Title: The HIPAA Privacy Rule and Research
1. The HIPAA Privacy Rule and Research
2. The Privacy Rule...
- Beginning on April 14, 2003, the Privacy Rule
protects the privacy of certain individually
identifiable health information by establishing
conditions for its use and disclosure by health
plans, health care clearinghouses, and certain
health care providers.
Small health plans not required to comply until
April 14, 2004.
3. How Might the Privacy Rule Affect Research Recruitment?
Depends on:
- What you do/where you work
- Type of information you use, collect, receive or release
4. Three Rules -- Privacy Rule, Common Rule, FDA Regulations
- Privacy Rule does not replace or modify the Common Rule or FDA regulations.
- Privacy Rule is in addition to privacy protections of these regulations.
- Applies to covered entities regardless of funding.
- Contains standards for de-identifying health information.
- Requires Authorization for certain uses and disclosures of certain health information.
- Applies to decedents' information.
5. Who is Covered?
- A health care provider who transmits health information electronically in connection with a transaction for which the Secretary has adopted standards.
  - Example: a physician who electronically bills for services
- A health plan.
- A health care clearinghouse.
6. What is Covered?
- Protected Health Information (PHI)
- Covered Entity Health information Identifier
- Transmitted or maintained in any form (paper, oral, electronic, forms, web-based, etc.).
- Decedents' information included.
- Does not include de-identified health information
or biological tissue and certain other exceptions
(e.g., employment records or education records
covered by FERPA).
7. Not All Research Activities Need Authorization!
- For research, the Privacy Rule permits covered entities to use and disclose PHI for research conducted
  - with individual authorization, or
  - without individual authorization under limited circumstances.
8. Use or Disclosure of PHI Without Authorization
Covered entities do not always need to get Authorization for research-related activities.
- De-identify PHI.
- Limited Data Set with Data Use Agreement.
- IRB or Privacy Board waiver of Authorization requirement.
- Activity preparatory to research.
- Research is on decedents' information.
- Research qualifies for the Transition Provisions.
9. Options for Identifying Eligible Research Participants
- Activity Preparatory to Research
- Authorization Waiver from IRB or Privacy Board
- Authorization
10. What kinds of activities are considered preparatory to research?
- Covered entities that obtain certain required representations from a researcher may use and disclose PHI for activities preparatory to research that include, but are not limited to, the following:
  - Preparing a research protocol
  - Assisting in the development of a research hypothesis
  - Aiding in research recruitment, such as identifying prospective research participants who would meet the eligibility criteria for enrollment into a research study
- Under this provision, no PHI may be removed from the covered entity during the course of the review.
11. Preparatory to Research
- Covered entity must obtain representation from the researcher that
  - The use or disclosure of PHI is sought solely to prepare a protocol or for a similar preparatory purpose.
  - PHI will not be removed from the covered entity. AND
  - PHI is necessary for research purposes.
12. Waiver of Authorization
- A covered entity is permitted to use or disclose PHI for research when it obtains required documentation of the IRB or Privacy Board approval of a waiver of Authorization.
- Note: A covered entity is also permitted to use or disclose PHI for research when it obtains an altered Authorization under the Privacy Rule and required documentation of the IRB or Privacy Board approval of an alteration of Authorization.
13. IRB/Privacy Board Criteria for Waiving or Altering Authorization
Yes / No
1. The use or disclosure involves no more than minimal risk because of an adequate plan/assurance
   a. To protect identifiers from improper use or disclosure.
   b. To destroy identifiers at earliest opportunity, consistent with the conduct of the research.
   c. That PHI will not be inappropriately reused or disclosed.
2. The research could not practicably be conducted without the waiver or alteration.
3. The research could not practicably be conducted without access to and use of PHI.
Signature of IRB/Privacy Board Chair (or Designee)
Date
14. Options for Contacting Eligible Research Participants
- Health Care Operations
- Health Care Discussion with Individuals
- Authorization Waiver from IRB or Privacy Board
- Authorization
15. Contacting Subjects: Health Care Operations
- If the researcher is a workforce member of a covered entity, the researcher may contact the potential study participant, as part of the covered entity's health care operations, for the purposes of seeking Authorization.
- Alternatively, the covered entity may contract with a researcher as a business associate to assist in contacting individuals on behalf of the covered entity to obtain their Authorizations.
16. Contacting Subjects: Health Care Discussions
- Covered health care providers and patients may discuss the option of enrolling in a clinical trial without Authorization, regardless of whether the individual is a patient of the covered provider, and without a waiver of the Authorization.
