11

Research & Accounting for Research & Accounting for DisclosuresDisclosures

March 12, 2008March 12, 2008

Leslie J. Pfeffer, BS, CHPLeslie J. Pfeffer, BS, CHP

Office of the Vice President for Research AdministrationOffice of the Vice President for Research AdministrationOffice of Compliance ServicesOffice of Compliance ServicesIndiana University, IndianapolisIndiana University, Indianapolis

22

HIPAAHIPAA

• HIPAA – Health Insurance Portability & HIPAA – Health Insurance Portability & Accountability Act of 1996 (P.L. 104-191).Accountability Act of 1996 (P.L. 104-191).

• First comprehensive federal health privacy First comprehensive federal health privacy protection law.protection law.

33

Two Key Privacy Rule GoalsTwo Key Privacy Rule Goals

• Provide strong Federal protections for Provide strong Federal protections for privacy rightsprivacy rights

• Preserve quality healthcarePreserve quality healthcare

44

Why did the Government want the Why did the Government want the Privacy & Security Regulations?Privacy & Security Regulations?

55

Major ConceptsMajor Concepts

• Notice of the Use/DisclosureNotice of the Use/Disclosure– Notice of Privacy PracticesNotice of Privacy Practices– AuthorizationAuthorization

• Safeguarding PHI during its use and disclosureSafeguarding PHI during its use and disclosure

– Researchers are entrusted with this sensitive Researchers are entrusted with this sensitive information.information.

– Policies that address how PHI is accessed, Policies that address how PHI is accessed, stored and transferred so that unauthorized stored and transferred so that unauthorized use or disclosure is prevented.use or disclosure is prevented.

66

Creates Rights for PatientsCreates Rights for Patients

• Right to inspect & copy protected health Right to inspect & copy protected health informationinformation

• Right to amendRight to amend• Right to have reasonable requests for Right to have reasonable requests for

confidential communications accommodatedconfidential communications accommodated• Right to file a complaint with the Office for Civil Right to file a complaint with the Office for Civil

Rights or with the covered entityRights or with the covered entity• Right to written notice of information practices Right to written notice of information practices

from providers and health plansfrom providers and health plans• Right to an accounting of disclosuresRight to an accounting of disclosures

77

Accounting for Uses/DisclosuresAccounting for Uses/Disclosures

• Upon a patient’s request, a covered entity Upon a patient’s request, a covered entity must provide an accounting of all uses and must provide an accounting of all uses and disclosures of PHI without an authorizationdisclosures of PHI without an authorization

88

Protected Health Information (PHI)Protected Health Information (PHI)• PHIPHI

Individually identifiable health information, Individually identifiable health information, Created or received by a Covered Entity,Created or received by a Covered Entity,

• Relates to the: Relates to the: provision of health care to an individual; provision of health care to an individual; past, present, or future past, present, or future physical or mental health or condition of an physical or mental health or condition of an

individual; or payment for the provision of health individual; or payment for the provision of health care to an individual;care to an individual;

• Identifies the individual or there is a reasonable basis to Identifies the individual or there is a reasonable basis to believe the information can be used to identify the believe the information can be used to identify the individual. individual.

99

Access to PHIAccess to PHI

• A covered entity may use/disclose A covered entity may use/disclose PHI to carry out essential health care PHI to carry out essential health care functions (TPO)functions (TPO)– TreatmentTreatment

– PaymentPayment

– Health Care OperationsHealth Care Operations

1010

TreatmentTreatment

• TreatmentTreatment means the provision, means the provision, coordination or management of health coordination or management of health care by one or more health care providers.care by one or more health care providers.– Consultation between health care providersConsultation between health care providers– Patient referralsPatient referrals

• Important for Important for – Continuity of CareContinuity of Care– Quality of CareQuality of Care

1111

PaymentPayment

• Payment means activities of:Payment means activities of:

– Health care providers to obtain payment or be Health care providers to obtain payment or be reimbursed for their servicesreimbursed for their services

– Necessary to release information to Necessary to release information to Medicare/Medicaid and Commercial Medicare/Medicaid and Commercial Insurance Plans to be reimbursed for services Insurance Plans to be reimbursed for services providedprovided

