Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research (2009)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Glossary Accounting of Disclosures: This provision of the Privacy Rule gives indi- viduals the right to receive a list of certain disclosures that a covered entity has made of their protected health information in the past 6 years, including disclosures made for research purposes. Association for the Accreditation of Human Research Protection Programs, Inc. (AAHRPP): An independent, nonprofit entity that accredits organiza- tions’ human research protection programs. Authorization: An individual’s written permission to allow a covered entity to use or disclose specified protected health information (PHI) for a par- ticular purpose. Authorization states how, why, and to whom the PHI will be used and/or disclosed for research, and seeks permission for that use or disclosure. Autonomy: The capacity of a rational individual to make an informed, uncoerced decision. Business Associate: A person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of protected health information, such as data analysis, claims processing or administration, utilization review, and quality assur- ance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule. Business associates are also persons or entities performing legal, actuarial, account-  

 BEYOND THE HIPAA PRIVACY RULE ing, consulting, data aggregation, management, administrative, accredita- tion, or financial services to or for a covered entity where performing those services involves disclosure of protected health information by the covered entity or another business associate of the covered entity to that person or entity. Chronic Conditions Warehouse: Section 723 of the Medicare Prescrip- tion Drug, Improvement, and Modernization Act of 2003 instructed the Secretary of the U.S. Department of Health and Human Services to make Medicare data more readily available to researchers studying chronic ill- ness in the Medicare population, with the intent to help “identify areas for improving the quality of care provided to chronically ill Medicare beneficiaries, [and] reduce program spending.” The Chronic Conditions Warehouse implements this requirement of the Act and contains fee-for- services claims, enrollment/eligibility, and assessment data. Researchers can efficiently access data on 21 predefined chronic health conditions, such as diabetes, breast cancer, Alzheimer’s, and depression. Common Rule: The federal rule that governs most federally funded research conducted on human beings and aims to ensure that the rights of human subjects are protected during the course of a research project, histori- cally focusing on protection from physical and mental harm by stressing autonomy and consent. Confidentiality: Addresses the issue of how personal data that have been collected for one approved person may be held and used by the organiza- tion that collected the data, what other secondary or further uses may be made of the data, and when the permission of the individual is required for such uses. Covered Entity: A health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services has adopted a standard. Data Use Agreement: An agreement into which the covered entity enters with the intended recipient of a limited dataset that establishes the ways in which the information in the limited dataset may be used and how it will be protected. Deidentified Information: The Privacy Rule provides for two methods to deidentify personally identifiable health information. Under the statistical method, a statistician or person with appropriate training verifies that enough 

 GLOSSARY identifiers have been removed that the risk of identification of the individual is very small. Under the safe harbor method, data are considered deidentified if the covered entity removes 18 specified personal identifiers from the data. Effectiveness: The extent to which a specific test or intervention, when used under ordinary circumstances, does what it is intended to do. Efficacy: The extent to which a specific test or intervention produces a beneficial result under ideal conditions (e.g., a clinical trial). Fair Information Practices: Principles affording individuals the meaning- ful right to control the collection, use, and disclosure of information, and imposing affirmative responsibilities to safeguard information on those who collect it. Food and Drug Administration (FDA) Protection of Human Subjects Reg- ulations: Regulations intended to protect the rights of human subjects enrolled in research involving products that the FDA regulates (i.e., drugs, medical devices, biologicals, foods, and cosmetics). Health Care Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and value-added networks and switches, that either process or facilitate the processing of health infor- mation received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard trans- action, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity. Health Care Provider: A provider of services (as defined in Section 1861(u) of HIPAA, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in Section 1861(s) of HIPAA, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. Health Information: Any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or uni- versity, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. 

