HIPAA Privacy Rule and Research Elizabeth A. Trias, MA, CIP Pam Joy, RN, MN, PNP November 2003 (rev....
HIPAA Privacy Rule and Research
Elizabeth A. Trias, MA, CIP
Pam Joy, RN, MN, PNP
November 2003 (rev. May 2004)
2
WA State Law & Privacy Rule
Good News: Children’s researchers already operate in compliance with Washington State’s Uniform Health Care Information Act.
Many of the HIPAA Privacy Rule requirements for research were already in place.
Impact of HIPAA on researchers in the state of Washington is less than in other states.
3
Highlights of the Privacy Rule
Effective April 14, 2003.
Sets a federal floor for patient Protected Health Information (PHI), but:
  • States may have more stringent privacy protections, and
  • The more stringent law (HIPAA or state) governs.
Today we’ll review privacy rule implications for research.
Failure to comply can result in civil fines ($) and criminal penalties.
(Remember to thank them, not us!)
4
Protected Health Information
Privacy Rule protects health information identifying a person (or information that can be used to identify a person):
• All individually identifiable health information that Children’s creates, uses or receives.
• Includes information about:
  • Past, present or future physical or mental health of a person,
  • Provision of health care to that person, and
  • Payment for care received.
• Includes information in written, electronic or oral form.
5
What is Patient Identifiable?
Information containing any one of 18 identifiers:
• Name
• Social Security Number
• Device identifiers and serial numbers
• Geographic subdivisions smaller than state (street address, city, county, precinct, zip code, equivalent geo-codes except first 3 digits of a zip code)
• All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death, and ages over 89
• URL (Web Universal Resource Locator)
• Medical record numbers
• Health plan beneficiary numbers
• Biometric identifiers (including finger or voice prints)
• Telephone numbers
• Account numbers
• Full face photographs
• Fax numbers
• Certificate/license numbers
• Internet Protocol (IP) address numbers
• Email addresses
• Vehicle identifiers and serial numbers, including license plate numbers
• Any other unique identifying number, characteristic, or code
6
Use & Disclosure of PHI
Use: Sharing within the entity.
Disclosure: Sharing outside the entity.
Privacy rule allows use and disclosure without specific authorization for Treatment, Payment, and Operations (TPO).
Research is not considered to be treatment, payment or operations.
7
Minimum Necessary Standard
Must limit PHI use or disclosure to the minimum necessary to accomplish the intended purposes of the research.
Minimum necessary applies:
• Pursuant to a waiver of authorization,
• Use or disclosure of decedent’s PHI,
• Uses preparatory to research, and
• for Limited Data Sets.
Minimum necessary does not apply to:
• Treatment disclosures or requests,
• Use or disclosure made under an authorization,
• Disclosures to the patient of his/her PHI,
• Disclosures to DHHS for compliance, and
• Uses or disclosures required by law.
9
Overview of Impact at Children’s
Under the Privacy Rule, researchers must:
• Provide more detailed information to the IRB about how PHI will be created, used or shared,
• Provide more information to research participants during the consent process and gain specific authorization for the use of their PHI, and
• Track disclosures of PHI for studies that IRB has approved with waiver of authorization requirement
Affects any research conducted under Children’s auspices that creates, uses or discloses PHI.
10
Impact on Clinical Research
[Diagram: research process steps: Design Research Study, Gain IRB Approval, Screen participants (Obtaining PHI), Recruit participants, Conduct Research, Generate Results & Reports]
New Privacy Requirements
• Oath of Confidentiality for Recruitment
• Documentation of IRB approval (IRB cover sheet)
• Authorization signed for each subject and filed with Medical Records
11
Screening Patients
Obtain IRB approval
  • Include signed “Oath of Confidentiality – Recruitment” if researchers need access to protected health information to identify, select and recruit patients
Screen participants
  • Present documentation of IRB approval (IRB cover sheet) & signed Oath of Confidentiality – Recruitment when requesting data or records on potential participants (e.g., Medical Records, Lab, Radiology),
  • Obtain/Use only the minimum necessary PHI, and
  • All PHI must remain within Children’s
Recruit participants
  • Obtain signed authorization for each subject (file original with original consent form in researchers’ file), or
  • Destroy PHI for participants who do not take part, do not respond or are not eligible
12
Authorizations
“Permission to Use, Create and Share Health information for Research” authorization form:
• Contains required elements of authorization under Privacy Rule,
• Signed by parent or legal guardian unless participant is a legal adult (18 years and older)
• Allows researchers to use subject’s PHI for a specific research study.
