Privacy Restrictions Alarm Clinical Researchers

The privacy provisions established by the 1996 Health Insurance Portability and Accountability Act (HIPAA) contain extensive requirements for protecting the medical records of individuals, including participants in clinical trials and health care studies. Unfortunately, this new policy imposes on researchers a host of new rules that are likely to complicate data analysis and retention, block subject enrollment in studies, and limit access to data needed to track and analyze diseases and public health trends. At a minimum, the rules are likely to add greatly to the workload of institutional review boards and new privacy boards. To avoid major disruptions in biomedical exploration, the medical research community is calling on the Department of Health and Human Services (HHS) to address several key issues before allowing the final rules to go into effect come April 2003.

The HIPAA privacy rules require health plans and some providers (covered entities) to seek patient authorization before releasing any individually identifiable protected health information (PHI) to other entitieshospitals and doctors as well as employers or insurance companies. Health plans have leeway to transmit information needed to provide care or to pay providers. The framers of the privacy policy also sought to create exceptions that will permit the use of PHI to facilitate clinical and health care studies.

Although some patient advocates believe that the current HIPAA rules are not strict enough to ensure confidentiality of PHI, many members of the biomedical research community feel that the HIPAA policy adds an unnecessary layer of regulation to clinical studies that already adhere to extensive human protection and informed consent rules. All clinical research funded by the federal government falls under the Common Rule for human subject protection, and most commercially sponsored studies are governed by the Food and Drug Administration or other regulatory authorities. Biomedical researchers recognize the need to ensure the confidentiality of PHI, but fear that the rules will hinder the conduct of clinical trials and access to data banks.

Some streamlining
To address these and other concerns of health plans and providers, the Bush administration issued a proposed rule in March 2002 that modifies the HIPAA privacy standards and makes some significant revisions in the earlier Clinton administration policy. A main change allows health professionals to use PHI to deliver needed care without explicit consent, although plans and providers still must make all efforts to obtain timely authorization. The aim is to permit a physician to consult with a specialist or a pharmacist to fill a prescription called in on the phone before obtaining written consent. Providers and payers applaud the modification, while consumer advocates insist that it undermines the entire privacy policy.

A number of amendments address issues raised by the research community. One change supported by the Association of American Medical Colleges allows researchers to combine privacy authorization with informed consent so that an individual has to review only one form before participating in a clinical trial.

Another useful revision is to simplify the list of criteria that an IRB or privacy board must consider when evaluating a request to waive or alter HIPAA authorization requirements. Researchers complained that the original eight criteria were too vague and would lead privacy boards to be excessively strict in approving waivers. HHS responded by reducing the list to three waiver criteria that are more specific and mesh with FDA policy and the Common Ruleauthorization may be waived if a review board finds that a study poses no more than minimal risk and if the research could not be conducted without use of the information.

De-identifying data
One of the more controversial issues is the limitation imposed on researchers seeking access to epidemiological and other information in large health care databases. HHS recognized that it would be impossible for researchers to obtain authorization to use such data from hundreds of thousands of individuals and offered an alternative policy: individual consent is not needed if researchers remove all identifying factors from the data, thus eliminating the need for privacy protection. The problem is that the initial HIPAA policy required the removal of so many identifiers that the resulting de-identified data was virtually useless.

The revised regulations seek a compromise between overly strict de-identification requirementswhich would prompt researchers to seek waivers for almost every epidemiological studyand permitting researcher access to so much personal information that sophisticated electronic data matching systems would be able to identify individuals. The new proposal would permit researchers and health authoritiesbut not the publicto have access to a limited data set. This would still exclude direct identifiers such as name, address, and social security number, but include a patients admission, discharge and service dates, date of death, age, and five-digit zip code.

The National Human Research Protections Advisory Committee (NHRPAC) advises HHS to consider whether it still seeks to remove too much critical data. The group feels that researchers need geographic information on individuals, such as area of residence, work, or origin, in order to study issues such as cancer incidence. Specific addresses of persons need not be included, but zip codes and geographic subdivisions may be essential for epidemiological studies.

