HIPAA Privacy Rule: Effect on Medical Research

Applied Clinical Trials, 06-01-2002

An attorney who specializes in health law advises researchers and research organizations to study and put into practice the proposed changes in a rule that governs use and disclosure of protected health information.

On 27 March 2002, the U.S. Department of Health & Human Services published proposed amendments to privacy regulations issued in December 2000 (Privacy Rule). In a nutshell, the Privacy Rule, required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), governs the use and disclosure of individually identifiable, protected health information by certain health care providers and entities (referred to as covered entities).

With respect to clinical research, the Privacy Rule affects all research involving protected health information (PHI), regardless of whether the research is subject to other regulations (such as the Common Rule). The Privacy Rule applies to research involving medical treatment, such as clinical trials, as well as to research occurring behind the scenes (such as research on data contained in patient medical records).

If adopted, the proposed amendments would modify many of the complex and burdensome requirements that are part of the existing Privacy Rule. Even with these modifications, however, the Privacy Rule will have a significant impact on all individuals and entities involved in medical research. This article summarizes the Privacy Rule and the proposed modifications, and examines the impact on those affected.

Conditions for research-related uses and disclosures of PHI
In general, the Privacy Rule permits the use of PHI for research

  • with the authorization of the subject.
  • pursuant to a waiver of this authorization requirement by an institutional review board (IRB) or privacy board.
  • if the PHI has been de-identified.
  • if the PHI is being used to prepare a research protocol.
  • if the subject is deceased.

A summary of these conditions, along with a discussion of how, if at all, they are affected by the proposed amendments, is set forth below.

Express authorization of subject. Under the Privacy Rule, an individual may authorize the use of his or her PHI for research purposes provided this authorization is in writing and includes several core elements. For example, the authorization must include

  • a description of the information to be used or disclosed.
  • the identity of those disclosing the information and those to whom the information may be disclosed (such as to a sponsoring drug company).
  • an expiration date for the authorization.
  • specific patient notifications, such as the right of the subject to revoke the authorization (as well as certain exceptions to this right).

If adopted, the proposed amendments would modify several of these requirements. First, under the existing Privacy Rule, additional authorizations are needed for research studies that involve treatment. Under the proposed amendments, however, the authorization requirements for research involving treatment would be the same as they are for research that is solely records-based (and, as such, researchers will be able to use a single authorization form, even where the PHI at issue will be used for multiple research purposes).

Second, although the existing Privacy Rule prohibits combining a subject's authorization with any other legal permission(s) relating to the research study (such as an informed consent document), the proposed amendments generally will allow such combined authorizations.

Third, the existing Privacy Rule requires the authorization document to state whether the use or disclosure of PHI will result in the covered entity's receipt of direct or indirect remuneration. The proposed amendments would eliminate this requirement (except where the information will be used or disclosed for marketing purposes).

Waiver of authorization by IRB or privacy board. A researcher may use or disclose PHI without the authorization of the research subject if an IRB or a duly established privacy board approves a waiver (or a partial alteration) of the authorization requirement. Under the Privacy Rule, as modified by the proposed amendments, several requirements must be met in order for such a waiver to be approved.

First, the use or disclosure of the PHI would have to involve no more than minimal risk to the subject, as evidenced by

  • plans to protect identifiers from improper use and disclosure.
  • plans to destroy the identifiers at the earliest opportunity.
  • adequate written assurances against redisclosure.

Second, the IRB or privacy board must be satisfied that the research could not practicably be conducted without the waiver and without access to, and use of, the PHI.

Use of de-identified PHI. The Privacy Rule permits a covered entity to de-identify protected health information, thereby allowing the information to be used and disclosed freely. In general, PHI is de-identified if there is no reasonable basis to believe that the information can be used to identify the individual at issue. Under the Privacy Rule, PHI may be de-identified in one of two ways. Under the statistical method, a statistician analyzes the de-identification methods to determine whether re-identification of the subject by the anticipated recipient of the information is likely. Under the safe harbor method, PHI is deemed to be de-identified if 18 enumerated identifiers (such as date of birth, social security number, and zip code) are removed from the information.

The research community has expressed concerns that the requirements of the safe harbor method render de-identified information virtually useless for research purposes. In response to these concerns, the proposed amendments, if adopted, would permit the use and disclosure of a limited data set for research purposes. This limited data set would include information regarding admission, discharge, service dates, date of death, age, and five-digit zip code, provided

  • the information does not include direct identifiers (that is, name, street address, social security number, and so on).
  • the recipients of the data agree to limit the use and disclosure of the data and agree not to re-identify the information.

Use of PHI for research protocol preparation. Under the Privacy Rule, protected health information may be reviewed by a researcher as necessary to prepare a research protocol or for similar purposes preparatory to research, provided the researcher makes certain representations to the covered entity disclosing the PHI (for example, the information sought is necessary for the research purposes and is sought solely to prepare the protocol) and does not remove the PHI from the covered entity. Once the research protocol is approved, however, the researcher may not use the PHI at issue for actual research purposes until and unless one of the other conditions governing the use or disclosure of PHI is satisfied (for example, there has been an express authorization by the subject).

Use of a deceased's PHI. Under the Privacy Rule, a covered entity may use or disclose the PHI of a deceased person if it is necessary for research purposes. Although the researcher must represent to the covered entity that the decedent's information will be used solely for research, authorization from a decedent's family or estate is not required.

Additional Privacy Rule issues affecting research
Additional Privacy Rule issues affecting research include the right to revoke authorization, expiration of authorization, access to PHI by the subject, accounting for research disclosures, and research transition provisions.

Right to revoke authorization. Under the Privacy Rule, an authorization to use or disclose PHI must be revocable by the subject at any time. However, this right of revocation is limited to the extent that the covered entity has taken action in reliance on the original authorization. The Department of Health & Human Services (HHS) received comments expressing concern that this provision might prohibit researchers from continuing to analyze the data collected prior to a revocation; however, HHS declined to modify this provision in the proposed amendments. HHS did state that, although a revocation will prohibit a covered entity from further disclosing PHI for research purposes, certain continued uses of the information are allowed as appropriate to preserve the integrity of the research study. HHS has specifically requested comments from the public on appropriate ways to balance the individual's right of choice and the researcher's reliance on the authorization.

Expiration of authorization. The Privacy Rule requires that an authorization have an expiration date (or expiration event). The proposed amendments clarify this requirement in two important ways.

  • The proposed amendments would revise the Rule to expressly permit the expiration date to be the end of the research study.
  • The proposed amendments would provide that where the PHI will be used for the creation and maintenance of a research database or similar repository, "none" is an acceptable expiration date.

Access to PHI by the subject. Under the Privacy Rule, an individual may access and, under some circumstances, amend his or her protected health information. Importantly, however, where such PHI is created or obtained in the course of research, the individual's access may be suspended for the duration of the research provided the individual agrees to such a suspension of access when he or she consents to participate in the research, and the covered entity reinstates the individual's right of access upon completion of the research.