HIPAA for Clinical Researchers - University of Michigan Health System

HIPAA Learning Module
The following is an educational PowerPoint presentation on the HIPAA rules and regulations. If you are involved in Marketing or Fundraising, or if you work with Business Associates, you will be required to complete one or more additional modules, currently under development.
To navigate through this module, use the arrows or click “Slide Show” at bottom right, or click on the titles in the table of contents on the left.
Version 2.0-Research
Updated 05/2012
1
THE HIPAA PRIVACY RULE … PATIENT CARE AND HUMAN SUBJECTS RESEARCH
UNIVERSITY OF MICHIGAN HEALTH SYSTEM
Effective 2003
OUR COMMITMENT TO PRIVACY
• The University of Michigan is committed to protecting the privacy and integrity of our patients’ health information. The HIPAA Privacy Rule recognizes the importance and value of this commitment.
• This session will help us continue to do our part in protecting privacy.

BACKGROUND
Regulations
• The Privacy Rule was adopted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
• The effective date for compliance was April 14, 2003.

OVERVIEW
What this means to you and our patients
The Privacy Rule gives patients more control over their Protected Health Information (PHI). So you need to know:
• patients’ rights regarding their PHI;
• key terms and general rules that you can apply; and
• when you can share patient information and when there are limits to what can be used or shared.

OVERVIEW
Patient Rights
The Privacy Rule gives patients the right to:
• have their PHI protected;
• receive a notice describing our privacy practices;
• inspect and copy their records;
• request that PHI in their records be corrected or changed;
• ask for limits on how their PHI is used or shared;
• get information about their PHI in different ways, such as at work and not at home;
• get a list of certain disclosures made of their PHI.

GENERAL RULES
Notice of Privacy Practices
• Health care providers and health plans will give out a Notice of Privacy Practices (NPP) that describes how we use and share their PHI, patients’ rights regarding PHI, our responsibilities regarding PHI, and who to contact for more information.
• Click here to review our NPP.

KEY TERMS
Protected Health Information, Use and Disclosure
Protected Health Information (PHI) includes information:
• sent or stored in any form;
• that identifies the patient or can be used to identify the patient;
• that is created or received by a covered entity (e.g., hospital, doctor, dentist, health plan);
• that relates to a patient’s past, present and/or future treatment and payment of services.
Use: generally refers to how PHI is handled (internally).
Disclosure: generally refers to how PHI is shared externally.

KEY TERMS
What is Protected Health Information (PHI)?
Protected Health Information (PHI) includes all of the following:
• Names
• Addresses including Zip Codes
• All Dates
• Telephone & Fax Numbers
• E-mail Addresses
• Social Security Numbers
• Medical Record Numbers
• Health Plan Numbers
• License Numbers
• Vehicle Identification Numbers
• Account Numbers
• Biometric Identifiers
• Device Identifiers
• Full Face Photos
• Any Other Unique Identifying Number, Characteristic or Code
Information does not need to include diagnosis or treatment information to be considered PHI.

KEY TERMS
Covered Entities
“Covered entities” includes:
• Health care providers at UMHS, including doctors, dentists, nurses and therapists, and where they work, such as hospitals and clinics;
• Health plans like Blue Cross/Blue Shield;
• Health care clearinghouses like Blue Cross/Blue Shield’s DENIS system and WebMD/Envoy.

KEY TERMS
Treatment, Payment and Health Care Operations (TPO)
Treatment: various activities related to patient care.
Payment: various activities related to paying for or getting paid for health care services.
Health Care Operations: generally refers to day-to-day activities of a covered entity, such as planning, management, education and training, quality improvement, accreditation, peer review.
NOTE: Research is not considered TPO.

GENERAL RULES
Patient Permission/Authorization
Patient permission is not needed to use or share information:
• for “TPO” - treatment, payment, or health care operations (research is not TPO);
• to share PHI with the patient;
• for public health purposes, e.g. to report births, deaths or diseases;
• as required by law, for law enforcement, to report abuse or neglect;
• to avoid threats to health and safety;
• with medical examiners and funeral directors;
• with organ donation organizations.

MARKETING AND FUNDRAISING
When Written Permission IS Needed
• Patient permission or “authorization” is needed to use or share PHI for certain marketing and fundraising activities.
For example: A doctor cannot give a diaper company the names of pregnant patients without an authorization.
NOTE: See the education program on marketing and fundraising for more information.

