HIPAA Basics

Health Insurance Portability and Accountability Act of 1996 (HIPAA, the Kennedy-Kassebaum Act). Compliance is required by April 14, 2003.

The primary purpose of HIPAA is not the protection of privacy for PHI (protected health information); the intent of the law was to give individuals the means to carry their health insurance plan(s) with them to new employment situations (jobs). There is much readily available written material concerning the genesis of the legislation and the current state of the requirements to comply. While trying to gain a grasp of this information and its role in clinical research, remember that this is all part of Administrative Simplification on the part of government.

If you identify as a CE (Covered Entity), then HIPAA applies:

1. If research performed at Temple is part of a:
   - Health plan,
   - Health care clearinghouse, or
   - Health care provider
2. That transmits any health information in electronic form in conjunction with HIPAA transactions:
   - Health care claims or equivalent encounter information,
   - Health care payment and remittance advice,
   - Coordination of benefits,
   - Health care claim status,
   - Enrollment and disenrollment in a health plan,
   - Eligibility for a health plan,
   - Health plan premium payment,
   - Referral certification and authorization,
   - First report of injury,
   - Health claims attachments,
3. Then Temple is a covered entity under HIPAA and must comply with the Privacy Rule.

Notice of Privacy Practices: CEs are required to provide a written Notice of Privacy Practices. The Notice must contain certain elements and be written in "plain language". Researchers will need to provide this Notice to potential subjects if the initial contact with the CE is by way of participation in a clinical trial or other form of research. If this initial contact does not result in the signing of an informed consent or a screening, it is advisable to give the Notice to the contact regardless of inclusion in the research.
Acknowledgement of Notice: CEs must (with the exception of emergency treatment) make a good faith effort to obtain a written Acknowledgement of receipt of the Notice provided in accordance with the regulations. The attempt and result of the Acknowledgement, and any reason why the Acknowledgement was not obtained, should be documented.

Documentation: A CE is required to document compliance with the regulations regarding disclosure of Privacy Practices by retaining copies of written Acknowledgements of receipt of the Notice or, if not obtained, documentation of its good faith efforts to obtain a written Acknowledgement. Individuals are not required to sign the Acknowledgement; they may instead sign a log as an indicator that they received the Notice, or initial the coversheet of the Notice. If the coversheet is initialed as receipt, a copy of this initialed Notice should be kept as documentation.

If a researcher in a CE intends to use or disclose PHI in the course of clinical research, they need to obtain a signed Authorization for the release of PHI from the subject, unless the IRB or Privacy Board waives such Authorization. Authorization for use of PHI under the Privacy Rule can be combined with the research consent document. Subjects must receive a signed copy of the Authorization. The CE must retain the Authorization for at least 6 years.
Authorization: A valid Authorization must include all of the following elements:
- A description of the information to be used or disclosed;
- An identification of the persons or class of persons authorized to make the use or disclosure of the protected health information;
- An identification of the persons or class of persons to whom the CE is authorized to make the use or disclosure;
- A description of each purpose of the use or disclosure;
- An expiration date or event (except for research, where a statement that there is no expiration date may be inserted instead);
- The individual's signature and date;
- If signed by a personal representative, a description of his or her authority to act for the individual;
- A statement that the individual may revoke the Authorization in writing, including either:
  - Instructions on how to exercise such right,
  - A statement about the consequences of refusing to sign the Authorization; and
- A statement that, generally, the health information may no longer be protected by the Privacy Rule once it is disclosed by the CE (or a more specific statement of redisclosure risks where appropriate).

Criteria to be met for Authorization to be waived:
- Documentation that the alteration or waiver of Authorization was approved by an IRB or Privacy Board that was composed as stipulated by the Privacy Rule;
- Documentation identifying the IRB or Privacy Board and the date on which the alteration or waiver of Authorization was approved;
- Documentation that the alteration or waiver of Authorization, in whole or in part, satisfies the following 8 criteria:
  1. Use or disclosure of PHI involves no more than minimal risk to the individuals;
  2. The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;
  3. The research could not practicably be conducted without the alteration or waiver;
  4. The research could not practicably be conducted without access to and use of the PHI;
  5. The risk to individuals whose PHI is to be used is reasonable in relation to the anticipated benefits to the individuals and the importance of the knowledge that may reasonably be expected to result from the research;
  6. There is an adequate plan to protect the identifiers from improper use or disclosure;
  7. There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
  8. There is documented assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by this subpart.
- A brief description of the PHI that will be used or accessed for the research and for which Authorization has been waived;
- A statement that the alteration or waiver of Authorization has been reviewed and approved under either normal or expedited review procedures as stipulated by the Privacy Rule; and
- The signature of the chair, or of another member designated by the chair, of the IRB or the Privacy Board, as applicable.
De-identified health information: Medical institutions can release de-identified health information without patient Authorization if the following 18 specific identifiers are deleted:
1. Names
2. All geographic subdivisions smaller than a state
3. All dates (except year)
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Device identifiers and serial numbers
8. URLs
9. Internet protocol (IP) addresses
10. Biometric identifiers, including finger and voice prints
11. Social security numbers
12. Medical record numbers
13. Health plan beneficiary numbers
14. Account numbers
15. Certificate/license numbers
16. Vehicle identifiers, including license plate numbers
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code

Tracking and Accounting of Disclosures: If a covered entity waives Authorization for a disclosure, it needs to:
- Track all disclosures made relative to waivers of Authorization, and
- At the request of the individual whose data were disclosed, provide an accounting of such disclosures going back up to 6 years prior to the request.

Disclosures for research purposes are addressed specifically. The regulations require that if the CE makes disclosures of protected health information for a particular research purpose for 50 or more individuals, the accounting include:
- The name of the protocol or other research activity;
- A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records;
- A brief description of the type of protected health information that was disclosed;
- The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;
- The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and
- A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity.
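The 18-identifier list above is a checklist a data team can apply mechanically before releasing a research extract. The following is an added example, not part of the original HIPAA summary: it strips the direct identifiers from a constructed patient record, reduces dates to the year and geography to the state, and scrubs identifier-shaped strings out of free-text notes (the record's field names and the sample values are assumptions).

```python
# Added example (not from the original HIPAA summary): a Safe Harbor
# de-identification pass over a constructed record. Field names are assumed.
import re
from datetime import date
# Record fields that fall under the 18 Safe Harbor categories; dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "plan_beneficiary_id", "account_number", "license_number", "vehicle_plate",
    "device_serial", "url", "ip", "fingerprint_hash", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}  # reduced to year only
# Free-text notes can smuggle identifiers; these patterns catch common shapes.
NOTE_PATTERNS = {
    "[PHONE]": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "[SSN]": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "[EMAIL]": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "[IP]": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "[DATE]": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

def scrub_note(text):
    """Replace identifier-shaped substrings in free text with placeholders."""
    for token, pattern in NOTE_PATTERNS.items():
        text = pattern.sub(token, text)
    return text

def safe_harbor_deidentify(record):
    """Copy of record with direct identifiers dropped, dates reduced to the
    year, geography reduced to the state, and free-text notes scrubbed."""
    clean = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field in DATE_FIELDS:
            clean[field + "_year"] = value.year   # identifier 3: keep the year
        elif field == "notes":
            clean[field] = scrub_note(value)      # identifier 18: catch-all
        else:
            clean[field] = value                  # e.g. state, diagnosis code
    return clean

# Constructed sample record with fictional values, not real patient data.
SAMPLE = {
    "name": "Jane Q. Sample", "street": "1 Example St", "city": "Philadelphia",
    "state": "PA", "zip": "19122", "phone": "215-555-0100", "ssn": "000-00-0000",
    "email": "jane@example.org", "mrn": "MRN-12345", "ip": "192.0.2.10",
    "dob": date(1970, 3, 9), "admit_date": date(2003, 4, 14), "diagnosis": "J18.9",
    "notes": "Call 215-555-0100 or jane@example.org; seen 4/14/2003.",
}
```

The regex scrub is a safety net for the catch-all item 18, not a substitute for it: a release review should still confirm that no remaining field (for example a free-text diagnosis) uniquely identifies the individual.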