Health Insurance Portability and Accountability Act (HIPAA) and Human Research. Vanderbilt University Medical Center Education Module (PowerPoint presentation transcript, posted 05-Jan-2016).

Page 1

Health Insurance Portability and Accountability Act (HIPAA) and Human Research

Vanderbilt University Medical Center Education Module

Page 2

VUMC Privacy & Security Training

Vanderbilt as a Hybrid Entity

HIPAA is a federal law that protects the privacy and security of an individual’s health information held by a “Covered Entity.” HIPAA supplements the Common Rule and the FDA’s protections for human subjects. For purposes of HIPAA, “Covered Entity” includes health care providers, health care plans, and health care clearinghouses that conduct specified transactions electronically.

Vanderbilt University is engaged in both Covered Entity functions and other activities that are not Covered Entity functions and is therefore considered a Hybrid Entity.

HIPAA regulations only apply to the Covered Entity functions.

Page 3

Hybrid Entity Covered Entity Designation

As of March 30, 2005 the Vanderbilt Covered Entity (VCE) includes:

• Vanderbilt University Medical Center hospitals, clinics, and practices
• Vanderbilt Medical Group (VMG)
• Vanderbilt School of Medicine (SOM)
• Vanderbilt School of Nursing (SON)
• Vanderbilt Health Plan
• VUMC Administration

for covered functions that involve the use and disclosure of PHI.

Whether a Vanderbilt function, or an individual's activity on behalf of VU, falls within the VCE is determined not by the department or unit involved but by the data being used and/or disclosed.

Page 4

Data Categories

• Individually Identifiable Health Information (IIHI) –

information collected from an individual that is created or received by a health care provider, employer, plan, or clearinghouse and relates to the past, present, or future physical or mental condition of the individual; the provision of health care to an individual; or the past, present, or future payment for the provision of care; and identifies the individual or can reasonably be used to identify the individual.

• Protected Health Information (PHI) –

IIHI transmitted or maintained in any form by a covered function within the Vanderbilt covered entity. This specifically excludes education and employment records, as well as research health information.

Page 5

Data Categories

• Research Health Information (RHI) –

a term used by Vanderbilt to identify Individually Identifiable Health Information (IIHI) used for research purposes that is not PHI, and thus is NOT subject to the HIPAA privacy and security regulations. RHI is created in connection with research activity and is not created in connection with patient care activity. If a researcher is also a health care provider and IIHI is created in connection with the researcher’s health care provider activities, then the IIHI is PHI and is subject to HIPAA.

IIHI that is created as PHI and is needed for research purposes may be disclosed to a researcher subject to the IRB approval process, which includes proper patient authorization or IRB waiver of authorization. After the PHI is properly disclosed to the research setting, the IIHI transferred to the research setting becomes RHI, which is no longer subject to the requirements of HIPAA.

Page 6

PHI <-> RHI (diagram prepared by Daniel Masys, M.D.)

[Diagram; recoverable content:]
PHI -> RHI: a HIPAA authorization (or IRB waiver) converts PHI to RHI, whose use is governed by the terms of the authorization or IRB waiver.
RHI -> PHI: when research creates new information that is added to medical records, RHI becomes PHI again and is subject to HIPAA requirements (and potentially, penalties).
Other label on the diagram: "Internal disclosure".

Page 7

Data Categories

• De-identified Data –

IIHI that has been stripped of the 18 identifiers of the individual or relatives, employers, or household members of the individual as defined in the HIPAA regulations. Fully de-identified data is no longer considered PHI and therefore is not subject to HIPAA requirements.

• Limited Data Set (LDS) -

PHI that excludes direct identifiers of the individual or relatives, employers, or household members of the individual with certain exceptions including city, state, zip code, elements of dates, and other numbers, characteristics or codes not listed as direct identifiers.

Page 8

HIPAA Defined Identifiers That Must be Removed from PHI to be a Limited Data Set

• Names;
• Postal address information, other than town or city, State, and zip code;
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers & serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints; and
• Full face photographic images and any comparable images.

Page 9

Identifiers That Must Be Removed In Addition to Those Required for a LDS if the Data is to be Fully De-Identified

• All geographic subdivisions smaller than a State, including street address, county, precinct, and their equivalent geocodes, except for the initial three digits of a zip code under certain circumstances;

• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all individual ages over 89;

• Any other unique identifying number, characteristic, or code, except as permitted under the implementation specifications for re-identification.
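As an added example (not part of the VUMC module), the following Python applies the two tiers the slides describe to a constructed patient record: first the Limited Data Set stripping of the 16 direct identifiers (Page 8), then the additional Safe Harbor generalization of geography, dates and ages over 89 (Page 9). It also runs the check a practitioner wants after field-level stripping: a scan for identifiers that survive inside free-text fields such as clinical notes. The record's field names, the constructed ZIP population table, and the 20,000-person threshold for retaining a three-digit ZIP prefix (from the HIPAA Safe Harbor rule at 45 CFR 164.514(b)(2)(i)(B), not stated on the slides) are assumptions.

```python
"""Added example (not from the VUMC module): Limited Data Set and Safe Harbor
de-identification applied to a constructed patient record.

Assumptions not stated on the slides: the record's field names, the constructed
ZIP population table, and the 20,000-person threshold for keeping a 3-digit ZIP
prefix (HIPAA Safe Harbor rule, 45 CFR 164.514(b)(2)(i)(B)).
"""
import re
from datetime import date

# The 16 direct identifiers that must be removed to reach a Limited Data Set.
LDS_DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "face_photo",
}
# Elements an LDS may keep but full de-identification must generalize or drop.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
SUB_STATE_GEOGRAPHY = {"city", "county"}
OTHER_UNIQUE_CODES = {"study_code"}  # assumed name of a site-specific code field

# Patterns for direct identifiers that commonly leak through free-text fields.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


def to_limited_data_set(record: dict) -> dict:
    """Drop the direct identifiers; city, state, ZIP, dates, ages and other codes stay."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}


def safe_harbor_zip(zip_code: str, zip3_population: dict) -> str:
    """Keep the initial three digits only when the area they cover has more than 20,000 people."""
    zip3 = zip_code[:3]
    return zip3 if zip3_population.get(zip3, 0) > 20_000 else "000"


def safe_harbor_age(age: int) -> str:
    """Ages over 89 collapse into a single category so the very old are not unique."""
    return "90+" if age > 89 else str(age)


def to_safe_harbor(record: dict, zip3_population: dict) -> dict:
    """Full de-identification: start from the LDS, then generalize what the LDS kept."""
    out = to_limited_data_set(record)
    for k in SUB_STATE_GEOGRAPHY | OTHER_UNIQUE_CODES:
        out.pop(k, None)                      # sub-state geography and other unique codes go
    if "zip" in out:
        out["zip"] = safe_harbor_zip(out["zip"], zip3_population)
    for k in DATE_FIELDS.intersection(out):   # dates tied to the individual: year only
        out[k] = out[k].year
    if "age" in out:
        out["age"] = safe_harbor_age(out["age"])
    return out


def residual_identifiers(record: dict) -> dict:
    """Field-level stripping misses identifiers embedded in free text; report any that remain."""
    hits = {}
    for field, value in record.items():
        if isinstance(value, str):
            found = sorted(n for n, p in FREE_TEXT_PATTERNS.items() if p.search(value))
            if found:
                hits[field] = found
    return hits


# Constructed record and ZIP population table (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Patient", "street_address": "123 Elm St",
    "city": "Nashville", "state": "TN", "zip": "37232",
    "phone": "615-555-0100", "email": "jane@example.com",
    "ssn": "123-45-6789", "mrn": "MRN0001",
    "birth_date": date(1931, 4, 12), "admission_date": date(2015, 11, 3),
    "age": 94, "diagnosis": "I10", "study_code": "VU-STUDY-7781",
    "note": "Pt called from 615-555-0100; daughter jane@example.com",
}
ZIP3_POPULATION = {"372": 650_000, "036": 15_000}

if __name__ == "__main__":
    lds = to_limited_data_set(SAMPLE_RECORD)
    print("Limited Data Set:", lds)
    print("Identifiers still in LDS free text:", residual_identifiers(lds))
    print("Safe Harbor:", to_safe_harbor(SAMPLE_RECORD, ZIP3_POPULATION))
```

The point the free-text scan makes is that neither tier is reached by dropping columns alone: the note field in the constructed record still carries a phone number and an e-mail address after both transformations, so a release pipeline needs a content check, not just a schema check, before data is treated as an LDS or as de-identified.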

Page 10

Uses and Disclosures for Research

HIPAA and VUMC policy generally limit the use and disclosure of PHI to treatment, payment, and health care operations (TPO), unless proper authorization is secured from the patient. Research falls outside of TPO and always requires specific authorization or one of the other protections listed below.

PHI can be used or disclosed for research purposes if one of the following conditions is met:

• With a specific authorization signed by the patient
• With an IRB waiver of this authorization
• Under the “Preparatory to Research” criteria in IRB Policy X.A
• As a limited data set in conjunction with a Data Use Agreement
• As fully de-identified data
• For research on decedents
• Disclosures related to FDA-regulated products.

Page 11

Requirements for Use or Disclosure of Data for Human Research

[Flow chart; recoverable content, by data category:]
• PHI: Patient Authorization (accounting of disclosure NOT required) or Waiver from IRB (disclosure accounting IS REQUIRED)
• Limited Data Set: IRB waiver or IRB Exemption, and a Data Use Agreement (accounting of disclosure is NOT required)
• De-identified Data: Exempt research, no PHI (accounting of disclosure is NOT required)

Page 12

Requirements for Use or Disclosure of Data for Research

The table below shows, generally, how the HIPAA rules apply to the IRB oversight of human research.

IRB Process | HIPAA Requirement
Studies with full or expedited review using PHI | Authorization OR IRB Waiver of Authorization
B(4) Exempt Studies | Limited Data Set with a Data Use Agreement OR De-identified Data
Other Exempt Research and Preparatory to Research | De-identified Data OR Meets “Preparatory to Research” criteria of IRB Policy X.A OR Research on decedents only

Page 13

Use of PHI for Research Requires Patient Authorization or Waiver of Authorization from the IRB

• PHI may be disclosed to a researcher who is also a health care provider pursuant to patient authorization or IRB Waiver

• Use of PHI with proper patient authorization does NOT require disclosure tracking.

• Use of PHI through an IRB Waiver of Authorization DOES require disclosure tracking (even for use by a Vanderbilt researcher)

• Disclosure Tracking may be done for each record through the online system accessed through StarPanel; or a direct link on the HIPAA website; or in batch using a Disclosure Template available from the Privacy Office

Page 14

Use of a Limited Data Set

• HIPAA allows the VCE to disclose partially de-identified data – called a limited data set – for research purposes without obtaining patient authorization or an IRB waiver of authorization.

• Use of a Limited Data Set does NOT trigger the requirement for disclosure tracking.

• Use of a Limited Data Set always requires a Data Use Agreement.

• The IRB application forms contain the required elements of a Data Use Agreement for use and disclosure of data within Vanderbilt University in the Section labeled Intra-Vanderbilt Data Use Agreement.

• A stand alone external Data Use Agreement must be prepared whenever the LDS will be shared for use or disclosure by a person or entity not employed by Vanderbilt University. This language can be obtained from the Office of Grants and Contract Management or the Privacy Office.

Page 15

Research Activities Without IRB Review

HIPAA permits researchers to conduct certain research activities that are not subject to IRB review.

• Use of PHI consistent with the “Preparatory to Research” criteria defined in IRB Policy X.A

• Use of PHI for research on decedents.

HIPAA requires researchers requesting data for such research activities to provide written representations that:

• the information is being used only for such purposes;
• the information is necessary for the research; and
• the information will not be removed from VUMC (for use preparatory to research); or
• the research involves only deceased individuals (for research on decedents).

Managers of areas that release data for these research purposes will manage the collection of these representations when a request for data is made.

Page 16

Contact Information

• Questions related to HIPAA requirements for research may be directed to the Privacy Office at 936-3594 or email [email protected]

• Questions related to IRB requirements may be directed to the IRB Office at 322-2918.