March 2014 - Risk Management

advertisement
HIPAA Privacy and
Security at TGH
Research Department Training
Jeh Mohr, Senior Auditor
Corporate Compliance & Audit
1
HIPAA Headline News Stories

Minnesota Health System Fires 32 Employees for snooping in records. In another
example of a spectacle that’s so intriguing that some health care workers will risk
their jobs for a peek, Allina Hospitals and Clinics in Minnesota fired 32 employees
recently for improperly accessing the records of patients involved in a headlinemaking incident.

Jackson Health System (JHS) in Miami is conducting an internal investigation and
cooperating with law enforcement after an employee inappropriately accessed
patient information. JHS has terminated the individual’s employment and notified
the affected patients.

Richard Charette, who pleaded guilty in February to violating HIPAA, was
sentenced to 33 months in prison, according to the U.S. Attorney’s Office for the
District of Nevada. Charette participated in a scheme to receive and disclose
records of trauma patients treated at the University Medical Center of Southern
Nevada.
2
HIPAA Headline News Stories

University Medical Center (UMC) in Tucson, Ariz., said that three employees and
a contract nurse inappropriately accessed patients’ electronic medical records in
the wake of the shootings involving a U.S. Congresswoman and 18 others. The
three clinical support staff members and the contracted nurse all have been
terminated from their jobs by their employers.

Hospital staffers fired for sending photo of patient's wounds . The Hospital of Saint
Raphael in New Haven Connecticut recently fired three workers and disciplined
four others after a clinician took a photo of a 17-year-old gunshot victim in the ED
and sent it to others. (New Haven Register/Boston Globe reports)

Hospital employee sentenced to 1 year in prison for accessing patient’s PHI and
posting HIV status on website. Also, received 5 years probation and 200 hours of
community service.
3
HIPAA - Background
The Health Insurance Portability and Accountability
Act (HIPAA) of 1996 established the basis for the
Privacy and Security Rules.
Why is the knowledge of HIPAA important?
Healthcare providers must be knowledgeable of HIPAA to
provide reasonable safeguards to protect the privacy of
patients’ protected health information (PHI). Inappropriate
use or disclosure of patients’ PHI that violates HIPAA, can
result in civil and criminal penalties to TGH as well as you
as an employee or as an individual.
4
HIPAA - Background


Privacy Rule: The Privacy Rule includes national
standards for the protection of Protected Healthcare
Information (PHI). Standards were developed by the
Department of Health and Human Services (HHS). The
Office of Civil Rights (OCR) implements and enforces the
Privacy and Security Rules with respect to compliance and
penalties.
Security Rule: The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure
the confidentiality, integrity, and security of electronic
protected health information in order to protect the privacy
of PHI from intentional or unintentional use or disclosure.
5
HIPAA - Privacy

Privacy Basics:



To protect patient information from being used
or disclosed inappropriately.
To give patients greater control over sharing of
their PHI.
To increase patient access to information.
6
HIPAA- Definitions

(Con’t)
Notice of Privacy Practices:
Each patient seen at TGH receives a written notice of privacy practices.

The HIPAA privacy regulations provides that covered entities must
make a good faith effort to provide the patient with its Notice of
Privacy Practices and obtain a written acknowledgement of such
receipt from the patient. The Notice describes:






How medical information about a patient may be used and
disclosed.
How a patient can gain access to this information.
How a patient should request amendments.
How a patient should request accountings of disclosures.
How a patient should request restrictions on or opt-out provisions.
How a patient should request confidential communications of
information.
7
HITECH
Notice of Privacy Practices (continued)
Final Rule changes impact the content of the Notice of Privacy Practices, as set out
in §164.520. The privacy notice, as of the compliance date, must contain the
following additional statements:





