Скачать презентацию Health Insurance Portability and Accountability Act HIPAA Скачать презентацию Health Insurance Portability and Accountability Act HIPAA

32438dc9ab698f54e614c797ec6b108e.ppt

  • Количество слайдов: 43

Health Insurance Portability and Accountability Act – HIPAA Privacy Rule Institutional Review Board and Health Insurance Portability and Accountability Act – HIPAA Privacy Rule Institutional Review Board and Research Education

Who should complete this training? • Required for anyone involved in the Institutional Review Who should complete this training? • Required for anyone involved in the Institutional Review Board (IRB) • Required for anyone involved in Human Subject Research – Must complete this training prior to submitting research documents – Required annually

Health Insurance Portability and Accountability Act of 1996 (HIPAA) • Federal law that applies Health Insurance Portability and Accountability Act of 1996 (HIPAA) • Federal law that applies to health care providers, health plans and health care clearinghouses (Covered Entities) • Created to: – Protect the privacy of health care information – Improve access to health insurance – Promote standardization of electronic health records and to safeguard their use

Other Privacy Laws • California Privacy Laws – Require reporting of intentional and unintentional Other Privacy Laws • California Privacy Laws – Require reporting of intentional and unintentional breaches • Misdirected mailings, faxing • PHI provided to wrong parties – 5 business days to report to California Department of Public Health (CDPH) and to patient – Complete CDPH plan of correction documenting mitigation efforts taken – Fines and Penalties may apply

Security Laws • Standards - required safeguards designed to ensure the confidentiality, integrity, and Security Laws • Standards - required safeguards designed to ensure the confidentiality, integrity, and availability of electronic protected health information • Requires establishment of administrative, physical and technical safeguards • Compliance assurance by the entire workforce

HIPAA and Research • Research is subject to HIPAA and Privacy Laws if the HIPAA and Research • Research is subject to HIPAA and Privacy Laws if the study uses an individuals identifiable health information • If data is used to identify, recruit, or enroll participants or any data gathered can identify the individual, either directly or indirectly, then HIPAA applies

IRB and the Privacy Rule • The IRB will facilitate research-related privacy requirements, however; IRB and the Privacy Rule • The IRB will facilitate research-related privacy requirements, however; • The Principal Investigator is responsible for establishing and maintaining federal and state privacy and security compliance, including maintaining appropriate documentation

Covered Entity • Anyone who transmits and stores electronic health records • Kaweah Delta Covered Entity • Anyone who transmits and stores electronic health records • Kaweah Delta Health Care District and all it’s entities and service areas are subject to Federal HIPAA, Security and Patient Privacy laws, rules and regulations

What is the Privacy Rule? • Rules for Covered Entities (CE) for using and What is the Privacy Rule? • Rules for Covered Entities (CE) for using and disclosing individually identifiable health information known as Protected Health Information (PHI) • Protects the privacy of PHI of individuals who are living or deceased • Supplements the Common Rule and the FDA’s protections for human subjects

Who is Covered? • All District “workforce” – All employees – Independent contractors – Who is Covered? • All District “workforce” – All employees – Independent contractors – Students – Residents/Medical Staff – Temporary help – Volunteers/Guild – Clergy – All contracted entities that receive PHI electronic data from the District

Protected Health Information- PHI • PHI is the health and demographic information maintained by Protected Health Information- PHI • PHI is the health and demographic information maintained by CE of individuals • PHI can be transmitted or maintained electronically or in any other form (hard copy, xray films, labels, etc. ) • PHI can include identifiable information • Pertains to past, present or future: – Physical or mental health – Diagnosis and/or treatment – Payment for health care

Patient Personal Identifiers • • • Name Address, city, zip Telephone number Fax number Patient Personal Identifiers • • • Name Address, city, zip Telephone number Fax number E-mail address Social Security number Date of Birth Account number Medical Record number Insurance plan ID Treatment Dates License/Certificate number Full face photo images Other comparable images IP address URL Vehicle ID Biometric identifiers including finger & voice prints • Any other unique identifying number, characteristic or code • •

What is Covered? Treatment, Payment and Operations (TPO) • Treatment - provision of Health What is Covered? Treatment, Payment and Operations (TPO) • Treatment - provision of Health Care Services – Coordination of care with a third party – Consultation between health care providers – Referral of a patient to another provider • Payment - activities to obtain reimbursement for care – Determination of eligibility or coverage – Billing and collections – Disclosure to consumer reporting agency

What is Covered? Treatment, Payment and Operations (TPO) • Operations – activities that make What is Covered? Treatment, Payment and Operations (TPO) • Operations – activities that make an entity a health care provider – Quality improvement – Credentialing and peer review – Licensing – Legal services, audit functions, compliance – Business planning and development – General administration and management – Customer service/grievance resolution

