HIPAA, Privacy - PowerPoint PPT Presentation

About This Presentation

Title: HIPAA, Privacy

Description: Protecting the privacy of our veterans. Assuring the confidentiality of research ... voice prints (16) Full-face photographic images and any comparable images ... – PowerPoint PPT presentation

Slides: 43
Provided by: brendacucc2


Transcript and Presenter's Notes

2
HIPAA, Privacy & Confidentiality
  • Local Accountability for Research Protection in
    VA Facilities
  • VA Office of Research Development
  • Baltimore, February 2008

3
  • I have as much privacy as a goldfish in a bowl.
  • Princess Margaret

4
The Goal of VA Privacy
  • Protecting the privacy of our veterans
  • Assuring the confidentiality of research
    subjects data
  • Ensuring research will continue

5
VHA Privacy
  • VHA privacy program is complex
  • Must comply with 6 statutes that govern
    collection, maintenance & release of information
  • Investigators must have the authority to collect,
    use, or disclose private information
  • VHA Handbook 1605.1 addresses most requirements

6
Privacy Related Statutes
  • HIPAA Privacy Rule
  • Privacy Act of 1974
  • FOIA
  • VA Claims Confidentiality
  • Confidentiality of medical records about:
  • Drug Abuse,
  • Alcoholism & Alcohol Abuse,
  • HIV, and
  • Sickle Cell Anemia
  • Confidentiality of Healthcare Quality Assurance
    Review Records

7
HIPAA & the Privacy Rule
  • Title I: Health Care Access, Portability &
    Renewability
  • Title II: Preventing Healthcare Fraud & Abuse;
    Administrative Simplification; Medical Liability
    Reform
  • Privacy Rule,
  • Transactions,
  • Security
  • Enforcement

8
HIPAA & The Common Rule
  • Represents 2 different, but NOT contradictory
    regulations
  • Many terms similar but not the same
  • IRB must make 2 separate determinations when
    reviewing & approving applicable research:
  • The Common Rule
  • HIPAA

9
HIPAA & Research
  • Defines specific HIPAA identifiers
  • Controls use of Personal Health Information (PHI)
  • Within the covered entity
  • Disclosures outside the covered entity
  • Allows only the Minimum Necessary information
  • Use of PHI requires an authorization or waiver of
    authorization. Exceptions:
  • Preparatory to research. Note: it does not
    include recruiting subjects
  • Use of limited data sets as defined by HIPAA

10
HIPAA Identifiers: Remove All 18 to De-identify
for HIPAA
  • (1) Names
  • (2) All geographic subdivisions smaller than a
    state, except for the initial three digits of the
    zip code if the geographic unit formed by
    combining all zip codes with the same three
    initial digits contains more than 20,000 people
  • (3) All elements of dates except year, and all
    ages over 89
  • (4) Telephone numbers
  • (5) Fax numbers
  • (6) E-mail addresses
  • (7) Social security numbers
  • (8) Medical record numbers

11
HIPAA Identifiers (Cont.)
  • (9) Health plan beneficiary numbers
  • (10) Account numbers
  • (11) Certificate or license numbers
  • (12) Vehicle identifiers and license plate
    numbers
  • (13) Device identifiers and serial numbers
  • (14) URLs
  • (15) IP addresses
  • (16) Biometric identifiers
  • (17) Full-face photographs and any comparable
    images

12
HIPAA Identifiers (Cont.)
  • (18) Any other unique identifying number,
    characteristic, or code, unless otherwise
    permitted by the Privacy Rule for
    re-identification, e.g.:
  • Scrambled SSNs
  • Initials
  • Last four digits of SSN
  • Employee numbers
  • Etc.
  • (19) A caveat: HIPAA also requires that the
    entity does not have actual knowledge that the
    remaining information could be used alone or in
    combination with other information to identify
    an individual who is the subject of the
    information
  • If you strip all 18 identifiers, the data still
    may not be de-identified

13
Applicability of Identifiers
  • HIPAA identifiers apply to:
  • The individual
  • The individual's relatives
  • The individual's employers
  • The individual's household members

14
What's De-identified?
  • If some one tells you data is de-identified, ask
    them how they define de-identified!

15
De-identified: VHA's Definition
  • Information or data that meets the HIPAA Privacy
    Rule and the Common Rule definitions of
    de-identified
  • Does not contain any of the 18 HIPAA identifiers
  • Has not been statistically de-identified using
    HIPAA criteria
  • Identity of the subject is not readily
    ascertained from the information remaining

16
Remember
  • Scrambled Social Security Numbers are
    identifiers!!!

17
Protected Health Information (PHI)
  • PHI is individually identifiable health
    information (IIH)
  • IIH: health information, including demographics,
    that is
  • Collected from an individual
  • Relates to:
  • The past, present, or future physical or mental
    health or condition of an individual
  • Provision of health care to the individual
  • Identifies the individual, or there is a
    reasonable basis to believe the information can
    identify the individual
  • Is retrieved by name or other unique identifier

18
Preparatory to Research
  • VHA Handbook 1605.1 states that contacting
    research subjects or conducting pilot studies are
    not activities Preparatory to Research
  • HHS states that the Preparatory to Research
    provisions allow an investigator to use PHI to
    contact prospective research subjects

19
Limited Data Sets
  • HIPAA authorization or waiver of authorization
    not required
  • Use allowed only for:
  • Research,
  • Public health, or
  • Health care operations
  • Requires a DUA
  • May contain identifiable information such as
    scrambled SSNs, therefore may still be PHI and
    human subjects research

20
Limited Data Set (Cont.)
  • Excludes certain direct identifiers
  • Excluded identifiers apply to:
  • The individual,
  • The individual's relatives
  • The individual's employers
  • The individual's household members
  • May contain:
  • City, state, ZIP code,
  • Elements of a date, other numbers,
  • Characteristics or codes not listed as direct
    identifiers

21
Limited Data Sets: Direct Identifiers
  • (1) Names
  • (2) Postal address other than town, city, state,
    and ZIP code
  • (3) Telephone numbers
  • (4) Fax numbers
  • (5) Electronic mail address
  • (6) SSNs
  • (7) Medical Record number
  • (8) Health plan beneficiary numbers
  • (9) Account numbers

22
Limited Data Set: Direct Identifiers (Cont.)
  • (10) Certificate/license numbers
  • (11) Vehicle identifiers and serial numbers,
    including license plate numbers
  • (12) Device identifiers & serial numbers
  • (13) Web universal resource locators (URLs)
  • (14) Internet protocol (IP) address
  • (15) Biometric identifiers, including
    fingerprints & voice prints
  • (16) Full-face photographic images and any
    comparable images
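The two identifier lists above (the 18-element de-identification rule on slides 10-12 and the 16 limited-data-set direct identifiers on slides 19-22) are mechanical enough to encode. The script below is an added illustration, not code from the VA presentation, VHA Handbook 1605.1 or any VA system. It applies either rule to one record: in Safe Harbor mode it drops the direct identifiers, geographic units smaller than a state and "other unique codes" such as scrambled SSNs, keeps only the year of a date, collapses ages over 89 into one category and truncates ZIP codes to three digits; in limited-data-set mode it removes only the 16 direct identifiers and keeps dates, city, state and full ZIP. The field names, regular expressions, the low-population ZIP prefix set and the sample record are all constructed assumptions. The "000" replacement for three-digit ZIP areas of 20,000 people or fewer is the HHS Safe Harbor wording, but the prefixes in the set here are placeholders, not the real census-derived list.

```python
"""De-identification helpers for the two identifier lists on the slides.

Added example, not code from the VA presentation or any VA system.  Field
names, patterns, the sample record and LOW_POPULATION_ZIP3 are constructed.
"""
import re
from datetime import date

# Constructed placeholder.  The real set is every 3-digit ZIP area whose
# combined population is 20,000 or fewer (per current census data); HHS's
# Safe Harbor rule replaces such prefixes with "000".
LOW_POPULATION_ZIP3 = {"036", "059"}

# Direct identifiers (slides 21-22) removed in BOTH modes.  Assumed field names.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip", "biometric", "photo",
}
# Geographic units smaller than a state (Safe Harbor item 2); a limited data
# set may keep them.
GEO_FIELDS = {"city", "county"}
# "Any other unique identifying number, characteristic or code" (item 18);
# the slides single out scrambled SSNs, initials and employee numbers.  A
# limited data set may keep them, which is why it may still be PHI.
OTHER_UNIQUE_CODE_FIELDS = {"scrambled_ssn", "initials", "employee_id"}

# Identifier-like strings that leak into free-text fields.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),  # Safe Harbor only
}


def deidentify_zip(zipcode: str) -> str:
    """Item 2: keep the first three digits, or "000" for a low-population area."""
    zip3 = zipcode.strip()[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def deidentify_age(age: int) -> str:
    """Item 3: ages over 89 collapse into a single "90 or older" category."""
    return "90+" if age > 89 else str(age)


def deidentify_date(d: date) -> str:
    """Item 3: every date element except the year is removed."""
    return str(d.year)


def find_leaked_identifiers(text: str, include_dates: bool = True) -> list:
    """Return (kind, match) pairs for identifier-like strings in free text."""
    hits = []
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        if kind == "full_date" and not include_dates:
            continue
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return hits


def deidentify(record: dict, mode: str = "safe_harbor") -> tuple:
    """Reduce one record.  Returns (reduced_record, findings_for_a_human).

    mode="safe_harbor":      the 18-identifier rule (slides 10-12)
    mode="limited_data_set": only the 16 direct identifiers go (slides 19-22)
    """
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode {mode!r}")
    strict = mode == "safe_harbor"
    out, findings = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if strict and key in GEO_FIELDS | OTHER_UNIQUE_CODE_FIELDS:
            continue
        if strict and key == "zip":
            out[key] = deidentify_zip(value)
        elif strict and key == "age":
            out[key] = deidentify_age(value)
        elif strict and isinstance(value, date):
            out[key] = deidentify_date(value)
        elif isinstance(value, str):
            leaks = find_leaked_identifiers(value, include_dates=strict)
            if leaks:
                # Slide 12: stripping the 18 fields is not enough if the
                # free text still carries an identifier.  Hold it back.
                findings.append(f"{key}: identifier-like text {leaks}")
                continue
            out[key] = value
        else:
            out[key] = value
    if strict:
        findings.append("item 19: confirm no actual knowledge that the "
                        "remaining data can identify the subject")
    else:
        findings.append("limited data set may still be PHI: DUA required")
    return out, findings


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "scrambled_ssn": "Q7K2-91",
    "city": "Lebanon",
    "state": "NH",
    "zip": "03601",
    "age": 92,
    "admit_date": date(2007, 11, 3),
    "diagnosis": "Type 2 diabetes",
    "notes": "Follow up by phone 555-123-4567 on 12/01/2007",
}

if __name__ == "__main__":
    for mode in ("safe_harbor", "limited_data_set"):
        reduced, findings = deidentify(SAMPLE_RECORD, mode)
        print(mode, reduced, findings, sep="\n  ")
```

Two design points follow the slides directly: a free-text field that still contains an identifier-like string is withheld rather than passed through, because slide 12 warns that removing the 18 fields does not by itself make data de-identified; and the item-19 "actual knowledge" test and the limited data set's DUA requirement are reported as findings for a person to resolve, since neither can be decided by code.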

23
Business Associate Agreements
  • Business Associate: An individual or entity who,
    on behalf of VHA,
  • Performs functions, services, or activities
    involving the use or disclosure of PHI
  • Must be related to treatment, payment, or health
    care operations

24
Business Associate Agreements
  • BAAs required for
  • Any person or entity meeting the definition of
    Business Associate
  • BAAs not required for research or research
    sponsors
  • Research is not a function or activity regulated
    by HIPAA (treatment, payment, or health care
    operations)

25
HIPAA Authorization
  • Authorization requirements:
  • Handbook 1605.1, Privacy & Release of
    Information
  • Poor authorizations:
  • Inadequate description of the data
  • Does not specifically state if PHI related to
    drug or alcohol abuse, alcoholism, HIV, or Sickle
    Cell Anemia will be used
  • Statements regarding who will see data are too
    general
  • Failure to state what will happen with the data,
    where it is sent, and how it is secured
  • May be stand-alone or incorporated into informed
    consent

26
Waiver of Authorization
  • IRB or Privacy Board (PB) may approve
  • Full waiver of authorization
  • Partial waiver of authorization
  • Alteration of the disclosure
  • IRB or Privacy Board
  • Must make specific determination prior to
    approving waiver
  • Must document specific findings

27
Required Determinations: 3 Criteria
  • 1. The use or disclosure of PHI involves no more
    than a minimal risk to the individual, based on
    at least the presence of the following elements:
  • An adequate plan to protect the identifiers from
    improper use & disclosure
  • An adequate plan to destroy the identifiers at
    the earliest opportunity consistent with the
    conduct of the research, unless there is a health
    or research justification for retaining them or
    the retention is required by law, and
  • Adequate written assurance that the PHI will not
    be reused or disclosed to any other person or
    entity, except as required by law, for authorized
    oversight of the research study, or for other
    research for which the use or disclosure of PHI
    would be permitted by this subpart

28
Required Determinations 3 Criteria (Cont.)
  • 2. The research could not practicably be
    conducted without the waiver
  • 3. The research could not practicably be
    conducted without access to and use of the
    protected health information

29
Required Documentation
  • Name of IRB or PB & date approved
  • Statement that the IRB or PB determined the
    alteration or waiver of authorization, in whole
    or in part, satisfies the 3 criteria in the Rule
    (list criteria)
  • A brief description of the PHI for which use or
    access has been determined to be necessary
  • A statement that the alteration or waiver of
    authorization has been reviewed and approved
    under either normal or expedited review
    procedures, and
  • Signature of the chair or other voting member, as
    designated by the chair, of the IRB or PB, as
    applicable.

30
Data Use Agreements (DUA)
  • Originally VHA (in addition to HHS) required a
    DUA for use of limited data sets
  • VHA and ORD policy now requires a combined DUA
    and Data Transfer Agreement (DUA/DTA) whenever
    you transfer data within or outside VHA for
    research purposes, unless:
  • The consent allows transfer to the sponsor
  • The transfer is within the scope of the protocol,
    e.g., transferring data to a data coordinating
    center
  • DUA/DTA requirements will be published soon

31
  • Privacy Act of 1974

32
  • An American has no sense of privacy.
  • He does not know what it means.
  • There is no such thing in the country.
  • George Bernard Shaw

33
Privacy Act of 1974
  • Purpose: To balance the government's need to
    maintain information about individuals with the
    rights of individuals to be protected against
    unwarranted invasions of their privacy
  • Background: Watergate era, and Congress concerned
    with:
  • Curbing illegal surveillance & investigations
  • Potential abuses presented by the government's
    increasing use of computers to store & retrieve
    personal data

34
Privacy Act Objectives
  • Restrict disclosure of personally identifiable
    records by agencies
  • Grant individuals
  • Increased rights of access to agency records
  • The right to seek amendment of agency records
  • Establish code of fair information practices for
    agencies

35
A Privacy Act Requirement
  • Agencies that maintain a system of records "shall
    promulgate rules, in accordance with notice and
    comment rulemaking"
  • Systems of Records (SOR): A group of records
    under agency control from which information is
    retrieved by the name of the individual or by
    some identifying number, symbol, or other
    identifying particular assigned to the
    individual.

36
System of Records Content
  • Category of individuals covered by the system
  • Categories of records in the system
  • Purpose of the records
  • Routine uses of records
  • Storage (storage medium)
  • Retrievability (name, numbers or identifier)

37
SORs and Research
  • 34VA12 -- Veteran, Patient, Employee, and
    Volunteer Research and Development Project
    Records
  • 121VA19 -- National Patient Databases -- VA
  • 97VA105 -- Consolidated Data Information System
    -- VA (contains Medicare data)

38
SORs' Major Impact on Research
  • All release/disclosure of information must be
    consistent with the SOR and its routine uses
  • Investigators cannot release information to
    non-VA investigators or institutions unless:
  • Written permission/authorization from the
    individual, or
  • Permission of the USH or designee
  • Release of information is through or at the
    direction of the Privacy Office:
  • Privacy Officer approval
  • ISO: secure release & transmission

39
Privacy Issues & Resources
  • VHA Privacy Officer: Stephania Putt
  • Local privacy officer
  • VHA privacy program:
  • http://vaww.vhaco.va.gov/privacy/
  • Links to all Federal statutes, regulations, and
    policies, including security policies
  • Privacy Fact Sheets

40
Is This True?
  • "The more the data banks record about each one of
    us, the less we exist"
  • Marshall McLuhan
  • Canadian philosopher & educator

41