HIPAA Privacy Rule and Research Elizabeth A. Trias, MA, CIP Pam Joy, RN, MN, PNP November 2003 (rev. May 2004)


HIPAA Privacy Rule and Research

Elizabeth A. Trias, MA, CIP

Pam Joy, RN, MN, PNP

November 2003 (rev. May 2004)

2

WA State Law & Privacy Rule

Good News: Children’s researchers already operate in compliance with Washington State’s Uniform Health Care Information Act.

Many of the HIPAA Privacy Rule requirements for research were already in place.

Impact of HIPAA on researchers in the state of Washington is less than in other states.

3

Highlights of the Privacy Rule

Effective April 14, 2003.

Sets a federal floor for patient Protected Health Information (PHI), but:
• States may have more stringent privacy protections, and
• The more stringent law (HIPAA or state) governs.

Today we’ll review privacy rule implications for research.

Failure to comply can result in civil fines ($) and criminal penalties.

(Remember to thank them, not us!)

4

Protected Health Information

Privacy Rule protects health information identifying a person (or information that can be used to identify a person):
• All individually identifiable health information that Children’s creates, uses or receives.
• Includes information about:
  • Past, present or future physical or mental health of a person,
  • Provision of health care to that person, and
  • Payment for care received.
• Includes information in written, electronic or oral form.

5

What is Patient Identifiable?

Information containing any one of 18 identifiers:

• Name

• Social Security Number

• Device identifiers and serial numbers

• Geographic subdivisions smaller than state (street address, city, county, precinct, zip code, equivalent geo-codes except first 3 digits of a zip code)

• All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death, and ages over 89

• URL (Web Universal Resource Locator)

• Medical record numbers

• Health plan beneficiary numbers

• Biometric identifiers (including finger or voice prints)

• Telephone numbers

• Account numbers

• Full face photographs

• Fax numbers

• Certificate/license numbers

• Internet Protocol (IP) address numbers

• Email addresses

• Vehicle identifiers and serial numbers, including license plate numbers

• Any other unique identifying number, characteristic, or code

6

Use & Disclosure of PHI

Use: Sharing within the entity.

Disclosure: Sharing outside the entity.

Privacy rule allows use and disclosure without specific authorization for Treatment, Payment, and Operations (TPO).

Research is not considered to be treatment, payment or operations.

7

Minimum Necessary Standard

Must limit PHI use or disclosure to the minimum necessary to accomplish the intended purposes of the research.

Minimum necessary applies:
• Pursuant to a waiver of authorization,
• Use or disclosure of decedent’s PHI,
• Uses preparatory to research, and
• For Limited Data Sets.

Minimum necessary does not apply to:
• Treatment disclosures or requests,
• Use or disclosure made under an authorization,
• Disclosures to the patient of his/her PHI,
• Disclosures to DHHS for compliance, and
• Uses or disclosures required by law.

8

What are Research Implications?

9

Overview of Impact at Children’s

Under the Privacy Rule, researchers must:
• Provide more detailed information to the IRB about how PHI will be created, used or shared,
• Provide more information to research participants during the consent process and gain specific authorization for the use of their PHI, and
• Track disclosures of PHI for studies that IRB has approved with waiver of authorization requirement.

Affects any research conducted under Children’s auspices that creates, uses or discloses PHI.

10

Impact on Clinical Research

[Diagram: research process steps]
Design Research Study; Gain IRB Approval; Screen participants (Obtaining PHI); Recruit participants; Conduct Research; Generate Results & Reports

New Privacy Requirements:
• Oath of Confidentiality for Recruitment
• Documentation of IRB approval (IRB cover sheet)
• Authorization signed for each subject and filed with Medical Records

11

Screening Patients

Obtain IRB approval
• Include signed “Oath of Confidentiality – Recruitment” if researchers need access to protected health information to identify, select and recruit patients

Screen participants
• Present documentation of IRB approval (IRB cover sheet) & signed Oath of Confidentiality – Recruitment when requesting data or records on potential participants (e.g., Medical Records, Lab, Radiology),
• Obtain/Use only the minimum necessary PHI, and
• All PHI must remain within Children’s

Recruit participants
• Obtain signed authorization for each subject (file original with original consent form in researchers’ file), or
• Destroy PHI for participants who do not take part, do not respond or are not eligible

12

Authorizations

“Permission to Use, Create and Share Health information for Research” authorization form:
• Contains required elements of authorization under Privacy Rule,
• Signed by parent or legal guardian unless participant is a legal adult (18 years and older)
• Allows researchers to use subject’s PHI for a specific research study.

