5/18/2011
New Developments in Privacy & Research
Kristen Rosati, Esq.
Coppersmith Schermer & Brockelman PLC
HCCA Research Compliance Conference
June 15, 2011
Session Overview
Our schizophrenic national agenda on research and privacy: the tension between the public good and individual rights
HIPAA Privacy Compliance in Clinical Research
Impending HITECH Act Privacy Rule requirements
Business associate agreements in clinical research
HIPAA Breach Notification Requirements
Informed Consent
Research Collaborations
Investigator Departures
Office of the National Coordinator
Office of the National Coordinator for Health Information Technology, Federal Health Information Technology Strategic Plan, 2001-2015 at http://healthit.hhs.gov/portal/server.pt?open=512&objID=1211&parentname=CommunityPage&parentid=2&mode=2:
In the long run, the government is pursuing a vision of a learning health system, in which a vast array of health care data can be appropriately aggregated, analyzed, and leveraged using real-time algorithms and functions.
In order to support information exchange vital for research, information in an EHR, with the appropriate privacy protections, should be accessible by researchers, research systems, biorepositories, registries, and other types of research databases.
ONC Strategic Plan continued
Privacy and security are the bedrock of building trust, a must-have component that is essential to achieving meaningful use and realizing the value of health IT. Patients and providers must feel confident that laws, policies, and processes are in place to keep their information private and secure, and that they will be enforced when violations occur. . . . These added privacy and security protections [in the amendments to the HIPAA rules] are an integral piece of the government's increased efforts to broaden the use of IT in health care.
The Digital Infrastructure for a Learning Health System: Foundation for Continuous Improvement in Health and Health Care - Workshop Summary (Dec. 20, 2010), http://iom.edu/Reports/2010/The-Digital-Infrastructure-for-a-Learning-Health-System.aspx
3-part workshop series, sponsored by ONC, to address promoting technical advances and innovation, generating and using information, engaging patients and the public, and fostering stewardship and governance
Office for Civil Rights HIPAA Compliance
Proposed amendments to the HIPAA rules to implement the HITECH Act*: 75 Fed. Reg. at 40868 (July 14, 2010)
Comments closed September 13, 2010
Final regulations anticipated during the first half of 2011
OCR will not enforce the new regulations until 180 days after the effective date of the final regulations
*American Recovery and Reinvestment Act of 2009 (ARRA) --Division A, Title XIII and Division B, Title IV: Health Information Technology for Economic and Clinical Health Act (HITECH Act)
No Sale of PHI
Current rule: CE may receive payment for a disclosure of PHI where that disclosure is permitted by the regulations (such as for research)
HITECH Act prohibits indirect or direct receipt of remuneration in exchange for a disclosure of PHI without the individual's authorization (with exceptions)
Proposed rule would prohibit indirect or direct remuneration in exchange for a disclosure of PHI without authorization (with exceptions on the next slide)
Remuneration is not defined: will it include non-financial remuneration?
[HITECH Act 13405(d); Proposed 45 CFR 164.508]
No Sale of PHI -- Exceptions
For public health purposes
For research, where the only remuneration received by the covered entity is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI
For treatment and payment
For the sale, transfer, merger or consolidation of the covered entity and related due diligence
To or by a business associate to perform activities for the covered entity, where the only remuneration provided is by the covered entity to the business associate for the performance of such activities
To an individual for access or accounting
Where required by law to disclose PHI
Where the only remuneration received is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI, or a fee is otherwise expressly permitted by another law
[Proposed 45 CFR 164.508]
No Sale of PHI Research Exception
Does not apply to disclosures of PHI for research under 164.512(i) (the general rule on research disclosures) or 164.514(e) (disclosures of a Limited Data Set for research), where the only remuneration received by the covered entity is a reasonable cost-based fee to cover the cost to prepare and transmit the [PHI] for such purposes.
What is a reasonable cost-based fee?
Comments urged OCR to allow organizations to recoup investment and other indirect costs in the fees they charge for PHI
Not permitting recoupment of a wide range of costs may be an unconstitutional taking of property
Who will determine the appropriate amount and how will that be done?
No Sale of PHI Research Exception
Prohibition on sale doesn't exclude:
disclosure of research results
disclosure of Limited Data Sets
LDS expressly added to research and public health exceptions
quality assurance/performance improvement activities
Section 13405(d)(2)(G) of the HITECH Act provides authority to the OCR to make additional exceptions for disclosures of PHI that the OCR judges to be similarly necessary and appropriate as the other enumerated statutory exemptions to the sale of PHI
No Sale of PHI Research Exception
No grandfather provision
Past grandfather provision permitted use of PHI to continue if the informed consent/waiver obtained before HIPAA was valid under pre-HIPAA law
Research Authorizations
Authorization for future research
OCR sought comment on whether and how to change its interpretation that an authorization may not seek permission for use in unspecified future research
Options under consideration:
Permitting, if authorization adequately describes future research
Permitting, with certain required elements or statements
Permitting, with limits on sensitive research areas, such as genetic or mental health research
Working with OHRP on consistency with Common Rule
Research Authorizations
Compound authorizations
Proposed rule would permit compound authorizations, which combine authorization for a clinical trial and authorization to contribute PHI to a research repository, as long as the form provides the individual with an opportunity to opt in to the research repository
[Proposed 45 CFR 164.508(b)]
Potential problem:
Opt-in will reduce participation in research repositories
Business Associate Agreements in Research
BAAs required if a third party is engaged to de-identify PHI or create a Limited Data Set
BAAs not required to disclose PHI for research on behalf of the covered entity, because research is not a covered function under HIPAA
OCR has clarified informally that this applies beyond disclosure to the researcher, and also encompasses research management and other services
Changes to the Definition of Business Associate
Add organizations that provide patient safety activities listed at 42 CFR 3.20 (to implement the Patient Safety and Quality Improvement Act)
Add Health Information Organizations, e-prescribing gateways, or other persons that provide data transmission services, which transmit protected health information (PHI) to a covered entity and require access to that PHI on a routine basis
Add entities that offer a personal health record to individuals on behalf of a covered entity
[HITECH Act 13408; proposed 45 CFR 160.103]
Decedents' PHI
Proposed rule: Would protect for only 50 years after death [Proposed 45 CFR 164.502(f)]
Would permit CEs to disclose a decedent's PHI to family members and others who were involved in the care or payment for care prior to death, unless inconsistent with an expressed preference of the decedent
This would be a permitted (not required) disclosure, and would not change the authority of the decedent's personal representative to act on behalf of the decedent
[Proposed 45 CFR 164.510(b)]
Future Changes to De-identification?
HITECH Act requires HHS to issue guidance on methods for de-identification of protected health information
OCR March 2010 workshop on de-identification approaches, best practices for implementation and management of the current de-identification standard and potential changes to address policy concerns, see http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/deidentificationworkshop2010.html
HIPAA Breach Notification
HITECH Act requires any covered entity or business associate that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured PHI must notify individuals whose unsecured PHI has been (or is reasonably believed to have been) accessed, acquired, or disclosed as a result of a breach
Unsecured PHI is PHI that is not secured per HHS guidance (to be issued annually); the most recent guidance is the HHS August 24, 2009 guidance (at 74 Fed. Reg. 42740): securing PHI requires encryption or destruction
Applies to electronic and paper PHI
Works as a safe harbor from the reporting requirement
HIPAA Breach Notification
HHS regulations for breach notification: 45 CFR Part 164, Subpart D (published at 74 Fed Reg. 42740 (Aug. 24, 2009))
Applies to CEs and BAs
Breach: the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule, which compromises the security or privacy of the PHI (i.e., which poses a significant risk of financial, reputational, or other harm to an individual)
Exceptions.
HIPAA Breach Notification
Not a breach if the information does not include direct identifiers, date of birth, or zip code
Direct identifiers (45 CFR 164.514(e)(2)):
Name;
Postal address information, other than town or city, State, and zip code;
Telephone numbers and fax numbers;
Electronic mail addresses, URLs and Internet Protocol (IP) addresses;
Social security numbers;
Medical record numbers and health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Biometric identifiers, including finger and voice prints; and
Full face photographic images and any comparable images.
HIPAA Breach Notification
So, if you disclose a Limited Data Set for research (which may include dates related to a patient and address information above the street level or PO Box), the unauthorized use or disclosure of the Limited Data Set may be reportable if it includes dates of birth or zip codes
Rationale: Date of birth or zip code makes it possible to re-identify an individual when information is paired with publicly available data
Evaluate whether the recipient has a reporting obligation: only CEs and BAs have reporting obligations under HITECH
HIPAA Breach Notification
Exceptions continued:
Unintentional use of PHI by a workforce member or a person acting under the authority of the CE or BA, if it was in good faith, within scope of authority, and does not result in further use or disclosure that violates HIPAA
Inadvertent disclosure to another person at the CE or BA (or within an organized health care arrangement), if the recipient is authorized to see PHI and the disclosure does not result in further use or disclosure that violates HIPAA
Good faith belief that recipient would not reasonably have been able to retain the PHI
HIPAA Breach Notification
CEs must notify each individual whose unsecured PHI has been, or is reasonably believed by the CE to have been, accessed, acquired, or disclosed as a result of a breach
BAs must notify the CE, not the individuals; BA notice to CE must contain information about individuals affected
Method of notice: individual notice by first-class mail (or email if the individual agrees)
Alternative method if insufficient contact information (if for more than 10 individuals, then website posting or media notice)
Notice to prominent media outlets if more than 500 residents of the state or jurisdiction are affected
Concurrent notice to HHS if more than 500 residents are affected; an annual report to HHS including every breach
HIPAA Breach Notification
Timing of notice
Without unreasonable delay and in no case later than 60 days after discovery of the breach by the CE or business associate
CE learns of a breach when it is known to any employee, officer or other agent, other than the person who committed the breach
Can delay upon a law enforcement request stating that notice would impede a criminal investigation or cause damage to national security
HIPAA Breach Notification
Content of notice:
A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).
The steps individuals should take to protect themselves from potential harm resulting from the breach.
A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
New Requirements for VA Research
VHA Handbook 1200.05, October 15, 2010, Requirements for the Protection of Human Subjects in Research (defining procedures for implementing 38 CFR Part 16) (at http://www1.va.gov/vhapublications/ViewPublication.asp?pub_ID=2326)
Providing for Privacy and Confidentiality. . . the investigator must either dedicate specific sections of the protocol to privacy and confidentiality, or the investigator must develop an additional document that specifically addresses all privacy and confidentiality issues in the protocol; this becomes part of the IRB protocol file. The description needs to be sufficiently specific for the reader to understand how this requirement protects the subjects' privacy and the confidentiality of the data. These procedures must be in compliance with all applicable VA and other Federal requirements.
New Requirements for VA Research
j. Providing for Information Security. . . . The investigator must either dedicate specific sections of the protocol to information security, or the investigator must develop an additional document that specifically addresses all information security issues in the protocol; it becomes part of the IRB protocol file. The plan must clearly identify and include, but not be limited to:
(1) Whether or not individually identifiable information is to be collected or used;
(2) How the data is to be collected or acquired;
(3) Where the data (original and all copies) is to be stored and corresponding security systems;
(4) How the data is to be transported or transmitted from one location to another;
(5) Who is to have access to the data and how they are to access it (anyone who has access to the data is responsible for its security);
New Requirements for VA Research
j. Providing for Information Security. . . .
(6) All entities or individuals outside VHA to whom the data is to be disclosed, and the justification for such disclosure and the authority (e.g., the HIPAA authorization);
(7) Who is to have access and be responsible for the security of the information (e.g., the Coordinating Center, the statistician, and PI who has ultimate responsibility);
(8) Mechanisms used to account for the information;
(9) Security measures that must be in place to protect individually identifiable information if collected or used; and
(10) How and to whom a suspected or confirmed loss of VA information is to be reported.
Questions?
Kristen B. Rosati
Coppersmith Schermer & Brockelman PLC
2800 North Central Avenue, Suite 1200
Phoenix, Arizona 85004
tel (602) 381-5464/fax (602) 772-3764
Email: [email protected]
www.csblaw.com
REFERENCE SLIDES:
HIPAA AND RESEARCH
HIPAA Privacy Rule Compliance
The HIPAA research rules apply anytime a covered entity internally accesses or externally discloses protected health information (PHI) for the purpose of research
HIPAA does not apply to pharma companies and others that are not covered entities
Eight HIPAA options are available to use or disclose PHI for research; the covered entity must meet the requirements of only one
HIPAA Research Option #1: De-Identify PHI
Remove or code the identifiers (if the code is not derived from identifiers), including:
Name;
Geographic location information (unless only the first three digits of the zip code are used and the area has more than 20,000 residents);
The month and day of dates directly related to an individual, such as birth date, admission date, discharge date, dates of service, or date of death;
Age if over 89 (unless aggregated into a single category of age 90 and older);
Numbers related to the patient;
Biometric identifiers, such as fingerprints;
Full-face photographs and any comparable images; or
Any other unique identifying number, characteristic, or code
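The Safe Harbor approach on this slide, as a worked illustration added here (it is not the presenter's code or any HHS reference implementation): it drops the enumerated direct identifiers and sub-state geography, keeps only the year of patient-related dates, truncates zip codes to three digits (000 for areas of 20,000 or fewer residents), collapses ages over 89 into 90+, and assigns a random re-identification code that is not derived from any identifier, with the linkage held in a separate key table. Field names, the sample record and the SMALL_ZIP3 set are constructed assumptions; dropping a birth year that would reveal an age over 89 follows the text of the Safe Harbor rule rather than the slide.

```python
import re
import secrets
from datetime import date

# Field names are assumptions for the constructed sample; real schemas differ.
# Direct identifiers and sub-state geography named on the slide are dropped.
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "url", "ip",
    "ssn", "mrn", "health_plan_id", "account", "license", "vehicle",
    "device_serial", "fingerprint", "voiceprint", "photo",
}
# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date",
               "service_date", "death_date"}
# ZIP3 areas with 20,000 or fewer residents must be reported as 000.
# Constructed placeholder set; the real list comes from Census population data.
SMALL_ZIP3 = {"036", "059", "102"}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 for a sparsely populated area."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) < 3 or digits in SMALL_ZIP3:
        return "000"
    return digits


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into the single category 90+."""
    return "90+" if age > 89 else str(age)


def deidentify(record: dict, key_table: dict) -> dict:
    """Return a Safe Harbor copy of record; the linkage goes only into key_table.

    The re-identification code is random rather than derived from the MRN or
    any other identifier, so the coded data set alone does not allow
    re-identification; whoever holds key_table must keep it separately.
    """
    code = secrets.token_hex(8)
    key_table[code] = record.get("mrn")
    out = {"code": code}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = value.year
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "age":
            out["age"] = generalize_age(value)
        else:
            out[field] = value
    # A birth year that reveals an age over 89 is itself indicative of that
    # age, so it goes once the age has been aggregated into 90+.
    if out.get("age") == "90+":
        out.pop("birth_year", None)
    return out


def residual_identifiers(record: dict) -> set:
    """Fields that would still make a record identifiable under Safe Harbor."""
    return {f for f in record if f in DROP_FIELDS or f in DATE_FIELDS or f == "zip"}


SAMPLE = {  # constructed record, not real PHI
    "name": "A. Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "street": "1 Example St", "city": "Phoenix", "state": "AZ",
    "zip": "85004-1200", "birth_date": date(1920, 3, 14),
    "service_date": date(2011, 5, 18), "age": 91, "diagnosis": "J18.9",
}

if __name__ == "__main__":
    keys = {}
    print(deidentify(SAMPLE, keys))
    print("key table (kept separately):", keys)
```

Note that this covers only the Safe Harbor list; the statistician determination on the next slide is a separate route and is not modelled here.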
HIPAA Research Option #1: De-Identify PHI
Have a qualified statistician determine that the risk is very small that any identifiers presented could be used alone, or in combination with other available information, to identify the patient
Comparison with the Common Rule
De-identified if investigator cannot reasonably determine identity
Coding:
Destroy key to code before research begins;
Investigators and holder of key enter into agreement prohibiting release of key to investigators until individuals are deceased;
Have IRB approve written policies and procedures for a repository or data management center that prohibit the release of the key to investigators until individuals deceased; or
Determine that other legal requirements exist that prohibit release of key to investigators
HIPAA Research Option #2: Use a Limited Data Set
Partially de-identify PHI: remove all identifiers except dates related to the individual (dates of service), geographic designations (above street level), and other identifiers not expressly listed in the regulations
Must have Data Use Agreement in place with recipient
Comparison with the Common Rule
A Limited Data Set likely will not be identifiable (investigator likely will not be able to readily ascertain the identity of the subjects)
HIPAA Research Option #3: Obtain subject authorization
HIPAA requires numerous elements
May combine HIPAA authorization with informed consent document
Will require IRB approval if combined
Combining is tricky where seeking authorization to store PHI in a research repository or tissue bank
HIPAA Authorization Problems
HIPAA authorization may not seek permission to use or disclose PHI for future unspecified research; authorization must be protocol specific or must be for storage in a research repository only
Cannot combine HIPAA authorization with informed consent, if informed consent seeks permission to use the PHI for future unspecified research; use a separate document or a separately signed section
HIPAA Authorization Problems
Cannot combine authorizations to participate in a clinical trial with authorizations to store PHI
May require participant to sign authorization to use or disclose PHI for the clinical trial, as a condition of participating in the trial
Cannot require participant to sign authorization to collect PHI for storage in repository (if PHI will be used beyond the particular clinical trial)
Cannot combine these authorizations (into a compound authorization)
Options: separate forms, separate signatures, or check off that makes clear that participant does not have to agree to portion that authorizes collection of PHI for repository
Comparison with the Common Rule
An informed consent document must discuss how the information will be treated confidentially in the study
HIPAA Research Option #4: Have IRB waive or alter the need for an authorization
Use or disclosure of PHI involves no more than minimal risk to their privacy, based on: (a) an adequate plan to protect PHI from improper use and disclosure; (b) an adequate plan to destroy PHI at the earliest opportunity consistent with conduct of the research (unless there is a health or research justification for retention or if retention is required by law); and (c) adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the study, or for other research permitted by the rules; and
HIPAA Research Option #4: Waiver continued.
The research could not practicably be conducted without the waiver or alteration of authorization; and
The research could not practicably be conducted without access to and use of information identifying the subjects
Can ask for partial waiver
Comparison with the Common Rule
Waiver of informed consent has similar analysis:
(1) the research involves no more than minimal risk to the subjects;
(2) the waiver or alteration will not adversely affect the rights and welfare of the subjects;
(3) the research could not practicably be carried out without the waiver or alteration; and
(4) whenever appropriate, the subjects will be provided with additional pertinent information after participation
HIPAA Research Option #5: Obtain representations that PHI is for activities to prepare for research
PHI solely to prepare for research, PHI necessary for research, and PHI will not be removed from premises
What activities are to prepare for research?
Developing protocol, identifying potential participants
What constitutes removal from premises?
Remote access okay if no printing, copying, saving or electronically faxing
Comparison with the Common Rule
Access to identifiable patient information is human subject research that requires IRB review and waiver of informed consent (if Common Rule applies)
HIPAA Research Option #6: Patient Recruitment
Contact of own patients for participation is treatment or health care operations
Can have non-employed third party contact patients (including investigator) if business associate agreement in place
Can ask IRB to partially waive HIPAA authorization for recruitment
Comparison with the Common Rule
Contacting patients for recruitment is human subject research requiring IRB review (if Common Rule applies)
HIPAA Research Option #7: Obtain representations regarding research involving decedents
Researcher only seeks decedents' PHI, PHI is necessary for the research, and will provide documentation of death at request of covered entity
Comparison with the Common Rule
Common Rule applies only to research involving living human subjects
HIPAA Research Option #8: Disclosure is required by law
Example: Disclosure to OHRP or FDA during an investigation or compliance review
Common Rule Comparison
Permitted, as well