HIPAA: Open Research Issues Michael L. Blau, Esq. McDermott, Will & Emery

Transcription

1 HIPAA: Open Research Issues Michael L. Blau, Esq. McDermott, Will & Emery Research A. General Rules. There are four pathways for covered entities ( CEs ) to obtain permission under the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) to use and disclose protected health information ( PHI ) for research or research related purposes. Research is defined in the HIPAA Final Rule (45 CFR, et. seq.) as a systematic investigation including research development, testing and evaluation, designed to develop or contribute to general reliable knowledge, 45 CFR Evaluative activities, such as quality assurance, which are not meant to generate knowledge that is generalizable beyond the four walls of the CE, are not considered research. The four pathways are as follows: 1. Consent for health care operations. Consents generally permit a CE provider to use or disclose PHI for TPO purposes--that is, for treatment, payment and health care operations. 45 CFR (a)(1)(ii), (a)(i). Certain studies or evaluations of treatment rendered within a CE provider may constitute health care operations, and PHI may be used in connection with those activities pursuant to a HIPAA compliant consent. In particular, health care operations as defined in the Final Rule to include quality assurance, clinical guidelines and outcomes studies, as well as population based activities relating to improving health or reducing health care costs. 45 CFR Authorization. For a CE to conduct research involving PHI, or for a researcher to obtain PHI from a CE for research purposes, the CE or researcher must obtain patient authorization (or a waiver or alteration of the authorization requirement). 45 CFR (a)(1)(iv) and Authorization will generally be necessary for research involving treatment of human subjects or human clinical trials, since the

2 research subject (or the subject s authorized representative) will generally be available to provide the required authorization. Authorizations, however, may be impractical to obtain for research involving existing medical records or databases, where subjects may have died, moved, or simply be too numerous to contact. a. Authorization Exceptions. There are authorization exceptions for: (i) Review of PHI necessary to prepare a research protocol or for similar purposes preparatory to research, as long as PHI is not removed from the premises, 45 CFR (i)(1)(ii); (ii) Research on decedents provided that the investigator provides the CE with documentation of death upon request, 45 CFR (i)(1)(iii); (iii) Certain disclosures necessary to facilitate mandatory reporting to the FDA by CEs that are subject to FDA jurisdiction (e.g., pharmaceutical companies, medical device manufacturers) 45 CFR (b)(1)(iii)(A)- (D); and disclosures. (iv) HIPAA mandated 3. Waiver. An Institutional Review Board ( IRB ) or a Privacy Board organized in compliance with HIPAA requirements can waive or alter the requirements of patient authorization for research if the waiver meets eight (8) specified waiver criteria discussed below. Note that IRBs are only required to review federally supported or conducted research involving human subjects, and human clinical trials conducted under FDA jurisdiction. A Privacy Board will be needed to review requests for authorization waivers for other types of research projects that involve PHI (e.g., database research). In this regard, also note that the IRB of a CE may serve as its Privacy Board for purposes of these other research projects. -2-

3 It is anticipated that most retrospective medical records research and identifiable database research will need to be conducted pursuant to authorization waivers granted by IRBs and Privacy Boards since it generally will not be practicable to obtain written authorizations from all research subjects who historically participated in the studies. a. Criteria. To grant a waiver, the IRB/Privacy Board must find: (i) The disclosure involves no more than minimal risk to the individual; (ii) The waiver or alteration will not adversely affect privacy rights and welfare of the individual; (iii) The research could not practicably be conducted without PHI or waiver; (iv) The research could not practicably be conducted without access to the PHI sought; (v) The Privacy risks are reasonable in relation to anticipated benefits to individuals and the importance of the knowledge that may reasonably be expected to result from the research; (vi) There is an adequate plan to protect PHI from improper use and disclosure and to destroy identifiers at the earliest opportunity consistent with the conduct of the research; and (vii) Adequate written assurances have been provided that PHI will not be reused or disclosed to any other person (except as required or permitted by law). 45 CFR (i)(2). -3-

