Sharing PHI for Research
J.T. Ash, University of Hawaii System HIPAA Compliance Officer
[email protected]@hawaii.edu
Agenda
Ø HIPAA is a “TEAM SPORT” and everyone has a role in protecting protected health information (PHI).
Ø Privacy Rule, Security Rule, & Breach Notification Rule
Ø Methods to Share PHI (Privacy Rule)
Ø With Individual Authorization
Ø Without Authorization
Ø Accounting for Research Disclosure
Ø De-Identified Data
Ø Security Rule & Breach Notification
HIPAA Privacy Rule
Ø https://www.youtube.com/watch?v=y751i4QqP0g
Ø The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
Ø https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
Ø 45 CFR Part 160 and Subparts A and E of Part 164.
HIPAA Security Rule
Ø The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Ø https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
Ø 45 CFR Part 160 and Subparts A and C of Part 164.
Ø Safeguards:
Ø Administrative
Ø Physical
Ø Technical
Breach Notification Rule
Ø Notification to Individuals: Individuals whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of such breach must be notified without unreasonable delay and in no case later than 60 calendar days following the discovery of such breach.
Ø Notification to Others: A UH Covered Component shall also notify prominent local media outlets if the breach involves more than 500 residents of the State, no later than 60 days after discovery of the breach.
Ø Notification to DHHS Secretary: A UH Covered Component shall notify the DHHS Secretary on an annual basis, in a manner specified on the DHHS Website, and via a report due to the DHHS Secretary no later than 60 calendar days after the end of the calendar year in which breaches are discovered, if less than 500 individuals are involved. If more than 500 individuals are involved, the UH Covered Component shall notify the DHHS Secretary in the manner provided by the DHHS Website, which presently requires notice without unreasonable delay and in no case later than 60 days following a breach.
Ø Notification by a Business Associate: A Business Associate shall notify a UH Covered Component of a breach within 5 business days of the Business Associate discovering that a breach occurred…
Methods to Share PHI (*** Satisfies Privacy Rule Obligations)
Ø With Authorization
Ø Without Authorization
Ø De-Identified Data
With Individual Authorization
Ø The Privacy Rule has a general set of authorization requirements that apply to all uses and disclosures, including those for research purposes. However, several special provisions apply to research authorizations:
Ø Unlike other authorizations, an authorization for a research purpose may state that the authorization does not expire, that there is no expiration date or event, or that the authorization continues until the “end of the research study;” and
Ø An authorization for the use or disclosure of protected health information for research may be combined with a consent to participate in the research, or with any other legal permission related to the research study.
Without Authorization
Ø A Covered Entity must obtain one of the following:
Ø Documented Institutional Review Board (IRB) Board Approval
Ø Preparatory to Research
Ø Research on Protected Health Information of Decedents
Ø Limited Data Sets with a Data Use Agreement
Documented Institutional Review Board (IRB) Board Approval
Ø A covered entity may use or disclose protected health information for research purposes pursuant to a waiver of authorization by an IRB or Privacy Board, provided it has obtained documentation of ALL of the following:
Ø Identification of the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;
Ø A statement that the IRB or Privacy Board has determined that the alteration or waiver of authorization, in whole or in part, satisfies the three criteria in the Rule;
Ø A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Board;
Ø A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures; and
Ø The signature of the chair or other member, as designated by the chair, of the IRB or the Privacy Board, as applicable.
Institutional Review Board (IRB) Waiver of Authorization
Ø The following three criteria must be satisfied for an IRB or Privacy Board to approve a waiver of authorization under the Privacy Rule:
Ø The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
Ø An adequate plan to protect the identifiers from improper use and disclosure;
Ø An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
Ø Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
Ø The research could not practicably be conducted without the waiver or alteration; and
Ø The research could not practicably be conducted without access to and use of the protected health information.
Preparatory to Research
Ø Representations from the researcher, either in writing or orally, that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any protected health information from the covered entity, and representation that protected health information for which access is sought is necessary for the research purpose.
Research on Protected Health Information of Decedents
Ø Representations from the researcher, either in writing or orally, that the use or disclosure being sought is solely for research on the protected health information of decedents, that the protected health information being sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought.
Limited Data Sets with a Data Use Agreement
Ø A data use agreement entered into by both the covered entity and the researcher, pursuant to which the covered entity may disclose a limited data set to the researcher for research, public health, or health care operations.
Ø The data use agreement must:
Ø Establish the permitted uses and disclosures of the limited data set by the recipient, consistent with the purposes of the research, and which may not include any use or disclosure that would violate the Rule if done by the covered entity;
Ø Limit who can use or receive the data; and
Ø Require the recipient to agree to the following:
Ø Not to use or disclose the information other than as permitted by the data use agreement or as otherwise required by law;
Ø Use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the data use agreement;
Ø Report to the covered entity any use or disclosure of the information not provided for by the data use agreement of which the recipient becomes aware;
Ø Ensure that any agents, including a subcontractor, to whom the recipient provides the limited data set agree to the same restrictions and conditions that apply to the recipient with respect to the limited data set; and
Ø Not to identify the information or contact the individual.
Accounting for Research Disclosure
Ø The Privacy Rule gives individuals the right to receive an accounting of certain disclosures of protected health information made by a covered entity.
Ø This accounting must include disclosures of protected health information that occurred during the six years prior to the individual’s request for an accounting, or since the applicable compliance date (whichever is sooner), and must include specified information regarding each disclosure.
Ø A more general accounting is permitted for subsequent multiple disclosures to the same person or entity for a single purpose.
Ø Among the types of disclosures that are exempt from this accounting requirement are:
Ø Research disclosures made pursuant to an individual’s authorization;
Ø Disclosures of the limited data set to researchers with a data use agreement
What is De-identified Data?
Ø De-identified data is not considered PHI
Ø No obligations to the Privacy/Security/Breach Notification Rules
Ø May use and disclose de-identified data without restriction
Expert Determination & Safe Harbor
Ø Removal of all 18 unique identifiers (Expert Determination & Safe Harbor)
Ø Name
Ø All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
Ø All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
Ø Telephone numbers
Ø Fax numbers
Ø Email addresses
Ø Social Security numbers
Ø Medical record numbers
Ø Health plan beneficiary numbers
Ø Account numbers
Ø Certificate/license numbers
Ø Vehicle identifiers/serial numbers
Ø Device identifiers/serial numbers
Ø Web URLs
Ø IP address numbers
Ø Biometric identifiers
Ø Full-face photographic images and any comparable images
Ø Any other unique identifying number, characteristic, or code; and
Ø The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
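The Safe Harbor list above reads as a specification for a filter. As an added worked example that is not part of these slides, the Python below de-identifies one constructed record along those lines: it keeps only allowlisted fields (so name, SSN, MRN and email never pass through), reduces the zip code to its first three digits and collapses prefixes from a placeholder low-population set to 000, reduces dates to year, aggregates ages over 89 into a single 90+ category while withholding the birth year that would reveal such an age, and scrubs email, URL, IP, SSN and phone patterns from free text. The field names, the reference date, the low-population prefix set and the sample record are all assumptions; the real prefix set must come from current Census data.

```python
"""Safe Harbor de-identification of one record (added example, not from the slides)."""
import re
from datetime import date

# Constructed placeholder: the real set of three-digit ZIP prefixes whose combined
# population is 20,000 or fewer must be taken from current Census Bureau data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

# Assumed reference date on which ages are computed (e.g. the extraction date).
REFERENCE_DATE = date(2024, 1, 1)

# Allowlist of fields that are not among the 18 identifiers. Any field not named
# here (name, SSN, MRN, email, ...) is dropped by default. Field names are assumed.
PASS_THROUGH_FIELDS = ("sex", "diagnosis_code", "lab_result")

# Date fields reduced to year only, mapped to their output names (assumed).
DATE_FIELDS = {
    "birth_date": "birth_year",
    "admission_date": "admission_year",
    "discharge_date": "discharge_year",
    "date_of_death": "death_year",
}

# Identifiers that commonly leak through free-text fields such as clinical notes.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits; collapse low-population prefixes to 000."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def age_on(birth_iso: str, as_of: date) -> int:
    """Age in completed years on the reference date."""
    b = date.fromisoformat(birth_iso)
    return as_of.year - b.year - ((as_of.month, as_of.day) < (b.month, b.day))


def scrub_free_text(text: str) -> str:
    """Replace email, URL, IP, SSN and phone patterns with labelled placeholders."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label} removed]", text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor view of ``record``; ``as_of`` is the date ages are computed on."""
    out = {f: record[f] for f in PASS_THROUGH_FIELDS if f in record}
    if "zip" in record:
        out["zip3"] = generalize_zip(record["zip"])
    age = age_on(record["birth_date"], as_of) if "birth_date" in record else None
    over_89 = age is not None and age > 89
    for field, out_name in DATE_FIELDS.items():
        if field in record:
            year = date.fromisoformat(record[field]).year
            # A birth year combined with an age over 89 would pin the age down again,
            # so the year is withheld and the age is aggregated into a single 90+ bucket.
            out[out_name] = None if (over_89 and field == "birth_date") else year
    if age is not None:
        out["age"] = "90+" if over_89 else age
    if "notes" in record:
        out["notes"] = scrub_free_text(record["notes"])
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane.doe@example.org",
    "zip": "03601",
    "birth_date": "1930-05-14",
    "admission_date": "2023-02-01",
    "sex": "F",
    "diagnosis_code": "E11.9",
    "notes": "Patient called from (808) 555-0100; portal email jane.doe@example.org",
}


def deidentify_sample() -> dict:
    """Run the filter over the constructed sample record."""
    return deidentify(SAMPLE_RECORD, REFERENCE_DATE)


if __name__ == "__main__":
    print(deidentify_sample())
```

The allowlist is the important design choice: a denylist of the 18 identifiers silently passes any new or renamed column, whereas an allowlist fails closed. The regex scrub of free text is a backstop, not a guarantee, and the last Safe Harbor element (no actual knowledge that the remaining data could re-identify a subject) is a human judgment that no filter can make; where that judgment is in doubt, the Expert Determination path is the alternative the slides name.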
Security Rule & Breach Notification
Ø Still need to work with your IT support to ensure they have an environment that can satisfy the obligations of the Security Rule
Ø Still need to work with your InfoSec support to ensure they have the policies/procedures in place to satisfy the obligations of the Breach Notification Rule
[email protected] • (808) 956-7241