Topic: HIPAA Terminology

Statement:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains
provisions to protect the confidentiality and security of personally-identifiable information that
arises in the course of providing health care. In order to understand how HIPAA affects research,
there are a few important terms that are defined by the law.
A covered entity is the organization that has to comply with HIPAA. The University of
California is a Hybrid Covered Entity because, in addition to providing health care at its medical
facilities, it also has other organizational activities such as education and research.
The HIPAA Privacy Rule governs Protected Health Information (PHI), which is defined as
information that can be linked to a particular person (i.e., is person-identifiable) and that arises in
the course of providing a health care service.
When PHI is communicated inside of a covered entity, that is called a use of the information.
When PHI is communicated to another person or organization that is not part of the covered
entity, that is called a disclosure. HIPAA allows both use and disclosure of PHI for research
purposes, but such uses and disclosures have to follow HIPAA guidance and have to be part of a
research plan that is reviewed and approved by an Institutional Review Board (IRB).
When participants in a research study sign an authorization to have a copy of their PHI used for
research purposes, the information transcribed into the research record is subsequently governed
by the terms of their authorization and is no longer PHI subject to HIPAA. Although the HIPAA
Privacy Rule no longer applies to this information as it is maintained in research records, best
practices for research involving human volunteers require that its confidentiality continue to be
protected.
Question: Researchers at UCSD, UCLA and UC Irvine are conducting a multi-center study of a
new treatment for acne, for which participants sign an authorization for release of information
from their medical records for research purposes. The coordinating center for the project is at
UCLA, and person-identifiable information abstracted from clinic charts is recorded on case data
forms sent by UCSD researchers to the coordinating center. Is this a use or disclosure of PHI?
Answers:
1. [Correct: N] It is a disclosure of PHI.
   Response if selected: A disclosure of PHI would only occur if the PHI was sent outside of the
   covered entity, which in this case is the entire University of California system. More
   importantly, the information, while subject to best practices of protection of confidentiality,
   is no longer PHI when transcribed into research records under the terms of authorization signed
   by participants.
2. [Correct: N] It is a use of PHI.
   Response if selected: The information, while subject to best practices of protection of
   confidentiality, is no longer PHI when transcribed into research records under the terms of
   authorization signed by participants.
3. [Correct: Y] It is neither use nor disclosure, since the information is not PHI.
   Response if selected: The information, while subject to best practices of protection of
   confidentiality, is no longer PHI when transcribed into research records under the terms of
   authorization signed by participants. Within the University of California this form of
   person-identifiable research information would be considered RHI - Research-related Health
   Information.
***
Topic: What Kinds of Activities are Considered Research?
Statement:
The HIPAA Privacy Rule is primarily concerned with information generated in the course of
providing health care services, and is not primarily concerned with research. However, HIPAA
does recognize and endorse the fact that some research may create, use and disclose Protected
Health Information (PHI).
In order to understand whether HIPAA rules apply to a research project, it is first necessary to
determine whether the activity would be considered research. For this, HIPAA uses the same
definition as the federal Common Rule (45 CFR 46), which is a systematic investigation
designed to contribute to generalizable knowledge.
In practice, the most common test of whether an activity is research is whether the results will be
published. A quality improvement project that analyzes the medical records of patients who were
treated with a particular procedure would not be research if the analysis is used for internal
purposes only. But it is important to anticipate whether future publication is a possibility,
because retroactive approval to do research with person-identifiable records cannot be given.
Question: Which of the following would not be considered research for purposes of HIPAA
compliance?
Answers:
1. [Correct: N] An internal quality assurance study based on a medical chart review, whose results
   are published as a poster at a local professional society meeting.
   Response if selected: Presenting the results of a study would be considered contributing to
   generalizable knowledge and thus it would be considered research.
2. [Correct: N] A chart-review based comparison of the treatment outcomes of community-acquired
   pneumonia using two different forms of antibiotic, performed using NIH grant funding.
   Response if selected: An expectation of public funding is that the results will be publicly
   available, thus contributing to generalizable knowledge and meeting the HIPAA and Common Rule
   definition of Research.
3. [Correct: Y] A medical chart review looking for the percentage of charts that have co-signature
   of resident physician notes by an attending physician. Results presented to the staff medical
   executive committee.
   Response if selected: Internal uses of PHI for quality improvement purposes are not considered
   research.
4. [Correct: N] A prospective treatment trial randomizing patients to either standard treatment or
   an investigational asthma medication, which is sponsored by a drug company. The results will not
   be published but will be sent to the Food and Drug Administration (FDA).
   Response if selected: Studies that generate pre-market approval data are considered to be
   research by the FDA, as they contribute to generalizable knowledge about new drugs and
   categories of drugs.
***
Topic: Research that is covered by HIPAA
Statement:
HIPAA affects only that research which uses, creates, or discloses Protected Health Information
(PHI). In general, there are two ways a research study would involve PHI:
1. The study involves review of medical records as one (or the only) source of research
information. Retrospective studies involve PHI in this way. Prospective studies may do
this also, such as when a researcher contacts a participant's physician to obtain or verify
some aspect of a person's health history.
2. The study creates new medical records because as part of the research a health care
service is being performed, such as testing of a new way of diagnosing a health condition
or a new drug or device for treating a health condition.
Most sponsored clinical trials that submit data to the US Food and Drug Administration (FDA)
will involve PHI because study monitors have an obligation to compare research records such as
Case Report Forms (CRF) to the medical records of the persons participating in the study, in
order to verify that the information transcribed onto the CRFs is accurate.
Question: You are part of a research team that has an NIH grant to analyze the types and
frequency of hospital-acquired infections. As part of the research, you plan to do chart reviews of
hospitalized patients where you look at the charts, but no identifying information is transcribed
to your research records. Is this project using PHI?
Answers:
1. [Correct: Y] Yes.
   Response if selected: From the perspective of the person whose records are being analyzed, their
   health information has been used for a research purpose. This type of project requires IRB
   review but can generally be granted a waiver of the need to get informed consent (called
   Authorization in HIPAA parlance).
2. [Correct: N] No.
   Response if selected: HIPAA governs the using of PHI for research, not just the transcribing of
   it for research purposes.
***
Topic: PHI or Not?
Statement:
The broad definition of individually identifiable information has led some to conclude that any
individually-identifiable fact about a person arising out of their participation in a research study
would be PHI if it had immediate or potential relevance to normal or abnormal functioning (i.e.,
health and disease) at a molecular, physiologic, or functional level.
However, life sciences research includes activities that record person-identifiable information as
part of the study and in many cases it is simply not known whether the research results will be
significant, correct, and relevant to healthcare services or to the health and well-being of a
particular individual. A large fraction of the biomedical research involving human subjects that is
sponsored by NIH and other federal and not-for-profit entities is done to characterize and better
understand disease processes without an associated intervention designed to correct them.
The University of California HIPAA Task Force has defined the term Research-related Health
Information (RHI) for information which shares some characteristics of HIPAA PHI, but would
be governed by a different set of principles and best practices. These practices respect the rights
of individuals while at the same time catalyzing progress in biomedical and behavioral sciences.
The key distinction between RHI and PHI is that PHI is associated with or derived from a
healthcare service event. Thus, research studies that use medical records as a source of
person-identifiable research data are using PHI, and interventional clinical studies where
treatments are being compared for safety and effectiveness would create PHI. In contrast, a
research study that does not include a diagnostic or therapeutic intervention, and does not acquire
health-related facts about a person by copying them from a medical record, would create
information that, if individually identifiable, would be considered RHI. A white paper on the
differences between PHI and RHI is available here.
Question: An NIH-sponsored study of brain functioning after stroke is recruiting stroke victims
via newspaper ads. Volunteers who enroll in the study complete a research questionnaire about
their personal medical history, and have a functional MRI scan of the brain. Participants are paid
$100 for participating. Researchers use the person-identifiable data entered on the research
forms to correlate it with the fMRI findings. Is this study covered by provisions of HIPAA?
Answers:
1. [Correct: Y] No
   Response if selected: This study is producing RHI, but not PHI.
2. [Correct: N] Yes
   Response if selected: PHI arises only as a result of providing a health care service. The person
   identifiable information in this study would be RHI (Research Related Health Information) but
   would not be PHI since there was no health care service involved and no access to the person's
   medical records.
***
Topic: Getting Consent to Use PHI
Statement:
The principle of respect for persons means that, if it is feasible to get the consent of someone
before using their PHI for research, then consent should be obtained. HIPAA refers to consent
for use of information as an Authorization, and requires that the following elements be present in
an Authorization to use PHI for research purposes:
1. A description of information to be used or released.
2. The name of person(s) or class of persons (e.g., project staff) who will use the
information.
3. The name of persons or organizations to whom PHI will be released (e.g., central
coordinating offices of multi-center trials).
4. The expiration date or event that ends authorization to use PHI (e.g., completion of the
research), or statement that authorization does not expire.
5. A statement that the research participant has the right to revoke authorization (as part of
withdrawal from study procedures).
6. A statement that if information will be disclosed to other organizations the information
may no longer be protected.
7. A statement that the individual may inspect or copy their records. The researcher may
stipulate that records will not be available until after the study is complete.
HIPAA states that these elements of authorization can be incorporated into the research informed
consent document, or can be included in a separate authorization form signed by a study
participant. One or the other approach needs to be used for all newly enrolled study participants
in research that uses or creates PHI, beginning April 14, 2003.
Question: Does the HIPAA requirement for authorization for use of PHI mean that all currently
enrolled study participants will need to sign a new consent form on or after April 14, 2003 if the
study involves PHI?
Answers:
1. [Correct: N] Yes
   Response if selected: HIPAA only affects newly enrolled participants beginning April 14, 2003.
   The permissions in place and documented by signed consents prior to April 14 are grandfathered
   by HIPAA, and do not need to be re-executed.
2. [Correct: Y] No
   Response if selected: Consents signed prior to April 14, 2003 remain in effect, but any newly
   enrolled participants will need to sign either a HIPAA-compatible consent form or a stand-alone
   HIPAA Authorization to Use PHI in research form beginning April 14, 2003.
***
Topic: Waivers of Authorization
Statement:
Although it is always preferred to get permission to use an individual's Protected Health
Information, HIPAA permits research using PHI without obtaining consent (called Authorization
by HIPAA). In order to do this, the research must be reviewed and approved by a duly
established Institutional Review Board (IRB). HIPAA requires that IRBs review the project to be
sure it meets all of the following criteria:
1. The use or disclosure of PHI involves no more than minimal risk.
2. Granting of the waiver will not adversely affect privacy rights and welfare of the
individuals whose records will be used.
3. The project could not practicably be conducted without a waiver.
4. The project could not practicably be conducted without use of PHI.
5. The privacy risks are reasonable relative to the anticipated benefits of research.
6. An adequate plan to protect identifiers from improper use and disclosure is included in
the research proposal.
7. An adequate plan to destroy the identifiers at the earliest opportunity, or justification for
retaining identifiers, is included in the research proposal.
8. The project plan includes written assurances that PHI will not be re-used or disclosed for
other purposes.
9. Whenever appropriate, the subjects will be provided with additional pertinent information
after participation.
Question: The IRB approves your research project to do a retrospective chart review of hospital
records. For research purposes you transcribe from the medical records information such as
hospital admission and discharge dates, and the zip code of patient's residences. Once approved,
can you keep this information in your research records indefinitely?
Answers:
1. [Correct: N] Yes
   Response if selected: With a signed authorization, the terms of use of PHI for research are
   spelled out and agreed to by the research participant. This can include the fact that the
   authorization does not expire. In the case of research done without individual authorization,
   the PHI elements that make the information potentially linkable to an individual have to be
   destroyed at the earliest opportunity in the course of doing the research.
2. [Correct: Y] No
   Response if selected: Unless a researcher has a signed authorization to keep the PHI, it must be
   destroyed at the earliest opportunity.
***
Topic: Need to Know and Minimum Necessary Access
Statement:
For both healthcare and for research, HIPAA requires that Protected Health Information be
communicated on a Need to Know and Minimum Necessary basis. Simply put, individually
identifiable information should be made available only to persons whose job requires access to
that information. And only that information that is the minimum necessary to get the job done
should be provided.
These principles also apply to the disclosure of PHI to research collaborators at outside
institutions. In most cases, scientific data about individuals in research studies should be shared
with other researchers only in a format where it is linked to a unique study number or participant
identifier that is not traceable to an individual. Do not use Medical Record Number as a study
identifier because it is one of the elements that is considered person-identifiable. Information
such as names, addresses, phone numbers, e-mail addresses, and other contact information
should not be disclosed unless it is essential to the conduct of the research.
Question: Which use of PHI in a research setting would not meet a Need to Know standard?
Answers:
1. [Correct: N] Access to participant phone numbers by the research staff who schedule study
   visits.
   Response if selected: In order to contact participants, contact information such as phone
   numbers is necessary.
2. [Correct: N] Access to names, addresses and medical record numbers by office staff who mail out
   requests to community physicians for release of medical records of study participants in their
   care.
   Response if selected: PHI elements are necessary for the completion of Release of Records
   requests.
3. [Correct: Y] Putting a study participant's name on every research form they fill out.
   Response if selected: Research forms with participant names on them present an unnecessary
   confidentiality risk in most cases. Use of a study number is a preferred way of identifying
   forms. To decrease chances of an error in transcribing study numbers, a common practice is to
   also record the participant's initials, but not name.
***
Topic: Participant Access to Research Records
Statement:
HIPAA states that just as patients have a uniform right of access to their medical records,
research participants have a right of access to their research records. The researcher may
stipulate in the authorization form (which may be separate or a component of the research
consent form) that these records will not be available until after the study is complete. Rarely, it
may be the case that a participant's research data would be harmful to them if revealed, such as in
the case of stigmatizing disorders such as substance abuse. But the spirit and overall intent of
HIPAA is to give persons access to records that are maintained about them.
Question: A study participant requests a copy of the research information that has been recorded
about them. What should a researcher do if he or she believes the participant will not understand
the information in their research records?
Answers:
1. [Correct: N] The difficult to understand information should be deleted to keep participants from
   becoming confused or troubled.
   Response if selected: HIPAA does not require that researchers explain the content of research
   records to participants, but this is not a reason to withhold access.
2. [Correct: N] The information must be made available in any case, and an educational effort must
   be made to help participants understand the information in their research records.
   Response if selected: HIPAA does not require that researchers explain the content of research
   records to participants, however a common sense approach would be to explain the major types of
   information being recorded about the participant.
3. [Correct: Y] Unless psychological harm would result, a copy should be given to participants who
   request it.
   Response if selected: According to HIPAA, participant access to their research records that
   contain PHI can be delayed until after the research is completed, but can only be denied if this
   access would potentially be harmful.
***
Topic: Deidentification
Statement:
HIPAA recognizes that health-related information is often so rich in content that it can never be
made truly anonymous, but that the risk of re-identification of an individual is greatly decreased
by removing certain elements from research data. Data lacking these elements is said to be
deidentified and is excluded from the rules governing use of Protected Health Information.
De-identified data has the following elements removed:
1. Names;
2. All geographic subdivisions smaller than a State, including street address, city, county,
precinct, zip code, and their equivalent geocodes, except for the initial three digits of a
zip code if, according to the current publicly available data from the Bureau of the
Census: (1) The geographic unit formed by combining all zip codes with the same three
initial digits contains more than 20,000 people; and (2) The initial three digits of a zip
code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including
birth date, admission date, discharge date, date of death; and all ages over 89 and all
elements of dates (including year) indicative of such age, except that such ages and
elements may be aggregated into a single category of age 90 or older;
4. Telephone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic or code.
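As an added example (not part of the original module), the following Python filter applies the Safe Harbor rules listed above to one flat patient record: it strips the direct identifiers, truncates ZIP codes to three digits (or 000), keeps only the year of dates, aggregates ages over 89 and suppresses the birth year that would reveal such an age, and drops any field not explicitly allow-listed. The field names, the sample record and the small-population ZIP prefix set are constructed placeholders, not a real schema or real Census data.

```python
"""Illustrative HIPAA Safe Harbor de-identification filter (added example)."""
import re
from typing import Optional

# Constructed placeholder for the Census-derived set of three-digit ZIP prefixes
# whose combined population is 20,000 or fewer. The real set must come from
# current Census data; these values are for illustration only.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "823",
                         "830", "831", "878", "879", "884", "893"}

# Direct identifiers (items 1 and 4-17 of the list) are removed outright.
# Field names are hypothetical; map them to your own schema.
DIRECT_IDENTIFIERS = {
    "name", "first_name", "last_name", "street", "city", "county", "phone",
    "fax", "email", "ssn", "mrn", "health_plan_id", "account_no", "license_no",
    "vehicle_id", "device_serial", "url", "ip_address", "fingerprint", "photo",
}
ZIP_FIELDS = {"zip"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
AGE_FIELD = "age"
# Fields that may pass through unchanged: a study number that is not derived
# from PHI, and attributes no more specific than a State.
PASSTHROUGH_FIELDS = {"study_id", "sex", "diagnosis", "state"}


def deidentify_zip(zip_code: str) -> Optional[str]:
    """Item 2: keep the first three digits, or 000 for small-population areas."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # not a usable ZIP code; drop it rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def deidentify_date(value: str) -> Optional[int]:
    """Item 3: reduce an ISO date (YYYY-MM-DD) to its year."""
    match = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    return int(match.group(1)) if match else None


def deidentify_age(age: int) -> str:
    """Item 3: ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def deidentify_record(record: dict) -> dict:
    """Return a de-identified copy of one flat record; unknown fields are dropped."""
    age = record.get(AGE_FIELD)
    over_89 = isinstance(age, int) and age > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in ZIP_FIELDS:
            zip3 = deidentify_zip(value)
            if zip3 is not None:
                out[key + "3"] = zip3
        elif key in DATE_FIELDS:
            year = deidentify_date(value)
            # A birth year alone reveals an age over 89, so it goes too.
            if year is not None and not (over_89 and key == "birth_date"):
                out[key.replace("_date", "_year")] = year
        elif key == AGE_FIELD and isinstance(value, int):
            out[key] = deidentify_age(value)
        elif key in PASSTHROUGH_FIELDS:
            out[key] = value
        # Item 18: anything not allow-listed above is silently dropped.
    return out


SAMPLE_RECORD = {  # constructed sample; not real patient data
    "study_id": "S-0042", "name": "Jane Example", "mrn": "00123456",
    "ssn": "000-00-0000", "phone": "555-0100", "email": "jane@example.invalid",
    "street": "1 Example St", "city": "Exampleville", "state": "CA",
    "zip": "92093-0934", "birth_date": "1931-06-15",
    "admission_date": "2002-11-03", "discharge_date": "2002-11-09",
    "age": 91, "sex": "F", "diagnosis": "J18.9",
    "insurance_notes": "free text that may identify someone",  # not allow-listed
}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD))
```

Note that the allow-list approach is what makes item 18 enforceable: a free-text field that was never reviewed cannot leak through simply because nobody thought to block it.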
Question: As part of a treatment study, you take pictures of newly enrolled participants but do
not write their name on the picture, only their study identifier. Is this PHI?
Answers:
1. [Correct: Y] Yes
   Response if selected: Full face photographic images are considered PHI even if there is no
   other identifying text on the photo.
2. [Correct: N] No
   Response if selected: Full face photographic images are considered PHI even if there is no
   other identifying text on the photo.
***
Topic: Information Security
Statement:
HIPAA requires that research involving Protected Health Information use physical, technical and
administrative safeguards to protect confidentiality.
Physical safeguards include storing of person-identifiable data in locked file cabinets, and
restriction of access only to those project staff who have a need to access the files. Paper records
should not be kept in public areas where passers-by may inadvertently see their content.
Technical safeguards apply to computer systems where PHI is stored, and include use of
password-protected access, screensavers that have a timeout such that when a user walks away
from the computer, access is locked after a period of time, and audit trails that record who has
created or changed PHI data in the system. Wherever feasible, person-identifiable elements of
the computerized research records should be stored separately, and if feasible, in an encrypted
format.
Administrative safeguards include use of signed confidentiality agreements and publication of
policies regarding the confidentiality and security of research data.
Question: Does all Protected Health Information stored on a computer need to be encrypted?
Answers:
1. [Correct: N] Yes
   Response if selected: Although encryption is one mechanism to improve the confidentiality of
   PHI when stored in a computerized system, HIPAA does not specifically require this approach.
2. [Correct: Y] No
   Response if selected: Encryption and separation of PHI elements in a research information
   system is a best practice, but is not specifically required.
***
Topic: Record Keeping
Statement:
HIPAA requires that certain records be maintained in both healthcare and research contexts.
Authorizations for use of PHI should be kept in research records for at least six years. Though
not required, a good practice would be to keep signed informed consent documents together with
research authorization forms, if the two are separate documents.
When disclosures of PHI occur (i.e., when information is sent outside to persons in other
organizations), the principal investigator must keep a record of what information was sent, and to
whom. An audit trail of disclosures should be kept, and made available on request by a study
participant so that they can see what information about them was sent to an outside organization
or person.
Question: Should copies of signed HIPAA authorizations be sent to the IRB when a research
project is approved for use of PHI?
Answers:
1. [Correct: Y] No
   Response if selected: Signed HIPAA authorization forms are part of the research records
   maintained by the principal investigator, and should not be sent to the IRB unless requested.
2. [Correct: N] Yes
   Response if selected: Signed HIPAA authorization forms are part of the research records
   maintained by the principal investigator, and should not be sent to the IRB unless requested.
***
Topic: Recruiting Methods
Statement:
It has been a common practice for clinicians who are also doing research to use medical records
they have produced, or the clinical information systems of their organization, to identify
potential participants for research studies or to find cases for a retrospective chart review.
HIPAA distinguishes between the use of medical records for health care--which is a HIPAA
covered function--and the use of records for research purposes, which is not covered and must be
done only with signed authorization or with a waiver of authorization granted by an Institutional
Review Board.
The HIPAA Privacy Rule permits use of PHI for reviews preparatory to research; however, in the
University of California system this is considered part of the overall research plan and requires
IRB review prior to the review activity commencing. It is not permissible to begin the research
by gathering preliminary data via lookups in clinical information systems, or reviewing clinic
appointment logs or other records of clinical care, prior to IRB review and approval of a study.
Question: You are a HIPAA covered health care provider and also do research in your research
specialty. You would like to maintain a database of patients seen for care in your clinic that
includes disease-related information and contact information, to be used for research purposes
such as knowing whether the incidence of certain health conditions is changing. How can this be
done in the setting of the HIPAA Privacy Rule?
Answers:
1. [Correct: N] It is no longer permissible to create such databases under HIPAA.
   Response if selected: It is possible to maintain such databases, but such uses require signed
   authorizations by the persons whose information is being used for this research purpose.
2. [Correct: N] Obtain IRB approval for waiver of authorization to use clinical information for
   research purposes.
   Response if selected: The IRB can waive the requirement for authorization only when it is not
   practicable to get authorization. In cases where patients are actively receiving health care
   services, there will nearly always be an opportunity to elicit their preference about whether
   their records will be used for research purposes. If so, the IRB will not waive the requirement
   for authorization.
3. [Correct: Y] Create a research plan for the database and obtain IRB review and approval prior
   to beginning the project.
   Response if selected: The IRB will require that all patients whose records are going to be
   included in the research database give consent to have their records included, unless it is not
   practicable to obtain consent.