HIPPA Research Policy

Transcription

1 I. Purpose The purpose of this policy is to clearly define the circumstances under which protected health information (PHI) may and may not be used internally or disclosed externally in connection with research activities. This policy will specify how the covered entity, Ochsner, delegates its research related Health Insurance Portability and Accountability Act (HIPAA) responsibilities. II. III. Scope This policy covers all PHI that is or may be created, used, or disclosed by, through, or during research activities. This policy applies to all Ochsner employees and nonemployees (including visiting faculty, students, non-ochsner residents, industrial personnel, etc...) who conduct research, assist in the performance of research, or otherwise use or disclose PHI in connection with research activities at Ochsner. In many cases, the prior review and approval of the Institutional Review Board () will be required in the implementation of this Policy. Definitions A. Data Use Agreement- a legally binding agreement required by the Privacy Rule between a covered entity and a person or entity that receives a limited data set. The DUA serves as both a means of informing data users of these requirements and a means of obtaining their agreement to abide by these requirements. B. Designated Record Set- A group of records maintained by or for Ochsner that is the medical and billing records about individuals. It includes PHI that is maintained, collected, used, or disseminated by, or for, a covered entity for each individual. The designated record set includes: 1. The medical records and billing records about individuals maintained by or for a covered health care provider (can be in a business associate s records); 2. The enrollment, payment, claims adjudication and case or medical management records systems maintained by or for a health plan; or 3. The information used, in part or in whole, to make decisions about individuals. C. Minimum Necessary Standard: When using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the least amount necessary to accomplish the intended purpose of the request. D. Protected Health Information: individually identifiable information, including demographic information, related to the past, present, or future physical or mental Page 1 of 9

2 health or condition, the provision of health care to an individual, or the past, present, or future payment for such health care, which is created or received by a covered entity. IV. Policy Statements A. Ochsner Health System (Ochsner) will comply with all applicable laws, including the (HIPAA) Privacy & Security Rule (HIPAA Privacy Rule). The purpose of the HIPAA Privacy Rule is to protect the privacy rights of individuals regarding their PHI. V. Procedures/Standards and Roles & Responsibilities A. Research Use or Disclosure of PHI With Authorization 1. As a general rule, a researcher must obtain an authorization for research (authorization) from all participants in research prior to the internal use or external disclosure of PHI for any research-related purpose that is not otherwise permitted or required under this policy. 2. The researcher may incorporate the authorization within the consent form for approval by the or use a separate authorization form, which is available on the website. 3. The individual must be provided with a copy of the signed authorization. 4. The authorization need not be study-specific, provided the authorization effectively describes the future uses and disclosures to enable the individual to understand that their PHI may be used or disclosed for future research. B. Waiver of Authorization by the 1. Research authorizations otherwise required under this policy may be waived or altered by the, provided the determines that: a. The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: i. An adequate plan to protect the identifiers from improper use and disclosure; ii. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and Page 2 of 9

3 iii. Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by this subpart. b. The research could not practicably be conducted without the waiver or alteration; and c. The research could not practicably be conducted without access to and use of the protected health information. 2. A request for a Waiver of Authorization ( waiver) must be completed by the researcher and submitted to the for review and approval prior to initiation of the study. 3. The shall maintain the following documentation about the waiver: i) a statement identifying the and the date on which the waiver request was approved; ii) a statement that the determined that the waiver satisfied the criteria for waiver; iii) a statement that the waiver has been reviewed and approved under either normal or expedited review procedures; and iv) the documentation is signed by the chair or their designee. 4. Uses or disclosures of PHI made pursuant to an waiver are subject to the minimum necessary standard of HIPAA. C. Use and Disclosure of PHI for the Purpose of Contacting and/or Recruiting Potential Research Participants 1. Physicians, and other health care providers, may contact their own patients for purposes of recruiting them to participate in a research study without either an authorization or waiver. If approved by the, a treating physician and researcher within Ochsner may co-sign a recruitment letter to patients with no new HIPAA Privacy Rule requirements. 2. Ochsner employees may use Ochsner PHI to contact prospective research subjects, provided all the requirements of Section D below, Use and Disclosure of PHI Without Authorization Preparatory to Research, are satisfied. 3. An individual may contact a researcher about a study with no new HIPAA Privacy Rule requirements. 4. Ochsner must obtain an authorization from an individual who has indicated interest in participating in a research study prior to asking the individual any screening questions that involve PHI, unless an waiver was obtained. Page 3 of 9