The covered entity must obtain an authorization for the use and disclosure of
psychotherapy notes, marketing, and the sale of PHI (§164.508(a)(2)–(a)(4); if
the covered entity does not maintain psychotherapy notes, it does not need to
include the statement;
Other uses and disclosures not described in the notice will be made only with
the individual’s written authorization;
The individual may revoke an authorization as provided by §164.508(b)(5);
If a covered entity intends to use PHI for fundraising;
The covered entity intends to contact the individual for fundraising;
8
HITECH
Notice of Privacy Practices (continued)





The individual has the right to opt out of the fundraising contacts;
The covered entity will not “sell” PHI without the individual’s authorization
The individual may restrict disclosure of PHI to a health plan where the
individual has paid out-of-pocket in full for the services (only providers need
include this statement);
The individual’s right to be notified after a breach of unsecured PHI (a simple
statement is sufficient for this requirement);
For health plans (except long-term care issuers), a statement that the health
plan is prohibited from using or disclosing PHI that is genetic information of an
individual for underwriting purposes.
9
HITECH
Right to Request Restrictions
Before the final rule amendments, an individual was permitted to request that the
covered entity restrict disclosure of his/her PHI for treatment, health care
operations, and payment and to family members (§164.522(a)). Covered entities
did not need to agree to the restriction, but if they did, they must abide by it.
Section 13405(a) of the HITECH Act adds a provision requiring the covered entity
to comply with an individual’s request to restrict disclosure to a health plan or its
business associate for payment or health care operations if the individual, a family
member, or another individual has paid in full out-of-pocket for the items or
services in question. Payment from a flexible spending account or health savings
account is considered out-of-pocket payment. Covered entities will need to design
a way to flag the required restriction.
10
HIPAA –Definitions

Accounting of Disclosures Currently a patient may request a
detailed written accounting of disclosures of PHI made by a covered
entity in the six years prior to the date on which the accounting is
requested except for the following;






(Con’t)
Information for the treatment, payment of services and health care
operations (TPO).
Information disclosed to the patient
Signed authorizations.
Information used for national security, intelligence purposes, law
enforcement or correctional institutions.
Information that is part of a limited data set.
Once the new regulations under the Health Information Technology for
Economic and Clinical Health Act (HITECH), a division of American
Recovery and Reinvestment Act (ARRA), go into effect, accounting of
disclosures must include disclosures for TPO.
11
HIPAA –Definitions

(Con’t)
Incidental disclosures means disclosures that are limited in
nature and occur as a by-product of an otherwise permissible
use or disclosure. Incidental disclosures will not be considered
a violation of the privacy rule if reasonable safeguard are in
place and the minimum necessary requirements are met. For
example;



Keep information on white boards/locator boards to a
minimum.
Do not discuss patients in public areas, such as elevators,
corridors, cafeteria, etc.
Use of cubicles, dividers, shields or curtains in areas of
multiple patient-staff or physician communications, such as
pre-op, admitting areas, waiting rooms, etc.
12
HIPAA –Definitions

(Con’t)
Minimum necessary standard requires that health
care staff must make a reasonable effort to disclose or
use only the minimum amount of PHI needed to provide
patient care, the PHI they “need to know”.


For example, records compiled in response to a PHI request for a
specific date of service should not include treatment records for
other dates of service.
However, the minimum necessary limitation does not apply when
the disclosure is for treatment purposes.
13
Key Provisions of
TGH’s HIPAA Policies


(Con’t)
If you are not involved in the provision of care to a patient
then you have no right to access, use or disclose protected
health information (PHI) related to that patient’s care. Your
access to patient information must be
in the context of providing direct or
indirect patient treatment.
Viewing or accessing the medical records of a family
member, friend or associate without written authorization,
for which you are not involved in the treatment of is a
violation of HIPAA. Such violations are subject to
disciplinary actions, up to and including termination.
14
Key Provisions of
TGH’s HIPAA Policies



(Con’t)
You must be careful in communicating or discussing
PHI.
Prior to speaking to a patient in the presence of
others, ask the patient if it is okay to discuss their
patient information in the presence of others.
Take the patient to a conference room; or ask others
to wait outside of the room during confidential
discussions.
15
Key Provisions of
TGH’s HIPAA Policies



(Con’t)
Do not leave patient records or other
confidential information out and available for
anyone to see.
Do not disposed of PHI in trashcans, place it
in confidential trash bins.
Do not discuss patient information outside of
TGH
16
HIPAA – Security

Security Basics:

Ensure confidentiality, integrity and availability of
electronic PHI.

