Added: October 19, 2007

Presentation Transcript

Slide1: The Global Privacy Environment and Its Impact on Records-Based Human Subject Biomedical Research
Presentation To: The National Science Foundation Center for Discrete Mathematics & Theoretical Computer Science (DIMACS)
Rutgers University, DIMACS Center, Piscataway, NJ
December 10, 2003
Oliver M. Johnson, II, Chief Privacy Officer, Merck & Co., Inc.

Slide2: Overview
- The Global Privacy and Data Protection Environment
- Impact on Records-Based Biomedical Research
- Conclusions

Slide3: The Global Privacy and Data Protection Environment

Slide4: Definitions
- Privacy: the “right to be let alone.” Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193, 205 (1890)
- Data Protection: the administrative, technical and physical controls one uses to protect the confidentiality and ensure the proper use of personal information.

Slide5: Privacy as a Social Issue
The Business Perspective
- Globalization
- Personalization
- Data Consolidation
- Personal Information a Valuable Corporate Asset
The Public Perspective
- Growing Public Awareness
- Strong Public Sentiment
- Personal Information a Fundamental Personal Asset
We are increasingly dependent on the ability to establish understanding and trust with large numbers of people from various cultures and perspectives.

Slide6: Privacy as a Cultural Issue
Europe
- Personal privacy is a fundamental human right. Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms
- Long history and culture of protecting individuals from government and private intrusions into personal affairs.
- Most EU countries have had privacy laws for decades.
- Omnibus legislative approach.
U.S.
- Freedom from unreasonable government intrusion into personal affairs is a fundamental Constitutional right. 4th Amendment to the United States Constitution
- Relatively recent legislative focus on protecting individuals from private intrusions into personal affairs.
- Sectoral legislative approach.

Slide7: Privacy as an Ethical Issue
“Whatever, in connection with my professional practice, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.” Hippocrates (c. 400 B.C.)
- World Medical Association Declaration of Helsinki (1964)
- U.S. Common Rule (Established 1979 / Codified 1991)
- U.S. Food and Drug Administration Regulations (1980)
- OECD Privacy and Transborder Flow Guidelines (1980)
- CIOMS International Biomedical Research Guidelines (1983, 1992, 2002)
- CIOMS International Epidemiological Study Guidelines (1991)
- ICH Good Clinical Practice Guideline (1996)

Slide8: Privacy as a Legal Issue - Europe
EU Data Protection Directive of 1995
- Covers all personally identifiable information
- Covers all types of entities (e.g., Research, Business, Government)
- Also adopted by Iceland, Norway and Liechtenstein (EEA)
- Prohibits transfers to non-EEA countries lacking “adequate” data protection
- Adequacy Determinations: Canada, Hungary, Switzerland, Argentina, Guernsey, U.S. Safe Harbor, Model Contracts
National EU Data Protection Laws
- Prohibit transfers to non-EU countries lacking “adequate” data protection
- Member States must abide by EU Commission adequacy determinations
EU / U.S. Safe Harbor Agreement
- Enables individual U.S. companies to receive EEA personal information
- Applies only to transfers from EEA countries
- Applies only to transfers to certified U.S. companies

Slide9: Privacy as a Legal Issue - U.S.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Regulations
- Covered Entities: Health Care Plans, Health Care Clearinghouses, Health Care Providers
- Business Associates of Covered Entities
- Personally Identifiable Health Information
State Privacy Legislation
- Health and Medical Information
- Data Security
- Genetic Research
Electronic Communications Privacy Act of 1986 (ECPA)
FTC Code of Fair Information Practices (1999)
Children’s Online Privacy Protection Act of 1998 (COPPA)
New Federal Telemarketing, Spam and Fax Laws (2003)

Slide10: Legal Summary – Rest of World
Privacy laws pending or enacted in:
- Non-EEA Europe: Albania, Bosnia, Bulgaria, Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Poland, Romania, Russia, Slovakia, Slovenia, Switzerland
- Asia Pacific: Australia, Hong Kong, India (pending), Japan, New Zealand, Taiwan, Thailand
- Middle East / Africa: Israel, South Africa
- Latin America: Argentina, Brazil, Chile, Mexico (pending), Paraguay, Peru
- North America: Canada
Many of these laws are based on the European model.

