The HIPAA Privacy Rule, Research, and IRBs

The arrival of 14 April 2003, the compliance date for the HIPAA Privacy Rule, did not eliminate the confusion with regard to its impact and implementation. The Privacy Rule is a complex system of rules and constraints. Learning it is like learning a new languagewhich requires mastery of the grammar and exposure to a large number of examples. To facilitate the process, this article reviews the basics, clarifies IRB responsibilities, and provides descriptions and examples of acceptable clinical research practices under the Privacy Rule.

The Privacy Rule establishes the conditions under which covered entities may use or disclose protected health information for any purposeincluding research. Covered entities include health plans and health care clearing houses, and health care providers that electronically transmit protected health information. Not every health care provider is a covered entity, but for those that are, the Privacy Rule governs the use and disclosure of protected health information that is transmitted or maintained in any formelectronic, paper, or verbal. This article assumes that investigators conducting research are covered entities under the Privacy Rule.

The Privacy Rule requires that a covered entity provide individuals prior notice of its policy (Privacy Notice) regarding the way that entity may use or disclose protected health information (PHI), what its responsibilities are with respect to such information, and the rights that individuals have and how they may exercise those rights. A covered entitys practices must be consistent with those described in the Privacy Notice.

The Privacy Rule also requires a covered entity to enter into a written contract (Business Associate Contract) with persons or businesses perfoming certain covered functions on their behalf that involve PHI. Research is not one of those functions. Therefore, disclosure of PHI for research purposes does not require a Business Associate Contract.

However, the Privacy Rule specifies that a covered entity may neither use nor disclose PHI for research purposes unless the patient has provided, in advance, his or her written authorization (Authorization) for such use or disclosure. This Authorization is different from the requirement for informed consent. Under the Privacy Rule, an Authorization permits simply the use and disclosure of PHI for research purposes. By contrast, informed consent is the subjects consent to participate in a specific research study.

Under both the Common Rule and FDA regulations governing human research (federal human research policies), the function of the institutional review board (IRB) is to protect the rights (including privacy) and welfare of human subjects and to minimize risks (including risks to confidentiality). The Privacy Rule supplements federal human research policies by requiring that the protection of confidentiality in research be handled in a very specific way.

Research funded by states or private sponsors is not regulated by federal human research policies. The Privacy Rule is broader than federal human research policies in that it extends to all research, regardless of funding, and to both living and dead persons.Where the Privacy Rule and federal human research policies are applicable, both must be followed. Where they overlap, the more stringent standard applies. Similarly, state law continues to apply when it is more restrictive than the HIPAA Privacy Rule.

Obtaining authorization
The form used to obtain valid Authorization is specified. Individuals must be provided, in writing, the relevant information on which to base their decision.Six essential elements apply to any Authorization regardless of the purpose for its use or disclosure:

• A description of the information to be used
• Who will use or disclose it
• To whom it will be disclosed
• The purpose for which it will be disclosed
• An expiration date
• A patients dated signature.

The Authorization must also provide notice of a patients right to revoke the Authorization, the ability of the investigator to condition research participation on the Authorization, and of the potential for protected health information to be redisclosed.

An Authorization must specifically describe these elements and notices, and investigators should take care to identify and include any secondary uses and disclosures (redisclosures) that might be associated with the researchfor example, disclosures to subinvestigators not within the investigators covered entity. The expiration date for research Authorizations may be indicated as end of the study (or none for an Authorization to place PHI in a research database).

The Privacy Rule does not require review and approval of (stand-alone) Authorization forms prior to use. However, the covered entity is accountable for compliance with these requirements and may require an internal approval procedure (by a forms committee, HIPAA compliance board, or their IRB). To enroll research subjects, investigators must obtain signatures on both the Authorization and the consent document required by federal human research policies. The regulations allow the two forms to be combined into one document. But in some cases, the requirement for an Authorization may be triggered separately or prior to the requirement for informed consent. For instance, HIPAA Authorization is required to disclose PHI already inexistence to an investigator outside of the covered entity for the purpose of determining potential eligibility for a research study.

