Date post: | 15-Dec-2015 |
Category: |
Documents |
Upload: | amelia-milbourne |
View: | 219 times |
Download: | 2 times |
HIPAA Requirements for Patient Oriented Research
UPENN HIPAA Experts
ContactsLauren SteinfeldUniversity Chief Privacy Officer 215-573-3348
Yvonne HigginsOffice of Regulatory [email protected]/regulatoryaffairs
Debbie GileadChief Privacy OfficerUPHS, [email protected]
HIPAA Resources for Researcherswww.med.upenn.edu/ohr/hipaa
University of Pennsylvania
Background - Background - HIPAA Privacy Rule
• HIPAA: Health Insurance Portability and Accountability Act outlines the Privacy Regulations
• Purpose: to protect privacy of patient records provided to health plans, doctors, hospitals and other health care providers
• Patients: provided with access to their records and more control over how their Protected Health Information (PHI) is used and disclosed
• Research: Includes specific rules surrounding clinical research and the collection and use of PHI for research purposes
• Owner: Developed by DHHS, enforced by OCR (Office of Civil Rights)
• Start date: April 14, 2003
University of Pennsylvania
DefinitionsDefinitions
Individually Identifiable Health Information
• Information about the physical or mental health of an individual
• Created or received by a covered entity
• Relates to individual’s health, health care or payment for care - past, present or future
• Reasonable belief that the information can be used to identify a particular individual
• Applies to defined standard transactions
University of Pennsylvania
Protected Health Information (PHI)
• All individually identifiable health information transmitted or maintained by a covered entity, regardless of form or media
– Include oral communications
– Excludes education records
– Excludes employment records
DefinitionsDefinitions
University of Pennsylvania
Definitions - Definitions - Covered Entity
UPenn School of Medicine
HUP
CPUP (Clinical Practices)
Presbyterian Hospital
Graduate Hospital
Pennsylvania Hospital
Penn Center for Rehab
CCA (Clinical Care Associates)
Others…
Does not include CHOP or VA
University of Pennsylvania
Uses and Disclosures of PHI in ResearchUses and Disclosures of PHI in Research
There are FOUR ways to use PHI in Research:
1) Authorization
2) IRB Waiver of Authorization
3) Limited Data Set
4) De-Identified Data
University of Pennsylvania
The authorization must cover:• Health information collected as part of the study
• Who may use or disclose the information
• Who may receive the information
• Purpose of the use or disclosure
• Duration of authorization (i.e. note expiration date or the fact that authorization does not expire)
• Right to revoke authorization
• Reference to the Notice of Privacy Practices
• Information disclosed outside the covered entity may not be protected by HIPAA
Template can be downloaded from:www.med.upenn.edu/ohrtrain/hipaa
HIPAA AuthorizationHIPAA Authorization
University of Pennsylvania
Authorization approaches: Stand-alone authorization form Authorization incorporated into study informed consent form
Preferred approach: stand-alone form Current standard language not at 6 - 8th grade level Regulations may change, with resultant change to standard
language (i.e. form can be changed without requiring IRB re-approval of ICF)
IRBs are not required to approve authorization language
Stand-alone Template can be downloaded from:www.med.upenn.edu/ohrtrain/hipaa
HIPAA AuthorizationHIPAA Authorization
University of Pennsylvania
Individual Authorization is a one-time individual permission to use or disclose PHI for non-transaction and payment activities (includes research).
The Authorization language requirements are very detailed and must be protocol specific.
No accounting requirement for disclosures obtained with an authorization.
HIPAA AuthorizationHIPAA Authorization
University of Pennsylvania
Uses and Disclosures of PHI in ResearchUses and Disclosures of PHI in Research
There are FOUR ways to use PHI in Research:
1) Authorization
2) IRB Waiver of Authorization
3) Limited Data Set
4) De-Identified Data
University of Pennsylvania
IRB Waiver of AuthorizationIRB Waiver of Authorization
IRB must document review of the following waiver criteria:
– Use or disclosure involves no more than minimal risk to the individuals;
– The research could not be practicably conducted without the waiver, and;
– The research could not be practicably conducted without access to the PHI.
University of Pennsylvania
IRB Waiver of AuthorizationIRB Waiver of Authorization
Accounting Requirements:
• Disclosures made via a waiver must be subject to an accounting process
• Patients have the right to receive an account of disclosures made of their protected health information (PHI)
• PI’s or research staff must record all applicable disclosures of PHI as required
University of Pennsylvania
Accounting for Disclosures
• Date or range of dates of disclosure
• Name of entity to whom the information was disclosed
• The address of entity to whom PHI was disclosed
• Description of the PHI disclosed
• Statement explaining the purpose of the disclosure or a copy of the written request for disclosure if available
University of Pennsylvania
IRB Waiver of AuthorizationIRB Waiver of AuthorizationWhen Do You Need a Waiver?
