HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate...
-
Upload
horace-greene -
Category
Documents
-
view
216 -
download
0
Transcript of HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate...
![Page 1: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/1.jpg)
HIPAA SURVIVAL SKILLS: An
Update
University of Miami 1
Marisabel Davalos, M.S.Ed., CIPAssociate Director of Educational Initiatives
November, 2008
![Page 2: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/2.jpg)
Responsible for review, approval and monitoring of human subject research conducted by UM faculty, staff and students
Includes ensuring compliance with University of Miami HIPAA policies
Plan must contain elements required under HIPAA
Documentation of compliance with Covered
Entity source of PHI University of Miami
2
![Page 3: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/3.jpg)
Health Insurance Portability and Accountability Act (HIPAA)
Effective on April 14, 2003
Federal law that protects the privacy of individually identifiable health information (PHI)
Title 45 of the Code of Federal Regulations Parts 160 and 164
University of Miami 3
![Page 4: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/4.jpg)
Covered Entity – Custodians of PHI
They must make a good faith effort to comply with the rule
Three types of “ Covered Entities”
Health Care ProvidersIncludes organizations, individuals such as researchers when they provide health care, e.g. clinical trials
Health Care Plans Insurers and payors
Health Care ClearinghousesBilling services
University of Miami 4
![Page 5: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/5.jpg)
Hybrid Covered Entity
The University is not a covered entity. It is a hybrid entity with certain health care components covered by HIPAA and research components that may not be covered by HIPAA and that fall outside the “covered entity”.
University of Miami 5
![Page 6: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/6.jpg)
University of Miami 6
UM – Hybrid Entity
Covered Components
Treatment
Payment
Health Care Operations
Non-Covered
Components
Research
![Page 7: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/7.jpg)
Investigators who do not access or create health information from/with the “covered entity” because they are acting solely as researchers and not health care providers are not considered part of the UM/JHS “covered entity” and are not subject to HIPAA regulations.
Necessary compliance with State privacy laws and Institutional and IRB policies only.
University of Miami 7
![Page 8: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/8.jpg)
Obtained and access to PHI from a “covered entity” – those who create, use, or access health information while providing health care services to research subjects - must comply with HIPAA regulations as well as state privacy, institutional and IRB policies.
University of Miami 8
![Page 9: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/9.jpg)
Clinical trials
Chart reviews
Epidemiological studies
Behavioral and Social Science Studies
Some basic science research activities
Studies may include the provision of treatment but others may provide neither treatment or diagnosis. University of Miami
9
![Page 10: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/10.jpg)
Section 24.2 of the HSRO Policies & Procedures contains some important terms related to HIPAA:
P
HI – protected health information derived from the past, present, future physical or mental health care of an individual managed by a covered entity
RHI – Research-related health information, personally identifiable information distinct from PHI by not being associated with or derived from health care or payment for care.
University of Miami 10
![Page 11: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/11.jpg)
Protected Health Information (PHI) is any individually
identifiable information that is transmitted or maintained
in electronic medium, or in any other form or medium
Medical RecordsE.g. Medical History, Diagnosis, Treatment
Payment InformationE.g. Bills, Receipts
Ancillary ServicesE.g. X-Rays, Labs
Demographic Information (When Maintained with Health Information)E.g. Date of Birth, Social Security Number
University of Miami 11
![Page 12: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/12.jpg)
When providing health care to individuals, researchers are considered health care providers
When accessing existing protected health information, HIPAA privacy rules applies
University of Miami 12
![Page 13: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/13.jpg)
1. Keep records of certain disclosures
2. Provide only minimally necessary information, including:
a. Use pursuant to waiverb. Use preparatory to researchc. Use of decedents’ PHI
d. Use of limited data sets
3. Provide an accounting of certain disclosures, including:
a. Use pursuant to waiverb. Use preparatory to researchc. Use of decedents’ PHI
Note: This requires significant resources, e.g. time and labor, as well as strong internal controls on the part of the covered entity.
