
July 13, 2012

Listed below are links to weblogs that reference Friday Scatter:

Comments

Glad to see you oot and aboot. You better keep blogging. Actually, I know you will because you will meet a lot of people and have a lot of stories to tell. I now have a lot of them...I'm just trying to learn how to make them HIPAA safe to share with the public. Modern life can be a drag!

Health Services Research and the HIPAA Privacy Rule

Overview

Health services researchers conduct studies designed to improve the quality of health care, reduce its cost, improve patient safety, decrease medical errors, and broaden access to essential services. The evidence-based information produced by these researchers helps health care decision-makers make more informed decisions and improve the quality of health care services. Studies in health services research are often accomplished by analyzing large databases of health care information collected or maintained by health care providers, institutions, payers, and government agencies. With the implementation of the Federal Privacy Rule, health services researchers and database custodians have sought information about the Rule and how it may affect the use and disclosure of data for health services research.

As of April 14, 2003, the Privacy Rule requires many health care providers and health insurers to obtain additional documentation from researchers before disclosing personal health information for research and to scrutinize researchers' requests for access to health information more closely. Although the Privacy Rule introduces new rules for the use and disclosure of health information by covered entities, researchers can help to enable their continued access to health data by understanding the Privacy Rule and assisting health care entities covered by the Privacy Rule in meeting its requirements.

This factsheet discusses the Privacy Rule and how it permits certain health care providers, health plans, and other entities covered by the Privacy Rule to use and disclose personal health information for health services research. Additional information about the Privacy Rule can be found in related publications, including:

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
Clinical Research and the HIPAA Privacy Rule
Research Repositories, Databases, and the HIPAA Privacy Rule
Institutional Review Boards and the HIPAA Privacy Rule
Privacy Boards and the HIPAA Privacy Rule

Introduction to the Privacy Rule

In response to a congressional mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the U.S. Department of Health and Human Services (HHS) issued the regulations Standards for Privacy of Individually Identifiable Health Information. For most covered entities, compliance with these regulations, known as the Privacy Rule, was required as of April 14, 2003.

The Privacy Rule is a response to public concern over potential abuses of the privacy of health information. The Privacy Rule establishes a category of health information, referred to as “protected health information” (PHI), which may be used or disclosed to others only in certain circumstances or under certain conditions. PHI is a subset of what is termed “individually identifiable health information.” With certain exceptions, the Privacy Rule applies to individually identifiable health information created or maintained by a covered entity. Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain defined HIPAA transactions, such as claims or eligibility inquiries.

Researchers are not themselves covered entities, unless they are also health care providers and engage in any of the covered electronic transactions. If, however, researchers are employees or other workforce members of a covered entity (e.g., a covered hospital or health plan), they may have to comply with that entity's Privacy Rule policies and procedures. Researchers who are not themselves covered entities, or who are not workforce members of covered entities, may be indirectly affected by the Privacy Rule if covered entities supply their data.

In addition to the Privacy Rule, other regulations may apply as well. For instance, individual records held by covered entities that are also alcohol and substance abuse treatment providers are protected by the Federal Confidentiality of Alcohol and Substance Abuse Patient Records Regulation (see 42 CFR part 2). Also, the HHS and the U.S. Food and Drug Administration (FDA) Protection of Human Subjects Regulations (45 CFR part 46 and 21 CFR parts 50 and 56, respectively) may apply to health services research. In addition, if health-related research involves electronic PHI, covered entities must also consider the requirements of the HIPAA Security Rule (45 CFR part 160 and Part 164, subparts A and C). Compliance with the Security Rule is required no later than April 20, 2005, for all HIPAA-covered entities, except for small health plans, which have an extra year to comply.

