1. Privacy and Confidentiality in Clinical Research
BY
HEMANG PATEL
YOGESH PATEL
JAIMIN PATEL
TEJAS GOSWAMI
ICRI- AHMEDABAD MSc. CT & CR (2011-13)
2. “Whatsoever things I see or hear, in my attendance on the sick or even apart therefrom, which on no account one must spread abroad, I will keep to myself holding such things as sacred secrets.”
- Hippocratic Oath, 4th Century, B.C.E.
3. Privacy is the desire of a person to control the disclosure of personal health information.
The federal regulations define ‘private information’ as “information about behaviour that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public.”
4. Confidentiality has been defined as maintaining the security of information elicited from an individual in the privileged circumstances of a professional relationship.
5. The delicate balance between all employee's, physician's and volunteer's need to know and the patient's right to privacy is at the heart of HIPAA – Privacy.
7. It helps establish trust between the research participant and the researcher.
It reduces worry on the part of the individual.
It maintains the participant's dignity.
The participant feels respected.
It gives the participant control and promotes autonomy.
8. Privacy applies to the person:
o The way potential participants are identified and contacted
o The setting in which potential participants will interact with the researcher team and who is present during research procedures
o The methods used to collect information about participants
o The type of information being collected
o Access to the minimum amount of information necessary to conduct the research
Confidentiality applies to the data:
o An extension of privacy
o Pertains to identifiable data
o An agreement about maintenance of, and who has access to, identifiable data
o What procedures will be put in place to ensure that only authorized individuals will have access to the information, and limitations (if any) to these confidentiality procedures
o In regards to HIPAA, protection of patients from inappropriate disclosures of Protected Health Information (PHI)
9. Title 45, Part 46 of the Code of Federal Regulations (45 CFR 46) is also known as the Common Rule.
The Common Rule is clear that these data need to be protected: data obtained through intervention/interaction with the individual, or identifiable private information.
Protecting data is the key to protecting privacy.
10. The Food and Drug Administration (FDA) requires statements in the Informed Consent Form:
that describe the extent to which confidentiality of records that can identify the participant in the research will be maintained, and
that inform the participant that the FDA may view the research records.
11. Certificates of Confidentiality (CoCs), issued by the National Institutes of Health (NIH), allow the researcher to refuse to disclose identifying information on research participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level, unless the participant consents.
12. The U.S. Federal government passed a law in 1996 that created national standards to protect patient medical records and other personal health information.
This Federal legislation is called the Health Insurance Portability and Accountability Act (HIPAA).
13. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that specifies administrative simplification provisions that:
Protect the privacy of patient information
Provide for electronic and physical security of patient health information
Require “minimum necessary” use and disclosure
Specify patient rights to approve the access and use of their medical information
14. At the completion of this study packet, the participant will:
• Have a basic understanding of HIPAA Privacy Standards
• Be able to provide examples of patient privacy protection
• Be able to define Protected Health Information (PHI)
• Have a basic understanding of the role of the Facility Privacy
Official (FPO)
15. 1996 - In Tampa, a public health worker sent to two newspapers a computer disk containing the names of 4,000 people who tested positive for HIV.
2000 - Darryl Strawberry's medical records from a visit to a New York hospital were reviewed 365 times. An audit determined that less than 3% of those reviewing his records had even a remote connection to his care.
2001 - An e-mail was sent out to the members of a Prozac informational listserv revealing the identities of other Prozac users.
16. Theft of Patient Data
Identity theft
Stolen laptop
Loss of Patient Data
Incorrect disposal of documents
Portable devices increase the possibility of data loss
Misuse of Patient Data
Privacy Breach
17. HIPAA guarantees these rights to patients:
Right to privacy
Right to confidential use of protected health information (PHI) for treatment, billing, and other health care operations (such as quality improvement)
Right to access and amend their health information upon request
18. Right to provide specific authorization for use of their health information other than for treatment, billing and other operations.
Right to have their name withheld from patient directories (having their name not listed as being present in a facility other than for treatment, billing, and other operations).
Right to request that information concerning their care is not released to specific individuals.
Right to request that specific individuals are not told of their presence in a facility.
19. Every patient should receive a document called a Notice and be asked to sign an Authorization.
This Notice gives patients:
Information about their rights.
A description of how their PHI may be used by the facility.
A comprehensive list of others to whom their health information may be disclosed.
The Notice must be given to the patient on the first treatment date or as soon as is practical in an emergent situation.
20. Continued
An Authorization is a form signed by the patient for use and disclosure of specific PHI that is not related to treatment, payment, or health care operations.
There are some uses and disclosures where an authorization is not required.
When in doubt about information for which a signed authorization is required….
~ Please ASK your instructor ~
21. o Every health care organization is expected to develop policies and procedures to guide HIPAA practices within their facility.
o Every person who provides care or assistance to patients in that facility is expected to understand and comply with HIPAA regulations. It is essential that all patient health information be kept confidential.
o Organizations or individuals that violate HIPAA rules are subject to monetary fines (up to $250,000!) and civil or criminal charges (up to 10 years in jail!).
o Failure to comply may also:
o hurt the reputation of the facility
o put accreditation at risk
o result in costly lawsuits
22. Patients have the right to register complaints
with Federal agencies and with the facility if they
feel their rights have been violated.
Every facility has a Privacy Officer who is
responsible for overseeing HIPAA
implementation.
If you are uncertain about what information may
be given out, talk to your instructor, a nurse on
the unit where you are assigned, or contact the
Privacy Officer.
23. One of the biggest threats to patient privacy is
UNINTENTIONAL disclosure of information ~
Examples include:
Discussing patient information where other
patients, visitors or staff may overhear ~ such as in
elevators, hallways, dining facilities, or other common
areas.
Leaving sensitive information in a location where
patients or visitors could possibly see it.
24. Continued
Another threat to patient privacy is when a staff member intentionally uses or discloses information in an unauthorized way:
Copying information and taking it home
Removing medical records and giving them to those with no legal right of possession
Deliberately sharing information with unauthorized persons (family members, friends, colleagues, news reporters, etc.)
Using confidential information to gossip about patients
Leaving a computer unattended after logging in to an application
25. Continued
Always be cognizant of:
• Where you are
• Who is around you
• What information can be seen or heard
• How you can “minimize possible incidental
disclosure to others”
You must ensure that PHI is only shared:
• With those who need to know
• At the minimum level necessary
26. Continued
As a Nurse:
• Don't browse through patient charts or files out of curiosity
• Access only the portions of the medical record that you need to perform your role as a student nurse
It is essential that everyone with access to PHI be
aware of what is going on in their surroundings.
27. 1. User ID or Log-In Name (aka. User Access Controls)
2. Passwords
3. Workstation Security
4. Portable Device Security – USB, Laptops
5. Data Management, e.g., back-up, archive, restore.
6. Remote Access - VPN
7. Recycling Electronic Media & Computers
8. E-Mail
9. Safe Internet Use (viruses)
10. Reporting Security Incidents / Breach
28. Laptop and File Encryption:
o WinZip (password protect + encrypt)
o 7-Zip (free, password protect + encrypt)
o TrueCrypt (free, complete folder encryption)
o FileVault (folder encryption on Macintosh)
Encrypted USB Drives:
Kingston DataTraveler
IronKey (fully encrypted)
29. Sharing Passwords
– You are responsible for your password. If you shared your password, you will be disciplined even if the other person does no inappropriate access.
Not signing off systems
– You are responsible and will be disciplined if another person uses your 'not-signed-off' system and application.
30. Continued
Sending EPHI outside the institution without encryption
– Under HITECH you may be personally liable for losing EPHI data.
Losing a PDA or laptop in transit with unencrypted PHI or PII
– Under HITECH and NY State SSN laws, you may be personally liable, and you will be disciplined for loss of PHI or PII.
31. Study on Data Breaches (Nov 2007) – breach causes by share:
Lost laptop/Device 48%
Third Party/Outsourcer 16%
Malicious insider 9%
Paper records 9%
Electronic backup 7%
Hacked system 5%
Malicious code 4%
Undisclosed 2%
32. This section explains:
• What information must be protected
• PHI identifiers
• The Notice of Privacy Practices (NOPP) for PHI
• Purposes other than Treatment, Payment, or
Operations (TPO)
• Examples of TPO
• Exceptions to the “Minimum Necessary” standard
• When you should view, use, or share PHI
33. You must protect an individual's PHI which is collected or created as a consequence of a health care provision.
PHI:
Is information related to a patient's past, present or future physical and/or mental health or condition
Can be in any form: written, spoken, or electronic (including video, photographs, and x-rays)
Includes at least one of the 18 personal identifiers in association with health information
34. continue….
These rules apply to you when you
view, use, and share PHI
Any health information with identifiers (on the
following page) is Protected Health
Information (PHI)
35. The 18 Identifiers defined by HIPAA are:
Name
Medical record number
Postal address
Health plan beneficiary #
All elements of dates except year
Telephone number
Fax number
Email address
URL address
IP address
Social security number
Account numbers
License numbers
Device identifiers and their serial numbers
Vehicle identifiers and serial number
Biometric identifiers (finger and voice prints)
Full face photos and other comparable images
Any other unique identifying number, code, or characteristic
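As an added example (not part of the original slides), a small Safe Harbor scrubber in Python that handles the machine-recognisable identifier classes from this list and reduces dates to the year, as the rule requires. Names and free-text postal addresses are assumed to need a structured field map or a clinical NLP tool and are not handled here; the sample record is constructed.

```python
import re

# Constructed sample record (not real patient data) containing several of the
# 18 HIPAA Safe Harbor identifier classes listed on the slide.
SAMPLE_RECORD = (
    "Patient John Doe, MRN 00123456, DOB 1975-03-14, admitted 2012-11-02. "
    "Phone 555-867-5309, email jdoe@example.org, SSN 123-45-6789, "
    "chart viewed from 10.1.2.3 via https://portal.example.org/chart/42 "
    "on 2012-11-03."
)

# Regex rules for identifier classes that are recognisable in free text.
# Order matters: the URL rule runs before EMAIL/IP so a URL is redacted whole.
# Dates are reduced to the year, which Safe Harbor permits to remain.
# Assumption: MRNs appear as the literal prefix "MRN" followed by digits.
RULES = [
    ("URL",   re.compile(r"https?://\S+"),                 "[URL]"),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),  "[EMAIL]"),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          "[SSN]"),
    ("PHONE", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),    "[PHONE]"),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),   "[IP]"),
    ("MRN",   re.compile(r"\bMRN\s*\d+\b"),                  "MRN [MRN]"),
    ("DATE",  re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"),       r"\1"),
]


def find_identifiers(text):
    """Return the labels of every identifier class present in the text.
    A non-empty result on health data means the text is PHI."""
    return [label for label, pattern, _ in RULES if pattern.search(text)]


def deidentify_text(text):
    """Apply the Safe Harbor rules in order.
    Returns the scrubbed text and a count of replacements per class."""
    counts = {}
    for label, pattern, repl in RULES:
        text, n = pattern.subn(repl, text)
        if n:
            counts[label] = n
    return text, counts


if __name__ == "__main__":
    scrubbed, counts = deidentify_text(SAMPLE_RECORD)
    print(scrubbed)
    print(counts)
    # A residual scan of the output is the check a reviewer would want:
    # any identifier still found means the redaction failed.
    print("residual identifiers:", find_identifiers(scrubbed))
```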
36. The Notice of Privacy Practices (NOPP) allows PHI to be used and disclosed for purposes of TPO: Treatment (T), Payment (P), Operations (O).
TPO includes teaching, medical staff/peer review, legal, auditing, customer service, business management, and releases mandated by law.
39. Patients have the right to:
Request restrictions on release of their PHI
Receive confidential communications
Inspect and copy medical records (access)
Request amendment to medical records
Make a complaint
Receive an accounting of any external releases.
Obtain a paper copy of the Notice of Privacy
Practices on request
40. Written Authorization is required to release medical information.
A physician or care team may share information with a referring physician without an authorization (“patient in common”).
All legal requests for release of information should be forwarded to the HIPAA Compliance Office for review.
41. “Good Clinical Practice (GCP) is an international ethical and scientific quality standard for designing, conducting, recording and reporting trials that involve the participation of human subjects. Compliance with this standard provides public assurance that the rights, safety and well-being of trial subjects are protected, consistent with the principles that have their origin in the Declaration of Helsinki, and that the clinical trial data are credible.”
ICH HARMONISED TRIPARTITE GUIDELINE, GUIDELINE FOR GOOD CLINICAL PRACTICE, E6
(http://www.ich.org/LOB/media/MEDIA482.pdf)
42. Department of Health and Human Services (HHS)
FDA Regulated – 21 Code of Federal Regulations (CFR):
21 CFR Part 50: Human Subject Protection
21 CFR Part 54: Financial Disclosure
21 CFR Part 56: Institutional Review Boards
21 CFR Part 312: Investigational New Drug Application
21 CFR Parts 803, 812: Devices
Federally Funded – 45 CFR 46, “Common Rule”:
The Federal Policy for the protection of human subjects, codified by a number of federal agencies.
45 CFR 46 subpart B: Protection for Pregnant Women, Human Fetuses & Neonates
45 CFR 46 subpart C: Protection for Prisoners
45 CFR 46 subpart D: Protection for Children
• Health Insurance Portability and Accountability Act (HIPAA) – Office of Civil Rights
• National Coverage Decision (NCD) – Office of Inspector General (OIG)
• VA Policies & Procedures
43. PATIENT PRIVACY
At some point in our lives we will all be a patient.
Treat all information as though it were your own.