Privacy/Confidentiality in Research

Privacy/Confidentiality and Research
Bob Gross
Chief Privacy Officer
UCLA Health System and David Geffen School of Medicine
Phone: 310-794-8639
Email: rhgross@mednet.ucla.edu
AGENDA

- Review of definitions
- Uses and disclosures of PHI in research
  - Without a subject's explicit permission:
    - Privacy Board or IRB waiver or alteration of authorization
    - De-identified data
    - Limited Data Set
    - Preparatory to Research
    - Information on Decedents
  - With a subject's explicit permission: the authorization
- Breach Notification
- Discussion
HIPAA Requirements

- HIPAA is an "exception" statute: in order to look at, handle, share, or disclose patient information you must either meet a HIPAA exception OR have the patient's permission, given on a form called the Authorization.
- The purpose for accessing the information determines which exception applies.
Definitions

- Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
- Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.
Definition of Provider

Any person or organization that furnishes, bills, or is paid for health care services or supplies in the normal course of business.

Provider includes:
- Researchers who provide health care to the subjects of research
- Free clinics
- A health clinic or licensed health care professional located in a school or business
PHI and Research

Uses and disclosures of PHI in research without a subject's explicit permission:
- Privacy Board or IRB waiver or alteration of authorization
- De-identified data
- Limited Data Set
- Preparatory to Research
- Information on Decedents
Waiver of the authorization

- The criteria for waiver of an authorization are the same for both a complete and a partial waiver.
- The Privacy Rule does not itself use the term "partial waiver".
- The rule makes it the responsibility of the IRB/Privacy Board to ensure the waiver criteria are met and to determine what PHI may be used for the research project.
Waiver of the authorization

1. An authorization can be waived if the IRB/Privacy Board determines:
   A. The use or disclosure of the PHI involves no more than minimal risk to the privacy of the subject, based on at least all of the following:
      1. An adequate plan to
         i. protect the identifiers
         ii. destroy the identifiers at the earliest possible time
      2. Adequate written assurance that the PHI will not be reused or redisclosed except under very limited circumstances:
         i. required by law
         ii. oversight of the research
         iii. other research, after additional IRB approval
Waiver of authorization (cont.)

2. The research cannot practicably be done without the waiver of authorization.
   a. Why won't other recruitment methods be effective?
   b. Why is obtaining an authorization impractical?
   c. Example: retrospective records review of a clinical database for ER visits by patients with a gunshot wound to the head.
3. The research cannot practicably be done without access to the PHI.
   a. Why must the researcher use identifiable information for his/her study?
Waiver of authorization (cont.)

- The IRB/Privacy Board is tasked with determining what PHI is necessary for the research project.
- How should this be done? Ask the researcher to specify the information needed for the specific purpose of the waiver.
- Examples:
  - Recruitment
  - Retrospective records review
De-identified data?

Under the "safe harbor" method of de-identification, the following identifiers of the individual (and of relatives, employers and household members) must be removed:
- (A) Names;
- (B) Street address, city, county, precinct, zip code, and equivalent geo-codes;
- (C) All elements of dates (except year) for dates directly related to an individual, and all ages over 89;
- (D) Telephone numbers;
- (E) Fax numbers;
- (F) Electronic mail addresses;
- (G) Social security numbers;
- (H) Medical record numbers;
- (I) Health plan ID numbers;
- (J) Account numbers;
- (K) Certificate/license numbers;
- (L) Vehicle identifiers and serial numbers, including license plate numbers;
- (M) Device identifiers/serial numbers;
- (N) Web addresses (URLs);
- (O) Internet IP addresses;
- (P) Biometric identifiers, including finger and voice prints;
- (Q) Full face photographic images and any comparable images; and
- (R) Any other unique identifying number, characteristic, or code.

Two details of the rule worth knowing in practice: the initial three digits of a zip code may be retained where the geographic unit formed by those digits contains more than 20,000 people (otherwise they must be changed to 000), and ages over 89 may be aggregated into a single category of "90 or older". The covered entity must also have no actual knowledge that the remaining information could be used to identify the individual. The alternative to safe harbor is a documented determination by a qualified statistician that the risk of re-identification is very small.
Limited Data Set?

A limited data set (LDS) is PHI from which the following direct identifiers of the individual, and of relatives, employers and household members, have been removed:
- (A) Names;
- (B) Postal address information other than town or city, state, and zip code (street address, county, precinct, and equivalent geo-codes are removed);
- (D) Telephone numbers;
- (E) Fax numbers;
- (F) Electronic mail addresses;
- (G) Social security numbers;
- (H) Medical record numbers;
- (I) Health plan ID numbers;
- (J) Account numbers;
- (K) Certificate/license numbers;
- (L) Vehicle identifiers and serial numbers, including license plate numbers;
- (M) Device identifiers/serial numbers;
- (N) Web addresses (URLs);
- (O) Internet IP addresses;
- (P) Biometric identifiers, including finger and voice prints; and
- (Q) Full face photographic images and any comparable images.

Unlike de-identified data, an LDS may retain (C) all elements of dates (such as admission, discharge, birth and death dates) and ages, and town or city, state and zip code; item (R) is likewise not on the LDS list. An LDS is still PHI: it may be used or disclosed only for research, public health, or health care operations, and only under a Data Use Agreement.
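The two preceding slides differ only in which fields survive. The following is an added example, not part of the original presentation, that applies both lists to a record: `limited_data_set` strips the direct identifiers and leaves dates, ages and city/state/zip in place, `de_identify` goes on to the safe-harbor treatment (year-only dates, ages over 89 collapsed to "90+", three-digit zip), and `residual_identifiers` is the audit check a reviewer would run before releasing the data. The field names, the sample patient, and the `RESTRICTED_ZIP3` prefixes are all constructed for illustration; the prefix set in particular must be populated from current census data in real use.

```python
# Added example (not from the original slides). Applies the Safe Harbor
# identifier list to produce (a) a limited data set and (b) a fully
# de-identified record, then audits the result. The sample record, field
# names and RESTRICTED_ZIP3 are constructed for illustration.
import re
from datetime import date

# Direct identifiers (items A and D-Q): stripped from both an LDS and a
# de-identified record. Field names are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vehicle_id", "device_serial", "url",
    "ip", "biometric", "photo",
}
DATE_FIELDS = ("dob", "admit_date", "discharge_date")

# Three-digit ZIP prefixes assumed to cover 20,000 people or fewer; Safe Harbor
# requires these to be reported as 000. Placeholder values only.
RESTRICTED_ZIP3 = {"036", "059", "063"}

# Item R leaks into free text; these patterns catch the common cases.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\bMRN[:#\s]*\d+\b", re.IGNORECASE), "[MRN]"),
]


def scrub_text(text):
    """Replace free-text identifiers with placeholder tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def age_on(dob, as_of):
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def limited_data_set(record):
    """LDS: remove the direct identifiers and postal address below town/city,
    state and zip. Dates and ages may remain. Still PHI; needs a DUA."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    for key in ("street", "county", "precinct"):
        out.pop(key, None)
    if "notes" in out:
        out["notes"] = scrub_text(out["notes"])
    return out


def de_identify(record, as_of):
    """Safe Harbor: everything the LDS strips, plus geography below state
    level (except ZIP3), year-only dates, and ages over 89 collapsed to 90+."""
    out = limited_data_set(record)
    out.pop("city", None)
    if "zip" in out:
        zip3 = str(out["zip"])[:3]
        out["zip"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
    age = age_on(record["dob"], as_of) if "dob" in record else None
    for key in DATE_FIELDS:
        if key in out:
            out[key] = out[key].year
    if age is not None:
        if age > 89:
            out["age"] = "90+"
            out.pop("dob", None)   # a birth year would reveal an age over 89
        else:
            out["age"] = age
    return out


def residual_identifiers(record):
    """Audit check: fields or free-text matches that would still identify someone."""
    hits = [k for k in record if k in DIRECT_IDENTIFIERS or k == "street"]
    for value in record.values():
        if isinstance(value, str):
            hits += [token for pattern, token in FREE_TEXT_PATTERNS if pattern.search(value)]
    return hits


# Constructed sample record (fictional patient).
SAMPLE = {
    "name": "Jane Doe", "mrn": "00123456", "ssn": "123-45-6789",
    "phone": "(310) 555-0100", "email": "jdoe@example.com",
    "street": "10833 Le Conte Ave", "city": "Los Angeles",
    "county": "Los Angeles", "state": "CA", "zip": "90095",
    "dob": date(1931, 3, 14), "admit_date": date(2007, 7, 2),
    "diagnosis": "I25.10",
    "notes": "Pt reached at 310-555-0100; MRN 00123456; prior SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    print("LDS:", limited_data_set(SAMPLE))
    print("De-identified:", de_identify(SAMPLE, date(2009, 4, 27)))
    print("Residual:", residual_identifiers(de_identify(SAMPLE, date(2009, 4, 27))))
```

The free-text scrub is the part most often skipped in practice: structured fields are easy to drop, but a clinician's note with a callback number or MRN in it is exactly the "other unique identifying number" of item (R), and the audit function is there to catch it after the fact.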
Data Use Agreement

- Sets out the permitted uses and disclosures of the PHI in the LDS
- Identifies who is permitted to use or disclose the information
- Provides that the recipient will:
  - Properly safeguard the data
  - Not use the information in a manner inconsistent with the DUA
  - Report any improper uses or disclosures to the covered entity (CE)
  - Not use the information to attempt to identify or contact individuals based on the information in the LDS
  - Require all agents and subcontractors to comply with the terms of the DUA
Uses or Disclosures Preparatory to Research

- Purpose: to prepare a research protocol (for example, to assess feasibility or identify prospective subjects)
- The researcher provides the following assurances:
  - The PHI will not be removed from the CE
  - The use or disclosure is sought solely to prepare a research protocol
  - The PHI is necessary for the research purpose
Research on Decedent Information

- HIPAA protects the PHI of a decedent.
- Research on decedents' information requires the submission of an attestation to the CE stating:
  - The information is sought solely for research on decedents
  - The information is necessary for the research purpose
  - If requested by the CE, documentation of the death of the individual(s)
Authorizations

If the researchers do not meet one of the exceptions previously discussed, the ONLY compliant way to use (this means look at) or disclose a patient's information for research is to obtain the individual's authorization.
Authorization Components

Specify:
- Information to be used or disclosed
- Who can use or disclose
- To whom the information can be disclosed
- Purpose(s) of uses and disclosures
- Expiration date or event
- Required statements:
  - Revocation
  - Participation (conditioning of treatment on signing)
  - Re-disclosure by third parties
  - Access to information during the study
- Individual's signature and date

"The elements we require to be included in the authorization are intended to ensure that individuals knowingly and willingly authorize the use or disclosure of protected health information about them. If these elements are missing or incomplete, the covered entity cannot know which protected health information to use or disclose to whom and cannot be confident that the individual intends for the use or disclosure to occur." 65 Fed. Reg. 82657.
Description of PHI to be used or disclosed

- A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
- Information requested from system administrators must be the same as the PHI stated in the IRB protocol and the subject authorization form.
Who can use or disclose the information?

The name or other specific identification of the person(s) or class of person(s) authorized to make the requested use or disclosure.
To whom will we give the information?

- The name or other specific identification of the person(s) or class of person(s) to whom the covered entity may make the requested use or disclosure.
- If a recipient is not listed on the authorization, either specifically or at a minimum as a class described in general terms, the information cannot be shared with that recipient.
The purpose of sharing the information

- A description of each purpose of the requested use or disclosure.
- Because the rules require the authorization to specify the purpose of each requested use or disclosure, this precludes a very non-specific statement like "future research".
- It might also preclude a statement like "to conduct the research study".
- (HHS has since stated, in the preamble to the 2013 Omnibus Rule, that an authorization may cover future research provided it describes that research in enough detail that it would be reasonable for the individual to expect the PHI could be used for it.)

"The required statement of purpose(s) must provide individuals with the facts they need to make an informed decision whether to allow release of the information. The use of broad or blanket authorizations requesting the use or disclosure of protected health information for a wide range of unspecified purposes should not be used. Both the information that is to be used or disclosed and the specific purpose(s) for such uses and disclosures must be stated in the authorization."
RE-DISCLOSURE BY 3RD PARTY

A required statement regarding "the potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer protected by this subpart."
PARTICIPATION IS CONDITIONAL ON SIGNING AUTHORIZATION

- A covered health care provider may condition the provision of research-related treatment on the provision of an authorization for the use and disclosure of protected health information for such research.
- Where participation is conditioned in this way, the authorization must inform the subject of the consequences of refusing to sign.
Right to revoke authorization

A statement informing the subject of their right to revoke the authorization in writing, the exceptions to the right to revoke, and how they can revoke the authorization.
Expiration date or event

An expiration date, or an expiration event that relates to the individual or to the purpose of the use or disclosure. The statement "end of the research study", "none", or similar language is sufficient if the authorization is for the use or disclosure of protected health information for research, including the creation and maintenance of a research database or research repository.
Right to deny access

A covered entity may temporarily suspend an individual's access to PHI created or obtained in the course of the research study, for as long as the study is in progress, if the individual agreed to the suspension in the authorization and was told that access will be reinstated when the research is complete.
Verbal authorizations

- The Privacy Rule does not provide for a verbal authorization.
- From the preamble to the rule:
  Comment: Some commenters requested that we permit covered entities to use or disclose protected health information pursuant to a verbal authorization.
  Response: To ensure compliance and mutual understanding between covered entities and individuals, we require all authorizations to be in writing.
Dual research projects

A clinical trial that also collects data and/or identifiable tissue for possible future research uses or disclosures may require two authorizations, for example where the trial also feeds:
- Data banks
- Repositories
Breach notification requirement

A breach is:
1. the unauthorized acquisition, access, use, or disclosure of
2. unsecured PHI which
3. compromises the privacy or security of the PHI.
What is not a breach?

The statutory exceptions:

(i) any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if
  (I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; AND
  (II) such information is not further acquired, accessed, used, or disclosed by any person; OR
(ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility; and
(iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.
Definition of Unsecured PHI

Unsecured PHI is PHI that is not secured through a technology or methodology specified by the Secretary in guidance.

Guidance from HHS (Federal Register, Vol. 74, No. 79, Monday, April 27, 2009): "...two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals: encryption and destruction."
Encryption methods

Data at rest:
- National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices

Data in motion:
- Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.

The HHS guidance also conditions this safe harbor on the decryption key not having been compromised, and recommends storing the key on a device or at a location separate from the data it protects. A lost laptop with full-disk encryption whose passphrase was taped to the lid is still a breach of unsecured PHI.
Destruction methods

The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
- (i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
- (ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
Analysis of what is a breach

Is it an unauthorized access, acquisition, use or disclosure?
- It is, if the PHI was used, disclosed, accessed or acquired in a manner not permitted under Subpart E (the Privacy Rule).
- Example: failure to follow the minimum necessary standard might be a breach.
Analysis of what is a breach

Is it unsecured PHI?
- It was ePHI that was not encrypted in a manner identified by the guidance document.
- It was paper PHI (paper can only be "secured" by destruction).
Analysis of what is a breach

Does it compromise the privacy or security of the PHI?
- Under the 2009 interim rule, it does if it poses a significant risk of financial, reputational or other harm to the individual.
- This requires a documented risk assessment.
- (The 2013 Omnibus Rule replaced this harm standard: an impermissible use or disclosure is now presumed to be a breach unless the risk assessment shows a low probability that the PHI has been compromised, considering the nature of the PHI, the unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent of mitigation.)
Risk assessment

Things to consider:
- Who impermissibly used or disclosed the information?
- To whom was the information disclosed?
  - Was it another covered entity?
- What mitigating steps were taken, and when?
  - Reasonable assurances from the recipient that the information would not be further used or disclosed
  - The information is destroyed by the recipient
Risk assessment

- Was the PHI retrieved or returned before it could be impermissibly accessed? (Forensic evidence that a recovered device was never powered on, or that the files were never opened, is what supports this conclusion.)
- You cannot delay notification hoping that a lost computer or USB drive will be recovered.
- Is the nature of the PHI such that it does not pose a significant financial, reputational or other risk of harm to the individual?

"The risk assessment should be fact specific, and the covered entity or business associate should keep in mind that many forms of health information, not just information about sexually transmitted diseases or mental health, should be considered sensitive for purposes of the risk of reputational harm - especially in light of fears about employment discrimination."
Breach notification requirement

A covered entity or BA is on notice of a breach on the first day anyone in the organization, other than the employee committing the breach, knows of the breach or, with the exercise of reasonable diligence, should have known of it.
Breach notification requirement

The covered entity or BA must notify the individual (or, if the individual is deceased, their next-of-kin or personal representative) without unreasonable delay, and no later than 60 days after the breach is discovered.
Breach Notification

- An investigation of the facts and circumstances surrounding the breach may take some time.
- The time needed to investigate can justify some delay in notification.
- However, the 60 days run from the date the breach is discovered, not from the date the investigation is complete; 60 days is an outer limit, not a safe harbor.
- The reasons for any delay must be documented.
Breach notification requirement

- Written notification by first-class mail to the last known address of the individual (or the personal representative or next-of-kin), or by e-mail if the individual has agreed to electronic notice.
- If you do not have a good address, you must provide substitute notice by other means.
  - Substitute notice is not required when you lack good contact information for a personal representative or next-of-kin.
Breach notification requirement

- If there are 10 or more individuals for whom you do not have good contact information, substitute notice must be a conspicuous posting on the home page of the covered entity's website or a conspicuous notice in major print or broadcast media.
- The posting or notice must run for 90 days.
- It must include a toll-free number, active for at least 90 days, that individuals can call to learn whether their information was involved.
- (For fewer than 10 such individuals, substitute notice may be given by an alternative written notice, by telephone, or by other means.)
Breach notification requirement

- If the nature of the breach puts individuals in imminent danger of misuse of their unsecured PHI, the covered entity may also notify them by telephone (in addition to, not instead of, written notice).
- If the breach involves the unsecured PHI of more than 500 residents of a particular state or jurisdiction, the covered entity must also notify prominent media outlets serving that state or jurisdiction.
  - Jurisdiction is defined as a geographic area smaller than a state, such as a county, city or town.
Breach notification requirement

- The covered entity must notify the Secretary of HHS.
- If the breach involves 500 or more individuals, immediate notice is required.
  - Immediate means without unreasonable delay and at the same time as notice to the individuals involved.
Breach notification requirement

- If the breach involves fewer than 500 individuals, the covered entity keeps a log of all such breaches and submits it to the Secretary annually.
  - The log must be submitted within 60 days of the end of the calendar year in which the breaches were discovered.
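The notification slides above (discovery, the 60-day clock, substitute notice, media notice, and notice to the Secretary) form one decision procedure. The following is an added example, not part of the original presentation, that encodes that procedure as a function an incident responder can run over the facts of an incident: it determines the discovery date from when anyone other than the breaching employee knew or should have known, treats PHI encrypted or destroyed per the HHS guidance as secured, and then computes the required notices and deadlines. The `Breach` fields and the three sample incidents are constructed for illustration.

```python
# Added example (not from the original slides): the breach notification rules
# summarized above, turned into a checklist with computed deadlines. The Breach
# fields and the sample incidents are constructed for illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Breach:
    occurred: date                 # date of the impermissible use or disclosure
    known_on: list                 # dates on which workforce members, other than
                                   # the person who caused it, learned of it
    should_have_known: date        # earliest date reasonable diligence would have found it
    encrypted_per_guidance: bool   # FIPS 140-2 validated / NIST SP 800-111 encryption,
                                   # with the key not compromised
    destroyed_per_nist_800_88: bool
    affected: int                  # individuals whose PHI was involved
    per_state: dict = field(default_factory=dict)   # state or jurisdiction -> individuals
    bad_addresses: int = 0         # individuals with no good contact information
    imminent_misuse: bool = False


def discovery_date(b):
    """First day anyone other than the breaching employee knew, or with
    reasonable diligence should have known, of the breach."""
    return min(list(b.known_on) + [b.should_have_known])


def is_unsecured(b):
    """PHI is 'secured' only if encrypted or destroyed per the HHS guidance."""
    return not (b.encrypted_per_guidance or b.destroyed_per_nist_800_88)


def notification_plan(b):
    """Return the notices required for this incident and their deadlines."""
    plan = {"notify": is_unsecured(b)}
    if not plan["notify"]:
        plan["reason"] = "secured PHI: breach notification rule does not apply"
        return plan

    found = discovery_date(b)
    plan["discovered"] = found
    # Individual notice: without unreasonable delay; 60 days from discovery is the outer limit.
    plan["individual_deadline"] = found + timedelta(days=60)
    plan["individual_notice"] = ["first-class mail to last known address"]
    if b.imminent_misuse:
        plan["individual_notice"].append("telephone, in addition to written notice")

    # Substitute notice when contact information is missing.
    if b.bad_addresses >= 10:
        plan["substitute_notice"] = ("website home page or major media for 90 days, "
                                     "with toll-free number")
    elif b.bad_addresses > 0:
        plan["substitute_notice"] = "alternative written notice, telephone, or other means"

    # Media notice for each state/jurisdiction with more than 500 residents affected.
    plan["media_notice"] = sorted(s for s, n in b.per_state.items() if n > 500)

    # HHS notice: immediate for 500 or more; otherwise the annual log, due
    # within 60 days of the end of the calendar year of discovery.
    if b.affected >= 500:
        plan["hhs_notice"] = "immediate, at the same time as individual notice"
    else:
        plan["hhs_notice"] = "annual log"
        plan["hhs_log_due"] = date(found.year, 12, 31) + timedelta(days=60)
    return plan


# Constructed incidents.
LOST_UNENCRYPTED_USB = Breach(
    occurred=date(2009, 6, 1), known_on=[date(2009, 6, 10)],
    should_have_known=date(2009, 6, 5), encrypted_per_guidance=False,
    destroyed_per_nist_800_88=False, affected=1200,
    per_state={"CA": 900, "NV": 300}, bad_addresses=25,
)
LOST_ENCRYPTED_LAPTOP = Breach(
    occurred=date(2009, 6, 1), known_on=[date(2009, 6, 2)],
    should_have_known=date(2009, 6, 2), encrypted_per_guidance=True,
    destroyed_per_nist_800_88=False, affected=3000, per_state={"CA": 3000},
)
MISDIRECTED_FAX = Breach(
    occurred=date(2009, 11, 20), known_on=[date(2009, 11, 20)],
    should_have_known=date(2009, 11, 20), encrypted_per_guidance=False,
    destroyed_per_nist_800_88=False, affected=40, per_state={"CA": 40},
    bad_addresses=3,
)

if __name__ == "__main__":
    for name, b in [("usb", LOST_UNENCRYPTED_USB), ("laptop", LOST_ENCRYPTED_LAPTOP),
                    ("fax", MISDIRECTED_FAX)]:
        print(name, notification_plan(b))
```

Note that the USB incident's clock starts on June 5, the date the organization should have known, not June 10 when someone actually noticed: the "reasonable diligence" prong is what makes slow detection costly. The encrypted laptop produces no notice at all, which is the practical payoff of the encryption safe harbor discussed on the preceding slides.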
Content of the notification

- A brief description of:
  - What happened, including the date of the breach and the date of discovery
  - The unsecured PHI involved in the breach (e.g. name, SSN, date of birth, diagnosis)
  - Steps the individual should take to protect themselves from potential harm
  - The covered entity's investigation, mitigation of harm to the individual, and corrective action plan
- A contact method, such as a toll-free number, e-mail address, website, or postal address, for individuals to ask questions
Discussion Case

The Facts:
The Protocol Director and Principal Investigator (PI) wishes to recruit 75 individuals for a clinical trial from patients who received a certain type of treatment for blocked arteries in the hospital's cardiac cath lab between June 2006 and July 2007. They would receive a new medication supposed to prevent or reduce further blockage.

The PI first wishes to find out how many individuals received this treatment at the Hospital. The PI approaches the HIMS director to run an electronic query for the time period using a particular CPT code. The Director, concerned about the request, contacts the Privacy Officer for guidance, as there are over 200 such patients.

The IRB approves the protocol, including a HIPAA authorization in the informed consent form. The PI goes back to HIMS and asks for a query that will produce the names and addresses of the patients, medical record numbers, and a copy of the medical record.

What should the HIMS director obtain from the PI? A signed authorization, because otherwise it would be providing PHI for research use?

What if the protocol sponsor also wanted information (including PHI) about the individuals who were pre-screened by telephone but did not qualify for the clinical trial? The PI will not have an authorization signed by these individuals.

What if all the patients were the PI's? What if the PI already had a separate research database with these patients in it?
QUESTIONS