HIPAA and Research - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
HIPAA and Research
  • Lewis J. Smith, M.D.
  • Executive Director
  • Office for the Protection of Research Subjects
  • Northwestern University

2
HIPAA
  • Health Insurance Portability and Accountability
    Act of 1996
  • Improve efficiency in healthcare delivery by
    standardizing electronic data interchange
  • Protect confidentiality and security of health
    data through setting and enforcing standards
  • Build upon existing Federal protections by
    creating equal standards for all research
    (whether or not governed by existing Federal
    human subject regulations)

3
Privacy Standards
  • Limit non-consensual use and release of private
    health information
  • Give patients new rights to access their medical
    records and to know who has accessed them
  • Restrict most disclosure of health information to
    minimum needed for the intended purpose
  • Establish new criminal and civil sanctions for
    improper use or disclosure
  • Establish new requirements for access to records
    by researchers and others

4
Key Concepts
  • Covered Entity and Business Associate
  • Use and Disclosure
  • Protected Health Information
  • Privacy Notice
  • Authorization, Waiver, Exception
  • Privacy Board vs. IRB
  • Minimum Necessary Standard
  • Individual Rights

5
Covered Entities (CE)
  • Health care providers (even one-physician offices)
  • Health plans
  • Employers
  • Health care clearinghouses
  • Indirectly - business associates of CEs that
    receive protected information

6
Covered Entities
  • Free standing
  • Hybrid entity
  • Affiliated covered entity (ACE)
  • Organized health care arrangement (OHCA)

7
What is Northwestern University?
  • Hybrid entity
  • All research by NU faculty falls under the NU
    umbrella
  • Research at NU is not part of the covered entity
  • Therefore, research at NU is considered outside
    HIPAA
  • NU HIPAA Research Policy
  • Why do we have to comply?

8
Use and Disclosure
  • Use
    ◦ Sharing within the covered entity
    ◦ Not tracked
  • Disclosure
    ◦ Sharing outside the covered entity
    ◦ If no authorization, tracked for accounting to
      the individual

9
Protected Health Information (PHI)
  • Individually identifiable health information that
    is maintained or transmitted by a covered entity
  • Relates to past, present or future health
    information
  • Identifies the individual, directly or indirectly
  • Cannot be accessed for research without
    authorization, waiver or exception
  • Includes data created during research (e.g.,
    research databases)

10
Allowed Use of PHI for Research
  • With authorization of subject
  • With an approved waiver of authorization
  • With an exception
  • If PHI is de-identified or limited data set with
    data use agreement
  • If PHI is being used to prepare a research
    protocol
  • If subject is deceased
  • For healthcare operations (QA/QI), public health

11
HIPAA Does Not Apply
  • Study does not collect PHI
  • All health information obtained directly from the
    subjects
  • Study is closed to accrual and subjects will not
    be re-consented on or after April 14, 2003
  • All subject involvement, contact and data
    collection complete by April 14, 2003

12
Exception: De-Identification
  • Requires deletion of specific items
  • Limited geocoding (e.g., first 3 digits of zip
    code)
  • Dates are year only (age > 89 → age 90)
  • If link-field (code) included, still requires IRB
    review

13
Requirements for De-Identification
  • An individual with appropriate expertise and
    using generally accepted statistical and
    scientific principles and methods determines that
    the information is not individually identifiable
    (e.g., the risk is very small), or
  • Key identifiers have been removed (see list) that
    if used alone or in combination with other
    information could be used to identify an
    individual

14
Identifiers
  • Names
  • Geographic subdivisions smaller than a state,
    except for first 3 digits of a zip code (with
    caveats based on population)
  • All elements of dates (except year) related to an
    individual (birth date, admission or discharge
    date, date of death, etc.)
  • Telephone and fax numbers, e-mail addresses
  • License plate, Social Security, medical record and
    health plan numbers, IP addresses, etc.

15
De-Identified Data
  • Qualifies for an Exception
  • May not be appropriate for
    ◦ Relational databases (genotype-phenotype
      relations)
    ◦ Longitudinal studies
    ◦ Certain outcomes studies (may need date of event)
    ◦ Epidemiological studies

16
Exception: Limited Data Set
  • Middle option for research, public health and
    health care operations
  • Can include zip codes, geocodes, DOB, dates of
    admission/discharge/service, non-excluded
    identifiers
  • Exclude direct identifiers (name, address,
    telephone, etc.)
  • Requires data use agreement
  • Needs IRB review
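The de-identification rules on the De-Identification and Identifiers slides (drop direct identifiers, keep only the first three zip digits, reduce dates to the year, report ages over 89 as 90) and the Limited Data Set rules above (drop direct identifiers but keep dates and zip codes, with IRB review and a data use agreement) can be expressed as a single filter. The Python below is an added example, not material from this presentation or from Northwestern's policy: the field names, the fictional sample record, the low-population zip prefix set and the `link_code` parameter are constructed assumptions. The `000` fallback for low-population zip prefixes is the Privacy Rule's own value for that caveat; the `link_code` path models the later slide's point that coded (linked) data is still de-identified for HIPAA but still needs IRB review.

```python
"""Toy de-identification filter for the De-Identification, Identifiers and
Limited Data Set rules listed on the slides.  Added example: the field names,
the sample record and the low-population zip prefixes are constructed."""
from datetime import date

# Direct identifiers removed in both modes: names, contact details and numbers
# that identify a person (SSN, medical record, health plan, license plate, IP).
DIRECT_IDENTIFIERS = frozenset({
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "license_plate", "ip_address",
})
# Geographic subdivisions smaller than a state (kept only in a limited data set).
GEO_FIELDS = frozenset({"street", "city", "county"})
# Date elements tied to the individual; Safe Harbor keeps only the year.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})


def truncate_zip(zip_code, low_population_prefixes=frozenset()):
    """Keep the first three digits of a zip code.  Prefixes covering a small
    population (the slides' population caveat) collapse to 000; which prefixes
    those are is an input here (constructed assumption), not computed."""
    prefix = str(zip_code).strip()[:3]
    return "000" if prefix in low_population_prefixes else prefix


def year_only(value):
    """Reduce a date (date object or ISO 'YYYY-MM-DD' string) to its year."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def cap_age(age):
    """Ages over 89 are reported as the single value 90."""
    return 90 if age > 89 else age


def deidentify(record, mode="safe_harbor", link_code=None,
               low_population_prefixes=frozenset()):
    """Return (cleaned_record, needs_irb_review).

    mode="safe_harbor":      drop direct identifiers and sub-state geography,
                             truncate zip, reduce dates to year, cap age.
    mode="limited_data_set": drop direct identifiers only; zip, geography and
                             dates are kept, so a data use agreement and IRB
                             review are required.
    link_code (constructed): a re-identification key held by the covered
    entity; coded data is still subject to IRB review."""
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError("unknown mode: " + mode)
    cleaned = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # removed in both modes
        if mode == "limited_data_set":
            cleaned[field] = value
        elif field in GEO_FIELDS:
            continue  # smaller than a state: not allowed under Safe Harbor
        elif field == "zip":
            cleaned[field] = truncate_zip(value, low_population_prefixes)
        elif field in DATE_FIELDS:
            cleaned[field] = year_only(value)
        elif field == "age":
            cleaned[field] = cap_age(value)
        else:
            cleaned[field] = value
    if link_code is not None:
        cleaned["link_code"] = link_code
    needs_irb_review = mode == "limited_data_set" or link_code is not None
    return cleaned, needs_irb_review


# Constructed sample record for a fictional patient.
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-000123",
    "email": "jane@example.org",
    "city": "Chicago",
    "zip": "60611",
    "birth_date": date(1930, 3, 15),
    "admission_date": "2003-04-14",
    "age": 93,
    "diagnosis": "asthma",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
    print(deidentify(SAMPLE, mode="limited_data_set"))
    print(deidentify(SAMPLE, link_code="C-42"))
```

Run as-is, the first call yields a record with only `zip` (`606`), the two dates reduced to `1930` and `2003`, `age` `90` and the diagnosis, and `needs_irb_review` false; the limited data set keeps the full zip, city and dates but flags IRB review; attaching a link code flags review even in Safe Harbor mode. The free-text fields (here `diagnosis`) are passed through untouched, which is the usual weak spot of a rule-based filter: nothing here inspects narrative text for names or dates.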

17
Data Use Agreement
  • Defines who can use or receive data
  • Defines for what purpose the data may be used
  • Provides adequate assurances that data will be
    safeguarded and not used for unauthorized
    purposes
  • Includes recipient agreement
    ◦ not to re-identify data or contact data subjects
    ◦ to report improper uses and disclosures
    ◦ to push down privacy protection obligations to
      subcontractors

18
Exception: Reviews Preparatory to Research (e.g.,
design study, assess feasibility)
  • Requires notification by investigator in writing
    (or orally) to covered entity
  • Identification plan included in IRB protocol
  • Staff of covered entity may use PHI to
    identify/contact potential subjects (the Common
    Rule is more restrictive)
  • No PHI may be removed from the covered entity
  • Does not apply to recruitment
  • Exception not needed for a PI to review own
    patients' records

19
Exception: Research on Decedent PHI
  • Covered as any other PHI; not covered under the
    Common Rule
  • Requires notification of IRB
  • Covered entity may need evidence of death
  • Tracking needed for accounting of disclosures
  • Does not require authorization (e.g., from next
    of kin)

20
Privacy Notice
  • A covered entity must tell individuals how their
    PHI is used and disclosed
  • Do this by providing a privacy notice and making
    a good faith effort to obtain written
    acknowledgement of receipt
  • NU researchers do not need to provide one to
    research participants

21
Authorization for Research
  • Specific to a study
  • Needs IRB (or privacy board) review/approval
  • Different from informed consent - can incorporate
    into consent
  • Must contain specific core elements
  • Use standard format (e.g., template)

22
Authorization Elements
  • Core Elements
    ◦ What PHI will be used or disclosed
    ◦ Who is authorized to make, use and/or receive the
      PHI
    ◦ Purpose for use or disclosure
    ◦ Expiration date of the authorization (e.g., end
      of study or none)

23
Authorization Elements
  • Statements
    ◦ Right to revoke authorization, plus exceptions
    ◦ Ability/inability to condition treatment,
      payment, or enrollment/eligibility
    ◦ Typical consent elements
    ◦ PHI may no longer be protected by the privacy
      rules once it is disclosed by the covered entity

24
Sample Authorization Language - 1
  • We will review your medical record for
    information about the diagnosis and treatment of
    your [fill in the disease].
  • The researcher and research team members (or
    research staff) will have access to this
    information.
  • We may give the sponsor of this research [name],
    the Food and Drug Administration (FDA) if
    applicable, the Department of Health and Human
    Services if applicable, the Northwestern
    University Institutional Review Board, and [list
    any others] access to this information.

25
Sample Authorization Language - 2
  • We will use this information to make sure it is
    safe for you to be in this study, or: We will use
    this information to make sure you are eligible to
    be in this study.
  • We will need to have access to this information
    until the end of the study in [give approx. time
    if known], or: We will need to have access to
    this information forever.

26
Sample Authorization Language - 3
  • You have the right to change your mind about
    allowing us to have access to this information.
    If you do, you will need to do this in writing.
  • You have the right to refuse to allow us access
    to this information. If you do, you will not be
    able to participate in this research study.
  • If we disclose information about you to anyone
    outside of this study, you will lose your privacy
    rights.

27
Sample Authorization Language - 4
  • While you are in this study you will not be able
    to have access to any of your medical records
    related to this study.
  • When the study is over, you will have the right
    to access your medical records again.

28
Research without Authorization
  • Waiver of authorization - IRB or Privacy Board
  • De-identified PHI (rare)
  • Limited data set with data use agreement (can
    include DOB and zip code); cannot contact
    subjects!
  • Activity preparatory to research (identify
    subjects, cannot contact them or take any
    information away from CE)
  • Research on decedents' information
  • Grandfather clause (consented prior to April 14,
    2003)
  • Disclosure to a public health authority or
    required by law

29
Waiver Criteria - 1
  • The use or disclosure of PHI involves no more
    than minimal risk to the privacy of individuals
    based on, at least, the presence of the following
    elements
    ◦ An adequate plan to protect the identifiers from
      improper use/disclosure
    ◦ An adequate plan to destroy the identifiers at
      the earliest possible time consistent with the
      research, unless there is a health or research
      justification for retaining identifiers or it is
      otherwise required by law
    ◦ Adequate written assurances that PHI will not be
      reused/disclosed to any other person or entity,
      except as required by law, for authorized
      oversight of the research or for other research
      for which use/disclosure would be permitted in
      this subpart

30
Waiver Criteria - 2
  • The research could not practicably be conducted
    without the waiver
  • The research could not practicably be conducted
    without access to and use of the PHI.
  • The research does not fall under one of the
    categories in which authorization is not needed.

31
Examples of Research Done with Waiver of
Authorization
  • Pilot studies using web-based surveys with
    identifiers
  • Medical record reviews
  • Health services research
  • Other areas in which it is impracticable to
    obtain authorization

32
Waiver of Consent (Common Rule) vs. Waiver of
Authorization (HIPAA)
  • Waiver of Authorization (HIPAA)
    ◦ No more than minimal risk to privacy, based on,
      at least: a plan to protect identifiers, a plan
      to destroy identifiers ASAP, and written
      assurance that PHI will not be used or disclosed
      (with few exceptions)
    ◦ Research cannot be done without waiver
    ◦ Research cannot be done without this PHI
  • Waiver of Consent (Common Rule)
    ◦ No more than minimal risk
    ◦ Not adversely affect rights and welfare of
      subjects
    ◦ Research cannot be done without waiver
    ◦ When appropriate, information will be provided
      after research completed

33
Minimum Necessary Standard
  • Applies to studies with waiver of authorization,
    use/disclosure of decedents' PHI, use preparatory
    to research, and limited data sets
  • Does not apply to use/disclosure made with
    authorization
  • CE must try to limit the PHI it uses, discloses
    or requests to the minimum necessary to achieve
    the purpose

34
Individual Rights: Access to Their Medical Records
  • Right to access information in a designated
    record set, including research record results,
    unless a permitted exception applies (see below)
  • Access to clinical trial data can be suspended
    while the clinical trial is in progress,
    providing the participant agreed to this when
    consenting
  • Right to request amendment!!
  • Right to accounting of disclosures
  • Right to request restrictions on disclosures

35
Accounting for Disclosures
  • Covered entities must account for all disclosures
    made under a waiver of authorization or an
    exception: what data, and where did it go?
  • Records of disclosures must be kept for at least
    6 years

36
Subject Recruitment
  • PHI cannot be accessed for research purposes
    without consent, a waiver of consent, or the
    exception for reviews preparatory to research
  • Waiver criteria may be difficult to meet to
    review charts for recruitment (partial waiver)
  • Inappropriate to designate staff outside
    clinical care providers to access PHI for
    research or recruitment

37
Subject Recruitment
  • Accessing records is based on health care role
  • Applies to staff within the clinic
  • Research only staff must rely on physician/health
    care provider referrals
  • Not intended to make research impractical, but to
    protect individuals' right to privacy
  • Conducting research does not constitute a right
    to an individual's PHI

38
Subject Recruitment
  • A researcher who is not part of the covered
    entity may not use the preparatory research
    provision to contact prospective research
    subjects.
  • The outside researcher could obtain contact
    information through a partial waiver of
    individual authorization by an IRB. This allows
    a researcher to obtain PHI as necessary to
    identify potential research subjects.
  • Initial contact with the potential subjects
    should come via the subject's health care
    provider.

39
Anonymization vs. De-Identification (IRB vs. HIPAA)
  • Both require deletion of direct identifiers
  • Anonymization cannot have a link field (there is
    no way to go back); de-identification can (the CE
    holds the link, not the researcher)
  • Anonymization makes protocol eligible for
    exemption from IRB review
  • De-id makes data exempt from HIPAA regulations
  • If link field (coded data), need IRB review

40
Issues
  • Reconciling different requirements of Common Rule
    and HIPAA
  • Identifying the relationship of the researcher to
    covered and non-covered entities, and the
    implications for access to PHI
  • HIPAA requires mandatory training and you just
    received it!

41
Issues
  • IRBs can use expedited review procedures as
    permitted by the Common Rule to review requests
    for Waiver of Authorization and Exception.
  • If informed consent or re-consent (change in
    consent) is obtained on or after April 14, 2003,
    must obtain authorization as well.
  • Whether to include authorization in consent or
    have separate forms.

42
Recruitment Scenarios
  • www.northwestern.edu/research/OPRS/irb/hipaa

43
FAQs
  • www.northwestern.edu/research/OPRS/irb/hipaa