					   HIPAA and Clinical Research:
    Practical Tips for Managing
      Privacy and Protocols
              Heather Fields, J.D.
               Beth DeLair, J.D.




 HIPAA Collaborative of Wisconsin
Fall Conference September 26, 2003
             Presentation Overview
• HIPAA’s Impact on Research Programs
   » Authorizations
   » PHI Pathways for Researchers
   » HIPAA’s Impact on Subject Recruitment
   » Human Subjects’ HIPAA Rights
   » Transition Issues
• Case Study: Integrating HIPAA Privacy
  Requirements and Research at University of
  Wisconsin-Madison
• Questions and Answers


       Are Researchers
       Covered Entities?




       Examples of Non-Covered Entities
            Involved in Research
•   Universities
•   Research Foundations
•   Student Health Services (if do not bill for services)
•   Non-treating Ph.D.s
•   Contract Research Organizations
•   IRBs
•   Data Warehousing/Data Management Companies
•   Pharmaceutical Companies




     Are Researchers
   Business Associates?




        Researchers Are Not Business
                Associates
• Business Associate is a person or entity conducting a
  covered function or activity (e.g., payment or health care
  operations) or providing one of the following services:
  legal, actuarial, accounting, consulting, data aggregation,
  management, administrative, accreditation, and financial
  services
• Research is not a covered function or activity or a
  business associate service
• Even if covered entity hires a researcher to do research
  on its behalf, the researcher is not a business associate


What Types of Research
Data Are Protected by the
     Privacy Rule?



        HIPAA and Research:
Examples of Research Data Protected by
           the Privacy Rule
• All research data, regardless of funding source,
  involving/associated with treatment
• Identifiable or coded data or human tissue, DNA,
  blood or organ (e.g., samples that have been coded
  where the researcher controls the coding)
• Health information in medical or billing records
  maintained by a Covered Entity




          HIPAA and Research:
     Examples of Research Data NOT
      Protected by the Privacy Rule

• Research of de-identified records, data or tissue,
  blood, DNA samples
• Health information created by a non-covered entity
  (e.g., Ph.D., pharmaceutical company)
   » NOTE: Health information received or purchased
     by a non-covered party from a Covered Entity may
     still be protected by HIPAA



        De-Identified Health Information
       NOT Protected by the Privacy Rule:

    3 ways to De-Identify Health Information
•   Satisfy De-Identification Safe-Harbor

•   Statistically De-Identify and Obtain Certification

•   Create Limited Data Set




    De-Identification Safe Harbor:
Data Elements That Must Be Removed
• Name
• Address, including city, county and zip code
• Dates, including birth date, admission date, discharge date and date of death
• Telephone and fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary number
• Account number
• Certificate/license number
• Vehicle or other device serial number
• Web URL
• Internet Protocol address
• Finger or voice prints
• Photographic images
• Any other unique identifying number, characteristic or code

     De-Identifying Health Information:
        Statistical De-Identification

• Statistically De-Identify Using Generally Accepted
  De-Identification Methods
• Obtain Certification From Statistician that:
   » appropriate methods have been used
   » “very small” risk that the information could be
     used, alone or in combination with other
     reasonably available information, by an
     anticipated recipient to identify the individual




     De-Identifying Health Information:
             Limited Data Sets
• Set of data with “facial” identifiers of the individual or
  of relatives, employers or household members of the
  individual removed (e.g., name, address, social
  security number, medical record number)
• May be used/disclosed only for purposes of research,
  public health or health care operations
• Recipient of limited data set must enter into a data
  use agreement specifying what use will be made of
  the limited data set, who will be permitted to access
  it, limitations on further disclosure or use


 Impact of Privacy Rule on
   Research Programs




             Privacy Rule’s Impact on
          Research Program Stakeholders
• Subjects: Grants control over use of PHI
• Investigators and Sponsors: Provides continued access to PHI for
  research purposes
• IRBs: Sets forth special role and responsibilities with respect to
  protection of subject’s privacy
• Human Subject Protection Offices: Requires development of HIPAA-
  compliant policies and procedures; creation of privacy board;
  identification of business associates
• Institutional Officials of Covered Entities: Establishes responsibility for
  overall HIPAA compliance; policies and procedures; data
  management; grants management




How will you “fit” HIPAA Privacy
    into your operations?




