New JHSPH HIPAA Policy: - PowerPoint PPT Presentation

About This Presentation
Title:

New JHSPH HIPAA Policy:

Description:

What if there is an ongoing study which is covered by HIPAA? ... Complete the HIPAA training course entitled 'Privacy Issues Relating to Research' ... – PowerPoint PPT presentation

Slides: 37
Provided by: randyg1
Tags: hipaa | jhsph | hipaa | new | policy


Transcript and Presenter's Notes

Title: New JHSPH HIPAA Policy:


1
  • New JHSPH HIPAA Policy
  • How does it impact your research?
  • Leah Mendelsohn, J.D.
  • Research Regulations Specialist
  • Office of Graduate Education and Research
  • ORS Brown Bag Series
  • April 12, 2006

2
What is different in the new policy?
  • OLD Policy
  • Some studies were covered by HIPAA while others
    were not covered by HIPAA.
  • NEW Policy
  • No new JHSPH study is covered by HIPAA.

3
What if there is an ongoing study which is
covered by HIPAA?
  • Ongoing studies that are covered by HIPAA, the
    information obtained from participants in these
    studies, and the databases created from these
    studies will remain covered by HIPAA.
  • If an investigator or study staff member is added
    to a covered study and will have access to the
    individually identifiable health information, the
    individual must
  • Complete the HIPAA training course entitled
    "Privacy Issues Relating to Research" and
  • Sign a Confidentiality Agreement for Workforce
    Members - General (dated 08/2004).
  • These are available at http://irb.jhmi.edu.

4
Overall Picture
  • Fewer forms
  • Application
  • Authorization (if applicable)
  • Data Use Agreement (if applicable)
  • Business Associates Agreement (if applicable)
  • Improved compliance
  • Less confusing HIPAA status
  • Fewer approvals of the HIPAA application and
    forms
  • New obligation for some information obtained from
    JH covered entities

5
How are JHSPH studies still impacted by HIPAA?
  • Questions to help determine how studies are
    impacted
  • What information is being obtained?
  • Is the information being obtained from a Johns
    Hopkins covered entity or from a non-Hopkins
    covered entity?
  • Is the protocol a JHSPH protocol and is the
    Principal Investigator a JHSPH investigator?

6
What information is being obtained?
  • Protected Health Information is individually
    identifiable health information, transmitted by
    electronic media, maintained in electronic media,
    or transmitted or maintained in any other form or
    medium.
  • If PHI is being sought from a covered entity,
    your study will be impacted by HIPAA.

7
What are identifiers under HIPAA?
  • Name
  • Geographic information smaller than state
  • Elements of dates
  • Telephone numbers
  • FAX numbers
  • Electronic mail addresses
  • Social Security Numbers
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers including
    license plate numbers
  • Device identifiers and serial numbers
  • URLs
  • IP address numbers
  • Biometric identifiers
  • Full face photographic images and comparable
    images
  • Any other unique identifying number,
    characteristic or code

8
What is a covered entity?
  • A covered entity is a
  • health plan,
  • health care clearinghouse, or
  • a health care provider who transmits information
    in electronic form in connection with a
    transaction for which HHS has adopted a standard.

9
What is a Johns Hopkins covered entity?
  • PROVIDERS
  • The Johns Hopkins University School of Medicine
  • The Johns Hopkins University School of Nursing
  • The Johns Hopkins Hospital
  • Johns Hopkins Bayview Medical Center, Inc.
  • Hopkins ElderPlus (a Provider and a Plan)
  • Howard County General Hospital, Inc.
  • The Johns Hopkins Medical Services Corporation
  • Johns Hopkins Community Physicians, Inc.
  • Priority Partners Managed Care Organization, Inc.
    (a Provider and a Plan)
  • Johns Hopkins Pharmaquip, Inc.
  • Johns Hopkins Home Health Services, Inc.
  • Johns Hopkins Pediatrics at Home, Inc.
  • Ophthalmology Associates, LLC
  • The Central Maryland Heart Center, Inc.
  • The Center for Ambulatory Services, Inc. (TCAS)
  • HCP Venture One Corporation
  • Howard County MRI Limited Partnership
  • Cedar Emergency Services Company, Inc.

