160 likes | 284 Views
Health Insurance Portability and Accountability Act (HIPAA) and Human Research. Vanderbilt University Medical Center Education Module. Vanderbilt as a Hybrid Entity.
E N D
Health Insurance Portability and Accountability Act (HIPAA) and Human Research Vanderbilt University Medical Center Education Module
Vanderbilt as a Hybrid Entity HIPAA is a federal law that protects the privacy and security of an individual’s health information held by a “Covered Entity.” HIPAA supplements the Common Rule and the FDA’s protections for human subjects. For purposes of HIPAA, “Covered Entity” includes health care providers, health care plans, and health care clearinghouses that conduct specified transactions electronically. Vanderbilt University is engaged in both Covered Entity functions and other activities that are not Covered Entity functions and is therefore considered a Hybrid Entity. HIPAA regulations only apply to the Covered Entity functions.
Hybrid Entity Covered Entity Designation As of March 30, 2005 the Vanderbilt Covered Entity (VCE) includes: • Vanderbilt University Medical Center hospitals, clinics, and practices • Vanderbilt Medical Group (VMG) • Vanderbilt School of Medicine (SOM) • Vanderbilt School of Nursing (SON) • Vanderbilt Health Plan • VUMC Administration for covered functions that involve the use and disclosure of PHI. Whether a Vanderbilt function or individual’s activity on behalf of VU is included in the VCE is hereafter determined based not upon any particular dept/unit, but instead upon the data being used and/or disclosed.
Data Categories • Individually Identifiable Health Information (IIHI) – information collected from an individual that is created or received by a health care provider, employer, plan, or clearinghouse and relates to the past, present, or future physical or mental condition of the individual; the provision of health care to an individual; or the past, present, or future payment for the provision of care; and identifies the individual or can reasonably be used to identify the individual. • Protected Health Information (PHI) – IIHI transmitted or maintained in any form by a covered function within the Vanderbilt covered entity. This specifically excludes education and employment records, as well as research health information.
Data Categories • Research Health Information (RHI) – a term used by Vanderbilt to identify Individually Identifiable Health Information (IIHI) used for research purposes that is not PHI, and thus is NOT subject to the HIPAA privacy and security regulations. RHI is created in connection with research activity and is not created in connection with patient care activity. If a researcher is also a health care provider and IIHI is created in connection with the researcher’s health care provider activities, then the IIHI is PHI and is subject to HIPAA. IIHI that is created as PHI and is needed for research purposes may be disclosed to a researcher subject to the IRB approval process, which includes proper patient authorization or IRB waiver of authorization. After the PHI is properly disclosed to the research setting, the IIHI transferred to the research setting becomes RHI, which is no longer subject to the requirements of HIPAA.
PHI <-> RHI(prepared by Daniel Masys, M.D.) Internal disclosure PHI RHI HIPAAAuthorization Authorization converts PHI to RHI whose use is governed by terms of authorization or IRB waiver Subject to HIPAA requirements (and potentially, penalties) PHI RHI Researchcreatesnew information added to medical records
Data Categories • De-identified Data – IIHI that has been stripped of the 18 identifiers of the individual or relatives, employers, or household members of the individual as defined in the HIPAA regulations. Fully de-identified data is no longer considered PHI and therefore is not subject to HIPAA requirements. • Limited Data Set (LDS) -PHI that excludes direct identifiers of the individual or relatives, employers, or household members of the individual with certain exceptions including city, state, zip code, elements of dates, and other numbers, characteristics or codes not listed as direct identifiers.
HIPAA Defined Identifiers That Must be Removed from PHI to be a Limited Data Set • Names; • Postal address information, other than town or city, State, and zip code; • Telephone numbers; • Fax numbers; • Electronic mail addresses; • Social security numbers; • Medical record numbers; • Health plan beneficiary numbers; • Account numbers; • Certificate/license numbers; • Vehicle identifiers & serial numbers, including license plate numbers; • Device identifiers and serial numbers; • Web Universal Resource Locators (URLs); • Internet Protocol (IP) address numbers; • Biometric identifiers, including finger and voice prints; and • Full face photographic images and any comparable images.
Identifiers That Must Be Removed In Addition to Those Required for a LDS if the Data is to be Fully De-Identified • All geographic subdivisions smaller than a State, including street address, county, precinct, and their equivalent geocodes, except for the initial three digits of a zip code under certain circumstances; • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all individual ages over 89; • Any other unique identifying number, characteristic, or code, except as permitted under the implementation specifications for re-identification.
Uses and Disclosures for Research HIPAA and VUMC policy generally limit the use and disclosure of PHI to treatment, payment, and administrative operation (TPO) functions, unless proper authorization is secured from the patient. Research falls outside of TPO and will always require specific authorization or other protections. PHI can be used or disclosed for research purposes if one of the following conditions is met: With a specific authorization signed by the patient With an IRB waiver of this authorization Under the “Preparatory to Research” criteria in IRB Policy X.A As a limited data set in conjunction with a Data Use Agreement As fully de-identified data For research on decedents Disclosures related to FDA-regulated products.
Requirements for Use or Disclosure of Data for Human Research PHI Limited Data Set De- identified Data or or Exempt research, no PHI IRB Exemption IRB waiver Patient Authorization Waiver from IRB and Data Use Agreement Accounting of disclosure is NOT required Accounting of disclosure is NOT required Accounting of disclosure NOT required Disclosure Accounting IS REQUIRED
Requirements for Use or Disclosure of Data for Research The table below shows, generally, how the HIPAA rules apply to the IRB oversight of human research.
Use of PHI for Research Requires Patient Authorization or Waiver of Authorization from the IRB • PHI may be disclosed to a researcher who is also a health care provider pursuant to patient authorization or IRB Waiver • Use of PHI with proper patient authorization does NOT require disclosure tracking. • Use of PHI through an IRB Waiver of Authorization DOES require disclosure tracking (even for use by a Vanderbilt researcher) • Disclosure Tracking may be done for each record through the online system accessed through StarPanel; or a direct link on the HIPAA website; or in batch using a Disclosure Template available from the Privacy Office
Use of a Limited Data Set • HIPAA allows the VCE to disclose partially de-identified data – called a limited data set – for research purposes without obtaining patient authorization or an IRB waiver of authorization. • Use of a Limited Data Set does NOT trigger the requirement for disclosure tracking. • Use of a Limited Data Set always requires a Data Use Agreement. • The IRB application forms contain the required elements of a Data Use Agreement for use and disclosure of data within Vanderbilt University in the Section labeled Intra-Vanderbilt Data Use Agreement. • A stand alone external Data Use Agreement must be prepared whenever the LDS will be shared for use or disclosure by a person or entity not employed by Vanderbilt University. This language can be obtained from the Office of Grants and Contract Management or the Privacy Office.
Research Activities Without IRB Review HIPAA permits researchers to conduct certain research activities that are not subject to IRB review. • Use of PHI consistent with the “Preparatory to Research” criteria defined in IRB Policy X.A • Use of PHI for research on decedents. HIPAA requires researchers requesting data for such research activities to provide written representations that: • the information is being used only for such purposes; • is necessary; and • will not be removed from VUMC; or • only involves deceased individuals, as applicable. Managers of areas that release data for these research purposes will manage the collection of these representations when a request for data is made.
Contact Information • Questions related to HIPAA requirements for research may be directed to the Privacy Office at 936-3594 or email Privacy.Office@vanderbilt.edu • Questions related to IRB requirements may be directed to the IRB Office at 322-2918.