The privacy regulations arising from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have caused considerable
concern—in many cases, excessive concern among healthcare plans, hospitals, and pharma companies. The "frequently asked question"
section at the Department of Health and Human Services' HIPAA Web site (
http://www.hhs.gov/ocr/hipaa/) shows the range of topics providers are worried about: Will it still be legal to use a sign-up sheet in a waiting room?
Can a spouse or friend legally pick up a prescription? Can hospitals inform the local clergy that a parishioner is in the
hospital? (The answers, by the way, are yes, yes, and yes with permission.)
For pharma companies, the greatest worry is that HIPAA will impede healthcare research by preventing physicians and hospitals
from sharing patient data. Here, too, a closer look at the regulations shows that the reality is nowhere near as bad as companies
have feared. On the one hand, the regulations are narrower, in terms of who and what they cover, than many people realize.
On the other hand, they recognize the unique needs of researchers and have provisions designed to protect research.
Privacy, under HIPAA, means protection for individuals (patients or research subjects) from the use or disclosure of their
healthcare information, described in the HIPAA regulations as "protected health information" (PHI). The privacy rule, however,
applies only to covered entities—an important distinction. In general, there are three kinds of covered entities:
- health plans
- healthcare clearinghouses
- healthcare providers that conduct certain transactions in electronic form.
It is important to note that many individuals and entities involved in research, such as sponsoring pharmaceutical companies,
are not covered entities. Therefore, even though they may handle PHI, they are not covered by HIPAA and do not have an obligation
to comply with its regulations, unless they otherwise agree—for example, in a contract with a covered entity.
In most research situations, the HIPAA-covered entity will be a healthcare provider. HIPAA also applies to individual employees
of covered entities, so individual physician researchers or lab technicians who work for a health system are bound by HIPAA.
Research sponsors, on the other hand, such as drug or device companies, may not be covered entities. The same holds true for
CROs or independent IRBs. Generally, a laboratory, as long as it is not providing a service or product related to an individual's
healthcare needs, will not be covered.
Obviously, there are many organizations, such as large research universities, that have units that perform the activities
of a covered entity and units that do not. These hybrid entities can designate which portions of their activities are covered (for instance, a university would designate its medical center)
and which are not. For example, if a university research lab does not perform diagnostic analyses of individual patients'
treatment, it would not be considered a treatment provider, and could fall within the non-covered portion, even though it
is within the university structure. The hybrid entity needs to have policies and procedures that address how it keeps information
from flowing freely between the covered and non-covered portions.
In certain circumstances, a covered entity may disclose PHI to another entity that is performing services for it if they enter
into a business associate agreement, through which the covered entity obtains satisfactory assurance that the business associate
will safeguard the information appropriately. The same person or entity's access to the same information may require different
types of patient permission, depending on how the PHI is used.
In general, it is permissible for an individual physician to use a patient's PHI for treatment purposes without any authorization.
If the physician uses the patient's PHI for research purposes, however, and particularly if the PHI is going to be published
as part of research results, the physician has gone beyond the permissible uses authorized by HIPAA, and a separate authorization
or waiver will be required. If no authorization is obtained, data from the research may be accessible in certain forms, but
any data including the subject's PHI is not.