4 4. De-Identified Information. A CE may use or disclose de-identified information (which does not constitute PHI) for research purposes. There are two ways to de-identify data under HIPAA: a. Determination and documentation by a statistical expert that the risk is very small that the information could be used to identify the individual, 45 CFR (a); or b. Removal of 18 specified identifiers, including name, birth date, admission date, discharge date, date of death (except year); ages over 89; social security numbers; addresses; medical record numbers; license plate numbers; telephone numbers; medical device identifiers/serial numbers; and for geographic region, identifiers other than state or the initial three digits of the zip code; and, any other unique, identifying number, characteristic or code. 45 CFR (b). B. Open Research Issues 1. Research Protocols. Where does the authorization exception for development of a research protocol (and other activities preparatory to research) end and the need for authorization (or waiver of authorization) for research begin? The scope of the authorization exception for protocol development is unclear. It is intended to permit researchers to have access to PHI as may be necessary to develop hypotheses on which a protocol can be based, and to develop the protocol to the point that it can be brought to an IRB/Privacy Board for approval. To obtain access to PHI for these purposes, the researcher must represent in writing to the covered entity that: (1) the use or disclosure of PHI is sought solely for protocol development purposes, (2) the PHI for which access is sought is necessary for research purposes, and (3) the PHI will not be removed from the CE s premises. 45 CFR (i)(1)(iii). In addition, if the researcher is an employee (or workforce member) of a covered entity (or a covered component of a hybrid entity), then the extent of access of the researcher to PHI for protocol development -4-

5 purposes would be determined on an individualized basis under the CE s minimum necessary standard policies and procedures. It should be noted that the protocol development exception is not intended to be used by the researcher to identify potential study participants. 2. Organ Banks. Are organ banks covered entities (or covered components)? An organ bank may or may not be a covered entity (or covered component) depending on whether it is a health care provider or performs health care provider functions on behalf of a hybrid entity (such as an University). If the organ bank harvests organs, tissues or fluids, analyzes them for pathology, and/or transplants or uses them for therapeutic purposes, and if the organ bank charges for its services in connection with a HIPAA standardized transaction, then the organ bank would be a health care provider. As such, it could only use or disclose identifiable specimens from living patients for research purposes with patient authorization or an IRB/Privacy Board waiver. Organs from decedents can be used for research purposes without a HIPAA authorization under the decedent s exception to the authorization requirement. If, however, the organ bank does not conduct HIPAA standard transactions, then it would not be a covered entity or component. As such, HIPAA would not apply to the organ bank, except to the extent that the organ bank seeks to obtain organs, tissues or samples that involve the PHI of living subjects from hospitals, physicians and other covered entities. In such circumstances, the organ bank would need to obtain the benefit of an authorization or an IRB/Privacy Board waiver to access the PHI related to the specimens from the covered entity. 3. Specimens. To what extent do organs, tissues and bodily fluids constitute PHI? Research samples generally fall into three categories: unlinked samples, coded samples and identified samples. Unlinked samples lack identifiers or codes that can link a particular -5-

6 sample to an identified specimen or human being. Assuming that all 18 of the identifiers listed in the Final Rule are absent, an unlinked sample would constitute de-identified information, and thus not be considered PHI. Coded samples are samples supplied by repositories to investigators from identified specimens along with a code, but without any personally identifying information. Such coded samples may be de-identified information in the hands of researchers who do not have access to the code; but would be PHI for researchers who have access to the code. Identified samples are samples with personal identifiers that would allow the researcher to link the biological information derived from the sample directly to the individual from whom the material was taken. The personal identifiers associated with these samples constitute PHI. Complicating the analysis is that all organs, tissues, and bodily fluid samples contain genetic material. As such, all samples have intrinsically identifying characteristics--that is, they may be identified by the donor s DNA sequence. To be fully de-identified under the Final Rule, information must not contain any unique, identifying numbers, characteristic or code. 45 CFR (b). Does this mean that genetic material should always be treated as PHI? Or should unlinked samples only be treated as PHI if the researcher has access to genotype information of particular subjects to which the gene sequence may be matched? In this regard, what are the implications of the creation of DNA data banks for inmates, and commercial DNA databanks? Will the potential for linkage of samples to particular individuals through these databanks, over time, cause samples containing genetic material, in the future, to be viewed as PHI? 4. Organ Research. If an organ proves unsuitable for transplant, can the transplant team transfer the organ to researchers without the authorization of a live donor? This is a relatively commonplace practice in academic medical centers today. It, however, would be barred under HIPAA without patient authorization or waiver of authorization if the organ is accompanied by PHI linking it to its donor. -6-

