SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH

Angela M. Vieira, General Counsel
Children’s Hospital and Health Center
June 5, 2004

Research and Privacy

• Common Rule
– “adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data” 45 CFR §46.111(a)(7)

• FDA – informed consent must include a “statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained and … not[ing] the possibility that the [FDA] may inspect the records” 21 CFR §50.25(a)(5)


Health Insurance Portability and Accountability Act of 1996

• Title I: Health Care Access, Portability, and Renewability

• www.hcfa.gov/medicaid/hipaa

• Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform

• aspe.hhs.gov/admnsimp

• www.hhs.gov/ocr/hipaa

Administrative Simplification Components

• Transaction Standards
• Standard Code Sets
• Unique Health Identifiers
• Security Standards
• Electronic Signature Standards
• Information Transfer Among Health Plans
• Privacy Standards

TIMELINE

• Transactions and Code Set Standards
– October 16, 2002 (providers, large health plans); an extension was available, but a compliance plan had to be filed
– October 16, 2003 (small health plans: annual receipts of $5 million or less)

• Privacy Rule
– April 14, 2003 (providers, large health plans)
– April 14, 2004 (small health plans)

• Security Rule
– April 20, 2005 (providers, large health plans)
– April 20, 2006 (small health plans)


Who is Covered?

• Health care providers who transmit any health information in electronic transactions

• Health plans

• Health care clearinghouses

• [Prescription drug discount sponsor]

• Business associate relationships

What is covered?

• Protected health information (PHI):
– individually identifiable health information
– transmitted or maintained in any form or medium
– held by a covered entity

• De-identified information – NOT COVERED

Key Points

• The federal rule sets a floor
– covered entities may provide greater protection
– more protective state law applies
– California law permitted research uses and disclosures without specific authorization

• Required disclosures are limited to:
– the subject of the information
– DHHS, for compliance review

• All other disclosures are permissive

Privacy Rule – in brief

• Notice of Privacy Practices
• Uses and disclosures permitted for treatment, payment, health care operations
• Minimum necessary requirements
• Individual rights
• Patient authorization
• Organizational requirements
• Business associates

Individual Rights

• Right to inspect and receive a copy of PHI

• Right to request restrictions of uses/disclosures

• Right to request amendment

• Right to an accounting of disclosures

• Right to have reasonable requests for confidential communications accommodated

• Right to written notice of information practices from providers and plans

• Right to file complaint with DHHS or covered entity

Enforcement

• Civil Monetary Penalties
– $100 per violation
– Capped at $25,000 per calendar year for each requirement or prohibition that is violated
– Enforced by the DHHS Office for Civil Rights (OCR)

• Criminal Penalties
– Greater penalties for certain knowing violations
– Enforced by the Department of Justice

• Other liability

Permitted Uses/Disclosures – Research

45 CFR §§164.512(i), 164.514(a), (e)

• Subject authorization

• Approved waiver

• Reviews preparatory to research

• Research on decedent’s information - NEW

• De-identified information – Not subject to Privacy Rule requirements

• Limited data set

Patient Authorization – Core Elements

• description of PHI

• covered entity (CE) authorized to make the use/disclosure

• authorized recipient of PHI

• description of each purpose

• expiration date or event

• signature and date

– personal representative’s authority

Patient Authorization – Required Statements

• Right to revoke in writing
– how to revoke, and the exceptions, OR
– a reference to the CE’s Notice of Privacy Practices

• Research participation may be conditioned on signing the authorization

• Potential for the information to be redisclosed by the recipient and no longer protected by the Privacy Rule

Patient Authorization – Additional Requirements

• Plain language

• Copy of signed authorization

Criteria for Approval of Waiver

• Minimal risk to the subject’s privacy
– adequate plan to protect identifiers from improper use/disclosure
– adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health, research or legal justification for retention
– adequate written assurances that PHI will not be reused or redisclosed to any other person or entity except as required by law, for authorized oversight of the research, or for other permissible research

• Research could not practicably be conducted without the waiver

• Research could not practicably be conducted without access to or use of the PHI


Documentation Requirements

• Identification and date of action

• Waiver criteria

• PHI needed

• Review and approval procedures

• Required signature


Additional Requirements

• Notice of privacy practices

• Accounting of disclosures

• Minimum necessary standard

Reviews Preparatory to Research

• Permitted if the CE obtains from the researcher representations that:
– the use or disclosure is sought solely to prepare a research protocol or for similar purposes
– no PHI will be removed from the CE by the researcher in the course of the review
– the PHI is necessary for the research purposes

Research on Decedents’ Information

• Permitted if the CE obtains from the researcher:
– a representation that the use or disclosure is solely for research
– documentation, upon request, of the individuals’ deaths
– a representation that the PHI is necessary for the research purposes


Common Rule - Waiver

• No more than minimal risk to subjects;

• Will not adversely affect the rights and welfare of the subjects;

• Research not practicably carried out without waiver or alteration; and

• Subjects provided with additional pertinent information after participation, when appropriate

Privacy Rule vs. Common Rule

• De-identified information is not subject to Privacy Rule requirements
– certain research that is exempt under the Common Rule is now subject to IRB review

• Coded information is still subject to IRB review under the Common Rule

De-identification Requirements – Expert Determination

A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
– determines that the risk that the information could be used to identify an individual is “very small”; and
– documents the methods and results of the analysis.

45 CFR §164.514

De-identification – Removal of Identifiers (Safe Harbor)

All 18 of the following must be removed for the individual and for relatives, employers and household members:
• Names
• Addresses (all geographic subdivisions smaller than a state; the first three digits of a ZIP code may remain if that ZIP3 area contains more than 20,000 people, otherwise they become 000)
• Dates (all elements except year of dates directly related to the individual; all ages over 89, which may be aggregated as “90 or older”)
• Telephone numbers
• Fax numbers
• E-mail addresses
• SSNs
• MRNs
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plates
• Device identifiers and serial numbers
• URLs
• IP addresses
• Biometric identifiers, including finger and voice prints
• Full-face photographs and comparable images
• Any other unique identifying number, characteristic or code

The CE must also have no actual knowledge that the remaining information could be used to identify the individual.

Limited Data Set

• Permitted for research, public health and health care operations
• CE may contract with a business associate to create the LDS
• Data Use Agreement required; the Privacy Rule sets its contents

Limited Data Set – Removal of Direct Identifiers

The 16 direct identifiers that must be removed (dates, ages, town/city, state and ZIP code may remain):
• Names
• Street address (postal address information other than town/city, state and ZIP code)
• Telephone numbers
• Fax numbers
• E-mail addresses
• SSNs
• MRNs
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers
• URLs
• IP addresses
• Biometric identifiers
• Full-face photographs and comparable images
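The two identifier lists (the 18 Safe Harbor identifiers above and the 16 direct identifiers of the limited data set) applied to a patient record in code, as an added example that is not part of the presentation and is not HHS or hospital code. The field names, the constructed sample record and the LOW_POPULATION_ZIP3 set are this example's own assumptions; the ZIP3 set in particular is a placeholder that a real deployment would derive from Census population figures. The pattern scan at the end shows the caveat a practitioner runs into first: removing named fields does nothing for identifiers typed into free-text notes.

```python
"""Safe Harbor de-identification and limited data set (LDS) creation for a
single patient record, plus a pattern scan for identifiers left in free text.

Added worked example for this page; not code from the presentation or HHS.
Field names, the sample record and LOW_POPULATION_ZIP3 are assumptions.
"""
import re
from datetime import date

# The 16 direct identifiers that both the LDS (45 CFR 164.514(e)(2)) and
# Safe Harbor (164.514(b)(2)) remove. Field names are this example's own.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_beneficiary_no", "account_no", "license_no", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "full_face_photo",
})
# Safe Harbor additionally drops sub-state geography below ZIP3, "any other
# unique identifying number, characteristic, or code", and date elements.
SAFE_HARBOR_ONLY = frozenset({"city", "county", "other_unique_code"})
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})

# ASSUMPTION: ZIP3 prefixes whose area holds 20,000 or fewer people must become
# "000"; a real deployment derives this set from Census data, not this list.
LOW_POPULATION_ZIP3 = frozenset({"036", "059", "102", "203"})

def _age_on(birth_iso, reference):
    b = date.fromisoformat(birth_iso)
    return reference.year - b.year - ((reference.month, reference.day) < (b.month, b.day))

def limited_data_set(record):
    """Remove the 16 direct identifiers; dates, town/city, state, ZIP and ages
    stay. Release still requires a data use agreement (164.514(e)(4))."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def safe_harbor(record, reference=date(2004, 6, 5)):
    """Apply the 18-identifier Safe Harbor method: dates collapse to the year,
    ZIP to its first three digits (or 000), ages over 89 to '90+'."""
    out = {}
    age = _age_on(record["birth_date"], reference) if "birth_date" in record else None
    over_89 = age is not None and age > 89
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SAFE_HARBOR_ONLY:
            continue
        if key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in LOW_POPULATION_ZIP3 else zip3
        elif key in DATE_FIELDS:
            # A birth year for someone over 89 is itself "indicative of such age".
            if not (over_89 and key == "birth_date"):
                out[key.replace("_date", "_year")] = value[:4]
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if over_89 else age
    return out

# Identifier shapes that survive field-level removal inside free text.
_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def residual_identifiers(record):
    """Return (field, kind) pairs for identifier-shaped strings left anywhere
    in the record, e.g. a phone number typed into a clinical note."""
    hits = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pat in _PATTERNS.items():
            if pat.search(value):
                hits.append((key, kind))
    return hits

# Constructed sample record; every value is made up for this example.
SAMPLE = {
    "name": "Jane Q. Sample", "street_address": "12 Example Way",
    "city": "San Diego", "state": "CA", "zip": "92123",
    "birth_date": "1910-03-02", "admission_date": "2004-01-15",
    "discharge_date": "2004-01-20", "phone": "555-867-5309",
    "email": "jane@example.org", "ssn": "123-45-6789", "mrn": "MRN-000123",
    "ip_address": "192.0.2.10", "other_unique_code": "STUDY-7",
    "diagnosis": "J18.9",
    "notes": "Mother can be reached at 555-010-9999 after 5pm.",
}

if __name__ == "__main__":
    sh = safe_harbor(SAMPLE)
    print("safe harbor:", sh)
    print("limited data set:", limited_data_set(SAMPLE))
    print("residual identifiers in safe-harbor output:", residual_identifiers(sh))
```

On the sample record the Safe Harbor output keeps only state, ZIP3, admission and discharge years, diagnosis, notes and an age of “90+” (the birth year is dropped because it would reveal an age over 89), while the limited data set keeps the full dates, city and ZIP. Both outputs still carry the phone number in the notes field, which is why the scan, or an expert determination, belongs in the pipeline alongside field removal.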

Common Issues

• Health care operations or research?
– QA, QI activities
  • outcomes evaluation, development of clinical guidelines
– population-based activities relating to improving health or reducing cost
– protocol development, case management, case coordination
– cost management and planning-related analysis
  • formulary development
  • improved payment methodologies

• Intent is key! For health care operations, obtaining generalizable knowledge is not the primary purpose

Common Issues

• Covered Entity, Hybrid Entity, or non-Covered Entity?
– cities, counties, states, agencies
– schools, universities
– non-health care employers

• Databases

• Decedent research

• De-identification

WEBSITES

• privacyruleandresearch.nih.gov – HIPAA & Research
• aspe.hhs.gov/admnsimp – HIPAA Administrative Simplification Components
• www.dhhs.gov/ocr/hipaa – HIPAA Privacy Rule