Title: HIPAA For Research
Slide 1: HIPAA For Research
- Understanding how the Health Insurance
Portability and Accountability Act of 1996 Affects
Clinical Research
Slide 2: HIPAA History
- Health Insurance Portability and Accountability Act
of 1996 (Kennedy-Kassebaum Act)
- Effective April 14, 2001
- Compliance Required by April 14, 2003 (October
2003)
Slide 3: HIPAA General Provisions
- Standardization of electronic patient health,
administrative and financial data
- Unique identifiers for individuals, employers,
health plans, and health care providers
- Security standards protecting the confidentiality
and integrity of health information.
Slide 4: What Is PHI?
PHI is all individually identifiable health
information, including demographic data and
biological specimens, that is transmitted or
maintained by a covered entity. PHI can be in
any form, including written, electronic, and
verbal.
Slide 5: Protected Health Information (PHI)
- Is created or received by a health care provider,
health plan, or health care clearinghouse
- Relates to past, present, or future:
- Provision of care to an individual
- Physical or mental condition(s)
- Payment for provision of health care to an
individual
Slide 6: De-identification of PHIs
- Medical institutions can release de-identified
health information without patient authorization.
- The following 18 specific identifiers must be
deleted
Slide 7: De-identification
- Names
- All geographic subdivisions smaller than a state.
- All dates (except year)
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers, including license plate
numbers
Slide 8: De-identification (cont.)
- Device identifiers and serial numbers
- URLs
- Internet Protocol (IP) Addresses
- Biometric identifiers, including finger and voice
prints
- Full face photographic images and any comparable
images
- Any other unique identifying number,
characteristic, or code.
Slide 9: Impact on WVSOM Human Subject Research
- Access to PHI: Researcher must understand the
permissible routes of access to PHI for research
activity, AND
- Restrictions on Use and Disclosure of PHIs:
Researcher must implement necessary
safeguards to protect the PHI
Slide 10:
- The Privacy Rule permits a covered entity (WVSOM
or Affiliated Hospitals) to use and disclose PHI
for research
- When an individual Authorization has been
obtained from a research participant, OR
- When a Waiver of Authorization has been obtained.
Slide 11:
- There are other limited situations where PHI can
be used/disclosed without an Authorization, e.g.,
use of PHI on decedents, use of PHI for Reviews
Preparatory to Research, limited data sets, etc.
Slide 12: Existing IRB-Approved Studies
- The Transition Provision in the Privacy Rule
permits covered entities (USF) to continue to use
and disclose PHI for research, if it has obtained
prior to April 14, 2003,
- An IRB approved consent form, or
- An IRB approved waiver of consent, or
- An express legal permission (e.g., a signed
authorization)
Slide 13: New Studies
To use/disclose PHI in research, the researcher
must obtain
1) An Authorization from the individual participant, OR
2) A Waiver of Authorization for the study.
An Authorization is the HIPAA equivalent of consent to use and
disclose data.
Slide 14: AUTHORIZATIONS
- Valid authorization must include the following
elements:
- A description that identifies the information in
a specific and meaningful fashion
- The name of the person(s) authorized to make the
requested use or disclosure
- The name of the person(s) to whom the covered
entity may make the requested use or disclosure
Slide 15: Patient Authorization (Cont.)
- An expiration date/event that relates to the
purpose of the use or disclosure
- A statement of the individual's right to revoke
the authorization in writing and the exceptions
to the right to revoke, together with a
description of how the individual may revoke the
authorization
Slide 16: Patient Authorization (Cont.)
- A statement that information used may be subject
to re-disclosure by the recipient and no longer
be protected by this rule
- Signature of the individual and date
- If the authorization is signed by a personal
representative of the individual, a description
of such representative's authority to act for the
individual
Slide 17: Patient Authorization (Cont.)
- The authorization must be written in plain
language.
- Can be combined with consent if research involves
treatment, but not at WVSOM.
- Research including existing records would require
a separate authorization.
Slide 18: Waiver
- Disclosure involves no more than minimal risk to
the individual
- The waiver will not adversely affect the privacy
rights of the individual
- Research could not be conducted without the
waiver
- Research could not be conducted without access to
protected health information
Slide 19: Waiver (Cont.)
