
HIPAA and Clinical Research: Practical Tips for Managing Privacy and Protocols
Heather Fields, J.D.
Beth DeLair, J.D.






Presentation Transcript


    2. 1 Presentation Overview
        - HIPAA's Impact on Research Programs
        - Authorizations
        - PHI Pathways for Researchers
        - HIPAA's Impact on Subject Recruitment
        - Human Subjects' HIPAA Rights
        - Transition Issues
        - Case Study: Integrating HIPAA Privacy Requirements and Research at University of Wisconsin-Madison
        - Questions and Answers


    4. 3 Examples of Non-Covered Entities Involved in Research
        - Universities
        - Research Foundations
        - Student Health Services (if they do not bill for services)
        - Non-treating Ph.D.s
        - Contract Research Organizations
        - IRBs
        - Data Warehousing/Data Management Companies
        - Pharmaceutical Companies


    6. 5 Researchers Are Not Business Associates
        - A Business Associate is a person or entity conducting a covered function or activity (e.g., payment or health care operations) or providing one of the following services: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services
        - Research is not a covered function or activity or a business associate service
        - Even if a covered entity hires a researcher to do research on its behalf, the researcher is not a business associate


    8. 7 HIPAA and Research: Examples of Research Data Protected by the Privacy Rule
        - All research data, regardless of funding source, involving/associated with treatment
        - Identifiable or coded data or human tissue, DNA, blood or organs (e.g., samples that have been coded where the researcher controls the coding)
        - Health information in medical or billing records maintained by a Covered Entity

    9. 8 HIPAA and Research: Examples of Research Data NOT Protected by the Privacy Rule
        - Research on de-identified records, data or tissue, blood, DNA samples
        - Health information created by a non-covered entity (e.g., Ph.D., pharmaceutical company)
        - NOTE: Health information received or purchased by a non-covered party from a Covered Entity may still be protected by HIPAA


    11. 10 De-Identification Safe Harbor: Data Elements That Must Be Removed
        - Name
        - Address, including city, county and zip code
        - Dates, including birth date, admission date, discharge date and date of death
        - Telephone and fax numbers
        - Electronic mail addresses
        - Social security numbers
        - Medical record numbers
        - Health plan beneficiary number
        - Account number
        - Certificate/license number
        - Vehicle or other device serial number
        - Web URL
        - Internet Protocol address
        - Finger or voice prints
        - Photographic images
        - Any other unique identifying number, characteristic or code

    12. 11 De-Identifying Health Information: Statistical De-Identification
        - Statistically de-identify using generally accepted de-identification methods
        - Obtain certification from a statistician that:
            - appropriate methods have been used
            - there is a "very small" risk that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify the individual

    13. 12 De-Identifying Health Information: Limited Data Sets
        - Set of data with "facial" identifiers of the individual or of relatives, employers or household members of the individual removed (e.g., name, address, social security number, medical record number)
        - May be used/disclosed only for purposes of research, public health or health care operations
        - Recipient of limited data set must enter into a data use agreement specifying what use will be made of the limited data set, who will be permitted to access it, and limitations on further disclosure or use


    15. 14 Privacy Rule's Impact on Research Program Stakeholders
        - Subjects: Grants control over use of PHI
        - Investigators and Sponsors: Provides continued access to PHI for research purposes
        - IRBs: Sets forth special role and responsibilities with respect to protection of subjects' privacy
        - Human Subject Protection Offices: Requires development of HIPAA-compliant policies and procedures; creation of privacy board; identification of business associates
        - Institutional Officials of Covered Entities: Establishes responsibility for overall HIPAA compliance; policies and procedures; data management; grants management

    16. 15 How will you “fit” HIPAA Privacy into your operations?

    17. 16 Follow 10 Easy Steps

    18. 17 HIPAA For Research in 10 Easy Steps
        - Step 1: Differentiate Roles: Common Rule vs. HIPAA
        - Step 2: Know the Five HIPAA PHI Pathways
        - Step 3: Define the IRB's HIPAA Compliance Role
        - Step 4: Use/Disclose PHI in the Minimum Necessary Way
        - Step 5: Ensure Subject Recruitment Complies with HIPAA
        - Step 6: Uphold Subjects' HIPAA Rights
        - Step 7: Watch Out for Transition Issues
        - Step 8: Comply with HIPAA's Administrative Requirements
        - Step 9: Understand the Business Associate Rule
        - Step 10: Seek HIPAA Training for IRB Members and Staff

    19. 18 Step 1: Understand the Difference Between the Common Rule and the Privacy Rule
        Common Rule
        - Governs Human Subject Protections
        - Requires Consent
        - Sets forth IRB review exemption requirements
        - May apply to research even if data is de-identified
        HIPAA Privacy Rule
        - Governs Use/Disclosure of PHI
        - Requires Authorization
        - Sets forth waiver of authorization requirements
        - May apply even if study is exempt

    20. 19 Step 2: Know the Five HIPAA Pathways to PHI for Research
        - Pathway 1: Get Patient to Sign a HIPAA Authorization
        - Pathway 2: Use Safe Harbored/Statistically De-Identified PHI
        - Pathway 3: Access Limited Data Set per Data Use Agreement
        - Pathway 4: Obtain Privacy Board Waiver of Authorization
        - Pathway 5: Review only PHI that is "minimally necessary"
            - for preparatory research; or
            - to study information of deceased individuals

    21. 20 PHI Pathway No. 1: HIPAA Authorization
        - Specific, meaningful description of PHI to be used/disclosed
        - Names of persons authorized to receive, create, and/or use PHI
        - Names of persons to whom PHI may be disclosed
        - Statement of purpose of use/disclosure
        - Expiration date/event ("end of research" or "none" ok)
        - Statement of right to revoke
        - Signature/date
        - Any potential for redisclosure identified

    22. 21 Differences Between HIPAA Authorization and Informed Consent Form (cont.)
        Informed Consent
        - Governed by Common Rule
        - Required to participate in the research based on the risks and benefits
        - Reviewed by the IRB, unless waived
        HIPAA Authorization
        - Governed by Privacy Rule
        - Required to use or disclose PHI for research purposes
        - Likely to be reviewed by IRB, but not required
        - May be waived by Privacy Board

    23. 22 PHI Pathway No. 2: Use De-Identified Health Information
        - Satisfy De-identification Safe Harbor
            - Must remove all 18 identifiers
            - No dates or five-digit zip codes
        - Statistically De-Identify Using Generally Accepted Statistical De-Identification Methods
            - Must obtain certification from a statistician that there is a "very small" risk that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify the individual

    24. 23 PHI Pathway No. 3: Access Limited Data Set
        - Data must be "facially" de-identified (e.g., name, address, social security number, medical record number removed)
        - May be used/disclosed only for research purposes
        - Must enter into data use agreement with Covered Entity specifying what use will be made of the limited data set, who will be permitted to access it, and limitations on further disclosure or use
        - If researcher is creator of limited data set, may also need to enter into Business Associate Agreement
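Pathways 2 and 3 above, together with slides 10 to 12 (the Safe Harbor identifier list and the limited data set description), are the two pathways a data steward actually implements in code, and the contrast between them is easiest to see on one record. The Python below is an added example written for this page, not material from the presentation or from UW-Madison: it applies both pathways to a constructed patient record and then runs a residual-identifier check of the kind a release reviewer would want. The field names, sample values and regular expressions are assumptions. Date handling (the year may be kept) and age handling (ages over 89 aggregated into "90+") follow the Safe Harbor rule at 45 CFR 164.514(b) rather than the slide's shorthand "no dates"; the ZIP code is dropped outright as the slide says, although the rule permits a three-digit prefix under a population condition.

```python
import re
from datetime import date
from pprint import pprint

# Reference date for age computation: the compliance date named on the slides.
AS_OF = date(2003, 4, 14)

# Safe Harbor identifier list from the slides, mapped to hypothetical field names.
SAFE_HARBOR_REMOVE = frozenset({
    "name", "street_address", "city", "county", "zip",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_or_device_serial", "url", "ip_address",
    "biometric", "photo", "other_unique_id",
})
# Dates tied to the individual are handled separately: the rule lets the year stay.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})
# A Limited Data Set strips only the direct ("facial") identifiers and may keep
# town/city, state, ZIP and dates. Design choice here: county is dropped as well.
LDS_REMOVE = SAFE_HARBOR_REMOVE - {"city", "zip"}

# Identifier shapes that leak through free-text fields such as clinical notes.
DIRECT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
DATE_PATTERN = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")

# Constructed sample record: every value is made up for this example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example Street",
    "city": "Madison",
    "state": "WI",
    "county": "Dane",
    "zip": "53703",
    "birth_date": "1910-01-15",
    "admission_date": "2003-02-11",
    "discharge_date": "2003-02-15",
    "phone": "608-555-0100",
    "email": "jane.sample@example.org",
    "ssn": "123-45-6789",
    "mrn": "MRN0001234",
    "diagnosis_code": "I10",
    "lab_result_mg_dl": 142,
    "notes": "Pt called from 608-555-0100 on 2003-02-20; SSN 123-45-6789 on file.",
}


def scrub_text(text, keep_dates):
    """Replace identifier-shaped substrings in free text with a marker."""
    for label, pattern in DIRECT_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    if not keep_dates:
        text = DATE_PATTERN.sub("[DATE REMOVED]", text)
    return text


def _age_on(born, as_of):
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def safe_harbor_deidentify(record, as_of=AS_OF):
    """Pathway 2 (Safe Harbor): drop every listed identifier, reduce dates to the
    year, and aggregate ages over 89 into "90+" as the rule requires."""
    out = {k: v for k, v in record.items() if k not in SAFE_HARBOR_REMOVE}
    for field in sorted(DATE_FIELDS.intersection(out)):
        value = date.fromisoformat(out.pop(field))
        if field == "birth_date" and _age_on(value, as_of) > 89:
            out["age_category"] = "90+"  # even the birth year would reveal age > 89
            continue
        out[f"{field}_year"] = value.year
    return {k: scrub_text(v, keep_dates=False) if isinstance(v, str) else v
            for k, v in out.items()}


def limited_data_set(record):
    """Pathway 3 (Limited Data Set): remove only the direct identifiers; dates,
    city and ZIP stay, which is why a data use agreement is required for release."""
    return {k: scrub_text(v, keep_dates=True) if isinstance(v, str) else v
            for k, v in record.items() if k not in LDS_REMOVE}


def residual_identifiers(record, forbidden_fields, include_dates):
    """Release check a reviewer can run: list every field that is still a forbidden
    identifier and every string value that still looks like one."""
    findings = [f"field:{k}" for k in record if k in forbidden_fields]
    for k, v in record.items():
        if not isinstance(v, str):
            continue
        findings += [f"{k}:{label}" for label, p in DIRECT_PATTERNS.items() if p.search(v)]
        if include_dates and DATE_PATTERN.search(v):
            findings.append(f"{k}:date")
    return findings


if __name__ == "__main__":
    pprint(safe_harbor_deidentify(SAMPLE_RECORD))
    pprint(limited_data_set(SAMPLE_RECORD))
    print(residual_identifiers(limited_data_set(SAMPLE_RECORD), LDS_REMOVE, include_dates=False))
```

The residual check is the part worth keeping in a real pipeline: structured fields are easy to drop by name, but the free-text note still carries a phone number and an SSN after the column-level step, and only the pattern pass catches them. Running the check with the pathway's own forbidden-field set (Safe Harbor or LDS) before release turns the slide's checklist into something that fails loudly rather than silently.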

    25. 24 PHI Pathway No. 4: Privacy Board Waiver of Authorization
        - Research could not practicably be conducted without the waiver
        - Research could not practicably be conducted without access to and use of the PHI
        - Disclosure involves no more than minimal privacy risk to the individuals
        - Adequate plan to protect the PHI from improper use and disclosure
        - Plan to destroy the identifiers at the earliest opportunity (unless there is adequate justification not to destroy them)
        - Adequate written assurances that PHI will not be reused or disclosed to any other person, except as required or permitted by law

    26. 25 PHI Pathway No. 5: Using PHI for Preparatory Research
        Covered Entity may disclose health information to a researcher to prepare a research protocol, if the researcher certifies:
        - Review is necessary to prepare a research protocol
        - No health information will be removed by the researcher during the review
        NOTE: No definition in Privacy Rule for "remove"; some argue that remove means disclosure and therefore a Covered Entity may use PHI internally under this exception
        Minimum Necessary Standard applies

    27. 26 PHI Pathway No. 5: Research Involving PHI of Deceased Individuals
        Researcher may review health information of deceased persons without authorization, if researcher certifies that:
        - review is solely for research purposes
        - information which is sought is necessary to conduct the research
        Minimum Necessary Standard applies

    28. 27 Step 3: Define the HIPAA Compliance Role of the IRB and the Research Compliance Office
        NOTE: Institution may handle outside of IRB
        IRB may, but is not required to:
        - Review HIPAA Authorizations
        - Serve as Privacy Board and Review Authorization Waiver Requests
        Research Compliance Office may, but is not required to:
        - Review requests to access PHI for Preparatory Research or Decedent Research
        - Review Limited Data Set Agreements
        - Ensure Proper De-identification
        - Ensure subject recruitment practices comply with HIPAA

    29. 28 Step 4: Use and Disclose in the HIPAA Minimum Necessary Way
        - A Covered Entity must try to limit the "amount" of PHI it uses, discloses, or requests to the minimum necessary to achieve the purpose
        - Business Associates must also comply with the Minimum Necessary Standard when using PHI
        - Example of application to IRB: request for additional information regarding an adverse event
        - Example of application to research administrator: review of medical records for purposes of conducting a compliance audit

    30. 29 Step 4: Use and Disclose in the HIPAA Minimum Necessary Way (cont.)
        Minimum Necessary Standard Applies to:
        - Waiver Authorized Research
        - Use/Disclosure of Decedent's PHI
        - Use/Disclosure of PHI Preparatory to Research
        - Limited Data Sets

    31. 30 Step 4: Use and Disclose in the HIPAA Minimum Necessary Way (cont.)
        Minimum Necessary Standard Does Not Apply to:
        - Treatment
        - Use/Disclosure pursuant to authorization
        - Disclosures to individual/subject
        - Disclosures to DHHS for compliance
        - Disclosures Required by Law

    32. 31 Step 5: Ensure Subject Recruitment Practices Comply with HIPAA
        - Direct Contact with Patients by Treating Provider Permitted
        - Identification of potential subjects through:
            - Review Preparatory to Research
                - Direct Patient Contact Restricted to Those Within Covered Entity
                - Cannot disclose PHI
            - Partial Waiver of Authorization
                - Would permit disclosure of recruitment logs
                - Direct patient contact permitted
        - Potential Subjects can always self-identify

    33. 32 Step 6: Uphold the Subject's HIPAA Rights
        Under HIPAA Subjects Have Right to:
        - Notice of Privacy Practices of Covered Entity
        - Access their PHI
        - Request amendment of their PHI
        - Receive a record of certain disclosures of their PHI made within previous 6 years
        - Request restrictions on uses and disclosures
        - Revoke their authorization
        - Request alternative means/location of communication of PHI

    34. 33 Step 7: Watch Out for Transition Issues
        For studies ongoing prior to April 14, 2003: Grandfather Provision applies to allow researcher to continue to create, use and disclose PHI post-HIPAA in a manner that is consistent with the approved terms of use in the following situations:
        - Patient has signed an IRB-approved informed consent form or some other legally valid authorization prior to April 14, 2003
        - IRB waiver of informed consent was obtained prior to April 14, 2003
        NOTE: If patient did not sign an informed consent form prior to April 14, 2003 OR if study was exempted from IRB review prior to April 14, 2003, the grandfather provision does not apply

    35. 34 Step 7: Watch Out for Transition Issues (cont.)
        EVEN if study is deemed "exempt" under the Common Rule, IF the study involves the creation, use or disclosure of PHI, THEN researcher must:
        - Seek HIPAA authorization from subjects
        - Obtain waiver of authorization from Privacy Board
        To use PHI created PRIOR to April 14, 2003, must obtain HIPAA-compliant authorization, waiver of authorization from IRB/Privacy Board, or meet other HIPAA exception

    36. 35 Step 7: Watch Out for Transition Issues (cont.)
        - If researcher has obtained informed consent, legal authorization or IRB waiver of informed consent for "future unspecified research," such "approval" may be relied on to conduct the research post-HIPAA.
        - May want to require additional HIPAA "PHI pathway" to be satisfied, especially in the case of databases

    37. 36 Step 8: Comply with HIPAA Administrative Requirements
        Policies and Procedures needed to comply with HIPAA research requirements include:
        - Authorization/Informed Consent
        - Processing of Waivers of Authorization
        - Review Requests to Access PHI for Preparatory Research, Decedent Research and Limited Data Set
        - De-identification
        - Subject Recruitment
        - Individual Rights (Accounting Requirement)
        - Document Retention (for 6 years)

    38. 37 Step 9: Evaluate Business Associate Issues
        - Only a BA if performing a service or TPO function on behalf of a covered entity requiring access to PHI (e.g., compliance monitor for hospital)
        - IRB could be a business associate, depending upon the relationship to the covered entity
        - BA agreement can be stand-alone or part of a larger contract
        - Must include:
            - Restrictions on how PHI may be used or disclosed
            - Promise to protect the PHI
            - Promise to return PHI at end of contract
            - Assurance to make PHI available for compliance

    39. 38 Step 10: Seek HIPAA Training For IRB Members and Staff
        - Compliance requires awareness and understanding of HIPAA requirements
        - Business Associates will be contractually bound to comply with HIPAA
        - Even if not a Covered Entity or Business Associate, HIPAA sensitivity is necessary:
            - Covered Entities are PHI Sources and they are required to ensure HIPAA compliance
            - Enforcement of HIPAA penalties subject to interpretation
            - Civil liability may be incurred for breach of privacy


    41. Research at the University of Wisconsin-Madison
        Beth DeLair R.N., J.D.
        Assistant General Counsel and HIPAA Privacy Officer
        University of Wisconsin Hospital & Clinics
        ce.delair@hosp.wisc.edu
        (608) 262-4926

    42. 41 UW-Madison Research Structure
        - Human Subjects Department: Responsible for coordinating all research activities
        - "5" Campus IRBs: All IRBs are responsible for knowing and applying HIPAA requirements
        - IRB Policy Committee
            - Provides oversight
            - Establishes policy
            - Does not review protocols
        - Health Sciences IRB: Reviews all protocols involving medical intervention

    43. 42 UW-Madison Research Structure
        - Social and behavioral sciences IRB
            - Reviews all protocols involving human subjects by social sciences researchers
            - Some protocols involve "pseudo intervention" such as blood draws or placement of electrodes
        - Education IRB: Reviews all protocols involving research into educational processes

    44. 43 UW-Madison Research Structure
        - Minimal Risk IRB (established spring of 2003)
            - Reviews protocols involving PHI that do not involve medical intervention (e.g., retrospective medical records review)
            - Reviews protocols that may not involve PHI and are "minimal" risk
        - Overflow IRB

    45. 44 Research and Training
        - Potential researchers
            - PhD and MD researchers
            - Pharmacists, nurses
            - Medical, nursing, and pharmacy students
            - Visiting professors
        - Training
            - UW web-based training module
            - Communication with departments
            - Web resource: www.wisc.edu/hipaa/ResearchGuide/index.html

    46. 45 Policies and Procedures
        - Maintenance of personal databases
            - Permitted but must be registered with UW Privacy Officer
            - Security of database must be described and verified
            - Registration must be proved with protocol submission
        - Requests for info
            - Must provide copy of IRB approval or "certificate(s)" before PHI will be provided from UWHC

    47. 46 Policies and Procedures
        - Preparatory to research activities, defined as:
            - The development of research questions
            - The determination of study feasibility, including the number, availability and eligibility of potential participants
            - The development of eligibility criteria
        - Must complete "Preparatory to Research Certification" form and file with UW Privacy Officer
        - Must be completed initially, and then periodically (e.g., every one or two years)

    48. 47 Policies and Procedures
        - Research on decedents' info, defined as: research involving solely decedents or research involving primarily decedents' PHI; in other words the research must target decedents
        - Must complete "Research on Decedents Certification" form and file with UW Privacy Officer on a "per protocol" basis

    49. 48 Policies and Procedures
        - Waiver of authorization: Must be submitted with application
        - IRB evaluates descriptions of how PHI will be secured
        - IRB determines whether conducting the research without the waiver is impracticable, considering:
            - Number of individuals whose PHI must be used or disclosed
            - Difficulty in obtaining authorization, including cost and necessary resources
            - Time involved in obtaining authorization
            - Time since last contact with patient

    50. 49 Policies and Procedures
        - De-identified information
            - Not useful in research: at minimum need dates and regional information
            - Cannot verify de-identified information
        - UW will frequently utilize LDS (limited data sets)

    51. 50 Policies and Procedures
        - Right to request access to and amendment of research records
            - Have not yet determined the interface between research records and medical records; often they overlap
        - Right to an accounting of disclosures
            - As applicable, each researcher logs relevant information
            - ACE members inform UW Privacy Officer of request
            - UW Privacy Officer contacts researcher and reports back to ACE member

    52. 51 Policies and Procedures
        - Research vs. quality assurance activities
            - Definitions
                - Research: contributes to generalizable knowledge
                - Quality assurance: contributes to the internal knowledge and practice of the organization conducting the activity
            - Conflicting community and academic standards
                - Regulations seem to require intent to publish or present
                - Bioethics community believes there are ethical issues in QA that mirror the ethical issues in research