At Children’s, authorization is separate from the research consent:
• Avoids detracting from essential elements of consent form, and
• Ensures consistent compliance with privacy elements.

13

Signed Authorizations: Where to File

Signed Authorizations:
• Signed Original remains in the principal investigator’s research files along with original, signed consent form
• Signed Copy to parent or research participant (if 18 and older)
• Signed Copy to Children’s Medical Records – Filing 4P-2, if research participant is Children’s patient (patient information box must be completed)

14

Authorization Form

• Available on IRB Web Site under Forms and under HIPAA and Research – http://irb.seattlechildrens.org
• Versions in English, Vietnamese, Spanish, Somali, Russian, Korean, Simplified Chinese and Traditional Chinese.
• Researcher must complete the highlighted areas (e.g., study title, name and address of PI, name of sponsor, etc.)
• Researcher must complete the box at the end of the form if research participant is a Children’s patient. Required so that authorization can be filed in the participant’s medical record.

15

Clinical Studies (with Authorization) Before & After 4/13/2003

Status of Research Study: Action Required

1. New research study: Enrollees need to sign authorization form and consent form

2. On-going analysis – Data collection complete: No further HIPAA compliance activity required

3. On-going research – Consented: No further compliance activity required

4. On-going research – Requiring re-consents: All re-consenting enrollees need to sign authorization form and consent form

5. On-going research – Enrolling new participants: All new enrollees need to sign authorization form and revised form

New = Study initiated on or after April 14, 2003.
On-Going = Study approved before April 14, 2003.

16

Research Under Waiver of Authorization

[Diagram: research process steps]
Design Research Study; Gain IRB Approval for Waivered Study; Collect Data; Analyzing Data; Generate Results & Reports

New Privacy Requirement:
• Signed Oath of Confidentiality
• Documentation of IRB approval (IRB cover sheet)
• If tracking required (IRB will advise) researcher keeps track of patients whose records are being used.

17

Waiver of Authorization

Researcher is asking IRB to waive authorization from patient or their parent to use their PHI in research:
• Almost exclusively used for retrospective records review research.
• Must meet HIPAA criteria for waiver of authorization.
• Must also meet Federal Regulations (Common Rule) and Washington State law for waiver of consent/permission.

18

HIPAA Criteria for Waiver of Authorization

The use or disclosure of protected health information must involve no more than minimal risk to the privacy of the individual, based on at least the presence of the following:

An adequate plan to protect the identifiers from improper use or disclosure

An adequate plan to destroy the identifiers at the earliest opportunity, unless retention of identifiers is required by law; and

Adequate written assurance that the PHI will not be used or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject.

19

Criteria for Waiver of Authorization cont.

The research could not practicably be conducted without the waiver or alteration; and

The research could not practicably be conducted without access to the protected health information

20

Implications for Research Under Waiver

Obtain IRB approval
• Include signed “Oath of Confidentiality”

Collect Data:
• Provide documentation of IRB approval (IRB cover sheet) to data sources (e.g., Medical Records, Lab, Radiology). Complete forms as required by providing department, e.g., “Research Chart Request Form” for Medical Records; “Request for Tissue for Use in Research” for Laboratory
• If tracking required, record access on “Disclosure Tracking” form located at http://irb.seattlechildrens.org/hipaa.asp (Medical Records will do tracking when researchers are requesting paper copies of the medical record).
• Obtain/Use only the minimum necessary PHI

21

Disclosures of PHI without Authorization

Patients have right to request an accounting of how their/their child’s PHI was disclosed without their authorization.

Disclosure means communicating information (PHI) outside the covered entity.

Use means communicating information (PHI) within the covered entity

22

Children’s – Covered Entity

Researchers would be considered part of Children’s workforce (the covered entity) if one of the following applies:

• Employee of Children’s
• Employee of Children’s University Medical Group (CUMG)
• Residents and Fellows working at Children’s

23

Tracking of Disclosures

Children’s is responsible for tracking unauthorized disclosures.