Slide11: Privacy as a Business Issue
Laws apply common principles but create significantly different administrative requirements

Slide12: Privacy Principles
- Respect: Understand and respect the privacy perspectives of the individual.
- Necessity: Collect personal information only for identified business purposes. To the extent possible, use non-identifiable information, and limit the personal information that is used and disclosed to that which is necessary for the identified purposes.
- Notice: Provide notice to individuals regarding the information that will be collected, how it will be used, and who will have access to it.
- Choice: Allow individuals to determine whether personal information about them will be collected, used and disseminated.

Slide13: Data Protection Principles
- Data Integrity: Use personal information in accordance with the notice given and the choices exercised. Keep personal information accurate, complete and current in regard to the purpose for which it was collected.
- Access and Correction: Allow individuals reasonable access, on request, to personal information about them, and correct information that is incorrect or incomplete.
- Transfers to Agents: Obtain written assurances from agents that they will collect, use, and secure personal information pursuant to Merck’s instructions.
- Security: Secure personal information from loss, misuse, unauthorized access, disclosure and alteration.
- Enforcement: Provide communications, training, monitoring and enforcement with respect to Merck privacy policies and procedures.

Slide14: Impact on Records-Based Biomedical Research

European Style Laws
- Personal Information: information which identifies, or is used alone or in combination with other information to identify an individual.
- Sensitive Personal Information: Personal Information relating to race, ethnicity, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.

Research Requirements (EU Directive, Article 8)
Sensitive Personal Information may not be used unless:
- Each data subject gives “explicit” consent;
- The data are necessary to protect the “vital interests” of the data subject or another person and the data subject is physically or legally not able to give consent;
- The data are “manifestly made public” by the data subject; or
- The data are required for preventive medicine, medical diagnosis, provision of care or treatment, or management of healthcare services, provided the user is operating under rules of professional secrecy.

International Transfers (EU Directive, Articles 25, 26)
No transfers of Personal Information from the European Economic Area (EEA) to non-EEA countries unless:
- Each data subject consents to the transfer;
- The transfer is necessary or legally required on important public interest grounds;
- The transfer is necessary to protect the data subject’s “vital interests;”
- The transfer is made under a “model contract” between the EEA sender and the non-EEA receiver;
- The transfer is to a U.S. Safe Harbor company; or
- The transfer is to Argentina, Canada, Guernsey, Hungary, or Switzerland.

Exceptions
- European Union Member States may, for reasons of “substantial public interest,” create exceptions to the general rule. (EU Directive, Article 8, 4)
- Some European countries, such as Italy, have laws expressly allowing epidemiologic research without data subject consent.

Practical Application
- In most European countries medicine is socialized, and governments maintain comprehensive medical databases.
- Most governments extract data from these databases and make them available to researchers.
- Data provided typically include ages, dates, gender, race, geographic information, medical information.
- Governments generally consider these data non-identifiable.

Slide20: What is HIPAA?
- The Health Insurance Portability and Accountability Act of 1996; and
- Three sets of regulations issued by the Clinton Department of Health and Human Services in 2000:
  - Privacy Regulations - April 14, 2003 Compliance Deadline
  - Transaction Standards - October 16, 2002 Compliance Deadline
  - Security Regulations – 2005 Compliance Deadline

Slide21: Who is covered?
HIPAA “Covered Entities”
- Health Care Providers that transmit health data electronically in connection with 1 or more of 8 “HIPAA Transactions”: Physicians, Hospitals, Clinics, Group Practices, Pharmacies
- Health Care Plans: HMOs, Health Insurers, Medicare, PBMs, Group Health Plans, Medicaid
- Health Care Clearinghouses: Entities that transmit data into a HIPAA “standard” format from a non-standard format or vice versa
“Business Associates” of HIPAA Covered Entities
- Entities that use protected health information (PHI) for or on behalf of covered entities

What is covered?
Protected Health Information: individually identifiable health information in the possession of a HIPAA covered entity that relates to an identifiable individual’s past, present, or future health, healthcare, or to payment for an individual’s healthcare.

Slide23: Research Requirements
Uses or disclosures of PHI require:
- Signed HIPAA “authorizations” from each study participant in addition to consents complying with the Common Rule and FDA Regulations;
- IRB or “Privacy Board” waivers of some or all of the authorization requirements; or
- “De-identification” of patient data via one of two methods:
  - Removing each of 18 prescribed data elements; or
  - Statistical Analysis and opinion.

