Memorandum. Factual Background


Memorandum

TO: Chris Ianelli and Jill Mullan, ispecimen, Inc.
FROM: Kristen Rosati and Ana Christian, Polsinelli, PC
SUBJECT: ispecimen Regulatory Compliance
DATE: January 26, 2014

You have asked us to evaluate whether ispecimen's handling of specimens and the accompanying clinical data complies with the Health Insurance Portability and Accountability Act ("HIPAA") regulations,[1] the Department of Health and Human Services ("HHS") regulations governing human subjects research (called the Common Rule), and Food and Drug Administration ("FDA") regulations.[2] As we explain below, we conclude that ispecimen structures its specimen and data collection and distribution in a manner that complies with these regulations. Our analysis is based on the following factual background. If it is inaccurate in any manner, please let us know so that we can reevaluate our conclusions.

Factual Background

ispecimen provides researchers with on-demand access to clinically annotated specimens. Through its arrangements with clinical laboratories, hospitals and other health care providers that collect specimens during the provision of clinical care (the Provider Network Participants), ispecimen uses its proprietary software to identify specimens that meet specific requirements for researchers and instructs the Provider Network Participants on processing and shipping those specimens.

ispecimen installs its proprietary software behind the Provider Network Participant firewall. Once the ispecimen software is installed in the Provider Network Participant data center, ispecimen personnel access it only for software maintenance. The ispecimen software collects information about the specimens available at a Provider Network Participant, de-identifies the data according to HIPAA rules (with the exception of the specimen collection date that is used to determine when a specimen is ready for discard), and sends the data to ispecimen's data center.
The specimens are also given new, coded ispecimen IDs at this time. The software at the data center matches these specimens against those desired by researchers. When a match is identified, the system sends a message to the Provider Network Participant to pull that specimen and process it according to ispecimen instructions. The specimen is re-tubed and the ispecimen software generates a new, de-identified specimen label that contains the ispecimen ID, order information, and matrix. No information identifying the patient is physically attached to the specimen when it is shipped.

Limited personal identifiers, such as the original specimen ID, are stored behind the Participant's firewall with links to the ispecimen ID to ensure that the correct specimens are picked by the Participant's technicians. These limited identifiers are only visible to the Participant, cannot be accessed by ispecimen and are never released to ispecimen customers. Additionally, at the Provider Network Participant's request, these links may be completely broken once specimens are shipped to researchers, ensuring that the specimens are truly anonymized and not even the Provider Network Participant could re-identify a patient from whom the specimens came.

[1] 45 C.F.R. Part 160 and Part 164, Subpart E C.F.R. Part 46, Subpart A.

The ispecimen software also pulls clinical data associated with patients. The amount of clinical data will vary according to ispecimen's arrangement with each Provider Network Participant and might include data such as current and past diagnoses, medications, encounters and treatments, hospitalizations and surgical history, allergies and sensitivities, immunizations, and family and social histories of the patient. No HIPAA identifiers are transferred to the ispecimen datacenter in this process other than the dates of service related to the patient (such as the date a particular diagnosis was made, which aids in the selection of specimens). As with the specimens, each patient is assigned a unique ispecimen Patient ID during the process so that the patient cannot be re-identified by ispecimen or the researchers who receive data.

ispecimen enters into written agreements with its research customers to ensure that a customer uses the specimens and data for scientific research and development purposes only; does not transfer the specimens to a third party unless the third party agrees to be bound by the same rules surrounding specimen use as the research customer; and uses, retains, and destroys the specimens and accompanying data in accordance with all applicable laws. Research customers must also agree to never re-identify patients from whom specimens originated, even if technology and databases are available in the future which would allow that.

Analysis

1. HIPAA Compliance

Under HIPAA, covered entities (health plans, health care clearinghouses, and most health care providers) may use or disclose individually identifiable health information (also called protected health information or PHI) only as expressly permitted by the HIPAA Privacy Rule.[3] This memorandum discusses the application of the HIPAA Privacy Rule, as amended on January 25, 2013 to implement the Health Information Technology for Economic and Clinical Health Act (the HITECH Act).[4] As described below, we conclude that the ispecimen method of handling specimens and associated clinical data complies with HIPAA.

ispecimen access to PHI behind the customer's firewall complies with HIPAA. As explained above, the ispecimen software has access to PHI behind the Provider Network Participant firewall to identify appropriate specimens and to pull clinical data associated with those specimens. The ispecimen software assigns a code to the specimen and strips all HIPAA identifiers[5] from the associated clinical data, except for limited dates of service. The ispecimen software thus creates a Limited Data Set, as defined by HIPAA, because the data includes dates related to patients.[6] In the Preamble to the final amendments to the HIPAA regulations, the HHS Office for Civil Rights ("OCR") explained that because de-identification and the creation of a Limited Data Set for research purposes are health care operations, a covered entity is permitted to disclose PHI to a third party for such purposes under a HIPAA Business Associate Agreement.[7] ispecimen integrates a HIPAA-compliant Business Associate Agreement into its agreement with Provider Network Participants so that it may de-identify and create Limited Data Sets on behalf of the Participants.