1212

Health Care OperationsHealth Care Operations

Administrative, financial, legal and quality improvementAdministrative, financial, legal and quality improvementactivities necessary to run business and to support coreactivities necessary to run business and to support corefunctions of treatment and paymentfunctions of treatment and payment

• Fraud and abuse detectionFraud and abuse detection• Conducting or arranging for medical review, legal Conducting or arranging for medical review, legal

services, auditing or monitoringservices, auditing or monitoring• Business management and general administrative Business management and general administrative

activities Quality assessment and improvement activitiesactivities Quality assessment and improvement activities• Training, accreditation, certification, credentialing, Training, accreditation, certification, credentialing,

licensing, reviewing, competence, evaluating licensing, reviewing, competence, evaluating performanceperformance

1313

Access to PHI for ResearchAccess to PHI for Research

• Research Research ≠ ≠ TPOTPO

• To Use PHI for Research purposes To Use PHI for Research purposes must:must:– Obtain an Authorization or Obtain an Authorization or – Waiver of authorization approved by the Privacy Waiver of authorization approved by the Privacy

Board (IU’s IRBs)Board (IU’s IRBs)– Meet one of the exceptionsMeet one of the exceptions

1414

Access to PHI for ResearchAccess to PHI for Research

• Must comply with the Must comply with the Minimum Necessary Minimum Necessary RuleRule– mustmust take reasonable steps to limit the use, take reasonable steps to limit the use,

disclosure of, and requests for PHI to the disclosure of, and requests for PHI to the minimum necessaryminimum necessary to accomplish the to accomplish the intended purpose.intended purpose.

– what PHI is what PHI is reasonablyreasonably necessary is necessary is determined on a case by case basis by the determined on a case by case basis by the covered entitycovered entity

1515

Exceptions to obtaining an Exceptions to obtaining an Authorization or Waiver of Authorization or Waiver of

AuthorizationAuthorization

• Reviews preparatory to researchReviews preparatory to research

• Research solely on decedents’ informationResearch solely on decedents’ information

• Limited Data SetLimited Data Set

• De-identified DataDe-identified Data

1616

Reviews Preparatory to ResearchReviews Preparatory to Research

Covered entity must obtain representation from theCovered entity must obtain representation from theresearcher that:researcher that:

• The use or disclosure of PHI is sought solely to prepare The use or disclosure of PHI is sought solely to prepare a protocol or for a similar preparatory purpose. a protocol or for a similar preparatory purpose.

• PHI will not be removed from the covered entity. AND PHI will not be removed from the covered entity. AND

• PHI is necessary for research purposesPHI is necessary for research purposes

• Even though an authorization is not required, this access Even though an authorization is not required, this access requires an requires an Accounting of DisclosureAccounting of Disclosure

1717

Research Solely on Research Solely on Decedents’ InformationDecedents’ Information

Researcher must represent that:Researcher must represent that:

• Use or disclosure solely for research on decedents' Use or disclosure solely for research on decedents' information. information.

• PHI is necessary for research, and PHI is necessary for research, and

• Individual is a decedent, and provide documentation Individual is a decedent, and provide documentation upon covered entity's request.upon covered entity's request.

• Even though an authorization is not required, this access Even though an authorization is not required, this access requires an requires an Accounting of DisclosureAccounting of Disclosure

1818

Limited Data SetsLimited Data Sets

• Limited types of identifiers can be released for research Limited types of identifiers can be released for research purposes (a Limited Data Set). purposes (a Limited Data Set).

• Limited Data Sets can only be used and released in Limited Data Sets can only be used and released in accordance with a accordance with a Data Use AgreementData Use Agreement between the between the covered entity and the recipient. covered entity and the recipient.

• The Limited Data Set can contain:The Limited Data Set can contain:– Elements of Dates. Elements of Dates. – City, town, state, and ZIP. City, town, state, and ZIP. – Other unique identifiers, characteristics and codes not Other unique identifiers, characteristics and codes not

previously listed as direct identifiers (next slide). previously listed as direct identifiers (next slide).