Revocationthe reliance exception
Upon receipt of written revocation, the covered entity must stop using/disclosing protected health information, except to the extent that the covered entity has acted in reliance on the Authorization. For research, the reliance exception would permit the continued use and disclosure of PHI to account for subjects withdrawal from the research study, to include in safety or efficacy analyses for a marketing application submitted to FDA, to conduct any investigation of misconduct, or to report adverse events. However, information gathered after revocation may not be used or disclosed, even under the reliance exception.

Short of a HIPAA Authorization, there are several ways PHI may be obtained for research. Covered entities may obtain documentation that an IRB or Privacy Board has granted a waiver of the required Authorization (Waiver). Covered entities may also use PHI without Authorization if a researcher represents that the PHI is necessary to prepare for research or that the PHI is solely for research on decedents.

Waiver of Authorization
To grant a Waiver, an IRB or Privacy Board must find that the research satisfies the following criteria.

Minimal risk to privacy. There is minimal risk to privacy which includes meeting three criteria:

• There is an adequate plan to protect patient identifiers.
• There is an adequate plan to destroy identifiers at the earliest opportunity (unless there is a health or research justification or it is required by law).
• There are adequate written assurances against re-disclosure.

Practicality. The research could not be practically conducted without the Waiver.

Access. The research could not be practically conducted without access to PHI.Covered entities must receive documentation of the Waiver before use or disclosure is permitted. This documentation must include:

• The identity of the IRB or Privacy Board
• The Waiver approval date
• A brief description of the PHI involved, and the review and approval procedures used (that is, full or expedited review under either federal human research policies or Privacy Rule regulations)
• The signature of the Chair or other designated member of the reviewing board.

Waivers are likely to be sought for retrospective studies involving medical records review or database research involving protected health information (where the patient is unavailable to give Authorization).

An IRB or Privacy Board may also grant a partial waiver, as defined in Department of Health and Human Services (DHHS) commentary. A partial waiver can be granted separatelyeven if the IRB or Privacy Board does not grant a waiver of informed consent to participate in the research or a Waiver for access to PHI. Partial waivers are likely to be sought to enable investigators to contact and recruit individuals as potential research subjects. The PHI to be shared would be limited to that necessary to determine eligibility.

Records review preparatory to research

Investigators may review and use PHI from within their own covered entity without prior Authorization if the investigator represents to the covered entity that the PHI is necessary to prepare a research protocol or to determine its feasibility. No protected health information may be removed from the covered entity during the course of the review, and the PHI sought must be necessary for research purposes.

Decedents records. Likewise, investigators may review and use information within their own covered entity for research on decedents if the investigator represents to the covered entity that the use is sought solely for research on the PHI of decedents, is necessary for the research purposes, and documentation of the death of the decedents is available. (Note: PHI of deceased persons could be released only if a personal representative of the decedent authorizes disclosure.)

No authorization required

The are circumstances in which use/disclosure is permitted without Authorization or Waiver.

Face-to-face discussion. The Privacy Rule permits a covered entity to disclose PHI to the individual that is the subject of the PHI without prior Authorization. Therefore, Authorization is not required when an investigator or other entity communicates with a patient face-to-face.

De-identification. The Privacy Rule does not apply to health information that cannot be used to identify an individual. Therefore, research using de-identified data is exempt from the Privacy Rule. To be de-identified, health information must not include any of 18 types of identifiers (such as, name and contact information, dates [except year], Social Security number, medical record or plan beneficiary number, URLs, email or IP addresses). An alternative to this type of regulatory de-identification of records is a determination by a qualified statistician that the risk of re-identification is very low. The details in the definition of de-identified information are important. For example, under the Privacy Rule a ZIP code alone is identifiable information if it is for an area with fewer than 20,000 people. Also, age alone is not considered identifiable unless the person is 90 or older.

De-identification can happen only within the covered entity (or under a Business Associate Contract). So, an investigator may use records held within his or her own entity to de-identify protected health information, and the de-identified PHI may then be disclosed without Authorization. However, if the information is re-identified, or a code that allows for re-identification is disclosed, the Privacy Rule applies.

