|
1
|
- William T Obremskey MD MPH
- AAOS 2004
- HWB Foundation
|
|
3
|
- Health Insurance Portability and Accountability Act of 1996 (Privacy Rule)
- November 1999 – DHHS proposed regulations
- December 2000 – Final Rule published
- August 2002 – New Final Rule published
- December 2002 – Guidance Document published
- Date of Compliance – APRIL 14, 2003
|
|
4
|
- Health Plans (insurers and payors)
- Health Care Providers
- Health Care Clearinghouses (billing services)
|
|
5
|
- Individually Identifiable Health Information
  - is defined as any information collected from an individual (including
    demographics) that is:
    - created or received by a health care provider, health plan, employer,
      and/or health care clearinghouse
    - relates to the past, present or future:
      - physical or mental health or condition of an individual,
      - the provision of health care to an individual; or
      - payment for the provision of health care to an individual; and
    - identifies the individual and/or there is reasonable basis to believe
      that the information can be used to identify the individual. (45 CFR
      160.103)
|
|
6
|
- Names
- Addresses
- Dates
- Phone Numbers
- Fax Numbers
- Social Security Numbers
- Medical Record Number
- Health Plan Numbers
- Account Numbers
- Certificate/License Numbers
- VIN/License Plate Numbers
- Device Identifiers
- Names of Relatives
- Web URLs
- IP addresses
- Biometric Identifiers
- Photographs and comparable images
- Any other unique identifying number, characteristic, or code
- Initials
|
|
7
|
- PHI – Protected Health Information
- Use – data accessed and shared within the covered entity
- Disclosure – the providing of data outside of the covered entity, not
including Business Associates
- Authorization – permission provided by the patient or legal
representative to use or disclose the individual’s PHI
- Limited Data Set – group of data that is de-identified except for
geographic location and dates
|
|
8
|
- Data Use Agreement – document used to create and disclose a Limited Data
Set
- Designated Record Set – The part of the medical record used for patient
care/treatment
- Minimum Necessary Standard – under certain conditions the covered entity
must limit the access to PHI
- Accounting of Disclosures – under certain conditions the covered entity
must track disclosures of PHI, such as waiver of authorization
|
|
10
|
- De-identified data
- Limited Data Set
- Authorization
- Waiver of Authorization
|
|
11
|
- De-identification
  - Remove all 19 identifiers; or
  - Statistical Certification – the information may be considered
    de-identified, if an independent, qualified statistician:
    - Determines that the risk of re-identification of the data, alone or
      in combination with other data, is very small; and
    - Documents the methods and results by which the health information is
      de-identified, and the expert makes his/her determination of risk.
      Note: the expert may not be the researcher or anyone directly involved
      in the research study.
|
|
12
|
- Limited Data Set (LDS)
  - Allows access to PHI, with limited identifiable data elements, without
    an authorization or waiver of authorization
  - Requires a Data Use Agreement
  - Limited Data Set may include:
    - Dates
    - Geographic information (not street address)
    - Other unique identifying numbers, characteristics, or codes that are
      not expressly excluded
|
|
13
|
- The investigator must agree to the following:
  - Not to use or disclose the LDS for any purpose other than the research
    project or as required by law.
  - To use appropriate safeguards to prevent use or disclosure of the LDS
    other than as provided for by the agreement.
  - To report to VUMC any use or disclosure of the LDS not provided for by
    this agreement, of which he/she becomes aware, including without
    limitation, any disclosure of PHI to an unauthorized subcontractor.
  - To ensure that any agent, including a subcontractor, to whom he/she
    provides the LDS, agrees to the same restrictions and conditions that
    apply through the agreement to the Data Recipient with respect to
    such information.
  - Not to identify the information contained in the LDS or contact the
    individual.
|
|
14
|
- Authorization
  - Participant provides authorization to use/disclose PHI as part of the
    informed consent process. MUST include the following elements:
    - Specific description of the information to be used/disclosed
    - Who may use or disclose
    - To whom the PHI will be disclosed
    - Why the use or disclosure is being made (each purpose)
    - Statement of how long the use or disclosure will continue
|
|
15
|
- Notice that authorization may be revoked
- Notice that the information may be disclosed to others not subject to
the Privacy Rule
- Notice that the covered entity may or may not condition treatment or
payment on the individual’s signature
- Individual’s signature and date
|
|
16
|
- Waiver of Authorization
  - To be granted by the IRB and must meet the following criteria:
    - The use or disclosure of PHI involves no more than minimal risk to the
      privacy of the individual.
    - The PI must provide a plan to protect identifiers, a plan to destroy
      the identifiers as soon as possible, and a statement that the
      information will not be disclosed.
    - The PI should provide justification as to why the research cannot be
      done without the waiver.
|
|
17
|
- The PI should provide justification as to why the research cannot be
  done without the PHI.
- The PI must provide a written assurance to the IRB that the PHI will
  not be re-used or disclosed except
  - As required by law,
  - For authorized oversight of the research, or
  - For other research that has been reviewed and approved by the IRB
    with specific approval regarding access to this PHI.
|
|
18
|
- A covered entity must try to limit the use or disclosure of PHI to the
  minimum necessary to achieve the research purpose.
- This standard applies to the following:
  - Research pursuant to a waiver
  - Use/disclosure of decedent’s PHI
  - Uses preparatory to research
  - Limited Data Sets
- Minimum Necessary Standard does not apply to the following:
  - Treatment disclosures or requests
  - Use or disclosure made with an authorization
  - Disclosures to the individual
  - Disclosures to DHHS for compliance
  - Disclosures required by law
|
|
19
|
- Patients have the right to request an accounting of disclosures of their
  PHI for the past six years.
- Applies to disclosure of PHI pursuant to a waiver of authorization,
  disclosures required by law, and for public health purposes.
- Does not apply to disclosures pursuant to an authorization or to a limited
  data set.
- The Privacy Office, not the IRB, will maintain a centralized database to
  track disclosures. This tracking requirement is the responsibility of the
  PI in conjunction with the Privacy Office.
|
|
20
|
- Preparatory to Research
  - defined as any action taken, where access to PHI is required, for
    assessing the research question/hypothesis such as accessing medical
    records or querying of databases to prepare a research protocol.
  - The use or disclosure of the PHI is sought solely for the purpose of
    preparing a research protocol.
  - The PHI will not be removed from the covered entity.
  - This PHI is necessary for the purpose of a research study.
|
|
21
|
- Research on Decedents
  - Researchers may use and disclose a decedent’s PHI for research purposes
    without IRB review.
  - The following criteria must be met in the form of a statement to the
    covered entity:
    - The use will be solely for research on the PHI of a decedent.
    - The PHI sought is necessary for the purposes of the research.
    - The researcher has documentation of the death of the individual about
      whom information is being sought.
|
|
22
|
- IRBs are currently updating forms and template language to meet the
requirements set forth in the regulations.
- Approved studies that will be enrolling beyond April 14, 2003 must have
an authorization rider attached to the consent document. Template
language for the HIPAA authorization rider is approved and on the
website.
- New studies should choose the Confidentiality and Privacy of Health
Information language in the template and modify to include study
specific information.
|
|
26
|
- Research may be done if:
  - No PHI is needed
  - A limited data set is used (need data use agreement)
  - Approval (authorization) from patient to do prospective research
- May do “preparatory research” w/o IRB approval
- “Waiver of Consent” is needed in retrospective studies and with a Limited Data Set
- All patients need to sign additional paper for approval of information
  for prospective research
|