HIPAA Survival Skills: An Introduction to HIPAA and Research

Evelyne Bital, MA
Assistant Director, Privacy and Regulatory Affairs
University of Miami Human Subjects Research Office
October 31, 2006

What is HIPAA?
• Health Insurance Portability and Accountability Act (HIPAA)
  Effective on April 14, 2003
• Federal law that protects the privacy of individually identifiable health information (PHI)
• Title 45 of the Code of Federal Regulations, Parts 160 and 164

What is Protected Health Information (PHI)?
Protected Health Information (PHI) is any individually identifiable information that is transmitted or maintained in electronic medium, or in any other form or medium.
• Medical Records, e.g. Medical History, Diagnosis, Treatment
• Payment Information, e.g. Bills, Receipts
• Ancillary Services, e.g. X-Rays, Labs
• Demographic Information (When Maintained with Health Information), e.g. Date of Birth, Social Security Number

Who Must Comply with HIPAA?
Covered Entity – Custodians of PHI
They must make a good faith effort to comply with the rule.
Three types of “Covered Entities”:
• Health Care Providers: includes organizations, individuals such as researchers when they provide health care, e.g. clinical trials
• Health Care Plans: insurers and payors
• Health Care Clearinghouses: billing services

How is UM Approaching HIPAA?
• Hybrid Entity
  - The University is not a covered entity. It is a hybrid entity with covered and non-covered components.

UM – Hybrid Entity
[Diagram labels: Covered Components, Treatment, Payment, Non-Covered Components, Research, Health Care Operations]

When are Researchers Covered?
• When providing health care to individuals, researchers are considered health care providers
• When accessing existing protected health information, HIPAA privacy rules apply

What are Covered Entities Required To Do?
1. Keep records of certain disclosures
2. Provide only minimally necessary information, including:
   a. Use pursuant to waiver
   b. Use preparatory to research
   c. Use of decedents’ PHI
   d. Use of limited data sets
3. Provide an accounting of certain disclosures, including:
   a. Use pursuant to waiver
   b. Use preparatory to research
   c. Use of decedents’ PHI
Note: This requires significant resources, e.g. time and labor, as well as strong internal controls on the part of the covered entity.

How does HIPAA Impact Research?
• Investigators will need to go through the covered entity’s “HIPAA-Hoops” to obtain data
• UM IRB will need to consider research subjects’ privacy rights

How Can PHI be Obtained for Research?
To Access PHI for Research:
• Authorization (Form B)
• Limited Data Set / Data Use Agreement (Form C)
• Waiver of Authorization (Form F)
• Certification for Review Preparatory to Research (Form E)
• Decedent Certification (Form D)
• De-Identification

What is De-Identified PHI?
Information that does not identify the individual; and there is no reasonable basis to believe the information can be used to identify an individual.

How do you De-Identify PHI?
• Removal of 18 Specified Identifiers:
  - Name
  - All Geographic Subdivisions Smaller Than a State (Street, City, County, Precinct, Parish, Zip Code, & their Equivalent Geo-codes Except for Initial 3 Digits of a Zip Code)
  - All Elements of Dates, Except Year (Admission Date, Discharge Date, Date of Death)
  - All Ages Over 89 & Dates and Elements Related to such Ages (Unless Aggregated into a Single Category of Age over 90)

How do you De-Identify PHI?
  - Telephone & Fax Number
  - E-mail, IP Address, & URL
  - Social Security #, Medical Record #, Health Plan Beneficiary #, & Account #
  - Certificate License #, VIN, Device Identifiers, & Serial #
  - Full Face Photographs, Biometric Identifiers
  - Any Other Unique Identifying Number, Characteristic, or Code

What is HIPAA Authorization (Form B)?
• Each study participant permits Use & Disclosure of their PHI for research purposes
• Must contain Privacy Notice provisions

Authorization (Form B)
Authorization Core Elements:
• Specific and meaningful description of information to be used or disclosed
• Identification of the person or class of person releasing the information
• Description of the investigator or class of persons receiving the information
• Description of each purpose of the requested use or disclosure
• Expiration date or event
• Signature and date

Confidentiality: Other Authorization Contents:
• Individual right to revoke authorization
• Covered entities are not permitted to condition treatment on the provision of authorization
• Must explain potential for information to be redisclosed by the recipient and that the recipient may not be required to comply with the Privacy Rule
• Must be written in plain language
• Copies must be provided to individual permitting the use and disclosure of PHI

What is a Waiver of Authorization?
• The IRB waives the authorization requirement
• PI must justify the request for the waiver
Note: Most applicable when authorization is impracticable, e.g. Retrospective Medical Research, Identifiable Database Research

What are the Criteria to Waive Authorization?
In order to obtain the waiver, researchers must justify the following criteria:
• The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals
  - Describe plan to protect identifiers, e.g. Who has access to PHI?
  - Describe plan to destroy identifiers or return identifying information to the covered entity
  - Provide assurance that PHI will not be re-used or disclosed to others
• The research could not practicably be conducted without the waiver or alteration to the authorization; and
• The research could not practicably be conducted without access to and use of the PHI

Reviews Preparatory to Research (Form E)
Preparatory work is PHI reviewed for the purpose of designing a research study or identifying potential subjects.
- PI must complete a protocol application and a Certification Preparatory to Research (Form E) and/or (Form F) where Form E representations were not satisfied.
  E.g.: PI wishes to have some direct identifiers (phone #) to contact subjects.

