HIPAA (Health Insurance Portability and
Accountability Act 1996).
• HIPPA is the Health Insurance Portability and
Accountability Act of 1996.
• It is a Privacy rule provides Federal Privacy.
• Protection for individually identifiable health
information called Protected Health Information.
REASON FOR ARRIVAL.
•In 2000 many Patients were Diagnosed with Depression.
•They all received free -
SUPPLIES OF ANTI-DEPRESSANTS medication.
•Patient wonder why?
•After Investigation the truth has been disclosed that the
doctors shared patient information with the industries.
HIPAA (1996) OBJECTIVE:-
•The first part "Health Insurance Portability part of the
Act" To ensure that individuals would be able to maintain
their health insurance between jobs.
•The second part of the Act is the "Accountability" portion.
To ensure the security and confidentiality of patient
information/data and mandates uniform standards for
electronic data transmission of administrative and financial
data relating to patient health information
TITLE OF HIPAA:-
•Title 1: Health care access, portability and
•Title II: Administrative simplification.
•Title III: Tax related health provisions.
•Title IV: Application and enforcement of group
health plan requirements.
•Title V: Revenue offsets.
CASES THAT REQUIRE HIPAA
•CASE 1:- A Michigan -based health care system
accidentally posted the medical record of thousand of
subject on the internet.
(Reference-the Ann Arbor News February 10,1999).
•CASE 2:-A Nevada woman who purchased a used
computer discovered that the previous owner of the
computer left a database with the names addresses social
security number and a list of all prescription received by
•Reference New York Times April 4,1997)
NEW REQUIREMENT TO CLINICAL
•Researchers who conduct interventional clinical research have
questioned how the Privacy Rule will affect their research activities.
• Even before the Privacy Rule, of course, physician-investigators
have been concerned about the privacy of the medical and research-
related information of their patients and subjects.
•In fact, many have been required under the Department of Health
and Human Services (HHS) or the Food and Drug Administration
(FDA) Protection of Human Subjects Regulations (45 CFR part 46
or 21 CFR parts 50 and 56, respectively) to take measures to protect
such personal health information from inappropriate use or
•The Privacy Rule permits a covered entity to use or disclose PHI
for research under the following circumstances and conditions:
•If the subject of the PHI has granted specific written permission
through an Authorization that satisfies section 164.508.
• For reviews preparatory to research with representations obtained
from the researcher that satisfy section 164.512(i)(1)(ii) of the
•For research solely on decedents' information with certain
representations and, if requested, documentation obtained from the
researcher that satisfies section 164.512(i)(1)(ii) of the Privacy
HIPPA PRIVACY RULE IMPACT ON
•If the covered entity obtains documentation of an IRB or Privacy
Board's alteration of the Authorization requirement as well as the
•Authorization from the individual.
•If the PHI has been de-identified in accordance with the standards set
by the Privacy Rule at section 164.514(a)-(c) (in which case, the
health information is no longer PHI).
• Under a "grandfathered" informed consent of the Individual to
participate in the research, an IRB waiver of such informed consent.
•HIPAA authorization can be included with informed consent
document or can be separated form the informed consent see
PHI authorization page. Must contain a specific description of
the information to be disclosed including.
•Name of the person or class of person that will receive the
disclosed information e.g. principal investigator.
•Statement that information received by the users may be used
Expiration date or expiration event when authorities may
disclose the information.
•Statement containing a subject's right to revoke their
authorization for discloser.
1. INFORMED CONSENT:
•Statement containing a subject's right to revoke their
authorization for discloser.
•Statement documenting the ability to condition enrollment on
•Statement documenting the possibility that the information may
be re disclosed by recipient (e.g.. To the FDA)..
•Signature of subject and date of the signing of the HIPAA
2.INSTITUTIONAL REVIEW BOARDS
•Where HIPAA requirements are combined with the informed
consent requirements, the entire document needs to be reviewed
by the Institutional Review Board (IRB).
•The Office of Civil Rights as well as the FDA's General
Counsel, as April 7, 2003, had confirmed that IRB approval of
subject authorization for use or disclosure of protected health
information required by the HIPPA privacy rule is only required
if the authorization language is to be part of the IRB-approved
informed consent document for human subjects review.
•In cases where IRBs are not responsible for reviewing, the
HIPAAAuthorization Privacy Board may be formed to
undertake this task.
•Members of privacy boards should have varying backgrounds
and appropriate professional Competence. At least one member
must not be affiliated with the covered entity or research
sponsor. As with the IRB, there must be no conflicts of interest
on a case-by-case basis. A quorum consists of a majority of
•Expedited review by the chairperson or designees is allowed for
the waiver of authorization.
IRB or Privacy Waivers of Authorization
•Three criteria must be met for the IRB or Privacy Board to
waive authorization for research.
•The use or disclosure of protected health information involves
no more than a minimal risk to the privacy of the individual.
•The research could not practicably be done without the
waiver. The research could not practicably be conducted
without access to and use of the protected health information
•The research will not adversely affect privacy rights or
welfare. The privacy risks are reasonable in relation to
anticipated benefits and the importance of the knowledge of
the clinical results.
Waiver of a Research Database.
•Research database using protected health information may
be created by a non covered entity without individuals'
•Documentation must be obtained from the IRB or the
Privacy Board that the specified waiver Criteria were
•Similarly, existing databases or repositories created prior
to the April 14, 2003, compliance data can be disclosed for
research either with individual authorizations or with a
waiver from either the IRB or the Privacy Board.
•Approval from both the IRB and the Privacy Board is not
required for the covered entity.
•The covered entity's workforce can use protected health information
to identify and contact prospective research subjects
•The covered entity's health care provider can discuss the enrollment
in a clinical trial with a potential subject before authorization is
completed or there has been an Institutional Review Board or Privacy
Board waiver of authorization.
• A clinician may use or disclose the PHI if such information is being
used to treat the subject or using an experimental treatment that may
benefit a subject.
•However, at no time can the research health care provider remove
the protected data from the covered entity's site according to the
•If a researcher is not employed by the covered entity, the researcher can still have
access to the protected information as a result of a partial waiver of individual
authorization by an IRB or Privacy Board.
•If a CRO wishes to use a physician's records to recruit patients, the study's
principal investigator should seek a partial waiver of HIPAA authorization from
the institutional review board. (The Privacy Rule waiver criteria are found at 45
•This waiver, if granted, will apply to the CRO's use of PHI in recruitment. Written
HIPAA authorization and informed consent will still be required to enroll a patient
in the actual clinical trial.
•Although not a HIPAA Requirement, Physicians concerned about patients' privacy
expectations should consider limiting recruitment to calls placed by the physician
(or office staff), letters signed by the physician, and brochures in the waiting room
instructing interested patients to contact the CRO conducting the study.
• HIPAA is the federal Health Insurance Portability and
•It consists of a set of standards that provide:-
prescriptive guidance for securing and protecting PHI.
• HIPAA provides standards for:-
•General Rules Administrative
• Physical, and Technical Safeguards .
•Policies and Procedures Documentation Requirements.
•New Drug Approval Process, forth edition
Accelelerating Global Registration Edited by Richard A
Guarino M.D Published by Marcel Dekker, INC Page no
• Clinical Research and the HIPAA Privacy Rule.
•Department Of Health and Human Services. USA Nh
Publication Number04-5495 February 2004.
•HIPAA Informed Concent/authorization form
• Privacy regulation (http://www.hhs.gov/ocr/hipaa/.)