HIPAA 101 : HIPAA 101 Presented by
Esther Henry
HIPAA Privacy Officer and Project Manager
University of Colorado Health Sciences Center
Bill Freud
HIPAA Security Officer; AVC, Information Systems
University of Colorado Health Sciences Center
Developed in partnership with University
Leadership Development Institute, UCHSC’s HIPAA
Compliance Office, and CU-Denver’s Center for
Innovations in Teaching and Technology
What is HIPAA? : What is HIPAA? HIPAA has nine segments, but our focus today is on the Privacy and Security Rules.
UCHSC must comply with HIPAA's Privacy Rule today and with HIPAA's Security Rule by April 21, 2005.
Why HIPAA 101? : Why HIPAA 101? Today we will cover:
Background regarding HIPAA;
The five HIPAA Privacy Principles;
The four HIPAA Security Principles;
Scenarios we’ll discuss as a group.
The HIPAA Acronym: What's In a Name? : The HIPAA Acronym: What's In a Name?
Health Insurance Portability and Accountability Act of 1996
Purposes: insurance portability (to allow individuals to carry their health insurance from job to job); standardization of claims and health information (forms and codes)
Increased risk requires increased protection
Who has to comply with HIPAA? : Who has to comply with HIPAA? Health plans
Health care clearinghouses
Health care providers who transmit any health information in electronic form in connection with eight transactions
Why Comply? : Why Comply?
Ethics - it’s the right thing to do!
Civil Penalties – fines of $100 for every accidental violation
Criminal Penalties - up to $250,000 for violations committed knowingly/purposefully and up to 10 years in federal prison
What is Protected Health Information? : What is Protected Health Information?
(Diagram: Health Information > Individually Identifiable Health Information (IIHI) > Protected Health Information (PHI))
What items make information identifiable? : What items make information identifiable? Name
Postal address (geographic subdivisions smaller than state)
All elements of dates, except year (birth date, if over 89, must be aggregated)
Phone number
Fax number
E-mail address
Social Security number
Medical Record number
Health Plan number
Account numbers
Certificate/license numbers
URL
IP address
Vehicle identifiers
Device ID
Biometric ID
Full face/identifying photo
Any other unique identifying number, characteristic, or code
What is Protected Health Information? : What is Protected Health Information? PHI is made up of all forms of health information: oral, electronic, print, and video – everything from hallway conversations to e-mails.
A doctor's audio transcriptions about her patients?
A filled prescription?
A patient’s medical record stripped of all identifiers (name, address, ID number, etc.)?
A prospective patient's treatment appointment record at a diabetes center?
Patient Rights : Patient Rights HIPAA grants patients six rights:
Inspect their PHI (held in the designated record set) and receive a copy of it;
Request Amendments to their PHI (held in the designated record set);
Request Restrictions of the uses and disclosures of their PHI;
Request copies of their PHI via alternative means (fax, e-mail) or at alternate locations (home, office);
Obtain a list of disclosures of their PHI made after April 14, 2003 (six-year period); and
Receive a notice of UCHSC privacy practices from direct treatment providers.
Individual Information Access Rights: Situation : Individual Information Access Rights: Situation
A dermatologist scribbles a note about his patient's skin condition and stores the note in the patient's medical record. The patient sees the doctor do it and asks the receptionist for a look at the note.
1. Does the patient have a right to see the dermatologist’s note?
2. Does the patient's insuring agency have a right to see the dermatologist’s note if it needs the information to pay a claim?
3. What if the doctor were a psychiatrist treating the patient for depression and the note was a separately maintained psychotherapy note? Could the patient see the note?
The General HIPAA Privacy Rule: You may not use or disclose Protected Health Information. : The General HIPAA Privacy Rule: You may not use or disclose Protected Health Information. Major Exceptions:
To the individual;
For Treatment, Payment, health care Operations (TPO ≠ Research);
For mandatory reporting;
With an authorization (research!).
HIPAA-Check: True OR False : HIPAA-Check: True OR False A conversation between two doctors about a patient is not covered under HIPAA, as long as it is not recorded on tape or in print.
If you don't see patients, HIPAA regulations don't apply to you.
The Basic HIPAA Privacy Rule is: You may not use or disclose PHI.
Introduction to HIPAA Privacy: The Five Privacy Principles : Introduction to HIPAA Privacy: The Five Privacy Principles
Minimum Necessary Principle
Doing Your Job Principle
To Each According to His Needs Principle
Authorization Principle
Unidentified Patient Principle
#1. The Minimum Necessary Principle: Use or disclose only the information necessary to the task. : #1. The Minimum Necessary Principle: Use or disclose only the information necessary to the task. Access information only on a need-to-know basis. Ask: “What information do I need to know to do my job?”
Two major exceptions to this principle:
uses by health care providers using PHI for treatment;
or uses or disclosures pursuant to an authorization.
However, treatment and care come first, then HIPAA. If you need the entire medical record – request it!
The Minimum Necessary Principle: Situation : The Minimum Necessary Principle: Situation A patient is brought into the emergency room with a gunshot wound to the chest and needs immediate medical attention. The ER doctor would like to see if the patient has any known allergies in her medical record. May the doctor look at the patient's entire record, without the patient's consent?
- No, only the minimum necessary.
- Yes, this is a treatment situation (TPO).
The Minimum Necessary Principle: Situation : The Minimum Necessary Principle: Situation Metropolis Hospital requests the medical history of OB/GYN patient Sally from Sally's HMO in Smallville to determine if Sally would qualify for a research study conducted by Metropolis. May the Smallville HMO release Sally's entire medical record to Metropolis?
- Release the record, this is a TPO situation.
- Release only selected parts of the record relevant to Metropolis’ study.
- Don’t release anything unless Sally has authorized it.
Introduction to HIPAA Privacy: The Five Privacy Principles : Introduction to HIPAA Privacy: The Five Privacy Principles
Minimum Necessary Principle
Doing Your Job Principle
To Each According to His Needs Principle
Authorization Principle
Unidentified Patient Principle
#2. Doing Your Job Principle: When you need PHI to do your job, use it. : #2. Doing Your Job Principle: When you need PHI to do your job, use it.
If you need certain PHI to treat patients, complete insurance applications, or fill prescriptions, access that information. Similarly, release parts of PHI to those who need the information to perform their TPO duties for patients.
NOTE: This does not apply to research situations because research is not TPO. An authorization is necessary.
The Doing Your Job Principle: Situation : The Doing Your Job Principle: Situation A blood draw laboratory worker wants to consult a patient's medication record before he issues the patient's blood draw report to the doctor. Can the lab worker access those records without obtaining the patient's authorization?
Yes, the lab worker needs the info to do his job.
No, the lab worker is not engaged in direct TPO.
The Doing Your Job Principle: Situation : The Doing Your Job Principle: Situation To advertise its new weight loss drug, Fischer-Prise Pharmaceuticals asks UCHSC for demographic data of children treated for obesity. Should UCHSC release the records so that Fischer-Prise can "do its job" of marketing weight-loss treatments?
Yes, Fischer-Prise needs the info to do its job.
No, Fischer-Prise is not engaged in TPO.
The Doing Your Job Principle: Situation : The Doing Your Job Principle: Situation
Phil is the receptionist for CU Sports Injury Clinic. After reading about the new HIPAA Privacy Rule, Phil has some concerns about how he can protect patient privacy and still do his job.
Can Phil call out a person's full name to summon her into the examining room?
Can Phil discuss a patient's appointment with other workers in the waiting area, where they may be overheard?
A doctor asks Phil to retrieve a medical record. Can Phil retrieve the record?
If a Clinic doctor asks Phil to schedule a patient to see a specialist (knee specialist, sports psychologist, etc.), is Phil violating the patient’s privacy by knowing the nature of the patient’s affliction?
Introduction to HIPAA Privacy: The Five Privacy Principles : Introduction to HIPAA Privacy: The Five Privacy Principles
Minimum Necessary Principle
Doing Your Job Principle
To Each According to His Needs Principle
Authorization Principle
Unidentified Patient Principle
#3: To Each According to His Needs Principle: Create authorizations for specific needs and do not use PHI beyond the needs specified. : #3: To Each According to His Needs Principle: Create authorizations for specific needs and do not use PHI beyond the needs specified. Authorizations are usually required:
To use or disclose PHI for research;
For access to or disclosure of psychotherapy notes; and
To use PHI for marketing or fundraising.
To Each According to His Needs Principle: Authorization Versus Consent to Treatment : To Each According to His Needs Principle: Authorization Versus Consent to Treatment
Both are written permissions. However, there is a crucial distinction between the two documents: an authorization details what may be done with information about a patient or human subject. A consent allows you to treat a patient, enroll a subject in a study, etc.
A consent cannot be used in place of an authorization. They have separate roles.
To Each According to His Needs Principle : To Each According to His Needs Principle
Elements of an Authorization
In writing
In plain language
Is specific!
Describe info to be used/disclosed and why
Describe who can make the use/disclosure
Identify who will receive the info
Required statements
Expiration date or, for research, expiration event
Signature and date
To Each According to His Needs Principle: Situation : To Each According to His Needs Principle: Situation A public health clinic for indigent patients has patients sign an authorization that their names and treatment history can be used "for nonprofit research and treatment purposes." Can this document justify sharing information with a medical sociologist at the University of Colorado to further his research?
Suppose the clinic had to disclose the patient treatment information to meet state reporting requirements to the Colorado Department of Social Services. Could it release the treatment records without patient authorization?
Introduction to HIPAA Privacy: The Five Privacy Principles : Introduction to HIPAA Privacy: The Five Privacy Principles
Minimum Necessary Principle
Doing Your Job Principle
To Each According to His Needs Principle
Authorization Principle
Unidentified Patient Principle
#4. Authorization Principle: If you are in doubt about releasing PHI to someone, get an authorization. "When in doubt, check it out." : #4. Authorization Principle: If you are in doubt about releasing PHI to someone, get an authorization. "When in doubt, check it out."
If you are not sure whether you can release all or part of a patient's PHI without an authorization (or you are not sure what PHI you can access), remember the Authorization Principle.
You may have to secure a new authorization from the individual, or review his/her previous authorizations.
Remember: Authorizations are not required to use PHI for treatment, payment or health care operations (TPO).
The Authorization Principle: Authorization Frequency : The Authorization Principle: Authorization Frequency Must we obtain an individual’s authorization every time his or her PHI will be disclosed?
For example, if a patient signs an authorization to release PHI for research purposes, that authorization covers multiple releases to the same or different research entities, as long as they are all listed on the authorization.
However, if a research group wants parts of the patient’s PHI that are not listed on the authorization, a new authorization will be required before the group can access the information.
If in doubt, check it out!
Authorization Principle: Designing the Proper Authorization Form : Authorization Principle: Designing the Proper Authorization Form
I authorize Dr. Spock to use my child's medical research record for whatever purpose she deems appropriate for perpetuity.
Name ____________________
Signed ____________________
Date _______________
Authorization Principle: Designing the Proper Authorization Form : Authorization Principle: Designing the Proper Authorization Form I authorize Dr. Spock to disclose my child's (name of child) height, weight, and disease history information to Dr. Seuss at the Barnes Children's Hospital in Carmel, Indiana, for Barnes’ Child Obesity research project, study number CN14864. This information may be disclosed until January 1, 2004.
Authorization Principle: Designing the Proper Authorization Form : Authorization Principle: Designing the Proper Authorization Form I understand that I have the right to revoke this authorization, in writing, at any time by sending a written notification to (Institution’s) Privacy Officer at (address or e-mail). I understand that such a revocation is not effective to the extent that (Name of Practice) has relied on the use or disclosure of the protected health information.
Name _____________ Signed _________________
Date ______________
I understand that information used or disclosed pursuant to this authorization may be subject to redisclosure by the recipient, and may no longer be protected by federal or state law.
Introduction to HIPAA Privacy: The Five Privacy Principles : Introduction to HIPAA Privacy: The Five Privacy Principles
Minimum Necessary Principle
Doing Your Job Principle
To Each According to His Needs Principle
Authorization Principle
Unidentified Patient Principle
#5: Unidentified Patient Principle: Don’t release or use patient identifiers; avoid their use whenever possible. : #5: Unidentified Patient Principle: Don’t release or use patient identifiers; avoid their use whenever possible.
Individually innocuous data items, when viewed together, can be used to identify someone. For example, the three identifiers below, when combined, may point to only one patient:
Age: 89 Gender: Male Residence: Tinytown, Colorado
The best practice is to eliminate identifiers that are not absolutely necessary.
Unidentified Patient Principle : Unidentified Patient Principle Here's a before-and-after table of identified and de-identified information:
Identified (Original) Information | Deidentified Version
Smithon Wesson | Patient 6 (coded number/letter sequence)
Birthdate: 07/04/49 | Birthdate: 1949
Residence: 1234 Main, Possum Trot, Colorado | Residence: Colorado
Phone: 634-5789 | Phone: (omitted)
Zip code: 80338 | Zip code: omitted if from a small town (<20,000)
Privacy Rule Summary : Privacy Rule Summary Do not use or disclose PHI.
Five Privacy Principles:
Minimum Necessary Principle
Doing Your Job Principle
To Each According to His Needs Principle
Authorization Principle
Unidentified Patient Principle
Introduction to the HIPAA Security Rule: Introduction and Objectives : Introduction to the HIPAA Security Rule: Introduction and Objectives
“Privacy” and “security” go hand-in-hand.
Protect PHI from unauthorized disclosure at all times.
Anyone who maintains PHI, in any form, is responsible for compliance with the HIPAA security practices.
Introduction to the HIPAA Security Rule: Introduction and Objectives : Introduction to the HIPAA Security Rule: Introduction and Objectives
Protect electronic PHI via
strong passwords, anti-virus software, data backup, and possibly encryption
Provide physical security
Properly dispose of paper and electronic PHI
The General HIPAA Security Rule: : The General HIPAA Security Rule: Protected Health Information should be reasonably safeguarded from intrusion or loss.
The General HIPAA Security Rule: The Four Security Principles : The General HIPAA Security Rule: The Four Security Principles
Defense in Depth Principle
Lock and Key Principle
Going Completely to Waste Principle
"Be Prepared" Principle
Defense in Depth : Defense in Depth Not hard on the outside and soft on the inside – like an atomic fireball, hard all the way through!
#1: Defense in Depth Principle: Provide reasonable information security for your computerized PHI. : #1: Defense in Depth Principle: Provide reasonable information security for your computerized PHI.
How do you provide for "information security"?
"Strong passwords"
Password-protected screen savers
Anti-virus protection software
Data backup
Use extra care with e-mail
Defense in Depth Principle: Strong Password Protection Rules : Defense in Depth Principle: Strong Password Protection Rules
Passwords "strong" enough to resist guessing
Use strong passwords on your personal computer, to access servers, e-mail, and applications that contain PHI.
Defense in Depth Principle: E-mail Encryption : Defense in Depth Principle: E-mail Encryption
E-mail or documents attached to an e-mail sent within the campus or hospital system do not need to be encrypted.
E-mail sent to or from UCHSC to UCH, TCH, UPI is considered internal and doesn’t need encryption.
Make reasonable efforts to either encrypt or de-identify information if PHI must be sent over the Internet.
Defense in Depth Principle: Backing up PHI Data : Defense in Depth Principle: Backing up PHI Data
Back up your PHI on a regular basis, to floppy, CD, zip drive or tape.
UCHSC Information Systems offers a backup service for central and departmental servers, with data stored off-site.
Contact your LAN (local area network) administrator or Information Systems with questions regarding backup procedures.
Defense in Depth Principle: Providing Virus Protection : Defense in Depth Principle: Providing Virus Protection
Protect computers from virus corruption.
Anti-virus software is installed on most UCHSC systems and configured to automatically update to combat the newest viruses.
If you don't know who sent you an unexpected e-mail message, don't open it. The e-mail may contain a computer virus.
Defense in Depth Principle: Remote Access to PHI : Defense in Depth Principle: Remote Access to PHI
If accessing campus PHI via a remote site (such as a home or off-campus office), protect your PHI by installing:
Anti-virus software, configured to update automatically.
And if using DSL or a cable modem, a personal firewall too.
Defense in Depth Principle: Information System Activity Review : Defense in Depth Principle: Information System Activity Review If you use a computer or server that hosts PHI:
Perform a risk assessment
Develop unit-specific policies for handling PHI
Ensure physical security
Maintain patches and updates
Develop role-based security – minimum necessary access
Issue unique user IDs
Maintain and review audit logs
Maintain security incident tracking reports
Defense in Depth Principle: Questions : Defense in Depth Principle: Questions
Which is usually the most secure place to store PHI data?
on your personal computer.
on a floppy disk (Zip disk).
on your PDA (e.g., Palm Pilot).
on your organization's central server.
Defense in Depth Principle: Questions (cont.) : Defense in Depth Principle: Questions (cont.)
Which of these PHI communications will NOT require encryption on your part?
Posting info on an Internet web page.
Sending e-mail from your UCHSC address to another UCHSC address.
Sending e-mail from your UCHSC e-mail address to a TCH e-mail address.
Sending the PHI as a file attachment via America Online.
The General HIPAA Security Rule: The Four Security Principles : The General HIPAA Security Rule: The Four Security Principles
Defense in Depth Principle
Lock and Key Principle
Going Completely to Waste Principle
"Be Prepared" Principle
#2: Lock and Key Principle: Lock up all PHI that's not in immediate use. : #2: Lock and Key Principle: Lock up all PHI that's not in immediate use.
Laptops and PDAs (e.g., Palm Pilots) with PHI files should be locked away.
PHI stored on laptops or PDAs should be protected with strong passwords and possibly encrypted files. And lock up the laptop or PDA when not in use!
Paper PHI files should be stored in a locked cabinet or drawer.
Make sure your area is locked up before you leave.
Lock and Key Principle: Visitors : Lock and Key Principle: Visitors
If you work in a visible or public area:
Properly position your desk and computer
Use a password-protected screen saver.
Protect printer and fax machine
Put away paper PHI
The General HIPAA Security Rule: The Four Security Principles : The General HIPAA Security Rule: The Four Security Principles
Defense in Depth Principle
Lock and Key Principle
Going Completely to Waste Principle
"Be Prepared" Principle
#3. Going Completely to Waste Principle: Thoroughly and immediately dispose of PHI that you no longer need and do not need to retain. : #3. Going Completely to Waste Principle: Thoroughly and immediately dispose of PHI that you no longer need and do not need to retain.
All paper PHI should be shredded before being trashed.
There should be a shredder within reasonable proximity of your work area.
Note: shredding by hand doesn't effectively destroy identifying information.
Going Completely to Waste Principle: Disposing of Computers : Going Completely to Waste Principle: Disposing of Computers Empty the "trash bin".
If you are giving your computer away or throwing it out, stronger clean-up measures are needed:
Use disk wiping tool
Contact Environmental Health and Safety (EH&S)
The General HIPAA Security Rule: The Four Security Principles : The General HIPAA Security Rule: The Four Security Principles
Defense in Depth Principle
Lock and Key Principle
Going Completely to Waste Principle
"Be Prepared" Principle
#4: "Be Prepared" Principle: Prepare yourself, your coworkers and your workplace for HIPAA compliance. : #4: "Be Prepared" Principle: Prepare yourself, your coworkers and your workplace for HIPAA compliance.
Know:
how to select and change your password
where your PHI is stored and how it is backed up
how to determine if your computer is running anti-virus software and how to find out if it is up-to-date.
Report repeated logon failures to your LAN Administrator or the Help Desk.
Notify the Help Desk if you use a web server (e.g. IIS, Apache, ColdFusion), web development software (e.g. FrontPage, Dreamweaver), or SQL.
"Be Prepared" Principle: Situation : "Be Prepared" Principle: Situation
Alvin has been through HIPAA training, but he is still confused about his digital security needs. He's not sure if his PC has the proper virus protection or which transmissions containing PHI and being sent over the Internet need encryption. Who should Alvin contact for help?
The HIPAA Privacy Officer
A department colleague who transmits similar PHI on his/her PC
Information Systems
The Department of Health and Human Services
HIPAA Security Rule: Summary : HIPAA Security Rule: Summary "Privacy" and "security" go hand-in-hand.
Protected Health Information should be reasonably safeguarded from intrusion or loss.
Remember the Four Security Principles:
Defense in Depth Principle
Lock and Key Principle
Going Completely to Waste Principle
"Be Prepared" Principle
HIPAA Privacy and Security : HIPAA Privacy and Security What do I do if I have questions about HIPAA’s Rules?
Attend a HIPAA Drop-In Question and Answer Session (scheduled upon request)
Look for answers on UCHSC HIPAA web page at http://www.uchsc.edu/hipaa/
Contact UCHSC HIPAA Privacy or Security Officers; see info at http://www.uchsc.edu/hipaa/contacts.htm
THE END! : THE END! http://www.uchsc.edu/hipaa General
http://comirbweb.uchsc.edu Research
Esther.Henry@UCHSC.edu Privacy
Sherry.Fischer@UCHSC.edu Security
William.Freud@UCHSC.edu Security
Lisa.Jensen@UCHSC.edu Research
Kim.Buda@UCHSC.edu Research
Lawellin.David@tchden.org Research
Steve.Zweck-Bronner@UCHSC.edu Legal
HIPAA 201: Research : HIPAA 201: Research Presented by
Esther Henry
HIPAA Privacy Officer and Project Manager
University of Colorado Health Sciences Center
Lisa Jensen
Director, COMIRB
Is Anything Grandfathered? : Is Anything Grandfathered? Yes!
Individuals who were consented into a study prior to April 14, 2003 or studies that received a waiver of consent prior to April 14, 2003.
Databases with PHI for which you received some kind of legal permission from the subject of the PHI to use his or her information.
HIPAA will apply to:
All individuals consented or re-consented into a study after April 14, 2003, who must sign an authorization; and
Exempt research, which needs a waiver of authorization from COMIRB unless the study is closed or you are not using PHI.
The Five Ways to do Research in HIPAA : The Five Ways to do Research in HIPAA 1. De-identify Your Data
2. Limited Data Set
3. Authorization
4. Waiver of Authorization
5. Researcher Certification Situations
Option 1: De-identify! : Option 1: De-identify! If your data is de-identified it is not subject to HIPAA as it is not PHI.
De-identified means all 18 identifiers are stripped!
The Five Ways to do Research in HIPAA : The Five Ways to do Research in HIPAA 1. De-identify Your Data
2. Limited Data Set
3. Authorization
4. Waiver of Authorization
5. Researcher Certification Situations
Option 2: Limited Data Set : Option 2: Limited Data Set A limited data set excludes 16 of the 18 identifying fields.
It lets you use two of the 18 fields that make information identifiable:
Dates; and
Zip code, town, city, and state.
If you have a limited data set you do not need patient authorization.
You do need a data use agreement.
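The two research options just described (Option 1, de-identification by stripping all 18 identifiers, and Option 2, the limited data set that keeps dates and zip/town/city/state) and the before-and-after table under the Unidentified Patient Principle, applied to a constructed patient record. This is an added Python example, not material from the UCHSC deck: the record field names, the sample records and the reference date are this example's own assumptions, and where the deck says to omit the zip code for a small town (<20,000), the example keeps only the first three digits for larger areas, which is the Safe Harbor rule.

```python
from datetime import date

# The deck's 18 identifier categories, keyed by the field names this example
# assumes for a patient record. Street address belongs to the "geographic
# subdivisions smaller than state" category; dates and zip/town/city/state are
# handled separately because Safe Harbor and the limited data set treat them
# differently.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "url",
    "ip_address", "vehicle_id", "device_id", "biometric_id", "photo",
    "other_unique_code",
})
DATE_FIELDS = {"birthdate": "birth_year", "admit_date": "admit_year",
               "discharge_date": "discharge_year"}
GEO_FIELDS = frozenset({"zip", "town", "city", "state"})

SMALL_AREA_POPULATION = 20_000  # the deck's threshold for omitting a zip code
AGE_AGGREGATION_LIMIT = 89      # ages over 89 are reported only as "90+"


def age_on(birthdate, as_of):
    """Whole years completed between birthdate and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birthdate.month, birthdate.day)
    return as_of.year - birthdate.year - (0 if had_birthday else 1)


def safe_harbor(record, code, as_of, area_population):
    """Option 1: remove all 18 identifier categories.

    Dates keep only the year; an age over 89 becomes "90+" and the birth year
    is dropped too, since it would reveal the age; geography is reduced to the
    state plus a 3-digit zip prefix when the area has at least 20,000 people.
    `code` is a coded label (e.g. "Patient 6") not derived from the data.
    """
    out = {"patient_code": code}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field in DATE_FIELDS:
            if field == "birthdate":
                age = age_on(value, as_of)
                if age > AGE_AGGREGATION_LIMIT:
                    out["age"] = "90+"
                    continue            # no birth year for the 90+ group
                out["age"] = age
            out[DATE_FIELDS[field]] = value.year
            continue
        if field in GEO_FIELDS:
            if field == "state":
                out["state"] = value
            elif field == "zip" and area_population >= SMALL_AREA_POPULATION:
                out["zip3"] = str(value)[:3]
            continue
        out[field] = value   # non-identifying clinical data is kept as-is
    return out


def limited_data_set(record):
    """Option 2: strip the 16 direct identifier categories but keep dates and
    town/city/state/zip. The result is still derived from PHI and may only be
    shared under a data use agreement, not freely like Safe Harbor output."""
    return {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS}


# Constructed sample records, modelled on the deck's before/after table.
AS_OF = date(2004, 1, 1)
SAMPLE = {
    "name": "Smithon Wesson",
    "birthdate": date(1949, 7, 4),
    "street_address": "1234 Main",
    "town": "Possum Trot",
    "state": "Colorado",
    "zip": "80338",
    "phone": "634-5789",
    "mrn": "MRN-000123",
    "admit_date": date(2003, 6, 15),
    "diagnosis": "type 2 diabetes",
    "sex": "M",
}
ELDERLY_SAMPLE = {
    "name": "A. Nonymous",
    "birthdate": date(1912, 3, 1),
    "state": "Colorado",
    "diagnosis": "hypertension",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE, "Patient 6", AS_OF, area_population=3_000))
    print(safe_harbor(ELDERLY_SAMPLE, "Patient 7", AS_OF, area_population=3_000))
    print(limited_data_set(SAMPLE))
```

Running it reproduces the deck's table: Smithon Wesson becomes "Patient 6" with birth year 1949, residence "Colorado", no phone and no zip (Possum Trot is under the 20,000 threshold), while the 1912 birth date collapses to "90+" with no year at all. The limited data set, by contrast, still carries the full birth date, town and zip, which is exactly why it needs a data use agreement.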
The Five Ways to do Research in HIPAA : The Five Ways to do Research in HIPAA 1. De-identify Your Data
2. Limited Data Set
3. Authorization
4. Waiver of Authorization
5. Researcher Certification Situations
Authorization for Research: Page 1 : Authorization for Research: Page 1
Authorization for Research: Page 2 : Authorization for Research: Page 2 The PI (or staff acting on behalf of the PI) will also make the following health information about me available to: (check all that apply and describe type and number of the procedures done where applicable)
Recipient (name person or class of persons)___________________________________
All Research Data Collected in this Study
Name and phone number
Demographic information (age, sex, ethnicity, address, etc.)
Diagnosis(es)
History and Physical
Laboratory or Tissue Studies _____________________________________________
Radiology Studies______________________________________________________
AIDS or HIV test (or results) ____________________________________________
Psychological tests _____________________________________________________
Survey________________________________________________________________
Research Visit records
Portions of previous Medical Records that are relevant to this study
Billing/Charges
Other (Specify) ______________________________________________________
For the Specific Purpose of
Evaluation of this research project
Evaluation of laboratory/tissue samples
Data management
Data analysis
Other* _______________________________________________________________
*Cannot say “for any and all research”, “for any purpose”, etc.
Authorization for Research: Page 3 : Authorization for Research: Page 3 I give my authorization knowing that: I do not have to sign this authorization. But if I do not sign it the researcher has the right to not let me be in the research study.
I can cancel this authorization any time. I have to cancel it in writing.
If I cancel it, the researchers and the people the information was given to will still be able to use it because I had given them my permission, but they won’t get any more information about me.
I can read the Notice of Privacy Practices at the facility where the research is being conducted to find out how to cancel my authorization.
The records given out to other people may be given out by them and might no longer be protected.
I will be given a copy of this form after I have signed it.
This authorization will expire on: _____ (Date)
OR: The end of the research study
OR: Will not expire
______________________Patient’s Signature Date _________________________
The Five Ways to do Research in HIPAA : The Five Ways to do Research in HIPAA 1. De-identify Your Data
2. Limited Data Set
3. Authorization
4. Waiver of Authorization
5. Researcher Certification Situations
Option 4: Waiver of Authorization : Option 4: Waiver of Authorization Seek a waiver of authorization from COMIRB
Qualify for this option if:
There is no “practicable” way to get an authorization;
There is no more than a minimal risk to the privacy of the individual; and,
The research could not be conducted without access to the PHI.
Option 4: Waiver of Authorization Waiver Request Form : Option 4: Waiver of Authorization Waiver Request Form Describe the protected health information (PHI) that will be collected:
IN ORDER FOR THIS WAIVER TO BE APPROVED, THERE MUST BE NO MORE THAN MINIMAL RISK TO PRIVACY OF THE SUBJECT, BASED ON THE ANSWERS TO THE FOLLOWING QUESTIONS:
1. How will subject identifiers be protected?
2. What is the plan to destroy the identifiers ASAP? [Please state if there is a health or research justification for retaining the identifiers or if retention is required by law.]
3. Will the data be made available to anyone other than the study personnel? If so, to whom? And if so, why?
Can this project be done without PHI?
Why is it not possible to get the authorization of the subjects whose PHI you want to use?
CONFIRMATION:
I confirm that the Protected Health Information (PHI) will not be re-used or disclosed except as required by law, for authorized oversight of the research or for other research that has been reviewed and approved by the IRB with specific approval regarding access to this PHI.
___________________________________ ______________________
PI Signature Date
The Five Ways to do Research in HIPAA : The Five Ways to do Research in HIPAA 1. De-identify Your Data
2. Limited Data Set
3. Authorization
4. Waiver of Authorization
5. Researcher Certification Situations:
   Decedent Research
   Reviews Preparatory to Research
Option 5: Decedent Research : Option 5: Decedent Research Researcher must certify:
Decedents’ PHI only;
Decedents are actually deceased!; and
PHI is necessary for research.
At the HSC, there will be a form to complete for this option.
Option 5: Reviews Preparatory to Research : Option 5: Reviews Preparatory to Research Researcher must certify:
No PHI will be recorded, nor will PHI be removed from the premises where the PHI was accessed;
Use or disclosure is solely to prepare a research protocol, assess a population, etc.; and,
PHI is necessary for research.
Acceptable methods for reviews preparatory to research are dictated by each institution. You must comply with the requirements of the institution that owns the research data.
At the HSC, there will be a form to complete for this option.
Can you use Review Prep Option to Recruit Patients? : Can you use Review Prep Option to Recruit Patients? No! Accessing medical records to identify potential participants is considered to be research activity (not pre-research), so it requires prior IRB approval.
The Review Prep Option does not permit you to contact the patients! It only lets you determine whether they are there. (Catch and Release!)
Patient Recruitment: Provider access to his/her own patient records : Patient Recruitment: Provider access to his/her own patient records Once a study is approved by COMIRB, a health care provider may review his/her current and former patient records to identify potential participants and may contact those individuals without the need for an authorization.
At enrollment, subjects should sign an authorization.
Patient Recruitment: Provider access to records of patients treated in the same clinical service but not seen by the physician : Patient Recruitment: Provider access to records of patients treated in the same clinical service but not seen by the physician Current Patients: after receiving COMIRB approval, the provider may review the records and contact the patients without authorization.
Former Patients: the provider cannot access records of patients who have not been seen by the service in five years, and cannot contact those patients without COMIRB approval and HIPAA authorization.
Patient Recruitment: Provider access to records of patients outside of his/her clinical service : Patient Recruitment: Provider access to records of patients outside of his/her clinical service May ask provider with relationship to patient to:
Get recruitment authorization for you to contact patient (Authorization to pass patient’s name and contact info to you.); or,
Ask patient to contact you.
Patient Recruitment: Advertisements : Patient Recruitment: Advertisements Patients may contact you in response to an advertisement.
Situation if patient doesn’t enroll: You may not send any PHI to study sponsors without an authorization from the individual who is the subject of the PHI.
THE END! : THE END! http://www.uchsc.edu/hipaa General
http://comirbweb.uchsc.edu Research
Esther.Henry@UCHSC.edu Privacy
Sherry.Fischer@UCHSC.edu Security
William.Freud@UCHSC.edu Security
Lisa.Jensen@UCHSC.edu Research
Kim.Buda@UCHSC.edu Research
Lawellin.David@tchden.org Research
Steve.Zweck-Bronner@UCHSC.edu Legal