Presentation Transcript

HIPAA 101: 

HIPAA 101 Presented by Esther Henry HIPAA Privacy Officer and Project Manager University of Colorado Health Sciences Center Bill Freud HIPAA Security Officer; AVC, Information Systems University of Colorado Health Sciences Center Developed in partnership with University Leadership Development Institute, UCHSC’s HIPAA Compliance Office, and CU-Denver’s Center for Innovations in Teaching and Technology

What is HIPAA?: 

What is HIPAA? There are nine segments to HIPAA, but our focus today is on the Privacy and Security Rules. The UCHSC must comply with HIPAA's Privacy Rule today and with HIPAA's Security Rule by April 21, 2005.

Why HIPAA 101? : 

Why HIPAA 101? Today we will cover: Background regarding HIPAA; The five HIPAA Privacy Principles; The four HIPAA Security Principles; Scenarios we’ll discuss as a group.

The HIPAA Acronym: What's In a Name? : 

The HIPAA Acronym: What's In a Name? Health Insurance Portability and Accountability Act of 1996. Purposes: insurance portability (to allow individuals to carry their health insurance from job to job); standardization of claims and health information (forms and codes). Increased risk requires increased protection.

Who has to comply with HIPAA?: 

Who has to comply with HIPAA? Health plans Health care clearinghouses Health care providers who transmit any health information in electronic form in connection with eight transactions

Why Comply? : 

Why Comply? Ethics - it’s the right thing to do! Civil Penalties – fines of $100 for every accidental violation Criminal Penalties - up to $250,000 for violations committed knowingly/purposefully and up to 10 years in federal prison

What is Protected Health Information? : 

What is Protected Health Information? PHI Health Information IIHI

What items make information identifiable?: 

What items make information identifiable?
Name
Postal address (geographic subdivisions smaller than state)
All elements of dates, except year (birth date, if over 89, must be aggregated)
Phone number
Fax number
E-mail address
Social Security number
Medical Record number
Health Plan number
Account numbers
Certificate/license numbers
URL
IP address
Vehicle identifiers
Device ID
Biometric ID
Full face/identifying photo
Any other unique identifying number, characteristic, or code

What is Protected Health Information?: 

What is Protected Health Information? PHI is made up of all forms of health information: oral, electronic, print, and video – everything from hallway conversations to e-mails. A doctor's audio transcriptions about her patients? A filled prescription? A patient’s medical record stripped of all identifiers (name, address, ID number, etc.)? A prospective patient's treatment appointment record at a diabetes center?

Patient Rights: 

Patient Rights HIPAA grants patients six rights: Inspect their PHI (held in the designated record set) and receive a copy of it; Request Amendments to their PHI (held in the designated record set); Request Restrictions of the uses and disclosures of their PHI; Request copies of their PHI via alternative means (fax, e-mail) or at alternate locations (home, office); Obtain a list of disclosures of their PHI made after April 14, 2003, (six year period); and, Receive a notice of UCHSC privacy practices from direct treatment providers.

Individual Information Access Rights: Situation: 

Individual Information Access Rights: Situation A dermatologist scribbles a note about his patient's skin condition and stores the note in the patient's medical record. The patient sees the doctor do it and asks the receptionist for a look at the note. 1. Does the patient have a right to see the dermatologist’s note?  2. Does the patient's insuring agency have a right to see the dermatologist’s note if it needs the information to pay a claim?  3. What if the doctor were a psychiatrist treating the patient for depression and the note was a separately maintained psychotherapy note? Could the patient see the note?

The General HIPAA Privacy Rule: You may not use or disclose Protected Health Information. : 

The General HIPAA Privacy Rule: You may not use or disclose Protected Health Information. Major Exceptions: To the individual; For Treatment, Payment, health care Operations (TPO ≠ Research); For mandatory reporting; With an authorization (research!).

HIPAA-Check: True OR False : 

HIPAA-Check: True OR False A conversation between two doctors about a patient is not covered under HIPAA, as long as it is not recorded on tape or in print. If you don't see patients, HIPAA regulations don't apply to you. The Basic HIPAA Privacy Rule is: You may not use or disclose PHI.

Introduction to HIPAA Privacy: The Five Privacy Principles : 

Introduction to HIPAA Privacy: The Five Privacy Principles: 1. Minimum Necessary Principle; 2. Doing Your Job Principle; 3. To Each According to His Needs Principle; 4. Authorization Principle; 5. Unidentified Patient Principle.

#1. The Minimum Necessary Principle: Use or disclose only the information necessary to the task. : 

#1. The Minimum Necessary Principle: Use or disclose only the information necessary to the task. Access information only on a need-to-know basis. Ask: “What information do I need to know to do my job?” Two major exceptions to this principle: uses by health care providers using PHI for treatment; or uses or disclosures pursuant to an authorization. However, treatment and care come first, then HIPAA. If you need the entire medical record – request it!

The Minimum Necessary Principle: Situation: 

The Minimum Necessary Principle: Situation A patient is brought into the emergency room with a gunshot wound to the chest and needs immediate medical attention. The ER doctor would like to see if the patient has any known allergies in her medical record. May the doctor look at the patient's entire record, without the patient's consent?
- No, only the minimum necessary.
- Yes, this is a treatment situation (TPO).

The Minimum Necessary Principle: Situation: 

The Minimum Necessary Principle: Situation Metropolis Hospital requests the medical history of OB/GYN patient Sally from Sally's HMO in Smallville to determine if Sally would qualify for a research study conducted by Metropolis. May the Smallville HMO release Sally's entire medical record to Metropolis?
- Release the record, this is a TPO situation.
- Release only selected parts of the record relevant to Metropolis' study.
- Don't release anything unless Sally has authorized it.

#2. Doing Your Job Principle: When you need PHI to do your job, use it. : 

#2. Doing Your Job Principle: When you need PHI to do your job, use it. If you need certain PHI to treat patients, complete insurance applications, or fill prescriptions, access that information. Similarly, release parts of PHI to those who need the information to perform their TPO duties for patients.   NOTE: This does not apply to research situations because research is not TPO. An authorization is necessary.

The Doing Your Job Principle: Situation : 

The Doing Your Job Principle: Situation A blood draw laboratory worker wants to consult a patient's medication record before he issues the patient's blood draw report to the doctor. Can the lab worker access those records without obtaining the patient's authorization?
- Yes, the lab worker needs the info to do his job.
- No, the lab worker is not engaged in direct TPO.

The Doing Your Job Principle: Situation: 

The Doing Your Job Principle: Situation To advertise its new weight loss drug, Fischer-Prise Pharmaceuticals asks UCHSC for demographic data of children treated for obesity. Should UCHSC release the records so that Fischer-Prise can "do its job" of marketing obesity loss treatments?
- Yes, Fischer-Prise needs the info to do its job.
- No, Fischer-Prise is not engaged in TPO.

The Doing Your Job Principle: Situation : 

The Doing Your Job Principle: Situation Phil is the receptionist for CU Sports Injury Clinic. After reading about the new HIPAA Privacy Rule, Phil has some concerns about how he can protect patient privacy and still do his job. Can Phil call out a person's full name to summon her into the examining room? Can Phil discuss a patient's appointment with other workers in the waiting area, where they may be overheard? A doctor asks Phil to retrieve a medical record. Can Phil retrieve the record? If a Clinic doctor asks Phil to schedule a patient to see a specialist (knee specialist, sports psychologist, etc.), is Phil violating the patient’s privacy by knowing the nature of the patient’s affliction?

#3: To Each According to His Needs Principle: Create authorizations for specific needs and do not use PHI beyond the needs specified. : 

#3: To Each According to His Needs Principle: Create authorizations for specific needs and do not use PHI beyond the needs specified. Authorizations are usually required: To use or disclose PHI for research; For access to or disclosure of psychotherapy notes; and To use PHI for marketing or fundraising.

To Each According to His Needs Principle: Authorization Versus Consent to Treatment : 

To Each According to His Needs Principle: Authorization Versus Consent to Treatment Both are written permissions. However, there is a crucial distinction between the two documents: an authorization details what may be done with information about a patient or human subject. A consent allows you to treat a patient, enroll a subject in a study, etc. A consent cannot be used in place of an authorization. They have separate roles.

To Each According to His Needs Principle: 

To Each According to His Needs Principle: Elements of an Authorization. In writing; in plain language; specific: describe the information to be used/disclosed and why, describe who can make the use/disclosure, and identify who will receive the information; required statements; expiration date or, for research, expiration event; signature and date.

To Each According to His Needs Principle: Situation: 

To Each According to His Needs Principle: Situation A public health clinic for indigent patients has patients sign an authorization that their names and treatment history can be used "for nonprofit research and treatment purposes." Can this document justify sharing information with a medical sociologist at the University of Colorado to further his research? Suppose the clinic had to disclose the patient treatment information to meet state reporting requirements to the Colorado Department of Social Services? Could it release the treatment records without patient authorization?

#4. Authorization Principle: If you are in doubt about releasing PHI to someone, get an authorization. "When in doubt, check it out." : 

#4. Authorization Principle: If you are in doubt about releasing PHI to someone, get an authorization. "When in doubt, check it out." If you are not sure whether you can release all or part of a patient's PHI without an authorization (or you are not sure what PHI you can access), remember the Authorization Principle.   You may have to secure a new authorization from the individual, or review his/her previous authorizations. Remember: Authorizations are not required to use PHI for treatment, payment or health care operations (TPO).

The Authorization Principle: Authorization Frequency : 

The Authorization Principle: Authorization Frequency Must we obtain an individual’s authorization every time his or her PHI will be disclosed? For example, if a patient signs an authorization to release PHI for research purposes, that authorization covers multiple releases to the same or different research entities, as long as they are all listed on the authorization.   However, if a research group wants parts of the patient’s PHI that are not listed on the authorization, a new authorization will be required before the group can access the information. If in doubt, check it out!

Authorization Principle: Designing the Proper Authorization Form : 

Authorization Principle: Designing the Proper Authorization Form I authorize Dr. Spock to use my child's medical research record for whatever purpose she deems appropriate for perpetuity. Name ____________________ Signed ____________________ Date _______________

Authorization Principle: Designing the Proper Authorization Form : 

Authorization Principle: Designing the Proper Authorization Form I authorize Dr. Spock to disclose my child's (name of child) height, weight, and disease history information to Dr. Seuss at the Barnes Children's Hospital in Carmel, Indiana, for Barnes' Child Obesity research project, study number CN14864. This information may be disclosed until January 1, 2004.

Authorization Principle: Designing the Proper Authorization Form : 

Authorization Principle: Designing the Proper Authorization Form I understand that I have the right to revoke this authorization, in writing, at any time by sending a written notification to (Institution’s) Privacy Officer at (address or e-mail). I understand that such a revocation is not effective to the extent that (Name of Practice) has relied on the use or disclosure of the protected health information. Name _____________ Signed _________________ Date ______________   I understand that information used or disclosed pursuant to this authorization may be subject to redisclosure by the recipient, and may no longer be protected by federal or state law.

#5: Unidentified Patient Principle: Don’t release or use patient identifiers; avoid their use whenever possible.: 

#5: Unidentified Patient Principle: Don't release or use patient identifiers; avoid their use whenever possible. Individually innocuous data items, when viewed together, can be used to identify someone. For example, the three identifiers below, when combined, may point to only one patient: Age: 89; Gender: Male; Residence: Tinytown, Colorado. The best practice is to eliminate identifiers that are not absolutely necessary.

Unidentified Patient Principle: 

Unidentified Patient Principle Here's a before-and-after table of Identified and Deidentified information:
Identified (Original) Information -> Deidentified Version
Smithon Wesson -> Patient 6 (coded number/letter sequence)
Birthdate: 07/04/49 -> Birthdate: 1949
Residence: 1234 Main, Possum Trot, Colorado -> Residence: Colorado
Phone: 634-5789 -> Phone: (omitted)
Zip code: 80338 -> Zip code: omitted if from a small town (<20,000)

Privacy Rule Summary: 

Privacy Rule Summary Do not use or disclose PHI. Five Privacy Principles: 1. Minimum Necessary Principle; 2. Doing Your Job Principle; 3. To Each According to His Needs Principle; 4. Authorization Principle; 5. Unidentified Patient Principle.

Introduction to the HIPAA Security Rule: Introduction and Objectives : 

Introduction to the HIPAA Security Rule: Introduction and Objectives “Privacy” and “security” go hand-in-hand. Protect PHI from unauthorized disclosure at all times.  Anyone who maintains PHI, in any form, is responsible for compliance with the HIPAA security practices.

Introduction to the HIPAA Security Rule: Introduction and Objectives : 

Introduction to the HIPAA Security Rule: Introduction and Objectives Protect electronic PHI via strong passwords, anti-virus software, data backup, and possibly encryption; provide physical security; properly dispose of paper and electronic PHI.

The General HIPAA Security Rule: : 

The General HIPAA Security Rule: Protected Health Information should be reasonably safeguarded from intrusion or loss.

The General HIPAA Security Rule: The Four Security Principles: 

The General HIPAA Security Rule: The Four Security Principles: 1. Defense in Depth Principle; 2. Lock and Key Principle; 3. Going Completely to Waste Principle; 4. "Be Prepared" Principle.

Defense in Depth: 

Defense in Depth Not hard on the outside and soft on the inside. Like an atomic fireball: hard all the way through!

#1: Defense in Depth Principle: Provide reasonable information security for your computerized PHI. : 

#1: Defense in Depth Principle: Provide reasonable information security for your computerized PHI. How do you provide for "information security"? Strong passwords; password-protected screen savers; anti-virus protection software; data backup; extra care with e-mail.

Defense in Depth Principle: Strong Password Protection Rules : 

Defense in Depth Principle: Strong Password Protection Rules Passwords must be "strong" enough to resist guessing. Use strong passwords on your personal computer, to access servers, and for e-mail and applications that contain PHI.

Defense in Depth Principle: E-mail Encryption : 

Defense in Depth Principle: E-mail Encryption E-mail or documents attached to an e-mail sent within the campus or hospital system do not need to be encrypted. E-mail sent to or from UCHSC to UCH, TCH, UPI is considered internal and doesn’t need encryption. Make reasonable efforts to either encrypt or de-identify information if PHI must be sent over the Internet.  

Defense in Depth Principle: Backing up PHI Data : 

Defense in Depth Principle: Backing up PHI Data Back up your PHI on a regular basis, to floppy, CD, zip drive or tape. UCHSC Information Systems offers a backup service for central and departmental servers, with data stored off-site. Contact your LAN (local area network) administrator or Information Systems with questions regarding backup procedures.

Defense in Depth Principle: Providing Virus Protection: 

Defense in Depth Principle: Providing Virus Protection Protect computers from virus corruption. Anti-virus software is installed on most UCHSC systems and configured to automatically update to combat the newest viruses. If you don't know who sent you an unexpected e-mail message, don't open it. The e-mail may contain a computer virus.

Defense in Depth Principle: Remote Access to PHI : 

Defense in Depth Principle: Remote Access to PHI If accessing campus PHI via a remote site (such as a home or off-campus office), protect your PHI by installing anti-virus software configured to update automatically, and, if using DSL or a cable modem, a personal firewall too.

Defense in Depth Principle: Information System Activity Review : 

Defense in Depth Principle: Information System Activity Review If you use a computer or server that hosts PHI: perform a risk assessment; develop unit-specific policies for handling PHI; ensure physical security; maintain patches and updates; develop role-based security (minimum necessary access); issue unique user IDs; maintain and review audit logs; maintain security incident tracking reports.

Defense in Depth Principle: Questions: 

Defense in Depth Principle: Questions Which is usually the most secure place to store PHI data?
- on your personal computer.
- on a floppy disk (Zip disk).
- on your PDA (e.g., Palm Pilot).
- on your organization's central server.

Defense in Depth Principle: Questions (cont.): 

Defense in Depth Principle: Questions (cont.) Which of these PHI communications will NOT require encryption on your part?
- Posting info on an Internet web page.
- Sending e-mail from your UCHSC address to another UCHSC address.
- Sending e-mail from your UCHSC e-mail address to a TCH e-mail address.
- Sending the PHI as a file attachment via America Online.

#2: Lock and Key Principle: Lock up all PHI that's not in immediate use. : 

#2: Lock and Key Principle: Lock up all PHI that's not in immediate use. Laptops and PDAs (e.g., Palm Pilots) with PHI files should be locked away.   PHI stored on laptops or PDAs should be protected with strong passwords and possibly encrypted files. And lock up the laptop or PDA when not in use! Paper PHI files should be stored in a locked cabinet or drawer. Make sure your area is locked up before you leave.

Lock and Key Principle: Visitors : 

Lock and Key Principle: Visitors If you work in a visible or public area: properly position your desk and computer; use a password-protected screen saver; protect the printer and fax machine; put away paper PHI.

#3. Going Completely to Waste Principle: Thoroughly and immediately dispose of PHI that you no longer need and do not need to retain.: 

#3. Going Completely to Waste Principle: Thoroughly and immediately dispose of PHI that you no longer need and do not need to retain. All paper PHI should be shredded before being trashed.   There should be a shredder within reasonable proximity of your work area.   Note: shredding by hand doesn't effectively destroy identifying information.

Going Completely to Waste Principle: Disposing of Computers : 

Going Completely to Waste Principle: Disposing of Computers Empty the "trash bin". If you are giving your computer away or throwing it out, stronger clean-up measures are needed: use a disk wiping tool, and contact Environmental Health and Safety (EH&S).

#4: "Be Prepared" Principle: Prepare yourself, your coworkers and your workplace for HIPAA compliance. : 

#4: "Be Prepared" Principle: Prepare yourself, your coworkers and your workplace for HIPAA compliance. Know: how to select and change your password; where your PHI is stored and how it is backed up; how to determine if your computer is running anti-virus software and how to find out if it is up-to-date. Report repeated logon failures to your LAN Administrator or the Help Desk. Notify the Help Desk of any use of a web server (e.g., IIS, Apache, ColdFusion), web development software (e.g., FrontPage, DreamWeaver), or SQL.
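Two of the items above, "maintain and review audit logs" in the Information System Activity Review slide and "report repeated logon failures" here, are the kind of review that can be automated. The following is an added example, not code from the HIPAA 101 deck or from UCHSC Information Systems: it reads a small audit log and produces entries for a security incident tracking report whenever one user ID accumulates a burst of failed logons. The audit-line format, the user names and hosts, and the "5 failures within 10 minutes" threshold are constructed assumptions; counting per user only works because the slides require unique user IDs.

```python
"""Audit-log review: flag repeated logon failures for the incident report.

Added example, not from the HIPAA 101 deck. The audit-line format, user
names, hosts and the "5 failures within 10 minutes" threshold are
constructed assumptions; unique user IDs are what make per-user counting
meaningful.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines: a typo followed by success, a burst against one
# account, and two isolated failures hours apart.
AUDIT_LOG = """\
2004-03-02T08:01:12 LOGON_FAILURE user=jdoe host=ws17
2004-03-02T08:01:40 LOGON_FAILURE user=jdoe host=ws17
2004-03-02T08:02:05 LOGON_SUCCESS user=jdoe host=ws17
2004-03-02T08:15:00 LOGON_FAILURE user=mlee host=ws04
2004-03-02T08:15:20 LOGON_FAILURE user=mlee host=ws04
2004-03-02T08:15:41 LOGON_FAILURE user=mlee host=ws04
2004-03-02T08:16:02 LOGON_FAILURE user=mlee host=ws04
2004-03-02T08:16:30 LOGON_FAILURE user=mlee host=ws04
2004-03-02T09:40:00 LOGON_FAILURE user=asmith host=ws09
2004-03-02T11:40:00 LOGON_FAILURE user=asmith host=ws09
"""

FAILURE_THRESHOLD = 5          # assumed local policy, not a HIPAA number
WINDOW = timedelta(minutes=10)


def parse_line(line: str):
    """'<iso timestamp> <EVENT> key=value ...' -> (datetime, event, fields)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), event, fields


def repeated_logon_failures(log_text: str, threshold: int = FAILURE_THRESHOLD,
                            window: timedelta = WINDOW) -> list:
    """One incident entry per burst of `threshold` failures inside `window`.
    A successful logon clears the user's window (a typo, not an incident)."""
    recent = defaultdict(deque)   # user -> timestamps of failures still in window
    incidents = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse_line(line)
        user = fields["user"]
        if event == "LOGON_SUCCESS":
            recent[user].clear()
            continue
        if event != "LOGON_FAILURE":
            continue
        window_q = recent[user]
        window_q.append(ts)
        while ts - window_q[0] > window:   # drop failures older than the window
            window_q.popleft()
        if len(window_q) >= threshold:
            incidents.append({
                "user": user, "host": fields.get("host"),
                "first": window_q[0].isoformat(), "last": ts.isoformat(),
                "count": len(window_q),
            })
            window_q.clear()   # report each burst once
    return incidents


if __name__ == "__main__":
    for entry in repeated_logon_failures(AUDIT_LOG):
        print(entry)
```

On the constructed log only the burst against `mlee` becomes an incident entry; `jdoe`'s two typos are cleared by the successful logon, and `asmith`'s two failures fall outside the ten-minute window. The entries are what would be handed to the LAN Administrator or Help Desk and filed in the incident tracking report the slides call for.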

"Be Prepared" Principle: Situation: 

"Be Prepared" Principle: Situation Alvin has been through HIPAA training, but he is still confused about his digital security needs. He's not sure if his PC has the proper virus protection or which transmissions containing PHI and being sent over the Internet need encryption. Who should Alvin contact for help?
- The HIPAA Privacy Officer
- A department colleague who transmits similar PHI on his/her PC
- Information Systems
- The Department of Health and Human Services

HIPAA Security Rule: Summary: 

HIPAA Security Rule: Summary "Privacy" and "security" go hand-in-hand. Protected Health Information should be reasonably safeguarded from intrusion or loss. Remember the Four Security Principles: 1. Defense in Depth Principle; 2. Lock and Key Principle; 3. Going Completely to Waste Principle; 4. "Be Prepared" Principle.

HIPAA Privacy and Security: 

HIPAA Privacy and Security What do I do if I have questions about HIPAA’s Rules? Attend a HIPAA Drop-In Question and Answer Session (scheduled upon request) Look for answers on UCHSC HIPAA web page at http://www.uchsc.edu/hipaa/ Contact UCHSC HIPAA Privacy or Security Officers; see info at http://www.uchsc.edu/hipaa/contacts.htm

THE END!: 

THE END!
General: http://www.uchsc.edu/hipaa
Research: http://comirbweb.uchsc.edu
Privacy: Esther.Henry@UCHSC.edu
Security: Sherry.Fischer@UCHSC.edu
Security: William.Freud@UCHSC.edu
Research: Lisa.Jensen@UCHSC.edu
Research: Kim.Buda@UCHSC.edu
Research: Lawellin.David@tchden.org
Legal: Steve.Zweck-Bronner@UCHSC.edu

HIPAA 201: Research : 

HIPAA 201: Research Presented by Esther Henry HIPAA Privacy Officer and Project Manager University of Colorado Health Sciences Center Lisa Jensen Director, COMIRB

Is Anything Grandfathered?: 

Is Anything Grandfathered? Yes! Individuals who were consented into a study prior to April 14, 2003, or studies that received a waiver of consent prior to April 14, 2003. Databases with PHI for which you received some kind of legal permission from the subject of the PHI to use his or her information. HIPAA will apply to: all individuals consented or re-consented into a study after April 14, 2003 (they must sign an authorization); and exempt research, which needs a waiver of authorization from COMIRB unless the study is closed or you are not using PHI.

The Five Ways to do Research in HIPAA: 

The Five Ways to do Research in HIPAA: 1. De-identify Your Data; 2. Limited Data Set; 3. Authorization; 4. Waiver of Authorization; 5. Researcher Certification Situations.

Option 1: De-identify!: 

Option 1: De-identify! If your data is de-identified it is not subject to HIPAA as it is not PHI. De-identified means all 18 identifiers are stripped!

Option 2: Limited Data Set: 

Option 2: Limited Data Set A limited data set excludes 16 of the 18 identifying fields. It lets you use two of the 18 fields that make information identifiable: Dates; and Zip code, town, city, and state. If you have a limited data set you do not need patient authorization. You do need a data use agreement.
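Options 1 and 2 above, together with the before-and-after table under the Unidentified Patient Principle, describe two concrete transformations of a patient record. The following is an added example, not code from the HIPAA 101 deck or from UCHSC: it applies both transformations to a couple of constructed records. Option 1 strips all 18 identifiers, keeps only the year of any date, aggregates ages over 89 into a single category, and omits the zip code for towns under 20,000 (the rule the slide states); Option 2 keeps dates and zip/town/city/state and drops the other 16 identifiers. The field names, sample records and town populations are constructed; truncating a large-town zip code to its first three digits is the Safe Harbor rule and goes beyond what the slide says.

```python
"""De-identification of patient records as the slides describe it.

Added example, not part of the HIPAA 101 deck. Option 1 (Safe Harbor) strips
all 18 identifiers, keeps year-only dates, aggregates ages over 89 and omits
zip codes for towns under 20,000; Option 2 (limited data set) keeps dates and
zip/town/city/state but drops the other 16 identifiers. Field names, sample
records and populations are constructed; the three-digit zip truncation for
large towns is the Safe Harbor rule, an assumption beyond the slide.
"""
from datetime import date

# Identifiers neither option retains (all of the 18 except dates and geography).
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "url", "ip_address", "vehicle_id",
    "device_id", "biometric_id", "photo", "other_unique_code",
})
# Geographic subdivisions smaller than state: removed by Option 1, kept by Option 2.
GEO_FIELDS = frozenset({"address", "town", "city", "zip"})
DATE_FIELDS = frozenset({"birthdate", "admission_date", "discharge_date"})
AUX_FIELDS = frozenset({"population"})  # lookup input only, never emitted
SMALL_TOWN_POPULATION = 20_000           # threshold given on the slide

# Constructed sample records (the first mirrors the slide's before/after table).
SAMPLE_RECORDS = [
    {"name": "Smithon Wesson", "birthdate": "1949-07-04", "address": "1234 Main",
     "town": "Possum Trot", "state": "Colorado", "zip": "80338", "population": 900,
     "phone": "634-5789", "mrn": "MRN-000123", "diagnosis": "hypertension"},
    {"name": "Jane Example", "birthdate": "1912-03-15", "address": "9 Elm St",
     "town": "Denver", "state": "Colorado", "zip": "80202", "population": 550_000,
     "email": "jane@example.invalid", "admission_date": "2003-11-02",
     "diagnosis": "pneumonia"},
]


def _age_on(birthdate: date, on: date) -> int:
    years = on.year - birthdate.year
    if (on.month, on.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def safe_harbor(record: dict, code: str, reference_date: date) -> dict:
    """Option 1: the result carries none of the 18 identifiers, so it is not PHI."""
    dropped = DIRECT_IDENTIFIERS | GEO_FIELDS | DATE_FIELDS | AUX_FIELDS
    out = {k: v for k, v in record.items() if k not in dropped}
    out["patient_code"] = code  # coded sequence stands in for the name
    if "birthdate" in record:
        born = date.fromisoformat(record["birthdate"])
        if _age_on(born, reference_date) > 89:
            out["age_category"] = "90+"   # aggregated; the birth year would identify
        else:
            out["birth_year"] = born.year  # every other date element removed
    for field in DATE_FIELDS - {"birthdate"}:
        if field in record:
            out[field + "_year"] = date.fromisoformat(record[field]).year
    # Zip omitted for small towns (slide rule); otherwise first three digits only
    # (Safe Harbor detail, an assumption beyond the slide).
    if "zip" in record and record.get("population", 0) >= SMALL_TOWN_POPULATION:
        out["zip3"] = record["zip"][:3]
    return out


def limited_data_set(record: dict) -> dict:
    """Option 2: still PHI, so a data use agreement is required (no authorization)."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS | AUX_FIELDS}


def deidentify_all(records, reference_date=date(2004, 1, 1)):
    """Safe Harbor over a batch; codes are sequential, not derived from the data."""
    return [safe_harbor(r, f"Patient {i}", reference_date)
            for i, r in enumerate(records, start=1)]


if __name__ == "__main__":
    for row in deidentify_all(SAMPLE_RECORDS):
        print(row)
    print(limited_data_set(SAMPLE_RECORDS[0]))
```

The first record comes out as the slide's table shows it: a coded patient number, birth year 1949, residence reduced to Colorado, and no phone or zip code. The second record shows the over-89 case, where even the birth year is replaced by the "90+" category. The limited data set of the first record still contains the full birthdate and zip code, which is exactly why it remains PHI and needs a data use agreement.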

Authorization for Research: Page 1: 

Authorization for Research: Page 1

Authorization for Research: Page 2: 

Authorization for Research: Page 2 The PI (or staff acting on behalf of the PI) will also make the following health information about me available to: (check all that apply and describe type and number of the procedures done where applicable)
Recipient (name person or class of persons) ___________________________________
[ ] All Research Data Collected in this Study
[ ] Name and phone number
[ ] Demographic information (age, sex, ethnicity, address, etc.)
[ ] Diagnosis(es)
[ ] History and Physical
[ ] Laboratory or Tissue Studies _____________________________________________
[ ] Radiology Studies ______________________________________________________
[ ] AIDS or HIV test (or results) ____________________________________________
[ ] Psychological tests _____________________________________________________
[ ] Survey ________________________________________________________________
[ ] Research Visit records
[ ] Portions of previous Medical Records that are relevant to this study
[ ] Billing/Charges
[ ] Other (Specify) ______________________________________________________
For the Specific Purpose of
[ ] Evaluation of this research project
[ ] Evaluation of laboratory/tissue samples
[ ] Data management
[ ] Data analysis
[ ] Other* _______________________________________________________________
*Cannot say "for any and all research", "for any purpose", etc.


Authorization for Research: Page 3: 

Authorization for Research: Page 3
I give my authorization knowing that:
I do not have to sign this authorization. But if I do not sign it the researcher has the right to not let me be in the research study.
I can cancel this authorization any time. I have to cancel it in writing. If I cancel it, the researchers and the people the information was given to will still be able to use it because I had given them my permission, but they won't get any more information about me.
I can read the Notice of Privacy Practices at the facility where the research is being conducted to find out how to cancel my authorization.
The records given out to other people may be given out by them and might no longer be protected.
I will be given a copy of this form after I have signed it.
This authorization will expire on: _____ (Date) OR
[ ] The end of the research study
[ ] Will not expire
______________________ Patient's Signature    Date _________________________


Option 4: Waiver of Authorization: 

Option 4: Waiver of Authorization
Seek a waiver of authorization from COMIRB. You qualify for this option if:
There is no "practicable" way to get an authorization;
There is no more than a minimal risk to the privacy of the individual; and,
The research could not be conducted without access to the PHI.

Option 4: Waiver of Authorization Waiver Request Form: 

Option 4: Waiver of Authorization Waiver Request Form
Describe the protected health information (PHI) that will be collected:
IN ORDER FOR THIS WAIVER TO BE APPROVED, THERE MUST BE NO MORE THAN MINIMAL RISK TO PRIVACY OF THE SUBJECT, BASED ON THE ANSWERS TO THE FOLLOWING QUESTIONS:
1. How will subject identifiers be protected?
2. What is the plan to destroy the identifiers ASAP? [Please state if there is a health or research justification for retaining the identifiers or if retention is required by law.]
3. Will the data be made available to anyone other than the study personnel? If so, to whom? And if so, why?
Can this project be done without PHI?
Why is it not possible to get the authorization of the subjects whose PHI you want to use?
CONFIRMATION: I confirm that the Protected Health Information (PHI) will not be re-used or disclosed except as required by law, for authorized oversight of the research or for other research that has been reviewed and approved by the IRB with specific approval regarding access to this PHI.
___________________________________ PI Signature    ______________________ Date


The Five Ways to do Research in HIPAA: 

The Five Ways to do Research in HIPAA 1. De-identify Your Data 2. Limited Data Set 3. Authorization 4. Waiver of Authorization 5. Researcher Certification Situations: Decedent Research; Reviews Preparatory to Research

Option 5: Decedent Research: 

Option 5: Decedent Research Researcher must certify: Decedents’ PHI only; Decedents are actually deceased!; and PHI is necessary for research. At the HSC, there will be a form to complete for this option.

Option 5: Reviews Preparatory to Research: 

Option 5: Reviews Preparatory to Research Researcher must certify: No PHI will be recorded, nor will PHI be removed from the premises where the PHI was accessed; Use or disclosure is solely to prepare a research protocol, assess a population, etc.; and, PHI is necessary for research.
Acceptable methods for reviews preparatory to research are dictated by each institution. You must comply with the requirements of the institution that owns the research data. At the HSC, there will be a form to complete for this option.

Can you use Review Prep Option to Recruit Patients? : 

Can you use Review Prep Option to Recruit Patients? No! Accessing medical records to identify potential participants is considered to be research activity (not pre-research), so it requires prior IRB approval. The Review Prep Option does not permit you to contact the patients, only to determine whether they are there. (Catch and Release!)

Patient Recruitment: Provider access to his/her own patient records: 

Patient Recruitment: Provider access to his/her own patient records Once a study is approved by COMIRB a health care provider may review his/her current and former patient records to identify potential participants and may contact those individuals without the need for an authorization. At enrollment, subjects should sign an authorization.

Patient Recruitment: Provider access to records of patients treated in the same clinical service but not seen by the physician: 

Patient Recruitment: Provider access to records of patients treated in the same clinical service but not seen by the physician
Current Patients: after receiving COMIRB approval the provider may review the records and contact the patients without authorization.
Former Patients: cannot access records of patients who have not been seen in five years by the service and cannot contact those patients without COMIRB approval and HIPAA authorization.

Patient Recruitment: Provider access to records of patients outside of his/her clinical service: 

Patient Recruitment: Provider access to records of patients outside of his/her clinical service
May ask the provider with a relationship to the patient to:
Get recruitment authorization for you to contact the patient (authorization to pass the patient's name and contact information to you); or,
Ask the patient to contact you.

Patient Recruitment: Advertisements: 

Patient Recruitment: Advertisements Patients may contact you in response to an advertisement. If the patient does not enroll: you may not send any PHI to study sponsors without an authorization from the individual who is the subject of the PHI.

THE END!: 

THE END!
http://www.uchsc.edu/hipaa (General)
http://comirbweb.uchsc.edu (Research)
Esther.Henry@UCHSC.edu (Privacy)
Sherry.Fischer@UCHSC.edu (Security)
William.Freud@UCHSC.edu (Security)
Lisa.Jensen@UCHSC.edu (Research)
Kim.Buda@UCHSC.edu (Research)
Lawellin.David@tchden.org (Research)
Steve.Zweck-Bronner@UCHSC.edu (Legal)
