Another Layer of Regulations: Research Under HIPAA (HIPAA on the Job series)

by Margret Amatayakul, RHIA, FHIMSS

HIPAA presents special challenges to providers who perform research. According to the Institute of Medicine, approximately 80,000 biomedical research studies using about 23 million volunteers are conducted per year. Most have some federal funding either through National Institutes of Health or Food and Drug Administration (FDA) processes.

Some of the challenges imposed by HIPAA directly relate to formal research studies, while others are more indirect consequences of the highly regulated nature of research on human subjects in general. In this article, we’ll take a closer look at the actions required for use of protected health information (PHI) in research.

What Are the Regulations?

Research on human subjects is primarily regulated by the Department of Health and Human Services, which requires a researcher to have institutional review board (IRB) approval to conduct federally funded biomedical research.¹ The FDA, the Public Health Service, and various state statutes also impose regulations on such research.^2,3 While not very common, privately funded research does not fall under the IRB requirements. HIPAA, however, requires the creation and use of a privacy board to administer the privacy requirements.

Key to understanding how HIPAA plays such an important role in research is the IRB regulations’ definition of human subject: it is a “living individual about whom an investigator conducting research obtains either data through intervention or interaction with the individual, or identifiable private information.” An example of private information is cited in IRB regulations as a medical record. Therefore, a research study that is based solely on a review of medical records is as much research on human subjects as a study in which physical procedures are performed on a person or a person’s environment is manipulated to collect data.

“Actions Required for Use of PHI in Research,” below, provides a summary of the various actions required by HIPAA for use and disclosure of PHI in research studies.

Actions Required for Use of PHI in Research

When Is an Authorization Required?

HIPAA’s primary research requirement governs when an authorization for use and disclosure of PHI is required from a patient and what form the authorization may take. In other words, the authorization can be combined with informed consent for research, stand-alone, altered, or waived.

The decision about whether to use a compound authorization (one combined with the consent for research) or stand-alone authorization is complex.

The compound authorization option was included in HIPAA to reduce the burden of administering a separate document. However, the informed consent for research is so important that some researchers fear that adding the authorization for use and disclosure of PHI could result in an item being overlooked in the process of obtaining the informed consent.

Alternatively, protecting the confidentiality of identifiable private information is already one element of the consent for research, and other researchers see the HIPAA requirements as a natural extension.

If a stand-alone authorization is selected, the next decision may be whether to use the standard authorization typically employed for release of information or to create a special authorization. HIPAA does not specify which authorization must be used, only that it includes the core elements of a valid authorization (see “Core Elements” below). HIPAA even accommodates an expiration date like “end of research study” or “none” if an exact date is not known or the purpose is the creation and maintenance of a research database.

In addition to the form of authorization used, HIPAA permits the authorization to be altered or waived by the IRB or privacy board based on the researcher’s assessment of privacy risk and justification. Some research studies may be blinded studies in which the participants should not have access to their medical records during the course of the study. With IRB or privacy board approval, the authorization may specify that patients waive their right to access and amend the medical record until the end of the research study.

Further, an IRB or privacy board may waive the requirement to obtain authorization for use and disclosure of information where there is justification of minimal risk to the patients’ privacy. This might occur in a situation where the research is conducted using medical record review only. Some states, however, have stricter laws and require that patients be contacted for an authorization or, at minimum, be given notice that their records may be used in a research study unless they opt out.

A related issue is whether an organization’s IRB should take on the task of monitoring authorizations for use and disclosure of PHI, or whether a separate privacy board should be created for this purpose. HIPAA does not require both an IRB and a privacy board, but it does not prevent an organization from having both entities.

Because of the volume of research and intensity of review that is required to ensure that research on human subjects meets all the regulatory safety requirements, the decision to create a separate privacy board is complex. In an informal survey of providers conducting a heavy volume of research, one-third indicated they would not create such a privacy board, one-third indicated they were strongly considering it or planned to create such a privacy board, and one-third had not made a decision at the time the survey was conducted.

When Is an Authorization Not Required?

