HIPAA, Researchers and the IRB Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator

Download HIPAA, Researchers and the IRB Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator

Post on 20-Dec-2015

213 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

<ul><li> Slide 1 </li> <li> HIPAA, Researchers and the IRB Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator </li> <li> Slide 2 </li> <li> Introduction This is a preliminary overview much more information to comeThis is a preliminary overview much more information to come Be kind we do NOT have all the answers but we do want to hear the questionsBe kind we do NOT have all the answers but we do want to hear the questions Be patient the final Privacy Rule was first available on August 14, 2002 we are working furiously!Be patient the final Privacy Rule was first available on August 14, 2002 we are working furiously! Dont blame us we didnt write it!Dont blame us we didnt write it! </li> <li> Slide 3 </li> <li> What are the new Privacy Standards? Limits the use and release of health informationLimits the use and release of health information Gives patients the right to access their medical recordsGives patients the right to access their medical records And to know who else accessed their health information Restricts most disclosure of health information to the minimal intended purpose Establishes civil/criminal penalties for improper use or disclosureEstablishes civil/criminal penalties for improper use or disclosure Establishes new requirement for access to records by researchersEstablishes new requirement for access to records by researchers </li> <li> Slide 4 </li> <li> What Research is Affected? Privacy rule applies to research that uses Protected Health Information (PHI). PHI is individually identifiable health information. </li> <li> Slide 5 </li> <li> What Research is Affected? Three categories of identifiability: Three categories of identifiability: 1.PHI Identifiable rule applies 2.De-Identified Information - rule does not apply 3.Limited Data Set a middle option - limited parts of the rule apply </li> <li> Slide 6 </li> <li> What Research is Affected? De-Identified there are 18 specific identifiers which must be removed to be considered de- identified thus not covered by rule.De-Identified there are 18 specific identifiers which must be removed to be considered de- identified thus not covered by rule. Limited Data Set Not fully de-identified can retain certain dates, geographic info and unique identifying numbers. Most privacy rule requirements do not apply, the minimum necessary standard does apply and a data use agreement is required.Limited Data Set Not fully de-identified can retain certain dates, geographic info and unique identifying numbers. Most privacy rule requirements do not apply, the minimum necessary standard does apply and a data use agreement is required. </li> <li> Slide 7 </li> <li> 18 Items Which Must Be Removed to Be De-identified 1.Names 2.ALL geographic subdivisions smaller than the state 3.All elements of dates smaller than a year birth date, admission, discharge, death, etc.) 3.All elements of dates smaller than a year (i.e. birth date, admission, discharge, death, etc.) 4.Phone numbers 5.Fax numbers 6.E-mail addresses 7.SS numbers 8.Medical record number 9.Health plan beneficiary </li> <li> Slide 8 </li> <li> 10.Any other account numbers 11.Certificate/license numbers 12.Vehicle identifiers 13.Device identification numbers 14.WEB URL's 15.Internet IP address numbers 16.Biometric identifiers (fingerprint, voice prints, retina scan, etc) 17.Full face photographs or comparable images 18.Any other unique number, characteristic or code. 18 Items Which Must Be Removed to Be De-identified (continued) </li> <li> Slide 9 </li> <li> How to obtain PHI for research? 