1
- The following is an educational PowerPoint presentation on the HIPAA
rules and regulations.
If you are involved in Marketing or Fundraising, or if you work
with Business Associates, you will be required to complete one or more
additional modules, currently under development.
- To navigate through this module, use the arrows or click “Slide Show” at
bottom right, or click on the titles in the table of contents on the
left.

2

3

- The University of Michigan is committed to protecting the privacy and
integrity of our patients’ health information. The HIPAA Privacy Rule recognizes the
importance and value of this commitment.
- This session will help us continue to do our part in protecting privacy.

4

- The Privacy Rule was adopted under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA).
- The date for compliance is April 14, 2003.

5

6

- The Privacy Rule gives patients the right to:
- have their PHI protected;
- receive a notice describing our privacy practices;
- inspect and copy their records;
- request that PHI in their records be corrected or changed;
- ask for limits on how their PHI is used or shared;
- get information about their PHI in different ways, such as at work and
not at home;
- get a list of certain disclosures made of their PHI.

7

- Health care providers and health plans will give out a Notice of Privacy Practices (NPP) that
describes how we use and share patients’ PHI, patients’ rights regarding PHI, our
responsibilities regarding PHI, and whom to contact for more information.
- You can access our NPP by going to our HIPAA web site www.med.umich.edu/hipaa.

8

- Protected Health Information (PHI) includes information:
- sent or stored in any form;
- that identifies the patient or can be used to identify the patient;
- that is created or received by a covered entity (e.g., hospital,
doctor, dentist, health plan);
- that relates to a patient’s past, present and/or future treatment and
payment of services.
- Use: generally refers to how PHI
is handled (internally).
- Disclosure: generally refers to
how PHI is shared externally.

9

10

- “Covered entities” include:
- Health care providers at UMHS, including doctors, dentists, nurses and
therapists, and where they work, such as hospitals and clinics;
- Health plans like M-CARE or Blue Cross/Blue Shield;
- Health care clearinghouses like Blue Cross/Blue Shield’s DENIS system
and WebMD/Envoy.

11

- Treatment: various activities
related to patient care.
- Payment: various activities
related to paying for or getting paid for health care services.
- Health Care Operations: generally
refers to day-to-day activities of a covered entity, such as planning,
management, education and training, quality improvement, accreditation,
peer review.
- NOTE: Research is not considered TPO (treatment, payment, or health care
operations).

12

13

- Patient permission or “authorization” is needed to use or share PHI for
certain marketing and fundraising activities.
- For example: A doctor cannot give a diaper company the names of
pregnant patients without an authorization.
- NOTE: See the education program on marketing and fundraising for more
information.

14

- “Psychotherapy notes” are certain notes about a counseling session that
are separate from the rest of the patient’s medical record.
- Generally, uses and disclosures of such notes require specific
authorization.
- NOTE: Stricter Michigan law applies to mental health records; see the
education program on behavioral health for more information.

15

- Patients are allowed to decide (written permission is not needed) if
they want some or all of their PHI to be used or shared, such as:
- for patient directories; and
- with friends and family members involved in patient care or payment.

16

- Generally, the amount of PHI used, shared, accessed or requested must be
limited to only what is needed.
- For example: When we call an insurance company to get permission to
provide a healthcare service, we don’t need to provide the patient’s
entire medical history, only the diagnosis and procedure information
that is needed for the company to approve payment of the claim.

17

- Workers should have access only to the PHI that the job responsibilities
require.
- For example: Someone who delivers food trays to patients may need PHI
about the patient’s diet, but does not need to know why the patient is
in the hospital.

18

- In some cases, this rule (limiting PHI to what is needed) does not apply,
such as:
- When PHI is shared or requested among health care providers for
treatment;
- Disclosures to a patient about his or her own PHI;
- Authorized uses or disclosures approved by the patient; and
- Uses or disclosures required by law or to comply with the privacy
regulations.

19

- In conducting TPO or other allowed activities, an incidental disclosure
of PHI may occur. These are allowed if steps are taken to limit them.
- For example: a patient can see another patient’s name on a sign-in
sheet if no medical information is on the sheet or may hear a patient’s
name as it is called in the waiting room.

20

- Take reasonable safeguards to secure and protect PHI.
- For example:
- Speak in soft tones when discussing PHI;
- Do not discuss PHI in public hallways or in elevators;
- Use (but do not share) computer passwords; and
- Lock cabinets when your area is not monitored by other UMHS employees,
e.g. at night.

21

- A vendor providing a service for us that needs access to PHI
must sign an agreement called a Business Associate agreement, promising
to keep PHI confidential.
- For example: a database vendor that receives or has access to PHI to
maintain a clinical database is required to sign a business associate
agreement.
- Employees, volunteers, trainees and others whose work we control are not
considered business associates, and therefore, no business associate
agreement with them is needed.

22

- Patient permission or “authorization” is usually needed to use or share
PHI for research.
- Conduct of research generally is governed under federal regulations for
the protection of human subjects (the “Common Rule”); use or
sharing of PHI for research is governed by HIPAA.

23

- Common Rule
- a systematic investigation, including research development, testing, and
evaluation, designed to develop or contribute to generalizable knowledge
- applies only to human subjects (i.e. live people)
- HIPAA
- a systematic investigation, including research development, testing, and
evaluation, designed to develop or contribute to generalizable knowledge
- applies to records, both for current and for deceased patients

24

- General Rule
- PHI (for living or deceased individuals) may be used or disclosed for
research purposes only with written “authorization” (permission) from
the patient

25

- What information will be used or disclosed
- Who can use or disclose
- Who can receive the information
- Purpose of disclosures
- Right to revoke authorization
- Notification of any consequences of refusing to sign the authorization
(e.g., no participation in the research project)
- Warning: once authorized information is disclosed, it may no longer be
protected under HIPAA
- Expiration date or event (may be “at the end of the project” or “none”)
- Signature, date, and (if applicable), authority of representative to
sign

26

- Authorization requirement is subject to some exceptions:
- Waiver of authorization (approved by IRB or Privacy Board)
- Use of PHI “preparatory to research”
- Use of decedents’ information for research purposes
- Disclosure of limited amounts of PHI under a “data use agreement”

27

- 1. Waiver of Consent and Authorization
- Most studies regulated under the Common Rule are conducted under active
written informed consent
- Some studies qualify for a “waiver” of written informed consent or a
waiver of documentation of consent under the Common Rule
- HIPAA permits a waiver of “authorization” – but Common Rule and HIPAA
requirements are not identical

28

- IRB-Common Rule:
- Minimal risk to subjects
- No adverse effect on subject’s rights
- Impracticable to do research without waiver
- Information to subjects when appropriate
- IRB or Privacy Board-HIPAA:
- Minimal risk to subjects’ privacy
- Adequate plan to protect identifiers
- Adequate plans to destroy identifiers (break links) when and if
possible
- Written assurance no inappropriate re-use or re-disclosure
- Impracticable to do research without waiver and without access to PHI

29

- 2. PHI may be used without authorization for “reviews preparatory to
research”
- Researcher must demonstrate to UM (through the IRB or Privacy Board)
that:
- the PHI will be used only to prepare a protocol
- no PHI will be removed from UM or disclosed outside UM
- the PHI to be used is necessary for the research purpose
- Purpose of exception is to prepare a protocol, e.g., facilitate study
design work or feasibility analysis – can also facilitate subject
recruitment in some cases
- Exception is available only to UM workforce members (no sharing outside
UM, e.g. with collaborators at other sites)
- The information reviewed under this exception may not be used for the
research project itself or for any future project; only name/contact
information should be extracted for recruitment

30

- 3. Use of decedents’ information for research purposes
- Researcher must demonstrate to UM (through the IRB or Privacy Board)
that:
- use or disclosure is only for research on decedents’ information
- deaths are documented
- PHI to be used or disclosed is necessary for the research purpose
- Note: deceased individuals are not considered human subjects under the
Common Rule

31

- 4. PHI in a “limited data set” may be used or shared without
authorization for research purposes
- The researcher must sign a “Data Use Agreement”
(a simple one-page contract)
- At UM, the Data Use Agreement must be filed with and approved by the
Privacy Board or its designee (DRDA is authorized; additional
procedures are in development)

32

- A limited data set may include:
- geographic information like city and zip code (but not street address)
- dates (including dates of birth, death, admission and discharge), and
age in hours, days, months or years
- A limited data set may not include any of the following information with
respect to the patient, patient’s household members, or patient’s
employer:
- Name; street address; telephone and fax numbers; e-mail, URL, and IP
addresses
- Social security, medical record, health plan beneficiary or account
numbers, certificate/license numbers, vehicle identifiers and serial
numbers, including license plate numbers
- Device identifiers and serial numbers; biometric identifiers, including
finger and voice prints; and full face photographic or comparable
images
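As an added illustration (not part of the presentation), here is a small Python check that applies the lists on this slide to a record before it is released as a limited data set. The column names and the sample record are assumptions constructed for the example, and it goes slightly beyond the slide by also scanning free-text values for identifier-shaped strings that a column name alone would not reveal.

```python
"""Added example (not the presentation's own): check a record against the
"limited data set" rules on slide 32.  Column names and the sample record
are constructed for illustration."""
import re

# Direct identifiers a limited data set may NOT contain (slide 32), under
# hypothetical column names.
FORBIDDEN_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "url", "ip_address",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "license_plate", "device_serial", "biometric", "face_photo",
}
# May stay per the slide (city/zip, dates, age) plus released clinical fields.
ALLOWED_FIELDS = {
    "city", "zip", "dob", "date_of_death", "admit_date", "discharge_date",
    "age_years", "diagnosis", "procedure",
}
# Value shapes that betray an identifier pasted into an innocent column.
VALUE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def limited_data_set_violations(record):
    """Return reasons the record is not a valid limited data set ([] if it is)."""
    problems = []
    for field, value in record.items():
        if field in FORBIDDEN_FIELDS:
            problems.append(f"forbidden identifier field: {field}")
            continue  # the field must go anyway; no need to inspect its value
        if field not in ALLOWED_FIELDS:
            problems.append(f"field not on the release allow-list: {field}")
        if isinstance(value, str):
            for kind, pattern in VALUE_PATTERNS.items():
                if pattern.search(value):
                    problems.append(f"{kind}-like value in field {field}")
    return problems

def to_limited_data_set(record):
    """Keep only allowed fields; refuse to release if an identifier still leaks."""
    kept = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    leaks = limited_data_set_violations(kept)
    if leaks:
        raise ValueError("cannot release: " + "; ".join(leaks))
    return kept

# Constructed sample (not real data); "notes" has a pasted phone number.
SAMPLE_RECORD = {
    "name": "Pat Example", "mrn": "MRN-000123", "city": "Ann Arbor",
    "zip": "48109", "dob": "1970-01-02", "admit_date": "2003-04-14",
    "age_years": 33, "diagnosis": "J18.9", "notes": "call 734-555-0100",
}
```

The allow-list is deliberately narrow: a field the slide does not name is held back for review rather than released by default, which is the same "only what is needed" stance slide 16 describes.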

33

34

- Privacy Board (PB)
- HIPAA permits a privacy board to grant a waiver to the “authorization”
requirement that applies to most research activities
- Includes people with relevant experience and expertise, including at
least one non-affiliated (community) member
- At UMHS, the PB will handle, at
least on a temporary basis, projects that IRBMED would not otherwise be
required to review (e.g., research databases, exempt research,
non-regulated research)
- Institutional Review Board (IRB)
- Functions under the Common Rule to review, approve, and maintain
oversight over human subjects research; HIPAA permits the IRB to approve
authorization waivers as well
- Includes people with relevant and diverse experience and expertise,
including at least one non-scientist and at least one non-affiliated
(community) member
- At UMHS, the IRBMED will incorporate HIPAA requirements into its regular
review process, except for projects that do not require use or sharing
of PHI

35

- HIPAA allows either an IRB or a “Privacy Board” to grant a “waiver of
authorization” for use or disclosure of PHI for research purposes
(including creation/maintenance of research databases)
- At UMHS, the Privacy Board also will assist in other ways, including:
- Certifications for reviews preparatory to research
- Certifications for research on decedents’ information
- Approval of data use agreements
- Clearinghouse/expertise on privacy issues relevant to human subjects
research projects
- A privacy board is not authorized to review and approve research under
the Common Rule

36

- HIPAA requires covered entities (e.g., UMHHC) to “account” for many
research-related disclosures made without patient authorization
- Exceptions:
- internal uses do not need to be tracked
- disclosures made through a limited data set with a data use agreement
do not need to be tracked
- disclosures of “deidentified data” do not need to be tracked (none of
the identifiers on the “PHI” list is included in the data set)
- disclosures made in studies involving more than 50 subjects do not need
to be tracked if we keep a list available of all such studies,
including title, PI, and contact information
- Policies/procedures for accounting are under development

37

- No PHI in Research
- If you are conducting a project without use of PHI, HIPAA does not
apply but IRBMED’s informed consent template must be used for all new
projects and scheduled continuation reviews beginning April 1
- Caution!
- If you do a blood test or radiological scan or other procedure only
for research purposes, and not related to treatment, the information
may not be PHI and your project is not regulated by HIPAA; but
- If the test or results information passes through the subject’s UM
medical record (because CPI is used and/or information is posted to
CareWeb or other clinical information systems), then HIPAA may apply

38

- Some research-related disclosures are “grandfathered” under HIPAA
- “Express legal permission” (usually written permission) from the
individual to use or disclose their PHI for research
- Written informed consent obtained before
April 14, 2003
- Waiver granted by IRB before April 14, 2003 (but if subject is later
consented, consent must be HIPAA-compliant)

39

- Multicenter Trials
- Four ways to share PHI with other centers:
- Written permission from the subject/patient (authorization)
- Waiver from IRB or Privacy Board
- Limited Data Set with Data Use Agreement
- Deidentified data (nothing on “PHI” list)
- When we need information from other centers for our own research
projects:
- The updated IRBMED informed consent template is intended to comply with
the privacy rule and to allow any health care provider or health plan
to disclose PHI to us (or UMHHC to disclose PHI to our
co-investigators) for research purposes.
- However, every site may have its own rules and policies.
- If another site or a sponsor requires an additional form to be signed
by your subject, IRBMED must review and approve that form in advance.

40

41

- We can create and maintain databases or registries for treatment,
payment, and health care operations (“TPO”) purposes (e.g., CareWeb;
PathNet; data warehouse) without permission – TPO activities include:
- Clinical care, billing, utilization review
- Quality assurance/assessment, accreditation activities
- Education, planning
- IRB or Privacy Board approval is required to access a TPO database for
research purposes (even reviews preparatory to research)
- Written patient permission or IRBMED or Privacy Board approved waiver is
needed to create and maintain a database or registry solely for research
purposes; patient permission, if sought, must be specific as to
research purpose (HIPAA prohibits “blanket” authorizations)

42

- “Screening logs”
- If no use or disclosure of PHI, no HIPAA issue (information received
directly from a subject through a survey is not PHI; but if the survey
information is verified or supplemented by medical record information,
then PHI has been used).
- If the log includes PHI but was created or used for TPO purposes, then
ok to continue maintaining without patient permission.
- If the log includes PHI and is used only for research purposes, need
patient permission or IRB or Privacy Board waiver to continue entering
data after April 14.
- Alternatives for sending data from screening log to sponsors (without
patient permission):
- “De-identify” the data (no elements listed on the “PHI” list may be present in the data set sent)
- Provide a “limited data set” with a data use agreement
- Obtain a waiver of authorization from the Privacy Board

43

- Existing Datasets
- HIPAA does not require that existing datasets be destroyed
- New data cannot be added into an existing research dataset without
written authorization or waiver, unless the data is first deidentified
(all identifiers listed on the “PHI
list” are eliminated) or made part of a limited data set
- Data cannot be removed from an existing dataset for research purposes
without IRB or Privacy Board approval

44

- IRBMED
- Any research project subject to federal regulations for the protection
of human subjects.
- Reviews preparatory to research may be submitted to IRBMED
- Privacy Board
- Waiver of authorization for a project that does not require IRBMED
review (e.g., exempt from Common Rule oversight)
- Review preparatory to research
- Research on decedents’ information
- Limited data sets disclosures

45

- We already follow many other laws, rules and guidelines to protect
privacy.
- Generally, the Privacy Rule supersedes contrary state law, but there are
times when Michigan law controls. In many cases, both must be followed.
- In cases where Michigan law provides more protection, Michigan law
should be followed. For example, for AIDS/HIV or mental health records,
Michigan law should be followed.

46

- The privacy regulations impose penalties for violations including:
- Civil penalties of $100 per person for each violation (e.g., for each
patient record inappropriately disclosed), with a $25,000 limit per
calendar year for each type of violation
- Criminal penalties up to $250,000 and 10 years in jail.
- UMHS policies include disciplinary action up to and including discharge.

47

48

- You must complete the next section, “Frequently Asked Questions.”
- To continue and get credit for completing this module, click HERE.
Be sure to click on the last slide when finished, to get a
certificate and credit.