Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) protects against the unauthorized use and disclosure of protected health information (PHI).


Description

HIPAA protects a subset of information called PHI: individually identifiable health information that is created, received, or maintained by a covered entity (or by a business associate acting on its behalf). These protections extend to all people, not just U.S. citizens.

The requirements set by the act apply to any research use of PHI, not only to research carried out by the covered entity's own workforce.

A covered entity is required to appoint a security official that is responsible for maintaining security for systems of record.

Explicit and written authorization is required for any use of PHI in research. The authorization form must be in "plain language" and describe the information that would be disclosed, as well as the purpose of disclosure. An individual can also revoke an authorization at any time, provided the revocation is in writing.

Exemptions

Authorization is not required in a limited set of cases. An Institutional Review Board (IRB) or privacy board can waive or alter the authorization requirement; the waiver must be documented and approved by the board. The activity must fall in one of these categories:

  • research that poses no more than minimal risk to individuals' privacy
    • This is largely an assessment of the plan for protecting and destroying identifiers, and of data governance more broadly
  • activities that are preparatory to research, such as identifying potential subjects
  • research on decedents' information
  • research for which permission was granted before the act's compliance date

Furthermore, if only de-identified data is used, or if only a limited data set is used under a data use agreement, the research is exempt from the authorization requirement. Note that de-identified data is no longer considered PHI.

De-identification must follow one of two methods: "Safe Harbor", the removal of the 18 categories of identifiers enumerated in the Privacy Rule, or "Expert Determination", in which a qualified expert documents that the risk of re-identifying individuals is very small.

Accounting of Disclosures

Individuals can request that an accounting of disclosures be produced for their PHI. This needs to cover all disclosures made in the six years preceding the request.

This does not need to cover:

  • access by the entity's workforce
  • disclosures made with authorization
  • disclosures to an individual about themselves
  • disclosures made as part of a limited data set

Also recall that de-identified data is not PHI.


History

HIPAA is largely attributed to the work of Kassebaum and Kennedy, who introduced the Health Insurance Reform Act in 1995.

With alterations, it was passed as the Health Insurance Portability and Accountability Act in 1996 and signed into law by President Clinton on August 21, 1996.

HHS published the regulations for HIPAA in waves:

  • the final rule for privacy was published in December 2000, with a compliance date of April 14, 2003
  • the final rule for security was published in February 2003, with a compliance date of April 20, 2005; this is the relevant effective date for most research activities
  • the final rule for enforcement was published in February 2006 and became effective later that year on March 16

HIPAA was significantly amended by the HITECH Act in 2009.



UnitedStates/InformationLaw/HealthInsurancePortabilityAndAccountabilityAct (last edited 2024-02-23 21:38:55 by DominicRicottone)