HIPAA
1. What is HIPAA?
HIPAA has many parts. One section, associated with "Administrative
Simplification", has four main parts. The first part includes national
standards for transactions of electronic patient health, administrative and
financial data between health care providers and health plans.
The second part, known as the "Privacy Rule", concerns the privacy
of an individual's health information. The third part, known as the
"Security Rule", addresses security standards for safeguarding health
information maintained in electronic form.
The fourth part sets up a system of national identifiers for employers, health
plans and providers. The Privacy Rule,
which takes effect on 4/14/2003, and the Security Rule, which takes effect
4/20/2005, both affect research that uses health information that can be linked to the
individual who is its source through personal identifiers.

2. What is the Privacy Rule?
The HIPAA Privacy Rule takes effect on August 14, 2002.
The Privacy Rule includes standards to:
the right to:
- Inspect, copy and request amendments to their medical records
- Request restrictions on uses and disclosures of their health information
- Request a listing of certain releases of their health information
- Receive a Notice of Privacy Regulations
- File a formal complaint about violations of privacy protections
- Revoke an authorization for use/disclosure of identifiable health information
The Privacy Rule also:

3. What are the major implications for researchers as a
result of the Privacy Rule?
The HIPAA Privacy Rule is extremely complex and has required
the development and implementation of new policies and procedures.
In practical terms the major changes are as follows:

4. I've heard that research is exempt from HIPAA; if that's
true, why all the institutional effort towards HIPAA?

Selected FAQs from HHS/OCR FAQ page

Question: If
research subjects' consent was obtained before the compliance date, but the
Institutional Review Board (IRB) subsequently modifies the informed consent
document after the compliance date and requires that subjects be reconsented, is
authorization now required from these previously enrolled research subjects
under the HIPAA Privacy Rule?
Answer: Yes.
If informed consent or reconsent (i.e., asked to sign a revised consent or
another informed consent) is obtained from research subjects after the
compliance date, the covered entity must obtain individual authorization as
required at 45 CFR 164.508 for the use or disclosure of protected health
information once the consent obtained before the compliance date is no longer
valid for the research. The revised informed consent document may be combined
with the authorization elements required by 45 CFR 164.508. See the fact sheet
and frequently asked questions about the research provisions on this web site
for more information about Institutional Review Boards.

Question: Does
the HIPAA Privacy Rule permit the creation of a database for research purposes
through an Institutional Review Board (IRB) or Privacy Board waiver of
individual authorization?
Answer: Yes. A covered entity may use or disclose protected health information
without individuals’ authorizations for the creation of a research database,
provided the covered entity obtains documentation that an IRB or Privacy Board
has determined that the specified waiver criteria were satisfied. Protected
health information maintained by a covered entity in such a research database
could be used or disclosed for future research studies as permitted by the
Privacy Rule – that is, for future studies in which individual authorization
has been obtained or where the Rule would permit research without an
authorization, such as pursuant to an IRB or Privacy Board waiver. See the fact
sheet and frequently asked questions about the research provisions on this web
site for more information about Institutional Review and Privacy Boards.

Question: When is a researcher a covered health care provider under HIPAA?
Answer: A researcher is a covered health care
provider if he or she furnishes health care services to individuals, including
the subjects of research, and transmits any health information in electronic
form in connection with a transaction covered by the Transactions Rule. See 45
CFR 160.102, 160.103. For example, a researcher who conducts a clinical trial
that involves the delivery of routine health care, such as an MRI or liver
function test, and transmits health information in electronic form to a third
party payer for payment, would be a covered health care provider under the
Privacy Rule. Researchers who provide health care to the subjects of research or
other individuals would be covered health care providers even if they do not
themselves electronically transmit information in connection with a HIPAA
transaction, but have other entities, such as a hospital or billing service,
conduct such electronic transactions on their behalf. For further assistance in
determining covered entity status, see the “decision tool” at www.hhs.gov/ocr/hipaa/.