Protect against threat or hazards.

Protect against unauthorized uses of disclosures.

Use of flash drives is STRONGLY discouraged.
17
HIPAA
(Con’t)
TGH-issued equipment, such as laptop computers, cell
phones, and pagers, must be protected from theft or
damage.

Never leave equipment unsecured or unattended in public areas.

Locking equipment in file cabinets/drawers when not in use.

Data stored on TGH’s equipment, such as laptops, PDAs, cell
phones, and so forth, are the property of TGH. In order to prevent
unauthorized access to the data, users are required to enable the
password protection or lock code functions available on the
equipment.
18
HIPAA Security

(Con’t)
Things you can do to safeguard security:



Log on and log off of your computer.
Never let others use your log-on and/or password, all
users are required to have a unique user ID and
password.
Follow guidelines for password use.
19
Key Provisions of
TGH’s HIPAA Policies


(Con’t)
Automatic forwarding from a TGH-owned e-mail account to an external
network account is prohibited.
Faxing of Medical Information (Refer to Policy IM-31, Faxing of
Medical Information) :

Releases of medical information should be through the Health
Information Management (HIM) department.

Limited to use by healthcare providers for immediate and/or
emergency patient care purposes.

Fax only when the original document or mail delivered photocopies
will not serve the purpose.

A signed patient authorization is required.

Ensure that the fax is sent to the appropriate destination, verify the
fax number.

A fax cover sheet (form F-561) must precede the transmission.

Report misdirected faxes to Corporate Compliance immediately by
completing an Incident Report.
20
Key Provisions of
TGH’s HIPAA Policies
(Con’t)
No PHI, including photographs, should be
disclosed through the use of social networks, such
as Facebook, MySpace, Twitter or other on-line
personal communications networks. Social
networks are considered public. Disclosures of
PHI would potentially violate the HIPAA privacy
rules.
21
Key Provisions of
TGH’s HIPAA Policies
(Con’t)
All electronic mail messages and the data contained
therein are the property of TGH.


Users should not expect privacy of any messages
created, sent, stored, or received using the system.
TGH reserves the right to monitor e-mail with the
express authorization by the CEO.
22
Key Provisions of
TGH’s HIPAA Policies
(Con’t)

Internet usage is provided by TGH and is intended
primarily for business use.

TGH reserves the right to monitor Internet usage.

Computer Audit access logs for TGH’s applications records
each user’s access of a patient’s PHI.

Refer to TGH policy RI-54, “Information Privacy
and Security Compliance “.
23
Key Provisions of
TGH’s HIPAA Policies



(Con’t)
Check files for viruses before loading CDs, diskettes, or
downloading files on TGH computers.
Contact the Technology Support Center at extension
7490 to acquire or load software programs on TGH
computers.
Downloading movies, music and books, reports and other
such files for personal use is not permitted.
24
Key Provisions of
TGH’s HIPAA Policies

(Con’t)
TGH management reserves and retains the authority
to:



Restrict or revoke any user's access to computerized
information,
Inspect, copy, remove or otherwise alter any data, program
or other system resource that may undermine hospital
policies directed to the protection of PHI,
Take any other steps deemed necessary to manage and
protect all protected health information on TGH information
systems. This authority may be exercised with or without
notice to the involved users. TGH disclaims any
responsibility for loss or damage to data or software that
results from its efforts to meet these security objectives.
25
HIPAA



(Con’t)
Health care professionals, who fail to comply with TGH’s
policies, procedures, or federal and state laws, shall be
subject to disciplinary action in accordance with TGH
administrative policies; which includes possible
termination of employment.
In certain circumstances you can be personally subject to
civil and/or criminal prosecution for violations of HIPAA
including monetary penalties.
Refer to TGH policy RI-54, “Information Privacy
and Security Compliance “.
26
HIPAA IN AN EPIC WORLD






EPIC will log the actions of all users as they routinely view and interact within
the EMR.
Break the Glass (BTG) – Is an event tracking feature for specialized groups
of patients and encounters. Your Password and a Reason are required to
proceed into the record.

