Slide Presentations
National Institutes of Health
Slide Presentation on the Privacy Rule and Research
Slide 01
This presentation provides basic information about certain provisions of the Privacy Rule in the context of health research. It is not official guidance, does not contain all relevant provisions, and attendees should consult the Privacy Rule at 45 CFR Parts 160 and 164 and guidance (http://www.hhs.gov/ocr/hipaa).
Slide 02
Slide 03
The Privacy Rule...
Beginning on April 14, 2003, the Privacy Rule protects the privacy of certain individually identifiable health information by establishing conditions for its use and disclosure by health plans*, health care clearinghouses, and certain health care providers.
*Small health plans not required to comply until April 14, 2004.
Slide 04
How Might the Privacy Rule Affect Research?
Depends on:
What you do/where you work
Type of information you use, collect, receive or release
Slide 05
Three Rules -- Privacy Rule, Common Rule, FDA Regulations
- Privacy Rule does not replace or modify the Common Rule or FDA regulations.
- Privacy Rule is in addition to privacy protections of these regulations.
- Applies to covered entities regardless of funding.
- Contains standards for de-identifying health information.
- Requires Authorization for certain uses and disclosures of certain health information.
- Applies to decedents' information.
Slide 06
Who is Covered?
- A health care provider who transmits health information electronically in connection with a transaction for which the Secretary has adopted standards.
Example: a physician who electronically bills for services
- A health plan.
- A health care clearinghouse.
Slide 07
What is Covered?
Protected Health Information (PHI) = Covered Entity + Health information + Identifier
- Transmitted or maintained in any form (paper, oral,
electronic, forms, web-based, etc.).
- Decedents' information included.
- Does not include de-identified health information or
biological tissue and certain other exceptions (e.g.,
employment records or education records covered
by FERPA).
Slide 08
Removal of These Identifiers* Makes Information De-identified
- Names
- Geographic info (including city and ZIP)
- Elements of dates (except year), ages over 89 years
- Telephone #s
- Fax #s
- E-mail address
- Social Security #
- Medical record, prescription #s
- Health plan beneficiary #s
- Account #s
- Certificate/license #s
- VIN and Serial #s, license plate #s
- Device identifiers, serial #s
- Web URLs
- IP address #s
- Biometric identifiers (fingerprints)
- Full face, comparable photo images
- Unique identifying #s
*See 45 CFR 164.514(b)(2)(i) for a complete list.
Health information is de-identified if the above identifiers of the individual or of relatives, employers, or household members of the individuals are removed and the covered entity has no actual knowledge that remaining information can be used, alone or in combination with other information, to identify the individual.
Slide 09
MEDICAL CHART
Checklist: Covered Entity?
Record No. 0012345
Name: Jane Doe
Address: 1234 NIH Way Bethesda, MD 20892
Date of Birth: 12/05/60
Gender: Female
Physician: Dr. Smith
Diagnosis: Bronchitis
Treatment: Zithromax
*PHI includes demographic information about an individual. See the definitions of health information and individually identifiable health information at 45 CFR 160.103.
Slide 10
Research Study Database

| Study ID | Last Name | Zip Code | Age | DBP | SBP | Heart Rate |
|---|---|---|---|---|---|---|
| 001 | Doe | 20892 | 41 | 80 | 120 | 60 |
| 002 | Smith | 20601 | 35 | 90 | 140 | 78 |
| 003 | Jacob | 32548 | 38 | 81 | 130 | 70 |
| 004 | Cho | 56482 | 45 | 85 | 120 | 67 |

Checklist: Covered Entity?
*PHI includes demographic information about an individual. See the definitions of health information and individually identifiable health information at 45 CFR 160.103.
Slide 11
Key Point about Research
- For research, the Privacy Rule permits covered entities to use and disclose PHI for research conducted:
- with individual authorization, or
- without individual authorization under limited circumstances.
Slide 12
Authorizations for Research
- Must be for a specific research study - Authorization for future, unspecified research is NOT permitted but Authorization may be obtained to permit the use or disclosure of PHI to create or maintain a repository or database.
- Different from, but may be combined with, informed consent.
- Review/approval by IRB/Privacy Board NOT needed under Privacy Rule. (But other regulations would require IRB review when combined with informed consent documents.)
- Must contain "core elements" & "required statements," and a signed copy must be given to the individual.
- Research Authorizations need not expire, but this must be stated.
Slide 13
Elements of an Authorization to Use or Disclose PHI
Core Elements (signified by * )
* Description of PHI to be used or disclosed.
* Person(s) authorized to make the requested use or disclosure.
* Person(s) to whom the covered entity may disclose PHI.
* Each purpose for the use or disclosure.
* Expiration date or event* (e.g. "end of the research study" or "none").
* Participant Signature and Date.
Statements (signified by - )
- Right to revoke Authorization plus exceptions and process.
- Ability/Inability to condition treatment, payment, or enrollment/eligibility for benefits on Authorization.
- PHI may no longer be protected by Privacy Rule once it is disclosed by the covered entity.
The authorization must be written in plain language, and the covered entity must provide the individual with a copy of the signed Authorization.
Slide 14
Common Rule vs. Privacy Rule
Research WITH patient permission
Common Rule/ FDA Regulated ==> IRB review and Informed consent
Privacy Rule ==> Individual authorization
Slide 15
Not All Research Activities Need Authorization!
- For research, the Privacy Rule permits covered entities to use and disclose PHI for research conducted:
- with individual authorization, or
- without individual authorization under limited circumstances.
Slide 16
Use or Disclosure of PHI Without Authorization
Covered entities do not always need to get Authorization for research-related activities.
- De-identify PHI.
- Limited Data Set with Data Use Agreement.
- IRB or Privacy Board waiver of Authorization requirement.
- Activity preparatory to research.
- Research is on decedents' information.
- Research qualifies for the Transition Provisions.
Slide 17
Option 1: De-identified Health Information
- Completely de-identified information (18 elements
removed) and no knowledge that remaining information
can (alone or in combination with other information)
identify the individual.
OR
- Statistically "de-identified" information where a qualified
statistician determines that there is a "very small" risk
that the information could be used, alone or in
combination with other reasonably available
information, to identify the individual and documents
the methods and results of the analysis.
Slide 18
Does "Unique Identifier" Include a Re-identification Code?
- A covered entity may assign a code to allow information de-identified under the Privacy Rule to be re-identified by the covered entity, as long as:
  - The code is not derived from or related to information about the individual.
  - The code is not otherwise capable of being translated to identify the individual. And
  - The covered entity does not use or disclose the code for any other purpose, and does not disclose the mechanism for re-identification.
- Disclosure of a code or other means of record identification designed to enable coded (or otherwise de-identified information) to be re-identified is a disclosure of PHI. And
- If de-identified information is re-identified, a covered entity must use or disclose such re-identified information in accordance with the Privacy Rule.
Slide 19
Option 2: Limited Data Set with Data Use Agreement
- The Privacy Rule permits limited types of
identifiers to be released for research with
health information (referred to as a Limited
Data Set).
- Limited Data Sets can only be used and
released in accordance with a Data Use
Agreement between the covered entity and the
recipient.
Slide 20
Limited Data Set with Data Use Agreement
A data set that excludes the following direct identifiers can be considered a Limited Data Set:
- Names
- Postal address info (if other than city, town, state, and ZIP)
- Telephone and fax #s
- E-mail address
- Social Security #
- Medical record numbers
- Health plan #s
- Account #s
- Certificate/license #s
- VIN and Serial #s, license plate #s
- Device identifiers, serial #s
- Web URLs
- IP address #s
- Biometric identifiers (fingerprints)
- Full face photographic images and any comparable images
Slide 21
Limited Data Set with Data Use Agreement
- The Limited Data Set CAN contain
- Elements of Dates.
- City, town, state, and ZIP.
- Other unique identifiers, characteristics and codes not previously listed as direct identifiers (previous slide).
Slide 22
MEDICAL CHART Individually Identifiable
Checklist: Covered Entity?
Record No. 0012345
Name: Jane Doe
Address: 1234 NIH Way Bethesda, MD 20892
Date of Birth: 12/05/60
Gender: Female
Physician: Dr. Smith
Diagnosis: Bronchitis
Treatment: Zithromax
Slide 23
MEDICAL CHART Individually Identifiable Limited Data Set
Checklist: Covered Entity?
Record No.
Name:
Address: 1234 NIH Way Bethesda, MD 20892
Date of Birth: 12/05/60
Gender: Female
Physician: Dr. Smith
Diagnosis: Bronchitis
Treatment: Zithromax
Slide 24
MEDICAL CHART De-identified
Checklist: Covered Entity?
Record No.
Name:
Address:
Date of Birth:
Gender: Female
Physician: Dr. Smith
Diagnosis: Bronchitis
Treatment: Zithromax
If the covered entity has actual knowledge that remaining information can be used to identify the individual, the information is considered individually identifiable, and therefore, generally is PHI.
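The chart transformations on Slides 22 to 24, combined with the re-identification code conditions on Slide 18, as an added Python example (not part of the NIH presentation). The field names, the split of the address into separate fields, and the helper names are assumptions; only the fields of the sample chart are handled, not all 18 identifier types.

```python
import secrets

# Constructed input: the Slide 22 sample chart, address split into fields.
CHART = {
    "record_no": "0012345", "name": "Jane Doe",
    "street": "1234 NIH Way", "city": "Bethesda", "state": "MD",
    "zip": "20892", "date_of_birth": "12/05/60", "gender": "Female",
    "physician": "Dr. Smith", "diagnosis": "Bronchitis",
    "treatment": "Zithromax",
}

# Direct identifiers a Limited Data Set must exclude (Slide 20).
LDS_EXCLUDED = {"record_no", "name", "street"}
# De-identification (Slide 8) also removes geography and date elements;
# like Slide 24, this sketch blanks the whole address and birth date.
DEID_EXCLUDED = LDS_EXCLUDED | {"city", "state", "zip", "date_of_birth"}


def limited_data_set(record):
    """Keep dates and city/state/ZIP (Slide 21); drop direct identifiers."""
    return {k: v for k, v in record.items() if k not in LDS_EXCLUDED}


def deidentify(record, key_table):
    """Drop identifier fields and attach a random re-identification code.

    key_table (hypothetical name) maps code -> record number. It stays
    with the covered entity and is never released with the output.
    """
    out = {k: v for k, v in record.items() if k not in DEID_EXCLUDED}
    # Slide 18: the code must not be derived from information about the
    # individual, so it is random rather than a hash of name or record no.
    code = secrets.token_hex(8)
    key_table[code] = record["record_no"]
    out["study_code"] = code
    return out


def leaked_fields(original, released, fields):
    """Pre-release check: excluded fields or values still in the output."""
    values = set(released.values())
    return sorted(f for f in fields if f in released or original[f] in values)


if __name__ == "__main__":
    key_table = {}
    lds = limited_data_set(CHART)
    deid = deidentify(CHART, key_table)
    print("limited data set:", lds)
    print("de-identified:   ", deid)
    print("LDS still holds: ", leaked_fields(CHART, lds, DEID_EXCLUDED))
    print("de-id leaks:     ", leaked_fields(CHART, deid, DEID_EXCLUDED))
```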
Slide 25
The Data Use Agreement MUST
- Describe permitted uses and disclosures (recipient cannot use or disclose PHI in a way that the covered entity cannot).
- Identify who can use and receive the Limited Data Set.
- Require the recipient to:
  - Use or disclose information for specified purposes only.
  - Apply safeguards to protect the information.
  - Report known, non-permitted uses or disclosures to the covered entity.
  - Ensure that agents/subcontractors agree to the same standards as in the agreement.
  - Not re-identify the information or contact the individuals.
Slide 26
Option 3: Waiver of Authorization
- A covered entity is permitted to use or disclose PHI for research when it obtains required documentation of the IRB or Privacy Board approval of a waiver of Authorization.
- Note: A covered entity is also permitted to use or disclose PHI for research when it obtains an altered Authorization under the Privacy Rule and required documentation of the IRB or Privacy Board approval of an alteration of Authorization.
Slide 27
IRB/Privacy Board Criteria for Waiving or Altering Authorization
Slide 28
Required Documentation of a Waiver or Alteration of Authorization Includes:
- Identity of the approving IRB or Privacy Board.
- Date on which the waiver or alteration was approved.
- A statement that the IRB or Privacy Board has determined that all of the specified criteria for a waiver or an alteration were met.
- A brief description of the PHI for which use or access has been determined by the IRB or Privacy Board to be necessary in connection with the specific research activity.
- A statement that the waiver or alteration was reviewed and approved under either normal or expedited review procedures.
- The required signature of the IRB or Privacy Board chair or the
chair's designee.
Slide 29
Option 4: Preparatory to Research
Covered entity must obtain representation from the researcher that:
- The use or disclosure of PHI is sought solely to
prepare a protocol or for a similar preparatory
purpose.
- PHI will not be removed from the covered entity.
AND
- PHI is necessary for research purposes.
Slide 30
Research Recruitment
Covered Entity
- Identify Subjects: Yes
  - Preparatory to Research provision.
  - Need representation from workforce member.
- Contact Subjects: Yes
  - Health care operation to get Authorization.
  - Waiver of Authorization.
Researcher (non-covered)
- Identify Subjects: Yes
  - Preparatory to Research provision.
  - Need representation from researcher.
- Contact Subjects: Yes
  - Waiver of Authorization.
  - As a business associate of covered entity for the health care operation.
Slide 31
Option 5: Research on Decedents' PHI*
Researcher must represent that:
- Use or disclosure solely for research on decedents' information.
- PHI is necessary for research, and
- Individual is a decedent, and provide documentation upon covered entity's request.
*Research on decedents' PHI could include information generated from dissecting a corpse.
Slide 32
Option 6: "Grandfathered" Research Permissions
- Grandfathered-in under the Transition Provisions if, BEFORE April 14, 2003, covered entity obtains:
- Participant's informed consent,
- Waiver by an IRB of informed consent (unless informed consent sought after compliance date), or
- Authorization or other express legal permission to use or disclose PHI for research.
- Grandfathering ends when any change made after compliance date makes prior permission invalid.
Slide 33
EXAMPLE: Transition Provisions
- A study needs 1000 participants enrolled.
- 600 enrolled by signing informed consent before April 14, 2003.
- 400 will enroll after April 14, 2003.
- How many participants need to give Authorization? 400
- How many informed consents were transitioned (presuming the informed consent was not nullified by revisions)? 600
Slide 34
If the Transition Provisions do not Apply and the information is PHI...
A covered entity will need one of the following:
- Authorization,
- IRB/Privacy Board waiver or alteration of Authorization,
- Appropriate representations and/or documentation when the use or disclosure is on decedents' information or for reviews preparatory to research,
or
- Data Use Agreement for limited data set disclosures.
Slide 35
Public Health Disclosures to a Public Health Authority
- Disclosure without Authorization permitted to a public health authority and certain other entities for public health activities.
EXAMPLE: Adverse event reporting to a person subject to the jurisdiction of FDA (e.g., clinical trials drug sponsor), FDA or NIH (where authorized to receive such reports).
- A covered entity may disclose PHI related to an adverse event to NIH if required to do so by NIH regulations. Even if not required to do so, the researcher may disclose adverse events to NIH as a public health authority, as noted above.
- Also see guidance on public health at http://www.cdc.gov/privacyrule/
Slide 36
Privacy Rights Affecting Research
The Privacy Rule generally entitles individuals to, among other things:
- Access and request amendments to their PHI in health records.
- Receive an accounting of certain disclosures.
- Revoke an Authorization.
Slide 37
Access to Research Records
- Individuals have the right to inspect and obtain a copy of their PHI maintained by covered entities in a "designated record set."
- For research records, patients may have right to access records if:
- The records involve medical records (e.g., some clinical trials) or they are used to "make decisions about individuals." AND
- The researcher is a covered entity or a business associate of a covered entity.
- EXCEPT: While a trial is ongoing, covered researchers may
deny access if the individual agrees in advance (e.g., in an
Authorization) and has been informed that access resumes
upon completion of research.
Slide 38
Accounting for Disclosures
- "Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information."
- A covered entity is generally required to account for PHI research disclosures made after the compliance date without Authorization.
- Including for research disclosures of PHI for:
- Reviews preparatory to research.
- Research using decedents' PHI.
- Research under a waiver of Authorization (including waivers that meet the transition provision requirements).
- Disclosures for public health activities.
- Most disclosures mandated by law.
Slide 39
Types of Accounting
- Generally
Description of PHI, date, recipient, recipient address if known, purpose.
- Multiple disclosures to same person for same purpose
Description of PHI, date of first disclosure; recipient; recipient address if known; purpose; frequency, periodicity or no. of disclosures, date of last disclosure.
- For disclosures of PHI of 50 or more individuals for a particular research purpose
Name of protocol, description of protocol or research activity and PHI disclosed, date or period of time during which disclosure occurred or may have occurred and last date of disclosure, name, address, and phone no. of sponsor and recipient (and a requirement to assist in contacting the sponsor/researcher), statement that the PHI may or may not have been disclosed for a particular protocol or research activity.
Slide 40
Accounting - When NOT needed
Accounting is NOT needed for disclosures of PHI:
- Pursuant to an Authorization.
- In Limited Data Sets with a Data Use Agreement.
- To the individual.
- Made before April 14, 2003.
- Which have been de-identified.
- To carry out treatment, payment, or health care operations purposes.
- For certain other purposes.
Slide 41
Slide 42
Revoking an Authorization
- Individuals have the right to revoke their Authorization.
- EXCEPT, covered entities may continue to use or disclose PHI that was obtained before a revocation if necessary to maintain the integrity of the research study. (Reliance exception)
- For example, researcher can continue using PHI to account for a subject's withdrawal from study.
Slide 43