Welcome to the HIPAA Privacy, Security and HIPAA Research Training Session Presented by: Nova Southeastern University’s Office of Compliance and Nova Southeastern University’s Office of Innovation and Information Technology


Page 1

Welcome to the HIPAA Privacy, Security and HIPAA Research Training Session

Presented by: Nova Southeastern University’s Office of Compliance and Nova Southeastern University’s Office of Innovation and Information Technology

Page 2

HIPAA PRIVACY – MODULE 1

Page 3

Our Commitment to Privacy

Nova Southeastern University is committed to protecting the privacy and integrity of our patients’ health information. The HIPAA Privacy Rule and Security Rule recognize the importance and value of this commitment. This training session will help us continue to do our part in protecting privacy.

Page 4

HIPAA Overview

This training session provides a basic overview of HIPAA and reminders of Nova Southeastern University’s (NSU) HIPAA Privacy, Security and Research policies, and of how you, as a student, employee, researcher or health care provider, are required to protect PHI.

Page 5

HIPAA Overview

HIPAA is an acronym for the Health Insurance Portability & Accountability Act of 1996 (45 C.F.R. parts 160 & 164).

HIPAA provides a framework for nationwide protection of an individual’s health information, for the security of electronic health record systems, and for standards and requirements governing the electronic transmission of health information.

Page 6

HIPAA Overview

Patients coming to our NSU Health Care Centers/Clinics for care expect the information they share with us to be protected from unnecessary exposure.

This information is referred to as Protected Health Information (PHI).

HIPAA regulations require that NSU provide education for all Health Care Center/Clinic students, employees, researchers and health care providers regarding the privacy and security of patient information (PHI).

Page 7

HIPAA Overview

Most of us think of a patient’s confidential information as including only their medical information.

That concept has changed! Medical information is still protected, but now the patient’s billing information and demographic information are protected as well.

Page 8

HIPAA Overview

The Privacy Rule gives patients more control over their Protected Health Information (PHI). So you need to know:

• Patients’ rights regarding their PHI;
• Key terms and general rules that you can apply; and
• When you can share patient information and when there are limits to what can be used or shared.

Page 9

HIPAA Overview

The Privacy Rule sets the standards for how Covered Entities and Business Associates are to maintain the privacy of Protected Health Information (PHI).

The Security Rule defines the standards which require covered entities to implement basic safeguards to protect electronic Protected Health Information (e-PHI).

Page 10

Glossary of Terms

Covered Entities:

• A health care provider who transmits Protected Health Information (PHI) electronically for any covered HIPAA transactions;
• A health plan; and
• A health care clearinghouse.

All Covered Entities, along with their Business Associates (that use or access patient information on the Covered Entity’s behalf), are subject to HIPAA.

Page 11

Glossary of Terms

Protected Health Information (PHI): PHI is health information about a patient that is created or received by a health care provider or health plan. PHI includes information:

• Sent or stored in any form (written, verbal, electronic);
• That identifies the patient or can reasonably be used to identify the patient;
• That generally is about a patient’s past, present and/or future treatment and payment for services.

Page 12

PHI Contains Patient Identifiers

• Names
• All geographic subdivisions smaller than a state (street address, city, county)
• For dates directly related to the individual, all elements of dates except year
• All ages or dates indicating an age over 89
• Telephone numbers
• Fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health plan numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers

Page 13

PHI Contains Patient Identifiers (Cont’d)

• Web universal resource locators (URLs)
• Internet Protocol (IP) addresses
• Biometric identifiers, including finger and voice prints
• Full face photographic images and other comparable images, and
• Any other unique identifying number, characteristic or code
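The identifier list above is exactly what a de-identification step has to strip or generalize before PHI may be used outside the Covered Entity. The following Python is an added example, not part of the NSU training deck: it applies the list to a record, drops the fields that are identifiers outright, keeps only the year of dates, collapses ages over 89 into one group, and then re-checks the output. The field names and the sample record are constructed for this illustration.

```python
import re

# Fields whose whole value is an identifier from the list and must be dropped.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "zip",        # geography below state level
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
}

# Identifier shapes that tend to hide inside free-text notes. Names, record
# numbers and other unstructured identifiers have no fixed shape and still
# need manual or NLP review; this covers only the pattern-shaped ones.
FREE_TEXT_PATTERNS = [
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[PHONE]", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("[IP]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("[URL]", re.compile(r"https?://\S+")),
]
# ISO dates: every element except the year is an identifier, so keep the year.
DATE_PATTERN = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")
DATE_FIELDS = {"dob", "visit_date"}          # assumed field names


def generalize_date(value: str) -> str:
    """Reduce an ISO date to its year; anything unparseable is replaced outright."""
    m = DATE_PATTERN.fullmatch(value)
    return m.group(1) if m else "[DATE]"


def generalize_age(age: int) -> str:
    """Ages over 89 are identifiers; collapse them into a single '90+' group."""
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Replace pattern-shaped identifiers in free text, keeping only the year of dates."""
    for label, pat in FREE_TEXT_PATTERNS:
        text = pat.sub(label, text)
    return DATE_PATTERN.sub(r"\1", text)


def deidentify(record: dict) -> dict:
    """Return a copy of ``record`` with the listed identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                          # drop the field entirely
        if key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)      # state, diagnosis, notes ...
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Post-scrub check: (field, label) pairs whose text still matches a pattern."""
    hits = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pat in FREE_TEXT_PATTERNS + [("[DATE]", DATE_PATTERN)]:
            if pat.search(value):
                hits.append((key, label))
    return hits


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "123 Example Ave",
    "city": "Example City",
    "county": "Example County",
    "state": "FL",
    "dob": "1931-04-17",
    "age": 93,
    "visit_date": "2024-06-03",
    "phone": "954-555-0100",
    "email": "jane@example.org",
    "mrn": "MRN-0001234",
    "ip_address": "203.0.113.7",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": "Pt called 954-555-0100 on 2024-06-03; email jane@example.org for follow-up.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The residual check is the part worth keeping in a real pipeline: a record that still matches any pattern after scrubbing should be held back for review rather than released.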

Page 14

Glossary of Terms

Clinic HIPAA Liaison: The University complies with the Privacy Regulations by designating a Privacy Officer who is responsible for the development and implementation of the HIPAA Privacy Policies and Procedures of the University. In addition, Clinic HIPAA Liaisons are designated by each Covered Entity to work with the Privacy Officer on policy and procedural issues. The Clinic HIPAA Liaisons also receive requests by patients for access, amendment, appeals and accountings of disclosures regarding their clinical records.

Page 15

Glossary of Terms

Treatment, Payment and Operations (TPO):

• Treatment [T]: Various activities related to patient care.
• Payment [P]: Various activities related to paying for or getting paid for health care services.
• Health Care Operations [O]: Generally refers to the day-to-day activities of a covered entity, such as management, training, improving quality, providing services and education.

NOTE: Research is not considered TPO. Written authorization is required to access PHI for research, unless an exception to the requirement is met.

Page 16

Glossary of Terms

Business Associate (BA): A person or organization (vendor) that is not a member of the University’s workforce; AND performs or assists in the performance of the University’s operations or activities involving Protected Health Information (PHI); AND is a vendor that contracts with the University for provision of services that are typically done by the provider (e.g., NSU Health Care Centers).

Page 17

Glossary of Terms

Business Associate Agreement (BAA): An agreement that the privacy regulations require all Covered Entities to have with vendors that provide a service for them involving PHI.

Page 18

Business Associates Examples

Examples of vendors that are BAs:

• Technical vendors who have access to computer systems or databases containing PHI;
• Accreditation organizations;
• Temporary agencies who place personnel in areas where they may have access to PHI;
• Record storage facilities;
• Lawyers, accountants, consultants.

Page 19

Business Associates Examples

Examples of vendors that are not BAs:

• Vendors who have only incidental access to University PHI (e.g., janitorial companies);
• Other Covered Entities who receive NSU Health Care Center PHI but only for treatment purposes (e.g., other health care providers, hospitals, labs);
• Manufacturers or distributors who require PHI, but only for FDA reporting purposes (adverse event reporting);
• Vendors who receive only de-identified information.

Page 20

Business Associates Obligations

The Business Associate (BA) obligations include:

• Report any use or disclosure of the PHI not allowed under the Business Associate Agreement.
• Ensure that any of the BA’s agents, subcontractors, etc. agree to the same restrictions and conditions contained in the Business Associate Agreement.
• Make available to the Department of Health and Human Services internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by them on behalf of, the Covered Entity.

Page 21

Glossary of Terms

Minimum Necessary Rule:

• When using or disclosing PHI or requesting it from another organization, we must make reasonable efforts to limit it to the smallest amount needed to accomplish the task.
• If the entire chart is not required, only ask for the information you need.
• For health care operations of NSU such as quality improvement and teaching, de-identified information should be used when possible, and the minimum necessary amount of information shared.
• Exceptions to Minimum Necessary include disclosures to or requests by a health care provider for treatment purposes.
• Follow the simple “need to know” rule.

Page 22

Glossary of Terms

“Use” of PHI:

• Use of PHI refers to how PHI is internally accessed, shared and utilized by the Covered Entity. For NSU Covered Entities, “use” refers to accessing, sharing, and utilizing PHI within the applicable Covered Entity.

“Disclosure” of PHI:

• Disclosure of PHI refers to how PHI is shared with individuals or entities externally. For NSU Covered Entities, “disclosure” refers to sharing PHI with others outside of (external to) the applicable Covered Entity.

Page 23

Glossary of Terms

Personal Representatives:

• Individuals who have the authority under Florida law to act on behalf of a NSU Covered Entity patient for purposes of health care decisions are personal representatives under the HIPAA Privacy Rule.
• This means that with respect to NSU Health HIPAA policies, procedures and forms, a patient’s personal representative shall “stand in the shoes” of the patient.

Page 24

Who is covered by HIPAA?

The HIPAA Privacy Rule applies to Protected Health Information (“PHI”) flowing from a Covered Entity (“CE”) and covered components of a hybrid entity.

It is important to understand which individuals/organizations qualify as a CE and/or covered components of a hybrid entity.

Page 25

Who is covered by HIPAA?

NSU has been designated as a special type of CE called a hybrid entity under the HIPAA Privacy Rule.

For the purposes of implementing HIPAA, NSU has both covered and non-covered units.

For example, NSU provides healthcare services but also has other functions, such as education and research.

Covered Health Care Components of a hybrid entity such as NSU may not use or disclose PHI for research purposes unless an Authorization has been obtained, or an exception to the requirement is met.

Page 26

What is an Authorization?

• A written permission signed by the patient or the patient’s personal representative (e.g., a parent) to allow a Covered Entity to Use or Disclose a patient’s PHI for reasons generally not related to Treatment, Payment or Healthcare Operations (TPO purposes).
• The Authorization must include: a detailed description of the PHI to be disclosed, who will make the disclosure, to whom the disclosure will be made, the expiration date, and the purpose of the disclosure.
• Contact the NSU Office of Compliance or your Clinic HIPAA Liaison to determine the appropriate authorization form needed for your purpose.

Page 27

Notice of Privacy Practices

Notice of Privacy Practices (NPP): HIPAA requires NSU’s Covered Entities to:

– Give each patient a copy of our Notice of Privacy Practices (NPP), which provides a detailed description of the various uses and disclosures of PHI that are permissible without obtaining a patient’s authorization.
– Except in emergencies, make a good faith effort to obtain written acknowledgement by the patient or their personal representative that the patient received the NPP.
– Request every patient to sign a written Acknowledgment that he/she has received the NPP.
– If unable to obtain acknowledgment, document the attempt.

Page 28

Notice of Privacy Practices

The NPP needs to be given only once to a patient. However, if a patient requests another copy of the HIPAA Notice, it must be provided to the patient as requested.

Unlike informed consents and similar documents, providing the NPP is not a continuing obligation.

Page 29

Notice of Privacy Practices

A patient who has been provided NSU’s NPP can request an additional copy at another visit. However, if revisions are made to the NPP, the revised NPP must be made available in the NSU Covered Entity upon request of patients.

Page 30

Notice of Privacy Practices

Under the Privacy Rule, each Covered Entity location is also responsible for posting a copy of the HIPAA Notice in a prominent location where patients can view it, such as in the waiting room.

Page 31

Notice of Privacy Practices

To get your copy… Visit the Office of Compliance website at http://www.nova.edu/cwis/ccd/hipaa/index.html

Or call the NSU Privacy Officer at 954-262-4302 to request a copy or ask questions.

Page 32

Types of Uses and Disclosures

Types of Uses and Disclosures:

1. No Authorization Required (e.g., TPO)
2. No Authorization Required, but Must Give Opportunity to Object
3. Authorization Required

Page 33

Types of Uses and Disclosures

No Authorization is required to make the following disclosures:

• To disclose PHI to the patient;
• To use or disclose PHI for treatment, payment or healthcare operations; and
• Certain disclosures required by law (for example, public health reporting of disease, etc.)

Page 34

Uses and Disclosures of PHI for Treatment, Payment and Health Care Operations (TPO)

The HIPAA Privacy Rule allows health care providers such as NSU’s Covered Entities to use and disclose a patient’s PHI without obtaining an Authorization for purposes of:

• Treating the patient;
• Getting paid for services provided to the patient; and
• Conducting the operations of the Covered Entity.

Page 35

Uses and Disclosures of PHI for Treatment, Payment and Health Care Operations (TPO)

Although PHI can be used and disclosed for these routine purposes without obtaining an Authorization from a patient, NSU’s Covered Entity staff, students and health care providers are still responsible for only using and disclosing the minimum necessary PHI to accomplish the task at hand.

Page 36

Uses and Disclosures of PHI for Treatment, Payment and Health Care Operations (TPO)

Examples of uses and disclosures involving PHI that are considered part of treatment, payment or health care operations are:

• A health care provider discusses the patient’s condition with another consulting health care provider;
• A health care provider submits a bill to a health insurance plan;
• Uses of patient information in connection with quality assurance activities; and
• Use of patient information in connection with operating student training programs within the NSU Covered Entity(s).

Page 37

Use of PHI in Education

The HIPAA Privacy Rule allows health care providers, staff, and students to use and disclose Protected Health Information (“PHI”) without a patient’s written authorization for purposes related to treatment, payment, and health care operations.

It further defines “health care operations” to include: “to conduct training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.”

Page 38

Use of PHI in Education

As such, the NSU Covered Entity health care providers, staff and students can use PHI, without a patient’s written HIPAA Authorization, to teach clinical students or trainees, subject to the following guidelines:

• The Use and Disclosure Must Be Internal: The PHI must stay within the NSU Covered Entity.
• It cannot be shared outside the NSU Covered Entity at professional meetings, conferences, lectures, classroom activities or educational journals.

Page 39

Use of PHI in Education

NSU Covered Entity health care providers, staff and students may not use PHI in any classroom activities, individual and/or small peer group supervision sessions, research, case studies, articles, industry conferences/lectures, posters, fliers, or any other material or media unless:

The PHI is de-identified in accordance with HIPAA De-Identification Standards, or…

Page 40

Use of PHI in Education

Continued: The health care provider seeks the patient’s permission, and the patient signs the applicable HIPAA-compliant authorization. For example:

• Authorization for Use and Disclosure of Information for Educational and Related Purposes
• Authorization for Audio/Visual Recordings and Observation for Supervisory Purposes
• HIPAA Authorization for Use and Disclosure of Protected Health Information in Research

Page 41

Use of PHI in Education

NSU Covered Entity staff, students and health care providers are responsible for complying with the NSU Use of PHI in Education HIPAA Privacy policies implemented at the Covered Entity.

Any questions regarding the policies should be directed to your NSU Clinic HIPAA Liaison or the NSU Privacy Officer.

Page 42

Disclosures of PHI to Family Members and Friends

No Authorization is required, but you must offer the opportunity to object:

• The patient must be offered an opportunity to object before PHI is discussed with the patient’s family or friends;
• Before discussing patient information in an exam room, ask the patient if it is okay to discuss information in front of the patient’s family member or friend.
• Alternatively, you can ask the family member or friend to leave, especially if the information is highly confidential.

Page 43

Disclosures of PHI to Family Members and Friends

If the patient does not object, the NSU Covered Entity may disclose the patient’s health information to the following persons if they are involved in the patient’s health care or payment of health care, provided that the information is relevant to the person’s involvement with the patient:

• family member
• relative
• close personal friend
• other person identified by the patient as being involved in the patient’s health care or payment of health care

Page 44

Disclosures of PHI to Family Members and Friends

Exceptions to the opportunity to object. Patients must be given the opportunity to object to all disclosures made to family members, friends, relatives, personal representatives and caregivers unless:

• A health care provider can infer from the circumstances that the patient would not object;
• A health care provider determines in the exercise of his/her professional judgment that it is in the best interests of the patient to make the disclosure; or
• The NSU Covered Entity is assisting with disaster relief efforts and providing an opportunity to object would hamper these efforts.

Page 45

Disclosures of PHI Under Special Circumstances

In implementing the HIPAA Privacy Rule, the government recognized that unobstructed access to patient information for certain public health and similar activities is necessary.

Accordingly, the HIPAA Privacy Rule allows health care providers to disclose a patient’s PHI under special circumstances without obtaining a written HIPAA Authorization from the patient.

Page 46

Disclosures of PHI Under Special Circumstances

For example, PHI can be disclosed in the following special circumstances without obtaining a written HIPAA Authorization from the patient:

• The disclosure is required by law;
• The disclosure is to a public health authority that is authorized by law to collect or receive information for the purpose of preventing/controlling disease or injury;

Page 47

Disclosures of PHI Under Special Circumstances

The HIPAA Privacy Rule also requires that these special circumstances disclosures be documented, as patients have the right to request an accounting of such disclosures.

Page 48

Disclosures of PHI Under Special Circumstances

Due to the sensitive nature of the requests and the particular Florida law reporting requirements that may accompany the disclosures, all requests for these types of disclosures should be referred to your Clinic HIPAA Liaison.

Page 49

Uses and Disclosures of PHI Requiring HIPAA Authorizations

Certain circumstances require the Covered Entity to obtain a signed HIPAA Authorization from the patient prior to using or disclosing their PHI.

For example, an authorization is needed in connection with:

• Disclosures of medical information made to life insurance or disability insurance companies;

Page 50

Uses and Disclosures of PHI Requiring HIPAA Authorizations

Examples Continued:

• Disclosures of medical information made to a school, camp or other activities;
• To access, use or disclose PHI for research (unless an exception is met);
• Use of PHI for marketing.

Page 51

Patient Right of Access

WHAT RECORDS DOES THE PATIENT HAVE A RIGHT TO ACCESS?

– Patients have the right to access any health information that has been used to make decisions about their health care at any facility.
– Patients may review the paper chart (supervised) or be provided a hard copy.

Page 52

Patient Right of Access

WHAT RECORDS DOES THE PATIENT HAVE A RIGHT TO ACCESS? (CONT’D)

– The health care provider can require that the patient put their request in writing (e.g., completing the NSU Authorization for Use and Disclosure of Protected Health Information);
– The health care provider is permitted to charge a fee for making copies of the patient record.

Page 53

Patient Right of Access – Electronic Records

If health information is maintained electronically, the patient may request an electronic copy.

The NSU Covered Entity can provide the patient with an electronic copy of his or her health information on a CD and/or DVD, as applicable.

Patients are not permitted to log into or inspect their electronic medical record!

Page 54

Can I Access My Family Member’s, Friend’s, or Co-Worker’s PHI?

Employees may not access, either through the NSU information systems (e.g., NextGen, Axium or QS1) or through the patient’s medical record, the medical and/or demographic information of family members, friends, or other individuals for personal or other non-work related purposes, even if written or oral patient authorization has been given.

Page 55

Denials of Requests for Medical Records

CAN THE HEALTH CARE PROVIDER DENY THE PATIENT’S REQUEST FOR MEDICAL RECORDS?

– Yes, in limited circumstances. A patient may be denied access under certain circumstances (e.g., when a patient might physically endanger him or herself or others).

Denials of Requests for Medical Records

CAN THE HEALTH CARE PROVIDER DENY THE PATIENT’S REQUEST FOR MEDICAL RECORDS BECAUSE THEY BELIEVE IT MIGHT UPSET THE PATIENT?

– No, the health care provider cannot deny the patient’s request for their record because they think the information might upset the patient.

Denials of Requests for Medical Records

CAN THE HEALTH CARE PROVIDER DENY THE PATIENT’S REQUEST FOR MEDICAL RECORDS BECAUSE THEY BELIEVE IT MIGHT UPSET THE PATIENT? (CONT’D)

– However, if the health care provider believes that the patient will become upset enough to physically harm him or herself or others, then the health care provider may deny the request.

Denials of Requests for Medical Records

CAN THE HEALTH CARE PROVIDER DENY THE PATIENT’S REQUEST FOR MEDICAL RECORDS? (CONT’D)

– If the health care provider denies the patient’s request for their medical record because they believe that seeing it might physically endanger the patient or someone else, the patient has the right to have a different health care professional review their decision.

Right to Amend Medical Records

A PATIENT’S RIGHT TO AMEND THE MEDICAL RECORD

– The patient has the right to have information added to their record to make it more complete or accurate.

– The patient does not have the right to have information that is already in their medical record removed or altered. The patient only has the right to add more information.

Right to Amend Medical Records

A PATIENT’S RIGHT TO AMEND THE MEDICAL RECORD (CONT’D)

– The right to amend the record is not intended to provide the patient with a chance to dispute a diagnosis. It is meant to provide the patient with a chance to amend the record by adding information to it.

Right to Amend Medical Records

A PATIENT’S RIGHT TO AMEND THE MEDICAL RECORD (CONT’D)

– The health care provider has 60 days after receipt of the patient’s request to amend their medical record to either:

• Add the information to the patient’s medical record as requested, or

• Deny the patient’s request in writing.

Right to Amend Medical Records

A PATIENT’S RIGHT TO AMEND THE MEDICAL RECORD (CONT’D)

– There are instances in which the health care provider can deny the patient’s request to amend:

• If you determine the record is accurate or complete, or

• NSU did not create the information that the patient wants to amend.

Right to Amend Medical Records

A PATIENT’S RIGHT TO AMEND THE MEDICAL RECORD (CONT’D)

– If the health care provider denies the patient’s request for amendment, the patient has the right to give the health care provider a written statement that explains why the patient disagrees with the decision.

Right to Amend Medical Records

A PATIENT’S RIGHT TO AMEND THE MEDICAL RECORD (CONT’D)

– The health care provider must make the patient’s statement part of the medical record.

– In the future, when the provider shares the medical record with others, the provider must also give them a copy of the denial of the request to amend along with a copy of the patient’s statement of disagreement.

Patient Rights: Right to Receive an Accounting of Disclosures of PHI

– HIPAA’s Privacy Rule includes a right to an “accounting of disclosures” – a listing of all disclosures of an individual’s PHI made by a Covered Entity or its Business Associates for up to 6 years preceding the request.

Patient Rights: Right to Receive an Accounting of Disclosures of PHI

Disclosures NOT requiring accounting include disclosures made:

– For Treatment (to persons involved in the individual’s care), Payment or Operations.
– To the individual, of his/her own PHI.
– Made as a result of a signed patient authorization.
– To patients about themselves.
– To persons (family, friends, etc.) involved in the care or payment of health care of the patient.
– Made incidentally to a permitted or required use and disclosure.
– For national security or intelligence purposes.
– To correctional institutions or law enforcement officials having lawful custody of an individual.
– Made for the creation of a limited data set (disclosures of a limited data set to researchers with a data use agreement under 45 CFR 164.514(e)).

Patient Rights: Right to Receive an Accounting of Disclosures of PHI

Disclosures requiring accounting include:

– Otherwise required/permitted by law
– For public health activities
– Victims of abuse, neglect, violence
– Health oversight activities
– Judicial/administrative proceedings
– Law enforcement purposes
– Human-subject research that does not obtain a subject’s authorization
– To avert a serious threat to health and safety
– To the FDA for purposes related to the quality, safety or effectiveness of an FDA regulated product or activity
– Workers’ compensation
– Releases made in error to an incorrect person/entity (i.e., breach)
– Organ/eye/tissue donations
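The two lists above (disclosures exempt from accounting on the previous slide, and those requiring accounting here) can be applied to a disclosure log mechanically. The following Python is an added example and not NSU's or any vendor's code: the purpose codes, the log layout and the sample entries are constructed, and an unrecognized purpose code raises rather than being silently dropped from the accounting.

```python
"""Accounting-of-disclosures filter.

Added example, not NSU code. The purpose codes, log layout and sample entries
are constructed for illustration and mirror the deck's two lists (disclosures
exempt from accounting vs. disclosures that must be accounted for).
"""
from dataclasses import dataclass
from datetime import date

# Disclosures that do NOT have to appear in an accounting (constructed codes).
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "operations",   # TPO
    "to_individual",                        # to the patient, about themselves
    "signed_authorization",                 # made under a signed authorization
    "involved_in_care",                     # family/friends involved in care or payment
    "incidental",                           # incidental to a permitted use/disclosure
    "national_security",                    # national security or intelligence
    "lawful_custody",                       # correctional institution / law enforcement custody
    "limited_data_set",                     # limited data set under a data use agreement
})

# Disclosures that MUST appear in an accounting (constructed codes).
ACCOUNTABLE_PURPOSES = frozenset({
    "required_by_law", "public_health", "abuse_neglect_violence",
    "health_oversight", "judicial_administrative", "law_enforcement",
    "research_no_authorization", "avert_serious_threat", "fda",
    "workers_compensation", "breach", "organ_eye_tissue_donation",
})


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str
    description: str


def requires_accounting(purpose: str) -> bool:
    """Classify a purpose code; an unknown code raises so it is never silently dropped."""
    if purpose in ACCOUNTABLE_PURPOSES:
        return True
    if purpose in EXEMPT_PURPOSES:
        return False
    raise ValueError(f"unclassified disclosure purpose: {purpose!r}")


def lookback_start(request_date: date, years: int) -> date:
    """Same calendar day `years` earlier; a Feb 29 request falls back to Feb 28."""
    try:
        return request_date.replace(year=request_date.year - years)
    except ValueError:
        return request_date.replace(year=request_date.year - years, day=28)


def accounting_of_disclosures(log, patient_id, request_date, lookback_years=6):
    """Entries to list for the patient's request, oldest first: disclosures of
    that patient's PHI within the look-back window whose purpose requires accounting."""
    earliest = lookback_start(request_date, lookback_years)
    selected = [
        d for d in log
        if d.patient_id == patient_id
        and earliest <= d.disclosed_on <= request_date
        and requires_accounting(d.purpose)
    ]
    return sorted(selected, key=lambda d: d.disclosed_on)


# Constructed sample log: patient ids, dates and recipients are fictitious.
SAMPLE_LOG = [
    Disclosure("P-1001", date(2012, 3, 1), "Referring physician",
               "treatment", "progress note sent for continuing care"),
    Disclosure("P-1001", date(2013, 6, 15), "County health department",
               "public_health", "reportable condition notification"),
    Disclosure("P-1001", date(2009, 1, 10), "Local police department",
               "law_enforcement", "records produced under a warrant"),
    Disclosure("P-1001", date(2014, 11, 20), "Wrong fax number",
               "breach", "misdirected fax of a billing statement"),
    Disclosure("P-1001", date(2014, 1, 5), "Life insurer",
               "signed_authorization", "released per patient authorization"),
    Disclosure("P-2002", date(2014, 5, 5), "County health department",
               "public_health", "reportable condition notification"),
    Disclosure("P-1001", date(2015, 2, 2), "University research team",
               "research_no_authorization", "IRB waiver of authorization"),
]
REQUEST_DATE = date(2015, 9, 1)  # constructed date of the patient's request


def demo():
    """P-1001's accounting: the 2009 warrant predates the 6-year window,
    treatment and authorized releases are exempt, and P-2002's entry is not theirs."""
    return accounting_of_disclosures(SAMPLE_LOG, "P-1001", REQUEST_DATE)


if __name__ == "__main__":
    for d in demo():
        print(d.disclosed_on, d.purpose, d.recipient, "-", d.description)
```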

Patient Rights to Request Restrictions and Confidential Communications

In addition to granting other rights, the HIPAA Privacy Rule provides the following rights to NSU Covered Entity patients:

– The right to request restrictions on the use and disclosures of PHI; and
– The right to request confidential communications.

Patient Rights to Request Restrictions and Confidential Communications

NSU Covered Entity patients can request that the Covered Entity restrict uses or disclosures of their PHI.

– For example, patients could request that NSU Clinics not disclose certain information to the third party payer insurance company or to another physician involved in the patient’s care.

Patient Rights to Request Restrictions and Confidential Communications

Importantly, (with one exception) NSU Covered Entities can refuse these requests. However, if a request is granted, the restriction must be honored unless there is an emergency situation.

Exception: Request for Restriction of Information Provided to Health Plan

If a patient pays for a service out of pocket, he or she may request that information about the visit not be provided to the patient’s health plan.

In this situation, the NSU Covered Entity must comply with the patient’s request (unless there is a legal reason that NSU cannot comply – in which case the patient must be informed and given the opportunity to go elsewhere).

Patient Rights to Request Restrictions and Confidential Communications

NSU Covered Entity patients may also request confidential communications. It is important to understand the distinction between these requests and requests for restrictions as requests for confidential communication must generally be honored by the NSU Covered Entities.

Patient Rights to Request Restrictions and Confidential Communications

May health care providers leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments?

Patient Rights to Request Restrictions and Confidential Communications

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communications with patients at their homes, whether through the mail or by phone.

In addition, the Privacy Rule does not prohibit Covered Entities from leaving messages for patients on their answering machines.

Patient Rights to Request Restrictions and Confidential Communications

In situations where a patient has requested that the physician communicate with him or her in a confidential manner, such as an alternative means or at an alternate location, the physician must accommodate that request… if reasonable.

Patient Rights to Request Restrictions and Confidential Communications

The privacy rule also prohibits health care providers from asking patients why they are requesting the confidential communication.

– Accordingly, NSU Covered Entity staff, students and faculty are not permitted to ask patients the reason for requesting a confidential communication.

Reasonable Safeguards Policy – Fax Policy

Safeguarding Faxes

Although the HIPAA privacy regulations do not directly address the use of fax machines, the nature of fax transmissions makes information sent particularly vulnerable to unintended and unauthorized uses and disclosures. As with other communications related to health care, the NSU Covered Entity must reasonably safeguard information sent by fax.

Reasonable Safeguards Policy – Fax Policy

Faxing PHI to Patients: Generally, it is the policy of the NSU Covered Entities that non-emergent patient requests for copies of his/her health care records and billing information shall not be faxed to the patient.

Health care records and billing information shall be provided to the patient by either mailing the patient information to the address designated on the HIPAA Authorization, or hand-delivered to the patient at the NSU Covered Entity upon completion of the NSU HIPAA Authorization.

Reasonable Safeguards Policy – Fax Policy

Exception: PHI may be sent by fax to a patient for emergent patient care issues. The Clinic HIPAA Liaison (or designee) will be responsible for reviewing the patient’s request as well as the oversight of securely faxing the requested PHI using guidelines set forth in the NSU Covered Entity HIPAA Privacy policy.

Reasonable Safeguards Policy – Fax Policy

Cover Sheet Use: All faxes sent by the NSU Clinic/Covered Entities must be accompanied by the approved NSU Clinic/Covered Entity fax cover sheet.

Reasonable Safeguards Policy – Fax Policy

Determine “Minimum Necessary”

• Use “Minimum Necessary” guidelines when faxing PHI by sending only the requested/required information (i.e., do not forward the entire medical record when a progress note for a particular date of service was requested).

Reasonable Safeguards Policy – Fax Policy

Highly confidential information should not be faxed (except in an emergency). For example:

– Substance abuse
– Mental health or psychological information
– Sexually-transmitted disease (STD)
– HIV status
– Genetic testing

Reasonable Safeguards Policy – Fax Policy

Misdirected Faxes

If information is inadvertently faxed to a patient-restricted party or an incorrect recipient, the Clinic HIPAA Liaison and the NSU Privacy Officer should be notified immediately.

Know Where You Left Your Paperwork

Check printers, faxes, copier machines when you are done using them.

Ensure paper charts are returned to applicable file rooms.

Do not leave hard copies of PHI lying on your desk; lock them up in your desk at the end of the day.

Seal envelopes well when mailing.

Disposal of Paper Documents

Shred PHI before throwing it away. Dispose of paper and other records with PHI in secured shredding bins. Recycling and trash bins are NOT secure.

Shredding bins work best when papers are put inside the bins. When papers are left outside the bin, they are not secured from:

– Daily trash
– The public.

Patient Complaints

NSU Clinics/Covered Entities, as providers of health care, are responsible for complying with the patient rights components of the HIPAA Privacy Rule. One of these rights is the right to file a complaint concerning the breach of privacy.

Patient Complaints

Under the HIPAA Privacy Rule, NSU Clinics/Covered Entities are required to establish an internal complaint system for handling patient complaints that their privacy has been violated.

Patient Complaints

According to the Privacy Rule and the NSU Covered Entity policies, a patient who files a privacy complaint cannot be treated differently than other patients.

– NSU Covered Entity employees, students, researchers and health care providers will be subject to disciplinary action for intimidating, threatening or otherwise retaliating against patients who file privacy complaints.

Patient Complaints

In addition to filing a complaint with an NSU Covered Entity, patients may also file complaints with the federal government.

NSU Covered Entities are not permitted to ask patients to waive their right to complain to the government.

Patient Complaints

After a patient complaint has been reported, the NSU Clinic HIPAA Liaison will notify the Privacy Officer of the complaint. The Privacy Officer will investigate the complaint accordingly.

Patient Complaints

All NSU Clinic/Covered Entity workforce members are required to report any known or suspected patient privacy complaints immediately to the Clinic HIPAA Liaison or the NSU Privacy Officer.

Breach Reporting

When a use or disclosure occurs that is not allowed by the HIPAA Privacy Rule, NSU may be required to notify the patient and report the breach to the Office of Civil Rights. We may also be required to notify the media.

All privacy breaches must be reported to the Clinic HIPAA Liaisons and/or NSU Privacy Officer immediately.

Breach Of Confidentiality

Workforce members are required to report any known or suspected breach of the HIPAA Privacy policies and procedures and/or patient confidentiality immediately to the Clinic HIPAA Liaison or NSU Privacy Officer. You may:

– Call the NSU Privacy Officer directly at (954) 262-4302, if you do not want to be anonymous; or
– Call the Anonymous Compliance Hotline, phone 888-609-NOVA (6682), toll free, available 24 hours a day, 7 days a week.

…And IF A Suspected Breach Is Reported

After a suspected breach of the HIPAA Privacy policies and procedures or a patient’s confidentiality is reported, the Privacy Officer will investigate the report accordingly.

HITECH Act Updated HIPAA in 2009

As part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act updated federal HIPAA privacy and security standards.

The updates include:

• Breach notification requirements
• Fine and penalty increases for privacy violations
• Right to request copies of the electronic health care record in electronic format
• Mandates that Business Associates are civilly and criminally liable for privacy and security violations

Penalties for Violating HIPAA/HITECH

Covered Entities and Individuals can be penalized for violating HIPAA.

4 Tiers of Civil Monetary Penalties ranging from $100 up to $1.5 million (per violation)

Criminal fines: $250,000/up to 10 years imprisonment

Note: Individuals (This means You!) can be subject to criminal prosecution, fines and imprisonment.

Disciplinary Actions

Individuals who violate NSU policies regarding privacy/security of confidential, restricted and/or protected health information or ePHI are subject to further corrective and disciplinary actions in accordance with NSU’s normal disciplinary policies.

Sanctions may include, but will not be limited to: (1) verbal warning; (2) written reprimand; (3) re-training; (4) suspension; (5) expulsion or termination; and (6) prosecution.

This sanction policy does not alter the at-will status of any NSU employee.

Who Can I Call IF I Have Questions About HIPAA Privacy?

The NSU Privacy Officer, HIPAA Privacy Coordinator and your NSU HIPAA Liaison are available if you have questions about patient privacy and confidentiality. This includes questions on existing processes or functions you perform as well as new processes, programs, or initiatives you are considering that involve patients and protected health information (PHI).

NSU Privacy Officer: (954) 262-4302
NSU HIPAA Privacy Coordinator: (954) 262-1934

Privacy - Summary

Office of Corporate Compliance website: http://www.nova.edu/cwis/ccd/index.html

– NSU HIPAA Privacy Policies and Forms
– Available to NSU faculty, staff and students
– Resources/Links to governmental sites
– Office of Corporate Compliance staff contact information
– Compliance Hotline

Privacy - Summary

– Keep Protected Health Information private and secure at all times.
– Make sure only NSU Workforce who need to use Protected Health Information see it or use it.
– Use only the minimum amount of Protected Health Information necessary to accomplish the task.
– Read and understand NSU Privacy policies and procedures.
– Consult the Privacy Officer with any questions you have about privacy or Protected Health Information.

HIPAA Security/HITECH – Module 2

HIPAA: Privacy vs. Security – What’s the difference?

Privacy refers to WHAT is protected: health information about an individual and the determination of WHO is permitted to use, disclose, or access the information.

Security refers to HOW private information is safeguarded by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss.

What is Electronic Protected Health Information?

ePHI (Electronic Protected Health Information) is an individual’s Protected Health Information that is created, received, transmitted or stored electronically.

This includes information in an electronic medical record, patient billing information transmitted to a payer, digital images and printouts, and information being sent by NSU to another provider, payer, or a researcher.

ePHI is used in the HIPAA Security Rule to describe information that must be secured.

The HIPAA Security Rule Applies to Your Use of…

– A computer workstation “on-site” at NSU or an NSU facility
– An NSU-provided computer workstation “off-site” at home, in a cafe, on a plane, in a hotel, etc.
– Your own, non-NSU computer workstation, laptop or mobile device for NSU activities using ePHI.

You Are Responsible for Your Actions With NSU Covered Entity PHI and ePHI.

HIPAA Security

Information that was not in an electronic format prior to transmission, such as information transmitted via fax or stored in voicemail systems, is not ePHI. However, this information must still be protected consistent with the NSU HIPAA Privacy Policies.

How Do We Protect ePHI?

Ensure the confidentiality, integrity, and availability of information through safeguards (Information Security)

Ensure that the information will not be disclosed to unauthorized individuals or processes (Confidentiality)

Ensure that the condition of information has not been altered or destroyed in an unauthorized manner, and data is accurately transferred from one system to another (Integrity)

Ensure that information is accessible and usable upon demand by an authorized person (Availability)

HIPAA Security

All individuals within the NSU covered departments/clinics, including health care providers, employees, researchers and students, are responsible for being aware of and complying with the NSU HIPAA Security Guidelines, Policies and Procedures.

Good Computing Practices

– Unique User ID or Log-In Name (User Access Controls)
– Password Protection
– Workstation Security
– Security for Portable Devices & Laptops with ePHI
– Data Management, e.g., back-up, archive, restore, disposal.
– Secure Remote Access
– E-Mail Security
– Reporting Security Incidents / Breach
– Your Responsibility to Adhere to the NSU HIPAA Security Policies

Good Computing Practices – Unique User Log-In / User Access Controls

• Access Controls:

◦ Users are assigned a unique “User ID” for log-in purposes, which limits access to the minimum information needed to do your job. Never use anyone else’s log-on, or a computer someone else is logged on to.

◦ Use of information systems is audited for inappropriate access or use.

◦ Unauthorized access to ePHI by former employees is prevented by terminating access.

Good Computing Practices – Password Protection

o Don't use a word that can easily be found in a dictionary — English or otherwise;

o Use at least eight (8) characters ( with a combination of uppercase and lowercase letters, numbers, and symbols);

o Change your password to all systems and applications at least once per year.

o Don't share your password — After all, it is a "key" to your identity;

o Don't let your Web browser remember your passwords; and

o Personal computers and other portable devices, such as laptops and PDAs, which may contain ePHI must be password protected, and the ePHI on them must be encrypted.

Good Computing Practices – Workstation Security – Physical Security

“Workstations” include any electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.

Physical Security measures include:

◦ Disaster Controls
◦ Physical Access Controls
◦ Device & Media Controls

Good Computing Practices – Workstation Security (Continued)

– Lock up: offices, windows, sensitive papers and PDAs, laptops, mobile devices/media
– Lock your workstation

Good Computing Practices – Workstation: Disaster Controls

• Disaster Controls: Protect workstations from natural and environmental hazards, such as heat, liquids, water leaks and flooding, disruption of power, and conditions exceeding equipment limits.

o Use electrical surge protectors
o Move servers away from overhead sprinklers

Good Computing Practices – Workstations: Access Controls

Log off before leaving a workstation unattended. This will prevent other individuals from accessing ePHI under your User-ID, and limit access by unauthorized users.

Good Computing Practices
Workstations: Device Controls

Automatic Screen Savers: Unless a department/clinic has received a specific documented exception, each university-owned workstation should have a screen saver enabled that automatically activates and requires a password before further use if the workstation is idle for more than 10 minutes.

Good Computing Practices
Security for Portable Devices

Always encrypt portable devices and media with ePHI on them (laptops, flash drives, memory sticks, external drives, CDs, etc.).

Encryption must be an approved NSU data encryption solution. Check with NSU’s Office of Information Security. Protect your device from loss and theft.

Best practice: Do not keep ePHI on portable devices unless absolutely necessary. If it is necessary, the information must be encrypted.

Good Computing Practices
Data Management and Security

o System back-ups are created to assure integrity and reliability. You can get information about back-up procedures from the Office of Innovation and Information Technologies (OIIT) administrator for your department.

o Back up original data files with ePHI and other essential data and software programs frequently, based on data criticality (e.g., daily, weekly, monthly).

Good Computing Practices
Email Security

PHI may only be emailed in accordance with the following rules:

• PHI may be emailed within the University from one NSU email address to another NSU email address when necessary to perform a job task.

• Email from the NSU email system to any other system is not considered secure.

• Check with your clinic/department supervisor for clinic/department specific procedures for emailing PHI.

Good Computing Practices
Email between Patients & Providers

At this time NSU does not have a secure method of emailing our patients. It is the policy of NSU that individuals may not exchange clinically relevant information with patients via email, regardless of any authorization provided by patients.

Good Computing Practices
Email Communication with Patients:

– If an individual receives an email from a patient, the individual is responsible for notifying the patient that the clinic does not communicate clinical information by email and that the patient should call the office to address the matter or make an appointment, as appropriate.


Good Computing Practices

No user shall have the expectation of privacy in anything they store, send or receive on NSU’s email system.

Accessing Electronic PHI

Use your electronic access to information systems only to perform your job-related duties, and only access ePHI on a need-to-know basis.

All electronic systems are audited – a log of accesses is maintained and designed to protect patient privacy.

Inappropriate access can lead to disciplinary action, up to and including discharge from employment.

Who Can I Call If I Have Questions About HIPAA Security?

The NSU Chief Information Security Officer/NSU HIPAA Security Officer is available if you have questions about HIPAA Security. This includes questions on existing processes or functions you perform, as well as new processes, programs, or initiatives you are considering that involve patients and electronic protected health information (ePHI).

NSU HIPAA Security Officer – John Christly, (954) 262-4643, or via email at [email protected]

HITECH Act: What is It?

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is part of the American Recovery and Reinvestment Act (ARRA).

Through amendments to HIPAA, HITECH marked the beginning of a new era of health care privacy and security regulation and enforcement.

Applies to HIPAA Covered Entities (CEs) and Business Associates (BAs).

HITECH – Breach Notification: General Rule

If the security of “Unsecured PHI” is “breached,” the CE must provide notice without unreasonable delay and within 60 days after “discovery” of the breach to “impacted individuals,” the media (in certain instances) and HHS.

Impacted Individuals are those whose “Unsecured PHI” has been or is reasonably believed by the CE to have been accessed, acquired or disclosed as a result of a breach.

This rule creates a functional safe harbor: if the PHI is “secured,” there is no obligation to notify under HITECH.

Applies to breaches involving both electronic and paper records.

HITECH – What Constitutes a Breach?

Definition of “Breach”:
• Was there an unauthorized acquisition, access, use or disclosure of Unsecured PHI
• In a manner not permitted under the Privacy Rule (unauthorized)
• Which compromises the security and privacy of the information
• Except where the unauthorized person “would not reasonably have been able to retain” the information.

HITECH – What Constitutes a Breach?

PHI is “compromised” if the breach poses:
– A significant risk of financial, reputational or other harm to the individual whose PHI was used or disclosed.
– If the nature of the PHI does not pose a significant risk of financial, reputational, or other harm, then the violation is not a breach.
– NSU is responsible for conducting the risk assessment, which should be fact specific.

Three Breach Exceptions

Breach Exception No. 1 (not a breach): Unintentional acquisition, access or use of PHI by a workforce member or other person acting under the authority of the CE or BA if:

• Access made in good faith and within scope of employment or other professional relationship; and

• The information was not further acquired, accessed, used or disclosed (which means does not result in further use or disclosure that violates Privacy Rule).

Three Breach Exceptions

Breach Exception No. 2 (not a breach): Inadvertent disclosure from an individual authorized at a CE or BA to another authorized person at the same CE or BA, so long as:

• The sender and recipient are “similarly situated” (both authorized to access PHI); and

• The information was not further acquired, accessed, used or disclosed (which means does not result in further use or disclosure that violates Privacy Rule).

Three Breach Exceptions

Breach Exception No. 3 (not a breach):
• Where the CE or BA has a good faith belief that an unauthorized person to whom the PHI was disclosed would not have been able to retain the PHI.

Discovery of a Breach

A breach is “discovered” as of the first day that it is known (or reasonably should have been known) to the Covered Entity or Business Associate (not when the “breach risk assessment” is completed).

The Covered Entity or Business Associate has knowledge of the breach on the day that any employee, workforce member, officer or other agent has such knowledge (except for the individual who committed the breach).

Discovery starts the time period for providing notice.

What is Unsecured PHI?

The breach notification requirement applies to a breach of “unsecured PHI”.

Reminder: PHI = individually identifiable health information transmitted or maintained in any form or medium.

“Unsecured” means that the PHI has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in “guidance”.

What is Unsecured PHI?

PHI not secured through use of a technology or methodology specified by HHS as rendering the information unusable, unreadable or indecipherable to unauthorized persons.

HHS has identified certain encryption and destruction technologies and methodologies that must be implemented to meet this standard.


Encryption

All NSU authorized users who access, process and store Protected Health Information (PHI) on electronic computing end user devices are accountable for the protection and security of the data.

NSU policy specifies that when a legitimate business purpose exists requiring an individual to maintain Identifiable Protected Health Information (PHI) on a device other than a secure network server, that device requires increased levels of protection, up to and including:
• Password Protection on the device; and
• Encryption of the PHI stored on the device; and
• Use of minimum necessary information to accomplish the business purpose.


Encryption and Portable Data Files

NSU HIPAA Security Policies require that all portable data files stored on USB, CD/DVD, smart phones and mobile laptops that include PHI be encrypted and password-protected at all times.

Centrally managed, NSU-owned devices will be encrypted.

Personally owned devices are required to be encrypted with a user-managed encryption product (e.g., BitLocker, TrueCrypt, etc.).

Please contact the NSU Office of Information Security for Laptop, Disk and USB Encryption Information.


Security Guidance - Destruction

Media on which PHI is stored or recorded must be destroyed:

• Paper, film or other hard copy media must be shredded or destroyed such that PHI cannot be read or otherwise reconstructed.

• Electronic media must be cleared, purged or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization.


Breach Notification

The regulations require health care providers and other HIPAA Covered Entities to provide notice:

• To Impacted Individuals: Written notice must be provided to individuals, without unreasonable delay and in no case later than 60 days after discovery, by first class mail to last known address. Email notice is only permitted if the individual agrees to it.

Breach Notification

The regulations require health care providers and other HIPAA CEs to provide notice:

• To the Media: If the breach involves more than 500 impacted individuals in a state or jurisdiction, notice must be provided through prominent media outlets.
– This is in addition to written notice to impacted individuals.
– This notice must be provided in the same time frame, and have the same content, as the notice to impacted individuals.

Breach Notification

The regulations require health care providers and other HIPAA CEs to provide notice:

• To HHS:
– If the breach involves more than 500 impacted individuals, the CE notifies HHS at the same time as individuals, and HHS identifies the CE on its website.

– If breach involves less than 500 impacted individuals, CE logs the breach and provides an annual log to HHS within 60 days of the end of the calendar year.

– HHS website contains forms to report breaches.

Content of Notice

• Brief description of the facts surrounding the breach.
• Type of Unsecured PHI involved.
• Steps individuals should take to protect themselves.
• Brief description of what the CE is doing to investigate and mitigate.
• Contact information for inquiries.
• Notice must be in plain language.


HIPAA Requires NSU to Tell You the Consequences for Individuals and NSU if There is a Violation

Covered Entities and Individuals can be penalized for violating HIPAA.

4 Tiers of Civil Monetary Penalties ranging from $100 up to $1.5 million (per violation)

Criminal fines: $250,000/up to 10 years imprisonment

Note: Individuals (This means You!) can be subject to criminal prosecution, fines and imprisonment.

HITECH: Expanded Penalties

Tier 1
Circumstance of Violation: Entity did not know (even with reasonable diligence).
Penalty: At least $100 per violation, not to exceed $25,000 for all violations of the same requirement in the same calendar year.

Tier 2
Circumstance of Violation: The violation is due to “reasonable cause” (but not willful neglect).
Penalty: At least $1,000 per violation, not to exceed $100,000 for all violations of the same requirement in the same calendar year.

Tier 3
Circumstance of Violation: The violation is due to willful neglect, and is corrected within 30 days.
Penalty: At least $10,000 per violation, not to exceed $250,000 for all violations of the same requirement in the same calendar year.

Tier 4
Circumstance of Violation: The violation is due to willful neglect, and is not corrected within 30 days.
Penalty: At least $50,000 per violation, not to exceed $1.5 million for all violations of the same requirement in the same calendar year.

HITECH: Expanded Penalties

Gives State Attorneys General authority to bring civil actions for violations of HIPAA:
• Seek damages for individuals (at the “old” penalty level); and
• Attorneys’ fees and court costs may be awarded to the State (enforceable now!).

HITECH: Expanded Penalties

As of February 17, 2011, the Secretary for HHS is required:
• To investigate every complaint of a HIPAA violation to determine if the violation is due to willful neglect.
• To impose a civil monetary penalty for any HIPAA violation determined to be due to willful neglect.

How to Report a Breach

Immediately report any known or suspected breach of the policies and procedures and/or patient confidentiality to the NSU HIPAA Security Officer, and/or to your Clinic Privacy Contact and/or the NSU Privacy Officer. You may:

• Call the NSU HIPAA Security Officer at (954) 262-4643;
• Call the NSU Privacy Officer directly at (954) 262-4302; or
• Call the Anonymous Compliance Hotline: 888-609-NOVA (6682), toll free, available 24 hours a day, 7 days a week.


HIPAA Requires NSU to Tell You the Consequences for Individuals and NSU if There is a Violation

Individuals who violate NSU policies regarding privacy/security of confidential, restricted and/or protected health information or ePHI are subject to further corrective and disciplinary actions in accordance with NSU’s normal disciplinary policies.

Sanctions may include, but will not be limited to: (1) verbal warning; (2) written reprimand; (3) re-training; (4) suspension; (5) expulsion or termination; and (6) prosecution.

An employee who does not report a breach in accordance with the policies could lose his or her job.

This sanction policy does not alter the at-will status of any NSU employee.


HIPAA Privacy Rule & Research

Module 3

Glossary of Terms

Covered Entities
• A health care provider who transmits Protected Health Information (PHI) electronically for any covered HIPAA transactions
• A health plan
• A health care clearinghouse

All Covered Entities, along with their Business Associates (that use or access patient information on the Covered Entity’s behalf), are subject to HIPAA.

What is the Privacy Rule?

Rules for Covered Entities (CE) for using and disclosing individually identifiable health information, known as Protected Health Information (PHI).

Protected Health Information

Protected Health Information (PHI): PHI is health information about a patient that is created or received by a health care provider and health plans. PHI includes information:

• Sent or stored in any form (written, verbal, electronic);

• That identifies the patient or can reasonably be used to identify the patient;

• That generally is about a patient’s past, present and/or future treatment and payment of services.

What is PHI?

Examples of PHI:
• Medical Records (e.g. medical history, diagnosis, treatment)
• Payment Information (e.g. bills and receipts)
• Ancillary Services (e.g. x-rays, labs)
• Demographic Information (when maintained with health information, e.g. date of birth, social security number).

NSU as a Hybrid Entity

As discussed in the previous presentation module, HIPAA is a federal law that protects the privacy and security of an individual’s health information held by a “Covered Entity.”

For purposes of HIPAA, “Covered Entity” includes health care providers, health care plans, and health care clearinghouses that conduct specific transactions electronically.

NSU is engaged in both Covered Entity functions and other activities that are not Covered Entity functions (e.g. research and education) and is therefore considered a Hybrid Entity.


NSU as a Hybrid Entity

The University is not a covered entity. It is a hybrid entity with covered and non-covered components.

Covered Components: Treatment, Payment and Health Care Operations

Non-Covered Components: Education and Research

When are Researchers Covered?

When providing health care to individuals, researchers are considered health care providers. When accessing existing Protected Health Information, the HIPAA Privacy Rules apply.

What are Covered Entities Required To Do?

1. Keep records of certain disclosures
2. Provide only minimally necessary information, including:
   a. Use pursuant to a waiver
   b. Use preparatory to research
   c. Use of decedent’s PHI
   d. Use of limited data sets
3. Provide an accounting of certain disclosures, including:
   a. Use pursuant to waiver
   b. Use preparatory to research
   c. Use of decedent’s PHI


How Does HIPAA Affect Research Activity?

Researchers will need to go through the Covered Entity’s HIPAA policies and procedures to obtain data.

NSU IRB will need to consider research subject’s privacy rights.

How Does HIPAA Affect Research Activity?

The Privacy Rule permits Covered Entities to use and disclose PHI for research:
• With individual authorization, or
• Without individual authorization, under limited situations.

How Can PHI be Obtained for Research?

To Access PHI for Research:
• Authorization (NSU HIPAA Research Policies, Exhibits 1-2)
• Waiver of Authorization (NSU HIPAA Research Policies, Exhibit 8)
• De-Identification (NSU HIPAA Research Policies, Exhibit 18)
• Certification(s) for Review Preparatory for Research (NSU HIPAA Research Policies, Exhibits 10-12)
• Research on Decedent’s Information without Authorization Form (NSU HIPAA Research Policies, Exhibit 19)
• Limited Data Set/Data Use Agreement (NSU HIPAA Research Policies, Exhibits 16-17)

What is HIPAA Authorization?

Each study participant permits Use and Disclosure of their PHI for research purposes.

Must contain Privacy Notice provisions.

PHI With Individual Authorizations

GENERAL RULE: The researcher needs patient authorization for uses and disclosure related to research. (Please see the Instructions for Preparing the NSU Authorization for Use and Disclosure of PHI in Research on the IRB website.)

• For a specific research study – no blanket HIPAA Authorizations are allowed for research.
• Review and approval by the Institutional Review Board (IRB) is not necessary unless integrated with the consent form.
• Can be combined with the Informed Consent Form: NSU Authorization for Use and Disclosure of PHI in Research, on the IRB and Compliance Department websites.
• Not necessary to have an expiration date for HIPAA Authorizations granted for research.

Authorizations vs. Informed Consent

HIPAA Authorization
• Focuses on privacy risks
• Discusses how, why, and to whom the PHI will be used / disclosed
• Individual agrees to the use / disclosure of PHI in a particular study

Informed Consent
• Provides a description of the study
• Discusses anticipated risks and benefits associated with the study
• Describes how the confidentiality of the records will be protected
• Individual agrees to participate in the study


Using PHI Without Individual Authorizations

Exceptions to the HIPAA Authorization Requirement:

1. IRB Waiver of HIPAA Authorization - See, HIPAA Research Policy No. 2

2. De-Identified Information - See, HIPAA Research Policy No. 3

3. Reviews preparatory to research by staff of the covered component - See, HIPAA Research Policy No. 4

4. Research involving a decedent’s information - See, HIPAA Research Policy No. 3

5. Use of a limited data set - See, HIPAA Research Policy No. 7

Exceptions to the HIPAA Authorization Requirement

1. IRB Waiver of HIPAA Authorization: The IRB waives the authorization requirement.
• The PI/Researcher must justify the request for the waiver.
• The Covered Entity must obtain documentation reflecting that the IRB has determined that certain criteria mandated by the Privacy Rule were satisfied before receiving a Waiver of HIPAA Authorization.

Exceptions to the HIPAA Authorization Requirement

1. IRB Waiver of HIPAA Authorization: Criteria for Waiver of Authorization:

A. The PHI use or disclosure involves no more than a minimal risk to the privacy of individual(s), based on an adequate:
• plan to protect PHI identifiers from improper use and disclosure (e.g., who has access to PHI);
• plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers or if retention is otherwise required by law; and
• written assurances that the PHI will not be reused or disclosed to any other person or entity except (a) as required by law, (b) for authorized oversight of the research study, or (c) for other research for which the use or disclosure of PHI is permitted under the Privacy Rule.

B. The research could not be practicably conducted without the requested waiver.

C. The research could not be practicably conducted without access to and use of PHI.

Exceptions to the HIPAA Authorization Requirement

1. IRB Waiver of HIPAA Authorization: Documentation of Approval by the IRB of a Waiver of HIPAA Authorization must include:
• Statement identifying the IRB;
• Date of approval;
• Statement reflecting proper consideration of the mandated criteria;
• Brief description of the PHI to which access has been determined to be necessary;
• Statement that the waiver has been reviewed under normal or expedited review procedures; and
• Signature of the Chair or a member designated by the Chair.

Exceptions to the HIPAA Authorization Requirement

1. IRB Waiver of HIPAA Authorization: Purpose: Access to Protected Health Information (PHI) for research when it is not practicable to get a signed HIPAA Authorization.

• Similar to a waiver of informed consent.
• Requires approval by the IRB. Justifications must be met to approve.
• All waiver requests should be submitted through the standard IRB procedures. As part of this process, researchers must complete the IRB Waiver of Authorization Form.

Please see HIPAA Research Policy 2 and Exhibit 8.

Exceptions to the HIPAA Authorization Requirement

2. De-Identified Information: Information may be used by a researcher or disclosed to a researcher without a HIPAA Authorization if the information has been de-identified prior to the disclosure.

Please see HIPAA Research Policy 3

What is De-Identified Information?

To be exempt from HIPAA, none of the following 18 subject identifiers can be reviewed or recorded by the researcher:

1. Name
2. All geographic subdivisions smaller than a state (street address, city, county). Note: the zip code or equivalents must be removed, but in certain circumstances the first 3 digits of a zip code can be retained where the zip code contains more than 20,000 people.
3. For dates directly related to the individual, all elements of dates, except year
4. All ages or dates indicating an age over 89
5. Telephone numbers
6. Fax numbers
7. Email addresses
8. Social security number

Page 169

What is De-Identified Information (cont.)?

9. Medical record numbers
10. Health plan beneficiary numbers
11. Account numbers
12. Certificate/license numbers
13. Vehicle identifiers and serial numbers, including license plate numbers
14. Device identifiers and serial numbers
15. Web universal resource locators (URLs)
16. Internet Protocol (IP) address numbers
17. Biometric identifiers, including finger and voice prints
18. Full face photographic images and other comparable images

Page 170

De-Identified Data

Any health information that is recorded without the 18 specific identifiers is considered de-identified.

De-identified data is not subject to HIPAA regulations.

Submit the de-identified data form with the IRB application, attesting that the health information has no identifiers with it.

Page 171

Assigning a Code to De-Identified Data

A Covered Entity may assign a code to allow re-identification. However:
• The code must not be derived from or related to information about the individual;
• The code must not have the capability of being translated to identify the individual; and
• The Covered Entity must not disclose the mechanism for re-identification.

Page 172

Exceptions to the HIPAA Authorization Requirement

3. Reviews Preparatory to Research: Purpose: Access PHI to
• Determine study feasibility
• Identify potential research participants for recruitment

Caveat: Review Preparatory to Research may only be used for recruitment if the researcher is a member of the covered entity’s workforce.

PHI may not be removed from the Covered Entity.

Page 173

Exceptions to the HIPAA Authorization Requirement

Reviews Preparatory to Research cont’d: A Covered Entity may use or disclose PHI for research in the context of reviews preparatory to research without a patient HIPAA Authorization or IRB approval of a Waiver of HIPAA Authorization only if the Covered Entity obtains from the researcher representations that:
• the use or disclosure is sought solely to review PHI as necessary to prepare the research protocol or for other similar purposes preparatory to research;
• the PHI will not be removed from the covered entity by the researcher in the course of review; and
• the PHI that the researcher seeks to use or access is necessary for the research.

However, the NSU Accounting of Disclosures Form for Research will need to be completed for these records (see HIPAA Research Policy 5).

Page 174

Exceptions to the HIPAA Authorization Requirement

Reviews Preparatory to Research cont’d: Researchers Within the Workforce of a Covered NSU Health Care Center/Clinic: In such cases, it is the internal procedure of NSU that such researchers are required to receive approval from the applicable NSU Health Care Center/Clinic HIPAA Liaison and the IRB prior to commencement of any review preparatory to research.

As part of this process, researchers must complete the IRB Review Preparatory to Research Form (Clinic Workforce Version), which requires written certification by the researcher. See HIPAA Research Policy 4, Exhibit 10.

Page 175

Exceptions to the HIPAA Authorization Requirement

Reviews Preparatory to Research cont’d: Researchers Not Within the Workforce of a Particular Covered NSU Health Care Center/Clinic but Who Are Affiliated with another Covered NSU Health Care Center/Clinic: In such cases, it is the internal procedure of NSU that such researchers are required to receive approval from the applicable NSU Health Care Center/Clinic HIPAA Liaison and the IRB prior to commencement of any review preparatory to research.

As part of this process, researchers must complete the IRB Review Preparatory to Research Form (NSU Affiliate - Outside Researcher Version), which requires written certification by the researcher. See HIPAA Research Policy 4, Exhibit 11.

Page 176

Exceptions to the HIPAA Authorization Requirement

Reviews Preparatory to Research cont’d:

Importantly, any researcher who is part of the workforce of the particular covered NSU Health Care Center/Clinic that maintains the PHI cannot delegate patient recruitment to an assistant or any other individual who is not a member of the workforce of the covered NSU Health Care Center/Clinic.

Page 177

Exceptions to the HIPAA Authorization Requirement

4. Research involving a decedent’s information:

Unlike the Common Rule, HIPAA regulations cover PHI of deceased individuals.

A HIPAA Authorization is not required for research if the patient is deceased and the use or disclosure is solely for research and is necessary to the research. As part of this process, researchers must complete the Research on Decedent’s Information Without Authorization form, Exhibit 19.

Note that an NSU Accounting of Disclosures Form for Research must be completed for these disclosures in accordance with HIPAA Research Policy No. 5.

Page 178

Exceptions to the HIPAA Authorization Requirement

Research involving a decedent’s information cont’d: The Covered Entity must obtain representation from the researcher that:
• The use or disclosure sought is solely for research on the PHI of the decedent;
• There is documentation of the death of the patients in question;
• The PHI for which use or disclosure is sought is necessary for the conduct of the research; and
• The research is approved by the IRB.

Page 179

Exceptions to the HIPAA Authorization Requirement

5. Use of a Limited Data Set: Purpose: Allow use or disclosure of PHI without a signed HIPAA Authorization or a Waiver of HIPAA Authorization.

The researcher must enter into a Data Use Agreement with the Covered Entity to access the Limited Data Set.

Limited Data Set = (PHI) – (certain direct identifiers)

Page 180

Exceptions to the HIPAA Authorization Requirement

5. Use of a Limited Data Set: The Data Use Agreement
• Defines who can use or receive the data;
• Defines for what purpose the data may be used;
• Provides that the researcher will not re-identify the data or contact the subject;
• Provides that the data will be safeguarded and not used for unauthorized purposes;
• Provides that researchers will report improper uses and disclosures; and
• Provides that the researcher will ensure that subcontractors agree to the same restrictions and conditions.

Page 181

Exceptions to the HIPAA Authorization Requirement

5. Use of a Limited Data Set: How would a Covered Entity create a Limited Data Set from PHI? Exclude the following:
• Names
• Postal address information, other than town or city, state, and zip code
• Telephone and fax numbers
• E-mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers

Page 182

Exceptions to the HIPAA Authorization Requirement

Exclude the following cont’d:
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints; and
• Full face photographic images and any comparable images

Page 183

Exceptions to the HIPAA Authorization Requirement

Limited Data Sets vs. De-Identified Data: unlike de-identified data, a Limited Data Set may retain
• Admission dates
• Discharge dates
• Birth dates
• Dates of death
• Zip codes
• State
• County
• City
but no street addresses!
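The three data-release rules above (the 18-identifier Safe Harbor list, the rule that a re-identification code must not be derived from information about the individual, and the Limited Data Set exclusions) can be compared side by side in code. The following is an added example written for this page; it is not NSU's tooling or an official HIPAA implementation. The field names, the sample record and the set of small-population zip prefixes are assumptions (the zip placeholder stands in for the current census-based list that a real deployment would load).

```python
"""Safe Harbor de-identification vs. Limited Data Set (added example).

Illustrative code written for this page, not NSU's tooling or an official
HIPAA implementation. The field names, the sample patient and the
small-population zip prefix set are constructed; every value is fictitious.
"""
import secrets
from datetime import date

# Constructed sample record; "diagnosis" stands in for the clinical content
# a researcher actually needs.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "mrn": "MRN-123456",
    "phone": "(555) 555-0100",
    "email": "jane@example.invalid",
    "street_address": "1 Example St",
    "city": "Fort Lauderdale",
    "county": "Broward",
    "state": "FL",
    "zip": "33314",
    "birth_date": date(1931, 4, 7),
    "admission_date": date(2019, 2, 3),
    "discharge_date": date(2019, 2, 9),
    "age": 91,
    "diagnosis": "Type 2 diabetes",
}

# Direct identifiers removed by BOTH a Limited Data Set and Safe Harbor
# (the slides' list mapped onto assumed field names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "phone", "fax", "email", "street_address", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}
# Fields a Limited Data Set may keep but Safe Harbor must drop or generalize.
GEOGRAPHY_FIELDS = {"city", "county"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# 3-digit zip prefixes whose area holds 20,000 people or fewer must become
# "000". Placeholder value: a real deployment loads the census-based list.
SMALL_ZIP3_PREFIXES = {"999"}


def limited_data_set(record):
    """PHI minus the direct identifiers: dates, city, county, state and the
    full zip stay, so this may only leave under a Data Use Agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}


def generalize_zip(zip_code, small_prefixes=SMALL_ZIP3_PREFIXES):
    """Safe Harbor: keep the first 3 digits unless that area is too small."""
    prefix = zip_code[:3]
    return "000" if prefix in small_prefixes else prefix


def safe_harbor_deidentify(record):
    """Apply the 18-identifier rule: drop direct identifiers and sub-state
    geography, reduce dates to the year, collapse ages over 89 into '90+'."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEOGRAPHY_FIELDS:
            continue
        if key == "age":
            out[key] = "90+" if over_89 else value
        elif key == "birth_date" and over_89:
            continue  # even the birth year alone would reveal an age over 89
        elif key in DATE_FIELDS:
            out[key] = value.year
        elif key == "zip":
            out[key] = generalize_zip(value)
        else:
            out[key] = value
    return out


class ReidentificationKey:
    """Re-identification code store that stays with the Covered Entity.

    The code is random, so it is not derived from anything about the
    individual (a hash of the SSN or MRN would be: anyone who knows the SSN
    could recompute it). The code-to-MRN mapping is never released."""

    def __init__(self):
        self._code_to_mrn = {}

    def assign(self, record):
        code = secrets.token_hex(8)
        self._code_to_mrn[code] = record["mrn"]
        return code

    def lookup(self, code):
        return self._code_to_mrn[code]


def release_for_research(record, keystore):
    """What the researcher receives: de-identified fields plus the opaque code."""
    released = safe_harbor_deidentify(record)
    released["code"] = keystore.assign(record)
    return released


def has_direct_identifier(released):
    """Pre-release check: no direct identifier field may survive."""
    return any(k in DIRECT_IDENTIFIER_FIELDS for k in released)


if __name__ == "__main__":
    ks = ReidentificationKey()
    print("Limited Data Set:", limited_data_set(SAMPLE_RECORD))
    print("Safe Harbor release:", release_for_research(SAMPLE_RECORD, ks))
```

Running it on the sample shows the difference the slides describe: the Limited Data Set keeps the full zip, city, county and exact dates (hence the Data Use Agreement), while the Safe Harbor output keeps only state, the 3-digit zip, years, and a "90+" age bucket, with the 91-year-old's birth year dropped because it would reveal an age over 89.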

Page 184

Rights of the Individual When PHI Is Used in Research

The individual is entitled to:
• Access health records
• Receive an accounting of disclosures
• Revoke an authorization

Page 185

Accounting For Research Disclosures

Covered Entity staff who disclose PHI for research purposes MUST maintain an Accounting of Disclosures under the following circumstances:
• Reviews preparatory to research;
• Research using PHI of decedents;
• Pursuant to a Waiver of Authorization; and
• Disclosures made pursuant to law.

Page 186

Accounting For Research Disclosures

Covered Entity staff who disclose PHI for research purposes are NOT required to maintain an Accounting of Disclosures under the following circumstances:
• Disclosures of Limited Data Sets pursuant to a Data Use Agreement
• Disclosures with written HIPAA Authorization of the patient
• Disclosures of de-identified data

Page 187

Accounting For Research Disclosures

If a researcher reviews patient records and these reviews are conducted without a HIPAA Authorization, then the researcher must keep a list of all patient records that were reviewed, the dates on which the records were reviewed, and a description of the type of information that was reviewed.

This information should be kept on an NSU Accounting of Disclosures for Research Form and must be provided to the NSU Clinic’s HIPAA Liaison (please see HIPAA Research Policy 5, Exhibit 7).

It is the policy of NSU that it will be the responsibility of the researcher to complete the NSU Accounting of Disclosures for Research Form (Exhibit 7) and provide it to the NSU Clinic’s HIPAA Liaison.

Page 188

Reliance Exception

Individuals have the right to revoke HIPAA Authorizations at any time, subject to the ‘Reliance Exception’.

Pursuant to this exception, NSU may continue to use and disclose PHI that was obtained prior to the revocation if necessary to maintain the integrity of the research.

Page 189

Recruitment Questions

• Are you using PHI to identify subjects?
• If so, what permission do you need to gain access to the PHI?
• Do you have a treatment relationship with the prospective subject?

Page 190

Allowable Recruitment Practices

NSU’s IRB must approve a research protocol with an accompanying recruitment plan before any patient screening and enrollment may begin.

This recruitment plan must be detailed by researchers in their IRB application and must outline a process that is compliant with the Health Insurance Portability and Accountability Act (HIPAA).

This law regulates how identifiable health information created or received by a covered entity (e.g. applicable NSU Health Care Centers) may be used or disclosed in connection with research.

Under HIPAA, the use of PHI in research generally is not permitted without written authorization from the subject or an IRB waiver of privacy authorization.

Page 191

Recruitment by a Clinician or Treatment Staff

A physician/health care provider who has a treatment relationship with the patient (the “clinician”) and who is also the researcher may approach a patient about participation in an IRB-approved trial in which the clinician participates as a researcher. The clinician’s treatment personnel (those who have “reason to know” identifiable health information by virtue of the treatment relationship) also may approach the patient about this research. The clinician or his/her treatment personnel must note the communication in the patient's medical record.

Page 192

Recruitment by a Clinician or Treatment Staff

A clinician who is not the researcher (and the clinician’s treatment personnel) may approach a patient about participation in another researcher's study. The clinician or his/her staff must note the communication in the patient's medical record. If the patient agrees to a referral to the researcher, suggested language is as follows:

"I discussed the referral of the patient to [team or health care provider] for [describe research study]. The patient agreed to the referral, including sharing information about the patient's condition."

Page 193

Recruitment by a Clinician or Treatment Staff

A clinician who is not the researcher (and the clinician’s treatment personnel) may give the patient another researcher's name and contact information, and the patient may contact the researcher.

A clinician who is not the researcher (and the clinician’s treatment personnel) may discuss possible patient eligibility with the research personnel in a de-identified manner, i.e., with all PHI removed. If the research personnel believe the de-identified patient would be eligible for the trial, the treatment personnel could then obtain the patient's permission to give the research personnel the patient's name or give the patient the researcher's contact information. (See bullets two and three above.)

Page 194

Recruitment by a Clinician or Treatment Staff

A clinician who is not the researcher (and the clinician’s treatment personnel) may send a letter to the patient about how to join an IRB-approved study so long as the content of the letter is approved by the IRB. (Note: unless the IRB approves a waiver of authorization for study recruitment purposes, the letter may NOT be co-signed by the researcher and the researcher may not have a copy of the letter.)

Page 195

Allowable Recruitment Practices

• Health care providers can always talk to their own patients about studies they are conducting.
• Health care providers can notify the patient that they may qualify for a particular study, and the patient can initiate the contact with the researcher.
• Patients can self-refer from ads, flyers, etc.

Page 196

APPLICABILITY OF RESEARCH POLICY

An exemption from IRB review does not equate to an exemption from the HIPAA requirement for Authorization or Waiver of Authorization when the research involves a Covered Entity’s and/or a Covered Health Care Component of a Hybrid Entity’s protected health information.

Researchers who receive an exemption determination but whose research involves PHI must still submit a HIPAA Authorization form (or a request for waiver of HIPAA Authorization), or, if applicable, HIPAA forms for conducting research involving decedents’ information or research using a limited data set.

Researchers who wish to review PHI to prepare a research protocol must submit the appropriate HIPAA form for IRB approval.

Page 197

Minimum Necessary Requirement

HIPAA requires that use and disclosure of, and requests for, protected health information (PHI) must be limited to the “minimum necessary to accomplish the intended purpose.”

Example: Only the information pertaining to a specific use should be given to the researcher.

Page 198

Security: What Do I Need To Know?

• No PHI in outgoing email (including file attachments).
• All individually identifiable health information must be stored in a password-protected application/program/file.
• Sharing of user names and passwords (user access) is strictly prohibited.
• Storage of individually identifiable health information or Protected Health Information on mobile devices that are not encrypted and password protected is strictly prohibited.
• There are secure methods of transmitting PHI electronically. Please consult with the HIPAA Security Officer, John Christly, at (954) 262-4643.
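The "no PHI in outgoing email" rule is one that a mail gateway or a pre-send hook can enforce rather than leave to memory. The following is an added example written for this page, not NSU's mail system or any DLP product: it scans a message's subject, body and text attachments for a few of the identifier classes from the 18-identifier list and blocks the message if any are found. The regular expressions, the message layout and both sample messages are constructed and every identifier value in them is fictitious.

```python
"""Outbound e-mail PHI check (added example).

Illustrative code written for this page, not NSU's mail system or a DLP
product. The patterns, the message layout and the sample messages are
constructed; every identifier value is fictitious.
"""
import re

# A few of the 18 identifiers that are cheap to spot in free text. The
# pattern choices are assumptions for this example; a real policy is tuned
# to the local MRN format and covers more identifier classes.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}


def find_phi(text):
    """Map identifier class -> list of matches found in `text`."""
    return {name: pat.findall(text)
            for name, pat in PHI_PATTERNS.items() if pat.search(text)}


def check_outgoing_message(message):
    """Scan subject, body and every attachment; block if anything is found.

    `message` is {"subject": str, "body": str, "attachments": {name: text}}.
    Attachments are scanned as text here; binary formats (PDF, DOCX) need
    text extraction first, otherwise PHI inside them is missed.
    """
    parts = {"subject": message.get("subject", ""),
             "body": message.get("body", "")}
    for name, content in message.get("attachments", {}).items():
        parts["attachment:" + name] = content
    findings = {}
    for part, text in parts.items():
        hits = find_phi(text)
        if hits:
            findings[part] = hits
    return {"decision": "block" if findings else "allow", "findings": findings}


# Constructed messages: one the policy must stop, one that is harmless.
SAMPLE_MESSAGE = {
    "subject": "Follow-up on study participant",
    "body": ("Hi Dr. Example, patient MRN-123456 (DOB 04/07/1931) was seen "
             "today. Call me at (555) 555-0100."),
    "attachments": {
        "visit-notes.txt": "SSN 000-00-0000 for Jane Example; diagnosis: type 2 diabetes.",
    },
}
CLEAN_MESSAGE = {"subject": "Reminder", "body": "HIPAA training is due Friday.",
                 "attachments": {}}

if __name__ == "__main__":
    for msg in (SAMPLE_MESSAGE, CLEAN_MESSAGE):
        print(check_outgoing_message(msg))
```

The point of returning the per-part findings rather than a bare yes/no is that the sender (or the HIPAA Security Officer reviewing the block) can see that the PHI sat in the attachment as well as the body, which is exactly the case the slide calls out.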

Page 199

Responsibilities of the Researcher?

• Researchers must refer to the NSU HIPAA Research Use and Disclosures Policies to determine their responsibilities related to HIPAA compliance.
• Document that the research team has completed HIPAA Privacy, Research and Security Training.
• Assume responsibility for compliance with HIPAA.
• In addition to the above, researchers will need to consult NSU’s IRB policies and procedures related to the Common Rule to determine when and how to obtain IRB approval for a project and when and how to obtain informed consent.

Page 200

Breach Reporting

When a use or disclosure occurs that is not allowed by the HIPAA Privacy Rule, NSU may be required to notify the patient and report the breach to the Office for Civil Rights. We may also be required to notify the media.

All privacy breaches must be reported to the Clinic HIPAA Liaisons and/or NSU Privacy Officer immediately.

Page 201

Breach Of Confidentiality

Workforce members, including researchers, are required to report any known or suspected breach of the HIPAA Privacy policies and procedures and/or patient confidentiality immediately to the Clinic HIPAA Liaison or NSU Privacy Officer. You may:
• Call the NSU Privacy Officer directly at (954) 262-4302, if you do not want to be anonymous; or
• Call the Anonymous Compliance Hotline: 888-609-NOVA (6682), toll free, available 24 hours a day, 7 days a week.

Page 202

…And If A Suspected Breach Is Reported

After a suspected breach of the HIPAA Privacy policies and procedures or a patient’s confidentiality is reported, the Privacy Officer will investigate the report accordingly.

Page 203

HITECH Act Updated HIPAA in 2009

As part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act updated federal HIPAA privacy and security standards.

The updates include:
• Breach notification requirements
• Fine and penalty increases for privacy violations
• Right to request copies of the electronic health care record in electronic format
• Mandates that Business Associates are civilly and criminally liable for privacy and security violations

Page 204

Conclusion – Research & HIPAA Privacy Rule

• Places responsibility on the Covered Entity to meet HIPAA requirements for disclosing PHI to the researcher.
• Places responsibility on the IRB to assure the Covered Entity that health information will be protected under the research protocol.
• Does not replace the Common Rule or FDA human subject protection regulations.

If you have questions regarding the Privacy Rule and Research, contact the NSU Privacy Officer.

Page 205

HIP HIPAA HOORAY!!! You have successfully completed NSU’s HIPAA Privacy, Security and Research Training Modules!
• Please complete the HIPAA Research Training Test.
• Please complete the NSU HIPAA Confidentiality and “Need to Know” Agreement.
• Print your certificate and retain it for your records.
• If you have any questions, please feel free to contact:
  • The NSU Privacy Officer, Robin Supler, at (954) 262-4302,
  • The HIPAA Privacy Coordinator, Stacy Seay, at (954) 262-1934,
  • The HIPAA Security Officer, John Christly, at (954) 262-4643, or
  • The anonymous Compliance Hotline: 888-609-NOVA (6682)