Confidential Patient

Private Encounter

Behavioral Health Unit (7F)
BTG prompts users with a warning that they are entering a “restricted” patient
record.
BTG provides enhanced reporting/audit review of what is done after a BTG
event.
EPIC can also limit visibility of special unit lists (Behavioral Health).
EPIC is configured for SSN masking (XXX-XX-1234).
27
What will EPIC not do?



EPIC will not…Prevent all intentional and inappropriate
access to the record
EPIC’s recommendation is to use BTG to inform users, but
users must understand—and are accountable for—the
“appropriateness” of viewing a patient’s record.
EPIC will not…Mask a patient’s identity without changing
their name.
USERS are responsible for their actions
in using any system containing PHI.
28
Key Provisions of
TGH’s HIPAA Policies

(Con’t)
If you believe a breach of patient privacy or security of information
incident has occurred, complete an incident report. Check with a
manager if you need assistance. You may also call the Corporate
Compliance Line 800-352-6875 or the TGH Privacy or Security
Officers.

TGH’s Privacy Officer is Ron Peterson, Director of Corporate
Compliance & Audit. His office number is 844-4813.

TGH’s Security Officer is Balaji Ramadoss, VP, Chief Technology
Officer. His office number is 844-3286.
29
HIPAA Case Studies-Privacy
Scenario #1
Case Studies
A friend contacts you. The friend has a fellow employee or
friend scheduled to have surgery at TGH. The friend asks if
you would periodically check on their friend during and after
surgery and provide updates. The friend pre-registered and
did not opt-out of disclosing general condition information or
directory information. You have no involvement with the care
of the patient. During and after the surgery you find out
information on the patient and provide more than general
conditions or directory information to your colleague at
Hospital A.
30
HIPAA Case Studies-Privacy
(Con’t)
Question ?
Have you violated
HIPAA?
31
HIPAA Case Studies
(Con’t)
Have You Violated HIPAA?
Answer: YES!
You have, if you provide more than general conditions updates.
If as a clinician you have no involvement in the patient’s care, you should
not access any information associated with the patient. HIPAA’s minimum
necessary rule says that you can access information on patients that you
are involved in providing care to.
In that context you have a “need to know “the medical information
necessary to provide care to the patient. Since you have no involvement
with the patient you have no need to know anything about this patient.
Disclosing more than general condition or directory information would be a
violation of HIPAA and could subject you to potential disciplinary actions.
32
HIPAA Case Studies-Privacy
Scenario #2
Two patients are in a semi-private room. In addition both
patients have family members and friends present in the
room.
You enter the room and immediately begin to discuss
patient A’s medical information in a voice loud enough for
all present in the room to over hear the conversation.
33
HIPAA Case Studies-Privacy
(Con’t)
Question ?
Have you violated HIPAA?
What could you have done differently?
34
HIPAA Case Studies-Privacy
(Con’t)
Answer: YES!
You may have, if you did not take reasonable safeguards to minimize the
disclosures overheard by the persons present. Reasonable safeguards,
such as:
1.
2.
3.
4.
Ask the patient prior to any discussion of their medical information, whether it is
okay to discuss it in front of the persons present in the room,
Ask the persons, including the patient in the adjacent bed, if practical, to
temporarily leave the room
Taking the patient to a conference room to discuss the medical information, and
Speaking in a quiet voice so that no one other than the patient could have heard
the conversation, are a few examples of what might be considered reasonable
safeguards. What if this was a waiting room, would this change your approach?
35
HIPAA Case Studies-Security
Case Studies
Scenario #3
You receive an email with an attachment from an
unknown source. The email reads that your computer
has been infected with a virus and you need to follow the
directions and open the attachment to get rid of it.
Question ?
Should you follow the instructions?
36
HIPAA Case Studies-Security
(Con’t)
Answer: No!
Never open unexpected attachments from
unknown sources.
If you are unsure about whether you should
open something, contact the Technology
Support Center at ext 7490.
37
HIPAA Case Studies-Security
Scenario #4
A new resident hasn’t yet been given a username and
password for the computer system. The resident needs to
access the computer system.
Question ?
Should you just let the resident use your username and
password until one is assigned?
38
HIPAA Case Studies-Security
(Con’t)
Answer: No!
You should never allow anyone to use your
username and password to log on to the system.
Have the new resident contact a manager or the
Help Desk at ext. 7490 to inquire about when to
expect to receive his or her own username and
password and what interim actions can be taken
until one is assigned.
39
HIPAA
Questions?
40
HITECH
Health Information Technology for Economic and Clinical Health Act
(HITECH)


