Sharing PHI for Research

J.T.AshUniversityofHawaiiSystemHIPAAComplianceOfficer

jtash@hawaii.eduhipaa@hawaii.edu

AgendaØHIPAAisa“TEAMSPORT”andeveryonehasaroleinprotectingprotectedhealthinformation(PHI).

ØPrivacyRule,SecurityRule,&BreachNotificationRule

ØMethodstoSharePHI(PrivacyRule)

ØWithIndividualAuthorization

ØWithoutAuthorization

ØAccountingforResearchDisclosure

ØDe-IdentifiedData

ØSecurityRule&BreachNotification

HIPAA Privacy Rule

Ø https://www.youtube.com/watch?v=y751i4QqP0g

Ø TheRulerequiresappropriatesafeguardstoprotecttheprivacyofpersonalhealthinformation,andsetslimitsandconditionsontheusesanddisclosuresthatmaybemadeofsuchinformationwithoutpatientauthorization.TheRulealsogivespatientsrightsovertheirhealthinformation,includingrightstoexamineandobtainacopyoftheirhealthrecords,andtorequestcorrections.

Ø https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

Ø 45CFRPart160 andSubpartsAandEofPart164.

HIPAA Security Rule

Ø TheSecurityRulerequiresappropriateadministrative,physicalandtechnicalsafeguardstoensuretheconfidentiality,integrity,andsecurityofelectronicprotectedhealthinformation.

Ø https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

Ø 45CFRPart160 andSubpartsAandC ofPart164.

Ø Safeguards:Ø AdministrativeØ PhysicalØ Technical

Breach Notification RuleØ NotificationtoIndividuals:IndividualswhoseunsecuredPHIhasbeen,oris

reasonablybelievedtohavebeen,accessed,acquired,used,ordisclosedasaresultofsuchbreachmustbenotifiedwithoutunreasonabledelayandinnocaselaterthan60calendardaysfollowingthediscoveryofsuchbreach.

Ø NotificationtoOthers:AUHCoveredComponentshallalsonotifyprominentlocalmediaoutletsifthebreachinvolvesmorethan500residentsoftheStatenolaterthan60daysafterdiscoveryofthebreach.

Ø NotificationtoDHHSSecretary:AUHCoveredComponentshallnotifytheDHHSSecretaryonanannualbasis,inamannerspecifiedontheDHHSWebsite,andviaareportduetotheDHHSSecretarynolaterthan60calendardaysaftertheendofthecalendaryearinwhichbreachesarediscoverediflessthan500individualsareinvolved.Ifmorethan500individualsareinvolved,theUHCoveredComponentshallnotifytheDHHSSecretaryinthemannerprovidedbytheDHHSWebsite,whichpresentlyrequiresnoticewithoutunreasonabledelayandinnocaselaterthan60daysfollowingabreach.

Ø NotificationbyaBusinessAssociate.ABusinessAssociateshallnotifyaUHCoveredComponentofabreachwithin5businessdaysthattheBusinessAssociatediscoveredabreachoccurred…

Methods to Share PHI(***Satisfies Privacy Rule Obligations)

Methods to Share PHI

With Authorization

Without Authorization

De-Identified Data

With Individual Authorization

ØThePrivacyRulehasageneralsetofauthorizationrequirementsthatapplytoallusesanddisclosures,includingthoseforresearchpurposes.However,severalspecialprovisionsapplytoresearchauthorizations:Ø Unlikeotherauthorizations,anauthorizationforaresearchpurposemaystatethatthe

authorizationdoesnotexpire,thatthereisnoexpirationdateorevent,orthattheauthorizationcontinuesuntilthe“endoftheresearchstudy;”and

Ø Anauthorizationfortheuseordisclosureofprotectedhealthinformationforresearchmaybecombinedwithaconsenttoparticipateintheresearch,orwithanyotherlegalpermissionrelatedtotheresearchstudy.

