HIPAA Privacy Rule Legal Citation

However, the provisions of the confidentiality rule as interpreted by HHS have made it more difficult to effectively use these valuable resources for research. Therefore, patients should be contacted again for individual approval of additional studies conducted using the data and samples collected, unless researchers receive a waiver or change of approval from an IRB or privacy committee. Re-contacting patients for additional approval is not only inconvenient, but can be intrusive and stressful for patients and their families, even when it is possible. The Committee is of the view that future authorization for the use of these databases and biosample banks should be appropriate for privacy purposes, provided that an IRB or Privacy Board oversees the research. Therefore, HHS should eliminate the discrepancy between the data protection rule and the Common Rule by providing guidance explicitly stating that future research may continue if the permit describes the types or categories of research that may be conducted using the PHRs stored in the biological sample and if an IRB or data protection board determines that the proposed new research is not incompatible with the initial consent and authorization and poses minimal risk.

Hybrid entity. The confidentiality rule allows a covered entity that is a single legal entity and performs both covered and non-covered functions to register as a “hybrid entity”. (The activities that make a person or organization a covered entity are its “covered functions”.) To be a hybrid entity, the covered entity must designate in writing its business activities performing covered functions as one or more “components of health care”. According to this designation, most of the requirements of the data protection rule apply only to healthcare components. A covered entity that does not use this designation is subject to the confidentiality rule in its entirety.

SACHRP made a similar recommendation, stating that the data protection rule requires sufficient privacy protection without applying this part of the privacy rule to research. Indeed, the SDSP concluded that the cost and burden of complying with SOA requirements was so high that institutions would likely bear the risk of non-compliance rather than the cost of compliance. Noting that researchers must establish a specific standard of confidentiality before an IRB or Privacy Board issues an exemption from authorization, or before an affected entity grants a researcher access to PHI in preparation for research, SACHRP recommended that relevant companies inform patients in the HIPAA Privacy Practice Notice that their PHI may be used and disclosed for research purposes without their permission if adequate data protection safeguards are in place.

The IOM Committee agrees and recommends that HHS reform the accounting requirements for disclosures of protected health information for research. In the interest of transparency, institutions should maintain a publicly accessible list of all studies approved by an IRB or privacy board instead of the SOP requirement. However, as the health system moves towards wider adoption of electronic health records, automatic tracking of audit trails will be an important element.

Privacy Policies and Procedures. A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.

Additional guidance from HHS, as well as certain changes in the interpretation of HHS, would reduce misunderstandings about the provisions of the data protection rules by covered entities, IRBs and data protection committees, and would help harmonize federal health research regulations, which in turn would reduce complexity for the researchers and institutions involved and thereby contribute to ensuring consistent and adequate protection of patient privacy. Therefore, HHS should develop revised and expanded guidelines on the confidentiality rule.

Health inspection activities. Affected entities may disclose protected health information to health regulators (as generally defined) for the purposes of legally authorized health surveillance activities, such as audits and investigations necessary to monitor the health system and government benefit programs.

Complaints. A relevant entity must have procedures in place for individuals to complain about compliance with their privacy policies and procedures and the data protection rule. The entity concerned must explain these procedures in its statement of privacy practices.

Personal representatives. The Privacy Rule requires that a covered entity treat a “personal representative” in the same manner as the individual with respect to the use and disclosure of the individual's protected health information, as well as the individual's rights under the Rule. A personal representative is a person who is legally authorized to make health care decisions on behalf of a person or to act on behalf of a deceased person or the estate.