IMPROVING HEALTH CARE QUALITY, SAFETY, AND EFFICIENCY
APPLICATION AND USE OF ADOPTED HEALTH INFORMATION TECHNOLOGY
STANDARDS

IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS

RELATIONSHIP TO OTHER LAWS; REGULATORY REFERENCES
41
HITECH


CERTIFIED EHR TECHNOLOGY —The term ‘certified EHR technology’ means a
qualified electronic health record that is certified pursuant to section 3001(c)(5) as
meeting standards adopted under section 3004 that are applicable to the type of record
involved (as determined by the Secretary, such as an ambulatory electronic health record
for office-based physicians or an inpatient hospital electronic health record for hospitals).
ENTERPRISE INTEGRATION —The term ‘enterprise integration’ means the electronic
linkage of health care providers, health plans, the government, and other interested
parties, to enable the electronic exchange and use of health information among all the
components in the health care infrastructure in accordance with applicable law, and such
term includes related application protocols and other related standards.
42
HITECH
Subtitle A—Promotion of Health Information Technology ‘‘SEC. 3001.
OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION
TECHNOLOGY.


ESTABLISHMENT —There is established within the Department of Health and Human
Services an Office of the National Coordinator for Health Information Technology
(referred to in this section as the ‘Office’).
PURPOSE —The National Coordinator shall perform the duties under subsection (c) in a
manner consistent with the development of a nationwide health information technology
infrastructure that allows for the electronic use and exchange of information and that—
43
HITECH
Purpose:





(1) ensures that each patient’s health information is secure and protected, in accordance
with applicable law;
(2) improves health care quality, reduces medical errors, reduces health disparities, and
advances the delivery of patient centered medical care;
(3) reduces health care costs resulting from inefficiency, medical errors, inappropriate
care, duplicative care, and incomplete information;
(4) provides appropriate information to help guide medical decisions at the time and
place of care;
(5) ensures the inclusion of meaningful public input in such development of such
infrastructure;
44
HITECH
Purpose:


(6) improves the coordination of care and information among hospitals, laboratories,
physician offices, and other entities through an effective infrastructure for the secure and
authorized exchange of health care information;
(7) improves public health activities and facilitates the early identification and rapid
response to public health threats and emergencies, including bioterror events and
infectious disease outbreaks;

(8) facilitates health and clinical research and health care quality;

(9) promotes early detection, prevention, and management of chronic diseases;


(10) promotes a more effective marketplace, greater competition, greater systems
analysis, increased consumer choice, and improved outcomes in health care services; and
(11) improves efforts to reduce health disparities.
45
HITECH
Subtitle D—Privacy


The term ‘‘breach’’ means the unauthorized acquisition, access, use, or disclosure of
protected health information which compromises the security or privacy of such
information, except where an unauthorized person to whom such information is disclosed
would not reasonably have been able to retain such information.
ELECTRONIC HEALTH RECORD —The term ‘‘electronic health record’’ means an
electronic record of health-related information on an individual that is created, gathered,
managed, and consulted by authorized health care clinicians and staff.
46
HITECH
PART 1—IMPROVED PRIVACY PROVISIONS AND SECURITY ROVISIONS