4 5. All other uses and disclosures of PHI for the purpose of contacting and/or recruiting potential research participants may require either an authorization or waiver. Contact the for guidance. D. Use and Disclosure of PHI Without Authorization Preparatory to Research 1. Researchers may use or disclose PHI without an authorization or waiver for the development of a research protocol, provided that the obtains from the researcher representations that: a. Use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research; b. No PHI is to be removed from the covered entity by the researcher in the course of the review; and c. The PHI for which use or access is sought is necessary for the research purposes. 2. Uses or Disclosures of PHI preparatory to research are subject to the minimum necessary standard of HIPAA. E. Use and Disclosure of a Decedent s PHI Without Authorization 1. Researchers may use and disclose a decedent s PHI for research without an authorization or waiver, provided that the researcher documents that all the following criteria are satisfied: i) the use of the decedent s PHI will be solely for research; ii) the researcher has documentation of the death of the decedent about whom information is being sought, and iii) the PHI sought is necessary for the purposes of the research. 2. The researcher must provide documentation that all of the above criteria are satisfied. This will be provided to the via an 3. Uses or disclosures of a decedent s PHI for research purposes are subject to the minimum necessary standard of HIPAA. F. Use or Disclosure of De-Identified Health Information 1. De-identified health information is exempt from HIPAA and may be used or disclosed for research purposes without an authorization or waiver. 2. The researcher must provide documentation to the that the health information has been de-identified by one of the following two methods: Page 4 of 9

5 a. Statistical Method. The may determine that health information is deidentified for purposes of this policy, if an independent, qualified statistician or similar expert: i. Determines that the risk of re-identification of the data, alone or in combination with other data, is very small; and ii. The researcher documents the methods and results by which the health information is de-identified, and the expert makes his/her determination of risk. The expert may not be anyone directly involved in the research study. b. Removal of All Identifiers. Identifiers concerning the individual and the individual s employer, relatives, and household members must be removed pursuant to the HIPAA Privacy Rule. c. The de-identified information may be assigned a code (re-identification code) that can be affixed to the research record that will permit the information to be re-identified if necessary, provided that (1) the code is not derived from or related to information about the individual, and (2) the key to such a code is not accessible to the researcher requesting to use or disclose the deidentified health information. G. Limited Data Set 1. An Ochsner researcher may use or disclose a limited data set for any research purpose without an authorization or Waiver if either the or HIPAA Compliance Office confirms that the researchers has met the requirements of this. a. A limited data set may be used or disclosed only if there is a Data Use Agreement between Ochsner and the recipient of the limited data set. The HIPAA Compliance Office acts on behalf of Ochsner to develop the written agreement. It establishes the permitted uses and disclosures of such information by the limited data set recipient. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; b. Establish who is permitted to use or receive the limited data set; and c. Provide that the limited data set recipient will: i. Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law; Page 5 of 9

6 ii. iii. iv. Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement; Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware; Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and v. Not identify the information or contact the individuals. H. Individual s Access to Research Information 1. As a general rule, individuals who participate in research have a right to access their own PHI that is maintained in a designated record set. 2. An individual's access to PHI created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of access will be reinstated upon completion of the research. I. Individual s Revocation of Research Authorization 1. An individual may revoke an authorization at any time, provided that the revocation is in writing, except to the extent that the covered entity [e.g., researcher] has taken action in reliance thereon. 2. The researcher may continue to use and disclose, for research integrity and reporting purposes, any PHI collected about the individual pursuant to a valid authorization before it was revoked, unless the authorization or consent form specifically limited this use or disclosure. 3. The principal investigator shall keep copies of all revocations of authorizations for a specific protocol, and report them to the at the time of continuing review. J. Accounting of Disclosures 1. An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures where an authorization has been signed, a limited data set disclosed, or totally de-identified information was disclosed. Page 6 of 9

7 2. The HIPAA Compliance Office must keep records of all disclosures of PHI in the following circumstances: a. Disclosures pursuant to an waiver; b. Disclosures of PHI used in preparation of a research protocol; and c. Disclosure of a decedent s PHI used for research. The who acts on behalf of the covered entity to confirm requirements are met for these three types of disclosures must instruct the researcher to utilize whatever disclosure tracking system the HIPAA Compliance Office uses to account for these disclosures. 3. A simplified accounting procedure may be used if the research use or disclosure involves the PHI of more than 50 people. Under the simplified accounting procedure: a. The individual must be provided a list of research protocols in which the individual s PHI may have been used. b. The list must provide the following: i. The name of the protocol or other research activity; ii. iii. iv. A description of the purpose of the study and the type of PHI disclosed; The timeframe during which such disclosures occurred; and The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed. c. Upon request, Health Information Management will assist the individual in contacting those researchers to whom it is likely that the individual s PHI was actually disclosed. VI. VII. Enforcement and Exceptions A. Failure to comply with this policy may result in disciplinary action up to and including termination of employment for employees or termination of contract or service for third-party personnel, students or volunteers. Internal References OHS.CI.010 Page 7 of 9

8 OHS.CI.011 OHS.CI.021 OHS.HIM.046 VIII. External References 45 CFR CFR CFR CFR CFR CFR CFR CFR Fed. Reg IX. Policy History Former Policy # [Remainder of page intentionally left blank, approval signatures and reviewers listed on next page] Page 8 of 9

9 X. Approved Warner Thomas, President and Chief Executive Officer Michael Hulefeld, Executive Vice President and System Chief Operating Officer William W. Pinsky, M.D., Executive Vice President and Chief Academic Officer Page 9 of 9