Anonymization vs. de-identification. It is worth noting that the Privacy Rule and the federal human research policies define identifiable information differently. The Privacy Rule allows de-identified data to incorporate a code that links it to patients identities. However, federal human research policies require IRB review of research using such linked data. Under these federal policies only anonymized data is exempt from IRB review, and anonymized data may include neither identifiers nor any link to patient identity.

Limited data set. The Privacy Rule permits the use and disclosure of a limited data set for research purposes as long as a data use agreement is in place that provides assurance that the recipient will not misuse the data. The recipients of a limited data set must agree to limit the use and disclosure of the data and agree not to re-disclose information. The PHI in a limited data set may not be used to contact subjects. Neither an Authorization nor a Waiver is required to disclose information in a limited data set.

A limited data set specifies 16 data elements (as opposed to the 18 to de-identify data) that must be stripped. Dates of admission, discharge, birth and death, and geographical information such as five-digit zip code and the individuals state, county, city or precinct may be included. Limited data sets are not considered de-identified. They would be used for situations where it would be unreasonable to try to obtain Authorization, such as registries for public health or epidemiological research.

Non-covered entities. The Privacy Rule protections do not apply to non-covered entities. Therefore, their use or disclosure of identifiable health information does not trigger the protections of the Privacy Rule.

Other disclosures relative to research
An exception to the Authorization requirement permits disclosure to nongovernmental entities subject to FDA jurisdiction (including pharmaceutical manufacturers and their representatives) to allow reporting of adverse events, to enable product recalls, to track products, and to conduct postmarketing safety surveillance (as required by FDA). Further, disclosure to FDA does not require Authorization, because it is a required disclosure, but FDA must be named on the research informed consent form.

Impact on informed consent
When persons participate in research involving treatment, their right of access to their own protected health information may be suspended for as long as the research is in progress. The individual must agree to this denial of access when consenting to participate in a clinical trial and the provider must agree to reinstate the right of access upon completion of the research.

Impact on research databases
Research registries and databases collect medical information, demographic information, and biological samples (tissue banks), when relevant, to provide a central information source for practitioners or for future research related to a certain disease or condition. Research databases may also be created to facilitate identification and subsequent contact of patients for participation in clinical trials. Such databases are also important to researchers who study epidemiological patterns of disease, or who track the success of health interventions across broadly dispersed populations.

Covered entities are permitted to disclose PHI to a database for research purposes, provided the disclosure is made pursuant to a Waiver, an Authorization, or consists of only a limited data set. When an Authorization is required, it must specifically identify and limit the use/disclosure to the creation of a database (or tissue bank). Additionally, a covered entitys Privacy Notice must mention its intent to use/disclose PHI for databases.

Any future research trial using the database or tissue bank requires a separate, IRB-approved protocol and a corresponding trial-specific informed consent/Authorization document (or a Waiver). No Authorizations are permitted that attempt to cover future unspecified research.

Acceptable subject recruitment practice
The most significant impact of this regulation for investigators is in the area of subject recruitment. In an update to the Privacy Rule, effective 14 August 2002, the DHHS clarified that recruitment of subjects for research is indeed research. Therefore, common recruitment practices, such as records review and use of databases, are now subject to the restrictions imposed by the Privacy Rule.

Recruiting subjects includes both the challenge of getting the information to the potential recruits and getting them interested in the study. It is important to remember that a research Authorization only permits the use and disclosure of PHI created for research. If a covered entity has an existing relationship with the subject, and it wants to use or disclose the PHI it obtained prior to the research for determining eligibility, a separate Authorization (or Waiver) may be required. Methods for the identification of potential subjects and recruitment must be included in the IRB application to review the research.

Investigators typically find their research subjects in one of three ways:

• Identifying patients from within their own practice
• Obtaining referrals from other physicians or recruitment centers.
• Locating potential subjects through advertising (primarily in newspapers and on the radio).