(a) APPLICATION OF SECURITY PROVISIONS — Sections 164.310, 164.312, and 164.316
of title 45, Code of Federal Regulations, shall apply to a business associate of a covered
entity in the same manner that such sections apply to the covered entity. The additional
requirements of this title that relate to security and that are made applicable with respect
to covered entities shall also be applicable to such a business associate and shall be
incorporated into the business associate agreement between the business associate and
the covered entity.
(b) APPLICATION OF CIVIL AND CRIMINAL PENALTIES — In the case of a business
associate that violates any security provision specified in subsection (a), sections 1176
and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the
business associate with respect to such violation in the same manner such sections apply
to a covered entity that violates such security provision.
47
HITECH
SEC. 13402. NOTIFICATION IN THE CASE OF BREACH.

(a) A covered entity that accesses, maintains, retains, modifies, records, stores, destroys,
or otherwise holds, uses, or discloses unsecured protected health information (as defined
in subsection (h)(1)) shall, in the case of a breach of such information that is discovered
by the covered entity, notify each individual whose unsecured protected health
information has been, or is reasonably believed by the covered entity to have been,
accessed, acquired, or disclosed as a result of such breach.
48
HITECH
TIMELINESS OF NOTIFICATION



INDIVIDUAL NOTICE - All notifications required under this section shall be made without
unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the
covered entity involved (or business associate involved in the case of a notification required under
subsection (b)).
MEDIA NOTICE - Notice shall be provided to prominent media outlets serving a State or jurisdiction,
following the discovery of a breach described in subsection (a), if the unsecured protected health
information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to
have been, accessed, acquired, or disclosed during such breach.
NOTICE TO SECRETARY - Notice shall be provided to the Secretary by covered entities of
unsecured protected health information that has been acquired or disclosed in a breach. If the breach
was with respect to 500 or more individuals than such notice must be provided immediately. If the
breach was with respect to less than 500 individuals, the covered entity may maintain a log of any
such breach occurring and annually submit such a log to the Secretary documenting such breaches
occurring during the year involved.
49
HITECH
BUSINESS ASSOCIATE
SEC. 13402. NOTIFICATION IN THE CASE OF BREACH.


(b) NOTIFICATION OF COVERED ENTITY BY BUSINESS ASSOCIATE — A business
associate of a covered entity that accesses, maintains, retains, modifies, records, stores,
destroys, or otherwise holds, uses, or discloses unsecured protected health information
shall, following the discovery of a breach of such information, notify the covered entity of
such breach.
Such notice shall include the identification of each individual whose unsecured protected
health information has been, or is reasonably believed by the business associate to have
been, accessed, acquired, or disclosed during such breach.
50
HITECH
BUSINESS ASSOCIATE




Includes any organization that has “routine” access to PHI to perform a service for the
covered entity (CE)
Exception is if they do not have routine access, and they are considered “conduits”
providing only courier services, such as the U.S. Postal Service or internet providers that
offer data transmission only
An entity that maintains PHI on behalf of the CE is a BA even if it does not actually view
the PHI.
Researchers are not business associates unless they act in a business associate capacity
for the CE
51
HITECH
BUSINESS ASSOCIATE



Includes “Subcontractors” of Business Associates – a person to whom a business
delegates a function, activity, or services other than in the capacity of a workforce
member.
Business Associate (BA) must obtain “satisfactory assurance” (BA agreement) from the
subcontractor that it will protect PHI.
Protects individuals PHI no matter how many subcontractors of subcontractors exist.
52
HITECH
BUSINESS ASSOCIATE AGREEMENT REQUIREMENTS
If a covered entity wants a business associate to be liable for additional provisions of the
privacy rule, compliance with the provision must be included in the business associate
agreement §164.504(e) .
The agreement must state that the business associate will:

