As might be expected in these days of an overregulated health care industry, HIPAA regulates clinical research much as it does treatment, payment, health care operations, marketing and fundraising, and the like. Of course, research was heavily regulated, with requirements for such things as institutional review boards (“IRBs”), informed consent to the research protocols, and the like, long before HIPAA was anything more than a gleam in the eye of the Department of Health and Human Services lawyers and Congressmen and women. See the Common Rule (45 C.F.R. Part 46, Subpart A) and/or the Food and Drug Administration’s (“FDA”) human subject protection regulations (21 C.F.R. Parts 50 and 56), which have some provisions that are similar to, but separate from, the HIPAA Privacy Rule’s provisions for research. Seventeen federal departments and agencies agreed to adopt the basic human subject protection regulations published in 1991 as the Common Rule. But HIPAA adds another layer of privacy protection that you must be aware of if you are going to engage in clinical research or allow other entities to use your health information in their research projects.
First, what is research? The HIPAA Privacy Rule and the Common Rule have the same definition of research: a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge (45 C.F.R. 64.10).
A number of ways exist to legally conduct research using health information:
- First, not all kinds of research-like activities are covered by HIPAA. Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines or protocols, fall under the category of health care operations, provided that obtaining generalizable knowledge is not the primary purpose. And activities that aim at very broadly generalizable knowledge for population health also fall into a different category—namely, public health.
- The health information is not protected health information (“PHI”). For example, after a patient has been deceased for fifty (50) years, his or her individually identifiable health information maintained in a system of records is no longer PHI. 45 C.F.R. 160.103, paragraph (2)(iv).
- The researcher obtains a signed authorization from the research participant as will be explained more fully below.
- The PHI has been properly de-identified.
- The use and/or disclosure of information regarding a subject for research purposes has been approved by an IRB or a Privacy Board. See 45 C.F.R. 164.512(i)(1)(i).
- Use Preparatory to Research: The researcher represents, either in writing or orally, that the use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any PHI from the covered entity, and that PHI for which access is sought is necessary for the research purpose. See 45 C.F.R. 164.512(i)(1)(ii). This provision might be used, for example, to assess the feasibility of conducting a particular research study.
- Limited Data Sets with a Data Use Agreement: The covered entity and the researcher enter into a data use agreement, pursuant to which the covered entity may disclose a limited data set to the researcher for research, public health, or health care operations. See 45 C.F.R. 164.514(e). A limited data set excludes specified direct identifiers of the individual or of relatives, employers, or household members of the individual. See the De-identification Policy on the CD accompanying my Compliance Guide to HIPAA & the DHHS Regulations, 6th edition, or The Complete Guide to HIPAA Policies and Procedures, both with accompanying CD of sample policies and procedures.
- With an authorization: The Privacy Rule also permits covered entities to use or disclose PHI for research purposes when a research participant authorizes the use or disclosure of information about himself or herself. Typically, a research participant’s authorization will be sought for most clinical trials and some records research. To use or disclose PHI with authorization by the research participant, the covered entity must obtain an authorization that satisfies the requirements of 45 C.F.R. 164.508. In addition to the requirements for all authorizations, several special provisions apply to research authorizations:
  - Unlike other authorizations, an authorization for a research purpose may state that the authorization does not expire, that there is no expiration date or event, or that the authorization continues until the “end of the research study.”
  - An authorization for the use or disclosure of PHI for a research study may be combined with a consent to participate in the research, or with any other legal permission related to the research study.
  - An authorization for the use or disclosure of PHI for a research study may be combined with an authorization for a different research activity, provided that, if research-related treatment is conditioned on the provision of one of the authorizations, such as in the context of a clinical trial, then the compound authorization must clearly differentiate between the conditioned and unconditioned components and provide the individual an opportunity to opt in to the unconditioned research activity.
Five other things to note:
- Those involved in human subject research must receive formal training in the protection of human subjects.
- The minimum necessary rule applies when disclosing PHI to third-party researchers.
- A business associate agreement is not required for uses or disclosures to a researcher, but may be necessary if other entities, such as a copy or destruction service, are used by the researcher.
- The patient right to an accounting of uses and disclosures under 45 C.F.R. §§ 164.512(i) and 164.528(b)(4) applies, with some changes from the general rule.
- These HIPAA rules do not prevent reporting to regulatory agencies, law enforcement officials, and health departments when necessary to prevent a threat to the public, but always look up the Privacy Rule’s requirements for allowing such disclosures.
Compared to the brainpower needed to design a research protocol, conduct it, and evaluate its results, complying with HIPAA’s research requirements should not be too onerous. Remember to document all that you do in this regard. HIPAA requires you to maintain records of HIPAA compliance for six years, but because some research may last much longer, you would want to keep this documentation for at least the life of the study. DHHS requires that research records be kept for three years after the life of the study, and other laws, such as those governing research that supports an FDA application (see, for example, 21 C.F.R. 312.62 and 21 C.F.R. 812.140), may have longer retention requirements. Finally, you might want a longer retention period to, say, protect a copyright in the method of research or its findings, or for other business reasons.
Premium members and those who have purchased either of the books mentioned above can download a sample policy on use and disclosure of PHI for research purposes from the Premium Member section of the Veterans Press website or by contacting Alice McCart at alice@veteranspress.com or toll-free at 855-341-8783.