1

The HIPAA Privacy Rule and Research

2

The Privacy Rule...

Beginning on April 14, 2003, the Privacy Rule protects the privacy of certain individually identifiable health information by establishing conditions for its use and disclosure by health plans*, health care clearinghouses, and certain health care providers.

*Small health plans not required to comply until April 14, 2004.

3

How Might the Privacy Rule Affect Research Recruitment?

Depends on:

What you do/where you work

Type of information you use, collect, receive or release

4

Three Rules -- Privacy Rule, Common Rule, FDA Regulations

Privacy Rule does not replace or modify the Common Rule or FDA regulations.

Privacy Rule is in addition to privacy protections of these regulations.

– Applies to covered entities regardless of funding.– Contains standards for de-identifying health

information.– Requires Authorization for certain uses and

disclosures of certain health information.– Applies to decedents’ information.

5

Who is Covered?

A health care provider who transmits health information electronically in connection with a transaction for which the Secretary has adopted standards.Example: a physician who electronically bills for

services

A health plan. A health care clearinghouse.

6

Protected Health Information (PHI) =Covered Entity + Health information + Identifier

Transmitted or maintained in any form (paper, oral, electronic, forms, web-based, etc.).

Decedents’ information included. Does not include de-identified health information or

biological tissue and certain other exceptions (e.g., employment records or education records covered by FERPA).

What is Covered?

7

For research, the Privacy Rule permits covered entities to use and disclose PHI for research conducted:

– with individual authorization, or

– without individual authorization under limited circumstances.

Not All Research Activities Need Authorization!

8

Use or Disclosure of PHI Without Authorization

1. De-identify PHI.

2. Limited Data Set with Data Use Agreement.

3. IRB or Privacy Board waiver of Authorization requirement.

4. Activity preparatory to research.

5. Research is on decedents’ information.

6. Research qualifies for the Transition Provisions.

Covered entities do not always need to get Authorization for research-related activities.

9

Options for Identifying Eligible Research Participants

Activity Preparatory to Research Authorization Waiver from IRB or Privacy

Board Authorization

10

What kinds of activities are considered preparatory to research?

Covered entities that obtain certain required representations from a researcher may use and disclose PHI for activities preparatory to research that include, but are not limited to, the following:

– Preparing a research protocol – Assisting in the development of a research hypothesis – Aiding in research recruitment, such as identifying

prospective research participants who would meet the eligibility criteria for enrollment into a research study

Under this provision, no PHI may be removed from the covered entity during the course of the review.

11

Preparatory to Research

Covered entity must obtain representation from the researcher that:

The use or disclosure of PHI is sought solely to prepare a protocol or for a similar preparatory purpose.

PHI will not be removed from the covered entity. AND

PHI is necessary for research purposes.

12

Waiver of Authorization

A covered entity is permitted to use or disclose PHI for research when it obtains required documentation of the IRB or Privacy Board approval of a waiver of Authorization.

Note: A covered entity is also permitted to use or disclose PHI for research when it obtains an altered Authorization under the Privacy Rule and required documentation of the IRB or Privacy Board approval of an alteration of Authorization.

IRB/Privacy Board Criteria for Waiving or Altering Authorization

1.The use or disclosure involves no more than minimal risk because of an adequate plan/assurance:

a. To protect identifiers from improper use or disclosure.

b. To destroy identifiers at earliest opportunity, consistent with the conduct of the research.

c. That PHI will not be inappropriately reused or disclosed.

2.The research could not practicably be conducted without the waiver or alteration.

3.The research could not practicably be conducted without access to and use of PHI.

Yes No

Signature of IRB/Privacy Board Chair Date(or Designee)

14

Options for Contacting Eligible Research Participants

Health Care Operations “Health Care” Discussion with Individuals Authorization Waiver from IRB or Privacy

Board Authorization

15

Contacting Subjects: Health Care Operations

If the researcher is a workforce member of a covered entity, the researcher may contact the potential study participant, as part of the covered entity's health care operations, for the purposes of seeking Authorization.

Alternatively, the covered entity may contract with a researcher as a business associate to assist in contacting individuals on behalf of the covered entity to obtain their Authorizations.

16

Contacting Subjects: Health Care Discussions

Covered health care providers and patients may discuss the option of enrolling in a clinical trial without Authorization, regardless of whether the individual is a patient of the covered provider, and without a waiver of the Authorization.