1. Authorization 2. Waiver of Authorization </li> <li> Slide 10 </li> <li> How to obtain authorization for use of PHI? To use or disclose PHITo use or disclose PHI Driven by Privacy RuleDriven by Privacy Rule Reviewed by IRB or Privacy Board (our IRB will serve as the Privacy Board)Reviewed by IRB or Privacy Board (our IRB will serve as the Privacy Board) To participate in the research based on the risks and benefits Driven by the Common Rule Reviewed by IRB Authorization Informed Consent Authorization </li> <li> Slide 11 </li> <li> How to obtain authorization II Required elements in an authorizationRequired elements in an authorization Specific and meaningful description of what information will be used or disclosed Who may use or disclose To whom the PHI will be disclosed Why the use or disclosure is being made (each purpose) Notice that authorization may be revoked; Notice that the information may be disclosed to others not subject to the Privacy Rule </li> <li> Slide 12 </li> <li> How to obtain authorization III Required elements in an authorizationRequired elements in an authorization Statement of how long the use or disclosure will continue (no expiration date is allowed for research purposes - but this must be explicitly stated in the authorization form) Notice that the covered entity may or may not condition treatment or payment on the individuals signature Individuals signature and date Required elements in an authorizationRequired elements in an authorization Statement of how long the use or disclosure will continue (no expiration date is allowed for research purposes - but this must be explicitly stated in the authorization form) Notice that the covered entity may or may not condition treatment or payment on the individuals signature Individuals signature and date </li> <li> Slide 13 </li> <li> How to obtain Authorization? Authorization language will be provided as a template by the IRB, to be incorporated into the informed consent document. </li> <li> Slide 14 </li> <li> How to obtain Waiver of Authorization? In research, authorization is not required if it meets the criteria for waiver outlined in the privacy rule. </li> <li> Slide 15 </li> <li> No more than minimal riskNo more than minimal risk Not adversely affect rights and welfare of subjectsNot adversely affect rights and welfare of subjects Research cannot be done without waiverResearch cannot be done without waiver When appropriate, information will be provided to subjects of researchWhen appropriate, information will be provided to subjects of research No more than minimal risk to privacy, based on, at least: Plan to protect identifiers Plan to destroy identifiers ASAP Written assurance that PHI will not be used/disclosed with few exceptions Research cannot be done without waiver, and Research cannot be done without this PHI COMMON RULEPRIVACY RULE CRITERIA FOR WAIVER OF AUTHORIZATION </li> <li> Slide 16 </li> <li> TRANSITION TO PRIVACY RULE Compliance date: April 14, 2003Compliance date: April 14, 2003 Informed consents and waiversInformed consents and waivers Whats grandfathered? When are new forms required? </li> <li> Slide 17 </li> <li> 4/14/03 HIPAA DAY!! If: All informed consents signed before HIPAA-day HIPAA DAY!! Planned enrollment of subjects Planned long-term assessment period IRB approval Informed consents GRANDFATHERED </li> <li> Slide 18 </li> <li> 4/14/03 HIPAA DAY!! IRB approval Planned enrollment of subjects Planned long-term assessment period If: Informed consents signed before and after HIPAA-day Grand- fathered Addendum needed </li> <li> Slide 19 </li> <li> If: All informed consents signed after HIPAA-day 4/14/03 HIPAA DAY!! Planned enrollment of subjects Planned long-term assessment period New forms or addendum needed IRB approval </li> <li> Slide 20 </li> <li> 4/14/03 HIPAA DAY!! If: Waiver of informed consent approved before HIPAA-day HIPAA DAY!! IRB approval Waiver GRANDFATHERED </li> <li> Slide 21 </li> <li> If: Waiver of consent approved after HIPAA-day 4/14/03 HIPAA DAY!! New waiver needed IRB Approval </li> <li> Slide 22 </li> <li> REMINDERS When the authorization language is finalized, the IRB will contact you to inform you what you need to do When the authorization language is finalized, the IRB will contact you to inform you what you need to do HIPAA is in addition to current IRB human subject requirements - when both regulations apply, both requirements must be followed HIPAA is in addition to current IRB human subject requirements - when both regulations apply, both requirements must be followed </li> <li> Slide 23 </li> <li> REMINDERS Message Messenger </li> <li> Slide 24 </li> <li> Acknowledgement Some of the material used in this presentation was developed by P. Pearl O'Rourke, M.D., Director of Human Research Affairs at Partners HealthCare Systems, in Boston, MA and we are grateful to her for her willingness to share this information with us. </li> </ul>