
Post on 21-Dec-2015


Version 2.0-Research

Updated 05/2012 1

HIPAA Learning Module

The following is an educational PowerPoint presentation on the HIPAA rules and regulations.

If you are involved in Marketing or Fundraising, or if you work with Business Associates, you will be required to complete one or more additional modules, currently under development.

To navigate through this module, use the arrows or click “Slide Show” at bottom right, or click on the titles in the table of contents on the left.


THE HIPAA PRIVACY RULE … PATIENT CARE AND HUMAN SUBJECTS RESEARCH

UNIVERSITY OF MICHIGAN HEALTH SYSTEM
Effective 2003


OUR COMMITMENT TO PRIVACY

The University of Michigan is committed to protecting the privacy and integrity of our patients’ health information. The HIPAA Privacy Rule recognizes the importance and value of this commitment.

This session will help us continue to do our part in protecting privacy.


BACKGROUND

Regulations

The Privacy Rule was adopted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The effective date for compliance was April 14, 2003.


OVERVIEW
What this means to you and our patients

The privacy rule gives patients more control over their Protected Health Information (PHI). So you need to know:

• Patients’ rights regarding their PHI;

• Key terms and general rules that you can apply; and

• When you can share patient information and when there are limits to what can be used or shared.


OVERVIEW
Patient Rights

The Privacy Rule gives patients the right to:

• have their PHI protected;

• receive a notice describing our privacy practices;

• inspect and copy their records;

• request that PHI in their records be corrected or changed;

• ask for limits on how their PHI is used or shared;

• get information about their PHI in different ways, such as at work and not at home;

• get a list of certain disclosures made of their PHI.


GENERAL RULES
Notice of Privacy Practices

Health care providers and health plans will give out a Notice of Privacy Practices (NPP) that describes how we use and share patients’ PHI, patients’ rights regarding PHI, our responsibilities regarding PHI, and who to contact for more information.



KEY TERMS
Protected Health Information, Use and Disclosure

Protected Health Information (PHI) includes information:

• sent or stored in any form;

• that identifies the patient or can be used to identify the patient;

• that is created or received by a covered entity (e.g., hospital, doctor, dentist, health plan);

• that relates to a patient’s past, present and/or future treatment and payment of services.

Use: generally refers to how PHI is handled (internally).

Disclosure: generally refers to how PHI is shared externally.


KEY TERMS
What is Protected Health Information (PHI)?

Protected Health Information (PHI) includes all of the following:

• Names

• Addresses, including Zip Codes

• All Dates

• Telephone & Fax Numbers

• E-mail Addresses

• Social Security Numbers

• Medical Record Numbers

• Health Plan Numbers

• License Numbers

• Vehicle Identification Numbers

• Account Numbers

• Biometric Identifiers

• Device Identifiers

• Full Face Photos

• Any Other Unique Identifying Number, Characteristic or Code

Information does not need to include diagnosis or treatment information to be considered PHI.


KEY TERMS
Covered Entities

“Covered entities” include:

• Health care providers at UMHS, including doctors, dentists, nurses and therapists, and where they work, such as hospitals and clinics;

• Health plans like Blue Cross/Blue Shield;

• Health care clearinghouses like Blue Cross/Blue Shield’s DENIS system and WebMD/Envoy.


KEY TERMS
Treatment, Payment and Health Care Operations (TPO)

Treatment: various activities related to patient care.

Payment: various activities related to paying for or getting paid for health care services.

Health Care Operations: generally refers to day-to-day activities of a covered entity, such as planning, management, education and training, quality improvement, accreditation, peer review.

NOTE: Research is not considered TPO.


GENERAL RULES
Patient Permission/Authorization

Patient permission is not needed to use or share information:

• for “TPO” (treatment, payment, or health care operations; research is not TPO);

• to share PHI with the patient;

• for public health purposes, e.g. to report births, deaths or diseases as required by law;

• for law enforcement;

• to report abuse or neglect;

• to avoid threats to health and safety;

• with medical examiners and funeral directors;

• with organ donation organizations.


MARKETING AND FUNDRAISING

When Written Permission IS Needed

Patient permission or “authorization” is needed to use or share PHI for certain marketing and fundraising activities.

For example: A doctor cannot give a diaper company the names of pregnant patients without an authorization.

NOTE: See the education program on marketing and fundraising for more information.


PSYCHOTHERAPY NOTES

When Written Permission IS Needed

“Psychotherapy notes” are certain notes about a counseling session that are separate from the rest of the patient’s medical record.

Generally, uses and disclosures of such notes require specific authorization.

NOTE: Stricter Michigan law applies for mental health, see the education program on behavioral health for more information.


GENERAL RULES

When the Patient Needs the Option to Decide

Patients are allowed to decide (written permission is not needed) if they want some or all of their PHI to be used or shared, such as:

♦ for patient directories; and

♦ with friends and family members involved in patient care or payment.


GENERAL RULES Minimum Necessary

Generally, the amount of PHI used, shared, accessed or requested must be limited to only what is needed. For example: When we call an insurance company to get permission to provide a healthcare service, we don’t need to provide the patient’s entire medical history, only the diagnosis and procedure information that is needed for the company to approve payment of the claim.


GENERAL RULES Minimum Necessary

Workers should have access only to the PHI that the job responsibilities require.

For example: Someone who delivers food trays to patients may need PHI about the patient’s diet, but does not need to know why the patient is in the hospital.


GENERAL RULES Minimum Necessary -- Continued

In some cases, this rule does not apply, such as:

When PHI is shared or requested among health care providers for treatment;

Disclosures to a patient about his or her own PHI;

Authorized uses or disclosures approved by the patient; and,

Uses or disclosures required by law or to comply with the privacy regulations.
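The three Minimum Necessary slides above describe field-level least privilege: each job role sees only the PHI its duties require, with the exemptions listed on the last slide. The following Python is an added example written for this page, not code from the UMHS module; the roles (dietary, billing, clinician), the field names, the purpose labels and the patient record are all assumptions constructed for illustration.

```python
"""Minimum necessary as field-level least privilege: each role sees only the
fields its job needs, a treating provider is exempt, and every access is
logged.  Added example; roles, field names and the record are assumptions."""

# Constructed patient record for the example (not real data).
PATIENT_RECORD = {
    "mrn": "000123456",
    "name": "Sample Patient",
    "room": "4C-12",
    "diet": "2 g sodium, diabetic",
    "admitting_diagnosis": "CHF exacerbation",
    "procedure_codes": ["93306"],
    "history": "hypertension; prior MI (2004)",
    "insurance_id": "BCBS-9988",
}

# Assumed job roles and the fields each needs.  The tray worker needs the
# diet, not the diagnosis; billing needs the diagnosis and procedure codes
# for a payer, not the whole history; a clinician doing operations work
# (e.g. peer review) does not need the insurance identifier.
ROLE_FIELDS = {
    "dietary": frozenset({"name", "room", "diet"}),
    "billing": frozenset({"mrn", "name", "admitting_diagnosis",
                          "procedure_codes", "insurance_id"}),
    "clinician": frozenset({"mrn", "name", "room", "diet", "admitting_diagnosis",
                            "procedure_codes", "history"}),
}
# Roles that count as health care providers: minimum necessary does not
# apply when they share PHI for treatment (slide "Minimum Necessary -- Continued").
PROVIDER_ROLES = frozenset({"clinician"})
# Other purposes the same slide exempts, regardless of role.
PURPOSES_EXEMPT_FOR_ANYONE = frozenset({"patient_own_request",
                                        "patient_authorization",
                                        "required_by_law"})


def minimum_necessary(record, role, purpose, access_log):
    """Return the subset of `record` the role may see for `purpose`.
    Raises PermissionError for roles with no defined field set; appends an
    entry to `access_log` either way so denied attempts are reviewable too."""
    entry = {"role": role, "purpose": purpose, "mrn": record.get("mrn")}
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        entry.update(result="denied", fields=[])
        access_log.append(entry)
        raise PermissionError(f"no field set defined for role {role!r}")
    exempt = (purpose in PURPOSES_EXEMPT_FOR_ANYONE
              or (purpose == "treatment" and role in PROVIDER_ROLES))
    released = dict(record) if exempt else {k: v for k, v in record.items() if k in allowed}
    entry.update(result="full" if exempt else "filtered", fields=sorted(released))
    access_log.append(entry)
    return released


if __name__ == "__main__":
    log = []
    for role, purpose in (("dietary", "operations"), ("billing", "payment"),
                          ("clinician", "treatment"), ("clinician", "operations")):
        print(f"{role:10} {purpose:11} -> {sorted(minimum_necessary(PATIENT_RECORD, role, purpose, log))}")
    print(len(log), "accesses logged")
```

The allow-list is per role rather than per field, so a new column added to the record is invisible to every role until someone decides who needs it; that is the safe default for PHI. The treatment exemption is tied to provider roles, not to the word "treatment" alone, because the slide exempts sharing among health care providers, not any worker who cites treatment as the reason.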


GENERAL RULES Incidental Disclosures

In conducting TPO or other allowed activities, an incidental disclosure of PHI may occur. These are allowed if steps are taken to limit them.

For example: a patient can see another patient’s name on a sign-in sheet if no medical information is on the sheet or may hear a patient’s name as it is called in the waiting room.


GENERAL RULES
Incidental Disclosures

Take steps or reasonable safeguards to secure and protect PHI. For example:

– Speak in soft tones when discussing PHI;

– Do not discuss PHI in public hallways or in elevators;

– Use (but do not share) computer passwords; and

– Lock cabinets when your area is not monitored by other UMHS employees, e.g. at night.


GENERAL RULES
Business Associates

A vendor providing a service for us where they need to have access to PHI must sign an agreement called a Business Associate Agreement promising to keep PHI confidential.

For example: a database vendor that receives or has access to PHI to maintain a clinical database is required to sign a business associate agreement.

Employees, volunteers, trainees and others whose work we control are not considered business associates, and therefore, no business associate agreement with them is needed.

NOTE: See the education program on business associates for more information.


RESEARCH

When Written Permission IS Needed

Patient permission or “authorization” is usually needed to use or share PHI for research.

Conduct of research generally is governed under federal regulations for the protection of human subjects (the “Common Rule”); use or sharing of PHI for research is governed by HIPAA.


RESEARCH
Key Terms

The definition of “research” is the same under the Common Rule as it is under HIPAA, but the application is different:

Common Rule

• a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge

• applies only to human subjects (i.e. live people)

HIPAA

• a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge

• applies to records, both for current and for deceased patients


RESEARCH
General Rule

PHI (for living or deceased individuals) may be used or disclosed for research purposes only with written “authorization” (permission) from the patient.


AUTHORIZATION REQUIREMENTS

Authorization must address specific issues and include all of the following elements:

• What information will be used or disclosed

• Who can use or disclose

• Who can receive the information

• Purpose of disclosures

• Right to revoke authorization

• Notification of any consequences of refusing to sign the authorization (e.g., no participation in the research project)

• Warning: once authorized information is disclosed, it may no longer be protected under HIPAA

• Expiration date or event (may be “at the end of the project” or “none”)

• Signature, date, and (if applicable) authority of representative to sign


RESEARCH
Exceptions to the Authorization Requirement

• The authorization requirement is subject to some exceptions:

1. Waiver of authorization (approved by IRB or Privacy Board)

2. Use of PHI “preparatory to research”

3. Use of decedents’ information for research purposes

4. Disclosure of limited amounts of PHI under a “data use agreement”


RESEARCH
Exceptions to the Authorization Requirement

1. Waiver of Consent and Authorization

– Most studies regulated under the Common Rule are conducted under active written informed consent

– Some studies qualify for a “waiver” of written informed consent or a waiver of documentation of consent under the Common Rule

– HIPAA permits a waiver of “authorization”, but Common Rule and HIPAA requirements are not identical


RESEARCH
Waiver of Informed Consent/Authorization

A waiver may be granted by an IRB or a Privacy Board only if certain conditions are met:

IRB-Common Rule:

• Minimal risk to subjects

• No adverse effect on subject’s rights

• Impracticable to do research without waiver

• Information to subjects when appropriate

IRB or Privacy Board-HIPAA:

• Minimal risk to subjects’ privacy

– Adequate plan to protect identifiers

– Adequate plans to destroy identifiers (break links) when and if possible

– Written assurance no inappropriate re-use or re-disclosure

• Impracticable to do research without waiver and without access to PHI

Even if your project is “exempt” from IRB oversight under the Common Rule, you still may need a waiver from the IRB or Privacy Board under HIPAA!


RESEARCH
Exceptions to the Authorization Requirement

2. PHI may be used without authorization for “reviews preparatory to research”

– Researcher must demonstrate to UM (through the IRB or Privacy Board) that:

• the PHI will be used only to prepare a protocol

• no PHI will be removed from UM or disclosed outside UM

• the PHI to be used is necessary for the research purpose

– Purpose of exception is to prepare a protocol, e.g., facilitate study design work or feasibility analysis; can also facilitate subject recruitment in some cases

– Exception is available only to UM workforce members (no sharing outside UM, e.g. with collaborators at other sites)

– The information reviewed under this exception may not be used for the research project itself or for any future project; only name/contact information should be extracted for recruitment


RESEARCH
Exceptions to the Authorization Requirement

3. PHI may be used or shared for research on decedents’ information . . .

– Researcher must demonstrate to UM (through the IRB or Privacy Board) that:

• use or disclosure is only for research on decedents’ information

• deaths are documented

• PHI to be used or disclosed is necessary for the research purpose

– Note: deceased individuals are not considered human subjects under the Common Rule


RESEARCH
Exceptions to the Authorization Requirement

4. PHI in a “limited data set” may be used or shared without authorization for research purposes

– The researcher must sign a “Data Use Agreement” (a simple one-page contract)

– At UM, the Data Use Agreement must be filed with and approved by the Privacy Board or its designee (DRDA is authorized; additional procedures are in development)


RESEARCH
Limited Data Sets - Definition

• A limited data set may include:

– geographic information like city and zip code (but not street address)

– dates (including dates of birth, death, admission and discharge), and age in hours, days, months or years

• A limited data set may not include any of the following information with respect to the patient, patient’s household members, or patient’s employer:

– Name; street address; telephone and fax numbers; e-mail, URL, and IP addresses

– Social security, medical record, health plan beneficiary or account numbers, certificate/license numbers, vehicle identifiers and serial numbers, including license plate numbers

– Device identifiers and serial numbers; biometric identifiers, including finger and voice prints; and full face photographic or comparable images


RESEARCH
Before and After HIPAA

Informed Consent and Authorization

– Before HIPAA: Informed consent was usually required before enrolling a patient into a research study. Informed consent documents generally addressed confidentiality of research records.

– On or after April 14, 2003: Informed consent for subjects enrolled or reconsented on or after April 14, 2003 must include specific information about use and disclosure of PHI for research purposes.

Pre-Research Activities

– Before HIPAA: Many pre-research activities are not governed under the Common Rule and are not subject to oversight by IRBMED or other IRBs.

– On or after April 14, 2003: IRBMED or Privacy Board approval generally is required for any use or disclosure of PHI for research without authorization.

Waivers of Authorization

– Before HIPAA: Needed IRBMED-approved waiver to perform research without written informed consent.

– On or after April 14, 2003: Need IRBMED or privacy board-approved waiver to use PHI for research purposes without patient authorization. Expanded criteria apply. All waivers granted before April 14, 2003 are grandfathered.

Exemptions

– Before HIPAA: Some studies are “exempt” from IRB oversight under the Common Rule.

– On or after April 14, 2003: Even exempt studies may require patient authorization or Privacy Board waiver, unless one of the other exceptions applies.

Accounting for Disclosures

– Before HIPAA: The University of Michigan and other providers were not required to track disclosures made for research purposes without authorization.

– On or after April 14, 2003: Many research-related disclosures made without authorization must be tracked.


RESEARCH
Privacy Board and IRB

Privacy Board (PB)

• HIPAA permits a privacy board to grant a waiver to the “authorization” requirement that applies to most research activities

• Includes people with relevant experience and expertise, including at least one non-affiliated (community) member

• At UMHS, the PB will handle, at least on a temporary basis, projects that IRBMED would not otherwise be required to review (e.g., research databases, exempt research, non-regulated research)

Institutional Review Board (IRB)

• Functions under the Common Rule to review, approve, and maintain oversight over human subjects research; HIPAA permits the IRB to approve authorization waivers as well

• Includes people with relevant and diverse experience and expertise, including at least one non-scientist and at least one non-affiliated (community) member

• At UMHS, the IRBMED will incorporate HIPAA requirements into its regular review process, except for projects that do not require use or sharing of PHI


RESEARCH
Implementation at UMHS

HIPAA allows either an IRB or a “Privacy Board” to grant a “waiver of authorization” for use or disclosure of PHI for research purposes (including creation/maintenance of research databases).

At UMHS, the Privacy Board also will assist in other ways, including:

• Certifications for reviews preparatory to research

• Certifications for research on decedents’ information

• Approval of data use agreements

• Clearinghouse/expertise on privacy issues relevant to human subjects research projects

A privacy board is not authorized to review and approve research under the Common Rule.


RESEARCH
Implementation at UMHS

HIPAA requires covered entities (e.g., UMHHC) to “account” for many research-related disclosures made without patient authorization.

Exceptions:

• internal uses do not need to be tracked

• disclosures made through a limited data set with a data use agreement do not need to be tracked

• disclosures of “deidentified data” do not need to be tracked (no information on the “PHI” list is included in the data set)

• disclosures made in studies involving more than 50 subjects do not need to be tracked if we keep a list available of all such studies, including title, PI, and contact information

Policies/procedures for accounting are under development.


RESEARCH
What Does HIPAA Mean for You?

• No PHI in Research

– If you are conducting a project without use of PHI, HIPAA does not apply, but IRBMED’s informed consent template must be used for all new projects and scheduled continuation reviews beginning April 1

– Caution!

• If you do a blood test or radiological scan or other procedure only for research purposes, and not related to treatment, the information may not be PHI and your project is not regulated by HIPAA; but

• If the test or results information passes through the subject’s UM electronic medical record (“EMR”) (because the medical record number is used and/or information is derived from and/or posted to the EMR or other clinical information systems), then HIPAA may apply


RESEARCH
What Does HIPAA Mean for You?

• Some research-related disclosures are “grandfathered” under HIPAA

– “Express legal permission” (usually written permission) from the individual to use or disclose their PHI for research

– Written informed consent obtained before April 14, 2003

– Waiver granted by IRB before April 14, 2003 (but if subject is later consented, consent must be HIPAA-compliant)


RESEARCH
Application: Multicenter Trials

• Four ways to share PHI with other centers:

– Written permission from the subject/patient (authorization)

– Waiver from IRB or Privacy Board

– Limited Data Set with Data Use Agreement

– Deidentified data (nothing on “PHI” list)

• When we need information from other centers for our own research projects:

– The updated IRBMED informed consent template is intended to comply with the privacy rule and to allow any health care provider or health plan to disclose PHI to us (or UMHHC to disclose PHI to our co-investigators) for research purposes.

– However, every site may have its own rules and policies.

– If another site or a sponsor requires an additional form to be signed by your subject, IRBMED must review and approve that form in advance.


RESEARCH
Application: Subject Recruitment
Alternatives Under HIPAA

Review Preparatory to Research

– Pros: Simple application to Privacy Board

– Cons: For internal use only; should only get name/number; can’t use information collected for the project

Waiver of Authorization from Privacy Board

– Pros: Simple application to Privacy Board

– Cons: Possible accounting requirement; IRBMED approval needed re: recruiting procedures

(Partial) Waiver of Authorization from IRBMED

– Pros: Can disclose information outside UM (e.g., use survey vendors); can use information for the project

– Cons: Time required for IRBMED application; possible accounting requirement

Tell Patients About Study Opportunities But Let Them Contact Study Staff

– Pros: No disclosure of PHI (docs with existing treatment relationship can always tell their patients about possible studies), so no HIPAA issues

– Cons: Makes recruitment process passive and therefore likely less effective

Written Permission

– Pros: Can use information collected for the project; no accounting

– Cons: Generally must discuss with/obtain from patient at point of care; may need IRB review/approval


RESEARCH
Application: Databases and Registries

• We can create and maintain databases or registries for treatment, payment, and health care operations (“TPO”) purposes (e.g., CareWeb; PathNet; data warehouse) without permission. TPO activities include:

– Clinical care, billing, utilization review

– Quality assurance/assessment, accreditation activities

– Education, planning

• IRB or Privacy Board approval is required to access a TPO database for research purposes (even reviews preparatory to research)

• Written patient permission or IRBMED or Privacy Board approved waiver is needed to create and maintain a database or registry solely for research purposes . . . patient permission, if sought, must be specific as to research purpose (HIPAA prohibits “blanket” authorizations)


RESEARCH
Application: Databases and Registries

“Screening logs”

• If no use or disclosure of PHI, no HIPAA issue (information received directly from a subject through a survey is not PHI; but if the survey information is verified or supplemented by medical record information, then PHI has been used).

• If the log includes PHI but was created or used for TPO purposes, then it is ok to continue maintaining it without patient permission.

• If the log includes PHI and is used only for research purposes, patient permission or an IRB or Privacy Board waiver is needed to continue entering data after April 14.

• Alternatives for sending data from screening log to sponsors (without patient permission):

– “De-identify” the data (no elements listed on the “PHI” list may be present in the data set sent)

– Provide a “limited data set” with a data use agreement

– Obtain a waiver of authorization from the Privacy Board
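The screening-log alternatives just above, the four ways to share PHI on the multicenter slide, and the limited data set definition earlier all turn on one distinction: de-identified data has nothing from the PHI list, a limited data set may keep dates, ages, city and zip but none of the direct identifiers, and anything else is identifiable PHI released only under authorization or a waiver. The following Python is an added example written for this page, not code from the UMHS module; the column names, the allow-list of clinical fields, and the screening-log entry are assumptions constructed for illustration.

```python
"""Releasing a screening-log record as de-identified data, a limited data
set, or identifiable PHI, with the accounting-of-disclosures consequence of
each.  Added example; field names and the sample entry are assumptions."""
import copy

# Direct identifiers a limited data set may NOT contain
# (slide "Limited Data Sets - Definition").  Assumed column names.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "url", "ip_address",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "license_plate", "device_id", "biometric_id", "face_photo",
})
# Elements a limited data set MAY keep but de-identified data may not,
# because dates, ages and zip codes are still on the PHI list.
LDS_ONLY_ELEMENTS = frozenset({
    "city", "zip", "birth_date", "death_date", "admit_date",
    "discharge_date", "age",
})
# Allow-list of non-identifying study content (assumed).  A column in none of
# the three sets is refused rather than passed through, because the PHI list
# ends with "any other unique identifying number, characteristic or code".
CLINICAL_FIELDS = frozenset({"diagnosis", "eligible", "lab_hba1c"})


def classify(record):
    """Name the most restrictive category the record still falls into."""
    keys = set(record)
    unknown = keys - DIRECT_IDENTIFIERS - LDS_ONLY_ELEMENTS - CLINICAL_FIELDS
    if unknown:
        raise ValueError(f"unclassified fields, treat as identifying: {sorted(unknown)}")
    if keys & DIRECT_IDENTIFIERS:
        return "phi"
    if keys & LDS_ONLY_ELEMENTS:
        return "limited_data_set"
    return "deidentified"


def release(record, mode, dua_signed=False):
    """Return (released_copy, needs_accounting) for one of the four ways the
    deck lists for sharing research data.  Per the accounting slide,
    de-identified data and a limited data set under a data use agreement are
    not tracked; a waiver release is.  The recruitment slide lists written
    permission as "no accounting"."""
    classify(record)  # refuse records with unclassified columns
    if mode == "deidentified":
        drop, needs_accounting = DIRECT_IDENTIFIERS | LDS_ONLY_ELEMENTS, False
    elif mode == "limited_data_set":
        if not dua_signed:
            raise PermissionError("a limited data set requires a signed data use agreement")
        drop, needs_accounting = DIRECT_IDENTIFIERS, False
    elif mode == "waiver":          # IRB/Privacy Board waiver: identifiable PHI
        drop, needs_accounting = frozenset(), True
    elif mode == "authorization":   # written patient permission
        drop, needs_accounting = frozenset(), False
    else:
        raise ValueError(f"unknown release mode {mode!r}")
    released = {k: copy.deepcopy(v) for k, v in record.items() if k not in drop}
    return released, needs_accounting


# Constructed screening-log entry (not real data).
SCREENING_LOG_ENTRY = {
    "name": "Sample Patient", "mrn": "000123456",
    "city": "Ann Arbor", "zip": "48109",
    "birth_date": "1961-03-14", "admit_date": "2012-05-02", "age": 51,
    "diagnosis": "type 2 diabetes", "lab_hba1c": 8.1, "eligible": True,
}

if __name__ == "__main__":
    for mode in ("deidentified", "limited_data_set", "waiver", "authorization"):
        data, track = release(SCREENING_LOG_ENTRY, mode, dua_signed=True)
        print(f"{mode:17} -> {classify(data):17} accounting={track} fields={sorted(data)}")
```

Classification is by allow-list, not by scrubbing known identifiers: a sponsor-assigned subject code or any other column nobody has reviewed is rejected instead of shipped, which is what the open-ended last item on the PHI list requires. The code models only the data shape and the accounting flag; the data use agreement itself, the Privacy Board approval of it, and the more-than-50-subjects study list are procedural steps outside the script.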


RESEARCH
Application: Databases and Registries

Existing Datasets

• HIPAA does not require that existing datasets be destroyed

• New data cannot be added into an existing research dataset without written authorization or waiver, unless the data is first deidentified (all identifiers listed on the “PHI list” are eliminated) or made part of a limited data set

• Data cannot be removed from an existing dataset for research purposes without IRB or Privacy Board approval


RESEARCH
Application: IRBMED or Privacy Board?

• IRBMED

– Any research project subject to federal regulations for the protection of human subjects.

– Reviews preparatory to research may be submitted to IRBMED

• Privacy Board

– Waiver of authorization for a project that does not require IRBMED review (e.g., exempt from Common Rule oversight)

– Review preparatory to research

– Research on decedents’ information

– Limited data sets disclosures


GENERAL RULES
What About Other Laws?

We already follow many other laws, rules and guidelines to protect privacy.

Generally, the Privacy Rule supersedes contrary state law, but there are times when Michigan law controls. In many cases, both must be followed.

In cases where Michigan law provides more protection, Michigan law should be followed. For example, for AIDS/HIV or mental health records, Michigan law must be followed.


GENERAL RULESPenalties for Violating the Privacy Rule

The privacy regulations impose penalties for violations including:

Civil penalties up to $1.5 Million per calendar year for each type of violation

Criminal penalties up to $250,000 and 10 years in jail – applied to institutions and individuals.

UMHS policies include disciplinary action up to and including discharge.


QUESTIONS

Please visit http://www.med.umich.edu/u/hipaa/contact.htm if you have any questions about the Privacy Rule or applicable UMHS policies or procedures; or if you would like to make a complaint.

Contact the Health System Legal Office at 734-764-2178 if you have any legal questions.

Contact IRBMED at 734-763-4768 if you have any questions about IRBMED forms or procedures. Visit IRBMED’s HIPAA website often for HIPAA research updates at: http://www.med.umich.edu/irbmed/NewIRBMEDHIPAA.htm.

For more information about the Privacy Rule, visit www.dhhs.gov/ocr/hipaa.


Continue to next section and get credit…

You must complete the next section, “Frequently Asked Questions.”

To continue and get credit for completing this module, click HERE.

Be sure to click on the last slide when finished, to get a certificate and credit.