Privacy - PowerPoint PPT Presentation

1 / 20
About This Presentation
Title:

Privacy

Description:

What does this form mean? HIPAA Authorization means prior written permission for use and disclosure of protected health information (PHI) from the information s ... – PowerPoint PPT presentation

Number of Views:156
Avg rating:3.0/5.0
Slides: 21
Provided by: vhaiowsmitha
Category:
Tags: privacy

less

Transcript and Presenter's Notes

Title: Privacy


1
Privacy HIPAA Requirements at the Iowa
City VA Health Care System
2
New VA HIPAA Authorization Form
forResearch(Form 10-0493)
3
  • What does this form mean?
  • HIPAA Authorization means prior written
    permission for use and disclosure of protected
    health information (PHI) from the informations
    source person, research subject, or legally
    authorized personal representative, as required
    under law, including HIPAA. (simple definition
    This form is a release of information, signed by
    the subject, authorizing you to use/disclose
    their data outside of the VA)
  • What are the correct and incorrect ways this form
    would be completed?
  • All elements of the HIPAA Authorization form must
    be filled out by the investigator and will be
    consistent with the informed consent and HawkIRB
    application. All forms are required to be filled
    out completely and signed by the subject, to whom
    the information pertains too.
  • Failure to complete and have the subject sign the
    HIPAA Authorization, will be reported to the
    Privacy Officer, Office of Research Oversight
    (ORO), Research Compliance Officer and the IRB as
    a privacy violation

4
  • Which sections of the form are the investigators
    vs. the subject responsible for understanding?
  • Investigators are responsible for ensuring that
    no human being is involved as a subject in
    research unless the investigator or a designee
    has obtained legally effective HIPAA
    Authorization for use and disclosure of the
    subjects PHI, or has obtained IRB-approved waiver
    of HIPAA Authorization
  • Subject or legally authorized representative are
    responsible for understanding and consenting to
    the use and disclosure of their PHI on the HIPAA
    Authorization form
  • Where is the HIPAA authorization located?
  • HIPAA Authorization form will be located within
    the HawkIRB application under approval tab.
    Click on PO review, then other review screen,
    then VA HIPAA. It is not located under
    attachments because the IRB does not approve
    HIPAA documents.
  • Will the HIPAA Authorization need to be included
    in the HawkIRB application?
  • The HIPAA Authorization form is required to be
    part of the HawkIRB application, when applicable

5
  • How would the new authorization form affect the
    content of the current informed consent document?
  • The Principal Investigator will be responsible
    for ensuring the HIPAA Authorization, informed
    consent and protocol are consistent with each
    other to include use of data or specimens for
    other research as described within HIPAA
    Authorization and who the information pertaining
    to the subject is disclosed too outside of the VA
  • Where does this document get filed after it is
    signed?
  • The original HIPAA Authorization should be kept
    with the research team and a copy of the HIPAA
    Authorization will be sent to the VA Scanning
    department (mail code 136c) to be scanned into
    the subjects medical record
  • What are the retention requirements for this new
    form?
  • The National Archives and Records Administration
    (NARA) currently have not set retention
    requirements for ANY research records, therefore
    nothing should be destroyed at the time. All
    Research records including the HIPAA
    Authorization must be kept until NARA provides
    guidance for destroying research records.

6
  • What is individually-identifiable health
    information?
  • Health information that does not identify an
    individual and to which there is no reasonable
    basis to believe that the information can be used
    to identify an individual. 18 HIPAA identifiers.
    Note Retinal Scans and audio recordings are
    considered individual-identifiable identifiers
  • What is de-identified data?
  • For purposes of VA research, de-identified data
    are data that have been de-identified in
    accordance with both HIPAA Privacy Rule and the
    Common Rule
  • (18 HIPAA identifiers)
  • Scrambling of names and social security numbers
    is not considered de-identifying health
    information
  • Coded data is data identifiable by the
    individual(s) who has access to the code.
    Therefore, coded data are not considered to be
    de-identified or anonymous. When disclosing
    de-identified data to non-VA entities this code
    needs to be removed

7
  • Other information
  • Use of the new HIPAA Authorization, Form 10-0493
    begins immediately for all new protocol
    applications
  • All existing IRB approved projects will not be
    required to revise the consent process at the
    point of CR or modification to use the new HIPAA
    Authorization, unless you are making changes to
    your HIPAA Authorization or as directed by the
    IRB

