Number of slides: 70
HIPAA Considerations in Research Monica Lareau, MS, CHPC Director, HIPAA Compliance/Privacy Official Integrity & Audit Services Dawn Pedinelli, RN, MBA, CCRC, CHRC Director of Research Unified Clinical Organization © 2014 Trinity Health. All Rights Reserved. 1
Agenda
• Overview: HIPAA & the Common Rule
• Authorization to use and disclose PHI
• Waiver of authorization
• Reviews preparatory to research
• De-identified data
• Limited data sets
• Accounting of disclosures
• Data protection
• Data governance
• Case studies
Our 21-State Diversified Network
• 90 hospitals* in 21 Regional Health Ministries**
• National Health Ministries***
• 47 home care & hospice locations serving 116 counties
• 14 PACE center locations
• 23,900 affiliated physicians; 3,900 employed physicians
• 59 continuing care facilities
• 1.7% of all babies in America are delivered at Trinity Health facilities
*Owned, managed or in JOAs or JVs. **Operations are organized into Regional Health Ministries ("RHMs"), each an operating division which maintains a governing body with managerial oversight subject to authorities. ***Includes multiple locations for Trinity Home Health Services, Trinity Senior Living Communities and PACE facilities.
Trinity's Research Enterprise
• 25 local IRBs in existence
• Broad range of scope and size: community hospital based; academic medical center with university-based IRB
• Numerous partnerships with external organizations
• Historically a decentralized, locally driven operational model
• Greater emphasis on sharing best practices and standard workflows
Overview: HIPAA & the Common Rule
HIPAA Privacy Rule
Designed to protect the confidentiality of patient information:
• Medical records
• Billing records
Gives patients significant rights with respect to their health information.
Governs how protected health information may be used or disclosed by covered entities for research purposes.
"Common Rule"
Most research involving human subjects operates under federal regulations known as the Common Rule (45 CFR Part 46, Subpart A). Additional FDA regulations (21 CFR Parts 50 & 56) also protect the rights of human subjects in clinical trials.
These regulations:
• Apply to most federally funded and some privately funded research studies
• Include protections to help ensure the privacy of subjects and the confidentiality of their information
The Common Rule & HIPAA
HIPAA's Privacy Rule builds upon the protections provided by the Common Rule and creates equal standards of privacy protection for research, whether the research is:
• Governed by federal human subject regulations, or
• Not governed by human subject regulations
The Common Rule & HIPAA
The Common Rule will continue to provide protections for subjects participating in clinical trials. The Privacy Rule provides additional protections for health information used in:
• Record reviews to prepare research proposals
• Record reviews for research projects
Question: Does the HIPAA Privacy Rule modify the Common Rule?
No. If both the Privacy Rule and the Common Rule apply, both must be followed. The Privacy Rule only regulates the use and disclosure of PHI for research purposes. It does not address other aspects of research, such as informed consent. Source: OCR FAQ #308
IRBs and Privacy Boards
Under the Common Rule, human subject research must be approved by an Institutional Review Board (IRB):
• The approving IRB may be part of the institution where the research will be done; or
• It may be a regional IRB that reviews research for many institutions
Recognizing that many small organizations do not have access to an IRB, the Privacy Rule also allows a Privacy Board to review the use or disclosure of PHI for research purposes.
IRBs and Privacy Boards
• A covered entity (CE) is not required to have a Privacy Board
• A research project reviewed by an IRB does not need review by a Privacy Board
• A Privacy Board is an alternative if an IRB is not available
Proposed Modifications to the Common Rule
A Notice of Proposed Rulemaking (NPRM) was published in the Federal Register on September 8, 2015. Proposed changes:
• Informed consent rules: clarity
• Biospecimens
• Exclusions
http://www.hhs.gov/ohrp/humansubjects/regulations/nprm2015summary.html
Education Related to Proposed Changes
Office for Human Research Protections (OHRP) webinar series on the Common Rule NPRM. Six key topics covered by the webinars:
• Overview of the NPRM (approx. 34 min.), Jerry Menikoff, Director, OHRP
• Exclusions and Exemptions (approx. 30 min.), Jerry Menikoff, Director, OHRP
• Informed Consent (approx. 28 min.), Jerry Menikoff, Director, OHRP
• IRB Review and Operations (approx. 18 min.), Julia Gorey, Policy Analyst, Division of Policy and Assurances, OHRP
• Research with Biospecimens (approx. 22 min.), Julie Kaneshiro, Deputy Director, OHRP
• Secondary Research Use of Data (approx. 21 min.), Ivor Pritchard, Senior Advisor to the Director, OHRP
http://www.hhs.gov/ohrp/education/training/nprmwebinars.html
Authorization to Use & Disclose PHI
Privacy Regulations
CEs may use and disclose protected health information for research:
• With the subject's authorization; or
• Without the subject's authorization, under limited circumstances
What is Authorization?
• Written permission from the subject or legally authorized representative to use and disclose protected health information
• Authorization is in addition to the informed consent required for participation in a clinical trial
• Must contain the required elements (45 CFR 164.508(c))
Combined Authorizations
For research, the authorization to use and disclose protected health information may be combined with the informed consent. CEs may:
• Develop a separate authorization form for researchers to use, or
• Incorporate the authorization requirements into their standard informed consent form
Question: May researchers condition participation in a clinical trial on an authorization?
Yes. The Privacy Rule does not prohibit researchers from conditioning enrollment in a research study on the subject providing authorization for the use of pre-existing health information. Source: OCR FAQ #304
Question: May researchers use a research subject's protected health information if he revokes his authorization?
Yes. The researcher may continue to use PHI obtained before the subject revoked his authorization for purposes needed to maintain the integrity of the research study, including:
• Accounting for the subject's withdrawal from the study
• Incorporating the data into an FDA marketing application, if needed
• Reporting adverse events
A CE cannot continue to disclose PHI to a researcher after the date of the revocation. Source: OCR FAQ #316
Waiver of Authorization
Waiver Criteria #1
An IRB or Privacy Board may waive the requirement for authorization if the use or disclosure of PHI involves no more than minimal risk to the privacy of the subject, and there is:
• An adequate plan to protect identifiers from improper use or disclosure
• An adequate plan to destroy identifiers at the earliest opportunity consistent with the research (unless a health or research justification, or a legal requirement, supports retaining them)
• Written assurance that PHI will not be reused or disclosed except as required by law, for oversight of the study, or for other permitted research
Waiver Criteria #2
An IRB or Privacy Board may waive the requirement for authorization if the research could not practicably be conducted without the waiver or alteration.
Waiver Criteria #3
An IRB or Privacy Board may waive the requirement for authorization if the research could not practicably be conducted without access to and use of the protected health information.
Research Not Requiring an Authorization or a Waiver
Research Not Requiring Authorization or Waiver
There are some situations in which neither an authorization nor a waiver is required for research using PHI:
• Reviews preparatory to research
• Research on decedents
• Research using de-identified data
• Research using a limited data set
Reviews Preparatory to Research
Review of PHI that is needed to:
• Design a research study, or
• Assess the feasibility of conducting a study
Authorization is not required. A waiver from an IRB or Privacy Board is not required. The researcher must represent that the PHI is sought solely to prepare a research protocol or similar purpose, that no PHI will be removed from the CE, and that the PHI is necessary for the research.
Question: Do "reviews preparatory to research" include contacting patients to recruit them for a research study?
Yes, but the information may not be removed from the CE's premises. A researcher who is part of the CE's workforce could use PHI to contact patients for study recruitment. An outside researcher, however, would need to obtain a partial waiver of authorization from the IRB in order to contact patients. Source: OCR FAQ #317
Research on PHI of Decedents
For research conducted solely on the PHI of deceased individuals:
• Authorization is not required
• A waiver from an IRB or Privacy Board is not required
The researcher must provide a statement that:
• The research is conducted solely on the PHI of deceased individuals
• The PHI sought is necessary for the research, and
• The researcher will provide documentation of the subjects' deaths, if requested by the CE
De-Identified Data
De-Identified Data
Data that has been de-identified is no longer PHI and loses its protections under HIPAA. It may be freely used or disclosed for research and other purposes.
De-Identified Data
To be considered "de-identified" under the Safe Harbor method, data cannot contain any of 18 specific identifiers of the individual or of his/her relatives, employers, or household members, and the CE must have no actual knowledge that the remaining information could be used to identify the individual. Alternatively, under the Expert Determination method, a qualified statistician may determine and document that the risk of re-identification is very small.
Patient Identifiers (Safe Harbor, 45 CFR 164.514(b)(2))
1. Names
2. Geographic subdivisions smaller than a state: street address, city, county, precinct, ZIP code. The first three digits of a ZIP code may be kept if the geographic unit formed by all ZIP codes with those three initial digits contains more than 20,000 people; otherwise they are changed to 000
3. All elements of dates (except year) directly related to an individual, including birth, death, admission, discharge and other service dates; and all ages over 89 and all elements of dates (including year) indicative of such an age, which may be aggregated into a single category of age 90 or older
4. Telephone numbers
5. Fax numbers
6. E-mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographs and any comparable images
18. Any other unique identifying number, characteristic, or code
Re-Identification Codes
The Privacy Rule permits a re-identification code to be assigned to de-identified data, however:
• The code may not be derived from or related to any individually identifiable health information, and may not otherwise be capable of being translated to identify the individual
• A keyed-hash message authentication code (HMAC) of an identifier is not acceptable, because it is derived from individually identifiable information
• The CE may not use or disclose the code for any other purpose, and may not disclose the mechanism for re-identification
Limited Data Sets
Limited Data Sets
A concept introduced by the August 2002 modifications to the Privacy Rule, intended to overcome the limitations of de-identified data. A limited data set may only be used for:
• Research
• Public health
• Health care operations of a CE
Limited Data Sets
A limited data set removes the direct identifiers but allows some identifying elements to be kept with the data:
• Dates of admission, discharge, and other services
• Date of birth
• Date of death
• City, state and 5-digit ZIP code
• Ages, including ages over 89
Limited Data Sets
The recipient must have a written data use agreement with the CE to protect the data. The recipient agrees to:
• Not use or further disclose the information other than as permitted by the agreement or required by law
• Use appropriate safeguards to protect the PHI
• Report any use or disclosure not provided for by the agreement
• Ensure that any agents or subcontractors agree to the same restrictions
• Not identify the information or contact the individuals
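The following Python is added here as a worked illustration of the three preceding slides (the Safe Harbor identifier list, re-identification codes, and limited data sets); it is not code from the Trinity Health deck. It applies the Safe Harbor removals to a constructed patient record, produces the limited data set version of the same record (direct identifiers removed; dates, city/state, 5-digit ZIP and ages retained under a data use agreement), and assigns a random re-identification code held in a separate key map, next to the HMAC-of-MRN construction the deck rules out. The record field names, the sample record and the table of low-population ZIP prefixes are assumptions made for the example; the authoritative ZIP prefix list must be derived from current Census data.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample of three-digit ZIP prefixes covering 20,000 people or fewer.
# Safe Harbor requires these to become "000". Placeholder values only; the real
# list comes from current Census data.
LOW_POPULATION_ZIP3 = frozenset({"036", "059", "063", "102"})

# Direct identifiers removed both under Safe Harbor and from a limited data set.
# Field names are assumptions for this example.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
})
# Date elements: a limited data set may keep them; Safe Harbor keeps the year only.
DATE_FIELDS = ("dob", "dod", "admit_date", "discharge_date")
# Geography below state level: kept in a limited data set, removed under Safe Harbor.
SUBSTATE_FIELDS = ("city",)


def safe_harbor_zip(zip5):
    """Keep the first three digits, unless that prefix covers <= 20,000 people."""
    zip3 = zip5[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def de_identify(record, mode):
    """mode 'limited_data_set': strip direct identifiers only (DUA still required).
    mode 'safe_harbor': additionally generalize geography, dates and ages."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if mode == "limited_data_set":
        return out
    if mode != "safe_harbor":
        raise ValueError(f"unknown mode: {mode!r}")
    for field in SUBSTATE_FIELDS:
        out.pop(field, None)
    if "zip" in out:
        out["zip"] = safe_harbor_zip(out["zip"])
    over_89 = isinstance(out.get("age"), int) and out["age"] > 89
    for field in DATE_FIELDS:
        if out.get(field) is not None:
            # A birth year alone reveals an age over 89, so for those patients it goes too.
            out[field] = None if (over_89 and field == "dob") else str(out[field].year)
    if over_89:
        out["age"] = "90+"  # ages over 89 collapse into a single category
    return out


def assign_reid_code(de_identified, mrn, key_map):
    """Random code that is not derived from any PHI. key_map (code -> MRN) stays
    with the covered entity and is never released with the data."""
    code = secrets.token_hex(8)
    while code in key_map:
        code = secrets.token_hex(8)
    key_map[code] = mrn
    tagged = dict(de_identified)
    tagged["reid_code"] = code
    return tagged


def hmac_code_not_permitted(mrn, key):
    """What the deck rules out: the code is a function of the MRN, so it is derived
    from identifiable information and stays stable (linkable) across data sets."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed sample record (not a real patient).
SAMPLE_RECORD = {
    "mrn": "MRN-0001234", "name": "Jane Example", "ssn": "000-00-0000",
    "email": "jane@example.org", "phone": "555-0100", "street": "1 Example St",
    "city": "Springfield", "state": "IL", "zip": "03601",
    "dob": date(1931, 4, 2), "age": 92,
    "admit_date": date(2023, 5, 10), "discharge_date": date(2023, 5, 14),
    "diagnosis": "I10",
}

if __name__ == "__main__":
    key_map = {}
    print(assign_reid_code(de_identify(SAMPLE_RECORD, "safe_harbor"), SAMPLE_RECORD["mrn"], key_map))
    print(de_identify(SAMPLE_RECORD, "limited_data_set"))
```

Running the block on the sample record shows the difference the slides describe: the Safe Harbor output keeps only the state, the "000" ZIP prefix, service years, a "90+" age and the diagnosis, while the limited data set output keeps the full dates, city and 5-digit ZIP but still has no name, MRN, SSN or contact details. The random code differs on every call even for the same MRN, whereas the HMAC form is deterministic, which is exactly why it links records across releases.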
Accounting of Disclosures
Accounting of Disclosures
Patients have the right to obtain an accounting of certain disclosures of their health information made in the six years prior to the request (45 CFR 164.528). Research disclosures are included unless:
• The patient authorized the use and disclosure of his PHI
• The data was de-identified
• The data was released as part of a limited data set
Accounting of Disclosures
The accounting must include, for each disclosure:
• Date of the disclosure
• Name (and address, if known) of the person or entity who received the information
• Brief description of the information disclosed
• Brief statement of the purpose of the disclosure, or a copy of the written request for disclosure
Accounting of Disclosures
If a research project involves fewer than 50 patient records:
• Must track access to each patient's record
"Simplified" accounting for research projects involving 50 or more records:
• May give the patient a list of all protocols for which his records may have been reviewed, including:
• Name and description of the study
• Timeframe during which disclosures occurred or may have occurred
• Name and contact information for the researcher
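The three slides above give the rules for what goes into an accounting: the six-year lookback, the exclusions (treatment/payment/operations, authorized disclosures, de-identified data, limited data sets), the per-disclosure elements, and the 50-record threshold for the simplified protocol-level form. The Python below is an added example, not code from the deck, that applies those rules to a constructed disclosure log. The log layout, field names, "basis" labels and protocol records are assumptions made for the example.

```python
from datetime import date

# Disclosure bases that are not reportable in an accounting.
EXEMPT_BASES = frozenset({"treatment", "payment", "operations",
                          "authorization", "de_identified", "limited_data_set"})
LOOKBACK_YEARS = 6   # accounting covers the six years before the request
SIMPLIFIED_AT = 50   # research protocols with 50+ records may use the simplified form


def _window_start(as_of):
    try:
        return as_of.replace(year=as_of.year - LOOKBACK_YEARS)
    except ValueError:  # as_of is Feb 29 and the earlier year is not a leap year
        return as_of.replace(year=as_of.year - LOOKBACK_YEARS, day=28)


def accounting(log, patient_id, as_of):
    """Return the accounting entries owed to one patient, given a disclosure log.
    Small protocols are itemized per disclosure; large ones get one protocol entry."""
    start = _window_start(as_of)
    # Period over which each protocol drew records from any patient: the simplified
    # form reports when disclosures occurred or may have occurred.
    protocol_span = {}
    for e in log:
        p = e.get("protocol")
        if p:
            lo, hi = protocol_span.get(p["name"], (e["date"], e["date"]))
            protocol_span[p["name"]] = (min(lo, e["date"]), max(hi, e["date"]))
    itemized, simplified = [], {}
    for e in log:
        if e["patient_id"] != patient_id or e["basis"] in EXEMPT_BASES:
            continue
        if not start <= e["date"] <= as_of:
            continue
        p = e.get("protocol")
        if p and p["record_count"] >= SIMPLIFIED_AT:
            simplified[p["name"]] = {
                "kind": "protocol", "protocol": p["name"], "description": p["description"],
                "period": protocol_span[p["name"]],
                "researcher": p["researcher"], "contact": p["contact"],
                "statement": "PHI may have been disclosed for this protocol",
            }
        else:
            itemized.append({"kind": "disclosure", "date": e["date"],
                             "recipient": e["recipient"],
                             "description": e["description"], "purpose": e["purpose"]})
    itemized.sort(key=lambda x: x["date"])
    return itemized + sorted(simplified.values(), key=lambda s: s["protocol"])


# Constructed protocols and log (hypothetical names and dates).
CHART_REVIEW = {"name": "Chart review A", "description": "Retrospective review of hypertension outcomes",
                "record_count": 1200, "researcher": "Dr. Example", "contact": "research@example.org"}
PILOT = {"name": "Pilot B", "description": "Pilot study of readmissions",
         "record_count": 30, "researcher": "Dr. Sample", "contact": "pilot@example.org"}

SAMPLE_LOG = [
    {"patient_id": "P1", "date": date(2016, 3, 1), "basis": "treatment", "recipient": "Referring clinic",
     "description": "Discharge summary", "purpose": "treatment"},
    {"patient_id": "P1", "date": date(2016, 6, 1), "basis": "authorization", "recipient": "Sponsor X",
     "description": "Trial CRF data", "purpose": "research"},
    {"patient_id": "P1", "date": date(2016, 9, 1), "basis": "waiver", "recipient": "Dr. Example",
     "description": "BP readings, dates of service", "purpose": "research", "protocol": CHART_REVIEW},
    {"patient_id": "P2", "date": date(2015, 1, 15), "basis": "waiver", "recipient": "Dr. Example",
     "description": "BP readings", "purpose": "research", "protocol": CHART_REVIEW},
    {"patient_id": "P1", "date": date(2017, 2, 1), "basis": "waiver", "recipient": "Dr. Sample",
     "description": "Readmission dates", "purpose": "research", "protocol": PILOT},
    {"patient_id": "P1", "date": date(2009, 2, 1), "basis": "waiver", "recipient": "Dr. Sample",
     "description": "Old record pull", "purpose": "research", "protocol": PILOT},
    {"patient_id": "P1", "date": date(2016, 11, 1), "basis": "de_identified", "recipient": "Registry",
     "description": "De-identified extract", "purpose": "research"},
]

if __name__ == "__main__":
    for entry in accounting(SAMPLE_LOG, "P1", date(2018, 1, 1)):
        print(entry)
```

For patient P1 as of 2018-01-01 the result has two entries: the itemized 2017 disclosure under the 30-record pilot, and a single protocol-level entry for the 1,200-record chart review that names the study, the researcher's contact details and the period over which the protocol drew records. The treatment, authorized and de-identified disclosures drop out, as does the 2009 disclosure that falls outside the six-year window. The HIM practice issue on the next slide is visible in the data model: without the `basis` and `protocol` fields on each pull, none of this filtering is possible.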
Practice Issue
Often, the HIM Department receives a record "pull list" but does not know why the records are being requested.
• Disclosures for treatment, payment, and health care operations do not have to be included in an accounting of disclosures, but
• Some research disclosures do need to be tracked for an accounting of disclosures
Solution
It's reasonable to:
• Ask requesters the purpose of their request
• Ask researchers to provide documentation of IRB approval
Data Protection
Do Your IRBs Discuss Data Protection?
Improper disclosure of research participants' protected health information resulted in a $3.9 million HIPAA settlement.
The Feinstein Institute for Medical Research (FIMR) is a biomedical research institute in New York and the not-for-profit arm of Northwell Health, Inc. (formerly known as North Shore Long Island Jewish Health System), a large health system in New York comprised of twenty-one hospitals and over 450 patient facilities and physician practices.
In 2012, a laptop containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee's car.
Result: settlement and a 3-year corrective action plan.
http://www.hhs.gov/sites/default/files/FIMR%20Resolution%20Agreement%20and%20Corrective%20Action%20Plan.pdf
OCR Violations (FIMR)
(i) FIMR impermissibly disclosed the ePHI of 13,000 individuals when an FIMR-owned laptop computer containing ePHI was left unsecured in the back seat of an employee's car. See 45 C.F.R. § 164.502(a).
(ii) FIMR failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI held by FIMR. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
(iii) FIMR failed to implement policies and procedures for granting access to ePHI by its workforce members. See 45 C.F.R. § 164.308(a)(4)(ii)(B).
(iv) FIMR failed to implement physical safeguards for a laptop that contained ePHI to restrict access by unauthorized users. See 45 C.F.R. § 164.310(c).
(v) FIMR failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility. See 45 C.F.R. § 164.310(d).
(vi) FIMR failed to implement a mechanism to encrypt ePHI or, alternatively, to document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to safeguard ePHI. See 45 C.F.R. § 164.312(a)(2)(iv).
$1.55M Settlement: North Memorial Health
North Memorial is a not-for-profit health care system in Minnesota that serves the Twin Cities north, central, and west communities. On July 25, 2011, North Memorial reported that an unencrypted laptop containing the electronic protected health information of approximately 2,800 individuals (later amended to include an additional 6,697 individuals) who received care from North Memorial was stolen from an Accretive Health ("Accretive") workforce member's locked vehicle. North Memorial noted that Accretive was its business associate.
Result: settlement and a 2-year corrective action plan.
http://www.hhs.gov/sites/default/files/North%20Memorial%20RA%20and%20CAP%20March%202016%20%28508%29.pdf
OCR Violations (North Memorial)
• North Memorial provided Accretive with access to North Memorial's protected health information (PHI) without obtaining a written business associate agreement. North Memorial began providing Accretive with access to its PHI on March 21, 2011, and did not enter into a written business associate agreement with Accretive until October 14, 2011. See 45 C.F.R. § 164.308(b) and 45 C.F.R. § 164.502(e).
• From March 21, 2011 to October 14, 2011, North Memorial impermissibly disclosed the PHI of at least 289,904 individuals to Accretive when it provided Accretive with access to PHI without obtaining Accretive's satisfactory assurances, in the form of a written business associate agreement, that Accretive would appropriately safeguard the PHI. See 45 C.F.R. § 164.502(a).
• North Memorial failed to conduct an accurate and thorough risk analysis that incorporated all of North Memorial's information technology equipment, applications, and data systems using electronic PHI. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
Research Data Protection Safeguards
• Confidentiality agreements
• No unencrypted data storage
• No removable media (ideally)
• Citrix ShareFile or remote access is recommended
• No PHI in e-mail
• Procedures for lost data
• Data retention/destruction and disclosure standards
• Data access standards
Data Governance
Data Governance Considerations
Are there any governance structures outside of the IRB to coordinate:
• Source data requests
• HIPAA incident response
• Legal/compliance issues
• Reporting of IRB business and outcomes
• Information security protocols for data transfers
• A comprehensive data protection component of the research agreement
Structure Considerations
• The structure will be determined by the size, scope and complexity of the facility/program
• Smaller facilities may want to integrate into existing structures on an ad hoc basis
• Larger facilities should have a dedicated research governance structure
IG Structure
In smaller facilities, research could participate as a member of:
• Medical Executive Committee
• Quality/Accreditation Committee
In larger facilities and health systems, research could be a subgroup of:
• Clinical Governance
• Compliance
Expanding Research Considerations
The White House is unveiling final Privacy and Trust Principles for the Precision Medicine Initiative (PMI). The principles provide broad guidance for future PMI activities regarding: governance; transparency; participant empowerment; respect for participant preferences; data sharing, access, and use; and data quality and integrity. The principles articulate a set of core values and responsible strategies for sustaining public trust and maximizing the benefits of precision medicine.
https://www.whitehouse.gov/precision-medicine
Case Studies
Research Utilizing Hospital Data
• A local hospital is conducting IRB-approved research
• The research population (~2,000 records) is extracted from the surgical information system
• The researcher carries the data on a jump drive and accesses hospital records in the physician lounge
• The jump drive is lost
• The researcher looks for the jump drive for two weeks and then hangs a sign in the physician lounge asking for its return
• The loss is reported at an IRB meeting two months later
Who is responsible for investigating and reporting this incident?
A. The researcher
B. The hospital
C. The IRB
Research Utilizing Hospital Data
Who is responsible? The hospital.
• The data was disclosed from the hospital's data systems and the patients involved received care at the hospital
• There were no data release/protection agreements in place
• The data was lost inside the hospital
Can We Use This Data?
Proposed internal research asking to use Medicare Shared Savings Program (MSSP) ACO data
Can We Use MSSP Data for Research?
Not without specific permission from CMS.
• The MSSP data use agreement prohibits using the data for any use outside the Accountable Care Organization
• There is a formal research application process that must be undertaken to use this data
• When in doubt, call Legal and Privacy
Presenters' Contact Information
Monica Lareau, MS, CHPC, Director, HIPAA Compliance/Privacy Official: monica.lareau@trinity-health.org, (734) 343-0037
Dawn Pedinelli, RN, MBA, CCRC, CHRC, Director of Research: dawn.pedinelli@trinity-health.org, (734) 343-2695
AHIMA IG Sample Charter
Questions?