Use and Disclosure of PHI for Research
The Privacy Rule permits covered entities to use or disclose PHI for research purposes either with an individual's specific written permission, termed an “Authorization,” or without it, if certain conditions are met. A covered entity is permitted to use or disclose PHI for research purposes if it:

Obtains the individual's Authorization for the research use or disclosure of PHI as specified under section 164.508 of the Privacy Rule,

Obtains satisfactory documentation of an Institutional Review Board (IRB) or Privacy Board's waiver of the Authorization requirement that satisfies section 164.512(i) of the Privacy Rule,

Obtains satisfactory documentation of an IRB or Privacy Board's alteration of the Authorization requirement as well as the altered Authorization from the individual,

Uses or discloses PHI for reviews preparatory to research with representations from the researcher that satisfy section 164.512(i)(1)(ii) of the Privacy Rule,

Uses or discloses PHI for research solely on decedents' PHI with representations from the researcher that satisfy section 164.512(i)(1)(iii) of the Privacy Rule,

Provides a limited data set and enters into a data use agreement with the recipient as specified under section 164.514(e) of the Privacy Rule,

Uses or discloses information that is de-identified in accordance with the standards set by the Privacy Rule at section 164.514(a)-(c) (in which case, the health information is no longer PHI), or

Uses or discloses PHI based on a permission that predates the applicable compliance date of the Privacy Rule (generally, April 14, 2003), i.e., an express legal permission to use or disclose the information for the research, an informed consent of the individual to participate in the research, or a waiver by an IRB of informed consent to participate in the research. See the Privacy Rule at section 164.532(c).

Overview of the Impact of the Privacy Rule on Health Services Research
Health services research differs from other types of research in several ways. For example, in contrast to a clinical trial where the researcher may have the opportunity to ask each subject for his or her Authorization to use or disclose his or her PHI, health services researchers often work with large, population-level databases containing thousands or even millions of records. As a result, health services researchers frequently do not interact with the individual subjects of their research. In such circumstances, contacting data subjects to ask for their Authorization prior to a health services research study may not be practicable or even possible.

Another difference is that databases used in health services research may be compiled by entities such as hospitals, insurers, private organizations, and government agencies. Such database custodians have likely adopted their own policies to protect personal privacy while permitting the use of data for legitimate research. The Privacy Rule imposes national requirements that covered entities must meet before granting researchers access to the PHI in their databases.

Health services researchers should understand that the Privacy Rule distinguishes between a research study and a study that a covered entity may undertake as part of its health care operations to understand and improve its own service (i.e., a quality improvement study or assessment related to covered functions). The Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” This definition is adapted from the definition of “research” found in the HHS Protection of Human Subjects Regulations at 45 CFR part 46. The Privacy Rule distinguishes between research and studies for quality assessment and improvement purposes based on whether the primary purpose of the study in question is to obtain generalizable knowledge. If the primary purpose of such a study is to obtain generalizable knowledge, then the activity cannot be considered to be a health care operations activity. Rather, it meets the definition of “research,” and any use or disclosure of PHI for such study must be made in accordance with the Privacy Rule's provisions on the use and disclosure of PHI for research. If, however, a covered entity is conducting a quality improvement or assessment study—the primary purpose of which is not to develop or contribute to generalizable knowledge—then the study is considered to be a health care operation, and the covered entity may use or disclose PHI for the study as part of its health care operations under the Privacy Rule.

Unlike the Privacy Rule, a quality improvement or assessment study involving human subjects may be considered research under the HHS Protection of Human Subjects Regulations if the study was designed to contribute to generalizable knowledge regardless of whether that is its primary purpose. Thus, a covered entity conducting a health care operations study under the Privacy Rule (i.e., where creating generalizable knowledge is not the primary purpose of the study) still may be conducting “research” under the HHS Protection of Human Subjects Regulations. Thus, the covered entity may have to comply with the HHS Protection of Human Subjects Regulations, even though any uses or disclosures in question could be made without complying with the Privacy Rule's requirements that apply to uses and disclosures for research. The HHS Protection of Human Subjects Regulations apply to all research involving human subjects that is conducted or supported by any component of HHS, or under an applicable assurance, unless the research involves one or more of the categories of exempt research described under the HHS regulations at 45 CFR 46.101(b). The HHS Protection of Human Subjects Regulations require, among other things, an IRB to review research involving human subjects. The HHS Protection of Human Subjects Regulations at 45 CFR 46.102(f) define a “human subject,” in part, as a living individual about whom an investigator conducting research obtains “identifiable private information... Private information must be individually identifiable (i.e., the identity of the subject is or may be readily ascertained [emphasis added] by the investigator or associated with the information).”

