Revised February 4, 2004 1
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA Privacy Rule: UCSF Education Module for Researchers, Research Administrators, Coordinators, Staff and IRB Members
In the Beginning
The emphasis was on the “portability” of insurance, and medical records.
The issue was how to keep electronic medical records private.
Little thought was given to the implications of HIPAA for research.
Institutions with electronic records or electronic transmission of medical information would be charged with the responsibility of protecting the privacy and security of these records.
What Is the Basic Privacy Rule?
HIPAA-covered entities are required to protect the privacy and security of an individual’s Protected Health Information (PHI).
PHI may be used and disclosed for Treatment, Payment, Operations (TPO) and certain other uses and disclosures without authorization from the patient.
Any other use or disclosure of PHI must be authorized by the patient or conform to an exception permitted by HIPAA.
PHI used in research must be obtained from the Covered Entity in compliance with HIPAA.
What is a Covered Entity at UC?
A Covered Entity (CE) is a health care provider, health plan, or health information clearinghouse.
The UC Covered Entity includes UC’s institutions and workforce members at the five academic health centers at UCD, UCI, UCLA, UCSD and UCSF.
NOTE: The definition of the “Covered Entity” is different for each institution, including the SFVAMC, SFGH, Kaiser, CPMC, St. Luke’s, the Haight-Ashbury Free Clinic, and so on.
What is PHI?
Individually identifiable information
Past, present, or future: health status, treatment, payment for health care
Created, used, or disclosed by a covered entity (CE)
In any form
Includes any one of the 18 identifiers as defined by HIPAA
Protected Health Information (PHI): 18 Identifiers defined by HIPAA
Name
Postal address
All elements of dates except year
Telephone number
Fax number
Email address
URL address
IP address
Social security number
Account numbers
License numbers
Medical record number
Health plan beneficiary #
Device identifiers and their serial numbers
Vehicle identifiers and serial number
Biometric identifiers (finger and voice prints)
Full face photos and other comparable images
Any other unique identifying number, code, or characteristic.
How does HIPAA Privacy Rule affect University Researchers?
Researchers will likely want to access PHI held by the CE in order to conduct research.
The Privacy Board must approve use of PHI for research.
At UCSF the Privacy Board for research is the IRB, that is, the CHR.
The Privacy Rule applies to all active studies as of April 14, 2003.
Does all human subjects research use PHI?
Not at all! Some examples:
Some non-treatment studies (i.e., testing done with no identifiers; use of aggregate data; diagnostic or genetic tests that do not go into the medical records; blood draws for protein binding studies)
Some interview studies and focus group studies
Some questionnaire studies
Studies that recruit subjects through ads and flyers where no PHI was accessed and none is created during research
Do HIPAA regulations apply?
Covered Entity (CE): UCSF Medical Center, Hospitals and Clinics
If information from the study is added to the CE (i.e., information is added to Medical Records or used to make health care decisions)
If information is obtained for the study from the CE (i.e., medical records review for recruitment, data analysis)
What are the practical implications of HIPAA for Human Research at UCSF?
New and different vocabulary
Stricter control of access to Medical Records (HIMS and Faculty Practices)
Stricter limitations to identifying subjects for recruitment
Additional documentation for PI, IRB, and CE.
Important Note: Most research being done can continue, but with additional documentation!
What are the patients’ rights under HIPAA?
To restrict the use and disclosure of their PHI
To access and receive a copy of their PHI used for research purposes (unless it will cause psychological harm)
To receive an accounting of disclosures of their PHI by the CE
To request amendments to their PHI in their medical records
To file complaints with the University or OCR that may result in civil and criminal penalties for individuals as well as the covered entities
What is the Covered Entity’s Responsibility?
The covered entity (CE) is responsible for protecting PHI and for ensuring that PHI:
Is only used or released for TPO or as otherwise permitted or required by law;
Is not released without the patient’s authorization; or
Is released only under an IRB approved waiver of consent/authorization
Meets “minimum necessary” standard.
How can an investigator access PHI for research?
Through a HIPAA Authorization signed by the subject (or legal representative)
-OR- Through a Waiver of Authorization requested by the PI and approved by the IRB.
Note: UCSF policies require IRB approval for access to PHI for human subjects research.
Individual Subject’s Authorization for Research Access to PHI
Authorization must be a separate document used along with the Consent Form for biomedical and treatment studies.
For some behavioral studies, Authorization may be combined with the Consent Form, but requires two separate signature lines: one for consent, and one for authorization.
What does a HIPAA authorization look like?
The standard UC HIPAA authorization is a two-page document available on the HIPAA Forms section of the CHR website.
