HIPAA Privacy and Security at TGH Research Department Training Jeh Mohr, Senior Auditor Corporate Compliance & Audit 1 HIPAA Headline News Stories Minnesota Health System Fires 32 Employees for snooping in records. In another example of a spectacle that’s so intriguing that some health care workers will risk their jobs for a peek, Allina Hospitals and Clinics in Minnesota fired 32 employees recently for improperly accessing the records of patients involved in a headlinemaking incident. Jackson Health System (JHS) in Miami is conducting an internal investigation and cooperating with law enforcement after an employee inappropriately accessed patient information. JHS has terminated the individual’s employment and notified the affected patients. Richard Charette, who pleaded guilty in February to violating HIPAA, was sentenced to 33 months in prison, according to the U.S. Attorney’s Office for the District of Nevada. Charette participated in a scheme to receive and disclose records of trauma patients treated at the University Medical Center of Southern Nevada. 2 HIPAA Headline News Stories University Medical Center (UMC) in Tucson, Ariz., said that three employees and a contract nurse inappropriately accessed patients’ electronic medical records in the wake of the shootings involving a U.S. Congresswoman and 18 others. The three clinical support staff members and the contracted nurse all have been terminated from their jobs by their employers. Hospital staffers fired for sending photo of patient's wounds . The Hospital of Saint Raphael in New Haven Connecticut recently fired three workers and disciplined four others after a clinician took a photo of a 17-year-old gunshot victim in the ED and sent it to others. (New Haven Register/Boston Globe reports) Hospital employee sentenced to 1 year in prison for accessing patient’s PHI and posting HIV status on website. Also, received 5 years probation and 200 hours of community service. 3 HIPAA - Background The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established the basis for the Privacy and Security Rules. Why is the knowledge of HIPAA important? Healthcare providers must be knowledgeable of HIPAA to provide reasonable safeguards to protect the privacy of patients’ protected health information (PHI). Inappropriate use or disclosure of patients’ PHI that violates HIPAA, can result in civil and criminal penalties to TGH as well as you as an employee or as an individual. 4 HIPAA - Background Privacy Rule: The Privacy Rule includes national standards for the protection of Protected Healthcare Information (PHI). Standards were developed by the Department of Health and Human Services (HHS). The Office of Civil Rights (OCR) implements and enforces the Privacy and Security Rules with respect to compliance and penalties. Security Rule: The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information in order to protect the privacy of PHI from intentional or unintentional use or disclosure. 5 HIPAA - Privacy Privacy Basics: To protect patient information from being used or disclosed inappropriately. To give patients greater control over sharing of their PHI. To increase patient access to information. 6 HIPAA- Definitions (Con’t) Notice of Privacy Practices: Each patient seen at TGH receives a written notice of privacy practices. The HIPAA privacy regulations provides that covered entities must make a good faith effort to provide the patient with its Notice of Privacy Practices and obtain a written acknowledgement of such receipt from the patient. The Notice describes: How medical information about a patient may be used and disclosed. How a patient can gain access to this information. How a patient should request amendments. How a patient should request accountings of disclosures. How a patient should request restrictions on or opt-out provisions. How a patient should request confidential communications of information. 7 HITECH Notice of Privacy Practices (continued) Final Rule changes impact the content of the Notice of Privacy Practices, as set out in §164.520. The privacy notice, as of the compliance date, must contain the following additional statements: The covered entity must obtain an authorization for the use and disclosure of psychotherapy notes, marketing, and the sale of PHI (§164.508(a)(2)–(a)(4); if the covered entity does not maintain psychotherapy notes, it does not need to include the statement; Other uses and disclosures not described in the notice will be made only with the individual’s written authorization; The individual may revoke an authorization as provided by §164.508(b)(5); If a covered entity intends to use PHI for fundraising; The covered entity intends to contact the individual for fundraising; 8 HITECH Notice of Privacy Practices (continued) The individual has the right to opt out of the fundraising contacts; The covered entity will not “sell” PHI without the individual’s authorization The individual may restrict disclosure of PHI to a health plan where the individual has paid out-of-pocket in full for the services (only providers need include this statement); The individual’s right to be notified after a breach of unsecured PHI (a simple statement is sufficient for this requirement); For health plans (except long-term care issuers), a statement that the health plan is prohibited from using or disclosing PHI that is genetic information of an individual for underwriting purposes. 