Question: Can
the preparatory research provision of the HIPAA Privacy Rule at 45 CFR
164.512(i)(1)(ii) be used to recruit individuals into a research study?
Answer: The preparatory research provision permits covered entities to use or
disclose protected health information for purposes preparatory to research, such
as to aid study recruitment. However, the provision at 45 CFR 164.512(i)(1)(ii)
does not permit the researcher to remove protected health information from the
covered entity’s site. As such, a researcher who is an employee or a member of
the covered entity’s workforce could use protected health information to
contact prospective research subjects. The preparatory research provision would
allow such a researcher to identify prospective research participants for
purposes of seeking their authorization to use or disclose protected health
information for a research study. In addition, the Rule permits a covered entity
to disclose protected health information to the individual who is the subject of
the information. See 45 CFR 164.502(a)(1)(i). Therefore, covered health care
providers and patients may continue to discuss the option of enrolling in a
clinical trial without patient authorization, and without an Institutional
Review Board (IRB) or Privacy Board waiver of the authorization. See the fact
sheet and frequently asked questions about the research provisions on this web
site for more information about Institutional Review and Privacy Boards.
However, a researcher who is not a part of the covered entity may not use the
preparatory research provision to contact prospective research subjects. Rather,
the outside researcher could obtain contact information through a partial waiver
of individual authorization by an IRB or Privacy Board as permitted at 45
CFR 164.512(i)(1)(i). The IRB or Privacy Board waiver of authorization permits
the partial waiver of authorization for the purposes of allowing a researcher to
obtain protected health information as necessary to recruit potential research
subjects. For example, even if an IRB does not waive informed consent and
individual authorization for the study itself, it may waive such authorization
to permit the disclosure of protected health information as necessary for the
researcher to be able to contact and recruit individuals into the study.

Question: May
a covered entity accept documentation of an external Institutional Review
Board's (IRB) waiver of authorization for purposes of reasonably relying on the
request as the minimum necessary?
Answer: Yes.
The HIPAA Privacy Rule explicitly permits a covered entity to reasonably rely on
a researcher’s documentation of an Institutional Review Board (IRB) or Privacy
Board waiver of authorization pursuant to 45 CFR 164.512(i) that the information
requested is the minimum necessary for the research purpose. See 45 CFR
164.514(d)(3)(iii). This is true regardless of whether the documentation is
obtained from an external IRB or Privacy Board or from one that is associated
with the covered entity.

Question:
What does the HIPAA Privacy Rule say about a research participant's right
of access to research records or results?
Answer: With
few exceptions, the Privacy Rule gives patients the right to inspect and obtain
a copy of health information about
themselves that is maintained by a covered entity or its business associate in a
“designated record set.” A designated record set is basically a group of
records which a covered entity uses to make decisions about individuals, and
includes a health care provider’s medical records and billing records, and a
health plan’s enrollment, payment, claims adjudication, and case or medical
management record systems. While it may be unlikely that a researcher would be
maintaining a designated record set, any research records or results that are
actually maintained by the covered entity as part of a designated record set
would be accessible to research participants unless one of the Privacy Rule’s
permitted exceptions applies. One of the permitted
exceptions applies to protected health information created or obtained by a
covered health care provider/researcher for a clinical trial. The Privacy Rule
permits the individual’s access rights in these cases to be suspended while
the clinical trial is in progress, provided the research participant agreed to
this denial of access when consenting to participate in the clinical trial. In
addition, the health care provider/researcher must inform the research
participant that the right to access protected health information will be
reinstated at the conclusion of the clinical trial.

This material is designed for internal University at Buffalo use only and is
copyrighted. Information and documents available on this site may be
freely copied and used with appropriate attribution to the University at
Buffalo. None of the information on these pages should be construed as
legal advice or expert opinion with respect to how any particular function or
entity engages in work to come into compliance with HIPAA.