10
What is a Johns Hopkins covered entity?
  • HEALTH PLANS
  • (Some of the following health plans,
    particularly EHP health plans, are administered
    by Johns Hopkins Health Care LLC)
  • The Johns Hopkins University
  • Welfare Plan
  • Benefit Elections Program Plan
  • SOM SPH Student Health Program
  • SOM Dental Insurance Program
  • Student Health Insurance Plan
  • APL Medical and Dental Insurance Plans
  • APL Health Care Spending Account
  • APL Employee Assistance Program
  • The Johns Hopkins Health System
  • Broadway Services EHP Medical Plan
  • Bayview Medical Center
  • Employee Benefits Plan
  • Represented Employee Benefits Plan
  • House Staff Employee Benefits Plan
  • Employee Assistance Plan
  • Long Term Care Insurance Plan (6/1/04)

11
What is not a Johns Hopkins covered entity?
  • Examples of non-Hopkins covered entities include
  • Kennedy Krieger Institute
  • CMS
  • Indian Health Services

12
What is a JHSPH study?
  • A study on which the PI is a JHSPH researcher.
  • If the study involves human subjects research,
    the project is approved by CHR.

13
What if the PI has a joint appointment at SOM or
SON?
  • When performing clinical care under a joint
    appointment at SOM/SON, the information obtained
    solely in that capacity will remain subject to
    HIPAA.
  • If the PI is doing research on a JHSPH protocol,
    the new policy applies.
  • If the PI generates or accesses PHI at a JH
    covered entity when conducting a JHSPH protocol,
    the PHI in the medical record remains subject to
    HIPAA.
  • The information documented in a separate research
    record will be free of HIPAA limitations.

14
What if the PI is a SOM or SON researcher?
  • The study is still included within the JH covered
    entities and is still fully covered by HIPAA.
  • JHSPH researchers will be treated as outsiders.
  • PHI obtained through the protocol may only be
    used according to the terms of the protocol or a
    subsequent protocol approved by the SOM IRB.
  • The PHI may not be added to a database accessible
    to researchers not part of the protocol.

15
If a JHSPH researcher is seeking to obtain PHI
from a non-Hopkins covered entity
  • Consult with the entity from whom you are
    receiving data to determine their policies.
  • The covered entity may require that the PI use
    their forms or follow different guidelines than
    what JHSPH has implemented with Johns Hopkins
    covered entities. 
  • Once the covered entity is contacted, the JHSPH
    researcher will know exactly what HIPAA forms
    will need to be completed to be compliant with
    that covered entity's procedures.
  • Complete a JHSPH HIPAA Application

16
If a JHSPH researcher is seeking to obtain PHI
from a non-Hopkins covered entity
  • The JHSPH HIPAA Authorizations may be used as
    default forms with the permission of the covered
    entity.
  • The JHSPH CHR may approve waivers or alterations
    of the Authorization requirement.

17
If a JHSPH researcher is seeking to obtain PHI
from a non-Hopkins covered entity
  • The HIPAA application and associated forms will
    undergo administrative review.
  • The Authorizations will not be stamped as
    approved. They will be stamped as received.
  • The HIPAA application will be administratively
    reviewed.
  • You will receive a letter from the Office of
    Graduate Education and Research indicating that
    your HIPAA application/forms have been received
    and reviewed.
  • The only time the HIPAA forms will be reviewed
    and approved by CHR is if a waiver or alteration
    of the Authorization requirement is requested.

18
If a JHSPH researcher is seeking to obtain PHI
from a JHU/JHHS covered entity
  • If the research team will access PHI only
    post-consent process
  • The subject's Authorization must be obtained for
    the disclosure of PHI from the covered entity to
    the researcher.
  • An Authorization for the disclosure of health
    information allows a covered entity to release a
    patient's individually identifiable health
    information with the patient's signed permission.
  • If a JHSPH PI is seeking to obtain PHI from a
    Johns Hopkins covered entity for a JHSPH
    protocol, the HIPAA Authorization available at
    www.jhsph.edu/hipaa must be utilized.
  • This Authorization has been approved by JH HIPAA
    and may not be altered.

