University of Miami1 Privacy, Confidentiality & Security Marisabel Davalos, M.S.Ed., CIP Associate...
-
Upload
eustace-greer -
Category
Documents
-
view
228 -
download
2
Transcript of University of Miami1 Privacy, Confidentiality & Security Marisabel Davalos, M.S.Ed., CIP Associate...
University of Miami
1
Privacy, Confidentiality &
Security
Marisabel Davalos, M.S.Ed., CIPAssociate Director of Educational Initiatives
November, 2008
University of Miami
2
Institutional Review Board for the Protection of Human Subjects
• Responsible for review, approval and monitoring of human subject research conducted by UM faculty, staff and students
• Includes ensuring compliance with University of Miami HIPAA policies
• Plan must contain elements required under HIPAA
• Documentation of compliance with Covered Entity
source of PHI
University of Miami
3
What is HIPAA?
Health Insurance Portability and Accountability Act (HIPAA)
Effective on April 14, 2003
Federal law that protects the privacy of individually identifiable health information (PHI)
Title 45 of the Code of Federal Regulations Parts 160 and 164
University of Miami
4
Who Must Comply with HIPAA?
Covered Entity – Custodians of PHI They must make a good faith effort to comply with the rule
Three types of “ Covered Entities”
Health Care ProvidersIncludes organizations, individuals such as researchers when they provide health care, e.g. clinical trials
Health Care Plans Insurers and payors
Health Care ClearinghousesBilling services
University of Miami
5
How is UM Approaching HIPAA?
Hybrid Covered Entity
The University is not a covered entity. It is a hybrid entity with certain health care components covered by HIPAA and research components that may not be covered by HIPAA and that fall outside the “covered entity”.
University of Miami
6
UM – Hybrid Entity
Covered Components
Treatment
Payment
Health Care Operations
Non-Covered
Components
Research
Important to Note
• Investigators who do not access or create health information from/with the “covered entity” because they are acting solely as researchers and not health care providers are not considered part of the UM/JHS “covered entity” and are not subject to HIPAA regulations.
• Necessary compliance with State privacy laws and Institutional and IRB policies only.
University of Miami
7
UM Investigators and PHI
• those who create, use, or access health information while providing health care services to research subjects must comply with HIPAA regulations as well as state privacy, institutional and IRB policies.
University of Miami
8
Types of Studies Covered
• Clinical trials
• Chart reviews
• Epidemiological studies
• Behavioral and Social Science Studies
• Some basic science research activities• Studies may include the provision of treatment
but others may provide neither treatment or diagnosis.
University of Miami
9
HSRO Policies & Procedures
• HSRO has “Written Policies and Procedures for the Protection of Human Research Subjects”.
• Section, 24 specific to Privacy, Security, Confidentiality, and HIPAA were revised on August 6th, 2008.
• Policies are available on our website under, “Investigator Resources”.
University of Miami
10
Definitions
• Section 24.2 contains some important terms related to HIPAA.
• PHI – protected health information derived from the past, present, future physical or mental health care of an individual managed by a covered entity
• RHI – Research-related health information, personally identifiable information distinct from PHI by not being associated with or derived from health care or payment for care.
University of Miami
11
Definitions (cont’d).
• Privacy: an individual’s right to be free from unauthorized or unreasonable intrusion into his/her private life and the right to control access to personal information. • The term “privacy” applies to persons whereas
the term “confidentiality” refers to the treatment of personal information.
University of Miami
12
Definitions (cont’d).
• Security: the safeguards placed upon the availability, integrity, and confidentiality of information to protect information from unauthorized access, disclosure, misuse and accidental damage. • Safeguards may be physical, electronic, or
administrative and they may control access, training, computer systems, policies and procedures, physical environment, and behaviors.
University of Miami
13
University of Miami
14
More About PHI
Protected Health Information (PHI) is any individually identifiable information that is transmitted or maintainedin electronic medium, or in any other form or medium
Medical RecordsE.g. Medical History, Diagnosis, Treatment
Payment InformationE.g. Bills, Receipts
Ancillary ServicesE.g. X-Rays, Labs
Demographic Information (When Maintained with Health Information)E.g. Date of Birth, Social Security Number
IRB Privacy Issue Evaluation
• Time and place where information is provided by participants to investigators;
• Nature of the information provided;• Nature of the experience that participant will
undergo from the study;• Who is receiving, accessing, and using the
information;• Participants’s relationship to the investigator;• Presence of others when gathering data.