7 5. Pre-Existing Consent. Can a researcher rely on a pre-existing Common Rule consent to continue to use PHI for treatment related research after the HIPAA compliance date (April 14, 2003)? The question is whether the Final Rule draws a distinction between research use and treatment use after the compliance date of pre-existing PHI, based on a pre-compliance date consent. The answer appears to be that a covered entity can use or disclose preexisting PHI for both purposes, in connection with research related treatment, based on any form of pre-compliance date human subject research consent. See 45 CFR (b)(3). As DHHS states in the commentary to the Final Rule, if a covered entity obtained a consent, authorization or other express legal permission from the individual who is the subject of the research, it would be able to rely upon that consent, authorization or permission, consistent with any limitations it expressed, to use or disclose the protected health information it created or received prior to or after the compliance date of this regulation. 65 Fed. Reg (December 28, 2001). 6. Condition To Treatment. Can the researcher condition research related treatment on the patient s authorization to access pre-existing PHI? A CE can condition research related treatment on the patient giving a HIPAA compliant authorization. See 45 CFR (b)(4)(i). According to DHHS, the Privacy Rule in no way prohibits researchers from conditioning enrollment in a research study on the execution of an authorization for the use of pre-existing health information. Standards for Privacy of Individually Identifiable Health Information ( Guidance ), July 6, 2001, Pg Specification Requirement. Can the researcher rely on the authorization to conduct unanticipated follow-up or supplemental studies? The answer to this question depends on the scope of the initial authorization given by the subject. To be HIPAA compliant, -7-

8 the authorization must describe the PHI to be disclosed in a specific and meaningful fashion and the authorization must specify an expiration date or event. See 45 CFR (c). Unless the initial authorization is drafted to cover follow-up, retesting, ancillary or other studies, then a new authorization or waiver may be necessary for these purposes. 8. Research Subject Identification. How can researchers identify potential research subjects after the compliance date? Identification of research subjects will become more challenging after the compliance date. Clinicians at academic medical centers and in private practice will no longer be able to make referrals to researchers without patient authorization or waiver of authorization. While researchers can comb medical records without authorization for purposes of developing research protocols, and other purposes preparatory to research, it is not clear that researchers are authorized to do so for subject identification purposes. It can also be anticipated that some CEs may prevent outside researchers from accessing medical records for even protocol development purposes without Privacy Board review or approval. 9. Revocation. If an authorization is revoked or expires after data derived from the research has been imbedded in a database, can the database continue to be used for research purposes? The answer to this question is not entirely clear. To the extent that the researcher has reasonably relied on the original authorization, the researcher can continue to use the subject s PHI for the intended research purposes. This may absolve the researcher from the responsibility of expunging PHI from the database upon receipt of a revocation or upon expiration of the authorization. But, it may not absolve the researcher (or others) from using the database for future research purposes that were not expressly contemplated by the original authorization. The rules therefore raise issues regarding the reuse/replicability of scientific -8-

9 results, the continued integrity of research databases, and ultimately the scientific validity of database research. 10. Patient Registries. Can CEs make reports to patient disease registries? Patient registries collect information on patient diseases for research, drug development, and quality improvement purposes. Certain patient registries are maintained by state public health departments (e.g., registries of sexually transmitted diseases). No authorization is necessary for CEs to make state mandated reports to patient registries maintained by the state. However, patient authorization (or waiver of authorization) may be required to make reports that include PHI to private patient registries maintained by trade associations (e.g., American Cancer Association), pharmaceutical companies, or other private organizations. To the extent that PHI is communicated to a private patient registry in furtherance of quality improvement activities conducted by the registry solely on behalf of the CE (e.g., some cancer registries), the patient registry may be a business associate of the CE. See 45 CFR (e)(1); (e)(1). As such, PHI may be reported by the CE to the patient registry under a business associate contract. To the extent that PHI reported to the patient registry would be used for other purposes (e.g., for the registry s own research or for disclosure to others), patient authorization or waiver of authorization would appear necessary to permit the report to be made. 11. Multisite Research. If an investigator is conducting multi-site research, will an IRB/Privacy Board waiver approved by one CE site be effective to permit the research to be conducted without patient authorization at all CE sites? A CE can reasonably rely on a waiver approved by any IRB/Privacy Board, but is not required to accept the judgment of any IRB/Privacy Board. Each CE is free to reject a waiver approved by any IRB/Privacy Board, including its own. It is relatively unlikely, however, that a CE would, in fact, reject a decision of its own IRB/Privacy Board. To avoid multiple, duplicative or inconsistent IRB/Privacy Board determinations, it is -9-