– A physician may for treatment purposes discuss treatment alternatives with the individual, which may include the option of enrolling in a clinical trial.

– A physician may speak to the individual about a clinical trial as part of asking the individual to sign an Authorization to permit the covered provider to use or disclose the individual's PHI for the research study.

– Also, the Privacy Rule generally permits a covered entity to communicate with individuals and to disclose their PHI to them.

If a physician knows of a study in which his or her patient might enroll that is being conducted by others, the physician may:

– Discuss such a trial with the patient and give the patient the researcher's contact information so the patient may contact the researcher directly.

– Contact the researchers about the patient so long as de-identified information is disclosed, the individual's Authorization or IRB or Privacy Board waiver of Authorization is obtained, or other conditions that satisfy the Privacy Rule are met.

– For example, it is acceptable to give a clinical summary of a patient to a researcher to determine if the patient might meet enrollment criteria, if such discussions omit the patient's name, address, medical record number, and any other identifying information set forth in section 164.514(a)-(c) of the Privacy Rule.

17

Contacting Subjects: Authorization Waiver

If the covered entity obtains documentation that an IRB has partially waived the Authorization requirement to disclose PHI to a researcher for recruitment purposes, the covered entity could disclose to the researcher that PHI necessary for the researcher to contact the individual.

18

Summary: Research Recruitment

Identify Subjects Contact Subjects

Covered Entity

Researcher (non-covered)

Yes• Preparatory to

Research provision.• Need representation

from workforce member.

Yes• Preparatory to

Research provision.• Need

representation from researcher.

Yes• Health care operation to

get Authorization.• Waiver of Authorization.

Yes• Waiver of Authorization.• As a business associate of

covered entity for the health care operation.

19

Identifying AND Contacting Subjects: Call Centers

Call centers in many cases will not be part of a covered entity (health plan, health care clearinghouse, certain health care providers), and thus, are not required to comply with the Privacy Rule.

If a call center is part of a covered entity, e.g., part of a covered health care provider that is also a researcher, it may speak with an individual without Authorization for purposes of communicating about the research study or obtaining the individual's Authorization to use or disclose his or her PHI for the study.

However, any use or disclosure of the individual's PHI for the research study itself or other purposes is subject to the conditions set forth in the Privacy Rule.

20

Identifying AND Contacting Subjects: Authorization

A covered entity may include an individual's PHI in a clinical research recruitment database and access to the recruitment database, provided the individual has given permission through a written Authorization.

The Authorization must inform the individual of:– the purpose for which (e.g., for the pre-screening log for one or

more clinical trials) and – what PHI will be used and meet the other requirements at

section 164.508 of the Privacy Rule. Unless otherwise permitted by the Privacy Rule, a

subsequent Authorization must be obtained from the individual before a covered entity may use or disclose the individual's PHI for the clinical trial itself.

21

Authorizations for Research

Must be for a specific research study – Authorization for future, unspecified research is NOT permitted but Authorization may be obtained to permit the use or disclosure of PHI to create or maintain a repository or database.

Different from, but may be combined with, informed consent. Review/approval by IRB/Privacy Board NOT needed under

Privacy Rule. (But other regulations would require IRB review when combined with informed consent documents.)

Must contain “core elements” & “required statements,” and a signed copy must be given to the individual.

Research Authorizations need not expire, but this must be stated.

Core Elements (signified by )

Description of PHI to be used or disclosed

Person(s) authorized to make the requested use or disclosure.

Person(s) to whom the covered entity may disclose PHI.

Each purpose for the use or disclosure.

Expiration date or event* (e.g. “end of the research study” or “none”).

Participant Signature Date

Statements (signified by )

Right to revoke Authorization plus exceptions and process.

Ability/Inability to condition treatment, payment, or enrollment/eligibility for benefits on Authorization.

PHI may no longer be protected by Privacy Rule once it is disclosed by the covered entity.

The authorization must be written in plain language, and the covered entity must provide the individual with a copy of the signed Authorization.

Elements of an Authorization to Use or Disclose PHI

23

Privacy Rule Resources for Researchers

Office for Civil Rights (OCR) Web site

http://www.hhs.gov/hipaaprivacy/research/http://www.hhs.gov/hipaaprivacy/research/