1 / 48

HIPAA Review for Research

HIPAA Review for Research. Susan Bouregy Chief HIPAA Privacy Officer Director, Human Subjects Committee. What is HIPAA?. H ealth Insurance Portability and A ccountability A ct. Why does insurance portability affect research?. Insurance portability costs money

kasen
Download Presentation

HIPAA Review for Research

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Review for Research Susan Bouregy Chief HIPAA Privacy Officer Director, Human Subjects Committee

  2. What is HIPAA? • Health • Insurance • Portability and • Accountability • Act

  3. Why does insurance portability affect research? • Insurance portability costs money • Electronic submission of standardized claims • Huge databases and electronic data flowing over the web made people nervous • Privacy and Security Rules of HIPAA

  4. The Privacy Rule • Applies to health care providers and health plans that bill electronically • Limits how health information can be used (internally) or disclosed (externally) • Provides patients certain rights with respect to their health information

  5. HIPAA at Yale • At Yale, HIPAA applies to: • YSM • EPH • YSN • YUHS • Psychology clinics • YUHP • Benefits Office

  6. Protected Health Information (PHI) • Individually identified • AND • Past, present or future physical or mental health or condition; healthcare; or payment for healthcare • AND • Created or received by a covered entity (including PHI created in research)

  7. Facial identifiers Name Address SSN phone Fax e-mail full face photo Less obvious identifiers any dates MRN health plan # account #’s license # VIN device # URL’s IP address finger/voice print Any other unique identifying numbers, characteristics or codes 18 HIPAA identifiers

  8. What’s not covered? • De-identified health information • Research outside covered components (e.g. anthropology etc) • Studies that don’t involve health information

  9. How PHI can be used/disclosed • Healthcare providers can use/disclose for treatment, payment and healthcare operations (TPO) • Patient can authorize any use or disclosure • Privacy Rule defines other circumstances when PHI can be disclosed without patient authorization – public health, abuse, research, etc. • Allowed list does not include blanket ok for research disclosures

  10. How PHI can be used for research • Patient authorization (RAF) • IRB approved waiver of authorization • De-identified data • Limited data sets with Data Use Agreement • Decedent information • Preparatory to Research • Use “Request Access to PHI for Research Purposes” form

  11. Research authorization • What specific information will be used/disclosed by whom and to whom (classes) • Purpose of use/disclosure • How long the authorization is valid (can be forever if justified by the research) • Ability to revoke • Potential for re-disclosure if data shared with non-HIPAA covered entity • Ability (or not) to condition treatment on signing • Signature & date

  12. Common Rule consent • Statement that this is research • Purpose and duration • Procedures • Risks and benefits • Alternative procedures • Confidentiality • Compensation for injury • Who to contact • Voluntary participation • Potential for unknown risks • Potential to be pulled from study • Costs • Consequences of withdrawal • Ongoing information to be provided • Number of subjects

  13. Research authorization • Use Yale RAF template on HIC site • Can be combined with consent form = “Compound Authorization” • Can not be combined with other authorizations • Must be specific – can’t authorize future unspecified research • Can use “standard” authorization in addition to RAF to get copies of records from other sites who don’t need to know about research involvement

  14. Unauthorized disclosures that are ok under HIPAA • Adverse event reporting to FDA (public health exception) • Child or elder abuse reporting (state mandated preemption) • Mandated public health reporting (gunshot wounds, communicable diseases) • Serious threat to health or safety • Billing insurance (TPO)

  15. Sign here! I consent to this emergency surgery and authorize any scientist anywhere to have access to my records and tissues for any research purpose.

  16. Waiver of authorization • IRB must determine • Minimal risk to privacy • Research couldn’t be conducted without access and without waiver • Written assurance PHI won’t be re-disclosed or re-used except as required/permitted by law • Limited to minimum necessary

  17. “Partial waivers” and alterations • Recruitment may require access to PHI but no patient contact • Phone eligibility screens where no written authorization possible • Can waive authorization for these initial research processes and then subjects consented later • No provisions for waiving documentation only

  18. Minimum Necessary Standard • Only that information required for the research is collected • No fishing expeditions

  19. De-Identified vs Anonymous • De-identified = HIPAA, lacks 18 identifiers • Anonymous = IRB term, not actually in Common Rule; identity of the subject may not readily be ascertained • Anonymous data may or may not be de-identified

  20. Secondary use of study data • Colleague requests copies of PET scans created in a research project to perform meta analysis. • No other data requested • Scans have date of scan embedded in image which can’t be removed • What is required to release the data to external researcher?

