HIPAA Review for Research
Susan Bouregy
Chief HIPAA Privacy Officer
Director, Human Subjects Committee
What is HIPAA?





Health
Insurance
Portability and
Accountability
Act
Why does insurance portability
affect research?

Insurance portability costs money
 Electronic submission of
standardized claims
 Huge databases and electronic data
flowing over the web made people
nervous
Privacy and Security Rules of HIPAA
The Privacy Rule

Applies to health care
providers and health plans
that bill electronically
 Limits how health
information can be used
(internally) or disclosed
(externally)
 Provides patients certain
rights with respect to their
health information
HIPAA at Yale

At Yale, HIPAA applies to:
– YSM
– EPH
– YSN
– YUHS
– Psychology clinics
– YUHP
– Benefits Office
Protected Health Information (PHI)





Individually identified
AND
Past, present or future physical or mental
health or condition; healthcare; or payment
for healthcare
AND
Created or received by a covered entity
(including PHI created in research)
18 HIPAA identifiers
Facial identifiers
 Name
 Address
 SSN
 phone
 Fax
 e-mail
 full face photo
Less obvious identifiers
 any dates
 MRN
 health plan #
 account #’s
 license #
 VIN
 device #
 URL’s
 IP address
 finger/voice print
 Any other unique identifying
numbers, characteristics or
codes
What’s not covered?
De-identified health information
 Research outside covered
components (e.g. anthropology
etc)
 Studies that don’t involve health
information

How PHI can be used/disclosed

Healthcare providers can use/disclose for
treatment, payment and healthcare
operations (TPO)
 Patient can authorize any use or
disclosure
 Privacy Rule defines other circumstances
when PHI can be disclosed without patient
authorization – public health, abuse,
research, etc.
 Allowed list does not include blanket ok
for research disclosures
How PHI can be used for research







Patient authorization (RAF)
IRB approved waiver of authorization
De-identified data
Limited data sets with Data Use
Agreement
Decedent information
Preparatory to Research
Use “Request Access to PHI for Research
Purposes” form
Research authorization

What specific information will be used/disclosed
by whom and to whom (classes)
 Purpose of use/disclosure
 How long the authorization is valid (can be
forever if justified by the research)
 Ability to revoke
 Potential for re-disclosure if data shared with
non-HIPAA covered entity
 Ability (or not) to condition treatment on signing
 Signature & date
Common Rule consent















Statement that this is research
Purpose and duration
Procedures
Risks and benefits
Alternative procedures
Confidentiality
Compensation for injury
Who to contact
Voluntary participation
Potential for unknown risks
Potential to be pulled from study
Costs
Consequences of withdrawal
Ongoing information to be provided
Number of subjects
Research authorization





Use Yale RAF template on HIC site
Can be combined with consent form =
“Compound Authorization”
Can not be combined with other authorizations
Must be specific – can’t authorize future
unspecified research
Can use “standard” authorization in addition to
RAF to get copies of records from other sites who
don’t need to know about research involvement
Unauthorized disclosures that are ok
under HIPAA





Adverse event reporting to FDA (public
health exception)
Child or elder abuse reporting (state
mandated preemption)
Mandated public health reporting (gunshot
wounds, communicable diseases)
Serious threat to health or safety
Billing insurance (TPO)
Sign here!
I consent to this emergency
surgery and authorize any
scientist anywhere to have
access to my records and
tissues for any research
purpose.
Waiver of authorization

IRB must determine
– Minimal risk to privacy
– Research couldn’t be conducted
without access and without waiver
– Written assurance PHI won’t be redisclosed or re-used except as
required/permitted by law
– Limited to minimum necessary
“Partial waivers” and alterations

Recruitment may require access to PHI
but no patient contact
 Phone eligibility screens where no written
authorization possible
 Can waive authorization for these initial
research processes and then subjects
consented later
 No provisions for waiving documentation
only
Minimum Necessary Standard
Only that information required for the
research is collected
 No fishing expeditions

De-Identified vs Anonymous
De-identified = HIPAA, lacks
18 identifiers
 Anonymous = IRB term, not
actually in Common Rule;
identity of the subject may not
readily be ascertained
 Anonymous data may or may
not be de-identified

Secondary use of study data
Colleague requests copies of PET
scans created in a research project
to perform meta analysis.
 No other data requested
 Scans have date of scan embedded
in image which can’t be removed
 What is required to release the data
to external researcher?

