1 / 33

Privacy, Confidentiality & Security

Privacy, Confidentiality & Security. Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008. Institutional Review Board for the Protection of Human Subjects.

triage
Download Presentation

Privacy, Confidentiality & Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy, Confidentiality & Security Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008 University of Miami

  2. Institutional Review Board for the Protection of Human Subjects • Responsible for review, approval and monitoring of human subject research conducted by UM faculty, staff and students • Includes ensuring compliance with University of Miami HIPAA policies • Plan must contain elements required under HIPAA • Documentation of compliance with Covered Entity source of PHI University of Miami

  3. What is HIPAA? • Health Insurance Portability and Accountability Act (HIPAA) Effective on April 14, 2003 • Federal law that protects the privacy of individually identifiable health information (PHI) • Title 45 of the Code of Federal Regulations Parts 160 and 164 University of Miami

  4. Who Must Comply with HIPAA? Covered Entity – Custodians of PHI They must make a good faith effort to comply with the rule Three types of “ Covered Entities” • Health Care ProvidersIncludes organizations, individuals such as researchers when they provide health care, e.g. clinical trials • Health Care Plans Insurers and payors • Health Care ClearinghousesBilling services University of Miami

  5. How is UM Approaching HIPAA? • Hybrid Covered Entity • The University is not a covered entity. It is a hybrid entity with certain health care components covered by HIPAA and research components that may not be covered by HIPAA and that fall outside the “covered entity”. University of Miami

  6. UM – Hybrid Entity Covered Components Treatment Payment Health Care Operations Non-Covered Components Research University of Miami

  7. Important to Note • Investigators who do not access or create health information from/with the “covered entity” because they are acting solely as researchers and not health care providers are not considered part of the UM/JHS “covered entity” and are not subject to HIPAA regulations. • Necessary compliance with State privacy laws and Institutional and IRB policies only. University of Miami

  8. UM Investigators and PHI • those who create, use, or access health information while providing health care services to research subjects must comply with HIPAA regulations as well as state privacy, institutional and IRB policies. University of Miami

  9. Types of Studies Covered • Clinical trials • Chart reviews • Epidemiological studies • Behavioral and Social Science Studies • Some basic science research activities • Studies may include the provision of treatment but others may provide neither treatment or diagnosis. University of Miami

  10. HSRO Policies & Procedures • HSRO has “Written Policies and Procedures for the Protection of Human Research Subjects”. • Section, 24 specific to Privacy, Security, Confidentiality, and HIPAA were revised on August 6th, 2008. • Policies are available on our website under, “Investigator Resources”. University of Miami

  11. Definitions • Section 24.2 contains some important terms related to HIPAA. • PHI – protected health information derived from the past, present, future physical or mental health care of an individual managed by a covered entity • RHI – Research-related health information, personally identifiable information distinct from PHI by not being associated with or derived from health care or payment for care. University of Miami

  12. Definitions (cont’d). • Privacy: an individual’s right to be free from unauthorized or unreasonable intrusion into his/her private life and the right to control access to personal information.  • The term “privacy” applies to persons whereas the term “confidentiality” refers to the treatment of personal information. University of Miami

  13. Definitions (cont’d). • Security:  the safeguards placed upon the availability, integrity, and confidentiality of information to protect information from unauthorized access, disclosure, misuse and accidental damage.  • Safeguards may be physical, electronic, or administrative and they may control access, training, computer systems, policies and procedures, physical environment, and behaviors. University of Miami

  14. More About PHI Protected Health Information (PHI) is any individually identifiable information that is transmitted or maintained in electronic medium, or in any other form or medium • Medical RecordsE.g. Medical History, Diagnosis, Treatment • Payment InformationE.g. Bills, Receipts • Ancillary ServicesE.g. X-Rays, Labs • Demographic Information (When Maintained with Health Information)E.g. Date of Birth, Social Security Number University of Miami

  15. PRIVACY University of Miami

  16. IRB Privacy Issue Evaluation • Time and place where information is provided by participants to investigators; • Nature of the information provided; • Nature of the experience that participant will undergo from the study; • Who is receiving, accessing, and using the information; • Participants’s relationship to the investigator; • Presence of others when gathering data. University of Miami

  17. Factors to Determine What is Private to Individuals • Gender • Ethnicity • Age • Socio-economic status • Education • Ability level • Social or verbal skill • Health status • Legal status • Nationality • Intelligence • Personality University of Miami

