HIPAA Privacy Rules

HIPAA Privacy Rule, Research and the IRB

What is the HIPAA Privacy Rule?
Notice of Privacy Practices
Authorization to Use and Disclose Protected Health Information (PHI)
Requirements for a valid HIPAA Authorization
Revocation
Besides obtaining a HIPAA Authorization, what are other ways to obtain PHI for research?
Waiver of Authorization
Records Review Preparatory to Research and for Research on Decedents
No Authorization Required
Face-to-Face Discussion
De-identified Data
Limited Data Set
Non-covered Entities
Other Disclosures Relative to Research
How does the Privacy Rule impact informed consent?
How does the Privacy Rule impact creation of research databases?
How does the Privacy Rule impact patient recruitment?
Scenarios of Acceptable Practice:
Identification of patients within the Investigator's practice
Advertising
Referrals from other physicians / recruitment centers
What is the role of the IRB?

HIPAA and Research - Quick Reference Guide

HIPAA Privacy Rule, Research and the IRB

The arrival of 14 April 2003, the compliance date for the HIPAA Privacy Rule, did not eliminate the confusion regarding its impact and implementation. The Privacy Rule is a complex system of rules and constraints. Learning it is like learning a new language – which requires mastery of the grammar and exposure to a large number of examples. To facilitate the process, this paper reviews the basics, clarifies IRB responsibilities, and provides descriptions and examples of research practices acceptable under the Privacy Rule.

The Privacy Rule establishes the conditions under which protected health information (PHI) may be used or disclosed by covered entities for any purpose, including research. Covered entities include health plans, health care clearinghouses, and health care providers that electronically transmit PHI. Not every healthcare provider is a covered entity, but for those that are, the Privacy Rule governs the use and disclosure of PHI that is transmitted or maintained in any form - electronic, paper or verbal. This discussion assumes that investigators conducting research are covered entities under the Privacy Rule.

The Privacy Rule requires a covered entity to provide individuals prior notice of its policy (Privacy Notice) regarding the way that the entity may use or disclose PHI, what its responsibilities are with respect to such information, and the rights individuals have and how they may exercise them. A covered entity's practices must be consistent with those described in the Privacy Notice, and use and disclosure of PHI should be limited to the minimum necessary to achieve the purpose intended (the minimum necessary standard).

The Privacy Rule also requires a covered entity to enter into a written contract (Business Associate Contract) with persons or businesses performing certain covered functions on their behalf that involve PHI. Research is not one of those functions. Therefore, disclosure of PHI for research purposes does not require a Business Associate Contract.

However, the Privacy Rule specifies that a covered entity may not use or disclose PHI for research purposes unless the subject has provided, in advance, his/her written authorization (Authorization) for such use or disclosure. This Authorization is different from the requirement for informed consent. Under the Privacy Rule, an Authorization allows simply for the use and disclosure of PHI for research purposes. By contrast, informed consent is the patient's consent to participate in the research study as a whole.

Under both the Common Rule and FDA regulations governing human research (federal human research policies), the function of the Institutional Review Board (IRB) is to protect the rights (including privacy) and welfare of human subjects and to minimize risks (including risks to confidentiality). The Privacy Rule supplements federal human research policies by requiring that the protection of confidentiality in research be handled in a very specific way.

Research funded by states or private sponsors is not regulated by federal human research policies. The Privacy Rule is broader than federal human research policies in that it extends to all research, regardless of funding, and to both living and deceased individuals.

Where the Privacy Rule and federal human research policies are applicable, both must be followed. Where they overlap, the most stringent standard applies. Similarly, state law continues to apply where it is more restrictive than the privacy rule.

Obtaining Authorization

The minimum necessary standard does not apply to use and disclosure of PHI with patients' Authorization. The form used to obtain valid Authorization is specific. Individuals must be provided, in writing, the relevant information on which to base their decision to allow the uses/disclosures.

Six essential elements apply to any Authorization regardless of the purpose for the use or disclosure:

1. A description of what information will be used
2. Who will use it
3. To whom it will be disclosed
4. For what purpose
5. An expiration date, and
6. A patient's dated signature

The Authorization must also provide notice of a patient's right to revoke the Authorization, the ability of the investigator to condition research participation on the Authorization and of the potential for PHI to be re-disclosed.

An Authorization must be specific in the description of these elements and notices and investigators should take care to identify and include any secondary uses and disclosures (re-disclosures) that might be associated with the research, e.g., disclosures to sub-investigators not within the investigator's covered entity. The expiration date for research Authorizations may be indicated as "end of the study" (or "none" for an Authorization to place PHI in a research database).
The Privacy Rule does not require review and approval of (stand-alone) Authorization forms prior to use. However, the covered entity is accountable for compliance with these requirements and may require an internal approval procedure (by a forms committee, HIPAA compliance board, or its IRB). To enroll research subjects, investigators must obtain signatures on both the Authorization and the informed consent document required by federal human research policies. The regulations allow the two to be combined into one document. But in some cases, the requirement for an Authorization may be triggered separately or prior to the requirement for informed consent. For instance, HIPAA Authorization is required to disclose PHI already in existence to an investigator who is not part of the covered entity for the purpose of determining potential eligibility for a research study.

Revocation - the Reliance Exception

Upon receipt of written revocation, the covered entity must stop using / disclosing PHI, except to the extent that the covered entity has acted in reliance on the Authorization. For research, the reliance exception would permit the continued use and disclosure of PHI to account for subjects' withdrawal from the research study, to include in safety or efficacy analyses for a marketing application submitted to FDA, to conduct any investigation of misconduct or to report adverse events. However, information gathered after revocation may not be used or disclosed, even under the reliance exception.

Other Ways to Obtain PHI for Research

Short of a HIPAA Authorization, there are several ways PHI may be obtained for research. Covered entities may obtain documentation that an IRB or Privacy Board has granted a waiver of the required Authorization (Waiver). Covered entities may also use PHI without Authorization if a researcher represents that the PHI is necessary to prepare for research or that the PHI is solely for research on decedents.

Waiver of Authorization

Protected health information used or disclosed under a Waiver is subject to the minimum necessary standard. To grant a Waiver, an IRB or Privacy Board must find that the research satisfies the following criteria:

1. There is “minimal risk to privacy” which includes meeting three criteria:

a. There is an adequate plan to protect patient identifiers;
b. There is an adequate plan to destroy identifiers at the earliest opportunity (unless there is a health or research justification or it is required by law); and
c. There are adequate written assurances against re-disclosure.

2. The research could not be practically conducted without the Waiver.
3. The research could not be practically conducted without access to PHI.

Covered entities must receive documentation of the Waiver before use or disclosure is permitted that includes: the identity of the IRB or Privacy Board and Waiver approval date, a brief description of the PHI involved, review and approval procedures utilized (i.e., full or expedited review under either federal human research policies or Privacy Rule regulations) and signature by the Chair or other designated member of the reviewing board.

Waivers are likely to be sought for retrospective studies involving medical records review or database research involving PHI (where the patient is unavailable to give Authorization).
An IRB or Privacy Board may also grant a "partial waiver," as defined in Department of Health and Human Services (DHHS) commentary. The partial waiver can be granted separately - even if the IRB / Privacy Board does not grant a waiver of informed consent to participate in the research or a Waiver for access to PHI. Partial waivers are likely to be sought to enable investigators to contact and recruit individuals as potential research subjects. The PHI to be shared would be limited to that necessary to determine eligibility.

Records Review Preparatory to Research and for Research on Decedents

Investigators may review and use PHI from within their own covered entity without prior Authorization if the investigator represents to the covered entity that the PHI is necessary to prepare a research protocol or to determine its feasibility. No PHI may be removed from the covered entity during the course of the review and the PHI sought must be necessary for research purposes.

Likewise, investigators may review and use information within their own covered entity for research on decedents if the investigator represents to the covered entity that the use is sought solely for research on the PHI of decedents, is necessary for the research purposes and documentation of the death of the decedents is available. (Note: PHI of deceased persons could be released only if a personal representative authorizes disclosure.)

No Authorization Required

Use/disclosure permitted without Authorization or Waiver is discussed below.

Face-to-face Discussion

The Privacy Rule permits a covered entity to disclose PHI to the individual that is the subject of the PHI without prior Authorization. Therefore, Authorization is not required when an investigator or other entity communicates with a patient face-to-face.

De-Identification

The Privacy Rule does not apply to health information that cannot be used to identify an individual. Therefore, research using de-identified data is exempt from the Privacy Rule. To be "de-identified," health information must not include any of 18 types of identifiers (e.g., name and contact information, dates [except year], Social Security number, medical record or plan beneficiary number, URLs, email or IP addresses). An alternative to this type of regulatory de-identification of records is a determination by a qualified statistician that the risk of re-identification is "very low." The details in the definition of de-identified information are important; for example, under the Privacy Rule a ZIP code alone is identifiable information if it is for an area with fewer than 20,000 people, while age alone is not considered identifiable unless the person is 90 or older.

De-identification can only happen within the covered entity (or under a Business Associate Contract). So, an investigator may use records held within his/her own entity to de-identify PHI, and the de-identified PHI may then be disclosed without Authorization. However, if the information is re-identified, or a code that allows for re-identification is disclosed, the Privacy Rule applies.

Anonymization vs. de-identification

It is worth noting that the Privacy Rule and the federal human research policies define identifiable information differently. The Privacy Rule allows "de-identified" data to incorporate a code that links it to patients' identities. However, federal human research policies require IRB review of research using such linked data. Under these federal policies only "anonymized" data is exempt from IRB review, and anonymized data may include neither identifiers nor any link to patient identity.

Limited Data Set

The Privacy Rule permits the use and disclosure of a "limited data set" for research purposes as long as there is a data use agreement in place that provides assurance that the recipient will not misuse the data. The recipients of a limited data set must agree to limit the use and disclosure of the data and agree not to re-disclose information. The PHI in a limited data set may not be used to contact subjects. Neither an Authorization nor a Waiver is required to disclose information in a limited data set.

A limited data set specifies 16 data elements that must be stripped (vs. 18 to de-identify data). Dates of admission, discharge, birth and death and geographical information such as five-digit zip code and the individual's state, county, city or precinct may be included. Limited data sets are not considered de-identified. They would be used for situations where it would be unreasonable to try to obtain Authorization, such as registries for public health or epidemiological research.
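As an added example (not part of the original guidance), the following Python applies the rules from this section and the De-Identification section above to one constructed patient record, producing a limited data set and a de-identified record and listing which fields would still identify the individual. The record layout, the ZIP-code population table and all function names are assumptions made for illustration.

```python
"""Added example, not from the original guidance: two Privacy Rule release
formats applied to a constructed record. Record layout, ZIP population
figures and function names are all constructed for illustration."""

# Direct identifiers from the identifier families the text names (name and
# contact details, SSN, medical record / plan numbers, URLs, e-mail, IP).
# Neither release format may contain them.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "email", "ssn",
    "medical_record_number", "plan_beneficiary_number", "url", "ip_address",
}

# Fields the text says a limited data set may keep but de-identified data may not.
DATE_FIELDS = ("admit_date", "discharge_date", "birth_date", "death_date")
SUB_STATE_GEOGRAPHY = ("city", "county", "precinct")

# Constructed population per ZIP code (assumption: census data in practice).
# The text's threshold: an area with fewer than 20,000 people makes the ZIP
# code identifying on its own.
ZIP_POPULATION = {"02139": 36_000, "03590": 8_500}
ZIP_MIN_POPULATION = 20_000
AGE_CAP = 90  # the text: age alone is identifying at 90 or older


def limited_data_set(record):
    """Strip direct identifiers but keep dates and geography. Such a record
    is not de-identified: release only under a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def de_identify(record, zip_population=ZIP_POPULATION):
    """Apply the de-identification rules the text describes."""
    out = limited_data_set(record)
    for field in DATE_FIELDS:               # dates survive only as a year
        if out.get(field):
            out[field] = out[field][:4]
    for field in SUB_STATE_GEOGRAPHY:       # anything finer than state goes
        out.pop(field, None)
    zip_code = out.get("zip")
    if zip_code is not None and zip_population.get(zip_code, 0) < ZIP_MIN_POPULATION:
        out.pop("zip")                      # small-area ZIP is identifying
    if isinstance(out.get("age"), int) and out["age"] >= AGE_CAP:
        out["age"] = f"{AGE_CAP}+"          # aggregate ages of 90 and over
    # A "link_code" (if present) may stay: the text notes that de-identified
    # data may carry a code linking to identity, as long as the code's key is
    # not disclosed outside the covered entity.
    return out


def safe_harbor_violations(record, zip_population=ZIP_POPULATION):
    """Fields that still identify the individual under the text's rules.
    Empty means the record may be released without Authorization or Waiver."""
    bad = [f for f in DIRECT_IDENTIFIERS if f in record]
    bad += [f for f in DATE_FIELDS if record.get(f) and len(record[f]) > 4]
    bad += [f for f in SUB_STATE_GEOGRAPHY if f in record]
    if "zip" in record and zip_population.get(record["zip"], 0) < ZIP_MIN_POPULATION:
        bad.append("zip")
    if isinstance(record.get("age"), int) and record["age"] >= AGE_CAP:
        bad.append("age")
    return sorted(bad)


# Constructed sample record; no real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "street_address": "12 Example St",
    "phone": "555-0100", "email": "jane@example.invalid", "ssn": "000-00-0000",
    "medical_record_number": "MRN-000001", "ip_address": "192.0.2.10",
    "birth_date": "1931-05-02", "admit_date": "2003-04-14",
    "discharge_date": "2003-04-20", "age": 92, "zip": "03590",
    "city": "Sampleville", "county": "Sample County", "state": "NH",
    "diagnosis": "hypertension", "link_code": "S-0007",
}

if __name__ == "__main__":
    print("original    :", safe_harbor_violations(SAMPLE_RECORD))
    print("limited set :", safe_harbor_violations(limited_data_set(SAMPLE_RECORD)))
    print("de-identified:", safe_harbor_violations(de_identify(SAMPLE_RECORD)))
```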

Non-covered Entities

The Privacy Rule protections do not apply to non-covered entities. Therefore, their use or disclosure of identifiable health information does not trigger the protections of the Privacy Rule.

Other Disclosures Relative to Research

There is an exception to the Authorization requirement that permits disclosure to non-governmental entities subject to FDA jurisdiction (including pharmaceutical manufacturers and their representatives) to allow reporting of adverse events, to enable product recalls, to track products and to conduct post-marketing safety surveillance (as required by FDA). Further, disclosure to FDA does not require Authorization because it is a required disclosure under the Privacy Rule, but FDA must be named in the research informed consent document.

Impact on Informed Consent

Where an individual participates in research involving treatment his/her right of access may be suspended for as long as the research is in progress. The individual must agree to this denial of access when consenting to participate in a clinical trial and the provider must agree to reinstate the right of access upon completion of the research.

Impact on Creation of Research Databases

Research registries and databases (databases) collect medical and demographic information and biological samples (tissue banks), when relevant, to provide a central information source for practitioners or for future research related to a certain disease or condition. Research databases may also be created to facilitate identification and subsequent contact of patients for participation in clinical trials. Such databases are also important to researchers who study epidemiological patterns of disease or track the success of health interventions across broadly dispersed populations.

Covered entities are permitted to disclose PHI to a database for research purposes provided the disclosure is made pursuant to a Waiver, an Authorization or consists of only a "limited data set." When an Authorization is required, it must specifically identify and limit the use/disclosure to the creation of a database (or tissue bank). Additionally, a covered entity's Privacy Notice must mention its intent to use/disclose PHI for databases.
Any future research trial using the database or tissue bank requires a separate, IRB approved protocol and a corresponding trial-specific informed consent/Authorization document (or a Waiver). Authorizations that attempt to cover future, unspecified research are not permitted.

Impact on Patient Recruitment - Scenarios of Acceptable Practice

The most significant impact of this regulation for investigators is in the area of patient recruitment. In an update to the Privacy Rule, effective August 14, 2002, the DHHS clarified that recruitment of subjects for research is indeed "research." Therefore, common recruitment practices such as records review and use of databases are now subject to the restrictions imposed by the Privacy Rule.

Recruiting subjects includes both the challenge of getting the information to the potential recruits and getting them interested in the study. It is important to remember that a research Authorization only permits the use and disclosure of PHI created for research. If a covered entity has an existing relationship with the patient and wants to use or disclose the PHI it obtained prior to the research for determining eligibility, separate Authorization (or Waiver) may be required. Methods for the identification of potential subjects and recruitment must be included in the IRB application to review the research.

Investigators typically find their research patients in one of three ways:

1. Identifying patients from within their own practice
2. Obtaining referrals from other physicians or recruitment centers, or
3. Through advertising (primarily in newspapers and on the radio).

Identifying Patients for a Study within the Investigator's Practice (within the entity)

The provision for review of PHI preparatory to research allows investigators to access and review their own patients' PHI to determine which patients might be eligible for a trial. Removal of PHI from the investigator's own covered entity is not permitted. Recent guidance from the Office of Civil Rights (OCR), assigned the task of enforcing compliance with the Privacy Rule, confirms that a researcher or other member of the covered entity's workforce may use PHI to contact prospective subjects. Because HIPAA does not limit disclosures to patients about their own information, covered entities may continue to discuss the option of enrolling in a clinical trial without an Authorization or Waiver. However, the covered entity's Privacy Notice must mention its intent to use/disclose PHI for this purpose.

Advertising

Recruitment advertisements appear in newspapers, on public transportation, on radio and television as well as on the Internet. The recruitment advertising may be managed by individual investigators or by central "recruitment centers." Recruitment centers publish advertising/websites that focus on symptoms and treatment for certain diseases/conditions. They distribute information to patients and caregivers about clinical trials that are currently recruiting patients. Patients may "opt-in" and register (voluntarily providing PHI) with these centers to receive information on clinical trials (and may "opt-out" at any time). Registered patients respond to the center if they are interested in a specific trial and may be referred directly to an investigator or to someone at the recruitment center who may administer a trial-specific screening interview.

Even though the Privacy Rule may not apply (many recruitment centers are non-covered entities), federal human research policies remain in effect. For instance, federal human research policies consider advertisements and screening interviews/scripts to be part of the informed consent process, which therefore must be approved by the governing IRB(s) prior to use.

Potential Patient Initiates Contact

Most advertising campaigns result in the interested, potential recruit contacting the investigator. These respondents have initiated the first contact and have, therefore, implicitly given their permission to be contacted by study staff. Because HIPAA does not limit disclosures to individuals of their own information, once contact is made, the investigator or study staff may discuss the option of enrolling in the clinical trial without an Authorization or Waiver.

However, if the next step for the investigator is to conduct a screening interview that results in PHI from potential patients being recorded prior to administration of the research Authorization/consent, then the investigator must obtain an Authorization or be granted a partial waiver for this use. If an IRB is presented a screening script for review, it makes sense for the IRB to evaluate its acceptability in terms of the criteria required to grant a Waiver. The IRB can grant a "partial waiver" for use of the PHI collected at the same time it grants IRB approval for the actual script.

Investigator Initiates Contact

A recruitment center may pass a prescreened list of candidates (PHI) on to the investigator for the investigator to initiate contact. If a recruitment center is a covered entity, Authorization is required for the PHI to pass. However, Privacy Rule protections are triggered only if the recruitment center is a covered entity - and many are not.

If the recruitment center is a covered entity, then the investigator must ensure that a) the recruitment center has obtained appropriate Authorizations under the Privacy Rule, or b) the recruitment center's IRB or Privacy Board has issued a Waiver for this specific disclosure and contact.

If the recruitment center is not a covered entity, then the Privacy Rule does not apply. The PHI may pass to the investigator without Authorization or Waiver; and the investigator may contact the recruits, who have initiated the first contact and voluntarily contributed information. This is a form of self-referral. In this context, the provisions of the Privacy Rule do not apply until the investigator intends to record PHI for the research.

Referrals From Other Physicians

It is common for investigators to ask their colleagues for assistance in identifying patients eligible for clinical trials. The most common approach targets specific patients: a treating physician reviews patient charts or a clinical data repository from his/her own covered entity against the study entry criteria and identifies patients meeting the criteria. If this PHI is shared between covered entities, it is a disclosure that triggers Privacy Rule protections. The investigator must determine that the referring physician has obtained either Authorizations from referred patients or a Waiver for this specific purpose.

It is the treating physician's responsibility to obtain patient Authorizations or the Waiver from his/her own IRB/Privacy Board to share PHI outside his/her covered entity. The Authorization may also include permission for the investigator to contact the patient. The treating physician should usually make the initial contact. Patients expect that information on their medical condition will be kept confidential. Many would consider it a serious breach of confidentiality to be contacted by someone not involved in his/her care.

Referral Letters

To facilitate referrals, an investigator may ask treating physicians to send out letters to their patients describing the study. The investigator's IRB must approve any such patient letter prior to use.

Many referral letters introduce the study to eligible patients and invite them to contact someone in the treating physician's office (which has an existing relationship with the patient) who can provide them with more information about the study. If the patient is interested in being referred to the study, his/her Authorization is required for the treating physician to share the patient's PHI with the investigator.

If the treating physician's office sends the letter to all patients -- not just those identified by record review -- and the investigator has no access to the list of recipients, no Privacy Rule protections are triggered. The letter may provide the investigator's contact information to allow patient self-referral and is thus analogous to any other "non-targeted" advertisement.

"Honest Brokers"

An "honest broker" may serve as an intermediary to facilitate patient referral. To identify eligible patients, an honest broker can de-identify PHI and code it in such a way that it can be re-identified. The investigator reviews the de-identified information to determine which patients meet study criteria. Since de-identified data is exempt, this part of the procedure would not require prior Authorization by patients. The broker then re-identifies the patients meeting the study criteria and provides the names of the identified patients to their personal physician(s). The patients' personal physician contacts the patients to introduce the study, ascertains their interest and obtains Authorization to share their PHI and be contacted by the investigator(s). The honest broker must be an agent of the referring covered entity and s/he cannot be one of the research investigators.

HIPAA -- What's an IRB to do?

Other than educating the Institutional Review Board about acceptable flows of PHI (which is not insignificant) the Privacy Rule has little effect on IRB responsibilities. The only direct change to IRB responsibilities is the addition of two specific instances where IRB authority to approve now exists:

• When a research site combines Authorization with informed consent documentation, the IRB is the final authority on the content of the document and will review the Authorization for compliance with the detailed requirements of the Privacy Rule.
• When a Waiver (or partial Waiver) is requested, either an IRB or Privacy Board must approve it.

Besides these two instances, the covered entity is responsible for Privacy Rule compliance, which is much broader than research. There is no requirement that the IRB be involved with any other HIPAA compliance responsibility.

The Privacy Rule requires covered entities to implement an administrative and procedural framework to control PHI and to ensure compliance with its provisions. These responsibilities cannot be transferred to a third party. Where the IRB is an actual part of the covered entity's workforce (within universities, research foundations, hospitals, etc.) it may be an appropriate place to delegate some or all of these responsibilities. However, an IRB carrying out these additional responsibilities is acting as part of the covered entity and not as an IRB per se.

Regardless, HIPAA Privacy Rule protections are intended to protect the rights and welfare of patients. Some IRBs have claimed authority to review all research Authorizations under 21 CFR 56 or 45 CFR 46. Others are finding it sufficient (for Authorizations separate from the informed consent) to request written assurance from an investigator that research Authorizations are/have been obtained as required. Either way, IRB review and HIPAA requirements each extend well beyond the other.

IRBs have always been responsible for making a thorough assessment of research design and conduct to ensure patient safety, including privacy protection. The Privacy Rule provides some new, specific elements to consider in this process. The real contribution of the Privacy Rule to the IRB process is that it provides IRBs with greater information about the flow of PHI among parties to research -- improving the assessment of privacy risks -- and provides patients with greater information about the uses and disclosures of their PHI. HIPAA compliance alone is not a marker for adequate protection of patient privacy in research, but is one component of an IRB's overall responsibility to ensure patient safety.

References

• Code of Federal Regulations, Title 45 CFR, Parts 160 and 164: Standards for Privacy of Individually Identifiable Health Information; Final Rule. Federal Register, August 14, 2002.

• Code of Federal Regulations, Title 45 CFR, Part 46: Protection of Human Subjects. (U.S. Government Printing Office, Washington, DC).

• Code of Federal Regulations, Title 21 CFR, Part 50: Protection of Human Subjects. (U.S. Government Printing Office, Washington, DC).

• Code of Federal Regulations, Title 21 CFR, Part 56: Institutional Review Boards. (U.S. Government Printing Office, Washington, DC).

• Office of Civil Rights, OCR Guidance Explaining Significant Aspects of the Privacy Rule (OCR, Washington, DC, December 2002; also available at http://www.hhs.gov/ocr/hipaa/privacy.html).

Prepared by:

Ellen Kelso Holt
Managing Member and Administrative Vice-Chair
Goodwyn IRB