Comply with the provisions of the security rule;

Report breaches of unsecured protected health information under the breach reporting
rules;

Ensure that a subcontractor agrees to the same restrictions and conditions that apply to
the business associate with respect to such information; and

Comply with the privacy requirements that apply to the covered entity in the
performance of an activity the business associate is carrying out on behalf of the covered
entity.
53
HITECH
PENALTIES





No knowledge / Carelessness - $100 for each violation, not to exceed $25,000;
during a calendar for identical violations.
Reasonable Cause (but not willful neglect) - $1,000 for each violation, not to
exceed $100,000 during a calendar for identical violations.
Willful Neglect (corrected) - $10,000 for each violation, not to exceed $250,000
during a calendar for identical violations.
Willful Neglect (not corrected) - $50,000 for each violation, not to exceed
$1,500,000 during a calendar for identical violations.
HITECH Act also allows state attorney generals to levy fines, seek attorney’s
fees, and award costs.
54
HITECH
PART 2—RELATIONSHIP TO OTHER LAWS; REGULATORY REFERENCES;
EFFECTIVE DATE; REPORTS
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT:

The standards governing the privacy and security of individually identifiable
health information promulgated by the Secretary under sections 262(a) and
264 of the Health Insurance Portability and Accountability Act of 1996 shall
remain in effect to the extent that they are consistent with this subtitle. The
Secretary shall by rule amend such Federal regulations as required to make
such regulations consistent with this subtitle.
55
HITECH
Questions?
56
Human Research Privacy
Human Research and HIPAA Privacy
57
Human Research Privacy
Ethical Research Codes



Nuremberg Code of 1947 – Doctors involved in Nazi human experiments

Consent

Avoiding unnecessary physical and mental suffering

Ensure risk never exceeds humanitarian importance of experiment
Declaration of Helsinki in 1964

Consent

Duty to protect life, health, dignity, integrity, privacy, confidentiality of research
subjects
Belmont Report of 1972 – addressed ethical lapses in research (ie 1932-11972 Tuskegee syphilis study)

Informed Consent, Assessment of Risk and Benefits, Selection of Subjects

Respect for Persons, Beneficence, Justice
58
Human Research Privacy
Major Compliance Rules

National Science Foundation – Defines Privacy and Confidentiality


Health and Human Services - Common Rule for Human Subjects (45 CFR 46)


Healthy Human or Patient participating in Research
HIPAA Privacy Rule (45 CFR 160 and 164) – Does not define H.S


Living Individual where investigator obtains Data or Identifiable Private Information
Food and Drug Administration Regulations - Definition of H.S. (21 CFR 50 and 56)


Privacy relates to Persons, and Confidentiality relates to restricting access to Data
Defines PHI and specifies compliance for deceased individuals
Public Health Service Act Certificates of Confidentiality (301 (d), 42 U.S.C. 241 (d))

Can protect the privacy of subjects from Federal, State, or local civil, criminal, administrative, legislative
proceedings
59
Human Research Privacy
Common Rule



Applies to research funded by a federal department or agency
Must provide written assurance of compliance, filed with HHS Office of Human Research
Protections
Requires Institutional Review Boards (IRB) to review proposed research. Criteria for
approval includes:
1.
2.
3.
4.
5.
Risks to subjects are minimized
Informed Consent is sought and documented
Research Plan ensures subject safety
Provisions to protect privacy of subjects and confidentiality of data
Safeguards for vulnerable populations
60
Human Research Privacy
Informed Consent – Requirements and Elements










Give opportunity for subject to decide whether or not to participate
Language must be understandable
States research purpose, duration, and procedures
Description of risks and benefits
Disclosure of alternative treatments
Statement that participation is voluntary
State how confidentiality of records that identify the subject will be maintained
Contact for questions and to report injuries
Compensation and medical treatment for injuries (more than a minimal risk)
No waiver of legal rights of subject or release fro liability for negligence of sponsor,
investigator, or institution
61
Human Research Privacy
Informed Consent