PSYCHOTHERAPY NOTES
When Written Permission IS Needed
• “Psychotherapy notes” are certain notes about a counseling session that are separate from the rest of the patient’s medical record.
• Generally, uses and disclosures of such notes require specific authorization.
NOTE: Stricter Michigan law applies for mental health; see the education program on behavioral health for more information.

GENERAL RULES
When the Patient Needs the Option to Decide
Patients are allowed to decide (written permission is not needed) if they want some or all of their PHI to be used or shared, such as:
• for patient directories; and
• with friends and family members involved in patient care or payment.

GENERAL RULES
Minimum Necessary
• Generally, the amount of PHI used, shared, accessed or requested must be limited to only what is needed.
For example: When we call an insurance company to get permission to provide a healthcare service, we don’t need to provide the patient’s entire medical history, only the diagnosis and procedure information that is needed for the company to approve payment of the claim.

GENERAL RULES
Minimum Necessary
• Workers should have access only to the PHI that their job responsibilities require.
For example: Someone who delivers food trays to patients may need PHI about the patient’s diet, but does not need to know why the patient is in the hospital.

GENERAL RULES
Minimum Necessary -- Continued
In some cases, this rule does not apply, such as:
• when PHI is shared or requested among health care providers for treatment;
• disclosures to a patient about his or her own PHI;
• authorized uses or disclosures approved by the patient; and
• uses or disclosures required by law or to comply with the privacy regulations.

GENERAL RULES
Incidental Disclosures
• In conducting TPO or other allowed activities, an incidental disclosure of PHI may occur. These are allowed if steps are taken to limit them.
For example: a patient can see another patient’s name on a sign-in sheet if no medical information is on the sheet, or may hear a patient’s name as it is called in the waiting room.

GENERAL RULES
Incidental Disclosures
• Take steps or reasonable safeguards to secure and protect PHI. For example:
– Speak in soft tones when discussing PHI;
– Do not discuss PHI in public hallways or in elevators;
– Use (but do not share) computer passwords; and
– Lock cabinets when your area is not monitored by other UMHS employees, e.g. at night.

GENERAL RULES
Business Associates
• A vendor providing a service for us that needs access to PHI must sign an agreement called a Business Associate agreement promising to keep PHI confidential.
For example: a database vendor that receives or has access to PHI to maintain a clinical database is required to sign a business associate agreement.
• Employees, volunteers, trainees and others whose work we control are not considered business associates, and therefore no business associate agreement with them is needed.
NOTE: See the education program on business associates for more information.

RESEARCH
When Written Permission IS Needed
• Patient permission or “authorization” is usually needed to use or share PHI for research.
• Conduct of research generally is governed under federal regulations for the protection of human subjects (the “Common Rule”); use or sharing of PHI for research is governed by HIPAA.

RESEARCH
Key Terms
The definition of “research” is the same under the Common Rule as it is under HIPAA, but the application is different:
Common Rule:
• a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge
• applies only to human subjects (i.e. live people)
HIPAA:
• a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge
• applies to records, both for current and for deceased patients

RESEARCH
General Rule
PHI (for living or deceased individuals) may be used or disclosed for research purposes only with written “authorization” (permission) from the patient.

AUTHORIZATION REQUIREMENTS
Authorization must address specific issues and include all of the following elements:
• What information will be used or disclosed
• Who can use or disclose
• Who can receive the information
• Purpose of disclosures
• Right to revoke authorization
• Notification of any consequences of refusing to sign the authorization (e.g., no participation in the research project)
• Warning: once authorized information is disclosed, it may no longer be protected under HIPAA
• Expiration date or event (may be “at the end of the project” or “none”)
• Signature, date, and (if applicable) authority of representative to sign

RESEARCH
Exceptions to the Authorization Requirement
• The authorization requirement is subject to some exceptions:
1. Waiver of authorization (approved by IRB or Privacy Board)
2. Use of PHI “preparatory to research”
3. Use of decedents’ information for research purposes
4. Disclosure of limited amounts of PHI under a “data use agreement”

