HIPAA Privacy and Research August 21, 2015 Laura LaCorte Office of Compliance



Regulatory Landscape

• HIPAA/HITECH
  – Federal standards for protecting and securing health information
  – Breach notification requirements
  – HHS Office for Civil Rights (OCR)
• State laws

De-Coding HIPAA

• PHI: Protected Health Information
• Authorization
• Waiver
• LDS: Limited Data Set
• DUA: Data Use Agreement
• De-Identification
• Designated Record Set

Authorization Core Elements

• Description of PHI to be used or disclosed
• The name(s) or other specific identification of person(s) authorized to make the requested use or disclosure
• The name(s) or other specific identification of the person(s) who may use the PHI or to whom the covered entity may make the requested disclosure
• Description of each purpose of the requested use or disclosure
• Authorization expiration date (could be “end of study”)
• Signature of the individual and date. If the Authorization is signed by an individual's personal representative, a description of the representative's authority to act for the individual

Authorization Required Statements

• The individual's right to revoke his/her Authorization in writing, and exceptions
• Notice of the covered entity's ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the Authorization, including research-related treatment, and, if applicable, consequences of refusing to sign the Authorization
• The potential for the PHI to be re-disclosed by the recipient and no longer protected by the Privacy Rule

HIPAA Authorization requirements

HITECH

– Compound authorizations
– Future research
– Decedents research

Steps to Complete Authorization

[Form image: USC HIPAA Authorization form, revision date 11/1/11, with Steps 1–6 marked]

• Step 1: Which providers are releasing health information to the research team? Check all boxes that apply.
• Step 2: Must check one of the two boxes to reflect PHI being used/released.
• Step 3: Must check boxes and have participant sign if using/releasing HIV test results, mental health records or substance abuse records.
• Step 4: Check box if research team intends to use health information for future research purposes.
• Step 5: Must list the PI name and address as contact.
• Step 6: Research Participant, Legal Guardian or Personal Representative must sign and date document BEFORE PHI is used or released.

What if sponsor requests changes?

• Need Office of Compliance written approval
• Submit approval to IRB

Limited Data Set

Protected Health Information that excludes the following direct identifiers:

(i) Names;
(ii) Postal address information, other than town or city, State, and zip code;
(iii) Telephone numbers;
(iv) Fax numbers;
(v) Electronic mail addresses;
(vi) Social security numbers;
(vii) Medical record numbers;
(viii) Health plan beneficiary numbers;
(ix) Account numbers;
(x) Certificate/license numbers;
(xi) Vehicle identifiers and serial numbers, including license plate numbers;
(xii) Device identifiers and serial numbers;
(xiii) Web Universal Resource Locators (URLs);
(xiv) Internet Protocol (IP) address numbers;
(xv) Biometric identifiers, including finger and voice prints; and
(xvi) Full face photographic images and any comparable images.

De-Identification

– ALL of the following identifiers must be removed
– HIPAA privacy rule does not apply if de-identified

• Name/Initials
• Street address, city*, county*, precinct*, zip code*, or equivalent geocodes*
• All elements of dates (except year) directly related to an individual (date of birth, admission date, discharge date, date of death)*
• Elements of date, including year, for persons 90 or older
• Telephone number
• Fax number
• Electronic mail address
• Social Security Number
• Medical record number
• Health plan identification number
• Account number
• Certificate/license number
• Vehicle identifiers and serial numbers, including license plate number
• Device identifiers and serial number
• Web addresses (URLs); Internet IP addresses
• Biometric identifiers, including finger and voice print
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code*

See HIPAA policy for full definition

Designated Record Set

• Relationship to patients' rights
• Why is it important to consider in the research context

• Protected Health Information: Individually identifiable health information in any form or medium that is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

• Authorization: A detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.

• Waiver of Authorization: Permits a covered entity to use or disclose health data for research purposes without an authorization provided certain criteria are met. An IRB or Privacy Board must determine if the waiver criteria are met.

• Limited Data Set: Protected Health Information that excludes specified direct identifiers of individuals or their relatives, employers, or household members and is used for research, public health or health care operations. A “limited data set” may include zip codes, dates of service, dates of birth and death, and geographic information. A limited data set may not be used/released without a Data Use Agreement.

• Data Use Agreement: An agreement entered into by both the covered entity and the researcher, pursuant to which the covered entity may disclose a limited data set to the researcher for research, public health, or health care operations. The agreement must specify the permitted uses and disclosures, among other obligations.

• De-identification: Health information that does not identify an individual and to which there is no reasonable basis to believe that the information can be used to identify an individual. Health information shall be considered de-identified only if 18 identifiers as set forth in the privacy rule are removed; or via statistical methods as set forth in the rule.

• Designated Record Set: A DRS includes an individual’s patient records and billing records maintained by a covered entity and records used by providers, in whole or in part, to make decisions about individuals. This includes psychotherapy notes as well as records received from other providers but that are used in connection with clinical decision making.

(See full definitions in USC HIPAA policies: www.usc.edu/policies)
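As an added example (not from the slides and not USC's own tooling), the following Python sketch applies the two identifier lists above to a patient record: `limited_data_set` strips the sixteen direct identifiers the Limited Data Set definition excludes while keeping dates and geography, and `de_identify` applies the Safe Harbor list from the De-Identification slide, reducing dates to year alone and collapsing ages of 90 or older into a single "90+" category with all date elements removed. A small audit helper reports which banned fields a record still carries. The field names, the two sample records and the reference date used for the age calculation are constructed for the example; because the slide simply lists zip code among the items to remove, zip codes are dropped outright rather than truncated.

```python
"""Safe Harbor de-identification and Limited Data Set filtering.

Added example modelled on the identifier lists in the slides; field names,
sample records and the reference date are constructed for illustration.
"""
from datetime import date

# The 16 direct identifiers the Limited Data Set definition excludes
# (names, postal address below town/city/state/zip, phone, fax, e-mail, SSN,
# MRN, health plan number, account number, certificate/license number,
# vehicle and device identifiers, URLs, IP addresses, biometrics, face photos).
LDS_DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "face_photo",
}

# Safe Harbor removes, in addition, geography below state level, all date
# elements except year, and any other unique identifying number or code.
# The slide lists zip codes among the removed items, so they are dropped
# outright here (no partial-ZIP handling is attempted).
SAFE_HARBOR_GEO_AND_CODES = {"city", "county", "precinct", "zip", "other_unique_code"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def limited_data_set(record: dict) -> dict:
    """Strip the 16 direct identifiers; dates and geography stay (LDS)."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}


def _age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def de_identify(record: dict, as_of: date = date(2015, 8, 21)) -> dict:
    """Apply the Safe Harbor list: direct identifiers, sub-state geography and
    date elements go; years are kept unless the person is 90 or older, in which
    case every date element goes and age collapses into the single '90+' bucket."""
    out = limited_data_set(record)
    for field in SAFE_HARBOR_GEO_AND_CODES:
        out.pop(field, None)

    birth = record.get("birth_date")
    age = _age_on(birth, as_of) if isinstance(birth, date) else None
    ninety_plus = age is not None and age >= 90

    for field in DATE_FIELDS:
        value = out.pop(field, None)
        if isinstance(value, date) and not ninety_plus:
            out[field + "_year"] = value.year  # year alone is permitted
    if age is not None:
        out["age"] = "90+" if ninety_plus else age
    return out


def remaining_identifiers(record: dict) -> set:
    """Audit helper: fields still present that Safe Harbor says must be removed."""
    banned = LDS_DIRECT_IDENTIFIERS | SAFE_HARBOR_GEO_AND_CODES | DATE_FIELDS
    found = {k for k in record if k in banned}
    if isinstance(record.get("age"), int) and record["age"] >= 90:
        found.add("age")  # an exact age of 90+ is itself identifying
    return found


# Constructed sample records (not real patients)
SAMPLE_ELDERLY = {
    "name": "J. Doe", "mrn": "000123", "zip": "90033", "city": "Los Angeles",
    "birth_date": date(1920, 3, 5), "admission_date": date(2015, 7, 1),
    "diagnosis_code": "I10", "lab_glucose": 98,
}
SAMPLE_ADULT = dict(SAMPLE_ELDERLY, birth_date=date(1980, 6, 15))

if __name__ == "__main__":
    print("LDS:", limited_data_set(SAMPLE_ELDERLY))
    print("Safe Harbor:", de_identify(SAMPLE_ELDERLY))
    print("Audit:", remaining_identifiers(de_identify(SAMPLE_ADULT)))
```

The LDS output still carries dates and zip code, which is exactly why the slides insist it may only leave the covered entity under a Data Use Agreement; the Safe Harbor output carries neither, which is why the Privacy Rule no longer applies to it.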

OCR Settlements

• New York hospitals pay $4.8 Million when a de-activated server left information on 6,800 patients accessible over the internet
• Stolen Laptops at Concentra Health Services lead to $1.7 million settlement
• WellPoint pays HHS $1.7 million for security weaknesses in an online application database leaving health information accessible over Internet
• Mass General pays $1 million when employee leaves highly sensitive health data on 192 patients on the subway
• Stanford and two vendors agree to pay $4.1 million to settle a class action lawsuit for vendor mismanagement of emergency room records

Where we are today

• Over 25,000 individuals completed training
• Comprehensive HIPAA policies, procedures and template forms
• Integrated process with Purchasing to identify Business Associates and negotiate Business Associate Agreements
• Monitoring of risk areas, including access controls
• Active coordination with Fundraising, PR and Research
• Partnership with Keck IT in implementation of new systems
• Privacy issues incorporated into due diligence and integration of new health care practices
• Breach notification and sanctions process