HIPAA and Research What do you need to know and do before April 14, 2003 - PowerPoint PPT Presentation

1
HIPAA and Research: What do you need to know and
do before April 14, 2003?
  • Wesley G. Byerly, Pharm.D.
  • Director, Institutional Review Board
  • Wake Forest University Health Sciences

2
The Health Insurance Portability and
Accountability Act of 1996, AKA Public Law
104-191, AKA HIPAA
Congressional attempt at incremental health care
reform through portability and administrative
simplification
3
HIPAA Components
4
Privacy Rule History
  • August 1996 - Passage of HIPAA gave Congress 36
    months to pass comprehensive privacy legislation
    for health information, or DHHS was to promulgate
    final regulations. Congress did not act by the
    deadline, so:
  • November 3, 1999 - DHHS published proposed
    regulation for individually identifiable health
    information in the Federal Register; more than
    52,000 comments received
  • December 28, 2000 - Final Privacy Rule issued;
    established an effective date of April 14, 2001
  • January 2001 - Final Privacy Rule put on hold
  • February 2001 - Privacy Rule reopened for
    comments
  • March 27, 2002 - Notice of Proposed Rule Making
    (NPRM) published
  • August 14, 2002 - Revised Final Privacy Rule issued
  • December 3, 2002 - New guidance from Office for
    Civil Rights
  • April 14, 2003 - Compliance date for Privacy Rule

5
Who is Covered in the Privacy Rule?
  • A health care provider who transmits protected
    health information electronically for any covered
    HIPAA transaction
  • Examples: a physician who electronically bills
    for services; a researcher who is employed by a
    covered entity
  • A health plan
  • A health care clearinghouse

6
What is Covered in the Privacy Rule?
  • Protected Health Information (PHI)
  • Health information + Identifier = PHI
  • Transmitted or maintained in any form (paper,
    electronic, forms, web-based, etc.)
  • Decedents' information included
  • Does not include de-identified health information

7
What is Health Information in the Privacy Rule?
  • Any information, whether oral or recorded in any
    form or medium, that
  • Is created or received by a health care provider,
    health plan, public health authority, employer,
    life insurer, school or university, or health
    care clearinghouse; and
  • Relates to the past, present, or future physical
    or mental health or condition of an individual;
    the provision of health care to an individual; or
    the past, present or future payment for the
    provision of health care to an individual; and
  • Which identifies the individual; or
  • Where there is a reasonable basis to believe that
    the information can be used to identify the
    individual

8
What is an Identifier in the Privacy Rule?
The Privacy Rule defines 18 identifiers
  • Name
  • Geographic information (including city, state and
    zip)
  • Elements of dates (including admission/discharge
    dates, service dates, birth date, date of death)
  • Telephone numbers
  • FAX numbers
  • E-mail addresses
  • Social Security number
  • Medical Record number, prescription number, etc.
  • Health plan beneficiary number
  • Account Numbers
  • Certification numbers
  • VIN and Serial numbers, license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP address numbers
  • Biometric identifiers (finger prints, voice
    prints, retinal scans, etc.)
  • Full face or comparable photo images
  • Unique identifying numbers

9
How does the Privacy Rule protect PHI?
  • Establishes conditions for use of PHI
  • Sharing, employment, application, utilization,
    examination, or analysis within the covered
    entity
  • Establishes conditions for disclosure of PHI
  • Release, transfer, provision of access to, or
    divulging outside the covered entity
  • Has additional protections for uses and
    disclosures made without the person's permission
    (minimum necessary standard, for instance)
  • Gives individuals rights to information about
    themselves and how it has been used and disclosed

10
What is the Minimum Necessary Standard in the
Privacy Rule?
  • Minimum Necessary Requirement
  • Policies and procedures must be in place to limit
    access and disclosure of PHI to the minimum
    necessary to achieve the purpose of non-treatment
    activities.
  • Applies to
  • Use or disclosure of PHI
  • Requests made for PHI
  • EXCEPT for
  • Treatment
  • When the person requests his/her own PHI
  • With an Authorization
  • Some others

11
What are the Penalties for HIPAA Non-Compliance?
  • Federal Programs: exclusion from federal programs
    anticipated
  • Accreditation: accrediting organizations will
    require compliance
  • Criminal penalties, each offense (max.):
  • Wrongfully obtains or discloses: $50,000 per
    offense, 1 year imprisonment
  • False pretense: $100,000 per offense, 5 years
    imprisonment
  • Intent to sell, transfer, or use: $250,000 per
    offense, 10 years imprisonment
  • Civil Monetary Penalties: $100 for each
    violation, $25,000 maximum per year, per violation
12
Key Terms
  • Privacy
  • Having control over the extent, timing, and
    circumstances of sharing oneself (physically,
    behaviorally, or intellectually) with others.
  • Confidentiality
  • The treatment of information that an individual
    has disclosed in a relationship of trust with the
    expectation that it will not be divulged to
    others in ways that are inconsistent with the
    understanding of the original disclosure without
    permission.

OPRR Guidebook, 1993
13
Key Terms in HIPAA
  • Use
  • Sharing of PHI within or among the Medical Center
    departments
  • Disclosure
  • Sharing of PHI to external entities
  • Incidental Disclosures
  • Patient logs
  • Waiting/Patient rooms
  • Non-Specific Telephone conversations

14
Key Terms in HIPAA
  • Treatment, Payment, Health Care Operations (TPO)
  • Treatment - the provision, coordination, or
    management of health care and related services by
    one or more health care providers (e.g.,
    consultation, referrals)
  • Payment - activities of a health care provider to
    obtain reimbursement for the provision of health
    care (e.g., eligibility, coverage, billing, claims
    management, collections)
  • Healthcare Operations - such activities as quality
    assessment and improvement, reviewing
    qualifications of employees and students,
    underwriting activities, medical/legal/compliance
    reviews, cost management, internal grievances,
    customer service, education.

15
Key Terms in HIPAA
  • Research
  • A systematic investigation, including research,
    development, testing and evaluation, designed to
    develop or contribute to generalizable knowledge
  • Authorization
  • A customized document that gives permission to
    use PHI for specific purposes other than TPO
    (e.g., Marketing, Fundraising, Research)
  • Must use approved Medical Center's Authorization
    Form(s)
  • Must retain Medical Center's Authorization Form
  • Patient Authorization is NOT synonymous with
    patient consent for either research or clinical
    care.

16
Key Terms in HIPAA
  • Notice of Privacy Practices (NPP)
  • A document that explains how patients'
    information is used and disclosed in the Medical
    Center.
  • Explains patients' rights.
  • Will be available to each patient who enters the
    Medical Center.
  • RESEARCHERS MUST MAKE SURE THIS IS AVAILABLE TO
    RESEARCH SUBJECTS
  • Is NOT an Authorization for the use and
    disclosure of PHI
  • Patients' rights include
  • Inspect and copy
  • Amend
  • An Accounting of Disclosures
  • Request Restrictions
  • Request Confidential Contacts
  • Paper Copy of the Notice of Patient Privacy
  • Opt out of Hospital Directory
  • Any of the above requests should be forwarded to
    the Privacy Office at 713-2320 or 716-5578.

17
Privacy Rule and Research: General Concepts
  • HIPAA protects the privacy of PHI by establishing
    conditions for its use and disclosure in research
  • Applies to all research regardless of funding
  • HIPAA exceeds other privacy protections in the
    Common Rule and FDA regulations
  • An individual's written Authorization is required
    for the use or disclosure of PHI unless
    Authorization is waived or excepted
  • Authorization waivers can be granted by IRBs or
    Privacy Boards under limited circumstances
  • Decedents' information is protected, but
    Authorization is not required
  • Accounting and reporting of disclosures are
    required

18
Research under HIPAA
  • Situations in which PHI may be used for research
    purposes
  • With individual Authorization
  • With waiver of Authorization by IRB or Privacy
    Board
  • By De-Identification of PHI
  • As a Limited Data Set with Data Use Agreement
  • As an activity preparatory to research
  • For research on decedents' information

19
Research Use and Disclosure of PHI With
Authorization: Authorizations for Research
  • Must be for a specific research study; blanket
    Authorizations are NOT permitted
  • Review/approval by IRB or Privacy Board not HIPAA
    required but likely to be IRB required
  • Different from but may be combined with the
    research study informed consent.
  • Must contain core elements and required
    statements in the Rule
  • Research authorizations need not expire
  • Needed for creation of a repository (data or
    biological material) for future research

20
Elements of an Authorization
  • Core HIPAA Elements
  • Description of PHI to be used or disclosed
  • Person(s) authorized to make and receive the
    requested use or disclosure
  • Purpose for the use or disclosure
  • Expiration date or event (e.g. end of the
    research study or none)
  • Subject or legally authorized representative
    signature and date
  • Required HIPAA Statements
  • Right to revoke Authorization plus exceptions and
    process
  • Ability/Inability to condition treatment,
    payment, or enrollment/eligibility for benefits
    on Authorization
  • PHI may no longer be protected by Privacy Rule
    once it is disclosed by the covered entity

21
Advantages of Authorization
  • Written permission
  • Described path of PHI flow
  • No minimum necessary standard
  • No accounting for disclosures

22
Research Use and Disclosure of PHI Without
Authorization
  • IRB or Privacy Board waiver of Authorization
    requirement
  • De-identify PHI
  • Limited Data Set with Data Use Agreement
  • Activity preparatory to research
  • Research is on decedents' information
  • Disclosure to a public health authority or as
    required by law
  • Research that qualifies for the Transition
    Provisions

23
Research Use and Disclosure of PHI Without
Authorization Waiver of Authorization
  • Obtain documentation that an IRB or Privacy Board
    has determined that each of the following waiver
    criteria has been satisfied:
  • The use or disclosure involves no more than
    minimal risk because of an adequate
    plan/assurance
  • To protect PHI from improper use or disclosure
  • To destroy identifiers at earliest opportunity
  • That PHI will not be inappropriately reused or
    disclosed
  • The research could not practicably be conducted
    without the waiver
  • The research could not practicably be conducted
    without access to and use of PHI

24
Waiver of Authorization
  • HIPAA
  • Waiver of requirement for Authorization to use or
    disclose PHI
  • No more than minimal risk to privacy based on at
    least
  • Plan to protect identifiers
  • Plan to destroy identifiers at earliest
    opportunity
  • Written assurance that PHI will not be
    used/disclosed with few exceptions
  • Research cannot be done without waiver
  • Research cannot be done without the PHI
  • OHRP
  • Waiver of requirements for informed consent
  • Research involves no more than minimal risk - the
    probability and magnitude of harm or discomfort
    anticipated in the research are not greater in
    and of themselves than those ordinarily
    encountered in daily life or during the
    performance of routine physical or psychological
    examinations or tests
  • Waiver or alteration of informed consent will not
    adversely affect the rights and welfare of the
    subject
  • FDA
  • No comparable waiver of informed consent allowed

25
Research Use and Disclosure of PHI Without
Authorization De-identified Health Information
  • Completely de-identified information (18 elements
    removed) and no knowledge that remaining
    information can identify the individual
  • De-identified is NOT the same as anonymous!
  • Statistically de-identified information where a
    statistician certifies that there is a very
    small risk that the information could be used to
    identify the individual.
  • Identification by Inference
  • The combination of several data fields makes the
    data identifiable
  • Rule of Thumb: if sorting data according to any
    variables produces subsets with ten or fewer
    members, then these individuals are at risk for
    identification by inference

26
De-identified Data
Excludes the following identifiers
  • Health plan beneficiary number
  • Account Numbers
  • Certification numbers
  • VIN and Serial numbers, license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP address numbers
  • Biometric identifiers (finger prints, voice
    prints, retinal scans, etc.)
  • Full face or comparable photo images
  • Unique identifying numbers
  • Name
  • Geographic information (other than state or the
    initial three digits of the zip code)
  • Elements of dates except for year (including
    admission/discharge dates, service dates, birth
    date, date of death) and age over 89
  • Telephone numbers
  • FAX numbers
  • E-mail addresses
  • Social Security number
  • Medical Record number, prescription number, etc.

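The two de-identification checks the slides describe, applied to constructed sample records, as an added Python example that is not part of the original presentation: the Safe Harbor transformation (drop the direct identifiers, keep only state and the first three zip digits, reduce dates to the year, aggregate ages over 89) followed by the slide's rule of thumb that any subset of ten or fewer members after sorting is at risk of identification by inference. The field names, the `deidentify` and `small_cells` function names and the sample cohort are assumptions made for this example.

```python
from collections import Counter
from datetime import date

# Direct identifiers from the slide's list that are removed outright.
# Field names are assumed for this example.
DROP_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "cert_no", "vin", "device_id", "url", "ip",
    "biometric", "photo", "other_unique_id",
}


def deidentify(record):
    """Apply the slide's de-identification rules to one record.

    Follows only the rules stated on the slides: direct identifiers are
    dropped, geography below state is reduced to the first three zip
    digits, dates keep only the year, and ages over 89 are aggregated.
    """
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS or key == "city":
            continue                      # removed entirely
        if key == "zip":
            out["zip3"] = str(value)[:3]  # initial three digits only
        elif isinstance(value, date):
            out[key.replace("date", "year")] = value.year
        elif key == "age":
            out["age"] = "90+" if value > 89 else value
        else:
            out[key] = value
    return out


def small_cells(records, quasi_ids, k=10):
    """Return {quasi-identifier tuple: count} for groups of k or fewer.

    Implements the slide's rule of thumb: sort (group) the de-identified
    data by the chosen variables and flag subsets with ten or fewer members.
    """
    counts = Counter(tuple(r.get(q) for q in quasi_ids) for r in records)
    return {key: n for key, n in counts.items() if n <= k}


def build_sample():
    """Constructed sample cohort, not real patients: eleven records sharing
    the same quasi-identifiers plus one outlier that stands alone."""
    common = {"state": "NC", "zip": "27157", "admit_date": date(2002, 11, 20),
              "age": 45, "diagnosis": "J18.9"}
    records = [dict(common, name=f"Patient {i}", mrn=f"{i:06d}",
                    city="Winston-Salem") for i in range(11)]
    records.append({"name": "Outlier", "mrn": "999999", "city": "Winston-Salem",
                    "state": "NC", "zip": "27157",
                    "admit_date": date(2002, 11, 20),
                    "birth_date": date(1910, 1, 1),
                    "age": 92, "diagnosis": "C34.90"})
    return records


def run_demo():
    """De-identify the sample and report cells at risk of inference."""
    cleaned = [deidentify(r) for r in build_sample()]
    return cleaned, small_cells(cleaned, ("zip3", "age", "diagnosis"))


if __name__ == "__main__":
    cleaned, risky = run_demo()
    print(cleaned[-1])
    print("cells of 10 or fewer:", risky)
```

The outlier is the only record flagged: the eleven identical records form a group of more than ten, while the single 90+ record with a distinct diagnosis is identifiable by inference even though every direct identifier was removed.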
27
Research Use and Disclosure of PHI Without
Authorization: Limited Data Set with Data Use
Agreement
  • The Privacy Rule permits limited types of
    identifiers to be released with health
    information (referred to as a Limited Data Set).
  • Excludes direct or facial identifiers
  • Includes full elements of dates (e.g.,
    admission/discharge dates, service dates, birth
    date, date of death), all ages, town/city, state,
    full zip code
  • Limited Data Sets can only be used and released
    in accordance with a Data Use Agreement between
    the covered entity and the recipient.

28
Limited Use Data Set
Excludes the following direct identifiers
  • Name
  • Geographic information (other than city, state
    and zip)
  • Telephone numbers
  • FAX numbers
  • E-mail addresses
  • Social Security number
  • Medical Record number, prescription number, etc.
  • Health plan beneficiary number
  • Account Numbers
  • Certification numbers
  • VIN and Serial numbers, license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP address numbers
  • Biometric identifiers (finger prints, voice
    prints, retinal scans, etc.)
  • Full face or comparable photo images
  • Unique identifying numbers

29
Data Use Agreement: REQUIRED for Limited Use Data
Sets
  • The Data Use Agreement must
  • Describe the permitted uses and disclosures
    (recipient cannot use or disclose PHI in a way
    that the covered entity cannot)
  • Identify who can use and disclose the PHI
  • Require the recipient to
  • Use or disclose information for specified
    purposes only
  • Apply safeguards to protect the information
  • Report known violations to the covered entity
  • Hold subcontractors to the same standards as in
    the agreement
  • Not re-identify the information or contact the
    individuals

30
Research Use and Disclosure of PHI Without
Authorization Preparatory to Research
  • Requires notification of the entity holding the
    PHI
  • Researcher must provide representation that
  • The PHI is to be used solely to prepare a
    protocol or for a similar purpose
  • The PHI will not be removed from the covered
    entity
  • The PHI is necessary for research
  • May be used to develop a hypothesis, protocol or
    characteristics of a research cohort
  • May not be summarized, used or presented as a
    research study without prior IRB approval
  • May allow access to PHI to identify subjects for
    recruitment

31
Research Use and Disclosure of PHI Without
Authorization: Decedents' Information
  • The researcher must provide representation that
  • The use and disclosure is solely for research
  • The PHI is necessary for research
  • The individual is deceased and provide
    documentation upon request

32
The Privacy Rule and Research: Disclosure to a
Public Health Authority or Required by Law
  • Disclosure without Authorization permitted if
    required by law or for public health activities.
  • Examples
  • Adverse event reporting to a sponsor, FDA, NIH
  • Public health reporting of communicable diseases
  • Tracking of FDA regulated products (e.g. devices)
  • Reporting abuse, neglect or domestic violence
  • A covered entity may disclose PHI related to an
    adverse event if required to do so by regulation.
    Even if not required to do so, the researcher may
    disclose adverse events as a public health
    authority.

33
Privacy Rule and Research: Transition
Provisions (Grandfathered Research)
  • Permits use or disclosure of PHI if pre-existing
    permission or IRB waiver was obtained BEFORE
    April 14, 2003
  • Pre-existing Permission
  • Signed, IRB approved research informed consent
  • IRB waiver of the requirement to obtain informed
    consent
  • Express legal permission to use or disclose PHI
    for research.
  • Do NOT need to re-consent, get Authorization, or
    obtain waiver if an IRB already approved the
    waiver or if consent signed BEFORE April 14,
    2003.
  • Use or disclosure of PHI ON or AFTER April 14,
    2003 requires Authorization, Waiver of
    Authorization by IRB or Privacy Board, or other
    Privacy Rule exemption or waiver to apply

34
Privacy Rule and Research: IRBs/Privacy Boards
Review under the Privacy Rule
  • Because the Privacy Rule assumes Authorization
    will be obtained, IRBs/Privacy Boards will see
    Requests to WAIVE Authorization requirement.
  • IRBs will see Authorizations that are combined
    with informed consent documents.
  • IRBs will likely request to see Authorizations
    that are separate from the informed consent
    documents.

35
Privacy Rule and Research: Access to Research
Records
  • Individuals generally have a right to view and
    copy their health records maintained by covered
    entities.
  • For research records, patients may have right to
    access records if
  • The records involve treatment (e.g., some
    clinical trials) or they are used to make
    decisions about individuals. AND
  • The researcher is a covered entity.
  • EXCEPT While a trial is ongoing, covered
    researchers may deny access if the individual
    agrees in advance (e.g., in an Authorization).

36
Privacy Rule and Research: Accounting for
Disclosures
  • In general, an accounting is required for PHI
    disclosures made without Authorization
  • Including for research disclosures of PHI for
  • Reviews preparatory to research
  • Research using decedents' PHI
  • Research under a waiver of Authorization
    (including waivers that meet the transition
    provision requirements)
  • Disclosures to public health authorities or
    sponsors
  • Most disclosures mandated by law
  • The individual or entity holding the PHI is
    responsible for the accounting

37
Types of Accounting
  • Generally
  • (Date, recipient, recipient address if known,
    purpose)
  • Multiple disclosures to same person for same
    purpose
  • (Date, recipient, recipient address if known,
    purpose, frequency, periodicity or no. of
    disclosures, date of last disclosure)
  • Research accounting for PHI of 50 or more
    individuals
  • (Name of protocol, description of protocol or
    research activity and PHI disclosed, date or
    period of time during which disclosure occurred
    or may have occurred and last date of disclosure,
    name, address, and phone no. of sponsor and
    recipient, statement that the PHI may or may not
    have been disclosed for a particular protocol or
    research activity)

38
Accounting When NOT needed
  • Accounting is NOT needed for disclosures of
  • PHI to the individual
  • PHI made pursuant to an Authorization (or
    informed consent that meets the transition
    provision requirements)
  • De-identified health information
  • PHI in Limited Data Sets with Data Use Agreement
  • Disclosures made before April 14, 2003

39
Privacy Rule and Research: Revoking an
Authorization
  • Individuals have the right to revoke their
    Authorization.
  • EXCEPT, covered entities may continue to use or
    disclose PHI that was obtained before a
    revocation if necessary to maintain the
    integrity of the research study. (Reliance
    exception)
  • For example, a researcher can continue using PHI
    to account for a subject's withdrawal from the study.

40
Privacy Rule and Research: Subject Recruitment
  • A patient's direct treatment provider may discuss
    possible research participation with a patient
  • A patient's direct treatment provider may NOT
    discuss the patient with research colleagues for
    potential enrollment purposes without the
    patient's Authorization or Waiver of
    Authorization by IRB or Privacy Board
  • Can a researcher search through medical records
    to identify potential research subjects?
  • Only if
  • They are the subject's direct treatment provider
  • Individual Authorization has been provided
  • A Waiver of Authorization has been granted by the
    IRB or Privacy Board
  • As Preparatory to Research
  • All subject recruitment strategies and material
    MUST be approved by the IRB (Common Rule
    requirement)

41
Privacy Rule and Research: Document Retention
Requirements
  • The following must be retained for 6 years from
    date of creation or from date when last in
    effect, whichever is later
  • Authorization form (or consent form if
    authorization is incorporated into the consent
    document)
  • Waiver of Authorization
  • Data Use Agreement
  • Accounting for disclosures
  • Written revocation of Authorization
  • Statistical certification of de-identification

42
Privacy Rule and Research: Security of PHI
  • It is the principal investigator's responsibility
    to ensure
  • The security of research related PHI
  • Research team members' access
  • Security of transmitted data
  • Security of on site data
  • Destruction of data
  • Compliance with HIPAA regulations
  • Compliance with Medical Center Security and
    Privacy Policies, including
  • Mandatory training
  • Signed agreement of confidentiality

43
Where to Get More Information
  • If you have questions, or hear of patient
    complaints regarding privacy and security please
    call the Privacy Office at 713-2320 or 716-5578,
    for security issues call the IS Security Office
    at 716-5401.
  • Or you can call the Medical Center's Compliance
    Hotline at 1-877-880-7888.
  • If you have questions regarding research issues
    please call the IRB Office at 716-4542.
  • If you see any activities that are not compliant
    with our Privacy and Security policies you must
    report them to one of the above areas immediately.