Identifying subjects for a study within the investigators practice (within the entity). The provision for review of PHI preparatory to research allows investigators to access and review their own patients PHI to determine which patients might be eligible for a trial. Removing protected health information from the investigators own covered entity is not permitted. Recent guidance from the Office of Civil Rights (OCR), which is assigned the task of enforcing compliance with the Privacy Rule, confirms that a researcher or other member of the covered entitys workforce may use PHI to contact prospective subjects. Because HIPAA does not limit disclosures to patients about their own information, covered entities may continue to discuss the option of enrolling in a clinical trial without an Authorization or Waiver. However, the covered entitys Privacy Notice must mention its intent to use/disclose PHI for this purpose.

Advertising. Recruitment advertisements appear in newspapers, on public transportation, on radio, on television, and on the Internet. The recruitment advertising may be managed by individual investigators or by central recruitment centers. Recruitment centers publish advertising or provide Web sites that focus on symptoms and treatment for certain diseases and conditions. They distribute information to patients and caregivers about clinical trials that are currently recruiting subjects. Patients may opt-in and register (voluntarily providing PHI) with these centers to receive information on clinical trials (and may opt-out at any time). Registered patients respond to the center if they are interested in a specific trial and may be referred directly to an investigator or to someone at the recruitment center who may administer a trial-specific screening interview.

Even though the Privacy Rule may not apply (many recruitment centers are non-covered entities), federal human research policies remain in effect. For instance, those policies consider advertisements and screening interviews and scripts to be part of the informed consent process, which therefore must be approved by the governing IRB(s) prior to use.

Potential subject initiates contact. Most advertising campaigns result in the interested, potential recruit contacting the investigator. These respondents have initiated the first contact and have, therefore, implicitly given their permission to be contacted by study staff. Because HIPAA does not limit disclosures to individuals of their own information, once contact is made, the investigator or study staff may discuss the option of enrolling in the clinical trial without an Authorization or Waiver.

However, if the next step for the investigator is to conduct a screening interview that results in recording protected health information from potential subjects prior to administration of the research Authorization and informed consent, then the investigator must obtain an Authorization or be granted a partial waiver for this use. If an IRB is presented a screening script for review, it makes sense for the IRB to evaluate its acceptability in terms of the criteria required to grant a Waiver. The IRB can grant a partial waiver for use of the PHI collected at the same time it grants IRB approval for the actual script.

Investigator Initiates Contact. A recruitment center may pass a prescreened list of candidates (PHI) on to the investigator so that the investigator can initiate contact. If a recruitment center is a covered entity, Authorization is required to pass the list (PHI) to the investigator. However, Privacy Rule protections are triggered only if the recruitment center is a covered entityand many are not.

If the recruitment center is a covered entity, then the investigator must ensure that the recruitment center has obtained appropriate Authorizations under the Privacy Rule or that the recruitment centers IRB or Privacy Board has issued a Waiver for this specific disclosure and contact.

If the recruitment center is not a covered entity, then the Privacy Rule does not apply. The PHI may pass to the investigator without Authorization or Waiver; and the investigator may contact the recruits, who have initiated the first contact and voluntarily contributed information. This is a form of self-referral. In this context, the provisions of the Privacy Rule do not apply until the investigator intends to record PHI for the research.

Referrals from other physicians. It is common for investigators to ask their colleagues for assistance in identifying patients eligible for clinical trials. The most common approach targets patients with a specific disease or condition. The treating physician reviews patient charts or a clinical data repository from his or her own covered entity against the study entry criteria and identifies patients meeting the criteria. If this protected health information is shared between covered entities, it is a disclosure that triggers Privacy Rule protections. The investigator must determine that the referring physician has obtained either Authorizations from referred patients or a Waiver for this specific purpose.

It is the treating physicians responsibility to obtain patient Authorizations or the Waiver from his or her own IRB or Privacy Board to share PHI outside of his or her covered entity. The Authorization may also include permission for the investigator to contact the patient. The treating physician should usually make the initial contact. Patients expect that information on their medical condition will be kept confidential. Many patients would consider it a serious breach of confidentiality to be contacted by someone not involved in his or her care.

