What is HIPAA? HIPAA with the DHPG
Research: Medical Records, Clinical Trials
Business Associate Agreement
February 2003
Michael Shoob, Elizabeth Bankert
What is HIPAA? The Health Insurance Portability and Accountability Act of 1996, and three sets of regulations issued by the Department of Health and Human Services:
• Privacy Regulations - April 14, 2003 compliance deadline
• Transaction Standards - October 16, 2002 compliance deadline
• Security Regulations - pending
http://www.hhs.gov/ocr/hipaa/privacy.html This guidance explains and answers questions about key elements of the requirements of the HIPAA Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule). The Department of Health and Human Services (HHS) published the Privacy Rule on December 28, 2000, and adopted modifications of the Rule on August 14, 2002.
PHI = Protected Health Information
• Any information, created or received by us in any form, that identifies an individual and is related to the past, present, or future:
• Physical or mental health of the individual;
• Provision of health care to the individual; or
• Payment for health care provided to the individual.
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information. It gives patients more control over their health information. It sets boundaries on the use and release of health records. It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information. It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used. It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made. It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure. It generally gives patients the right to examine and obtain a copy of their own health records and request corrections. It empowers individuals to control certain uses and disclosures of their health information.
"Overall, these national standards required under HIPAA will make it easier and less costly for the health care industry to process health claims and handle other transactions while assuring patients that their information will remain secure and confidential," Secretary Thompson said. "The security standards in particular will help safeguard confidential health information as the industry increasingly relies on computers for processing health care transactions."
William Braithwaite, MD, PhD, “Doctor HIPAA”, PricewaterhouseCoopers
Rule #1: DON’T SURPRISE THE PATIENT
DHPG = Dartmouth Hitchcock Privacy Group:
• Dartmouth Hitchcock Clinics
• Mary Hitchcock Memorial Hospital
• Dartmouth Medical School
• Dartmouth-Hitchcock Psychiatric Associates
• Cheshire Medical Center
• Mt. Ascutney Hospital
• Upper Connecticut Valley Hospital
• Weeks Medical Center
• West Central Behavioral Health
• Other affiliated institutions using the Dartmouth-Hitchcock name to provide health care services to patients
HIPAA / DHPG Privacy Officer = Peter Johnson
Linda Messman, Director of Medical Records
Privacy Notice: http://intranet.hitchcock.org/is/hdr/pages/hipaa.html (Scott Farr / work in progress)
Privacy Notice covers Treatment, Payment and Operations (TPO). Research is not included!
Quality Assurance / Peer Review: the process of reviewing, analyzing or evaluating patient- and/or provider-specific data which may indicate (the need for) changes in systems or procedures which would improve the quality of care.
Quality Assurance / Peer Review characteristics:
• Confidential
• Learn from individual cases
• Involves patient- and/or provider-specific data
• Protected from legal discoverability
• Review often triggered by predetermined “thresholds” / criteria
• Must be conducted within the QA/PR committee structure
• Knowledge generation typically for local, immediate application
Quality / Performance Improvement: the process of reviewing, analyzing and evaluating aggregate data to understand patterns and trends. The process triggers a cycle of:
• Analyzing a process
• Identifying potential changes
• Testing changes
• Evaluating the impact of changes on measures of success
QI / PI characteristics:
• Not protected from legal discoverability
• Uses aggregate data, not patient-identifiable information
• Evaluates patterns and trends
• Not usually triggered by a specific event
• Before data collection, a commitment to a corrective / improvement action plan
• Knowledge generation typically for local, immediate application
What do researchers do when they want to access patient information for research purposes? Research: a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. Obtain IRB approval!
How can researchers access patient information for research purposes? HIPAA rules!
Six ways the IRB will allow researchers to access protected health information (PHI):
1. Obtain informed consent (authorization) from the patient
2. Waive the requirement for obtaining informed consent
3. The information is being collected only for preparatory work to research
4. Only a Limited Data Set is collected, accompanied by a Data Use Agreement
5. Only decedent data is being collected
6. The information requested is “de-identified”
6. De-identification Requirements (two methods)
HIPAA Safe Harbor, 45 CFR 164.514(b)(2)(i): remove
• Names
• Geographic subdivisions smaller than a state
• Zip codes
• Dates (birth, admission, discharge, death)
• Age, if over 89
• Telephone numbers
• Fax numbers
• E-mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate and license numbers
• Vehicle identification and serial numbers
• License plate numbers
• Device identifiers and serial numbers
• URLs
• Internet Protocol address numbers
• Biometric identifiers (finger and voice prints)
• Full face photos and comparable images
• Any other unique identifiers
Statistical, 45 CFR 164.514(b)(1):
• A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable;
• Determines that the risk of re-identification of the data, alone or in combination with other reasonably available data, is very small; and
• Documents the methods and results.
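The Safe Harbor method is mechanical enough to be applied by a filter, and the statistical method is not: a statistician's documented judgement cannot be replaced by code. The example below is added here to illustrate the Safe Harbor list as quoted on the slide; it is not code from the DHPG, HHS or any vendor. It takes one structured patient record, drops the direct identifiers, reduces the four date fields to the year and collapses ages over 89 into a single "90+" category (the year-only and 90-or-older aggregations are the ones the Safe Harbor provision itself permits). The field names, the free-text patterns and the sample record are constructed for this example. A second function scans a free-text note for patterns such as SSNs and phone numbers, because the last Safe Harbor item, "any other unique identifiers", is usually violated in narrative text rather than in a coded field.

```python
"""Safe Harbor de-identification filter (illustrative example, not DHPG or HHS code).

Applies the 45 CFR 164.514(b)(2)(i) identifier list to a structured record:
direct identifiers are dropped, dates are reduced to the year, ZIP codes are
dropped, and ages over 89 are collapsed into one "90+" bucket.
Field names and the sample record below are constructed for this example.
"""
import re
from datetime import date

# Fields on the Safe Harbor list that must be removed outright (hypothetical field names).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vin", "license_plate", "device_serial", "url", "ip_address",
    "fingerprint_id", "photo",
}

# Date fields: only the year may survive.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}

AGE_CAP = 89  # ages over 89 are reported as a single category

# Patterns that betray identifiers inside free-text notes (constructed, deliberately simple).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample record: not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "000123456",
    "zip": "03755",
    "state": "NH",
    "date_of_birth": "1910-05-02",
    "admission_date": "2003-02-11",
    "age": 92,
    "diagnosis_code": "I10",
    "ssn": "123-45-6789",
}


def generalize_date(value):
    """Return only the year of an ISO-8601 date string (YYYY-MM-DD) or a date object."""
    if isinstance(value, date):
        return value.year
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value)
    if not m:
        raise ValueError(f"unrecognised date format: {value!r}")
    return int(m.group(1))


def generalize_age(age):
    """Collapse ages over 89 into one bucket; otherwise return the age unchanged."""
    return "90+" if age > AGE_CAP else age


def safe_harbor_deidentify(record):
    """Return a new dict with Safe Harbor identifiers removed or generalized.

    Only structured fields are handled; free-text fields must be checked
    separately (see scan_free_text), since this filter cannot read prose.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # drop the field entirely
        if key in DATE_FIELDS:
            out[key.replace("date", "year")] = generalize_date(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record):
    """Audit check: list any Safe Harbor identifier fields still present in a record."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIERS or k in DATE_FIELDS)


def scan_free_text(text):
    """Return the names of identifier patterns found in a free-text field, sorted."""
    return sorted(name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(text))


if __name__ == "__main__":
    cleaned = safe_harbor_deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
    print("free-text hits:", scan_free_text("Call 603-555-0100 or write jdoe@example.org"))
```

Running the block on the sample record yields the state, the two years, the age bucket "90+" and the diagnosis code, with the residual-identifier check returning an empty list. The free-text scan is a detection aid only: a hit means the record needs a reviewer, and a clean result does not make narrative text de-identified, which is why the slide's second method exists.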
5. Decedent Information: Privacy Board or IRB
4. “Limited Use” Data Set
Not allowed:
• Names
• Postal information (OTHER than town, city, state, and zip code)
• Telephone and fax number
• E-mail addresses
• Social Security Number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate / license number
• Vehicle ID (license plate) and serial number
• Device ID and serial number
• URLs and IP addresses
• Biometric ID (finger, voice prints)
• Full face photos and comparable images
Data Use Agreement: used with a Limited Data Set. The researcher must agree:
a. to use the limited data set or PHI only for the specified purpose as described;
b. to limit who can use or receive the data to the research team directly involved in this project;
c. not to re-identify the data or contact the individuals to whom the data belongs.
3. Preparatory to Research - notice from the researcher:
1. The use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research;
2. Will not remove any PHI from the covered entity;
3. The PHI for which access is sought is necessary for the research purpose.
• This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study.
IRB Waiver of IC - requirements:
A. Use or disclosure involves no more than minimal risk to individuals;
B. Alteration or waiver will not adversely affect privacy rights and welfare of individuals;
C. Research could not practicably be conducted without the alteration or waiver;
D. Research could not practicably be conducted without access to and use of PHI;
E. Adequate plan to protect identifiers from improper use and disclosure;
F. Adequate plan to destroy identifiers at the earliest opportunity, unless there is a health or research justification or legal requirement to retain them; and
G. Adequate written assurances that PHI will not be reused or disclosed for other purposes.
1. Obtain Consent (authorization) from the Patient
1. Description of health information to be gathered
2. Identification of person authorized to disclose
3. Identification of recipient
4. Description of purpose(s)
5. Expiration date - "end of research study," "none," or similar language is sufficient if the disclosure is for research, including for the creation and maintenance of a research database or research repository
6. Statement of right to revoke
7. (In)Ability to condition treatment on the authorization statement
8. Statement regarding re-disclosure
9. Remuneration for marketing activity (if applicable)
10. Dated patient signature
11. If signed by a personal representative, a description of that person's authority
Consent Forms for Clinical Trials: Please remember each study is unique, thus the correct language for the consent form is dependent on the language in the protocol and/or contract. You will begin to see HIPAA language in sponsor provided consent form templates.
In the Consent Form, under the section entitled "Other Important Items You Should Know": add a sub-section entitled "Data Collection", and under the same section expand the current sub-section entitled "Confidentiality".
Data Collection: add a general sentence about the data to be collected, and add the following sentences as applicable for the particular study:
• The data collected in this study includes: ...
• The data collected in this study will be used for the purpose described in this form. Patient identifiable data will not be released beyond that required for the purposes of conducting this research study. By signing this form, you are allowing the research team access to your medical records. The research team includes the researchers listed in this consent form and other personnel involved in this study at DHMC and other entities as described in the "Confidentiality" section of this consent form. If you choose to withdraw from the study, you may revoke your approval for the use of your future medical information. To do this, you may contact the researcher in writing. Data which has already been collected will be maintained with the research records.
Explain how long data will be maintained. Examples:
• Data gathered from this study will be maintained for as long as the sponsor needs to obtain approval from the FDA.
• Data gathered from this study will be maintained indefinitely or as required by federal or state regulations.
If there are limits to patient access to research records, describe them here. Example: During the course of this study participants may not have access to research records. If you choose, you may request this information after the research is completed.
2. Identification of Person authorized to disclose The research team includes the researchers listed in this consent form and other personnel involved in this study at DHMC and other entities as described in the "Confidentiality" section of this consent form
3. Identification of Recipient Describe as applicable who may have access to research data - this can be added to the Confidentiality section. Example: Research data may be shared, as required by law, with Dartmouth Hitchcock Medical Center authorities and ...... Examples: Federal agencies such as the Food and Drug Administration; add as appropriate: National Co-operative Study Group, multi-center sites, insurance company. If the research is sponsored or if the data is being sent anywhere outside of DHMC, describe in some detail: The sponsor of the study, xxx, and any corresponding entities involved in the monitoring of this study (name of CRO if applicable) or Data and Safety Monitoring Committee if applicable, will also have access to this research data. These organizations do not have a regulatory obligation to protect the data. (However, if the data being released is not patient identifiable or the sponsor agrees not to redisclose patient identifiable information, a statement to that effect should be included here.)
4. Description of Purpose(s) Most consent forms describe the purpose of the research in the opening paragraphs. If not, please add.
5. Expiration date - "end of research study," "none," or similar language is sufficient if the disclosure is for research, including for the creation and maintenance of a research database or research repository Data gathered from this study will be maintained for as long as the sponsor needs to obtain approval from the FDA. Data gathered from this study will be maintained indefinitely or as required by federal or state regulations.
6. Statement of Right to Revoke If you choose to withdraw from the study, you may revoke your approval for the use of your future medical information. To do this, you may contact the researcher in writing. Data which has already been collected will be maintained with the research records.
7. (In)Ability to Condition Treatment on the Authorization statement If not already in the consent form, add in the "Other Important Items" section:
• Your decision whether or not to participate in this study, or a decision to withdraw, will not involve any penalty or loss of benefits to which you are entitled.
8. Statement Regarding Re-disclosure The wording in the contract with the sponsor will determine this statement in the consent form. If a sponsor will not re-disclose patient identifiable information, include that information; otherwise: These organizations do not have a regulatory obligation to protect the data. (However, if the data being released is not patient identifiable or the sponsor agrees not to redisclose patient identifiable information, a statement to that effect should be included here.)
9. Remuneration for Marketing Activity (if applicable) The sponsor usually provides wording for this activity, which is usually something to the effect: "You will not receive any compensation if the results of this research are used towards the development of a commercially available product."
10. Dated Patient Signature This is already required in the signature section. Please also add this sentence if it is not in the current consent form: I have been given a copy of this consent document for my own records.
11. if signed by Personal Representative, a description of that person's authority This is already required in the signature section.
PLEASE NOTE: The signed consent form must be maintained for at least 6 years after it is signed. This can be satisfied by placing the consent form in the medical record or by keeping it in the study's research files. The CIS team recently released a feature to create an electronic consent form and protocol summary.
Patients enrolled into a research study prior to April 14, 2003 do not have to sign another consent form. New patients enrolled into a clinical trial on or after April 14, 2003 will need to sign an IRB approved HIPAA compliant consent form OR the currently IRB approved consent form PLUS an IRB approved 'add on' form describing HIPAA information.
To be considered:
1. Departmentally maintained databases
2. Registries
3. Disclosures / tracking
Committee for the Protection of Human Subjects http://www.dartmouth.edu/~cphs/
a. NEW FORM: Research with PHI
b. HIPAA Compliant Consent Form Template
c. HIPAA powerpoint
• Additional HIPAA presentation / consent review dates
Additional HIPAA forum dates - review consent forms:
• Café B, 2/18, 9-10 am
• Café B, 2/21, 9-10 am
• Café B, 3/5, 9-10 am
• Café C, 3/10, 9-10:30 am
• Café B, 3/17, 2-3 pm
• Café A, 3/26, 12-1:30 pm
HIPAA EDUCATION DATES:
• 3/4, Aud E, 2:00 to 3:00 pm
• 2/18, L2B, 8:00 to 10:30 am
• 3/26, L2B, 10:30 am to 1:00 pm
HIPAA applies to Covered Entities (CEs) only: - Health Care Providers - Health Care Plans - Health Care Clearinghouse
Business Associates of HIPAA Covered Entities
Business Associate of a HIPAA Covered Entity:
• A person or entity (not a member of the Covered Entity's workforce or plan) that provides services for a Covered Entity that involve the use of protected health information (PHI)
Business Associates could include: • Pharmaceutical / Biotech Companies • Data Entry Service Vendors • Other covered entities
Business Associate Agreement The agreement does not pass the Covered Entity's full privacy requirements through to the business associate. It requires, in a written contract:
• Satisfactory assurance that PHI will be appropriately safeguarded and used only for the purposes of performing the associate's obligations
• Assurance that agents of the business associate agree to the same restrictions
• Making PHI available as required by law
• Return or destruction of all PHI at the conclusion of the contract