Authorized Use & Disclosures • Reviewing a patient’s past medical history for treatment • Authorized Use & Disclosures • Reviewing a patient’s past medical history for treatment • Using “minimum necessary” information for Quality Assurance purposes (operations) • Reporting cases of communicable diseases and immunizations as mandated by law • Billing insurance companies for medical care (payment) • Using PHI for research with patient’s authorization

Unauthorized Uses & Disclosures • Using patient information for research without the patients approval Unauthorized Uses & Disclosures • Using patient information for research without the patients approval or authorization waiver • Posting comments on social medial about patients • Discussing a patient’s HIV diagnosis with family in the room without patient permission • Looking up your co-workers lab results • Emailing PHI to your personal email account

Individual Rights • To receive a notice of privacy practices - how medical information Individual Rights • To receive a notice of privacy practices - how medical information about them may be used and disclosed and how they can get access • To access, inspect and get a copy of their own information • To amend their own PHI • To receive an accounting for the past 6 years of all disclosures • To request further restrictions on use and disclosures

Individual Rights • Deceased individuals – ceases to be PHI 50 years after date Individual Rights • Deceased individuals – ceases to be PHI 50 years after date of death • Sale of PHI – prohibited without specific written patient authorization • Fundraising – may be used, however patient can formally opt out • Electronic records – patients can request and CE must comply • Insurance billing - Patients may request that CE not bill their insurance and choose to pay out of pocket

Administrative Requirements • • • Privacy Officer – Judy Cotta add phone # Comply Administrative Requirements • • • Privacy Officer – Judy Cotta add phone # Comply with all federal/state regulations Policies and procedures Training – All workforce Safeguards to protect privacy Complaint & investigation process Sanctions for failure to comply Process to mitigate harm due to a breach Federal and State reporting of breaches

Use and Disclosure of PHI • Some uses require authorization • Some uses require Use and Disclosure of PHI • Some uses require authorization • Some uses require giving the individual opportunity to agree or object • Some uses continue to be required by other laws/permitted by HIPAA • Other uses require the information to be “deidentified” • All require only the minimum necessary PHI be accessed Balance between protecting individual health information and public health and safety needs!

HIPAA Penalties • May apply to the individual, the organization and/or its officers • HIPAA Penalties • May apply to the individual, the organization and/or its officers • Individuals can be found criminally liable, no grace for serious and deliberate acts • State and Federal civil fines and penalties may apply • Under the jurisdiction of the Office for Civil Rights, Department of Health and Human Services

HIPAA and Research • Individually identifiable health insurance that is collected and used solely HIPAA and Research • Individually identifiable health insurance that is collected and used solely for research is NOT considered PHI • Researches obtaining PHI from a CE must obtain the subject’s authorization or must justify the exception to the requirement: – Waiver of authorization – Limited Data Set – De-identified Data Set

HIPAA and Research • Conditions under which the CE may release PHI for research HIPAA and Research • Conditions under which the CE may release PHI for research purposes – Authorization received by subject or subjects representative, for specific study, not for future studies – Decedent research – Limited Data Set – De-identified Data Set – Disclosures related to FDA-regulated products

Researcher’s Responsibility • To obtain PHI, a researcher must provide a Letter of Approval Researcher’s Responsibility • To obtain PHI, a researcher must provide a Letter of Approval from the IRB and one of the following: – Subject’s authorization to release PHI, or – Certification of Waiver by IRB – Request for Limited Data Set or De-identified Data Set

IRB’s Responsibility • Assure the CE that all research-related HIPAA requirements have been met: IRB’s Responsibility • Assure the CE that all research-related HIPAA requirements have been met: – Provide letter of approval to researcher – Certify and document that waiver of authorization criteria is met – Review and approve all authorizations and data use agreements – Retain records documenting actions taken for 6 years

Preparatory to Research Activities • With prior IRB approval, permits CE to use or Preparatory to Research Activities • With prior IRB approval, permits CE to use or disclose PHI for purposes preparatory to research that include, but not limited to the following: – Preparing a research protocol – Assisting in the development of a research hypothesis – Aiding in research recruitment, such as identifying prospective participants who would meet the eligibility requirements for enrollment into study

Preparatory to Research Activities • Allows researcher to: – Identify, but NOT contact potential Preparatory to Research Activities • Allows researcher to: – Identify, but NOT contact potential study participants – Review PHI in medical records or elsewhere to prepare for research • Does not allow: – Removal of PHI from District – Emails containing PHI to be sent outside of District email accounts

Preparatory to Research Activities • Does not allow: – Removal of PHI from District Preparatory to Research Activities • Does not allow: – Removal of PHI from District – Emails containing PHI to be sent outside of District email accounts

Informed Consent vs Authorization • Informed Consent – Description of study – Discusses anticipated Informed Consent vs Authorization • Informed Consent – Description of study – Discusses anticipated risk and benefits of study – Describes how the confidentiality of records will be protected – Agreement to participate in the study • Authorization – Focus on privacy risks – How, why and whom the PHI will be used/disclosed – Agrees to the use/disclosure of PHI

