HIPAA Research

On August 21, 1996, President Clinton signed into law the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is part of a broad Congressional attempt at incremental healthcare reform with requirements outlined by the law and regulations promulgated by the Department of Health and Human Services (DHHS). While HIPAA is primarily intended to assure the portability of health care insurance, many aspects of the law deal specifically with data security and privacy, and the establishment of precise standards for the electronic interchange of patient information. Modifications to the Privacy Rule were published on August 14, 2002, and clarified and simplified some aspects of the Privacy Rule. Regardless, HIPAA will continue to present challenges, as covered entities (e.g., hospitals, physicians, academic medical centers, etc.) develop and implement new processes to comply with the law. The compliance date for the HIPAA Privacy Rule was April 14, 2003, with the Office of Civil Rights bearing responsibility for enforcement. Although both civil and criminal penalties exist for non-compliance, the major risk of HIPAA violations is the potential affect of privacy breeches on the public's impression of our institution.

The Privacy Rule is intended to protect any information maintained or transmitted by a covered entity, that identifies an individual, pertains to an individual's mental or physical health, or payment for the individual's healthcare. This information, be it electronic, paper or oral is collectively referred to as “Protected Health Information” or “PHI”.

The Privacy Rule defines the means by which individuals will be informed of uses and disclosures of their PHI, as well as their rights to access their health information, held by covered entities. The Privacy Rule is intended to protect the privacy of individuals, while at the same time ensuring that researchers continue to have access to the medical information necessary for vital research. Currently, most research involving human subjects operates under the Common Rule (45 CFR part 46, Subpart A) and/or the Food and Drug Administration's human subject protection regulations (21 CFR Parts 50 and 56). These regulations include some provisions that are similar to, but distinct from, the Privacy Rule's provisions for research. These human subject protection regulations (which apply to most federally-funded and some privately-funded research) include protections to help ensure the privacy of subjects and the confidentiality of information. The Privacy Rule builds upon these existing federal protections, and more importantly, creates equal standards of privacy protection for research governed by the existing Federal human subject regulations, as well as research that is not.

The Privacy Rule permits covered entities to use or disclose PHI for research purposes when the research participant authorizes the use or release of his/her information. This practice is consistent with the manner in which many clinical trials and record searches are conducted today (i.e., informed consent). However, the authorization required under HIPAA is separate and apart from the research informed consent. An authorization differs from an informed consent in that the authorization focuses on privacy risks and states how, why, and to whom the PHI will be used and/or disclosed for research. An informed consent, on the other hand, provides research subjects with a description of the study and of its anticipated risks and/or benefits.

The Privacy Rule mandates certain required elements for a valid authorization. In general, the authorization must be specific as to the purpose of the use or disclosure of PHI. In other words, the particular person or class of persons to whom the PHI may be disclosed, as well as the particular purpose of the research use of the PHI, must be specified in the authorization. Additionally, an authorization does not permit the reuse of PHI for any unanticipated or unspecified future research project. However, authorizations for research purposes do not require an expiration date, and allow PHI to be used indefinitely for the research purpose specified in the authorization.

The Privacy Rule also establishes “Transition Provisions” that allow a covered entity to use and disclose PHI that was created or received for research, either before or after the compliance date (April 14, 2003), if the covered entity obtained any one of the following prior to the compliance date:

An authorization or other express legal permission from an individual to use or disclose his/her PHI for the research;
The informed consent of the individual to participate in the research; or
A waiver of informed consent by an Institutional Review Board (IRB), in accordance with the Common Rule or an exception identified in the FDA's human subject protection regulations.

If a waiver of informed consent was obtained prior to the compliance date, but the research participant's informed consent is subsequently sought after the compliance date, the covered entity must obtain the individual's authorization. For example, if a temporary waiver of informed consent for emergency research existed prior to the April 14, 2003 HIPAA compliance date, and informed consent was subsequently sought after April 14 because the waiver was no longer valid, the covered entity (e.g., Principal Investigator) would be required to obtain individual authorization before the participant's PHI could be used or disclosed for research.

