HIPAA and Research and YOU - PowerPoint PPT Presentation

About This Presentation
Slides: 21
Provided by: Lemp
Learn more at: http://www.med.uvm.edu

Transcript and Presenter's Notes


1
HIPAA and Research and YOU

2
INTRODUCTION
  • Rule 1: Don't Panic
  • Rule 2: Bottom Line for Researchers: HIPAA is
    Manageable thru Education/Awareness and Good
    Planning, and will become routine over time
  • - The biggest impact of HIPAA is that it
    requires researchers to plan the data
    privacy and data sharing aspects of their studies
    more carefully, specifically by
    identifying in advance all persons and entities
    who will need access and getting the
    patient's authorization (or IRB waiver) allowing
    that access.
  • - Most other changes due to HIPAA
    will be standardized ones, e.g.
    boilerplate consent language,
    standard IRB findings for waivers, and
    standardized written representations or
    data use agreements signed by researchers in
    certain situations.
  • - Changes will most affect:
  • (a) data access/use/disclosure planning
  • (b) researcher/departmental databases and
    registries
  • (c) how you maintain/secure/treat your
    research records
  • (d) studies starting pre 4/03 and
    continuing after 4/03
  • Rule 3: But Beware HIPAA's Bite
  • The Civil and Criminal Penalties
    under HIPAA are significant

3
HIPAA OVERVIEW: THE VERY, VERY BASICS
  • 1996 Federal Law
  • Department of Health and Human Services (DHHS)
    Regulations
  • 4 Rules: Privacy, Security, Transaction and
    E-Signatures
  • Immediate Concern: Privacy Rule
  • Effective Date of Privacy Rule: April 13, 2003

4
HIPAA OVERVIEW: THE VERY, VERY BASICS
  • Essential Purposes/Goals of HIPAA Privacy Rule:
    Broadly, to specify how providers (who bill
    insurers electronically), health plans and medical
    billing intermediaries (clearing houses), a/k/a
    "Covered Entities", must treat/handle
    (use/disclose) an individual's protected health
    information (phi)
  • To specify when, for what purposes and under what
    conditions/circumstances phi can be used by the
    Covered Entity or disclosed to a third party
  • To specify what rights individuals have with
    respect to their own phi.
  • To specify what administrative procedures and
    safeguards Covered Entities must implement to
    safeguard phi.

5
HIPAA OVERVIEW: THE VERY, VERY BASICS
  • Q: Is a Researcher a Covered Entity that has to
    comply with HIPAA?
  • Answer: Maybe
  • HIPAA Rule covers providers who bill insurers
    for their services electronically, and does not
    cover researchers per se.
  • However, DHHS has said that if the researcher is
    engaged in a clinical study involving standard
    of care or routine treatment (e.g. MRI or
    liver function test) and the researcher bills
    insurers for the costs of that treatment, then
    the researcher is a covered provider that needs
    to comply with HIPAA
  • In other cases, researchers will not be covered
    by HIPAA
  • Q: Are Researchers that are not Covered Entities
    still affected by HIPAA?
  • Answer: Yes, if they need to receive and use phi
    held by a Covered Entity (e.g. FAHC)
  • In those cases, HIPAA rules must be followed by
    the CE before disclosing the PHI to the
    researcher.

6
HIPAA OVERVIEW: THE VERY, VERY BASICS
  • What are the implications of a researcher being
    covered by HIPAA?
  • Research Records must be accounted for and
    unauthorized disclosures must be tracked and an
    accounting provided to the subject upon request
  • Minimum Necessary and other rules must be
    followed with respect to access to research
    records and study-related phi.

7
HIPAA OVERVIEW: THE VERY, VERY BASICS
  • Some Key Concepts to Keep in Mind
  • HIPAA "Default Rule": Unless HIPAA Rule
    specifically permits otherwise, a Covered Entity
    (e.g. FAHC) can only use/disclose phi for any
    purpose if specifically authorized by the
    individual in writing.

8
HIPAA OVERVIEW: THE VERY, VERY BASICS
  • Some Key Exceptions: A Covered Entity can
    use/disclose PHI without individual
    authorizations
  • for treatment, payment, health care operations
  • for certain public health, law enforcement or
    other specified public response reasons
  • for research with approval of an IRB (when
    authorization is not practicable and other
    conditions are met) or in other limited
    circumstances (described below).

9
HIPAA OVERVIEW: THE VERY, VERY BASICS
  • Meaning of Default Rule for Researchers
  • With very few exceptions, when a written
    authorization can practicably be obtained from
    research subjects, you have to get it.
  • Always be sure to plan in advance by identifying
    all persons/entities needing access to PHI and,
    whenever possible, getting the patient's
    authorization to allow that access
  • Remember, patient needs to authorize both (1) the
    researcher getting and using the patient's phi
    and (2) the researcher disclosing phi to third
    parties.

