
Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA). HIPAA Privacy Rule: UCSF Education Module for Researchers, Research Administrators, Coordinators, Staff and IRB Members. In the Beginning. The emphasis was on the “portability” of insurance, and medical records.


Presentation Transcript


  1. Health Insurance Portability and Accountability Act (HIPAA)
     HIPAA Privacy Rule: UCSF Education Module for Researchers, Research Administrators, Coordinators, Staff and IRB Members
     Revised February 4, 2004

  2. In the Beginning
     • The emphasis was on the “portability” of insurance, and medical records.
     • The issue was how to keep electronic medical records private.
     • Little thought was given to the implications of HIPAA for research.
     • Institutions with electronic records or electronic transmission of medical information would be charged with the responsibility of protecting the privacy and security of these records.

  3. What Is the Basic Privacy Rule?
     • HIPAA-covered entities are required to protect the privacy and security of an individual’s Protected Health Information (PHI).
     • PHI may be used and disclosed for Treatment, Payment, Operations (TPO) and certain other uses and disclosures without authorization from the patient.
     • Any other use or disclosure of PHI must be authorized by the patient or conform to an exception permitted by HIPAA.
     • PHI used in research must be obtained from the Covered Entity in compliance with HIPAA.

  4. What is a Covered Entity at UC?
     • A Covered Entity (CE) is a health care provider, health plan, or health information clearinghouse.
     • The UC Covered Entity includes UC’s institutions and workforce members at the five academic health centers at UCD, UCI, UCLA, UCSD and UCSF.
     NOTE: The definition of the “Covered Entity” is different for each institution, including the SFVAMC, SFGH, Kaiser, CPMC, St. Luke’s, the Haight-Ashbury Free Clinic, and so on.

  5. What is PHI?
     • Individually identifiable information
     • Past, present, or future:
        • Health status
        • Treatment
        • Payment for health care
     • Created, used, or disclosed by a covered entity (CE)
     • In any form
     • Includes any one of the 18 identifiers as defined by HIPAA

  6. Protected Health Information (PHI): 18 Identifiers defined by HIPAA
     • Name
     • Postal address
     • All elements of dates except year
     • Telephone number
     • Fax number
     • Email address
     • URL address
     • IP address
     • Social security number
     • Account numbers
     • License numbers
     • Medical record number
     • Health plan beneficiary #
     • Device identifiers and their serial numbers
     • Vehicle identifiers and serial number
     • Biometric identifiers (finger and voice prints)
     • Full face photos and other comparable images
     • Any other unique identifying number, code, or characteristic.

  7. How does HIPAA Privacy Rule affect University Researchers?
     • Researchers will likely want to access PHI held by the CE in order to conduct research.
     • The Privacy Board must approve use of PHI for research.
     • At UCSF the Privacy Board for research is the IRB, that is, the CHR.
     • The Privacy rule applies to all active studies as of April 14, 2003.

  8. Does all human subjects research use PHI?
     Not at all! Some examples:
     • Some non-treatment studies (i.e., testing done w/no identifiers; use of aggregate data; diagnostic or genetic tests that do not go into the medical records; blood draws for protein binding studies)
     • Some interview studies and focus group studies
     • Some questionnaire studies
     • Studies that recruit subjects through ads and flyers where no PHI was accessed and none is created during research

  9. Do HIPAA regulations apply?
     Covered Entity (CE): UCSF Medical Center, Hospitals and Clinics
     • If information is obtained for the study from the CE, i.e., medical records review for recruitment, data analysis
     • If information from the study is added to the CE, i.e., information is added to Medical Records or used to make health care decisions

  10. What are the practical implications of HIPAA for Human Research at UCSF?
     • New and different vocabulary
     • Stricter control of access to Medical Records (HIMS and Faculty Practices)
     • Stricter limitations to identifying subjects for recruitment
     • Additional documentation for PI, IRB, and CE.
     Important Note: Most research being done can continue, but with additional documentation!

  11. What are the patients’ rights under HIPAA?
     • To restrict the use and disclosure of their PHI
     • To access and receive a copy of their PHI used for research purposes (unless it will cause psychological harm)
     • To receive an accounting of disclosures of their PHI by the CE
     • To request amendments to their PHI in their medical records
     • To file complaints with the University or OCR that may result in civil and criminal penalties for individuals as well as the covered entities

  12. What is the Covered Entity’s Responsibility?
     The covered entity (CE) is responsible for protecting PHI and for ensuring that PHI:
     • Is only used or released for TPO or as otherwise permitted or required by law;
     • Is not released without the patient’s authorization; or
     • Is released only under an IRB approved waiver of consent/authorization
     • Meets “minimum necessary” standard.

  13. How can an investigator access PHI for research?
     • Through a HIPAA Authorization signed by the subject (or legal representative)
     -OR-
     • Through a Waiver of Authorization requested by the PI and approved by the IRB.
     Note: UCSF policies require IRB approval for access to PHI for human subjects research.

  14. Individual Subject’s Authorization for Research Access to PHI
     • Authorization must be a separate document used along with the Consent Form for biomedical and treatment studies.
     • For some behavioral studies, Authorization may be combined with the Consent Form, but requires two separate signature lines: one for consent, and one for authorization.

