University of Miami

1

Privacy, Confidentiality &

Security

Marisabel Davalos, M.S.Ed., CIPAssociate Director of Educational Initiatives

November, 2008

University of Miami

2

Institutional Review Board for the Protection of Human Subjects

• Responsible for review, approval and monitoring of human subject research conducted by UM faculty, staff and students

• Includes ensuring compliance with University of Miami HIPAA policies

• Plan must contain elements required under HIPAA

• Documentation of compliance with Covered Entity

source of PHI

University of Miami

3

What is HIPAA?

Health Insurance Portability and Accountability Act (HIPAA)

Effective on April 14, 2003

Federal law that protects the privacy of individually identifiable health information (PHI)

Title 45 of the Code of Federal Regulations Parts 160 and 164

University of Miami

4

Who Must Comply with HIPAA?

Covered Entity – Custodians of PHI They must make a good faith effort to comply with the rule

Three types of “ Covered Entities”

Health Care ProvidersIncludes organizations, individuals such as researchers when they provide health care, e.g. clinical trials

Health Care Plans Insurers and payors

Health Care ClearinghousesBilling services

University of Miami

5

How is UM Approaching HIPAA?

Hybrid Covered Entity

The University is not a covered entity. It is a hybrid entity with certain health care components covered by HIPAA and research components that may not be covered by HIPAA and that fall outside the “covered entity”.

University of Miami

6

UM – Hybrid Entity

Covered Components

Treatment

Payment

Health Care Operations

Non-Covered

Components

Research

Important to Note

• Investigators who do not access or create health information from/with the “covered entity” because they are acting solely as researchers and not health care providers are not considered part of the UM/JHS “covered entity” and are not subject to HIPAA regulations.

• Necessary compliance with State privacy laws and Institutional and IRB policies only.

University of Miami

7

UM Investigators and PHI

• those who create, use, or access health information while providing health care services to research subjects must comply with HIPAA regulations as well as state privacy, institutional and IRB policies.

University of Miami

8

Types of Studies Covered

• Clinical trials

• Chart reviews

• Epidemiological studies

• Behavioral and Social Science Studies

• Some basic science research activities• Studies may include the provision of treatment

but others may provide neither treatment or diagnosis.

University of Miami

9

HSRO Policies & Procedures

• HSRO has “Written Policies and Procedures for the Protection of Human Research Subjects”.

• Section, 24 specific to Privacy, Security, Confidentiality, and HIPAA were revised on August 6th, 2008.

• Policies are available on our website under, “Investigator Resources”.

University of Miami

10

Definitions

• Section 24.2 contains some important terms related to HIPAA.

• PHI – protected health information derived from the past, present, future physical or mental health care of an individual managed by a covered entity

• RHI – Research-related health information, personally identifiable information distinct from PHI by not being associated with or derived from health care or payment for care.

University of Miami

11

Definitions (cont’d).

• Privacy: an individual’s right to be free from unauthorized or unreasonable intrusion into his/her private life and the right to control access to personal information.  • The term “privacy” applies to persons whereas

the term “confidentiality” refers to the treatment of personal information.

University of Miami

12

Definitions (cont’d).

• Security:  the safeguards placed upon the availability, integrity, and confidentiality of information to protect information from unauthorized access, disclosure, misuse and accidental damage.  • Safeguards may be physical, electronic, or

administrative and they may control access, training, computer systems, policies and procedures, physical environment, and behaviors.

University of Miami

13

University of Miami

14

More About PHI

Protected Health Information (PHI) is any individually identifiable information that is transmitted or maintainedin electronic medium, or in any other form or medium

Medical RecordsE.g. Medical History, Diagnosis, Treatment

Payment InformationE.g. Bills, Receipts

Ancillary ServicesE.g. X-Rays, Labs

Demographic Information (When Maintained with Health Information)E.g. Date of Birth, Social Security Number

PRIVACY

University of Miami

15

IRB Privacy Issue Evaluation

• Time and place where information is provided by participants to investigators;

• Nature of the information provided;• Nature of the experience that participant will

undergo from the study;• Who is receiving, accessing, and using the

information;• Participants’s relationship to the investigator;• Presence of others when gathering data.

University of Miami

16

Factors to Determine What is Private to

Individuals• Gender

• Ethnicity

• Age

• Socio-economic status

• Education

• Ability levelUniversity of Miami

17

• Social or verbal skill

• Health status

• Legal status

• Nationality

• Intelligence

• Personality

University of Miami

18

What is De-Identified PHI?

