Sponsored by the HealthcareTrainingInstitute.org providing Quality Education since 1979
Add to Shopping Cart

HIPAA: Seting Ethical Client Boundaries 
3 CEUs HIPAA: Seting Ethical Client Boundaries


Manual of Articles Sections 5 - 11
Section 5
Informed Consent & Clinical Research Involving Children & Adolescents: Implications of HIPAA Revision, Ethics

Question 5 | Ethics CEUs Answer Booklet | Table of Contents | Confidentiality CEU Courses
Social Worker CEUs, Psychologist CEs, Counselor CEUs, MFT CEUs

When Is Clinical Research Governed by HIPAA?
Successful compliance with APA ethical standards for informed consent must include an understanding of the relation between HIPAA (Public Law 104-191) and clinical research. In 1996, HIPAA was approved by Congress to create standardized formatting of health care records across providers, institutions, localities, and states. Recognizing that uniform standards for creating, transmitting, and storing of health care records increased the potential for privacy violations. Congress included HIPAA Privacy Standards (45 CFR Part 160 and Subparts A and E of Part 164; effective April 14,2003) to limit the use and release of health information, give patients greater access to and control of their records, and establish legal accountability and penalties for unauthorized use and disclosure of individually identifiable health information.

Definitions
Understanding the implications of HIPAA for clinical research involving children and adolescents requires familiarity with HIPAA terminology and definitions.

Protected health information (PHI). HIPAA regulations apply only to PHI. PHI is defined as oral, written, typed, or electronic individually identifiable information related to (a) a person's past, present, or future physical or mental health; (b) provision of health care to the person; or (c) past, present, or future payment for health care. For health information to come under the definition of PHI, it must be created by an employer or by a covered entity. Research data derived from diagnostic or treatment information created by an investigator or acquired from existing health care records would be considered PHI.

Covered entity. A covered entity is defined as a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with financial or administrative activities related to health care. Investigators who are responsible for data collection involving mental health assessments or treatment that will be entered into a research participant's health care records or used for health care decisions is a covered entity. Health care organizations or independent practitioners from whom health care data may be obtained are also covered entities.

Definitions of treatment and research. HIPAA defines treatment as "the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another" (45 CFR 164.501). Research is defined as "a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge" (45 CF 164.501).

Research governed by HIPAA. Research in general is not considered a HIPAA-covered function. However, research activities that involve a covered entity or include treatment, payment, or the administration of health care operations must adhere to relevant HIPAA regulations. Psychologists conducting research involving direct delivery of services or assessments and diagnoses that will be used for a patient's treatment decisions should consider themselves covered entities under HIPAA. Psychologists who are not directly involved with patient care but are involved in the design or analysis of data for intervention or quality improvement research for a health care facility or other covered entity must use HIPAA-compliant procedures appropriate for that entity. Investigators who are not involved in direct delivery of services or intervention research but who provide consultation to or plan to use in their research PHI created by a covered entity must provide assurances of HIPAA compliance to the covered entity.

HIPAA permits institutions to segregate non-health care and health care related functions. However, constructing such institutional policies in ways that are HIPAA compliant are difficult. Thus investigators who work in academic settings affiliated with a medical institution or other health care facility must consult with their institution's legal counsel to determine whether, irrespective of their specific research activities, they are subsumed under the institution's HIPAA umbrella (Barnes & Kulynych, 2003).

Implications of HIPAA. HIPAA requires that if a person has legal authority to act on behalf of a minor in making health care decisions, a covered entity must treat such a person (called a personal representative) as the individual. Exceptions are permitted if there is reason to believe the patient or participant has been abused or is endangered by the personal representative or that treating the individual as a personal representative would not be in the best interests of the patient or participant (45 CFR 164.502g). This requirement refers to parents who are generally recognized as personal representatives of their minor children and court-appointed guardians or holders of relevant power of attorney.

HIPAA notice of privacy practices. When health care will be provided as part of a research protocol, HIPAA requires that prospective participants and their guardians receive a Notice of Privacy Practices that describes the psychologist's policies for use and disclosure of PHI, and the patient's and guardian's rights and investigator's obligations under the Privacy Rule (45 CFR 164.520). In most instances, the Notice will be given to prospective participants or their legal guardians at the same time as informed consent is obtained, because the Notice provides information relevant to the scope and limits of confidentiality (Fisher, 2003c). The Notice must be provided to participants and guardians in written form and separate from other informed consent procedures or documents.