At Children’s, authorization is separate from the research consent:
• Avoids detracting from essential elements of consent form, and
• Ensures consistent compliance with privacy elements.
13
Signed Authorizations: Where to File
Signed Authorizations:
• Signed Original remains in the principal investigator’s research files along with original, signed consent form
• Signed Copy to parent or research participant (if 18 and older)
• Signed Copy to Children’s Medical Records – Filing 4P-2, if research participant is Children’s patient (patient information box must be completed)
14
Authorization Form
Available on IRB Web Site under Forms and under HIPAA and Research – http://irb.seattlechildrens.org
Versions in English, Vietnamese, Spanish, Somali, Russian, Korean, Simplified Chinese and Traditional Chinese.
Researcher must complete the highlighted areas (e.g., study title, name and address of PI, name of sponsor, etc.)
Researcher must complete the box at the end of the form if research participant is a Children’s patient. Required so that authorization can be filed in the participant’s medical record
15
Clinical Studies (with Authorization) Before & After 4/13/2003
Status of Research Study: Action Required
1. New research study: Enrollees need to sign authorization form and consent form
2. On-going analysis – Data collection complete: No further HIPAA compliance activity required
3. On-going research – Consented: No further compliance activity required
4. On-going research – Requiring re-consents: All re-consenting enrollees need to sign authorization form and consent form
5. On-going research – Enrolling new participants: All new enrollees need to sign authorization form and revised form
New = Study initiated on or after April 14, 2003.
On-Going = Study approved before April 14, 2003.
16
Research Under Waiver of Authorization
[Diagram: research process steps: Design Research Study, Gain IRB Approval for Waivered Study, Collect Data, Analyzing Data, Generate Results & Reports]
New Privacy Requirement
• Signed Oath of Confidentiality
• Documentation of IRB approval (IRB cover sheet)
• If tracking required (IRB will advise) researcher keeps track of patients whose records are being used.
17
Waiver of Authorization
Researcher is asking IRB to waive authorization from patient or their parent to use their PHI in research:
• Almost exclusively used for retrospective records review research.
• Must meet HIPAA criteria for waiver of authorization.
• Must also meet Federal Regulations (Common Rule) and Washington State law for waiver of consent/permission.
18
HIPAA Criteria for Waiver of Authorization
The use or disclosure of protected health information must involve no more than minimal risk to the privacy of the individual, based on at least the presence of the following:
An adequate plan to protect the identifiers from improper use or disclosure
An adequate plan to destroy the identifiers at the earliest opportunity, unless retention of identifiers is required by law; and
Adequate written assurance that the PHI will not be used or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject.
19
Criteria for Waiver of Authorization cont.
The research could not practicably be conducted without the waiver or alteration; and
The research could not practicably be conducted without access to the protected health information
20
Implications for Research Under Waiver
Obtain IRB approval
  • Include signed “Oath of Confidentiality”
Collect Data:
  • Provide documentation of IRB approval (IRB cover sheet) to data sources (e.g., Medical Records, Lab, Radiology).
  • Complete forms as required by providing department, e.g., ‘Research Chart Request Form’ for Medical Records; “Request for Tissue for Use in Research” for Laboratory
  • If tracking required, record access on “Disclosure Tracking” form located at http://irb.seattlechildrens.org/hipaa.asp (Medical Records will do tracking when researchers are requesting paper copies of the medical record).
  • Obtain/Use only the minimum necessary PHI
21
Disclosures of PHI without Authorization
Patients have right to request an accounting of how their/their child’s PHI was disclosed without their authorization.
Disclosure means communicating information (PHI) outside the covered entity.
Use means communicating information (PHI) within the covered entity
22
Children’s – Covered Entity
Researchers would be considered part of Children’s workforce (the covered entity) if one of the following applies:
• Employee of Children’s
• Employee of Children’s University Medical Group (CUMG)
• Residents and Fellows working at Children’s
23
Tracking of Disclosures
Children’s is responsible for tracking unauthorized disclosures.
