1 vumc confidentiality policy and hipaa implications for clinical research general clinical research...
TRANSCRIPT
1
VUMC Confidentiality Policy and HIPAA Implications for Clinical Research
General Clinical Research CenterSkills WorkshopMarch 2, 2007
Gaye SmithPrivacy Official
2
Vanderbilt as a Hybrid Entity
HIPAA is a federal law that protects the privacy and security of an individual’s health information held by a “Covered Entity.” HIPAA supplements the Common Rule and the FDA’s protections for human subjects. For purposes of HIPAA, “Covered Entity” includes health care providers, health care plans, and health care clearinghouses that conduct specified transactions electronically.
Vanderbilt University is engaged in both Covered Entity functions and other activities that are not Covered Entity functions and is therefore considered a Hybrid Entity.
HIPAA regulations only apply to the Covered Entity functions.
3
Hybrid Entity Covered Entity Designation
As of March 30, 2005 the Vanderbilt Covered Entity (VCE) includes: Vanderbilt Medical Center hospitals, clinics, and practices Vanderbilt Medical Group (VMG) Vanderbilt School of Medicine (SOM) Vanderbilt School of Nursing (SON) Vanderbilt Health Plan VUMC Administration
for covered functions that involve the use and disclosure of PHI.
In July of 2006, the VACE was expanded to include the affiliated entities for which VUMC has a controlling ownership interest or management accountable.
Whether a Vanderbilt function or individual’s activity on behalf of VU is included in the VACE is determined based not upon any particular dept/unit, but instead upon the data being used and/or disclosed.
4
Vanderbilt University (a hybrid-entity)/Vanderbilt University Medical Center Affiliated Covered Entity
VHCSV Home Care Services
501(c)(3)
UCHSUniv Community
Health Services, Inc. (Vine Hill)501(c)(3)
VASAPV Asthma Sinus Allergy Program
501(c)(3)
VISV Imaging Services, LLCWilliamson Imaging, LLCw/ Landman Radiology
Center
VIPV Integrated Providers
non-profit
VIP / MidSouthVIP MidSouth LLCphysician clinics
50%100%
66.6%
100%
45.56%
Affiliated Entities-27Nov06
VWCCd/b/a V-Ingram Cancer Center
Franklin
100%
VGCCd/b/a Gateway-V
Cancer Treatment Center
50%
Williamson Imaging LLC
80%
Wholly Owned - In ACENon Profit Entity
Partially Owned - In ACE
Non Profit Entity
100%
Partially Owned - In ACE
For Profit Entity
Wholly Owned - In ACEDisregarded for taxes
VSTIV St. Thomas
Imaging
51%
5
Data Categories
Individually Identifiable Health Information (IIHI) –
information collected from an individual that is created or received by a health care provider, employer, plan, or clearinghouse and relates to the past, present, or future physical or mental condition of the individual; the provision of health care to an individual; or the past, present, or future payment for the provision of care; and identifies the individual or can reasonably be used to identify the individual.
Protected Health Information (PHI) –
IIHI transmitted or maintained in any form by a covered function within the Vanderbilt covered entity. This specifically excludes education and employment records, as well as research health information.
6
Data Categories
Research Health Information (RHI) –
a term used by Vanderbilt to identify Individually Identifiable Health Information (IIHI) used for research purposes that is not PHI, and thus is NOT subject to the HIPAA privacy and security regulations. RHI is created in connection with research activity and is not created in connection with patient care activity. If a researcher is also a health care provider and IIHI is created in connection with the researcher’s health care provider activities, then the IIHI is PHI and is subject to HIPAA.
IIHI that is created as PHI and is needed for research purposes may be disclosed to a researcher subject to the IRB approval process, which includes proper patient authorization or IRB waiver of authorization. After the PHI is properly disclosed to the research setting, the IIHI transferred to the research setting becomes RHI, which is no longer subject to the requirements of HIPAA.
7
WHAT PARTS OF RESEARCH ARE INSIDE THE HEALTHCARE COMPONENT OF THE HYBRID ENTITY?
INSIDE THE HEALTHCARE COMPONENT
PHI is health information created, used, and/or stored as a by-product of the delivery of health care services (stored in the designated record set)
Human Subjects Researchusing PHI
Clinical Trials
Health Information created as RHI and conveyed to the medical record to support treatment purposes
OUTSIDE THE HEALTHCARE COMPONENT
Research Health Information is created, used, stored, or disclosed from a research data file or system distinctly separate from the patient’s medical record
Animal and Basic Sciences Research
Human Subjects Research not using PHI
8
PHI <-> RHI(prepared by Daniel Masys, M.D.)
PHI RHIHIPAA Authorization
RHIPHI Research creates new information added to medical records
Subject toHIPAA requirements
(and potentially, penalties)
Authorizationconverts PHI to RHI
whose use is governed by terms of authorization
or IRB waiver
Internal disclosure
9
Data Handling Implications for PHI vs. RHI
PHI is subject to the HIPAA for the Privacy Rule and the Security Rule.
RHI is subject to best practices for maintaining confidentiality of research records, but not subject to HIPAA.
Subsequent uses and disclosures of RHI are governed by the terms of the authorization or waiver, not by HIPAA.
10
Uses and Disclosures for Research
HIPAA and VUMC policy generally limit the use and disclosure of PHI to treatment, payment, and administrative operation (TPO) functions, unless proper authorization is secured from the patient. Research falls outside of TPO and will always require specific authorization or other protections.
PHI can be used or disclosed for research purposes if one of the following conditions is met:
With a specific authorization signed by the patient With an IRB waiver of this authorization Under the “Preparatory to Research” criteria in IRB Policy X.A As a limited data set in conjunction with a Data Use Agreement As fully de-identified data For research on decedents Disclosures related to FDA-regulated products.
11
PHI Limited Data Set De- identified Data
Waiver from IRB
IRB waiver
Exempt research, no PHI
Accounting of disclosure NOT required
Patient Authorization
Disclosure Accounting
IS REQUIRED
or
Requirements for Use or Disclosure of Data for Human Research
IRB Exemption
or
and
Data Use Agreement
Accounting of disclosure is NOT required
Accounting of disclosure is NOT required
12
If you have privacy or information security concerns or questions contact:
Privacy Office (936-3594) or email [email protected]
Help Desk (343-4357) Your manager Compliance Reporting Line (343-0135)
Always forward patient privacy complaints to Patient Affairs (322-6154) or the Privacy Office.