Slide24: Waivers and Alterations (HIPAA vs. CR)
HIPAA 45 CFR 164.512(i)(2)(ii)
A. Use or disclosure involves no more than minimal risk to the privacy of individuals, as indicated by F-H below;
B. Alteration or waiver will not adversely affect privacy rights and welfare of individuals;
C. Research could not practicably be conducted without the alteration or waiver;
D. Research could not practicably be conducted without access to and use of PHI;
E. Privacy risks to individuals are reasonable in relation to the anticipated benefits, if any, to the individuals, and the importance of the knowledge that may be reasonably expected to result from the research;
F. Adequate plan to protect identifiers from improper use and disclosure;
G. Adequate plan to destroy identifiers at the earliest opportunity, unless there is a health or research justification or legal requirement to retain them; and
H. Adequate written assurances that PHI will not be reused or disclosed for other purposes.
Common Rule 45 CFR 46.116(d)
A. Research involves no more than minimal risk to subjects;
B. Waiver or alteration will not adversely affect the rights and welfare of subjects;
C. Research could not practicably be carried out without the waiver or alteration; and
D. Whenever appropriate, subjects will be provided with additional pertinent information after participation

Slide25: De-identification (Two Methods)
HIPAA Safe Harbor 45 CFR 164.514(b)(2)(i)
- Names
- Geographic subdivisions smaller than a state
- Zip codes
- Dates (birth, admission, discharge, death)
- Age, if over 89
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identification and serial numbers
- License plate numbers
- Device identifiers and serial numbers
- URLs
- Internet Protocol address numbers
- Biometric identifiers (finger and voice prints)
- Full face photos and comparable images
- Any other unique identifiers
Statistical 45 CFR 164.514(b)(1)
- A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable;
- Determines that the risk of re-identification of the data, alone or in combination with other reasonably available data, is very small; and
- Documents the methods and results.

HIPAA Research Exceptions
- Limited Data Sets
- Research on Decedents
- Work Preparatory to Research

Slide27: Limited Data Sets
Allowed
- Admission Dates
- Discharge Dates
- Service Dates
- Death Dates
- Age (in hours, months or days)
- Age (for those over 90)
- Five Digit Zip Codes
- Demographic Data
Direct Identifiers Not Allowed
- Names
- Street Addresses
- Telephone and Fax Numbers
- e-Mail Addresses
- Social Security Numbers
- Certificate or License Numbers
- Vehicle ID and Serial Numbers
- URLs and IP Addresses
- Full Face Photos and Comparable Images

Slide28: Limited Data Sets
Data Use Agreement Required:
- Data will be used only for research;
- Researcher will not re-identify subjects; and
- Researcher will not contact subjects.
Minimum Necessary Rule applies
Must account for disclosures

Research Regarding Decedents
PHI regarding decedents may be used for research. Researcher must provide to the institution:
- Verification that PHI will be used and disclosed solely for research on decedents;
- Representation that the PHI is necessary for the research; and
- Documentation of death.
Minimum Necessary Rule applies
Must account for disclosures

Work Preparatory to Research
PHI may be used without an authorization or waiver for reviews preparatory to research. Covered entity must obtain from the researcher representations that:
- Use or disclosure of PHI is sought solely to prepare a research protocol “or for similar purposes preparatory to research.”
- No PHI will be removed from the covered entity by the researcher; and
- The PHI is necessary for the identified research purposes.

Slide31: Work Preparatory to Research
HHS has said in commentary on HIPAA that work preparatory to research includes activities such as:
- Protocol development
- Patient pre-screening
- Subject recruitment
Minimum Necessary Rule applies
Must account for disclosures

Summary and Conclusions
- The governments of many countries with privacy and data protection laws have made special accommodations for records-based biomedical research.
- HIPAA provides new rules, but reasonably practical mechanisms for records-based biomedical research.
- It is important to consider state laws in the U.S., particularly in California.
- Remember that all privacy legal, regulatory and ethical regimes are based on the same principles.

Slide33: Thank You!
Oliver Johnson
oliver_johnson@merck.com
908-423-7321