Disclosures are tracked; Uses are not.
IRB will advise researchers at the time their research project is reviewed whether tracking is required.
24
Tracking Disclosures
Unauthorized disclosures of PHI for research purposes must be tracked.
Children’s has tracking form available on IRB web site (online version and Word version).
The following information must be tracked:
• IRB # and Research Study Title
• List of individuals whose PHI was accessed, including their Medical Record #,
• Date of access,
• Name of person/entity accessing the PHI, and
• Brief description of PHI accessed.
25
Tracking of Disclosures is Not Required
To carry out Treatment, Payment or Operations (TPO) of the Covered Entity
Disclosure is to the individual or their legal representative (parent)
Pursuant to an Authorization
Limited Data Set
De-identified Data
26
Research Under Waiver (of Authorization and Consent)
Status of Research Study: Action Required
1. Research study – All research team members are part of Children’s workforce:
  • No Tracking required.
  • Departments providing PHI need documentation of IRB approval.
2. Research study – Not all members of research team are part of Children’s workforce:
  • Tracking required.**
  • Departments providing PHI need documentation of IRB approval.
**Tracking required means:
  • Complete Disclosure Tracking Form
  • If researcher is only using the paper medical records, i.e., patient charts, Medical Records will do tracking.
27
Limited Data Sets
Contain limited direct identifiers that may include:
• Dates: admission, discharge and service dates, date of birth, date of death,
• Age (including age 90 or over), and
• Geographical subdivisions such as state, county, city, precinct and five digit zip code.
Advantages:
• No need to track disclosures.
But remember:
• Cannot use LDS information to contact individuals,
• Recipient must sign a data use agreement (DUA) (a kind of “super-confidentiality” agreement),
• Minimum necessary standard applies, and
• Still requires IRB approval.
28
De-Identified Data
Previously known as anonymous data.
How to de-identify data:
• Expert in statistical principles reviews and documents methods used to determine that risk is “very small” that data could be used alone or in combination with other reasonably available information to re-identify, or
• All 18 identifiers must be removed. You must know that remaining information cannot be used alone or in combination with other information to re-identify.
Common Rule and State Law still apply!
29
Implications for De-Identified & Coded Data
Common Rule considers coded information to be indirectly identifiable.
A protocol must be submitted to the IRB even if a researcher plans to de-identify information.
IRB will determine whether it qualifies for exempt or expedited IRB application.
30
Requirements Summary
Requirement
IRB Approval
Identifiable Data: Consented/Authorized: Required
Identifiable Data: Waivered Study: Required
Limited Data Set: Required
De-Identified Data: Required
Authorization or Waiver
Required Required Required Required
Data Use Agreement
Required
Minimum Necessary
Applies
Tracking Disclosures*
Applies
Applies
* PHI access is a disclosure if any member of research team is not part of Children’s workforce
31
Other Implications
Case Studies:
• Children’s does not consider to be research or require IRB review.
• Privacy Rule does apply
• Must be de-identified when disclosed
• Consent/authorization is best
• Formal policy and approval process being discussed
Departmental/Personal Databases:
• Purposes include patient care, education, and QA
• Privacy Rule applies
• Research using these databases requires IRB review
• Work is beginning to identify these databases to protect them to comply with the HIPAA Security Rule
32
Remember Rights of Participants
1. Right to privacy of PHI
2. Right to authorize use of identifiable PHI for research purposes
3. Right to an accounting of how identifiable PHI was disclosed for research without authorization
4. Right to revoke an authorization in writing.
  • No further PHI may be collected for the research after the authorization is revoked
  • Researchers may continue to use and disclose PHI that was collected under the authorization to maintain the integrity of the research
33
Questions?
Additional Resources:
IRB website http://irb.seattlechildrens.org:
• Outline of HIPAA-related responsibilities of researchers,
• Links to authorization form, disclosure tracking form, research chart request form, Oath of Confidentiality
External resources:
• “Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule” (http://privacyruleandresearch.nih.gov/), and
• Privacy Rule Research FAQs (http://answers.hhs.gov). Search under “research”.