form)
    AND to use only the minimum necessary PHI to
    complete the study
  • HIPAA does not hold up conducting OR recruiting
    for an IRB-approved research study

6
HIPAA Forms Available For Use

7
Form 1: Authorization to Use or Disclose
Protected Health Information
  • If you are obtaining consent you need to have the
    subject sign a HIPAA Authorization in addition to
    the consent form
  • All subjects enrolled or followed-up since
    April 14, 2003 need to have signed this form
  • The Research Privacy Coordinator needs a copy of
    this form in order to do a confirmatory review.
    It needs to be on file in the IRB office. You
    will get a letter either asking for revisions or
    approving the submitted HIPAA paperwork

8
Form 1 (cont'd): Authorization to Use or
Disclose Protected Health Information for
Research: Repository Option
  • Check YES when the Principal Investigator is
    planning on holding on to data/specimens
    collected during this research study for possible
    use in future research study(ies) (hence creating
    a repository).

9
Form 1 (cont'd): Authorization to Use or
Disclose Protected Health Information for
Research: Psychotherapy Notes
  • Check YES when the Principal Investigator plans
    to collect Psychotherapy notes during the study

10
Form 2: Request for Waiver or Alteration of
Authorization to Use or Disclose Protected Health
Information
  • RULES OF THUMB
  • There are 2 kinds of Waivers
  • 1) Complete: not obtaining consent from subjects,
    no subject contact. You are asking permission to
    waive obtaining authorization from subjects to
    use PHI for a study (e.g., retrospective chart
    review, study using waste material)
  • 2) Partial: you plan on obtaining consent once a
    subject is enrolled/consented. You are asking
    permission to initially waive obtaining
    authorization from subjects in order to determine
    eligibility (e.g., chart review to determine
    eligibility)

11
Form 2 (cont'd): Request for Waiver or Alteration
of Authorization to Use or Disclose Protected
Health Information
  • The Research Privacy Coordinator and the IRB
    Chairman review the request
  • In order for the Waiver to be in effect it needs
    official approval from the IRB Chairman (via the
    Research Privacy Coordinator)

12
Form 3: Request for Waiver or Alteration of
Authorization to Use or Disclose Protected Health
Information in Research That Only Uses Coded
Samples
  • Used in studies when the Principal Investigator's
    only role in the study is to receive and process
    coded samples. While these samples are not
    de-identified, the PI does not and will not have
    access to the key linking the coded samples to
    the identities of the individuals they came from.
  • In order for the Waiver to be in effect it needs
    official approval from the IRB Chairman (via the
    Research Privacy Coordinator).

13
Form 4: Investigator Representation for Research
on De-Identified Protected Health Information
  • PROTOCOLS NOT USING ANY OF
    THE 18 IDENTIFIERS BELOW
  • Names
  • All geographic subdivisions smaller than a State
    (including street address, city, county,
    precinct, zip codes)
  • All elements of dates (except year) for dates
    directly related to an individual (e.g., birth,
    admission, discharge, death); and all ages over
    89 and all elements of dates (including year)
    indicative of such age, except that all such ages
    and elements may be aggregated into a single
    category of age 90 or older
  • Telephone numbers
  • Fax numbers
  • E-mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including
    license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers (e.g., DNA), including
    finger and voice prints
  • Full face photographic images and any comparable
    images
  • Any other unique identifying number,
    characteristic, or code

14
Form 4 (cont'd): Investigator Representation for
Research on De-Identified Protected Health
Information
  • Ask yourself: Is there any way anyone can ever
    figure out who a particular record/sample belongs
    to? If the answer is yes, it does not qualify
    for this form. (Not many studies qualify for this
    form.)

15
Form 5: Investigator Representation for Research
on Limited Data Sets (LDS) of Protected Health
Information
  • Data collected for the protocol in question must
    not contain any of the 16 direct identifiers
    listed on the form. The only difference between
    the LDS form and the De-Identified form is that an
    LDS ALLOWS 1) elements of dates (e.g., dates of
    birth, admission, discharge, death), 2) town or
    city, state and zip code, and 3) any unique
    identifying codes or characteristics not listed
    as direct identifiers, and the De-Identified form
    does not.
  • Must be used in conjunction with a Data Use
    Agreement
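The difference between Form 4 and Form 5 is easiest to see on a concrete record. The following Python is an added example, not part of the original presentation or of the Cornell forms: it applies the safe-harbor rule behind Form 4 and the limited data set rule behind Form 5 to one constructed patient record, and scans a free-text notes field for the identifier patterns that most often survive a field-by-field scrub. The field names, the sample record and the regular expressions are this example's own assumptions, not the forms' schema.

```python
"""Added example: safe-harbor de-identification (Form 4) versus a limited
data set (Form 5) on one constructed record, plus a free-text identifier
scan. Field names, record and regexes are assumptions of this example."""
import re
from datetime import date

# The 16 direct identifiers removed from BOTH a de-identified data set
# and a limited data set (LDS).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# Allowed in an LDS (under a Data Use Agreement) but removed or
# generalized under safe harbor.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
GEO_FIELDS = {"city", "zip"}  # geography below state level; "state" stays

# Identifier patterns for free-text fields (constructed for this example).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

AS_OF = date(2004, 11, 1)  # date the data set is cut (constructed)

SAMPLE_RECORD = {  # constructed; not a real person
    "name": "Jane Q. Sample",
    "street_address": "123 Example Ave",
    "city": "New York", "state": "NY", "zip": "10021",
    "phone": "212-555-0100",
    "mrn": "MRN-0042",
    "birth_date": date(1912, 3, 9),
    "admission_date": date(2004, 6, 15),
    "diagnosis_code": "E11.9",
    "notes": "Pt called from 212-555-0100 on 6/15/2004; "
             "spouse e-mail jq@example.org",
}


def scan_free_text(text):
    """Return (identifier_type, match) pairs found in free text. Any hit
    fails the Form 4 'could anyone figure out who this is?' test; a date
    alone would still be acceptable in an LDS (Form 5)."""
    return [(label, m.group(0))
            for label, pat in FREE_TEXT_PATTERNS.items()
            for m in pat.finditer(text)]


def redact_free_text(text, keep_dates=False):
    """Replace each identifier pattern with a bracketed placeholder."""
    for label, pat in FREE_TEXT_PATTERNS.items():
        if keep_dates and label == "full_date":
            continue
        text = pat.sub("[%s]" % label.upper(), text)
    return text


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def limited_data_set(record):
    """LDS: drop the 16 direct identifiers (as fields and inside free
    text); keep dates, city/state/zip and other non-direct codes."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    for k, v in list(out.items()):
        if isinstance(v, str):
            out[k] = redact_free_text(v, keep_dates=True)
    return out


def safe_harbor(record, as_of=AS_OF):
    """De-identified data set: everything the LDS drops, plus geography
    below state level, dates reduced to year only, and anyone over 89
    collapsed into a single '90+' age category with no year of birth."""
    out = limited_data_set(record)
    for k in GEO_FIELDS:
        out.pop(k, None)
    birth = record.get("birth_date")
    over_89 = birth is not None and age_on(birth, as_of) > 89
    for k in DATE_FIELDS:
        if k in out:
            # Year alone is permitted, except a year of birth that
            # reveals an age over 89 must go as well.
            out[k] = None if (over_89 and k == "birth_date") else out[k].year
    if birth is not None:
        out["age"] = "90+" if over_89 else age_on(birth, as_of)
    for k, v in list(out.items()):
        if isinstance(v, str):
            out[k] = redact_free_text(v)  # dates in notes go too
    return out


if __name__ == "__main__":
    print("leaks in notes:", scan_free_text(SAMPLE_RECORD["notes"]))
    print("LDS:", limited_data_set(SAMPLE_RECORD))
    print("Safe harbor:", safe_harbor(SAMPLE_RECORD))
```

The free-text scan is the point of the example: the structured fields are easy to strip, but the notes field still carries a phone number, an e-mail address and a full date, which is exactly the "could anyone figure out who this is?" question on the Form 4 slide. The 92-year-old in the sample also shows why the age rule exists: year of birth alone would place her in a very small group, so she is reported only as "90+". The regexes are a starting point for review, not a complete detector.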

16
Form 6: Data Use Agreement for a Limited Data Set
  • A covered entity must use a Data Use Agreement
    with the researcher in order to provide a Limited
    Data Set to an outside researcher/entity.
  • The data use agreement defines the purposes for
    which the data will be used and obtains
    assurances from the researcher that it will not
    be re-disclosed, except under the same
    restrictions and conditions.
  • Requires that the researcher will not attempt to
    identify or contact the individuals whose PHI is
    contained in the Limited Data Set.

17
Form 7: Investigator Representation for Research
on Protected Health Information of Decedents
  • Decedents' PHI may be used or disclosed for
    research without an Authorization from the next
    of kin and without a Waiver of authorization,
    provided the investigator makes the
    representations on this form
  • The purpose for viewing the PHI must be
    documented, along with how it is related to
    research on decedents, and the PHI must be
    necessary for that research
  • Documentation of the death of the individuals
    whose PHI is sought must be available on request

18
Form 8: Investigator Representation for Review
of Protected Health Information Preparatory to
Research
  • Used for activities preparing for research
  • Use of data is solely to review PHI as necessary
    to prepare a research study protocol; no PHI is
    removed from the covered entity

19
Form 9: Authorization to Include Protected
Health Information in a Research Repository
  • This is a newly created form used specifically
    for the situation when a Research Repository is
    created that is not yet connected to a specific
    research project.
  • Many times researchers would like to hold onto
    PHI from patients' medical or research study
    visits for possible use in a future research
    study. However, the patient has the right to be
    informed that their medical information is being
    held for future use, even if it is only for
    chart reviews or publications. This is where
    this form comes into play.
  • Soon the IRB will release a corresponding IRB
    Repository Protocol. Any time a
    researcher/physician would like to retain a
    person's PHI for possible future use in a
    research study, an IRB Repository Protocol would
    need to be completed and approved by the IRB. It
    would then also be necessary that each subject
    sign a HIPAA Authorization to Include Protected
    Health Information in a Research Repository form,
    or their information could not be saved for
    research purposes.
  • This also includes the instance when a physician
    sees a patient for medical purposes, and enters
    more information into a database than is
    necessary for treatment with the hope of using
    the data in a future research study.

20
Oral HIPAA Language
  • If you are obtaining oral consent from a subject,
    this language must be incorporated into the oral
    consent.
  • Once the language is deemed acceptable by the
    Research Privacy Coordinator, the consent still
    needs to be officially approved by the IRB, as
    this is an official consenting document. (You
    need to submit this separately to the IRB for
    review.)

21
Resources
  • Cornell IRB HIPAA webpage/forms
  • http://intranet.med.cornell.edu/research/irb/hipaa.html
  • Department of Health and Human Services National
    Institutes of Health (HIPAA Privacy Rule
    Information for Researchers)
  • http://privacyruleandresearch.nih.gov/
  • United States Department of Health and Human
    Services Office for Civil Rights HIPAA (HIPAA
    Security Rule)
  • http://www.os.dhhs.gov/ocr/hipaa/

22
What's Next? A Brief Overview of the Security Rule
  • Compliance deadline is April 2005, to have the
    necessary safeguards in place
  • The rule requires implementing administrative,
    technical and physical safeguards to protect the
    security of health information maintained
    electronically

23
What's Next? A Brief Overview of the Security Rule
  • PASSWORDS
  • Choose passwords that are not easy to guess
  • Are at least eight characters long
  • Use a combination of letters and numbers
  • Change the password every 3-6 months
  • Use in conjunction with another security method
  • ENCRYPTION
  • Check every e-mail for viruses and filter for
    spam
  • Use an up-to-date antivirus scanner on your
    computer/network

24
What's Next? A Brief Overview of the Security Rule
  • E-MAIL (interim policy)
  • Prior to using e-mail to communicate with a
    patient/subject they must be informed it may not
    be safe
  • Never use e-mail with a patient in an urgent
    situation
  • Patient/subject must complete a separate form
    authorizing e-mail transmission (which can also
    be revoked)
  • Never hit "forward" or "reply all", and double
    check the attachments being sent
  • Never put any PHI in the subject line (use only
    the word "Confidential")
  • Try to avoid using names, dates, social security
    numbers and other unique identifiers in case the
    e-mail is misdirected

25
What's Next? A Brief Overview of the Security Rule
  • Security Standards: General Rules
  • Ensure the confidentiality, integrity and
    availability of all electronic protected health
    information
  • Protect against any reasonably anticipated
    threats or hazards to the security or integrity
    of such information
  • Administrative Safeguards
  • Risk analysis, risk management, vulnerability
    assessment (study specific)
  • Physical Safeguards
  • Limit physical access to electronic information
    systems and the facility in which they are
    housed, while ensuring that properly authorized
    access is allowed.
  • Technical Safeguards
  • Automatic log-off, encryption, decryption
  • Organizational Requirements
  • Contracts, business associate agreements
  • Cornell will be coming out with policies and
    procedures (broadcast e-mails)

26
REMEMBER
  • You are not alone!
  • We are here to help!

27
Contact Information
  • HIPAA Research Privacy Coordinator
  • Phone (212) 821-0629
  • Fax (212)821-0660
  • E-mail HIPAA Research@med.cornell.edu
  • Interoffice BOX 5
  • External Address 425 East 61st Street
  • Suite DV301
  • NY, NY 10021