The Effects of the HIPAA Privacy Policy Rule on Clinical Research and Registries

On April 14, 2003, the privacy rule took effect, and most covered entities must now comply with its provisions. The rule establishes minimum federal standards for safeguarding the privacy of individually identifiable health information. Covered entities may no longer use or disclose protected health information (PHI), except as provided for by the rule.

Rachel Abramovitz, Esq., LL.B., LL.M., general counsel for Bradstreet, a clinical and regulatory consulting firm in North Brunswick, N.J., says the application of the privacy rule requires careful planning, thought, and analysis, but it shouldn't put a stop to clinical research.

Although most clinical researchers are not covered entities under the rule, they need to understand its provisions to the extent that they rely on covered entities as sources of medical data. Research registries are also affected, since they are used to collect data on specific groups of patients, diseases, or pharmaceutical products. Some registries fill a mandatory public health function (cancer registries or immunization registries), while others are created at the request of private entities to track patient outcomes or treatment efficacy. Registries may be used in the conduct of retrospective observational research or for the prospective monitoring of product use and patient outcomes.

The effect of the privacy rule on clinical research and registries is a topic of much concern to researchers today. How do the rule's specific research-related provisions apply to ongoing and new clinical trials?
How should they be applied to the use of existing registries, the creation of new registries, access to and analysis of existing medical records, and the compilation of new databases?

The Rule

The privacy rule is a federal regulation that was issued by the Department of Health and Human Services (HHS) in December 2000 and amended on August 14, 2002, establishing federal standards for safeguarding the privacy of PHI. The rule was issued under a mandate established by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to protect the privacy of PHI that identifies individuals, living or deceased, by regulating the way in which covered entities handle PHI. Covered entities are defined as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

Research is defined as a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Most clinical research requires that the researcher obtain access to medical records, patient charts, tissue and data repositories, and other PHI. So, while researchers are not directly regulated by the rule, it has a substantial indirect effect on them: they must gain access to the PHI needed to conduct research, and they must ensure the integrity of the data being collected.

The basic premise of the privacy rule is that covered entities may not use or disclose PHI, except as permitted or required under the provisions of the rule. State laws that provide more stringent standards for the protection of PHI and/or mandatory reporting of PHI continue to stand. Identifiable data related to reportable diseases continue to be reported to public health entities for public health purposes.
The rule supplements and does not override other federal regulations relating to the protection of the privacy of human research subjects (i.e., the Federal Policy for the Protection of Human Subjects, or "Common Rule," and the FDA's Regulations for the Protection of Human Subjects).

The privacy rule also protects PHI created or maintained by a "business associate" on behalf of a covered entity. A business associate is defined as a person or entity that performs, or assists in the performance of, a function or activity involving the use or disclosure of PHI on behalf of a covered entity. Covered entities may not allow business associates access to PHI unless they enter into a written contract with the business associate ensuring that the business associate will safeguard all PHI appropriately. While certain researchers might fall under the definition of a business associate, the privacy rule does not require researchers or research sponsors to become business associates of covered entities for research purposes.

Individually identifiable health information gathered or maintained by anyone other than a covered entity is not PHI, and the privacy rule does not apply to that information. So, information collected by an independent researcher, for instance, is not PHI, and the privacy rule does not apply to its use or disclosure. But other federal and state laws protecting the confidentiality of such information may still apply.

Compliance with the privacy rule

There are four basic methods for disclosing health information to researchers under the privacy rule. The first method is de-identification. By removal of the 18 identifiers defined by the rule, health information is considered to be de-identified and is no longer defined as PHI.
This method is not always feasible, not only because of the time and expense entailed in the de-identification process, but also because most clinical research cannot be conducted effectively with data that has been de-identified in this manner. The three remaining methods are authorizations, waivers, and limited data sets.

The use and disclosure of PHI with an individual's written permission, in the form of an authorization, is the second method of compliance. The privacy rule specifies elements that all authorizations must contain, including the provision that an authorization pertains only to a specific research study. An authorization obtained for a prior research study may not be applied to additional or subsequent studies or to the creation or maintenance of a research repository or database, i.e., a registry. While the required language for an authorization may be included in the traditional informed consent, the privacy rule does not require this. On the contrary, inclusion of the authorization language in the informed consent requires review and approval of the authorization language by each research site's institutional review board (IRB), while maintaining a separate authorization form does not require any review or approval by an IRB to comply with the rule's requirements.

The third method is to obtain a waiver or alteration of the authorization requirement from an IRB or privacy board. When it is not feasible to obtain separate patient authorizations, for instance in the case of a retrospective registry study, an IRB or a privacy board may approve a waiver or an alteration of the authorization requirement.
Waivers may be granted only if the IRB or privacy board concludes that the use or disclosure of the PHI involves no more than minimal risk to the privacy of the individuals involved, that the research could not practicably be conducted without the waiver, and that the research could not practicably be conducted without access to or use of the PHI. In the case of multisite research, a waiver need not be obtained from each IRB separately, although covered entities may choose to require duplicate IRB or privacy board reviews before disclosing PHI to researchers.

Finally, the fourth method allows for the use of a "limited data set," along with a "data-use agreement." A limited data set comprises PHI that excludes 16 of the 18 direct identifiers defined by the rule. Researchers may not obtain access to such information unless a data-use agreement is in place. A data-use agreement is an agreement entered into by the covered entity and the researcher; it establishes the ways in which the information in a limited data set may be used and how it will be protected. Under a data-use agreement, researchers undertake to handle the data in a manner similar to that which applies to covered entities under the privacy rule and to use the data for specific purposes only.

The rule's transition provisions

Many researchers are currently asking themselves how the rule applies to them and what they need to do to ensure that their ongoing clinical trials, new trials, or patient registries are HIPAA compliant. Researchers conducting retrospective research may need to analyze existing medical and pharmacy claims databases, review existing medical records and patient charts, and analyze existing clinical-trial data. Researchers conducting prospective registry studies may need to collect outcomes data on an ongoing observational basis. Application of the privacy rule to studies of this nature is not always simple.
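The de-identification and limited data set methods described under "Compliance with the privacy rule" above differ only in which identifiers must go: Safe Harbor de-identification strips all 18 identifiers the rule lists, while a limited data set strips the 16 direct identifiers and keeps dates and city, state, and ZIP code for use under a data-use agreement. The following Python example, added here and not part of the original article, models both as field-level transformations of a patient record. The field names, the constructed sample record, the compliance-date age calculation, and the `low_population_zip3` parameter are this example's own assumptions; the identifier categories come from the rule's text (45 CFR 164.514(b)(2) and (e)(2)), which the article does not itself enumerate.

```python
"""Field-level de-identification under the HIPAA privacy rule (added example).

Models the two identifier lists the article refers to:
  - 45 CFR 164.514(b)(2): the 18 Safe Harbor identifiers (de-identification)
  - 45 CFR 164.514(e)(2): the 16 direct identifiers a limited data set must drop
The record and field names below are constructed for this example.
"""
from datetime import date

# The 16 direct identifiers that a limited data set must exclude. Safe Harbor
# removes these too, plus dates and sub-state geography (the other 2 of 18).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "full_face_photo",
})
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})

# Constructed sample record (hypothetical patient; not real data).
RECORD = {
    "name": "Jane Q. Example",
    "street_address": "12 Example Lane",
    "city": "North Brunswick",
    "state": "NJ",
    "zip": "08902",
    "birth_date": "1910-05-02",
    "admission_date": "2003-03-10",
    "phone": "732-555-0100",
    "email": "jane@example.com",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-00001",
    "ip_address": "192.0.2.10",
    "diagnosis": "type 2 diabetes",
    "hba1c": 7.4,
}


def age_for_release(birth_date: date, as_of: date) -> str:
    """Age in whole years; Safe Harbor reports every age over 89 as one '90+' group."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1  # birthday not yet reached this year
    return "90+" if years > 89 else str(years)


def safe_harbor_deidentify(record: dict, as_of: date,
                           low_population_zip3: frozenset = frozenset()) -> dict:
    """Copy of ``record`` with all 18 Safe Harbor identifiers removed or generalised.

    ``low_population_zip3`` holds 3-digit ZIP prefixes covering 20,000 people or
    fewer (the caller supplies these from census data); the rule requires those
    to be replaced by '000'.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field == "city":
            continue                                  # identifier: drop outright
        if field == "zip":
            zip3 = str(value)[:3]                     # only the first 3 digits may stay
            out["zip3"] = "000" if zip3 in low_population_zip3 else zip3
        elif field == "birth_date":
            born = date.fromisoformat(value)
            out["age"] = age_for_release(born, as_of)
            if out["age"] != "90+":                   # a birth year would reveal an age over 89
                out["birth_year"] = born.year
        elif field in DATE_FIELDS:
            # All date elements except the year must go.
            out[field[: -len("_date")] + "_year"] = date.fromisoformat(value).year
        else:
            out[field] = value                        # clinical content, kept as-is
    return out


def limited_data_set(record: dict) -> dict:
    """Drop only the 16 direct identifiers; dates, city, state and ZIP stay (data-use agreement required)."""
    return {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIER_FIELDS}


def has_direct_identifiers(record: dict) -> bool:
    """Structural check a covered entity can run before releasing a limited data set."""
    return any(f in DIRECT_IDENTIFIER_FIELDS for f in record)


if __name__ == "__main__":
    compliance_date = date(2003, 4, 14)  # the rule's compliance date, used as the age reference
    print("Safe Harbor:", safe_harbor_deidentify(RECORD, compliance_date))
    print("Limited data set:", limited_data_set(RECORD))
```

Two caveats belong with any field-level approach like this one. It cannot catch the rule's catch-all 18th identifier ("any other unique identifying number, characteristic, or code") or identifiers embedded in free-text fields such as clinical notes, and Safe Harbor additionally requires that the covered entity have no actual knowledge that the remaining information could identify the individual. Treat the functions as a structural check that feeds a broader review, not as a complete compliance determination.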
According to the transition provisions of the privacy rule, covered entities may use or disclose PHI for research purposes whether the PHI was created or received before or after the compliance date, as long as an authorization or express legal consent, informed consent, or IRB-approved waiver of informed consent was obtained before the compliance date. In other words, covered entities may continue to disclose PHI created after the compliance date, as long as an authorization, informed consent, or waiver of informed consent was obtained before April 14, 2003. This provision would apply to any future research using data obtained on the basis of a pre-April 14, 2003, authorization/consent/waiver and would allow for the use of PHI from existing medical registries for future research. But PHI and patient authorization both obtained after the compliance date may not be used for any research other than the specific study cited in the authorization. So, new patient registries created after the compliance date with patient authorizations obtained after April 14, 2003, may no longer be used for additional research studies unless one of the four methods of compliance is implemented (de-identification, new patient authorization, IRB or privacy board waiver, or limited data set with a data-use agreement).

The bottom line

Proper application of the privacy rule requires careful planning, thought, and analysis, but it by no means puts a stop to clinical research. Some covered entities may need to change their current practices related to documenting research uses and disclosures, while others may choose to limit researchers' access to PHI altogether. Researchers can assist covered entities in understanding the provisions of the privacy rule, thus minimizing the readjustment period and allowing essential research to continue.
Research and registries remain essential elements in the process of testing and approving new drugs and treatments, as well as evaluating post-approval products and generating meaningful post-approval data. The privacy rule attempts to strike a delicate balance between the right of the individual to preserve the privacy of his or her health information and the need of the scientific community to conduct research for the benefit of the general population. While its implications may pose some new challenges to researchers, the benefits of the privacy rule in protecting patient privacy far outweigh any negative aspects.

Rachel Abramovitz, Esq., LL.B., LL.M., is general counsel for Bradstreet, a clinical and regulatory consulting firm in North Brunswick, N.J.

PharmaVoice welcomes comments about this article.

Legal Counsel: complying with HIPAA
October 2003