October 2003 Bulletin

HIPAA’s impact on research

Beware of pitfalls, compliance challenges loom

By Michele M. Zembo, MD

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is now part of the culture of the practice of medicine. It established the conditions under which protected health information (PHI) may be used or disclosed by covered entities. What is less well known is that the Privacy Rule also covers PHI used for research purposes.

Before HIPAA, most research involving human subjects was governed by the Common Rule (codified for the Department of Health and Human Services (HHS) at Title 45 Code of Federal Regulations (CFR) Part 46) and/or the Food and Drug Administration's (FDA) human subjects protection regulations.

While these include protections to help ensure the privacy of subjects, the HIPAA Privacy Rule defines how PHI may be used for research purposes and protects the confidentiality of identifiable health information. Research is defined in the Privacy Rule as "a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge." See 45 CFR 164.501. This definition is taken from the Common Rule.

The Privacy Rule established the conditions under which PHI may be used or disclosed by covered entities for research purposes. It also specifies how research subjects are informed of how their PHI will be used or disclosed and their rights to gain access to their PHI. Covered entities may use or disclose PHI for research with individual authorization or without authorization under limited circumstances as defined in the Privacy Rule.

Obtaining authorization

Obtaining authorization from the individual is considered the best route for using and disclosing PHI for research purposes. When authorization is obtained, no assurances are required, no accounting of disclosures is required and the “minimum necessary” limitations do not apply. The Privacy Rule has standardized requirements for the authorization.

The National Institutes of Health (NIH) has now provided sample language for the authorizations. The authorization for research can be combined with the informed consent to participate in the research study or any other authorization. The research authorization does not need an expiration date as other authorizations under HIPAA require, but it must then include a statement that the authorization will not have an expiration date. Under the Privacy Rule, treatment cannot be conditioned on signing of any authorization. However, participation in a research study can be conditioned on an individual’s signing an authorization to use the PHI for the study. The HHS specifically rejected a proposal for a blanket authorization to cover future, unspecified research.

Rights to revoke authorization

An individual has the right to revoke his or her authorization for research. However, covered entities may continue to use and disclose PHI that was obtained prior to the time the individual revoked his or her authorization as necessary to maintain the integrity of the study.

The Privacy Rule permits covered entities to use or disclose PHI for research without an authorization under limited circumstances. One circumstance is where the PHI has been de-identified. The Privacy Rule gives strict guidance on how this is done, by one of two methods: the statistical method, under which it is determined that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify an individual; or the safe harbor method, which requires removal of the identifying characteristics specified in the Rule.

The Final Rule adopted a new standard for uses and disclosures of PHI that is not completely de-identified. “Limited Data Sets” can be created for use in research, public health, or health care operations. The limited data set excludes 16 specific identifiers listed in the rule. The covered entity must enter into a data use agreement with the recipient of the limited data set.

The Rule stipulates what the agreement must contain. An authorization is not necessary for use or disclosure of decedent information if the use or disclosure is sought solely for research on the health information of decedents, documentation of the death of the individuals exists, and the PHI is necessary for the research. Authorization is also not required under the Privacy Rule when preparing a research protocol, provided the use or disclosure is sought solely to review PHI as necessary to prepare the protocol, no PHI is removed from the covered entity in the course of the review, and the PHI is necessary for research purposes.

Another permissible circumstance where authorization is not necessary for research purposes is where an Institutional Review Board (IRB) has granted a waiver of authorization. To qualify for a waiver of written authorization, the research protocol must be reviewed by the IRB. The IRB must then determine that the use or disclosure of PHI involves no more than minimal risk to the individuals, that the research could not practicably be conducted without the waiver, and that the research could not practicably be conducted without access to and use of the PHI.

Recruitment of subjects

Under the Privacy Rule, recruitment of subjects for research is considered research and subject to authorization requirements. A treating physician may talk directly to the patient about recruitment into a research trial. If the physician is not the researcher, the recruiting physician needs to get an authorization to refer the patient to the researcher. The researcher may rely on the authorization to contact the patient.

A second authorization is needed for actual participation in the research trial. No authorization is needed for recruitment if the researcher is part of the same covered entity as the treating physician and the activity is considered to fall under the preparatory research provision; however, IRB approval is still needed.

Research database

Development or use of research databases is considered research under the Privacy Rule and therefore subject to authorization requirements. The authorization covers use or disclosure of PHI to create a database, to manipulate PHI to create a database, or to bank tissue for future research. The preamble to the Final Rule makes it clear that this manipulation or compilation constitutes research under HIPAA.

A database of an individual physician's own patients can be created or maintained by that physician without authorization, and is considered to fall under the treatment, payment and operations provision of the Privacy Rule. A database of multiple physicians' patients cannot be compiled without authorization, even if the physicians are partners. IRB approval is necessary for any database used for research purposes; this was true prior to HIPAA. Julie Kaneshiro, policy analyst for the HHS Office for Human Research Protections, stated, "At any point you write down identifiable private information for research purposes, IRB approval is needed."

Resident database

A resident database of patients that is created for the Accreditation Council for Graduate Medical Education (ACGME) is considered health care operations and no authorization is needed. The ACGME has required business associate agreements with any covered entity where residents receive training.

Case report issues

The issue of a case report has not been specifically addressed under HIPAA. A case report is not necessarily considered research and therefore authorization might not be required by HIPAA. However, it would be prudent to obtain an authorization. Some institutions do require an authorization for case reports.

Designated record set

The Privacy Rule gives individuals the right to inspect and copy the health information about them that is maintained in a "designated record set." A designated record set is, in essence, a group of records that a covered entity uses to make decisions about the individual; it includes a health care provider's medical and billing records and a health plan's enrollment, payment, claims adjudication and case or medical management record systems.

While it may be unlikely that a researcher would be maintaining a designated record set, any research records or results that are actually maintained by a covered entity as part of a designated record set would be accessible to research participants unless one of the Privacy Rule’s permitted exceptions applies. The Privacy Rule permits the individual’s access rights to be suspended while the clinical trial is in progress, provided the research participant agreed to this denial of access when consenting to participate in the clinical trial. In addition, the health care provider/researcher must inform the research participant that the right to access PHI will be reinstated at the conclusion of the clinical trial. A researcher may maintain records that are not part of the designated record set. However, any information that is used or necessary for treatment or treatment decisions of a research participant must also be present in the designated record set.

Exempt data

The Privacy Rule gives individuals the right to receive an accounting of disclosures of PHI made by a covered entity. With regard to research, there are exceptions to the general accounting-of-disclosures rule. Research disclosures made pursuant to a research authorization, and disclosures of a limited data set to researchers under a data use agreement, are exempt from the accounting requirement.

Data that has been de-identified is also exempt. Disclosures made pursuant to a waiver of authorization, PHI reviewed preparatory to research, and research on decedents are not exempt from the accounting requirement. Accounting for disclosures requires the covered entity disclosing the PHI to maintain records of who requested the PHI, for what purpose it was requested, and the date of the request. Under certain circumstances, the Privacy Rule permits covered entities to provide a simplified accounting of disclosures of PHI made for research purposes.

Additional information on HIPAA's impact on research can be obtained by visiting the following Web sites: http://www.hhs.gov/ocr/hipaa/, http://privacyruleandresearch.nih.gov/ and http://www.cms.gov/hipaa/hipaa2/default.asp

Michele M. Zembo, MD, is a pediatric orthopaedic surgeon and an associate professor, Department of Orthopaedics, Louisiana State University Medical Center. She can be reached at (504) 896-9569 or e-mail mzembo@lsuhsc.edu