10 advisable for multi-site research to be conducted pursuant to a joint, cooperative research agreement. Under the joint research agreement, the various CEs could designate a single IRB/Privacy Board to review and oversee the research at all locations, and agree to rely reasonably on its decisions. 12. Waiver Criteria. Are the waiver criteria mutually inconsistent? If so, how are IRB/Privacy Boards to make waiver determinations? Two of the eight waiver criteria appear, on their face, to be somewhat inconsistent. Those criteria are that: (a) the waiver will not adversely affect the privacy rights and welfare of the individual, and (b) privacy risks are reasonable in relation to anticipated benefits. See 45 CFR (i)(2). The former criterion appears categorically to prohibit any adverse effect on privacy, while the latter criterion contemplates a balancing of adverse affect on privacy against potential research benefits. So, the question is, does the Final Rule require no, or permit some, adverse effect on privacy in approving a waiver? The answer is unclear. Also, other waiver criteria include a requirement that the research could not practicably be conducted without the PHI and the waiver. Id. The standard of practicability is not defined and may vary with the size of the research project and the resources of the researcher. For example, it may be impractical for a single investigator with meager means to obtain authorizations from research subjects for even a modest retrospective review of medical records; but, it may be entirely feasible for a well-heeled university to solicit patient authorizations for the same study. It is left to be seen how IRBs and Privacy Boards will interpret and apply this impracticability standard. 13. Access. Can a research subject, during the course of research, gain access to his or her medical records to determine whether he or she is in a placebo group? In general, a research subject has a right under the Final Rule to access his or her PHI upon written request. The subject s right to access, however, can be temporarily suspended for as long -10-

11 as research that involves treatment is in progress, provided that the individual agreed to the denial of access when consenting to participate in the research and is informed that the right to access will be reinstated upon completion. 45 CFR (a)(2)(iii). This provision can be invoked by the CE to temporarily suspend the subject s access to research records. The open question is whether the temporary suspension is terminated by a revocation of authorization for research related treatment. In such circumstances, the research related treatment can be viewed as no longer in progress and the research can be viewed as completed (at least with respect to the research subject). This may provide a means for research subjects to gain access to blinded study information during the course of research, thereby potentially jeopardizing research study results. 14. Certificates of Confidentiality. Can HHS access PHI under HIPAA that is subject to a certificate of confidentiality? Certificates of confidentiality are granted by HHS under 301(d) of the Public Health Services Act, 42 USC 241(d), to protect particularly sensitive information (e.g., drug or alcohol rehabilitation, criminal offense information) from compulsory legal process. The certificate of confidentiality renders such sensitive information immune from subpoena and discovery by federal and state agencies. Under the HIPAA Final Rule, however, all PHI maintained by a covered entity may be accessed by HHS for HIPAA compliance and enforcement purposes. These inconsistent provisions hold the potential to pit one arm of HHS (NIH) against another arm of HHS (OCR). 15. Peer Review. Does the subject s right to access PHI override state peer review protections? Generally, the answer to this question should be no, as long as all peer review records are excluded from the covered entity s designated record set. Under the Final Rules, a research subject only has access to his/her designated record set. Designated records set is defined in the Final Rule to mean: -11-