8
(No Transcript)
9
New section
10
New section
Need to insert your information here
11
(No Transcript)
12
This part of the form is new
13
  • Miscellaneous Research Privacy information
  • Record retention language will be used for all
    protocols involving the VA
  • The required records, including the
    investigators research records, will be retained
    until disposition instructions are approved by
    the National Archives and Records Administration
    and are published in VHAs Records Control
    Schedule (RCS 10-1)
  • Original audio recordings cannot be
    deleted/destroyed even after transcribed (upload
    to a VA server)
  • Research Identifiers cannot be deleted/destroyed
  • If you are storing VA information on a University
    server this language needs to be documented in
    the informed consent Transfer of your
    information to an affiliate server constitutes
    disclosure under HIPAA. After transfer of your
    information to the University affiliate server,
    VA no longer owns the transferred information and
    VA cedes control over the information. A HIPAA
    Authorization will also need to be completed if
    storing information to the University server. If
    the investigator is not getting the subjects
    written consent/HIPAA Authorization, but storing
    information on the University server you must
    have a waiver from the VA Chief Information
    Officer prior to storing information outside of
    the VA.
  • A prior written HIPAA Authorization signed by the
    subject must be obtained prior to disclosing PHI
    to an academic affiliate

14
  • All employees will follow clean desk practices
    to protect VA sensitive information (in any form)
    in uncontrolled environments and all VA sensitive
    information on printouts and other media will be
    kept in locked files or cabinets when not in use
  • VA Authorization to transport data outside of VA
    property will be filled out and signed by all
    parties before any VA sensitive information is
    transported, transmitted, accessed, or removed
    from VA property.
  • Privacy Practice Notice
  • Handbook 1605.04 indicates VHA must provide a
    copy of its VHA Notice of Privacy Practices to
    all non-Veteran research subjects enrolled in an
    approved VHA research study with clinical trials
  • The non veteran patient must acknowledge receipt
    of the VHA Notice of Privacy Practices during
    first episode of care on VA form 10-163. After
    the non-Veteran has signed the acknowledgement
    form the principal investigator for the research
    study will send an encrypted email to the
    facility Privacy Officer with the full name of
    the non-Veteran and the non-Veterans last four
    of social security number

15
  • Privacy Practice Notice continue
  • If an acknowledgement of VHA Notice of Privacy
    Practices is not received from the non-Veteran
    patient, an administrative note must be entered
    into CPRS or the research subjects record
    indicating the good faith efforts made to obtain
    the written acknowledgement and the reason(s) why
    the acknowledgement was not received
  • Legally Authorized Representative(LAR)
  • Is an individual who is qualified to provide
    informed consent on behalf of a prospective
    research subject but may not always qualify as a
    personal representative for the purposes of
    consent to use or disclose a human subjects PHI
    (HIPAA authorization)
  • Examples of LAR
  • Health Care agent
  • Legal or special guardian
  • Next of kin in this order spouse, child, parent,
    sibling, grandparent, grandchild, or
  • A close friend

16
  • If an investigator wants a copy of the research
    data, a request must be submitted to the Privacy
    Officer prior to receiving a copy of the data
  • All research data is the property of the VA and
    is required to stay with the VA, even after the
    research study is closed

17
  • 18 HIPAA Identifiers
  • The following identifiers of the individual or of
    relatives, employers, or household
  • members of the individual are removed
  • Names
  • (2) All geographic subdivisions smaller than a
    State, including street address, city, county,
    precinct, zip code, and their equivalent
    geocodes, except for the initial three digits of
    a zip code if, according to the current publicly
    available data from the Bureau of the Census
  • (a) The geographic unit formed by combining all
    zip codes with the same three initial digits
    contains more than 20,000 people and
  • (b) The initial three digits of a zip code for
    all such geographic units containing 20,000 or
    fewer people is changed to 000

18
(3) All elements of dates (except year) for dates
directly related to an individual, including
birth date, admission date, discharge date, date
of death and all ages over 89 and all elements
of dates (including year) indicative of such age,
except that such ages and elements may be
aggregated into a single category of age 90 or
older (4) Telephone numbers (5) Fax
numbers (6) Electronic mail addresses (7)
Social Security Numbers (8) Medical record
numbers (9) Health plan beneficiary
numbers (10) Account numbers (11) Certificate
and/or license numbers
19
(12) Vehicle identifiers and serial numbers,
including license plate numbers (13) Device
identifiers and serial numbers (14) Web
Universal Resource Locators (URLs) (15) Internet
Protocol (IP) address numbers (16) Biometric
identifiers, including finger and voice
prints (17) Full-face photographic images and
any comparable images (18) Any other unique
identifying number, characteristic, or code
20
Questions for Privacy please contact
  • Amber Smith
  • VA Privacy Officer
  • (319) 338-0581, ext. 6092
  • Amber.Smith2_at_va.gov
  • Sara Miller
  • Research Compliance Officer
  • (319) 338-0581, ext. 6217
  • Sara.Miller_at_va.gov
Write a Comment
User Comments (0)
About PowerShow.com