April 14, 2004 marks the paper anniversary of the compliance date for the Privacy Rule of the Health Insurance Portability and Accountability Act (commonly referred to as HIPAA), a part of the most significant and far-reaching U.S. health-care legislation in the past decade. As an extension of health care, and as an initially unintended consequence, HIPAA has also affected how clinical research in this country is conducted, and the administrative burdens associated with HIPAA have trickled down to the individual clinical investigator. This article will look back on a year of clinical research under the HIPAA Privacy Rule, explain and explore its burdens, as well as look forward to potential changes in the law in the years to come.
The Final Rule
HIPAA is divided into three rules: the Privacy Rule, Security Rule (dealing with transmission of health-care information) and the Transactions and Code Set Rule. Each rule had its own focus, boundaries, plan for implementation and compliance date. Because the Privacy Rule governs the transmission of health information, it has had the largest effect on research.
Although the initial HIPAA legislation passed in 1996, it was more than four years before the Department of Health and Human Services made regulations available. It was another three years and four amendments later before we had the final, binding Privacy Rule and regulations. The final rule in its entirety can be found on the DHHS website (dhhs.gov).
This constant flux in the regulations confused regulators, industry personnel and clinical investigators alike. Consequently, prior to and immediately following the April 14, 2003 compliance date, many current and potential investigators were reluctant to engage in research activities for fear that they would be subject to different and restrictive guidelines under the Privacy Rule.
The Privacy Rule Explained
The HIPAA Privacy Rule established the minimum federal standards for protecting the privacy of individually identifiable health information. Individually identifiable health information, also referred to as protected health information or PHI, is medical or health information that contains specific identifiers (such as name, Social Security number, etc.). Under the Privacy Rule, covered entities are not allowed to use or disclose PHI without obtaining prior authorization from an individual. It's important to note that, although the Privacy Rule preempts state and local privacy laws, it only preempts those laws that are less rigorous or contrary to it. Therefore, local statutes that are more stringent than the federal Privacy Rule must be observed in addition to the Privacy Rule. It's also important to note that the Privacy Rule only covers the use and disclosure of patient information; all applicable federal, state and local laws and regulations concerning medical research and the disclosure of health information related to that research are still in effect.
Are You Covered?
Prior to initiating any clinical research project, clinical investigators should first determine if they or any other parties involved in the project are considered a "covered entity," as this is the primary factor in determining who is subject to the Privacy Rule.
The HIPAA Privacy Rule covers three classifications of entities, which may be organizations, institutions or individuals. They are: 1) covered entities; 2) hybrid entities and 3) business associates. Any entity that doesn't meet at least one of these definitions is not considered subject to the HIPAA Privacy Rule.
• Covered entities. Most, if not all, clinical investigators can be defined as covered entities. HIPAA defines covered entities as health plans, health care clearinghouses and/or health care providers who electronically transmit health information for treatment, payment and health-care operations. A common example of this transmission would be the transfer of health information from a clinical investigator to an insurer. The DHHS has created tools to help entities, such as clinical investigators, identify whether or not they are covered by HIPAA. These tools can be accessed through the HIPAA link on the CMS site: www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.
• Hybrid entities. A hybrid entity, as its name suggests, is an entity (again, including organizations, institutions or individuals) that performs both covered and non-covered functions. A common example of a hybrid entity in a research setting is a university hospital. In this example, the university hospital (the hybrid entity) performs both covered functions, in the form of health-care operations, as well as non-covered functions, the university's academic operations. In order to qualify as a hybrid entity, one must clearly distinguish which parts are covered and which parts are not. By law, any part of a hybrid entity that electronically transmits health information for treatment, payment and health-care operations must follow the Privacy Rule.
• Business associate. A business associate is an entity that performs activities related to the Privacy Rule on behalf of a covered entity. As a result, the business associate may be responsible for receiving or disclosing protected health information. Before a covered entity can disclose PHI to a business associate, the entity must first obtain assurances that the business associate will properly safeguard the PHI. These assurances are usually obtained in the form of a written contract commonly called a business associate agreement. Because the Privacy Rule does not directly regulate research, entities such as sponsor companies, contract research organizations, site management organizations and other non-covered business entities related to research are typically not considered business associates.
Minimum Criteria for an Authorization Waiver
1. Use or disclosure involves no more than minimal risk to the privacy of individuals because of the presence of at least the following elements:
(a) an adequate plan to protect health information identifiers from improper use or disclosure;
(b) an adequate plan to destroy identifiers at the earliest opportunity if there isn't a health or research justification or legal requirement to retain them;
(c) adequate written assurances that the protected health information will not be used or disclosed to a third party except as required by law, for authorized oversight of the research study or for other research uses and disclosures permitted by the Privacy Rule.
