SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH
Angela M. Vieira
General Counsel
Children’s Hospital and Health Center
June 5, 2004
Research and Privacy
• Common Rule
– “adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data” 45 CFR §46.111(a)(7)
• FDA
– informed consent includes “statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained and … not[ing] the possibility that the [FDA] may inspect the records” 21 CFR §50.25(a)(5)
Health Insurance Portability and Accountability Act of 1996
• Title I: Health Care Access, Portability, and Renewability
• www.hcfa.gov/medicaid/hipaa
• Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
• aspe.hhs.gov/admnsimp
• www.hhs.gov/ocr/hipaa
Administrative Simplification Components
• Transaction Standards
• Standard Code Sets
• Unique Health Identifiers
• Security Standards
• Electronic Signature Standards
• Information Transfer Among Health Plans
• Privacy Standards
TIMELINE
• Transactions and Code Set Standards
– October 16, 2002 (providers, large health plans)
  • extension but must file compliance plan
– October 16, 2003 (health plans < $5 million)
• Privacy Rule
– April 14, 2003 (providers, large health plans)
– April 14, 2004 (small health plans)
• Security Rule
– April 20, 2005 (providers, large health plans)
– April 20, 2006 (small health plans)
Who is Covered?
• Health care providers who transmit any health information in electronic transactions
• Health plans
• Health care clearinghouses
• [Prescription drug discount sponsor]
• Business associate relationships
What is covered?
• Protected health information (PHI) that is:
– individually identifiable health information
– transmitted or maintained in any form or medium
• Held by a covered entity in any form or medium
• De-identified information - NOT COVERED
Key Points
• Federal rule sets floor
– covered entities may provide greater protection
– More protective state law applies
– California law permitted research uses & disclosures without specific authorization
• Required disclosures limited to:
– subject of information
– DHHS for compliance
• All other disclosures are permissive
Privacy Rule - in brief
• Notice of Privacy Practices
• Uses and disclosures permitted for treatment, payment, health care operations
• Minimum necessary requirements
• Individual rights
• Patient authorization
• Organizational requirements
• Business associates
Individual Rights
• Right to inspect and receive copy of PHI
• Right to request restrictions of uses/disclosures
• Right to request amendment
• Right to an accounting of disclosures
• Right to have reasonable requests for confidential communications accommodated
• Right to written notice of information practices from providers and plans
• Right to file complaint with DHHS or covered entity
Enforcement
• Civil Monetary Penalties
– $100/violation
– Capped at $25,000/calendar year for each requirement or prohibition that is violated
– Enforced by DHHS Office of Civil Rights
• Criminal Penalties
– Greater penalties for certain knowing violations
– Enforced by Department of Justice
• Other liability
Permitted Uses/Disclosures Research
45 CFR §§164.512(i), 164.514(a), (e)
• Subject authorization
• Approved waiver
• Reviews preparatory to research
• Research on decedent’s information - NEW
• De-identified information – Not subject to Privacy Rule requirements
• Limited data set
Patient Authorization – Core Elements
• description of PHI
• CE authorized to make use/disclosure
• authorized recipient of PHI
• description of each purpose
• expiration date or event
• signature and date
– personal representative’s authority
Patient Authorization - Required Statements
• Right to revoke in writing
– How, describe exceptions OR
– Refer to CE’s Notice of Privacy Practices
• Research participation may be conditioned on signing authorization
• Potential of information to be redisclosed by recipient and no longer protected by Privacy Rule
Patient Authorization – Additional Requirements
• Plain language
• Copy of signed authorization
Criteria for Approval of Waiver
• Minimal risk to subject’s privacy
– Adequate plan to protect identifiers from improper use/disclosure
– Adequate plan to destroy identifiers at earliest opportunity consistent with conduct of research, unless health, research or legal justification for retention
– Adequate written assurances that PHI will not be reused or redisclosed to any other person or entity except as required by law, authorized oversight of research, or other permissible research
• Could not be practicably conducted without waiver
• Could not be practicably conducted without access to or use of PHI
Documentation Requirements
• Identification and date of action
• Waiver criteria
• PHI needed
• Review and approval procedures
• Required signature
Additional Requirements
• Notice of privacy practices
• Accounting of disclosures
• Minimum necessary standard
Reviews Preparatory for Research
• Permitted if CE obtains from researcher representations that:
– use or disclosure sought solely to prepare a research protocol or for similar purposes
– no PHI will be removed from CE by researcher in course of review
– PHI necessary for research purposes
Research Decedent’s Information
Permitted if CE obtains from researcher:
– representation that use or disclosure solely for research
– documentation, upon request, of individuals’ deaths
– representation that PHI necessary for research purposes
Common Rule - Waiver
• No more than minimal risk to subjects;
• Will not adversely affect the rights and welfare of the subjects;
• Research not practicably carried out without waiver or alteration; and
• Subjects provided with additional pertinent information after participation, when appropriate
Privacy Rule vs. Common Rule
• De-identified information is not subject to privacy rule requirements
– Certain exempt research now subject to IRB review
• Coded information still subject to IRB review under Common Rule
De-identification Requirements – Expert Opinion
Person with appropriate knowledge and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable
– determination that risk is “very small”; and
– documents methods and results of analysis.
45 CFR §164.514
De-identification – Removal of Identifiers
• Names
• Addresses
• Dates
• Telephone #s
• Fax #s
• E-mail addresses
• SSNs
• MRNs
• HP Beneficiary #s
• Account #s
• License #s
• Vehicle #s
• Device IDs
• URLs
• IP address
• Biometric IDs
• Photos
• Other
Limited Data Set
• Research, public health, health care operations
• CE may contract with business associate to create LDS
• Data Use Agreement
– Privacy Rule requirements
Limited Data Set – Removal of Direct Identifiers
• Names
• Street Address
• Telephone #s
• Fax #s
• E-mail addresses
• SSNs
• MRNs
• HP Beneficiary #s
• Account #s
• License #s
• Vehicle #s
• Device IDs
• URLs
• IP address #s
• Biometric IDs
• Photos
Common Issues
• Health care operations or research
– QA, QI activities
  • Outcomes evaluation, development of clinical guidelines
– Population-based activities relating to improving health or reducing cost
– Protocol development, case management, case coordination
– Cost management and planning-related analysis
  • Formulary development
  • Improved payment methodologies
• Intent is key!
– obtain generalizable knowledge not primary purpose
Common Issues
• Covered Entity, Hybrid Entity, or non-Covered Entity
– Cities, counties, states, agencies
– Schools, universities
– Non-health care employers
• Databases
• Decedent research
• De-identification
WEBSITES
• Privacyruleandresearch.nih.gov
– HIPAA & Research
• Aspe.hhs.gov/admnsimp
– HIPAA Administrative Simplification Components
• www.dhhs.gov/ocr/hipaa
– HIPAA Privacy Rule