Health Insurance Portability and Accountability Act (HIPAA)

HIPAA Privacy Rule: UCSF Education Module for Researchers, Research Administrators, Coordinators, Staff and IRB Members

06/20/03 (revised)

What is the Basic Privacy Rule?

• HIPAA-covered entities are required to protect the privacy and security of an individual’s Protected Health Information (PHI).
• PHI may be used and disclosed for Treatment, Payment, Operations (TPO) and certain other uses and disclosures without authorization from the patient.
• Any other use or disclosure of PHI must be authorized by the patient or conform to an exception permitted by HIPAA.
• PHI used in research obtained from the Covered Entity must be accessed in compliance with HIPAA.

What is a Covered Entity at UC?

• Under HIPAA, a Covered Entity (CE) is a health care provider, health plan, or health information clearinghouse.
• The UC Covered Entity includes UC’s institutions and workforce members at the five academic health centers at UCD, UCI, UCLA, UCSD and UCSF.

NOTE: The definition of the Covered Entity is different for each institution, including the SFVAMC, SFGH and other UCSF affiliates.

What is Protected Health Information (PHI)?

• Individually identifiable information
• Past, present, or future:
  • Health status
  • Treatment
  • Payment for health care
• Created, used, or disclosed by a covered entity (CE)
• In any form (electronic, paper, image)
• Includes any one of the 18 identifiers as defined by HIPAA when created, used or disclosed by or to the Covered Entity

Protected Health Information: 18 Identifiers defined by HIPAA

• Name
• Postal address
• All elements of dates except year
• Telephone number
• Fax number
• Email address
• URL address
• IP address
• Social security number
• Account numbers
• License numbers
• Medical record number
• Health plan beneficiary #
• Device identifiers and their serial numbers
• Vehicle identifiers and serial number
• Biometric identifiers (finger and voice prints)
• Full face photos and other comparable images
• Any other unique identifying number, code or characteristic

How does the HIPAA Privacy Rule affect University Researchers?

Researchers will likely want to access, use or disclose PHI held by the CE in order to conduct research.

The Privacy Board must approve the above uses of PHI for research.

At UCSF the Privacy Board for research is the Committee on Human Research (CHR).

The Privacy Rule applies to all active studies as of April 14, 2003.

Does all human subjects research use PHI?

Not at all. Some examples:

• Non-treatment studies, i.e., testing done with no identifiers; use of aggregate data; diagnostic or genetic tests that do not go into the medical records and results of which do not go to subjects; blood draws for protein binding studies
• Some interview studies and focus group studies
• Some questionnaire studies
• Studies that recruit subjects through ads and flyers where no PHI was accessed and none is created during research

What are the practical implications of HIPAA for Human Research at UCSF?

• New and different vocabulary
• Stricter control of access to Medical Records
• Stricter limitations on how subjects are identified for recruitment
• Additional documentation required for CHR applications

What are the patients’ rights under HIPAA?

• To restrict the use and disclosure of their PHI.
• To access and receive a copy of their PHI (for research purposes, if it will not cause psychological harm).
• To receive an accounting of disclosures of their PHI from the Covered Entity (CE).
• To request amendments to their PHI in their medical records.
• To file complaints with the University or Office of Civil Rights that may result in civil and criminal penalties for individuals as well as the CE.

What is the Covered Entity’s Responsibility?

The Covered Entity is responsible for protecting PHI and for ensuring that PHI:

• Is only used or released for treatment, payment, or operations or as otherwise permitted or required by law;
• Is not released without the patient’s authorization; or
• Is released only under one of the five exceptions to the authorization requirement.
• Meets “minimum necessary” standard.

What is the “Minimum Necessary” Standard for research?

Only the minimum information reasonably necessary for a specific research purpose may be used or disclosed by a Covered Entity.

This standard must be addressed in the research protocol.

How can an investigator access PHI for research?

By obtaining one of the following:

• the subject’s individual authorization,
• a CHR-approved waiver of subject authorization,
• a CHR-certified exemption to use de-identified data, or
• a CHR-approved protocol to use a Limited Data Set.