9 HITECH Right to Request Restrictions Before the final rule amendments, an individual was permitted to request that the covered entity restrict disclosure of his/her PHI for treatment, health care operations, and payment and to family members (§164.522(a)). Covered entities did not need to agree to the restriction, but if they did, they must abide by it. Section 13405(a) of the HITECH Act adds a provision requiring the covered entity to comply with an individual’s request to restrict disclosure to a health plan or its business associate for payment or health care operations if the individual, a family member, or another individual has paid in full out-of-pocket for the items or services in question. Payment from a flexible spending account or health savings account is considered out-of-pocket payment. Covered entities will need to design a way to flag the required restriction. 10 HIPAA –Definitions Accounting of Disclosures Currently a patient may request a detailed written accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the accounting is requested except for the following; (Con’t) Information for the treatment, payment of services and health care operations (TPO). Information disclosed to the patient Signed authorizations. Information used for national security, intelligence purposes, law enforcement or correctional institutions. Information that is part of a limited data set. Once the new regulations under the Health Information Technology for Economic and Clinical Health Act (HITECH), a division of American Recovery and Reinvestment Act (ARRA), go into effect, accounting of disclosures must include disclosures for TPO. 11 HIPAA –Definitions (Con’t) Incidental disclosures means disclosures that are limited in nature and occur as a by-product of an otherwise permissible use or disclosure. Incidental disclosures will not be considered a violation of the privacy rule if reasonable safeguard are in place and the minimum necessary requirements are met. For example; Keep information on white boards/locator boards to a minimum. Do not discuss patients in public areas, such as elevators, corridors, cafeteria, etc. Use of cubicles, dividers, shields or curtains in areas of multiple patient-staff or physician communications, such as pre-op, admitting areas, waiting rooms, etc. 12 HIPAA –Definitions (Con’t) Minimum necessary standard requires that health care staff must make a reasonable effort to disclose or use only the minimum amount of PHI needed to provide patient care, the PHI they “need to know”. For example, records compiled in response to a PHI request for a specific date of service should not include treatment records for other dates of service. However, the minimum necessary limitation does not apply when the disclosure is for treatment purposes. 13 Key Provisions of TGH’s HIPAA Policies (Con’t) If you are not involved in the provision of care to a patient then you have no right to access, use or disclose protected health information (PHI) related to that patient’s care. Your access to patient information must be in the context of providing direct or indirect patient treatment. Viewing or accessing the medical records of a family member, friend or associate without written authorization, for which you are not involved in the treatment of is a violation of HIPAA. Such violations are subject to disciplinary actions, up to and including termination. 14 Key Provisions of TGH’s HIPAA Policies (Con’t) You must be careful in communicating or discussing PHI. Prior to speaking to a patient in the presence of others, ask the patient if it is okay to discuss their patient information in the presence of others. Take the patient to a conference room; or ask others to wait outside of the room during confidential discussions. 15 Key Provisions of TGH’s HIPAA Policies (Con’t) Do not leave patient records or other confidential information out and available for anyone to see. Do not disposed of PHI in trashcans, place it in confidential trash bins. Do not discuss patient information outside of TGH 16 HIPAA – Security Security Basics: Ensure confidentiality, integrity and availability of electronic PHI. Protect against threat or hazards. Protect against unauthorized uses of disclosures. Use of flash drives is STRONGLY discouraged. 