
Presentation Transcript


    1. Privacy/Confidentiality and Research Bob Gross UCLA Health System and David Geffen School of Medicine Chief Privacy Officer Phone: 310-794-8639 Email: rhgross@mednet.ucla.edu

    2. AGENDA: Review of definitions. Uses and disclosures of PHI in research: without a subject's explicit permission (Privacy Board or IRB waiver or alteration of authorization; de-identified data; Limited Data Set; preparatory to research; information on decedents), and with a subject's explicit permission (the authorization). Breach notification. Discussion.

    3. HIPAA Requirements. HIPAA is an exception statute: in order to look at, touch or pick up, share, or disclose patient information you must meet a HIPAA exception OR have the patient's permission, using a form called the Authorization. The purpose for accessing the information determines which exception is used.

    4. Definitions. Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

    5. Definition of Provider. Any person or organization that furnishes, bills, or is paid for health care services or supplies in the normal course of business. Provider includes: researchers who provide health care to the subjects of research; free clinics; a health clinic or licensed health care professional located in a school or business.

    6. PHI and Research. Uses and disclosures of PHI in research without a subject's explicit permission: Privacy Board or IRB waiver or alteration of authorization; de-identified data; Limited Data Set; preparatory to research; information on decedents.

    7. Waiver of the authorization. The criteria for waiver of an authorization are the same for both the complete and the partial waiver. The Privacy Rule does not include the term partial waiver. The rule makes it the responsibility of the IRB/Privacy Board to ensure the criteria for the waiver are met and to determine what PHI can be used for the research project.

    8. Waiver of the authorization. An authorization can be waived if the IRB/Privacy Board determines that the use or disclosure of the PHI involves no more than minimal risk to the privacy of the subject, based on at least all of the following: an adequate plan to protect the identifiers and to destroy the identifiers at the earliest possible time; adequate written assurance that the PHI will not be reused or re-disclosed except under very limited circumstances (required by law; oversight of the research; other research after additional IRB approval).

    9. Waiver of authorization (cont.). The research cannot practicably be done without the waiver of authorization: why won't other recruitment methods be effective? Why is obtaining an authorization impractical? Example: retrospective records review of a clinical database for ER visits by patients with a gunshot wound to the head. The research cannot practicably be done without access to the PHI: why must the researcher use identifiable information for his/her study?

    10. Waiver of authorization (cont.). The IRB/Privacy Board is tasked with determining what PHI is necessary for the research project. How should this be done? Ask the researcher to specify the information needed for the specific purpose of the waiver. Examples: recruitment; retrospective records review.

    11. De-identified data? (A) Names; (B) Street address, city, county, precinct, zip code, and equivalent geo-codes; (C) All elements of dates (except year) for dates directly related to an individual, and all ages over 89; (D) Telephone numbers; (E) Fax numbers; (F) Electronic mail addresses; (G) Social security numbers; (H) Medical record numbers; (I) Health plan ID numbers; (J) Account numbers; (K) Certificate/license numbers; (L) Vehicle identifiers and serial numbers, including license plate numbers; (M) Device identifiers/serial numbers; (N) Web addresses (URLs); (O) Internet IP addresses; (P) Biometric identifiers, incl. finger and voice prints; (Q) Full face photographic images and any comparable images; and (R) Any other unique identifying number, characteristic, or code.

    12. Limited Data Set? The same identifier list applies, but a Limited Data Set may retain dates, ages, and town or city, state, and zip code; every other identifier in the list must be removed. (A) Names; (B) Street address, town or city, county, precinct, zip code, and equivalent geo-codes; (C) All elements of dates (except year) for dates directly related to an individual, and all ages over 89; (D) Telephone numbers; (E) Fax numbers; (F) Electronic mail addresses; (G) Social security numbers; (H) Medical record numbers; (I) Health plan ID numbers; (J) Account numbers; (K) Certificate/license numbers; (L) Vehicle identifiers and serial numbers, including license plate numbers; (M) Device identifiers/serial numbers; (N) Web addresses (URLs); (O) Internet IP addresses; (P) Biometric identifiers, incl. finger and voice prints; (Q) Full face photographic images and any comparable images; and (R) Any other unique identifying number, characteristic, or code.
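The two lists above differ only in what may be kept, and the difference is easiest to see in code. The following is an added example, not part of the presentation or of any UCLA system: one function applies the Safe Harbor rules of slide 11 to a record, and a second produces a Limited Data Set as on slide 12. The field names, the sample record and the free-text patterns are assumptions for illustration; a real system maps its own schema onto the (A) to (R) categories.

```python
"""Safe Harbor de-identification vs. Limited Data Set (LDS) redaction.

Added example, not from the presentation. Field names, the sample record and
the free-text patterns are assumptions used for illustration.
"""
import re

# (A), (D)-(R) on the slide: identifiers removed for Safe Harbor AND for an LDS.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_unique_id",
}
# (B): geographic subdivisions smaller than a state. Safe Harbor removes them
# all (the slide lists zip code wholesale, and this example follows the slide).
SAFE_HARBOR_GEOGRAPHY = {"street_address", "city", "county", "precinct", "zip"}
# An LDS (45 CFR 164.514(e)) may keep town/city, state and zip; street address goes.
LDS_GEOGRAPHY = {"street_address"}
# (C): dates directly related to the individual (assumed field names).
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")
# Identifiers that leak through free text; constructed patterns, not exhaustive.
TEXT_PATTERNS = [
    re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),                    # (G) SSN
    re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),   # (D)/(E) US phone or fax
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),                      # (F) e-mail
    re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),              # (O) IPv4 address
]


def scrub_text(text):
    """Redact identifier patterns inside free text such as clinical notes."""
    for pattern in TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def year_only(value):
    """Reduce an ISO date to its year, the only date element Safe Harbor keeps."""
    match = ISO_DATE.match(value)
    if not match:
        raise ValueError(f"unrecognised date format: {value!r}")
    return match.group(1)


def safe_harbor(record):
    """Return a copy of record with the Safe Harbor identifiers removed."""
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SAFE_HARBOR_GEOGRAPHY:
            continue
        if field in DATE_FIELDS:
            # A birth year on its own reveals an age over 89, so it goes too.
            if field == "dob" and over_89:
                continue
            out[field] = year_only(value)
        elif field == "age":
            # Ages over 89 collapse into a single "90 or older" category.
            out[field] = "90+" if over_89 else value
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out


def limited_data_set(record):
    """Return a copy of record fit for an LDS: dates and ages stay, direct
    identifiers and street address go, free text is still scrubbed."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in LDS_GEOGRAPHY:
            continue
        if isinstance(value, str) and field not in DATE_FIELDS:
            value = scrub_text(value)
        out[field] = value
    return out


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "4481972",
    "ssn": "123-45-6789",
    "street_address": "100 Example Way",
    "city": "Los Angeles",
    "state": "CA",
    "zip": "90095",
    "dob": "1931-04-12",
    "age": 92,
    "admit_date": "2008-11-03",
    "cpt_code": "92980",
    "notes": "Called back at 310-555-0142, wants results by email jane@example.org.",
}

if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor(SAMPLE))
    print("LDS:        ", limited_data_set(SAMPLE))
```

Two caveats a practitioner should keep in mind. Safe Harbor under 45 CFR 164.514(b)(2) also requires that the covered entity have no actual knowledge that the remaining information could identify the individual, which no field filter can check for you; and the free-text scrub is the weak point of any such pipeline, since a note can carry a name or an MRN in a form none of these patterns recognise. Whatever survives the LDS step is still PHI and may leave the covered entity only under a Data Use Agreement, as the next slide describes.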

    13. Data Use Agreement. Sets out the permitted uses and disclosures of the PHI in the LDS; identifies who is permitted to use or disclose the information; provides that the recipient will properly safeguard the data, not use the information in a manner inconsistent with the DUA, report any improper uses or disclosures to the CE, not use the information to attempt to identify or contact individuals based on the information in the LDS, and require all agents and subcontractors to comply with the terms of the DUA.

    14. Uses or Disclosures Preparatory to Research. To prepare a research protocol, the researcher provides the following assurances: the information will not be removed from the CE; the use or disclosure is sought solely to prepare a research protocol; the PHI is necessary for the research purpose.

    15. Research on Decedent Information. HIPAA protects the PHI of a decedent. Research on decedents requires the submission of an attestation statement to the CE indicating: the information is sought solely for research on decedents; the information is necessary for the research purpose; and, if requested by the CE, documentation of the death of the individual(s).

    16. Authorizations. If the researchers do not meet one of the exceptions previously discussed, the ONLY compliant way to use (this means look at) or disclose a patient's information for research is to obtain the individual's authorization.

    17. Authorization Components. Specify: information to be used or disclosed; who can use or disclose; to whom the information can be used or disclosed; purpose(s) of uses and disclosures; expiration date. Required statements: revocation; participation; re-disclosure by third parties; access to information during the study. Individual's signature and date.

    18. "The elements we require to be included in the authorization are intended to ensure that individuals knowingly and willingly authorize the use or disclosure of protected health information about them. If these elements are missing or incomplete, the covered entity cannot know which protected health information to use or disclose to whom and cannot be confident that the individual intends for the use or disclosure to occur." 65 Fed. Reg. 82657.

    19. Description of PHI to be used or disclosed. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. Information requested from system administrators must be the same as the PHI stated in the IRB protocol and subject authorization form.

    20. Who can use or disclose the information? The name or other specific identification of the person(s) or class of person(s) authorized to make the requested use or disclosure.

    21. To whom will we give the information? The name or other specific identification of the person(s) or class of person(s) to whom the covered entity may make the requested use or disclosure. If a recipient is not listed on the authorization, either specifically or at a minimum in general terms, the information cannot be shared with that recipient.

    22. The purpose of sharing the information. A description of each purpose of the requested use or disclosure. Because the rules require the authorization to specify the purpose of each requested use or disclosure, this precludes a very non-specific statement like "future research". It might also preclude a statement like "to conduct the research study".

    23. The required statement of purpose(s) must provide individuals with the facts they need to make an informed decision whether to allow release of the information. Broad or blanket authorizations requesting the use or disclosure of protected health information for a wide range of unspecified purposes should not be used. Both the information that is to be used or disclosed and the specific purpose(s) for such uses and disclosures must be stated in the authorization.

    24. RE-DISCLOSURE BY 3RD PARTY. A required statement regarding the potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer protected by this subpart.

    25. PARTICIPATION IS CONDITIONAL ON SIGNING AUTHORIZATION. A covered health care provider may condition the provision of research-related treatment on the provision of an authorization for the use and disclosure of protected health information for such research under this section. Inform the subject of the consequences of failure to sign the authorization.

    26. Right to revoke authorization. A statement informing the subject of their right to revoke their authorization in writing, the exceptions to the right to revoke, and how they can revoke the authorization.

    27. Expiration date or event. An expiration date, or an expiration event that relates to the individual or to the purpose of the use or disclosure. The statement "end of the research study" or "none" or similar language is sufficient if the authorization is for the use or disclosure of protected health information for research, including the creation and maintenance of a research database or research repository.

    28. Right to deny access. A covered entity may suspend an individual's access to PHI during the research study if the individual agreed to the suspension of access in the authorization.

    29. Verbal authorizations. The Privacy Rule does not provide for a verbal authorization. Comment: "Some commenters requested that we permit covered entities to use or disclose protected health information pursuant to a verbal authorization." Response: "To ensure compliance and mutual understanding between covered entities and individuals, we require all authorizations to be in writing."

    30. Dual research projects. A clinical trial that also collects data and/or identifiable tissue for possible future research uses or disclosures may require two authorizations. Examples: data banks; repositories.

    31. Breach notification requirement. A breach is (1) the unauthorized acquisition, access, use, or disclosure of (2) unsecured PHI which (3) compromises the privacy or security of the PHI.

    32. What is not a breach? (i) Any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if (I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; AND

    33. What is not a breach? (II) such information is not further acquired, accessed, used, or disclosed by any person; OR (ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility; and (iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.

    34. Definition of Unsecured PHI. Unsecured PHI is PHI not secured through a technology or method specified by the Secretary through guidance. The HHS guidance (Federal Register, Vol. 74, No. 79, Monday, April 27, 2009) specifies two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals: encryption and destruction.

    35. Encryption methods. Data at rest: National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Data in motion: valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.

    36. Destruction methods. The media on which the PHI is stored or recorded has been destroyed in one of the following ways: (i) paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed; (ii) electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

    37. Analysis of what is a breach. Is it an unauthorized access, acquisition, use or disclosure? It is, if the PHI was used, disclosed, accessed or acquired in a manner not permitted under Subpart E, the Privacy Rule. Example: a failure to follow the minimum necessary standard might be a breach.

    38. Analysis of what is a breach. Is it unsecured PHI? It is, if it was ePHI that was not encrypted in a manner identified by the guidance document, or if it was paper PHI.

    39. Analysis of what is a breach. Does it compromise the privacy or security of the PHI? That is, does it pose a significant risk of financial, reputational or other harm to the individual? Answering this requires a risk assessment.

    40. Risk assessment. Things to consider: Who impermissibly used or disclosed the information? To whom was the information disclosed? Was it another covered entity? What mitigating steps were taken, and when? Were reasonable assurances obtained from the recipient that the information would not be further used or disclosed? Was the information destroyed by the recipient?

    41. Risk assessment. Was the PHI retrieved or returned before it could be impermissibly accessed? You cannot delay notification hoping that a lost computer or USB drive will be recovered. Is the nature of the PHI such that it does not pose a significant financial, reputational or other risk of harm to the individual?

    42. The risk assessment should be fact specific, and the covered entity or business associate should keep in mind that many forms of health information, not just information about sexually transmitted diseases or mental health, should be considered sensitive for purposes of the risk of reputational harm, especially in light of fears about employment discrimination.

    43. Breach notification requirement. A covered entity or BA is on notice of a breach on the first day anyone in the organization, other than the employee committing the breach, knows of the breach or, with the exercise of reasonable diligence, should have known of it.

    44. Breach notification requirement. The covered entity or BA must notify the individual, or their next-of-kin or personal representative, without unreasonable delay and no later than 60 days after the breach is discovered.

    45. Breach Notification. An investigation of the facts and circumstances surrounding the breach may take some time. The time needed to investigate can be a reason for delaying notification; however, the 60 days run from the date the breach is discovered (as defined on the previous slides), not from the date the investigation is complete. The reasons for any delay must be documented.

    46. Breach notification requirement. Written notification by first class mail to the last known address of the individual, the personal representative or the next-of-kin. If you do not have a good address, then you must try other means of notification (substitute notice). Substitute notice is not required when you do not have good contact information for the personal representative or next-of-kin.

    47. Breach notification requirement. If there are 10 or more persons for whom you do not have good contact information, then the details of the breach must be posted on the home page of the covered entity's website or in major print or broadcast media. The posting must remain for 90 days and must include a toll-free number individuals can call to learn whether their information was involved.

    48. Breach notification requirement. If the nature of the breach puts the individual in imminent danger of misuse of unsecured PHI, the covered entity may also notify by telephone. If the breach involves the unsecured PHI of more than 500 people in a particular state or jurisdiction, the covered entity must also notify prominent media outlets serving the state or jurisdiction where the individuals reside. Jurisdiction is defined as a geographic area smaller than a state, such as a county, city or town.

    49. Breach notification requirement. The covered entity must notify the HHS Secretary. If the breach involves 500 or more individuals, immediate notice is required; immediate means without undue delay and at the same time as the notice to the individuals involved.

    50. Breach notification requirement. If the breach involves fewer than 500 individuals, the covered entity may keep a log of all such breaches and submit it to the Secretary annually. The log must be submitted to the Secretary no later than 60 days after the end of the calendar year.

    51. Content of the notification. A brief description of: what happened; the unsecured PHI involved in the breach; the steps the individual should take to protect themselves; the covered entity's investigation, mitigation of harm to the individual, and corrective action plan; and a contact method, such as a toll-free number, e-mail address, website or postal address, for individuals to ask questions.

    52. Discussion Case. The facts: the Protocol Director and Principal Investigator (PI) wishes to recruit 75 individuals for a clinical trial from patients who received a certain type of treatment for blocked arteries in the hospital's cardiac cath lab between June 2006 and July 2007. They would receive a new medication supposed to prevent or reduce further blockage. The PI first wishes to find out how many individuals received this treatment at the hospital. The PI approaches the HIMS director to run an electronic query for the time period using a particular CPT code. The director, concerned about the request, contacts the Privacy Officer for guidance, as there are over 200 such patients.

    53. The IRB approves the protocol, including a HIPAA authorization in the informed consent form. The PI goes back to HIMS and asks for a query that will produce the names and addresses of the patients, their medical record numbers, and a copy of each medical record. What should the HIMS director obtain from the PI? A signed authorization, because otherwise it would be providing PHI for research use?

    54. What if the protocol sponsor also wanted information (including PHI) about the individuals who were pre-screened by telephone but did not qualify for the clinical trial? The PI will not have an authorization signed by these individuals. What if all the patients were the PI's? What if the PI already had a separate research database with these patients in it?

    55. QUESTIONS
