Revised February 4, 2004

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA Privacy Rule: UCSF Education Module for Researchers, Research Administrators, Coordinators, Staff and IRB Members



In the Beginning

• The emphasis was on the “portability” of insurance, and medical records.
• The issue was how to keep electronic medical records private.
• Little thought was given to the implications of HIPAA for research.
• Institutions with electronic records or electronic transmission of medical information would be charged with the responsibility of protecting the privacy and security of these records.


What Is the Basic Privacy Rule?

• HIPAA-covered entities are required to protect the privacy and security of an individual’s Protected Health Information (PHI).
• PHI may be used and disclosed for Treatment, Payment, Operations (TPO) and certain other uses and disclosures without authorization from the patient.
• Any other use or disclosure of PHI must be authorized by the patient or conform to an exception permitted by HIPAA.
• PHI used in research must be obtained from the Covered Entity in compliance with HIPAA.


What is a Covered Entity at UC?

• A Covered Entity (CE) is a health care provider, health plan, or health information clearinghouse.
• The UC Covered Entity includes UC’s institutions and workforce members at the five academic health centers at UCD, UCI, UCLA, UCSD and UCSF.

NOTE: The definition of the “Covered Entity” is different for each institution, including the SFVAMC, SFGH, Kaiser, CPMC, St. Luke’s, the Haight-Ashbury Free Clinic, and so on.


What is PHI?

• Individually identifiable information
• Past, present, or future:
  - Health status
  - Treatment
  - Payment for health care
• Created, used, or disclosed by a covered entity (CE)
• In any form
• Includes any one of the 18 identifiers as defined by HIPAA


Protected Health Information (PHI): 18 Identifiers defined by HIPAA

• Name
• Postal address
• All elements of dates except year
• Telephone number
• Fax number
• Email address
• URL address
• IP address
• Social security number
• Account numbers
• License numbers
• Medical record number
• Health plan beneficiary #
• Device identifiers and their serial numbers
• Vehicle identifiers and serial number
• Biometric identifiers (finger and voice prints)
• Full face photos and other comparable images
• Any other unique identifying number, code, or characteristic.


How does HIPAA Privacy Rule affect University Researchers?

Researchers will likely want to access PHI held by the CE in order to conduct research.

The Privacy Board must approve use of PHI for research.

At UCSF the Privacy Board for research is the IRB, that is, the CHR.

The Privacy Rule applies to all active studies as of April 14, 2003.


Does all human subjects research use PHI?

Not at all! Some examples:

• Some non-treatment studies (i.e., testing done w/no identifiers; use of aggregate data; diagnostic or genetic tests that do not go into the medical records; blood draws for protein binding studies)
• Some interview studies and focus group studies
• Some questionnaire studies
• Studies that recruit subjects through ads and flyers where no PHI was accessed and none is created during research


Do HIPAA regulations apply?

Covered Entity (CE): UCSF Medical Center, Hospitals and Clinics

• If information from the study is added to the CE, i.e., information is added to Medical Records or used to make health care decisions
• If information is obtained for the study from the CE, i.e., medical records review for recruitment, data analysis


What are the practical implications of HIPAA for Human Research at UCSF?

• New and different vocabulary
• Stricter control of access to Medical Records (HIMS and Faculty Practices)
• Stricter limitations to identifying subjects for recruitment
• Additional documentation for PI, IRB, and CE.

Important Note: Most research being done can continue, but with additional documentation!


What are the patients’ rights under HIPAA?

• To restrict the use and disclosure of their PHI
• To access and receive a copy of their PHI used for research purposes (unless it will cause psychological harm)
• To receive an accounting of disclosures of their PHI by the CE
• To request amendments to their PHI in their medical records
• To file complaints with the University or OCR that may result in civil and criminal penalties for individuals as well as the covered entities


What is the Covered Entity’s Responsibility?

The covered entity (CE) is responsible for protecting PHI and for ensuring that PHI:

• Is only used or released for TPO or as otherwise permitted or required by law;
• Is not released without the patient’s authorization; or
• Is released only under an IRB approved waiver of consent/authorization
• Meets “minimum necessary” standard.


How can an investigator access PHI for research?

Through a HIPAA Authorization signed by the subject (or legal representative)

-OR- Through a Waiver of Authorization requested by the PI and approved by the IRB.

Note: UCSF policies require IRB approval for access to PHI for human subjects research.


Individual Subject’s Authorization for Research Access to PHI

• Authorization must be a separate document used along with the Consent Form for biomedical and treatment studies.
• For some behavioral studies, Authorization may be combined with the Consent Form, but requires two separate signature lines: one for consent, and one for authorization.


What does a HIPAA authorization look like?