17 HIPAA (Con’t) TGH-issued equipment, such as laptop computers, cell phones, and pagers, must be protected from theft or damage. Never leave equipment unsecured or unattended in public areas. Locking equipment in file cabinets/drawers when not in use. Data stored on TGH’s equipment, such as laptops, PDAs, cell phones, and so forth, are the property of TGH. In order to prevent unauthorized access to the data, users are required to enable the password protection or lock code functions available on the equipment. 18 HIPAA Security (Con’t) Things you can do to safeguard security: Log on and log off of your computer. Never let others use your log-on and/or password, all users are required to have a unique user ID and password. Follow guidelines for password use. 19 Key Provisions of TGH’s HIPAA Policies (Con’t) Automatic forwarding from a TGH-owned e-mail account to an external network account is prohibited. Faxing of Medical Information (Refer to Policy IM-31, Faxing of Medical Information) : Releases of medical information should be through the Health Information Management (HIM) department. Limited to use by healthcare providers for immediate and/or emergency patient care purposes. Fax only when the original document or mail delivered photocopies will not serve the purpose. A signed patient authorization is required. Ensure that the fax is sent to the appropriate destination, verify the fax number. A fax cover sheet (form F-561) must precede the transmission. Report misdirected faxes to Corporate Compliance immediately by completing an Incident Report. 20 Key Provisions of TGH’s HIPAA Policies (Con’t) No PHI, including photographs, should be disclosed through the use of social networks, such as Facebook, MySpace, Twitter or other on-line personal communications networks. Social networks are considered public. Disclosures of PHI would potentially violate the HIPAA privacy rules. 21 Key Provisions of TGH’s HIPAA Policies (Con’t) All electronic mail messages and the data contained therein are the property of TGH. Users should not expect privacy of any messages created, sent, stored, or received using the system. TGH reserves the right to monitor e-mail with the express authorization by the CEO. 22 Key Provisions of TGH’s HIPAA Policies (Con’t) Internet usage is provided by TGH and is intended primarily for business use. TGH reserves the right to monitor Internet usage. Computer Audit access logs for TGH’s applications records each user’s access of a patient’s PHI. Refer to TGH policy RI-54, “Information Privacy and Security Compliance “. 23 Key Provisions of TGH’s HIPAA Policies (Con’t) Check files for viruses before loading CDs, diskettes, or downloading files on TGH computers. Contact the Technology Support Center at extension 7490 to acquire or load software programs on TGH computers. Downloading movies, music and books, reports and other such files for personal use is not permitted. 24 Key Provisions of TGH’s HIPAA Policies (Con’t) TGH management reserves and retains the authority to: Restrict or revoke any user's access to computerized information, Inspect, copy, remove or otherwise alter any data, program or other system resource that may undermine hospital policies directed to the protection of PHI, Take any other steps deemed necessary to manage and protect all protected health information on TGH information systems. This authority may be exercised with or without notice to the involved users. TGH disclaims any responsibility for loss or damage to data or software that results from its efforts to meet these security objectives. 25 HIPAA (Con’t) Health care professionals, who fail to comply with TGH’s policies, procedures, or federal and state laws, shall be subject to disciplinary action in accordance with TGH administrative policies; which includes possible termination of employment. In certain circumstances you can be personally subject to civil and/or criminal prosecution for violations of HIPAA including monetary penalties. Refer to TGH policy RI-54, “Information Privacy and Security Compliance “. 26 HIPAA IN AN EPIC WORLD EPIC will log the actions of all users as they routinely view and interact within the EMR. Break the Glass (BTG) – Is an event tracking feature for specialized groups of patients and encounters. Your Password and a Reason are required to proceed into the record. Confidential Patient Private Encounter Behavioral Health Unit (7F) BTG prompts users with a warning that they are entering a “restricted” patient record. BTG provides enhanced reporting/audit review of what is done after a BTG event. EPIC can also limit visibility of special unit lists (Behavioral Health). EPIC is configured for SSN masking (XXX-XX-1234). 