1 / 30

Research & Accounting for Disclosures March 12, 2008

Research & Accounting for Disclosures March 12, 2008. Leslie J. Pfeffer, BS, CHP Office of the Vice President for Research Administration Office of Compliance Services Indiana University, Indianapolis. HIPAA. HIPAA – Health Insurance Portability & Accountability Act of 1996 (P.L. 104-191).

Download Presentation

Research & Accounting for Disclosures March 12, 2008

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Research & Accounting for DisclosuresMarch 12, 2008 Leslie J. Pfeffer, BS, CHP Office of the Vice President for Research Administration Office of Compliance Services Indiana University, Indianapolis

  2. HIPAA • HIPAA – Health Insurance Portability & Accountability Act of 1996 (P.L. 104-191). • First comprehensive federal health privacy protection law.

  3. Two Key Privacy Rule Goals • Provide strong Federal protections for privacy rights • Preserve quality healthcare

  4. Why did the Government want the Privacy & Security Regulations?

  5. Major Concepts • Notice of the Use/Disclosure • Notice of Privacy Practices • Authorization • Safeguarding PHI during its use and disclosure • Researchers are entrusted with this sensitive information. • Policies that address how PHI is accessed, stored and transferred so that unauthorized use or disclosure is prevented.

  6. Creates Rights for Patients • Right to inspect & copy protected health information • Right to amend • Right to have reasonable requests for confidential communications accommodated • Right to file a complaint with the Office for Civil Rights or with the covered entity • Right to written notice of information practices from providers and health plans • Right to an accounting of disclosures

  7. Accounting for Uses/Disclosures • Upon a patient’s request, a covered entity must provide an accounting of all uses and disclosures of PHI without an authorization

  8. Protected Health Information (PHI) • PHI Individually identifiable health information, Created or received by a Covered Entity, • Relates to the: provision of health care to an individual; past, present, or future physical or mental health or condition of an individual; or payment for the provision of health care to an individual; • Identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.

  9. Access to PHI • A covered entity may use/disclose PHI to carry out essential health care functions (TPO) • Treatment • Payment • Health Care Operations

  10. Treatment • Treatment means the provision, coordination or management of health care by one or more health care providers. • Consultation between health care providers • Patient referrals • Important for • Continuity of Care • Quality of Care

  11. Payment • Payment means activities of: • Health care providers to obtain payment or be reimbursed for their services • Necessary to release information to Medicare/Medicaid and Commercial Insurance Plans to be reimbursed for services provided

  12. Health Care Operations Administrative, financial, legal and quality improvement activities necessary to run business and to support core functions of treatment and payment • Fraud and abuse detection • Conducting or arranging for medical review, legal services, auditing or monitoring • Business management and general administrative activities Quality assessment and improvement activities • Training, accreditation, certification, credentialing, licensing, reviewing, competence, evaluating performance

  13. Access to PHI for Research • Research ≠ TPO • To Use PHI for Research purposes must: • Obtain an Authorization or • Waiver of authorization approved by the Privacy Board (IU’s IRBs) • Meet one of the exceptions

  14. Access to PHI for Research • Must comply with the Minimum Necessary Rule • must take reasonable steps to limit the use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. • what PHI is reasonably necessary is determined on a case by case basis by the covered entity

  15. Exceptions to obtaining an Authorization or Waiver of Authorization • Reviews preparatory to research • Research solely on decedents’ information • Limited Data Set • De-identified Data

  16. Reviews Preparatory to Research Covered entity must obtain representation from the researcher that: • The use or disclosure of PHI is sought solely to prepare a protocol or for a similar preparatory purpose. • PHI will not be removed from the covered entity. AND • PHI is necessary for research purposes • Even though an authorization is not required, this access requires an Accounting of Disclosure

  17. Research Solely on Decedents’ Information Researcher must represent that: • Use or disclosure solely for research on decedents' information. • PHI is necessary for research, and • Individual is a decedent, and provide documentation upon covered entity's request. • Even though an authorization is not required, this access requires an Accounting of Disclosure

  18. Limited Data Sets • Limited types of identifiers can be released for research purposes (a Limited Data Set). • Limited Data Sets can only be used and released in accordance with a Data Use Agreement between the covered entity and the recipient. • The Limited Data Set can contain: • Elements of Dates. • City, town, state, and ZIP. • Other unique identifiers, characteristics and codes not previously listed as direct identifiers (next slide).