Ex: PET scan including date of scan
Common Rule
 Anonymous
 Not human
subjects research
 No IRB approval
 No consent
requirements
HIPAA
 Date + scan = PHI
 HIPAA applies
 Authorization or
waiver
 Accounting for
disclosures
Coded data




HIPAA allows a covered entity to code data and
then release the coded data as “de-identified” as
long as the code is secured and not distributed
with the data
Common Rule considers coded data with
agreement/policy that PI can’t access code to not
involve human subjects
When the PI codes the data it is not de-identified
but it may be Common Rule exempt if PI does not
hold the code
Codes can not be derived from identifiers (e.g.
last 4 digits of SSN)
Limited Data Sets
“Almost” de-identified
 Can have dates and
geographic info
 Requires signed data use
agreement
 Does not require accounting
for disclosures

“Internal” data use agreements
Yale construct
 Useful when data collected outside
HIPAA context (international,
schools etc)
 Don’t concern yourself with HIPAA
until you return to Yale
 Leave identifiers at site/outside Yale
covered entity

Preparatory and Decedents





Preparatory to research requires no PHI
leave the covered entity
Useful for feasibility determinations, grant
prep, etc.
Decedent information requires PI
certification that only decedents’
information requested
Covered entity can ask for proof of death
Use “Request Access to PHI for
Research” form
Ways to recruit subjects
Treating clinician tells
patient about the study and
how to contact researcher
 Treating clinician obtains
authorization allowing
researcher to contact
patient
 Partial waiver

Data and specimen banks




Authorization must be for specific
purpose
Banks don’t know at time of collection
how data/specimens will be used.
Therefore, can’t obtain valid authorization
for research uses
Can get authorization to bank
Access then requires a waiver for the use
or disclosure of the information
Patient rights in research context

Notice of Privacy Practices
– NOPP describes our clinical uses/disclosures
– Required to distribute in treatment studies

Access and amendment
– Access is to “Designated Record Set” (information used
to make treatment decisions), research data isn’t
automatically included in DRS
– HIPAA allows access to be denied in the course of a
blinded study

Accounting for disclosures
– Provide list of disclosures of PHI that are not TPO and
not authorized
– Data accessed under a waiver of authorization must be
listed
Privacy and Security


Privacy relies on adequate security
Subjects promised certain level of
confidentiality in consent documents
 HIPAA Security Rule specifies that we
have administrative, technical and
physical safeguards of ePHI
 State law requires notification if “personal
information” is accessed/stolen (identified
financial information)
 VA security directives
Data classification

Low risk
– No regulatory or contractual requirements for
confidentiality/security
– Can be released to the public

Sensitive
– Contractual or other obligation to protect the
data or deemed sensitive by Yale

Restricted
– Data protect by law (HIPAA, FERPA) or
deemed restricted by Yale
Low risk data
Publicly available
 De-identified data
 Data collected in an
“exempt” study

Sensitive data
Minimal risk studies
 Linking codes related to
restricted data
 Coded data stored separately
from code
 Sponsor requires data be
maintained confidentially
(trade secrets)

Restricted data

Identified data collected in
collaboration with VA
 Identified HIV, mental health,
genetic predisposition to
disease, substance abuse,
criminal history
 ID theft information – social
security numbers, financial
account numbers
 Data held under a Certificate of
Confidentiality
Above-Threshold Systems
Primary source, sensitive, or
restricted data
 ePHI critical for treatment, payment
or healthcare operations
 Sensitive or restricted information
held in a multi-user system

Above Threshold examples
A PC with database including social
security numbers
 Server with health information
collected for research that is
accessed by several members of the
research team
 Computer housing primary copy of
patient medical record

Basic System (below threshold)
Doesn’t contain above
threshold information
 Single user
 De-identified data
 Public information

Above threshold requirements
Registration with Information
Security
 Annual review of security safeguards
 Contingency plans, emergency mode
operation, access controls etc.

Ways to secure data






Striping identifiers
Coding data
Encryption
Secure servers (Yale data center)
Lock and key for paper records
Secure data transfer (encrypted email, FedEx of encrypted CD)
Other data security issues
Frequent data back-ups to ensure
access
 Back-up stored off-site or in secure
location
 Secure access to Yale systems by
external collaborators
 Appropriate disposal at end of life

Questions
hipaa@yale.edu
 www.hipaa.yale.edu
 432-5919

Getting the information

You need an IDX report of all patients
seen in the last 5 years who have
been diagnosed with breast cancer.
You e-mail your administrative
assistant to get the report so you can
call patients for enrollment.
Getting the information
Do you have an IRB approved partial
waiver?
 Providing the list requires
accounting by the holder of the
records
 Cold calls are generally considered
inappropriate.

Lost or stolen laptop

Help my laptop (flashdrive, CD backups, PDA, etc) is missing! Do I need
to do anything?
Lost or stolen laptop
Report to police (YU and local)
 Report to Information Security
 Report to IRB
 Was it encrypted?
 Was it backed up?
 What was on it and how sensitive?

Old samples

We have a freezer full of old tissue
blocks that have built up over the
years and we want to use them for
our new exciting research.
Old samples

Freezer full of samples is a repository.
 Requires IRB protocol outlining how
obtained and maintained.
 Was there consent/authorization to keep
the samples when they were collected?
 Is the proposed use consistent with any
prior consent/authorization?
I got a great new job!

I’m leaving tomorrow for a new
position and all my data, samples
and equipment are loaded into my
rental truck. See Ya!
Great new job






Has IRB approval been obtained from the new
institution?
Has Yale approved the transfer of equipment?
Are there grant funds that will be transferred?
Are there Yale personnel that rely on or have
ownership interest in the
equipment/data/specimens?
Has the removal of data/specimens been
approved and accounted for?
Has OEHS made sure equipment and materials
can be safely transported?