27 What will EPIC not do? EPIC will not…Prevent all intentional and inappropriate access to the record EPIC’s recommendation is to use BTG to inform users, but users must understand—and are accountable for—the “appropriateness” of viewing a patient’s record. EPIC will not…Mask a patient’s identity without changing their name. USERS are responsible for their actions in using any system containing PHI. 28 Key Provisions of TGH’s HIPAA Policies (Con’t) If you believe a breach of patient privacy or security of information incident has occurred, complete an incident report. Check with a manager if you need assistance. You may also call the Corporate Compliance Line 800-352-6875 or the TGH Privacy or Security Officers. TGH’s Privacy Officer is Ron Peterson, Director of Corporate Compliance & Audit. His office number is 844-4813. TGH’s Security Officer is Balaji Ramadoss, VP, Chief Technology Officer. His office number is 844-3286. 29 HIPAA Case Studies-Privacy Scenario #1 Case Studies A friend contacts you. The friend has a fellow employee or friend scheduled to have surgery at TGH. The friend asks if you would periodically check on their friend during and after surgery and provide updates. The friend pre-registered and did not opt-out of disclosing general condition information or directory information. You have no involvement with the care of the patient. During and after the surgery you find out information on the patient and provide more than general conditions or directory information to your colleague at Hospital A. 30 HIPAA Case Studies-Privacy (Con’t) Question ? Have you violated HIPAA? 31 HIPAA Case Studies (Con’t) Have You Violated HIPAA? Answer: YES! You have, if you provide more than general conditions updates. If as a clinician you have no involvement in the patient’s care, you should not access any information associated with the patient. HIPAA’s minimum necessary rule says that you can access information on patients that you are involved in providing care to. In that context you have a “need to know “the medical information necessary to provide care to the patient. Since you have no involvement with the patient you have no need to know anything about this patient. Disclosing more than general condition or directory information would be a violation of HIPAA and could subject you to potential disciplinary actions. 32 HIPAA Case Studies-Privacy Scenario #2 Two patients are in a semi-private room. In addition both patients have family members and friends present in the room. You enter the room and immediately begin to discuss patient A’s medical information in a voice loud enough for all present in the room to over hear the conversation. 33 HIPAA Case Studies-Privacy (Con’t) Question ? Have you violated HIPAA? What could you have done differently? 34 HIPAA Case Studies-Privacy (Con’t) Answer: YES! You may have, if you did not take reasonable safeguards to minimize the disclosures overheard by the persons present. Reasonable safeguards, such as: 1. 2. 3. 4. Ask the patient prior to any discussion of their medical information, whether it is okay to discuss it in front of the persons present in the room, Ask the persons, including the patient in the adjacent bed, if practical, to temporarily leave the room Taking the patient to a conference room to discuss the medical information, and Speaking in a quiet voice so that no one other than the patient could have heard the conversation, are a few examples of what might be considered reasonable safeguards. What if this was a waiting room, would this change your approach? 35 HIPAA Case Studies-Security Case Studies Scenario #3 You receive an email with an attachment from an unknown source. The email reads that your computer has been infected with a virus and you need to follow the directions and open the attachment to get rid of it. Question ? Should you follow the instructions? 36 HIPAA Case Studies-Security (Con’t) Answer: No! Never open unexpected attachments from unknown sources. If you are unsure about whether you should open something, contact the Technology Support Center at ext 7490. 37 HIPAA Case Studies-Security Scenario #4 A new resident hasn’t yet been given a username and password for the computer system. The resident needs to access the computer system. Question ? Should you just let the resident use your username and password until one is assigned? 38 HIPAA Case Studies-Security (Con’t) Answer: No! You should never allow anyone to use your username and password to log on to the system. Have the new resident contact a manager or the Help Desk at ext. 7490 to inquire about when to expect to receive his or her own username and password and what interim actions can be taken until one is assigned. 39 HIPAA Questions? 