Subject’s Authorization • Must include specific elements • May be part of or attached Subject’s Authorization • Must include specific elements • May be part of or attached to the research consent form • Must use standard IRB authorization language • Original signed authorization must be retained by the CE • Subject must be given a copy

HIPAA Required Authorization Elements • • • Meaningful description of information to be used HIPAA Required Authorization Elements • • • Meaningful description of information to be used Name of persons authorized to disclose information Name of recipients of the information Description of research purpose Authorization expiration date Right to revoke authorization Disclosure of refusal consequences HIPAA protections may not apply Signature of the individual and date

HIPAA Required Authorization Expiration • If the study has no expiration date, the authorization HIPAA Required Authorization Expiration • If the study has no expiration date, the authorization must state “no expiration date” • Expiration may be a specific date or relate to the purpose, for example…. . – “July 28, 2014” – “End of the research study” – 5 years after last patient is enrolled” • After the stated date or event, researcher can no longer use the PHI

Authorization Waiver • Investigator/researcher provides IRB approval of Authorization Waiver to CE • IRB Authorization Waiver • Investigator/researcher provides IRB approval of Authorization Waiver to CE • IRB approval: – IRB name, date of approval, brief description of PHI; and – Statement of IRB approved Authorization Waiver under normal or expedited review; and – Statement that IRB has determined that research could not be conducted without waiver and without PHI, minimum necessary data

The 30 -Day Cure • For failure to obtain proper authorization before beginning research The 30 -Day Cure • For failure to obtain proper authorization before beginning research the PI must either: – Obtain appropriate authorization within 30 days of identifying the problem to be able to continue the study, or – Immediately destroy all affected data and specimens and obtain the correct authorization to be able to begin the research again

The 30 -Day Cure • For failure to obtain a waiver before beginning research, The 30 -Day Cure • For failure to obtain a waiver before beginning research, the PI must: – Immediately destroy all affected data and specimens and – Obtain a waiver to begin the research again • These actions must be completed within 30 days of when the deficiency was discovered or should have reasonably known. – If unsure, check with the IRB office

What is Minimum Necessary? • Limits unnecessary or inappropriate access to and disclosure of What is Minimum Necessary? • Limits unnecessary or inappropriate access to and disclosure of protected health information • Requires that entity takes reasonable steps to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose

Decedent Research • Provide documentation to the CE that the use or disclosure is Decedent Research • Provide documentation to the CE that the use or disclosure is solely for the purpose for research on decedents PHI – Similar to Authorization Waiver – Represents that authorization from next of kin or legal representative may be difficult or impossible to obtain – Requires review and approval by the IRB

Limited Data Set (LDS) • May include: – Zip code – Full dates of Limited Data Set (LDS) • May include: – Zip code – Full dates of birth or death – Full dates of service – City • May not include: – Other personal identifies of subject, relatives, employer or household members • CE does not have to account for LDS disclosures

De-identification • Remove all eighteen personal identifiers of subject, relatives, employer or household members De-identification • Remove all eighteen personal identifiers of subject, relatives, employer or household members • CE does not have to account for disclosures using de-identified data

Conclusion • Responsibility on the CE to meet HIPAA requirements for disclosing PHI to Conclusion • Responsibility on the CE to meet HIPAA requirements for disclosing PHI to a researcher • Responsibility on the IRB to assure the CE that health information will be protected under the research protocol • Does not replace Common Rule or FDA human subject protection regulations • Does not override California Privacy Law

HIPAA/Privacy/Research Resources • http: //privacyruleandresearch. nih/gov/clin_re search. asp • http: //privacyruleandresearch. nih. gov/pdf/HI PAA_Privacy_Rule_Booklet. HIPAA/Privacy/Research Resources • http: //privacyruleandresearch. nih/gov/clin_re search. asp • http: //privacyruleandresearch. nih. gov/pdf/HI PAA_Privacy_Rule_Booklet. pdf • http: //hhs. gov/ocr/privacy/hipaa/understandi ng/coveredentities/research. html • http: //www. hhs. gov/ocr/privacy/hipaa/under standing/

Source Acknowledgements • University of Florida • University of California • U. S. Department Source Acknowledgements • University of Florida • University of California • U. S. Department of Health and Human Services, National Institute of Health • Office for Civil Rights • Center for Medicare & Medicaid Services

Questions? • Contact Kevin Ferguson, M. D. , IRB Chairman, 559 -624 -5217 • Questions? • Contact Kevin Ferguson, M. D. , IRB Chairman, 559 -624 -5217 • Contact Susan Delgado, GME Program Coordinator, 559 -624 -5220 • Contact Judy Cotta, Compliance and Privacy Officer, 559 -624 -2154