HIPAA%20Privacy%20Rule

1
HIPAA Privacy Rule

• Standards for Privacy of Individually
  Identifiable Health Information
• 45 CFR 160 and 164
• http//www.hhs.gov/ocr/combinedregtext.pdf (2.5
  MB)

2
Privacy Rule

• Establishes requirements relative to the use and
  disclosure of protected health information (PHI).
  This includes uses in and disclosures for
  research purposes.
• A covered entity may not use or disclose
  protected health information except as otherwise
  permitted or required 45 CFR 164.502
• Covered entities must be in compliance by April
  14, 2003
• DHHS Office of Civil Rights is responsible for
  enforcement

3
Definitions

• Covered entity
• Health plan
• Health care clearinghouse
• Health care provider who transmits any health
  information in electronic form in connection with
  transactions covered by the rule
• Health care claims, Health care payment
  remittance advice, Coordination of benefits,
  Referral certification authorization, Health
  care claim status, Enrollment/disenrollment in
  health plan, Eligibility for health plan, Premium
  payments, First injury reports, Health claim
  attachments, Anything else the Secretary
  prescribes via regulation

4
Definitions

• Protected Health Information (PHI)
• Individually identifiable health information that
  is
• Transmitted by electronic media (e.g., internet,
  intranet, tape, disc, compact disc)
• Maintained in electronic medium (e.g., tape,
  disc, compact disc)
• Transmitted or maintained in any other form or
  medium
• Note de-identified information is not PHI

5
Definitions

• Individually Identifiable Health Information
• Created or received by a health care provider,
  health plan, employer or health care clearing
  house and
• Relates to past, present or future physical or
  mental health condition of an individual
  provision of health care to an individual or
  past, present or future payment for provision of
  health care of an individual and
• Identifies the individual or
• For which there is a reasonable basis to believe
  the information can be used to identify the
  individual

6
Definitions

• Health Information
• Any information, whether oral or recorded in any
  form or medium that
• Is created or received by a health care provider,
  health plan, public health authority, employer,
  life insurer, school or university, or health
  care clearinghouse and
• Relates to the past, present, or future physical
  or mental health or condition of an individual
  or the past, present or future payment for the
  provision of health care to the individual
• Research
• A systematic investigation, including research
  development, testing and evaluation, designed to
  develop or contribute to generalizable knowledge.

7
Research Use

• 4 pathways for permission to use PHI for research
  related purposes
• With Authorization from Patient
• Without Authorization from Patient
• Waiver of Authorization by IRB or Privacy Board
• Reviews Preparatory to Research
• PHI of Decedents
• Limited Data Set and Data Use Agreement
• De-identified Data

8
Research Use With Authorization

• Authorization must have
• At least the following core elements
• Description of information to be used
• Name of persons authorized to make the use or
  disclosure
• Name of persons to whom the covered entity may
  make the use or disclosure
• Description of each purpose of the use or
  disclosure
• An expiration date or event
• End of the research study or none are
  acceptable for research purposes
• Signature of the individual and date

9
Research Use With Authorization

• Authorization must include
• The following statements
• Individuals right to revoke the authorization in
  writing and exceptions to the right to revoke and
  a description of how the individual may revoke
  the authorization
• Ability or inability to condition treatment,
  payment, enrollment or eligibility benefits on
  the authorization
• Potential for information disclosed pursuant to
  the authorization to be subject to redisclosure
  and no longer protected

10
Research Use With Authorization

• The authorization must be written in plain
  language
• The authorization must be provided to the
  individual as a signed copy for them to keep.
• The authorization may be combined with any other
  type of written permission for the same research
  study, such as a consent to participate in
  research.

11
Research Use W/out Authorization

• Documented Waiver by IRB or Privacy Board,
  including
• ID of IRB and approval date of the waiver
• Statement that IRB has determined waiver
  satisfies 3 criteria
• Use/disclosure involves no more than minimal risk
  to the individual
• Adequate plan exists to protect identifiers from
  improper use or disclosure
• Adequate plan exists to destroy identifiers at
  earliest opportunity consistent with conduct of
  research unless there is justification to retain

12
Research Use W/out Authorization

• Documented Waiver by IRB or Privacy Board
• Adequate written assurances that the PHI will not
  be reused or disclosed to anyone else or for
  other research
• The research could not be practicably carried out
  without the waiver
• The research could not be practicably carried out
  without access to the PHI
• Brief description of the PHI for which the
  use/access is necessary
• Statement that the waiver has been reviewed under
  normal or expedited review procedures
• Signature of IRB Chair or other member, as
  designated by the Chair

13
Research Use Reviews Preparatory to Research

• Requires representation (orally or in writing)
  from researcher that
• The use/disclosure of PHI is solely for research
  protocol preparation and,
• The researcher will not remove any PHI from the
  covered entity and,
• The PHI for which access is sought is necessary
  for the research purpose.

14
PHI of Decedents

• Requires representation (orally or in writing)
  from researcher that
• The use/disclosure sought is solely for research
  on the PHI of decedents and,
• The PHI for which access is sought is necessary
  for the research purpose and,
• At the request of the covered entity,
  documentation of the death of the individuals
  about whom the information is sought.

15
Limited Dataset Use

• Requires data use agreement between covered
  entity and researcher.
• Covered entity may disclose a limited data set to
  the researcher
• Data set excludes specific direct identifiers of
  the individual or of relatives, employers, or
  household members of the individual

16
Limited Dataset Use

• Data use agreement must
• Establish permitted uses of the data set
• Limit who can use or receive the data
• Requires recipient to agree to
• No use/disclose the information other than as
  permitted in agreement
• Use appropriate safeguards to present
  use/disclosure other than permitted in agreement
• Report to covered entity any use/disclosure not
  provided for by agreement that recipient becomes
  aware of
• Ensure that any agents to whom recipient provides
  the data set agrees to same restrictions and
  conditions
• Not identify the information or contact the
  individual.

17
Limited Dataset Use

• Data set must exclude variety of direct
  identifiers of the individual, relatives,
  employers or household members
• Names, addresses other than city, state zip
  code, telephone numbers, email addresses,
  SSNs,medical record numbers, health plan
  beneficiary numbers, account numbers,
  certificate/license numbers, VINs, license plate
  numbers, device identifiers and serial numbers,
  web URLs, IP addresses, biometric identifiers,
  full face photographic images

18
De-identified data - Requirements

• Determination or documentation by a person with
  appropriate knowledge of and experience with
  generally accepted statistical and scientific
  principles and methods for rendering information
  not identifiable that the risk is very small
  that the information could be used to identify an
  individual
• OR

19
De-identified data - Requirements

• Removal of elements related to the individual,
  relatives, employers or household members
• Names, geographic subdivisions smaller than a
  state except for first 3 zip code digits (if all
  zip codes with those 1st 3 digits contain gt20,000
  people), all elements of dates (except year)
  directly related to individual (birth, admission,
  discharge, death), all ages over 89 and all
  elements of dates (including year) indicative of
  such age (can aggregate into single category of
  age 90 and older) and
• All those elements excluded from Limited Data
  Sets, and
• Any other unique identifying number,
  characteristic or code, except as permitted for
  re-identification by the covered entity