HIPAA, You, and the IRB
HIPAA, Research, and the IRB Michelle Brown, BBA Biomedical IRB Manager


Post on 23-Jan-2020


Agenda

Brief History of HIPAA – How Did We Get Here?

When Does HIPAA Apply to Research?

How Do Researchers Access & Share PHI Under the Privacy Rule?

What Rights Has HIPAA Provided to Participants?

What Additional Requirements Impact Research Administrators?

Brief History of HIPAA – How Did We Get Here?

Health Insurance Portability & Accountability Act

• Sponsored by Senators Ted Kennedy of Massachusetts & Nancy Kassebaum of Kansas
• Enacted by Congress
• Signed by President Clinton in 1996

Original Intent:

• improve portability and continuity of health insurance coverage in the group and individual markets,
• combat waste, fraud, and abuse in health insurance and health care delivery,
• promote the use of medical savings accounts,
• improve access to long-term care services and coverage,
• simplify the administration of health insurance.

Anatomy of the Act

Titles
– Title I Healthcare Portability
– Title II Administrative Simplification
– Title III Tax Related Health Provisions
– Title IV Application Group Health Requirements
– Title V Revenue Offsets

Anatomy of the Act

Title II: Administrative Simplification Provisions
– Improve Efficiency & Effectiveness
– Required Department of Health & Human Services (HHS) to adopt national standards for:
  • electronic health care transactions and code sets,
  • unique health identifiers, and
  • security.

Anatomy of the Act

Title II: Rules for Individually Identifiable Health Information
– Transactions
– Privacy
– Security
– Enforcement

All are located at 45 CFR Parts 160, 162, and 164

Summary

Question: How did we get here?
Answer: In the course of setting national standards for the regulation of certain health information, HIPAA and the Privacy Rule were created. Because researchers need access to this protected health information, we need to understand the parameters of the Privacy Rule.

When Does HIPAA Apply to Research?

The Privacy Rule & Research

Only applies to a Covered Entity
• Health Plan
• Health Care Clearinghouse
• Health Care Provider (who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard)

Sets Minimal Federal Standards
• Protects the privacy of individually identifiable health information
• Regulates the access, amendment, and sharing of PHI for research

Not intended to impede research
• Establishes conditions under which covered entities can provide researchers access to and use of PHI when necessary to conduct research

Definition of Terms

Health Information is any information in any medium, that:
– is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
– relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Individually Identifiable Health Information is a subset of health information and:
– is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
– relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
  o That identifies the individual; or
  o With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Definition of Terms

Protected Health Information (PHI) is individually identifiable health information that is:
– transmitted by electronic media
– maintained in electronic media, or
– transmitted or maintained in any other form or medium.

PHI is not:
– education records covered by FERPA
– employment records held by a covered entity in its role as employer.

Privacy:
– relates to a person
– The research proposal should outline strategies on how the investigator will access information from or about participants.

Confidentiality:
– relates to information/data about an individual
– The research proposal should outline strategies to maintain confidentiality of identifiable data, including controls on storage, handling, and sharing of data.

Privacy Rule & The Common Rule

HIPAA covers the use and disclosure of individuals’ protected health information (“PHI”).

Common Rule: Individually identifiable means the identity of the participant is or may be readily ascertained by the investigator.

Protected Information

1. Names

2. All geographic subdivisions smaller than a State, including: street address, city, county, precinct, zip codes and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

a) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and

b) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.


3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.

4. Telephone Numbers
5. FAX Numbers
6. E-mail Addresses
7. Social Security Numbers
8. Medical Record Numbers
9. Health Plan Beneficiary Numbers
10. Account Numbers
11. Certificate / License Numbers
12. VIN and License Plate Numbers
13. Device IDs and Serial Numbers
14. Web Addresses (URLs)
15. Internet Protocol Numbers (IP Address)
16. Biometric Identifiers (fingerprints and voiceprints)
17. Full-face Photos and Comparable Images
18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification

Summary

Question: When does HIPAA apply to research?
Answer: When a covered entity is involved and it meets the definition of protected health information.

How Do Researchers Access & Share PHI Under the Privacy Rule?

Accessing & Sharing PHI in Research

De-identified
• Statistical Verification
• Removing Specific Information

Written Authorization
• Combined with Informed Consent
• Pertains to specific research
• Not future, unspecified research

Without an Authorization
• Determination made by IRB or Privacy Board

Preparatory Work
• Solely to prepare protocol
• No PHI removed from covered entity
• Necessary for preparation of research

Decedents
• Necessary and solely for research
• Documentation of death may be required

Limited Data Sets
• Specific identifiers
• Data Use Agreement

De-identified
• Statistical Verification
• Removing Specific Information

The Privacy Rule states that if PHI is de-identified, HIPAA does not apply. A researcher employed by a covered entity or accessing data from a covered entity can conduct his/her research using de-identified data and the study does not fall under the HIPAA Privacy Rule requirements. PHI can be de-identified in one of two ways:
1) Remove all 18 identifiers from the data.
2) Use statistical methods to certify there is small risk that the information released could identify the individual.
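
An added example, not part of the original presentation: the identifier-removal method applied to one record in Python, using the zip code, date, and age rules from the Protected Information list. The field names, the allow-list, and the SMALL_ZIP3 set are assumptions constructed for illustration; the real set of low-population zip prefixes comes from current Census Bureau data.

```python
from datetime import date

# Hypothetical schema: only these non-identifying fields pass through unchanged.
# Everything else (names, contact details, record numbers, free text, ...) is
# dropped by default, which also covers identifier 18 ("any other unique code").
KEEP_FIELDS = {"sex", "diagnosis_code"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed placeholder: 3-digit zip prefixes whose combined population is
# 20,000 or fewer. Build the real set from current Census Bureau data.
SMALL_ZIP3 = {"999"}


def generalize_zip(zip_code, small_zip3=SMALL_ZIP3):
    """Keep only the first three zip digits, or 000 for low-population areas."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:  # malformed input: fail closed
        return "000"
    prefix = digits[:3]
    return "000" if prefix in small_zip3 else prefix


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def deidentify(record, as_of, small_zip3=SMALL_ZIP3):
    """Return a copy of record with the identifier rules applied."""
    out = {}
    birth = record.get("birth_date")
    age = age_on(birth, as_of) if birth else None
    over_89 = age is not None and age > 89
    for key, value in record.items():
        if key == "zip":
            out["zip3"] = generalize_zip(value, small_zip3)
        elif key in DATE_FIELDS:
            # Dates keep the year only. For ages over 89 the birth year is
            # itself indicative of age, so it is dropped as well.
            if key == "birth_date" and over_89:
                continue
            out[key[:-5] + "_year"] = value.year
        elif key in KEEP_FIELDS:
            out[key] = value
    if age is not None:
        out["age"] = "90 or older" if over_89 else age
    return out


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-0001", "email": "jane@example.org",
    "zip": "99901-1234", "birth_date": date(1928, 3, 14),
    "admission_date": date(2019, 11, 2), "sex": "F", "diagnosis_code": "I10",
    "notes": "Lives with daughter; call 555-0100",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, as_of=date(2020, 1, 23)))
```

The allow-list drops the free-text notes field because free text can embed any of the 18 identifiers.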

Written Authorization
• Combined with Informed Consent
• Pertains to specific research
• Not future, unspecified research

Required Elements:
• Specific description of information to be used
• Identification of the person(s) authorized to make the requested use or disclosure
• The names of the person(s) to whom the covered entity may make the requested use or disclosure
• Description of each purpose of the requested use or disclosure
• Authorization expiration date or expiration event (“end of the research study” or “none” are permissible for research)
• Signature of the individual and date.

Written Authorization
• Combined with Informed Consent
• Pertains to specific research
• Not future, unspecified research

Required Statements:
• Individual’s right to revoke authorization in writing
• Ability or inability to condition treatment, payment, enrollment, or eligibility for benefits
• Potential for information to be subject to re-disclosure

Without Authorization
• Determination made by IRB or Privacy Board

Criteria:
• The use/disclosure involves no more than minimal risk because of an adequate plan/assurance:
  • to protect PHI from improper use or disclosure
  • to destroy identifiers at earliest opportunity
  • that PHI will not be inappropriately reused or disclosed
• The research could not practicably be conducted without the waiver
• The research could not practicably be conducted without access to and use of PHI.

Waiver of Authorization must be approved by the IRB.

Preparatory Work
• Solely to prepare protocol
• No PHI removed from covered entity
• Necessary for preparation of research

Typically used by researchers to obtain access to PHI without authorization in order to collect aggregate data to determine if there are enough prospective subjects to justify conducting a study or to identify prospective participants that meet the inclusion / exclusion study criteria.

Researcher may not remove PHI from Covered Entity site.

Allows researcher to identify prospective participants for purposes of seeking their Authorization to use/disclose PHI for a study.

Decedents
• Necessary and solely for research
• Documentation of death may be required

Not required to obtain Authorizations from personal representative or next of kin, a waiver or an alteration of the Authorization, or a Data Use Agreement.

Researcher must provide:
• oral or written representations that the use and disclosure is sought solely for research on the PHI of decedents
• oral or written representations that the PHI is necessary for the research
• documentation of the death of the individual(s) whose PHI is being sought.

The PHI of decedents may not be used to obtain information about a decedent’s living relatives.

Research on decedents does not require IRB approval.

Limited Data Sets
• Specific identifiers
• Data Use Agreement

• Research using a limited data set allows the use of limited identifiers
• There must be a limited potential for individual identification
• “Direct” identifiers may not be used
• Provider of PHI must have a Data Use Agreement with recipient of data

DIRECT IDENTIFIERS

1. Names
2. Street Addresses
3. Phone and Fax Numbers
4. Email Addresses
5. Social Security Numbers
6. Medical Record Numbers
7. Health Plan Numbers
8. Account Numbers
9. Certificate/License Numbers
10. Vehicle Identifiers/License Plates
11. Device Identifiers
12. Web URLs
13. Internet Protocols (IP)
14. Full Face Photo

Summary

Question: How do researchers access and share data under HIPAA and the Privacy Rule?
Answer:
• Go outside of the Privacy Rule and de-identify the data.
• Obtain a Written Authorization.
• Obtain a Waiver of Written Authorization from the IRB.
• Verify PHI is being used in preparation of research.
• Research involves decedents and/or limited data sets.

What Rights Has HIPAA Provided to Participants?

How Are Research Participants’ Rights Affected by the Privacy Rule?

Key Points: The Privacy Rule provides individuals with certain rights about:
• how their health information is used and disclosed and
• how they can gain access to health records and information about when their PHI was released without their permission.

The Privacy Rule describes how covered entities can implement these rights while maintaining the integrity of the research project.

What Additional Requirements Impact Research Administrators?

Databases / Repositories & Registries

Covered entities are permitted to amass information on their patients for treatment, payment, and health care operations purposes, and to enter this information into their own databases without Authorization.

The creation of a research Database/Repository or Registry, and the use or disclosure of PHI from a Database/Repository or Registry for research purposes, is research activity and requires IRB approval.
– UNLESS the data is de-identified and determined by the IRB to be exempt from review, or a limited data set (under a Data Use Agreement)

Illinois State Law:
• sensitive information includes mental health, developmental disabilities, genetic testing, genetic counseling, HIV
• use of identifiable sensitive information for research requires patient consent
• genetic testing and HIV information may be used without consent on a de-identified basis
• genetic counseling, mental health, developmental disabilities require consent to use on a de-identified basis for research

Minimum Necessary Requirement:
• covered entity or researcher must try to limit the PHI to be collected, used, or disclosed to the minimum necessary to achieve the research purpose

Summary

Question: What additional requirements impact research administrators?
Answer: state laws more than I list in the scope of this talk

For more information, consult the website at:

http://irb.northwestern.edu/policies/hipaa


Questions?