Privacy & Confidentiality

Privacy and Confidentiality in Clinical Research. By Hemang Patel, Yogesh Patel, Jaimin Patel and Tejas Goswami, ICRI-Ahmedabad, MSc. CT & CR (2011-13)


DESCRIPTION

This presentation explains the privacy and confidentiality concerns of clinical research. The HIPAA Privacy Rule is also covered.

TRANSCRIPT

Page 1: Privacy & Confidentiality

Privacy and Confidentiality in Clinical Research

By Hemang Patel, Yogesh Patel, Jaimin Patel and Tejas Goswami

ICRI-Ahmedabad, MSc. CT & CR (2011-13)

Page 2: Privacy & Confidentiality

"Whatsoever things I see or hear, in my attendance on the sick or even apart therefrom, which on no account one must spread abroad, I will keep to myself, holding such things as sacred secrets."

- Hippocratic Oath, 4th century B.C.E.

Page 3: Privacy & Confidentiality

Privacy

Privacy is the desire of a person to control the disclosure of personal health information.

The federal regulations define "private information" as "information about behaviour that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public."

Page 4: Privacy & Confidentiality

Confidentiality

Confidentiality has been defined as the practice of maintaining the security of information elicited from an individual in the privileged circumstances of a professional relationship.

Page 5: Privacy & Confidentiality

Confidentiality (continued)

The delicate balance between the need to know of every employee, physician and volunteer and the patient's right to privacy is at the heart of the HIPAA Privacy Rule.

Page 6: Privacy & Confidentiality

Privacy and confidentiality are also supported by two principles of the Belmont Report:

Respect for persons

Beneficence

Page 7: Privacy & Confidentiality

Benefits of Maintaining Confidentiality

It helps establish trust between the research participant and the researcher.

It reduces worry on the part of the individual.

It maintains the participant's dignity.

The participant feels respected.

It gives the participant control and promotes autonomy.

Page 8: Privacy & Confidentiality

Privacy vs. Confidentiality: What is the Difference?

Privacy applies to the person:

o The way potential participants are identified and contacted
o The setting in which potential participants will interact with the research team, and who is present during research procedures
o The methods used to collect information about participants
o The type of information being collected
o Access to the minimum amount of information necessary to conduct the research

Confidentiality applies to the data:

o An extension of privacy
o Pertains to identifiable data
o An agreement about maintenance of, and who has access to, identifiable data
o What procedures will be put in place to ensure that only authorized individuals have access to the information, and
o Limitations (if any) to these confidentiality procedures
o In regard to HIPAA, protection of patients from inappropriate disclosures of Protected Health Information (PHI)

Page 9: Privacy & Confidentiality

Code of Federal Regulations Title 45 Part 46: The Common Rule

Title 45, Part 46 of the Code of Federal Regulations (45 CFR 46) is also known as the Common Rule.

The Common Rule defines a human subject as a living individual about whom an investigator obtains either data through intervention or interaction with the individual, or identifiable private information. It is clear that these data need to be protected.

Protecting data is the key to protecting privacy.

Page 10: Privacy & Confidentiality

Food and Drug Administration Regulation: 21 CFR

The Food and Drug Administration (FDA) requires statements in the Informed Consent Form (21 CFR 50.25):

that describe the extent to which confidentiality of records that can identify the participant in the research will be maintained, and

that inform the participant that the FDA may inspect the research records.

Page 11: Privacy & Confidentiality

Certificates of Confidentiality (CoC)

Certificates of Confidentiality (CoCs), issued by the National Institutes of Health (NIH), allow the researcher to refuse to disclose identifying information on research participants in any civil, criminal, administrative, legislative or other proceeding, whether at the federal, state or local level, unless the participant consents.

Page 12: Privacy & Confidentiality

The History of HIPAA

The U.S. federal government passed a law in 1996 that created national standards to protect patient medical records and other personal health information.

This federal legislation is called the Health Insurance Portability and Accountability Act (HIPAA).

Page 13: Privacy & Confidentiality

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that specifies administrative simplification provisions that:

Protect the privacy of patient information

Provide for electronic and physical security of patient health information

Require "minimum necessary" use and disclosure

Specify patient rights to approve the access and use of their medical information

Page 14: Privacy & Confidentiality

Objectives

At the completion of this study packet, the participant will:

• Have a basic understanding of HIPAA Privacy Standards

• Be able to provide examples of patient privacy protection

• Be able to define Protected Health Information (PHI)

• Have a basic understanding of the role of the Facility Privacy Official (FPO)

Page 15: Privacy & Confidentiality

Why do we need HIPAA?

1996 - In Tampa, a public health worker sent two newspapers a computer disk containing the names of 4,000 people who had tested positive for HIV.

2000 - Darryl Strawberry's medical records from a visit to a New York hospital were reviewed 365 times. An audit determined that less than 3% of those reviewing his records had even a remote connection to his care.

2001 - An e-mail sent to the members of a Prozac informational listserv revealed the identities of other Prozac users.

Page 16: Privacy & Confidentiality

HIPAA - Privacy & Security Concerns

Theft of patient data: identity theft, stolen laptop

Loss of patient data: incorrect disposal of documents; portable devices increase the possibility of data loss

Misuse of patient data: privacy breach

Page 17: Privacy & Confidentiality

HIPAA Patient Rights

HIPAA guarantees these rights to patients:

Right to privacy

Right to confidential use of protected health information (PHI) for treatment, billing and other health care operations (such as quality improvement)

Right to access and amend their health information upon request

Page 18: Privacy & Confidentiality

HIPAA Patient Rights (continued)

Right to provide specific authorization for uses of their health information other than treatment, billing and other operations.

Right to have their name withheld from patient directories (not having their name listed as being present in a facility, other than for treatment, billing and other operations).

Right to request that information concerning their care is not released to specific individuals.

Right to request that specific individuals are not told of their presence in a facility.

Page 19: Privacy & Confidentiality

HIPAA Patient Rights (continued)

Every patient should receive a document called a Notice (of Privacy Practices) and be asked to acknowledge in writing that they received it. A separate Authorization is needed only for uses and disclosures outside treatment, payment and health care operations.

This Notice gives patients:

Information about their rights.

A description of how their PHI may be used by the facility.

A comprehensive list of others to whom their health information may be disclosed.

The Notice must be given to the patient on the first treatment date or, in an emergency, as soon as is practical.

Page 20: Privacy & Confidentiality

HIPAA Patient Rights (continued)

An Authorization is a form signed by the patient for the use and disclosure of specific PHI that is not related to treatment, payment or health care operations.

There are some uses and disclosures for which an authorization is not required.

When in doubt about whether a signed authorization is required for some information...

~ Please ASK your instructor ~

Page 21: Privacy & Confidentiality

Failure to Comply

o Every health care organization is expected to develop policies and procedures to guide HIPAA practices within its facility.
o Every person who provides care or assistance to patients in that facility is expected to understand and comply with HIPAA regulations. It is essential that all patient health information be kept confidential.
o Organizations or individuals that violate HIPAA rules are subject to monetary fines (up to $250,000!) and civil or criminal charges (up to 10 years in jail!).
o Failure to comply may also:
  o hurt the reputation of the facility
  o put accreditation at risk
  o result in costly lawsuits

Page 22: Privacy & Confidentiality

What do YOU need to know?

Patients have the right to register complaints with federal agencies and with the facility if they feel their rights have been violated.

Every facility has a Privacy Officer who is responsible for overseeing HIPAA implementation.

If you are uncertain about what information may be given out, talk to your instructor or a nurse on the unit where you are assigned, or contact the Privacy Officer.

Page 23: Privacy & Confidentiality

Unauthorized Disclosures

One of the biggest threats to patient privacy is UNINTENTIONAL disclosure of information. Examples include:

Discussing patient information where other patients, visitors or staff may overhear, such as in elevators, hallways, dining facilities or other common areas.

Leaving sensitive information in a location where patients or visitors could possibly see it.

Page 24: Privacy & Confidentiality

Unauthorized Disclosures (continued)

Another threat to patient privacy is a staff member who intentionally uses or discloses information in an unauthorized way:

Copying information and taking it home

Removing medical records and giving them to those with no legal right of possession

Deliberately sharing information with unauthorized persons (family members, friends, colleagues, news reporters, etc.)

Using confidential information to gossip about patients

Leaving a computer unattended after logging in to an application

Sharing passwords with others or leaving passwords written down near a computer

Page 25: Privacy & Confidentiality

Unauthorized Disclosures (continued)

Always be cognizant of:

• Where you are
• Who is around you
• What information can be seen or heard
• How you can "minimize possible incidental disclosure to others"

You must ensure that PHI is only shared:

• With those who need to know
• At the minimum level necessary

Page 26: Privacy & Confidentiality

Unauthorized Disclosures (continued)

As a nurse:

• Don't browse through a patient's charts or files out of curiosity
• Access only the portions of the medical record that you need to perform your role as a student nurse

It is essential that everyone with access to PHI be aware of what is going on in their surroundings.
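The "access only what you need" rule is enforced largely after the fact, by reading the audit trail: in the Darryl Strawberry case on Page 15 it was an audit of who had opened the chart that showed fewer than 3% of readers had any connection to his care. The following is an added example, not part of the original slides, of that kind of review run over constructed access-log lines. It flags every chart read by a user who is neither on the patient's care team nor in a break-glass (emergency) role, and lists patients whose chart drew many readers from outside the team. The log format, the user and patient names, the care-team table and the thresholds are assumptions made for illustration.

```python
"""Need-to-know review of EHR chart-access logs.

Added example with constructed data: the log line format, the care-team
table, the role names and the thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict

# One access event per line.  Real systems log more fields; these suffice here.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) "
    r"action=(?P<action>\S+) section=(?P<section>\S+)$"
)

# Who is assigned to each patient (constructed).  In practice this comes from
# the admission/assignment system, not from a hand-written table.
CARE_TEAM = {
    "P001": {"nurse_a", "dr_b"},
    "P002": {"nurse_d"},
    "P999": {"dr_e"},
}

# Break-glass roles may read any chart, but those reads are still reviewed.
EMERGENCY_USERS = frozenset({"er_oncall"})

# Constructed log sample.  P999 plays the role of a patient whose chart is
# being browsed out of curiosity; the last line is deliberately malformed.
SAMPLE_LOG = """\
2012-03-14T09:12:01 user=nurse_a patient=P001 action=VIEW section=labs
2012-03-14T09:15:40 user=dr_b patient=P001 action=VIEW section=notes
2012-03-14T09:20:05 user=clerk_c patient=P001 action=VIEW section=demographics
2012-03-14T10:02:11 user=nurse_a patient=P002 action=VIEW section=notes
2012-03-14T10:05:00 user=er_oncall patient=P002 action=VIEW section=meds
2012-03-14T11:00:00 user=dr_e patient=P999 action=VIEW section=notes
2012-03-14T11:01:00 user=nurse_f patient=P999 action=VIEW section=notes
2012-03-14T11:02:00 user=nurse_g patient=P999 action=VIEW section=notes
2012-03-14T11:03:00 user=tech_h patient=P999 action=VIEW section=imaging
2012-03-14T11:04:00 user=clerk_c patient=P999 action=VIEW section=demographics
2012-03-14T11:05:00 user=admin_i patient=P999 action=VIEW section=notes
this line is not a log record
""".splitlines()


def parse_log(lines):
    """Parse log lines into dicts; malformed lines are skipped (count them in production)."""
    events = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def flag_unassigned_access(events, care_team, emergency_users=frozenset()):
    """Return the events whose user is neither on the patient's care team nor a break-glass role."""
    flagged = []
    for event in events:
        allowed = care_team.get(event["patient"], set())
        if event["user"] not in allowed and event["user"] not in emergency_users:
            flagged.append(event)
    return flagged


def reader_stats(events, care_team):
    """Per patient: number of distinct readers and how many of them are on the care team."""
    readers = defaultdict(set)
    for event in events:
        readers[event["patient"]].add(event["user"])
    stats = {}
    for patient, users in readers.items():
        on_team = len(users & care_team.get(patient, set()))
        stats[patient] = {
            "readers": len(users),
            "on_team": on_team,
            "on_team_fraction": on_team / len(users),
        }
    return stats


def suspicious_patients(stats, min_readers=5, max_on_team_fraction=0.5):
    """Patients whose chart drew many readers, most of them off the care team."""
    return sorted(
        patient for patient, s in stats.items()
        if s["readers"] >= min_readers and s["on_team_fraction"] <= max_on_team_fraction
    )


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for event in flag_unassigned_access(events, CARE_TEAM, EMERGENCY_USERS):
        print("unassigned read:", event["ts"], event["user"], event["patient"], event["section"])
    stats = reader_stats(events, CARE_TEAM)
    print("patients needing review:", suspicious_patients(stats))
```

The per-event check catches the individual curiosity read (clerk_c opening P001's demographics); the per-patient statistic catches the pattern that a single flagged read would not, a chart that many unrelated staff have opened. Both depend on the care-team assignment being accurate and on break-glass reads being reviewed separately rather than silently allowed.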

Page 27: Privacy & Confidentiality

Good Computing Practices: 10 Safeguards for Users

1. User ID or log-in name (user access controls)
2. Passwords
3. Workstation security
4. Portable device security (USB drives, laptops)
5. Data management, e.g. back-up, archive, restore
6. Remote access (VPN)
7. Recycling electronic media and computers
8. E-mail
9. Safe Internet use (viruses)
10. Reporting security incidents and breaches

Page 28: Privacy & Confidentiality

Security Controls

Laptop and file encryption:

o WinZip (password protect + encrypt)
o 7-Zip (free, password protect + encrypt)
o TrueCrypt (free, complete folder encryption)
o FileVault (folder encryption on Macintosh)

Encrypted USB drives:

Kingston DataTraveler

IronKey (fully encrypted)

Notes for current use: with WinZip and 7-Zip choose AES-256 rather than the legacy ZipCrypto method, and encrypt the archive headers where the tool supports it (7-Zip's .7z format does), otherwise file names stay readable. TrueCrypt development ended in 2014 and the project is no longer maintained; VeraCrypt is its maintained successor. Current FileVault (FileVault 2) encrypts the whole startup disk, not only folders. Only the Kingston DataTraveler models sold as encrypted drives encrypt on-device; a plain DataTraveler does not. None of these protect data at rest if the passphrase is weak or travels with the device.

Page 29: Privacy & Confidentiality

Types of Security Failure

Sharing passwords: You are responsible for your password. If you shared your password, you will be disciplined even if the other person made no inappropriate access.

Not signing off systems: You are responsible, and will be disciplined, if another person uses your not-signed-off system or application.

Page 30: Privacy & Confidentiality

Types of Security Failure (continued)

Sending electronic PHI (ePHI) outside the institution without encryption: under HITECH you may be personally liable for losing ePHI.

Losing a PDA or laptop in transit with unencrypted PHI or PII: under HITECH and New York State SSN laws you may be personally liable, and you will be disciplined for loss of PHI or PII.

Page 31: Privacy & Confidentiality

What you need to know about Information Security

Study on Data Breaches (Nov 2007), breaches by cause:

Lost laptop/device: 49%
Third party/outsourcer: 16%
Paper records: 9%
Malicious insider: 9%
Electronic backup: 7%
Hacked system: 5%
Malicious code: 4%
Undisclosed: 2%

Page 32: Privacy & Confidentiality

Protected Health Information (PHI)

This section explains:

• What information must be protected
• PHI identifiers
• The Notice of Privacy Practices (NOPP) for PHI
• Purposes other than Treatment, Payment or Operations (TPO)
• Examples of TPO
• Exceptions to the "minimum necessary" standard
• When you should view, use or share PHI

Page 33: Privacy & Confidentiality

What Information Must Be Protected?

PHI:

Is information related to a patient's past, present or future physical and/or mental health or condition

Can be in any form: written, spoken or electronic (including video, photographs and x-rays)

Includes at least one of the 18 personal identifiers in association with health information

You must protect an individual's PHI that is collected or created as a consequence of the provision of health care.

Page 34: Privacy & Confidentiality

What Information Must Be Protected? (continued)

These rules apply to you when you view, use and share PHI.

Any health information with identifiers (on the following page) is Protected Health Information (PHI).

Page 35: Privacy & Confidentiality

Protected Health Information (PHI) Identifiers

The 18 identifiers defined by HIPAA are:

1. Name
2. Postal address
3. All elements of dates except year
4. Telephone number
5. Fax number
6. E-mail address
7. URL address
8. IP address
9. Social Security number
10. Account numbers
11. License numbers
12. Medical record number
13. Health plan beneficiary number
14. Device identifiers and their serial numbers
15. Vehicle identifiers and serial numbers
16. Biometric identifiers (finger and voice prints)
17. Full-face photos and other comparable images
18. Any other unique identifying number, code or characteristic
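A worked check for the list above, added here as an example and not taken from the original slides: it scans a research record, drops the fields that are direct identifiers by name, masks the identifiers that have a recognisable shape in free text (Social Security number, phone, e-mail, URL, IP address, medical record number) and reduces dates to the year only. The field names, the regular expressions and the sample record are this example's own assumptions. Names inside free text cannot be caught by patterns and still need manual review, and the Safe Harbor method in 45 CFR 164.514(b) also specifies ZIP-code truncation and aggregation of ages over 89, which the slide's list omits and this example does not implement.

```python
"""Scan a research record for HIPAA Safe Harbor identifiers and strip them.

Added example: the field names, regular expressions and sample record are
assumptions made for illustration, not part of any standard or of the slides.
"""
import re

# Fields that are direct identifiers by name and are dropped wholesale.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "mrn", "health_plan_id", "account_number",
    "license_number", "device_serial", "vehicle_id", "photo", "biometric",
}

# (kind, pattern, year_group) for identifiers with a recognisable shape in free
# text.  When year_group is set the match is a date and only that group (the
# year) is kept, per "all elements of dates except year"; otherwise the whole
# match is masked.  The patterns are deliberately simple and will miss oddly
# formatted values, so a clean scan is necessary, not sufficient.
TEXT_PATTERNS = [
    ("ssn",      re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("phone",    re.compile(r"(?:\+?1[-. ])?\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"), None),
    ("email",    re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
    ("url",      re.compile(r"\bhttps?://\S+", re.IGNORECASE), None),
    ("ip",       re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), None),
    ("mrn",      re.compile(r"\bMRN[:#]?\s*\d+\b", re.IGNORECASE), None),
    ("date_us",  re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), 1),
    ("date_iso", re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), 1),
]


def redact_text(text):
    """Return (redacted_text, findings) for one free-text value."""
    findings = []
    for kind, pattern, year_group in TEXT_PATTERNS:
        def replace(match, kind=kind, year_group=year_group):
            findings.append((kind, match.group(0)))
            if year_group is not None:
                return match.group(year_group)   # keep the year only
            return "[%s]" % kind.upper()
        text = pattern.sub(replace, text)
    return text, findings


def deidentify_record(record):
    """Drop direct-identifier fields and scrub string values; return (clean, findings).

    findings lists every identifier removed so a reviewer can confirm what the
    scan did before the data set leaves the covered entity.
    """
    clean, findings = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            findings.append((field, value))
            continue
        if isinstance(value, str):
            value, found = redact_text(value)
            findings.extend(found)
        clean[field] = value
    return clean, findings


# Constructed sample record; the patient, note and values are invented.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "00123456",
    "dob": "1960-07-02",
    "diagnosis": "Type 2 diabetes mellitus",
    "hba1c_percent": 7.4,
    "note": ("Seen 03/14/2012 (MRN 00123456). Contact 415-555-0123 or "
             "jane.doe@example.org; portal https://portal.example.org/u/jdoe "
             "accessed from 10.0.0.5. SSN 123-45-6789 on file."),
}

if __name__ == "__main__":
    clean, findings = deidentify_record(SAMPLE_RECORD)
    for kind, value in findings:
        print("removed %-9s %s" % (kind + ":", value))
    print(clean)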

Page 36: Privacy & Confidentiality

Notice of Privacy Practices for PHI

Treatment (T), Payment (P), Operations (O)

The Notice of Privacy Practices (NOPP) allows PHI to be used and disclosed for purposes of TPO.

TPO includes teaching, medical staff/peer review, legal, auditing, customer service, business management, and releases mandated by law.

Page 39: Privacy & Confidentiality

Notice of Privacy Practices: Patient Rights

Patients have the right to:

Request restrictions on release of their PHI

Receive confidential communications

Inspect and copy medical records (access)

Request amendment of medical records

Make a complaint

Receive an accounting of any external releases

Obtain a paper copy of the Notice of Privacy Practices on request

Page 40: Privacy & Confidentiality

Authorization to Release Medical Information

Written authorization is required to release medical information.

A physician or care team may share information with a referring physician without an authorization ("patient in common").

All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review.

Page 41: Privacy & Confidentiality

Good Clinical Practice (GCP)

ICH Harmonised Tripartite Guideline, Guideline for Good Clinical Practice, E6 (http://www.ich.org/LOB/media/MEDIA482.pdf)

Good Clinical Practice (GCP) is an international ethical and scientific quality standard for designing, conducting, recording and reporting trials that involve the participation of human subjects.

"Compliance with this standard provides public assurance that the rights, safety and well-being of trial subjects are protected, consistent with the principles that have their origin in the Declaration of Helsinki, and that the clinical trial data are credible."

Page 42: Privacy & Confidentiality

Which Regulations do you Follow?

Federally funded: Department of Health and Human Services (HHS)

45 CFR 46, the "Common Rule": the federal policy for the protection of human subjects, codified by a number of federal agencies.
45 CFR 46 Subpart B: Protection for Pregnant Women, Human Fetuses and Neonates
45 CFR 46 Subpart C: Protection for Prisoners
45 CFR 46 Subpart D: Protection for Children

FDA regulated: Title 21 Code of Federal Regulations (CFR)

21 CFR Part 50: Human Subject Protection
21 CFR Part 54: Financial Disclosure
21 CFR Part 56: Institutional Review Boards
21 CFR Part 312: Investigational New Drug Application
21 CFR Parts 803, 812: Devices

• Health Insurance Portability and Accountability Act (HIPAA): Office for Civil Rights
• National Coverage Decision (NCD): Office of Inspector General (OIG)
• VA policies and procedures

Page 43: Privacy & Confidentiality

PATIENT PRIVACY

At some point in our lives we will all be a patient.

Treat all information as though it were your own.

Page 44: Privacy & Confidentiality

References

http://hipaa.ucsf.edu/education/downloads/ConfidentialityStatement.pdf

http://www.research.uci.edu/ora/hrpp/privacyAndConfidentiality.htm

http://privacyruleandresearch.nih.gov/clin_research.asp

http://www.ncbi.nlm.nih.gov/pubmed/10107515