RESEARCH PRIVACY AND HIPAA With S. Joseph Austin, JD, LL.M, Regulatory Coordinator Jan Hewett, JD, BSN, Director, IRBMED Robin Sedman, MAEd, MSN, Senior Associate Regulatory Analyst Lauren Shellenberger, JD, RN, Director, Compliance Policy & Education Alan Sugar, MD, Co-Chair, IRBMED Moderated by: Jennifer Galland, MHA, Board Member, IRBMED


Page 1: RESEARCH  PRIVACY  AND HIPAA With

RESEARCH PRIVACY AND HIPAA

With

- S. Joseph Austin, JD, LL.M, Regulatory Coordinator
- Jan Hewett, JD, BSN, Director, IRBMED
- Robin Sedman, MAEd, MSN, Senior Associate Regulatory Analyst
- Lauren Shellenberger, JD, RN, Director, Compliance Policy & Education
- Alan Sugar, MD, Co-Chair, IRBMED

Moderated by: Jennifer Galland, MHA, Board Member, IRBMED

October 18, 2011, 2:00 to 4:00, CVC Danto Auditorium

Page 2: RESEARCH  PRIVACY  AND HIPAA With

I. IRBMED
II. Privacy Board
III. HIPAA
IV. Protected Health Information
V. Authorization
VI. Waiver of HIPAA Authorization
VII. Certification Preparatory to Research
VIII. Decedents
IX. De-Identified Data Sets
X. Limited Data Sets

Page 3: RESEARCH  PRIVACY  AND HIPAA With

Institutional Review Boards of the University of Michigan Medical School (IRBMED)

http://www.med.umich.edu/irbmed/

Page 4: RESEARCH  PRIVACY  AND HIPAA With

IRBMED: Structure

Director: Jan Hewett

Office Manager: Lisa Kiel

Support Staff: Maria Camilleri, Colleen Bouton, Patti Meredith

Coordinators: Pat Gordon, eResearch; Georgia Marvin, Compliance

Review Teams: A1, A2, B1, B2, C1

Expedited Reviewer: Jennifer Galland

Education & Regulatory: Joseph Austin, Senior Education & Regulatory; Brian Seabolt, Technical Writer; Monica Stiddom, Education

Page 5: RESEARCH  PRIVACY  AND HIPAA With

IRBMED: Structure

Review team members:

- A1: Gwendolyn Young, Ann Dillon, Cheryl Jamnick
- A2: Robin Sedman, Carol Hutsko, Zan Daley
- B1: Rosalind Fantone, Lark Speyer, Nora Coury
- B2: Derrick Mann, Cecilia Brenner, Aaron Rankin
- C1: Faith Penix, Kara Rumsey, Wendy Ulmer

Departments assigned to the review teams, as listed in the slide's five columns:

- Behavioral Medicine (AP); Complementary Medicine (CAM); Family Medicine; Graduate Medical Education; Internal Medicine (see also B1/C1); Pediatrics; Psychology; Genetics / Neuro-Psych (AP); Public Health; Radiology; Radiology Devices; Social Work / Social Sciences
- Geriatrics; Kinesiology; Neurology; Neurosurgery; Obstetrics & Gynecology; Ophthalmology; Otolaryngology; Pathology; Physical Medicine and Rehabilitation; Surgery (General, Orthopedic, Head & Neck, Pediatric, Plastic, Vascular)
- Allergy (AP); Anesthesiology / Pain (AP); Dentistry / Surgical (AP); Dermatology (AP); Emergency Medicine; Gastroenterology (AP); Hepatic / Pancreatic (AP); Hematology (excl. cooperative studies); Infectious Disease (AP); HIV/AIDS; Nursing; Pharmacy; Urology (Surg & Onc); Radiology Oncology
- Cardiac Electrophys (AP); Cardiology (AP); Cardio-Thoracic Surgery (AP); Endocrin / Metabolism (AP); Genetics/Microbiology; Hypertension (AP); Nephrology (AP); Pulmonology (AP); Rheumatology; Transplant (AP) (Heart, Lung, Kidney, Liver)
- Oncology / Cancer (AP); Bone Marrow Transplant; Pediatric Surgical Departments (exclude Urology); Hem/Onc; Medical Oncology; CTO Studies

Page 6: RESEARCH  PRIVACY  AND HIPAA With

Privacy Board

Page 7: RESEARCH  PRIVACY  AND HIPAA With

PRIVACY BOARD: Responsibility

Privacy Board oversees research aspects of HIPAA.

Compliance Office oversees clinical aspects of HIPAA.

Page 8: RESEARCH  PRIVACY  AND HIPAA With

PRIVACY BOARD: Members

Chair: Alan Sugar, MD

Members: Fran Lyman, MLS; Duke Morrow, DMin; Michael Paschke, MA; Joy Stair, MS, RN

Coordinator: S. Joseph Austin, JD, LL.M

Page 9: RESEARCH  PRIVACY  AND HIPAA With

HIPAA

Page 10: RESEARCH  PRIVACY  AND HIPAA With

HIPAA: Basics

HIPAA is the Health Insurance Portability and Accountability Act.

Purpose:

- Protect the privacy of individuals' personal health information.
- Provide physical and electronic security for PHI.
- Simplify billing.
- Provide rights for patients regarding access to and use of their medical information.

Page 11: RESEARCH  PRIVACY  AND HIPAA With

HIPAA: Authorizations

A HIPAA Authorization is signed permission from an individual that allows that individual's PHI to be used or disclosed for reasons other than Treatment, Payment or Healthcare Operations (TPO purposes).

The Authorization must include:

- A description of the PHI to be used/disclosed.
- Who will make the disclosure.
- To whom the disclosure will be made.
- An expiration date.
- The purpose of the disclosure.

Note: An individual may revoke a signed authorization at any time.

Page 12: RESEARCH  PRIVACY  AND HIPAA With

Protected Health Information (PHI)

Page 13: RESEARCH  PRIVACY  AND HIPAA With

PROTECTED HEALTH INFORMATION: Defined

Protected Health Information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as treatment, payment, or operations.

Note: PHI may be in any form or media, including electronic, paper, or oral.

Page 14: RESEARCH  PRIVACY  AND HIPAA With

PROTECTED HEALTH INFORMATION: HIPAA

HIPAA regulations allow researchers to access and use PHI when necessary to conduct research.

However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for healthcare services, such as treatment, payment, or operations.

Examples:

- PHI is used in research studies when researchers will access existing medical records for research information.
- Studies that create new medical information because a health care service is being performed as part of research, such as diagnosing a health condition or using a new drug or device for treating a health condition.

Page 15: RESEARCH  PRIVACY  AND HIPAA With

PROTECTED HEALTH INFORMATION: Individually Identifiable Health Information

Individually identifiable health information is information (including demographic information) that is related to at least one of the following three:

- The past, present, or future physical or mental health or condition of the individual.
- The health care provided to the individual.
- The past, present, or future payment for health care provided to the individual,

AND

either identifies the individual or there is a reasonable basis to believe that the information could be used to identify the individual.

Page 16: RESEARCH  PRIVACY  AND HIPAA With

PROTECTED HEALTH INFORMATION: Identifiers

PHI includes the following:

- Names
- Geographic subdivisions smaller than a state
- Dates directly related to the individual, except year
- All ages over 89 and/or dates indicating an age over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan numbers
- Account numbers
- Certificate or license numbers
- Vehicle identification/serial numbers, including license plate numbers
- Device identification/serial numbers
- Universal Resource Locators (URLs)
- Internet protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full face photographs and comparable images
- Any unique identifying number, code, or other similar information

Page 17: RESEARCH  PRIVACY  AND HIPAA With

PROTECTED HEALTH INFORMATION: Use v Disclosure

"Use" refers to the access, sharing, and utilization of PHI within the Covered Entity.

"Disclosure" refers to the sharing of PHI with individuals and entities outside of the Covered Entity.

Page 18: RESEARCH  PRIVACY  AND HIPAA With

PROTECTED HEALTH INFORMATION: Covered v Not Covered

PHI does not, however, cover employment records that a covered entity maintains in its capacity as an employer.

PHI may also not include education and certain other records subject to the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

Page 19: RESEARCH  PRIVACY  AND HIPAA With

PROTECTED HEALTH INFORMATION: Re-Identification

Additional standards exist to protect an individual's privacy from re-identification.

Any code used to replace the identifiers in datasets cannot be derived from information related to the individual.

For example, a subject's initials cannot be used to code their data because the initials are derived from their name.

Also, the method used to derive the codes may not be disclosed.

Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from the remaining identifiers.

Page 20: RESEARCH  PRIVACY  AND HIPAA With

Waiver of HIPAA Authorization

Page 21: RESEARCH  PRIVACY  AND HIPAA With

WAIVER OF HIPAA AUTHORIZATION: Types of Applications

There are three types of applications that require a Waiver of Authorization:

- Regulated Studies, when simultaneously requesting:
  - A Waiver of Informed Consent, OR
  - A Waiver of Documentation of Informed Consent

Page 22: RESEARCH  PRIVACY  AND HIPAA With

WAIVER OF HIPAA AUTHORIZATION: Types of Applications

- Exempt Studies, when accessing PHI
- Non-Regulated Studies, when accessing PHI

Note: Requests for a Waiver for Regulated studies may be granted by the Full Board or by expedited review. Waivers for Exempt or Non-Regulated studies may be granted by the Full Board, expedited review, or by Privacy Board.

Page 23: RESEARCH  PRIVACY  AND HIPAA With

WAIVER OF INFORMED CONSENT: Criteria

For studies in which the study team will access PHI, a waiver should be granted only if all of the following are met:

- There is no more than minimal risk to the privacy of the individuals.
- The research could not practicably be conducted without the waiver of consent or waiver of documentation of consent.
- The research could not practicably be conducted without the requested use or disclosure of PHI.
- Whenever appropriate, the subjects will be provided with additional pertinent information after participation.

Page 24: RESEARCH  PRIVACY  AND HIPAA With

HIPAA: Authorizations

A HIPAA Authorization is signed permission from an individual that allows that individual's PHI to be used or disclosed for reasons other than Treatment, Payment or Healthcare Operations (TPO purposes).

The Authorization must include:

- A description of the PHI to be used/disclosed.
- Who will make the disclosure.
- To whom the disclosure will be made.
- An expiration date.
- The purpose of the disclosure.

Note: An individual may revoke a signed authorization at any time.

Page 25: RESEARCH  PRIVACY  AND HIPAA With

WAIVER OF HIPAA AUTHORIZATION: Criteria

- There is an adequate plan in place to protect patient identifiers and PHI from improper use and disclosure.
- There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a Privacy Review Board-approved health or research justification for retaining the identifiers or such retention is otherwise required by law.
- There are adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure would be permitted by HIPAA.
- The Waiver or Alteration of Authorization will not adversely affect the rights and welfare of the subjects.
- The research could not practicably be conducted without the Waiver or Alteration of Authorization.
- The research could not practicably be conducted without access to and use of the PHI.
- Whenever appropriate, the subjects (including their physicians, as applicable) are provided with additional pertinent information after participation.
- Where the Principal Investigator anticipates the disclosure of PHI outside the Covered Entity (as that may be determined from time to time), the Principal Investigator must account for each disclosure and retain records of such disclosures.

Page 26: RESEARCH  PRIVACY  AND HIPAA With

WAIVER OF HIPAA AUTHORIZATION: eResearch Application

The study team will need to complete Sections 25-1 and 25-2 for a Waiver of HIPAA Authorization.

Note: eResearch logic does not always force these sections; they are, however, necessary.

The study team will need to complete Section 25-1 and the following when applicable:

- Section 25-3 when "Preparatory to Research"
- Section 25-4 when "Limited Data Set"
- Section 25-5 when "Deidentified Data Set"
- Section 25-6 when "Decedents"

Page 27: RESEARCH  PRIVACY  AND HIPAA With

Certification Preparatory to Research

Page 28: RESEARCH  PRIVACY  AND HIPAA With

CERTIFICATION PREPARATORY TO RESEARCH

Projects that are preparatory to research are not regulated under the Common Rule.

However, when researchers will be accessing Protected Health Information (PHI) to assess the feasibility of a research project, the activities are subject to HIPAA.

To ensure compliance with HIPAA, the project will need to be reviewed by the Privacy Board.

Page 29: RESEARCH  PRIVACY  AND HIPAA With

CERTIFICATION PREPARATORY TO RESEARCH

In order to use PHI for purposes preparatory to research, the researcher will need to affirm the following:

- The use or disclosure of the PHI is solely to prepare to conduct research.
- None of the PHI will be removed from the covered entity.
- Access to the PHI is necessary for the research purpose.

Importantly, researchers may not record identifiers and may not use the accessed information in order to identify or recruit subjects for the study.

Page 30: RESEARCH  PRIVACY  AND HIPAA With

CERTIFICATION PREPARATORY TO RESEARCH

Researchers should complete a Not-Regulated application through eResearch.

As part of the submission, the researcher will need to complete Sections 25-1 and 25-3 of the application.

The completed application will then be reviewed by the Privacy Board.

Page 31: RESEARCH  PRIVACY  AND HIPAA With

Decedents

Page 32: RESEARCH  PRIVACY  AND HIPAA With

DECEDENTS: Basics

Research involving decedents is not regulated under the Common Rule.

However, when researchers will be accessing Protected Health Information (PHI) in order to create a limited data set, the activities are subject to HIPAA.

To ensure compliance with HIPAA, the project will need to be reviewed by the Privacy Board.

Page 33: RESEARCH  PRIVACY  AND HIPAA With

DECEDENTS: Criteria

In order to use the PHI of decedents for research purposes, the researcher will need to affirm:

- The use or disclosure being sought is solely for research on the PHI of decedents.
- The PHI being sought is necessary for the research.
- At the request of the covered entity, the researcher will be able to provide documentation of the death of the individuals about whom information is being sought.

Page 34: RESEARCH  PRIVACY  AND HIPAA With

DECEDENTS: Process

Researchers should complete a Not-Regulated application through eResearch.

As part of the submission, the researcher will need to complete Sections 25-1 and 25-6 of the application.

The completed application will then be reviewed by the Privacy Board.

Page 35: RESEARCH  PRIVACY  AND HIPAA With

DE-IDENTIFIED DATA SETS

Page 36: RESEARCH  PRIVACY  AND HIPAA With

De-Identified Data Sets: Definition

A de-identified data set is a data set that meets both of the following:

- Does not identify any individual that is a subject of the data.
- Does not provide any reasonable basis for identifying any individual that is a subject of the data.

Page 37: RESEARCH  PRIVACY  AND HIPAA With

De-Identified Data Sets: Methods for De-Identification

There are two methods for de-identifying information:

The removal of certain identifiers

The statistical method

Page 38: RESEARCH  PRIVACY  AND HIPAA With

DE-IDENTIFIED DATA SETS: Removal of Identifiers

Under the first method, the identifiers that must be removed include the following:

- Names
- Geographic subdivisions smaller than a state
- Dates directly related to the individual, except year
- All ages over 89 and/or dates indicating an age over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan numbers
- Account numbers
- Certificate or license numbers
- Vehicle identification/serial numbers, including license plate numbers
- Device identification/serial numbers
- Universal Resource Locators (URLs)
- Internet protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full face photographs and comparable images
- Any unique identifying number, code, or other similar information

Page 39: RESEARCH  PRIVACY  AND HIPAA With

DE-IDENTIFIED DATA SETS: Statistical Method

An individual with knowledge of and experience with generally accepted statistical and scientific methods for rendering information not individually identifiable must provide certification that the data is de-identified.

The individual should find that the risk is very small that the information could be used (either alone or in combination with other reasonably available information) to identify any individual who is a subject of the data.

Additionally, the methods and results of the analysis must be documented.

Page 40: RESEARCH  PRIVACY  AND HIPAA With

DE-IDENTIFIED DATA SETS: Creating a De-Identified Data Set

Research involving a de-identified data set is not regulated under the Common Rule.

However, when researchers will be accessing PHI in order to create a de-identified data set, the activities are subject to HIPAA.

To ensure compliance with HIPAA, the project will need to be reviewed by the Privacy Board.

Page 41: RESEARCH  PRIVACY  AND HIPAA With

DE-IDENTIFIED DATA SETS: Using a De-Identified Data Set

Pre-existing, de-identified data sets are not subject to the requirements of the HIPAA Privacy Rule since they do not include individually identifiable information.

However, in order to ensure compliance with HIPAA, the project should be reviewed by the Privacy Board.

Page 42: RESEARCH  PRIVACY  AND HIPAA With

LIMITED DATA SETS

Page 43: RESEARCH  PRIVACY  AND HIPAA With

LIMITED DATA SETS: Basics

A limited data set is a distinct category of protected health information (PHI) where certain identifiers have been removed.

Importantly, these identifiers must have been removed for the individuals as well as their relatives, household members, and employers (when applicable).

Page 44: RESEARCH  PRIVACY  AND HIPAA With

LIMITED DATA SETS: Removed Identifiers

The identifiers that must be removed include the following:

- Names
- Postal address information other than town/city, state, and zip code
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security number
- Medical record numbers
- Vehicle identification/serial numbers, including license plate numbers
- Health plan numbers
- Account numbers
- Certificate or license numbers
- Device identification/serial numbers
- Universal Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full face photographs and comparable images
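The de-identified removal list (page 38), the limited data set list above, and the re-identification rule on page 19 differ in a few concrete ways that are easy to get wrong when preparing a data set. This added Python example, which is not part of the presentation, shows them side by side: the sample record, the field names, and the use of the presentation date as the reference date for computing age are all constructed assumptions.

```python
import secrets
from datetime import date

# Constructed sample record; no real patient data. AS_OF is the reference
# date used for computing age (the presentation date, chosen arbitrarily).
AS_OF = date(2011, 10, 18)
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "phone": "555-0100",
    "city": "Ann Arbor",
    "state": "MI",
    "zip": "48109",
    "birth_date": "1920-03-15",
    "visit_date": "2011-10-18",
    "diagnosis": "hypertension",
}

# Identifiers on both removal lists (names, contact details, record numbers).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "email", "phone"}
# A limited data set may keep town/city, state and zip; a de-identified data
# set may keep nothing below the state level.
SUB_STATE_GEOGRAPHY = {"city", "zip"}
DATE_FIELDS = ("birth_date", "visit_date")


def age_on(birth_iso: str, as_of: date) -> int:
    """Completed years between an ISO-8601 birth date and as_of."""
    born = date.fromisoformat(birth_iso)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def strip_identifiers(record: dict, mode: str, as_of: date) -> dict:
    """mode 'limited' builds a limited data set; 'deidentified' applies the
    removal-of-identifiers method for a de-identified data set."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if mode == "limited":
        return out                      # dates and town/city/state/zip stay
    if mode != "deidentified":
        raise ValueError(f"unknown mode: {mode}")
    for field in SUB_STATE_GEOGRAPHY:
        out.pop(field, None)
    age = age_on(record["birth_date"], as_of)
    # Dates are reduced to the year; ages over 89 collapse into one bucket and
    # the birth year is dropped as well, since it would indicate an age over 89.
    out["age"] = "90+" if age > 89 else age
    for field in DATE_FIELDS:
        year = out.pop(field)[:4]
        if not (field == "birth_date" and age > 89):
            out[field.replace("_date", "_year")] = year
    return out


def assign_code(record: dict, codebook: dict) -> str:
    """Random subject code, so it is not derived from the subject (initials or
    a date would be). The codebook linking code to MRN is the only way back
    and is kept apart from the data set."""
    code = secrets.token_hex(8)
    codebook[code] = record["mrn"]
    return code
```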

Page 45: RESEARCH  PRIVACY  AND HIPAA With

LIMITED DATA SETS: Data Use Agreements

A limited data set may be used and disclosed for research purposes, as well as for health care operations and public health purposes.

Before any such use, however, the recipient must enter into a data use agreement.

The agreement guarantees that certain measures will be taken to safeguard the PHI.

Page 46: RESEARCH  PRIVACY  AND HIPAA With

LIMITED DATA SETS: Creating a Limited Data Set

Research involving a limited data set is not regulated under the Common Rule.

However, when researchers will be accessing PHI in order to create a limited data set, the activities are subject to HIPAA.

To ensure compliance with HIPAA, the project will need to be reviewed by the Privacy Board.

Page 47: RESEARCH  PRIVACY  AND HIPAA With

LIMITED DATA SETS: Using a Limited Data Set

Research using a pre-existing limited data set is not regulated under the Common Rule.

However, in order to ensure compliance with HIPAA, the project should be reviewed by the Privacy Board.

In order to use a limited data set, the recipient of the data must first enter into a data use agreement. After the agreement is finalized, a Not-Regulated application should be completed through eResearch.