1 VUMC Confidentiality Policy and HIPAA Implications for Clinical Research General Clinical Research Center Skills Workshop March 2, 2007 Gaye Smith Privacy Official [email protected] 343-3019

Upload: lenard-mclaughlin

Post on 25-Dec-2015


VUMC Confidentiality Policy and HIPAA Implications for Clinical Research

General Clinical Research Center Skills Workshop

March 2, 2007

Gaye Smith, Privacy Official

[email protected]


Vanderbilt as a Hybrid Entity

HIPAA is a federal law that protects the privacy and security of an individual’s health information held by a “Covered Entity.” HIPAA supplements the Common Rule and the FDA’s protections for human subjects. For purposes of HIPAA, “Covered Entity” includes health care providers, health care plans, and health care clearinghouses that conduct specified transactions electronically.

Vanderbilt University is engaged in both Covered Entity functions and other activities that are not Covered Entity functions and is therefore considered a Hybrid Entity.

HIPAA regulations only apply to the Covered Entity functions.


Hybrid Entity Covered Entity Designation

As of March 30, 2005 the Vanderbilt Covered Entity (VCE) includes:

Vanderbilt Medical Center hospitals, clinics, and practices

Vanderbilt Medical Group (VMG)

Vanderbilt School of Medicine (SOM)

Vanderbilt School of Nursing (SON)

Vanderbilt Health Plan

VUMC Administration

for covered functions that involve the use and disclosure of PHI.

In July of 2006, the VACE was expanded to include the affiliated entities for which VUMC has a controlling ownership interest or management accountability.

Whether a Vanderbilt function or individual’s activity on behalf of VU is included in the VACE is determined based not upon any particular dept/unit, but instead upon the data being used and/or disclosed.


Vanderbilt University (a hybrid-entity)/Vanderbilt University Medical Center Affiliated Covered Entity

[Organization chart, labeled "Affiliated Entities-27Nov06", showing each affiliated entity with its ownership percentage.

Entities shown: VHCS (V Home Care Services, 501(c)(3)); UCHS (Univ Community Health Services, Inc. (Vine Hill), 501(c)(3)); VASAP (V Asthma Sinus Allergy Program, 501(c)(3)); VIS (V Imaging Services, LLC; Williamson Imaging, LLC w/ Landman Radiology Center); VIP (V Integrated Providers, non-profit); VIP / MidSouth (VIP MidSouth LLC, physician clinics); VWCC (d/b/a V-Ingram Cancer Center Franklin); VGCC (d/b/a Gateway-V Cancer Treatment Center); Williamson Imaging LLC; VSTI (V St. Thomas Imaging).

Legend: Wholly Owned - In ACE, Non Profit Entity; Partially Owned - In ACE, Non Profit Entity; Partially Owned - In ACE, For Profit Entity; Wholly Owned - In ACE, Disregarded for taxes.]


Data Categories

Individually Identifiable Health Information (IIHI) –

information collected from an individual that is created or received by a health care provider, employer, plan, or clearinghouse and relates to the past, present, or future physical or mental condition of the individual; the provision of health care to an individual; or the past, present, or future payment for the provision of care; and identifies the individual or can reasonably be used to identify the individual.

Protected Health Information (PHI) –

IIHI transmitted or maintained in any form by a covered function within the Vanderbilt covered entity. This specifically excludes education and employment records, as well as research health information.


Data Categories

Research Health Information (RHI) –

a term used by Vanderbilt to identify Individually Identifiable Health Information (IIHI) used for research purposes that is not PHI, and thus is NOT subject to the HIPAA privacy and security regulations. RHI is created in connection with research activity and is not created in connection with patient care activity. If a researcher is also a health care provider and IIHI is created in connection with the researcher’s health care provider activities, then the IIHI is PHI and is subject to HIPAA.

IIHI that is created as PHI and is needed for research purposes may be disclosed to a researcher subject to the IRB approval process, which includes proper patient authorization or IRB waiver of authorization. After the PHI is properly disclosed to the research setting, the IIHI transferred to the research setting becomes RHI, which is no longer subject to the requirements of HIPAA.


WHAT PARTS OF RESEARCH ARE INSIDE THE HEALTHCARE COMPONENT OF THE HYBRID ENTITY?

INSIDE THE HEALTHCARE COMPONENT

PHI is health information created, used, and/or stored as a by-product of the delivery of health care services (stored in the designated record set)

Human Subjects Research using PHI

Clinical Trials

Health Information created as RHI and conveyed to the medical record to support treatment purposes

OUTSIDE THE HEALTHCARE COMPONENT

Research Health Information is created, used, stored, or disclosed from a research data file or system distinctly separate from the patient’s medical record

Animal and Basic Sciences Research

Human Subjects Research not using PHI


PHI <-> RHI (prepared by Daniel Masys, M.D.)

[Diagram showing the two directions of conversion between PHI and RHI.

PHI -> RHI: HIPAA Authorization or IRB waiver (internal disclosure). Authorization converts PHI to RHI whose use is governed by terms of authorization.

RHI -> PHI: Research creates new information added to medical records. Subject to HIPAA requirements (and potentially, penalties).]


Data Handling Implications for PHI vs. RHI

PHI is subject to the HIPAA Privacy Rule and the Security Rule.

RHI is subject to best practices for maintaining confidentiality of research records, but not subject to HIPAA.

Subsequent uses and disclosures of RHI are governed by the terms of the authorization or waiver, not by HIPAA.


Uses and Disclosures for Research

HIPAA and VUMC policy generally limit the use and disclosure of PHI to treatment, payment, and administrative operation (TPO) functions, unless proper authorization is secured from the patient. Research falls outside of TPO and will always require specific authorization or other protections.

PHI can be used or disclosed for research purposes if one of the following conditions is met:

With a specific authorization signed by the patient

With an IRB waiver of this authorization

Under the “Preparatory to Research” criteria in IRB Policy X.A

As a limited data set in conjunction with a Data Use Agreement

As fully de-identified data

For research on decedents

Disclosures related to FDA-regulated products.


Requirements for Use or Disclosure of Data for Human Research

[Flowchart with three data categories: PHI, Limited Data Set, De-identified Data.

Labels in the chart: Patient Authorization; Waiver from IRB; IRB waiver; IRB Exemption; Data Use Agreement; Exempt research, no PHI; Disclosure Accounting IS REQUIRED; Accounting of disclosure NOT required; Accounting of disclosure is NOT required (twice); connectors "or", "or", "and".]


If you have privacy or information security concerns or questions contact:

Privacy Office (936-3594) or email [email protected]

Help Desk (343-4357)

Your manager

Compliance Reporting Line (343-0135)

Always forward patient privacy complaints to Patient Affairs (322-6154) or the Privacy Office.