The HIPAA Privacy Rule - PowerPoint PPT Presentation

About This Presentation
Title:

The HIPAA Privacy Rule

Description:

HIPAA Privacy Rule gives new rights to individuals with respect to their health information ... How is Syracuse University classified under HIPAA? ... – PowerPoint PPT presentation

Slides: 27
Provided by: regulatory2

Transcript and Presenter's Notes

Title: The HIPAA Privacy Rule


1
The HIPAA Privacy Rule Research
2
We will cover 3 main topics
  • What is HIPAA and the Privacy Rule?
  • How does the Privacy Rule affect Human Subject
    Research?
  • What do I have to do to comply?

3
What is HIPAA?
  • The Health Insurance Portability and
    Accountability Act of 1996
  • Signed into law on August 21, 1996 by President
    Clinton
  • Primary Goals
      • Portability of health care coverage for
        individuals who leave or change jobs
      • Government authority to investigate and prosecute
        health care fraud and abuse and
      • Administrative simplification

4
What is the Privacy Rule?
  • HIPAA Privacy Rule gives new rights to
    individuals with respect to their health
    information
  • The Privacy Rule protects the privacy of the
    individually identifiable health information by
    establishing conditions for its use and
    disclosure
  • Final regulations issued by DHHS on August
    14, 2002

5
New Concepts Introduced by the Privacy Rule
  • Individual written authorization is required for
    use or disclosure of PHI unless a waiver is
    granted
  • Authorization waivers can be granted by IRBs or
    Privacy Boards
  • Decedents' information is protected but
    authorization is not required
  • Accounting and reporting of disclosures are
    required.

6
2 Rules to Remember: Common Rule and Privacy Rule
  • Privacy Rule does not replace or modify the
    Common Rule or FDA regulations
  • Privacy Rule exceeds privacy protections of
    Common Rule and FDA regulations.
  • Applies to all research
  • Definition of identifiable information
  • Requires authorization for use and disclosure of
    certain types of health information
  • Applies to decedents' information

7
What is an identifier in the Privacy Rule?
The Privacy Rule identifies 18 specific identifiers
  • Names
  • Geographic info (including city, state, and zip)
  • Elements of dates
  • Telephone
  • Fax
  • E-mail address
  • Social Security
  • Medical record, prescription
  • Health Plan beneficiary
  • Account
  • Certificates/license
  • VIN and serial, license plate
  • Device identifiers, serial
  • Web URLs
  • IP address
  • Biometric identifiers (fingerprints)
  • Full face photo images
  • Unique identifying

8
What is a Covered Entity?
  • A covered entity is one of the following:
      • Health plans
      • Health care clearinghouses
      • Health care providers who conduct certain
        financial and administrative transactions
        electronically.

9
How is Syracuse University classified under HIPAA?
  • Syracuse University is a Hybrid Entity which
    means that only certain departments within
    Syracuse University are Covered Entities
  • There are 5 Covered Entities within Syracuse
    University:
      • Health Services
      • Gebbie Speech-Language Clinic
      • Human Resources - Group Health Plan
      • Student Health Insurance Plan
      • Human Resources - Employee Assistance Program

10
What is Covered?
  • Protected Health Information (PHI)
  • Health information Identifier PHI
  • Transmitted or maintained in any form (paper,
    electronic, web-based, etc.)
  • Decedents' information included
  • Does not include de-identified health information
    or biological tissue

11
We will cover 3 main topics
  • What is HIPAA and the Privacy Rule?
  • How does the Privacy Rule affect Human Subject
    Research?
  • What do I have to do to comply?