Health services researchers may have had less contact with the process of IRB review than biomedical researchers. Because of the type of data used, health services research often is not considered research involving human subjects and may be exempt from the HHS Protection of Human Subjects Regulations. For example, the HHS Protection of Human Subjects Regulations would not apply if the research involved the collection or study of only existing records, and the research information was recorded by the investigator(s) in such a manner that (an) individual subject(s) could not be identified either directly or through identifiers linked to the subject(s). However, such data may be PHI under the Privacy Rule. Under the Privacy Rule, health information is individually identifiable if it identifies the individual or if there is a reasonable basis to believe the information could be used to identify the individual. Such information may include certain data elements, such as dates of service and ZIP Codes, that may not be considered to be identifiable private information under the HHS Protection of Human Subjects Regulations.

It is important to recognize that the Privacy Rule permits covered entities, such as certain hospitals, clinics, and other health care providers, to continue gathering information on their patients for treatment, payment, and health care operations purposes and to put this information into their own databases for these purposes without Authorization. Covered entities also are permitted to disclose PHI without Authorization to government-authorized public health authorities for disease surveillance, disease prevention, and other public health purposes, such as reporting disease and injury, in accordance with the Privacy Rule. In addition, the Privacy Rule permits other disclosures when required by law, for example, for State-mandated reporting to cancer registries. Thus, many databases that are now used for health services research will continue to be maintained and updated and will remain available to researchers, although, in some cases, under new terms.

How Covered Entities May Use and Disclose Data for Health Services Research Without Authorization From Data Subjects

Although covered entities may use or disclose PHI for research purposes on obtaining the Authorization of each data subject as indicated above, obtaining Authorization may not be practicable in certain health services research situations. This section explains in greater detail the conditions under which a covered entity may use or disclose PHI for research under the Privacy Rule without obtaining an Authorization from each data subject.

De-Identified Data Sets
The Privacy Rule permits covered entities to use and disclose data that have been de-identified without obtaining an Authorization and without further restrictions on use or disclosure because de-identified data are not PHI and, therefore, are not subject to the Privacy Rule. A covered entity may de-identify PHI in one of two ways. The first way, the “safe-harbor” method, requires the removal of every one of 18 identifiers enumerated at section 164.514(b)(2) of the Privacy Rule. Data that are stripped of these 18 identifiers are regarded as de-identified, unless the covered entity has actual knowledge that it would be possible to use the remaining information alone or in combination with other information to identify the subject.

The second way to de-identify PHI is to have a qualified statistician determine, using generally accepted statistical and scientific principles and methods, that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by the anticipated recipient to identify the subject of the information. The qualified statistician must document the methods and results of the analysis that justify such a determination.

It is important to note that the Privacy Rule permits a covered entity to assign to, and retain with, the de-identified health information a code or other means of record re-identification, if the following conditions are met. First, the re-identification code may not be derived from or related to information about the individual or otherwise be capable of being translated to identify the individual. For example, an encrypted individual identifier (e.g., an encrypted Social Security number) would make otherwise de-identified health information identifiable. An encrypted individual identifier does not meet the conditions for use as a re-identification code for de-identified health information because it is derived from individually identifiable information. Second, the covered entity may not use or disclose the code for any other purpose or disclose the mechanism for re-identification.

Limited Data Sets
In some cases, de-identified data may lack critical information needed for health services research (e.g., nine-digit ZIP Codes or dates of treatment). When such indirect identifiers are needed for the research, a covered entity may provide the data to a researcher as a limited data set. No Authorization or waiver or alteration of Authorization by an IRB or Privacy Board is required for a covered entity to use or disclose a limited data set.

Limited data sets are data sets stripped of certain direct identifiers that are specified in the Privacy Rule. Limited data sets may be used or disclosed only for public health, research, or health care operations purposes. Because limited data sets contain certain identifiers, they are not de-identified information under the Privacy Rule. Importantly, unlike de-identified data, PHI in limited data sets may include the following: Addresses other than street name or street address or post office boxes, all elements of dates (such as admission and discharge dates), and unique codes or identifiers not listed as direct identifiers at section 164.514(e).

