HIPAA Privacy and Security Rules and the HITECH Act Training for Researchers By: Office of University Counsel February 2016 Introduction The HIPAA Privacy Rule establishes the conditions under which Covered Entities can provide researchers access to and use of protected health information for research purposes. The HIPAA Privacy Rule does not replace or act in lieu of other federal regulations such as HHS Protection of Human Subjects and the FDA Protection of Human Subjects Research is defined under the HIPAA Privacy Rule as: “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge” HIPAA Privacy Rule • Covered Entity is a health plan, a health care provider or a health care clearinghouse who electronically transmit any health information in connection with transactions for which HHS has adopted standards • Protected Health Information (PHI): Relates to past, present, or future physical or mental condition of an individual; provisions of healthcare to an individual; or for payment of care provided to an individual. Is transmitted or maintained in any form (electronic, paper, or oral representation). Identifies, or can be used to identify the individual. HIPAA Security Rule • The Security Rule defines the standards which require covered entities to implement basic safeguards to protect electronic Protected Health Information (ePHI) • The rule requires safeguards for physical storage of PHI, maintenance of PHI, transmission of PHI and access to PHI “e-PHI” • e-PHI (electronic Protected Health Information) is computer-based patient health information that is used, created, stored, received or transmitted by a Covered Entity using any type of electronic information resource. • Information in an electronic medical record, patient billing information transmitted to a payer, digital images and print outs, information when it is being sent by one provider to another provider, a payer or a researcher. How Can Covered Entities Use and Disclose PHI for Research and Comply with the HIPAA Privacy Rule? 1. De-identified health information, as described in the Privacy Rule, is not PHI, and thus not protected by the Privacy Rule 2. PHI may be used and disclosed for research WITH an individual’s written permission in the form of an Authorization 3. PHI may be used and disclosed for research WITHOUT an Authorization in limited circumstances: (a) under a waiver of the Authorization requirement; (b) for research on decedents’ information; (c) preparatory to research; and (d) as a limited data set with a data use agreement 1. De-Identified Health Information • Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information • De-identified PHI has had all identifiers (listed in the HIPAA Privacy regulation) removed - The “Safe Harbor” - Consider re-identification issues • An expert certifies that the risk is small that the information could be used to identify the individual - The “Scientific Method” What must be done to De-Identify PHI? To de-identify PHI, all of the following identifiers must be removed • Name; • Geographic subdivisions smaller than a state (i.e., county, town, or city, street address, and zip code) (note: in some cases, the initial three digits of a zip code may be used); • All elements of dates (except year) for dates directly related to an individual (including birth date, admission date, discharge date, date of death, all ages over 89 and dates indicative of age over 89) (note: ages and elements may be aggregated into a single category of age 90 or older); • Phone numbers; • Fax numbers; • E-mail addresses; • Social security number; • Medical record number; De-Identifying PHI (cont.) Health plan beneficiary number; Account number; Certificate/license number; Vehicle identifiers and serial numbers; Device identifiers and serial numbers; URLs; Internet protocol addresses; Biometric identifiers (e.g., fingerprints); Full face photographic and any comparable images; Any other unique identifying number, characteristic, or code; and • Any other information that could be used alone or in combination with other information to identify the individual • • • • • • • • • • Request for Information from a Covered Entity Scenario #1: A sponsor has asked you for information to determine if Jefferson has a sufficient number of patients with a specific diagnosis to conduct a study at Jefferson. How do you proceed? Why is the information needed? What type of information is needed to make this determination? Is PHI needed? Is de-identified information needed? Is an approved IRB study needed to request de-identified information? To whom and how is the request made? 2. Subject Authorization • Gives the individual the opportunity to agree to the uses and disclosures of their PHI • Authorization must pertain to specific research • If an authorization is used, the actual uses and disclosures made must be consistent with what is stated in the Authorization • The signed authorization must be retained for at least 6 years • Authorization differs from an informed consent • HIPAA Privacy Rule does not state who may draft, therefore, researchers may draft • Authorization must be compliant with HIPAA Privacy Rule: written in plain language, contain core elements and a signed copy provided to the individual HIPAA Authorization Core Elements Description of the PHI to be used or disclosed Person/Class of Persons who