Without Authorization

ØACoveredEntitymustobtainoneofthefollowing:Ø DocumentedInstitutionalReviewBoard(IRB)BoardApprovalØ PreparatorytoResearchØ ResearchonProtectedHealthInformationofDecedentsØ LimitedDataSetswithaDataUseAgreement

Documented Institutional Review Board (IRB) Board Approval

ØAcoveredentitymayuseordiscloseprotectedhealthinformationforresearchpurposespursuanttoawaiverofauthorizationbyanIRBorPrivacyBoard,providedithasobtaineddocumentationofALL ofthefollowing:Ø IdentificationoftheIRBorPrivacyBoardandthedateonwhichthealterationorwaiverof

authorizationwasapproved;Ø AstatementthattheIRBorPrivacyBoardhasdeterminedthatthealterationorwaiverof

authorization,inwholeorinpart,satisfiesthethreecriteriaintheRule;Ø AbriefdescriptionoftheprotectedhealthinformationforwhichuseoraccesshasbeendeterminedtobenecessarybytheIRBorPrivacyBoard;

Ø Astatementthatthealterationorwaiverofauthorizationhasbeenreviewedandapprovedundereithernormalorexpeditedreviewprocedures;and

Ø Thesignatureofthechairorothermember,asdesignatedbythechair,oftheIRBorthePrivacyBoard,asapplicable.

Institutional Review Board (IRB) Waiver of Authorization

ØThefollowingthreecriteriamustbesatisfiedforanIRBorPrivacyBoardtoapproveawaiverofauthorizationunderthePrivacyRule:Ø Theuseordisclosureofprotectedhealthinformationinvolvesnomorethanaminimal

risktotheprivacyofindividuals,basedon,atleast,thepresenceofthefollowingelements:

ØAnadequateplantoprotecttheidentifiersfromimproperuseanddisclosure;ØAnadequateplantodestroytheidentifiersattheearliestopportunityconsistentwithconductoftheresearch,unlessthereisahealthorresearchjustificationforretainingtheidentifiersorsuchretentionisotherwiserequiredbylaw;and

ØAnadequatewrittenassurancesthattheprotectedhealthinformationwillnotbereusedordisclosedtoanyotherpersonorentity,exceptasrequiredbylaw,forauthorizedoversightoftheresearchproject,orforotherresearchforwhichtheuseordisclosureofprotectedhealthinformationwouldbepermittedbythissubpart;

Ø Theresearchcouldnotpracticablybeconductedwithoutthewaiveroralteration;andØ Theresearchcouldnotpracticablybeconductedwithoutaccesstoanduseofthe

protectedhealthinformation.

Preparatory to Research

ØRepresentationsfromtheresearcher,eitherinwritingororally,thattheuseordisclosureoftheprotectedhealthinformationissolelytopreparearesearchprotocolorforsimilarpurposespreparatorytoresearch,thattheresearcherwillnotremoveanyprotectedhealthinformationfromthecoveredentity,andrepresentationthatprotectedhealthinformationforwhichaccessissoughtisnecessaryfortheresearchpurpose.

Research on Protected Health Information of Decedents

ØRepresentationsfromtheresearcher,eitherinwritingororally,thattheuseordisclosurebeingsoughtissolelyforresearchontheprotectedhealthinformationofdecedents,thattheprotectedhealthinformationbeingsoughtisnecessaryfortheresearch,and,attherequestofthecoveredentity,documentationofthedeathoftheindividualsaboutwhominformationisbeingsought.

Limited Data Sets with a Data Use Agreement

ØAdatauseagreemententeredintobyboththecoveredentityandtheresearcher,pursuanttowhichthecoveredentitymaydisclosealimiteddatasettotheresearcherforresearch,publichealth,orhealthcareoperations.