- The privacy risks are reasonable in relation to
the anticipated benefits to the individuals and
the importance of the knowledge gained through
research
- There is a plan to protect patient identifiers
from improper use and disclosure
- There is a plan to destroy patient identifiers at
the earliest opportunity
Slide 20: Waiver (Cont.)
- There are adequate written assurances that
protected health information will not be reused
or disclosed to others except as provided by the
regulations and restricts most disclosures of
information to the minimum intended purpose.
Slide 21: Research Use/Disclosures That Do Not Require
Authorizations or Waivers
1. Review of PHI Preparatory to Research
2. Use of PHI of Decedents for Research Purposes
Slide 22: Special Rules Regarding Databases
- Creating and maintaining databases containing
PHI is considered research.
- If you will use existing databases containing PHI
for research after April 14, 2003, you must
obtain Authorizations or Waivers.
- If you will create or maintain databases for
future analysis, you must comply with HIPAA in
addition to obtaining IRB approval.
Slide 23: Research Subject Recruitment
- Recruitment for research is subject to the
general authorization requirement unless the
researcher has a direct treatment relationship
with the patient.
- Researchers could use the Waiver of Authorization
mechanism to access PHI for recruiting
prospective research subjects.
Slide 24: Research Subject Recruitment (cont.)
- A researcher who has a direct treatment
relationship with the patient can engage in
conversations related to recruitment without
having to obtain Authorizations or Waivers.
Slide 25: Revocation of Authorization
- Research subjects can revoke their Authorization
in writing at any time. This is subject to an
exception known as the Reliance Exception.
- A subject wishing to revoke the Authorization
must be given a form for Revocation of
Authorization
Slide 26: Revocation of Authorization (cont.)
- If the subject does not sign and return the form,
then the researcher may continue to use the PHI
and treat the Authorization as valid.
Slide 27: Reliance Exception to Revocation
- The Reliance Exception allows researchers to use
and disclose a subject's PHI that was obtained
before the subject's revocation in the following
ways:
- To account for a subject's withdrawal from the
study
- To conduct investigations of scientific
misconduct
- To report adverse events
- As necessary to incorporate the information of a
marketing application to FDA
Slide 28: Research Subjects' Rights
- Accounting of the following research-related
disclosures of PHI is required:
- Disclosures as allowed by a Waiver of
Authorization
- Reviews preparatory to research
- Research on PHI of decedents
- Disclosures made as allowed by law
Slide 29: Research Subjects' Rights (cont.)
- Accounting is NOT required for the following disclosures:
- Disclosures made to the individual subject.
- Disclosures authorized by the subject (i.e., the
research subject has signed an Authorization for
this use/disclosure of PHI).
- De-identified data and limited data sets.
Slide 30: Summary
Slide 31: Sanctions for Non-Compliance
- Significant penalties may be imposed against
WVSOM, Affiliate Hospitals, and individual
researchers.
- Civil Penalties
- Based on patient complaints: $100 per violation
with $25,000 maximum per year
Slide 32:
- Criminal Penalties
- Knowingly wrongful disclosures: fines up to
$50,000 and/or up to 1 year in prison
- Under false pretenses: fines up to $100,000
and/or up to 5 years in prison
- With intent to sell: fines up to $250,000 and/or
up to 10 years in prison
Slide 33: Summary Researcher Responsibilities
- Preparing an extensive confidentiality plan
- Who will have access to the data?
- How long will access be needed?
- Will third party payers or other administrators
need to have access?
- Time to gain approval from an additional
committee
- Alternatives
Slide 34: Summary IRB Responsibilities
- Have appropriate expertise in privacy and
confidentiality concerns.
- Ensure that consent forms contain appropriate
authorization requirements if applicable.
Slide 35: Summary IRB Responsibilities
- Understand waiver criteria and document
appropriately.
- Coordinate with Privacy Board, if applicable.
Slide 36: HIPAA IRB AT WVSOM
Slide 37: You must demonstrate both IRB and HIPAA
Compliance by Passing the Following Courses and
Quizzes
IRB: http://cme.nci.nih.gov/
HIPAA: http://www.wvu.edu/rc/irb/hipwebct.htm
Slide 38: QUESTIONS!?
- Prepared By
- Jason S. Wrench, Ed. D.
- Medical Education Specialist
- West Virginia School of Osteopathic Medicine