may make the request Person/Class of Persons to whom use/disclosure may be made Description of the purpose of the requested use or disclosure Expiration date (for research may state “at end of study” or does not expire) • Signature of the individual and date • Statement of the right to revoke authorization • Statement of conditions to treatment/payment or of refusing to sign • Statement of the possibility of re-disclosure See OHR-8 form. • • • • • Request for Information from a Covered Entity Scenario #3: The PI is conducting a clinical trial. Patient data needs to be obtained from the patients’ EMRs. How do you proceed? Why is the information needed? What type of information is needed? Is IRB approval needed before study coordinators are permitted to access patients’ EMRs? Is a signed Research Informed Consent Form needed? Are copies of relevant sections of the patients EMRs permitted to be made? Hint: See, Jefferson Policy No. 110.19 “Access to JUP Electronic Records by Research Coordinators for Research Purposes” 3. Without Authorization—(a) Waivers • Without a subject authorization use information only if it meets criteria (e.g. if an IRB permits and grants a waiver of individual authorization) • IRB may waive Authorization upon the request of a researcher only if: 1. The use or disclosure of PHI involves not more than a minimal risk to the privacy of individuals, based on • An adequate plan to protect the identifiers • A plan to destroy identifiers as soon as possible • Adequate written assurances that the PHI will not be reused or disclosed to any other person 2. The research could not practically be conducted without a waiver; and 3. The research could not practically be conducted without the PHI See OHR-3 form. 3. Without Authorization--(b) Research on Decedents’ Information PHI relating to decedents may be used or disclosed by a researcher if the researcher: • Represents that the use or disclosure is sought solely for the research; • Provides documentation that PHI is necessary for the research purposes; and • Provides documentation, at the Covered Entities’ request, of the death of the individuals See OHR-17 form. 3. Without Authorization—(c) Activities Preparatory To Research PHI may be used or disclosed by a researcher if the researcher represents that: • The use or disclosure is solely for review of PHI necessary to prepare a research protocol • No PHI will be removed from the Covered Entity • The PHI is necessary for the research purpose See OHR-29 form. Request for Information from a Covered Entity Scenario #2: The PI is considering conducting a study. The PI would like to review potential subjects’ PHI before submitting a protocol to the IRB. How do you proceed? Why is the information needed? What type of information is needed? Is PHI needed? Is IRB approval needed before the review may be conducted? To whom and how is the request for PHI made? Hint: See, OHR-29 Review Preparatory to Research Request Form 3. Without Authorization—(d) LIMITED DATA SET and DATA USE AGREEMENT • PHI that is used in a limited data set is still PHI, but may be used or disclosed for research without an authorization or waiver • Limited Data Set does NOT include direct identifiers • The Data Use Agreement MUST: - Establish the permitted uses and disclosures; - Limit who can receive the data; and - Require the recipient to agree not to use/disclose the information other than as permitted; use safeguards; agree not to contact the individual, etc. See OHR Data Use Agreement. Researchers’ Requests for PHI from Covered Entities • Researchers must comply with Covered Entity procedures to secure PHI • Example: JUP IDX Request and EMR Request Forms Other Uses and Disclosures of PHI • A Covered Entity may use or disclose PHI without an Authorization, as follows: - To the extent the use/disclosure is required by law, e.g. reporting to cancer registries - To a public health authority (e.g. NIH) - To a health oversight agency (e.g. OHRP) Minimum Necessary Restriction • With some exceptions, the HIPAA Privacy Rule minimum necessary requirements apply • Researchers should only secure the minimum information necessary to achieve the research purpose Accounting of Disclosures of PHI • Researchers must keep a record of PHI disclosures made in connection with: - Waived research protocols - Reviews preparatory to research - Decedents’ information • Standard accounting includes for each disclosure (for disclosures of PHI for fewer than 50 individuals): - The date the disclosure was made - The name and address of the person receiving the PHI - A brief description of the PHI disclosed - A brief statement of the reason for the disclosure Accounting of Disclosures • For disclosures of PHI for 50+ individuals, researchers must provide: - The protocol and purpose - Criteria for selecting the particular records - The period over which the disclosures likely occurred and the last disclosure made; and - The sponsor and researchers to whom PHI may have been made Subject Recruitment • Physicians can provide information about recruitment in research • If the physician is NOT the researcher: - The recruiting physician must obtain authorization to refer the patient to the researcher (i.e. to contact the patient about recruitment) - An additional Authorization will then be required to secure PHI and an informed consent needed