12
How will these changes affect research which uses
PHI?
  • Obtaining authorization documentation
  • OR
  • Waiver of authorization documentation
  • OR
  • Use of limited data set
  • Access to PHI (Private or Protected Health
    Information)

13
Informed Consent (Common Rule) vs. Authorization
(Privacy Rule)
  • Informed Consent
      • To participate in the research based on the risks
        and benefits
      • According to the Common Rule
      • Approved by the IRB
  • Authorization
      • To use or disclose PHI
      • According to the Privacy Rule
      • Reviewed by the Privacy Board or IRB

14
Criteria for Waiver
  • Common Rule
      • No more than minimal risk
      • Not adversely affect rights and welfare of
        subjects
      • Research cannot be conducted without waiver
  • Privacy Rule
      • No more than minimal risk to privacy
      • Plan to protect identifiers
      • Plan to destroy identifiers
      • Written assurance that PHI will not be
        used/disclosed with few exceptions
      • Research cannot be conducted without waiver
      • Research cannot be conducted without this PHI

15
Limited Data Sets
  • A set of data that are not fully de-identified
  • Option for research, public health, and health
    care operations
  • Of the 18 identifiers, can retain:
      • Dates
      • Geographic information (not street address)
      • Other unique identifying numbers,
        characteristics, or codes that are not expressly
        excluded

16
Decedents
  • Common Rule definition of Human Subjects does
    not include decedents
  • Privacy Rule protections extend to identifiable
    information on decedents

17
IRB vs. Privacy Board
  • IRB
      • Approves consent
      • Approves waivers of consent
      • Approves all human subjects research based on
        risk vs. benefits
      • Does not review preparatory to research
      • Can serve as privacy board
      • Does not approve research on decedents
  • Privacy Board
      • Review authorizations
      • Approves waivers of authorization
      • Does not approve human subjects research
      • Reviews preparatory to research
      • Cannot serve as IRB
      • Research on decedents
      • Limited data sets/data use agreements

18
We will cover 3 main topics
  • What is HIPAA and the Privacy Rule?
  • How does the Privacy Rule affect Human Subject
    Research?
  • What do I have to do to comply?

19
If your research involves receiving PHI from a
covered entity WITHIN Syracuse University you
will need to
  • Receive authorization from the patient when
    receiving PHI directly from a covered entity
  • OR
  • Apply to SU's IRB for a Waiver of Authorization
  • SU's IRB will act as Privacy Board for review of
    Authorizations or approval of Waivers
  • SU's IRB Authorization template and Waiver forms
    are on our website at
    www.osp.syr.edu/RegulatoryCompliance.htm

20
If research involves receiving PHI from a Covered
Entity OUTSIDE of Syracuse University you will
need to do one of the following
  • Receive authorization according to the covered
    entity's requirements
  • Apply for an IRB or Privacy Board waiver of
    authorization
  • De-Identify PHI
  • Use of a Limited Data Set with Data Use Agreement
  • Activity preparatory to research
  • Research on decedents' information

21
How does this affect human subjects research at
Syracuse University?
  • All human subject research which involves PHI
    will be subject to the HIPAA Privacy Rule and the
    Common Rule.
  • When the two regulations conflict, the one with
    the higher protection prevails.

22
What won't change?
  • All research involving human subject research
    must still be reviewed by the IRB.
  • The Common Rule (45 CFR 46) still guides this
    research.

23
Recruitment of Research Subjects
  • BEFORE April 14, 2003
      • Business as usual
      • Informed Consent or Waiver
      • NO AUTHORIZATION NEEDED UNTIL APRIL 14, 2003
  • AFTER April 14, 2003
      • Privacy Rule Compliance!
      • Informed consent and authorization or waivers of
        informed consent and authorization

24
Enforcement Provisions in HIPAA
  • Civil Penalties - Fines which may accumulate for
    each type of violation
  • Criminal Penalties - Against entities and
    individuals who intentionally misuse PHI

25
Contact us at the Office of Regulatory Compliance
  • Patty Brundage, Administrative Secretary,
    443-3013
  • Kathy Reinhard, Director, 443-2855
  • e-mail - regcomp@syr.edu
  • Visit our Website @
    www.osp.syr.edu/RegulatoryCompliance.htm

26
THE END FOR NOW!