• Epidemiological Research where it is impractical to get authorization
• Research Chart Reviews (note Protocol Preparation Exception)
• Recruitment only if the subject’s contact information is being disclosed outside of SOM/UPHS. But note the following:
– Any subject recruitment within the SOM/UPHS should follow the HIPAA policy guidelines
– Also, “outside” SOM/UPHS includes the VA, CHOP, and other Schools of the University (except Nursing researchers)
– If the PI has a dual appointment and one appointment is in the SOM that individual is “inside” the covered entity.
University of Pennsylvania
IRB Waiver of AuthorizationIRB Waiver of Authorization
When Don’t You Need a Waiver?
• Protocol Preparation (refer to HIPAA exceptions slide)
• Recruitment “inside” the SOM/UPHS covered entity
• Research Using an Authorization - but note:
– A waiver may be required in addition to the authorization if PHI collected prior to authorization is disclosed outside of UPHS/SOM.
• Research Using De-identified Data
University of Pennsylvania
IRB Waiver of AuthorizationIRB Waiver of Authorization
How do you apply for a Waiver?
• Complete the Request for Waiver of IRB Authorization Form:
www.upenn.edu/regulatoryaffairs/human/forms.html www.med.upenn.edu/ohrtrain/hipaa
• Submit a complete protocol & grant application if the waiver is to be part of a funded proposal.
University of Pennsylvania
Uses and Disclosures of PHI in ResearchUses and Disclosures of PHI in Research
There are FOUR ways to use PHI in Research:
1) Authorization
2) IRB Waiver of Authorization
3) Limited Data Set
4) De-Identified Data
University of Pennsylvania
The limited data set is PHI without facial or direct identifiers
• Only applies to research, public health and health care operations
• Research conducted as part of an IRB approved protocol
• Information may be used or disclosed without individual authorization
• “Data Use Agreement” required for disclosure
Limited Data SetLimited Data Set
University of Pennsylvania
Facial identifiers• name• street address • telephone and fax numbers• e-mail address• social security number• certificate/license numbers• vehicle identifiers and serial numbers• URLs and IP addresses• full face photos and any other comparable images• medical record numbers (prescription numbers), health plan
beneficiary numbers, and other account numbers• device identifiers and serial numbers• biometric identifiers, including finger and voice prints
Limited Data SetLimited Data Set
University of Pennsylvania
When do I need a Data Use Agreement?
• When the following conditions are met:• Disclosure of data in a "limited data set" • Disclosure is for research purposes • Individual authorization is not obtained • As part of an IRB-approved protocol
• Who signs off on the Data Use Agreement?The UPenn Office of Research Services handles this agreement on behalf of the Trustees of the University of Pennsylvania.
University of Pennsylvania
Uses and Disclosures of PHI in ResearchUses and Disclosures of PHI in Research
There are FOUR ways to use PHI in Research:
1) Authorization
2) IRB Waiver of Authorization
3) Limited Data Set
4) De-Identified Data
University of Pennsylvania
De-Identified DataDe-Identified Data
• UPHS/SOM may use or disclose de-identified data for research purposes provided its done as part of an IRB approved protocol
• De-identified data is not covered by HIPAA and may be disclosed for research purposes
• A code may be applied to the data that would allow re-identification of data but only within the covered entity
University of Pennsylvania
Individually identifiable health information from which identifiers are removed for the individual, relatives, employers, or household members:
De-Identified DataDe-Identified Data
1. Names
2. Street address, city county, precinct, zip code & equivalent geocodes
3. All elements of dates (except year) for dates directly related to an individual and all ages over 89
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan ID numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers/serial numbers
14. Web addresses (URLs)
15. Internet IP addresses
16. Biometric identifiers, incl. finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code
University of Pennsylvania
• Use of PHI for Case Finding / Research Preparation
• Use of Decedent Information in Research
Must ensure the following• That the use or disclosure is sought solely to prepare a
research protocol
• Documentation of the death of the individual
• The PHI will not be removed from the covered entity
• The PHI used or accessed is necessary for the research purposes
HIPAA ExceptionsHIPAA Exceptions
University of Pennsylvania
Special RulesSpecial Rules
• Research commenced prior to 2003Research commenced prior to 2003– Obtain at time of annual continuing IRB reviewObtain at time of annual continuing IRB review
• Research using databases, repositories and Research using databases, repositories and banksbanks
– to include initial info into database authorization is to include initial info into database authorization is requiredrequired
– To utilize this data for research purposes the PI must To utilize this data for research purposes the PI must obtain a waiver of authorization from the IRBobtain a waiver of authorization from the IRB
– PI may review the info in the database without approval PI may review the info in the database without approval if it is preparatory for researchif it is preparatory for research
University of Pennsylvania
Special Rule - Subject RecruitmentSpecial Rule - Subject RecruitmentRequired contact methods (in order of preference):
– By a physician or other Health Care Professional who has taken care of a patient
– By the UPENN School of Medicine using a cover letter signed by a Physician who has taken care of the patient, and using text approved by the UPENN IRB
– By the researcher using a script or cover letter using text approved by the UPENN IRB
Direct recruitment by a researcher who has not taken care of the patient will require UPENN IRB approval and will only be permitted when both of the other two alternatives are impractical