Individual Subject’s Authorization for Research Access to PHI

• Authorization is a separate document used in addition to the Consent Form.
• UCSF standard form is required by UCSF; VA form is required at VA.
• In rare cases, authorization language may be embedded in the consent form, but standard wording is required; and two separate subject signatures are required.

Elements Required in Authorization*

• Description of PHI to be disclosed;
• Why information is being released;
• Who is releasing this information;
• Who is receiving this information;
• How long the information will be kept;
• Signature of individual and date signed; and
• Three required authorization statements: subject’s right to revoke authorization, conditions on authorization, and potential risk of redisclosure.

Research that Does Not Require Subject’s Authorization (or Consent)

Research that qualifies for a CHR-approved Waiver of Consent/Authorization

Research that qualifies for a CHR-certified exemption to use de-identified data, or

Research that qualifies for a CHR-approved protocol to use a Limited Data Set.

#1: Waiver of Authorization

CHR and PI must certify that research:

• Could not practicably be conducted without waiver;
• Could not practicably be conducted without PHI;
• Poses minimal risk to privacy and there is an adequate plan to protect privacy; and
• Research release by waiver must be tracked for disclosure to the subject.

#2: De-Identified Data Sets

All 18 identifiers of PHI must be removed.

PI must apply for Exempt Certification

CHR certification of application is required

#3: Limited Data Set

• May include only the following PHI:
  • Date(s) of service (admission, discharge)
  • Dates of birth and death
  • 5-digit zip codes and other geographic subdivisions other than street address
• May include non-PHI information (i.e., diagnosis)
• Does not require a subject’s authorization
• Does require CHR approval and a Data Use Agreement form

NOTE: PI must submit Expedited Application to IRB.

Why use a Limited Data Set?

The Limited Data Set (along with the Data Use Agreement) restricts the use of PHI but has the following advantages:

• The study does not require either a subject authorization or a waiver of authorization.
• The PI does not have to track disclosures.
• The use of the data does not need to have an expiration date.
• This is the most protective way to transmit data to sponsors or other entities.

Data Use Agreements for Use of a Limited Data Set (LDS)

Are between CE and the recipient of the LDS.

List the permitted uses and disclosures of the LDS.

Establish who is permitted to use or receive the LDS.

Provide that researcher or recipient will:

• Not use or further disclose the information other than as in agreement or as required by law;
• Use appropriate safeguards;
• Report to the CE any unpermitted uses or disclosures;
• Ensure that anyone to whom he/she provides the data agrees to the same restrictions; and
• Not identify the information or contact the individuals.

How does a researcher gain access to PHI in Medical Records at UCSF?

• Copy of CHR approval letter with:
  • statement of Waiver of Authorization of individual consent --or--
  • statement that Individual Subject Authorization will be obtained --or--
  • a statement that a Limited Data Set will be used.
• An Exempt Application certified by the CHR.

What types of CHR approvals do different types of studies need?

• PHI is used: Full Committee or Expedited
• De-identified PHI (no PHI used): CHR Exempt Certification
• Limited Data Sets (limited PHI allowed): Expedited with Data Use Agreement

NOTE: Medical Records will require CHR approval or certification to release PHI for research.

What information is now required in the CHR application to address HIPAA?

Protocol and Consent or Authorization to include discussion of PHI (Procedures, Recruitment, Confidentiality, Consent):

• what type of PHI will be used
• how the PHI will be accessed/used
• who will see the PHI (sponsors, FDA, other PIs)
• protection plan (physical and electronic security)
• retention time for keeping PHI in project
• destruction plan (or “none” if for database)

NOTE: In addition, HIPAA Supplement posted on CHR website is required for all but exempt applications.

8 Acceptable Recruitment Methods

• PIs recruit their own patients directly.
• PIs provide Primary Care Physician (PCP) with a “Dear Patient” letter that instructs interested patients how to contact PI about enrollment.
• PIs ask PCPs for referrals and may contact patients if there is documented patient permission to do so. (Note: Patient permission may be verbal.)
• PI uses CHR-approved ads, notices, and/or media.