  Follow 10 Easy Steps




To Learn to Live With HIPAA

  HIPAA For Research in 10 Easy Steps

Step 1: Differentiate Roles: Common Rule vs. HIPAA
Step 2: Know the Five HIPAA PHI Pathways
Step 3: Define the IRB’s HIPAA Compliance Role
Step 4: Use/Disclose PHI in the Minimum Necessary Way
Step 5: Ensure Subject Recruitment Complies with HIPAA
Step 6: Uphold Subject’s HIPAA Rights
Step 7: Watch Out for Transition Issues
Step 8: Comply with HIPAA’s Administrative Requirements
Step 9: Understand the Business Associate Rule
Step 10: Seek HIPAA Training for IRB Members and Staff



     Step 1: Understand the Difference
     Between the Common Rule and the
               Privacy Rule
Common Rule
•   Governs Human Subject Protections
•   Requires Consent
•   Sets forth IRB review exemption requirements
•   May apply to research even if data is de-identified

HIPAA Privacy Rule
•   Governs Use/Disclosure of PHI
•   Requires Authorization
•   Sets forth waiver of authorization requirements
•   May apply even if study is exempt


        Step 2: Know the Five HIPAA
        Pathways to PHI for Research
Pathway 1: Get Patient to Sign a HIPAA Authorization

Pathway 2: Use Safe Harbored/Statistically De-Identified PHI

Pathway 3: Access Limited Data Set per Data Use Agreement

Pathway 4: Obtain Privacy Board Waiver of Authorization

Pathway 5: Review only PHI that is “minimally necessary”
          >>for preparatory research; or
          >>to study information of deceased individuals

               PHI Pathway No. 1:
              HIPAA Authorization
• Specific meaningful description of PHI to be
  used/disclosed
• Names of persons authorized to receive, create,
  and/or use PHI
• Names of persons to whom PHI may be disclosed
• Statement of purpose of use/disclosure
• Expiration date/event (“end of research” or “none” ok)
• Statement of right to revoke
• Signature/date
• Any potential for redisclosure identified
Differences Between HIPAA Authorization and
        Informed Consent Form (cont.)
Informed Consent
   • Governed by Common Rule
   • Required to participate in the research based on the risks and benefits
   • Reviewed by the IRB, unless waived

HIPAA Authorization
   • Governed by Privacy Rule
   • Required to use or disclose PHI for research purposes
   • Likely to be reviewed by IRB, but not required
   • May be waived by Privacy Board

            PHI Pathway No. 2:
    Use De-Identified Health Information
• Satisfy De-identification Safe Harbor
   » Must remove all 18 identifiers
   » No dates or five digit zip codes
• Statistically De-Identify Using Generally Accepted
  Statistical De-Identification Methods
   » Must obtain certification from Statistician that “very
     small” risk that the information could be used,
     alone or in combination with other reasonably
     available information, by an anticipated recipient
     to identify the individual



             PHI Pathway No. 3:
           Access Limited Data Set

• Data must be “facially” de-identified (e.g., name,
  address, social security number, medical record
  number removed)
• May be used/disclosed only for research purposes
• Must enter into data use agreement with Covered
  Entity specifying what use will be made of the limited
  data set, who will be permitted to access it, limitations
  on further disclosure or use
• If researcher is creator of limited data set may also
  need to enter into Business Associate Agreement


             PHI Pathway No. 4:
    Privacy Board Waiver of Authorization
• Research could not practicably be conducted without the
  waiver
• Research could not practicably be conducted without access
  to and use of the PHI
• Disclosure involves no more than minimal privacy risk to the
  individuals
   » Adequate plan to protect the PHI from improper use and
      disclosure
   » Plan to destroy the identifiers at the earliest opportunity
      (unless adequate justification not to destroy)
   » Adequate written assurances that PHI will not be reused or
      disclosed to any other person, except as required or
      permitted by law

           PHI Pathway No. 5:
    Using PHI for Preparatory Research

• Covered Entity may disclose health information to a
  researcher to prepare a research protocol, if the
  researcher certifies:
   » Review is necessary to prepare a research
     protocol
   » No health information will be removed by the
     researcher during the review
   » NOTE: No definition in Privacy Rule for
     “remove”—some argue that remove means
     disclosure and therefore Covered Entity may use
     PHI internally under this exception
• Minimum Necessary Standard applies
          PHI Pathway No. 5:
   Research Involving PHI of Deceased
               Individuals

• Researcher may review health information of
  deceased persons without authorization, if researcher
  certifies that:
   » review is solely for research purposes
   » information which is sought is necessary to conduct
     the research
• Minimum Necessary Standard applies