12 A group of records maintained for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals. 45 CFR Peer review records are more properly characterized as records used for making decisions about practitioners involved in the patient s care, than records used by the covered entity to make decisions about the patient. As such, peer review records should be excludable from the CE s designated record set. It should also be noted that to the extent peer review records are maintained on a de-identified basis, they are also outside the scope of patient access rights under HIPAA. 16. Retention of PHI. What constitutes adequate research justification for not destroying identifiers at the earliest opportunity consistent with the conduct of research? One of the criterion for granting an authorization waiver is that the researcher present to the IRB/Privacy Board an adequate plan to protect PHI from improper use and disclosure and to destroy identifiers at the earliest opportunity consistent with the conduct of research. 45 CFR (i)(2). In DHHS Guidance on the Final Rule issued on July 6, 2001, DHHS indicates that identifiers need to be destroyed at the conclusion of research unless there is adequate research justification for obtaining the identifiers. It is unclear, however, what will be deemed by DHHS to constitute such adequate research justification. 17. De-Identification. Will the HIPAA de- -12-

13 identification standards, paradoxically, cause researchers to request access to more PHI through waivers than would otherwise have been the case? The Association of American Medical Colleges and the Biotechnology Industry Organization have argued in comments to DHHS on the Final Rules that the de-identification standards will have the paradoxical effect of resulting in greater disclosure of PHI to researchers than would be the case if the de-identification standards were somewhat less strict (e.g., if they permitted retention of dates of birth, zip code information, and date of treatment information which are useful data points for longitudinal, epidemiological, and outcomes studies). The argument is that the strict de-identification standard in the Final Rule will necessitate researchers requesting waivers to access to all PHI in circumstances where information with fewer identifiers would have sufficed. Under the strict standard, researchers will have to more frequently avail themselves of the IRB/Privacy Board waiver process, which adds administrative burden. In granting a waiver, the IRB/Privacy Board is required to limit the researcher s access to PHI to the minimum extent necessary to conduct the intended study. This should mitigate the concern that the researcher will ultimately access more PHI than if the researcher could simply use somewhat less cleansed de-identified information. 18. Privacy Board. Should a lawyer be a member of the CE s Privacy Board? The Privacy Board is required to be composed of members with appropriate competency to review the effect of the proposed research on the individual s privacy rights and related interests. 45 CFR (i)(B). DHHS has indicated that this means that Privacy Boards should include members with appropriate privacy and legal expertise. While it may be useful to have a lawyer well versed in patient privacy rights serve as a member of the Privacy Board, it is not advisable to have a lawyer who represents the CE sit on the Privacy Board. This is because of the potential professional conflicts of interest and waiver of attorney-client -13-

14 privilege that may occur when a lawyer simultaneously serves as attorney and his/her own client. 19. IRB Requirements. If the research is exempt from IRB review, is it also exempt from HIPAA IRB/Privacy Board waiver requirements? Not necessarily. An IRB and Privacy Board serve somewhat distinct purposes. IRBs are responsible for reviewing overall risks of the research, including potential privacy risks, in relation to the anticipated overall potential benefits of the research. The Privacy Board, in contrast, only assesses privacy risks. IRBs are only required to review federally supported or conducted research and FDA clinical trials that involve human subjects. Privacy Boards, in contrast, will be needed to assess privacy rules for any research involving PHI where it would be impracticable to obtain patient authorization (regardless of whether the research involves human subjects). Moreover, the exceptions to IRB review requirements for OHRP and FDA purposes are different from the waiver exceptions for HIPAA purposes. Thus, there will be circumstances where IRB approval is not required, but a Privacy Board waiver must be obtained (e.g., emergency use of test articles for FDA clinical trials purposes will require a Privacy Board waiver if patient authorization for use of PHI in connection with the test article cannot be obtained from the patient or patient s representative; research conducted in established or commonly accepted educational settings). 20. Research Disruption. Will HIPAA cause a lock-down of databases by CEs and hinder research? Currently, a fair amount of PHI is shared in academic medical centers between clinicians and researchers. Under the Final Rule, covered entities will generally only be permitted to release PHI to researchers pursuant to an authorization or waiver of authorization granted by an IRB/Privacy Board. Because of the threat of HIPAA liability and penalties, it can be anticipated that covered entities will become more protective of PHI and will only release PHI in circumstances permitted by the Final Rule. It is somewhat hyperbolic to characterize the effect of the Final Rule as -14-

15 a lock-down of databases, but in some instances the Final Rule will prevent, impede or delay access to PHI for research purposes. This is the trade-off that DHHS appears to have intentionally made to give what it believes is due protection to patient privacy rights. It is left to be seen what impact this trade-off will have on the pace and progress of scientific discovery. -15-