for actual participation in the research How do we protect PHI when conducting Research? • Maintain the privacy/security of research documents • When you consent/talk about patients/subjects as part of your research, try to prevent others from overhearing the conversation. Hold conversations in private areas. Do not discuss patients/subjects while in public areas. • Do not leave PHI unattended • Remove patient/subject documents from faxes/copiers as soon as you can. • When you throw away documents containing PHI, properly dispose of documents, e.g. shredding. • Never remove the patient's official medical record from a Covered Entity. • Do not leave PHI where your family members/others may see it. How do we protect e-PHI when conducting Research? • Never use anyone else’s log-on, or a computer someone else is logged-on to. Do not share passwords. • Never download PHI on personal laptops and PDAs. • Never leave PHI unattended. • Never “Blog” disclosing PHI. • Do use automatic locks on laptop computers and PDAs. • Do log off after each time you use a computer. • Do purge PHI from devices as soon as possible. • Do use secure networks for e-mails with PHI and add a confidentiality disclaimer to the footer of such e-mails. • Do provide for confidential sending and receipt of faxes that contain PHI and other confidential information. Mandatory Breach Notification The HITECH Act applies to breaches of “unsecured protected health information” Information must be encrypted or destroyed in order to be considered “secured” If you suspect a breach has occurred, promptly notify your immediate supervisor. If a breach has occurred, reporting requirements must be satisfied. See, Jefferson Policy No. 122.37, “Mandatory Reporting, Investigation and Notification of Breaches of Health or Personal Information”. HITECH-What Constitutes a Breach? A “breach” is an impermissible acquisition, access, use or disclosure not permitted by the HIPAA Privacy or Security Rules. Examples include: • Laptop containing PHI is stolen • Researcher who is not authorized to access PHI looks through patient files in order to learn of a person’s treatment • Researcher misplaces research documents with study subject PHI • Researcher sends wrong sponsor study subject information including PHI • Researcher sends sponsor more PHI than necessary • Research office theft results in stolen PHI HITECH-Breach Notification Obligations If a breach has occurred, a Covered Entity will be responsible for providing notice to: • The affected individuals (without unreasonable delay and in no event later than 60 days from the date of discovery) • The Secretary of the U.S. Department of Health and Human Services (timing will depend on number of individuals affected by the breach) • The media (only required if 500 or more individuals of any one state are affected) The OHR must consider reporting obligations. Penalties for Violations • A violation of federal regulations can result in civil money penalties or criminal penalties. • Penalties can be imposed for underlying HIPAA Privacy Rule violation even if the breach is properly handled. Civil Money Penalty Enhancement • Unknowing Violations: $100 to $50,000 per violation • Negligent Violations: $1,000 to $50,000 per violation • Willful Neglect: “Conscious intentional failure or reckless indifference to the obligation to comply” – $10,000 to $50,000 per violation (if corrected within 30 days) – $50,000 per violation (if not corrected) $1.5M cap per calendar year for all violations of the same type Enforcement $150,000 settlement with Adult & Pediatric Dermatology, P.C. of Concord, Massachusetts for loss of unencrypted flash drive and not having policies to address breach notification provisions. Enforcement $1,215,780 settlement with Affinity Health Plan for impermissibly disclosing PHI of 344,579 affected individuals when it returned multiple photocopiers to leasing agents without erasing the data on the copier hard drives. Enforcement $1,700,000 settlement with Well Point for security weaknesses in an online application database that left the e-PHI of 612,402 individuals accessible to unauthorized individuals over the Internet. The data included names, dates of birth, addresses, social security numbers, telephone numbers and health information. Enforcement • $1.5M settlement with BCBS of TN over the loss of 57 hard drives containing 1M patient records • $865,000 settlement with UCLA Medical Center after hospital employees allegedly accessed the records of two celebrity patients without authority • $1M settlement with Mass General after employee left 192 HIV patients’ records on subway Enforcement • $50,000 settlement with Hospice of Northern Idaho after theft of laptop containing unencrypted PHI of 441 patients • $1.5M settlement with Mass Eye & Ear after theft of laptop containing unencrypted PHI of 3,621 patients • $1.7M settlement with Alaska DHHS after theft from employee’s vehicle of USB hard drive possibly containing PHI • $100,000 settlement with Phoenix Cardiac Surgery which posted clinical and surgical appointments in Internet-based calendar that was publicly available Conclusion Thank you for taking the time to learn about the HIPAA Rules and the HITECH Rules as they relate to research. If you have questions, please feel free to contact Doreen Kornrumpf, Privacy Officer/Legal Counsel.