  19. Names Postal address info (if other than city, town, state, and ZIP) Telephone and fax #s E-mail address Social Security # Medical record numbers Health plan #s Account #s Certificate/license #s VIN and Serial #s, license plate #s Device identifiers, serial #s Web URLs IP address #s Biometric identifiers (finger prints) Full face photographic images and any comparable images A Limited Data Set excludes the following direct or facial identifiers

  20. Data Use Agreement • Describe permitted uses and disclosures (recipient cannot use or disclose PHI in a way that the covered entity cannot) • Identify who can use and receive the Limited Data Set • Does not require an Accounting of Disclosure More . . .

  21. PHI has been de-identified • 18 identifiers removed from data and no knowledge that remaining information can (alone or in combination with other information) identify the individual. OR • Statistically "de-identified" information. A qualified statistician determines that there is a "very small" risk that the information could be used, alone or in combination with other reasonably available information, to identify the individual and documents the methods and results of the analysis. • Does not require an Accounting of Disclosure

  22. Names. All geographic subdivisions smaller than a state, street address, city, county, precinct, ZIP Code etc. All elements of dates (except year) Telephone numbers. Facsimile numbers. Electronic mail addresses. Social security numbers. Medical record numbers. Health plan beneficiary numbers. Account numbers. Certificate/license numbers. Vehicle identifiers and serial numbers, including license plate numbers. Device identifiers and serial numbers. Web universal resource locators (URLs). Internet protocol (IP) address numbers. Biometric identifiers, including fingerprints and voiceprints. Full-face photographic images and any comparable images. Any other unique identifying number, characteristic, or code. Identifiers

  23. Other Uses and Disclosures of PHI w/o Authorization • This includes the following: • Disclosures required by law • Disclosures to public health authorities • Authorized by law to collect or receive such information for public health activities • Disclosures for adverse event reporting to certain persons subject to the jurisdiction of the FDA All the above require Accounting of Disclosure

  24. HIPAA & Recruitment Recruitment is considered research Therefore, the special provisions for research apply to recruitment

  25. Accounting for Uses & Disclosures Information required to be provided in each patient’s record for an accounting: • The date of the disclosure • The name of the entity or person who received the PHI and, if known, • the address of such entity or person • A brief description of the PHI disclosed • A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure

  26. Accounting for Uses & Disclosures If for research purposes 50 or more records are reviewed: • the name of the protocol or other research activity; • a plain language description of the protocol or other research activity, including the research purpose and the criteria for selecting the records; • brief description of the type of PHI disclosed; • date or time period during which the disclosures occurred or may have occurred, including at least the last date; • name, address and phone number of the entity that sponsored the research and the PI to which the information was disclosed; and • a statement that the PHI may or may not have been disclosed for the particular protocol or other research activity.

  27. Accounting for Uses & Disclosures • Documentation of a Use or Disclosure must be placed in the patient’s “official record” • If the record is housed by Clarian, must be documented in the Clarian record

  28. More Information • Clarian Contact Accounting for Disclosures: Roxanne Binford Compliance Services & HIPAA Send Accountings to: WH 322A Scan & email: rbinford@clarian.org or fax:  962-0304

  29. More Information • R&S website: http://www.iupui.edu/~resgrad/hipaa/hipaa_menu.htm http://www.iupui.edu/%7Eresgrad/human-sop/human-sop-menu.htm Subject Confidentiality & Privacy Policy HIPAA Information FAQ’s SOP’s Summary Safeguard Statement Recruitment Checklist

More Related