1 / 34

HIPAA – How Will the Regulations Impact Research?

HIPAA – How Will the Regulations Impact Research?. What is HIPAA?. Health Insurance Portability and Accountability Act of 1996 (Privacy Rule) November 1999 – DHHS proposed regulations December 2000 – Final Rule published August 2002 – New Final Rule published

zulema
Télécharger la présentation

HIPAA – How Will the Regulations Impact Research?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA – How Will the Regulations Impact Research?

  2. What is HIPAA? Health Insurance Portability and Accountability Act of 1996 (Privacy Rule) • November 1999 – DHHS proposed regulations • December 2000 – Final Rule published • August 2002 – New Final Rule published • December 2002 – Guidance Document published • Date of Compliance – APRIL 14, 2003

  3. Covered Entities • Health Plans (insurers and payors) • Health Care Providers (VUMC) • Health Care Clearinghouses (billing services)

  4. Privacy Rule Protects: Individually Identifiable Health Information is defined as any information collected from an individual (including demographics) that is: • created or received by a health care provider, health plan, employer, and/or health care clearinghouse • relates to the past, present or future: • physical or mental health or condition of an individual, • the provision of health care to an individual; or • payment for the provision of health care to an individual; and • identifies the individual and/or there is reasonable basis to believe that the information can be used to identify the individual. (45 CFR 160.103)

  5. Names Addresses Dates Phone Numbers Fax Numbers Social Security Numbers Medical Record Number Health Plan Numbers Account Numbers Certificate/License Numbers VIN/License Plate Numbers Device Identifiers Names of Relatives Web URLs IP addresses Biometric Identifiers Photographs and comparable images Any other unique identifying number, characteristic, or code Identifying Data Elements

  6. HIPAA Terms • PHI – Protected Health Information • Use – data accessed and shared within the covered entity • Disclosure – the providing of data outside of the covered entity, not including Business Associates • Authorization – permission provided by the patient or legal representative to use or disclose the individual’s PHI • Limited Data Set – group of data that is de-identified except for geographic location and dates

  7. HIPAA Terms Continued • Data Use Agreement – document used to create and disclose a Limited Data Set • Designated Record Set – The part of the medical record used for patient care/treatment • Minimum Necessary Standard – under certain conditions the covered entity must limit the access to PHI • Accounting of Disclosures – under certain conditions the covered entity must track disclosures of PHI, such as waiver of authorization

  8. How to Fit HIPAA into your Research?

  9. How to Use or Disclose PHI for Research Purposes • De-identified data • Limited Data Set • Authorization • Waiver of Authorization

  10. How to use or disclose PHI for research purposes (continued) • De-identification • Remove all 18 identifiers; or • Statistical Certification – the information may be considered de-identified, if an independent, qualified statistician: • Determines that the risk of re-identification of the data, alone or in combination with other data, is very small; and • Documents the methods and results by which the health information is de-identified, and the expert makes his/her determination of risk. Note: the expert may not be the researcher or anyone directly involved in the research study.

  11. How to use or disclose PHI for research purposes (continued) • Limit Data Set (LDS) • Allows access to PHI, with limited identifiable data elements, without an authorization or waiver of authorization • Requires a Data Use Agreement • Limited Data Set may include: • Dates • Geographic information (not street address) • Other unique identifying numbers, characteristics, or codes that are not expressly excluded

  12. What is a Data Use Agreement? • The investigator must agree to the following: • Not to use or disclose the LDS for any purpose other than the research project or as required by law. • To use appropriate safeguards to prevent use or disclosure of the LDS other than as provided for by the agreement. • To report to VUMC any use or disclosure of the LDS not provided for by this agreement, of which he/she becomes aware, including without limitation, any disclosure of PHI to an unauthorized subcontractor. • To ensure that any agent, including a subcontractor, to whom he/she provides the LDS, agrees to the same restrictions and conditions that applies through the agreement to the Data Recipient with respect to such information. • Not to identify the information contained in the LDS or contact the individual.

  13. How to use or disclose PHI for research purposes (continued) • Authorization • Participant provides authorization to use/disclose PHI as part of the informed consent process. MUST include the following elements: • Specific description of the information to be used/disclosed • Who may use or disclose • To whom the PHI will be disclosed • Why the use or disclosure is being made (each purpose) • Statement of how long the use or disclosure will continue

  14. Authorization elements continued: • Notice that authorization may be revoked • Notice that the information may be disclosed to others not subject to the Privacy Rule • Notice that the covered entity (VUMC) may or may not condition treatment or payment on the individual’s signature • Individual’s signature and date

  15. How to use or disclose PHI for research purposes (continued) • Waiver of Authorization • To be granted by the IRB and must meet the following criteria: • The use or disclosure of PHI involves no more than minimal risk to the privacy of the individual. • The PI must provide a plan to protect identifiers, a plan to destroy the identifiers as soon as possible, and a statement that the information will not be disclosed. • The PI should provide justification as to why the research cannot be done without the waiver.

  16. How to use or disclose PHI for research purposes (continued) • The PI should provide justification as to why the research cannot be done without the PHI. • The PI must provide a written assurance to the IRB that the PHI will not be re-used or disclosed except • As required by law, • For authorized oversight of the research, or • For other research that has been reviewed and approved by the IRB with specific approval regarding access to this PHI.