Before disclosing a limited data set to a researcher, a covered entity must enter into a data use agreement with the researcher. Among other requirements set forth in section 164.514(e)(4) of the Privacy Rule, the data use agreement must identify who will receive the limited data set, establish how the data may be used and disclosed by the recipient, and provide assurances that the data will be protected. If the covered entity learns that the researcher has violated this agreement, the entity must take reasonable steps to end or repair the violation and, if such steps are unsuccessful, stop disclosing PHI to the researcher and report the problem to the HHS Office for Civil Rights. Additional information on limited data sets and data use agreements can be found in the booklet Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule.

Waiver or Alteration of the Authorization Requirement by an IRB or Privacy Board
For some types of research, de-identified information or a limited data set may not be sufficient for the research purposes. It also may be impracticable for researchers to obtain written Authorization from research participants, for example, for some research conducted on existing databases or repositories where no contact information is available. To address these situations, the Privacy Rule contains criteria for waiving or altering the Authorization requirement by an IRB or another review body, called a Privacy Board. The Privacy Rule permits a covered entity to use or disclose PHI for research purposes without Authorization (or with an altered Authorization) if the covered entity receives proper documentation that an IRB or Privacy Board has granted a waiver (or an alteration) of the Authorization requirement for the research use or disclosure of PHI.

The Privacy Rule establishes criteria to be used by an IRB or Privacy Board in approving a waiver or alteration of the Authorization requirement. For a covered entity to use or disclose PHI under a waiver or alteration of the Authorization requirement, it must obtain documentation of, among other things, the IRB's or Privacy Board's determination that the following criteria have been met:

The use or disclosure involves no more than a minimal risk to the privacy of individuals based on at least the presence of (1) an adequate plan presented to the IRB or Privacy Board to protect PHI identifiers from improper use and disclosure; (2) an adequate plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers or if retention is otherwise required by law; and (3) adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except (a) as required by law, (b) for authorized oversight of the research study, or (c) for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule;

The research could not practicably be conducted without the requested waiver or alteration; and

The research could not practicably be conducted without access to and use of the PHI.

Additional information about the waivers and alterations of Authorization can be found in the publications Institutional Review Boards and the HIPAA Privacy Rule and Privacy Boards and the HIPAA Privacy Rule.

Research Involving Decedents' PHI
A covered entity may provide access to decedents' records for research purposes if the covered entity receives from the researcher (1) representations that the decedents' PHI is necessary for the research and is being sought solely for research on decedents (not, e.g., for research on living relatives of decedents) and (2) on request of the covered entity, documentation of the deaths of the study subjects.

No Authorization or waiver or alteration of Authorization by an IRB or Privacy Board is needed for use or disclosure of decedents' PHI for research, if these conditions are met.

Reviews Preparatory to Research
Covered entities may permit researchers to review PHI in medical records or elsewhere to prepare a research protocol or for similar preparatory to research purposes. This review allows the researcher to determine, for example, whether a sufficient number or type of records exist to conduct the research. Importantly, the covered entity may not permit the researcher to remove any PHI from the covered entity.

To permit the researcher to conduct a review preparatory to research, the covered entity must receive from the researcher representations that:

The use or disclosure is sought solely to review PHI as necessary to prepare the research protocol or other similar preparatory purposes,

No PHI will be removed from the covered entity during the review, and

The PHI that the researcher seeks to use or access is necessary for the research purposes.

Additional information on activities preparatory to research can be found in the publications Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule, Institutional Review Boards and the HIPAA Privacy Rule, and Clinical Research and the HIPAA Privacy Rule.

Research Permissions “Grandfathered” by the Transition Provisions of the Privacy Rule
The Privacy Rule contains a transition provision that, under certain conditions, allows covered entities to continue to use or disclose PHI for research without an Authorization or waiver or alteration of the Authorization requirement. For many such uses and disclosures of PHI in connection with research, a covered entity may rely on any one of the following that was obtained prior to the applicable compliance date (usually, April 14, 2003):

An Authorization or other express legal permission from an individual to use or disclose PHI for the research,

The informed consent of the individual to participate in the research, or

A waiver by an IRB of informed consent in accordance with applicable laws and regulations governing informed consent, unless informed consent is sought after the compliance date.

