Research & HIPAA October, 2016 Overview HIPAA & Research - PowerPoint PPT Presentation


  1. Research & HIPAA October, 2016

  2. Overview
     • HIPAA & Research
     • Increased Enforcement
     • HIPAA Security

  3. HIPAA & Research

  4. HIPAA & Research

  5. HIPAA & Research
     PHI Disclosure for Research and PHI Use for Research rest on the same bases, and each is subject to the Minimum Necessary standard:
     • Patient Authorization
     • Full Waiver
     • Partial Waiver
     • Preparatory to Research
     • Decedents
     • Limited Data Sets

  6. Protected Health Information
     (1) Names (including initials);
     (2) Street address, city, county, precinct, zip code, and equivalent geo-codes;
     (3) ALL elements of dates (except year) for dates directly related to an individual, and all ages over 89 (this would include procedure dates, date of admission, date of lab work, etc.);
     (4) Telephone numbers;
     (5) Fax numbers;
     (6) Electronic mail addresses;
     (7) Social security numbers;
     (8) Medical record numbers;
     (9) Health plan ID numbers;
     (10) Account numbers;
     (11) Certificate/license numbers;
     (12) Vehicle identifiers and serial numbers, including license plate numbers;
     (13) Device identifiers/serial numbers;
     (14) Web addresses (URLs);
     (15) Internet IP addresses;
     (16) Biometric identifiers, incl. finger and voice prints;
     (17) Full face photographic images and any comparable images; and
     (18) Any other unique identifying number, characteristic, or code

  7. Research Requirements
     Authorization
     • Specific elements
     • Signed by the patient or personal representative
     • Save for 6 years
     Waiver of HIPAA Authorization
     • Factors considered
     • Must save for 6 years

  8. HIPAA Research Authorization Elements
     Core Elements
     • Description of PHI to be used or disclosed
     • Names of those authorized to make the requested use or disclosure
     • Names of persons who may use the PHI or to whom the CE may make the requested disclosure
     • Description of each purpose
     • Expiration date of the authorization
     • Signature and date
     Required Statements
     • Individual’s right to revoke
     • Notice of the CE’s ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization
     • Potential for redisclosure by the recipient, after which the PHI is no longer protected by the Privacy Rule
     https://privacyruleandresearch.nih.gov/pdf/authorization.pdf

  9. HIPAA Research Authorization
     • Combined with consent (“compound authorization”)
     • Stand-alone

  10. Exceptions
     • De-identified
     • PHI of Deceased
     • Limited Data Set
     • Preparatory to Research

  11. De-Identified
     “Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.”

  12. De-Identified
     The Privacy Rule provides two methods by which health information can be designated as de-identified: Expert Determination (a qualified expert documents that the risk of re-identifying the individual is very small) and Safe Harbor (removal of the 18 identifiers listed on the next slide, with no actual knowledge that the remaining information could identify the individual).

  13. De-Identified: Safe Harbor method
     Remove all 18 identifiers listed on slide 6 (Protected Health Information): names, geographic subdivisions smaller than a state, all elements of dates except year and all ages over 89, telephone and fax numbers, e-mail addresses, SSNs, medical record numbers, health plan IDs, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full face photographs, and any other unique identifying number, characteristic, or code.

  14. Deceased
     “Research on Protected Health Information of Decedents. Representations from the researcher, either in writing or orally, that the use or disclosure being sought is solely for research on the protected health information of decedents, that the protected health information being sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought. See 45 CFR 164.512(i)(1)(iii).”

  15. Limited Data Set
     “A covered entity may use and disclose a limited data set for research activities conducted by itself, another covered entity, or a researcher who is not a covered entity if the disclosing covered entity and the limited data set recipient enter into a data use agreement. Limited data sets may be used or disclosed only for purposes of research, public health, or health care operations. Because limited data sets may contain identifiable information, they are still PHI.”

  16. Limited Data Set
     • “Data Use Agreement” (required before the limited data set is disclosed)
     • Specific uses of the limited data set
     • Identify who is permitted to receive it
     • Specific stipulations on how the data will be used

  17. Limited Data Set
     May include:
     • Town, city, state and zip code
     • Elements of dates related to an individual: date of birth, admission date, discharge date, death date
     Must exclude:
     • Name
     • Address (other than town, city, zip)
     • Phone and fax
     • Email address
     • SSN
     • MRN
     • Health plan beneficiary numbers
     • Account numbers
     • Certificate/license numbers
     • VIN
     • Device identifiers
     • URLs and IP addresses
     • Biometric identifiers
     • Full face photos
     • Any other unique number, characteristic or code that could be used to identify the individual
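As an added example (not part of this deck), the Python below applies the Safe Harbor identifier list from slide 6 and the Limited Data Set rules from this slide to one patient record, so the difference between the two outputs is visible side by side. It goes a little beyond the slides by also masking identifier-shaped tokens (SSN, phone, e-mail, IP) that leak through free-text fields such as clinical notes. The field names, the sample record, the reference date used for age, and the regular expressions are all constructed assumptions for illustration; they are not from any real system or real patient.

```python
"""Added example: Safe Harbor de-identification vs. a Limited Data Set.

Field names, the sample record, the reference date and the free-text
patterns are constructed for illustration; nothing here is real patient data.
"""
import re
from datetime import date

# Direct identifiers that both Safe Harbor and a Limited Data Set must drop
# (slide 6 items 1 and 4-18, plus the street address from item 2).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo", "other_unique_code",
}

# Geography below state level: a Limited Data Set may keep it; the slide's
# Safe Harbor summary removes it (the regulation itself allows a 3-digit ZIP
# prefix for areas of more than 20,000 people, which this example does not use).
GEO_BELOW_STATE = {"city", "county", "zip"}

# Dates directly related to the individual (slide 6 item 3 / slide 17).
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "death_date"}

# Identifiers that leak through free text; patterns are illustrative, not exhaustive.
_FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]


def scrub_text(text):
    """Mask identifier-shaped tokens inside narrative fields such as notes."""
    for pattern, label in _FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify(record, mode="safe_harbor", as_of=date(2016, 10, 1)):
    """Return a copy of `record` stripped according to `mode`.

    "safe_harbor": the 18-identifier method; the result is no longer PHI.
    "limited_data_set": keeps dates and town/city/state/zip, so the result
    is still PHI and may only be shared under a data use agreement.
    """
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode: {mode}")
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field in GEO_BELOW_STATE and mode == "safe_harbor":
            continue
        if field in DATE_FIELDS:
            # Safe Harbor keeps only the year; a Limited Data Set keeps the full date.
            out[field] = value if mode == "limited_data_set" else str(date.fromisoformat(value).year)
            continue
        out[field] = scrub_text(value) if isinstance(value, str) else value
    if "date_of_birth" in record:
        age = age_on(date.fromisoformat(record["date_of_birth"]), as_of)
        if mode == "safe_harbor" and age > 89:
            # Ages over 89, and any birth year that would reveal one, are aggregated into "90+".
            out.pop("date_of_birth", None)
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Q. Doe",
    "street_address": "12 Elm St",
    "city": "Columbus",
    "state": "OH",
    "zip": "43210",
    "date_of_birth": "1925-03-14",
    "admission_date": "2016-09-02",
    "discharge_date": "2016-09-07",
    "mrn": "MRN-0004471",
    "ssn": "123-45-6789",
    "email": "jane.doe@example.org",
    "diagnosis_code": "I10",
    "notes": "Follow-up call to 614-555-0100; portal login from 203.0.113.9.",
}

if __name__ == "__main__":
    for mode in ("safe_harbor", "limited_data_set"):
        print(mode, deidentify(SAMPLE_RECORD, mode=mode))
```

Running it shows the practical point of slides 15 and 17: the Safe Harbor output keeps only the state, the year of each event, a "90+" age bucket and the scrubbed note, while the Limited Data Set output still carries the full dates and the zip code, which is exactly why it remains PHI and needs a data use agreement before it leaves the covered entity. The free-text scrub is a minimum, not a guarantee; item 18 (any other unique code) is open-ended, and a real pipeline would pair a rule list like this with review of narrative fields.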

  18. Preparatory to Research
     “Preparatory to Research. Representations from the researcher, either in writing or orally, that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any protected health information from the covered entity, and representation that protected health information for which access is sought is necessary for the research purpose. See 45 CFR 164.512(i)(1)(ii). This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study.”

  19. Minimum Necessary
     “The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.”

  20. Breach Reporting Requirements
     • Where there is a “Breach”
     • We must notify the patient and the Department of Health and Human Services

  21. Breach Regulations
     1. A use or disclosure in violation of HIPAA is presumed to be a reportable breach
     2. unless a documented risk assessment shows a low probability that the PHI has been compromised
     3. If reportable: notify the patient, OCR, and the media (media notice applies when more than 500 individuals are affected)

  22. Breach “Wall of Shame” (OCR’s public portal listing breaches that affected 500 or more individuals)

  23. Increased Enforcement

  24. Office for Civil Rights HIPAA Enforcement: Increased Enforcement
     [chart: number of Resolution Agreements and number of Civil Money Penalties per year, y-axis 0 to 12]
     2016: Over $18 Million in Resolution Agreements

  25. Resolution Agreement
     • Feinstein Institute for Medical Research, 2016
     • $3.9 million
     • Unencrypted laptop stolen out of an employee’s car
     • Disclosed ePHI of 13,000 people
     • Lack of risk assessment
     • Failed to implement policies, procedures, safeguards
     • Three year corrective action plan

  26. Pay Attention To:
     • Paper
     • Shred it
     • Attention to binders
     • Physical security
     • Transport
     • Appropriate approvals
     • Data security

  27. HIPAA Security

  28. Conducting Research Securely
     • In a perfect world, you would only need to focus on research.
     • However, this is not the case; there are things that come along with research that we need to address:
       • Security requirements
       • Bad guys: hackers and criminals
       • Errors and failures

  29. Security Requirements
     • HIPAA: protected health information
     • FERPA: student record information
     • PCI: payment card industry
     • FISMA: federal contracts
     • FDA: medical devices
     • Joint Commission: accreditation
     • State laws: mental health, breach notification
     • Other federal laws: chemical dependency; export control
     • Institutional standards
       • OSU Information Security Standards (ISS)
       • OSU Information Security Control Requirements (ISCR)
     • Industry standards

  30. Security Requirements: OSU Information Risk Management Program
     • Organizational policies, standards, and requirements that address laws and regulations applicable to the university

  31. Security Requirements: OSU Information Risk Management Program
     • Security Standard covers 30 identified risk areas
     • Specifies security requirements for each area

  32. Security Requirements: Risk Assessments
     In order to protect data when conducting research, we need to understand several things:
     1. Where did the data originate?
     2. Where does the data need to go?
     3. Who can access the data?
