
Page 1: Hipaa

HIPAA For Research

Understanding how the Health Insurance Portability & Accountability Act of 1996 Affects Clinical Research

Page 2: Hipaa

HIPAA History

• Health Insurance Portability & Accountability Act of 1996 (Kennedy-Kassebaum Act)

• Effective April 14, 2001

• Compliance Required by April 14, 2003 (October 2003)

Page 3: Hipaa

HIPAA – General Provisions

• Standardization of electronic patient health, administrative and financial data;

• Unique identifiers for individuals, employers, health plans, and health care providers;

• Security standards protecting the confidentiality and integrity of health information.

Page 4: Hipaa

What Is PHI?

* PHI is all individually identifiable health information, including demographic data and biological specimens, that is transmitted or maintained by a covered entity.

* PHI can be in any form, including written, electronic, and verbal.

Page 5: Hipaa

Protected Health Information (PHI)

–Is created or received by a health care provider, health plan, or health care clearinghouse

–Relates to past, present, or future:

• Provision of care to an individual

• Physical or mental condition(s)

• Payment for provision of health care to an individual

Page 6: Hipaa

De-identification of PHIs

• Medical institutions can release de-identified health information without patient authorization.

• The following 18 specific identifiers must be deleted:

Page 7: Hipaa

De-identification

• Names

• All geographic subdivisions smaller than a state.

• All dates (except year)

• Telephone numbers

• Fax numbers

• Electronic mail addresses

• Social Security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers, including license plate numbers

Page 8: Hipaa

De-identification cont…

• Device identifiers and serial numbers

• URLs

• Internet Protocol (IP) Addresses

• Biometric identifiers, including finger and voice prints

• Full face photographic images and any comparable images

• Any other unique identifying number, characteristic, or code.

Page 9: Hipaa

Impact on WVSOM Human Subject Research

-Access to PHI

Researcher must understand the permissible routes of access to PHI for research activity

AND

-Restrictions on Use and Disclosure of PHIs

Researcher must implement necessary safeguards to protect the PHI

Page 10: Hipaa

The Privacy Rule permits a covered entity (WVSOM or Affiliated Hospitals) to use and disclose PHI for research

• When an individual Authorization has been obtained from a research participant, OR

• When a Waiver of Authorization has been obtained.

Page 11: Hipaa

• There are other limited situations where PHI can be used/disclosed without an Authorization, e.g., use of PHI on decedents, use of PHI for Reviews Preparatory to Research, limited data sets, etc.

Page 12: Hipaa

Existing IRB-Approved Studies

The ‘Transition Provision’ in the Privacy Rule permits covered entities (USF) to continue to use and disclose PHI for research if, prior to April 14, 2003, they obtained:

• An IRB approved consent form, or

• An IRB approved waiver of consent, or

• An express legal permission (e.g., a signed authorization)

Page 13: Hipaa

New Studies

To use/disclose PHI in research, the researcher must obtain

1) An Authorization from the individual participant.

OR

2) A Waiver of Authorization for the study.

An Authorization is the HIPAA equivalent of consent to use and disclose data.

Page 14: Hipaa

AUTHORIZATIONS

Valid authorization must include the following elements:

A description that identifies the information in a specific and meaningful fashion;

The name of the person(s) authorized to make the requested use or disclosure;

The name of the person(s) to whom the covered entity may make the requested use or disclosure;

Page 15: Hipaa

Patient Authorization (Cont.)

An expiration date/event that relates to the purpose of the use or disclosure;

A statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization;

Page 16: Hipaa

Patient Authorization (Cont.)

A statement that information used may be subject to re-disclosure by the recipient and no longer be protected by this rule;

Signature of the individual and date;

If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual;

Page 17: Hipaa

Patient Authorization (Cont.)

The authorization must be written in plain language.

Can be combined with consent if research involves treatment, but not at WVSOM.

Research including existing records would require a separate authorization.

Page 18: Hipaa

Waiver

1. Disclosure involves no more than minimal risk to the individual

2. The waiver will not adversely affect the privacy rights of the individual

3. Research could not be conducted without the waiver

4. Research could not be conducted without access to protected health information

Page 19: Hipaa

Waiver (Cont.)

5. The privacy risks are reasonable in relation to the anticipated benefits to the individuals and the importance of the knowledge gained through research

6. There is a plan to protect patient identifiers from improper use and disclosure

7. There is a plan to destroy patient identifiers at the earliest opportunity

Page 20: Hipaa

Waiver (Cont.)