RESEARCH
Exceptions to the Authorization Requirement
1. Waiver of Consent and Authorization
– Most studies regulated under the Common Rule are conducted under active written informed consent
– Some studies qualify for a “waiver” of written informed consent or a waiver of documentation of consent under the Common Rule
– HIPAA permits a waiver of “authorization”, but Common Rule and HIPAA requirements are not identical

RESEARCH
Waiver of Informed Consent/Authorization
A waiver may be granted by an IRB or a Privacy Board only if certain conditions are met:
IRB (Common Rule):
• Minimal risk to subjects
• No adverse effect on subject’s rights
• Impracticable to do research without waiver
• Information to subjects when appropriate
IRB or Privacy Board (HIPAA):
• Minimal risk to subjects’ privacy:
– Adequate plan to protect identifiers
– Adequate plans to destroy identifiers (break links) when and if possible
– Written assurance no inappropriate reuse or re-disclosure
• Impracticable to do research without waiver and without access to PHI
Even if your project is “exempt” from IRB oversight under the Common Rule, you still may need a waiver from the IRB or Privacy Board under HIPAA!

RESEARCH
Exceptions to the Authorization Requirement
2. PHI may be used without authorization for “reviews preparatory to research”
– Researcher must demonstrate to UM (through the IRB or Privacy Board) that:
• the PHI will be used only to prepare a protocol
• no PHI will be removed from UM or disclosed outside UM
• the PHI to be used is necessary for the research purpose
– Purpose of the exception is to prepare a protocol, e.g., facilitate study design work or feasibility analysis; it can also facilitate subject recruitment in some cases
– Exception is available only to UM workforce members (no sharing outside UM, e.g. with collaborators at other sites)
– The information reviewed under this exception may not be used for the research project itself or for any future project; only name/contact information should be extracted for recruitment

RESEARCH
Exceptions to the Authorization Requirement
3. PHI may be used or shared for research on decedents’ information
– Researcher must demonstrate to UM (through the IRB or Privacy Board) that:
• use or disclosure is only for research on decedents’ information
• deaths are documented
• PHI to be used or disclosed is necessary for the research purpose
– Note: deceased individuals are not considered human subjects under the Common Rule

RESEARCH
Exceptions to the Authorization Requirement
4. PHI in a “limited data set” may be used or shared without authorization for research purposes
– The researcher must sign a “Data Use Agreement” (a simple one-page contract)
– At UM, the Data Use Agreement must be filed with and approved by the Privacy Board or its designee (DRDA is authorized; additional procedures are in development)

RESEARCH
Limited Data Sets - Definition
• A limited data set may include:
– geographic information like city and zip code (but not street address)
– dates (including dates of birth, death, admission and discharge), and age in hours, days, months or years
• A limited data set may not include any of the following information with respect to the patient, patient’s household members, or patient’s employer:
– Name; street address; telephone and fax numbers; e-mail, URL, and IP addresses
– Social security, medical record, health plan beneficiary or account numbers, certificate/license numbers, vehicle identifiers and serial numbers, including license plate numbers
– Device identifiers and serial numbers; biometric identifiers, including finger and voice prints; and full face photographic or comparable images

RESEARCH
Before and After HIPAA
Informed Consent and Authorization
– Before HIPAA: Informed consent was usually required before enrolling a patient into a research study. Informed consent documents generally addressed confidentiality of research records.
– On or after April 14, 2003: Informed consent for subjects enrolled or reconsented on or after April 14, 2003 must include specific information about use and disclosure of PHI for research purposes.
Pre-Research Activities
– Before HIPAA: Many pre-research activities are not governed under the Common Rule and are not subject to oversight by IRBMED or other IRBs.
– On or after April 14, 2003: IRBMED or Privacy Board approval generally is required for any use or disclosure of PHI for research without authorization.
Waivers of Authorization
– Before HIPAA: Needed IRBMED-approved waiver to perform research without written informed consent.
– On or after April 14, 2003: Need IRBMED or Privacy Board-approved waiver to use PHI for research purposes without patient authorization. Expanded criteria apply. All waivers granted before April 14, 2003 are grandfathered.
Exemptions
– Before HIPAA: Some studies are “exempt” from IRB oversight under the Common Rule.
– On or after April 14, 2003: Even exempt studies may require patient authorization or Privacy Board waiver, unless one of the other exceptions applies.
Accounting for Disclosures
– Before HIPAA: The University of Michigan and other providers were not required to track disclosures made for research purposes without authorization.
– On or after April 14, 2003: Many research-related disclosures made without authorization must be tracked.