Information that does not identify the individual; andthere is no reasonable basis to believe the information can be used to identify an individual.

University of Miami

19

Remove 18 Specified Identifiers: Name All Geographic Subdivisions Smaller Than a State

(Street, City, County, Precinct, Parish, Zip Code, & their Equivalent Geo-codes Except for Initial 3 Digits of a Zip Code)

All Elements of Dates, Except Year(Admission Date, Discharge Date, Date of Death)

All Ages Over 89 & Dates and Elements Related to such Ages(Unless Aggregated into a Single Category of Age over 90)

How do you De-Identify PHI?

University of Miami

20

How do you De-Identify PHI ?

Telephone & Fax Number E-mail, IP Address & URL Social Security #, Medical Record #, Health

Plan Beneficiary #, & Account # Certificate License #, VIN, Device

Identifiers, & Serial # Full Face Photographs, Biometric Identifiers Any Other Unique Identifying Number,

Characteristic, or Code

University of Miami

21

Research procedures should be carefully designed to limit the personal information to be acquired to that which is minimally necessary and should be administered using procedures that will protect the subject's privacy.

Example: Only the information pertaining to a specific use should be given to researcher.

Minimum Necessary Requirement

University of Miami

22

Responsibilities of The PrincipalInvestigator

• Document research team has completed HIPAA Privacy/Security Training and HIPAA Training for Researchers

• Submit project application to the IRB

• Assume responsibility for compliance with HIPAA

• Maintain logs of all access to, uses of, & disclosures of PHI

• Submit Data Use Agreements to the IRB

SECURITY

University of Miami

23

GENERAL PRINCIPLES• As custodian of a study’s research data, the Principal Investigator shall

ensure compliance with institutional data security policies, HIPAA regulations (if applicable) and the IRB-approved security protocol ;

• The PI must ensure that collaborative research studies involving PHI (or ePHI) from another institution (or under oversight of another IRB) are also approved by the UM IRB prior to receipt of PHI;

• Access to research data (including ePHI) should be restricted and controlled.

• The PI must ensure locks on files or  password or other protections (as applicable) (note – access  to e PHI must be by password)

• The PI must ensure that research data is accessed and used only by personnel authorized by the IRB (as approved study personnel) for such research activity. 

University of Miami

24

Security, Section 24.6• All research data (including PHI) must be secured

and protected, as reasonable, against breaches in confidentiality, unpermitted uses and disclosures.

• HIPAA standards also apply after project completion when computers, devices, and/or media are destroyed or reformatted for other uses.

• Provides important requirements and methods to assure security of all research data.

• Additional requirements for ePHI (electronic PHI).

University of Miami

25

Security, Section 24.6

• Specifically addresses concerns and safeguards for when dealing with ePHI, securing paper records, securing faxes, and unanticipated problems and reportable events related to breaches in ePHI

University of Miami

26

Security, Section 24.6• Paper records: PHI must be stored

using locked filing system within a locked office or storage room.

• Shredding is required to discard printed materials with direct identifiers.

• Paper-based PHI should not be carried/sent unless necessary for research purposes.

University of Miami

27

Confidentiality, Section 24.7

• Studies must include appropriate strategies to protect the identity of human subjects and the confidentiality of his/her research records.• Examples: personality inventories, interviews,

questionnaires, observations, photos and film, tape recordings, and stored data.

University of Miami

28

Certificates of Confidentiality

• In certain circumstances involving civil, criminal, administrative, legislative, or other proceedings at the federal, state, or local level, PIs and Institutions may be compelled to release information that could identify subjects within a research study.

• Certificates of Confidentiality protect PIs and Institutions from having to divulge this information.

University of Miami

29

Certificates of Confidentiality – Cont’d.

• Certificates of Confidentiality are provided by the National Institutes of Health and are awarded whether a research study is federally funded or not.

University of Miami

30

University of Miami

31

Who do I contact about HIPAA Questions for Research?

• Evelyne Bital, MS, CIP• Associate Director of Privacy & Regulatory

Affairs, (305) 243-3195• e-mail: ebital@med.miami.edu

• For general HIPAA information or to access standard HIPAA forms for research: hsro.med.miami.edu

University of Miami

32

References

• Federal Regulations for HIPAA 45 CFR 160 and 45 CFR 164

• University of Miami HIPAA Policies and Procedures

http://www.hhs.gov/ocr/hipaa/

http://www.hipaadvisory.com/

http://www.hipaadvisory.com/regs/

University of Miami

33

Questions?