What is HIPAA ? HIPAA with the DHPG Research Medical Records Clinical Trials Business Associate Agreement Michael Shoob, Elizabeth Bankert February 2003

What is HIPAA ?

HIPAA with the DHPG

Research

Medical Records

Clinical Trials

Business Associate Agreement

Michael Shoob, Elizabeth Bankert

February 2003

What is HIPAA?

• The Health Insurance Portability and Accountability Act of 1996; and

• Three sets of regulations issued by the Department of Health and Human Services:

– Privacy Regulations - April 14, 2003 Compliance Deadline

– Transaction Standards - October 16, 2002 Compliance Deadline

– Security Regulations - Pending

This guidance explains and answers questions about key elements of the requirements of the HIPAA Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule). The Department of Health and Human Services (HHS) published the Privacy Rule on December 28, 2000, and adopted modifications of the Rule on August 14, 2002.

http://www.hhs.gov/ocr/hipaa/privacy.html

PHI = Protected Health Information

PHI = Protected Health Information

Any information, created or received by us in any form, that identifies an individual and is related to the past, present, or future:

1) Physical or mental health of the individual;

2) Provision of health care to the individual; or

3) Payment for health care provided to the individual

The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.

It gives patients more control over their health information.

It sets boundaries on the use and release of health records.

It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.

It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.

For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.

It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.

It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.

It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.

It empowers individuals to control certain uses and disclosures of their health information.

"Overall, these national standards required under HIPAA will make it easier and less costly for the health care industry to process health claims and handle other transactions while assuring patients that their information will remain secure and confidential," Secretary Thompson said. "The security standards in particular will help safeguard confidential health information as the industry increasingly relies on computers for processing health care transactions."

Rule #1: DON’T SURPRISE THE PATIENT

William Braithwaite, MD, PhD

“Doctor HIPAA”

PricewaterhouseCoopers

Rule #2: Use minimal amount of PHI necessary to conduct research

DHPG

Dartmouth Hitchcock Privacy Group:

• Dartmouth Hitchcock Clinics

• Mary Hitchcock Memorial Hospital

• Dartmouth Medical School

• Dartmouth-Hitchcock Psychiatric Associates

• Cheshire Medical Center

• Mt. Ascutney Hospital

• Upper Connecticut Valley Hospital

• Weeks Medical Center

• West Central Behavioral Health

• Other Affiliated Institutions Using the Dartmouth-Hitchcock Name to Provide Health Care Services to Patients

Privacy Notice

HIPAA / DHPG

Privacy Officer = Peter Johnson

Linda Messman, Director of Medical Records

http://intranet.hitchcock.org/is/hdr/pages/hipaa.html

Scott Farr / (work in progress)

Privacy Notice:

Treatment, Payment, Operations (TPO)

Research not included!

Quality Assurance/ Peer Review

The process of reviewing, analyzing or evaluating patient and/or provider specific data which may indicate (the need for) changes in systems or procedures which would improve the quality of care.

Quality Assurance/ Peer Review Characteristics

• Confidential

• Learn from individual cases

• Involves patient and/or provider specific data

• Protected from legal discoverability

• Review often triggered by predetermined “thresholds”/criteria

• Must be conducted within QA/PR committee structure

• Knowledge generation typically for local, immediate application

Quality / Performance Improvement

• The process of reviewing, analyzing and evaluating aggregate data to understand patterns & trends

• Process triggers a cycle of:

– Analyzing a process

– Identifying potential changes

– Testing changes

– Evaluating impact of changes on measures of success

QI / PI Characteristics

• Not protected from legal discoverability

• Uses aggregate data, not patient identifiable information

• Evaluates patterns & trends

• Not usually triggered by specific event

• Pre-data collection, a commitment to a corrective/improvement action plan

• Knowledge generation typically for local, immediate application

What do researchers do when they want to access patient information for research purposes?

Obtain IRB approval!

Research: a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.

How can researchers access patient information for research purposes?

HIPAA rules!

Six ways the IRB will allow researchers to access protected health information (PHI)

1. Obtain informed consent (authorization) from the patient

2. Waive the requirement for obtaining informed consent

3. The information is being collected only for preparatory work to research

4. Only a Limited Data Set is collected accompanied with a Data Use Agreement

5. Only decedent data is being collected

6. Information requested is “de-identified”

6. De-identification Requirements (Two Methods)

HIPAA Safe Harbor 45 CFR 164.514(b)(2)(i)

• Names

• Geographic subdivisions smaller than a state

• Zip codes

• Dates (birth, admission, discharge, death)

• Age, if over 89

• Telephone numbers

• Fax numbers

• E-mail addresses

• Social security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate and license numbers

• Vehicle identification and serial numbers

• License plate numbers

• Device identifiers and serial numbers

• URLs

• Internet Protocol address numbers

• Biometric identifiers (finger and voice prints)

• Full face photos and comparable images

• Any other unique identifiers

Statistical 45 CFR 164.514(b)(1)

• A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable;

• Determines that the risk of re-identification of the data, alone or in combination with other reasonably available data, is very small; and

• Documents the methods and results.

