Research & HIPAA October, 2016
Overview
• HIPAA & Research
• Increased Enforcement
• HIPAA Security
HIPAA & Research
HIPAA & Research
PHI Use for Research:
• Patient Authorization
• Full Waiver
• Partial Waiver
• Preparatory to Research
• Decedents
• Limited Data Sets
PHI Disclosure for Research:
• Patient Authorization
• Full Waiver
• Partial Waiver
• Preparatory to Research
• Decedents
• Limited Data Sets
Minimum Necessary (applies to both use and disclosure)
Protected Health Information
(1) Names (including initials);
(2) Street address, city, county, precinct, zip code, and equivalent geo-codes;
(3) ALL elements of dates (except year) for dates directly related to an individual and all ages over 89 (this would include procedure dates, date of admission, date of lab work, etc.);
(4) Telephone numbers;
(5) Fax numbers;
(6) Electronic mail addresses;
(7) Social security numbers;
(8) Medical record numbers;
(9) Health plan ID numbers;
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers, including license plate numbers;
(13) Device identifiers/serial numbers;
(14) Web addresses (URLs);
(15) Internet IP addresses;
(16) Biometric identifiers, incl. finger and voice prints;
(17) Full face photographic images and any comparable images; and
(18) Any other unique identifying number, characteristic, or code.
Research Requirements
Authorization:
• Specific elements
• Signed by the patient or personal representative
• Save for 6 years
Waiver of HIPAA Authorization:
• Factors considered
• Must save for 6 years
HIPAA Research Authorization Elements
Core Elements:
• Description of PHI to be used or disclosed
• Names of those authorized to make the requested use or disclosure
• Names of persons who may use the PHI or to whom the CE may make the requested disclosure
• Description of each purpose
• Expiration date of the authorization
• Signature and date
Required Statements:
• Individual’s right to revoke
• Notice of the CE’s ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization
• Potential for redisclosure by the recipient, after which the PHI is no longer protected by the Privacy Rule
Source: https://privacyruleandresearch.nih.gov/pdf/authorization.pdf
HIPAA Research Authorization
• Combined with consent (“compound authorization”)
• Stand-alone
Exceptions
• De-identified
• PHI of Deceased
• Limited Data Set
• Preparatory to Research
De-Identified
“Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.”
De-Identified
The Privacy Rule provides two methods by which health information can be designated as de-identified.
De-Identified
The 18 identifiers that must be removed:
(1) Names (including initials);
(2) Street address, city, county, precinct, zip code, and equivalent geo-codes;
(3) ALL elements of dates (except year) for dates directly related to an individual and all ages over 89 (this would include procedure dates, date of admission, date of lab work, etc.);
(4) Telephone numbers;
(5) Fax numbers;
(6) Electronic mail addresses;
(7) Social security numbers;
(8) Medical record numbers;
(9) Health plan ID numbers;
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers, including license plate numbers;
(13) Device identifiers/serial numbers;
(14) Web addresses (URLs);
(15) Internet IP addresses;
(16) Biometric identifiers, incl. finger and voice prints;
(17) Full face photographic images and any comparable images; and
(18) Any other unique identifying number, characteristic, or code.
Deceased
“Research on Protected Health Information of Decedents. Representations from the researcher, either in writing or orally, that the use or disclosure being sought is solely for research on the protected health information of decedents, that the protected health information being sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought. See 45 CFR 164.512(i)(1)(iii).”
Limited Data Set
“A covered entity may use and disclose a limited data set for research activities conducted by itself, another covered entity, or a researcher who is not a covered entity if the disclosing covered entity and the limited data set recipient enter into a data use agreement. Limited data sets may be used or disclosed only for purposes of research, public health, or health care operations. Because limited data sets may contain identifiable information, they are still PHI.”
Limited Data Set: “Data Use Agreement”
• Specific uses of the limited data set
• Identify who is permitted to receive it
• Specific stipulations on how the data will be used
Limited Data Set
May include:
• Town, city, state and zip code
• Elements of dates related to an individual: Date of Birth, Admission Date, Discharge Date, Death Date
Must exclude:
• Name
• Address (other than town, city, zip)
• Phone and fax
• Email address
• SSN
• MRN
• Health plan beneficiary numbers
• Account Numbers
• Certificate/license numbers
• VIN
• Device identifiers
• URLs and IP addresses
• Biometric identifiers
• Full face photos
• Any other unique number, characteristic or code that could be used to identify the individual
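As an added worked example (not part of the deck), the following Python applies the two field-level rules from the Protected Health Information and Limited Data Set slides to a constructed record: a limited data set drops direct identifiers but keeps town/city/state/zip and dates, while the de-identified version built from the 18-identifier list also drops geography, reduces each date to its year, and collapses ages over 89. The field names, the sample record and the reference date are assumptions.

```python
from datetime import date

# Constructed sample record for illustration only; no real patient data.
SAMPLE = {
    "name": "Jane Q. Sample", "street": "12 Example Rd", "city": "Columbus",
    "state": "OH", "zip": "43210", "dob": "1925-03-14",
    "admission": "2016-10-03", "discharge": "2016-10-07",
    "phone": "614-555-0100", "email": "jane@example.org", "ssn": "000-00-0000",
    "mrn": "MRN-EXAMPLE-1", "diagnosis": "E11.9", "lab_glucose": 142,
}

# Field names are assumed; they stand in for the identifier classes on the slides.
# Direct identifiers: excluded from both a limited data set and a de-identified set.
DIRECT = {"name", "street", "phone", "fax", "email", "ssn", "mrn", "plan_id",
          "account", "license", "vin", "device_id", "url", "ip", "biometric", "photo"}
# Geography: a limited data set may keep town/city/state/zip; de-identified data may not.
GEO = {"city", "state", "zip"}
# Dates: kept in a limited data set; reduced to the year alone when de-identifying.
DATES = {"dob", "admission", "discharge", "death"}


def limited_data_set(rec):
    """Limited data set: drop direct identifiers, keep geography and dates (still PHI)."""
    return {k: v for k, v in rec.items() if k not in DIRECT}


def safe_harbor(rec, as_of=date(2016, 10, 1)):
    """De-identified per the 18-identifier list; 'as_of' is the assumed reference date."""
    out = {}
    for k, v in rec.items():
        if k in DIRECT or k in GEO:
            continue
        # Dates keep only the year (identifier 3); everything else passes through.
        out[k + "_year" if k in DATES else k] = int(v[:4]) if k in DATES else v
    if "dob" in rec:
        born = date.fromisoformat(rec["dob"])
        age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
        if age > 89:
            # "All ages over 89" must go: collapse to one category and drop the birth year too,
            # since year of birth alone would reveal the age.
            out["age"] = "90+"
            out.pop("dob_year")
        else:
            out["age"] = age
    return out


if __name__ == "__main__":
    print(limited_data_set(SAMPLE))
    print(safe_harbor(SAMPLE))
```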
Preparatory to Research
“Preparatory to Research. Representations from the researcher, either in writing or orally, that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any protected health information from the covered entity, and representation that protected health information for which access is sought is necessary for the research purpose. See 45 CFR 164.512(i)(1)(ii). This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study.”
Minimum Necessary
“The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.”
Breach Reporting Requirements
Where there is a “Breach”, we must notify the patient and the Department of Health and Human Services.
Breach Regulations
• A disclosure in violation of HIPAA is a reportable breach unless there is a low risk of compromise.
• If reportable: notify the patient, OCR, and the press (if more than 500 individuals are affected).
Breach Wall of Shame
Increased Enforcement
Office for Civil Rights HIPAA Enforcement: Increased Enforcement
[Chart: number of Resolution Agreements and number of Civil Money Penalties per year]
2016: Over $18 Million in Resolution Agreements
Resolution Agreement: Feinstein Institute for Medical Research, 2016
• $3.9 million
• Unencrypted laptop stolen out of an employee’s car
• Disclosed ePHI of 13,000 people
• Lack of risk assessment
• Failed to implement policies, procedures, safeguards
• Three year corrective action plan
Pay Attention To:
• Paper: shred it
• Binders
• Physical Security
• Transport
• Appropriate Approvals
• Data Security
HIPAA Security
Conducting Research Securely
In a perfect world, you would only need to focus on research. That is not the case: research brings along things that we need to address:
• Security Requirements
• Bad guys – hackers and criminals
• Errors and failures
Security Requirements
• HIPAA – Protected health information
• FERPA – Student record information
• PCI – Payment card industry
• FISMA – Federal contracts
• FDA – Medical devices
• Joint Commission – Accreditation
• State Laws – Mental health, breach notification
• Other Federal Laws – Chemical dependency; Export Control
Institutional Standards:
• OSU Information Security Standards (ISS)
• OSU Information Security Control Requirements (ISCR)
Industry Standards
Security Requirements: OSU Information Risk Management Program
Organizational policies, standards, and requirements that address laws and regulations applicable to the university.
Security Requirements: OSU Information Risk Management Program
• Security Standard covers 30 identified risk areas
• Specifies security requirements for each area
Security Requirements: Risk Assessments
In order to protect data when conducting research, we need to understand several things:
1. Where did the data originate?
2. Where does the data need to go?
3. Who can access the data?