[3] See 45 C.F.R. Part 160 and Part 164, Subpart E.
[4] See 78 Federal Register ("Fed. Reg.") (Jan. 25, 2013).
[5] See 45 C.F.R (the HIPAA identifiers include all of the following data about individuals and their family members, household members, or employers: name; street address, city, county, precinct, or zip code (unless only the first three digits of the zip code are used and the area has more than 20,000 residents); the month and day of dates directly related to an individual, such as birth date, admission date, discharge date, dates of service, or date of death; age if over 89 (unless aggregated into a single category of age 90 and older); telephone numbers; fax numbers; addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers, serial numbers, and license plate numbers; device identifiers and serial numbers; web Universal Resource Locators (URLs) and Internet Protocol (IP) addresses; biometric identifiers, such as fingerprints; full-face photographs and any comparable images; or any other unique identifying number, characteristic, or code).

ispecimen use of the Limited Data Set to process the specimens complies with HIPAA. The ispecimen software gathers dates of specimen collection and other healthcare events so that it can ensure that the specimen meets the requirements of the researchers. ispecimen's use of this Limited Data Set is permitted for two reasons. One, ispecimen uses dates in performance of its Business Associate functions on behalf of its customers, to match the customers' specimens with researchers. Two, ispecimen may use the Limited Data Set for these research purposes because its agreements with Provider Network Participants include a Data Use Agreement, which provides assurance that ispecimen will use the PHI only for those purposes.[8]

ispecimen completely de-identifies the specimens and associated clinical data before providing them to researchers, complying with HIPAA. ispecimen uses the Limited Data Set only to ensure that specimens meet the researchers' requirements, and then strips the dates from the specimens and associated clinical data before providing them to the researcher. ispecimen sends only fully de-identified data to researchers.[9] Disclosure of de-identified data complies with HIPAA.

Specimens without accompanying HIPAA identifiers are not themselves treated as PHI.
Where specimens provided for research are not associated with the HIPAA identifiers, the specimens themselves are not treated as PHI and the release of the specimens is not governed by HIPAA.[10] The OCR has concluded that specimens themselves are not PHI unless they are associated with HIPAA identifiers.[11]

The ispecimen process does not trigger the need for an accounting. Because Provider Network Participants disclose only a Limited Data Set to ispecimen and because ispecimen's agreements with Provider Network Participants contain a Data Use Agreement, Provider Network Participants do not have an obligation to include disclosures to ispecimen in response to a patient's request for an accounting.[12]

[6] See 45 C.F.R (c) (A Limited Data Set is partially de-identified patient information. A Limited Data Set excludes all of the direct identifiers in the regulations, except that a Limited Data Set may include: (1) geographic designations above the street level or P.O. Box; (2) dates directly related to a patient, such as dates of service, birth date, admission date, discharge date, or date of death; or (3) any other unique identifying number, characteristic, or code that is not expressly listed as an identifier).
[7] See 78 Fed. Reg (Jan. 25, 2013) C.F.R (e)(4) (listing requirements for a Data Use Agreement).
[9] See 45 C.F.R (a)-(b).
[10] See Research Repositories, Databases, and the HIPAA Privacy, at 3 (OHRP and NIH, Jan. 12, 2004), (found at
[11] Id. at 11 ("Under the Privacy Rule, neither blood nor tissue, in and of itself, is considered individually identifiable health information; therefore, research involving only the collecting of blood or tissue would not be subject to the Privacy Rule's requirements. Remember, however, blood and tissue are often labeled with information (e.g. admission date or medical record number) that the Privacy Rule considers individually identifiable and thus, PHI. A covered entity's use or disclosure of this information for research results from an analysis of blood and tissue, if containing or associated with individually identifiable information would be PHI.").

