Columbia University Health Sciences Research under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

Posted: 19-Dec-2015

Transcript of the presentation:

Columbia University Health Sciences Research under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

The two components of HIPAA:
• Administrative Simplification [Accountability]
• Insurance Reform [Portability]

HIPAA Overview

• Transactions, Code Sets, & Identifiers (Compliance Date: 10/16/2002 and 10/16/03)
• Privacy (Compliance Date: 4/14/2003)
• Security (Compliance Date: 4/20/2005)

Health Insurance Portability and Accountability Act (HIPAA)

PRIVACY vs. SECURITY

PRIVACY refers to WHAT is protected — Health information about an individual and the determination of WHO is permitted to use, disclose, or access the information.

SECURITY refers to HOW private information is safeguarded — Ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss.

PRIVACY

WHAT does the Privacy Rule COVER?

• Protected Health Information (PHI) = Individual (Patient) identifiable information relating to the past, present or future health condition of the individual
• ALL information whether maintained in electronic, paper or oral format

PRIVACY

WHAT does the Privacy Rule MEAN?

• Limits the Use and Disclosure of PHI
    • Most uses or disclosures outside of treatment or payment require actual patient authorization or an exception to authorization—e.g., research
• Establishes the Individual’s (Patient) right to control access and use of PHI
    • Right to inspect or copy PHI
    • Right to amend incorrect information, etc.

PRIVACY

WHAT does the Privacy Rule MEAN? (cont’d)

• Balances health information protection and individual rights against public health and safety needs
• Administrative Requirements
    • Privacy Officer
    • Privacy Board to review research
    • Notice
    • Training & Sanctions
    • Safeguards
    • Policies & Procedures

RASCAL HIPAA Forms

Human subjects research using identifiable health information must meet one of the following criteria:

• Form A) HIPAA Clinical Research Authorization
• Form A (Spanish Version) HIPAA Clinical Research Authorization
• Form B) HIPAA Application for Waiver of Authorization
• Form C) Request for Recruitment Waiver of Authorization
• Form D) Investigator's Certification for Reviews Preparatory to Research
• Form E) Investigator's Certification for Research with Decedents' Information
• Form F) Data Use Agreement for Disclosure of a Limited Data Set for Research Purposes
• Form G) Investigator's Certification for Research with De-Identified Data

HIPAA and Research

• HIPAA mandates that a Privacy Board ensure institutional compliance with HIPAA
• The Privacy Board function can be administered by an IRB or as a separate function
• For research involving human subjects at CUMC, this function is fulfilled by a Privacy Board function separate from the IRB—meets every two weeks

HIPAA and Research

Privacy Board:
• Authorization signed by patient for all clinical research
• Waiver Criteria applied before records research
• Exceptions
    • Preparatory to research
    • Decedent
    • De-identified
    • Limited Data Set

HIPAA Authorization

Authorization signed by patient for all clinical research

Patient authorization elements:
• The information
• Who may use or disclose the information
• Who may receive the information
• Purpose of the use or disclosure
• Expiration date or event
• Individual’s signature and date
• Right to revoke authorization
• Right to refuse to sign authorization
• Redisclosure statement

HIPAA Authorization

• The information
    • Relates to “minimum necessary standard” (we will use only the PHI we need for the research)
• Who may use or disclose the information
    • “the PI and the research team”
• Who may receive the information
    • The sponsor/CRO/central labs/etc.

HIPAA Authorization

• Purpose of the use or disclosure
    • Short description of research
• Expiration date or event
    • “end of study”; “never” for databases
• Individual’s signature and date
    • Subject must receive signed copy
    • Must be retained for 6 years

HIPAA Authorization

• Right to revoke authorization
    • Must be made in writing
    • Reliance exception
• Right to refuse to sign authorization
    • If refusal exercised, research related treatment can be withheld—note you cannot as a provider condition signing an authorization for research on the provision of non-research related treatment
• Redisclosures not protected
    • Statement that redisclosures may happen and their PHI would no longer be protected

Problem areas

• Creation of research databases from treatment encounters
• Compound authorizations not permitted—e.g., to build a research database and do specific research from that database
• Future unspecified research cannot be authorized—particular problem with Sponsor requested language
• Patients’ general right to their health information—does this extend to research related treatment?

HIPAA Waiver of Authorization

• Most likely to be used in cases of research involving retrospective chart reviews
• IRB/Privacy Board may also waive authorization to allow use of PHI by third parties to recruit study subjects—no waiver or authorization needed to recruit a researcher’s patients into a clinical trial

Waiver Criteria applied before records research

HIPAA Waiver Criteria

Waiver requires IRB/Privacy Board approval and documentation of three (3) waiver criteria:

1. Use or disclosure involves no more than minimal risk to privacy of the subject based on, at least:
    • Adequate plan to protect the information from improper use and disclosure;
    • Adequate plan to destroy identifiers; and
    • Written assurances that the PHI will not be disclosed further than as set forth in the waiver

HIPAA Waiver Criteria, cont’d

2. The research could not practicably be conducted without waiver or alteration
3. The research could not practicably be conducted without access to and use of the PHI

Waiver problem areas

• Case studies—case studies are generally not research and must be de-identified
• Limited # of subject studies
• Your research involves the disclosure of health information which the patient has to authorize—e.g., HIV status
• You’re requesting a waiver for research where the Privacy Board believes you have ample opportunity to get actual authorization—e.g., research database creation

Recruitment Issues

• PI who is also the subject’s MD may contact his/her patients directly about research
• IRB approved recruitment letters ok—should be signed by treating MD—active versus passive consent
• IRB approved advertisement—subjects call investigator or screening service
• Not OK—recruiting out of waiting rooms; investigators with no relationship calling patients directly

Authorization and Waiver exceptions

There can be no disclosure of PHI to researchers from CU or NYPH without authorization or waiver unless the disclosure is for:

1. Preparatory research—i.e., to assess feasibility of research; formulate a research hypothesis; or define recruitment cohort
2. Or an exception applies—e.g., decedent; de-identified; limited data set

Exceptions Documented
• Preparatory to research

Reviews Preparatory to Research

The CE (covered entity) obtains a representation from the researcher that:
• Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol;
• No protected health information is to be removed from the covered entity by the researcher in the course of the review; and
• The protected health information is necessary for the research purposes.

De-Identified Health Information

1. If information is “de-identified” in accordance with “generally accepted statistical and scientific principles or methods”
2. If all identifiers listed in a “safe harbor” are removed—this safe harbor requires the removal of 18 identifiers (of limited use)
3. Dummy identifier to facilitate linkage within CE permitted

Exceptions: Research on a decedent • De-identified • Limited data set

Limited Data Set

• Permits identifiers not permitted by de-identification safe harbor such as:
    • Zip code, town, city & state, date of birth/death and dates of service
• Benefit: no need for waiver or authorization if only disclosing a limited data set to a researcher; accounting rule doesn’t apply
• Requires a “data use agreement” with the intended recipient

Limited Data Set

Authorized for public health, research, and health care operations purposes:

1. Public health uses—disease registries maintained by private sector or universities or other types of studies for public health purposes
2. Possible health care operations use—hospital sharing of limited data set information with local hospital association
3. Possible research use—establishment of research databases and repositories
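The two release tiers the preceding slides describe (safe-harbor de-identification with a dummy linkage identifier, and the limited data set that keeps zip code, city/state and dates under a data use agreement), as an added Python example that is not part of the presentation or of any CUMC tool. Field names, the sample records and the linkage key are constructed, and the identifier set is a partial illustration rather than the full safe-harbor list; the year-only and "90+" handling comes from the safe-harbor rule text rather than from the slide.

```python
"""Constructed release filter for the two tiers the slides describe: a
safe-harbor de-identified record and a limited data set (LDS) record.
Field names are constructed; DIRECT_IDENTIFIERS is a partial illustration."""
import hashlib
import hmac
from datetime import date

# Direct identifiers stripped in BOTH tiers (constructed names, partial list).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "street", "account_no"}
# Fields a limited data set may keep but safe harbor must not (as the slide lists them).
LDS_ONLY = {"zip", "city", "state", "date_of_birth", "date_of_death", "dates_of_service"}
AS_OF = date(2005, 4, 20)  # constructed reference date for age computation


def linkage_id(secret: bytes, mrn: str) -> str:
    """Keyed pseudonym (HMAC-SHA256) so only the covered entity holding the key can
    re-link records; a plain hash of the MRN could be brute-forced by a recipient."""
    return hmac.new(secret, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def limited_data_set(record: dict, secret: bytes) -> dict:
    """Drop direct identifiers, keep geography and dates, add the linkage id."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["link_id"] = linkage_id(secret, record["mrn"])
    return out


def safe_harbor(record: dict, secret: bytes, as_of: date = AS_OF) -> dict:
    """Drop direct identifiers AND the LDS-only fields; keep only the birth year,
    collapsing ages over 89 into a single '90+' category (safe-harbor rule detail)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS | LDS_ONLY}
    out["link_id"] = linkage_id(secret, record["mrn"])
    dob = record.get("date_of_birth")
    if dob is not None:
        age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
        if age > 89:
            out["age"] = "90+"
        else:
            out["birth_year"] = dob.year
    return out


def check_release(record: dict, tier: str) -> list:
    """Return the field names that must not leave the covered entity under `tier`
    ('limited_data_set' or 'safe_harbor'); an empty list means the record is clean."""
    forbidden = DIRECT_IDENTIFIERS if tier == "limited_data_set" else DIRECT_IDENTIFIERS | LDS_ONLY
    return sorted(k for k in record if k in forbidden)


# Constructed records, not real patients.
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "street": "1 Example St", "city": "New York", "state": "NY", "zip": "10032",
    "date_of_birth": date(1970, 5, 4), "dates_of_service": [date(2004, 3, 1)],
    "diagnosis_code": "E11.9", "lab_hba1c": 7.4,
}
SAMPLE_OLD = dict(SAMPLE, mrn="MRN-0002", date_of_birth=date(1912, 5, 4))

if __name__ == "__main__":
    key = b"constructed-linkage-key"  # in practice held only by the covered entity
    lds = limited_data_set(SAMPLE, key)
    print("LDS record:", lds)
    print("Safe-harbor record:", safe_harbor(SAMPLE, key))
    print("Safe-harbor record (age > 89):", safe_harbor(SAMPLE_OLD, key))
    # An LDS record shipped as if it were de-identified fails the release check.
    print("LDS fields not allowed under safe harbor:", check_release(lds, "safe_harbor"))
```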

HIPAA Security

Soumitra Sengupta, Information Security Officer
Columbia University Biomedical and Health Information Services (CUBHIS)

HIPAA Recap

• Health Insurance Portability and Accountability Act (HIPAA) - 1996
• Administrative Simplification
    • Transaction code standards (November 2003)
    • Privacy (April 2003)
    • Information Security (April 2005)

Definitions

• Protected Health Information (PHI)
    • Health or medical information identifiably linked to a specific individual, such as information about:
        • their identity – demographic and financial data
        • their medical condition and treatment – clinical data
• Electronic PHI (EPHI)
    • PHI stored on or transmitted via our computers and networks, including CDs, PDAs, tapes, and clinical equipment

Goal of HIPAA Security regulation is to – Secure EPHI

• Confidentiality
    • Prevent unauthorized access or release of EPHI
    • Prevent abuse of access (identity theft, gossip)
• Integrity
    • Prevent unauthorized changes to EPHI
• Availability
    • Prevent service disruption due to malicious or accidental actions, or natural disasters.

Concepts of Info Security

• Administrative Safeguards
    • Policies and Procedures
    • Responsibility
    • Awareness and Training
    • Incident Processing, Sanctions
• Physical Safeguards
    • Workstation Use and Security
    • Facility Access Control
    • Device and Media Control
• Technical Safeguards
    • Access Control
    • Audit Control
    • Encryption and Integrity control

Regulation specification

Development of Policies and Procedures:
• Information Security Mgmt Process
• Information Access Mgmt & Control
• General Info Security
• Info Sec: Audit and Evaluation
• Workstation Use and Security
• Workforce Security Clearance, Term and Auth
• Info Sec: Backup, Device & Media Control
• Info Sec: Facility Access Control & Security
• Info Sec: Disaster Contingency & Recovery Plan
• Info Sec: Security Incident Procedure

Action items to compliance

Information Security Best Practices

• Infrastructure security
    • Computer network and systems security
        • Firewalls, Intrusion Detection/Prevention systems
        • Secure remote access – VPN
        • Assuring availability: Bandwidth restrictions to the Internet
    • Anti-virus (Symantec)
    • Anti-spyware (Pest Patrol)
    • Host Integrity Check (Tripwire)
    • Communication with patients (Relay Health)
• Facilities Security
    • Data Centers (planned upgrade)

Action items to compliance

• Infrastructure security
• Workforce Security
    • Authentication and Termination
        • Columbia UNI, CUMC/NYP LDAP, Weill Cornell LDAP
        • Termination from NYP, CU, WC Human Resources, CU Student Information Services, WC Students, Service Corporation, Private/Temp employees, etc.
• Security Incident Processing and Sanctions
• Others

Action items to compliance

• Information Asset Owner Responsibility
    • Risk Assessment and management
        • Tier A – More than 20 users – A Detailed Security Questionnaire and a set of formal Documentation about security of the asset
        • Tier B – Less than 20 users – A Limited Security Questionnaire – 11 security questions
    • Implementation of Security Controls
    • Audit and evaluation
    • Disaster Contingency and Recovery Plan
• Additional information in Policy documents

Responsibility action items

• Report EPHI applications with more than 20 users to us to initiate rigorous security risk assessment
• For applications with less than 20 users, CUBHIS is scheduling for an external agency to conduct security sessions for asset owners to
    • Learn about necessary security methods
    • Help fill out the limited Questionnaire
• CUBHIS is also available for server and workstation management services for assets that need better management (“Custodial functions”)

Action items

• We will incorporate security training with privacy training; call upon us to discuss HIPAA security with your department.
• All new Clinical Systems must be technically evaluated and approved by Dr. Randy Barrows Jr., Asst VP, CUBHIS Clinical Resources. Approval criteria include HIPAA Security check requirements.
• All EPHI assets are required to be registered
• We are working with IRB and Privacy Board to incorporate Security checks for research systems. Expect guidance from IRB about security of all research, not just EPHI research.

Action items

• Manager responsibility
    • Workforce Clearance, Termination and Authorization
    • Facilities access to sensitive information assets
    • Education, security reminders, sanctions
• End User responsibility
    • “Acceptable Use”
    • Safe practices
    • Sensitivity towards patient privacy

Responsibility action items

Consequences of Security Failure

• Disruption of Patient Care
• Increased cost to the institution
• Legal liability and lawsuits
• Negative Publicity
• Identity theft (monetary loss, credit fraud)
• Disciplinary action

Types of Security Failure

• Intentional Attacks
    • Malicious Software (Virus, Spyware)
    • Stolen Passwords (Keyloggers, Trojans)
    • Impostors e-mailing to infect and steal info (Phishing)
    • Theft (Laptop, PDA, CD/USB storage devices, etc.)
    • Abuse of privilege (Employee/VIP clinical data)
    • Theft of copyrighted material (Kazaa)

Types of Security Failure

• Employee Carelessness
    • Sharing Passwords
    • Not signing off systems
    • Downloading and executing unknown software
    • Sending EPHI outside the institution without encryption
    • Losing PDA and Laptop in transit
    • Pursuing risky behavior – Improper web surfing, and instant messaging
    • Not questioning, reporting, or challenging suspicious or improper behavior

Methods to Protect against Failures

• Install anti-virus and anti-spyware solutions; install security patches
• Update definitions daily
• Use caution when viewing web pages and e-mail attachments, and when using games and programs
• Choose strong passwords, refuse to share them, and change them if you suspect a breach
• Protect your laptop or PDA with a password, and turn on encryption on sensitive folders, including copies on CD, Floppy, USB storage devices, etc.

Methods to Protect against Failures

• Do not abuse clinical access privilege; report if you observe an abuse (if necessary, anonymously)
• Do not be responsible for another person’s abuse by neglecting to sign off; this negligence may easily lead to your suspension and termination
• Do not copy, duplicate, or move EPHI without a proper authorization
• Do not email EPHI without encryption to addresses outside the institution

Methods to Protect against Failures

• Strictly follow principles of ‘Minimum necessary’ and ‘Need-to-know’ for all accesses – the 3 fundamental missions of the institution are Care, Education and Research.
• Challenge improper behavior, question suspicious behavior, report violations and security problems to proper authorities – email to [email protected] (columbia.edu) or [email protected] (cumc.columbia.edu), or call Privacy Office (1-212-305-7315) or call CUBHIS Helpdesk (1-212-305-HELP)
• Communicate with colleagues and staff about secure and ethical behavior

More Information

• Current Website: Go to http://www.cumc.columbia.edu/cubhis/ and select Security, and then CUMC HIPAA
• Email to [email protected] (cumc.columbia.edu) or [email protected] (columbia.edu)