In addition, if an individual signed an informed consent prior to April 14, 2003, and a protocol modification occurred after April 14, 2003 that necessitate the need for a study participant to be re-consented, an Authorization would also be required at that time.

In most instances, it would be impractical for a researcher, who needs access to a large volume of medical records or a large clinical database for research purposes, to obtain a HIPAA compliant authorization from each individual. Instead, the Privacy Rule permits the researcher to apply to the IRB for a waiver of the authorization requirement. In general, the criteria that the IRB must apply in determining whether or not to grant a waiver are:

The use or disclosure involves no more than minimal risk to privacy of individuals;
The research could not practicably be conducted without the waiver or alteration; and
The research could not practicably be conducted without access to and use of the PHI sought .

The Privacy Rule encourages covered entities to create and use de-identified information whenever possible. To de-identify information, the covered entity must not have actual knowledge that the information could be used in any way to identify an individual who is the subject of the information, and 18 individual-specific identifiers (e.g., name, address, social security number, medical record number, etc.) must be removed.

Information that meets the de-identification standards is not subject to the HIPAA Privacy Rule, and can be used or disclosed without authorization or waiver. However, a researcher who uses de-identified data for research purposes must submit a request in writing to the IRB for an exemption.

The de-identification standards under the Privacy Rule have been criticized by many academic and research communities for being too stringent. For example, the requirement that records be stripped of certain identifiers (e.g., zip codes, dates of birth, admission and discharge dates, etc.) may render the information unusable for longitudinal, epidemiological or outcomes studies. The Privacy Rule addresses these concerns by allowing the use of a limited data set for research, public health and health care operations purposes. The limited data set can include zip codes, geocodes, dates of birth and other information, and can be used without the need for individual authorization or a waiver of authorization. As a result, limited data sets can be useful for a fairly broad range of research, and can also be used for public health purposes, such as voluntary reporting of outcomes or adverse events to patient registries or to state hospital associations.

According to the Privacy Rule, the use of limited data sets is conditioned on the disclosing covered entity and the data recipient entering into a “data use agreement”. A data use agreement is required only for disclosures outside of the covered entity. The data use agreement must define who is permitted to use or receive the data, for what purpose(s) the data may be used, and prohibit the limited data set recipient from identifying or contacting the data subject. In addition, the data use agreement must require the limited data set recipient to use appropriate safeguards to prevent unauthorized use or disclosure of the data set information.

The Privacy Rule protections apply to all PHI, whether stored in paper records or in databases. Covered entities may use PHI in databases for treatment, payment or healthcare operations purposes without patient authorization. However, the use of PHI stored in a database for research purposes, even if those databases were created prior to the compliance date, requires patient authorization or a waiver of authorization from the IRB. Database administrators need to be familiar with the Privacy regulations, and obtain a waiver of authorization or begin obtaining authorizations for PHI collected and maintained in the database, as appropriate to the circumstances.

It is important to remember that de-identified data or limited data sets may be used and disclosed from databases without authorization or waiver of authorization.

The Privacy Rule clearly states that healthcare providers may continue to discuss the option of enrolling in a clinical trial with their patients, without authorization and without an IRB waiver of authorization. However, PHI may not be used or disclosed for recruitment purposes without written authorization from the individual or an IRB waiver of authorization. After written authorization or a waiver of authorization has been obtained, healthcare providers, researchers or their staff may review PHI in medical records or databases for the purpose of identifying potential research participants and to determine eligibility. At that point, only treating healthcare providers may contact the individual directly to request participation in the study.

The Privacy Rule attempts to achieve a balance between protecting privacy rights and not unduly disrupting valuable clinical research. Because compliance is Federally mandated, and researchers access PHI in many different ways and for many different purposes, it is important to become familiar with the Privacy Rule, as well as the University's privacy policies and procedures.