IRB may waive consent “if” (46.117(c)):


Consent Form is the only record linking subject to the study and main risk is breach
of confidentiality
No more than minimal risk and consent not normally required outside of research
62
Human Research Privacy
FDA Regulated Research - minor differences

No ability to waive informed consent

No ability for IRB to alter or waive requirement for informed consent
63
Human Research Privacy
HIPAA Research Requirements

Applies to Use and Disclosure PHI (160.103)






Use is sharing, utilization, examination, analysis of PHI
Disclosure is release, transfer, access outside the entity
Applies to research regardless of source of funding
Research is not considered TPO, even if conducted inside a CE by a physician with access
to the PHI for treatment, payment, or health care operations.
Physician must comply with HIPAA research provisions to use PHI to conduct research, or
disclose outside the CE for research purposes
Researchers are not business associates unless they act in a business associate capacity
for the CE
64
Human Research Privacy
HIPAA Research Requirements

Research Authorization may be combined with Informed Consent

Authorization must be obtained, or

IRB or Privacy Board has documented the waiver, or

PHI is used Preparatory to Research, or

PHI is for research of deceased individuals, or

PHI is part of a Limited Data Set
65
Human Research Privacy
Criteria for Alteration or Waiver


No more than a minimal risk to the individual’s privacy
Must have a Plan to protect identifiers for unauthorized use and disclosure, and to
destroy identifiers as expediently as possible

Written assurance PHI will not be reused or disclosed

Research cold not be performed without the waiver or alteration, and access to the PHI
66
Human Research Privacy
Preparatory to Research
Covered Entity (CE) must obtain written assurance that:
[45 CFR 164.512(i)(1)(ii)]

PHI used or disclosed is only used as necessary to prepare a research protocol

Researcher cannot remove any PHI from the CE during this review

PHI is necessary for the research
67
Human Research Privacy
Preparatory to Research




May use and disclose PHI to researchers to aid in Study Recruitment
Researcher may directly contact the potential study participant if the researcher is an
employee of the CE
CE may contract with a Business Associate to assist in contacting individuals for the CE to
obtain authorizations
CE may also discuss alternative treatments with patients, that may include participation
in clinical trials as part of patient’s treatment
68
Human Research Privacy
Decedents



HIPAA requirements apply to the PHI of decedents.
However, CE may use or disclose PHI of decedents to researchers if they obtain written
assurance that:

PHI used or disclosed will be used solely for research on the PHI of decedents

PHI is necessary for research purposes
The PHI of decedents will be protected for 50 years. After then, the data is no longer
considered PHI.
69
Human Research Privacy
Limited Data Set [45 CFR 164.514(e)]
CE may use or disclose a limited data set for research purposes:

Data Use Agreement is required

A benefit is that more detailed addresses and full dates can then be used

Limited data Set is protected health information that excludes the direct identifiers of
the individual or of relatives, employers, or household members of the individual list
on the subsequent slide:
70
Human Research Privacy
Limited Data Set
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Names, postal address information, other than town or city, state, and zip code.
All elements of dates (except year) directly related to the individual.
Telephone numbers, fax numbers, electronic mail (email) addresses.
Social Security numbers, medical record numbers.
Health plan beneficiary numbers, account numbers, certificate/license numbers.
Vehicle identifiers and serial numbers, including license plate numbers.
Device identifiers and serial numbers.
Web Universal Resource Locators (URLs).
Internet Protocol (IP) address numbers.
Biometrics identifiers, including finger and voice prints, full-face photographic images,
and any comparable images.
Any other unique identifying number, characteristic, or code.
71
Human Research Privacy
Accounting of Disclosures

Disclosures made other than with a patient’s authorization or Limited Data Set
must be tracked. Such as:

Preparatory to Research

Pursuant to alteration or waiver
72
Human Research Privacy
Data Breaches
Data breaches are subject to the
Breach Notification rules of HIPAA
73
Human Research Privacy
Questions?
74
Download