Post on 03-Jan-2016
RESEARCH PRIVACY AND HIPAA
With:
S. Joseph Austin, JD, LL.M, Regulatory Coordinator
Jan Hewett, JD, BSN, Director, IRBMED
Robin Sedman, MAEd, MSN, Senior Associate Regulatory Analyst
Lauren Shellenberger, JD, RN, Director, Compliance Policy & Education
Alan Sugar, MD, Co-Chair, IRBMED
Moderated by: Jennifer Galland, MHA, Board Member, IRBMED
October 18, 2011
2:00 to 4:00
CVC Danto Auditorium
I. IRBMED
II. Privacy Board
III. HIPAA
IV. Protected Health Information
V. Authorization
VI. Waiver of HIPAA Authorization
VII. Certification Preparatory to Research
VIII. Decedents
IX. De-Identified Data Sets
X. Limited Data Sets
Institutional Review Boards of the University of Michigan Medical School (IRBMED)
http://www.med.umich.edu/irbmed/
IRBMED: Structure
Director: Jan Hewett
Office Manager: Lisa Kiel
Support Staff: Maria Camilleri, Colleen Bouton, Patti Meredith
Coordinators: Pat Gordon (eResearch), Georgia Marvin (Compliance)
Review Teams: A1, A2, B1, B2, C1
Expedited Reviewer: Jennifer Galland
Education: Joseph Austin (Senior Education & Regulatory), Brian Seabolt (Technical Writer), Monica Stiddom (Education)
IRBMED: Structure (Review Teams)
A1: Gwendolyn Young, Ann Dillon, Cheryl Jamnick
A2: Robin Sedman, Carol Hutsko, Zan Daley
B1: Rosalind Fantone, Lark Speyer, Nora Coury
B2: Derrick Mann, Cecilia Brenner, Aaron Rankin
C1: Faith Penix, Kara Rumsey, Wendy Ulmer
Department assignments (five lists, as laid out on the slide):
Behavioral Medicine (AP), Complementary Medicine (CAM), Family Medicine, Graduate Medical Education, Internal Medicine (see also B1/C1), Pediatrics, Psychology, Genetics / Neuro-Psych (AP), Public Health, Radiology, Radiology Devices, Social Work / Social Sciences
Geriatrics, Kinesiology, Neurology, Neurosurgery, Obstetrics & Gynecology, Ophthalmology, Otolaryngology, Pathology, Physical Medicine and Rehabilitation, Surgery (General, Orthopedic, Head & Neck, Pediatric, Plastic, Vascular)
Allergy (AP), Anesthesiology / Pain (AP), Dentistry / Surgical (AP), Dermatology (AP), Emergency Medicine, Gastroenterology (AP), Hepatic / Pancreatic (AP), Hematology (excl. cooperative studies), Infectious Disease (AP), HIV/AIDS, Nursing, Pharmacy, Urology (Surg & Onc), Radiology Oncology
Cardiac Electrophys (AP), Cardiology (AP), Cardio-Thoracic Surgery (AP), Endocrin / Metabolism (AP), Genetics/Microbiology, Hypertension (AP), Nephrology (AP), Pulmonology (AP), Rheumatology, Transplant (AP) (Heart, Lung, Kidney, Liver)
Oncology / Cancer (AP), Bone Marrow Transplant, Pediatric Surgical Departments (exclude Urology), Hem/Onc, Medical Oncology, CTO Studies
PRIVACY BOARD: Responsibility
The Privacy Board oversees research aspects of HIPAA.
The Compliance Office oversees clinical aspects of HIPAA.
PRIVACY BOARD: Members
Chair: Alan Sugar, MD
Members: Fran Lyman, MLS; Duke Morrow, DMin; Michael Paschke, MA; Joy Stair, MS, RN
Coordinator: S. Joseph Austin, JD, LL.M
HIPAA: Basics
HIPAA is the Health Insurance Portability and Accountability Act.
Purpose:
Protect the privacy of individuals’ personal health information.
Provide physical and electronic security for PHI.
Simplify billing.
Provide rights for patients regarding access to and use of their medical information.
HIPAA: Authorizations
A HIPAA Authorization is signed permission from an individual that allows that individual’s PHI to be used or disclosed for reasons other than Treatment, Payment or Healthcare Operations (TPO purposes).
The Authorization must include:
A description of the PHI to be used/disclosed.
Who will make the disclosure.
To whom the disclosure will be made.
An expiration date.
The purpose of the disclosure.
Note: An individual may revoke a signed authorization at any time.
PROTECTED HEALTH INFORMATION: Defined
Protected Health Information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as treatment, payment, or operations.
Note: PHI may be in any form or media, including electronic, paper, or oral.
PROTECTED HEALTH INFORMATION: HIPAA
HIPAA regulations allow researchers to access and use PHI when necessary to conduct research.
However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for healthcare services, such as treatment, payment, or operations.
Examples:
PHI is used in research studies when researchers will access existing medical records for research information.
Studies that create new medical information because a health care service is being performed as part of research, such as diagnosing a health condition or using a new drug or device for treating a health condition.
PROTECTED HEALTH INFORMATION: Individually Identifiable Health Information
Individually identifiable health information is information (including demographic information) that is related to at least one of the following three:
The past, present, or future physical or mental health or condition of the individual.
The health care provided to the individual.
The past, present, or future payment for health care provided to the individual.
AND
Either identifies the individual or there is a reasonable basis to believe that the information could be used to identify the individual.
PROTECTED HEALTH INFORMATION: Identifiers
PHI includes the following:
Names
Geographic subdivisions smaller than a state
Dates directly related to the individual, except year
All ages over 89 and/or dates indicating an age over 89
Telephone numbers
Fax numbers
Email addresses
Social security numbers
Medical record numbers
Health plan numbers
Account numbers
Certificate or license numbers
Vehicle identification/serial numbers, including license plate numbers
Device identification/serial numbers
Universal Resource Locators (URLs)
Internet protocol (IP) addresses
Biometric identifiers, including finger and voice prints
Full face photographs and comparable images
Any unique identifying number, code, or other similar information
PROTECTED HEALTH INFORMATION: Use v. Disclosure
“Use” refers to the access, sharing, and utilization of PHI within the Covered Entity.
“Disclosure” refers to the sharing of PHI to individuals and entities outside of the Covered Entity.
PROTECTED HEALTH INFORMATION: Covered v. Not Covered
PHI does not, however, cover employment records that a covered entity maintains in its capacity as an employer.
PHI may also not include education and certain other records subject to the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
PROTECTED HEALTH INFORMATION: Re-Identification
Additional standards exist to protect an individual's privacy from re-identification.
Any code used to replace the identifiers in datasets cannot be derived from information related to the individual.
For example, a subject's initials cannot be used to code their data because the initials are derived from their name.
Also, the method used to derive the codes may not be disclosed.
Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from the remaining identifiers.
WAIVER OF HIPAA AUTHORIZATION: Types of Applications
There are three types of applications that require a Waiver of Authorization:
Regulated Studies, when simultaneously requesting a Waiver of Informed Consent OR a Waiver of Documentation of Informed Consent.
Exempt Studies, when accessing PHI.
Non-Regulated Studies, when accessing PHI.
Note: Requests for a Waiver for Regulated studies may be granted by the Full Board or by expedited review. Waivers for Exempt or Non-Regulated studies may be granted by the Full Board, expedited review, or by the Privacy Board.
WAIVER OF INFORMED CONSENT: Criteria
Waivers should only be granted for studies where the study team will access PHI if the following are met:
There is no more than minimal risk to the privacy of the individuals.
The research could not practicably be conducted without the waiver of consent or waiver of documentation of consent.
The research could not practicably be conducted without the requested use or disclosure of PHI.
Whenever appropriate, the subjects will be provided with additional pertinent information after participation.
WAIVER OF HIPAA AUTHORIZATION: Criteria
There is an adequate plan in place to protect patient identifiers and PHI from improper use and disclosure.
There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a Privacy Review Board-approved health or research justification for retaining the identifiers or such retention is otherwise required by law.
There are adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure would be permitted by HIPAA.
The Waiver or Alteration of Authorization will not adversely affect the rights and welfare of the subjects.
The research could not practicably be conducted without the Waiver or Alteration of Authorization.
The research could not practicably be conducted without access to and use of the PHI.
Whenever appropriate, the subjects (including their physicians, as applicable) are provided with additional pertinent information after participation.
Where the Principal Investigator anticipates the disclosure of PHI outside the Covered Entity (as that may be determined from time to time), the Principal Investigator must account for each disclosure and retain records of such disclosures.
WAIVER OF HIPAA AUTHORIZATION: eResearch Application
The study team will need to complete Sections 25-1 and 25-2 for a Waiver of HIPAA Authorization.
Note: eResearch logic does not always force these sections; they are, however, necessary.
The study team will need to complete Section 25-1 and the following when applicable:
Section 25-3 when “Preparatory to Research”
Section 25-4 when “Limited Data Set”
Section 25-5 when “Deidentified Data Set”
Section 25-6 when “Decedents”
CERTIFICATION PREPARATORY TO RESEARCH
Projects that are preparatory to research are not regulated under the Common Rule.
However, when researchers will be accessing Protected Health Information (PHI) to assess the feasibility of a research project, the activities are subject to HIPAA.
To ensure compliance with HIPAA, the project will need to be reviewed by the Privacy Board.
In order to use PHI for purposes preparatory to research, the researcher will need to affirm the following:
The use or disclosure of the PHI is solely to prepare to conduct research.
None of the PHI will be removed from the covered entity.
Access to the PHI is necessary for the research purpose.
Importantly, researchers may not record identifiers and may not use the accessed information in order to identify or recruit subjects for the study.
Researchers should complete a Not-Regulated application through eResearch.
As part of the submission, the researcher will need to complete Sections 25-1 and 25-3 of the application.
The completed application will then be reviewed by the Privacy Board.
DECEDENTS: Basics
Research involving decedents is not regulated under the Common Rule.
However, when researchers will be accessing Protected Health Information (PHI) in order to create a limited data set, the activities are subject to HIPAA.
To ensure compliance with HIPAA, the project will need to be reviewed by the Privacy Board.
DECEDENTS: Criteria
In order to use the PHI of decedents for research purposes, the researcher will need to affirm:
The use or disclosure being sought is solely for research on the PHI of decedents.
The PHI being sought is necessary for the research.
At the request of the covered entity, the researcher will be able to provide documentation of the death of the individuals about whom information is being sought.
DECEDENTS: Process
Researchers should complete a Not-Regulated application through eResearch.
As part of the submission, the researcher will need to complete Sections 25-1 and 25-6 of the application.
The completed application will then be reviewed by the Privacy Board.
DE-IDENTIFIED DATA SETS: Definition
A de-identified data set is a data set that meets both of the following:
Does not identify any individual that is a subject of the data.
Does not provide any reasonable basis for identifying any individual that is a subject of the data.
DE-IDENTIFIED DATA SETS: Methods for De-Identification
There are two methods for de-identifying information:
The removal of certain identifiers
The statistical method
DE-IDENTIFIED DATA SETS: Removal of Identifiers
Under the first method, the identifiers that must be removed include the following:
Names
Geographic subdivisions smaller than a state
Dates directly related to the individual, except year
All ages over 89 and/or dates indicating an age over 89
Telephone numbers
Fax numbers
Email addresses
Social security numbers
Medical record numbers
Health plan numbers
Account numbers
Certificate or license numbers
Vehicle identification/serial numbers, including license plate numbers
Device identification/serial numbers
Universal Resource Locators (URLs)
Internet protocol (IP) addresses
Biometric identifiers, including finger and voice prints
Full face photographs and comparable images
Any unique identifying number, code, or other similar information
DE-IDENTIFIED DATA SETS: Statistical Method
An individual with knowledge of and experience with generally accepted statistical and scientific methods for rendering information not individually identifiable must provide certification that the data is de-identified.
The individual should find that the risk is very small that the information could be used (either alone or in combination with other reasonably available information) to identify any individual who is a subject of the data.
Additionally, the methods and results of the analysis must be documented.
DE-IDENTIFIED DATA SETS: Creating a De-Identified Data Set
Research involving a de-identified data set is not regulated under the Common Rule.
However, when researchers will be accessing PHI in order to create a de-identified data set, the activities are subject to HIPAA.
To ensure compliance with HIPAA, the project will need to be reviewed by the Privacy Board.
DE-IDENTIFIED DATA SETS: Using a De-Identified Data Set
Pre-existing, de-identified data sets are not subject to the requirements of the HIPAA Privacy Rule since they do not include individually identifiable information.
However, in order to ensure compliance with HIPAA, the project should be reviewed by the Privacy Board.
LIMITED DATA SETS: Basics
A limited data set is a distinct category of protected health information (PHI) where certain identifiers have been removed.
Importantly, these identifiers must have been removed for the individuals as well as their relatives, household members, and employers (when applicable).
LIMITED DATA SETS: Removed Identifiers
The identifiers that must be removed include the following:
Names
Postal address information other than town/city, state, and zip code
Telephone numbers
Fax numbers
Email addresses
Social Security number
Medical record numbers
Vehicle identification/serial numbers, including license plate numbers
Health plan numbers
Account numbers
Certificate or license numbers
Device identification/serial numbers
Universal Resource Locators (URLs)
Internet Protocol (IP) addresses
Biometric identifiers, including finger and voice prints
Full face photographs and comparable images
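As an added example (not code from the presentation or from IRBMED), the Python below applies the removal-of-identifiers list from the De-Identified Data Sets slides and the shorter removal list from the Limited Data Sets slide to one constructed patient record, and assigns a random re-identification code that is not derived from the individual, as the Re-Identification slide requires. The field names, the sample record and the reference date are assumptions made for the example.

```python
import secrets
from datetime import date

# Constructed field names standing in for the identifier categories on the slides.
# Removed under both the Safe Harbor list and the limited data set list:
COMMON_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vin", "device_serial", "url", "ip", "biometric", "photo",
}
# Safe Harbor also removes geography below state level and subject dates;
# a limited data set may keep town/city, state, zip code and dates.
SAFE_HARBOR_ONLY = {"city", "zip"}
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date"}
REF_DATE = date(2011, 10, 18)  # assumed reference date for the age check (the talk date)

def code_is_derived(code: str, record: dict) -> bool:
    """Flag a code built from the subject's own data, e.g. initials or an MRN fragment."""
    initials = "".join(w[0] for w in record.get("name", "").split()).upper()
    if initials and code.upper().startswith(initials):
        return True
    return any(len(str(v)) >= 6 and str(v) in code
               for k, v in record.items() if k in COMMON_IDENTIFIERS)

def strip_identifiers(record: dict, mode: str, today: date = REF_DATE) -> dict:
    """Copy of record as a de-identified set ("safe_harbor") or a limited data set ("limited")."""
    if mode not in ("safe_harbor", "limited"):
        raise ValueError("mode must be 'safe_harbor' or 'limited'")
    drop = COMMON_IDENTIFIERS | (SAFE_HARBOR_ONLY if mode == "safe_harbor" else set())
    out = {}
    for key, value in record.items():
        if key in drop:
            continue
        if key in DATE_FIELDS and mode == "safe_harbor":
            out[key[:-5] + "_year"] = int(str(value)[:4])  # birth_date -> birth_year, year only
            continue
        out[key] = value
    if mode == "safe_harbor" and "birth_year" in out:
        age = today.year - out["birth_year"]  # year-level approximation is enough here
        if age > 89:  # ages over 89, and years implying them, are themselves identifiers
            out["age"], out["birth_year"] = "90+", None
        else:
            out["age"] = age
    # Random code; initials or any value taken from the subject would not be acceptable
    out["research_id"] = secrets.token_hex(8)
    if code_is_derived(out["research_id"], record):
        raise RuntimeError("generated code overlaps an identifier; regenerate")
    return out

PATIENT = {  # constructed sample record, not real data
    "name": "Jane Q Sample", "street": "1 Example Ln", "city": "Ann Arbor", "state": "MI",
    "zip": "48109", "birth_date": "1919-03-02", "admit_date": "2011-09-30",
    "mrn": "00012345", "email": "jane@example.org", "diagnosis": "I10",
}
```

The mapping from the research code back to the record, if one is kept, belongs in a separately protected key table; the code itself carries nothing about the subject.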
LIMITED DATA SETS: Data Use Agreements
A limited data set may be used and disclosed for research purposes, as well as for health care operations and public health purposes.
Before any such use, however, the recipient must enter into a data use agreement.
The agreement guarantees that certain measures will be taken to safeguard the PHI.
LIMITED DATA SETS: Creating a Limited Data Set
Research involving a limited data set is not regulated under the Common Rule.
However, when researchers will be accessing PHI in order to create a limited data set, the activities are subject to HIPAA.
To ensure compliance with HIPAA, the project will need to be reviewed by the Privacy Board.
LIMITED DATA SETS: Using a Limited Data Set
Research using a pre-existing limited data set is not regulated under the Common Rule.
However, in order to ensure compliance with HIPAA, the project should be reviewed by the Privacy Board.
In order to use a limited data set, the recipient of the data must first enter into a data use agreement.
After the agreement is finalized, a Not-Regulated application should be completed through eResearch.