Revenue sharing with ispecimen customers is not a prohibited sale of PHI. Section 13405(d) of the HITECH Act[13] and the final HIPAA regulations provide that a covered entity may not directly or indirectly receive remuneration from or on behalf of the PHI recipient, in exchange for the PHI, unless the covered entity obtains an individual's authorization.[14] The final HIPAA regulations incorporate a number of exceptions where authorization is not required, including an exception where for research purposes pursuant to (i) [IRB waiver of HIPAA authorization, reviews to prepare for research, or research involving decedents] or (e) [use or disclosure of Limited Data Sets], the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes.[15]

We believe the OCR would conclude that no remuneration flows to the Provider Network Participants for PHI in the current arrangement. The only PHI that flows to ispecimen are dates, which are used by ispecimen only for the purpose of ensuring that the specimens meet the researchers' requirements, but which then are stripped from the data before transmission to the researchers.
The OCR explained that the transmission of PHI by a covered entity to a research sponsor in a clinical trial is not prohibited by this rule, because the payment to the covered entity is not primarily for the PHI: [W]e do not consider sale of protected health information in this provision to encompass payments a covered entity may receive in the form of grants, or contracts or other arrangements to perform programs or activities, such as a research study, because any provision of protected health information to the payer is a byproduct of the service being provided. Thus, the payment by a research sponsor to a covered entity to conduct a research study is not considered a sale of protected health information even if research results that may include protected health information are disclosed to the sponsor in the course of the study. Further, the receipt of a grant or funding from a government agency to conduct a program is not a sale of protected health information, even if, as a condition of receiving the funding, the covered entity is required to report protected health information to the agency for program oversight or other purposes. (Certain of these disclosures would also be exempt from the sale requirements, depending on whether the requirement to report data was included in regulation or other law.) In contrast, a sale of protected health information occurs when the covered entity primarily is being compensated to supply data it maintains in its role as a covered entity (or business associate). 
For example, a disclosure of protected health information by a covered entity to a third party researcher that is conducting the research in exchange for remuneration would fall within these provisions, unless the only remuneration received is a reasonable, cost-based fee to cover the cost to prepare and transmit the data for such purposes (see below).[16]

C.F.R (a) ("An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: (viii) as part of a limited data set.").
[13] Codified at 42 U.S.C (d).
[14] See 45 C.F.R (a)(5)(ii).
[15] Id.

We think the OCR would come to the same conclusion here. ispecimen is compensating Provider Network Participants for the services involved in the procurement of the specimens and associated de-identified clinical data that it provides to researchers. While dates are important to verify the specimen can be used for research, the compensation is by no means primarily for the dates (which are stripped before providing the specimens to the end user researchers).

2. Common Rule Compliance

The use of de-identified specimens is not human subjects research. The Common Rule regulations govern human subjects research funded or conducted by a federal agency or research that is subject to an institution's Federalwide Assurance (a contract that permits an institution to conduct federally-funded research).[17] Human subjects include living individual(s) about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable personal information.[18]

The HHS Office for Human Research Protections ("OHRP") has provided guidance that if specimens are not collected for currently proposed research and investigators cannot readily ascertain the identity of the subjects, the release of those specimens to investigators is not human subjects research.[19]

Under the ispecimen model, Provider Network Participants are not conducting human subjects research by permitting the use of their specimens and de-identified clinical data for research. First, the specimen and data are created for clinical care purposes, not research. Second, the end user researchers (the investigators) do not obtain any identifiable personal information about the patients and thus cannot readily ascertain the identity of the individual.
Moreover, even if a Provider Network Participant maintains a link between the patient's identity and the code assigned by the ispecimen software to the specimen and clinical data, that does not mean the Provider Network Participant is itself conducting human subjects research. OHRP does not consider providing coded information or specimens as engagement in human subjects research, as long as the institution is prohibited from releasing the code to the investigators.[20] HIPAA prohibits the Provider Network Participants from releasing the code to the investigators under the current arrangement.

Fed. Reg. at 5607, C.F.R (a) C.F.R (f).
[19] See Guidance on Research Involving Coded Private Information or Biological Specimens (Oct. 16, 2008) (found at
[20] Id. at 3-4 (OHRP does not consider research involving only coded private information or specimens to involve human subjects as defined under 45 CFR (f) if the following conditions are both met: (1) the private information or specimens were not collected specifically for the currently proposed research project through an interaction or intervention with living individuals; and (2) the investigator(s) cannot readily ascertain the identity of the individual(s) to whom the coded private information or specimens pertain because, for example: (a) the investigators and the holder of the key enter into an agreement prohibiting the release of the key to the investigators under any circumstances, until the individuals are deceased (note that the HHS regulations do not require the IRB to review and approve this agreement); (b) there are IRB-approved written policies and operating procedures for a repository or data management center that prohibit the release of the key to the investigators under any circumstances, until the individuals are deceased; or (c) there are other legal requirements prohibiting the release of the key to the investigators, until the individuals are deceased.