    Step 3: Define the HIPAA Compliance Role of
    the IRB and the Research Compliance Office
• NOTE: Institution may handle outside of IRB
• IRB may, but is not required to:
   » Review HIPAA Authorizations
   » Serve as Privacy Board and Review Authorization
      Waiver Requests
• Research Compliance Office may, but is not required to:
   » Review requests to access PHI for Preparatory
     Research or Decedent Research
   » Review Limited Data Set Agreements
   » Ensure Proper De-identification
   » Ensure subject recruitment practices comply with
     HIPAA
  Step 4: Use and Disclose in the HIPAA
         Minimum Necessary Way

• A Covered Entity must try to limit the “amount” of PHI it
  uses, discloses, or requests to the minimum
  necessary to achieve the purposes
• Business Associates must also comply with the
  Minimum Necessary Standard when using PHI
• Example of application to IRB: request for additional
  information regarding an adverse event
• Example of application to research administrator:
  review of medical records for purposes of conducting
  compliance audit

 Step 4: Use and Disclose in the HIPAA
    Minimum Necessary Way (cont.)

Minimum Necessary Standard Applies to:
• Waiver Authorized Research
• Use/Disclosure of Decedent’s PHI
• Use/Disclosure of PHI Preparatory to Research
• Limited Data Sets




 Step 4: Use and Disclose in the HIPAA
    Minimum Necessary Way (cont.)

Minimum Necessary Standard Does Not Apply to:
• Treatment
• Use/Disclosure pursuant to authorization
• Disclosures to individual/subject
• Disclosures to DHHS for compliance
• Disclosures Required by Law




   Step 5: Ensure Subject Recruitment
      Practices Comply with HIPAA
• Direct Contact with Patients by Treating Provider
  Permitted
• Identification of potential subjects through:
   » Review Preparatory to Research
      Direct Patient Contact Restricted to Those Within
        Covered Entity
      Cannot disclose PHI
   » Partial Waiver of Authorization
      Would permit disclosure of recruitment logs
      Direct patient contact permitted
• Potential Subjects can always self-identify
   Step 6: Uphold the Subject’s HIPAA
                 Rights
Under HIPAA Subjects Have Right to:
• Notice of Privacy Practices of Covered Entity
• Access their PHI
• Request amendment of their PHI
• Receive a record of certain disclosures of their PHI
  made within previous 6 years
• Request restrictions on uses and disclosures
• Revoke their authorization
• Request alternative means/location of communication
  of PHI

   Step 7: Watch Out for Transition Issues
• For studies ongoing prior to April 14, 2003:
   » Grandfather Provision applies to allow researcher to
     continue to create, use and disclose PHI post-HIPAA in a
     manner that is consistent with the approved terms of use
     in following situations:
       * Patient has signed an IRB-approved informed consent form
         or some other legally valid authorization prior to April 14,
         2003
       * IRB waiver of informed consent was obtained prior to April
         14, 2003
   » NOTE: If patient did not sign an informed consent form
     prior to April 14, 2003 OR if study was exempted from IRB
     review prior to April 14, 2003, the grandfather provision
     does not apply


Step 7: Watch Out for Transition Issues
               (cont.)

• EVEN if study is deemed “exempt” under the
  common rule IF the study involves the creation,
  use or disclosure of PHI, THEN researcher must:
   » Seek HIPAA authorization from subjects
   » Obtain waiver of authorization from Privacy Board
• To use PHI created PRIOR to April 14, 2003 must
  obtain HIPAA-compliant authorization, waiver of
  authorization from IRB/Privacy Board or meet other
  HIPAA exception




 Step 7: Watch Out for Transition Issues
                (cont.)

• If researcher has obtained informed consent, legal
  authorization or IRB waiver of informed consent for
  “future unspecified research,” such “approval” may
  be relied on to conduct the research post-HIPAA.
• May want to require additional HIPAA “PHI
  pathway” to be satisfied, especially in the case of
  databases




         Step 8: Comply with HIPAA
        Administrative Requirements
• Policies and Procedures needed to comply with HIPAA
  research requirements include:
   » Authorization/Informed Consent
   » Processing of Waivers of Authorization
   » Review Requests to Access PHI for Preparatory
     Research, Decedent Research and Limited Data Set
   » De-identification
   » Subject Recruitment
   » Individual Rights (Accounting Requirement)
• Document Retention (for 6 years)


   Step 9: Evaluate Business Associate
                  Issues
• Only BA if performing service or TPO function on behalf of
  covered entity requiring access to PHI (e.g., compliance
  monitor for hospital)
• IRB could be a business associate, depending upon the
  relationship to the covered entity
• BA agreement can be stand-alone or part of larger contract
• Must include:
   »   Restrictions on how PHI may be used or disclosed
   »   Promise to protect the PHI
   »   Promise to return PHI at end of contract
   »   Assurance to make PHI available for compliance