8. There are adequate written assurances that protected health information will not be reused or disclosed to others except as provided by the regulations and restricts most disclosures of information to the minimum intended purpose.

Page 21: Hipaa

Research Use/Disclosures That Do Not Require Authorizations or Waivers

1. Review of PHI Preparatory to Research

2. Use of PHI of Decedents for Research Purposes

Page 22: Hipaa

Special Rules Regarding Databases

Creating and maintaining databases containing PHI is considered research.

• If you will use existing databases containing PHI for research after April 14, 2003, you must obtain Authorizations or Waivers.

• If you will create or maintain databases for future analysis, you must comply with HIPAA in addition to obtaining IRB approval.

Page 23: Hipaa

Research Subject Recruitment

• Recruitment for research is subject to the general authorization requirement unless the researcher has a direct treatment relationship with the patient.

• Researchers could use the Waiver of Authorization mechanism to access PHI for recruiting prospective research subjects.

Page 24: Hipaa

Research Subject Recruitment cont…

• A researcher who has a direct treatment relationship with the patient can engage in conversations related to recruitment without having to obtain Authorizations or Waivers.

Page 25: Hipaa

Revocation of Authorization

Research subjects can revoke their Authorization in writing at any time. This is subject to an exception known as the ‘Reliance Exception.’

• A subject wishing to revoke the Authorization must be given a form for Revocation of Authorization

Page 26: Hipaa

Revocation of Authorization cont…

• If the subject does not sign and return the form, then the researcher may continue to use the PHI and treat the Authorization as valid.

Page 27: Hipaa

Reliance Exception to Revocation

The Reliance Exception allows researchers to use and disclose a subject’s PHI that was obtained before the subject’s revocation in the following ways:

– To account for a subject’s withdrawal from the study

– To conduct investigations of scientific misconduct

– To report adverse events

– As necessary to incorporate the information of a marketing application to FDA

Page 28: Hipaa

Research Subject’s Rights

An accounting of the following research-related disclosures of PHI is required:

• Disclosures as allowed by a Waiver of Authorization

• Reviews preparatory to research

• Research on PHI of decedents

• Disclosures made as allowed by law

Page 29: Hipaa

Research Subject’s Rights cont…

Accounting of the following disclosures is NOT required:

• Disclosures made to the individual subject.

• Disclosures authorized by the subject (i.e., the research subject has signed an Authorization for this use/disclosure of PHI).

• De-identified data and limited data sets.

Page 30: Hipaa

Summary

IRB HIPAA

Clinical Research Yes Yes (2)

Preexisting and Research

Record Review

(Identifiers)

Exempt

No

Yes

Record Review

(No Identifiers)

No No

Decedents No Yes

Page 31: Hipaa

Sanctions for Non-Compliance

Significant penalties may be imposed against WVSOM, Affiliate Hospitals, and individual researchers.

• Civil Penalties:

– Based on patient complaints: $100 per violation with $25,000 maximum per year

Page 32: Hipaa

•Criminal Penalties:

–Knowingly wrongful disclosures: fines up to $50,000 and/or up to 1 year in prison

–Under false pretenses: fines up to $100,000 and/or up to 5 years in prison

–With intent to sell: fines up to $250,000 and/or up to 10 years in prison

Page 33: Hipaa

Summary: Researcher Responsibilities

• Preparing an extensive confidentiality plan

– Who will have access to the data?

– How long will access be needed?

– Will third party payers or other administrators need to have access?

• Time to gain approval from an additional committee

• Alternatives

Page 34: Hipaa

Summary: IRB Responsibilities

• Have appropriate expertise in privacy and confidentiality concerns.

• Ensure that consent forms contain appropriate authorization requirements if applicable.

Page 35: Hipaa

Summary: IRB Responsibilities

• Understand waiver criteria and document appropriately.

• Coordinate with Privacy Board, if applicable.

Page 36: Hipaa

HIPAA & IRB AT WVSOM

David Brown, Ph.D.

Chair of the IRB

[email protected]

Thompson

HIPAA Compliance

[email protected]

Page 37: Hipaa

You must demonstrate both IRB and HIPAA Compliance by Passing the Following Courses and Quizzes:

IRB: http://cme.nci.nih.gov/

HIPAA: http://www.wvu.edu/~rc/irb/hipwebct.htm

Page 38: Hipaa

QUESTIONS!?

Prepared By:

Jason S. Wrench, Ed. D.

Medical Education Specialist

West Virginia School of Osteopathic Medicine