University of Miami 13
![Page 14: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/14.jpg)
Investigators will need to go through the covered entity’s “HIPAA-Hoops” to obtain data
UM IRB will need to consider research subjects’ privacy rights
University of Miami 14
![Page 15: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/15.jpg)
University of Miami 15
How Can PHI be Obtained for Research?
Authorization (Form B)
Limited Data Set / Data Use Agreement (Form C)
Waiver of Authorization (Form F)
Certification for Review Preparatory to Research (Form E)
Decedent Certification (Form D)
De-Identification
To Access PHI for Research:
![Page 16: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/16.jpg)
University of Miami 16
![Page 17: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/17.jpg)
University of Miami 17
![Page 18: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/18.jpg)
Each study participant permits Use & Disclosure of their PHI for research purposes
Must contain Privacy Notice provisions
University of Miami 18
![Page 19: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/19.jpg)
University of Miami 19
Authorization Core Elements:
Specific and meaningful description of information to be used or disclosed
Identification of the person or class of person releasing the information
Description of the investigator or class of persons receiving the information
Description of each purpose of the requested use or disclosure
Expiration date or event Signature and date
Authorization (Form B)
![Page 20: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/20.jpg)
University of Miami 20
Confidentiality
Other Authorization Contents:
Individual right to revoke authorization Covered entities are not permitted to condition
treatment on the provision of authorization Must explain potential for information to be re-
disclosed by the recipient and that the recipient may not be required to comply with the Privacy Rule
Must be written in plain language Copies must be provided to individual permitting
the use and disclosure of PHI
![Page 21: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/21.jpg)
The IRB waives the authorization requirement
PI must justify the request for the waiver
Note: Most applicable when obtaining authorization is impracticableE.g. Retrospective Medical Research, Identifiable Database Research
University of Miami 21
![Page 22: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/22.jpg)
In order to obtain the waiver, researchers must
justify the following criteria:
The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals
Describe plan to protect identifiers e.g. Who has access to PHI?
Describe plan to destroy identifiers or return identifying information to the covered entity
Provide assurance that PHI will not be re-used or disclosed to others
The research could not practicably be conducted without the waiver or alteration to the authorization; and
The research could not practicably be conducted without access to and use of the PHI
University of Miami 22
![Page 23: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/23.jpg)
Decedent PHI is health information collected from deceased (prior to the study) subject’s records.
Investigator’s Certification for Research with Decedents (Form D) must be submitted.
University of Miami 23
![Page 24: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/24.jpg)
University of Miami 24
![Page 25: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/25.jpg)
University of Miami 25
HIPAA requires that use and disclosure of, and requests for, protected health information (PHI) must be limited to the “minimum necessary to accomplish the intended purpose.”
Example: Only the information pertaining to a specific use should be given to researcher.
Minimum Necessary Requirement
![Page 26: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/26.jpg)
University of Miami 26
The requirements for de-identifying information are so extensive that often the data is of limited value to researchers.
The Privacy Rule permits the use and disclosure of PHI via a “limited data set” with a “data use agreement”.
Limited Data Set
![Page 27: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/27.jpg)
Limited set of identifiers to be used for research, public health, and health care operations purposes
Permits use of some identifiable health information:
Five-Digit Zip Codes City, State Dates of Birth Age Expressed in Years, Months, Days or Hours Dates of Death Dates of Admission/Discharge/Service
Excludes direct identifiers
Recipient enters into a “data use agreement” with covered entity in a form mandated by HIPAA (Form C)
Recipient enters into a “Business Associate Agreement” with covered entity
University of Miami 27
![Page 28: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/28.jpg)
1. Defines who can use or receive data;
2. Defines for what purpose the data may be used;
3. Provides that PI will not re-identify the data or
contact the subject;
4. Provides that data will be safeguarded & not used
for unauthorized purposes;
5. Provides that researcher will report improper uses
& disclosures;
6. Provides that researcher will “push down” privacy
protection obligations to subcontractors.
University of Miami 28
![Page 29: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/29.jpg)
University of Miami 29
At UM, investigators will serve dual roles: BAs of thecovered entity in order to access the PHI to create the limited data set; and investigator/recipient of the LDS.
