HIPAA For Research - PowerPoint PPT Presentation

Provided by: OVMC
Transcript and Presenter's Notes

1
HIPAA For Research
  • Understanding how the Health Insurance
    Portability and Accountability Act of 1996 Affects
    Clinical Research

2
HIPAA History
  • Health Insurance Portability and Accountability Act
    of 1996 (Kennedy-Kassebaum Act)
  • Effective April 14, 2001
  • Compliance Required by April 14, 2003 (October
    2003)

3
HIPAA General Provisions
  • Standardization of electronic patient health,
    administrative and financial data
  • Unique identifiers for individuals, employers,
    health plans, and health care providers
  • Security standards protecting the confidentiality
    and integrity of health information.

4
What Is PHI?
PHI is all individually identifiable health
information, including demographic data and
biological specimens, that is transmitted or
maintained by a covered entity. PHI can be in
any form, including written, electronic, and
verbal.
5
Protected Health Information (PHI)
  • Is created or received by a health care provider,
    health plan, or health care clearinghouse
  • Relates to past, present, or future:
      • Provision of care to an individual
      • Physical or mental condition(s)
      • Payment for provision of health care to an
        individual

6
De-identification of PHIs
  • Medical institutions can release de-identified
    health information without patient authorization.
  • The following 18 specific identifiers must be
    deleted:

7
De-identification
  • Names
  • All geographic subdivisions smaller than a state.
  • All dates (except year)
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers, including license plate
    numbers

8
De-identification cont
  • Device identifiers and serial numbers
  • URLs
  • Internet Protocol (IP) Addresses
  • Biometric identifiers, including finger and voice
    prints
  • Full face photographic images and any comparable
    images
  • Any other unique identifying number,
    characteristic, or code.

9
Impact on WVSOM Human Subject Research
  • Access to PHI: Researcher must understand the
    permissible routes of access to PHI for research
    activity, AND
  • Restrictions on Use and Disclosure of PHIs:
    Researcher must implement necessary safeguards
    to protect the PHI
10
  • The Privacy Rule permits a covered entity (WVSOM
    or Affiliated Hospitals) to use and disclose PHI
    for research:
      • When an individual Authorization has been
        obtained from a research participant, OR
      • When a Waiver of Authorization has been obtained.

11
  • There are other limited situations where PHI can
    be used/disclosed without an Authorization, e.g.,
    use of PHI on decedents, use of PHI for Reviews
    Preparatory to Research, limited data sets, etc.

12
Existing IRB-Approved Studies
  • The Transition Provision in the Privacy Rule
    permits covered entities (USF) to continue to use
    and disclose PHI for research, if it has obtained,
    prior to April 14, 2003:
      • An IRB approved consent form, or
      • An IRB approved waiver of consent, or
      • An express legal permission (e.g., a signed
        authorization)

13
New Studies
To use/disclose PHI in research, the researcher
must obtain:
  1) An Authorization from the individual
     participant, OR
  2) A Waiver of Authorization for the study.
An Authorization is the HIPAA equivalent of
consent to use and disclose data.
14
AUTHORIZATIONS
  • Valid authorization must include the following
    elements:
      • A description that identifies the information in
        a specific and meaningful fashion
      • The name of the person(s) authorized to make the
        requested use or disclosure
      • The name of the person(s) to whom the covered
        entity may make the requested use or disclosure

15
Patient Authorization (Cont.)
  • An expiration date/event that relates to the
    purpose of the use or disclosure
  • A statement of the individual's right to revoke
    the authorization in writing and the exceptions
    to the right to revoke, together with a
    description of how the individual may revoke the
    authorization

16
Patient Authorization (Cont.)
  • A statement that information used may be subject
    to re-disclosure by the recipient and no longer
    be protected by this rule
  • Signature of the individual and date
  • If the authorization is signed by a personal
    representative of the individual, a description
    of such representative's authority to act for the
    individual

17
Patient Authorization (Cont.)
  • The authorization must be written in plain
    language.
  • Can be combined with consent if research involves
    treatment, but not at WVSOM.
  • Research including existing records would require
    a separate authorization.