19
If a JHSPH researcher is seeking to obtain PHI
from a JHU/JHHS covered entity
  • Access to PHI may be obtained without the
    Authorization of the individual in the following
    cases
  • Research using de-identified information
  • Research using limited data sets
  • Research on decedents
  • Reviews preparatory to research
  • Research where a waiver or partial waiver of the
    Authorization requirement has been granted.

20
If a JHSPH researcher is seeking to obtain PHI
from a JHU/JHHS covered entity
  • Research using de-identified data
  • Submit a HIPAA Application
  • Enter into a Business Associates Agreement with
    the Johns Hopkins HIPAA Office

21
If a JHSPH researcher is seeking to obtain PHI
from a JHU/JHHS covered entity
  • Research using a limited data set
  • Submit a HIPAA Application
  • Enter into a Business Associates Agreement with
    the Johns Hopkins HIPAA Office
  • Enter into a Data Use Agreement with the Johns
    Hopkins HIPAA Office
  • The information obtained in the limited data set
    may ONLY be used in a manner consistent with the
    Data Use Agreement.

22
If a JHSPH researcher is seeking to obtain PHI
from a JHU/JHHS covered entity
  • When a Johns Hopkins covered entity discloses PHI
    to a JHSPH researcher
  • For a review preparatory to research
  • For research on the PHI of decedents and
  • In response to a full or partial waiver of the
    Authorization requirement
  • The researcher must track the disclosure in the
    SPH JH HIPAA Compliance System.

23
If a JHSPH researcher is seeking to obtain PHI
from a JHU/JHHS covered entity
  • HIPAA requires covered entities to account for
    disclosures for up to six years for PHI
    disclosed
  • For a review preparatory to research,
  • For research on decedents, and
  • Under a full or partial waiver of the
    Authorization requirement.
  • Due to our close research relationship with the
    Hopkins covered entity health care components,
    it is JHSPH policy to assist the JH covered
    entities in accounting for disclosures that occur
    as a result of a JHSPH study by tracking those
    disclosures.

24
If a JHSPH researcher is seeking to obtain PHI
from a JHU/JHHS covered entity
  • The SPH JH HIPAA Compliance System was developed
    to provide a method of tracking protected health
    information disclosed by Johns Hopkins covered
    entities.
  • It also enables researchers to note limitations
    that individuals may have on the use of their
    medical information which are discovered during
    the conduct of research.

25
If a JHSPH researcher is seeking to obtain PHI
from a JHU/JHHS covered entity
  • Researchers must check the database to determine
    if a limitation is noted
  • Prior to contacting any individual to obtain a
    consent/authorization relating to research, if a
    waiver or partial waiver of the Authorization
    requirement has been obtained or
  • If a PI is going to use PHI previously obtained
    from a JH covered entity pursuant to a waiver of
    the Authorization requirement or for research on
    decedents.
  • If a limitation is noted, the researcher must
    abide by the limitation.

26
If a JHSPH researcher is seeking to obtain PHI
from a JHU/JHHS covered entity
  • The SPH JH HIPAA Compliance System can be
    accessed at
  • http://www.jhsph.edu/HIPAA/SPH%20JH%20HIPAA%20Compliance%20System.
  • PIs will be granted access when they submit a
    HIPAA application which requires them to track
    disclosures or track/search limitations.
  • Researchers will only have access to their own
    studies.
  • All PIs with access to the System will be able to
    search all limitations.

27
If a JHSPH researcher is seeking to obtain PHI
from a JHU/JHHS covered entity
  • Activities preparatory to research
  • Example: A researcher would like access to
    medical records to create a research question.
  • Complete a HIPAA Application, making the required
    representations.
  • PHI disclosed to JHSPH researchers from a JH
    covered entity in a review preparatory to
    research must be tracked in the SPH JH HIPAA
    Compliance System.
  • You may only remove minimal amounts of PHI from
    the covered entity necessary to satisfy the
    tracking requirements.
  • The PHI may only be used to complete the tracking
    database.