Prior to disclosing PHI to the business associate, UM is required to enter into a written agreement with the BA that imposes specified safeguards on the PHI used or disclosed by the BA.
HIPAA Business Associate (BA)
![Page 30: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/30.jpg)
Form mandated by HHS, in which the recipients satisfactorily assures the covered entity (UM/JHS) that they will protect the information from further disclosure.
Before data is released, there needs to be specific descriptions of the methods the recipient will use to assure that the privacy of the information is protected. This is to be documented in a data use agreement or business associate agreement, depending on the situation.
University of Miami 30
![Page 31: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/31.jpg)
University of Miami 31
![Page 32: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/32.jpg)
Physicians in the clinical setting may disclose identifying patient information to a researcher who wishes to recruit the patient for a study provided…
The physician first obtains the patient’s signed authorization to disclose the information to the researcher so the patient can be contacted.
University of Miami 32
![Page 33: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/33.jpg)
Jackson Health System (JHS)
Physicians who identify patients eligible for a research study must use the JHS form to obtain the patient’s authorization to release information to the researcher Form Available on HSRO Website, “JMH
Research Authorization”U
M A research referral authorization form is still
being devised.
University of Miami 33
![Page 34: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/34.jpg)
HIPAA regulations grant individuals the right to receive an accounting of disclosures of their PHI made by a covered component for the six years prior to the request or since the applicable compliance date.
Records must include specific information regarding each disclosure.
University of Miami 34
WAIVERS
![Page 35: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/35.jpg)
The Privacy Rule allows a simplified accounting by Covered Entities for disclosures of PHI for research purposes without an individual’s authorization.
Under simplified accounting provisions, covered entities may provide individuals with a list of all protocols for which PHI has been disclosed, as well as the researcher’s name and contact information.
University of Miami 35
![Page 36: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/36.jpg)
University of Miami 36
General Rules For Use and Disclosure of PHI for Research:
Disclosures made pursuant to an IRB waiver of authorization
Authorized disclosures (Authorization)
Disclosures made pursuant to certifications
PHI furnished in limited data sets
Accounting Required
Accounting NOTRequired
Accounting for Disclosures (Attachment 45):
![Page 37: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/37.jpg)
University of Miami 37
General Rules For Use and Disclosure of PHI for Research:
Disclosures made pursuant to an IRB waiver of authorization
Disclosures made pursuant to certifications
Accounting Required
UM must complete an accounting for disclosures form (G) and submit form to privacy office and disclose PHI to research staff.
Disclosure forms must be completed by the PI for each patient participating in the study.
![Page 38: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/38.jpg)
Covered Entities may use and disclose PHI that was received or created for research before the compliance date (April 14, 2003) if they obtained one or more of the following prior to the compliance date:
An authorization or other express legal permission from an individual to use or disclose PHI for research purposes
The informed consent of the individual to participate in research
A waiver of informed consent granted by the IRB
University of Miami 38
![Page 39: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/39.jpg)
HSRO has “Written Policies and Procedures for the Protection of Human Research Subjects”.
Section, 24 specific to Privacy, Security, Confidentiality, and HIPAA were revised on August 6th, 2008.
Policies are available on our website under, “Investigator Resources”.
University of Miami 39
![Page 40: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/40.jpg)
Evelyne Bital, MS, CIP
Associate Director of Privacy & Regulatory Affairs, (305) 243-3195
e-mail: [email protected]
For general HIPAA information or to access standard HIPAA forms for research:
hsro.med.miami.edu
University of Miami 40
![Page 41: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/41.jpg)
Federal Regulations for HIPAA 45 CFR 160 and 45 CFR 164
University of Miami HIPAA Policies and Procedures
University of Miami 41
http://www.hhs.gov/ocr/hipaa/
http://www.hipaadvisory.com/
http://www.hipaadvisory.com/regs/
![Page 42: HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.](https://reader036.fdocuments.us/reader036/viewer/2022062423/56649edf5503460f94befaaa/html5/thumbnails/42.jpg)
University of Miami 42