This Course will address the Health Insurance Portability and Accountability Act (HIPAA). We will begin by discussing the intended purpose and enforcement of HIPAA. The eighteen data elements that HIPAA protects will be presented. We will discuss privacy protection and identifiable data in research, full protection waivers, alterations and exemptions. We will discuss both investigator and institutional privacy requirements and responsibilities. Finally, the Patient Safety and Quality Improvement Act will be presented. The module will end with a brief quiz.
- Review the purpose and enforcement of HIPAA
- Examine 18 data elements under HIPAA
- Review investigator and institutional responsibilities and requirements in research with private health information.
- Examine waivers, alterations and exemptions
Health Insurance Portability and Accountability Act
Health Insurance Portability and Accountability Act (HIPAA) 1996
HIPAA – Definitions
Individually Identifiable Health Information (IIHI)
Any information, including demographic information collected from an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse; and that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment of the provision of health care to an individual; and that identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
Protected Health Information (PHI)
All Individually Identifiable Health Information and other information on treatment and care that is transmitted or maintained in any form or medium (electronic, paper, oral, etc.).
Use
With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
Disclosure
The release or divulgence of information by an entity to persons or organizations outside of that entity.
Authorization
The mechanism for obtaining consent from a patient for the use and disclosure of health information for a purpose that is not treatment, payment, or health care operations, and not for other permitted disclosures such as those required by law and for public health purposes.
Minimum Necessary
When using any PHI, a covered entity must make all reasonable efforts to limit itself to “the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
The purpose of HIPAA (1996) and the Patient Safety and Quality Improvement Act of 2005 (PSQIA) is to protect health information privacy. HIPAA is the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. It is a federal law that provides portability of health insurance coverage when an employee changes jobs, and provides accountability that protects health data integrity, confidentiality, and availability. HIPAA sets national standards for electronic data transmission concerning transactions (eligibility, claims, payment, and others) and identifiers, and for the use of standard medical codes (e.g. ICD-9, CPT-4; no use of “local” codes). HIPAA also sets national standards for privacy (operational, consumer control, administration) and security (administrative, physical, technical, network) of health information.
Privacy, in the context of HIPAA, is the right of an individual to keep his/her individual health information from being used or disclosed inappropriately for non-health related purposes. The privacy protections of HIPAA apply to individually identifiable health information (IIHI).
HIPAA protects written documentation and all paper records. It protects spoken and verbal information, including voice mail messages. It also protects electronic databases and any electronic information containing protected health information (PHI) stored on a computer, PDA, memory card, USB drive, or other electronic media.
HIPAA carries significant civil penalties for failure to comply. There are also criminal penalties for knowingly or wrongfully disclosing health information protected by HIPAA, and for committing an offense under false pretenses. In other words, it is unlawful to sell health information or client lists for personal gain or malicious harm.
The Patient Safety and Quality Improvement Act of 2005 (PSQIA) was designed to enhance the data available to assess and resolve patient safety and health care quality issues. It authorizes HHS to impose civil money penalties for violations of patient safety confidentiality. It also protects patient safety work product from subpoena. PSQIA can be seen as an adjunct to HIPAA.
HIPAA and research
The Privacy Rule protects the privacy of individually identifiable health information, but allows researchers to have access to medical information to conduct vital medical research. The Privacy Rule was designed to build upon the protections in the Code (45 CFR 46, Subpart A, and 21 CFR Parts 50 and 56). The Privacy Rule also extends protections to research not covered by these portions of the Code. (ref 63)
For research purposes, health information must be de-identified (all individual identifiers must be removed). HIPAA still allows research to be conducted using individual health information with proper authorizations from individuals to use their health information or with an alteration to or waiver of authorization approved by an IRB. (ref 63)
Sharing of covered elements for research is considered a “use” of PHI. All databases containing PHI must adhere to the information privacy and security standards as required by the federal HIPAA regulations.
Data Elements Protected Under HIPAA
- Names
- Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
HIPAA information can be disclosed while complying with the regulations if the IRB has approved the research and one or more of the following conditions exists: the activity is preparatory to research; the research involves only decedent PHI; the research uses a “limited data set” and a data use agreement; the patients or participants have signed an authorization to use the PHI for research; or the IRB has granted a waiver of the required patient/participant signed authorization.
To use or disclose protected health information, a covered entity must either obtain the permission of the research participant or obtain one of the following: 1) documented IRB approval or 2) Privacy Board approval. Either of these serves as documentation that an alteration or waiver of research participants’ authorization for use/disclosure of information about them for research purposes has been approved.
Data are “individually identifiable” if they include any of the eighteen types of identifiers, for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual. De-identified data means that all eighteen PHI data elements have been removed prior to receipt by the researcher; no further action is required to meet HIPAA compliance. De-identified data are not PHI. A covered entity is allowed to disclose information that has been properly de-identified according to the Code (45 CFR 164.502(d) and 164.514(a)-(c)).
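The following is an added example, not part of the course material, showing how the Safe Harbor rule described above (drop the direct identifiers, keep only the year of dates, aggregate ages over 89) can be applied to a structured record. The field names and the sample record are constructed for illustration; a real schema will differ. It also scans free-text fields for identifiers that tend to leak into notes, since removing structured fields alone does not satisfy “any other characteristic that could uniquely identify the individual.”

```python
import re
from datetime import date

# Constructed field names that carry one of the direct identifiers listed above.
# These are dropped outright; "state" is deliberately absent because it may stay.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "fingerprint", "voiceprint", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifier patterns that commonly leak into free-text notes.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_identifiers_in_text(text):
    """Return the kinds of identifiers found in free text (empty list if clean)."""
    return [kind for kind, pat in TEXT_PATTERNS.items() if pat.search(text)]


def deidentify(record, as_of):
    """Return a Safe Harbor de-identified copy of record; raise if free text leaks PHI."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # identifier removed entirely
        if key in DATE_FIELDS and isinstance(value, date):
            out[key + "_year"] = value.year  # keep only the year
            continue
        if isinstance(value, str) and (found := find_identifiers_in_text(value)):
            # Refuse to release rather than silently pass a leaked identifier.
            raise ValueError(f"field {key!r} contains {found}; review before release")
        out[key] = value
    birth = record.get("birth_date")
    if isinstance(birth, date):
        age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
        if age > 89:
            # Ages over 89 are aggregated, and the birth year would reveal the age.
            out["age"] = "90+"
            out.pop("birth_date_year", None)
        else:
            out["age"] = age
    return out


SAMPLE_RECORD = {  # constructed sample input
    "name": "Jane Q. Sample", "street": "12 Example Rd", "city": "Springfield",
    "state": "IL", "zip": "62704", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "birth_date": date(1931, 5, 4), "admission_date": date(2023, 2, 14),
    "diagnosis_code": "I10", "notes": "Patient tolerated medication well.",
}
```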
Investigator and institutional privacy requirements
HIPAA requires that a covered entity limit the PHI it releases/discloses to a researcher to the “information reasonably necessary to accomplish the purpose.” A covered entity relies on the researcher’s request and the documentation from the IRB to describe the minimum PHI necessary to accomplish the research goals. A signed authorization from the research participant supersedes the minimum necessary restriction. If PHI is released or disclosed to a researcher, then the researcher becomes responsible for ensuring that the use and disclosure of the PHI complies with HIPAA regulations.
Recruiting and screening
Research recruitment techniques must meet HIPAA standards for privacy and confidentiality. Investigators must separate the roles of researcher and clinician. Investigators must not use their clinical access privileges to search patient records for potential participants. Physicians may contact only their own patients to recruit for research studies. If investigators receive data from a covered entity to complete their research, then the principal investigators or designated researchers must provide a copy of the fully executed IRB approval form to the covered entity holding the data before the data can be released for research.
The researcher must provide and maintain database security, including physical security and access controls to manage the access, use, and disclosure of the PHI. PHI should be stored in locked areas, desks, and cabinets. Lock-down mechanisms should be obtained for devices and equipment in easily accessible areas, if applicable.
HIPAA requires that computer security precautions be taken. Computer screens should be arranged so that they are not visible to unauthorized persons. Individuals using the computers should log off before leaving the workstation. The workstation itself should be configured to automatically log off, and require the user to log in again, if there is no activity for more than 15 minutes. A screensaver should be set with password protection to engage after five minutes of inactivity. All research data must be managed appropriately. Documents and databases with electronic PHI (ePHI) should be stored securely on a network file server. They should not be stored on a workstation (C: drive). Researchers should not allow coworkers to use their computers without first logging off.
Portable devices include hand-held, notebook, and laptop computers, personal digital assistants, cell phones, and pocket or portable memory devices such as thumb and jump drives. There should always be password protection on these devices. ePHI should be deleted when it is no longer needed. Application software should be kept up-to-date. Critical software and data should be backed up onto a secured network. Encryption should be used when transporting ePHI on any mobile computing device and encryption keys should be backed up.
This Module addressed the Health Insurance Portability and Accountability Act (HIPAA). We began by discussing the intended purpose and enforcement of HIPAA. The eighteen data elements that HIPAA protects were presented. We discussed privacy protection and identifiable data in research, full protection waivers, alterations and exemptions. We discussed both investigator and institutional privacy requirements and responsibilities. Finally, the Patient Safety and Quality Improvement Act was presented. The Module ends with a brief quiz.