Oliver Johnson, Esq. Chief Privacy Officer Merck & Co., Inc

Download Oliver Johnson, Esq. Chief Privacy Officer Merck & Co., Inc

Post on 30-Dec-2015




0 download

Embed Size (px)


The Impact of HIPAA on U.S. Biomedical Research Presented To The: Dartmouth Hitchcock Medical Center Regional IRB Meeting Hanover, NH March 24, 2003. Oliver Johnson, Esq. Chief Privacy Officer Merck & Co., Inc. Merck Privacy Office. Overview. HIPAA Basics What is HIPAA? - PowerPoint PPT Presentation


<ul><li><p>The Impact of HIPAA on U.S. Biomedical Research Presented To The: Dartmouth Hitchcock Medical CenterRegional IRB Meeting</p><p>Hanover, NH March 24, 2003Oliver Johnson, Esq.Chief Privacy OfficerMerck &amp; Co., Inc.</p></li><li><p>OverviewHIPAA BasicsWhat is HIPAA?Who is covered?What is permitted?Recent Changes to HIPAAImpact of HIPAA on Biomedical ResearchImpact Management Strategies</p></li><li><p>Biomedical ResearchClinical ResearchEpidemiologic ResearchOutcomes Research</p></li><li><p>What is HIPAA?The Health Insurance Portability and Accountability Act of 1996; andThree sets of regulations issued by the Clinton Department of Health and Human Services in 2000:Privacy Regulations - April 14, 2003 Compliance DeadlineTransaction Standards - October 16,2002 Compliance DeadlineSecurity Regulations - PendingPrivacy rule revised by the Bush Department of Health and Human Services on August 14, 2002 RED = August 14, 2002 DeletionsBLUE = August 14, 2002 AdditionsGREEN = August 14, 2002 Reorganization</p></li><li><p>Who is covered?HIPAA Covered EntitiesHealth Care Providers that transmit health data electronically in connection with 1 or more of 8 HIPAA TransactionsPhysiciansHospitalsClinicsGroup PracticesPharmaciesHealth Care PlansHMOsHealth InsurersMedicarePBMsGroup Health PlansMedicaidHealth Care ClearinghousesEntities that transmit data into a HIPAA standard format from anon-standard format or vice versaBusiness Associates of HIPAA Covered EntitiesEntities that use protected health information (PHI) for or on behalf of covered entities</p></li><li><p>What is permitted?HIPAA Covered Entities must obtain one-time patient consents and then may use protected health information (PHI) only for TPO:Treatment of patientsPayment for treatmentHealth Care OperationsNOTE: The August 14, 2002 revisions replace the requirement of consent for TPO with an obligation to seek written verifications that data subjects have been provided with a covered entitys notice of privacy practices.</p></li><li><p>HIPAA Impact On Biomedical ResearchPharmaceutical industry research sponsors generally are not HIPAA Covered Entities or Business Associates of such entities.</p><p>Virtually all entities through which pharmaceutical companies conduct human-subject biomedical research are HIPAA Covered Entities.</p><p>There may be multiple Covered Entities involved in a clinical study (e.g., Study Site and Clinical Laboratory).</p><p>Research is not included in TPO.</p></li><li><p>HIPAA Research RequirementsUses or disclosures of PHI for research require:Signed, HIPAA compliant authorizations from each study participant, in addition to HIPAA consents and Common Rule informed consents;IRB or Privacy Board waivers of some or all of the authorization requirements; orDe-identification of patient data via one of two methods:Removing each of 18 prescribed data elements; orStatistical Analysis and opinionNOTE: The August 14, 2002 revisions allow the HIPAA authorization to be combined with a Common Rule informed consent.NOTE: The August 14, 2002 revisions create a limited identifiable data set that will be very useful for epidemiologic and outcomes research. Given restrictions on use, this data set would likely not be useful in clinical research.</p></li><li><p>HIPAA Research Requirements - Cont.Covered Entities Must Also:Provide detailed notices of their privacy policies and practices to all study participants;Provide physical, technical and administrative security;Allow data subjects to access and correct PHI about them.Disclose the minimum PHI necessary to achieve the authorized purposes; andDocument and provide, on request, an accounting of all disclosures of PHI for research purposes.</p><p>NOTE: The August 14, 2002 revisions eliminate the minimum necessary and accounting requirements for research conducted under HIPAA Authorizations.