The following identifiers of the individual or of relatives, employers, or household members of the individual must be removed: (1) Names; (2) all geographic subdivisions smaller than a State, except for the initial three digits of the ZIP Code if the geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; (3) all elements of dates, except year, and all ages over 89 or elements indicative of such age; (4) telephone numbers; (5) fax numbers; (6) email addresses; (7) Social Security numbers; (8) medical record numbers; (9) health plan beneficiary numbers; (10) account numbers; (11) certificate or license numbers; (12) vehicle identifiers and license plate numbers; (13) device identifiers and serial numbers; (14) URLs; (15) IP addresses; (16) biometric identifiers; (17) full-face photographs and any comparable images; and (18) any other unique, identifying characteristic or code, except as permitted for re-identification in the Privacy Rule.

A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable.

The following direct identifiers of the individual or of relatives, employers, or household members must be removed for PHI to qualify as a limited data set: (1) Names; (2) postal address information, other than town or city, State, and ZIP Code; (3) telephone numbers; (4) fax numbers; (5) email addresses; (6) Social Security numbers; (7) medical record numbers; (8) health plan beneficiary numbers; (9) account numbers; (10) certificate or license numbers; (11) vehicle identifiers and license plate numbers; (12) device identifiers and serial numbers; (13) URLs; (14) IP addresses; (15) biometric identifiers; and (16) full-face photographs and any comparable images.

Other Privacy Rule Requirements When PHI Is Used or Disclosed for Research

Minimum Necessary Standard

When using or disclosing PHI for research without an Authorization, a covered entity must make reasonable efforts to limit the PHI used or disclosed to the minimum necessary amount to accomplish the research purpose. However, when disclosing PHI to a researcher who has provided proper documentation or representations as required under Section 164.512(i) of the Privacy Rule (i.e., documentation of an IRB or Privacy Board waiver or alteration of Authorization or representations and documentation as required for reviews preparatory to research or for research on decedents' PHI) a covered entity may reasonably rely on the researcher's request consistent with such documentation and representations as the minimum necessary amount of PHI for the research. See section 164.514(d)(3)(iii)(D) of the Privacy Rule.

Right to an Accounting of Disclosures
The Privacy Rule grants individuals new rights, including the right to receive an accounting of research disclosures made by a covered entity without the individual's Authorization (e.g., under a waiver of Authorization), except for disclosures of a limited data set. The individual has a right to such an accounting of disclosures made by a covered entity in the 6 years prior to the date on which the accounting is requested, not including the period prior to the compliance date of the Privacy Rule. For such disclosures, in general, individuals who request an accounting must be told which PHI was disclosed, to whom it was disclosed, and the date and purpose of the disclosure. Covered entities must provide the address of the recipient, if known.

For certain research disclosures made by a covered entity, two other options exist to facilitate providing an accounting. When multiple disclosures of PHI are made to the same person or entity for a single purpose, the accounting for such disclosures may consist of the information described above for the first disclosure, plus the number or frequency of disclosures, and the date of the last disclosure during the time period covered by the request.

In addition, if during the period covered by the accounting the covered entity has disclosed the records of 50 or more individuals for a particular research purpose, the covered entity may provide to the requester a more general accounting, with the following information:

The name and description of the protocols for which their PHI may have been disclosed,

A brief description of the type of PHI disclosed,

The date or period of time of the disclosures, including the date of the last such disclosure during the accounting period,

The contact information of the researcher and the research sponsor, and

A statement that the PHI of the individual may or may not have been disclosed for a particular protocol or research activity.

Section 164.528(b)(4)(ii) of the Privacy Rule requires that, on request, the covered entity must help the individual contact the sponsor and researcher when it is reasonably likely that the individual's PHI was disclosed for a particular protocol. Additional information on accounting for disclosures can be found in the booklet Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule.

