HIPAA and Research Compliance: Privacy Rules and Reporting Procedures


Explore the HIPAA Privacy Rule, PHI Identifiers, Minimum Necessary Rule, and reporting requirements for potential privacy incidents in healthcare research. Understand the key principles and guidelines for handling protected health information effectively and responsibly.

  • HIPAA Compliance
  • Privacy Rules
  • Research
  • Reporting Procedures
  • Healthcare


Presentation Transcript


  1. HIPAA and Research Refresher, rev. 2021. Kelsey Williams and Paul Colomb, Compliance and Privacy

  2. 18 PHI Identifiers
     • Name
     • Address (all geographic subdivisions smaller than state, including street address, city, county, and zip code)
     • All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
     • Telephone numbers
     • Fax number
     • Email address
     • Social Security Number
     • Medical record number
     • Health plan beneficiary number
     • Account number
     • Certificate or license number
     • Vehicle identifiers and serial numbers, including license plate numbers
     • Device identifiers and serial numbers
     • Web URL
     • Internet Protocol (IP) Address
     • Finger or voice print
     • Photographic image (photographic images are not limited to images of the face)
     • Any other characteristic that could uniquely identify the individual

  3. HIPAA Privacy General Rule
     A covered entity may not use or disclose protected health information, except as permitted or required.
     • Use: sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that maintains such information.
     • Disclose: release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

  4. Minimum Necessary Rule
     Minimum Necessary is the core principle behind the HIPAA Privacy Regulation. For all uses and disclosures of patient information, follow the minimum necessary rule: access, use, or disclose what you need, and only what you need, to do your job.
     When accessing patient information, ask yourself:
     • Do I have permission to access this information?
     • Do I need this information to perform my job?
     • What exact information do I need to perform my job?
     • Does my co-worker need to know this information? Should I discuss it with them?

  5. Do you know how to report?
     If you suspect that a potential privacy incident has occurred, notify the compliance department immediately at Compliance@Ochsner.org. The compliance department will contact you and begin an internal investigation. When necessary, the compliance department will notify the patient(s) involved and will work to remediate the incident, using education, training, progressive discipline, and other methods in accordance with the institution's sanctions policy.
     **Please refrain from using SOS as a reporting tool for privacy-related incidents.**

  6. Paperwork
     • Most of the breaches that compliance handles involve patient paperwork (e.g., After Visit Summary (AVS) documents).
     • If you see patient paperwork left unattended or in clear view, ask the employee to flip it over, secure it, or shred it if it is no longer needed.
     • Always double-check the names on paperwork before giving it out to patients.

  7. Email, Faxes & HIPAA
     • If you do need to send PHI to an external recipient, it's best to communicate via telephone rather than email.
     • Faxing: be sure that you have the recipient's correct information. Always use a coversheet with your contact information so that recipients can contact you if the fax goes astray.
     • <encrypt> in the subject line will encrypt the email message, but not the subject line itself.
     • Lock the file and provide the password in a separate email.

  8. FairWarning: Relevant Policies
     • Employees should not access other employees' records upon request without a work-related reason. While this is not a HIPAA breach if the employee-patient has given consent, it is against Ochsner policy. Examples: rescheduling appointments, checking on lab results, medication refills, etc.
     • Employees should access their own information through authorized means, such as MyOchsner, contacting the appointment desk or their physician's office, or obtaining a paper copy of their records.
     • Several FairWarning investigations have resulted in breaches because an employee left Epic logged in and unattended, and someone else accessed an employee's record from the unattended workstation.

  9. FairWarning: How does it work?

  10. HIPAA Hints
     • PHI can be shared over the phone, when appropriate: take steps to verify who's on the phone, and document how you verified them.
     • Registration errors can lead to breaches when the wrong patient or guarantor is chosen: clinical information linked to the wrong patient or provider, statements mailed to the wrong person or address, collection calls to patients never seen.

  11. HIPAA Updates COVID-19 Related

  12. HIPAA and Case Studies in Research
     Are case studies research? The answer to this question determines whether case studies are subject to research regulations. The federal definition of research from 45 CFR 46.102(d) is: "Research means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. Activities which meet this definition constitute research for purposes of this policy, whether or not they are conducted or supported under a program which is considered research for other purposes." Based on this definition, a single or even a few case studies in an article is not research by the federal definition.

  13. HIPAA and Case Studies in Research
     Do case studies need IRB approval? IRB approval is not needed for one or a few case studies, because they are not considered research. If you are presenting or publishing one or a few case studies, there is no need to obtain an IRB determination.
     If a larger collection of case studies is compiled together, then it may be Research according to the Common Rule. If you are presenting/publishing more than a few case studies, it would be prudent to receive an IRB exemption determination.

  14. HIPAA and Case Studies in Research
     Although IRB approval is not required, certain HIPAA Privacy Rule requirements apply to the use and disclosure of PHI for a case report:
     • Investigators who remove ALL HIPAA identifiers from the case report data prior to disclosure (e.g., prior to submission of the case report to a journal) do not need to obtain a signed privacy authorization from the subject of the case report. This includes photographs.
     • Investigators who wish to publish a case report that is not completely de-identified to the standards of the HIPAA Privacy Rule (i.e., that contains any direct or indirect identifiers) must first obtain each patient's signed HIPAA-compliant authorization.
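As an added illustration (not part of the slides or of any Ochsner tool), the following Python helper applies the identifier list from slide 2 to a case-report record before the disclosure decision described on slide 14: direct identifiers are dropped, dates are reduced to the year, an exact age over 89 is bucketed, and any identifier left behind means a signed authorization is still required. The record field names and sample values are constructed assumptions.

```python
import re

# Constructed sample case-report record (illustrative only; field names are assumptions).
SAMPLE_RECORD = {
    "name": "J. Doe",
    "mrn": "MRN-0001234",
    "zip": "70121",
    "photo": "face_photo.jpg",
    "admission_date": "2021-03-14",
    "date_of_birth": "1929-05-02",
    "age": 92,
    "diagnosis": "community-acquired pneumonia",
    "notes": "Patient seen 2021-03-14; follow-up scheduled.",
}

# Record fields holding direct identifiers from the 18-item list; dropped entirely.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "zip", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account", "license", "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
}
# Date fields related to the individual: only the year may remain.
DATE_FIELDS = {"admission_date", "discharge_date", "date_of_birth", "date_of_death"}
FULL_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")  # ISO dates embedded in free text

def safe_harbor_deidentify(record: dict) -> dict:
    # Return a copy with every listed identifier removed or reduced.
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # drop the field outright
        if key in DATE_FIELDS:
            out[key] = str(value)[:4]                  # keep the year only
        elif key == "age":
            out[key] = "90+" if int(value) > 89 else value   # exact age over 89 identifies
        elif isinstance(value, str):
            out[key] = FULL_DATE.sub(r"\1", value)     # reduce dates inside notes to the year
        else:
            out[key] = value
    return out

def needs_authorization(record: dict) -> bool:
    # Slide 14 rule: any remaining identifier means a signed authorization is required.
    return any(
        key in DIRECT_IDENTIFIER_FIELDS
        or (key in DATE_FIELDS and not re.fullmatch(r"\d{4}", str(value)))
        or (key == "age" and isinstance(value, int) and value > 89)
        or (isinstance(value, str) and FULL_DATE.search(value) is not None)
        for key, value in record.items()
    )
```

Free-text fields such as notes are where identifiers most often survive a field-level scrub, so the check scans string values as well as known fields.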

  15. Data Governance and Sharing Committee

  16. DGSC Committee Goals
     • Promote Awareness and Transparency: evaluation of business cases and data scope appropriateness
     • Increase Consistency: establishment of Data Sharing Standards & Best Practices
     • Ensure System Alignment: maintenance of documentation around request details & committee decisions

  17. DGSC Committee Representation*
     IS / CMIO, Data and Analytics, Research, Legal, Compliance, HIM / Coding, Revenue Cycle, OHN, Audit, Quality
     *The Data Governance and Sharing Committee will re-evaluate divisional participation on an ongoing basis.

  18. What should be reviewed by DGSC?
     • Sharing any data with a new 3rd party
     • Sharing new data with an existing 3rd party
     • Allowing a 3rd party new use cases for existing shared data

  19. Questions?
     Compliance & Privacy: compliance@ochsner.org
     Anonymous Compliance Line, Toll Free: 888-273-8442, https://ochsner.ethicspoint.com
     Please visit our site on Ochweb for more information.