RESEARCH
Privacy Board and IRB
Privacy Board (PB):
• HIPAA permits a privacy board to grant a waiver to the “authorization” requirement that applies to most research activities
• Includes people with relevant experience and expertise, including at least one non-affiliated (community) member
• At UMHS, the PB will handle, at least on a temporary basis, projects that IRBMED would not otherwise be required to review (e.g., research databases, exempt research, non-regulated research)
Institutional Review Board (IRB):
• Functions under the Common Rule to review, approve, and maintain oversight over human subjects research; HIPAA permits the IRB to approve authorization waivers as well
• Includes people with relevant and diverse experience and expertise, including at least one non-scientist and at least one non-affiliated (community) member
• At UMHS, the IRBMED will incorporate HIPAA requirements into its regular review process, except for projects that do not require use or sharing of PHI

RESEARCH
Implementation at UMHS
• HIPAA allows either an IRB or a “Privacy Board” to grant a “waiver of authorization” for use or disclosure of PHI for research purposes (including creation/maintenance of research databases)
• At UMHS, the Privacy Board also will assist in other ways, including:
– Certifications for reviews preparatory to research
– Certifications for research on decedents’ information
– Approval of data use agreements
– Clearinghouse/expertise on privacy issues relevant to human subjects research projects
• A privacy board is not authorized to review and approve research under the Common Rule

RESEARCH
Implementation at UMHS
• HIPAA requires covered entities (e.g., UMHHC) to “account” for many research-related disclosures made without patient authorization
• Exceptions:
– internal uses do not need to be tracked
– disclosures made through a limited data set with a data use agreement do not need to be tracked
– disclosures of “deidentified data” do not need to be tracked (none of the identifiers on the PHI list are included in the data set)
– disclosures made in studies involving more than 50 subjects do not need to be tracked if we keep a list available of all such studies, including title, PI, and contact information
• Policies/procedures for accounting are under development

RESEARCH
What Does HIPAA Mean for You?
• No PHI in Research
– If you are conducting a project without use of PHI, HIPAA does not apply, but IRBMED’s informed consent template must be used for all new projects and scheduled continuation reviews beginning April 1
– Caution!
• If you do a blood test or radiological scan or other procedure only for research purposes, and not related to treatment, the information may not be PHI and your project is not regulated by HIPAA; but
• If the test or results information passes through the subject’s UM electronic medical record (“EMR”) (because the medical record number is used and/or information is derived from and/or posted to the EMR or other clinical information systems), then HIPAA may apply

RESEARCH
What Does HIPAA Mean for You?
• Some research-related disclosures are “grandfathered” under HIPAA:
– “Express legal permission” (usually written permission) from the individual to use or disclose their PHI for research
– Written informed consent obtained before April 14, 2003
– Waiver granted by IRB before April 14, 2003 (but if the subject is later consented, the consent must be HIPAA-compliant)

RESEARCH
Application: Multicenter Trials
• Four ways to share PHI with other centers:
– Written permission from the subject/patient (authorization)
– Waiver from IRB or Privacy Board
– Limited Data Set with Data Use Agreement
– Deidentified data (nothing on “PHI” list)
• When we need information from other centers for our own research projects:
– The updated IRBMED informed consent template is intended to comply with the privacy rule and to allow any health care provider or health plan to disclose PHI to us (or UMHHC to disclose PHI to our co-investigators) for research purposes.
– However, every site may have its own rules and policies.
– If another site or a sponsor requires an additional form to be signed by your subject, IRBMED must review and approve that form in advance.

