HIPAA ClinicalResearch

This document provides an overview of the key aspects of HIPAA privacy and security rules for protecting patient health information. It discusses patient rights, key terms like protected health information and covered entities, and general rules regarding uses of patient information.

Uploaded by Juan Jo

Are you in the correct place?

This is a training module on the HIPAA Privacy and Security rules.
• Did you access this module through MLearning?
– If yes: Continue with this module
– If not: If you are associated with UMHS (University of Michigan Health System), and did NOT access this course through MLearning, you will not get credit unless you log into MLearning and enroll in the course. Log into MLearning, search for “HIPAA” and enroll in course PRIV-10012, HIPAA for Clinicians & Non-clinicians with Research Responsibilities.
• If you DID access this through MLearning OR you are NOT associated with UMHS, continue with this module.
HIPAA Learning Module: Basic

HIPAA
Privacy and Security Rules…
For Clinicians and Non-Clinicians Involved in Research
University of Michigan
Updated 09/23/2013
Our Commitment to Privacy
• The University of Michigan and the University of
Michigan Health System are committed to protecting the
privacy and integrity of our patients’ health information.
• The HIPAA Privacy and Security Rules recognize the
importance and value of this commitment.
• Protecting Patient Health Information is the responsibility
of all of us.

Learning Objectives
• Key things for you to know:
– Just Ask! Check with your supervisor or the UMHS Compliance Office whenever you have a question or concern
– HIPAA key terms and general rules you can apply
– When you can share patient information and when there are limits to what can be used or shared
– UMHS’ Notice of Privacy Practices (NPP) explains patients’ rights regarding the use of their health information
– Your role in protecting patient information stored electronically
Reporting Concerns
• Report through Supervisor/Manager
• Otherwise, Compliance Office:
– By Phone: 615-4400
– By Email: Compliance-Group@med.umich.edu
– Website: http://www.med.umich.edu/compliance/index.htm
• Anonymous Compliance Hotline or Online Reporting:
– Phone: (866) 990-0111
– Online Reporting: http://www.tnwinc.com/WebReport/

Not sure? …Report it anyway.
Too late? …Report it anyway.
Already told us? …Report it again!
You cannot be retaliated against for reporting a concern in good faith!
OVERVIEW
What this means to you and our patients
The privacy rule gives patients more control over their Protected Health Information (PHI). So you need to know:
• Patients’ rights regarding the use of their PHI;
• Key terms and general rules that you can apply; and,
• When you can share patient information and when there are limits to what can be used or shared.

OVERVIEW
Patient Rights

The Privacy Rule gives patients the right to:
• have their PHI protected;
• inspect and copy their records;
• request that PHI in their records be corrected or changed;
• ask for limits on how their PHI is used or shared;
• ask that they be contacted in a specific way, such as at work and not at home;
• get a list of disclosures made of their PHI.

Key Terms
Notice of Privacy Practices (NPP)
• Providers and Health Plans must have a Notice of Privacy
Practices (NPP) - it provides a detailed description of the
various uses and disclosures of PHI that are permissible
without obtaining a patient’s authorization.
• You can access the UMHS’ NPP here.
• In general, anytime you release patient information for a
reason unrelated to treatment, payment (e.g., billing) or
healthcare operations (TPO), an authorization is required.

GENERAL RULES
Notice of Privacy Practices

• Patients are asked to acknowledge receipt of the Privacy Notice on their first encounter at UMHS, to note in writing that they received a copy of the Notice.

Key Terms
Covered Entities
• A Covered Entity is a health care provider or a health
plan that submits bills electronically.
– Examples include: Health Systems such as the
University of Michigan Health System; Hospitals;
Physicians; Health Plans such as Blue Cross Blue
Shield of Michigan; etc.
• All Covered Entities, along with their Business Associates
and any subcontractors of their business associates, that
use or access patient information on the Covered Entity’s
behalf are subject to HIPAA.
• The University of Michigan is a Hybrid Covered Entity. Click here for
more information.

Key Terms
Protected Health Information (PHI)
• PHI is health information about a patient created or
received by health care providers and health plans. PHI
includes information:
– Sent or stored in any form (written, verbal, electronic);
– That identifies the patient or can be used to identify the
patient;
– That is about a patient’s past, present and/or future
treatment and payment of services.
PHI is any health information that can lead to the identity of
the individual or the contents of the information can be used
to make a reasonable assumption as to the individual’s
identity.
Key Terms
PHI includes one or more of these identifiers:
• Names
• Addresses including Zip Codes
• All Dates
• Telephone & Fax Numbers
• Email Addresses
• Social Security Numbers
• Medical Record Numbers
• Health Plan Numbers
• License Numbers
• Vehicle Identification Numbers
• Account Numbers
• Biometric Identifiers
• Full Face Photos
• Any Other Unique Identifying Number, Characteristic, or Code

Test Yourself

Question:
If you have a document or an electronic device such as a
thumb/flash drive that contains patient initials and medical record
number(s), does your document or device contain PHI?

Test Yourself
Answer: Yes.
Your document or device contains patient identifiers – patient
initials and medical record number – that can be used to identify the
patient(s). It does not matter that the full patient name is not
included. PHI is anything that is received, sent or stored in any
form by a health care provider or health plan:
- That identifies the patient or can be used to identify the
patient;
- That is about a patient’s past, present and/or future treatment
and payment of services.
In other words: PHI is any health information that can lead to the
identity of the individual or the contents of the information can be
used to make a reasonable assumption as to the individual’s
identity.
Test Yourself

Take Away:
Do not use patient identifiers if you do not need to do so.
If the use of patient identifiers cannot be avoided, then only use
those identifiers that you minimally need and nothing more.

Key Terms
Treatment, Payment and Operations (TPO)
• Treatment [T] : Various activities related to patient care.
• Payment [P]: Various activities related to paying for or
getting paid for health care services.
• Health Care Operations [O]: Generally refers to day-to-day
activities of a covered entity, such as planning, management,
training, improving quality, providing services, and
education.
• NOTE: Research is not considered TPO. Written patient
authorization is required to access PHI for research unless
authorization waiver is approved by the IRB. See the education
program on research for more information.

Key Terms

Minimum Necessary Rule
Generally, the amount of PHI used, shared, accessed or
requested must be limited to only what is needed.
Workers should access or use only the PHI necessary to
carry out their job responsibilities.
For Example:
When we bill for a blood test, the billing company is not
provided with the entire medical record. Rather, we only
provide the applicable diagnosis and procedure codes, etc.
for the bill to be processed and paid.

Key Term
Minimum Necessary

• Workers should have only such PHI as their job responsibilities require.
• For example, someone who delivers food trays to patients may need PHI about the patient’s diet, but does not need to know why the patient is in the hospital.

Key Terms
• What is “Use” of PHI?
– Use of PHI refers to how PHI is internally accessed,
shared and utilized by the covered entity. For UMHS,
“use” refers to accessing, sharing, and utilizing PHI within
the health system. For other university providers such as
University Health Service (UHS), “use” refers to
accessing, sharing, and utilizing PHI within UHS.
• What is “Disclosure” of PHI:
– Disclosure of PHI refers to how PHI is shared with
individuals or entities externally. For UMHS, “disclosure”
refers to sharing PHI with others outside of (external to)
the health system.
• Different rules apply to Use vs Disclosure of PHI

Key Terms
What is an Authorization?
• A written permission signed by the patient or the patient’s
personal representative (e.g., a parent) to allow a Covered
Entity to Use or Disclose a patient’s PHI for reasons generally
not related to Treatment, Payment or Healthcare Operations
(TPO purposes).
• The Authorization must include: A detailed description of
the PHI to be disclosed, who will make the disclosure, to
whom the disclosure will be made, expiration date, and the
purpose of the disclosure.

Types of Disclosures
There are 3 Types of Disclosures:
1. No Authorization Required
2. Authorization Required, but Must Give Opportunity to
Object
3. Authorization Required

Each one of these is covered separately in the next three slides.

Types of Disclosures

1. No Authorization is required to make the following disclosures:
– To disclose PHI to the patient
– To use or disclose PHI for treatment, payment or healthcare operations (Examples: A physician discusses the patient’s condition with another consulting physician; a health provider submits a bill to a health insurance plan; and patient records are reviewed for quality improvement purposes)
– Certain disclosures required by law (for example, public health reporting of diseases, child abuse/neglect cases, etc.)

Types of Disclosures
2. No Authorization is Required, but Must Offer Opportunity to Object:
– The patient must be offered an opportunity to object before discussing PHI with a patient’s family or friends. Before discussing patient information in an exam room, ask the patient if it is okay to discuss information in front of the patient’s family member or friend. Alternatively, you can ask the family member or friend to leave, especially if the information is highly confidential.
– Limited PHI (e.g., patient’s hospital room/location number) is included in the “Hospital Directory”, but patients are offered an “Opt Out” opportunity; the same applies to certain disclosures to clergy members.

Types of Disclosures
3. Authorization Is Required:

Written authorization is required from the patient for the following:
– To access, use or disclose PHI for research (unless an Institutional Review Board such as the U-M IRBMED approves a waiver of authorization)
– To conduct certain fundraising activities
– For marketing activities and sale of PHI

NOTE: There are additional HIPAA Training Modules for individuals involved in Research, Fundraising and/or Marketing Activities. Contact the Compliance Office at 734-615-4400.

Incidental Disclosures
Some disclosures are not completely avoidable. These are permitted under HIPAA and are called “Incidental Disclosures”.
• Examples of “Incidental Disclosures”: Visitors hear a patient’s name called out in a waiting room; a hospital patient in a 2-bed room hears a physician speaking to the other patient.
• HIPAA requires reasonable steps to be taken to minimize incidental disclosures such as:
– Speaking in soft tones when discussing PHI in open areas such as the recovery room, emergency department, etc.;
– Not discussing PHI in public hallways, elevators or other public locations such as the cafeteria;
– Using only the minimum necessary PHI.

“Highly Confidential” Information
• Michigan and other Federal law provide even more protection than HIPAA in some cases. These “Highly Confidential” areas include:
– Mental Health and Substance Abuse
– HIV/AIDS Testing or Treatment
– Genetic Tests/Information
– Certain communicable diseases (e.g., sexually transmitted disease, hepatitis, etc.)
– Certain diagnostic and treatment services rendered to minors like pregnancy and prenatal care
• If you have questions about handling highly confidential information, ask your supervisor or contact hipaaquestions@umich.edu.
• Discuss with your supervisor about special precautions to protect highly confidential information

Test Yourself

Question:
You are a nurse asking a newly admitted patient a number of questions
as part of the admission process. You see that the patient is HIV
positive. Would it be appropriate for you to discuss the patient’s HIV
status in front of the patient’s accompanying family member?

Test Yourself

Answer: No.

Because HIV status is highly confidential information, it is subject to greater protections beyond HIPAA. If you need to discuss the patient’s HIV status, you must take extra precautions to prevent others (including other patients) from overhearing the information. In this scenario, you should not discuss any highly confidential information in front of the patient’s family member without the patient’s permission. Instead, ask the family member to leave the room before proceeding with gathering your information to complete your admission paperwork.

Accessing Electronic PHI

• Use your electronic access to information systems only to perform your job-related duties and only access PHI on a need-to-know basis
• All electronic systems are audited – a log of all accesses is maintained and designed to protect patient privacy
• Inappropriate access to a patient’s electronic medical record can lead to disciplinary action, up to and including termination from employment

Test Yourself

Question:
Would it be permissible for you to look up a coworker’s address in the
electronic medical record so you can send the coworker a get well card?

Test Yourself

Answer: No.

You cannot access a coworker’s electronic medical record. If you need information about a coworker, check with your supervisor. Accessing the electronic medical record system for purposes other than to complete your job responsibilities is not permitted. Inappropriate access to a patient’s electronic medical record can lead to disciplinary action, up to and including discharge.

Right of Access to Medical Record Information
• Patients have the right to obtain a copy of their medical
record – generally within 30 days of their request. Some
exceptions exist
• Patients have a right to request an electronic copy of their
health information held in an electronic medical record
system
• If a patient requests copies – paper or electronic – direct them
to the Medical Records/Health Information Management
Department which will manage the request within the
appropriate time frames

Sharing Immunization Records
• HIPAA allows Health Care Providers to share immunization
records directly with schools with either written or verbal consent
from the parent or guardian (for minor child) or from the individual
(for adults)
• If verbal consent is obtained, document the consent in the patient’s
medical record
• Best Practice at UMHS: Immunization records can be obtained
directly by the patient or, the parent in the case of a minor, through
the patient portal (MyChart). Encourage the person to sign up for
the patient portal and they can then access immunization records
directly and provide the record to the school themselves

Information Security
• Use difficult to break passwords
• Never share your password with another person
• Log off from all electronic record applications (e.g., the electronic
medical record system) before walking away from the computer
• Secure all electronic records using encryption – Call IT support to
set up secure electronic systems
• Do not save any PHI on unencrypted portable electronic devices
such as laptop computers, flash/thumb drives, electronic tablets, etc.,
whether you personally own the device or if it was purchased by
UMHS
• Immediately report to your Supervisor or the UMHS Compliance
Office if any of these devices are lost or stolen

Protecting Electronic Data
Sensitive information stored on computers and other electronic
devices must be appropriately secured. To do this, you should:
• Avoid internet threats
• Encrypt the data
• Create and use strong passwords
• Secure computers and other mobile devices
• Report immediately if the device is lost or stolen
Refer to:
http://www.safecomputing.umich.edu/main/phishing_alerts/
http://www.itcs.umich.edu/help/faq/viruses.php
Strong Passwords
In addition to encryption, a “strong” password is an important way to protect confidential information stored electronically.
• Use at least 8 characters (9 or more is ideal), unless limited by system capabilities
• Use at least 3 of the following character types:
o lowercase letters
o uppercase letters
o numbers
o symbols (@, %, $, &, etc.)
o punctuation marks (?, !, etc.)
• Do not use names, identifiers, simple phrases or words in any language ("password", "michigan", your user ID, "hello2u", etc.)
• Do not use sequences of characters or keys ("123456", "abcdef", "qwerty", etc.)
• Use different passwords on different systems so if one password is lost or stolen, there is no risk to the other systems
• To help you remember your password, create an acronym from a phrase and substitute letters with numbers and symbols. For example, pick a phrase that is meaningful to you, such as "Moose Tracks ice cream is better with sprinkles". Using that phrase as your guide, you might use "MT1c1bw$" (where the "i"s have been replaced with "1"s and the "s" with "$") for your password
• For more information, see http://www.itcs.umich.edu/itcsdocs/r1162/
Internet Threats

[Diagram: Internet Threats – Phishing, Malware, Personal E-mail, Cloud Computing]

Internet Threats - Phishing
Phishing is unwanted e-mail (“spam”) that tries to trick you into revealing confidential information, like your user name and passwords, credit card information, etc.

Do NOT reply to any e-mail message that might be a phishing attempt. Do NOT click on links or download files if you are not sure they are safe.

See http://www.med.umich.edu/u/compliance/area/phishing.htm for more information.

Internet Threats: Malware
Malware is software designed to harm your computer. Malware gets into your computer through e-mail attachments, compromised websites, etc.

Examples: Computer virus, worms and spyware. It can destroy your data and cause inappropriate access to or disclosure of sensitive information such as PHI.

Malware is blocked through an up-to-date antivirus software program and antispyware scanning program. Contact your IT Support for help.

Internet Threats: Cloud Computing
Cloud computing gives access to computer files and programs over the internet, and may include backing up or synchronizing those files with a cloud service provider. Gmail, Google Calendar, Google Docs, etc. are examples of “Cloud Services”.

NEVER store PHI or other sensitive information on public cloud services.*

*A Business Associate Agreement is required before doing so. As of 09/2013, no cloud service provider has entered into a BAA with either U of M or with the UMHS.

Internet Threats: Personal Email

UMHS Users: E-mail within the UMHS E-mail System is secure (using your “@med.umich.edu” e-mail to others within the same system). E-mail sent outside of the UMHS E-mail System is NOT secure. Examples: “@umich.edu” or “@gmail.com” email accounts.

Do NOT transmit PHI or other sensitive information to or from your personal email.

Emailing PHI
• For UMHS E-mail Users: E-mail to e-mail transmission within
the UMHS E-mail System (“med.umich.edu”) is considered
secure, but use/send only the minimum necessary PHI.
– E-mail from the UMHS e-mail system to any other system is
not secure (This includes email to a “umich.edu” address or
to a hotmail®, yahoo®, comcast®, or other type of personal
e-mail address)
• For non-UMHS users: Check with your supervisor for
department-specific procedures for emailing PHI
• Do not send documents or files that contain PHI from the
UMHS E-mail System to an external system or vice versa. Use a
secure file transfer system such as MiShare or check with your
supervisor. Click here for more information.

Encryption
Proper Encryption makes data on computers and other
electronic devices unreadable. Users must have an “encryption
key” to “unlock” the encryption to access the data.

All sensitive information, including PHI, must be encrypted prior to being sent electronically outside of the University of Michigan Health System. These outside/external communications include electronic communications sent from persons within UMHS to persons within U of M.

Encryption
Encryption Resources

At UMHS, contact Medical Center Information Technology (MCIT) for assistance with encryption.

For Non-UMHS: Check with your supervisor and work with your IT Support for determining appropriate encryption methods available to you. See http://safecomputing.umich.edu/protect-personal/what-is-encryption.php for more information.

Test Yourself
Question:
Which of the following is a strong password?
A. Michigan1
B. 1234abcd
C. MT1c1bw$

Test Yourself
Answer: C.
A. Michigan1: This is a weak password. Do not use names, identifiers, simple phrases or words in any language ("password", "michigan", your user ID, "hello2u", etc.)
B. 1234abcd: This is a weak password. Do not use sequences of characters or keys ("123456", "abcdef", "qwerty", etc.)
C. MT1c1bw$: This is a strong password. Mix numbers, letters and special characters to create a strong password.

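The Strong Passwords rules (at least 8 characters, at least 3 character types, no names/identifiers/words, no character or keyboard sequences) and the three Test Yourself candidates, expressed as a checker. This is an added example, not part of the training module; DENYLIST is a constructed stand-in for the dictionary and identifier check a real system would run, and KEYBOARD_ROWS, SYMBOLS and PUNCTUATION are assumptions.

```python
"""Password-policy checker for the rules given in the Strong Passwords slide.

Added example (not part of the training module). DENYLIST is a small
constructed stand-in for the dictionary / identifier check a real system
would run; KEYBOARD_ROWS, SYMBOLS and PUNCTUATION are assumptions.
"""

MIN_LENGTH = 8
MIN_CLASSES = 3
SEQUENCE_RUN = 4  # four consecutive characters counts as a sequence

# Constructed denylist: real deployments use a full word list plus the
# user's own name and user ID (the slide's "michigan", "hello2u", etc.).
DENYLIST = {"password", "michigan", "hello2u", "welcome", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
PUNCTUATION = set("?!.,;:'\"")
SYMBOLS = set("@%$&#*+-=_/\\|~^<>()[]{}")


def character_classes(pw):
    """Return the set of character types present (the slide lists five)."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lowercase")
        elif ch.isupper():
            classes.add("uppercase")
        elif ch.isdigit():
            classes.add("number")
        elif ch in PUNCTUATION:
            classes.add("punctuation")
        elif ch in SYMBOLS:
            classes.add("symbol")
    return classes


def has_sequence(pw, run=SEQUENCE_RUN):
    """True if pw contains a run of consecutive code points ("1234", "abcd",
    "dcba") or a stretch of a keyboard row ("qwer", "asdf"), either direction."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            piece = row[i:i + run]
            if piece in low or piece[::-1] in low:
                return True
    return False


def contains_denied_word(pw, user_id=None):
    """True if a denylisted word or the user's own ID appears anywhere in pw."""
    low = pw.lower()
    words = set(DENYLIST)
    if user_id:
        words.add(user_id.lower())
    return any(word in low for word in words)


def check_password(pw, user_id=None):
    """Return the list of rule violations; an empty list means the password
    satisfies every rule on the slide."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(pw)
    if len(classes) < MIN_CLASSES:
        problems.append(f"uses {len(classes)} character type(s), need {MIN_CLASSES}")
    if contains_denied_word(pw, user_id):
        problems.append("contains a name, identifier or dictionary word")
    if has_sequence(pw):
        problems.append("contains a character or keyboard sequence")
    return problems


def is_strong(pw, user_id=None):
    return not check_password(pw, user_id)


if __name__ == "__main__":
    # The three candidates from the Test Yourself slide.
    for candidate in ("Michigan1", "1234abcd", "MT1c1bw$"):
        verdict = "strong" if is_strong(candidate) else "weak"
        print(f"{candidate:10} {verdict:6} {check_password(candidate)}")
```

Passing the user's own ID as `user_id` applies the slide's "your user ID" rule, so "MT1c1bw$" is rejected for a user whose ID is "mt1c".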
Securing computers & mobile devices
Computers, Etc.
• Log out or lock your computer when you leave
• Position your screen away from public areas
• Printers and fax machines where PHI can be printed should not be positioned in public areas (like waiting rooms)
Mobile Devices (Laptops & Tablets; Smart Phones & Cell Phones; Cameras & Recorders; Thumb Drives, Memory Cards, CDs/DVDs & External Hard Drives)
• Mobile devices with PHI or other sensitive information should be encrypted and password protected. If not able to encrypt, they should be physically secured (like in a locked drawer or safe)
Report Lost or Stolen Devices
Report immediately if the device is lost or stolen

Even if you just suspect a security incident (e.g., your laptop might have been stolen, but you don’t know for sure), immediately notify your IT Service Provider.
Within UMHS - Contact the MCIT Help Desk at (734) 936-8000.

HIPAA 2013 Modifications

HIPAA was modified between 2009 and 2013. Under these modifications…

HIPAA 2013 Modifications

All violations are PRESUMED a “BREACH”

As a result: All HIPAA incidents must be analyzed under a 4-prong test to overcome this Breach presumption. This analysis is conducted by the UMHS Compliance Office. This analysis must be documented and retained for 6 years. (Thus, do NOT do this analysis yourself!)

4-prong test:
1. Nature and extent of information involved, including the types of identifiers and risk of re-identification
2. Unauthorized person who used the PHI or to whom it was disclosed
3. Whether the PHI was actually acquired or viewed
4. Extent to which risk to the PHI has been mitigated

You don’t need to know the 4-prong test, BUT YOU MUST REPORT ALL PRIVACY CONCERNS!
HIPAA 2013 Modifications
When there is a Breach, the Covered Entity must provide written “Breach” notice:
• To Every Individual Affected
• To Federal Government - Department of Health & Human Services/Office for Civil Rights (“OCR”)
• To Media – If >500 individuals residing in single state or “jurisdiction” (e.g., SE Michigan)

The Covered Entity is subject to tight time frames for sending these breach notices, so it is important that you immediately report all HIPAA concerns!
HIPAA 2013 Modifications
When is a “Breach” discovered?

A Breach is “discovered” as soon as an employee or another agent knows or should reasonably have known of the incident causing the breach.

The “clock” will start ticking the moment you become aware of a privacy or information security violation.

Your duty: Report the violation immediately – even just a suspected violation.

HIPAA 2013 Modifications
Under the 2013 modifications:
• Civil Fines Increased Up to $1.5
million per HIPAA violation per
year (prior max was
$25,000/violation/year)
• Criminal fines: $250,000/up to 10
years imprisonment, criminal
penalties expanded to individuals.
NOTE: Individuals (This means
You!) can be subject to criminal
prosecution, fines and imprisonment
Disciplinary Action

The Covered Entity’s policies require disciplinary action be taken against individuals for violating HIPAA, up to and including discharge.


PRACTICAL APPLICATION FOR HEALTH CARE PROFESSIONALS …

GENERAL RULES
How Do I Apply These Rules?
• Accessing a patient’s electronic medical record is allowed if access is necessary for you to do your job, including taking care of the patient (for treatment) or quality improvement (for health care operations.)
• Accessing a patient’s electronic medical record is not appropriate if access is not necessary (do not access for curiosity purposes)

GENERAL RULES
If Protections Are in Place:
• Except in public locations like the cafeteria or elevator, you can talk with other providers or patients, even if you may be overheard.
• You can verbally arrange for services at nursing stations.
• You can discuss a patient’s condition with the patient, other providers.
• You can discuss information with the patient, even in a patient’s semi-private room.

GENERAL RULES
If Protections Are in Place:
• You can talk about patient conditions in our education programs.
• Prescriptions can be discussed between you and a pharmacy or with the patient by phone.
• Messages can be left on answering machines or with those who answer the phone, but the message should be limited to minimum necessary and sensitive information like HIV status should not be disclosed.

GENERAL RULES
If Protections Are in Place:

• You must try to honor patient requests about how and where to reach them, such as at work instead of at home.
• Sign-in sheets can be used but should not ask the reason for the visit.
• Patients’ names can be called in waiting rooms or over speakers.

GENERAL RULES
If Protections Are in Place:
• Charts at bedsides or outside exam rooms are allowed, but consider having them face backwards (a reasonable safeguard to minimize incidental disclosure.)
• Patient care signs can be posted, such as for special diet needs.
• X-ray boards and whiteboards are allowed.
• PHI can be shared in group therapy settings for treatment.

ADDITIONAL INFORMATION FOR THOSE INVOLVED IN RESEARCH…

RESEARCH
Key Terms
The definition of “research” is the same under the Common Rule and HIPAA BUT the application is different . . .

Common Rule:
• a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge
• applies only to human subjects (i.e. live people)

HIPAA:
• a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge
• applies to records and data, for living and generally for deceased patients

RESEARCH
HIPAA Authorization IS Needed

• Written patient permission or “authorization” is needed to use or share PHI for research.

RESEARCH
Authorization Requirements
Authorization must address specific issues and include all of
the following elements:
• What information will be used or disclosed
• Who can use or disclose
• Who can receive the information
• Purpose of disclosures
• Right to revoke authorization
• Notification of any consequences of refusing to sign the authorization (e.g., no
participation in the research project)
• Warning: once authorized information is disclosed, it may no longer be protected
under HIPAA
• Expiration date or event (may be “at the end of the project” or “none”)
• Signature, date, and (if applicable), authority of representative to sign

RESEARCH
Authorization Exceptions
• Authorization requirement is subject to some exceptions:
1. Waiver of authorization (approved by IRB or Privacy
Board)
2. Use of PHI “preparatory to research”
3. Use of decedents’ information for research purposes
4. Disclosure of limited amounts of PHI under a “data use
agreement”

RESEARCH
Authorization Exceptions
1. Waiver of Consent and Authorization
– Most studies regulated under the Common Rule are
conducted under active written informed consent
– Some studies qualify for a “waiver” of written informed
consent or a waiver of documentation of consent under
the Common Rule
– HIPAA permits a waiver of “authorization” – but
Common Rule waiver of informed consent versus a
HIPAA waiver of authorization are NOT the same thing

RESEARCH
Waivers
A waiver may be granted by an IRB or a Privacy Board only if certain conditions are met:

IRB - Common Rule:
• Minimal risk to subjects
• No adverse effect on subject’s rights
• Impracticable to do research without waiver
• Information to subjects when appropriate

IRB or Privacy Board - HIPAA:
• Minimal risk to subjects’ privacy
– Adequate plan to protect identifiers
– Adequate plans to destroy identifiers (break links) when and if possible
– Written assurance no inappropriate re-use or re-disclosure
• Impracticable to do research without waiver and without access to PHI

Even if your project is “exempt” from IRB oversight under the Common Rule, you still may need a waiver from the IRB or Privacy Board under HIPAA!
RESEARCH
Authorization Exceptions
2. PHI may be used without authorization for “reviews
preparatory to research”
– Researcher must demonstrate to UM (through the IRB or Privacy Board) that:
• the PHI will be used only to prepare a protocol
• no PHI will be removed from UM or disclosed outside UM
• the PHI to be used is necessary for the research purpose
– Purpose of exception is to prepare a protocol, e.g., facilitate study design work or
feasibility analysis – can also facilitate subject recruitment in some cases
– Exception is available only to UM workforce members (no sharing outside UM,
e.g. with collaborators at other sites)
– The information reviewed under this exception may not be used for the research
project itself or for any future project; only name/contact information should be
extracted for recruitment
68
RESEARCH
Authorization Exceptions
3. PHI may be used or shared for research on decedents’
information . . .
– Researcher must demonstrate to UM (through the IRB or
Privacy Board) that:
• use or disclosure is only for research on decedents’
information
• deaths are documented
• PHI to be used or disclosed is necessary for the research
purpose
– Note: deceased individuals are not considered human
subjects under the Common Rule, but in most
circumstances their records and data are still subject to
HIPAA
69
RESEARCH
Authorization Exceptions
4. PHI in a “limited data set” may be used or shared
without authorization for research purposes
– The researcher must sign a “Data Use Agreement”
(a simple one-page contract)
– At UM, the Data Use Agreement must be filed with and
approved by the Privacy Board or its designee (Contact
the UMHS Compliance Office for further guidance.)
70
RESEARCH
Limited Data Sets - Definition
• A limited data set may include:
– geographic information like city and zip code (but not street address)
– dates (including dates of birth, death, admission and discharge), and
age in hours, days, months or years
• A limited data set may not include any of the following
information with respect to the patient, patient’s
household members, or patient’s employer:
– Name; street address; telephone and fax numbers; e-mail, URL, and
IP addresses
– Social security, medical record, health plan beneficiary or account
numbers, certificate/license numbers, vehicle identifiers and serial
numbers, including license plate numbers
– Device identifiers and serial numbers; biometric identifiers, including
finger and voice prints; and full face photographic or comparable
images
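As an added example (not part of this module or UMHS's own tooling), a small Python check that applies the limited data set definition above to one row of a research export: it drops the direct-identifier columns this slide excludes and scans free-text columns for e-mail, URL, IP, SSN and phone patterns, while city, zip, dates and age survive. The column names and the sample row are assumed and constructed for the example.

```python
import re

# Direct identifiers a HIPAA limited data set may NOT contain (the list on this slide).
# The column names below are assumed for the example; a real export uses its own names.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "url", "ip_address",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "license_plate", "device_serial", "biometric", "photo",
}
# Patterns that catch the same identifiers when they leak through free-text columns.
LEAK_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}


def find_violations(record):
    """Return (field, reason) pairs; an empty list means the row is a valid limited data set."""
    violations = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            violations.append((field, "direct identifier column"))
        elif isinstance(value, str):
            for kind, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    violations.append((field, f"free text contains {kind}"))
    return violations


def to_limited_data_set(record):
    """Drop every column find_violations() flags; city, zip, dates and age are kept."""
    flagged = {field for field, _ in find_violations(record)}
    return {field: value for field, value in record.items() if field not in flagged}


# Constructed sample: a screening-log row with direct identifiers mixed in.
SAMPLE_ROW = {
    "mrn": "000000000",            # placeholder, not a real record number
    "name": "Example Patient",
    "city": "Ann Arbor", "zip": "48109", "dob": "1970-01-01",
    "admit_date": "2013-09-01", "discharge_date": "2013-09-04", "age_years": 43,
    "notes": "callback at 734-555-0100, email example@example.org",
}

if __name__ == "__main__":
    for field, reason in find_violations(SAMPLE_ROW):
        print(f"{field}: {reason}")
    print(to_limited_data_set(SAMPLE_ROW))
```

The pattern scan is a safety net for identifiers typed into notes fields, not a substitute for the Data Use Agreement and Privacy Board approval the slides require.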
71
RESEARCH
Privacy Board and IRB
Privacy Board (PB):
• HIPAA permits a privacy board to grant a waiver to the “authorization”
requirement that applies to most research activities
• Includes people with relevant experience and expertise, including at
least one non-affiliated (community) member
• At UMHS, the PB makes determinations regarding HIPAA compliance for
exempt human subjects’ research and for activities not regarded as human
subjects research

Institutional Review Board (IRB):
• Functions under the Common Rule to review, approve, and maintain
oversight over human subjects research; HIPAA permits the IRB to
approve authorization waivers as well
• Includes people with relevant and diverse experience and expertise,
including at least one non-scientist and at least one non-affiliated
(community) member
• At UMHS, the IRBMED incorporates HIPAA requirements into its regular
review process, except for projects that do not require use or sharing of
PHI
72
RESEARCH
Implementation at UMHS
 HIPAA allows either an IRB or a “Privacy Board” to grant a “waiver of
authorization” for use or disclosure of PHI for research purposes
(including creation/maintenance of research databases)
 At UMHS, the Privacy Board also assists in other ways, including:
 Certifications for reviews preparatory to research
 Certifications for research on decedents’ information
 Approval of data use agreements
 Clearinghouse/expertise on privacy issues relevant to human
subjects research projects
 A privacy board is not authorized to review and approve research under
the Common Rule
73
RESEARCH
Implementation at UMHS
 HIPAA requires covered entities to “account” for many
research-related disclosures made without patient
authorization
 Exceptions:
 internal uses do not need to be tracked
 disclosures made through a limited data set with a data use agreement
do not need to be tracked
 disclosures of “deidentified data” do not need to be tracked (no
information listed HERE included in the data set)
 disclosures made in studies involving more than 50 subjects do not need
to be tracked if we keep a list available of all such studies, including title,
PI, and contact information
 See UMHS policies/procedures for accounting of
disclosures or contact the IRBMED
74
RESEARCH
What Does HIPAA Mean for You?
• No PHI in Research
– If you are conducting a project without use of PHI, HIPAA
does not apply but IRBMED’s informed consent template
must be used for all new projects and scheduled continuation
reviews
– Caution!
• If you do a blood test or radiological scan or other procedure only for
research purposes, and not related to treatment, the information may
not be PHI and your project is not regulated by HIPAA; but
• If the test or results information passes through the subject’s UM
electronic medical record (“EMR”) (because the medical record
number is used and/or information is derived from and/or posted to the
EMR or other clinical information systems), then HIPAA may apply
75
RESEARCH
Application: Multicenter Trials
Multicenter Trials
• Four ways to share PHI with other centers:
– Written permission from the subject/patient (authorization)
– Waiver from IRB or Privacy Board
– Limited Data Set with Data Use Agreement
– Deidentified data (nothing on “PHI” list)
• When we need information from other centers for our
own research projects:
– The IRBMED informed consent template is intended to comply with the privacy rule
and to allow any health care provider or health plan to disclose PHI to us (or UMHS to
disclose PHI to our co-investigators) for research purposes.
– However, every site may have its own rules and policies.
– If another site or a sponsor requires an additional form to be signed by your subject,
IRBMED must review and approve that form in advance.
76
RESEARCH
Application: Subject Recruitment
Alternatives Under HIPAA
Review Preparatory to Research
Pros: Simple Application to Privacy Board
Cons: For internal use only; should only get name/number; can’t use
information collected for the project

Waiver of Authorization from Privacy Board
Pros: Simple Application to Privacy Board
Cons: Possible accounting requirement; IRBMED approval needed re:
recruiting procedures

(Partial) Waiver of Authorization from IRBMED
Pros: Can disclose information outside UM (e.g., use survey vendors); can
use information for the project
Cons: Time required for IRBMED application; possible accounting
requirement

Tell Patients About Study Opportunities But Let Them Contact Study Staff
Pros: No disclosure of PHI (docs with existing treatment relationship can
always tell their patients about possible studies) so no HIPAA issues
Cons: Makes recruitment process passive and therefore likely less effective

Written Permission
Pros: Can use information collected for the project; no accounting
Cons: Generally must discuss with/obtain from patient at point of care; may
need IRB review/approval
77
RESEARCH
Application: Databases and Registries
• We can create and maintain databases or registries for
treatment, payment, and health care operations (“TPO”)
purposes without patient authorization - TPO activities include:
– Clinical care, billing, utilization review
– Quality assurance/assessment, accreditation activities
– Education, planning
• IRB or Privacy Board approval is required to access a TPO
database for research purposes (even reviews preparatory to
research)
• Written patient permission or IRBMED or Privacy Board
approved waiver is needed to create and maintain a database or
registry solely for research purposes . . . patient permission, if
sought, must be specific as to research purpose (HIPAA
prohibits “blanket” authorizations)
78
RESEARCH
Application: Databases and Registries
“Screening logs”
• If no use or disclosure of PHI, no HIPAA issue (information
received directly from a subject through a survey is not PHI; but if
the survey information is verified or supplemented by medical
record information, then PHI is used.)
• If the log includes PHI but was created or used for TPO purposes,
then ok to continue maintaining without patient permission.
• If the log includes PHI and is used only for research purposes,
need patient authorization or IRB or Privacy Board waiver of
authorization.
• Alternatives for sending data from screening log to sponsors
(without patient or IRB/Privacy Board authorization):
– “De-identify” the data (no elements listed on the “PHI” list may be present
in the data set sent)
– Provide a “limited data set” with a data use agreement
79
RESEARCH
Application: Databases and Registries
Existing Datasets
• HIPAA does not require that existing datasets be
destroyed
• New data cannot be added into an existing research
dataset without written authorization or waiver, unless
the data is first deidentified (all identifiers listed on the
“PHI list” are eliminated) or made part of a limited data
set
• Data cannot be removed from an existing dataset for
research purposes without IRB or Privacy Board
approval
80
RESEARCH
Application: IRBMED or Privacy Board?
• IRBMED
– Any research project subject to federal regulations for the
protection of human subjects.
– Reviews preparatory to research may be submitted to IRBMED

• Privacy Board
– Waiver of authorization for a project that does not require
IRBMED review (e.g., exempt from Common Rule oversight)
– Review preparatory to research
– Research on decedents’ information
– Limited data sets disclosures
81
HIPAA Learning Module: Basic
ADDITIONAL INFORMATION
FOR YOUR AWARENESS…
HIPAA Learning Module: Basic
Key Terms
Business Associate:
• Vendors who have access to or use PHI on our behalf must have a
Business Associate Agreement - a signed agreement promising to
keep PHI confidential in accordance with HIPAA.
• Example: A company developing order entry software must see
actual PHI so they would need a written agreement.
NOTE: Contact the UM Procurement Office for help to determine
if a Business Associate Agreement is needed with a vendor.
You may need to take the additional HIPAA training module on
business associates, depending on your job responsibilities. Talk to
your Supervisor or call the UMHS Compliance Office (615-4400)
83
MARKETING AND FUNDRAISING
Written Permission IS Needed
 Patient permission or
“authorization” is needed to use or
share PHI for certain marketing
and fund-raising activities.
For example, a doctor cannot give a
diaper company the names of
pregnant patients without an
authorization that includes what the
PHI will be used for, who can use it
and for how long.
NOTE: Contact the UMHS
Compliance Office for more
information about fundraising and
marketing of 3rd party products or
services.
84
Questions?
• For questions about HIPAA:
http://www.med.umich.edu/u/compliance/area/privacy/index.htm
• For more information:
– http://www.hhs.gov/ocr/privacy/
– http://www.cms.hhs.gov/HIPAAGenInfo/
85
FAQs
• You must complete the next section on
Frequently Asked Questions (FAQs).
• Click HERE to Continue to the FAQ Section.
• External Individuals who are taking this
module prior to interacting with UMHS:
After reviewing the FAQ section, be sure to
click on and complete the form on the last
slide of the FAQ section. This is the only way
for you to get a certificate and credit for this
education module.
86