Understanding HIPAA Compliance in Research Settings

Slide Note
Embed
Share

Health Insurance Portability and Accountability Act (HIPAA) plays a crucial role in safeguarding protected health information (PHI) in research conducted by covered entities like UConn Health. This content covers the definitions of PHI, the 18 identifiers defined by HIPAA, common methods to comply with HIPAA regulations, and the importance of obtaining authorization to use and disclose PHI in research settings.


Uploaded on Jul 29, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Office of the Vice President for Research Human Subjects Protection Program IRB Submission Process Module 4 - Health Insurance Portability and Accountability Act (HIPAA) 2024 1

  2. Health Insurance Portability and Accountability Act (HIPAA) HIPAA provides for confidentiality of protected health information (PHI) and regulates how a covered entity may use individually identifiable health information for research. Because UConn Health is a covered entity researchers who use or disclose individually identifiable health information must comply with HIPAA. Individually identifiable health information is referred to as protected health information or PHI In order to be considered PHI the health information must be associated with one or more of the 18 identifiers defined by HIPAA. 2

  3. Protected Health information (PHI) Protected Health Information isidentifiable health information. PHI Includes: Individual s past, present, or future physical or mental health or condition information. The provision of health care to the individual. At least one of the 18 personal identifiers (see next slide). In any format: written, spoken, or electronic (including videos, photographs, and x-rays) 3

  4. The 18 Identifiers Defined by HIPAA 1- Name 7- Account #s 13- Device Identifiers 2- E-mail 8- License #s 14- Vehicle Identifiers and serial # 3- URLs 9- Health Plan Beneficiary #s 15- Device Identifiers and their serial # 4- IP Address 10- Medical Record # 16- Biometric Identifiers (finger and voice prints) 5- Phone #s 11- Social Security # 17- Full face photo. 6- Fax #s 12- All elements of dates (except Year) 18- Any unique identifying #, characteristic or code. 4

  5. Common Methods to Comply with HIPAA The most common methods used to comply with HIPAA are: Obtaining Authorization Obtaining a Waiver or Alteration of Authorization Certifying PHI will be De-identified 5

  6. Authorization to Use and Disclose Protected Health Information A signed HIPAA Authorization represents an individual s agreement to the use and disclosure of the individual s PHI for the specified research purpose. A signed Authorization is typically required when interacting with subjects (in person or on-line) and collecting PHI Authorization must be obtained prior to the use and/or disclosure of PHI. To be valid, unless otherwise approved by the IRB, the Authorization must contain all elements and statements required by the regulation The Authorization template is available on the IRB website and contains the required statements and elements 6

  7. Waiving or Altering Authorization When it is not feasible for researchers to obtain a complete written Authorization from research participants HIPAA may allow for a waiver/alteration of authorization if certain criteria are met. The waiver/alteration may apply to the entire study or to only a certain phase of a study. The investigator must complete and submit the Request for Alteration or Waiver of Authorization form posted on the IRB website. The form addresses all of the criteria to be evaluated by the IRB in determining whether the alteration/waiver can be granted. A waiver/alteration is not granted for the convenience of the researcher. The researcher must justify, among other things, why obtaining a complete authorization is not practicable. Examples of when a Waiver of Authorization may be granted: a. A retrospective review of medical records with no subject interaction (Complete HIPAA Waiver) b. Collection of PHI during telephone screening (Partial HIPAA Waiver) 7

  8. Alteration vs. Waiver of Authorization HIPAA also allows for an alteration of authorization. With an alteration some required elements of the authorization are waived or altered, but authorization is not completely waived. Example: An alteration to request that the need for signature be removed if the subject is to be presented with the authorization on-line and the subject clicks a yes button to acknowledge have read the form and agree to the terms. 8

  9. Certification of De-Identification Research that involves the creation/use of de-identified protected heath information is exempt from HIPAA requirements. There are three ways to certify that data will be/is de-identified: (1) Removing all 18 identifiers defined within the HIPAA regulations from the data. (2) Obtaining a determination by a qualified statistician who reviews the abstracted data and indicates that risk of re-identification using that data is very small. (3) Not using, reviewing or recording identifiers during the course of the study. The investigator is required to sign and submit to the IRB the form titled HIPAA Certification of De-Identification available on the IRB website. All study team members performing the records review should sign and date the Certification of De-Identification Form. 9

  10. Conclusion This presentation has reviewed the most common ways in which HIPAA is addressed in research. However there are also other mechanisms such as limited data sets and data use agreements, preparatory to research provisions and provisions for use of decedent information. For more information on any of the aforementioned contact the IRB Office as noted on the next slide. 10

  11. Questions irb@uchc.edu cagganello@uchc.edu 11

Related


More Related Content