5/18/2011


New Developments in Privacy & Research

Kristen Rosati, Esq.

Coppersmith Schermer & Brockelman PLC

HCCA Research Compliance Conference

June 15, 2011

Session Overview

Our schizophrenic national agenda on research and privacy: the tension between the public good and individual rights

HIPAA Privacy Compliance in Clinical Research:

Impending HITECH Act Privacy Rule requirements

Business associate agreements in clinical research

HIPAA Breach Notification Requirements

Informed Consent

Research Collaborations

Investigator Departures


Office of the National Coordinator

Office of the National Coordinator for Health Information Technology, Federal Health Information Technology Strategic Plan, 2011-2015, at http://healthit.hhs.gov/portal/server.pt?open=512&objID=1211&parentname=CommunityPage&parentid=2&mode=2:

In the long run, the government is pursuing a vision of a learning health system, in which a vast array of health care data can be appropriately aggregated, analyzed, and leveraged using real-time algorithms and functions.

In order to support information exchange vital for research, information in an EHR, with the appropriate privacy protections, should be accessible by researchers, research systems, biorepositories, registries, and other types of research databases.

ONC Strategic Plan continued

"Privacy and security are the bedrock of building trust, a must-have component that is essential to achieving meaningful use and realizing the value of health IT. Patients and providers must feel confident that laws, policies, and processes are in place to keep their information private and secure, and that they will be enforced when violations occur. . . . These added privacy and security protections [in the amendments to the HIPAA rules] are an integral piece of the government's increased efforts to broaden the use of IT in health care."


Institute of Medicine, The Digital Infrastructure for a Learning Health System: Foundation for Continuous Improvement in Health and Health Care - Workshop Summary (Dec. 20, 2010), at http://iom.edu/Reports/2010/The-Digital-Infrastructure-for-a-Learning-Health-System.aspx

3-part workshop series, sponsored by ONC, to address promoting technical advances and innovation, generating and using information, engaging patients and the public, and fostering stewardship and governance

Office for Civil Rights HIPAA Compliance

Proposed amendments to the HIPAA rules to implement the HITECH Act*: 75 Fed. Reg. 40868 (July 14, 2010)

Comments closed September 13, 2010

Final regulations anticipated during the first half of 2011

OCR will not enforce the new regulations until 180 days after the effective date of the final regulations

*American Recovery and Reinvestment Act of 2009 (ARRA), Division A, Title XIII and Division B, Title IV: Health Information Technology for Economic and Clinical Health Act (HITECH Act)


No Sale of PHI

Current rule: a CE may receive payment for a disclosure of PHI where that disclosure is permitted by the regulations (such as for research)

HITECH Act prohibits direct or indirect receipt of remuneration in exchange for a disclosure of PHI without the individual's authorization (with exceptions)

Proposed rule would likewise prohibit direct or indirect remuneration in exchange for a disclosure of PHI without authorization (with the exceptions on the next slide)

"Remuneration" is not defined: will it include non-financial remuneration?

[HITECH Act § 13405(d); Proposed 45 CFR 164.508]

No Sale of PHI: Exceptions

For public health purposes

For research, where the only remuneration received by the covered entity is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI

For treatment and payment

For the sale, transfer, merger or consolidation of the covered entity and related due diligence

To or by a business associate to perform activities for the covered entity, where the only remuneration provided is by the covered entity to the business associate for the performance of such activities

To an individual for access or an accounting of disclosures

Where required by law to disclose PHI

Where the only remuneration received is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI, or a fee is otherwise expressly permitted by another law

[Proposed 45 CFR 164.508]


No Sale of PHI: Research Exception

The prohibition does not apply to disclosures of PHI for research under 164.512(i) (the general rule on research disclosures) or 164.514(e) (disclosures of a Limited Data Set for research), "where the only remuneration received by the covered entity is a reasonable cost-based fee to cover the cost to prepare and transmit the [PHI] for such purposes."

What is a "reasonable cost-based fee"?

Comments urged OCR to allow organizations to recoup investment and other indirect costs in the fees they charge for PHI

Not permitting recoupment of a wide range of costs may be an unconstitutional taking of property

Who will determine the appropriate amount, and how will that be done?

No Sale of PHI: Research Exception (continued)

The statutory prohibition on sale does not expressly exclude:

disclosure of research results

disclosure of Limited Data Sets (LDS are expressly added to the research and public health exceptions)

quality assurance/performance improvement activities

Section 13405(d)(2)(G) of the HITECH Act gives OCR authority to make additional exceptions for disclosures of PHI that OCR judges to be "similarly necessary and appropriate" as the other enumerated statutory exceptions to the sale of PHI


No Sale of PHI: Research Exception (continued)

No grandfather provision

The past grandfather provision permitted a use of PHI to continue if the informed consent or waiver obtained before HIPAA was valid under pre-HIPAA law

Research Authorizations

Authorization for future research

OCR sought comment on whether and how to change its interpretation that an authorization may not seek permission for use in unspecified future research

Options under consideration:

Permitting, if the authorization adequately describes the future research

Permitting, with certain required elements or statements

Permitting, with limits on sensitive research areas, such as genetic or mental health research

Working with OHRP on consistency with the Common Rule


Research Authorizations (continued)

Compound authorizations

Proposed rule would permit compound authorizations, which combine an authorization for a clinical trial with an authorization to contribute PHI to a research repository, as long as the form gives the individual an opportunity to opt in to the research repository

[Proposed 45 CFR 164.508(b)]

Potential problem: an opt-in will reduce participation in research repositories

Business Associate Agreements in Research

BAAs are required if a third party is engaged to de-identify PHI or to create a Limited Data Set on the covered entity's behalf

BAAs are not required to disclose PHI for research, because research is not a covered function under HIPAA

OCR has clarified informally that this applies beyond disclosure to the researcher, and also encompasses research management and other services


Changes to the Definition of Business Associate

Add organizations that provide patient safety activities listed at 42 CFR 3.20 (to implement the Patient Safety and Quality Improvement Act)

Add Health Information Organizations, e-prescribing gateways, and other persons that provide data transmission services, which transmit protected health information (PHI) to a covered entity and require access to that PHI on a routine basis

Add entities that offer a personal health record to individuals on behalf of a covered entity

[HITECH Act § 13408; proposed 45 CFR 160.103]

Decedents' PHI

Proposed rule would protect a decedent's PHI for only 50 years after death [Proposed 45 CFR 164.502(f)]

Would permit CEs to disclose a decedent's PHI to family members and others who were involved in the care or payment for care prior to death, unless inconsistent with an expressed preference of the decedent

This would be a permitted (not required) disclosure, and would not change the authority of the decedent's personal representative to act on behalf of the decedent

[Proposed 45 CFR 164.510(b)]


Future Changes to De-identification?

HITECH Act requires HHS to issue guidance on methods for de-identification of protected health information

OCR held a March 2010 workshop on de-identification approaches, best practices for implementation and management of the current de-identification standard, and potential changes to address policy concerns; see http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/deidentificationworkshop2010.html

HIPAA Breach Notification

HITECH Act requires any covered entity or business associate that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured PHI to notify individuals whose unsecured PHI has been (or is reasonably believed to have been) accessed, acquired, or disclosed as a result of a breach

"Unsecured PHI" is PHI that is not secured per HHS guidance (which is to be updated annually); the most recent guidance is the HHS August 24, 2009 guidance (at 74 Fed. Reg. 42740): PHI is "secured" only if it is encrypted or destroyed as the guidance specifies (encryption counts only if the decryption key was not also compromised)

Applies to electronic and paper PHI

Securing PHI per the guidance works as a safe harbor from the reporting requirement


HIPAA Breach Notification

HHS regulations for breach notification: 45 CFR Part 164, Subpart D (published at 74 Fed Reg. 42740 (Aug. 24, 2009))

Applies to CEs and BAs

Breach: the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule, which compromises the security or privacy of the PHI (i.e., which poses a significant risk of financial, reputational, or other harm to an individual)

Exceptions:

Not a breach if the information does not include direct identifiers, date of birth, or zip code

Direct identifiers (45 CFR 164.514(e)(2)):

Name;

Postal address information, other than town or city, State, and zip code;

Telephone numbers and fax numbers;

Electronic mail addresses, URLs and Internet Protocol (IP) addresses;

Social security numbers;

Medical record numbers and health plan beneficiary numbers;

Account numbers;

Certificate/license numbers;

Vehicle identifiers and serial numbers, including license plate numbers;

Device identifiers and serial numbers;

Biometric identifiers, including finger and voice prints; and

Full face photographic images and any comparable images.


HIPAA Breach Notification

So, if you disclose a Limited Data Set for research (which may include dates related to a patient and address information above the street level, such as a zip code), an unauthorized use or disclosure of that Limited Data Set may be reportable if it includes dates of birth or zip codes

Rationale: Date of birth or zip code makes it possible to re-identify an individual when information is paired with publicly available data

Evaluate whether the recipient has a reporting obligation: only CEs and BAs have reporting obligations under HITECH

HIPAA Breach Notification

Exceptions continued:

Unintentional acquisition, access or use of PHI by a workforce member or a person acting under the authority of the CE or BA, if made in good faith and within the scope of authority, and if it does not result in further use or disclosure that violates HIPAA

Inadvertent disclosure by a person authorized to access PHI at the CE or BA to another person authorized to access PHI at the same CE or BA (or within an organized health care arrangement), if it does not result in further use or disclosure that violates HIPAA

Good-faith belief that the unauthorized recipient would not reasonably have been able to retain the PHI


HIPAA Breach Notification

CEs must notify each individual whose unsecured PHI has been, or is reasonably believed by the CE to have been, accessed, acquired, or disclosed as a result of a breach

BAs must notify the CE, not the individuals; BA notice to CE must contain information about individuals affected

Method of notice: individual notice by first class mail (or email if the individual agrees)

Substitute notice if contact information is insufficient or out of date (if for 10 or more individuals, a conspicuous website posting or major media notice)

Notice to prominent media outlets if more than 500 residents of a state or jurisdiction are affected

Notice to HHS concurrently with individual notice if 500 or more individuals are affected; breaches affecting fewer than 500 individuals are logged and reported to HHS annually

HIPAA Breach Notification

Timing of notice

Without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach by the CE or business associate

A breach is treated as discovered on the first day it is known to any employee, officer or other agent of the CE (other than the person who committed the breach), or would have been known by exercising reasonable diligence

Notice may be delayed on a law enforcement request stating that notice would impede a criminal investigation or cause damage to national security


HIPAA Breach Notification

Content of notice:

A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.

A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).

The steps individuals should take to protect themselves from potential harm resulting from the breach.

A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.

Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

New Requirements for VA Research

VHA Handbook 1200.05, October 15, 2010, Requirements for the Protection of Human Subjects in Research (defining procedures for implementing 38 CFR Part 16), at http://www1.va.gov/vhapublications/ViewPublication.asp?pub_ID=2326

"Providing for Privacy and Confidentiality. . . the investigator must either dedicate specific sections of the protocol to privacy and confidentiality, or the investigator must develop an additional document that specifically addresses all privacy and confidentiality issues in the protocol; this becomes part of the IRB protocol file. The description needs to be sufficiently specific for the reader to understand how this requirement protects the subjects' privacy and the confidentiality of the data. These procedures must be in compliance with all applicable VA and other Federal requirements."


New Requirements for VA Research

j. Providing for Information Security. . . . The investigator must either dedicate specific sections of the protocol to information security, or the investigator must develop an additional document that specifically addresses all information security issues in the protocol; it becomes part of the IRB protocol file. The plan must clearly identify and include, but not be limited to:

(1) Whether or not individually identifiable information is to be collected or used;

(2) How the data is to be collected or acquired;

(3) Where the data (original and all copies) is to be stored and corresponding security systems;

(4) How the data is to be transported or transmitted from one location to another;

(5) Who is to have access to the data and how they are to access it (anyone who has access to the data is responsible for its security);


New Requirements for VA Research

j. Providing for Information Security. . . .

(6) All entities or individuals outside VHA to whom the data is to be disclosed, and the justification for such disclosure and the authority (e.g., the HIPAA authorization);

(7) Who is to have access and be responsible for the security of the information (e.g., the Coordinating Center, the statistician, and PI who has ultimate responsibility);

(8) Mechanisms used to account for the information;

(9) Security measures that must be in place to protect individually identifiable information if collected or used; and

(10) How and to whom a suspected or confirmed loss of VA information is to be reported.


Questions?

Kristen B. Rosati

Coppersmith Schermer & Brockelman PLC

2800 North Central Avenue, Suite 1200

Phoenix, Arizona 85004

tel (602) 381-5464/fax (602) 772-3764

Email: [email protected]

www.csblaw.com

REFERENCE SLIDES:

HIPAA AND RESEARCH


HIPAA Privacy Rule Compliance

The HIPAA research rules apply anytime a covered entity internally accesses or externally discloses protected health information (PHI) for the purpose of research

HIPAA does not apply directly to pharmaceutical companies and others that are not covered entities

Eight HIPAA options are available to use or disclose PHI for research the covered entity must meet the requirements of only one

HIPAA Research Option #1: De-identify PHI

Remove or code the identifiers (if the code is not derived from the identifiers), including:

Name;

Geographic subdivisions smaller than a state (unless only the first three digits of the zip code are used and the area covered by those three digits has more than 20,000 residents);

The month and day of dates directly related to an individual, such as birth date, admission date, discharge date, dates of service, or date of death;

Age if over 89 (unless aggregated into a single category of age 90 and older);

Numbers related to the patient (such as telephone, social security, medical record, account and device numbers);

Biometric identifiers, such as fingerprints;

Full-face photographs and any comparable images; or

Any other unique identifying number, characteristic, or code

In addition, the covered entity must have no actual knowledge that the remaining information could be used to identify the individual


HIPAA Research Option #1: De-identify PHI (continued)

Alternatively, have a qualified statistician determine that the risk is very small that the information presented could be used, alone or in combination with other available information, to identify the patient

Comparison with the Common Rule

Information is not identifiable if the investigator cannot readily determine the identity of the subject

Coded information is treated as not identifiable if one of the following applies:

The key to the code is destroyed before the research begins;

The investigators and the holder of the key enter into an agreement prohibiting release of the key to the investigators until the individuals are deceased;

The IRB has approved written policies and procedures for a repository or data management center that prohibit release of the key to the investigators until the individuals are deceased; or

Other legal requirements prohibit release of the key to the investigators


HIPAA Research Option #2: Use a Limited Data Set

Partially de-identify PHI: remove all direct identifiers, but keep dates related to the individual (such as dates of service), geographic designations above the street level (town or city, state, zip code), and other identifiers not expressly listed in the regulations

Must have a Data Use Agreement in place with the recipient

A Limited Data Set is still PHI, so its unauthorized use or disclosure can be a reportable breach (see the breach notification slides above)
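The two transforms described in Option #1 (Safe Harbor de-identification) and Option #2 (the Limited Data Set), together with the breach-notification exception discussed earlier for data that lacks direct identifiers, date of birth and zip code, as an added Python example. This is not code from the slides or from any HHS tool; the record field names, the three-digit zip population table and the sample record are constructed assumptions for illustration.

```python
import re
from datetime import date

# Constructed population figures for three-digit ZIP areas (illustrative only;
# a real implementation uses Census data for the area formed by all ZIP codes
# sharing the same first three digits).
ZIP3_POPULATION = {
    "850": 3_000_000,  # assumed: a large metropolitan prefix
    "036": 15_000,     # assumed: a sparsely populated prefix (20,000 or fewer)
}

# The 16 direct identifiers of 45 CFR 164.514(e)(2). Field names are assumed.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "url", "ip",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "biometric", "photo",
})

# Geography below state level: Safe Harbor removes it, a Limited Data Set
# may keep it. Field names are assumed.
GEO_BELOW_STATE = frozenset({"city", "county", "zip"})

# Dates directly related to the individual. Field names are assumed.
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date", "death_date"})


def safe_harbor_zip3(zip_code: str) -> str:
    """First three ZIP digits if that area has more than 20,000 residents,
    otherwise '000' (the Safe Harbor rule for ZIP codes)."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def safe_harbor_age(age: int) -> str:
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age >= 90 else str(age)


def de_identify(record: dict) -> dict:
    """Safe Harbor (Option #1): drop direct identifiers and sub-state
    geography, keep only the year of dates, generalize ZIP to three digits
    and cap age at 90+. Unlisted fields (e.g. diagnosis codes) pass through."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_BELOW_STATE:
            continue
        if key in DATE_FIELDS:
            out[key] = str(value.year)
        elif key == "age":
            out[key] = safe_harbor_age(value)
        else:
            out[key] = value
    if "zip" in record:
        out["zip3"] = safe_harbor_zip3(record["zip"])
    # For ages 90 and over even the birth year reveals the age band, so the
    # birth date is suppressed entirely rather than reduced to its year.
    if out.get("age") == "90+":
        out.pop("dob", None)
    return out


def limited_data_set(record: dict) -> dict:
    """Limited Data Set (Option #2): remove only the 16 direct identifiers;
    dates, city, state and ZIP remain. The result is still PHI and needs a
    Data Use Agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def breach_exception_applies(data: dict) -> bool:
    """True if an impermissible disclosure of this data is not a breach under
    the exception discussed above: no direct identifiers, no date of birth
    and no ZIP code present."""
    return not any(k in DIRECT_IDENTIFIERS or k in ("dob", "zip") for k in data)


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "street_address": "123 Main St", "city": "Phoenix", "state": "AZ",
    "zip": "85004", "dob": date(1920, 3, 4), "age": 91,
    "admit_date": date(2011, 5, 1), "diagnosis": "I10",
}

if __name__ == "__main__":
    print("Safe Harbor:", de_identify(SAMPLE))
    print("Limited Data Set:", limited_data_set(SAMPLE))
```

On the sample record the Safe Harbor output keeps only state, diagnosis, admission year, the "850" prefix and the "90+" age band, and the breach exception applies to it; the Limited Data Set keeps the full birth date and zip code, so a lost copy would have to be evaluated as a potential breach. The population lookup is the part a production implementation replaces with current Census figures.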

Comparison with the Common Rule

A Limited Data Set likely will not be identifiable (the investigator likely will not be able to readily ascertain the identity of the subjects)


HIPAA Research Option #3: Obtain subject authorization

HIPAA requires numerous elements in the authorization

May combine the HIPAA authorization with the informed consent document

Will require IRB approval if combined

Combining is tricky where seeking authorization to store PHI in a research repository or tissue bank

HIPAA Authorization Problems

A HIPAA authorization may not seek permission to use or disclose PHI for future unspecified research: the authorization must be protocol-specific, or must be for storage in a research repository only

Cannot combine a HIPAA authorization with an informed consent document if the informed consent seeks permission to use the PHI for future unspecified research; use a separate document or a separately signed section


HIPAA Authorization Problems (continued)

Cannot combine an authorization to participate in a clinical trial with an authorization to store PHI

May require a participant to sign an authorization to use or disclose PHI for the clinical trial as a condition of participating in the trial

Cannot require a participant to sign an authorization to collect PHI for storage in a repository (if the PHI will be used beyond the particular clinical trial)

Cannot combine these authorizations (into a compound authorization) under the current rule; the proposed rule discussed earlier would permit a compound authorization with an opt-in for the repository

Options: separate forms, separate signatures, or a check-off that makes clear that the participant does not have to agree to the portion that authorizes collection of PHI for the repository

Comparison with the Common Rule

An informed consent document must discuss how the information will be treated confidentially in the study


HIPAA Research Option #4: Have the IRB waive or alter the need for an authorization

An IRB may waive or alter the authorization requirement if the use or disclosure of PHI involves no more than minimal risk to the individuals' privacy, based on: (a) an adequate plan to protect PHI from improper use and disclosure; (b) an adequate plan to destroy PHI at the earliest opportunity consistent with conduct of the research (unless there is a health or research justification for retention or retention is required by law); and (c) adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the study, or for other research permitted by the rules; and

HIPAA Research Option #4: Waiver (continued)

The research could not practicably be conducted without the waiver or alteration of authorization; and

The research could not practicably be conducted without access to and use of the PHI

Can ask for a partial waiver (for example, for recruitment only)


Comparison with the Common Rule

Waiver of informed consent has a similar analysis:

(1) the research involves no more than minimal risk to the subjects;

(2) the waiver or alteration will not adversely affect the rights and welfare of the subjects;

(3) the research could not practicably be carried out without the waiver or alteration; and

(4) whenever appropriate, the subjects will be provided with additional pertinent information after participation

HIPAA Research Option #5: Obtain representations that PHI is for activities to prepare for research

The researcher represents that the PHI is sought solely to prepare for research, that the PHI is necessary for that purpose, and that no PHI will be removed from the covered entity's premises

What activities are "to prepare for research"? Developing a protocol, identifying potential participants

What constitutes removal from the premises? Remote access is okay if there is no printing, copying, saving or electronic faxing


Comparison with the Common Rule

Access to identifiable patient information is human subject research that requires IRB review and a waiver of informed consent (if the Common Rule applies)

HIPAA Research Option #6: Patient Recruitment

Contacting a covered entity's own patients about participation is treatment or health care operations

A non-employed third party (including the investigator) can contact patients if a business associate agreement is in place

Can ask the IRB to partially waive HIPAA authorization for recruitment


Comparison with the Common Rule

Contacting patients for recruitment is human subject research requiring IRB review (if the Common Rule applies)

HIPAA Research Option #7: Obtain representations regarding research involving decedents

The researcher represents that only decedents' PHI is sought, that the PHI is necessary for the research, and that documentation of death will be provided at the request of the covered entity


Comparison with the Common Rule

The Common Rule applies only to research involving living human subjects

HIPAA Research Option #8: Disclosure is required by law

Example: disclosure to OHRP or FDA during an investigation or compliance review

Comparison with the Common Rule: permitted as well