28
If a JHSPH researcher is seeking to obtain PHI
from a JHU/JHHS covered entity
  • Research reviewing the PHI of decedents
  • Complete a HIPAA Application making the required
    representations
  • Track the disclosures of PHI and limitations
    found in the review in the SPH JH HIPAA
    Compliance System

29
If a JHSPH researcher is seeking to obtain PHI
from a JHU/JHHS covered entity
  • Research where access to PHI is being obtained
    without contact with the individual
  • Examples
  • Retrospective medical chart review
  • Review of medical charts to obtain the contact
    information of prospective participants
  • Apply for a waiver or partial waiver of the
    Authorization requirement.
  • Complete the JHSPH HIPAA Application
  • Your Application will be reviewed by CHR.
  • Full or partial waivers of the Authorization
    requirement must be approved by an IRB or Privacy
    Board. 45 CFR 164.512(i)(1)(i).
  • You will have to make entries into a new SPH JH
    HIPAA Compliance System regarding the PHI
    disclosed and any limitations learned while
    conducting the research.

30
What if a JHSPH researcher stores specimens at a
Johns Hopkins covered entity?
  • If a JHSPH researcher stores specimens from a
    JHSPH protocol at a Johns Hopkins covered entity,
    those specimens will not become subject to HIPAA
    if all of the following exist
  • The JHSPH researcher owns the specimens and has
    the total right to control the use of the
    specimens
  • The Johns Hopkins covered entity does not have
    control over the use of the specimens
  • The specimens are clearly identified as belonging
    to the JHSPH researcher
  • To the extent that the covered entity works with
    the samples, it works with de-identified
    information and
  • If a link exists between the specimens and the
    individually identifiable health information, the
    covered entity does not have access to that link.

31
What if a JHSPH researcher stores specimens at a
Johns Hopkins covered entity?
  • If the specimens stored at a Johns Hopkins
    covered entity are de-identified, the specimens
    are not covered by HIPAA.
  • De-identified: the 18 identifiers under HIPAA
    are removed from the data

32
What if a study is international?
  • If a JHSPH study is being conducted outside of
    the U.S. and individually identifiable health
    information is being sent from a health care
    provider to JHSPH, your study is not impacted by
    HIPAA.
  • If information is sent from a research setting
    outside the U.S. to a Johns Hopkins covered
    entity, the information may become subject to
    HIPAA if
  • the information is identifiable (i.e. contains
    any of the 18 identifiers under HIPAA)
  • OR
  • the covered entity has access to a link between
    the information and the person from whom the
    information was obtained.

33
What happens to the information once it arrives
at JHSPH?
  • Information disclosed to a researcher from a
    covered entity, which is maintained at JHSPH, is
    not protected by the Privacy Rule.
  • Exception: PHI obtained through a Data Use
    Agreement (i.e. a limited data set) or otherwise
    limited by contractual terms
  • Other Federal and State protections, such as the
    Common Rule, may limit the use or disclosure of
    the information.

34
If a JHSPH researcher is seeking to obtain PHI
from a JHU/JHHS covered entity
  • Information received from a Johns Hopkins covered
    entity by a JHSPH researcher MAY NOT be used for
    marketing or fundraising purposes.

35
Review Process
  • All forms will be administratively reviewed by
    the Research Regulations Specialist (RRS).
  • With one exception, they will be stamped as
    received, but will not be approved.
  • If the Application indicates that the researcher
    is seeking a waiver or partial waiver of the
    Authorization requirement
  • The waiver request will be reviewed and approved
    or denied by CHR.
  • Once the administrative review (and approval, if
    necessary) is completed, the PI will be notified
    by the RRS.

36
Questions?
  • Leah Mendelsohn, J.D.
  • Research Regulations Specialist
  • Office of Graduate Education and Research
  • 615 North Wolfe Street, W1033
  • Baltimore, Maryland 21204
  • (410) 502-0433
  • lmendels_at_jhsph.edu
  • http://www.jhsph.edu/hipaa