        Step 10: Seek HIPAA Training
         For IRB Members and Staff
• Compliance requires awareness and understanding
  of HIPAA requirements
• Business Associates will be contractually bound to
  comply with HIPAA
• Even if not Covered Entity or Business Associate,
  HIPAA sensitivity necessary:
   » Covered Entities are PHI Sources and they are
     required to ensure HIPAA compliance
   » Enforcement of HIPAA penalties subject to
     interpretation
   » Civil liability may be incurred for breach of privacy

                         The
                         END


Research at the University of
    Wisconsin-Madison
          Beth DeLair R.N., J.D.
  Assistant General Counsel and HIPAA
             Privacy Officer
  University of Wisconsin Hospital & Clinics
           ce.delair@hosp.wisc.edu
                (608) 262-4926
      UW-Madison Research
          Structure
• Human Subjects Department
   – Responsible for coordinating all research
     activities
• “5” Campus IRBs—All IRBs are responsible for
  knowing and applying HIPAA requirements
   – IRB Policy Committee
     • Provides oversight
     • Establishes policy
     • Does not review protocols
  – Health Sciences IRB
     • Reviews all protocols involving medical intervention
   UW-Madison Research
       Structure
– Social behavior sciences IRB
   • Reviews all protocols involving human subjects by
     social sciences researchers
   • Some protocols involve “pseudo intervention” such
     as blood draws or placement of electrodes
– Education IRB
   • Reviews all protocols involving research into
     educational processes


   UW-Madison Research
       Structure
– Minimal Risk IRB—established spring of 2003
  • Reviews protocols involving PHI that do not involve
    medical intervention (e.g. retrospective medical
    records review)
  • Reviews protocols that may not involve PHI and are
    “minimal” risk
  • Overflow IRB




           Research and Training
• Potential researchers
   –   PHD and MD researchers
   –   Pharmacists, nurses
   –   Medical, nursing, and pharmacy students
   –   Visiting professors
• Training
   – UW web based training module
   – Communication with departments
   – Web resource
        • www.wisc.edu/hipaa/ResearchGuide/index.html

      Policies and Procedures
• Maintenance of personal databases
  – Permitted but must be registered with UW
    Privacy Officer
      • Security of database must be described and verified
      • Registration must be proved with protocol submission
• Requests for info
  – Must provide copy of IRB approval or
    “certificate(s)” before PHI will be provided
    from UWHC
      Policies and Procedures
• Preparatory to research activities
   – Defined as
      • The development of research questions
      • The determination of study feasibility including the number,
        availability and eligibility of potential participants
      • The development of eligibility criteria
   – Must complete “Preparatory to Research
     Certification” form and file with UW Privacy
     Officer
      • Must be completed initially, and then periodically (e.g. every
        one or two years)

      Policies and Procedures
• Research on decedents’ info
  – Defined as
      • Research involving solely decedents or research
        involving primarily decedents’ PHI—in other
        words the research must target decedents
   – Must complete “Research on Decedents
     Certification” form and file with UW Privacy
     Officer on a “per protocol” basis


      Policies and Procedures
• Waiver of authorization:
  – Must be submitted with application
  – IRB evaluates descriptions of how PHI will be
    secured
  – IRB determination whether conducting research
    is impracticable
     • Number of individuals whose PHI must be used or disclosed
     • Difficulty in obtaining authorization, including cost and
       necessary resources
     • Time involved in obtaining
     • Time since last contact with patient
     Policies and Procedures
• De-identified information
  – Not useful in research
     • At minimum need dates, regional information
     • Cannot verify de-identified information
  – UW will frequently utilize LDS




      Policies and Procedures
• Right to request access to and amendment of
  research records
   – Have not yet determined the interface between
     research records and medical records—often
     they overlap
• Right to an accounting of disclosures
   – As applicable, each researcher logs relevant
     information
   – ACE members inform UW Privacy Officer of
     request
   – UW Privacy Officer contacts researcher and
      Policies and Procedures
• Research vs. quality assurance activities
  – Definitions
      • Research – contributes to generalizable knowledge
      • Quality assurance – contributes to the internal knowledge and
        practice of the organization conducting the activity
   – Conflicted community and academic standards
      • Regulations seem to require intent to publish or present
      • Bioethics community believes there are ethical issues in QA
        that mirror the ethical issues in research



				