HIPAA Overview


Presentation Transcript


  1. HIPAA Overview. Joe R. Brown, MHS, Office of Research Integrity, University of Kentucky

  2. Penalties • Civil fines: • $100 per violation: maximum $25K per year per violation • Criminal penalties: • significant fines and imprisonment (up to 1 year for knowing violations; up to 10 years for violations with intent of personal gain or malicious harm) • Overseen by the Office of Civil Rights within the Department of Justice

  3. Health Insurance Portability and Accountability Act (HIPAA) • 1996 Federal Law • Department of Health and Human Services (DHHS) Regulations (1999), Final Rule (Aug. 2002), (Guidance Dec. 2002) • 4 Rules – Privacy, Security, Transaction and E-Signatures • Immediate Concern – Privacy Rule

  4. What is the Privacy Rule? Federal regulation designed to protect the use and/or disclosure of a person’s health information.

  5. Who is Covered? • Health care providers who transmit health information in electronic transactions, including researchers who provide treatment to research participants • Health plans • Health care clearinghouses (Other groups shown on the slide: Public health officials, Researchers, Marketers, Law enforcement. Source: Julie Kaneshiro, OHRP)

  6. Hybrid Entity - Implications The importance of being a hybrid entity is that HIPAA requires the entity to build walls between the covered functions and the rest of the entity, so that the non-covered portions do not have access to PHI.

  7. What is Covered? • Protected health information (PHI): • Health Information & Identifiers • Transmitted or maintained in any form or medium • Decedents’ health information (Also shown on the slide: De-identified information, Human biological tissue. Source: Julie Kaneshiro, OHRP)

  8. Protected Health Information (PHI) Individually identifiable health information that a covered entity creates or receives • Includes information about the past, present or future physical or mental health of a person, the provision of health care to a person and payment for care • Includes information in written, electronic or oral form

  9. What is an Identifier in the Privacy Rule? The Privacy Rule defines 18 identifiers:
  • Names
  • Geographic info (including city, state, and zip)
  • Elements of dates
  • Telephone #s
  • Fax #s
  • E-mail address
  • Social Security #
  • Medical record, prescription #s
  • Health plan beneficiary #s
  • Account #s
  • Certificate/license #s
  • VIN and serial #s, license plate #s
  • Device identifiers, serial #s
  • Web URLs
  • IP address #s
  • Biometric identifiers (finger prints)
  • Full face, comparable photo images
  • Unique identifying #s

  10. Minimum Necessary Standard A Covered Entity or researcher should limit the PHI it uses, discloses, or requests to the minimum necessary to achieve the purposes desired.

  11. Individuals Rights: • Access their PHI • Request amendment of their PHI • Receive a record of certain disclosures of their PHI made within previous 6 years • Request restrictions on uses and disclosures • Revoke their authorization

  12. Right to Access Their PHI • Right to access can be temporarily suspended while the research is in progress, if stated in the signed authorization • There are limited other exceptions to access

  13. Right to Accounting of Disclosures For each disclosure, must record: • List of individuals receiving PHI • Date of disclosure • Name of person/entity who received it (and their address, if known) • Brief description of PHI disclosed • Brief statement of the purpose of the disclosure

  14. Right to Revoke Authorization • Revocation must be in writing • If research authorization is revoked, the researcher cannot use or disclose the PHI, except to the extent that the researcher has already relied on the permission: • If the researcher has already included the PHI in an analysis. • If use or disclosure is needed to “maintain the integrity of the research study” (i.e., account for withdrawal, report an adverse event).

  15. Additional Requirements/Rights: Privacy Notice: • A covered entity must tell individuals how their PHI is used/disclosed by: • Providing a Privacy Notice and making a good faith effort to obtain written acknowledgement of receipt.

  16. How to Fit HIPAA into your Research?

  17. How Do UK Researchers Access PHI? • Authorization • IRB/PB Waiver of Authorization • Preparatory Work • Decedent Data • Limited Data Set/Data Use Agreement • For Public Health Activities

  18. Other option to access/share not regulated by HIPAA: De-identification

  19. De-identified Health Information – 2 Options • All 18 Identifiers Removed • Statistically “De-identified” Information: Statistician Certifies “Very Small” Risk That Information Could Identify the Individual.

  20. De-identification • Remove listed identifiers of the individual and the individual’s relatives, employers, household members • And do not have knowledge that the remaining information can be used to identify the person

  21. What is an Identifier in the Privacy Rule? (Repeats slide 9: the 18 identifiers listed there.)

  22. De-identification (Cont’d) Identifiers that may be used • Race • Age (89 or younger) • Gender

  23. Code Links • The Privacy Rule Does NOT Apply to De-identified Information • BUT • Privacy Rule Does Apply to the Code (Link) That Allows Identification of Coded Information

  24. Limited Data Set • Limited Types of Identifiers Can Be Released With Health Information • Can Only Be Released With Data Use Agreement

  25. Limited Data Set – Elements to be excluded:
  • Names
  • Street Address*
  • Telephone number
  • Fax number
  • E-mail address
  • Social Security Number
  • Medical Record Number
  • Health Plan Beneficiary #
  • Account Number
  • Certificate/License number
  • Vehicle identifiers/serial #s
  • Device identifiers/serial #s
  • Web URLs
  • IP address numbers
  • Biometric identifiers
  • Full face photographs and any comparable images

  26. Limited data set may include: • Zip code • Date of birth or date of death • Date(s) of service • Geographic subdivision (city)

  27. Data Use Agreement Must Include: • Permitted Uses/Disclosures by Recipient • Who is Permitted to Use/Receive the PHI • No Use/Disclosure Other Than as Permitted • Use Appropriate Safeguards • Report to CE Disclosure/Use NOT permitted • Ensure Subcontractors agree to SAME restrictions
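Slides 19 through 27 amount to a field-level release rule set: full de-identification strips every listed identifier (keeping race, gender and age 89 or younger), while a Limited Data Set removes only the excluded direct identifiers, keeps zip, city and dates, and may only be released under a Data Use Agreement. The Python below is an added example, not code from the slide deck or the University of Kentucky, that applies both rules to a constructed record; the field names, the identifier-category-to-field mapping and the sample record are assumptions.

```python
"""Added example (not from the slide deck): release rules from slides 19-27.
Field names, the category-to-field mapping and the sample record are assumptions."""

# Slide 9: the 18 identifier categories, mapped to the field names used in
# the constructed record below (this mapping is an assumption of the example).
IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "zip",              # names, geographic info
    "date_of_birth", "date_of_death", "date_of_service",  # elements of dates
    "phone", "fax", "email", "ssn", "mrn", "prescription_no",
    "health_plan_id", "account_no", "license_no", "vin", "device_serial",
    "url", "ip", "fingerprint", "photo", "unique_id",
})

# Slide 26: elements a Limited Data Set may keep even though they are
# identifiers under the full de-identification rule.
LDS_PERMITTED = frozenset({"zip", "city", "date_of_birth", "date_of_death", "date_of_service"})

# Slide 25: every other listed identifier must be excluded from an LDS.
LDS_EXCLUDED = IDENTIFIER_FIELDS - LDS_PERMITTED


def deidentify(record: dict) -> dict:
    """Slide 19 option 1 / slides 20-22: drop every listed identifier.
    Race, gender and age may remain, age only when 89 or younger."""
    out = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
    if isinstance(out.get("age"), int) and out["age"] > 89:
        del out["age"]  # not on the slide's permitted list, so it is dropped
    return out


def is_deidentified(record: dict) -> bool:
    """Slide 20 check: no listed identifier remains and age is 89 or younger."""
    return not (record.keys() & IDENTIFIER_FIELDS) and record.get("age", 0) <= 89


def limited_data_set(record: dict, dua_signed: bool) -> dict:
    """Slides 24-27: the LDS view is released only under a Data Use Agreement."""
    if not dua_signed:
        raise PermissionError("Limited Data Set requires a signed Data Use Agreement")
    return {k: v for k, v in record.items() if k not in LDS_EXCLUDED}


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Doe", "street_address": "1 Example St", "city": "Lexington",
    "zip": "40506", "date_of_birth": "1910-04-02", "date_of_service": "2003-01-15",
    "phone": "555-0100", "email": "jane@example.invalid", "ssn": "000-00-0000",
    "mrn": "MRN-0001", "ip": "192.0.2.10", "age": 92, "race": "White",
    "gender": "F", "diagnosis": "J45.909",
}
```

Note that the Limited Data Set output still fails `is_deidentified`, which is the point of slide 24: it remains PHI and needs the agreement.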

  28. Who Can Prepare Limited Data Set? • Researchers if… • Data Use Agreement • Business Associate Agreement • www.mc.uky.edu/compliance/HIPAA/HIPAAProjectTeam.htm

  29. Use of “preparatory” rule • Prepare a protocol • Find out if usable data exists • See if there are enough potential subjects • Cannot use information to directly recruit subjects • If data is sent to the sponsor, use de-identified data or obtain a waiver of authorization from the IRB.

  30. Work preparatory to research For access, the covered entity will require statements that: • Access is solely to review PHI to prepare a research protocol or for similar purposes preparatory to research. • No PHI will be removed from the covered entity. • The information requested is necessary for the research (“minimum necessary”)

  31. Decedent research For access, the covered entity will require statements that: • Access is solely for research on information of decedents • The information requested is necessary for the research (“minimum necessary”) • The covered entity may request: Proof decedent is really dead

  32. Authorization • Participant provides authorization to use/disclose PHI as part of the informed consent process. MUST include the following elements: • Specific description of the information to be used/disclosed • Who may use or disclose • To whom the PHI will be disclosed • Why the use or disclosure is being made (each purpose) • Statement of how long the use or disclosure will continue

  33. Authorization (Cont’d) • Notice that authorization may be revoked • Notice that the information may be disclosed to others not subject to the Privacy Rule • Notice that the covered entity may or may not condition treatment or payment on the individual’s signature • Individual’s signature and date

  34. HIPAA language found in an Authorization Form After the study is completed, the videotapes will be destroyed personally by the investigator with a sledgehammer.

  35. Exceptions to Authorization • A Covered Entity can use/disclose PHI without individual authorizations: • for treatment, payment, health care operations • for certain public health, law enforcement or other specified “public response” reasons • for research with approval of an IRB (when authorization is not “practicable” and other conditions are met).

  36. Waiver of Authorization • To be granted by the IRB and must meet the following criteria: • The use or disclosure of PHI involves no more than minimal risk to the privacy of the individual. • The PI must provide a plan to protect identifiers, a plan to destroy the identifiers as soon as possible, and a statement that the information will not be disclosed. • The PI should provide justification as to why the research cannot be done without the waiver.

  37. Waiver of Authorization (Cont’d) • The PI should provide justification as to why the research cannot be done without the PHI. • The PI must provide a written assurance to the IRB that the PHI will not be re-used or disclosed except: • As required by law, • For authorized oversight of the research, or • For other research that has been reviewed and approved by the IRB with specific approval regarding access to this PHI.

  38. Accounting of Disclosure Applies: • Waiver of Authorization • Preparatory Research • Decedent PHI • Disclosure to Public Health Authorities • Disclosure Mandated By Law

  39. Accounting Not Applicable: • Authorization • Limited Data Sets • Disclosure to Individual (6 yrs prior to notification) • De-identified Information

  40. HIPAA Extended to Other Entities Business Associates • Indirect extension of the Privacy Rule • Business associates are: • External individuals or entities that perform a service on your behalf and that create or have access to identifiable health information; • Outside legal, actuarial, accounting, consulting, management, administrative, accreditation or data aggregation services that have access to such information

  41. Business Associates • Generally NOT a business associate: outside researchers; sponsor; study personnel • Generally considered a business associate: third party billing company/consultant; third party assisting with recruitment and/or screening

  42. Business Associates: Written Agreement • May be stand-alone or part of a larger contract • Must include: • Restrictions on how PHI may be used or disclosed • Promise to protect the PHI • Promise to return PHI at end of contract • Assurance to make PHI available for compliance • www.mc.uky.edu/compliance/HIPAA/HIPAAProjectTeam.htm

  43. Please be aware that the Privacy Rule is open to much interpretation - and every institution decides how best to implement this Rule in the context of other local/institutional policies.

  44. Researcher to do list (new protocols) • If accessing data from another covered entity, comply with their HIPAA rules (do not complete UK forms). • Include HIPAA forms with IRB applications (full, expedited, exempt). • System for accounting, revocation, access (if applicable). • Determine if Business Associate Agreement needed. • Comply with Minimum Necessary requirement.

  45. Compliance Should not be seen as something that must be done just because it is required…

  46. Compliance Should be seen as the “right thing to do” because it helps protect the rights…[of] subjects (Protecting Study Volunteers in Research, Cynthia McGuire Dunn, M.D., & Gary Chadwick, Pharm.D., MPH, 2001)

  47. Acknowledgements Pearl O’Rourke (Partners Healthcare systems) Peter Harrington (University of Vermont) Shannon Ontiveros (Vanderbilt University) Rory Jaffe (UC Davis Health Systems) Ada Sue Selwitz (University of Kentucky) Helene Lake-Bullock (University of Kentucky)