40 HITECH Health Information Technology for Economic and Clinical Health Act (HITECH) IMPROVING HEALTH CARE QUALITY, SAFETY, AND EFFICIENCY APPLICATION AND USE OF ADOPTED HEALTH INFORMATION TECHNOLOGY STANDARDS IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS RELATIONSHIP TO OTHER LAWS; REGULATORY REFERENCES 41 HITECH CERTIFIED EHR TECHNOLOGY —The term ‘certified EHR technology’ means a qualified electronic health record that is certified pursuant to section 3001(c)(5) as meeting standards adopted under section 3004 that are applicable to the type of record involved (as determined by the Secretary, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals). ENTERPRISE INTEGRATION —The term ‘enterprise integration’ means the electronic linkage of health care providers, health plans, the government, and other interested parties, to enable the electronic exchange and use of health information among all the components in the health care infrastructure in accordance with applicable law, and such term includes related application protocols and other related standards. 42 HITECH Subtitle A—Promotion of Health Information Technology ‘‘SEC. 3001. OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY. ESTABLISHMENT —There is established within the Department of Health and Human Services an Office of the National Coordinator for Health Information Technology (referred to in this section as the ‘Office’). PURPOSE —The National Coordinator shall perform the duties under subsection (c) in a manner consistent with the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of information and that— 43 HITECH Purpose: (1) ensures that each patient’s health information is secure and protected, in accordance with applicable law; (2) improves health care quality, reduces medical errors, reduces health disparities, and advances the delivery of patient centered medical care; (3) reduces health care costs resulting from inefficiency, medical errors, inappropriate care, duplicative care, and incomplete information; (4) provides appropriate information to help guide medical decisions at the time and place of care; (5) ensures the inclusion of meaningful public input in such development of such infrastructure; 44 HITECH Purpose: (6) improves the coordination of care and information among hospitals, laboratories, physician offices, and other entities through an effective infrastructure for the secure and authorized exchange of health care information; (7) improves public health activities and facilitates the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks; (8) facilitates health and clinical research and health care quality; (9) promotes early detection, prevention, and management of chronic diseases; (10) promotes a more effective marketplace, greater competition, greater systems analysis, increased consumer choice, and improved outcomes in health care services; and (11) improves efforts to reduce health disparities. 45 HITECH Subtitle D—Privacy The term ‘‘breach’’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. ELECTRONIC HEALTH RECORD —The term ‘‘electronic health record’’ means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. 46 HITECH PART 1—IMPROVED PRIVACY PROVISIONS AND SECURITY ROVISIONS (a) APPLICATION OF SECURITY PROVISIONS — Sections 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity. (b) APPLICATION OF CIVIL AND CRIMINAL PENALTIES — In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision. 47 HITECH SEC. 13402. NOTIFICATION IN THE CASE OF BREACH. (a) A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach. 48 HITECH TIMELINESS OF NOTIFICATION INDIVIDUAL NOTICE - All notifications required under this section shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved (or business associate involved in the case of a notification required under subsection (b)). MEDIA NOTICE - Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach described in subsection (a), if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. NOTICE TO SECRETARY - Notice shall be provided to the Secretary by covered entities of unsecured protected health information that has been acquired or disclosed in a breach. If the breach was with respect to 500 or more individuals than such notice must be provided immediately. If the breach was with respect to less than 500 individuals, the covered entity may maintain a log of any such breach occurring and annually submit such a log to the Secretary documenting such breaches occurring during the year involved. 49 HITECH BUSINESS ASSOCIATE SEC. 13402. NOTIFICATION IN THE CASE OF BREACH. (b) NOTIFICATION OF COVERED ENTITY BY BUSINESS ASSOCIATE — A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach. Such notice shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach. 50 HITECH BUSINESS ASSOCIATE Includes any organization that has “routine” access to PHI to perform a service for the covered entity (CE) Exception is if they do not have routine access, and they are considered “conduits” providing only courier services, such as the U.S. Postal Service or internet providers that offer data transmission only An entity that maintains PHI on behalf of the CE is a BA even if it does not actually view the PHI. Researchers are not business associates unless they act in a business associate capacity for the CE 51 HITECH BUSINESS ASSOCIATE Includes “Subcontractors” of Business Associates – a person to whom a business delegates a function, activity, or services other than in the capacity of a workforce member. Business Associate (BA) must obtain “satisfactory assurance” (BA agreement) from the subcontractor that it will protect PHI. Protects individuals PHI no matter how many subcontractors of subcontractors exist. 