  21. Common Rule Anonymous Not human subjects research No IRB approval No consent requirements HIPAA Date + scan = PHI HIPAA applies Authorization or waiver Accounting for disclosures Ex: PET scan including date of scan

  22. Coded data • HIPAA allows a covered entity to code data and then release the coded data as “de-identified” as long as the code is secured and not distributed with the data • Common Rule considers coded data with agreement/policy that PI can’t access code to not involve human subjects • When the PI codes the data it is not de-identified but it may be Common Rule exempt if PI does not hold the code • Codes can not be derived from identifiers (e.g. last 4 digits of SSN)

  23. Limited Data Sets • “Almost” de-identified • Can have dates and geographic info • Requires signed data use agreement • Does not require accounting for disclosures

  24. “Internal” data use agreements • Yale construct • Useful when data collected outside HIPAA context (international, schools etc) • Don’t concern yourself with HIPAA until you return to Yale • Leave identifiers at site/outside Yale covered entity

  25. Preparatory and Decedents • Preparatory to research requires no PHI leave the covered entity • Useful for feasibility determinations, grant prep, etc. • Decedent information requires PI certification that only decedents’ information requested • Covered entity can ask for proof of death • Use “Request Access to PHI for Research” form

  26. Ways to recruit subjects • Treating clinician tells patient about the study and how to contact researcher • Treating clinician obtains authorization allowing researcher to contact patient • Partial waiver

  27. Data and specimen banks • Authorization must be for specific purpose • Banks don’t know at time of collection how data/specimens will be used. Therefore, can’t obtain valid authorization for research uses • Can get authorization to bank • Access then requires a waiver for the use or disclosure of the information

  28. Patient rights in research context • Notice of Privacy Practices • NOPP describes our clinical uses/disclosures • Required to distribute in treatment studies • Access and amendment • Access is to “Designated Record Set” (information used to make treatment decisions), research data isn’t automatically included in DRS • HIPAA allows access to be denied in the course of a blinded study • Accounting for disclosures • Provide list of disclosures of PHI that are not TPO and not authorized • Data accessed under a waiver of authorization must be listed

  29. Privacy and Security • Privacy relies on adequate security • Subjects promised certain level of confidentiality in consent documents • HIPAA Security Rule specifies that we have administrative, technical and physical safeguards of ePHI • State law requires notification if “personal information” is accessed/stolen (identified financial information) • VA security directives

  30. Data classification • Low risk • No regulatory or contractual requirements for confidentiality/security • Can be released to the public • Sensitive • Contractual or other obligation to protect the data or deemed sensitive by Yale • Restricted • Data protect by law (HIPAA, FERPA) or deemed restricted by Yale

  31. Low risk data • Publicly available • De-identified data • Data collected in an “exempt” study

  32. Sensitive data • Minimal risk studies • Linking codes related to restricted data • Coded data stored separately from code • Sponsor requires data be maintained confidentially (trade secrets)

  33. Restricted data • Identified data collected in collaboration with VA • Identified HIV, mental health, genetic predisposition to disease, substance abuse, criminal history • ID theft information – social security numbers, financial account numbers • Data held under a Certificate of Confidentiality

  34. Above-Threshold Systems • Primary source, sensitive, or restricted data • ePHI critical for treatment, payment or healthcare operations • Sensitive or restricted information held in a multi-user system

  35. Above Threshold examples • A PC with database including social security numbers • Server with health information collected for research that is accessed by several members of the research team • Computer housing primary copy of patient medical record

  36. Basic System (below threshold) • Doesn’t contain above threshold information • Single user • De-identified data • Public information

  37. Above threshold requirements • Registration with Information Security • Annual review of security safeguards • Contingency plans, emergency mode operation, access controls etc.

  38. Ways to secure data • Striping identifiers • Coding data • Encryption • Secure servers (Yale data center) • Lock and key for paper records • Secure data transfer (encrypted e-mail, FedEx of encrypted CD)

  39. Other data security issues • Frequent data back-ups to ensure access • Back-up stored off-site or in secure location • Secure access to Yale systems by external collaborators • Appropriate disposal at end of life

  40. Questions • hipaa@yale.edu • www.hipaa.yale.edu • 432-5919

  41. Getting the information • You need an IDX report of all patients seen in the last 5 years who have been diagnosed with breast cancer. You e-mail your administrative assistant to get the report so you can call patients for enrollment.

  42. Getting the information • Do you have an IRB approved partial waiver? • Providing the list requires accounting by the holder of the records • Cold calls are generally considered inappropriate.

  43. Lost or stolen laptop • Help my laptop (flashdrive, CD back-ups, PDA, etc) is missing! Do I need to do anything?

  44. Lost or stolen laptop • Report to police (YU and local) • Report to Information Security • Report to IRB • Was it encrypted? • Was it backed up? • What was on it and how sensitive?

  45. Old samples • We have a freezer full of old tissue blocks that have built up over the years and we want to use them for our new exciting research.

  46. Old samples • Freezer full of samples is a repository. • Requires IRB protocol outlining how obtained and maintained. • Was there consent/authorization to keep the samples when they were collected? • Is the proposed use consistent with any prior consent/authorization?

  47. I got a great new job! • I’m leaving tomorrow for a new position and all my data, samples and equipment are loaded into my rental truck. See Ya!

  48. Great new job • Has IRB approval been obtained from the new institution? • Has Yale approved the transfer of equipment? • Are there grant funds that will be transferred? • Are there Yale personnel that rely on or have ownership interest in the equipment/data/specimens? • Has the removal of data/specimens been approved and accounted for? • Has OEHS made sure equipment and materials can be safely transported?

More Related