</p></li><li><p>AuthorizationsHIPAA Authorizations Must:Be written in plain language and signed by each study participant;Specify the data that will be collected and each use to which it will be put;Specify the persons, or types of persons, who will have access to the data;Specify a date or event after which the covered entity will no longer collect, use or disclose the data, or state that the authorization will not expire; State that the individual may refuse to sign or revoke the authorization at any time and that data collected before revocation will continue to be used;State that once the data are provided to the study sponsor, HIPAA will no longer protect them; andDisclose any payments from the sponsor to the investigator for use or disclosure of the data.</p></li><li><p>De-identification (Two Methods)HIPAA Safe Harbor 45 CFR 164.514(b)(2)(i)NamesGeographic subdivisions smaller than a stateZip codesDates (birth, admission, discharge, death)Age, if over 89Telephone numbersFax numbersE-mail addressesSocial security numbersMedical record numbersHealth plan beneficiary numbersAccount numbersCertificate and license numbersVehicle identification and serial numbersLicense plate numbersDevice identifiers and serial numbersURLsInternet Protocol address numbersBiometric identifiers (finger and voice prints)Full face photos and comparable imagesAny other unique identifiersStatistical 45 CRF 164.514(b)(1)A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable;Determines that the risk of re-identification of the data, alone or in combination with other reasonably available data, is very small; andDocuments the methods and results.</p></li><li><p>Limited Use Data SetAllowedAdmission DatesDischarge DatesService DatesDeath DateAge (in hours, months or days)Age (for those over 90)Five Digit Zip CodesNot AllowedNamesStreet AddressesTelephone and Fax Numberse-Mail AddressesSocial Security NumbersCertificate or License NumbersVehicle ID and Serial NumbersURLs and IP AddressesFull Face Photos and Comparable ImagesMedical Record Numbers</p></li><li><p>Waivers and Alterations (HIPAA vs. CR)HIPAA 45 CFR 164.512(i)(2)(ii) A.Use or disclosure involves no more than minimal risk to the privacy of individuals, as indicated by F-H below;B.Alteration or waiver will not adversely affect privacy rights and welfare of individuals; C.Research could not practicably be conducted without the alteration or waiver;D.Research could not practicably be conducted without access to and use of PHI;E.Privacy risks to individuals are reasonable in relation to the anticipated benefits if any, to the individuals, and the importance of the knowledge that may be reasonably expected to result from the research;F.Adequate plan to protect identifiers from improper use and disclosure;G.Adequate plan to destroy identifiers at the earliest opportunity, unless there is a health or research justification or legal requirement to retain them; andH.Adequate written assurances that PHI will not be reused or disclosed for other purposes.Common Rule 45 CFR46.116(d)A.Research involves no more than minimal risk to subjects;B.Waiver or alteration will not adversely affect the rights and welfare of subjects;C.Research could not practicably be carried out without the waiver or alteration; andD.Whenever appropriate, subjects will be provided with additional pertinent information after participation</p></li><li><p>ExceptionsCovered entities may use and disclose PHI withoutauthorizations, waivers, or de-identification where:</p><p>the disclosure is to a person who is subject to FDA jurisdiction with respect to a product for which that person has responsibility, and is required for the purpose of activities related to the quality, safety or effectiveness of the product, including to:collect or report adverse events;track products;enable product recalls, repairs or replacements; orconduct post-marketing surveillance.</p><p>the information is used in preparation for research (e.g., protocol development), provided that it does not leave the covered entity; or</p><p>the information relates to deceased individuals.</p></li><li><p>HIPAA Transition ProvisionsTransition (Grandfather) Provisions for Research ThatIncludes Treatment:For patients who sign informed consents before April 14, 2003:data collected before April 14, 2003 may be used and disclosed for research after April 14, 2003 without the need for authorizations; anddata may be collected, used and disclosed for research after April 14, 2003 without the need for authorizations, provided thatdata are collected, used and disclosed in consistently with the Common Rule informed consents.Research authorizations required for patients who sign Common Rule informed consents on or after April 14, 2003.Note: The August 14, 2002 revisions adopt this transition provision for all research regardless of whether treatment is involved, and for research conducted pursuant to an IRB waiver of informed consent obtained prior to April 14, 2003. </p></li><li><p>HIPAA Transition ProvisionsTransition Provisions for Research That Does NotInclude Treatment:If informed consents are obtained before April 14, 2003, researchers may rely on such consents to use and disclose data created or received before April 14, 2003, but not after.Research authorizations are required for patients who sign informed consents on or after April 14, 2003.Research authorizations are required where patients did not sign informed consents to participate in research.NOTE: The August 14, 2002 revisions eliminate this provision and adopt the transition provisions set forth on the preceding slide for all research.