RESEARCH
Application: Subject Recruitment
Alternatives under HIPAA, with pros and cons:
Review Preparatory to Research
– Pros: Simple application to Privacy Board
– Cons: For internal use only; should only get name/number; can’t use information collected for the project
Waiver of Authorization from Privacy Board
– Pros: Simple application to Privacy Board
– Cons: Possible accounting requirement; IRBMED approval needed re: recruiting procedures
(Partial) Waiver of Authorization from IRBMED
– Pros: Can disclose information outside UM (e.g., use survey vendors); can use information for the project
– Cons: Time required for IRBMED application; possible accounting requirement
Tell Patients About Study Opportunities But Let Them Contact Study Staff
– Pros: No disclosure of PHI (docs with an existing treatment relationship can always tell their patients about possible studies), so no HIPAA issues
– Cons: Makes the recruitment process passive and therefore likely less effective
Written Permission
– Pros: Can use information collected for the project; no accounting
– Cons: Generally must discuss with/obtain from patient at point of care; may need IRB review/approval

RESEARCH
Application: Databases and Registries
• We can create and maintain databases or registries for treatment, payment, and health care operations (“TPO”) purposes (e.g., CareWeb; PathNet; data warehouse) without permission. TPO activities include:
– Clinical care, billing, utilization review
– Quality assurance/assessment, accreditation activities
– Education, planning
• IRB or Privacy Board approval is required to access a TPO database for research purposes (even reviews preparatory to research)
• Written patient permission or an IRBMED or Privacy Board approved waiver is needed to create and maintain a database or registry solely for research purposes. Patient permission, if sought, must be specific as to research purpose (HIPAA prohibits “blanket” authorizations)

RESEARCH
Application: Databases and Registries
“Screening logs”
• If there is no use or disclosure of PHI, there is no HIPAA issue (information received directly from a subject through a survey is not PHI; but if the survey information is verified or supplemented by medical record information, then PHI has been used).
• If the log includes PHI but was created or used for TPO purposes, then it is OK to continue maintaining it without patient permission.
• If the log includes PHI and is used only for research purposes, you need patient permission or an IRB or Privacy Board waiver to continue entering data after April 14.
• Alternatives for sending data from a screening log to sponsors (without patient permission):
– “De-identify” the data (no elements listed on the “PHI” list may be present in the data set sent)
– Provide a “limited data set” with a data use agreement
– Obtain a waiver of authorization from the Privacy Board

RESEARCH
Application: Databases and Registries
Existing Datasets
• HIPAA does not require that existing datasets be destroyed
• New data cannot be added into an existing research dataset without written authorization or waiver, unless the data is first deidentified (all identifiers listed on the “PHI list” are eliminated) or made part of a limited data set
• Data cannot be removed from an existing dataset for research purposes without IRB or Privacy Board approval

RESEARCH
Application: IRBMED or Privacy Board?
• IRBMED
– Any research project subject to federal regulations for the protection of human subjects.
– Reviews preparatory to research may be submitted to IRBMED
• Privacy Board
– Waiver of authorization for a project that does not require IRBMED review (e.g., exempt from Common Rule oversight)
– Review preparatory to research
– Research on decedents’ information
– Limited data set disclosures

GENERAL RULES
What About Other Laws?
• We already follow many other laws, rules and guidelines to protect privacy.
• Generally, the Privacy Rule supersedes contrary state law, but there are times when Michigan law controls. In many cases, both must be followed.
• In cases where Michigan law provides more protection, Michigan law should be followed. For example, for AIDS/HIV or mental health records, Michigan law must be followed.

GENERAL RULES
Penalties for Violating the Privacy Rule
• The privacy regulations impose penalties for violations including:
– Civil penalties up to $1.5 Million per calendar year for each type of violation
– Criminal penalties up to $250,000 and 10 years in jail; applied to institutions and individuals.
• UMHS policies include disciplinary action up to and including discharge.

QUESTIONS
• Please visit http://www.med.umich.edu/u/hipaa/contact.htm if you have any questions about the Privacy Rule or applicable UMHS policies or procedures, or if you would like to make a complaint.
• Contact the Health System Legal Office at 734-764-2178 if you have any legal questions.
• Contact IRBMED at 734-763-4768 if you have any questions about IRBMED forms or procedures. Visit IRBMED’s HIPAA website often for HIPAA research updates at: http://www.med.umich.edu/irbmed/NewIRBMEDHIPAA.htm.
• For more information about the Privacy Rule, visit www.dhhs.gov/ocr/hipaa.

Continue to next section and get credit…
You must complete the next section, “Frequently Asked Questions.” To continue and get credit for completing this module, click HERE. Be sure to click on the last slide when finished, to get a certificate and credit.