The standard SFVAMC form is also available on that site.
Other Covered Entities may require their own versions of the HIPAA authorizations.
Note: Some sponsors also have their own versions of the forms, but with rare exception UCSF researchers must use the UC version.
What Elements Are Required in the HIPAA Authorization?
Description of PHI to be disclosed
Name or class of recipients of information and of those authorized to disclose PHI
Description of research purpose
Expiration date, though at UC this is stated as “when study is completed.”
Right to cancel authorization
Advise subject that HIPAA protections may not apply to redisclosed information although other protections apply
Consequences of a refusal to sign an authorization
Signature of subject and date
Which Research Does Not Require a Subject’s Authorization?
1. Research granted a Waiver of Consent/Authorization by the CHR
2. Research using De-Identified Data
3. Research using a Limited Data Set
4. Research not using PHI
#1: Waiver of Authorization
PI and IRB must certify that research:
1. Could not practicably be conducted w/o waiver
2. Could not practicably be conducted w/o PHI
3. Poses minimal risk to privacy based on written assurance that the PHI will not be reused or disclosed and that there is an adequate plan to protect identifiers.
To accomplish this, PI fills out Waiver of Consent/Authorization Form available on CHR website and submits with application.
Research released by a waiver must be tracked for disclosure to the subject.
#2: De-Identified Data Sets
There are two HIPAA-approved methods of de-identifying datasets:
All 18 identifiers of PHI must be removed, or
A qualified statistician documents the methods and analysis used to determine that data is de-identified or risk is very small that information can be used to identify an individual
IRB approval of protocol is still required
PI should apply for Exempt Certification from IRB.
#3: Limited Data Set
May include only the following PHI:
Date(s) of service (admission, discharge)
Dates of birth and death
5-digit zip codes and other geographic subdivisions other than street address
May include non-PHI information (i.e., diagnosis)
Does not require a subject’s authorization
Does require IRB approval which includes a Waiver of Consent/Authorization
NOTE: IRB applications must include a request for a waiver of consent/authorization.
#4: Research Not Using PHI
Covered Entity (CE): UCSF Medical Center, Hospitals and Clinics
If information from the study is NOT added to the CE
If information obtained for the study does NOT come from the CE (i.e., NO medical records review for recruitment or data analysis)
How does a researcher gain access to PHI in Medical Records at UCSF?
Copy of CHR approval letter with:
statement of Waiver of Authorization of individual consent
--or--
statement that Individual Subject Authorization will be obtained
What types of CHR approvals are needed for these types of studies?
PHI: Full Committee or Expedited
De-identified PHI (no PHI used): CHR Exempt Certification
Limited Data Sets (limited PHI allowed): Expedited with Waiver of Authorization
NOTE: Medical Records will require CHR approval to release PHI for research.
What information is now required by the CHR to address HIPAA?
PIs should complete and submit the HIPAA Supplement with all full committee and expedited applications, even if no PHI is being used; Waiver of consent/authorization form if applicable (usually for recruitment purposes)
The pilot application (required as of January 2004) embeds HIPAA information within it.
Exempt applications do not require any additional information about HIPAA.
What are the 8 Most Common and Acceptable Recruitment Methods?
PIs recruit their own patients directly
PIs provide PCPs a “Dear Patient” letter that instructs any interested patients how to contact PI about enrollment
PIs ask PCPs for referrals and may contact patients if there is documented patient permission to do so
PIs use CHR-approved ads, notices, and/or media
Recruitment Methods (continued)
Faculty Practices/Clinics develop a CHR-approved recruitment protocol so subjects agree ahead of time to be contacted for research
PIs request a Waiver of Consent/Authorization for recruitment purposes as an exception to the regularly approved methods.
PIs enter data about study into the UCSF Seeking Clinical Trials Volunteer Website or another similarly managed website
PIs do not access PHI for recruitment purposes.
Conclusion-The HIPAA Privacy Rule
Greater emphasis on privacy and confidentiality of medical records in both health care and research.
Researcher’s responsibilities are more clearly defined.
Subjects have more clearly defined legal rights to protect their privacy.
UCSF HIPAA Websites
• UCSF: http://www.ucsf.edu/hipaa
  HIPAA Handbook (pdf), HIPAA Training Modules, Privacy Officer
• CHR: http://www.research.ucsf.edu/chr/index.asp
  Application and Consent templates/Guidelines, Research Training, FAQ, information
• UCSF Medical Center IT: http://it.ucsfmedicalcenter.org/
• UCSF Information Security: http://isecurity.ucsf.edu