</p></li><li><p>HIPAA LiabilityViolations of HIPAA can result in:Civil sanctions on covered entitiesCriminal sanctionsInterruption of data collection, use and disclosure by covered entities</p></li><li><p>Impact On Clinical ResearchAs a practical matter, each of the following will be required to conduct CLINICAL studies under HIPAA:Common Rule Informed Consent to participate in the studyHIPAA Consent for treatment, payment and health care operationsHIPAA Authorization to allow use of existing medical records for researchHIPAA Authorization to allow the study site to collect, use and disclose PHI to the sponsor for research purposesHIPAA Notice of Privacy Practices detailing covered entities HIPAA compliant policies and procedures.NOTE: The August 14, 2002 revisions replace the HIPAA Consent requirement with an obligation to seek verifications that data subjects have been provided with a covered entitys notice of privacy practices.NOTE: The August 14, 2002 revisions allow an authorization to be combined with a Common Rule consent.</p></li><li><p>Impact On Public Health ResearchAs a practical matter, the following will be required to conduct non-clinical EPIDEMIOLOGIC and OUTCOMES research under HIPAA:HIPAA Authorization to allow use of existing medical records for research; orIRB Waiver of some or all of the Authorization requirements.ORUse of partially identifiable data under an agreement with the providing Covered Entity that binds the researcher to use and disclose the data only for research and public health purposes, and to not re-identify or contact any data subject.</p></li><li><p>Assessing HIPAA ReadinessBefore engaging a U.S. study site, research sponsorsshould verify that the site:Posts its notice of privacy practices and seeks written acknowledgement from patients that they have received copies;Maintains HIPAA policies and procedures;Has a privacy officer and a contact person to receive complaints;Has implemented technical, physical and administrative security for patient information; andHas provided and documented HIPAA training for its employees.</p></li><li><p>Monitoring HIPAA ComplianceOnce a decision is made to engage a U.S. study site,sponsor monitors should verify that:Consent forms used at the site meet the HIPAA authorization requirements;Final CRFs, workbooks, and other documents provided to the sponsor contain only the identifiable patient information that is to be disclosed to the sponsor in accordance with the consents/authorizations and protocol;Hard copy patient information is maintained securely, electronic systems are password protected, and access to records is given on a need-to-know basis;The site has documented and responded to any study participant requests for access; andAny confidentiality breaches are addressed and resolved.</p></li><li><p>Practical ImplicationsAugust 14, 2002 revisions are practical and appropriate and will reduce HIPAAs negative impact on research;More conservative IRB scrutiny of research protocols, consent forms, authorizations and waiver requests;Attempts by some research institutions to contractually impose HIPAA Business Associate requirements on pharmaceutical company research sponsors;Increased paperwork, expense, time and difficulty in enrolling patients and administering studies; Need for pre-contract consideration by research sponsors of research partner HIPAA compliance; andGreater reluctance amongst U.S. physicians to provide AE and pregnancy registry information to pharmaceutical companies.</p></li><li><p>HIPAA Impact Management StrategyUpdate Merck Consent Templates to address HIPAA.Educate internally regarding HIPAAs impact on Merck research.Establish criteria for evaluating the HIPAA readiness of U.S. research sites.Engage pharmaceutical industry research sponsors, leading research institutions, IRBs and trade associations in discussions regarding the practical impact of HIPAA on research and build consensus regarding key issues and appropriate solutions.Monitor and respond to emergence of tougher U.S. state laws.</p></li><li><p>Questions?</p></li></ul>