  1. Overview of HIPAA Privacy & Confidentiality Requirements Related to Research • Tulane Human Research Protection Program (“HRPP”) • Presented by: Wade Wootan • Date: March 2010

  2. Objectives • Review the applicable federal regulations affecting the privacy of research information: • Health Insurance Portability & Accountability Act Privacy Regulations (HIPAA Privacy or HIPAA) • Human subject protection regulations of the Department of Health & Human Services (DHHS) and the Food and Drug Administration (FDA) • Who must comply? • What information is protected? • What uses & disclosures are permitted?

  3. Tulane HIPAA Policies, Procedures & Guidance • Research policies for HIPAA • See Section 16 of Tulane’s HRPP Standard Operating Policies (SOPs) found at • HIPAA authorization form found on IRBNet • TUMG HIPAA policies & forms found at

  4. HIPAA Privacy Rule: Purpose and Background • Acknowledges that, in the course of conducting research, researchers may create, use, and/or disclose individually identifiable health information (IIHI) • Recognizes that the research community has legitimate needs to use, access and disclose certain information to carry out a wide range of health research • Establishes minimum standards for protecting the privacy of IIHI • Confers certain rights on patients/subjects, including the right to access and amend their health information and to obtain an accounting of when and why their protected health information (PHI) was shared with others • Establishes the conditions under which covered entities (CEs) can provide researchers access to and use of PHI when necessary to conduct research

  5. Where a treatment relationship exists, HIPAA Privacy is intended neither to limit access to health care nor to reduce its quality • It also establishes penalties for covered entities that fail to comply, including monetary fines and/or imprisonment

  6. Use & Disclosure of Research Information • Step-by-step analysis • Accounting requirements for non-routine disclosures

  7. To whom does the Privacy Rule apply? • The HIPAA Privacy Rule applies only to: • Covered entities (CEs) (i.e., health care providers, health plans & health care clearinghouses) • Who electronically transmit any health information in connection with a transaction for which DHHS has adopted standards (e.g., transactions & code sets, coordination of benefits, authorizations, etc.) • Tulane elected to be a hybrid entity for HIPAA compliance purposes. This limits application of the Privacy Rule to its designated health care components (i.e., areas that create, use and/or disclose IIHI & electronically bill Federal payors). The following components were designated by Tulane as health care components covered by the Privacy Rule: • TUMG, its physicians and clinicians • TU employees & departments that provide management, administrative, financial, legal and operational services to TUMG and use IIHI • As a matter of policy, Tulane's HRPP standard operating policies (SOPs) apply HIPAA to human subjects research (see SOPs at section 16) • Tulane's IRB serves as the Privacy Board for HIPAA compliance purposes as it applies to research • This is in addition to the IRB's role of safeguarding the confidentiality rights of research subjects under DHHS & FDA requirements • For health care, Tulane's Privacy Officer is Glenda Folse and Security Officer is Leo Tran [see also “Designation of Healthcare Components & Hybrid Entities” (TU P&P GC-101)]

  8. Comparison—Privacy Rights Under HIPAA & Confidentiality Rights Under DHHS Regulations

  9. What health information is protected by the Privacy Rule? • The Privacy Rule applies to protected health information (PHI) created or maintained by a CE (and a CE's business associates) • What is PHI? Individually identifiable health information (IIHI) that is transmitted or maintained in any form or medium (i.e., oral, paper or electronic) • What is IIHI? Information that (1) relates to past, present or future physical or mental health or condition, health care, or payment for health care, AND (2) identifies an individual or can reasonably be used to identify an individual, AND (3) is created or received by a covered entity (health care provider, health plan or clearinghouse) • Note: PHI includes IIHI created by a CE in the course of research

  10. 18 Types of IIHI • Look for the existence of any one of the following: • More obvious identifiers: • Names • Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code; the first 3 digits of a ZIP code may be kept only if that 3-digit area contains more than 20,000 people) • SSN • Phone numbers • Fax numbers • E-mail addresses • Full-face photographs and comparable images • Less obvious identifiers: • All elements of dates (except year) directly related to an individual (birth, admission, discharge, death) and all ages over 89 (such ages may be aggregated into a single “90 or older” category) • Medical record numbers (MRN) • Health plan beneficiary numbers • Account numbers • Certificate/license numbers • Vehicle identifiers & serial numbers (VIN, license plate) • Device identifiers & serial numbers • URLs • IP addresses • Biometric identifiers (finger and voice prints) • Any other unique identifying number, characteristic or code

  11. Comparison—Definition of Individually Identifiable Information

  12. What is not covered under HIPAA? • De-identified health information (i.e., no IIHI remains), which is therefore not protected by HIPAA • Studies that do not involve health information or health care (e.g., anthropology) • IIHI held by anyone other than a CE (e.g., an independent researcher)

  13. De-Identifying PHI • CEs may use/disclose health information that has been de-identified • Before disclosing, confirm de-identification through either: • (a) Safe Harbor: all 18 IIHI identifiers are removed AND the CE has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify an individual who is a subject of the information; OR • (b) Expert (statistical) determination: a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information, and documents the methods and results of the analysis that justify the determination [45 CFR 164.514(b)]

  14. De-Identifying PHI: Statistical Verification of De-Identification • DHHS guidance on generally accepted statistical and scientific principles and methods: • Statistical Policy Working Paper 22 - Report on Statistical Disclosure Limitation Methodology (prepared by the Subcommittee on Disclosure Limitation Methodology, Federal Committee on Statistical Methodology, Office of Management and Budget) and • Checklist on Disclosure Potential of Proposed Data Releases (prepared by the Confidentiality and Data Access Committee, Federal Committee on Statistical Methodology, Office of Management and Budget) • DHHS commentary to 45 CFR 164.514(b)

  15. De-Identifying PHI: Re-Identification • Question: Can a code be used to re-identify information that previously was de-identified? • Answer: Yes. A CE may assign a code or other means of record identification to allow de-identified information to be re-identified by the CE, provided that: • The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and • The CE does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification [164.514(c)]

  16. De-Identification: Coded Data • The Privacy Rule allows a CE to code data and then disclose it as “de-identified” • The code key is secured by the CE and is not distributed with the data • Codes cannot be derived from IIHI (e.g., the last 4 digits of the SSN; a value computed from an identifier is still derived from it) • Under the Common Rule, research using coded data is considered not to involve human subjects when an agreement or policy prevents the PI from accessing the code • When the PI codes the data, the data are not de-identified under HIPAA, but the research may be Common Rule exempt if the PI does not hold the code

  17. De-Identified vs. Anonymous • De-identified health information is not PHI and thus is not protected by the Privacy Rule • “Anonymous” is a DHHS/IRB term meaning that the identity of the subject may not readily be ascertained • Anonymous can refer to the fact that identifying information was never collected • If identifying information was collected, anonymous data may or may not be de-identified under HIPAA

  18. How can PHI be used or disclosed? • Use = internal sharing, examination or analysis of PHI within a CE • Disclosure = external release, transfer or divulging of PHI by a CE • If the Privacy Rule applies, a CE can use/disclose PHI for: • TPO: treatment, payment and health care operations, even without the subject's permission • Research: • With individual HIPAA authorization [45 CFR 164.508] • IRB/Privacy Board approved waiver or alteration of authorization [164.512(i)(1)(i)] • Limited data set with a Data Use Agreement [164.514(e)] • Preparatory to research [164.512(i)(1)(ii)] • Research on decedents' information [164.512(i)(1)(iii)] • “Grandfathered” research (transition provisions) • Required by law [164.512(a)]

  19. HIPAA Authorization for Research Uses & Disclosures: Required Elements • A HIPAA authorization is the individual's signed permission and must contain: • A specific description of the information to be used/disclosed • By whom and to whom (may be classes of persons) • The purpose of the use/disclosure (be specific; an authorization cannot cover future unspecified research) • How long the authorization is valid (“end of the study” or “none” are acceptable if justified by the research) • The potential for re-disclosure (e.g., if data are shared with an entity not covered by HIPAA, they may no longer be protected by the Privacy Rule) • The individual's signature and date • A statement that treatment will not be conditioned on signing the authorization • The individual's right to revoke the authorization in writing • The Privacy Rule permits an authorization to be combined with the study informed consent; Tulane, however, does not allow combining the HIPAA authorization with any other consent documents, to avoid subject confusion

  20. Comparison—Research permissions

  21. IRB-approved waiver of HIPAA authorization • When de-identification is impractical, or it is not feasible for researchers to obtain signed authorizations for all of the PHI they need, the Privacy Rule permits the IRB (acting as Privacy Board) to approve a waiver or alteration of the authorization requirement for those uses & disclosures [164.512(i); see also Use & Disclosure of PHI for Research (TU P&P GC-012)]

  22. IRB-approved waiver of authorization (cont.) • The IRB must determine that: • The use/disclosure involves no more than minimal risk to privacy (there is an adequate plan to protect the identifiers and to destroy them at the earliest opportunity consistent with the research) • The research could not practicably be conducted without the waiver and without access to the PHI • There is written assurance that the PHI will not be re-used or re-disclosed except as required or permitted by law • The use is limited to the minimum necessary • The IRB need only review the request to waive or alter authorization (not an actual authorization form) • The IRB's waiver of authorization is documented in the IRB approval letter

  23. Partial waivers of authorization & alterations to authorization approved by the IRB • Recruitment may require access to PHI before any patient contact (e.g., record review to identify eligible patients) • Telephone eligibility screens where no written authorization is possible • Authorization can be waived for these initial research activities, with subjects providing consent/authorization later • There is no provision for waiving only the documentation of authorization (unlike documentation of informed consent under the Common Rule)

  24. Q&A: Tissue banks & old tissue samples • Question: We have a freezer full of old tissue blocks that have built up over the years and we want to use them for our new research. Is this human subjects research & is a HIPAA authorization needed? • Answer: It depends on whether human subjects research exists. Look to the investigator's intent: • Is there a systematic investigation designed to develop or contribute to “generalizable knowledge”? • Does the investigator obtain, about a living individual, either (a) data through intervention or interaction with the individual, or (b) individually identifiable private information? • If so, it is human subjects research: the freezer is a specimen repository and needs an IRB-approved protocol governing the use & maintenance of the samples • Was there consent/authorization to keep the samples when they were collected? • Was there informed consent/authorization for future research activities? • Is the proposed use consistent with any prior consent/authorization? • Otherwise, access requires an IRB waiver of authorization for the use or disclosure of the information

  25. Comparison—Cooperative Research & Waiver/Alteration of HIPAA Authorization • For multi-site research, or research requiring use/disclosure of PHI created or maintained by multiple CEs or where multiple IRBs may be involved, review of the waiver by a single IRB/Privacy Board is sufficient

  26. Comparison—Waivers of Authorization or IC Requirements

  27. Limited Data Sets: Background • The Privacy Rule permits a CE to disclose a limited data set (“almost” de-identified PHI) to a researcher for research, public health or health care operations • The receiving researcher must sign a Data Use Agreement with the CE • No authorization or IRB waiver is needed • Disclosures of a limited data set do not require an accounting

  28. Limited Data Sets: 16 Identifiers (versus 18 for de-identification) • For a limited data set to exist, remove the following IIHI: • More obvious identifiers: • Names • Postal address information other than town/city, state and ZIP code • SSN • Phone numbers • Fax numbers • E-mail addresses • Full-face photographs and comparable images • Less obvious identifiers: • Medical record numbers (MRN) • Health plan beneficiary numbers • Account numbers • Certificate/license numbers • Vehicle identifiers & serial numbers (VIN, license plate) • Device identifiers & serial numbers • URLs • IP addresses • Biometric identifiers (finger and voice prints) • Unlike de-identification, a limited data set may retain dates (e.g., birth, admission, discharge, death), town/city, state, full ZIP code and ages, and “any other unique identifying number, characteristic or code” is not on the removal list
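The following Python is an added worked example for the de-identification material on slides 10, 13, 15, 16 and 28; it is not code from the Tulane presentation or any HHS tool. It applies the Safe Harbor method (18 categories removed or generalized), produces a limited data set (16 direct identifiers removed, dates and geography kept), attaches a 164.514(c) re-identification code that is random rather than derived from the record, and runs an "actual knowledge" check for identifiers that survive in free text. The field names, the sample record and the key store are assumptions for illustration; the RESTRICTED_ZIP3 set is the list of 3-digit ZIP prefixes published in HHS Safe Harbor guidance from older census data and should be re-checked against current guidance before use.

```python
import re
import secrets

# Assumed field names for this example (not a standard schema).  These keys
# are direct identifiers that BOTH Safe Harbor (45 CFR 164.514(b)(2)) and a
# limited data set (164.514(e)(2)) require removing.
DIRECT_IDENTIFIERS = {
    "name", "street", "ssn", "phone", "fax", "email", "mrn", "health_plan_id",
    "account_number", "license_number", "vin", "device_id", "url",
    "ip_address", "biometric", "full_face_photo",
}
# Safe Harbor additionally removes "any other unique identifying number,
# characteristic or code" and geography below the state level.
SAFE_HARBOR_ONLY = {"other_unique_id", "city", "county"}
# Three-digit ZIP prefixes covering 20,000 or fewer people in the census data
# cited by HHS guidance; Safe Harbor replaces these with 000.  Re-check this
# list against current HHS guidance before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Identifier shapes that commonly leak through free-text fields such as notes.
LEAK_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # SSN
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),  # US phone / fax
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),         # e-mail
]

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0042",
    "email": "jane@example.org", "street": "12 Elm St",
    "city": "New Orleans", "state": "LA", "zip": "70118",
    "dob": "1918-05-14", "admit_date": "2010-03-02", "age": 91,
    "diagnosis": "I10",
    "notes": "Pt states brother at 504-555-0100 is emergency contact.",
}


def scrub_text(text):
    """Redact identifier patterns embedded in free text."""
    for pat in LEAK_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text


def limited_data_set(record):
    """Remove the 16 direct identifiers.  Dates, town/city, state, ZIP and
    ages stay.  The result is still PHI: share only under a Data Use Agreement."""
    return {k: (scrub_text(v) if isinstance(v, str) else v)
            for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record):
    """Safe Harbor method: all 18 identifier categories removed or generalized.
    The output is de-identified only if the CE also has no actual knowledge
    that it could still identify someone (see residual_identifiers)."""
    out = limited_data_set(record)
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    for key in list(out):
        value = out[key]
        if key in SAFE_HARBOR_ONLY:
            del out[key]
        elif key == "zip":
            zip3 = str(value)[:3]
            out[key] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key == "age" and over_89:
            out[key] = "90+"                  # aggregate all ages over 89
        elif key == "dob" and over_89:
            del out[key]                      # birth year alone would reveal age > 89
        elif isinstance(value, str) and ISO_DATE.match(value):
            out[key] = value[:4]              # keep the year only
    return out


def assign_reid_code(record, key_store):
    """Add a re-identification code per 164.514(c): random, so not derived
    from anything about the individual (no SSN fragment, no hash of the MRN),
    with the code-to-identity mapping kept by the CE in key_store, which is
    never released with the data."""
    code = secrets.token_hex(8)
    while code in key_store:                  # keep codes unique
        code = secrets.token_hex(8)
    key_store[code] = {k: record[k] for k in ("name", "mrn") if k in record}
    return {**record, "study_code": code}


def residual_identifiers(record):
    """Actual-knowledge check: fields that are still identifiers, plus any
    field whose text still matches a leak pattern."""
    hits = [k for k in record if k in DIRECT_IDENTIFIERS or k in SAFE_HARBOR_ONLY]
    hits += [k for k, v in record.items()
             if isinstance(v, str) and any(p.search(v) for p in LEAK_PATTERNS)
             and k not in hits]
    return hits


if __name__ == "__main__":
    store = {}
    coded = assign_reid_code(SAMPLE_RECORD, store)
    print("limited data set:", limited_data_set(coded))
    print("safe harbor:     ", safe_harbor(coded))
    print("residual ids:    ", residual_identifiers(safe_harbor(coded)))
    print("key store (CE only):", store)
```

Two design points worth noting. The study code comes from `secrets.token_hex`, not from a hash or fragment of the SSN or MRN: anything computed from an identifier is derived from it, which is exactly what 164.514(c) prohibits, and the mapping lives only in the CE's `key_store`. The `residual_identifiers` pass exists because removing the 18 structured fields is not enough when a notes column still carries a phone number; that is the "no actual knowledge" half of Safe Harbor made checkable.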

  29. Limited Data Sets: Data Use Agreements • Because limited data sets still contain IIHI (i.e., potentially dates and geographic data), they are PHI and a Data Use Agreement is required under the Privacy Rule • A Data Use Agreement is the way for a CE to set boundaries on the recipient researcher's use and disclosure of the PHI in the limited data set

  30. Limited Data Sets: Elements to Include in Data Use Agreements • Establish the permitted uses/disclosures of the limited data set by the recipient, consistent with the purpose of the research; no use/disclosure by the recipient that would violate the Privacy Rule if done by the disclosing CE; and • Limit who may use or receive the PHI; and • The recipient stipulates: • Not to use/disclose the information other than as permitted by the Data Use Agreement or as required by law • To use appropriate safeguards to prevent any use/disclosure not allowed by the agreement • To report to the CE any use/disclosure not allowed by the agreement of which it becomes aware • To ensure that any agents/contractors of the recipient who receive the information agree to the same restrictions • Not to identify the information or contact the subjects

  31. When to use Data Use Agreements? • Use a Data Use Agreement if the limited data set recipient/researcher: • Is an employee or workforce member of another covered entity • Is another covered entity • Is in an “internal” data use scenario where the recipient is a TU employee who is not part of TUMG [See TU Data Use Agreement Policy (GC-018)]

  32. Preparatory to Research • An investigator may use/disclose PHI to prepare a research protocol, design a study, assess study feasibility, prepare a grant, etc. • The investigator must certify (orally or in writing) that: • The use/disclosure of PHI is solely for purposes preparatory to research, • No PHI will be removed from the CE, and • The PHI sought is necessary for the research

  33. Research on Decedents' Information • An investigator may use/disclose the PHI of decedents for research • The investigator must certify that: • The use/disclosure is solely for research on the PHI of decedents, • The PHI sought is necessary for the research, & • Provide proof of death (if the CE requests it)

  34. “Grandfathered” Research • Under the Privacy Rule's transition provisions, a CE may use/disclose PHI for a research study if one of the following was obtained before the 4/14/2003 HIPAA Privacy compliance deadline: • Individual authorization or other express legal permission to use/disclose PHI for the research; • The subject's informed consent to participate in the research; or • An IRB waiver of informed consent

  35. Required by Law • The Privacy Rule permits use/disclosure of PHI required by law (Federal or State), even if no express individual permission exists. Examples include a CE disclosing PHI (as legally required): • To cancer registries (or other registries) • To public health authorities for preventing or controlling disease, injury or disability, or for public health surveillance, investigations and interventions • To a person subject to FDA jurisdiction (e.g., a sponsor) regarding an FDA-regulated product/activity for which that person has responsibility, for purposes related to the quality, safety or effectiveness of that product/activity • Includes adverse event reporting; FDA product tracking; post-market surveillance; & enabling product recalls, repairs, replacements, etc. • To health oversight agencies (e.g., Federal, State, accreditation bodies, etc.)

  36. Certificates of Confidentiality (CoC): Background • CoCs are issued by NIH, FDA & CDC to protect identifiable information in IRB-approved research from compelled disclosure • Protect against subpoena, court order or request in any Federal, State or local proceeding (i.e., civil, criminal, administrative, legislative, etc.) • Allow investigators & others with access to research records to refuse to disclose information that could identify research subjects where disclosure could have adverse consequences for subjects (e.g., to their financial standing, employability, insurability, reputation, etc.) [42 USC 241(d) (with DHHS authority delegated to the respective Federal agencies)]

  37. Certificates of Confidentiality (CoC): Adverse Consequences • Examples of research with potential adverse consequences for subjects: • Collecting genetic information • Collecting information on the psychological well-being of subjects • Collecting information on sexual attitudes, preferences or practices • Collecting data on substance abuse or other illegal or risky behaviors • Studies where subjects may be involved in litigation related to the exposures under study (e.g., breast implants, environmental or occupational exposures)

  38. Certificates of Confidentiality (CoC): Potential Recipients • Issued for single, well-defined research projects • CoCs are granted to institutions based on the PI's application • May be issued for cooperative multi-site projects • A multi-site project must have a coordinating center or “lead” institution responsible for ensuring that all participating institutions conform to the application assurances • The lead institution can apply on behalf of all associated institutions

  39. Certificates of Confidentiality (CoC): Assurances • The lead institution is responsible for ensuring that all institutions conform to the application assurances & agree to: • Protect against compelled disclosure and support/defend the authority of the CoC against legal challenges • Comply with Federal regulations on human subject protection • Not represent the CoC as an endorsement of the study by the Federal Government, or use it to coerce participation • Inform subjects of the existence of the CoC, its protections & its limitations

  40. Certificates of Confidentiality (CoC): Limits of Protection • A CoC protects data collected or maintained during any time the CoC is in effect • It protects that data in perpetuity • It does not eliminate the need to disclose data to the Government for study audits & investigations • It does not protect against disclosures that are reportable by law: • Child/elder abuse • Threat of harm to self/others • Communicable diseases • A CoC does not eliminate the need for data security, which is essential to protecting research subjects' privacy • Researchers should safeguard research data & findings from unauthorized use & disclosure

  41. Projects Not Eligible for a CoC • Not research • Not collecting personally identifiable information • No IRB review/approval • Collecting information that, if disclosed, would not significantly harm or damage the subject

  42. Minimum Necessary • The Privacy Rule limits the use, disclosure or requesting of PHI to the minimum amount of information necessary to accomplish the purpose of the use, disclosure or request • The minimum necessary standard does not apply to: • De-identified information (not PHI) • Limited data set information • Uses/disclosures made pursuant to a HIPAA authorization • Disclosures to a health care provider for treatment (payment and health care operations remain subject to minimum necessary) • Uses/disclosures required by law [See Minimum Necessary Standard (TU GC-005)]

  43. Accounting for Non-Routine Disclosures • HIPAA requires a CE to account to an individual, on request, for non-routine disclosures of PHI, including research disclosures made under a waiver of authorization rather than an authorization • For research disclosures involving 50 or more individuals, instead of listing each disclosure the accounting may provide: • The name of the protocol or other research activity; • A description of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; • A brief description of the type of PHI disclosed; • The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure; • The name, address and phone number of the research sponsor and of the researcher to whom the information was disclosed; and • A statement that the PHI of the individual may or may not have been disclosed for a particular protocol or other research activity [164.528(b)(4)]

  44. Recap