- A physician may for treatment purposes discuss treatment alternatives with the individual, which may include the option of enrolling in a clinical trial.
- A physician may speak to the individual about a clinical trial as part of asking the individual to sign an Authorization to permit the covered provider to use or disclose the individual's PHI for the research study.
- Also, the Privacy Rule generally permits a covered entity to communicate with individuals and to disclose their PHI to them.
- If a physician knows of a study in which his or her patient might enroll that is being conducted by others, the physician may
  - Discuss such a trial with the patient and give the patient the researcher's contact information so the patient may contact the researcher directly.
  - Contact the researchers about the patient so long as de-identified information is disclosed, the individual's Authorization or IRB or Privacy Board waiver of Authorization is obtained, or other conditions that satisfy the Privacy Rule are met.
    - For example, it is acceptable to give a clinical summary of a patient to a researcher to determine if the patient might meet enrollment criteria, if such discussions omit the patient's name, address, medical record number, and any other identifying information set forth in section 164.514(a)-(c) of the Privacy Rule.
17. Contacting Subjects: Authorization Waiver
- If the covered entity obtains documentation that
an IRB has partially waived the Authorization
requirement to disclose PHI to a researcher for
recruitment purposes, the covered entity could
disclose to the researcher that PHI necessary for
the researcher to contact the individual.
18. Summary: Research Recruitment
Covered Entity
- Identify Subjects: Yes
  - Preparatory to Research provision.
  - Need representation from workforce member.
- Contact Subjects: Yes
  - Health care operation to get Authorization.
  - Waiver of Authorization.
Researcher (non-covered)
- Identify Subjects: Yes
  - Preparatory to Research provision.
  - Need representation from researcher.
- Contact Subjects: Yes
  - Waiver of Authorization.
  - As a business associate of covered entity for the health care operation.
19. Identifying AND Contacting Subjects: Call Centers
- Call centers in many cases will not be part of a covered entity (health plan, health care clearinghouse, certain health care providers), and thus, are not required to comply with the Privacy Rule.
- If a call center is part of a covered entity, e.g., part of a covered health care provider that is also a researcher, it may speak with an individual without Authorization for purposes of communicating about the research study or obtaining the individual's Authorization to use or disclose his or her PHI for the study.
- However, any use or disclosure of the individual's PHI for the research study itself or other purposes is subject to the conditions set forth in the Privacy Rule.
20. Identifying AND Contacting Subjects: Authorization
- A covered entity may include an individual's PHI in a clinical research recruitment database and access to the recruitment database, provided the individual has given permission through a written Authorization.
- The Authorization must inform the individual of
  - the purpose for which (e.g., for the pre-screening log for one or more clinical trials) and
  - what PHI will be used
  and meet the other requirements at section 164.508 of the Privacy Rule.
- Unless otherwise permitted by the Privacy Rule, a subsequent Authorization must be obtained from the individual before a covered entity may use or disclose the individual's PHI for the clinical trial itself.
21. Authorizations for Research
- Must be for a specific research study. Authorization for future, unspecified research is NOT permitted, but Authorization may be obtained to permit the use or disclosure of PHI to create or maintain a repository or database.
- Different from, but may be combined with, informed consent.
- Review/approval by IRB/Privacy Board NOT needed under Privacy Rule. (But other regulations would require IRB review when combined with informed consent documents.)
- Must contain core elements and required statements, and a signed copy must be given to the individual.
- Research Authorizations need not expire, but this must be stated.
22. Elements of an Authorization to Use or Disclose PHI
- Core Elements (signified by )
  - Description of PHI to be used or disclosed
  - Person(s) authorized to make the requested use or disclosure.
  - Person(s) to whom the covered entity may disclose PHI.
  - Each purpose for the use or disclosure.
  - Expiration date or event (e.g. end of the research study or none).
- Statements (signified by )
  - Right to revoke Authorization plus exceptions and process.
  - Ability/Inability to condition treatment, payment, or enrollment/eligibility for benefits on Authorization.
  - PHI may no longer be protected by Privacy Rule once it is disclosed by the covered entity.
Participant Signature Date
The authorization must be written in plain
language, and the covered entity must provide the
individual with a copy of the signed
Authorization.
23. Privacy Rule Resources for Researchers
- Office for Civil Rights (OCR) Web site
  - http://www.hhs.gov/hipaaprivacy/research/