HIPAA and Orthopedic Research
William T Obremskey MD MPH
AAOS 2004
HWB Foundation

HIPAA – How Will the Regulations Impact Research?

What is HIPAA?
Health Insurance Portability and Accountability Act of 1996 (Privacy Rule)
November 1999 – DHHS proposed regulations
December 2000 – Final Rule published
August 2002 – New Final Rule published
December 2002 – Guidance Document published
Date of Compliance – APRIL 14, 2003

Covered Entities
Health Plans (insurers and payors)
Health Care Providers
Health Care Clearinghouses (billing services)

Privacy Rule Protects:
Individually Identifiable Health Information
is defined as any information collected from an individual (including demographics) that is:
created or received by a health care provider, health plan, employer, and/or health care clearinghouse
relates to the past, present or future:
physical or mental health or condition of an individual,
the provision of health care to an individual; or
payment for the provision of health care to an individual; and
identifies the individual and/or there is reasonable basis to believe that the information can be used to identify the individual. (45 CFR 160.103)

Identifying Data Elements
Names
Addresses
Dates
Phone Numbers
Fax Numbers
Social Security Numbers
Medical Record Number
Health Plan Numbers
Account Numbers
Certificate/License Numbers
VIN/License Plate Numbers
Device Identifiers
Names of Relatives
Web URLs
IP addresses
Biometric Identifiers
Photographs and comparable images
Any other unique identifying number, characteristic, or code
Initials

HIPAA Terms
PHI – Protected Health Information
Use – data accessed and shared within the covered entity
Disclosure – the providing of data outside of the covered entity, not including Business Associates
Authorization – permission provided by the patient or legal representative to use or disclose the individual’s PHI
Limited Data Set – group of data that is de-identified except for geographic location and dates

HIPAA Terms Continued
Data Use Agreement – document used to create and disclose a Limited Data Set
Designated Record Set – The part of the medical record used for patient care/treatment
Minimum Necessary Standard – under certain conditions the covered entity must limit the access to PHI
Accounting of Disclosures – under certain conditions the covered entity must track disclosures of PHI, such as waiver of authorization

How to Fit HIPAA into your Research?

How to Use or Disclose PHI for Research Purposes
De-identified data
Limited Data Set
Authorization
Waiver of Authorization

How to use or disclose PHI for research purposes (continued)
De-identification
Remove all 19 identifiers; or
Statistical Certification – the information may be considered de-identified, if an independent, qualified statistician:
Determines that the risk of re-identification of the data, alone or in combination with other data, is very small; and
Documents the methods and results by which the health information is de-identified, and the expert makes his/her determination of risk. Note: the expert may not be the researcher or anyone directly involved in the research study.

Limited Data Set (LDS)
Allows access to PHI, with limited identifiable data elements, without an authorization or waiver of authorization
Requires a Data Use Agreement
Limited Data Set may include:
Dates
Geographic information (not street address)
Other unique identifying numbers, characteristics, or codes that are not expressly excluded

What is a Data Use Agreement?
The investigator must agree to the following:
Not to use or disclose the LDS for any purpose other than the research project or as required by law.
To use appropriate safeguards to prevent use or disclosure of the LDS other than as provided for by the agreement.
To report to VUMC any use or disclosure of the LDS not provided for by this agreement, of which he/she becomes aware, including without limitation, any disclosure of PHI to an unauthorized subcontractor.
To ensure that any agent, including a subcontractor, to whom he/she provides the LDS, agrees to the same restrictions and conditions that apply through the agreement to the Data Recipient with respect to such information.
Not to identify the information contained in the LDS or contact the individual.

How to use or disclose PHI for research purposes (continued)
Authorization
Participant provides authorization to use/disclose PHI as part of the informed consent process.  MUST include the following elements:
Specific description of the information to be used/disclosed
Who may use or disclose
To whom the PHI will be disclosed
Why the use or disclosure is being made (each purpose)
Statement of how long the use or disclosure will continue
Notice that authorization may be revoked
Notice that the information may be disclosed to others not subject to the Privacy Rule
Notice that the covered entity may or may not condition treatment or payment on the individual’s signature
Individual’s signature and date

How to use or disclose PHI for research purposes (continued)
Waiver of Authorization
To be granted by the IRB and must meet the following criteria:
The use or disclosure of PHI involves no more than minimal risk to the privacy of the individual.
The PI must provide a plan to protect identifiers, a plan to destroy the identifiers as soon as possible, and a statement that the information will not be disclosed.
The PI should provide justification as to why the research cannot be done without the waiver.

How to use or disclose PHI for research purposes (continued)
The PI should provide justification as to why the research cannot be done without the PHI.
The PI must provide a written assurance to the IRB that the PHI will not be re-used or disclosed except
As required by law,
For authorized oversight of the research, or
For other research that has been reviewed and approved by the IRB with specific approval regarding access to this PHI.

Minimum Necessary Standard
A covered entity must try to limit the use or disclosure of PHI to the minimum necessary to achieve the research purpose.
This standard applies to the following:
Research pursuant to a waiver
Use/disclosure of decedent’s PHI
Uses preparatory to research
Limited Data Sets
Minimum Necessary Standard does not apply to the following:
Treatment disclosures or requests
Use or disclosure made with an authorization
Disclosures to the individual
Disclosures to DHHS for compliance
Disclosures required by law

Accounting of Disclosures
Patients have the right to request an accounting of disclosures of their PHI for the past six years.
Applies to disclosure of PHI pursuant to a waiver of authorization, disclosures required by law, and for public health purposes.
Does not apply to disclosures pursuant to an authorization or to limited data set.
The Privacy Office, not the IRB, will maintain a centralized database to track disclosures.  This tracking requirement is the responsibility of the PI in conjunction with the Privacy Office.

What does not require IRB review?
Preparatory to Research
defined as any action taken, where access to PHI is required, for assessing the research question/hypothesis such as accessing medical records or querying of databases to prepare a research protocol.
The use or disclosure of the PHI is sought solely for the purpose of preparing a research protocol.
The PHI will not be removed from the covered entity.
This PHI is necessary for the purpose of a research study.

What does not require IRB review? (Continued)
Research on Decedents
Researchers may use and disclose a decedent’s PHI for research purposes without IRB review.
The following criteria must be met in the form of a statement to the covered entity:
The use will be solely for research on the PHI of a decedent.
The PHI sought is necessary for the purposes of the research.
The researcher has documentation of the death of the individual about whom information is being sought.

What is the IRB currently doing to prepare for HIPAA?
IRBs are currently updating forms and template language to meet the requirements set forth in the regulations.
Approved studies that will be enrolling beyond April 14, 2003 must have an authorization rider attached to the consent document. Template language for the HIPAA authorization rider is approved and on the website.
New studies should choose the Confidentiality and Privacy of Health Information language in the template and modify to include study specific information.

HIPAA Algorithm

POINTS to REMEMBER

HIPAA IS Here!
Since APRIL 14, 2003

Real Impact
Research may be done if:
No PHI is needed
A limited data set is used (need data use agreement)
Approval (authorization) from patient to do prospective research
May do “preparatory research” w/o IRB approval
“Waiver of Consent” is needed in retrospective studies and with a Limited Data Set
All patients need to sign additional paper for approval of information for prospective research

Questions?