For pharma companies, the greatest worry is that HIPAA will impede healthcare research by preventing physicians and hospitals from sharing patient data. Here, too, a closer look at the regulations shows that the reality is nowhere near as bad as companies have feared. On the one hand, the regulations are narrower, in terms of who and what they cover, than many people realize. On the other hand, they recognize the unique needs of researchers and have provisions designed to protect research.
Privacy, under HIPAA, means protection for individuals (patients or research subjects) from the use or disclosure of their healthcare information, described in the HIPAA regulations as "protected health information" (PHI). The privacy rule, however, applies only to covered entities—an important distinction. In general, there are three kinds of covered entities:
In most research situations, the HIPAA-covered entity will be a healthcare provider. HIPAA also reaches the individual employees of covered entities, so physician researchers or lab technicians who work for a health system are bound by it. Research sponsors, on the other hand, such as drug or device companies, are generally not covered entities, and the same holds true for CROs and independent IRBs. A laboratory will generally not be covered either, as long as it is not providing a service or product related to an individual's own healthcare needs.
Many organizations, such as large research universities, have units that perform the activities of a covered entity and units that do not. These hybrid entities can designate which portions of their activities are covered (a university would designate its medical center, for instance) and which are not. For example, a university research lab that does not perform diagnostic analyses used in the treatment of individual patients is not a treatment provider and could fall within the non-covered portion, even though it sits inside the university structure. The hybrid entity needs policies and procedures that address how it keeps PHI from flowing freely between its covered and non-covered portions.
In certain circumstances, a covered entity may disclose PHI to another entity that performs services on its behalf, provided the two enter into a business associate agreement, through which the covered entity obtains satisfactory assurance that the business associate will safeguard the information appropriately and use it only for the purposes the agreement permits. Note that the same person or entity's access to the same information may require different types of patient permission, depending on how the PHI is used.
In general, an individual physician may use a patient's PHI for treatment purposes without any authorization. If the physician uses the patient's PHI for research purposes, however, and particularly if the PHI is going to appear in published research results, the use falls outside the treatment, payment and healthcare-operations uses that HIPAA permits without authorization, and a separate patient authorization, or a waiver of authorization from an IRB or privacy board, will be required. If no authorization or waiver is obtained, data from the research may still be used in de-identified form, which is not PHI, but any data that includes the subject's PHI may not be.