Protecting Privacy and Encouraging Research

The privacy regulations arising from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have caused considerable concern—in many cases, excessive concern among healthcare plans, hospitals, and pharma companies. The "frequently asked question" section at the Department of Health and Human Services' HIPAA Web site (www.hhs.gov/ocr/hipaa/) shows the range of topics providers are worried about: Will it still be legal to use a sign-up sheet in a waiting room? Can a spouse or friend legally pick up a prescription? Can hospitals inform the local clergy that a parishioner is in the hospital? (The answers, by the way, are yes, yes, and yes with permission.)

For pharma companies, the greatest worry is that HIPAA will impede healthcare research by preventing physicians and hospitals from sharing patient data. Here, too, a closer look at the regulations shows that the reality is nowhere near as bad as companies have feared. On the one hand, the regulations are narrower, in terms of who and what they cover, than many people realize. On the other hand, they recognize the unique needs of researchers and have provisions designed to protect research.

Covered Entities

Privacy, under HIPAA, means protection for individuals (patients or research subjects) from the use or disclosure of their healthcare information, described in the HIPAA regulations as "protected health information" (PHI). The privacy rule, however, applies only to covered entities—an important distinction. In general, there are three kinds of covered entities:

• health plans

• healthcare clearinghouses

• healthcare providers that conduct certain transactions in electronic form.

It is important to note that many individuals and entities involved in research, such as sponsoring pharmaceutical companies, are not covered entities. Therefore, even though they may handle PHI, they are not covered by HIPAA and do not have an obligation to comply with its regulations, unless they otherwise agree—for example, in a contract with a covered entity.

In most research situations, the HIPAA-covered entity will be a healthcare provider. HIPAA also applies to individual employees of covered entities, so individual physician researchers or lab technicians who work for a health system are bound by HIPAA. Research sponsors, on the other hand, such as drug or device companies, may not be covered entities. The same holds true for CROs or independent IRBs. Generally, a laboratory, as long as it is not providing a service or product related to an individual's healthcare needs, will not be covered.

Obviously, there are many organizations, such as large research universities, that have units that perform the activities of a covered entity and units that do not. These hybrid entities can designate which portions of their activities are covered (for instance, a university would designate its medical center) and which are not. For example, if a university research lab does not perform diagnostic analyses of individual patients' treatment, it would not be considered a treatment provider, and could fall within the non-covered portion, even though it is within the university structure. The hybrid entity needs to have policies and procedures that address how it keeps information from flowing freely between the covered and non-covered portions.

In certain circumstances, a covered entity may disclose PHI to another entity that is performing services for it if they enter into a business associate agreement, through which the covered entity obtains satisfactory assurance that the business associate will safeguard the information appropriately. The same person or entity's access to the same information may require different types of patient permission, depending on how the PHI is used.

In general, it is permissible for an individual physician to use a patient's PHI for treatment purposes without any authorization. If the physician uses the patient's PHI for research purposes, however, and particularly if the PHI is going to be published as part of research results, the physician has gone beyond the permissible uses authorized by HIPAA, and a separate authorization or waiver will be required. If no authorization is obtained, data from the research may be accessible in certain forms, but any data including the subject's PHI is not.

For epidemiological or laboratory research from databases, repositories of tissue samples, or other clinical data, critical threshold issues are posed for the entity that holds that information. Under what terms did they receive permission to compile the data? Can they simply provide access to researchers upon request? Generally, the initial authorization to collect the data will determine the extent to which it can be disclosed.

When Can PHI Be Used?

There are three circumstances in which PHI can be used for research:

• when the information has been de-identified (so it's no longer PHI)

• with the patient's written permission (authorization)

• under certain other limited exceptions that encourage research.

De-identification De-identification is a helpful concept, but de-identifying is difficult, because HIPAA requires the elimination of 18 separate elements that could be used to identify the individual—including name, address, social security number, birth date, admission and discharge dates, and zip code.

If a study requires only a patient's age range (under 89), sex, and general area of the country, de-identification may be an option because this kind of general demographic information is not considered PHI. Thus, the covered entity could disclose it to an unaffiliated researcher or sponsor without any other HIPAA requirements or obligations. If the covered entity has developed a method of coding additional protected information about the individual from whom the de-identified information was obtained, however, the code itself cannot be disclosed.