ØThedatauseagreementmust:Ø Establishthepermittedusesanddisclosuresofthelimiteddatasetbytherecipient,

consistentwiththepurposesoftheresearch,andwhichmaynotincludeanyuseordisclosurethatwouldviolatetheRuleifdonebythecoveredentity;

Ø Limitwhocanuseorreceivethedata;andØ Requiretherecipienttoagreetothefollowing:

Ø Nottouseordisclosetheinformationotherthanaspermittedbythedatauseagreementorasotherwiserequiredbylaw;

Ø Useappropriatesafeguardstopreventtheuseordisclosureoftheinformationotherthanasprovidedforinthedatauseagreement;

Limited Data Sets with a Data Use Agreement

Ø Reporttothecoveredentityanyuseordisclosureoftheinformationnotprovidedforbythedatauseagreementofwhichtherecipientbecomesaware;

Ø Ensurethatanyagents,includingasubcontractor,towhomtherecipientprovidesthelimiteddatasetagreestothesamerestrictionsandconditionsthatapplytotherecipientwithrespecttothelimiteddataset;and

Ø Nottoidentifytheinformationorcontacttheindividual.

Accounting for Research Disclosure

ØThePrivacyRulegivesindividualstherighttoreceiveanaccountingofcertaindisclosuresofprotectedhealthinformationmadebyacoveredentity.

ØThisaccountingmustincludedisclosuresofprotectedhealthinformationthatoccurredduringthesixyearspriortotheindividual’srequestforanaccounting,orsincetheapplicablecompliancedate(whicheverissooner),andmustincludespecifiedinformationregardingeachdisclosure.

ØAmoregeneralaccountingispermittedforsubsequentmultipledisclosurestothesamepersonorentityforasinglepurpose.

ØAmongthetypesofdisclosuresthatareexemptfromthisaccountingrequirementare:Ø Researchdisclosuresmadepursuanttoanindividual’sauthorization;Ø Disclosuresofthelimiteddatasettoresearcherswithadatauseagreement

What is De-identified Data?ØDe-identifieddata isnotconsideredPHI

ØNoobligationstothePrivacy/Security/BreachNotificationRules

ØMayuseanddisclosede-identifieddatawithoutrestriction

Expert Determination & Safe Harbor

What is De-identified Data?ØRemovalof all18uniqueidentifiers

Ø NameØ AllgeographicsubdivisionssmallerthanaState,includingstreetaddress,city,county,

precinct,zipcode,andtheirequivalentgeocodes,exceptfortheinitialthreedigitsofazipcodeif,accordingtothecurrentpubliclyavailabledatafromtheBureauoftheCensus:(1)thegeographicunitformedbycombiningallzipcodeswiththesamethreeinitialdigitscontainsmorethan20,000peopleand(2)theinitialthreedigitsofazipcodeforallsuchgeographicunitscontaining20,000orfewerpeopleischangedto000.

Ø Allelementsofdates(exceptyear)fordatesdirectlyrelatedtoanindividual,includingbirthdate,admissiondate,dischargedate,dateofdeath;andallagesover89andallelementsofdates(includingyear)indicativeofsuchage,exceptthatsuchagesandelementsmaybeaggregatedintoasinglecategoryofage90orolder.

Ø TelephonenumbersØ FaxnumbersØ EmailaddressesØ SocialSecuritynumbersØ Medicalrecordnumbers

What is De-identified Data?ØRemovalof all18uniqueidentifiers(ExpertDetermination&SafeHarbor)

Ø HealthplanbeneficiarynumbersØ AccountnumbersØ Certificate/licensenumbersØ Vehicleidentifiers/serialnumbersØ Deviceidentifiers/serialnumbersØ WebURLsØ IPaddressnumbersØ BiometricidentifiersØ Full-facephotographicimagesandanycomparableimagesØ Anyotheruniqueidentifyingnumber,characteristic,orcode;and

Ø Thecoveredentitydoesnothaveactualknowledgethattheinformationcouldbeusedaloneorincombinationwithotherinformationtoidentifyanindividualwhoisasubjectoftheinformation.

Security Rule & Breach Notification

ØStillneedtoworkwithyourITsupporttoensuretheyhaveanenvironmentthatcansatisfytheobligationsoftheSecurityRule

ØStillneedtoworkwithyourInfoSecsupporttoensuretheyhavethepolicies/proceduresinplacetosatisfytheobligationsoftheBreachNotificationRule

J.T.AshUHSystemHIPAAComplianceOfficerjtash@hawaii.edu •(808)956-7241