HIPAA Privacy and Security Rules and the HITECH Act Training for Researchers

By: Office of University Counsel
February 2016
Introduction
The HIPAA Privacy Rule establishes the conditions under which Covered Entities can provide researchers access to and use of protected health information for research purposes.
The HIPAA Privacy Rule does not replace or act in lieu of other federal regulations such as the HHS Protection of Human Subjects and the FDA Protection of Human Subjects regulations.
Research is defined under the HIPAA Privacy Rule as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge.”
HIPAA Privacy Rule
• A Covered Entity is a health plan, a health care provider or a health care clearinghouse that electronically transmits any health information in connection with transactions for which HHS has adopted standards
• Protected Health Information (PHI):
 - Relates to the past, present, or future physical or mental condition of an individual; the provision of health care to an individual; or payment for care provided to an individual.
 - Is transmitted or maintained in any form (electronic, paper, or oral representation).
 - Identifies, or can be used to identify, the individual.
HIPAA Security Rule
• The Security Rule defines the standards which require covered entities to implement basic safeguards to protect electronic Protected Health Information (ePHI)
• The rule requires safeguards for physical storage of PHI, maintenance of PHI, transmission of PHI and access to PHI
“e-PHI”
• e-PHI (electronic Protected Health Information) is computer-based patient health information that is used, created, stored, received or transmitted by a Covered Entity using any type of electronic information resource.
• Examples: information in an electronic medical record, patient billing information transmitted to a payer, digital images and print-outs, and information while it is being sent by one provider to another provider, a payer or a researcher.
How Can Covered Entities Use and Disclose PHI for Research and Comply with the HIPAA Privacy Rule?
1. De-identified health information, as described in the Privacy Rule, is not PHI, and thus not protected by the Privacy Rule
2. PHI may be used and disclosed for research WITH an individual’s written permission in the form of an Authorization
3. PHI may be used and disclosed for research WITHOUT an Authorization in limited circumstances: (a) under a waiver of the Authorization requirement; (b) for research on decedents’ information; (c) preparatory to research; and (d) as a limited data set with a data use agreement
1. De-Identified Health Information
• Health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, is not individually identifiable health information
• De-identified PHI has had all identifiers (listed in the HIPAA Privacy regulation) removed
 - The “Safe Harbor”
 - Consider re-identification issues
• An expert certifies that the risk is small that the information could be used to identify the individual
 - The “Scientific Method”
What must be done to De-Identify PHI?
To de-identify PHI, all of the following identifiers must be removed:
• Name;
• Geographic subdivisions smaller than a state (i.e., county, town, or city, street address, and zip code) (note: in some cases, the initial three digits of a zip code may be used);
• All elements of dates (except year) for dates directly related to an individual (including birth date, admission date, discharge date, date of death, all ages over 89 and dates indicative of age over 89) (note: ages and elements may be aggregated into a single category of age 90 or older);
• Phone numbers;
• Fax numbers;
• E-mail addresses;
• Social security number;
• Medical record number;
• Health plan beneficiary number;
• Account number;
• Certificate/license number;
• Vehicle identifiers and serial numbers;
• Device identifiers and serial numbers;
• URLs;
• Internet protocol addresses;
• Biometric identifiers (e.g., fingerprints);
• Full face photographic and any comparable images;
• Any other unique identifying number, characteristic, or code; and
• Any other information that could be used alone or in combination with other information to identify the individual
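The Safe Harbor list above is a concrete transformation rule, so the following is an added example (not code from the original training or from Jefferson) that applies it to a constructed patient record. The input field names are assumptions about a record schema; the as_of_year parameter is there to handle the clause about dates "indicative of age over 89", which applies even when only a birth year is retained.

```python
import re

# Field names are assumptions about an input schema; the rules are the ones listed above.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

def generalize_zip(zip_code):
    """Keep only the initial three digits (allowed in some cases per the list above)."""
    digits = re.sub(r"\D", "", zip_code)
    return digits[:3] if len(digits) >= 5 else None

def generalize_age(age):
    """All ages over 89 are aggregated into the single category 'age 90 or older'."""
    return "90+" if age > 89 else age

def deidentify(record, as_of_year):
    """Return a new dict holding only the fields that survive Safe Harbor; as_of_year is
    the reference year used to test whether a retained birth year indicates age over 89."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # dropped outright
        if key in DATE_FIELDS:                         # ISO date -> year only
            out[key.replace("_date", "_year")] = int(value[:4])
        elif key == "zip":
            zip3 = generalize_zip(value)
            if zip3:
                out["zip3"] = zip3
        elif key == "age":
            out["age"] = generalize_age(value)
        else:
            out[key] = value                           # e.g. diagnosis passes through
    # A birth year alone can be a date "indicative of age over 89", so it must go too.
    if "birth_year" in out and as_of_year - out["birth_year"] > 89:
        del out["birth_year"]
        out["age"] = "90+"
    return out

# Constructed sample record for demonstration, not real patient data.
SAMPLE = {"name": "J. Doe", "mrn": "000123", "zip": "19107-5099", "birth_date": "1924-03-02",
          "admission_date": "2016-01-15", "age": 91, "diagnosis": "E11.9", "email": "x@example.org"}

if __name__ == "__main__":
    print(deidentify(SAMPLE, as_of_year=2016))
```

Because the page says three-digit zip codes are allowed only "in some cases", the caller still has to confirm that the truncated zip is permitted for the population in question before releasing the record.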
Request for Information from a Covered Entity
Scenario #1: A sponsor has asked you for information to determine if Jefferson has a sufficient number of patients with a specific diagnosis to conduct a study at Jefferson. How do you proceed?
• Why is the information needed?
• What type of information is needed to make this determination?
• Is PHI needed?
• Is de-identified information needed?
• Is an approved IRB study needed to request de-identified information?
• To whom and how is the request made?
2. Subject Authorization
• Gives the individual the opportunity to agree to the uses and disclosures of their PHI
• Authorization must pertain to specific research
• If an authorization is used, the actual uses and disclosures made must be consistent with what is stated in the Authorization
• The signed authorization must be retained for at least 6 years
• Authorization differs from an informed consent
• The HIPAA Privacy Rule does not state who may draft an Authorization; therefore, researchers may draft one
• Authorization must be compliant with the HIPAA Privacy Rule: written in plain language, containing the core elements, with a signed copy provided to the individual
HIPAA Authorization Core Elements
• Description of the PHI to be used or disclosed
• Person/Class of Persons who may make the request
• Person/Class of Persons to whom use/disclosure may be made
• Description of the purpose of the requested use or disclosure
• Expiration date (for research may state “at end of study” or does not expire)
• Signature of the individual and date
• Statement of the right to revoke authorization
• Statement of conditions to treatment/payment or of refusing to sign
• Statement of the possibility of re-disclosure
See OHR-8 form.
Request for Information from a Covered Entity
Scenario #3: The PI is conducting a clinical trial. Patient data needs to be obtained from the patients’ EMRs. How do you proceed?
• Why is the information needed?
• What type of information is needed?
• Is IRB approval needed before study coordinators are permitted to access patients’ EMRs?
• Is a signed Research Informed Consent Form needed?
• Are copies of relevant sections of the patients’ EMRs permitted to be made?
Hint: See Jefferson Policy No. 110.19, “Access to JUP Electronic Records by Research Coordinators for Research Purposes”
3. Without Authorization—(a) Waivers
• Without a subject authorization, use information only if it meets criteria (e.g. if an IRB permits and grants a waiver of individual authorization)
• IRB may waive Authorization upon the request of a researcher only if:
 1. The use or disclosure of PHI involves not more than a minimal risk to the privacy of individuals, based on
  - An adequate plan to protect the identifiers
  - A plan to destroy identifiers as soon as possible
  - Adequate written assurances that the PHI will not be reused or disclosed to any other person
 2. The research could not practically be conducted without a waiver; and
 3. The research could not practically be conducted without the PHI
See OHR-3 form.
3. Without Authorization—(b) Research on Decedents’ Information
PHI relating to decedents may be used or disclosed by a researcher if the researcher:
• Represents that the use or disclosure is sought solely for the research;
• Provides documentation that PHI is necessary for the research purposes; and
• Provides documentation, at the Covered Entity’s request, of the death of the individuals
See OHR-17 form.
3. Without Authorization—(c) Activities Preparatory To Research
PHI may be used or disclosed by a researcher if the researcher represents that:
• The use or disclosure is solely for review of PHI necessary to prepare a research protocol
• No PHI will be removed from the Covered Entity
• The PHI is necessary for the research purpose
See OHR-29 form.
Request for Information from a Covered Entity
Scenario #2: The PI is considering conducting a study. The PI would like to review potential subjects’ PHI before submitting a protocol to the IRB. How do you proceed?
• Why is the information needed?
• What type of information is needed?
• Is PHI needed?
• Is IRB approval needed before the review may be conducted?
• To whom and how is the request for PHI made?
Hint: See OHR-29 Review Preparatory to Research Request Form
3. Without Authorization—(d) Limited Data Set and Data Use Agreement
• PHI that is used in a limited data set is still PHI, but may be used or disclosed for research without an authorization or waiver
• Limited Data Set does NOT include direct identifiers
• The Data Use Agreement MUST:
 - Establish the permitted uses and disclosures;
 - Limit who can receive the data; and
 - Require the recipient to agree not to use/disclose the information other than as permitted; use safeguards; agree not to contact the individual, etc.
See OHR Data Use Agreement.
Researchers’ Requests for PHI from Covered Entities
• Researchers must comply with Covered Entity procedures to secure PHI
• Example: JUP IDX Request and EMR Request Forms
Other Uses and Disclosures of PHI
• A Covered Entity may use or disclose PHI without an Authorization, as follows:
 - To the extent the use/disclosure is required by law, e.g. reporting to cancer registries
 - To a public health authority (e.g. NIH)
 - To a health oversight agency (e.g. OHRP)
Minimum Necessary Restriction
• With some exceptions, the HIPAA Privacy Rule minimum necessary requirements apply
• Researchers should only secure the minimum information necessary to achieve the research purpose
Accounting of Disclosures of PHI
• Researchers must keep a record of PHI disclosures made in connection with:
 - Waived research protocols
 - Reviews preparatory to research
 - Decedents’ information
• Standard accounting includes, for each disclosure (for disclosures of PHI for fewer than 50 individuals):
 - The date the disclosure was made
 - The name and address of the person receiving the PHI
 - A brief description of the PHI disclosed
 - A brief statement of the reason for the disclosure
• For disclosures of PHI for 50+ individuals, researchers must provide:
 - The protocol and purpose
 - Criteria for selecting the particular records
 - The period over which the disclosures likely occurred and the last disclosure made; and
 - The sponsor and researchers to whom PHI may have been disclosed
Subject Recruitment
• Physicians can provide information about recruitment in research
• If the physician is NOT the researcher:
 - The recruiting physician must obtain authorization to refer the patient to the researcher (i.e. to contact the patient about recruitment)
 - An additional Authorization will then be required to secure PHI, and an informed consent is needed for actual participation in the research
How do we protect PHI when conducting Research?
• Maintain the privacy/security of research documents
• When you consent/talk about patients/subjects as part of your research, try to prevent others from overhearing the conversation. Hold conversations in private areas. Do not discuss patients/subjects while in public areas.
• Do not leave PHI unattended
• Remove patient/subject documents from faxes/copiers as soon as you can.
• When you throw away documents containing PHI, properly dispose of the documents, e.g. by shredding.
• Never remove the patient’s official medical record from a Covered Entity.
• Do not leave PHI where your family members/others may see it.
How do we protect e-PHI when conducting Research?
• Never use anyone else’s log-on, or a computer someone else is logged on to. Do not share passwords.
• Never download PHI onto personal laptops and PDAs.
• Never leave PHI unattended.
• Never “blog” disclosing PHI.
• Do use automatic locks on laptop computers and PDAs.
• Do log off after each time you use a computer.
• Do purge PHI from devices as soon as possible.
• Do use secure networks for e-mails with PHI and add a confidentiality disclaimer to the footer of such e-mails.
• Do provide for confidential sending and receipt of faxes that contain PHI and other confidential information.
Mandatory Breach Notification
The HITECH Act applies to breaches of “unsecured protected health information.” Information must be encrypted or destroyed in order to be considered “secured.”
If you suspect a breach has occurred, promptly notify your immediate supervisor. If a breach has occurred, reporting requirements must be satisfied.
See Jefferson Policy No. 122.37, “Mandatory Reporting, Investigation and Notification of Breaches of Health or Personal Information”.
HITECH: What Constitutes a Breach?
A “breach” is an impermissible acquisition, access, use or disclosure not permitted by the HIPAA Privacy or Security Rules.
Examples include:
• Laptop containing PHI is stolen
• Researcher who is not authorized to access PHI looks through patient files in order to learn of a person’s treatment
• Researcher misplaces research documents with study subject PHI
• Researcher sends the wrong sponsor study subject information including PHI
• Researcher sends sponsor more PHI than necessary
• Research office theft results in stolen PHI
HITECH: Breach Notification Obligations
If a breach has occurred, a Covered Entity will be responsible for providing notice to:
• The affected individuals (without unreasonable delay and in no event later than 60 days from the date of discovery)
• The Secretary of the U.S. Department of Health and Human Services (timing will depend on the number of individuals affected by the breach)
• The media (only required if 500 or more individuals of any one state are affected)
The OHR must consider reporting obligations.
Penalties for Violations
• A violation of federal regulations can result in civil money penalties or criminal penalties.
• Penalties can be imposed for the underlying HIPAA Privacy Rule violation even if the breach is properly handled.
Civil Money Penalty Enhancement
• Unknowing Violations: $100 to $50,000 per violation
• Negligent Violations: $1,000 to $50,000 per violation
• Willful Neglect: “Conscious intentional failure or reckless indifference to the obligation to comply”
 – $10,000 to $50,000 per violation (if corrected within 30 days)
 – $50,000 per violation (if not corrected)
• $1.5M cap per calendar year for all violations of the same type
Enforcement
• $150,000 settlement with Adult & Pediatric Dermatology, P.C. of Concord, Massachusetts for loss of an unencrypted flash drive and not having policies to address breach notification provisions.
• $1,215,780 settlement with Affinity Health Plan for impermissibly disclosing the PHI of 344,579 affected individuals when it returned multiple photocopiers to leasing agents without erasing the data on the copier hard drives.
• $1,700,000 settlement with WellPoint for security weaknesses in an online application database that left the e-PHI of 612,402 individuals accessible to unauthorized individuals over the Internet. The data included names, dates of birth, addresses, social security numbers, telephone numbers and health information.
• $1.5M settlement with BCBS of TN over the loss of 57 hard drives containing 1M patient records
• $865,000 settlement with UCLA Medical Center after hospital employees allegedly accessed the records of two celebrity patients without authority
• $1M settlement with Mass General after an employee left 192 HIV patients’ records on the subway
• $50,000 settlement with Hospice of Northern Idaho after theft of a laptop containing unencrypted PHI of 441 patients
• $1.5M settlement with Mass Eye & Ear after theft of a laptop containing unencrypted PHI of 3,621 patients
• $1.7M settlement with Alaska DHHS after theft from an employee’s vehicle of a USB hard drive possibly containing PHI
• $100,000 settlement with Phoenix Cardiac Surgery, which posted clinical and surgical appointments in an Internet-based calendar that was publicly available
Conclusion
Thank you for taking the time to learn about the HIPAA Rules and the HITECH Rules as they relate to research.
If you have questions, please feel free to contact Doreen Kornrumpf, Privacy Officer/Legal Counsel.