Patient authorization Authorizations are by far the most common method of facilitating access to PHI. Authorizations are specific permissions by the individual under HIPAA for use or disclosure of PHI for a particular purpose. The authorization for research must pertain to a specific study, or to the creation of a research repository or database. It must be in writing and signed by the individual, and the actual uses and disclosures must be described to the extent possible.

At a minimum, an authorization must express the following: "Because you are participating in a research study of a drug being developed by Company A, information about you and your treatment with this drug will be provided to Company A. By signing this authorization, you agree to the disclosure of your PHI to Company A."

There are three different types of consent that a patient must give as part of the research process:

• consent to treatment

• consent to participation in research, which has many required elements under federal law

• HIPAA authorization in which the patient consents to the use and disclosure to others of healthcare information that could be used to identify him or her.

These three different consents may be combined in a single document or treated separately. As a practical matter, it generally is easier for a patient to be confronted with one document rather than three.

The original privacy regulations required that the authorization have a specific expiration date. But the revised regulations permit the use of the word "none" or "end of research study" to satisfy that element of the authorization. This is particularly applicable to the creation of databases and repositories.

There are other required statements that must appear in authorizations. For example, authorizations must contain a statement of the individual's right to revoke the authorization, with an explanation of how that can be done. Fortunately, information already used or disclosed does not have to be retracted when an authorization is revoked; any information on which the researcher already is relying for completion of the research, or that already has been provided to the research sponsor, can continue to be used. Going forward, the revocation only will affect disclosure of information that has not become integral to the research project.

There must be a statement about whether participation in the research study is conditioned on the signing of the authorization, which is often the case. Permitting this use of the authorization encourages research. By contrast, medical treatment for a patient not participating in a research study cannot be conditioned upon the signing of an authorization for any other purpose.

The individual signing the authorization must be informed that, because the authorization permits the disclosure of PHI to a third party that is not a covered entity, like a pharmaceutical company sponsor, there will be no legal restriction (under HIPAA) on the subsequent re-disclosure by the company of the information. The disclosing entity may impose some restrictions on the recipient by agreement. Often, the research site or institution will attempt to include language in its agreement with the research sponsor, in which the sponsor must agree to protect the confidentiality of PHI. Agreeing to this language may be appropriate, but it is not required by HIPAA.

In the authorization, individuals must agree that their right to have access to their medical records may be suspended while the clinical trial is pending. This is one of the few exceptions to the patient's right to access, but it must be stated in the authorization to be effective.

For a facility that maintains a tissue repository or other data bank for research purposes, patients must, upon admission, sign an authorization for the disclosure of their information to the repository. Individuals cannot, however, provide a blanket authorization to the repository to disclose the information to any researcher who wants it in the future. That future request must be dealt with separately.

Alternatives

De-identification and authorization are two methods of removing barriers that prevent the research sponsor from receiving data containing PHI. If neither of those is available, HIPAA provides four alternative approaches:

• waiver

• limited data set

• preparatory research information

• research on decedents' information.

Waiver A waiver is a procedure by which a specified third party can permit disclosure of PHI without the patient's authorization. This third party can be either the Institutional Review Board (IRB) supervising the research or a Privacy Board, a new entity authorized under HIPAA to perform some HIPAA-related functions similar to those performed by the IRB.

Waivers can be complete or partial. In a complete waiver, no authorization is required for the covered entity to use or disclose the PHI for the research project. Partial waivers remove the authorization requirement only for certain aspects of the research project. The IRB or Privacy Board also can alter or approve changes in the requirements for authorization.

There is no required number of members of a Privacy Board, but the members must have varying and appropriate backgrounds. A sponsor may have representation on the Privacy Board, provided that the board includes at least one member who is not affiliated with the covered entity or the sponsor. Members of the Privacy Board must not have any interest in the research project that would pose a conflict of interest with their Privacy Board responsibilities. Privacy Boards can be smaller than IRBs, and used to keep the burden on IRBs from becoming too great. Most institutions, however, have simply used their IRBs rather than setting up independent Privacy Boards; this avoidance of duplication is appropriate.

The waiver provision is one of the regulations most weighted toward encouraging research because it permits a few people to wipe away all the HIPAA protections that the individual would otherwise have.