 BEYOND THE HIPAA PRIVACY RULE Health Insurance Portability and Accountability Act of 1996 (HIPAA): An Act that requires, among other things, under the Administrative Simplifi- cation subtitle, the adoption of standards for protecting the privacy and security of personally identifiable health information. Hybrid Entity: A single legal entity that is a covered entity, performs busi- ness activities that include both covered and non-covered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. However, non-health care com- ponents of a hybrid entity may be business associates of one or more of its health care components, depending on the nature of the relationship. Informed Consent: A legal form required by the Common Rule that describes the potential risks and benefits of research and seeks permission to involve the subject. Institutional Review Boards (IRBs): “An administrative body established to protect the rights and welfare of human research subjects recruited to participate in research activities conducted under the auspices of the institution with it is affiliated. The IRB has the authority to approve, require modification in, or disapprove all research activities that fall within its jurisdiction as specified by both the federal regulations and local institutional policy” (Department of Health and Human Services IRB Guidebook). Limited Dataset: Refers to protected health information that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual’s authorization or a waiver or an alteration of authorization for its use and disclosure, with a data use agreement. Nonmaleficence: The ethical principle of doing no harm, based on the Hippocratic maxim, primum non nocere, first do no harm. Privacy: In this report, the privacy of personal health information pertains to the collection, storage, and use of personal information and addresses the question of who has access to personal information and under what conditions. Privacy Board: A board that is established to review and approve requests for waivers or alterations of authorization in connection with a use or dis- closure of protected health information as an alternative to obtaining such 

 GLOSSARY waivers or alterations from an Institutional Review Board. A Privacy Board consists of members with varying backgrounds and appropriate professional competencies as necessary to review the effect of the research protocol on an individual’s privacy rights and related interests. The board must include at least one member who is not affiliated with the covered entity, is not affiliated with any entity conducting or sponsoring the research, and is not related to any person who is affiliated with any such entities. A Privacy Board cannot have any member participating in a review of any project in which the member has a conflict of interest. Protected Health Information: Protected health information is personally identifiable health information created or received by a covered entity. Public Health: The Privacy Rule defines a public health authority as any “federal, tribal, or local agency or person or entity acting under a grant of authority or contract with the agency, including state and local health depart- ments, the Food and Drug Administration, the Centers for Disease Control and Prevention, and the Occupational Safety and Health Administration.” Public Health Practice: “The collection and analysis of identifiable health data by a public health authority for the purpose of protecting the health of a particular community, where the benefits and risks are primarily designed to accrue to the participating community” (Hodge, 2005; Hodge and Gostin, 2004). Public Health Research: “The collection and analysis of identifiable health data by a public health authority for the purpose of generating knowledge that will benefit those beyond the participating community who bear the risks of participation” (Hodge, 2005; Hodge and Gostin, 2004). Public Responsibility in Medicine and Research (PRIM&R): An organiza- tion whose mission is to promote ethical research in both humans and animals. Quality Improvement: “Systematic, data-guided activities designed to bring about immediate, positive change in the delivery of health care in a particu- lar setting” (Baily et al., 2006). Research: A systematic investigation, including research development, test- ing, and evaluation, designed to develop or contribute to generalizable knowledge. Respect for Persons: The ethical principle requiring that individuals be 

0 BEYOND THE HIPAA PRIVACY RULE treated as autonomous agents, and that individuals with diminished autonomy are entitled to protection (HEW, 1979). Security: “The procedural and technical measures required (a) to prevent unauthorized access, modification, use, and dissemination of data stored or processed in a computer system, (b) to prevent any deliberate denial of service, and (c) to protect the system in its entirety from physical harm” (Turn and Ware, 1976). Selection Bias: This phenomenon occurs when data are more likely to be collected from one subset of the population than from a representative sample of the entire population. This can cause systematic differences between the characteristics of the individuals included in a study and the individuals not included. Waiver of Authorization: The documentation that the covered entity obtains from a researcher or an IRB or a Privacy Board that states that the IRB or Privacy Board has waived or altered the Privacy Rule’s requirement that an individual must authorize a covered entity to use or disclose the individual’s protected health information for research purposes. REFERENCES Baily, M. A., M. Bottrell, J. Lynn, and B. Jennings. 2006. The ethics of using QI methods to im- prove health care quality and safety. A Hastings Center Special Report 36(4):S1–S40. HEW (Department of Health, Education and Welfare). 1979. The Belmont Report: Ethical principles and guidelines for the protection of human subjects of research. http://ohsr. od.nih.gov/guidelines/belmont.html (accessed August 21, 2008). Hodge, J. G., Jr. 2005. An enhanced approach to distinguishing public health practice and human subjects research. Journal of Law, Medicine & Ethics 33(1):125–141. Hodge, J. G., and L. O. Gostin. 2004. Public health practice vs. Research: A report for public health practitioners including cases and guidance for making distinctions. Atlanta, GA: Council of State and Territorial Epidemiologists. Turn, R., and W. H. Ware. 1976. Privacy and security issues in information systems. The RAND Paper Series. Santa Monica, CA: The RAND Corporation.