  18. What is De-Identified PHI? Information that does not identify the individual; andthere is no reasonable basis to believe the information can be used to identify an individual. University of Miami

  19. How do you De-Identify PHI? • Remove 18 Specified Identifiers: • Name • All Geographic Subdivisions Smaller Than a State(Street, City, County, Precinct, Parish, Zip Code, & their Equivalent Geo-codes Except for Initial 3 Digits of a Zip Code) • All Elements of Dates, Except Year(Admission Date, Discharge Date, Date of Death) • All Ages Over 89 & Dates and Elements Related to such Ages(Unless Aggregated into a Single Category of Age over 90) University of Miami

  20. How do you De-Identify PHI ? • Telephone & Fax Number • E-mail, IP Address & URL • Social Security #, Medical Record #, Health Plan Beneficiary #, & Account # • Certificate License #, VIN, Device Identifiers, & Serial # • Full Face Photographs, Biometric Identifiers • Any Other Unique Identifying Number, Characteristic, or Code University of Miami

  21. Minimum Necessary Requirement • Research procedures should be carefully designed to limit the personal information to be acquired to that which is minimally necessary and should be administered using procedures that will protect the subject's privacy. Example: Only the information pertaining to a specific use should be given to researcher. University of Miami

  22. Responsibilities of The PrincipalInvestigator • Document research team has completed HIPAA Privacy/Security Training and HIPAA Training for Researchers • Submit project application to the IRB • Assume responsibility for compliance with HIPAA • Maintain logs of all access to, uses of, & disclosures of PHI • Submit Data Use Agreements to the IRB University of Miami

  23. SECURITY University of Miami

  24. GENERAL PRINCIPLES • As custodian of a study’s research data, the Principal Investigator shall ensure compliance with institutional data security policies, HIPAA regulations (if applicable) and the IRB-approved security protocol ; • The PI must ensure that collaborative research studies involving PHI (or ePHI) from another institution (or under oversight of another IRB) are also approved by the UM IRB prior to receipt of PHI; • Access to research data (including ePHI) should be restricted and controlled. • The PI must ensure locks on files or  password or other protections (as applicable) (note – access  to e PHI must be by password) • The PI must ensure that research data is accessed and used only by personnel authorized by the IRB (as approved study personnel) for such research activity.  University of Miami

  25. Security, Section 24.6 • All research data (including PHI) must be secured and protected, as reasonable, against breaches in confidentiality, unpermitted uses and disclosures. • HIPAA standards also apply after project completion when computers, devices, and/or media are destroyed or reformatted for other uses. • Provides important requirements and methods to assure security of all research data. • Additional requirements for ePHI (electronic PHI). University of Miami

  26. Security, Section 24.6 • Specifically addresses concerns and safeguards for when dealing with ePHI, securing paper records, securing faxes, and unanticipated problems and reportable events related to breaches in ePHI University of Miami

  27. Security, Section 24.6 • Paper records: PHI must be stored using locked filing system within a locked office or storage room. • Shredding is required to discard printed materials with direct identifiers. • Paper-based PHI should not be carried/sent unless necessary for research purposes. University of Miami

  28. Confidentiality, Section 24.7 • Studies must include appropriate strategies to protect the identity of human subjects and the confidentiality of his/her research records. • Examples: personality inventories, interviews, questionnaires, observations, photos and film, tape recordings, and stored data. University of Miami

  29. Certificates of Confidentiality • In certain circumstances involving civil, criminal, administrative, legislative, or other proceedings at the federal, state, or local level, PIs and Institutions may be compelled to release information that could identify subjects within a research study. • Certificates of Confidentiality protect PIs and Institutions from having to divulge this information. University of Miami

  30. Certificates of Confidentiality – Cont’d. • Certificates of Confidentiality are provided by the National Institutes of Health and are awarded whether a research study is federally funded or not. University of Miami

  31. Who do I contact about HIPAA Questions for Research? • Evelyne Bital, MS, CIP • Associate Director of Privacy & Regulatory Affairs, (305) 243-3195 • e-mail: ebital@med.miami.edu • For general HIPAA information or to access standard HIPAA forms for research: hsro.med.miami.edu University of Miami

  32. References • Federal Regulations for HIPAA 45 CFR 160 and 45 CFR 164 • University of Miami HIPAA Policies and Procedures http://www.hhs.gov/ocr/hipaa/ http://www.hipaadvisory.com/ http://www.hipaadvisory.com/regs/ University of Miami

  33. Questions? University of Miami

More Related