18
Waiver
  • Disclosure involves no more than minimal risk to
    the individual
  • The waiver will not adversely affect the privacy
    rights of the individual
  • Research could not be conducted without the
    waiver
  • Research could not be conducted without access to
    protected health information

19
Waiver (Cont.)
  • The privacy risks are reasonable in relation to
    the anticipated benefits to the individuals and
    the importance of the knowledge gained through
    research
  • There is a plan to protect patient identifiers
    from improper use and disclosure
  • There is a plan to destroy patient identifiers at
    the earliest opportunity

20
Waiver (Cont.)
  • There are adequate written assurances that
    protected health information will not be reused
    or disclosed to others except as provided by the
    regulations and restricts most disclosures of
    information to the minimum intended purpose.

21
Research Use/Disclosures That Do Not Require
Authorizations or Waivers
1. Review of PHI Preparatory to Research
2. Use of PHI of Decedents for Research Purposes
22
Special Rules Regarding Databases
  • Creating and maintaining databases containing
    PHI is considered research.
  • If you will use existing databases containing PHI
    for research after April 14, 2003, you must
    obtain Authorizations or Waivers.
  • If you will create or maintain databases for
    future analysis, you must comply with HIPAA in
    addition to obtaining IRB approval.

23
Research Subject Recruitment
  • Recruitment for research is subject to the
    general authorization requirement unless the
    researcher has a direct treatment relationship
    with the patient.
  • Researchers could use the Waiver of Authorization
    mechanism to access PHI for recruiting
    prospective research subjects.

24
Research Subject Recruitment cont
  • A researcher who has a direct treatment
    relationship with the patient can engage in
    conversations related to recruitment without
    having to obtain Authorizations or Waivers.

25
Revocation of Authorization
  • Research subjects can revoke their Authorization
    in writing at any time. This is subject to an
    exception known as the Reliance Exception.
  • A subject wishing to revoke the Authorization
    must be given a form for Revocation of
    Authorization

26
Revocation of Authorization cont
  • If the subject does not sign and return the form,
    then the researcher may continue to use the PHI
    and treat the Authorization as valid.

27
Reliance Exception to Revocation
  • The Reliance Exception allows researchers to use
    and disclose a subject's PHI that was obtained
    before the subject's revocation in the following
    ways:
      • To account for a subject's withdrawal from the
        study
      • To conduct investigations of scientific
        misconduct
      • To report adverse events
      • As necessary to incorporate the information of a
        marketing application to FDA

28
Research Subjects' Rights
  • Accounting of the following research-related
    disclosures of PHI is required:
      • Disclosures as allowed by a Waiver of
        Authorization
      • Reviews preparatory to research
      • Research on PHI of decedents
      • Disclosures made as allowed by law

29
Research Subjects' Rights cont
  • Accounting of the following disclosures is NOT
    required:
      • Disclosures made to the individual subject.
      • Disclosures authorized by the subject (i.e., the
        research subject has signed an Authorization for
        this use/disclosure of PHI).
      • De-identified data and limited data sets.

30
Summary
31
Sanctions for Non-Compliance
  • Significant penalties may be imposed against
    WVSOM, Affiliate Hospitals, and individual
    researchers.
  • Civil Penalties
      • Based on patient complaints: $100 per violation
        with $25,000 maximum per year

32
  • Criminal Penalties
      • Knowingly wrongful disclosures: fines up to
        $50,000 and/or up to 1 year in prison
      • Under false pretenses: fines up to $100,000
        and/or up to 5 years in prison
      • With intent to sell: fines up to $250,000 and/or
        up to 10 years in prison

33
Summary: Researcher Responsibilities
  • Preparing an extensive confidentiality plan
      • Who will have access to the data?
      • How long will access be needed?
      • Will third party payers or other administrators
        need to have access?
  • Time to gain approval from an additional
    committee
  • Alternatives

34
Summary: IRB Responsibilities
  • Have appropriate expertise in privacy and
    confidentiality concerns.
  • Ensure that consent forms contain appropriate
    authorization requirements if applicable.

35
Summary: IRB Responsibilities (Cont.)
  • Understand waiver criteria and document
    appropriately.
  • Coordinate with Privacy Board, if applicable.

36
HIPAA & IRB AT WVSOM
37
You must demonstrate both IRB and HIPAA
Compliance by Passing the Following Courses and
Quizzes:
  • IRB: http://cme.nci.nih.gov/
  • HIPAA: http://www.wvu.edu/rc/irb/hipwebct.htm
38
QUESTIONS!?
  • Prepared By:
      • Jason S. Wrench, Ed.D.
      • Medical Education Specialist
      • West Virginia School of Osteopathic Medicine