Referral letters. To facilitate referrals, an investigator may ask treating physicians to send out letters to their patients describing the study. The investigators IRB must approve any such letter before it is used.

Many referral letters introduce the study to eligible patients and invite them to contact someone in the treating physicians office (which has an existing relationship with the patient) who can provide them with more information about the study. If the patient is interested in being referred to the study, his or her Authorization is required for the treating physician to share the patients PHI with the investigator.

If the treating physicians office sends the letter to all patientsnot just those identified by record reviewand the investigator has no access to the list of recipients, no Privacy Rule protections are triggered. The letter may provide the investigators contact information to allow patient self-referral and is thus analogous to any other non-targeted advertisement.

Honest brokers. An honest broker may serve as an intermediary to facilitate patient referral. To identify eligible patients, an honest broker can de-identify PHI and code it in such a way that it can be re-identified. The investigator reviews the de-identified information to determine which patients meet study criteria. Because de-identified data is exempt, this part of the procedure would not require prior Authorization by patients. The broker then re-identifies the patients meeting the study criteria and provides the names of the identified patients to their personal physician(s). The patients personal physician contacts the patients to introduce the study, ascertains their interest, and obtains Authorization to share their protected health information and be contacted by the investigator(s). The honest broker must be an agent of the referring covered entity and cannot be one of the research investigators.

Whats an IRB to do?
Other than educating the IRB about acceptable flows of protected health information (which is not insignifiacant) the Privacy Rule has little effect on IRB responsibilities. The only direct change to IRB responsibilities is the addition of two specific instances in which IRB authority to approve now exists:

• When a research site combines Authorization with informed constent documentation, the IRB is the final authority on the content of the document and will review the Authorization for compliance with the detailed requirements of the Privacy Rule.
• When a Waiver (or partial Wavier) is requested, either an IRB or privacy board must approve it.

Other than these two instances, the covered entity is responsible for Privacy Rule compliance, which is much broader than research. There is no requirement that the IRB be involved with any other HIPAA compliance responsibilites related to research.The Privacy Rule requires that covered entities implement an administrative and procedural framework to control PHI and to ensure compliance with its provisions. These responsibilities cannot be transferred to a third party. Where the IRB is an actual part of the covered entitys own work force (as at universities, research foundations, and hospitals) it may be an appropriate place to delegate some or all of these responsibilites. However, an IRB carrying out these additional responsibilities is acting as part of the covered entity and not as an IRB per se.

Regardless, HIPAA Privacy Rule protections are intended to protect the rights and welfare of patients. Some IRBs have claimed authority to review all research Authorizations under 21 CFR 56 or 45 CFR 46. Others are finding it sufficient (for Authorizations separate from the informed consent) to request written assurance from an investigator that research Authorizations are being or have been obtained as required. Either way, IRB review and HIPAA requirements, while they overlap, extend well beyond each other.

IRBs have always been responsible for making a thorough assessment of research design and conduct to ensure subject safety, including privacy protection. The Privacy Rule provides some new, specific elements to consider in this process. The real contribution of the Privacy Rule to the IRB process is that it provides IRBs with greater information about the flow of protected health information between parties to researchimproving the assessment of privacy risksand provides patients with greater information about the uses and disclosures of their PHI. HIPAA compliance alone is not a marker for adequate protection of patient privacy in research, but is one component of an IRBs overall responsibility to ensure subject safety.

References

1. Code of Federal Regulations, Title 45, Part 160 and 164 (U.S. Government Printing Office, Washington, DC).

2. Code of Federal Regulations, Title 45, Part 46 (U.S. Government Printing Office, Washington, DC).

3. Code of Federal Regulations, Title 21, Part 50 (U.S. Government Printing Office, Washington, DC).

4. Code of Federal Regulations, Title 21, Part 56 (U.S. Government Printing Office, Washington, DC).

5. Office of Civil Rights, OCR Guidance Explaining Significant Aspects of the Privacy Rule (OCR, Washington, DC, December 2002). Also available at www.hhs.gov/ocr/hipaa/privacy.html.