• The standard UC HIPAA authorization is a two-page document available on the HIPAA Forms section of the CHR website.
• The standard SFVAMC form is also available on that site.
• Other Covered Entities may require their own versions of the HIPAA authorizations.

Note: Some sponsors also have their own versions of the forms, but with rare exception UCSF researchers must use the UC version.


What Elements Are Required in the HIPAA Authorization?

• Description of PHI to be disclosed
• Name or class of recipients of information and of those authorized to disclose PHI
• Description of research purpose
• Expiration date, though at UC this is stated as “when study is completed.”
• Right to cancel authorization
• Advise subject that HIPAA protections may not apply to redisclosed information although other protections apply
• Consequences of a refusal to sign an authorization
• Signature of subject and date


Which Research Does Not Require a Subject’s Authorization?

1. Research granted a Waiver of Consent/Authorization by the CHR

2. Research using De-Identified Data

3. Research using a Limited Data Set

4. Research not using PHI


#1: Waiver of Authorization

PI and IRB must certify that research:

1. Could not practicably be conducted w/o waiver

2. Could not practicably be conducted w/o PHI

3. Poses minimal risk to privacy based on written assurance that the PHI will not be reused or disclosed and that there is an adequate plan to protect identifiers.

To accomplish this, PI fills out Waiver of Consent/Authorization Form available on CHR website and submits with application.

Research released by a waiver must be tracked for disclosure to the subject.


#2: De-Identified Data Sets

There are two HIPAA-approved methods of de-identifying datasets:

• All 18 identifiers of PHI must be removed, or
• A qualified statistician documents the methods and analysis used to determine that data is de-identified or risk is very small that information can be used to identify an individual

IRB approval of protocol is still required.

PI should apply for Exempt Certification from IRB.


#3: Limited Data Set

• May include only the following PHI:
  - Date(s) of service (admission, discharge)
  - Dates of birth and death
  - 5 digit zip codes and other geographic subdivisions other than street address
• May include non-PHI information (i.e., diagnosis)
• Does not require a subject’s authorization
• Does require IRB approval which includes a Waiver of Consent/Authorization

NOTE: IRB applications must include a request for a waiver of consent/authorization.


#4: Research Not Using PHI

Covered Entity (CE): UCSF Medical Center, Hospitals and Clinics

• If information from the study is NOT added to the CE
• If information obtained for the study does NOT come from the CE, i.e., NO medical records review for recruitment or data analysis


How does a researcher gain access to PHI in Medical Records at UCSF?

Copy of CHR approval letter with:

• statement of Waiver of Authorization of individual consent

--or--

• statement that Individual Subject Authorization will be obtained


What types of CHR approvals are needed for these types of studies?

• PHI: Full Committee or Expedited
• De-identified PHI (no PHI used): CHR Exempt Certification
• Limited Data Sets (limited PHI allowed): Expedited with Waiver of Authorization

NOTE: Medical Records will require CHR approval to release PHI for research.


What information is now required by the CHR to address HIPAA?

PIs should complete and submit:

• The HIPAA Supplement with all full committee and expedited applications, even if no PHI is being used
• Waiver of consent/authorization form if applicable (usually for recruitment purposes)

The pilot application (required as of January 2004) embeds HIPAA information within it.

Exempt applications do not require any additional information about HIPAA.


What are the 8 Most Common and Acceptable Recruitment Methods?

• PIs recruit their own patients directly
• PIs provide PCPs a “Dear Patient” letter that instructs any interested patients how to contact PI about enrollment
• PIs ask PCPs for referrals and may contact patients if there is documented patient permission to do so
• PIs use CHR-approved ads, notices, and/or media


Recruitment Methods (continued)

• Faculty Practices/Clinics develop a CHR-approved recruitment protocol so subjects agree ahead of time to be contacted for research
• PIs request a Waiver of Consent/Authorization for recruitment purposes as an exception to the regularly approved methods.
• PIs enter data about study into the UCSF Seeking Clinical Trials Volunteer Website or another similarly managed website
• PIs do not access PHI for recruitment purposes.


Conclusion: The HIPAA Privacy Rule

• Greater emphasis on privacy and confidentiality of medical records in both health care and research.
• Researchers’ responsibilities are more clearly defined.
• Subjects have more clearly defined legal rights to protect their privacy.


UCSF HIPAA Websites

• UCSF: http://www.ucsf.edu/hipaa
  - HIPAA Handbook (pdf)
  - HIPAA Training Modules
  - Privacy Officer

• CHR: http://www.research.ucsf.edu/chr/index.asp
  - Application and Consent templates/Guidelines
  - Research Training, FAQ, information

• UCSF Medical Center IT: http://it.ucsfmedicalcenter.org/

• UCSF Information Security: http://isecurity.ucsf.edu