5. Decedent Information

Privacy Board or IRB

4. “Limited Use” Data Set

Not Allowed

• Names

• Postal info (OTHER than town, city, state, and zip code)

• Telephone and Fax Number

• e-Mail Addresses

• Social Security Number

• Medical Record Number

• Health Plan Beneficiary Number

• Account Number

• Certificate / License Number

• Vehicle ID (license plate) and Serial

• Device ID and Serial Number

• URLs and IP Addresses

• Biometric ID (finger, voice prints)

• Full Face Photos and Comparable Images

Data Use Agreement: Used with Limited Data Set

Researcher must agree:

a. to limit the use of the limited data set or PHI to the specified purpose as described

b. to limit who can use or receive the data to the research team directly involved in this project

c. not to re-identify the data or contact the individuals to whom the data belongs

3. Preparatory to Research - Notice from the researcher

1. The use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research;

2. Will not remove any PHI from the covered entity; and

3. The PHI for which access is sought is necessary for the research purpose.

This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study.

2. IRB Waiver of IC – requirements:

A. Use or disclosure involves no more than minimal risk to individuals;

B. Alteration or waiver will not adversely affect privacy rights and welfare of individuals;

C. Research could not practicably be conducted without the alteration or waiver;

D. Research could not practicably be conducted without access to and use of PHI;

E. Adequate plan to protect identifiers from improper use and disclosure;

F. Adequate plan to destroy identifiers at the earliest opportunity, unless there is a health or research justification or legal requirement to retain them; and

G. Adequate written assurances that PHI will not be reused or disclosed for other purposes.

1. Obtain Consent (authorization) from the Patient

1. Description of Health Information to be gathered

2. Identification of Person authorized to disclose

3. Identification of Recipient

4. Description of Purpose(s)

5. Expiration date - "end of research study," "none," or similar language is sufficient if the disclosure is for research, including for the creation and maintenance of a research database or research repository

6. Statement of Right to Revoke

7. (In)Ability to Condition Treatment on the Authorization statement

8. Statement Regarding Re-disclosure

9. Remuneration for Marketing Activity (if applicable)

10. Dated Patient Signature

11. If signed by Personal Representative, a description of that person's authority

Consent Forms for Clinical Trials:

Please remember each study is unique, thus the correct language for the consent form is dependent on the language in the protocol and/or contract.

You will begin to see HIPAA language in sponsor-provided consent form templates.

In the Consent Form under the section entitled:

Other Important Items You Should Know:

Add a sub-section entitled:

Data Collection

Under the same section expand the current sub-section entitled:

Confidentiality

1. Data Collection: Add a general sentence about the data to be collected. And add the following sentences as applicable for the particular study:

The data collected in this study includes:

The data collected in this study will be used for the purpose described in this form. Patient identifiable data will not be released beyond that required for the purposes of conducting this research study. By signing this form, you are allowing the research team access to your medical records. The research team includes the researchers listed in this consent form and other personnel involved in this study at DHMC and other entities as described in the "Confidentiality" section of this consent form. If you choose to withdraw from the study, you may revoke your approval for the use of your future medical information. To do this, you may contact the researcher in writing. Data which has already been collected will be maintained with the research records.

Explain how long data will be maintained: Examples:

Data gathered from this study will be maintained for as long as the sponsor needs to obtain approval from the FDA.

Data gathered from this study will be maintained indefinitely or as required by federal or state regulations.

If there are limits to patient access to research records, describe them here. Example:

During the course of this study participants may not have access to research records.

If you choose, you may request this information after the research is completed.

2. Identification of Person authorized to disclose

The research team includes the researchers listed in this consent form and other personnel involved in this study at DHMC and other entities as described in the "Confidentiality" section of this consent form.

3. Identification of Recipient

Describe as applicable who may have access to research data - this can be added to Confidentiality section:

Example: Research data may be shared, as required by law, with Dartmouth Hitchcock Medical Center authorities and ......

Examples: Federal agencies such as the Food and Drug Administration; add as appropriate: National Co-operative Study Group, Multi-center sites, Insurance Company.