  15. What does a HIPAA authorization look like?
     • The standard UC HIPAA authorization is a two-page document available on the HIPAA Forms section of the CHR website.
     • The standard SFVAMC form is also available on that site.
     • Other Covered Entities may require their own versions of the HIPAA authorizations.
     Note: Some sponsors also have their own versions of the forms, but with rare exception UCSF researchers must use the UC version.

  16. What Elements Are Required in the HIPAA Authorization?
     • Description of PHI to be disclosed
     • Name or class of recipients of information and of those authorized to disclose PHI
     • Description of research purpose
     • Expiration date, though at UC this is stated as “when study is completed.”
     • Right to cancel authorization
     • Advise subject that HIPAA protections may not apply to redisclosed information although other protections apply
     • Consequences of a refusal to sign an authorization
     • Signature of subject and date

  17. Which Research Does Not Require a Subject’s Authorization?
     • Research granted a Waiver of Consent/Authorization by the CHR
     • Research using De-Identified Data
     • Research using a Limited Data Set
     • Research not using PHI

  18. #1: Waiver of Authorization
     • PI and IRB must certify that research:
        • Could not practicably be conducted w/o waiver
        • Could not practicably be conducted w/o PHI
        • Poses minimal risk to privacy based on written assurance that the PHI will not be reused or disclosed and that there is an adequate plan to protect identifiers.
     • To accomplish this, PI fills out Waiver of Consent/Authorization Form available on CHR website and submits with application.
     • Research released by a waiver must be tracked for disclosure to the subject.

  19. #2: De-Identified Data Sets
     • There are two HIPAA-approved methods of de-identifying datasets:
        • All 18 identifiers of PHI must be removed, or
        • A qualified statistician documents the methods and analysis used to determine that
           • data is de-identified or
           • risk is very small that information can be used to identify an individual
     • IRB approval of protocol is still required
     • PI should apply for Exempt Certification from IRB.

  20. #3: Limited Data Set
     • May include only the following PHI:
        • Date(s) of service (admission, discharge)
        • Dates of birth and death
        • 5 digit zip codes and other geographic subdivisions other than street address
     • May include non-PHI information (i.e., diagnosis)
     • Does not require a subject’s authorization
     • Does require IRB approval which includes a Waiver of Consent/Authorization
     NOTE: IRB applications must include a request for a waiver of consent/authorization.

  21. #4: Research Not Using PHI
     Covered Entity (CE): UCSF Medical Center, Hospitals and Clinics
     • If information from the study is NOT added to the CE
     • If information obtained for the study does NOT come from the CE, i.e., NO medical records review for recruitment or data analysis

  22. How does a researcher gain access to PHI in Medical Records at UCSF?
     • Copy of CHR approval letter with:
        • statement of Waiver of Authorization of individual consent
        --or--
        • statement that Individual Subject Authorization will be obtained

  23. What types of CHR approvals are needed for these types of studies?
     • PHI: Full Committee or Expedited
     • De-identified PHI (no PHI used): CHR Exempt Certification
     • Limited Data Sets (limited PHI allowed): Expedited with Waiver of Authorization
     NOTE: Medical Records will require CHR approval to release PHI for research.

  24. What information is now required by the CHR to address HIPAA?
     • PIs should complete and submit the HIPAA Supplement with all full committee and expedited applications, even if no PHI is being used; Waiver of consent/authorization form if applicable (usually for recruitment purposes)
     • The pilot application (required as of January 2004) embeds HIPAA information within it.
     • Exempt applications do not require any additional information about HIPAA.

  25. What are the 8 Most Common and Acceptable Recruitment Methods?
     • PIs recruit their own patients directly
     • PIs provide PCPs a “Dear Patient” letter that instructs any interested patients how to contact PI about enrollment
     • PIs ask PCPs for referrals and may contact patients if there is documented patient permission to do so
     • PIs use CHR-approved ads, notices, and/or media

  26. Recruitment Methods (continued)
     • Faculty Practices/Clinics develop a CHR-approved recruitment protocol so subjects agree ahead of time to be contacted for research
     • PIs request a Waiver of Consent/Authorization for recruitment purposes as an exception to the regularly approved methods.
     • PIs enter data about study into the UCSF Seeking Clinical Trials Volunteer Website or another similarly managed website
     • PIs do not access PHI for recruitment purposes.

  27. Conclusion-The HIPAA Privacy Rule
     • Greater emphasis on privacy and confidentiality of medical records in both health care and research.
     • Researcher’s responsibilities are more clearly defined.
     • Subjects have more clearly defined legal rights to protect their privacy.

  28. UCSF HIPAA Websites
     • UCSF: http://www.ucsf.edu/hipaa
        • HIPAA Handbook (pdf)
        • HIPAA Training Modules
        • Privacy Officer
     • CHR: http://www.research.ucsf.edu/chr/index.asp
        • Application and Consent templates/Guidelines
        • Research Training, FAQ, information
     • UCSF Medical Center IT: http://it.ucsfmedicalcenter.org/
     • UCSF Information Security: http://isecurity.ucsf.edu
