Oregon State University, Office of Research Integrity

The HIPAA Privacy Rule, Research, and IRBs

HIPAA's new Privacy Rule is in effect, and sponsors and clinical research professionals are learning how to apply it.

The arrival of 14 April 2003, the compliance date for the HIPAA Privacy Rule, did not eliminate the confusion about its impact and implementation. The Privacy Rule is a complex system of rules and constraints. Learning it is like learning a new language, which requires mastery of the grammar and exposure to a large number of examples. To facilitate the process, this article reviews the basics, clarifies IRB responsibilities, and provides descriptions and examples of acceptable clinical research practices under the Privacy Rule.

The Privacy Rule establishes the conditions under which covered entities may use or disclose protected health information for any purpose, including research. Covered entities include health plans, health care clearinghouses, and health care providers that electronically transmit protected health information. Not every health care provider is a covered entity, but for those that are, the Privacy Rule governs the use and disclosure of protected health information that is transmitted or maintained in any form: electronic, paper, or verbal. This article assumes that investigators conducting research are covered entities under the Privacy Rule.

The Privacy Rule requires that a covered entity provide individuals prior notice of its policy (Privacy Notice) regarding the way that entity may use or disclose protected health information (PHI), what its responsibilities are with respect to such information, and the rights that individuals have and how they may exercise those rights. A covered entity's practices must be consistent with those described in the Privacy Notice.

The Privacy Rule also requires a covered entity to enter into a written contract (Business Associate Contract) with persons or businesses performing certain covered functions on its behalf that involve PHI. Research is not one of those functions. Therefore, disclosure of PHI for research purposes does not require a Business Associate Contract.

However, the Privacy Rule specifies that a covered entity may neither use nor disclose PHI for research purposes unless the patient has provided, in advance, his or her written authorization (Authorization) for such use or disclosure. This Authorization is different from the requirement for informed consent. Under the Privacy Rule, an Authorization simply permits the use and disclosure of PHI for research purposes. By contrast, informed consent is the subject's consent to participate in a specific research study.

Under both the Common Rule and FDA regulations governing human research (federal human research policies), the function of the institutional review board (IRB) is to protect the rights (including privacy) and welfare of human subjects and to minimize risks (including risks to confidentiality). The Privacy Rule supplements federal human research policies by requiring that the protection of confidentiality in research be handled in a very specific way.

Research funded by states or private sponsors is not regulated by federal human research policies. The Privacy Rule is broader than federal human research policies in that it extends to all research, regardless of funding, and to both living and dead persons.

Where the Privacy Rule and federal human research policies are applicable, both must be followed. Where they overlap, the more stringent standard applies. Similarly, state law continues to apply when it is more restrictive than the HIPAA Privacy Rule.

Obtaining authorization

The form used to obtain valid Authorization is specified. Individuals must be provided, in writing, the relevant information on which to base their decision.

Six essential elements apply to any Authorization regardless of the purpose for its use or disclosure:
  • A description of the information to be used
  • Who will use or disclose it
  • To whom it will be disclosed
  • The purpose for which it will be disclosed
  • An expiration date
  • A patient's dated signature.

The Authorization must also provide notice of a patient's right to revoke the Authorization, the ability of the investigator to condition research participation on the Authorization, and of the potential for protected health information to be redisclosed.

An Authorization must specifically describe these elements and notices, and investigators should take care to identify and include any secondary uses and disclosures (redisclosures) that might be associated with the research, for example, disclosures to subinvestigators not within the investigator's covered entity. The expiration date for research Authorizations may be indicated as "end of the study" (or "none" for an Authorization to place PHI in a research database).

The Privacy Rule does not require review and approval of (stand-alone) Authorization forms prior to use. However, the covered entity is accountable for compliance with these requirements and may require an internal approval procedure (by a forms committee, HIPAA compliance board, or its IRB). To enroll research subjects, investigators must obtain signatures on both the Authorization and the consent document required by federal human research policies. The regulations allow the two forms to be combined into one document. But in some cases, the requirement for an Authorization may be triggered separately from, or prior to, the requirement for informed consent. For instance, HIPAA Authorization is required to disclose PHI already in existence to an investigator outside of the covered entity for the purpose of determining potential eligibility for a research study.

Revocation: the reliance exception

Upon receipt of written revocation, the covered entity must stop using/disclosing protected health information, except to the extent that the covered entity has acted in reliance on the Authorization. For research, the reliance exception would permit the continued use and disclosure of PHI to account for subjects' withdrawal from the research study, to include in safety or efficacy analyses for a marketing application submitted to FDA, to conduct any investigation of misconduct, or to report adverse events. However, information gathered after revocation may not be used or disclosed, even under the reliance exception.

Short of a HIPAA Authorization, there are several ways PHI may be obtained for research. Covered entities may obtain documentation that an IRB or Privacy Board has granted a waiver of the required Authorization (Waiver). Covered entities may also use PHI without Authorization if a researcher represents that the PHI is necessary to prepare for research or that the PHI is solely for research on decedents.

Waiver of Authorization

To grant a Waiver, an IRB or Privacy Board must find that the research satisfies the following criteria.

Minimal risk to privacy. The research presents "minimal risk to privacy," which requires meeting three criteria:
  • There is an adequate plan to protect patient identifiers.
  • There is an adequate plan to destroy identifiers at the earliest opportunity (unless there is a health or research justification or it is required by law).
  • There are adequate written assurances against re-disclosure.

Practicality. The research could not be practically conducted without the Waiver.

Access. The research could not be practically conducted without access to PHI.

Covered entities must receive documentation of the Waiver before use or disclosure is permitted. This documentation must include:

  • The identity of the IRB or Privacy Board
  • The Waiver approval date
  • A brief description of the PHI involved, and the review and approval procedures used (that is, full or expedited review under either federal human research policies or Privacy Rule regulations)
  • The signature of the Chair or other designated member of the reviewing board.

Waivers are likely to be sought for retrospective studies involving medical records review or database research involving protected health information (where the patient is unavailable to give Authorization).

An IRB or Privacy Board may also grant a "partial waiver," as defined in Department of Health and Human Services (DHHS) commentary. A partial waiver can be granted separately, even if the IRB or Privacy Board does not grant a waiver of informed consent to participate in the research or a Waiver for access to PHI. Partial waivers are likely to be sought to enable investigators to contact and recruit individuals as potential research subjects. The PHI to be shared would be limited to that necessary to determine eligibility.