University of Miami
16
Factors to Determine What is Private to
Individuals• Gender
• Ethnicity
• Age
• Socio-economic status
• Education
• Ability levelUniversity of Miami
17
• Social or verbal skill
• Health status
• Legal status
• Nationality
• Intelligence
• Personality
University of Miami
18
What is De-Identified PHI?
Information that does not identify the individual; andthere is no reasonable basis to believe the information can be used to identify an individual.
University of Miami
19
Remove 18 Specified Identifiers: Name All Geographic Subdivisions Smaller Than a State
(Street, City, County, Precinct, Parish, Zip Code, & their Equivalent Geo-codes Except for Initial 3 Digits of a Zip Code)
All Elements of Dates, Except Year(Admission Date, Discharge Date, Date of Death)
All Ages Over 89 & Dates and Elements Related to such Ages(Unless Aggregated into a Single Category of Age over 90)
How do you De-Identify PHI?
University of Miami
20
How do you De-Identify PHI ?
Telephone & Fax Number E-mail, IP Address & URL Social Security #, Medical Record #, Health
Plan Beneficiary #, & Account # Certificate License #, VIN, Device
Identifiers, & Serial # Full Face Photographs, Biometric Identifiers Any Other Unique Identifying Number,
Characteristic, or Code
University of Miami
21
Research procedures should be carefully designed to limit the personal information to be acquired to that which is minimally necessary and should be administered using procedures that will protect the subject's privacy.
Example: Only the information pertaining to a specific use should be given to researcher.
Minimum Necessary Requirement
University of Miami
22
Responsibilities of The PrincipalInvestigator
• Document research team has completed HIPAA Privacy/Security Training and HIPAA Training for Researchers
• Submit project application to the IRB
• Assume responsibility for compliance with HIPAA
• Maintain logs of all access to, uses of, & disclosures of PHI
• Submit Data Use Agreements to the IRB
GENERAL PRINCIPLES• As custodian of a study’s research data, the Principal Investigator shall
ensure compliance with institutional data security policies, HIPAA regulations (if applicable) and the IRB-approved security protocol ;
• The PI must ensure that collaborative research studies involving PHI (or ePHI) from another institution (or under oversight of another IRB) are also approved by the UM IRB prior to receipt of PHI;
• Access to research data (including ePHI) should be restricted and controlled.
• The PI must ensure locks on files or password or other protections (as applicable) (note – access to e PHI must be by password)
• The PI must ensure that research data is accessed and used only by personnel authorized by the IRB (as approved study personnel) for such research activity.
University of Miami
24
Security, Section 24.6• All research data (including PHI) must be secured
and protected, as reasonable, against breaches in confidentiality, unpermitted uses and disclosures.
• HIPAA standards also apply after project completion when computers, devices, and/or media are destroyed or reformatted for other uses.
• Provides important requirements and methods to assure security of all research data.
• Additional requirements for ePHI (electronic PHI).
University of Miami
25
Security, Section 24.6
• Specifically addresses concerns and safeguards for when dealing with ePHI, securing paper records, securing faxes, and unanticipated problems and reportable events related to breaches in ePHI
University of Miami
26
Security, Section 24.6• Paper records: PHI must be stored
using locked filing system within a locked office or storage room.
• Shredding is required to discard printed materials with direct identifiers.
• Paper-based PHI should not be carried/sent unless necessary for research purposes.
University of Miami
27
Confidentiality, Section 24.7
• Studies must include appropriate strategies to protect the identity of human subjects and the confidentiality of his/her research records.• Examples: personality inventories, interviews,
questionnaires, observations, photos and film, tape recordings, and stored data.
University of Miami
28
Certificates of Confidentiality
• In certain circumstances involving civil, criminal, administrative, legislative, or other proceedings at the federal, state, or local level, PIs and Institutions may be compelled to release information that could identify subjects within a research study.
• Certificates of Confidentiality protect PIs and Institutions from having to divulge this information.
University of Miami
29
Certificates of Confidentiality – Cont’d.
• Certificates of Confidentiality are provided by the National Institutes of Health and are awarded whether a research study is federally funded or not.
University of Miami
30
University of Miami
31
Who do I contact about HIPAA Questions for Research?
• Evelyne Bital, MS, CIP• Associate Director of Privacy & Regulatory
Affairs, (305) 243-3195• e-mail: [email protected]
• For general HIPAA information or to access standard HIPAA forms for research: hsro.med.miami.edu
University of Miami
32
References
• Federal Regulations for HIPAA 45 CFR 160 and 45 CFR 164
• University of Miami HIPAA Policies and Procedures
http://www.hhs.gov/ocr/hipaa/
http://www.hipaadvisory.com/
http://www.hipaadvisory.com/regs/