|
|
January 6, 2003
Before Christmas, you received an e-mail about new federal privacy regulations
that will be effective on April 14, 2003. In that e-mail I failed to
include the detail on the Web site which has further information about
the regulations, as well as a specific teaching module to assist you
in completing the new privacy authorization form. Therefore, I am re-sending
the e-mail in full with the additional information.
The new regulations, called the "HIPAA Privacy Regulations,"
require everyone at Hopkins to be more careful with patient information
and to use only the patient information needed for any task. They also
require physicians who treat patients or engage in research to do several
things, including providing privacy notices, obtaining certain authorizations
and keeping certain records of disclosures.
You and your staff will need to learn more about HIPAA and what you
and your staff must do to comply with its requirements. The JHU/JHHS
HIPAA Office has prepared training materials for you and your staff
which will be on the Web and also will be presented in face-to-face
sessions over the next four months. A roll-out of these materials will
occur in January.
The following is an outline of HIPAA's major requirements. Specific
teaching materials and forms will be available in the coming months
to aid you with each of these tasks.
- On and after April 14, 2003 each time you see a patient or research
participant you or the admitting desk will need to provide a Notice
of Privacy Practices to the individual. This notice tells patients
and participants how Hopkins will use and disclose their health information.
The form sets forth HIPAA requirements, state law requirements and
Hopkins specific policies. You should read it to make sure you know
what Hopkins is telling individuals about how we use and disclose
their information. The Notice will be available in final form at the
time of the roll-out in February.
- Whenever you use or disclose patient information -- whether verbally,
electronically or in writing -- be careful to share it only with those
who need to know, and use only the health information needed for the
task.
- Except for psychotherapy notes and in certain other rare instances,
if patients ask to see a copy of their medical record, Hopkins must
make it available to them. Also, if the patient asks to change or
amend their medical record, we must have a process to consider their
request and get back to them regarding our decision.
- When Hopkins shares health information with third parties who will
do work on our behalf, we usually will need a "business associate"
agreement with the third party. (The HIPAA Office has developed a
form "business associate" agreement.)
- There are several new requirements that relate to research:
(1) In addition to the informed consent currently required under the
Common Rule, researchers also will need to get, and IRBs will need
to approve, a privacy authorization for research participants.
- For ongoing research protocols that will be enrolling participants
on or after April 14, 2003, researchers will need to use this new
privacy authorization. The new form must be completed and approved
by the appropriate IRB before April 14, 2003. (Please go to www.insidehopkins
medicine.org/hipaa/. Click on "Teaching Modules" and
then on "Preparing Research Privacy Authorizations". The
form and instructions for submitting the form via e-mail are included.)
- For new research protocols, the privacy authorization requirements
will be integrated into the informed consent form. (The HIPAA and
IRB Offices are finalizing the form which will become part of the
new required template for the consent form.)
(2) If a researcher requests a waiver of consent or a waiver of written
consent under the Common Rule, the IRB will need to make special privacy
findings in addition to those findings necessary under the Common
Rule.
(3) If researchers wish to look at patients' records in their preparation
for research, researchers will need to make some simple, straightforward
representations to the IRB as to the research purposes for their use
of the patients' records. (A form will be available on the web for
this reporting.)
(4) Even though research on decedents' records generally does not
require IRB review under the Common Rule, under the HIPAA regulations,
researchers will need to make some simple, straightforward representations
to the IRB as to the research purpose for their use or disclosure
of decedents' files in research. (A form will be available on the
web for this reporting.)
(5) If a researcher has created a separate research database and the
principal purpose of the database is availability for future research,
the creation of the database needs to be acknowledged and "grandfathered"
through a waiver by the IRB. (The IRB and HIPAA Offices are working
on a streamlined form for this activity.) Future additions to these
databases will require either patient authorization or an IRB waiver
of authorization unless certain exceptions apply.
(6) Hopkins needs to keep a record of disclosures of PHI that are
made in connection with waived research, research using decedents'
records and reviews preparatory to research. (The IRB and HIPAA Offices
have developed forms for this recordkeeping.)
There are additional requirements as well. There will be a lot of
information coming to you on HIPAA and on the Privacy Regulations
in the near future. In the meantime, if you would like more information,
click on the web site which is www.insidehopkinsmedicine.org/hipaa/.
You also may contact:
Carol Richardson
Privacy Officer
Phone .…. 410-502-7983
Fax …… 410-955-0636
E-Mail crichar@jhmi.edu
Joanne E. Pollak
Vice President with HIPAA Responsibility
Phone ….. 410-614-3323
Fax …… 410-614-3465
E-Mail jpollak@jhmi.edu
As you read about these new requirements, please know that Drs. Brody
and Miller and Mr. Peterson have established a unified HIPAA Office
to serve both JHU and JHHS. The Hopkins approach will be one that addresses
the regulatory requirements within the tight time frame but also looks
at the long range implementation of a meaningful compliance plan.
Sincerely,
JOANNE E. POLLAK
Joanne E. Pollak
Vice President and General Counsel JHM and
HIPAA Administrative Coordinator for JHU / JHHS
Copyright © 2002 by JHHS and JHU
The faculty, staff and employees of Johns Hopkins Medical Institutions
are given permission to copy or print the contents of this page for
internal use only. Any other use of this information, including reproduction
or publication, is prohibited without explicit permission from Johns
Hopkins Medical Institutions' General Counsel.
|
