300 likes | 417 Views
Research & Accounting for Disclosures March 12, 2008. Leslie J. Pfeffer, BS, CHP Office of the Vice President for Research Administration Office of Compliance Services Indiana University, Indianapolis. HIPAA. HIPAA – Health Insurance Portability & Accountability Act of 1996 (P.L. 104-191).
E N D
Research & Accounting for DisclosuresMarch 12, 2008 Leslie J. Pfeffer, BS, CHP Office of the Vice President for Research Administration Office of Compliance Services Indiana University, Indianapolis
HIPAA • HIPAA – Health Insurance Portability & Accountability Act of 1996 (P.L. 104-191). • First comprehensive federal health privacy protection law.
Two Key Privacy Rule Goals • Provide strong Federal protections for privacy rights • Preserve quality healthcare
Why did the Government want the Privacy & Security Regulations?
Major Concepts • Notice of the Use/Disclosure • Notice of Privacy Practices • Authorization • Safeguarding PHI during its use and disclosure • Researchers are entrusted with this sensitive information. • Policies that address how PHI is accessed, stored and transferred so that unauthorized use or disclosure is prevented.
Creates Rights for Patients • Right to inspect & copy protected health information • Right to amend • Right to have reasonable requests for confidential communications accommodated • Right to file a complaint with the Office for Civil Rights or with the covered entity • Right to written notice of information practices from providers and health plans • Right to an accounting of disclosures
Accounting for Uses/Disclosures • Upon a patient’s request, a covered entity must provide an accounting of all uses and disclosures of PHI without an authorization
Protected Health Information (PHI) • PHI Individually identifiable health information, Created or received by a Covered Entity, • Relates to the: provision of health care to an individual; past, present, or future physical or mental health or condition of an individual; or payment for the provision of health care to an individual; • Identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.
Access to PHI • A covered entity may use/disclose PHI to carry out essential health care functions (TPO) • Treatment • Payment • Health Care Operations
Treatment • Treatment means the provision, coordination or management of health care by one or more health care providers. • Consultation between health care providers • Patient referrals • Important for • Continuity of Care • Quality of Care
Payment • Payment means activities of: • Health care providers to obtain payment or be reimbursed for their services • Necessary to release information to Medicare/Medicaid and Commercial Insurance Plans to be reimbursed for services provided
Health Care Operations Administrative, financial, legal and quality improvement activities necessary to run business and to support core functions of treatment and payment • Fraud and abuse detection • Conducting or arranging for medical review, legal services, auditing or monitoring • Business management and general administrative activities Quality assessment and improvement activities • Training, accreditation, certification, credentialing, licensing, reviewing, competence, evaluating performance
Access to PHI for Research • Research ≠ TPO • To Use PHI for Research purposes must: • Obtain an Authorization or • Waiver of authorization approved by the Privacy Board (IU’s IRBs) • Meet one of the exceptions
Access to PHI for Research • Must comply with the Minimum Necessary Rule • must take reasonable steps to limit the use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. • what PHI is reasonably necessary is determined on a case by case basis by the covered entity
Exceptions to obtaining an Authorization or Waiver of Authorization • Reviews preparatory to research • Research solely on decedents’ information • Limited Data Set • De-identified Data
Reviews Preparatory to Research Covered entity must obtain representation from the researcher that: • The use or disclosure of PHI is sought solely to prepare a protocol or for a similar preparatory purpose. • PHI will not be removed from the covered entity. AND • PHI is necessary for research purposes • Even though an authorization is not required, this access requires an Accounting of Disclosure
Research Solely on Decedents’ Information Researcher must represent that: • Use or disclosure solely for research on decedents' information. • PHI is necessary for research, and • Individual is a decedent, and provide documentation upon covered entity's request. • Even though an authorization is not required, this access requires an Accounting of Disclosure
Limited Data Sets • Limited types of identifiers can be released for research purposes (a Limited Data Set). • Limited Data Sets can only be used and released in accordance with a Data Use Agreement between the covered entity and the recipient. • The Limited Data Set can contain: • Elements of Dates. • City, town, state, and ZIP. • Other unique identifiers, characteristics and codes not previously listed as direct identifiers (next slide).
Names Postal address info (if other than city, town, state, and ZIP) Telephone and fax #s E-mail address Social Security # Medical record numbers Health plan #s Account #s Certificate/license #s VIN and Serial #s, license plate #s Device identifiers, serial #s Web URLs IP address #s Biometric identifiers (finger prints) Full face photographic images and any comparable images A Limited Data Set excludes the following direct or facial identifiers
Data Use Agreement • Describe permitted uses and disclosures (recipient cannot use or disclose PHI in a way that the covered entity cannot) • Identify who can use and receive the Limited Data Set • Does not require an Accounting of Disclosure More . . .
PHI has been de-identified • 18 identifiers removed from data and no knowledge that remaining information can (alone or in combination with other information) identify the individual. OR • Statistically "de-identified" information. A qualified statistician determines that there is a "very small" risk that the information could be used, alone or in combination with other reasonably available information, to identify the individual and documents the methods and results of the analysis. • Does not require an Accounting of Disclosure
Names. All geographic subdivisions smaller than a state, street address, city, county, precinct, ZIP Code etc. All elements of dates (except year) Telephone numbers. Facsimile numbers. Electronic mail addresses. Social security numbers. Medical record numbers. Health plan beneficiary numbers. Account numbers. Certificate/license numbers. Vehicle identifiers and serial numbers, including license plate numbers. Device identifiers and serial numbers. Web universal resource locators (URLs). Internet protocol (IP) address numbers. Biometric identifiers, including fingerprints and voiceprints. Full-face photographic images and any comparable images. Any other unique identifying number, characteristic, or code. Identifiers
Other Uses and Disclosures of PHI w/o Authorization • This includes the following: • Disclosures required by law • Disclosures to public health authorities • Authorized by law to collect or receive such information for public health activities • Disclosures for adverse event reporting to certain persons subject to the jurisdiction of the FDA All the above require Accounting of Disclosure
HIPAA & Recruitment Recruitment is considered research Therefore, the special provisions for research apply to recruitment
Accounting for Uses & Disclosures Information required to be provided in each patient’s record for an accounting: • The date of the disclosure • The name of the entity or person who received the PHI and, if known, • the address of such entity or person • A brief description of the PHI disclosed • A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure
Accounting for Uses & Disclosures If for research purposes 50 or more records are reviewed: • the name of the protocol or other research activity; • a plain language description of the protocol or other research activity, including the research purpose and the criteria for selecting the records; • brief description of the type of PHI disclosed; • date or time period during which the disclosures occurred or may have occurred, including at least the last date; • name, address and phone number of the entity that sponsored the research and the PI to which the information was disclosed; and • a statement that the PHI may or may not have been disclosed for the particular protocol or other research activity.
Accounting for Uses & Disclosures • Documentation of a Use or Disclosure must be placed in the patient’s “official record” • If the record is housed by Clarian, must be documented in the Clarian record
More Information • Clarian Contact Accounting for Disclosures: Roxanne Binford Compliance Services & HIPAA Send Accountings to: WH 322A Scan & email: rbinford@clarian.org or fax: 962-0304
More Information • R&S website: http://www.iupui.edu/~resgrad/hipaa/hipaa_menu.htm http://www.iupui.edu/%7Eresgrad/human-sop/human-sop-menu.htm Subject Confidentiality & Privacy Policy HIPAA Information FAQ’s SOP’s Summary Safeguard Statement Recruitment Checklist