SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH
Angela M. Vieira, General Counsel, Children’s Hospital and Health Center, June 5, 2004
Research and Privacy
• Common Rule
– “adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data” 45 CFR §46.111(a)(7)
• FDA
– informed consent must include a “statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained and … not[ing] the possibility that the [FDA] may inspect the records” 21 CFR §50.25(a)(5)
Health Insurance Portability and Accountability Act of 1996
• Title I: Health Care Access, Portability, and Renewability
• www.hcfa.gov/medicaid/hipaa
• Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
• aspe.hhs.gov/admnsimp
• www.hhs.gov/ocr/hipaa
Administrative Simplification Components
Administrative Simplification
Transaction Standards
Standard Code Sets
Unique Health Identifiers
Security Standards
Electronic Signature Standards
Information Transfer Among Health Plans
Privacy Standards
TIMELINE
• Transactions and Code Set Standards
– October 16, 2002 (providers, large health plans)
• extension but must file compliance plan
– October 16, 2003 (health plans < $5 million)
• Privacy Rule
– April 14, 2003 (providers, large health plans)
– April 14, 2004 (small health plans)
• Security Rule
– April 20, 2005 (providers, large health plans)
– April 20, 2006 (small health plans)
Who is Covered?
• Health care providers who transmit any health information in electronic transactions
• Health plans
• Health care clearinghouses
• [Prescription drug discount sponsor]
• Business associate relationships
What is covered?
• Protected health information (PHI) that is:
– individually identifiable health information
– transmitted or maintained in any form or medium
• Held by a covered entity in any form or medium
• De-identified information - NOT COVERED
Key Points
• Federal rule sets floor
– covered entities may provide greater protection
– More protective state law applies
– California law permitted research uses & disclosures without specific authorization
• Required disclosures limited to:
– subject of information
– DHHS for compliance
• All other disclosures are permissive
Privacy Rule - in brief
• Notice of Privacy Practices
• Uses and disclosures permitted for treatment, payment, health care operations
• Minimum necessary requirements
• Individual rights
• Patient authorization
• Organizational requirements
• Business associates
Individual Rights
• Right to inspect and receive copy of PHI
• Right to request restrictions of uses/disclosures
• Right to request amendment
• Right to an accounting of disclosures
• Right to have reasonable requests for confidential communications accommodated
• Right to written notice of information practices from providers and plans
• Right to file complaint with DHHS or covered entity
Enforcement
• Civil Monetary Penalties
– $100/violation
– Capped at $25,000/calendar year for each requirement or prohibition that is violated
– Enforced by DHHS Office of Civil Rights
• Criminal Penalties
– Greater penalties for certain knowing violations
– Enforced by Department of Justice
• Other liability
Permitted Uses/Disclosures Research
45 CFR §§164.512(i), 164.514(a), (e)
• Subject authorization
• Approved waiver
• Reviews preparatory to research
• Research on decedent’s information - NEW
• De-identified information
– Not subject to Privacy Rule requirements
• Limited data set
Patient Authorization – Core Elements
• description of PHI
• CE authorized to make use/disclosure
• authorized recipient of PHI
• description of each purpose
• expiration date or event
• signature and date
– personal representative’s authority
Patient Authorization Required Statements
• Right to revoke in writing
– How, describe exceptions OR
– Refer to CE’s Notice of Privacy Practices
• Research participation may be conditioned on signing authorization
• Potential of information to be redisclosed by recipient and no longer protected by Privacy Rule
Patient Authorization – Additional Requirements
• Plain language
• Copy of signed authorization
Criteria for Approval of Waiver
• Minimal risk to subject’s privacy
– Adequate plan to protect identifiers from improper use/disclosure
– Adequate plan to destroy identifiers at earliest opportunity consistent with conduct of research, unless health, research or legal justification for retention
– Adequate written assurances that PHI will not be reused or redisclosed to any other person or entity except as required by law, authorized oversight of research, or other permissible research
• Could not be practicably conducted without waiver
• Could not be practicably conducted without access to or use of PHI
Documentation Requirements
• Identification and date of action
• Waiver criteria
• PHI needed
• Review and approval procedures
• Required signature
Additional Requirements
• Notice of privacy practices
• Accounting of disclosures
• Minimum necessary standard
Reviews Preparatory for Research
• Permitted if CE obtains from researcher representations that:
– use or disclosure sought solely to prepare a research protocol or for similar purposes
– no PHI will be removed from CE by researcher in course of review
– PHI necessary for research purposes
Research Decedent’s Information
• Permitted if CE obtains from researcher:
– representation that use or disclosure is solely for research
– documentation, upon request, of individuals’ deaths
– representation that PHI is necessary for research purposes
Common Rule - Waiver
• No more than minimal risk to subjects;
• Will not adversely affect the rights and welfare of the subjects;
• Research not practicably carried out without waiver or alteration; and
• Subjects provided with additional pertinent information after participation, when appropriate
Privacy Rule vs. Common Rule
• De-identified information is not subject to privacy rule requirements
– Certain exempt research now subject to IRB review
• Coded information still subject to IRB review under Common Rule
De-identification Requirements Expert Opinion
• Person with appropriate knowledge and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable
– determination that risk is “very small”; and
– documents methods and results of analysis.
45 CFR §164.514
De-identification Removal of Identifiers
• Names
• Telephone #s
• SSNs
• Account #s
• Device IDs
• Biometric IDs
• Addresses
• Fax #s
• MRNs
• License #s
• URLs
• Photos
• Dates
• E-mail addresses
• HP Beneficiary #s
• Vehicle #s
• IP addresses
• Other unique identifiers
Limited Data Set
• Research, public health, health care operations
• CE may contract with business associate to create LDS
• Data Use Agreement
– Privacy Rule requirements
Limited Data Set Removal of Direct Identifiers
• Names
• Telephone #s
• SSNs
• Account #s
• Device IDs
• Biometric IDs
• Street Address
• Fax #s
• MRNs
• License #s
• URLs
• Photos
• E-mail addresses
• HP Beneficiary #s
• Vehicle #s
• IP address #s
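The two identifier lists above differ in what survives: a Limited Data Set drops only direct identifiers and keeps dates and town/state/zip, while Safe Harbor de-identification also strips dates (all elements except the year, per 45 CFR §164.514(b)(2)), sub-state geography and any other unique identifier. The script below is an added illustration of both schemes on a single constructed patient record; it is not code from the original slides. The field names, sample values and the category-to-field mapping are assumptions made for the illustration. It also shows the check a practitioner wants before release: field-level removal leaves identifiers that were typed into free-text fields, so the output is scanned for residual patterns.

```python
"""Added illustration of the identifier-removal schemes on the slides
(Limited Data Set vs. Safe Harbor de-identification); not from the deck.
Field names, sample values and the category-to-field mapping are
constructed assumptions."""
import re

# Direct identifiers removed for a Limited Data Set. Dates and
# town/state/zip stay; only the street address goes.
LDS_REMOVE = frozenset({
    "name", "telephone", "fax", "ssn", "mrn", "account_number",
    "license_number", "device_id", "biometric_id", "url", "photo", "email",
    "health_plan_beneficiary_number", "vehicle_id", "ip_address",
    "street_address",
})

# Safe Harbor additionally removes any other unique identifier and
# geographic units smaller than a state; dates are cut to the year.
DEID_REMOVE = LDS_REMOVE | {"other_unique_id", "city", "zip"}
DATE_FIELDS = frozenset({"date_of_birth", "admission_date", "discharge_date"})

# Identifier patterns that tend to survive inside free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-000001",
    "ssn": "000-00-0000",
    "telephone": "555-0100",
    "email": "jane@example.invalid",
    "ip_address": "192.0.2.10",
    "street_address": "1 Example Street",
    "city": "San Diego",
    "state": "CA",
    "zip": "92123",
    "date_of_birth": "1990-04-15",
    "admission_date": "2004-05-01",
    "discharge_date": "2004-05-03",
    "other_unique_id": "STUDY-7781",
    "diagnosis": "J45.20",
    "notes": "Pt called from 555-0100; reply sent to jane@example.invalid",
}


def limited_data_set(record):
    """Remove the direct identifiers; dates and town/state/zip stay."""
    return {k: v for k, v in record.items() if k not in LDS_REMOVE}


def safe_harbor_deidentify(record):
    """Remove every listed identifier and reduce ISO dates to the year."""
    out = {}
    for key, value in record.items():
        if key in DEID_REMOVE:
            continue
        out[key] = value[:4] if key in DATE_FIELDS else value
    return out


def find_residual_identifiers(record):
    """Scan every value for identifier patterns. Field-level removal does
    not touch identifiers embedded in free text, so run this before any
    data set leaves the covered entity."""
    hits = []
    for key, value in record.items():
        for kind, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(str(value)):
                hits.append((key, kind))
    return sorted(hits)


if __name__ == "__main__":
    deid = safe_harbor_deidentify(SAMPLE_RECORD)
    print("limited data set fields:", sorted(limited_data_set(SAMPLE_RECORD)))
    print("de-identified record:", deid)
    print("residual identifiers:", find_residual_identifiers(deid))
```

Running it shows the de-identified record still carries a phone number and e-mail address inside `notes`, which is why a structured-field policy alone does not satisfy either method; free-text fields need their own review or redaction before the set counts as de-identified or as a Limited Data Set.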
Common Issues
• Health care operations or research
– QA, QI activities
• Outcomes evaluation, development of clinical guidelines
– Population-based activities relating to improving health or reducing cost
– Protocol development, case management, case coordination
– Cost management and planning-related analysis
• Formulary development
• Improved payment methodologies
• Intent is key!
– obtaining generalizable knowledge is not the primary purpose
Common Issues
• Covered Entity, Hybrid Entity, or non-Covered Entity
– Cities, counties, states, agencies
– Schools, universities
– Non-health care employers
• Databases
• Decedent research
• De-identification
WEBSITES
• privacyruleandresearch.nih.gov
– HIPAA & Research
• aspe.hhs.gov/admnsimp
– HIPAA Administrative Simplification Components
• www.dhhs.gov/ocr/hipaa
– HIPAA Privacy Rule