52 HITECH BUSINESS ASSOCIATE AGREEMENT REQUIREMENTS If a covered entity wants a business associate to be liable for additional provisions of the privacy rule, compliance with the provision must be included in the business associate agreement §164.504(e) . The agreement must state that the business associate will: Comply with the provisions of the security rule; Report breaches of unsecured protected health information under the breach reporting rules; Ensure that a subcontractor agrees to the same restrictions and conditions that apply to the business associate with respect to such information; and Comply with the privacy requirements that apply to the covered entity in the performance of an activity the business associate is carrying out on behalf of the covered entity. 53 HITECH PENALTIES No knowledge / Carelessness - $100 for each violation, not to exceed $25,000; during a calendar for identical violations. Reasonable Cause (but not willful neglect) - $1,000 for each violation, not to exceed $100,000 during a calendar for identical violations. Willful Neglect (corrected) - $10,000 for each violation, not to exceed $250,000 during a calendar for identical violations. Willful Neglect (not corrected) - $50,000 for each violation, not to exceed $1,500,000 during a calendar for identical violations. HITECH Act also allows state attorney generals to levy fines, seek attorney’s fees, and award costs. 54 HITECH PART 2—RELATIONSHIP TO OTHER LAWS; REGULATORY REFERENCES; EFFECTIVE DATE; REPORTS HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT: The standards governing the privacy and security of individually identifiable health information promulgated by the Secretary under sections 262(a) and 264 of the Health Insurance Portability and Accountability Act of 1996 shall remain in effect to the extent that they are consistent with this subtitle. The Secretary shall by rule amend such Federal regulations as required to make such regulations consistent with this subtitle. 55 HITECH Questions? 56 Human Research Privacy Human Research and HIPAA Privacy 57 Human Research Privacy Ethical Research Codes Nuremberg Code of 1947 – Doctors involved in Nazi human experiments Consent Avoiding unnecessary physical and mental suffering Ensure risk never exceeds humanitarian importance of experiment Declaration of Helsinki in 1964 Consent Duty to protect life, health, dignity, integrity, privacy, confidentiality of research subjects Belmont Report of 1972 – addressed ethical lapses in research (ie 1932-11972 Tuskegee syphilis study) Informed Consent, Assessment of Risk and Benefits, Selection of Subjects Respect for Persons, Beneficence, Justice 58 Human Research Privacy Major Compliance Rules National Science Foundation – Defines Privacy and Confidentiality Health and Human Services - Common Rule for Human Subjects (45 CFR 46) Healthy Human or Patient participating in Research HIPAA Privacy Rule (45 CFR 160 and 164) – Does not define H.S Living Individual where investigator obtains Data or Identifiable Private Information Food and Drug Administration Regulations - Definition of H.S. (21 CFR 50 and 56) Privacy relates to Persons, and Confidentiality relates to restricting access to Data Defines PHI and specifies compliance for deceased individuals Public Health Service Act Certificates of Confidentiality (301 (d), 42 U.S.C. 241 (d)) Can protect the privacy of subjects from Federal, State, or local civil, criminal, administrative, legislative proceedings 59 Human Research Privacy Common Rule Applies to research funded by a federal department or agency Must provide written assurance of compliance, filed with HHS Office of Human Research Protections Requires Institutional Review Boards (IRB) to review proposed research. Criteria for approval includes: 1. 2. 3. 4. 