The HHS Advance Notice of Proposed Rulemaking. On July 26, 2011, OHRP issued an Advance Notice of Proposed Rulemaking ("ANPRM"), a request for public comment before a proposed rule is issued, to revamp the Common Rule.[21] While the ANPRM sought public comment on whether consent should be required to use de-identified specimens for research, OHRP also suggested that a general consent in a conditions of admission form would be sufficient if consent is required in the future.[22] Of course, the ANPRM is not yet a proposed rule, and could be changed substantially before it is finalized. Moreover, any new rule would be applied prospectively only to specimens collected after the date of any final rule.[23] We do not recommend a change in procedures in response to the ANPRM.

3. FDA Compliance

Specimens procured through the ispecimen Network may be used for FDA-regulated IVD studies. The FDA regulates clinical investigations conducted in support of applications for research or marketing permits for products regulated by the FDA.[24] The FDA regulations define clinical investigation as any experiment that involves a test article and one or more human subjects where the researcher is required to submit the data to the FDA for approval.[25] Human subject means an individual who is or becomes a participant in research, either as a recipient of the test article or as a control.[26] The FDA regulations on Investigational Device Exemptions ("IDE") apply the FDA human subject protection regulations to the use of human specimens.[27]

In general, the FDA requires informed consent from an individual before he or she can be used as a subject in research regulated by the FDA.[28] However, in 2006, FDA issued guidance that it will permit the use of de-identified human specimens without informed consent when the specimens are used for FDA-regulated in vitro diagnostic device ("IVD") investigations, in the following circumstances:[29]

a) The investigation meets the IDE criteria at 21 C.F.R (c) (3) (a diagnostic device, if the sponsor complies with applicable requirements in (c) and if the testing: (i) is noninvasive, (ii) does not require an invasive sampling procedure that presents significant risk, (iii) does not by design or intention introduce energy into a subject, and (iv) is not used as a diagnostic procedure without confirmation of the diagnosis by another, medically established diagnostic product or procedure).

b) The study uses leftover specimens. These include remnants of specimens collected for routine clinical care or analysis that would have been discarded, specimens obtained from specimen repositories, or leftover specimens that were previously collected for other research purposes.

c) The specimens are not individually identifiable, in that the identity of the subject is not known to and may not readily be ascertained by the investigator or any other individuals associated with the investigation, including the sponsor (the study personnel). If the specimen is coded, it is not individually identifiable if the study personnel cannot link the specimen to the subject.

d) Any clinical information accompanying the specimens does not make the specimen source identifiable to the study personnel.

e) The individuals caring for the patients are different from and do not share information about the patient with the study personnel.

f) The specimens are provided to the investigator(s) without identifiers and the supplier of the specimens has established policies and procedures to prevent the release of personal information.

g) The study has been reviewed by an IRB in accordance with 21 CFR Part 56 [with exception omitted].

[21] See 76 Fed. Reg (July 26, 2011) (found at 26/pdf/ pdf).
[22] See 76 Fed. Reg (explaining the proposal to require written consent for research use of any specimens collected for clinical purposes after the effective date of the new rules (such as research with excess pathological specimens). Such consent could be obtained by use of a brief standard consent form agreeing to generally permit future research. This brief consent could be broad enough to cover all specimens to be collected related to a particular set of encounters with an institution.).
[23] Id C.F.R C.F.R. 50.3(c) C.F.R (p) C.F.R (p) C.F.R ("No investigator may involve a human being as a subject in research covered by these regulations unless the investigator has obtained the legally effective informed consent of the subject or the subject's legally authorized representative.").
[29] Guidance on Informed Consent for In Vitro Diagnostic Device Studies Using Leftover Human Specimens That Are Not Individually Identifiable, 4 (Apr. 25, 2006) ("FDA IVD Guidance") (found at pdf).

ispecimen's process allows researchers to use specimens and their accompanying clinical data for use in IRB-approved IVD studies that are exempt from IDE regulations, in conformance with this FDA IVD Guidance. As described above, the specimens are leftover and the specimens and any clinical data are de-identified and are in no way identifiable to the investigators or other study personnel. In addition, with third party researchers, the individuals caring for the patients are different than those conducting the investigation.
If a Provider Network Participant uses the specimens it produces for its own research, the Participant would need to evaluate whether those specimens could be used for IVD studies.