If the research is sponsored or if the data is being sent anywhere outside of DHMC, describe in some detail: The sponsor of the study, xxx, and any corresponding entities involved in the monitoring of this study (name of CRO if applicable) or Data and Safety Monitoring Committee if applicable, will also have access to this research data. These organizations do not have a regulatory obligation to protect the data. (However, if the data being released is not patient identifiable or the sponsor agrees not to redisclose patient identifiable information, a statement to that effect should be included here.)

4. Description of Purpose(s)

Most consent forms describe the purpose of the research in the opening paragraphs. If not, please add.

5. Expiration date - "end of research study," "none," or similar language is sufficient if the disclosure is for research, including for the creation and maintenance of a research database or research repository

Data gathered from this study will be maintained for as long as the sponsor needs to obtain approval from the FDA.

Data gathered from this study will be maintained indefinitely or as required by federal or state regulations.

6. Statement of Right to Revoke

If you choose to withdraw from the study, you may revoke your approval for the use of your future medical information. To do this, you may contact the researcher in writing. Data which has already been collected will be maintained with the research records.

7. (In)Ability to Condition Treatment on the Authorization statement

If not already in the consent form, add in the "Other Important Items" section:

• Your decision whether or not to participate in this study, or a decision to withdraw, will not involve any penalty or loss of benefits to which you are entitled.

8. Statement Regarding Re-disclosure

The wording in the contract with the sponsor will determine this statement in the consent form. If a sponsor will not re-disclose patient identifiable information, include that information or:

These organizations do not have a regulatory obligation to protect the data. (However, if the data being released is not patient identifiable or the sponsor agrees not to redisclose patient identifiable information, a statement to that effect should be included here.)

9. Remuneration for Marketing Activity (if applicable)

The sponsor usually provides wording for this activity, which is usually something to the effect of:

"You will not receive any compensation if the results of this research are used towards the development of a commercially available product."

10. Dated Patient Signature

This is already required in the signature section.

Please also add this sentence if it is not in the current consent form:

I have been given a copy of this consent document for my own records.

11. If signed by Personal Representative, a description of that person's authority

This is already required in the signature section.

PLEASE NOTE:

The signed consent form must be maintained for at least 6 years after it is signed. This can be satisfied by placing the consent form in the medical record or by keeping it in the study's research files.

The CIS team recently released a feature to create an electronic consent form and protocol summary.

New patients enrolled into a clinical trial on or after April 14, 2003 will need to sign an IRB approved HIPAA compliant consent form OR the currently IRB approved consent form PLUS an IRB approved 'add-on' form describing HIPAA information.

Patients enrolled into a research study prior to April 14, 2003 do not have to sign another consent form.

To be considered:

1. Departmentally maintained databases

2. Registries

3. Disclosures / Tracking

Committee for the Protection of Human Subjects

http://www.dartmouth.edu/~cphs/

a. NEW FORM: Research with PHI

b. HIPAA Compliant Consent Form Template

c. HIPAA powerpoint

d. Additional HIPAA presentation/consent review dates

Additional HIPAA forum dates:

Review Consent Forms

Café B 2/18 9-10 am

Café B 2/21 9-10 am

Café B 3/5 9-10 am

Café C 3/10 9-10:30 am

Café B 3/17 2-3 pm

Café A 3/26 12-1:30 pm

HIPAA EDUCATION DATES

3/4 Aud E 2:00 to 3:00 pm

2/18 L2B 8:00 to 10:30am

3/26 L2B 10:30 to 1:00pm.

HIPAA applies to Covered Entities (CEs) only:

- Health Care Providers

- Health Care Plans

- Health Care Clearinghouse

Business Associates of HIPAA Covered Entities

Business Associates of HIPAA Covered Entity:

• A person or entity (not a member of the Covered Entity's workforce or plan) that provides services for a Covered Entity that involve the use of protected health information (PHI)

Business Associates could include:

• Pharmaceutical / Biotech Companies

• Data Entry Service Vendors

• Other covered entities

Business Associate Agreement

Does not pass through the same privacy requirements of Covered Entity to business associate. It requires in a written contract:

• Satisfactory assurance that PHI will be appropriately safeguarded and used only for the purposes of performing associate’s obligations

• Assure that agents of business associate agree to the same restriction

• Make PHI available as required by law

• Return or destroy all PHI at conclusion of contract

Business Associate Agreement

Requirements continued:

• Associate to advise Covered Entity when violations have occurred

• Take reasonable steps to cure a breach of privacy requirements

• Covered Entity may terminate agreement if breach of privacy not cured

Chain-of-Trust Provisions

• Business Associate agrees to protect the integrity and confidentiality of PHI exchanged electronically

HIPAA

Health Insurance Portability and Accountability Act