The IRB or Privacy Board must determine that the use or disclosure of PHI involves minimal risk to the individual participant's privacy, by proving that the research protocol has an adequate plan to protect identifiers from improper use and disclosure and to destroy them as soon as they are no longer necessary. The researchers also must promise not to re-disclose the PHI except in connection with oversight of the research.

The researchers also must show that they cannot conduct the research without the waiver (it's too difficult to get authorizations) and that they can't do the research without the PHI. The IRB or Privacy Board must document its determinations. From the sponsor's perspective, including privacy protection in the research protocol may persuade an IRB to waive all other privacy requirements.

Limited data set The limited data set is another creation of the revised regulations that assists researchers. Certain limited PHI can be disclosed for research purposes without authorization or waiver, including certain information that technically is PHI, such as city, state, zip code, and dates or other numbers or codes that are not direct identifiers (not social security numbers). The covered entity and researcher must enter into a Data Use Agreement that outlines the specific permitted uses and disclosures by the recipient, and provides assurances and agreements that will prevent further unauthorized use of the information.

Preparation research Another encouragement of research is an exception to the need for authorization or waiver for the purpose of permitting a researcher to see PHI in order to prepare a research protocol or study. If the covered entity obtains a representation from the researcher that the PHI is needed solely to be reviewed in preparation for developing a research protocol, that the information will be viewed on the premises of the covered entity, and that it is necessary to plan the research, the PHI may be disclosed.

Decedents In the case in which the individual whose PHI is needed is deceased, the regulations provide that the researcher need only represent to the covered entity that the use or disclosure is only for research purposes —and is necessary for the research—and the disclosure will be permitted by the covered entity.

There are additional permitted uses and disclosures that may tangentially affect research uses. For instance, PHI may be disclosed, without an authorization, to a person or entity that has a responsibility to report information to the FDA. In the research context, this rule may permit disclosure of the results of a research study to manufacturers during and following clinical trials. Those manufacturers, in turn, may be required to report the data to the FDA.

Patients' Rights

In addition to protecting privacy through such restrictions, HIPAA also provides to patients affirmative rights that implicate the area of research.

The first such right is the patient's right of access to PHI. HIPAA grants patients the right to see their medical records at a convenient time and place. There is an exception to this right during a clinical trial, because it may affect the validity of the trial if patients are able to determine, for example, whether they are in a control group or receiving the drug being studied. In order for the suspension of this right to be effective, however, it must be stated in the authorization so that the patient agrees to this by signing the authorization. The individual also must be informed that the right of access will be restored at the conclusion of the clinical trial.

The individual is entitled only to records in a designated record set. The covered entity doesn't have to comb its files for every last scrap about a patient or research subject. This is particularly helpful to researchers, who may have extracted particular information about a multitude of patients, and collected that information within a larger database. Those records would not be available to an individual patient who simply requests access to his file.

Under HIPAA, the individual is entitled to an accounting of disclosures of PHI that the covered entity makes. Disclosure, in this case, means communicating PHI outside the covered entity, so it does not refer to anything that occurs, for example, between the covered entity and members of its workforce. The requirement to maintain records sufficient to permit a covered entity to respond to a request for an accounting means that some pharmaceutical company sponsors' information, including the number of times study data was provided to the manufacturer, will be made available to the patient.

Certain disclosures need not be accounted for. Most important for research purposes is the accounting exception for any disclosure that the patient has authorized. Also, disclosures of PHI as part of a limited data set (PHI with the most obvious identifiers eliminated), under a data use agreement, do not need to be in the accounting. This is another way in which the limited data set is such a useful device for research.

An accounting must include information about what PHI was disclosed, to whom it was disclosed, the reason, and so on. If multiple disclosures have been made to the same person or entity, the disclosure information can be grouped in a reasonable way. Where disclosures concern 50 or more individuals, which may happen in the course of a large clinical trial, the accounting request may be satisfied by providing the information about the study more generally (providing basic information that describes the protocol, the researcher's name and contact information, and the time period of the study). In this way, a standard response can be available for any study participants who request an accounting.

Congress and regulatory agencies are attempting to balance the rights of patients to control the use of their identifiable health information with the need for medical progress to continue through human subject research. Because of the accommodation to research in HIPAA, there are many routes by which a desired research goal can be accomplished—without unduly jeopardizing the patient's privacy.

Philip H. Lebowitz is a partner in the Health Care Practice of law firm Duane Morris. He can be reached at lebowitz@duanemorris.com.