Answer: Not necessarily. PHI is information about the health of an individual, the health condition of an individual or the payment for health services rendered to an individual.
If we just had a DOB and that DOB was not linked to any other health information and could not be sourced to a provider e. Question 1: As per the HIPAA regulations, we need to keep a log of all persons who have viewed PHI in our database in order to provide a list of disclosures, if and when a participant requests it.
Do we need to log a new entry each time a member of our research team views the data, or do we only need to enter a new entry in the log when someone outside of the team views the data? All Hopkins members of the research team may view the PHI without keeping a disclosure log. What about the results of research laboratory tests? This is defined as.
This does not mean that the research record does not contain protected health information or PHI. In your question, if the interview included questions about health status or history, this would be PHI. You should know that this is not a settled area of the law. Different experts have different opinions. But until there is further clarification, this is our position on this issue. Consult OHSR about specific requests for provision of copies of research records or information to non-Hopkins entities.
Question 1: I am enrolling subjects in a clinical study. Answer: A subject must sign an Authorization that allows the non-JHU provider to disclose PHI to you for the purposes of research involving that subject. Answer: The extent to which HIPAA applies to international research is currently a matter of debate; however, once identifiable health information is received by a covered entity, that information becomes PHI with a narrow exception for overseas foreign nationals receiving health care from US agencies.
This means that when a researcher sends identified health information collected internationally across a JHM network or stores such information on a JHM computer or server, the information becomes PHI. Because HIPAA concepts can be difficult to translate in international studies, researchers have several options. Another option, where cultural barriers are significant, is to request permission to exclude HIPAA language from the consent form and process. This may be most appropriate where no data will be transferred to the U.
Your email address will not be published. Closer to Home: Hybrid Entities Similarly, research conducted within a hybrid entity qualifies for the HIPAA Exemption only when it is conducted completely within the covered component s. Researchers who want to take advantage of the HIPAA Exemption should ensure that all members of the study team are part of a covered entity. Need help? Check out this Covered Entity Guidance Tool. Secondary research for which consent is not required: Secondary research uses of identifiable private information or identifiable biospecimens, if at least one of the following criteria is met:.
The application of this new exemption — like the application of HIPAA itself — is complex, and without sufficient guidance, research institutions, IRBs, and the general public may have difficulty understanding the circumstances under which the HIPAA Exemption may and may not be relied upon as an exemption from Common Rule requirements.
The adoption of this HIPAA Exemption has been predicated on an understanding that when both HIPAA and the Common Rule apply to specific human subjects research activities, the overlapping regulatory requirements can lead to confusion, duplicative review, and extra burden on the researcher and his or her institution. With limited exceptions for specific issues that are not the primary focus of this guidance, such as de-identified data sets, limited data sets, or review of information preparatory to research, the HIPAA Privacy Rule requires a covered entity, before utilizing PHI for research purposes, either i to secure a written authorization from an individual that gives the researcher permission to use or disclose PHI for the purposes described in the authorization, or ii to have the written authorization requirement waived or altered by an IRB or Privacy Board.
The three criteria for approving a waiver or alteration of authorization are as follows:. A The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:. B The research could not practicably be conducted without the waiver or alteration; and. The most common form of identifiable information likely to be covered by this exemption is identifiable health information found in existing clinical or research records e.
Investigators seeking to collect information directly from research subjects by asking them to complete a health information questionnaire would not be covered by the exemption, as that activity would be considered primary collection of information. This provision introduces a clearer distinction between when the Common Rule and the HIPAA Privacy Rule apply to research in order to avoid duplication of regulatory burden. We believe that the HIPAA protections are adequate for this type of research, and that it is unduly burdensome and confusing to require applying the protections of both HIPAA and an additional set of protections.
One of the main ramifications of the shift toward use of the HIPAA Exemption for such studies is that research administration and staff or less optimally, researchers themselves will often be responsible for determining whether a research project qualifies for the HIPAA Exemption. If they conclude that a particular project does so qualify, there would no longer be an IRB reviewing the study and confirming that the research team is correct in concluding that the HIPAA Exemption is being utilized appropriately.
To ensure that such decisions are made in a legally and ethically appropriate fashion, research institutions will need to provide training and to develop policies and procedures to ensure that researchers seeking to utilize the HIPAA Exemption will be offered guidance from institutional officials regarding appropriate use of the exemption and will be monitored appropriately in their use of it.
Additionally, for the situations in which a research project would need to rely upon a HIPAA waiver or alternation of authorization as opposed to an express HIPAA authorization to qualify for the HIPAA Exemption, IRBs or Privacy Boards depending on the institution will play an important role in examining and determining that the uses of the identifiable information contemplated by the secondary research project will involve no more than a minimal risk to the privacy of individuals and that the research could not practicably be conducted without the waiver or alteration, criteria that are required to be satisfied under the HIPAA Privacy Rule.
The law gave the U. Department of Health and Human Services the responsibility of adopting rules to help patients and other health care consumers keep as much of their personal information private as possible. The HIPAA privacy rule applies to "covered entities", and even though employers are generally not covered entities, they are definitely affected by the rules applying to entities that are covered.
This article presents basic information about the HIPAA privacy rule in question and answer format and is specifically focused on the most important things that employers need to know about how the privacy rule will affect them.
The rule protects from unauthorized disclosure any personally-identifiable health information protected health information, or PHI that pertains to a consumer of health care services. Health information is considered to be personally identifiable if it relates to a specifically identifiable individual; under 45 C. The privacy rule applies to health plans, health care clearinghouses, and health care providers.
It applies to employers only to the extent that they somehow operate in one or more of those capacities.
0コメント