Disclosures are tracked; Uses are not.

IRB will advise researchers at the time their research project is reviewed whether tracking is required.

24

Tracking Disclosures

Unauthorized disclosures of PHI for research purposes must be tracked.

Children’s has tracking form available on IRB web site (online version and Word version).

The following information must be tracked:
• IRB # and Research Study Title
• List of individuals whose PHI was accessed, including their Medical Record #,
• Date of access,
• Name of person/entity accessing the PHI, and
• Brief description of PHI accessed.

25

Tracking of Disclosures is Not Required

To carry out Treatment, Payment or Operations (TPO) of the Covered Entity

Disclosure is to the individual or their legal representative (parent)

Pursuant to an Authorization

Limited Data Set

De-identified Data

26

Research Under Waiver (of Authorization and Consent)

Status of Research Study: Action Required

1. Research study – All research team members are part of Children’s workforce:
• No Tracking required.
• Departments providing PHI need documentation of IRB approval.

2. Research study – Not all members of research team are part of Children’s workforce:
• Tracking required.**
• Departments providing PHI need documentation of IRB approval.

**Tracking required means:
• Complete Disclosure Tracking Form
• If researcher is only using the paper medical records, i.e., patient charts, Medical Records will do tracking.

27

Limited Data Sets

Contain limited direct identifiers that may include:
• Dates: admission, discharge and service dates, date of birth, date of death,
• Age (including age 90 or over), and
• Geographical subdivisions such as state, county, city, precinct and five digit zip code.

Advantages:
• No need to track disclosures.

But remember:
• Cannot use LDS information to contact individuals,
• Recipient must sign a data use agreement (DUA) (a kind of “super-confidentiality” agreement),
• Minimum necessary standard applies, and
• Still requires IRB approval.

28

De-Identified Data

Previously known as anonymous data.

How to de-identify data:
• Expert in statistical principles reviews and documents methods used to determine that risk is “very small” that data could be used alone or in combination with other reasonably available information to re-identify, or
• All 18 identifiers must be removed. You must know that remaining information cannot be used alone or in combination with other information to re-identify.

Common Rule and State Law still apply!

29

Implications for De-Identified & Coded Data

Common Rule considers coded information to be indirectly identifiable.

A protocol must be submitted to the IRB even if a researcher plans to de-identify information.

IRB will determine whether it qualifies for exempt or expedited IRB application.

30

Requirements Summary

Requirement

IRB Approval

Identifiable Data: Consented/Authorized – Required

Identifiable Data: Waivered Study – Required

Limited Data Set – Required

De-Identified Data – Required

Authorization or Waiver

Required Required Required Required

Data Use Agreement

Required

Minimum Necessary

Applies

Tracking Disclosures*

Applies

Applies

* PHI access is a disclosure if any member of research team is not part of Children’s workforce

31

Other Implications

Case Studies:
• Children’s does not consider to be research or require IRB review.
• Privacy Rule does apply
• Must be de-identified when disclosed
• Consent/authorization is best
• Formal policy and approval process being discussed

Departmental/Personal Databases:
• Purposes include patient care, education, and QA
• Privacy Rule applies
• Research using these databases requires IRB review
• Work is beginning to identify these databases to protect them to comply with the HIPAA Security Rule

32

Remember Rights of Participants

1. Right to privacy of PHI

2. Right to authorize use of identifiable PHI for research purposes

3. Right to an accounting of how identifiable PHI was disclosed for research without authorization

4. Right to revoke an authorization in writing.
• No further PHI may be collected for the research after the authorization is revoked
• Researchers may continue to use and disclose PHI that was collected under the authorization to maintain the integrity of the research

33

Questions?

Additional Resources:

IRB website http://irb.seattlechildrens.org:
• Outline of HIPAA-related responsibilities of researchers,
• Links to authorization form, disclosure tracking form, research chart request form, Oath of Confidentiality

External resources:
• “Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule” (http://privacyruleandresearch.nih.gov/), and
• Privacy Rule Research FAQs (http://answers.hhs.gov). Search under “research”.