HIPAA and Human Subjects Research IRB Member CE May 2014 Slideshow by Sean Horkheimer.
Post on 29-Jan-2016
Embed Size (px)
HIPAA and Human Subjects Research
HIPAA and Human Subjects ResearchIRB Member CEMay 2014Slideshow by Sean HorkheimerWhat is HIPAA?HIPAA is the Health Insurance Portability and Accountability Act. HIPAA is a set of federal laws that regulates, among other things, the disclosure of protected health information (PHI) about patients treated by most health care providers and organizations in the United States.HIPAA regulates how PHI is maintained and how it is gathered by researchers. HIPAAs laws apply to research done at MCW/FHCovered Entity: MCW Corporate Policies (AD.HP.010) define a covered entity as a healthplan, or a health care clearinghouse, or a health care provider who transmits any healthinformation in electronic form in connection with a transaction covered by the provisions ofthe Privacy Regulation.HIPAA: means the federal law called the Health Insurance Portability and Accountability Actthat regulates, among other things, the disclosure of protected health information ("PHI")about patients treated by most health care providers and organizations in the United States("Covered Entities"). In the context of human subject research, HIPAA establishes a federalstandard for the manner in which the confidentiality of PHI will be maintained by CoveredEntities and prescribes a process through which researchers can obtain PHI about patientswho are sought by researchers to be research subjects or potential research subjects.2What is Protected Health Information (PHI)?Information that is:Created or received by a health care provider, health plan, or health care clearinghouse.Relates to an individuals past, present, or future physical or mental health condition, or health care treatment That either identifies an individual or includes enough personal identifiers that the individual could be reasonably determined. MCW Corporate Policies (AD.HP.010) defines PHI asany individually identifiable health information, whether oral, written, electronic, transmitted,or maintained in form or medium that: Is created or received by a health care provider such as the Medical College ofWisconsin, a health plan, or a health care clearinghouse; and Relates to an individual's past, present, or future physical or mental health condition,health care treatment, or the past, present or future payment for health care servicesto the individual; That either identifies an individual (for example, name, social security number ormedical record number) or can reasonably be used to find out the person's identity(address, telephone number, birth date, e-mail address, and names of relatives oremployers).3What are personal identifiers?Examples include:NameAgeGenderSocial Security numberDate of birthAddress (physical or electronic mail)Phone numberNames of relatives or employersIdentifiable Private Information: means information about a living individual that is used forresearch purposes and includes information about behavior that occurs in a context in whichan individual can reasonably expect that no observation or recording is taking place, andinformation that has been provided for specific purposes by an individual and which theindividual can reasonably expect will not be made public (e.g., a medical record). Under theOHRP regulations, private information must be individually identifiable (i.e., the identity of theresearch subject is or may readily be ascertained by the investigator or associated with theinformation) in order for obtaining the information to constitute research involving humansubjects.Individually Identifiable Information (health care): MCW Corporate Policies (AD.HP.010)defines this as Information that is a subset of health information, including demographicinformation collected from an individual, and: Is created or received by a health care provider, health plan, employer, or health careclearinghouse; and Relates to the past, present, or future physical or mental health or condition of anindividual; the provision of health care to an individual; or the past, present, or futurepayment for the provision of health care to an individual; and That identifies the individual; or With respect to which there is a reasonable basis to believe the information canbe used to identify the individual.4HIPAA in the SmartFormWhat about a recruitment HIPAA waiver?For when study teams need to review records to identify potential subjects for recruitment. When 16.1 & 16.1.1 are selected Yes
This HIPAA section will identify how the study team will use PHI. The sections that follow will answer all the necessary points for consideration.
HIPAA in the SmartForm, contdWhat to consider when approving a HIPAA waiver for screening?The following three criteria must be satisfied for an IRB or Privacy Board to approve a waiver of authorization: 1. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: an adequate plan to protect the identifiers from improper use and disclosure; an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
2. The research could not practicably be conducted without the waiver or alteration; and
3. The research could not practicably be conducted without access to and use of the protected health information.
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/research.html7What does the IRB do with regard to HIPAA during their review of the submission?Review the study SmartForm for sections that address HIPAA.Review the study protocol.Review the informed consent:Do the SmartForm, protocol, and ICF all describe the same PHI collected and protections?Does the ICF include all of the necessary information based on the ICF template?What needs to be in the HIPAA authorization in the consent form?HIPAA required elements are included in Section EWhat health information will be collected and used for the study?Who will see the health information?What are the risks of sharing this health information?How long will the information be kept? (10 years or longer)How to cancel permission to share health information.Circumstances that may affect access to clinical records. (Ex: which drug given in blinded study).http://www.mcw.edu/hrpp/Forms/ConsentFormTemplates.htm9Other Possibilities: Limited Data SetsThese are data sets accessed or obtained by an investigator after they have completed a Limited Data Set Agreement with the holder of the data.Is the data set is indicated in the SmartForm?Is the Limited Data Set Agreement completed and uploaded?
Other Possibilities: Use of DecedentsResearch that involves the review of records of only deceased individuals, and no living subjects are contacted or have their information accessed.No Authorization or waiver of Authorization by an IRB or Privacy Board is needed for use or disclosure of PHI for research only on the PHI of deceased persons, if these conditions are met:the PHI is necessary for the research and is being sought solely for research on the PHI of decedents documentation of the deaths of the study subjects can be madeThe EndQuestions?