A Road Map to Research at Jefferson: HIPAA Privacy and Security Rules for Researchers Presented By: Privacy Officer/Office of Legal Counsel October 2015


Page 1: A Road Map to Research at Jefferson: HIPAA Privacy and Security Rules for Researchers Presented By: Privacy Officer/Office of Legal Counsel October 2015.

A Road Map to Research at Jefferson: HIPAA Privacy and Security Rules for Researchers

Presented By: Privacy Officer/Office of Legal Counsel, October 2015

Page 2

Introduction

The HIPAA Privacy Rule establishes the conditions under which Covered Entities can provide researchers access to and use of protected health information for research purposes.

The HIPAA Privacy Rule does not replace or act in lieu of other federal regulations, such as the HHS Protection of Human Subjects regulations and the FDA Protection of Human Subjects regulations.

Research is defined under the HIPAA Privacy Rule as: “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge.”

Page 3

HIPAA Privacy Rule

• Covered Entity: a health plan, a health care provider, or a health care clearinghouse that electronically transmits any health information in connection with transactions for which HHS has adopted standards.

• Protected Health Information (PHI): information that
  – relates to the past, present, or future physical or mental condition of an individual; the provision of health care to an individual; or payment for care provided to an individual;
  – is transmitted or maintained in any form (electronic, paper, or oral representation); and
  – identifies, or can be used to identify, the individual.

Page 4

How Can Covered Entities Use and Disclose PHI for Research and Comply with the HIPAA Privacy Rule?

1. De-identified health information, as described in the Privacy Rule, is not PHI, and thus is not protected by the Privacy Rule.

2. PHI may be used and disclosed for research WITH an individual’s written permission.

3. PHI may be used and disclosed for research WITHOUT an Authorization in limited circumstances: (a) under a waiver of the Authorization requirement; (b) for research on decedents’ information; (c) preparatory to research; and (d) as a limited data set with a data use agreement.

Page 5

Request for Information from a Covered Entity

Scenario #1: A sponsor has asked you for information to determine if Jefferson has a sufficient number of patients with a specific diagnosis to conduct a study at Jefferson. How do you proceed?

• Why is the information needed?
• What type of information is needed to make this determination?
• Is PHI needed?
• Is de-identified information needed?
• Is an approved IRB study needed to request de-identified information?
• To whom and how is the request made?

Page 6

Request for Information from a Covered Entity

Scenario #2: The PI is considering conducting a study. The PI would like to review potential subjects’ PHI before submitting a protocol to the IRB. How do you proceed?

• Why is the information needed?
• What type of information is needed?
• Is PHI needed?
• Is IRB approval needed before the review may be conducted?
• To whom and how is the request for PHI made?

Hint: See OHR-29, Review Preparatory to Research Request Form.

Page 7

Request for Information from a Covered Entity

Scenario #3: The PI is conducting a clinical trial. Patient data needs to be obtained from the patients’ EMRs. How do you proceed?

• Why is the information needed?
• What type of information is needed?
• Is IRB approval needed before study coordinators are permitted to access patients’ EMRs?
• Is a signed Research Informed Consent Form needed?
• Are copies of relevant sections of the patients’ EMRs permitted to be made?

Hint: See Jefferson Policy No. 110.19, “Access to JUP Electronic Records by Research Coordinators for Research Purposes”.

Page 8

Minimum Necessary Restriction

• With some exceptions, the HIPAA Privacy Rule minimum necessary requirements apply.

• Researchers should only secure the minimum information necessary to achieve the research purpose.

Page 9

How do we protect PHI when conducting Research?

• Maintain the privacy and security of research documents.

• When you talk about patients/subjects as part of your research, try to prevent others from overhearing the conversation. Hold conversations in private areas; do not discuss patients in public areas.

• Do not leave PHI unattended.

• Remove patient/subject documents from faxes/copiers as soon as you can.

• When you throw away documents containing PHI, dispose of them properly, e.g. by shredding.

• Never remove the patient’s official medical record from a Covered Entity.

• Do not leave PHI where your family members or other unauthorized individuals may see it.

Page 10

How do we protect e-PHI when conducting Research?

• Never use anyone else’s log-on, or a computer someone else is logged on to. Do not share passwords.

• Never download PHI onto personal laptops or PDAs.

• Never leave PHI unattended.

• Never “blog” disclosing PHI.

• Do use automatic locks on laptop computers and PDAs.

• Do log off each time you finish using a computer.

• Do purge PHI from devices as soon as possible.

• Do use secure networks for e-mails containing PHI, and add a confidentiality disclaimer to the footer of such e-mails.

• Do provide for confidential sending and receipt of faxes that contain PHI and other confidential information.

Page 11

Mandatory Breach Notification

• The HITECH Act applies to breaches of “unsecured protected health information”

• Information must be encrypted or destroyed in order to be considered “secured”

• If you suspect a breach has occurred, promptly notify your immediate supervisor.

• If a breach has occurred, reporting requirements must be satisfied.

• See Jefferson Policy No. 122.37, “Mandatory Reporting, Investigation and Notification of Breaches of Health or Personal Information”.

Page 12

HITECH: What Constitutes a Breach?

A “breach” is an impermissible acquisition, access, use or disclosure not permitted by the HIPAA Privacy or Security Rules. Examples include:

• Laptop containing PHI is stolen

• Researcher who is not authorized to access PHI looks through patient files in order to learn of a person’s treatment

• Researcher misplaces research documents with study subject PHI

• Researcher sends study subject information including PHI to the wrong sponsor

• Researcher sends sponsor more PHI than stated in Informed Consent Form

• Research office theft results in stolen PHI

Page 13

Penalties for Violations

• A violation of federal regulations can result in civil money penalties or criminal penalties.

• Penalties can be imposed for the underlying HIPAA Privacy Rule violation even if the breach is properly handled.

Page 14

Conclusion

If you have questions, please feel free to contact Doreen Kornrumpf, Privacy Officer/Legal Counsel.