  17. Minimum Necessary Standard • A covered entity (VUMC) must try to limit the use or disclosure of PHI to the minimum necessary to achieve the research purpose. • This standard applies to the following: • Research pursuant to a waiver • Use/disclosure of decedent’s PHI • Uses preparatory to research • Limited Data Sets • Minimum Necessary Standard does not apply to the following: • Treatment disclosures or requests • Use or disclosure made with an authorization • Disclosures to the individual • Disclosures to DHHS for compliance • Disclosures required by law

  18. Accounting of Disclosures • Patients have the right to request an accounting of disclosures of their PHI for past six years. • Applies to disclosure of PHI pursuant to a waiver of authorization, disclosures required by law, and for public health purposes. • Does not apply to disclosures pursuant to an authorization or to limited data set. • The Privacy Office, not the IRB, will maintain a centralized database to track disclosures. This tracking requirement is the responsibility of the PI in conjunction with the Privacy Office.

  19. Privacy Rule Common Rule Where the Common Rule (45 CFR 46) and the Privacy Rule (45 CFR 160 & 164) disagree, the IRB must act in the best interest of protection of human subjects and follow the regulation that is more restrictive.

  20. What does not require IRB review? • Preparatory to Research • defined as any action taken, where access to PHI is required, for assessing the research question/hypothesis such as accessing medical records or querying of databases to prepare a research protocol. • The use or disclosure of the PHI is sought solely for the purpose of preparing a research protocol. • The PHI will not be removed from the covered entity (VUMC). • This PHI is necessary for the purpose of a research study.

  21. What does not require IRB review?(Continued) • Research on Decedents • Researchers may use and disclose a decedent’s PHI for research purposes without IRB review. • The following criteria must be met in the form of a statement to the covered entity (VUMC): • The use will be solely for research on the PHI of a decedent. • The PHI sought is necessary for the purposes of the research. • The researcher has documentation of the death of the individual about whom information is being sought.

  22. How do we get ready for HIPAA?

  23. April 14, 2003 IRB Approval Planned enrollment of subjects Planned research assessment period Transition Period INFORMED CONSENT DOCUMENTS GRANDFATHERED HIPAA AUTHORIZATION RIDER IS NOT NEEDED

  24. April 14, 2003 IRB Approval Planned enrollment of subjects Planned research assessment period Transition Period Informed consent documents - GRANDFATHERED Consent form(s) need HIPAA Authorization Language (Rider)

  25. April 14, 2003 Planned enrollment of subjects BUT the IRB has granted a WAIVER OF CONSENT IRB Approval Planned research assessment period Transition Period Waiver of Authorization grandfathered and no action needed.

  26. April 14, 2003 Planned enrollment of subjects IRB Approval Planned research assessment period Transition Period NEW Consent form(s) with HIPAA Authorization Language incorporated with Confidentiality Language

  27. April 14, 2003 Planned enrollment of subjects AND the study meets the criteria for Exempt under 45 CFR 46.101 category (b) 4. IRB Approval Planned research assessment period Transition Period Complete Affirmation/Data Set Agreement to obtain a Limited Data Set – This is included in the Exempt Application.

  28. April 14, 2003 Planned enrollment of subjects BUT the IRB has granted a WAIVER OF CONSENT IRB Approval Planned research assessment period Transition Period Waiver of Authorization criteria must also be met and approved. This is a combined form currently available on the web.

  29. Does this proposal involve the creating, using, and/or disclosing of PHI? HIPAA Does Not Apply no yes Does the proposal meet HIPAA criteria for Waiver of Authorization? Can the research be completed using a Limited Data Set? PI must obtain Authorization from the participant. no no yes yes Waiver granted PI must track disclosures and minimum necessary applies. PI should complete a Data Use Agreement with Affirmation Statements. Proposal Decision Path

  30. What is the IRB currently doing to prepare for HIPAA? • The IRB forms and template language are updated and on the website. • Currently approved studies that will be enrolling beyond April 14, 2003 must have an authorization rider attached to the consent document. Template language for the HIPAA authorization rider is approved and on the website. • New studies should choose the Confidentiality and Privacy of Health Information language in the template and modify to include study specific information.

  31. POINTS to REMEMBER • VU Institutional Review Board is serving as the Privacy Board for Research for the VUMC Covered Entity. • We are NOT serving as the Privacy Board for Research for institutions outside the Covered Entity (VUMC). • These institutions will need their own authorization language and will be responsible for submission as an amendment, only if VU IRB is serving as the IRB of record or coordinating center. • Sponsors are generally NOT covered entities. The IRB will not be incorporating sponsor’s language in the authorization for patients at VUMC. • The VU IRB is not serving as the Privacy Board for Research for the VAMC.

  32. HIPAA IS COMING! Compliance Date: APRIL 14, 2003

  33. Questions?

  34. Additional Training Opportunities March 24, 2003 Preston Research Building, Room 206 1:30pm - 2:30pm March 31, 2003 2209 Medical Center North 11:00am-12:00pm

More Related