HIPAA and Orthopedic Research
William T Obremskey MD MPH
AAOS 2004
HWB Foundation

HIPAA – How Will the Regulations Impact Research?

What is HIPAA?
Health Insurance Portability and Accountability Act of 1996 (Privacy Rule)
November 1999 – DHHS proposed regulations
December 2000 – Final Rule published
August 2002 – New Final Rule published
December 2002 – Guidance Document published
Date of Compliance – APRIL 14, 2003

Covered Entities
Health Plans (insurers and payors)
Health Care Providers
Health Care Clearinghouses (billing services)

Privacy Rule Protects:
Individually Identifiable Health Information
is defined as any information collected from an individual (including demographics) that is:
  created or received by a health care provider, health plan, employer, and/or health care clearinghouse
  relates to the past, present or future:
    physical or mental health or condition of an individual,
    the provision of health care to an individual; or
    payment for the provision of health care to an individual; and
  identifies the individual and/or there is a reasonable basis to believe that the information can be used to identify the individual. (45 CFR 160.103)

Identifying Data Elements
Names
Addresses
Dates
Phone Numbers
Fax Numbers
Social Security Numbers
Medical Record Number
Health Plan Numbers
Account Numbers
Certificate/License Numbers
VIN/License Plate Numbers
Device Identifiers
Names of Relatives
Web URLs
IP addresses
Biometric Identifiers
Photographs and comparable images
Any other unique identifying number, characteristic, or code
Initials

HIPAA Terms
PHI – Protected Health Information
Use – data accessed and shared within the covered entity
Disclosure – the providing of data outside of the covered entity, not including Business Associates
Authorization – permission provided by the patient or legal representative to use or disclose the individual’s PHI
Limited Data Set – group of data that is de-identified except for geographic location and dates

HIPAA Terms Continued
Data Use Agreement – document used to create and disclose a Limited Data Set
Designated Record Set – The part of the medical record used for patient care/treatment
Minimum Necessary Standard – under certain conditions the covered entity must limit the access to PHI
Accounting of Disclosures – under certain conditions the covered entity must track disclosures of PHI, such as waiver of authorization

How to Fit HIPAA into your Research?

How to Use or Disclose PHI for Research Purposes
De-identified data
Limited Data Set
Authorization
Waiver of Authorization

How to use or disclose PHI for research purposes (continued)
De-identification
  Remove all 19 identifiers; or
  Statistical Certification – the information may be considered de-identified, if an independent, qualified statistician:
    Determines that the risk of re-identification of the data, alone or in combination with other data, is very small; and
    Documents the methods and results by which the health information is de-identified, and the expert makes his/her determination of risk. Note: the expert may not be the researcher or anyone directly involved in the research study.

Limited Data Set (LDS)
Allows access to PHI, with limited identifiable data elements, without an authorization or waiver of authorization
Requires a Data Use Agreement
Limited Data Set may include:
  Dates
  Geographic information (not street address)
  Other unique identifying numbers, characteristics, or codes that are not expressly excluded

What is a Data Use Agreement?
The investigator must agree to the following:
  Not to use or disclose the LDS for any purpose other than the research project or as required by law.
  To use appropriate safeguards to prevent use or disclosure of the LDS other than as provided for by the agreement.
  To report to VUMC any use or disclosure of the LDS not provided for by this agreement, of which he/she becomes aware, including without limitation, any disclosure of PHI to an unauthorized subcontractor.
  To ensure that any agent, including a subcontractor, to whom he/she provides the LDS, agrees to the same restrictions and conditions that apply through the agreement to the Data Recipient with respect to such information.
  Not to identify the information contained in the LDS or contact the individual.

How to use or disclose PHI for research purposes (continued)
Authorization
Participant provides authorization to use/disclose PHI as part of the informed consent process. MUST include the following elements:
  Specific description of the information to be used/disclosed
  Who may use or disclose
  To whom the PHI will be disclosed
  Why the use or disclosure is being made (each purpose)
  Statement of how long the use or disclosure will continue
  Notice that authorization may be revoked
  Notice that the information may be disclosed to others not subject to the Privacy Rule
  Notice that the covered entity may or may not condition treatment or payment on the individual’s signature
  Individual’s signature and date

How to use or disclose PHI for research purposes (continued)
Waiver of Authorization
To be granted by the IRB and must meet the following criteria:
  The use or disclosure of PHI involves no more than minimal risk to the privacy of the individual.
  The PI must provide a plan to protect identifiers, a plan to destroy the identifiers as soon as possible, and a statement that the information will not be disclosed.
  The PI should provide justification as to why the research cannot be done without the waiver.

How to use or disclose PHI for research purposes (continued)
The PI should provide justification as to why the research cannot be done without the PHI.
The PI must provide a written assurance to the IRB that the PHI will not be re-used or disclosed except:
  As required by law,
  For authorized oversight of the research, or
  For other research that has been reviewed and approved by the IRB with specific approval regarding access to this PHI.

Minimum Necessary Standard
A covered entity must try to limit the use or disclosure of PHI to the minimum necessary to achieve the research purpose.
This standard applies to the following:
  Research pursuant to a waiver
  Use/disclosure of decedent’s PHI
  Uses preparatory to research
  Limited Data Sets
Minimum Necessary Standard does not apply to the following:
  Treatment disclosures or requests
  Use or disclosure made with an authorization
  Disclosures to the individual
  Disclosures to DHHS for compliance
  Disclosures required by law

Accounting of Disclosures
Patients have the right to request an accounting of disclosures of their PHI for the past six years.
Applies to disclosure of PHI pursuant to a waiver of authorization, disclosures required by law, and for public health purposes.
Does not apply to disclosures pursuant to an authorization or to a limited data set.
The Privacy Office, not the IRB, will maintain a centralized database to track disclosures. This tracking requirement is the responsibility of the PI in conjunction with the Privacy Office.

What does not require IRB review?
Preparatory to Research
defined as any action taken, where access to PHI is required, for assessing the research question/hypothesis such as accessing medical records or querying of databases to prepare a research protocol.
  The use or disclosure of the PHI is sought solely for the purpose of preparing a research protocol.
  The PHI will not be removed from the covered entity.
  This PHI is necessary for the purpose of a research study.

What does not require IRB review? (Continued)
Research on Decedents
Researchers may use and disclose a decedent’s PHI for research purposes without IRB review.
The following criteria must be met in the form of a statement to the covered entity:
  The use will be solely for research on the PHI of a decedent.
  The PHI sought is necessary for the purposes of the research.
  The researcher has documentation of the death of the individual about whom information is being sought.

What is the IRB currently doing to prepare for HIPAA?
IRBs are currently updating forms and template language to meet the requirements set forth in the regulations.
Approved studies that will be enrolling beyond April 14, 2003 must have an authorization rider attached to the consent document. Template language for the HIPAA authorization rider is approved and on the website.
New studies should choose the Confidentiality and Privacy of Health Information language in the template and modify to include study specific information.

HIPAA Algorithm
POINTS to REMEMBER
HIPAA IS Here!
Real Impact
Research may be done if:
  No PHI is needed
  A limited data set is used (need data use agreement)
  Approval (authorization) from patient to do prospective research
May do “preparatory research” w/o IRB approval
“Waiver of Consent” is needed in retrospective studies and with a Limited Data Set
All patients need to sign additional paper for approval of information for prospective research

Questions?