1919

A Limited Data Set excludes the A Limited Data Set excludes the following direct or following direct or facial facial identifiersidentifiers

• Names Names • Postal address info (if Postal address info (if

other than city, town, other than city, town, state, and ZIP) state, and ZIP)

• Telephone and fax #s Telephone and fax #s • E-mail address E-mail address • Social Security # Social Security # • Medical record numbers Medical record numbers • Health plan #s Health plan #s • Account #s Account #s

• Certificate/license #s Certificate/license #s • VIN and Serial #s, license VIN and Serial #s, license

plate #s plate #s • Device identifiers, serial Device identifiers, serial

#s #s • Web URLs Web URLs • IP address #s IP address #s • Biometric identifiers Biometric identifiers

(finger prints) (finger prints) • Full face photographic Full face photographic

images and any images and any comparable images comparable images

2020

Data Use AgreementData Use Agreement

• Describe permitted uses and disclosures Describe permitted uses and disclosures (recipient cannot use or disclose PHI in a way (recipient cannot use or disclose PHI in a way that the covered entity cannot)that the covered entity cannot)

• Identify who can use and receive the Limited Identify who can use and receive the Limited Data SetData Set

• Does notDoes not require an Accounting of Disclosure require an Accounting of Disclosure

More . . .More . . .

2121

PHI has been de-identifiedPHI has been de-identified

• 18 identifiers removed from data and no knowledge that 18 identifiers removed from data and no knowledge that remaining information can (alone or in combination with remaining information can (alone or in combination with other information) identify the individual. other information) identify the individual.

OR OR • Statistically "de-identified" information. A qualified Statistically "de-identified" information. A qualified

statistician determines that there is a "very small" risk statistician determines that there is a "very small" risk that the information could be used, alone or in that the information could be used, alone or in combination with other reasonably available information, combination with other reasonably available information, to identify the individual and documents the methods and to identify the individual and documents the methods and results of the analysis. results of the analysis.

• Does notDoes not require an Accounting of Disclosure require an Accounting of Disclosure

2222

IdentifiersIdentifiers

• Names. Names. • All geographic subdivisions All geographic subdivisions

smaller than a state, street smaller than a state, street address, city, county, precinct, ZIP address, city, county, precinct, ZIP Code etc. Code etc.

• All elements of dates (except year) All elements of dates (except year) Telephone numbers. Telephone numbers.

• Facsimile numbers. Facsimile numbers. • Electronic mail addresses. Electronic mail addresses. • Social security numbers.Social security numbers.• Medical record numbers. Medical record numbers. • Health plan beneficiary numbers. Health plan beneficiary numbers. • Account numbers. Account numbers. • Certificate/license numbers. Certificate/license numbers.

• Vehicle identifiers and serial Vehicle identifiers and serial numbers, including license plate numbers, including license plate numbers. numbers.

• Device identifiers and serial Device identifiers and serial numbers. numbers.

• Web universal resource locators Web universal resource locators (URLs). (URLs).

• Internet protocol (IP) address Internet protocol (IP) address numbers. numbers.

• Biometric identifiers, including Biometric identifiers, including fingerprints and voiceprints. fingerprints and voiceprints.

• Full-face photographic images and Full-face photographic images and any comparable images. any comparable images.

• Any other unique identifying Any other unique identifying number, characteristic, or code.number, characteristic, or code.

Six Mechanisms Minimum Necessary Standard4.9

Accounting for Disclosures

(Section 5.16)

HIPAA Documentation Requirements

IRB Requirements

Use of De-Identified Data(Section 5.5)

Does Not Apply

No Researcher documents that all 19 identifiers are removed under Safe Harbor Method (see section 5.5.2), or demonstrate how the data is statistically de-identified.

IRB approval required for the process of de-identification; in nearly all cases this will be an exempt application.

Research Using Limited Data Set(Section 5.6)

Applies No Researcher documents in Exempt Checklist. Data Use Agreement4.5 between researcher and data source required.

IRB approval required; in nearly all cases this will be an exempt application.

Authorization(Section 5.7)

Does Not Apply

No(Note: Accounting for disclosure is required for psychotherapy notesG20 )

Patient-Subject Authorization

IRB approval required.Use of template authorization recommended.

Waiver of Authorization(Section 5.8)

Applies Yes, but simplified if 50 or more records will be utilized

Requirements as listed in 5.8

IRB approval required; may use this mode for recruitment purposes in addition to authorization and informed consent for the actual study procedures.