HIPAA authorization to use PHI for research. To create, use, or disclose PHI for research purposes, a covered entity must receive a signed authorization from the prospective participant or a legal guardian limited to the specific research project (45 CFR 164.508[c]). Research is one of the few activities for which HIPAA permits authorization for the use or disclosure of PHI to be combined with informed-consent information and other types of written permission for the same research (45 CFR 164.508[b][3][i]). In addition, unlike nonresearch treatments, investigators who conduct clinical trials can condition provision of treatment within the research protocol based on authorization (45 CFR164.508[b][4][i]).

HIPAA authorization is also required for psychologists conducting records research on PHI collected by other persons or institutions that are covered entities. With few exceptions, when records contain identifiable health information, covered entities cannot give investigators access without a patient- or guardian-signed authorization that details the specific information that can be used and that states that its use is limited to the specific research purposes and to the specific investigative team for a specific period of time.
- Fisher, Celia; Informed consent and clinical research involving children and adolescents: implications of the revised APA ethics code and HIPAA; Journal of Clinical Child & Adolescent Psychology; Nov 2004; Vol. 33; Issue 4.
The article above contains foundational information. Articles below contain optional updates.

Personal Reflection Exercise #1
The preceding section contained information about the implications of the revised HIPAA on informed consent and clinical research with children and adolescents. Write three case study examples regarding how you might use the content of this section in your practice.

Ethics CEUs QUESTION 5
What type of research must adhere to relevant HIPAA regulations? Record the letter of the correct answer the Ethics CEUs Answer Booklet

 
Others who bought this Confidentiality Course
also bought…

Scroll DownScroll UpCourse Listing Bottom Cap

Ethics CEUs Answer Booklet for this course | Confidentiality CEU Courses
Forward to Section 6 - Manual Article
Back to CD Track 4
Table of Contents
Top

The article above contains foundational information. Articles below contain optional updates.
Compliance Front And Center As HHS Keeps Up HIPAA Heat - Law360 (subscription) - April 06, 2017

Compliance Front And Center As HHS Keeps Up HIPAA Heat
Law360 (subscription)
This attention on documentation of HIPAA compliance is likely the result of the OCR's recent HIPAA audit, the frequent assessments of large civil penalties for HIPAA violations by the OCR, and the U.S. Department of Justice Fraud Section's new formal ...

From Collector: Clearing the Hurdles - ACA International - April 25, 2017

From Collector: Clearing the Hurdles
ACA International
If you collect medical debt, that's old news— your clients have likely required you to be HIPAA compliant for years. But here's something Mark Hinely, Esq., regulatory compliance specialist at KirkpatrickPrice LLC, says he often hears from covered ...
Finxera Receives SOC 2 Type I Attestation, HIPAA Security Rule ...Virtual-Strategy Magazine

all 2 news articles »
United States: HHS Expected to Release Significant HIPAA Privacy Guidance This Year; Compliance Audits Proceed ... - Mondaq News Alerts (registration) - March 29, 2017

United States: HHS Expected to Release Significant HIPAA Privacy Guidance This Year; Compliance Audits Proceed ...
Mondaq News Alerts (registration)
On March 27, 2017, Iliana Peters, Senior Adviser for HIPAA Compliance and Enforcement at the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) spoke about OCR enforcement, current trends, and breach reporting statistics ...

and more »
Former OCR Advisor on HIPAA Compliance and Data Breaches: “This is a Management Problem, Not a User Problem” - Healthcare Informatics - April 13, 2017

Healthcare Informatics

Former OCR Advisor on HIPAA Compliance and Data Breaches: “This is a Management Problem, Not a User Problem”
Healthcare Informatics
The Department of Health and Human Services' Office for Civil Rights (OCR) has stepped up its enforcement activities in recent years, and 2016 was a very busy year in Health Insurance Portability and Accountability Act (HIPAA) enforcement activity. In ...
Metro Community Provider Network agrees to $400k HIPAA settlementBecker's Hospital Review
Health Center Agrees to $400K OCR HIPAA SettlementHealthITSecurity.com
Overlooking risks leads to breach, $400,000 settlement | HHS.govU.S. Department of Health and Human Services

all 8 news articles »

OnlineCEUcredit.com Login


Forget your Password Reset it!