Upload: harold-brockett

Post on 15-Dec-2015

Page 1: HIPAA, Privacy & Confidentiality Local Accountability for Research Protection in VA Facilities VA Office of Research & Development Baltimore, February

HIPAA, Privacy & Confidentiality

Local Accountability for Research Protection in VA Facilities

VA Office of Research & Development, Baltimore, February 2008


I have as much privacy as a goldfish in a bowl.

Princess Margaret


The Goal of VA Privacy

• Protecting the privacy of our veterans

• Assuring the confidentiality of research subjects’ data

• Ensuring research will continue


VHA & Privacy

• VHA privacy program is “complex”
– Must comply with 6 statutes that govern collection, maintenance & release of information
– Investigators must have the authority to collect, use, or disclose private information

• VHA Handbook 1605.1 addresses most requirements


Privacy Related Statutes

• HIPAA: Privacy Rule

• Privacy Act of 1974

• FOIA

• VA Claims Confidentiality

• Confidentiality of medical records about:
– Drug Abuse,
– Alcoholism & Alcohol Abuse,
– HIV, and
– Sickle Cell Anemia

• Confidentiality of Healthcare Quality Assurance Review Records


HIPAA & the Privacy Rule

• Title I: Health Care Access, Portability, & Renewability

• Title II: Preventing Healthcare Fraud & Abuse; Administrative Simplification; Medical Liability & Reform

• Privacy Rule,
• Transactions,
• Security &
• Enforcement


HIPAA & The Common Rule

• Represents 2 different, but NOT contradictory regulations

• Many terms similar but not the same

• IRB must make 2 separate determinations when reviewing & approving applicable research:
– The Common Rule
– HIPAA


HIPAA & Research

• Defines specific “HIPAA identifiers”

• Controls use of Protected Health Information (PHI)
– Within the covered entity
– Disclosures outside the covered entity
– Allows only the “Minimum Necessary” information

• Use of PHI requires an authorization or waiver of authorization. Exceptions:
– Preparatory to research (Note: this does not include recruiting subjects)
– Use of “limited data sets” as defined by HIPAA


HIPAA “Identifiers”: Remove All 18 to De-identify for HIPAA

(1) Names
(2) All geographic subdivisions smaller than a state, except for the initial three digits of the zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people
(3) All elements of dates except year, and all ages over 89
(4) Telephone numbers
(5) Fax numbers
(6) E-mail addresses
(7) Social security numbers
(8) Medical record numbers


HIPAA “Identifiers” (Cont.)

(9) Health plan beneficiary numbers
(10) Account numbers
(11) Certificate or license numbers
(12) Vehicle identifiers and license plate numbers
(13) Device identifiers and serial numbers
(14) URLs
(15) IP addresses
(16) Biometric identifiers
(17) Full-face photographs and any comparable images


HIPAA Identifiers (Cont.)

(18) Any other unique identifying number, characteristic or code, unless otherwise permitted by the Privacy Rule for re-identification

• Scrambled SSNs
• Initials
• Last four digits of SSN
• Employee numbers
• Etc.

(“19”) A caveat: HIPAA also states that the entity does not have actual knowledge that the [remaining] information could be used alone or in combination with other information to identify an individual who is the subject of the information

• If you can strip all 18 identifiers, it still may not be de-identified


Applicability of Identifiers

• HIPAA identifiers apply to:
– The individual
– The individual’s relatives
– The individual’s employers
– The individual’s household members


What’s De-identified?

If someone tells you data is de-identified, ask them how they define de-identified!


De-identified: VHA’s Definition

• Information or data that meets the HIPAA Privacy Rule and the Common Rule definitions of de-identified
– Does not contain any of the 18 HIPAA identifiers
– Has not been statistically de-identified using HIPAA criteria
– Identity of the subject is not readily ascertained by the information remaining


Remember

Scrambled Social Security Numbers are identifiers!!!


Protected Health Information (PHI)

• PHI is individually identifiable health information (IIH)

• IIH: Health information, including demographics, that
– Is collected from an individual
– Relates to:
• The past, present, or future physical or mental health or condition of an individual;
• Provision of health care to the individual;
– Identifies the individual, or there is a reasonable basis to believe the information can identify the individual

• Is retrieved by name or other unique identifier


Preparatory to Research

• VHA Handbook 1605.1 states that contacting research subjects or conducting pilot studies are not activities “Preparatory to Research”

• HHS states that the “Preparatory to Research” provisions allow an investigator to use PHI to contact prospective research subjects


Limited Data Sets

• HIPAA authorization or waiver of authorization not required

• Use allowed only for:
– Research,
– Public health, or
– Health care operations

• Requires a DUA

• May contain identifiable information such as scrambled SSNs, therefore may still be:
– PHI
– Human subjects research


Limited Data Set (Cont.)

• Excludes certain direct identifiers

• Excluded identifiers apply to:
– The individual,
– The individual’s relatives
– The individual’s employers
– The individual’s household members

• May contain:
– City, state, ZIP code,
– Elements of a date & other numbers,
– Characteristics or codes not listed as direct identifiers


Limited Data Sets: Direct Identifiers

(1) Names
(2) Postal address other than town, city, state, and ZIP code
(3) Telephone numbers
(4) Fax numbers
(5) Electronic mail address
(6) SSNs
(7) Medical Record number
(8) Health plan beneficiary numbers
(9) Account numbers


Limited Data Set: Direct Identifiers (Cont.)

(10) Certificate/license numbers
(11) Vehicle identifiers and serial numbers, including license plate numbers
(12) Device identifiers & serial numbers
(13) Web universal resource locators (URLs)
(14) Internet protocol (IP) address
(15) Biometric identifiers, including fingerprints & voice prints
(16) Full-face photographic images and any comparable images
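The two identifier lists above (the 18 safe-harbor categories on the earlier slides, and the 16 limited-data-set direct identifiers here) differ in what may stay: a limited data set keeps city/state/ZIP, dates and non-listed codes such as scrambled SSNs or initials, which is exactly why the deck says it may still be PHI. The following added example, written for this page and not taken from the deck or from VHA, applies both rules to one constructed record and then runs the “19th” check: after stripping, it scans what remains for identifier-shaped strings (a phone number left in a free-text note) and refuses to call the result de-identified. The field-name-to-category mapping, the sample record, the regexes and the sparse-ZIP3 set are all assumptions of this example; the real list of three-digit ZIP areas with 20,000 people or fewer must come from current census data.

```python
import re
from datetime import date

# Date the deck was presented; used as the reference point for age calculations.
PRESENTATION_DATE = date(2008, 2, 1)

# Constructed sample record (fictional values; not data from the deck).
SAMPLE = {
    "name": "Jane Q. Veteran",
    "initials": "JQV",                 # item 18: a derived code that still identifies
    "street": "123 Main St",
    "city": "Baltimore",
    "state": "MD",
    "zip": "21201",
    "dob": "1915-03-04",               # age over 89 on the presentation date
    "admit_date": "2007-11-15",
    "phone": "410-555-0100",
    "email": "jqv@example.org",
    "ssn": "123-45-6789",
    "ssn_scrambled": "6789-45-123",    # scrambled SSN: still an item-18 identifier
    "mrn": "MRN0001",
    "ip": "10.0.0.7",
    "diagnosis": "Type 2 diabetes",
    "note": "Patient callback at 410-555-0100 re: labs",  # free text leaking a phone number
}

# Assumed schema: field name -> safe-harbor identifier number from the slides.
# "zip" (item 2) and ages (item 3) need special handling and are treated below.
SAFE_HARBOR_FIELDS = {
    "name": 1, "street": 2, "city": 2, "dob": 3, "admit_date": 3, "phone": 4,
    "fax": 5, "email": 6, "ssn": 7, "mrn": 8, "plan_id": 9, "account": 10,
    "license": 11, "plate": 12, "device_serial": 13, "url": 14, "ip": 15,
    "biometric": 16, "photo": 17, "ssn_scrambled": 18, "initials": 18,
    "employee_id": 18,
}

# The 16 limited-data-set direct identifiers; city/state/ZIP, dates and other codes may stay.
LDS_DIRECT = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account",
    "license", "plate", "device_serial", "url", "ip", "biometric", "photo",
}

# Placeholder: 3-digit ZIP prefixes covering 20,000 people or fewer must be dropped too.
# The real list comes from current census data; these two entries are illustrative only.
SPARSE_ZIP3 = {"036", "059"}

# Identifier-shaped strings that may survive in free text (the "19th" caveat).
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def age_on(dob_iso, today):
    """Whole years between an ISO date of birth and `today`."""
    y, m, d = (int(p) for p in dob_iso.split("-"))
    return today.year - y - ((today.month, today.day) < (m, d))


def safe_harbor(record, today=PRESENTATION_DATE):
    """Copy of `record` with the 18 safe-harbor categories removed or generalised."""
    out = {}
    over_89 = "dob" in record and age_on(record["dob"], today) > 89
    for field, value in record.items():
        cat = SAFE_HARBOR_FIELDS.get(field)
        if cat == 3:
            # Dates: year only; for ages over 89 even the birth year must go.
            out[field] = None if (field == "dob" and over_89) else value[:4]
        elif cat is not None:
            continue  # items 1, 2, 4-18: removed outright
        elif field == "zip":
            # Item 2: only the first three digits may stay, and only for populous areas.
            zip3 = value[:3]
            out["zip3"] = None if zip3 in SPARSE_ZIP3 else zip3
        else:
            out[field] = value
    if "dob" in record:
        # Item 3: ages over 89 collapse into a single "90+" bucket.
        out["age"] = "90+" if over_89 else age_on(record["dob"], today)
    return out


def residual_scan(record):
    """Caveat check: report identifier-shaped strings left in any string field."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            for label, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    hits.append((field, label))
    return hits


def is_deidentified(record, today=PRESENTATION_DATE):
    """Apply safe harbor, then refuse the 'de-identified' label if anything leaks."""
    clean = safe_harbor(record, today)
    return clean, residual_scan(clean) == []


def limited_data_set(record):
    """Strip the 16 LDS direct identifiers; dates, city/state/ZIP and codes remain."""
    return {f: v for f, v in record.items() if f not in LDS_DIRECT}


def lds_residual_codes(record):
    """Item-18 codes an LDS may carry (scrambled SSNs, initials) that keep it PHI."""
    return sorted(f for f in record if SAFE_HARBOR_FIELDS.get(f) == 18)


if __name__ == "__main__":
    clean, ok = is_deidentified(SAMPLE)
    print("safe harbor:", clean)
    print("de-identified:", ok, "residual:", residual_scan(clean))
    lds = limited_data_set(SAMPLE)
    print("limited data set still carries:", lds_residual_codes(lds))
```

Run on the constructed record, the safe-harbor pass drops the birth year and buckets the age as 90+, keeps only the three-digit ZIP prefix, and still reports the phone number inside the free-text note, so the record is not de-identified until that note is cleaned. The limited-data-set pass keeps the full dates and city, and reports the scrambled SSN and initials it is allowed to carry, which is the deck's point that an LDS may still be PHI and still require a DUA.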


Business Associate Agreements

• Business Associate: An individual or entity who on behalf of VHA

– Performs functions, services, or activities involving the use or disclosure of PHI

– Must be related to treatment, payment, or health care operations


Business Associate Agreements

• BAAs required for:
– Any person or entity meeting the definition of Business Associate

• BAAs not required for research or research sponsors
– Research is not a function or activity regulated by HIPAA (treatment, payment, or health care operations)


HIPAA Authorization

• Authorization requirements:
– Handbook 1605.1 “Privacy & Release of Information”

• Poor authorizations:
– Inadequate description of the data
– Does not specifically state if PHI related to drug or alcohol abuse; alcoholism; HIV; or Sickle Cell Anemia will be used
– Statements regarding who will see data are too general
– Failure to state what will happen with the data, where it is sent, and how it is secured

• May be stand-alone or incorporated into informed consent


Waiver of Authorization

• IRB or Privacy Board (PB) may approve:
– Full waiver of authorization
– Partial waiver of authorization
– Alteration of the disclosure

• IRB or Privacy Board:
– Must make specific determination prior to approving waiver
– Must document specific findings


Required Determinations: 3 Criteria

1. The use or disclosure of PHI involves no more than a minimal risk to the individual based on at least the presence of the following elements:

– An adequate plan to protect the identifiers from improper use & disclosure

– An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining them or the retention is required by law; and

– Adequate written assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by this subpart


Required Determinations: 3 Criteria (Cont.)

2. The research could not practicably be conducted without the waiver

3. The research could not practicably be conducted without access to and use of the protected health information


Required Documentation

• Name of IRB or PB & date approved

• Statement: IRB or PB determined the alteration or waiver of authorization, in whole or in part, satisfies the 3 criteria in the Rule (list criteria)

• A brief description of the PHI for which use or access has been determined to be necessary

• A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, and

• Signature of the chair or other voting member, as designated by the chair, of the IRB or PB, as applicable.


Data Use Agreements (DUA)

• Originally VHA (in addition to HHS) required a DUA for use of limited data sets

• VHA and ORD policy now requires a combined Data Use Agreement and Data Transfer Agreement (DUA/DTA) any time you transfer data within or outside VHA for research purposes, unless:
– The consent allows transfer to the sponsor
– The transfer is within the scope of the protocol, e.g., transferring data to a data coordinating center

• DUA/DTA requirements will be published soon


Privacy Act of 1974


An American has no sense of privacy.

He does not know what it means.

There is no such thing in the country.

George Bernard Shaw


Privacy Act of 1974

• Purpose: To balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy

• Background: Watergate era and Congress concerned with:
– Curbing illegal surveillance & investigations
– Potential abuses presented by government’s increasing use of computers to store & retrieve personal data


Privacy Act Objectives

• Restrict disclosure of personally identifiable records by agencies

• Grant individuals
– Increased rights of access to agency records
– The right to seek amendment of agency records

• Establish code of fair information practices for agencies


A Privacy Act Requirement

• Agencies that maintain a system of records "shall promulgate rules, in accordance with notice and comment rulemaking”

• Systems of Records (SOR): “A group of records under agency control from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”


System of Records Content

• Category of individuals covered by the system

• Categories of records in the system

• Purpose of the records

• Routine uses of records

• Storage (storage medium)

• Retrievability (name, numbers or identifier)


SORs and Research

• 34VA12 -- Veteran, Patient, Employee, and Volunteer Research and Development Project Records

• 121VA19 -- National Patient Databases – VA

• 97VA105 – Consolidated Data Information System – VA (contains Medicare data)


SOR’s Major Impact on Research

• All release/disclosure of information must be consistent with the SOR and routine uses

• Investigators cannot release information to non-VA investigators or institutions unless:
– Written permission/authorization from the individual, or
– Permission of the USH or designee

• Release of information is through or at the direction of the Privacy Office
– Privacy Officer approval
– ISO: secure release & transmission


Privacy Issues Resources

• VHA Privacy Officer: Stephania Putt

• Local privacy officer

• VHA privacy program:
– http://vaww.vhaco.va.gov/privacy/
– Links to all Federal statutes, regulations, & policies including security policies
– Privacy Fact Sheets


Is This True?

"The more the data banks record about each one of us, the less we exist”

Marshall McLuhan

Canadian philosopher & educator