Research Involving Decedent Information(Section 5.9)

Applies Yes, but simplified if 50 or more records will be utilized

Researcher documents in description of study.

IRB approval required (exempt application).

Review Preparatory to Research(Section 5.10)

Applies Yes, but simplified if 50 or more records will be utilized

Researcher documents to covered entity supplying information.

No IRB approval necessary.

2424

Other Uses and Disclosures of Other Uses and Disclosures of PHI w/o AuthorizationPHI w/o Authorization

• This includes the following: This includes the following:

– Disclosures required by lawDisclosures required by law

– Disclosures to public health authoritiesDisclosures to public health authorities• Authorized by law to collect or receive such Authorized by law to collect or receive such

information for public health activitiesinformation for public health activities

– Disclosures for adverse event reporting to certain Disclosures for adverse event reporting to certain persons subject to the jurisdiction of the FDApersons subject to the jurisdiction of the FDA

All the above require Accounting of DisclosureAll the above require Accounting of Disclosure

2525

HIPAA & RecruitmentHIPAA & Recruitment

RecruitmentRecruitment is considered is considered research research

Therefore, the special provisions for Therefore, the special provisions for research apply to recruitmentresearch apply to recruitment

2626

Accounting for Uses & Accounting for Uses & DisclosuresDisclosures

Information required to be provided in each Information required to be provided in each patient’s record for an accounting:patient’s record for an accounting:

– The date of the disclosureThe date of the disclosure– The name of the entity or person who The name of the entity or person who

received the PHI and, if known, received the PHI and, if known, – the address of such entity or person the address of such entity or person – A brief description of the PHI disclosedA brief description of the PHI disclosed– A brief statement of the purpose of the A brief statement of the purpose of the

disclosure that reasonably informs the disclosure that reasonably informs the individual of the basis for the disclosureindividual of the basis for the disclosure

2727

Accounting for Uses & Accounting for Uses & DisclosuresDisclosures

If for research purposes 50 or more records areIf for research purposes 50 or more records arereviewed:reviewed:

– the name of the protocol or other research activity; the name of the protocol or other research activity; – a plain language description of the protocol or other a plain language description of the protocol or other

research activity, including the research purpose and the research activity, including the research purpose and the criteria for selecting the records; criteria for selecting the records;

– brief description of the type of PHI disclosed; brief description of the type of PHI disclosed; – date or time period during which the disclosures date or time period during which the disclosures

occurred or may have occurred, including at least the occurred or may have occurred, including at least the last date; last date;

– name, address and phone number of the entity that name, address and phone number of the entity that sponsored the research and the PI to which the sponsored the research and the PI to which the information was disclosed; and information was disclosed; and

– a statement that the PHI may or may not have been a statement that the PHI may or may not have been disclosed for the particular protocol or other research disclosed for the particular protocol or other research activity. activity.

2828

Accounting for Uses & Accounting for Uses & DisclosuresDisclosures

• Documentation of a Use or Disclosure Documentation of a Use or Disclosure must be placed in the patient’s “official must be placed in the patient’s “official record”record”– If the record is housed by Clarian, must be If the record is housed by Clarian, must be

documented in the Clarian recorddocumented in the Clarian record

2929

More InformationMore Information

• Clarian ContactClarian Contact

Accounting for Disclosures:Accounting for Disclosures:

Roxanne BinfordRoxanne Binford

Compliance Services & HIPAACompliance Services & HIPAA

Send Accountings to:Send Accountings to:

WH 322AWH 322A

Scan & email: Scan & email: rbinford@clarian.orgrbinford@clarian.org or or

fax:  962-0304 fax:  962-0304

3030

More InformationMore Information

• R&S website:R&S website:http://www.iupui.edu/~resgrad/hipaa/hipaa_menu.htmhttp://www.iupui.edu/~resgrad/hipaa/hipaa_menu.htm

http://www.iupui.edu/%7Eresgrad/human-sop/human-sop-menu.htmhttp://www.iupui.edu/%7Eresgrad/human-sop/human-sop-menu.htmSubject Confidentiality & Privacy Policy Subject Confidentiality & Privacy Policy

HIPAA InformationHIPAA Information

FAQ’sFAQ’sSOP’sSOP’sSummary Safeguard StatementSummary Safeguard StatementRecruitment ChecklistRecruitment Checklist