HIPAA Privacy Rule and Research
Kaiser Permanente Researcher Training
March 3, 2003
KPSC IRB version dated: 8/27/2015

About this Training

This HIPAA Privacy Rule Training Program provides a summary explanation to Kaiser Permanente (KP) researchers of new legislation that will have a significant effect on the conduct of research in KP. This summary also reflects the policies and procedures that KP has developed to implement the HIPAA Privacy Rule. This legislation is commonly referred to as HIPAA and more appropriately called the Privacy Rule. The Privacy Rule sets federal standards for KP control of access to and use and disclosure of individually identifiable health information. It also establishes rights for our members to access their health information and to know how KP is using and disclosing it.

All KP employees must complete basic HIPAA Privacy Rule training appropriate to their role. Completion of this research training program qualifies as having met KP requirements for training on the Privacy Rule as it applies to research. It supplements but does not replace basic HIPAA Privacy Rule training that is required for all KP employees. All full-time KP researchers must have documented completion of this or another qualified training program specific to research by April 14, 2003. All other KP researchers must have documented completion of this or another qualified research training program as soon as possible and no later than June 14, 2003.

The HIPAA Privacy Rule and Kaiser Permanente

The HIPAA Privacy Rule requires KP to set up new systems and procedures to assure that our members' privacy rights are protected. The Privacy Rule applies to health care treatment, payment, and operations as well as research. This training program addresses issues specific to research. The Privacy Rule requires KP to tell our Health Plan members if and how their health information will be used within the KP Region and disclosed outside the KP Region.
If it will be disclosed, KP must tell them what information will be disclosed and to whom. Also, KP must ask members’ permission before we use their health information for purposes such as research. To the extent that non-members are involved as research participants, all Privacy Rule provisions apply to them as well. The Privacy Rule provides our members with other rights, such as the right to access and amend their health information and to receive an accounting of any release of their information outside the KP Region made without their written permission. KP has always been committed to protecting the privacy of our members’ health information, but this new regulation requires us to take certain additional steps.

HIPAA and the Privacy Rule

HIPAA is the acronym for federal legislation passed in 1996 called the Health Insurance Portability and Accountability Act, which primarily addressed issues relating to health insurance. The act contained a provision requiring Congress to pass a new law by August 1999 to protect the privacy of identifiable health information. If Congress failed to meet this deadline, the Secretary of DHHS was required to write regulations. Congress did not pass a law by the deadline, and DHHS wrote the regulation that is known as the Privacy Rule. There are special provisions in the Privacy Rule that apply to research.

The final Privacy Rule was issued on August 14, 2002. On December 3, 2002, the DHHS Office of Civil Rights issued guidance for KP and other entities to which the Rule applies on how to implement it. KP must be in compliance with the Privacy Rule by April 14, 2003. A subsequent and related regulation that you will be hearing about is called the Security Rule. The Security Rule is not addressed in this training program.

Who Must Comply with the Privacy Rule

The Privacy Rule applies to health care providers and health care organizations such as KP. These entities are referred to under the Privacy Rule as covered entities.
For the purposes of research, each KP Region, including all KP entities within the Region (e.g., Kaiser Foundation Health Plan, Kaiser Foundation Hospitals, and Permanente Medical Group, as applicable), functions as a separate covered entity. Everyone employed by any KP entity must comply with the Privacy Rule. Certain provisions of the Rule also extend to KP vendors and contractors.

Because the Privacy Rule is a federal regulation, compliance with the Rule is mandatory. Failure to comply with the provisions of the Privacy Rule can result in significant penalties levied by the federal government, up to a fine of $250,000 and/or 10 years imprisonment. The Privacy Rule also requires Kaiser Permanente to apply sanctions, up to and including termination, to members of its workforce who violate KP’s policies and procedures. In order to protect the privacy of our members’ health information and to prevent sanctions to KP and ourselves, it is important to comply with all requirements of the Privacy Rule.

Research under the Privacy Rule

The Privacy Rule defines research the same way the Common Rule does. (The Common Rule is the DHHS regulation on the protection of human subjects, which requires review of research by IRBs and directs their processes.) The definition is “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” The kinds of research conducted at Kaiser Permanente that are subject to the Privacy Rule include but are not limited to clinical trials as well as clinical effectiveness, epidemiologic, behavioral, and health services research.

Any research that is subject to IRB review under the Common Rule is also subject to provisions of the Privacy Rule. However, the Privacy Rule goes farther than the Common Rule. It covers research that is exempt from IRB review under the Common Rule.
It also covers certain activities preparatory to research, such as feasibility and pilot studies, and it covers research on decedents. Any research that uses individually identifiable health information, or demographic information that could link health information with the identity of an individual, must be conducted in compliance with the Privacy Rule.

Privacy Rule Terminology

The Privacy Rule introduces a number of new terms with specific definitions under the Rule. It is important for KP researchers to learn what these terms mean. In particular, researchers should understand the three categories of information that are recognized by the Privacy Rule: protected health information (PHI), de-identified information, and limited data sets. Privacy Rule requirements differ for each of these categories.

One of the Privacy Rule’s most important terms is protected health information or PHI. PHI is identifiable health information, including any demographic or other descriptive information that could link the identity of an individual to his or her health information. It includes information maintained in paper medical records and in electronic databases or disease registries. It also includes information communicated verbally. The identifiers specifically listed in the Privacy Rule that can make health information identifiable appear in the PHI Identifiers table below. However, any information that could be used alone or in combination with other information to identify a research participant is PHI under the Privacy Rule.

PHI Identifiers

 1. Names
 2. Addresses
 3. All elements of dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89
 4. Telephone numbers
 5. Fax numbers
 6. E-mail addresses
 7. Social Security numbers
 8. Medical record numbers
 9. Health Plan beneficiary numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identifiers and serial numbers, including license numbers
13. Device identifiers and serial numbers
14. Web addresses (URLs)
15. Biometric identifiers, including voice and finger prints
16. Full-face photographs and any comparable images
17. Internet Protocol address numbers
18. Any other unique identifying characteristic or code

De-identified Information and Limited Data Sets

Besides PHI, the Privacy Rule defines two other categories of information. De-identified information is a data set that contains none of the 18 identifiers listed in the PHI Identifiers table above. Removing all of these identifiers is referred to as the "safe harbor" method for de-identifying information. Privacy Rule provisions do not apply to de-identified information. The Privacy Rule also permits a statistician or other qualified person to determine that research information from which all 18 identifiers have not been removed is de-identified. This statistician must document the methods and results of the analyses that were the basis of the determination.

The third category of information is called a limited data set. A limited data set can include two categories of PHI identifiers: 1) dates, such as birth and death dates as well as admission, discharge, and service dates (it also can include a person’s age); and 2) limited geographic subdivisions such as state, county, city, precinct, and the 5-digit zip code. However, the limited data set must exclude all of the other 16 identifiers listed in the PHI Identifiers table.

More about Limited Data Sets

Under the Privacy Rule, a limited data set can be used or disclosed for research purposes without written permission (authorization) from research participants or a waiver of authorization from the IRB, as long as it is used or disclosed under a data use agreement.
A limited data set is also exempt from the Privacy Rule requirement to track disclosures of PHI outside the covered entity. However, there are some restrictions that apply. For example, use of a limited data set is subject to the Privacy Rule’s minimum necessary standard, which is explained later. Regardless of whether limited data sets will be disclosed outside the Region, KP researchers must sign a data use agreement, providing certain assurances that the Privacy Rule’s provisions will be followed. If a limited data set is disclosed outside the Region, a data use agreement must be executed between the KP Region and the recipient of the information.

Definitions of Use and Disclosure

The Privacy Rule provides specific definitions of these key terms. A use is defined as “sharing, using, applying, examining PHI within a Region.” In KP, a use includes sharing PHI between the KP entities (e.g., Kaiser Foundation Health Plan, Kaiser Foundation Hospitals, and Permanente Medical Group, as applicable) that make up a Region. It also includes sharing information within a KP entity, such as a medical group, or even within a department.

A disclosure is defined as “releasing, transferring, providing access to, or divulging PHI to any individual or entity outside a KP Region.” This includes sharing PHI between KP Regions. It is also a disclosure if an individual who is not on KP’s workforce has access to PHI on KP premises. For example, disclosure occurs when a clinical trial monitor, representing the trial sponsor or a CRO, comes to the KP research site and looks at medical records in order to verify the accuracy of information recorded on case report forms. Any time anyone who is not on KP’s workforce has access to identifiable information pertaining to one or more KP members, for any reason, this is a disclosure, and this disclosure is subject to Privacy Rule provisions.
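The three information categories defined in the preceding sections (PHI, limited data set, de-identified information) can be checked column by column before an extract is used or disclosed. The following is an added example, not part of the KP training text or KP tooling: it tags each column of a constructed study extract with the number of the identifier it carries from the PHI Identifiers table and classifies the extract as PHI, a limited data set, or de-identified under the safe harbor method. All column names, tags and sample values are assumptions made up for this example.

```python
"""Screen a study extract against the three Privacy Rule categories above:
PHI, limited data set, and de-identified information (safe harbor method).
Added example, not KP text or tooling; the identifier numbers follow the
PHI Identifiers table, all column names and values are constructed."""
from typing import Dict, List, Set, Tuple, Union

# Column tag: None (not an identifier), an identifier number 1-18, or
# LIMITED_GEO for state / county / city / precinct / 5-digit ZIP, the
# geographic subdivisions a limited data set may keep.
LIMITED_GEO = "limited_geo"
Tag = Union[None, int, str]

# A limited data set may retain dates and ages (3) and limited geography.
LIMITED_DATA_SET_ALLOWED: Set[Tag] = {3, LIMITED_GEO}

# Constructed data dictionary for a hypothetical extract.
COLUMN_TAGS: Dict[str, Tag] = {
    "mrn": 8,              # medical record number
    "patient_name": 1,     # names
    "street_address": 2,   # full address
    "zip5": LIMITED_GEO,   # 5-digit ZIP, allowed in a limited data set
    "admit_date": 3,       # date directly related to the individual
    "age": None,           # becomes identifier 3 if any age is over 89
    "diagnosis_code": None,
    "hba1c": None,
}

# Constructed sample rows; every value is made up.
SAMPLE_ROWS: List[dict] = [
    {"mrn": "000111", "patient_name": "Example, A.", "street_address": "1 Main St",
     "zip5": "91101", "admit_date": "2002-11-03", "age": 67,
     "diagnosis_code": "E11.9", "hba1c": 7.2},
    {"mrn": "000222", "patient_name": "Example, B.", "street_address": "2 Oak Ave",
     "zip5": "91104", "admit_date": "2002-12-18", "age": 91,
     "diagnosis_code": "E11.9", "hba1c": 8.4},
]


def effective_tags(rows, tags=COLUMN_TAGS) -> Dict[str, Tag]:
    """Tag every column present in the rows. A column missing from the
    dictionary fails closed as identifier 18 ("any other unique identifying
    characteristic or code"); an untagged age column becomes identifier 3
    as soon as any age exceeds 89 (table entry 3)."""
    result: Dict[str, Tag] = {}
    for col in sorted({c for row in rows for c in row}):
        tag = tags.get(col, 18)
        if col == "age" and tag is None and any(
                row.get(col) is not None and row[col] > 89 for row in rows):
            tag = 3
        result[col] = tag
    return result


def classify(rows, tags=COLUMN_TAGS) -> Tuple[str, Set[Tag]]:
    """Return the extract's category and the identifier tags it still carries."""
    present = {t for t in effective_tags(rows, tags).values() if t is not None}
    if not present:
        return "de-identified", present
    if present <= LIMITED_DATA_SET_ALLOWED:
        return "limited data set", present
    return "PHI", present


def columns_to_drop(rows, target: str, tags=COLUMN_TAGS) -> List[str]:
    """Columns to remove for the extract to reach `target`
    ('limited data set' or 'de-identified')."""
    allowed = LIMITED_DATA_SET_ALLOWED if target == "limited data set" else set()
    return sorted(c for c, t in effective_tags(rows, tags).items()
                  if t is not None and t not in allowed)


def drop_columns(rows, columns) -> List[dict]:
    """Return the extract without the named columns."""
    return [{k: v for k, v in row.items() if k not in columns} for row in rows]
```

Dropping the columns reported for "limited data set" leaves dates, age and ZIP in place (still usable only under a data use agreement); dropping those reported for "de-identified" removes every remaining identifier, including the age column once any value exceeds 89.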
The Minimum Necessary Standard

The Privacy Rule requires KP researchers to use and disclose the minimum PHI necessary to perform the research. This applies to all uses and disclosures of PHI except when participants give written authorization for the use or disclosure of their health information. Even when authorization is obtained, the minimum necessary standard is a good principle to follow, regardless of whether the Privacy Rule requires it. The minimum necessary standard applies to activities preparatory to research, research on decedents, and research conducted under an IRB-approved waiver of authorization. As said above, it also applies to a limited data set. KP researchers must be prepared to justify that the PHI they are using or disclosing meets the minimum necessary standard.

Authorization for Use or Disclosure of PHI

Before KP researchers can use or disclose PHI, they must have either written authorization from the individuals to whom the identifiable health information pertains or an IRB-approved waiver or alteration of the authorization requirement. The IRB is permitted to approve a waiver only if the following criteria are met. The use or disclosure of PHI must pose minimal risk to the privacy rights of the subjects. There must be a plan to protect the PHI and to destroy the PHI at the earliest opportunity. And, the researcher must assure that PHI will not be reused for any other purpose, including for another research project. The other waiver criteria include:

- The research could not practicably be conducted without the waiver;
- The research could not practicably be conducted without access to the PHI;
- The rights and welfare of participants will not be adversely affected by the waiver; and
- The risks are reasonable in relation to the anticipated benefits of the research.

IRBs also have authority under the Privacy Rule to alter the specific requirements of the written authorization.
For the IRB to approve an alteration, the same criteria as used for waiving the authorization must be met.

More on Participant Authorization

Using or disclosing a limited data set does not require written authorization as long as a data use agreement has been signed by the appropriate parties. Activities preparatory to research also do not require authorization as long as the researcher uses PHI according to Privacy Rule provisions and submits the required representation.

Written authorization for use or disclosure of PHI will typically be provided as a new section at the back of the research consent form. The Privacy Rule has specific core requirements for this authorization. For example, it must describe the PHI being used or disclosed. If PHI will be disclosed, it must say who can disclose it, to whom, and why. This information must be in a separate section of the consent form, and it must be written in plain language. This authorization section requires a separate participant signature. Research participants who have signed a research consent form prior to April 14, 2003, do not need to sign a Privacy Rule authorization form. However, anyone enrolled after April 14, 2003, must provide written authorization unless the IRB waives or alters this requirement.

Research Participant Rights

The Privacy Rule permits research participants to revoke their authorization during the study, subject to certain limitations. Such revocation must be protocol-specific, and it should be made in writing to the KP principal investigator. The research team may continue to use and disclose any PHI collected about the participant before authorization was revoked. Also, use or disclosure of PHI after revocation is allowed to assure the safety of any individual or as otherwise required by law. Research participants also have the right to access certain information collected about them in the study; however, certain limitations apply for clinical trials.
Participants in research that involves treatment may be denied access to their PHI obtained in connection with the specific protocol, provided that the PHI was obtained in the course of the research, the participants signed an authorization in which the restrictions on their access were explained, and the right of access will be reinstated once the research study has ended and the authorization has expired. The Privacy Rule allows a participant’s personal representative to authorize the use and/or disclosure of PHI by signing the authorization form. And, the Privacy Rule requires that the participant or the representative who signs the form be given a copy of the signed authorization form. The researcher must maintain a copy of the signed form for at least six years.

Activities Preparatory to Research

The Privacy Rule has special provisions that affect the use of PHI in activities preparatory to research. Such activities include assessing the feasibility of conducting a study, preparing a grant application, conducting a pilot study, and prescreening clinical trial enrollees. For these and other activities preparatory to research, KP researchers must submit a representation to their Region agreeing to these principles:

- The use of PHI will be restricted to the minimum necessary to prepare a research protocol or for another purpose preparatory to research;
- No PHI will be removed from KP premises; and
- The PHI for which use or access is sought is necessary for the research purposes.

Your regional research office will provide a representation form for you to complete before you access PHI for any purpose preparatory to research. They will also provide instructions for submitting it. If Privacy Rule provisions are followed, activities preparatory to research do not require participant authorization or a waiver of authorization. These activities are typically exempt from IRB review under the Common Rule because they are not considered to be research.
Activities preparatory to research that involve a limited data set must be conducted under a data use agreement.

Research on Decedents

Prior to the Privacy Rule, research on decedents was largely unregulated. It did not require IRB review because it did not pertain to “living individuals.” The Privacy Rule introduces regulation of this type of research when PHI will be used or disclosed. Before KP researchers can conduct research involving PHI on decedents, they must submit a written representation agreeing to the following principles:

- The use or disclosure of PHI is sought solely for the purpose of conducting the research on decedents;
- Documentation of the death of such individuals will be provided to the KP Region or IRB on request; and
- The PHI for which use or disclosure is sought is the minimum necessary for the research.

Your KP regional research office will provide a form and instructions for submitting it. If a limited data set will be used, a data use agreement must be signed. If PHI on decedents’ relatives, employers, or household members will be disclosed, prospective IRB approval is required. If PHI will be disclosed outside the Region, disclosure accounting rules apply.

The Privacy Rule and Exempt Research

Research that is exempt from IRB review under the Common Rule is not necessarily exempt from the Privacy Rule. Researchers who believe that their activities are exempt from IRB review must submit a request for exemption form to the IRB. This form, recently expanded to enable determinations relating to the Privacy Rule, is available from your KP IRB. After April 14, 2003, when evaluating research to determine if it is exempt from IRB review, the reviewer (usually the IRB Chair or Administrator) must determine whether or not protected health information (PHI) will be used or disclosed. If it will, the reviewer will determine whether the research qualifies for a waiver of authorization.
If it does not qualify for a waiver, the research will require written authorization from participants. Typically, this means that the study will require review by the convened IRB.

Business Associate Agreements

The Privacy Rule requires that a special legal agreement, a business associate agreement, be executed between KP and its business associates that are receiving, using, or creating PHI. A business associate is an individual or entity external to KP, not acting as a researcher, that provides services on behalf of KP. Business associates are typically vendors, independent contractors, or commercial entities that provide support to KP such as mailing, survey, laboratory, radiology, or consulting services. A sponsor is not a business associate because it does not provide services on behalf of KP. Research collaborators, even those working under subcontract to KP, are not business associates because they are typically acting as researchers on the study. These individuals and companies need to sign other types of agreements with KP. Your KP regional research office should make the final determination about when a business associate agreement or any other type of research agreement is needed. KP investigators must not sign business associate agreements or other research agreements on behalf of KP.

Disclosure Accounting

Under the Privacy Rule, KP is required to account for all research disclosures of PHI outside the Region except when participants have provided written authorization for the disclosure. This will allow KP to respond to member requests for reports on when PHI about them might have been disclosed outside KP. For research, this will be accomplished in two ways. For research involving 50 or more participants (or PHI on 50 or more individuals), the regional research office will maintain a database that meets Privacy Rule disclosure accounting requirements.
The IRB application will ask new questions that are designed to obtain this information from KP researchers. For research involving fewer than 50 participants (or PHI on fewer than 50 individuals), each KP investigator will be required to provide certain information to their Region. Your regional research office will notify the Region of any studies that involve PHI on fewer than 50 participants for which no authorization is being sought. Disclosure accounting is required for exempt research, activities preparatory to research, research on decedents, and research conducted under a waiver of authorization.

Where to Go for Additional Information

Your regional research office is a good source of information on implementing the Privacy Rule. You can also contact the Kaiser Foundation Research Institute (KFRI), located in Oakland, at 510/625-3431. For information on regional research contacts and guidance on conducting research in KP, consult the KFRI web site at http://kpnet.kp.org/kfri. This site now has a special HIPAA Privacy Rule section that includes relevant KP policies and procedures, a glossary of terms specific to research, and other guidance for researchers. For general information on the Privacy Rule for KP, consult the KP HIPAA website at http://kpnet.kp.org/hipaa. In addition, KFRI has established an e-mailbox for research-related questions: submit your questions via Lotus Notes to HIPAA Research Questions.

The Privacy Rule is new, and KP researchers can anticipate changes in interpretations of this regulation and in associated KP and IRB policies and procedures over time. It is the responsibility of all who conduct research in KP to become aware of these changes and modify their research practices accordingly. KP research and compliance leaders appreciate your efforts to understand and comply with these important new federal requirements.
Documentation of Completion

In order to receive credit for completing this training, you must complete this page with your handwritten signature, indicating that you have read and understood the content of this HIPAA Privacy Rule Training Program for KP researchers.

Step 1: Email a copy of this completed and signed Documentation of Completion page in PDF format from your KP.ORG email to KPSC.IRB@kp.org.

Step 2: After two weeks, upload the completed and signed Documentation of Completion page in PDF format in iRIS to your iRIS My Account Information, under Education History. If you are a new user, go to http://irissupport.kp-scalresearch.org/ to get a username and password. Click on the orange “new users” button located on the right hand side of your screen. If you already have an iRIS username and password, log on to the iRIS home page at http://iris.kp-scalresearch.org/.

_____________________ Printed Name
_____________________ Signature (in blue or black ink only)
__________________________ KP Location and Department
_______________ KP NUID#
________________ Date
________________ Phone Number