Added problems
A NHRPAC working group headed by attorney Mark Barnes analyzed the HIPAA policy and the March amendments and addressed a number of issues that still trouble the research community:

Data for trial design. Although the privacy policy establishes extensive procedures for individuals to authorize use of PHI for a specific research project, it says little about how researchers might access patient data that could be useful in designing protocols and research projects. Academic medical centers and hospitals often compile information on patients with diseases of potential research interest and collect human tissues and blood samples. Even though this data can be extremely valuable to investigators in the preresearch phase, it may be lost if hospitals and clinics fear that retaining this information and material could violate privacy rules. To prevent such a development, NHRPAC suggests that HHS amend the HIPAA regulations to allow a privacy board or IRB to approve preresearch use of data. An alternative is for HHS to establish a process for privacy boards to review and approve applications from institutions to build and maintain preresearch databases and tissue banks.

Clinical trial withdrawals. Another thorny issue is when and how researchers can access and use data concerning an individual who drops out of a clinical study after it has begun. This is particularly important if the withdrawal relates to an adverse event or other development affecting the safety or efficacy of a drug or product under study.

Individuals entering clinical trials authorize investigators, sponsors, IRBs, and others to use and disclose their PHI, but always retain the right to withdraw from a study, which cancels authorization for access to personal data. The sponsor and investigators still will be able to report adverse events to FDA and to submit data on that individual in a market application or other filing. In fact, the law requires sponsors to file such information with FDA. Without authorization, however, researchers and medical personnel might be prevented from discussing the reasons and events related to the withdrawal or from analyzing important research data that could increase knowledge, prevent injuries, and even save lives, NHRPAC states.

The advisory panel urges HHS to establish a process for investigators to seek privacy board approval to use subject information after withdrawal of an individuals authorization. The board would weigh the circumstances of a subjects withdrawal and the scientific need for continued data analysis. Of course, privacy boards would be overwhelmed if they have to approve such requests related to every clinical trial dropout, even if investigators limit waiver requests to cases where further analysis is most important.

Extending expiration. Researchers also face difficulty dealing with provisions in the HIPAA regulations that allow individual authorizations to expire when a research project ends and study results are reported. The March amendments offer more flexibility in defining study termination and clarify that sponsors can retain PHI to meet record retention requirements and to establish approved databases.

However, HHS emphasizes that permission to create databases and archival records does not authorize use of study data for further research or any other purpose. This erects a high barrier for sponsors and researchers who frequently need to revisit clinical trial data to assess adverse events in marketed therapies, to develop a new use of a product, or to prepare new clinical guidelines. Clinical trial data also is important in investigating later charges of research misconduct or for overseeing research integrity issues.

NHRPAC asks HHS to broaden its definition for termination of the research project to include extinguishing of the need to review, analyze, and consider the data generated by a research project, whichever is later. Or HHS can specifically establish a process for privacy boards to review applications for additional uses and disclosures of research data after that research has terminated; this latter option, though, again would add to the heavy workload of privacy boards and IRBs.

Subject enrollment.Probably the most harmful consequence of the new rule is how it may impede physicians from referring patients to clinical trials. Under HIPAA, patients give consent for providers and health plans to use PHI to carry out treatment, payment and health care operations, but that does not include research. Strictly speaking, it does not authorize a physician to even discuss clinical research opportunities with a patientmuch less identify a suitable trial participant to a colleague.

This situation is not sustainable for clinicians, patients, or researchers, says NHRPAC, and illustrates the very real ways in which HIPAA will complicate, and ultimately undermine, clinical research. Even those patient advocates on the advisory panel who back strong privacy protections agree that this is one issue likely to create unnecessary and excessive problems for the research process.

One remedy is for HHS to clarify that clinicians may discuss with investigators whether an individual patient may be eligible for a study, perhaps with limits to disclose only the minimum necessary information (for example, withholding the patients name). Another suggestion is to establish a procedure for a physician or provider to acquire authorization from patients to use PHI to seek enrollment into clinical trials, but such a move would require a change in HIPAA regulations.

If HHS fails to remedy this problem, NHRPAC envisions enormous inefficiencies in the research enrollment process that might deter some clinicians from proposing patients for studies and prevent patients from having ready access to protocols in which they would like to enroll.

Instead of developing so many detailed rules, researchers urge HHS to craft policies that will encourage investigators to take care in recording and publishing data to avoid confidentiality lapses. The real aim is to protect individual privacyand not make critical research excessively costly and troublesome to undertake.