HIPAA training is required for all people dealing with patient data.
HIPAA applies to Health Plans, Health Care Providers, and any "Business Associates".
HIPAA protects information that is
- Created/maintained/transmitted/received by a covered entity or business associate
- Identifies an individual
- Relates to the individual's mental or physical health, or payment of health care, or provision of health care to the individual.
Information that is protected is called "Protected Health Information" or PHI.
PHI does not include:
- any information about a patient who has been deceased for more than 50 years.
- information held in employment records
- information held by an educational institution about a student (but still subject to FERPA).
HIPAA does not replace state laws. More stringent state laws do apply.
PHI is subject to
- Federal policy for protection of human subjects (known as the "Common Rule")
- FDA's protection of Human Subjects Regulation
- University IRB policies and procedures.
HIPAA allows use of PHI for research if
- The research participant has signed an authorization
- An IRB has waived or altered the requirement for a signed authorization
- The research is solely on decedents
- The review of PHI is necessary to develop a protocol
- The PHI is part of a "Limited Data Set" and is subject to a "Data Use Agreement"
- The PHI is "De-Identified" as set forth in HIPAA
To create a "Limited Data Set" you must remove:
- Names, addresses, SSN, MRNs, Beneficiary account number, Account numbers, face images, ...
Limited Data Sets must be subject to a "Data Use Agreement". The UMN IRB has its own form of Data Use Agreement on its website. Any other agreement must be approved by the IRB.
To create a "de-identified" data set you must remove: Addresses, names, etc...
PHI may be used or disclosed without the individual's authorization when:
- providing treatment to the patient
- arranging for, requesting or receiving payment for a treatment
- Health Care Operations
Do not discuss PHI or leave files with PHI in public areas. Encrypt PHI whenever possible. Do not review PHI of others unless you have a business need to do so.
If you see a violation of PHI, you can call 612-624-7447, file it with UReport, or send an email to email@example.com or firstname.lastname@example.org.
Requests for the use of UMN health data for research must be directed through the "Clinical and Translational Science Institute's data access and informatics consulting group (CTSI)".