
HIPAA Privacy Rule

Paul Below, Clinical Research Consultant


Training Objectives

• Overview of the HIPAA Privacy Rule and its impact on clinical research

• Quiz


Disclaimer / Disclosure

• This presentation is intended for educational and informational purposes only and should not be construed to be legal advice

• The presenter does not have a significant equity interest in any of the companies mentioned in the following slides


What is HIPAA?

• HIPAA stands for “Health Insurance Portability and Accountability Act of 1996”

• Lengthy federal statute that addresses a variety of health care issues

• Original intent of the law was to allow individuals to carry their health insurance plans to new jobs

• Scope expanded to include such items as Medicare fraud and simplifying the electronic exchange of information to expedite payments


HIPAA Privacy Rule

• HIPAA Title II (Administrative Simplification) mandated creation of standards to protect health information privacy

• HHS created regulations – Standards for Privacy of Individually Identifiable Health Information – a.k.a., the “Privacy Rule”

• Compliance with the rule for most was required by April 14, 2003

HIPAA Legislation

HIPAA Act (1996)

• Title II (Administrative Simplification)

• Transaction Standards

• Standard Code Sets

• Unique Health Identifiers

• Privacy (Sec 264), implemented as the Privacy Rule, 45 CFR Parts 160 & 164, enforced by the HHS Office for Civil Rights

• Security Standards

• Electronic Signatures

Source: “HIPAA Primer”, E. Rusnik, Research Practitioner, Nov-Dec 2002, Vol. 3, No. 6, pgs 201-212.


Privacy National Standard

• The Privacy Rule is a national standard that creates a “floor” for privacy protections

• It preempts contrary state laws that provide lesser protections; state laws that are more stringent remain in force

• It does not replace other laws (federal, state) that grant additional privacy protections (e.g., alcohol/drug treatment, STD, HIV/AIDS, genetics, child abuse reporting)

• Institutions can adopt more protective policies and practices

Why is the Privacy Rule Needed?

• A banker who also served on his county health board cross-referenced patient information with his customer accounts. He called due the mortgages of anyone diagnosed with cancer (The National Law Journal, May 30, 1994, p. A1)

• Other examples of medical privacy violations in the news are available at the Health Privacy Project website (www.healthprivacy.org/usr_doc/privacystories814.pdf)

Privacy Rule General Provisions

• The Privacy Rule imposes limits on the ways that health care insurers and providers (“covered entities”) may use or disclose health information for a variety of purposes

• Patients gain rights over their health information and more control over its use (privacy rights)

• In some cases, the patient's written authorization is required prior to the use or disclosure of their “protected health information”

Individual Privacy Rights

• Right to access (inspect and copy) medical records

• Right to amend medical records

• Right to request restrictions on disclosures

• Right to revoke an authorization for use or disclosure

• Right to an accounting of disclosures made within the previous 6 years

Institutional Obligations

• Have written privacy policies, including a description of which staff have access to protected health information, how it will be used, and when it may be disclosed

• Must train their employees in their privacy procedures

• Must designate an individual to be responsible for ensuring the privacy policies are followed (Privacy Officer)

HIPAA Vocabulary

• Covered Entities

• Business Associates

• Protected Health Information

• De-identified Data

• Notice of Privacy Practices

• Authorization Form/Clause


Covered Entities

• Definition = A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with certain defined transactions (health care claims, payment, plan enrollment, referrals, coordination of benefits, etc.)

• Only Covered Entities are required to adhere to the Privacy Rule


Covered Entities (cont)

• Sponsors are not Covered Entities simply by virtue of sponsoring clinical research and are not technically regulated under HIPAA

• However, almost all clinical trial data is health information created by covered entities so sponsors must be aware of HIPAA compliance in order to be able to use the data


Business Associate

• Definition = External individuals or entities that perform a service on behalf of a Covered Entity (not members of their workforce)

• Includes legal, accounting, management, consulting, administrative, data aggregation, and financial services that create or access PHI

• Examples: web-hosting or data storage companies, third party billing companies, third parties assisting with recruitment or screening


Business Associate (cont)

• Generally does not include outside researchers, sponsors or coordinating & statistical centers

• The Privacy Rule does not prohibit a covered entity from entering into a business associate contract with a researcher or sponsor


Business Associate (cont)

• Clinical trial sites will likely seek assurances from sponsors through provisions in their clinical trial agreements that all data recipients will protect the privacy of the research data and will use such data only for agreed upon purposes


Research & HIPAA

• Research Definition = systematic investigation including development, testing, and evaluation, designed to develop or contribute to generalizable knowledge (includes development of research repositories and databases)

• Research is a function not directly regulated by the Privacy Rule

• Researchers are covered entities if they are also health care providers that electronically transmit personally identifiable health information


Protected Health Information (PHI)

• Definition = any health information that is “individually identifiable” and is transmitted or maintained in any form or medium

• Data that is de-identified is not protected by the Privacy Rule


Data De-Identification

De-identified data is not PHI if it does not contain the following 18 identifiers:

1. Names
2. Geographic subdivisions smaller than State
3. Dates (except year) related to the patient, and all ages over 89
4. Telephone numbers
5. Fax numbers
6. E-mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers & serial numbers
13. Device identifiers & serial numbers
14. Web URLs
15. Internet Protocol (IP) addresses
16. Biometric identifiers (finger, voice prints)
17. Full face photos
18. Any other unique identifying numbers or codes

This is the “safe harbor” method of 45 CFR 164.514(b). It also requires that the covered entity have no actual knowledge that the remaining information could be used to identify the individual. The alternative is a documented determination by a qualified expert that the risk of re-identification is very small.
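The 18-identifier list is a removal technique, so here is a small added example of applying it to one record and then re-checking the result. This code was written for this page; it is not from the presentation or from any HHS tool. The field names, the regular expressions and the sample record are all assumptions constructed for the example. It drops direct-identifier fields, reduces dates to the year, aggregates ages over 89, tags identifier-looking strings in free text, and reports which categories are still detectable, which is the gate a practitioner wants before calling a dataset de-identified.

```python
"""Safe-harbor style de-identification of a single patient record.

Added illustration: the field names, regexes and sample record below are
assumptions for this example, not part of any real system or of the
Privacy Rule itself.
"""
import re

# Record fields treated as direct identifiers (safe-harbor categories 1-2
# and 4-17). The names are assumed for the constructed sample record below.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Heuristic patterns for identifiers that leak into free-text fields such as
# clinical notes. These are detectors, not proof of absence: category 18
# ("any other unique identifying number or code") cannot be matched by a regex.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-. ])\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def scrub_text(text: str) -> str:
    """Replace identifier-looking substrings in free text with category tags."""
    for category, pattern in TEXT_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


def generalize_date(iso_date: str) -> str:
    """Keep only the year of an ISO 8601 date string (category 3)."""
    return iso_date[:4]


def generalize_age(age: int):
    """Ages over 89 must be aggregated into a single '90+' category."""
    return "90+" if age > 89 else age


def deidentify(record: dict) -> dict:
    """Return a copy of `record` with safe-harbor identifiers removed or generalized.

    Direct-identifier fields are dropped outright, *_date fields are reduced
    to a year, ages over 89 are capped, and remaining strings are scrubbed.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key.endswith("_date"):
            out[key[: -len("_date")] + "_year"] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """List identifier categories still detectable in `record`.

    Use as a release gate: an empty list means none of the checked
    categories was found, not that the data is guaranteed de-identified.
    """
    found = {key for key in record if key in DIRECT_IDENTIFIER_FIELDS}
    for value in record.values():
        if isinstance(value, str):
            found.update(c for c, p in TEXT_PATTERNS.items() if p.search(value))
    return sorted(found)


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0044821",
    "zip": "10027",
    "age": 91,
    "admission_date": "2002-11-03",
    "diagnosis": "C50.9",
    "note": "Pt called from 212-555-0142, email jane.doe@example.com on 11/03/2002.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

An empty residual list is necessary, not sufficient: the regexes are heuristics, category 18 cannot be pattern-matched, and the rule's no-actual-knowledge condition is a judgment the code cannot make for you.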

Permitted Uses of PHI

• Covered entities are permitted to use and disclose PHI without authorization for such things as:

• Treatment, payment, healthcare operations

• Public health uses

• When required by law

• Except for treatment, such uses and disclosures are limited to the “minimum necessary” PHI

• Patients must be given a “Notice of Privacy Practices”

Notice of Privacy Practices

• Describes permitted uses and disclosures of PHI for treatment, payment, healthcare operations, public health uses, and uses by oversight agencies

• If the covered entity is a provider, it must make a good faith effort to obtain written acknowledgement of receipt

• Covered entities that want to use and disclose patient information for research must include this intent in their privacy notice

Permitted Uses (cont)

• Research is not considered “treatment” and requires a special authorization for PHI use

• Quality assurance, utilization management and quality improvement studies are all permitted activities that fall under “health care operations” but can be a grey area


Authorization Form/Clause

• Authorization grants permission to a Covered Entity to use and disclose PHI to a researcher

• Authorizations are generally protocol-specific

• Although authorization to use PHI is similar to informed consent and will generally be obtained during the consent process, it has different purposes and requirements


HIPAA Authorization vs. Informed Consent

Authorization

• To use and disclose protected health information

• Driven by the Privacy Rule

• IRBs/Privacy Boards can grant a waiver to allow PHI use without authorization

• May be reviewed by an IRB or Privacy Board

Informed Consent

• To participate in the research based on the risks and benefits

• Driven by FDA regulations

• IRBs can waive consent requirements for minimal risk or emergency research

• Reviewed and approved by an IRB

Authorization (cont)

• Authorization may be combined with the informed consent form or may be a separate document

• If separate documents, information must be consistent between the two

• The Privacy Rule does not require IRBs to review and approve stand-alone HIPAA authorization forms (however, some IRBs may still require approval of authorization forms)


IRB Approval of Authorization Forms

A recent letter from OCR clearly states that IRB review and approval of a stand-alone HIPAA authorization is not required under the Privacy Rule.

The ICH guidance that the IRB approve all written materials provided to subjects does not extend to HIPAA authorizations; reading it that way is a “misinterpretation”.

Source: Letter from the Office for Civil Rights, 15 April 2003, to the International Pharmaceutical Privacy Consortium

Authorization (cont)

• Authorizations can be created by the covered entity or by a third party (such as the sponsor)

• Responsibility for ensuring research authorization is accurate rests with the sites

• Must include specific elements defined in 45 CFR 164.508 and be in “plain language”


Required Elements

• A meaningful description of the PHI and each purpose for the use and disclosure

• Name of the person(s) or class of persons authorized to make the disclosure

• Name of the person(s) or class of persons to whom the PHI may be disclosed (all users of the PHI)

• Expiration date or event (for research, can be “end of the research study” or “none”)

• A statement about what may happen if the authorization is not signed (for research, it is permissible to condition trial participation on signing)

Required Elements (cont)

• Instructions on how to revoke the authorization

• Revocation must be in writing

• If a research authorization is revoked, previously collected PHI can still be used if it is needed to maintain the integrity of the study (account for subject withdrawals, adverse events, support FDA submissions)

• A statement that once information has been disclosed under the authorization, the recipient may redisclose it and it may no longer be protected by the Privacy Rule

• Signature of the individual and date

Authorization (cont)

• HIPAA has a “grandfather” clause if the subject signed an IRB-approved informed consent form prior to 14 April 2003

• Investigators are not required to obtain an authorization for use/disclosure of PHI from these subjects unless the subjects must be re-consented after the Privacy Rule compliance date

Authorization Exceptions

• Authorization is not required in research when:

• PHI is used for activities “preparatory to research” (e.g., preparing a protocol, identifying prospective subjects for recruitment)

• The research involves only decedents’ PHI

• Researchers must “represent” to the Covered Entity that the PHI use is:

• Necessary for the research purpose

• Not going to be removed from the Covered Entity’s premises (preparatory-to-research exception)

• Only for the stated activity

Exceptions (cont)

• Authorization is not required in research when a treating physician or members of the Covered Entity’s workforce do the following:

• Discuss research with their own patients

• Review their own patient records to determine patient eligibility

• Contact their own patients for study recruitment


Exceptions (cont)

• Third parties can review PHI preparatory to research but cannot contact potential subjects or record contact information without a “waiver of authorization”


Waiver of Authorization

• Requires IRB or Privacy Board approval

• Applicable to registry and database studies and to external researchers involved in recruitment

• Required criteria for waiver:

• Use or disclosure of PHI involves no more than minimal risk to subject privacy (written assurance and an adequate plan for protecting the identifiers)

• Research could not practicably be conducted without the waiver and without access to and use of the PHI (cost can be a consideration)

Research Databases

• Authorization or waiver is required to use PHI in a database for future research (unless the database is limited to decedents’ PHI)

• If database is not maintained by a Covered Entity, authorization must indicate that PHI is not protected by the Privacy Rule and can be redisclosed without notice

• If database is maintained by a Covered Entity, use for a particular study requires a new, protocol-specific authorization or waiver


HIPAA References

• Standards for Privacy of Individually Identifiable Health Information - Final Rule (Amended), Federal Register, 67: 53185-53273; 14 August 2002

• “Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule,” NIH Publication No. 03-5388, April 2003

• “HIPAA and Human Subjects Research: A Question & Answer Reference Guide,” M. Barnes and J. Kulynych, Barnett International, March 2003


HIPAA Website Resources

• Department of Health and Human Services – Office for Civil Rights (www.hhs.gov/ocr/hipaa/)

• DHHS – HIPAA Privacy Rule and Research (http://privacyruleandresearch.nih.gov/)

• Atlantic Information Services, Inc. (www.aishealth.com)

• Phoenix Health Systems (www.hipaadvisory.com)

• Georgetown University – Health Privacy Project (www.healthprivacy.org)



HIPAA Quiz - #1

What kinds of research are covered by HIPAA?

A. Clinical trials only

B. Research funded by the federal government only

C. Epidemiologic research based on research records only

D. Any research done by a covered entity that uses PHI

Answer: D. The Privacy Rule covers categories of research that might even be considered exempt by HHS/FDA standards

HIPAA Quiz - #2

All ongoing research subjects who are active in a clinical study after 14 April 2003 must sign a HIPAA authorization.

A. True

B. False

Answer: B (False). The HIPAA grandfather clause applies to subjects who signed an IRB-approved informed consent before 14 April 2003

HIPAA Quiz - #3

The Privacy Rule requires that a HIPAA authorization form (if separate from the informed consent form) must be reviewed by the IRB or Privacy Board.

A. True

B. False

Answer: B (False). Recent HHS guidance says it is not necessary, although some IRBs will still require it

HIPAA Quiz - #4

Revocation of a HIPAA authorization does not require a sponsor to remove the subject’s data that has already been collected from their database.

A. True

B. False

Answer: A (True). HHS allows PHI that has already been collected to be used as necessary for the NDA

HIPAA Quiz - #5

Revocation of a HIPAA authorization does not necessarily require a subject to withdraw from the study if they have not also withdrawn informed consent.

A. True

B. False

Answer: B (False). They must be withdrawn because no further PHI can be collected from them

HIPAA Quiz - #6

Protected health information may be disclosed without authorization or waiver to government agencies as required by law.

A. True

B. False

Answer: A (True). For example: child abuse and neglect reporting to local health authorities, AE reporting and product defect reporting to FDA, security reporting to the Department of Homeland Security

HIPAA Quiz - #7

Only the treating physician or members of the Covered Entity’s workforce may contact their patients to discuss potential participation in a study.

A. True

B. False

Answer: B (False). Third-party researchers may also do so, but only with a partial waiver of authorization

HIPAA Quiz - #8

Pharmaceutical companies are considered Business Associates when sponsoring clinical trials with Covered Entities.

A. True

B. False

Answer: B (False). Some Covered Entities will request this, but it is not recommended; nothing prohibits this kind of agreement between sponsors and investigator sites