Columbia University Health Sciences: Research under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA")
Dec 19, 2015
HIPAA has two parts: Insurance Reform (Portability) and Administrative Simplification (Accountability).
HIPAA Overview
• Transactions, Code Sets & Identifiers: compliance dates 10/16/2002 and 10/16/2003
• Privacy: compliance date 4/14/2003
• Security: compliance date 4/20/2005
Health Insurance Portability and Accountability Act (HIPAA)
PRIVACY vs. SECURITY
• PRIVACY refers to WHAT is protected: health information about an individual, and the determination of WHO is permitted to use, disclose, or access that information.
• SECURITY refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and from accidental or intentional destruction or loss.
PRIVACY: WHAT does the Privacy Rule COVER?
• Protected Health Information (PHI) = individually identifiable (patient) information relating to the past, present or future health condition of the individual
• ALL such information, whether maintained in electronic, paper or oral format
PRIVACY: WHAT does the Privacy Rule MEAN?
• Limits the Use and Disclosure of PHI: most uses or disclosures outside of treatment, payment, or health care operations require actual patient authorization or an exception to authorization (e.g., research)
• Establishes the individual's (patient's) right to control access to and use of PHI: the right to inspect or copy PHI, the right to amend incorrect information, etc.
PRIVACY: WHAT does the Privacy Rule MEAN? (cont'd)
• Balances health information protection and individual rights against public health and safety needs
• Administrative requirements: Privacy Officer; Privacy Board to review research; Notice; Training & Sanctions; Safeguards; Policies & Procedures
RASCAL HIPAA Forms
Human subjects research using identifiable health information must meet one of the following criteria:
• Form A) HIPAA Clinical Research Authorization (also available in a Spanish version)
• Form B) HIPAA Application for Waiver of Authorization
• Form C) Request for Recruitment Waiver of Authorization
• Form D) Investigator's Certification for Reviews Preparatory to Research
• Form E) Investigator's Certification for Research with Decedents' Information
• Form F) Data Use Agreement for Disclosure of a Limited Data Set for Research Purposes
• Form G) Investigator's Certification for Research with De-Identified Data
HIPAA and Research
• HIPAA mandates that a Privacy Board ensure institutional compliance with HIPAA
• The Privacy Board function can be administered by an IRB or as a separate function
• For research involving human subjects at CUMC, this function is fulfilled by a Privacy Board separate from the IRB; it meets every two weeks
HIPAA and Research: the Privacy Board's three routes
• Authorization signed by the patient for all clinical research
• Waiver criteria applied before records research
• Exceptions: preparatory to research; decedent; de-identified; limited data set
HIPAA Authorization
Patient authorization elements:
• The information
• Who may use or disclose the information
• Who may receive the information
• Purpose of the use or disclosure
• Expiration date or event
• Individual's signature and date
• Right to revoke authorization
• Right to refuse to sign authorization
• Redisclosure statement
HIPAA Authorization
• The information: relates to the "minimum necessary" standard (we will use only the PHI we need for the research)
• Who may use or disclose the information: "the PI and the research team"
• Who may receive the information: the sponsor/CRO/central labs/etc.
HIPAA Authorization
• Purpose of the use or disclosure: short description of the research
• Expiration date or event: "end of study"; "never" for databases
• Individual's signature and date: the subject must receive a signed copy; the authorization must be retained for 6 years
HIPAA Authorization
• Right to revoke authorization: revocation must be made in writing; reliance exception (the covered entity may continue to use PHI it already collected in reliance on the authorization before the revocation)
• Right to refuse to sign authorization: if refusal is exercised, research-related treatment can be withheld; note that you cannot, as a provider, condition the signing of an authorization for research on the provision of non-research-related treatment
• Redisclosures not protected: statement that redisclosures may happen and that the subject's PHI would then no longer be protected by the Privacy Rule
Problem areas
• Creation of research databases from treatment encounters
• Compound authorizations not permitted, e.g., to build a research database and to do specific research from that database
• Future unspecified research cannot be authorized; a particular problem with sponsor-requested language
• Patients' general right to their health information: does this extend to research-related treatment?
HIPAA Waiver of Authorization
• Most likely to be used in cases of research involving retrospective chart reviews
• The IRB/Privacy Board may also waive authorization to allow use of PHI by third parties to recruit study subjects; no waiver or authorization is needed for a researcher to recruit his or her own patients into a clinical trial
HIPAA Waiver Criteria
A waiver requires IRB/Privacy Board approval and documentation of three (3) waiver criteria:
1. The use or disclosure involves no more than minimal risk to the privacy of the subject, based on, at least:
   • an adequate plan to protect the information from improper use and disclosure;
   • an adequate plan to destroy identifiers; and
   • written assurances that the PHI will not be disclosed further than as set forth in the waiver
2. The research could not practicably be conducted without the waiver or alteration
3. The research could not practicably be conducted without access to and use of the PHI
Waiver problem areas
• Case studies (generally not research): must be de-identified
• Studies with a limited number of subjects
• Your research involves the disclosure of health information which the patient has to authorize, e.g., HIV status
• You are requesting a waiver for research where the Privacy Board believes you have ample opportunity to get actual authorization, e.g., research database creation
Recruitment Issues
• A PI who is also the subject's MD may contact his/her patients directly about research
• IRB-approved recruitment letters are OK; they should be signed by the treating MD (active versus passive consent)
• IRB-approved advertisements: subjects call the investigator or a screening service
• Not OK: recruiting out of waiting rooms; investigators with no relationship calling patients directly
Authorization and Waiver exceptions
There can be no disclosure of PHI to researchers from CU or NYPH without authorization or waiver unless:
1. The disclosure is for preparatory research, i.e., to assess the feasibility of research, formulate a research hypothesis, or define a recruitment cohort; or
2. An exception applies, e.g., decedent; de-identified; limited data set
Reviews Preparatory to Research
The covered entity (CE) obtains a representation from the researcher that:
• the use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol;
• no protected health information is to be removed from the covered entity by the researcher in the course of the review; and
• the protected health information is necessary for the research purposes.
De-Identified Health Information
1. Information is "de-identified" if it is de-identified in accordance with "generally accepted statistical and scientific principles or methods" (an expert determination)
2. Information is also "de-identified" if all identifiers listed in the "safe harbor" are removed; this safe harbor requires the removal of 18 identifiers, which leaves data of limited use
3. A dummy identifier to facilitate linkage within the CE is permitted, provided the code is not derived from information about the individual and the means of reversing it stay within the CE
Limited Data Set
• Permits identifiers not permitted by the de-identification safe harbor, such as: zip code, town, city & state, date of birth/death, and dates of service
• Benefit: no need for a waiver or authorization if only disclosing a limited data set to a researcher; the accounting-of-disclosures rule does not apply
• Requires a "data use agreement" with the intended recipient
Limited Data Set: authorized for public health, research, and health care operations purposes
1. Public health uses: disease registries maintained by the private sector or universities, or other types of studies for public health purposes
2. Possible health care operations use: a hospital sharing limited data set information with the local hospital association
3. Possible research use: establishment of research databases and repositories
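The two de-identification routes above (safe harbor and limited data set) and the permitted linkage code can be expressed as a record transform. The block below is an added example written for this page; it is not code from the slides or from CUBHIS. The field names, the sample record, and the restricted ZIP3 set are constructed for illustration; the identifier categories follow 45 CFR 164.514(b)(2) (safe harbor, 18 identifiers) and 164.514(e)(2) (limited data set, 16 direct identifiers). It also handles the edge case the slides do not spell out: for a subject over 89, the birth year itself is indicative of age and must go.

```python
"""Safe-harbor de-identification, limited data set, and internal linkage codes.

Added example, not code from the original slides. Field names and the
sample record are constructed. Identifier categories follow
45 CFR 164.514(b)(2) (safe harbor) and 164.514(e)(2) (limited data set).
"""
import secrets

# Direct identifiers removed by BOTH methods (the limited-data-set list).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Safe harbor additionally drops geography below the state level (except the
# first three ZIP digits), all date elements except year, and ages over 89.
SUB_STATE_GEOGRAPHY = {"city", "county"}
DATE_FIELDS = {"dob", "death_date", "admit_date", "discharge_date"}


def safe_harbor(record, restricted_zip3=frozenset()):
    """Copy of record with the safe-harbor identifiers removed.

    restricted_zip3: ZIP3 prefixes whose population is 20,000 or less
    (the real set comes from Census data); these collapse to "000".
    """
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue
        if key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in restricted_zip3 else zip3
        elif key == "age":
            out["age"] = "90+" if over_89 else value
        elif key in DATE_FIELDS:
            if key == "dob" and over_89:
                continue  # even the birth year reveals an age over 89
            out[key] = value[:4]  # keep the year only
        else:
            out[key] = value
    return out


def limited_data_set(record):
    """Remove only the direct identifiers; dates and geography remain."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


class LinkageRegistry:
    """Random re-identification codes; the crosswalk never leaves the CE.

    The code is random rather than derived from the MRN, so it is not itself
    an identifier, and reidentify() is only callable inside the CE.
    """

    def __init__(self, token_factory=lambda: secrets.token_hex(8)):
        self._token_factory = token_factory
        self._by_mrn = {}
        self._by_code = {}

    def code_for(self, mrn):
        if mrn not in self._by_mrn:
            code = self._token_factory()
            while code in self._by_code:  # guard against a collision
                code = self._token_factory()
            self._by_mrn[mrn] = code
            self._by_code[code] = mrn
        return self._by_mrn[mrn]

    def reidentify(self, code):
        return self._by_code.get(code)


def prepare_for_release(record, registry, method="safe_harbor",
                        restricted_zip3=frozenset()):
    """Transform one record and attach the internal linkage code."""
    if method == "safe_harbor":
        out = safe_harbor(record, restricted_zip3)
    elif method == "limited_data_set":
        out = limited_data_set(record)
    else:
        raise ValueError(f"unknown method {method!r}")
    out["link_code"] = registry.code_for(record["mrn"])
    return out


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "mrn": "MRN-00042", "name": "Jane Doe", "street_address": "1 Main St",
    "city": "Albany", "state": "NY", "zip": "12207",
    "dob": "1931-05-17", "age": 94, "admit_date": "2015-11-03",
    "phone": "212-555-0100", "email": "jane@example.org",
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    registry = LinkageRegistry()
    print(prepare_for_release(SAMPLE_RECORD, registry))
    print(prepare_for_release(SAMPLE_RECORD, registry, "limited_data_set"))
```

Two caveats for anyone adapting this: field-name filtering cannot satisfy the eighteenth safe-harbor item ("any other unique identifying number, characteristic, or code") or catch identifiers buried in free-text notes, so a real pipeline must also screen narrative fields; and the limited data set is still PHI, which is why the slides require a data use agreement before it leaves the covered entity.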
HIPAA Security
Soumitra Sengupta, Information Security Officer
Columbia University Biomedical and Health Information Services (CUBHIS)
HIPAA Recap
Health Insurance Portability and Accountability Act (HIPAA), 1996: Administrative Simplification
• Transaction code standards (October 2003)
• Privacy (April 2003)
• Information Security (April 2005)
Definitions
• Protected Health Information (PHI): health or medical information identifiably linked to a specific individual, such as information about their identity (demographic and financial data) and their medical condition and treatment (clinical data)
• Electronic PHI (EPHI): PHI stored on or transmitted via our computers and networks, including CDs, PDAs, tapes, and clinical equipment
Goal of the HIPAA Security regulation: secure EPHI
• Confidentiality: prevent unauthorized access to or release of EPHI; prevent abuse of access (identity theft, gossip)
• Integrity: prevent unauthorized changes to EPHI
• Availability: prevent service disruption due to malicious or accidental actions, or natural disasters
Concepts of Info Security
• Administrative Safeguards: policies and procedures; responsibility; awareness and training; incident processing and sanctions
• Physical Safeguards: workstation use and security; facility access control; device and media control
• Technical Safeguards: access control; audit control; encryption and integrity control
Regulation specification: development of Policies and Procedures
• Information Security Management Process
• Information Access Management & Control
• General Information Security
• Information Security: Audit and Evaluation
• Workstation Use and Security
• Workforce Security: Clearance, Termination and Authorization
• Information Security: Backup, Device & Media Control
• Information Security: Facility Access Control & Security
• Information Security: Disaster Contingency & Recovery Plan
• Information Security: Security Incident Procedure
Action items to compliance: Information Security Best Practices
Infrastructure security
• Computer network and systems security: firewalls, intrusion detection/prevention systems
• Secure remote access: VPN
• Assuring availability: bandwidth restrictions to the Internet
• Anti-virus (Symantec); anti-spyware (Pest Patrol); host integrity check (Tripwire)
• Communication with patients (Relay Health)
Facilities security
• Data centers (planned upgrade)
Action items to compliance
Workforce Security
• Authentication and termination: Columbia UNI, CUMC/NYP LDAP, Weill Cornell LDAP
• Termination feeds from NYP, CU, WC Human Resources, CU Student Information Services, WC Students, Service Corporation, private/temp employees, etc.
• Security incident processing and sanctions
• Others
Action items to compliance
Information Asset Owner responsibility
• Risk assessment and management
   • Tier A (more than 20 users): a Detailed Security Questionnaire and a set of formal documentation about the security of the asset
   • Tier B (less than 20 users): a Limited Security Questionnaire (11 security questions)
• Implementation of security controls
• Audit and evaluation
• Disaster contingency and recovery plan
• Additional information in the policy documents
Responsibility action items
• Report EPHI applications with more than 20 users to us to initiate a rigorous security risk assessment
• For applications with less than 20 users, CUBHIS is scheduling an external agency to conduct security sessions for asset owners, to learn about necessary security methods and to help fill out the limited questionnaire
• CUBHIS is also available for server and workstation management services for assets that need better management ("custodial functions")
Action items
• We will incorporate security training with privacy training; call upon us to discuss HIPAA security with your department.
• All new clinical systems must be technically evaluated and approved by Dr. Randy Barrows Jr., Asst. VP, CUBHIS Clinical Resources. Approval criteria include the HIPAA Security check requirements.
• All EPHI assets are required to be registered.
• We are working with the IRB and Privacy Board to incorporate security checks for research systems. Expect guidance from the IRB about the security of all research, not just EPHI research.
Action items
Manager responsibility
• Workforce clearance, termination and authorization
• Facilities access to sensitive information assets
• Education, security reminders, sanctions
End User responsibility
• "Acceptable Use"
• Safe practices
• Sensitivity towards patient privacy
Consequences of Security Failure
• Disruption of patient care
• Increased cost to the institution
• Legal liability and lawsuits
• Negative publicity
• Identity theft (monetary loss, credit fraud)
• Disciplinary action
Types of Security Failure: Intentional Attacks
• Malicious software (virus, spyware)
• Stolen passwords (keyloggers, Trojans)
• Impostors e-mailing to infect and steal information (phishing)
• Theft (laptop, PDA, CD/USB storage devices, etc.)
• Abuse of privilege (employee/VIP clinical data)
• Theft of copyrighted material (Kazaa)
Types of Security Failure: Employee Carelessness
• Sharing passwords
• Not signing off systems
• Downloading and executing unknown software
• Sending EPHI outside the institution without encryption
• Losing a PDA or laptop in transit
• Pursuing risky behavior: improper web surfing, and instant messaging
• Not questioning, reporting, or challenging suspicious or improper behavior
Methods to Protect against Failures
• Install anti-virus and anti-spyware solutions; install security patches; update definitions daily
• Use caution when viewing web pages and e-mail attachments, and when using games and programs
• Choose strong passwords, refuse to share them, and change them if you suspect a breach
• Protect your laptop or PDA with a password, and turn on encryption for sensitive folders, including copies on CD, floppy, USB storage devices, etc.
Methods to Protect against Failures
• Do not abuse clinical access privilege; report if you observe an abuse (if necessary, anonymously)
• Do not be responsible for another person's abuse by neglecting to sign off; this negligence may easily lead to your suspension and termination
• Do not copy, duplicate, or move EPHI without proper authorization
• Do not email EPHI without encryption to addresses outside the institution
Methods to Protect against Failures
• Strictly follow the principles of "minimum necessary" and "need-to-know" for all accesses; the 3 fundamental missions of the institution are Care, Education and Research.
• Challenge improper behavior, question suspicious behavior, and report violations and security problems to the proper authorities: email [email protected] (columbia.edu) or [email protected] (cumc.columbia.edu), or call the Privacy Office (1-212-305-7315) or the CUBHIS Helpdesk (1-212-305-HELP)
• Communicate with colleagues and staff about secure and ethical behavior
More Information
• Current website: go to http://www.cumc.columbia.edu/cubhis/, select Security, and then CUMC HIPAA
• Email [email protected] (cumc.columbia.edu) or [email protected] (columbia.edu)