HIPAA-Compliant Research Access to PHI




HIPAA permits the access, disclosure and use of PHI from a HIPAA Covered Entity's or HIPAA Covered Unit's treatment, payment or health care operations records for research purposes in the following six formats:

1. The signed authorization of the patient whose individually identifiable PHI is sought; or
2. Waiver by an IRB or a Privacy Board of all or part of the authorization requirement for use of individually identifiable PHI; or
3. A Data Use Agreement for research use of a Limited Data Set (see definition below); or
4. Review of PHI solely in preparation for research, without collecting the PHI for research use; or
5. Complete de-identification of the PHI; or
6. Use of PHI solely of decedents.

1. Research Use or Disclosure of PHI With Authorization (may include any and all individual identifiers)

As a general rule, a researcher must obtain an Authorization from all participants in research prior to the internal use or external disclosure of PHI for any research related purpose that is not otherwise permitted or required under HIPAA as described in this reference sheet. The IRB will provide an Authorization template that complies with HIPAA requirements. The researcher must complete the Authorization template and submit it to the IRB for its prior review and approval.

Authorization for Use of Psychotherapy Notes in Research

An authorization is always required for access, disclosure or use of Psychotherapy Notes for research purposes. An authorization for access, use or disclosure of Psychotherapy Notes for research may not be combined with any other authorization except another authorization for access, disclosure or use of the Psychotherapy Notes. A limited waiver of authorization may be required to contact and recruit study participants, as described under Format #2, below.

2. Research Use or Disclosure of PHI with Waiver of Authorization by IRB (may include any and all individual identifiers approved by the IRB in its waiver)

In some circumstances, authorizations for research use of PHI may be waived by the IRB, provided the following three criteria are satisfied and documented (generally in addition to satisfaction of waiver of informed consent requirements pursuant to 45 CFR 46.116):

(1) The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on HIPAA-prescribed criteria;
(2) The research could not practicably be conducted without the waiver; and
(3) The research could not practicably be conducted without access to and use of the PHI.

A request for Waiver of Authorization must be completed by the researcher and submitted to the IRB for prior review and approval. Uses or Disclosures of PHI made pursuant to a Waiver are subject to the HIPAA Minimum Necessary rules.

Limited Waiver of Authorization Solely for the Purpose of Prescreening, Contacting and/or Recruiting Potential Research Participants

Since a researcher cannot practicably obtain a potential research participant's authorization for review of PHI in advance of contacting the potential participant, the IRB may issue a limited waiver of authorization permitting specified access and use of PHI solely for prescreening and recruitment contact pursuant to an approved protocol.

Physicians and other health care professionals who have a direct treatment relationship with an individual may review that individual's PHI for eligibility with respect to a research protocol and may initiate a discussion with the individual about potential participation as a research subject in a protocol relevant to the treatment relationship. This scenario does not require an Authorization or a Waiver of Authorization.

Individuals responding to an advertisement or otherwise initiating contact and indicating interest in participating in a research study may be given an explanation of the study (including, but not limited to, the name of the principal investigator and a description of the study) without Authorization or Waiver of Authorization; however, either their authorization or a waiver of authorization is required to review their PHI in health care records to determine potential eligibility.

3. Research Use of a Limited Data Set

A researcher may use or disclose a Limited Data Set for research without an Authorization or IRB Waiver of Authorization. A Limited Data Set as defined in HIPAA is described below. Although even a Limited Data Set is nearly de-identified, this limited amount of PHI, consisting of certain geographic data and dates, may be adequate for a broader array of research studies than completely de-identified data.

A Limited Data Set is just that: limited. A Limited Data Set contains PHI that is nearly de-identified. A Limited Data Set may NOT include any of the direct identifiers listed under the HIPAA definition of de-identified health information (SEE ATTACHED SHEET HIPAA: DEIDENTIFIED HEALTH INFORMATION) EXCEPT the following:

o State, county, city, town, census tract, precinct, zip code or any other geocodes above the level that would identify an individual household; and/or
o All elements of dates directly related to an individual, including birth date, admission date, discharge date, dates of health care procedures or other services, and date of death.

The Limited Data Set must exclude ALL OTHER direct identifiers listed in the attached sheet entitled HIPAA: DEIDENTIFIED HEALTH INFORMATION.

A Limited Data Set may be used or disclosed only if there is a Data Use Agreement between the entity providing the data and the recipient of the Limited Data Set.

A researcher may find the need to access full PHI in order to abstract from it a Limited Data Set for research use. Because this abstraction activity requires access to fully identifiable PHI, a researcher may ONLY engage in this abstraction activity under the following circumstances:

o The researcher must have an IRB waiver of authorization; or
o In addition to a Data Use Agreement, the researcher must enter into a Business Associate Agreement with the Covered Entity to create the Limited Data Set on the Covered Entity's behalf for the researcher's use.

IMPORTANT: Contact the University Privacy Officer for help in this situation.

4. Access to PHI Solely for Preparation for Research

Researchers may access PHI in the records of Covered Entities without an Authorization or IRB Waiver of Authorization for the purposes of development of a research protocol or assessment of feasibility of a research protocol, provided that the researcher documents to the satisfaction of the Covered Entity's PHI data custodian (e.g. the medical records manager) that all the following criteria are satisfied (typically via an attestation form provided by the Covered Entity to be signed by the individual researcher):

o The use or disclosure of PHI is solely to prepare or assess feasibility of a research protocol;
o The researcher shall not record individually identifiable PHI or remove PHI from the records reviewed (for example, the researcher may review identifiable PHI but may only record aggregate data or individual data that does not include any individual identifiers);
o The PHI sought is necessary for the purposes of the research; and
o Preparatory to research does not include patient contact or recruitment.

5. Use or Disclosure of Completely De-Identified Health Information

The HIPAA definition of completely de-identified protected health information is not the same as what many researchers have been accustomed to consider anonymized data. The completely de-identified form of data defined in HIPAA may not be adequate for many research studies. Its advantage is that it presents no risk of privacy violation and therefore requires relatively little documentation for research access or use and is not subject to any restrictions on downstream use and disclosure. Individual health information that conforms to the HIPAA definition of de-identified is exempt from HIPAA and may be used or disclosed for research purposes without an Authorization, Waiver of Authorization or Data Use Agreement. SEE ATTACHED SHEET entitled HIPAA: DEIDENTIFIED HEALTH INFORMATION.

Re-identification Code. The de-identified information may be assigned a code that can be affixed to the research record that will permit the information to be re-identified if necessary, provided that the key to such a code is not accessible to the researcher requesting to use or disclose the de-identified health information.

6. Use and Disclosure of Decedent's Individually Identifiable PHI Without Authorization

Researchers may use and disclose a decedent's individually identifiable PHI for research without an Authorization or IRB Waiver, provided that the researcher documents that all the following criteria are satisfied:

o The use will be solely for research on the PHI of a decedent;
o The researcher has documentation of the death of the individual about whom information is being sought; and
o The PHI sought is necessary for the purposes of the research.

The researcher will provide documentation to the data custodian that all of the above criteria are satisfied in accordance with the data management registration process of the individual business unit. Uses or Disclosures of a decedent's PHI for research purposes are subject to the HIPAA Minimum Necessary rules.

HIPAA: DEIDENTIFIED HEALTH INFORMATION

ALL of the following identifiers of the individual or of relatives, employers, or household members of the individual must be removed from PHI for it to meet the DEIDENTIFICATION standard:

(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000;
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section;

and (ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

(c) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:

(1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
(2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
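As an added example that is not part of this reference sheet, the following Python applies the identifier rules (A) through (R) above to a constructed patient record, builds a Limited Data Set from the same record as described under Format 3, and assigns a re-identification code the way implementation specification (c) requires: generated at random rather than derived from the individual, with the key held by the covered entity and never handed to the researcher. The field names, the sample records, the 3-digit zip population table and all function names are assumptions made for this example; the population figures are constructed, and a real implementation must use current Bureau of the Census data.

```python
# Added example (not part of the reference sheet): applies the de-identification
# rules above to a constructed record, builds a Limited Data Set from the same
# record, and assigns a re-identification code that is random rather than
# derived from the individual (implementation specification (c)).
import secrets
from datetime import date

# Fields treated as direct identifiers: items (A) and (D) through (R).
# Field names are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
# Item (B): geography below State level. Zip is handled by the 3-digit rule.
GEO_BELOW_STATE = {"street_address", "city", "county", "precinct"}
# Item (C): dates directly related to the individual (birth date handled apart).
DATE_FIELDS = {"admission_date", "discharge_date", "date_of_death"}
# Fields known not to identify anyone and kept unchanged. Anything not
# classified above is dropped (fail closed) because of catch-all item (R).
KEEP_AS_IS = {"state", "diagnosis_code"}

# CONSTRUCTED population figures per 3-digit zip prefix, not Census data;
# a real implementation must load current Bureau of the Census figures.
ZIP3_POPULATION = {"021": 500_000, "036": 15_000}

AS_OF = date(2015, 6, 1)  # reference date for age computation (constructed)


def safe_harbor_zip(zip_code):
    """Item (B): keep the 3-digit prefix only if it covers more than 20,000
    people; otherwise (or if the prefix is unknown) it becomes '000'."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def safe_harbor_age(birth, as_of):
    """Item (C): ages over 89 collapse into the single category '90+'."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else str(age)


def de_identify(record, as_of=AS_OF):
    """Return a de-identified copy of a patient record per items (A)-(R)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in GEO_BELOW_STATE:
            continue                               # removed outright
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field == "birth_date":
            out["age"] = safe_harbor_age(value, as_of)
            # over 89: even the birth year is indicative of age and must go
            out["birth_year"] = None if out["age"] == "90+" else str(value.year)
        elif field in DATE_FIELDS:
            out[field] = str(value.year)           # all elements except year
        elif field in KEEP_AS_IS:
            out[field] = value
        # unclassified fields are dropped: item (R) catch-all
    return out


def limited_data_set(record):
    """Format 3: drop every direct identifier but keep full dates and
    geography above the household level (street address is excluded)."""
    allowed = (GEO_BELOW_STATE - {"street_address"}) | DATE_FIELDS | KEEP_AS_IS
    allowed |= {"zip", "birth_date"}
    return {k: v for k, v in record.items() if k in allowed}


def assign_reidentification_code(deid_record, source_mrn, key_store):
    """(c)(1): the code is random, not derived from the individual's data.
    (c)(2): the code-to-MRN mapping lives in key_store, which the covered
    entity retains and never hands to the researcher."""
    code = secrets.token_hex(16)
    key_store[code] = source_mrn
    return {**deid_record, "reid_code": code}


# Constructed sample records; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-TEST-0001",
    "phone": "555-0100", "email": "jane@example.invalid",
    "street_address": "1 Example St", "city": "Boston", "county": "Suffolk",
    "state": "MA", "zip": "02139", "birth_date": date(1920, 1, 1),
    "admission_date": date(2014, 3, 7), "discharge_date": date(2014, 3, 12),
    "diagnosis_code": "constructed-dx",
    "clinic_badge_id": "B-7781",      # unclassified: must not leak through
}
SAMPLE_RECORD_2 = {**SAMPLE_RECORD, "name": "John Example", "mrn": "MRN-TEST-0002",
                   "zip": "03601", "birth_date": date(1980, 6, 15)}

if __name__ == "__main__":
    key_store = {}  # retained by the covered entity only
    deid = assign_reidentification_code(de_identify(SAMPLE_RECORD),
                                        SAMPLE_RECORD["mrn"], key_store)
    print("De-identified:", deid)
    print("Limited Data Set:", limited_data_set(SAMPLE_RECORD))
```

Two design choices are worth noting. Unclassified fields are dropped rather than passed through, because item (R) makes any other unique identifying number or code a direct identifier, so the safe default is to fail closed and require an explicit decision for each new field. And an age over 89 suppresses the birth year as well as the full date, since under item (C) the year alone is a date element indicative of that age.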