Health Insurance Portability and Accountability Act - PowerPoint PPT Presentation

1
Health Insurance Portability and Accountability
Act
  • APS Workshop on Human Research Protections
  • Karen A. Hegtvedt, Ph.D.
  • Emory University

2
What is HIPAA?
  • Health Insurance Portability and Accountability
    Act
  • Federal law intended to protect health
    information
  • HIPAA has 4 major components
    • Health insurance portability (effective 1996)
    • Medicare/Medicaid fraud
    • Privacy regulations (effective 4-14-2003)
      • Key aspect affecting research!
    • Security Regulations (effective 2005)

3
What does HIPAA affect?
  • The ability to access, use, and disclose
    protected health information (PHI)
  • Individually identifiable medical, financial, or
    demographic information
  • Related to a person's past, present, or future
    health or treatment
  • Transmitted or maintained in any form
    (electronic, paper, spoken) by a covered entity
  • Key aspect affecting research!
  • Required security measures for documents and
    computers
  • Required policies and training

4
What entities does HIPAA cover?
  • Covered entities, e.g., health plans, providers,
    clearinghouses
  • Organized Health Care Arrangements, i.e.,
    collections of covered entities
  • Hybrid entities, e.g., universities in which some
    units are covered, others not
  • Covered components within an entity, e.g., a
    hospital at a university
  • Business associates of covered entities

5
What is HIPAA's impact on health care activities
of covered entities?
  • Notice of privacy: individual has right to
    control access to PHI and purpose to which it is
    put
  • General rule: can use PHI for treatment,
    payment, and health care operations (TPO) without
    authorization or waiver
  • Research is not part of TPO!
  • Minimum necessary rule
  • Accounting for disclosures

6
What is HIPAA's impact on research at covered
entities?
  • Affects how covered entities provide access to or
    disclose PHI for use in research
  • Greater concern with liability; complex
    procedures
  • Uncertainty about researchers' HIPAA compliance
  • Places limits on clinicians who use PHI they
    collect for research purposes
  • Types of data collection
    • Clinical trials -- Merging patient information
      databases
    • Patient surveys -- Retrospective chart reviews
    • Copying specific information from medical records

7
How does HIPAA relate to IRB review?
  • Research must comply with Common Rule and HIPAA
  • Research involving PHI requires:
    • Informed consent or waiver of informed consent
    • HIPAA authorization or waiver of HIPAA
      authorization, including privacy protection plan
  • Universities may use IRB to review both or have a
    separate committee for HIPAA purposes

8
What are the options for accessing PHI for use in
research?
  • 1) Authorization
  • 2) Waiver of authorization
  • 3) Use or disclosure of completely
    de-identified information
  • 4) Use or disclosure of decedents' PHI
  • 5) Use of a Limited Data Set with data use
    agreement
  • 6) Reviews preparatory to research

9
1) Authorization (e.g., clinical trials, patient
surveys)
  • Patient's (or guardian's) signed permission to
    disclose or use PHI for research purposes
  • Specific information on:
    • What PHI?
    • What purpose?
    • By whom?
    • How long?
  • Statements of right of revocation, conditionality
    and possibility of re-disclosure
  • Other criteria
    • Written in plain language
    • Copy given to subject
    • May be combined with informed consent

10
2) Waiver of Authorization (e.g., for
retrospective chart reviews)
  • No more than minimal risk to privacy
  • PHI protection plan
  • Plan to destroy identifiers
  • Assurances against re-disclosure
  • Research could not practicably be conducted
    without:
    • Waiver -- PHI information
  • Waiver will not adversely affect the rights or
    welfare of the subject
  • Subjects may get information later

11
Partial Waiver of Authorization
  • For purposes of recruitment of study subjects
  • Unable to use de-identified information and
    authorization impossible to attain
  • Allows record examination to determine
    feasibility of sample
  • Once determined, obtain authorization from those
    in sample

12
3) De-Identified Information (e.g., number of
times a procedure is done by age groups; health
outcomes without identifiers)
  • Data set contains none of 18 identifiers listed
    by HIPAA
  • Expert opinion that risk of identification is
    small
  • No actual knowledge that individual can be
    identified by available information

13
HIPAA's 18 Identifiers
  • Names
  • Geographic subdivisions
    • Smaller than state
  • Dates (except year)
  • Telephone numbers
  • FAX numbers
  • Email addresses
  • Social Security Numbers
  • Medical Record Numbers
  • Health Plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers
  • Device identifiers
  • Web URLs
  • IP addresses
  • Biometric identifiers
    • Finger or voice prints
  • Full face photograph or image
  • Any other number, code or characteristic that can
    be linked to identity by researcher

14
4) Decedents' PHI (e.g., retrospective chart
review with deceased patients only)
  • Deceased individuals are not human subjects
  • PHI of decedents is necessary for and only for
    research
  • Consider risk to living relatives
  • Covered entity may require proof of death
  • IRB waiver of authorization not required but the
    above should be documented

15
5) Limited Data Set (e.g., data from hospital
records on disease incidence)
  • Mostly de-identified, except for, e.g.:
    • Dates for admission, services, discharge
    • Geographic information
    • Age
  • Covered by data use agreement that includes
    HIPAA-specific provisions
  • Neither authorization nor waiver of authorization
    required

16
6) Reviews Preparatory to Research (e.g., chart
review to assess study feasibility)
  • Access only to data reasonably required for
    preparation of research study
  • Provide assurance of limited purpose
  • PHI may not leave the covered entity
  • Access by employee of entity
  • No contact with potential subjects (unless
    researcher is treating physician)
  • Authorization or waiver of authorization not
    required

17
Can PHI be used/disclosed without authorization,
etc.? YES, for:
  • Public health activities
  • Abuse, neglect, domestic violence reports
  • Health oversight agencies
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Coroners and funeral directors
  • Organ donation
  • Serious threat to health or safety
  • Special government functions (e.g., military,
    prisons)

18
How does HIPAA affect studies in progress prior
to April 14, 2003?
  • Only refers to PHI
  • If informed consent obtained:
    • If enrolled prior to 4-14, no HIPAA authorization
    • If enrolled after 4-14, HIPAA authorization
      needed
  • If informed consent waived by IRB prior to 4-14,
    no HIPAA authorization or waiver of authorization
    needed
  • Currently, all new studies and enrollments must
    follow one of HIPAA options

19
How does HIPAA pertain to studies that use
PHI-like information?
  • If information looks like PHI
    • If not collected in provision of health care, not
      PHI
    • Consent but not HIPAA authorization needed
    • E.g., heart rate and BP of subjects in exercising
      study
  • If PHI used for selection of subjects but not for
    actual study
    • Partial waiver of authorization for screening
    • Consent but not HIPAA authorization needed
      subsequently
    • E.g., recruiting healthy babies for growth studies
      after mother delivers

20
What are the consequences of non-compliance with
HIPAA?
  • Possible harms to individual whose PHI is
    improperly disclosed (e.g., loss of insurance,
    distress)
  • Potential loss of public trust in:
    • Institution
    • Research enterprise
  • Civil and criminal penalties
    • Fines up to $250,000
    • Imprisonment up to 10 years

21
How to avoid such consequences
  • Embrace HIPAA
  • Become familiar with regulations
  • Pay particular attention to conditions under
    which PHI collected, privacy and security
    protections, and restrictions on disclosure to
    other researchers
  • Request IRB assistance
    • Development of boiler-plates for authorization or
      waiver of authorization
    • Consultations with regard to applicability to a
      particular study
  • Remember security provisions for 2005!