2. Research could not practicably be conducted without the waiver or alteration.
3. Research could not practicably be conducted without access to and use of protected health information.
The Privacy Rule includes a limited provision that grandfathers certain permissions for research obtained prior to the compliance date. These transition provisions allowed covered entities to use and disclose PHI for research purposes before, during and after the compliance date, provided that any one of the following permissions was obtained before April 14, 2003:
• an authorization or other express legal permission from an individual to use or disclose PHI for the research;
• the informed consent of the individual to participate in the research; or
• a waiver of informed consent by an IRB.
The traditional review of medical records by a clinical investigator or his staff in preparation for a clinical research trial is permitted by the Privacy Rule. The rule doesn't require any prior or further authorization by the prospective research participant, provided the PHI is not removed from the covered entity's premises (including by electronic transmission). In addition, the physician or his staff may contact a prospective research participant to determine his candidacy and interest during the recruitment process if this type of use and disclosure is explained and agreed to by the patient in the covered entity's Privacy Notice.
This type of use or disclosure can be widened to other covered entities or non-covered entities, as well. However, the specific information to be used or disclosed and the entities that would be granted access to this information must be outlined in the clinical investigator's privacy notice, and the patient must agree to its terms before the information is used or disclosed.
For those instances when the reviewer of the medical records isn't part of the clinical investigator's practice (i.e., is not within the covered entity) and/or the reviewer has no treatment relationship with the clinical investigator's patients, the reviewer must first obtain either individual authorization from each prospective research participant or a partial waiver of authorization from an IRB or Privacy Board. Both the individual authorization and the partial waiver of authorization must occur prior to the clinical investigator (the covered entity) sending or allowing access to any of the PHI. These instances typically arise when a site management organization is employed to aid and/or supplement the clinical investigator's staff in a clinical research trial.
In order to obtain a waiver of authorization, the IRB or Privacy Board must determine if minimum criteria are met (See "Minimum Criteria for an Authorization Waiver," below).
Finally, any receptionist scripts used to explain a research study should receive IRB approval.
• Advertising. Recruiting done outside of the clinical investigator's practice, such as through advertising or outside referrals from patients, involves voluntary disclosures of PHI and therefore is not covered by the Privacy Rule. However, any subsequent disclosure of the information obtained through the recruiting process can be considered PHI and is protected by the Privacy Rule. Also, all advertisements in relation to or preparation for a study are subject to regulations concerning human subject protection and thus must receive IRB approval prior to use.
• Physician referrals. Referrals from other physicians outside of the clinical investigator's practice are another common source of prospective research participants. Because this involves the use and disclosure of PHI between covered entities, it invokes the Privacy Rule and either an authorization or a partial waiver of authorization should be obtained first.
One of the underlying principles of the HIPAA Privacy Rule is the patient's right to authorize, not authorize or revoke his authorization of the use or disclosure of his PHI by a covered entity. Because this type of use or disclosure is essential to the conduct of clinical research trials and the transmission of data gathered in those trials, individual authorization has become as integral a part of clinical research in the United States as informed consent. As required by the Privacy Rule, a "valid" authorization must take the form of a written document and, like the informed consent, a signed copy must be provided to the research trial participant.
Before the Privacy Rule went into effect, only an informed-consent form was necessary for prospective research participants to read, understand and sign. With the advent of the Privacy Rule, a valid authorization has been added to the core documents required prior to a subject's participation in a clinical research trial.
The authorization is required for the investigator to use and/or disclose the research participant's PHI gathered as a part of a clinical trial. A research authorization differs entirely from an informed-consent form and is not intended to replace consent. The authorization may stand separately or be included as part of an informed-consent document, provided that the essential requirements for both documents are met. Unless integrated into an informed consent, a research authorization does not require review and approval of an IRB prior to its use.
As established in the Privacy Rule, research authorizations can differ slightly from traditional authorizations. For example, there are certain circumstances in which a researcher whose research patient revokes his authorization can still use or disclose PHI after the authorization has been revoked. The reasons for this would include accounting for subject withdrawal, investigating scientific misconduct or reporting adverse events.
Another unique characteristic of a research authorization is that it can limit or temporarily deny an individual's access to his PHI as it relates to the study. However, the covered entity must inform the research participant when his PHI access will be restored. Typically, this right is restored upon the completion of the research trial. This provision maintains confidentiality and allows the masking of trial data to ensure unbiased responses.
While providing a national standard for privacy of health information, the Privacy Rule has presented clinical investigators with a greater administrative burden by increasing regulatory requirements in an already heavily regulated environment. It's unclear whether the addition of the Privacy Rule has actually helped to make PHI in research trials more secure and, if it has, whether the benefit of these safeguards outweighs the clerical burdens. For this, only time will tell.
Dr. Abelson, an associate clinical professor of ophthalmology at Harvard Medical School and senior clinical scientist at Schepens Eye Research Institute, consults in ophthalmic pharmaceuticals. Mr. Slugg is a Senior Manager and HIPAA privacy officer and Mr. Izen is a research associate at Ophthalmic Research Associates in North Andover.