There are several situations in which an authorization for use and disclosure of information is not required for research or certain aspects of research. For example, an authorization is not required when PHI has been de-identified and is no longer protected.

HIPAA identifies 19 safe-harbor data elements to be removed to create de-identified information. As an alternative, the rule also permits a statistical algorithm to be used to de-identify information. The August 14, 2002, final modification to the privacy rule also permits a limited data set of PHI to be used, without patient authorization, but with a data use agreement with the recipient of the limited data set. If either de-identified information or a limited data set are used for research, no accounting for disclosure is required if the patient requests such an accounting.

An authorization is not required for use and disclosure of PHI preparatory to research, as long as the researcher represents that the use of the information is solely for research preparation and will not be removed from the covered entity. Similarly, information about decedents is also exempt from requiring an authorization (by the next of kin or executor) for use in research if the researcher represents that use of the information is solely and necessary for research. Documentation of death may be required by the provider prior to disclosure.

Use and disclosure of PHI both on decedents and preparatory to research are subject to potential state law preemption. Where state law permits such disclosures without authorization, however, there is concern on the part of many organizations that “preparatory research” may be abused and used as an excuse to gain access to PHI for other than treatment, payment, or operations purposes. HIPAA requires researcher representation of the purpose, and some organizations are taking this a step further to require that the representation be in writing and authorized by a department chairperson or other person of authority. This provides an opportunity to verify the authority and identity of the requestor and to remind such users of their obligations to safeguard the information. A representation may have the components described in “Actions Required for Use of PHI in Research” above.

How to Account for Research Disclosures

When an authorization is obtained for use and disclosure of PHI in a research study, an accounting for disclosures is not required. Likewise, information that has been de-identified or reduced to a limited data set does not require an accounting. However, for reviews preparatory to research or where an IRB or privacy board has waived the requirement for research, an accounting for disclosure is required. The August 14, 2002, final modification provides an option to simplify this task. If a research study has included more than 50 people, an accounting for disclosures may state that “protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity.” The accounting would be required to:

• name the protocol
  
• provide a plain language description of the protocol and criteria for selecting particular records
  
• describe the type of PHI that was disclosed
  
• give the date or period of time during which such disclosures occurred or may have occurred including the date of the last such disclosure during the accounting period
  
• supply the name, address, and telephone number of the sponsoring entity and researcher to whom the information was disclosed
  

In addition, the organization is obligated to assist any person requesting an accounting to contact the entity that sponsored the research and researcher.

If an organization conducts many large studies over a long period of time, this process may simplify accounting for disclosures. In this way, the provider does not have to track every single patient whose record may have been included in a large study. However, the task of determining whether a person was reasonably likely to have been included in a study and assisting them in contacting the research sponsor and researcher could be more effort than simply accounting for every such disclosure in a log.

Research is a vital activity in healthcare, and it is not HIPAA’s intent to stifle it. But individuals are concerned that their health information may not be fully protected in such studies and they want to know when and by whom their information is being used. Most research studies do an excellent job of protecting health information. In fact, it may be the requests for preparatory review and the databases created for use of information in the future that pose the greatest risk to breaches of confidentiality. These requests and repositories must have the same due diligence applied for privacy and security as any other system of medical records or health information.

Notes

1. Public Welfare, Department of Health and Human Services. “Protection of Human Subjects.” Code of Federal Regulations, 2001. 45 CFR 46. Available online at www.access.gpo.gov/nara/cfr/index.html.

2. Food and Drug Administration, Department of Health and Human Services. “Protection of Human Subjects.” Code of Federal Regulations, 2002. 21 CFR 50. Available online at www.access.gpo.gov/nara/cfr/index.html.

3. Food and Drug Administration, Department of Health and Human Services. “Institutional Review Boards.” Code of Federal Regulations, 2002. 21 CFR 56. Available online at www.access.gpo.gov/nara/cfr/index.html.

Margret Amatayakul (margretcpr@aol.com) is president of Margret\A Consulting, LLC, an independent consulting firm based in Schaumburg, IL.