Columbia University Health Sciences
Research under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

HIPAA Overview
Health Insurance Portability and Accountability Act (HIPAA)
• Insurance Reform [Portability]
• Administrative Simplification [Accountability]
  • Transactions, Code Sets, & Identifiers – Compliance Date: 10/16/2002 and 10/16/03
  • Privacy – Compliance Date: 4/14/2003
  • Security – Compliance Date: 4/20/2005

PRIVACY vs. SECURITY
PRIVACY refers to WHAT is protected: health information about an individual, and the determination of WHO is permitted to use, disclose, or access the information.
SECURITY refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss.

PRIVACY: WHAT does the Privacy Rule COVER?
Protected Health Information (PHI) = individually (patient) identifiable information relating to the past, present or future health condition of the individual
• ALL information, whether maintained in electronic, paper or oral format

PRIVACY: WHAT does the Privacy Rule MEAN?
• Limits the use and disclosure of PHI
  • Most uses or disclosures outside of treatment or payment require actual patient authorization or an exception to authorization—e.g., research
• Establishes the individual’s (patient’s) right to control access to and use of PHI
  • Right to inspect or copy PHI
  • Right to amend incorrect information, etc.

PRIVACY: WHAT does the Privacy Rule MEAN? (cont’d)
• Balances health information protection and individual rights against public health and safety needs
• Administrative requirements
  • Privacy Officer
  • Privacy Board to review research
  • Notice
  • Training & Sanctions
  • Safeguards
  • Policies & Procedures

RASCAL HIPAA Forms
Human subjects research using identifiable health information must meet one of the following criteria:
• Form A) HIPAA Clinical Research Authorization (Form A – Spanish Version: HIPAA Clinical Research Authorization)
• Form B) HIPAA Application for Waiver of Authorization
• Form C) Request for Recruitment Waiver of Authorization
• Form D) Investigator's Certification for Reviews Preparatory to Research
• Form E) Investigator's Certification for Research with Decedents' Information
• Form F) Data Use Agreement for Disclosure of a Limited Data Set for Research Purposes
• Form G) Investigator's Certification for Research with De-Identified Data

HIPAA and Research
• HIPAA mandates that a Privacy Board ensure institutional compliance with HIPAA
• The Privacy Board function can be administered by an IRB or as a separate function
• For research involving human subjects at CUMC, this function is fulfilled by a Privacy Board function separate from the IRB—meets every two weeks

HIPAA and Research: Privacy Board
• Authorization signed by patient for all clinical research
• Waiver criteria applied before records research
• Exceptions
  • Preparatory to research
  • Decedent
  • De-identified
  • Limited Data Set

HIPAA Authorization
Authorization signed by patient for all clinical research. Patient authorization elements:
• The information
• Who may use or disclose the information
• Who may receive the information
• Purpose of the use or disclosure
• Expiration date or event
• Individual’s signature and date
• Right to revoke authorization
• Right to refuse to sign authorization
• Redisclosure statement

HIPAA Authorization
• The information
  • Relates to the “minimum necessary standard” (we will use only the PHI we need for the research)
• Who may use or disclose the information
  • “The PI and the research team”
• Who may receive the information
  • The sponsor/CRO/central labs/etc.

HIPAA Authorization
• Purpose of the use or disclosure
  • Short description of the research
• Expiration date or event
  • “End of study”; “never” for databases
• Individual’s signature and date
  • Subject must receive a signed copy
  • Must be retained for 6 years

HIPAA Authorization
• Right to revoke authorization
  • Must be made in writing
  • Reliance exception
• Right to refuse to sign authorization
  • If refusal is exercised, research-related treatment can be withheld—note you cannot as a provider condition signing an authorization for research on the provision of nonresearch-related treatment
• Redisclosures not protected
  • Statement that redisclosures may happen and their PHI would no longer be protected

Problem areas
• Creation of research databases from treatment encounters
• Compound authorizations not permitted—e.g., to build a research database and do specific research from that database
• Future unspecified research cannot be authorized—a particular problem with sponsor-requested language
• Patients’ general right to their health information—does this extend to research-related treatment?

HIPAA Waiver of Authorization
• Waiver criteria applied before records research
• Most likely to be used in cases of research involving retrospective chart reviews
• IRB/Privacy Board may also waive authorization to allow use of PHI by third parties to recruit study subjects—no waiver or authorization is needed to recruit a researcher’s own patients into a clinical trial

HIPAA Waiver Criteria
Waiver requires IRB/Privacy Board approval and documentation of three (3) waiver criteria:
1. Use or disclosure involves no more than minimal risk to the privacy of the subject, based on, at least:
   • An adequate plan to protect the information from improper use and disclosure;
   • An adequate plan to destroy identifiers; and
   • Written assurances that the PHI will not be disclosed further than as set forth in the waiver
2. The research could not practicably be conducted without the waiver or alteration
3. The research could not practicably be conducted without access to and use of the PHI

Waiver problem areas
• Case studies—case studies are generally not research, but must be de-identified
• Studies with a limited number of subjects
• Your research involves the disclosure of health information which the patient has to authorize—e.g., HIV status
• You’re requesting a waiver for research where the Privacy Board believes you have ample opportunity to get actual authorization—e.g., research database creation

Recruitment Issues
• A PI who is also the subject’s MD may contact his/her patients directly about research
• IRB-approved recruitment letters are OK—should be signed by the treating MD—active versus passive consent
• IRB-approved advertisement—subjects call the investigator or a screening service
• Not OK: recruiting out of waiting rooms; investigators with no relationship calling patients directly

Authorization and Waiver Exceptions
Exceptions must be documented. There can be no disclosure of PHI to researchers from CU or NYPH without authorization or waiver unless:
1. The disclosure is for preparatory research—i.e., to assess the feasibility of research, formulate a research hypothesis, or define a recruitment cohort; or
2. An exception applies—e.g., decedent; de-identified; limited data set

Reviews Preparatory to Research
The CE (covered entity) obtains a representation from the researcher that:
• Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol;
• No protected health information is to be removed from the covered entity by the researcher in the course of the review; and
• The protected health information is necessary for the research purposes.

De-Identified Health Information
(Exceptions: research on a decedent; de-identified; limited data set)
1. If information is “de-identified” in accordance with “generally accepted statistical and scientific principles or methods”
2. If all identifiers listed in a “safe harbor” are removed—this safe harbor requires the removal of 18 identifiers (of limited use)
3. A dummy identifier to facilitate linkage within the CE is permitted

Limited Data Set
• Permits identifiers not permitted by the de-identification safe harbor, such as: zip code, town, city & state, date of birth/death and dates of service
• Benefit: no need for waiver or authorization if only disclosing a limited data set to a researcher; the accounting rule doesn’t apply
• Requires a “data use agreement” with the intended recipient

Limited Data Set
Authorized for public health, research, and health care operations purposes:
1. Public health uses—disease registries maintained by the private sector or universities, or other types of studies for public health purposes
2. Possible health care operations use—hospital sharing of limited data set information with a local hospital association
3. Possible research use—establishment of research databases and repositories

HIPAA Security
Soumitra Sengupta, Information Security Officer
Columbia University Biomedical and Health Information Services (CUBHIS)

HIPAA Recap
Health Insurance Portability and Accountability Act (HIPAA) – 1996
• Administrative Simplification
  • Transaction code standards (November 2003)
  • Privacy (April 2003)
  • Information Security (April 2005)

Definitions
• Protected Health Information (PHI): health or medical information identifiably linked to a specific individual, such as information about:
  • their identity – demographic and financial data
  • their medical condition and treatment – clinical data
• Electronic PHI (EPHI): PHI stored on or transmitted via our computers and networks, including CDs, PDAs, tapes, and clinical equipment
• The goal of the HIPAA Security regulation is to secure EPHI

Concepts of Info Security
• Confidentiality
  • Prevent unauthorized access to or release of EPHI
  • Prevent abuse of access (identity theft, gossip)
• Integrity
  • Prevent unauthorized changes to EPHI
• Availability
  • Prevent service disruption due to malicious or accidental actions, or natural disasters.

Regulation specification
• Administrative Safeguards
  • Policies and Procedures
  • Responsibility
  • Awareness and Training
  • Incident Processing, Sanctions
• Physical Safeguards
  • Workstation Use and Security
  • Facility Access Control
  • Device and Media Control
• Technical Safeguards
  • Access Control
  • Audit Control
  • Encryption and Integrity Control

Action items to compliance: Development of Policies and Procedures
• Information Security Mgmt Process
• General Info Security
• Workstation Use and Security
• Info Sec: Backup, Device & Media Control
• Information Access Mgmt & Control
• Info Sec: Audit and Evaluation
• Workforce Security Clearance, Term and Auth
• Info Sec: Facility Access Control & Security
• Info Sec: Security Incident Procedure
• Info Sec: Disaster Contingency & Recovery Plan
• Information Security Best Practices

Action items to compliance: Infrastructure security
• Computer network and systems security
  • Firewalls, Intrusion Detection/Prevention systems
  • Secure remote access – VPN
  • Assuring availability: bandwidth restrictions to the Internet
  • Anti-virus (Symantec)
  • Anti-spyware (Pest Patrol)
  • Host Integrity Check (Tripwire)
  • Communication with patients (Relay Health)
• Facilities Security
  • Data Centers (planned upgrade)

Action items to compliance
• Infrastructure security
• Workforce Security
  • Authentication and Termination
    • Columbia UNI, CUMC/NYP LDAP, Weill Cornell LDAP
    • Termination from NYP, CU, WC Human Resources; CU Student Information Services; WC Students; Service Corporation; Private/Temp employees, etc.
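The de-identification safe harbor and the limited data set described in the privacy slides above (18 identifier categories removed; dates and town/city/state/zip retained only in a limited data set; a dummy linkage identifier permitted within the covered entity) can be expressed as two filters over a patient record. The Python below is an added example and is not CUMC or CUBHIS code. The field names, the sample record, the reference date, the set of ZIP prefixes assumed to cover more than 20,000 people, and the secret linkage key are all constructed assumptions; the identifier categories and the 90+ age rule follow the federal safe harbor.

```python
"""Safe-harbor de-identification vs. limited data set (added example)."""
import hashlib
import hmac
from datetime import date

# Constructed field names standing in for the direct identifiers the safe
# harbor removes (names, street address, contact details, SSN, MRN, plan/
# account/licence/vehicle/device numbers, URLs, IPs, biometrics, photos).
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
}
# Dates relating to the individual: the safe harbor keeps only the year;
# a limited data set may keep them in full.
DATE_FIELDS = {"dob", "date_of_death", "admit_date", "discharge_date"}

AS_OF = date(2005, 4, 20)  # constructed reference date for computing ages


def linkage_code(mrn: str, secret_key: bytes) -> str:
    """Dummy identifier that lets the covered entity re-link records.

    A keyed hash of the MRN; the key stays inside the CE and is never
    disclosed to the researcher, so the code cannot be reversed outside.
    """
    return hmac.new(secret_key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def _age_on(as_of: date, dob: date) -> int:
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record: dict, secret_key: bytes, populous_zip3: set,
                as_of: date = AS_OF) -> dict:
    """Remove the safe-harbor identifier categories and add a linkage code."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "city":
            continue  # dropped outright (geography below state level)
        if field == "zip":
            # Only the first three digits may remain, and only when that
            # three-digit area holds more than 20,000 people; otherwise 000.
            out["zip3"] = value[:3] if value[:3] in populous_zip3 else "000"
            continue
        if field in DATE_FIELDS:
            out[field + "_year"] = value.year  # year only
            continue
        out[field] = value
    if "dob" in record:
        age = _age_on(as_of, record["dob"])
        if age > 89:
            # Ages over 89 collapse into one "90+" category, and the birth
            # year would reveal such an age, so it goes too.
            out["age"] = "90+"
            out.pop("dob_year", None)
        else:
            out["age"] = age
    out["link_id"] = linkage_code(record["mrn"], secret_key)
    return out


def limited_data_set(record: dict) -> dict:
    """Strip direct identifiers but keep town/city/state/zip and full dates.

    Disclosure of the result still requires a data use agreement.
    """
    return {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS}


# Constructed sample record; not a real patient.
SAMPLE = {
    "name": "Jane Example", "street": "1 Example Way", "city": "New York",
    "state": "NY", "zip": "10032", "phone": "212-555-0100",
    "email": "jane@example.invalid", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "dob": date(1931, 3, 2), "admit_date": date(2004, 6, 14),
    "discharge_date": date(2004, 6, 20), "diagnosis": "I10",
}
SAMPLE_OVER_89 = dict(SAMPLE, mrn="MRN-0002", dob=date(1910, 1, 1))
POPULOUS_ZIP3 = {"100"}  # constructed: assume the 100xx area exceeds 20,000 people

if __name__ == "__main__":
    key = b"constructed-secret-held-by-the-CE"
    print(safe_harbor(SAMPLE, key, POPULOUS_ZIP3))
    print(safe_harbor(SAMPLE_OVER_89, key, POPULOUS_ZIP3))
    print(limited_data_set(SAMPLE))
```

Running the script shows the contrast the slides draw: the safe-harbor output carries only state, a three-digit ZIP, years, an age and a linkage code, while the limited data set keeps the full dates and city/ZIP and so needs a data use agreement rather than being freely disclosable.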
• Security Incident Processing and Sanctions
• Others

Responsibility action items: Information Asset Owner Responsibility
• Risk assessment and management
  • Tier A – more than 20 users – a Detailed Security Questionnaire and a set of formal documentation about the security of the asset
  • Tier B – fewer than 20 users – a Limited Security Questionnaire – 11 security questions
• Implementation of security controls
• Audit and evaluation
• Disaster Contingency and Recovery Plan
• Additional information in policy documents

Action items
• Report EPHI applications with more than 20 users to us to initiate a rigorous security risk assessment
• For applications with fewer than 20 users, CUBHIS is scheduling an external agency to conduct security sessions for asset owners to:
  • Learn about necessary security methods
  • Help fill out the Limited Questionnaire
• CUBHIS is also available for server and workstation management services for assets that need better management (“custodial functions”)

Action items
• We will incorporate security training with privacy training; call upon us to discuss HIPAA security with your department.
• All new clinical systems must be technically evaluated and approved by Dr. Randy Barrows Jr., Asst VP, CUBHIS Clinical Resources. Approval criteria include HIPAA Security check requirements.
• All EPHI assets are required to be registered.
• We are working with the IRB and Privacy Board to incorporate security checks for research systems. Expect guidance from the IRB about the security of all research, not just EPHI research.
Responsibility action items
• Manager responsibility
  • Workforce clearance, termination and authorization
  • Facilities access to sensitive information assets
  • Education, security reminders, sanctions
• End user responsibility
  • “Acceptable Use”
  • Safe practices
  • Sensitivity towards patient privacy

Consequences of Security Failure
• Disruption of patient care
• Increased cost to the institution
• Legal liability and lawsuits
• Negative publicity
• Identity theft (monetary loss, credit fraud)
• Disciplinary action

Types of Security Failure: Intentional Attacks
• Malicious software (virus, spyware)
• Stolen passwords (keyloggers, Trojans)
• Impostors e-mailing to infect and steal info (phishing)
• Theft (laptop, PDA, CD/USB storage devices, etc.)
• Abuse of privilege (employee/VIP clinical data)
• Theft of copyrighted material (Kazaa)

Types of Security Failure: Employee Carelessness
• Sharing passwords
• Not signing off systems
• Downloading and executing unknown software
• Sending EPHI outside the institution without encryption
• Losing a PDA or laptop in transit
• Pursuing risky behavior – improper web surfing, and instant messaging
• Not questioning, reporting, or challenging suspicious or improper behavior

Methods to Protect against Failures
• Install anti-virus and anti-spyware solutions; install security patches
• Update definitions daily
• Use caution when viewing web pages and e-mail attachments, and when using games and programs
• Choose strong passwords, refuse to share them, and change them if you suspect a breach
• Protect your laptop or PDA with a password, and turn on encryption on sensitive folders, including copies on CD, floppy, USB storage devices, etc.
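The "Audit Control" technical safeguard and the "abuse of privilege (employee/VIP clinical data)" failure type listed above come together in a routine review of the chart-access audit trail against the 'minimum necessary' and 'need-to-know' principles. The Python below is an added example, not CUBHIS tooling: the log format, the user-to-patient assignments and the flagged-record list are constructed for illustration, and a real review would read them from the EHR audit export and the scheduling or care-team system.

```python
"""Audit-control review of chart access against need-to-know (added example)."""
import csv
from collections import Counter
from io import StringIO

# Constructed access log in the shape an EHR audit trail might export;
# not real CUMC data.
ACCESS_LOG = """timestamp,user,role,mrn,action
2005-05-02T09:01:00,dr_adams,physician,MRN-0001,view
2005-05-02T09:03:00,dr_adams,physician,MRN-0002,view
2005-05-02T12:40:00,clerk_b,billing,MRN-0001,view
2005-05-02T13:15:00,nurse_c,nurse,MRN-0009,view
2005-05-02T22:05:00,nurse_c,nurse,MRN-0009,print
2005-05-03T08:30:00,dr_adams,physician,MRN-0009,view
"""

# Constructed need-to-know assignments: which patients each user is assigned to
# (in practice derived from care-team, scheduling or billing work queues).
ASSIGNMENTS = {
    "dr_adams": {"MRN-0001", "MRN-0002"},
    "clerk_b": {"MRN-0001", "MRN-0002", "MRN-0009"},
    "nurse_c": {"MRN-0001"},
}
# Constructed set of records given extra scrutiny (employee/VIP charts).
FLAGGED_RECORDS = {"MRN-0009"}


def review_access_log(log_text: str, assignments: dict, flagged: set) -> list:
    """Return one finding per access that fails a review rule.

    Rule 1: the user has no need-to-know assignment for that patient.
    Rule 2: the record is on the flagged list, so every access is reviewed.
    Each finding keeps the original log fields plus the reasons it was raised.
    """
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        reasons = []
        if row["mrn"] not in assignments.get(row["user"], set()):
            reasons.append("no need-to-know assignment")
        if row["mrn"] in flagged:
            reasons.append("flagged record")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings


def findings_by_user(findings: list) -> dict:
    """Count findings per user for the audit-and-evaluation report."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    found = review_access_log(ACCESS_LOG, ASSIGNMENTS, FLAGGED_RECORDS)
    for f in found:
        print(f["timestamp"], f["user"], f["mrn"], f["action"], "; ".join(f["reasons"]))
    print(findings_by_user(found))
```

On the constructed log the review raises three items, all on the flagged chart: two for a nurse with no assignment to that patient (one of them a print at night) and one for a physician who is likewise not on the patient's care team, while the billing clerk's access to an assigned record is not raised. The findings feed the sanctions and reporting steps described on the slides rather than acting automatically.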
Methods to Protect against Failures
• Do not abuse clinical access privilege; report if you observe an abuse (if necessary, anonymously)
• Do not be responsible for another person’s abuse by neglecting to sign off; this negligence may easily lead to your suspension and termination
• Do not copy, duplicate, or move EPHI without proper authorization
• Do not email EPHI without encryption to addresses outside the institution

Methods to Protect against Failures
• Strictly follow the principles of ‘minimum necessary’ and ‘need-to-know’ for all accesses – the 3 fundamental missions of the institution are Care, Education and Research.
• Challenge improper behavior, question suspicious behavior, and report violations and security problems to the proper authorities – email hipaa@columbia.edu or security@cumc.columbia.edu, or call the Privacy Office (1-212-305-7315) or the CUBHIS Helpdesk (1-212-305-HELP)
• Communicate with colleagues and staff about secure and ethical behavior

More Information
• Current website: go to http://www.cumc.columbia.edu/cubhis/, select Security, and then CUMC HIPAA
• Email security@cumc.columbia.edu or sen@columbia.edu