Sharing PHI for Research - University of Hawaii · 2017-10-27 · Sharing PHI for Research J. T....
Sharing PHI for Research
J. T. Ash
University of Hawaii System HIPAA Compliance Officer
jtash@hawaii.edu
hipaa@hawaii.edu
Agenda
- HIPAA is a “TEAM SPORT” and everyone has a role in protecting protected health information (PHI).
- Privacy Rule, Security Rule, & Breach Notification Rule
- Methods to Share PHI (Privacy Rule)
- With Individual Authorization
- Without Authorization
- Accounting for Research Disclosure
- De-Identified Data
- Security Rule & Breach Notification
HIPAA Privacy Rule
- https://www.youtube.com/watch?v=y751i4QqP0g
- The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
- https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
- 45 CFR Part 160 and Subparts A and E of Part 164.
HIPAA Security Rule
- The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
- https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
- 45 CFR Part 160 and Subparts A and C of Part 164.
- Safeguards:
  - Administrative
  - Physical
  - Technical
Breach Notification Rule
- Notification to Individuals: Individuals whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of such breach must be notified without unreasonable delay and in no case later than 60 calendar days following the discovery of such breach.
- Notification to Others: A UH Covered Component shall also notify prominent local media outlets if the breach involves more than 500 residents of the State no later than 60 days after discovery of the breach.
- Notification to DHHS Secretary: A UH Covered Component shall notify the DHHS Secretary on an annual basis, in a manner specified on the DHHS Website, and via a report due to the DHHS Secretary no later than 60 calendar days after the end of the calendar year in which breaches are discovered if less than 500 individuals are involved. If more than 500 individuals are involved, the UH Covered Component shall notify the DHHS Secretary in the manner provided by the DHHS Website, which presently requires notice without unreasonable delay and in no case later than 60 days following a breach.
- Notification by a Business Associate. A Business Associate shall notify a UH Covered Component of a breach within 5 business days that the Business Associate discovered a breach occurred…
Methods to Share PHI (***Satisfies Privacy Rule Obligations)
- With Authorization
- Without Authorization
- De-Identified Data
With Individual Authorization
- The Privacy Rule has a general set of authorization requirements that apply to all uses and disclosures, including those for research purposes. However, several special provisions apply to research authorizations:
  - Unlike other authorizations, an authorization for a research purpose may state that the authorization does not expire, that there is no expiration date or event, or that the authorization continues until the “end of the research study;” and
  - An authorization for the use or disclosure of protected health information for research may be combined with a consent to participate in the research, or with any other legal permission related to the research study.
Without Authorization
- A Covered Entity must obtain one of the following:
  - Documented Institutional Review Board (IRB) Board Approval
  - Preparatory to Research
  - Research on Protected Health Information of Decedents
  - Limited Data Sets with a Data Use Agreement
Documented Institutional Review Board (IRB) Board Approval
- A covered entity may use or disclose protected health information for research purposes pursuant to a waiver of authorization by an IRB or Privacy Board, provided it has obtained documentation of ALL of the following:
  - Identification of the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;
  - A statement that the IRB or Privacy Board has determined that the alteration or waiver of authorization, in whole or in part, satisfies the three criteria in the Rule;
  - A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Board;
  - A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures; and
  - The signature of the chair or other member, as designated by the chair, of the IRB or the Privacy Board, as applicable.
Institutional Review Board (IRB) Waiver of Authorization
- The following three criteria must be satisfied for an IRB or Privacy Board to approve a waiver of authorization under the Privacy Rule:
  - The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
    - An adequate plan to protect the identifiers from improper use and disclosure;
    - An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
    - Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
  - The research could not practicably be conducted without the waiver or alteration; and
  - The research could not practicably be conducted without access to and use of the protected health information.
Preparatory to Research
- Representations from the researcher, either in writing or orally, that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any protected health information from the covered entity, and representation that protected health information for which access is sought is necessary for the research purpose.
Research on Protected Health Information of Decedents
- Representations from the researcher, either in writing or orally, that the use or disclosure being sought is solely for research on the protected health information of decedents, that the protected health information being sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought.
Limited Data Sets with a Data Use Agreement
- A data use agreement entered into by both the covered entity and the researcher, pursuant to which the covered entity may disclose a limited data set to the researcher for research, public health, or health care operations.
- The data use agreement must:
  - Establish the permitted uses and disclosures of the limited data set by the recipient, consistent with the purposes of the research, and which may not include any use or disclosure that would violate the Rule if done by the covered entity;
  - Limit who can use or receive the data; and
  - Require the recipient to agree to the following:
    - Not to use or disclose the information other than as permitted by the data use agreement or as otherwise required by law;
    - Use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the data use agreement;
    - Report to the covered entity any use or disclosure of the information not provided for by the data use agreement of which the recipient becomes aware;
    - Ensure that any agents, including a subcontractor, to whom the recipient provides the limited data set agree to the same restrictions and conditions that apply to the recipient with respect to the limited data set; and
    - Not to identify the information or contact the individual.
Accounting for Research Disclosure
- The Privacy Rule gives individuals the right to receive an accounting of certain disclosures of protected health information made by a covered entity.
- This accounting must include disclosures of protected health information that occurred during the six years prior to the individual’s request for an accounting, or since the applicable compliance date (whichever is sooner), and must include specified information regarding each disclosure.
- A more general accounting is permitted for subsequent multiple disclosures to the same person or entity for a single purpose.
- Among the types of disclosures that are exempt from this accounting requirement are:
  - Research disclosures made pursuant to an individual’s authorization;
  - Disclosures of the limited data set to researchers with a data use agreement
What is De-identified Data?
- De-identified data is not considered PHI
- No obligations to the Privacy/Security/Breach Notification Rules
- May use and disclose de-identified data without restriction
Expert Determination & Safe Harbor
What is De-identified Data?
- Removal of all 18 unique identifiers
  - Name
  - All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  - All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  - Telephone numbers
  - Fax numbers
  - Email addresses
  - Social Security numbers
  - Medical record numbers
What is De-identified Data?
- Removal of all 18 unique identifiers (Expert Determination & Safe Harbor)
  - Health plan beneficiary numbers
  - Account numbers
  - Certificate/license numbers
  - Vehicle identifiers/serial numbers
  - Device identifiers/serial numbers
  - Web URLs
  - IP address numbers
  - Biometric identifiers
  - Full-face photographic images and any comparable images
  - Any other unique identifying number, characteristic, or code; and
  - The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
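The zip code, date and age rules in the identifier list above can be applied mechanically to structured records. The Python sketch below is an added example, not part of the original slides; the field names, the allow-list and the low-population prefix set are assumptions made for illustration, and date fields are assumed to hold `datetime.date` values.

```python
from datetime import date

# Placeholder set of 3-digit ZIP prefixes covering 20,000 or fewer people.
# Constructed for this example; build the real set from current Census data.
LOW_POPULATION_ZIP3 = {"036", "059"}

DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Hypothetical non-identifying fields allowed through unchanged. Everything
# else (name, MRN, phone, free text, ...) is dropped: fail closed.
KEEP_FIELDS = {"diagnosis", "sex"}


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or 000 for low-population prefixes."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5 or digits[:3] in LOW_POPULATION_ZIP3:
        return "000"
    return digits[:3]


def age_on(birth, as_of):
    """Age in whole years on the as_of date."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def deidentify(record, as_of):
    """Return a copy of record with the zip, date and age rules applied."""
    birth = record.get("birth_date")
    age = age_on(birth, as_of) if birth else record.get("age")
    over_89 = age is not None and age > 89
    out = {}
    for field, value in record.items():
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            # Year only; a birth year that reveals an age over 89 is withheld.
            if not (field == "birth_date" and over_89):
                out[field.replace("_date", "_year")] = value.year
        elif field in KEEP_FIELDS:
            out[field] = value
    if age is not None:
        out["age"] = "90+" if over_89 else age
    return out
```

Dropping every field that is not explicitly allowed mirrors the "any other unique identifying number, characteristic, or code" item; free-text fields and the actual-knowledge condition still need human review.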
Security Rule & Breach Notification
- Still need to work with your IT support to ensure they have an environment that can satisfy the obligations of the Security Rule
- Still need to work with your InfoSec support to ensure they have the policies/procedures in place to satisfy the obligations of the Breach Notification Rule
[email protected] • (808) 956-7241