5. Risks to subjects are minimized Informed Consent is sought and documented Research Plan ensures subject safety Provisions to protect privacy of subjects and confidentiality of data Safeguards for vulnerable populations 60 Human Research Privacy Informed Consent – Requirements and Elements Give opportunity for subject to decide whether or not to participate Language must be understandable States research purpose, duration, and procedures Description of risks and benefits Disclosure of alternative treatments Statement that participation is voluntary State how confidentiality of records that identify the subject will be maintained Contact for questions and to report injuries Compensation and medical treatment for injuries (more than a minimal risk) No waiver of legal rights of subject or release fro liability for negligence of sponsor, investigator, or institution 61 Human Research Privacy Informed Consent IRB may waive consent “if” (46.117(c)): Consent Form is the only record linking subject to the study and main risk is breach of confidentiality No more than minimal risk and consent not normally required outside of research 62 Human Research Privacy FDA Regulated Research - minor differences No ability to waive informed consent No ability for IRB to alter or waive requirement for informed consent 63 Human Research Privacy HIPAA Research Requirements Applies to Use and Disclosure PHI (160.103) Use is sharing, utilization, examination, analysis of PHI Disclosure is release, transfer, access outside the entity Applies to research regardless of source of funding Research is not considered TPO, even if conducted inside a CE by a physician with access to the PHI for treatment, payment, or health care operations. Physician must comply with HIPAA research provisions to use PHI to conduct research, or disclose outside the CE for research purposes Researchers are not business associates unless they act in a business associate capacity for the CE 64 Human Research Privacy HIPAA Research Requirements Research Authorization may be combined with Informed Consent Authorization must be obtained, or IRB or Privacy Board has documented the waiver, or PHI is used Preparatory to Research, or PHI is for research of deceased individuals, or PHI is part of a Limited Data Set 65 Human Research Privacy Criteria for Alteration or Waiver No more than a minimal risk to the individual’s privacy Must have a Plan to protect identifiers for unauthorized use and disclosure, and to destroy identifiers as expediently as possible Written assurance PHI will not be reused or disclosed Research cold not be performed without the waiver or alteration, and access to the PHI 66 Human Research Privacy Preparatory to Research Covered Entity (CE) must obtain written assurance that: [45 CFR 164.512(i)(1)(ii)] PHI used or disclosed is only used as necessary to prepare a research protocol Researcher cannot remove any PHI from the CE during this review PHI is necessary for the research 67 Human Research Privacy Preparatory to Research May use and disclose PHI to researchers to aid in Study Recruitment Researcher may directly contact the potential study participant if the researcher is an employee of the CE CE may contract with a Business Associate to assist in contacting individuals for the CE to obtain authorizations CE may also discuss alternative treatments with patients, that may include participation in clinical trials as part of patient’s treatment 68 Human Research Privacy Decedents HIPAA requirements apply to the PHI of decedents. However, CE may use or disclose PHI of decedents to researchers if they obtain written assurance that: PHI used or disclosed will be used solely for research on the PHI of decedents PHI is necessary for research purposes The PHI of decedents will be protected for 50 years. After then, the data is no longer considered PHI. 69 Human Research Privacy Limited Data Set [45 CFR 164.514(e)] CE may use or disclose a limited data set for research purposes: Data Use Agreement is required A benefit is that more detailed addresses and full dates can then be used Limited data Set is protected health information that excludes the direct identifiers of the individual or of relatives, employers, or household members of the individual list on the subsequent slide: 70 Human Research Privacy Limited Data Set 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. Names, postal address information, other than town or city, state, and zip code. All elements of dates (except year) directly related to the individual. Telephone numbers, fax numbers, electronic mail (email) addresses. Social Security numbers, medical record numbers. Health plan beneficiary numbers, account numbers, certificate/license numbers. Vehicle identifiers and serial numbers, including license plate numbers. Device identifiers and serial numbers. Web Universal Resource Locators (URLs). Internet Protocol (IP) address numbers. Biometrics identifiers, including finger and voice prints, full-face photographic images, and any comparable images. Any other unique identifying number, characteristic, or code. 71 Human Research Privacy Accounting of Disclosures Disclosures made other than with a patient’s authorization or Limited Data Set must be tracked. Such as: Preparatory to Research Pursuant to alteration or waiver 72 Human Research Privacy Data Breaches Data breaches are subject to the Breach Notification rules of HIPAA 73 Human Research Privacy Questions? 74