10
HIPAA RESEARCH RULES
  • Definition of Research
  • Same in HIPAA & Common Rule
  • A systematic investigation, including research
    development, testing, and evaluation, designed to
    develop or contribute to generalizable knowledge
  • Distinct from QA/QI Activities (HIPAA permits
    without patient authorization or IRB waiver)

11
HIPAA RESEARCH RULES
  • When can PHI be used/disclosed for research
    purposes?
  • With individual's signed, written authorization
  • Upon waiver of authorization by IRB or PB
  • For reviews preparatory to research
  • For research on decedents' information
  • If provided in a Limited Data Set (16
    identifiers removed) under a Data Use Agreement
  • Whenever PHI is completely de-identified (30
    identifiers removed)

12
HIPAA RESEARCH RULES
  • What are some of the other key HIPAA rules re
    Research?
  • Authorizations - Content Requirements
  • IRB Waivers of Authorization - Process, Required
    IRB Findings and Documentation and Recordkeeping
  • Reviews Preparatory to Research - When & How
  • Research Involving Decedents' Information -
    When & How
  • Research Using De-Identified Data - When & How
  • Research Using Limited Data Sets - When & How
  • Registries & Databases - Creation & Use

13
HIPAA RESEARCH RULES
  • HIPAA Transition Rule
  • - All pre-compliance date authorizations and IRB
    waivers, and resulting PHI, can continue to be
    utilized after 4/13/03 in both treatment and
    records studies that were approved before
    4/13/03.
  • - For studies approved after 4/13/03, HIPAA
    rules must be followed
  • - However, for treatment studies approved and
    commenced before 4/13/03, HIPAA-compliant
    authorizations must be obtained for all patients
    enrolled after 4/13/03.

14
WHAT DOES IT MEAN FOR ME AND MY STUDY?
  • For Treatment Studies
  • Follow applicable HIPAA rules (and applicable IRB
    rules) for recruitment activities and reviews
    preparatory to research
  • Make sure informed consent form contains HIPAA
    authorization language and that it authorizes all
    researchers and necessary research staff to
    access and use pre-existing phi and phi generated
    in the study, and that it authorizes disclosures
    of records to all third parties requiring access
    (e.g. study sponsor, IRB staff, study audit
    staff, etc).
  • Also make sure authorization covers/permits
    access (as necessary) by persons within FAHC
    and/or UVM needing access (e.g. Cancer Study
    staff). This is because (a) under
    the HIPAA Default Rule a specific patient
    authorization is normally required, and (b) UVM
    and FAHC are separate legal entities.

15
WHAT DOES IT MEAN FOR ME AND MY STUDY?
  • For Records or Chart Review Studies
  • IRB Waiver of authorization under HIPAA must be
    obtained in addition to waiver of consent under
    the Common Rule
  • Exceptions:
  • Researcher receives only Limited
    Data Set under Data Use Agreement
  • Researcher receives only de-identified data
  • Researcher receives only decedents' data upon
    filing required written representations

16
WHAT DOES IT MEAN FOR ME AND MY STUDY?
  • For Patient Recruitment Activities
  • If researcher is employee of the Covered Entity
    holding the phi (FAHC), no IRB approval is needed
    to access medical records to identify patients
    and record contact information.
  • If researcher is not an employee of Covered
    Entity holding the phi (e.g. employees of UVM or
    other third party), researcher must obtain a
    partial IRB waiver to access medical records to
    identify patients and record contact information.
  • In either case, IRB policy on patient contact
    (i.e. contact only through treating physician)
    must still be followed.

17
WHAT DOES IT MEAN FOR ME AND MY STUDY?
  • For Keepers of Registries & Databases
  • - Registries and databases created with patient
    authorization continue to be fully permissible
    before and after 4/03.
  • - Existing databases approved through an IRB
    waiver of consent are grandfathered: old data
    can continue to be maintained and accessed and
    new data added without further approval
  • - Existing databases never authorized by
    patients or approved by an IRB can continue to be
    maintained and accessed after 4/03, but an IRB
    waiver or patient authorization is needed to add
    new phi after 4/03.
  • - In all cases, phi in a registry or database can
    only be later used/disclosed for research upon a
    new/second patient authorization or IRB waiver.

18
WHAT DOES IT MEAN FOR ME AND MY STUDY?
  • For Pre-Approved Studies Continuing Past 4/13/03
  • For IRB Waiver studies (mostly record
    studies), no action needed: original waiver is
    deemed still valid
  • For patient authorization studies (mostly
    treatment studies), patients enrolling pre 4/03
    need not be re-consented, but patients enrolled
    after 4/03 must sign a HIPAA-compliant consent.

19
WHAT DOES IT MEAN FOR ME AND MY STUDY?
  • For staff maintaining research records
  • research records are different than treatment
    records
  • need to determine whether HIPAA rules apply to
    your research records
  • If research also involves standard treatment
    (e.g. in most clinical trials) and insurance
    billing is involved, it is likely that some
    provisions of HIPAA will apply to the research
    records.
  • Otherwise, HIPAA will not apply to the research
    records
  • If HIPAA does apply to the research records, you
    will, at a minimum, have to:
  • - ensure institution knows of existence of
    records and their location
  • - account for all unauthorized disclosures
  • - keep phi secure
  • - be trained in HIPAA requirements
  • - failure could lead to institutional or
    personal liability

20
THE END