Reviews Preparatory to Research
Certification requires investigator to represent that:
1. The use or disclosure is sought solely to review PHI as necessary to prepare a research protocol
2. No UM PHI is to be removed from the covered entity by the researcher in the course of the review
3. The PHI for which use or access is sought is necessary for research purposes; and
4. The researcher will only record de-identified information
Clinicians wanting to review their own patient records for research purposes must follow this policy.

Research with Decedents (Form D)
• Decedent PHI is health information collected from deceased (prior to the study) subject’s records.
• Investigator’s Certification for Research with Decedents (Form D) must be submitted.

Minimum Necessary Requirement
HIPAA requires that use and disclosure of, and requests for, protected health information (PHI) must be limited to the “minimum necessary to accomplish the intended purpose.”
Example: Only the information pertaining to a specific use should be given to researcher.

Limited Data Set
The requirements for de-identifying information are so extensive that often the data is of limited value to researchers. The Privacy Rule permits the use and disclosure of PHI via a “limited data set” with a “data use agreement”.

What is a Limited Data Set?
• Limited set of identifiers to be used for research, public health, and health care operations purposes
• Permits use of some identifiable health information:
  - Five-Digit Zip Codes
  - City, State
  - Dates of Birth
  - Age Expressed in Years, Months, Days or Hours
  - Dates of Death
  - Dates of Admission/Discharge/Service
• Excludes direct identifiers
• Recipient enters into a “data use agreement” with covered entity in a form mandated by HIPAA (Form C)
• Recipient enters into a “Business Associate Agreement” with covered entity

Data Use Agreement (Form C)
REQUIRED for Limited Data Set
1. Defines who can use or receive data;
2. Defines for what purpose the data may be used;
3. Provides that PI will not re-identify the data or contact the subject;
4. Provides that data will be safeguarded & not used for unauthorized purposes;
5. Provides that researcher will report improper uses & disclosures;
6. Provides that researcher will “push down” privacy protection obligations to subcontractors.

HIPAA Business Associate (BA)
• At UM, investigators will serve dual roles: BAs of the covered entity in order to access the PHI to create the limited data set; and investigator/recipient of the LDS.
• Prior to disclosing PHI to the business associate, UM is required to enter into a written agreement with the BA that imposes specified safeguards on the PHI used or disclosed by the BA.

Business Associate Agreement
• Form mandated by HHS, in which the recipient satisfactorily assures the covered entity (UM/JHS) that they will protect the information from further disclosure.
• Before data is released, there needs to be specific descriptions of the methods the recipient will use to assure that the privacy of the information is protected. This is to be documented in a data use agreement or business associate agreement, depending on the situation.

HIPAA Disclosures
• HIPAA regulations grant individuals the right to receive an accounting of disclosures of their PHI made by a covered component for the six years prior to the request or since the applicable compliance date.
• Records must include specific information regarding each disclosure.

Accounting for Research Disclosures (cont’d)
• The Privacy Rule allows a simplified accounting by Covered Entities for disclosures of PHI for research purposes without an individual’s authorization.
• Under simplified accounting provisions, covered entities may provide individuals with a list of all protocols for which PHI has been disclosed, as well as the researcher’s name and contact information.

General Rules For Use and Disclosure of PHI for Research: Accounting for Disclosures (Form G)
Accounting Required:
• Disclosures made pursuant to an IRB waiver of authorization
• Disclosures made pursuant to certifications
Accounting NOT Required:
• Authorized disclosures (Authorization)
• PHI furnished in limited data sets

General Rules For Use and Disclosure of PHI for Research:
Accounting Required:
• Disclosures made pursuant to an IRB waiver of authorization
• Disclosures made pursuant to certifications
  - UM must complete an accounting for disclosures form (G) and submit form to privacy office and disclose PHI to research staff.
  - Disclosure forms must be completed for each patient participating in the study.

Transition Provisions
• Covered Entities may use and disclose PHI that was received or created for research before the compliance date (April 14, 2003) if they obtained one or more of the following prior to the compliance date:
  - An authorization or other express legal permission from an individual to use or disclose PHI for research purposes
  - The informed consent of the individual to participate in research
  - A waiver of informed consent granted by the IRB

Responsibilities of The Principal Investigator
• Document research team has completed HIPAA Privacy/Security Training and HIPAA Training for Researchers
• Submit project application to the IRB
• Assume responsibility for compliance with HIPAA
• Maintain logs of all access to, uses of, & disclosures of PHI
• Submit Data Use Agreements to the IRB

Institutional Review Board for the Protection of Human Subjects
• Responsible for review, approval and monitoring of human subject research conducted by UM faculty, staff and students
• Includes ensuring compliance with University of Miami HIPAA policies
• Plan must contain elements required under HIPAA
• Documentation of compliance with Covered Entity source of PHI

Sources of Information in Presentation
• Federal Regulations for HIPAA: 45 CFR 160 and 45 CFR 164
• University of Miami HIPAA Policies and Procedures
http://www.hhs.gov/ocr/hipaa/
http://www.hipaadvisory.com/regs/

Who do I contact about HIPAA Questions for Research?
• HIPAA Privacy Liaison for research is: Evelyne Bital, (305) 243-3195, e-mail: ebital@med.miami.edu
• For general HIPAA information or to access standard HIPAA forms for research: hsro.med.miami.edu

Questions?