HIPAA regs require firm policies, documentation
July 1, 2006 4 minutes read
HIPAA regs require firm policies, documentation
Train everyone in a health care system
IRBs and research organizations continue to iron out privacy policies and details 10 years after a law was passed to require health care organizations to adhere to federal privacy rules under the Health Insurance Portability & Accountability Act (HIPAA) of 1996.
For some institutions, it's worked best to have a separate privacy committee and a separate privacy document for subjects to sign. For others, the IRB and the research informed consent form serve a dual purpose.
As IRBs continue to look for ways to improve their HIPAA compliance, two experts offer a look at a best practice model, which includes strict standards on documentation, waivers of authorization, and other issues.
"Everyone was concerned about HIPAA when it first came out, and researchers are still concerned because there are extra steps they have to go through, and everyone is learning to live with that," says Lori Coleman, MBA, division ethics and compliance officer and HIPAA privacy official in two divisions of the Hospital Corporation of America (HCA) in Denver.
"Hospitals have always been in the business of protecting patients' privacy, so we made a set of rules to tweak our policies and procedures to cover the HIPAA mandate," says Linda Mullins, ethics and compliance officer at Sunrise Hospital and Medical Center in Las Vegas. Sunrise is part of the HCA health system.
Some of the changes that occurred post-HIPAA included increased audits, better patient education, and waivers required of investigators, they say.
"We made sure we were conducting regular audits and addressing any issues we found that violated HIPAA rules," Coleman says
After HIPAA, patients were savvier about how their private health information was used, and nurses and other staff had to begin having conversations about privacy, Coleman says.
"For principal investigators, what has changed is when they are required to get a waiver of authorization from either the IRB or a privacy board versus when they can automatically gather that information," Coleman says.
"Before HIPAA, we were gathering statistics and those sorts of things, but we didn't see those as research," Coleman says. "But now HIPAA says that if it involves patient information, it is research, except if it's for performance purposes within the hospital and it's considered quality improvement and is not subject to HIPAA."
Any time a researcher plans to use patient data for the purposes of publishing it as research, it's considered research and is governed by an IRB or privacy board, Coleman adds.
Even pre-HIPAA, patients signed a release about information in medical files so the information could be used for research, Mullins notes.
Now, research informed consent and HIPAA authorization to release information has been combined, which is different from what happens with non-research patients, who sign separate consent and authorization forms, Mullins says.
Here are HCA's best practices and policies and procedures regarding HIPAA and privacy:
1. Define HIPAA elements.
Research purposes are included on the HIPAA list of private health information uses and disclosures that must be tracked and documented. The rule specifically states, "Research purposes where a waiver of authorization was provided by the Institutional Review Board or preparatory reviews for research purposes."
This means that to use protected health information, an investigator must seek a waiver by an IRB or a privacy board.
"We use our IRB as our privacy board," Coleman says.
The waiver requires that the research involves no more than minimal risk for privacy of the individual, that the research could not be practically conducted without the waiver, and that the research could not be practically conducted without access to the protected health information, Coleman explains.
The IRB rarely approves waiver of authorization for research purposes because most of the time it is practical to get the patient's authorization, Coleman says.
"We try to give de-identified information as much as possible, and that eliminates the need for accounting of disclosure," Coleman says. "You can de-identify if you remove 18 elements."
2. Write policy about patient privacy and accounting of disclosures.
HCA has a 13-page policy about patient privacy and accounting of disclosures. The policy provides details about every type of disclosure, including waiver of authorization for research.
3. Enact rules about sharing information and educate staff.
"We have the expectation that anything with electronic information has an extra layer of security," Mullins says. "If it's sent outside our network, it has to be encrypted, and we shred all paper documents that have any type of protected health information on those documents."
There should be security for all laptops that connect to the network, Mullins adds.
"Our patient information is stored on our network, so the physician or the user of the laptop would have to log in, and our network is protected by a firewall," she explains.
The policy requires sponsors to be compliant with HIPAA privacy and security standards, as well, Mullins says.
The health care system has had to educate everyone who handles private health information, including everyone from infectious disease nurses to risk management department to the emergency room department, Coleman says.
"All of those areas have to be aware of what needs to be accounted for so hospitals can have those departments enter information themselves," Coleman says.
"We required all 3,000-plus employees and agency personnel to train on our HIPAA privacy information," Mullins says. "Everyone is required to learn our policies."
Mullins also led educational classes for physicians to explain how the privacy rule worked and what was expected of physicians, and now the same training is included in orientation and annual review curriculum.
IRBs and research organizations continue to iron out privacy policies and details 10 years after a law was passed to require health care organizations to adhere to federal privacy rules under the Health Insurance Portability & Accountability Act (HIPAA) of 1996.You have reached your article limit for the month. Subscribe now to access this article plus other member-only content.
- Award-winning Medical Content
- Latest Advances & Development in Medicine
- Unbiased Content