Recruitment Methods (continued)

• PIs request a Waiver of Consent/Authorization for recruitment purposes as an exception to the regularly approved methods.
• Faculty Practices/Clinics develop a CHR-approved recruitment protocol so subjects agree ahead of time to be contacted for research.
• PIs enter data about study into the UCSF Seeking Clinical Trials Volunteer Website or another similarly managed website.
• PIs do not access PHI for recruitment purposes.

Protocols approved before April 14, 2003—if PHI is involved

If a study is active before April 14th, the pre-existing consent form meets the authorization requirement.

New subjects entered after April 14th must sign a separate Authorization to be used in conjunction with the CHR-approved consent form.

The standard UC Authorization is posted on the CHR website.

NOTE: Do NOT submit the protocol or Authorization or any other HIPAA forms to the CHR until renewal time as long as the protocol is unchanged and the standard UC authorization is used.

New or modified protocol approved after April 14, 2003—if PHI is involved

Subject must sign separate HIPAA Authorization (recommended) --or--

Standard UC authorization language may be embedded in the consent form. Note: Authorization language in the consent form must have a separate signature in addition to the consent form signature.

CHR may require additional forms and/or application supplements.

Conclusion: The HIPAA Privacy Rule

• Allows the subject or the CHR to determine when health information may be used for research.
• Places responsibility on the CHR to provide the Covered Entity with assurances that PHI will be protected.
• Does not override other existing federal regulations to protect human subjects in research.
• Does not override any California Law that provides greater protection for the privacy of health information.

UCSF HIPAA Websites

• UCSF: http://www.ucsf.edu/hipaa
  • HIPAA Handbook (pdf)
  • HIPAA Training Modules
  • Privacy Officer
• Committee on Human Research: http://www.research.ucsf.edu./chr/HIPAA/HIPAA.htm
  • Research Training, FAQ, information
  • Application and Consent templates/guidelines
• UCSF Information Security: http://isecurity.ucsf.edu

UCSF HIPAA Decision Tree for Before and After April 14, 2003

Does research use PHI?

NO, if none of the 18 identifiers are to be used, accessed or created for delivery of health care purposes

THEN HIPAA does not apply

• Submit CHR application as usual
• Submit HIPAA Supplement

Does research use PHI?

YES, if any of the 18 identifiers are to be used, accessed, or created (from or for medical record)

THEN, if study is approved before April 14, 2003:

• Continue CHR-approved study until time of next renewal or until requesting consent modification
• Use currently approved consent (if any)
• Any new subjects enrolled on or after April 14, 2003 will have to sign a Subject Authorization in addition to consent form (PI keeps until study ended; CHR does not review if standard UCSF Subject Authorization form used)

NOTE: CHR will revisit Consent/Authorization plan and language at renewal time

Does research use PHI?

YES, if any of the 18 identifiers are to be used, accessed, or created

THEN, if study is approved on or after April 14, 2003:

• If using full or expedited committee application,
  • Submit HIPAA Supplement
  • Submit separate Subject Authorization (recommended) or consent form with HIPAA language embedded
• and/or, if waiver of consent of individual authorization is requested for either screening and recruitment or for conduct of study, submit Waiver of Consent/Authorization Form

Does research use PHI? (continued)

• If study was previously approved as exempt, it may no longer qualify as exempt since HIPAA definitions of de-identified are now more strictly defined. It may need to be resubmitted for expedited review.
• If using a limited data set, submit expedited form and data use agreement.

Optional Slide (for those who want just a little more): How do Common Rule (45 CFR 46) and Privacy Rule (45 CFR 164) differ?

| Common Rule | Privacy Rule |
| --- | --- |
| Informed Consent | Authorization |
| To participate in research based on risks and benefits | To use or disclose PHI |
| 8 required elements | 6 core elements |
| Signed consent | Signed authorization |
| Waiver of consent | Waiver of authorization |