HIPAA Insurance Portability Act HIPAA. HIPAA Privacy Rule - Education Module for Institutional Review Boards


The HIPAA Privacy Rule protects the privacy and security of an individual's health information held by a Covered Entity (45 CFR sections 160, 164). The HIPAA Privacy Rule supplements the Common Rule and the FDA's protections for human subjects.

Introduction

HIPAA is federal law that applies to health care providers, health plans, and health care clearinghouses. These are Covered Entities ("CEs"). The University of California is a hybrid Covered Entity with both covered and non-covered functions. All UC covered entities constitute a single health care component (SHCC).

Protected Health Information - PHI

What is Protected Health Information? Information pertaining to an individual's past, present, or future:
1. Physical or mental health
2. Diagnosis and/or treatment
3. Payment for health care

The information includes personal identifiers, and information that is created, used, or disclosed by a Covered Entity.

Personal Identifiers

Personal Identifiers under HIPAA are:
- Name
- Dates of Treatment
- Address
- Account #
- Phone
- Certificate/License #
- Fax
- Email Address
- Social Security #
- Date of Birth
- Medical Record #
- Health Plan ID#
- Device Identifiers & Serial Numbers
- Vehicle Identifiers & Serial Numbers
- URL
- IP Address
- Biometric Identifiers, including fingerprints
- Full face photo and other like image

Covered Entity's Responsibility

The CE is responsible for protecting PHI. The CE must ensure that PHI:
- Is only used or released for treatment, payment or operations (TPO) and as permitted or required by law; or
- If not used for TPO, is released only with the patient's authorization; or
- If not used for TPO, is released only under an exception to the authorization requirement.

HIPAA and Research

Individually identifiable health information that is collected and used solely for research is NOT PHI. Researchers obtaining PHI from a CE must obtain the subject's authorization or must justify an exception to the authorization requirement. The exceptions are:
- Waiver of authorization
- Limited Data Set
- De-identified Data Set

CE's Release of PHI for Research Purposes

Conditions under which the CE may release PHI for research purposes:
- Authorization by subject or subject's representative
- Waiver of authorization by IRB or Privacy Board
- Decedent research
- Limited data set
- De-identified data set
- Disclosures related to FDA-regulated product

Otherwise, you can't touch it!

Impact on University's Researchers

To obtain PHI from a CE, a researcher must provide the CE with a Letter of Approval from an Institutional Review Board (IRB) or Privacy Board and one of the following:
- Subject's Authorization to release PHI, or
- Certification of Waiver of Authorization by IRB or Privacy Board, or
- Request for Limited Data Set or De-identified Data Set

The researcher may request from the CE only the minimum information necessary to conduct the research.

IRB's Responsibility

Assure the CE that all research-related HIPAA requirements have been met:
- Provide letter of approval to the researcher to conduct research with PHI.
- Certify and document that waiver of authorization criteria are met.
- Review and approve all authorizations and data use agreements.
- Retain records documenting HIPAA actions for six years.

Subject's Authorization

- The authorization must include specific elements.
- The authorization may be part of or attached to the research consent form.
- An IRB or a Privacy Board must approve the language of the authorization.
- The original signed authorization is retained by the CE; the subject gets a copy.

Authorization Elements Required by HIPAA

- Description of information to be used
- Name or class of persons authorized to disclose information
- Name or class of recipients of the information
- Description of research purpose
- Expiration date of authorization

Authorization Expiration

- Right to revoke authorization
- That HIPAA protections may not apply to pre-disclosed information
- Consequences of a refusal to sign an authorization
- Signature and date

If the research has no expiration date, the authorization must state "No Expiration Date."

Waiver of Authorization

Expiration may be a specific date or relate to the individual or to the purpose:
- February 25, 2006
- End of the research study
- 5 years after last patient is enrolled

After the stated date or event, the researcher can no longer use the PHI.

Investigator provides IRB approval of Waiver of Authorization to CE.

Waiver of Authorization

IRB approval provides:
1. IRB name, date of approval, brief description of PHI; and
2. Statement that IRB has approved Waiver of Authorization under normal or expedited review per Common Rule; and
3. Statement that IRB or Privacy Board has determined that research could not practicably be conducted without waiver and without PHI.

Waiver of Authorization

IRB approval also states that:
- IRB or Privacy Board has determined that research poses no more than minimal risk to subject's privacy based on written assurance that the PHI will not be reused or disclosed, and
- Researcher has provided adequate plan to:
  - Protect identifiers from improper use or disclosure; and
  - Destroy the identifiers unless retention is justified or required by law

IRB or Privacy Board must retain documentation of waiver criteria for six years.

NOTE: The CE is responsible for providing an accounting to the subject of release of PHI under a research waiver.

Limited Data Set (LDS)

LDS may include:
- Zip code
- Full dates of birth or death
- Full date(s) of service
- Geographic subdivision (city)

LDS may not include other personal identifiers of subject, relatives, employer, or household members.

NOTE: The CE does not have to account to the subject for disclosures using a limited data set.

De-identification: Two Methods

- Remove all eighteen personal identifiers of subject, relatives, employer, or household members; or
- Biostatistician confirms that individual cannot be identified.

NOTE: The CE does not have to account to the subject for disclosures using de-identified data.

Use and Disclosure of PHI for Decedents' Research

- Provide representation to the CE that the use or disclosure is solely for research on decedents' protected health information.
- Similar to Waiver of Authorization
- Requires approval by an IRB or a Privacy Board or a UC Privacy Officer

Protocol Approved Before April 14, 2003

- If a study is active before April 14, 2003, subjects enrolled before April 14th do not have to sign a HIPAA authorization or be re-consented.
- If a study is active before April 14, new subjects entered after April 14th must sign a HIPAA authorization addendum to the consent form.
- UC authorization addendum language is provided by the IRB or Privacy Board.
- The IRB or Privacy Board need not re-review the protocol so long as it is unchanged but for the authorization addendum.

Protocol Modified or First Approved After April 14, 2003

- If a study is modified or first approved after April 14, 2003, subjects must sign a consent form containing HIPAA authorization language or a HIPAA authorization addendum to the consent form.
- HIPAA authorization language that is embedded within a consent form must have a separate signature line from the informed consent signature line (Cal. Civil Code 56.11).

Conclusion: HIPAA Privacy Rule

The HIPAA Privacy Rule:
- Places responsibility on the Covered Entity to meet HIPAA requirements for disclosing PHI to a researcher
- Places responsibility on the IRB to assure the Covered Entity that health information will be protected under the research protocol
- Does not replace Common Rule or FDA human subject protection regulations
- Does not override any California Law that provides greater protection for the privacy of health information

Conclusion: HIPAA Privacy Rule

If you have questions regarding the Privacy Rule, contact your campus Privacy Officer or IRB Director.