PHI - Vanderbilt University Medical Center


VUMC Confidentiality Policy and HIPAA
Implications for Clinical Research
General Clinical Research Center
Skills Workshop
March 2, 2007
Gaye Smith
Privacy Official
[email protected]
343-3019
Vanderbilt as a Hybrid Entity
HIPAA is a federal law that protects the privacy and security of an
individual’s health information held by a “Covered Entity.” HIPAA
supplements the Common Rule and the FDA’s protections for human
subjects. For purposes of HIPAA, “Covered Entity” includes health
care providers, health care plans, and health care clearinghouses that
conduct specified transactions electronically.
Vanderbilt University is engaged in both Covered Entity functions and
other activities that are not Covered Entity functions and is therefore
considered a Hybrid Entity.
HIPAA regulations only apply to the Covered Entity functions.
Hybrid Entity Covered Entity Designation
As of March 30, 2005 the Vanderbilt Covered Entity (VCE) includes:
• Vanderbilt Medical Center hospitals, clinics, and practices
• Vanderbilt Medical Group (VMG)
• Vanderbilt School of Medicine (SOM)
• Vanderbilt School of Nursing (SON)
• Vanderbilt Health Plan
• VUMC Administration
for covered functions that involve the use and disclosure of PHI.
In July of 2006, the VACE was expanded to include the affiliated entities for
which VUMC has a controlling ownership interest or management
accountability.
Whether a Vanderbilt function or individual’s activity on behalf of VU is
included in the VACE is determined based not upon any particular dept/unit,
but instead upon the data being used and/or disclosed.
Vanderbilt University (a hybrid-entity)/Vanderbilt University Medical Center Affiliated Covered Entity
[Organization chart, "Affiliated Entities-27Nov06": affiliated entities in the ACE, grouped as wholly owned or partially owned and as non-profit or for-profit, each with an ownership percentage. Entities shown: VGCC, VWCC, VIP (V Integrated Providers), VASAP (V Asthma Sinus Allergy Program), VHCS (V Home Care Services), VIP MidSouth LLC (physician clinics), UCHS (Univ Community Health Services, Inc. (Vine Hill)), VIS (V Imaging Services, LLC), VSTI (V St. Thomas Imaging), Williamson Imaging, LLC.]
Data Categories
• Individually Identifiable Health Information (IIHI) –
information collected from an individual that is created or received by a
health care provider, employer, plan, or clearinghouse and relates to
the past, present, or future physical or mental condition of the
individual; the provision of health care to an individual; or the past,
present, or future payment for the provision of care; and identifies the
individual or can reasonably be used to identify the individual.
• Protected Health Information (PHI) –
IIHI transmitted or maintained in any form by a covered function within
the Vanderbilt covered entity. This specifically excludes education and
employment records, as well as research health information.
Data Categories
• Research Health Information (RHI) –
a term used by Vanderbilt to identify Individually Identifiable
Health Information (IIHI) used for research purposes that is not
PHI, and thus is NOT subject to the HIPAA privacy and security
regulations. RHI is created in connection with research activity
and is not created in connection with patient care activity. If a
researcher is also a health care provider and IIHI is created in
connection with the researcher’s health care provider activities,
then the IIHI is PHI and is subject to HIPAA.
IIHI that is created as PHI and is needed for research purposes
may be disclosed to a researcher subject to the IRB approval
process, which includes proper patient authorization or IRB
waiver of authorization. After the PHI is properly disclosed to
the research setting, the IIHI transferred to the research setting
becomes RHI, which is no longer subject to the requirements of
HIPAA.
WHAT PARTS OF RESEARCH ARE INSIDE THE HEALTHCARE
COMPONENT OF THE HYBRID ENTITY?
INSIDE THE HEALTHCARE COMPONENT
• PHI is health information created, used, and/or stored as a by-product of the delivery of health care services (stored in the designated record set)
• Human Subjects Research using PHI
• Clinical Trials
• Health Information created as RHI and conveyed to the medical record to support treatment purposes
OUTSIDE THE HEALTHCARE COMPONENT
• Research Health Information is created, used, stored, or disclosed from a research data file or system distinctly separate from the patient’s medical record
• Animal and Basic Sciences Research
• Human Subjects Research not using PHI
PHI <-> RHI
Internal disclosure
(prepared by Daniel Masys, M.D.)
[Diagram: PHI is subject to HIPAA requirements (and potentially, penalties). A HIPAA Authorization converts PHI to RHI, whose use is governed by the terms of the authorization or IRB waiver. Research creates new information added to medical records.]
Data Handling Implications
for PHI vs. RHI
• PHI is subject to the HIPAA Privacy
Rule and the Security Rule.
• RHI is subject to best practices for
maintaining confidentiality of research
records, but not subject to HIPAA.
• Subsequent uses and disclosures of RHI are
governed by the terms of the authorization or
waiver, not by HIPAA.
Uses and Disclosures for Research
HIPAA and VUMC policy generally limit the use and disclosure of PHI
to treatment, payment, and administrative operation (TPO) functions,
unless proper authorization is secured from the patient. Research
falls outside of TPO and will always require specific authorization or
other protections.
PHI can be used or disclosed for research purposes if one of the
following conditions is met:
• With a specific authorization signed by the patient
• With an IRB waiver of this authorization
• Under the “Preparatory to Research” criteria in IRB Policy X.A
• As a limited data set in conjunction with a Data Use Agreement
• As fully de-identified data
• For research on decedents
• Disclosures related to FDA-regulated products.
Requirements for Use or Disclosure of
Data for Human Research
[Flow chart. Data types shown: PHI; Limited Data Set, or De-identified Data, or Exempt research, no PHI. Requirements shown: IRB Exemption; Patient Authorization; Waiver from IRB; IRB waiver and Data Use Agreement. Disclosure Accounting: three paths are marked "Accounting of disclosure is NOT required" and one path is marked "IS REQUIRED".]
If you have privacy or information security
concerns or questions, contact:
• Privacy Office (936-3594) or email
[email protected]
• Help Desk (343-4357)
• Your manager
• Compliance Reporting Line (343-0135)
• Always forward patient privacy complaints to Patient
Affairs (322-6154) or the Privacy Office.