Title: HIPAA
1. HIPAA Research
- Mark Barnes
- (212) 497-3635
- mbarnes_at_ropesgray.com
2. Agenda
- HIPAA's Applicability to CUNY and CUNY Researchers
- Hot Topics in Research
  - Subject Recruitment
  - Databases and Tissue Banks
  - Departing Investigators
  - Accounting of Disclosures
3. HIPAA's Applicability to CUNY and CUNY Researchers
4. HIPAA's Applicability to CUNY and CUNY Researchers
- CUNY is not a Covered Entity under HIPAA
- Therefore, CUNY is not required to comply with HIPAA's burdensome privacy regulations known as the "Privacy Rule"
5. HIPAA's Applicability to CUNY and CUNY Researchers
- Although CUNY is not itself a Covered Entity, CUNY researchers may obtain or use health/mental information from, or within, or as agents or employees of, a HIPAA Covered Entity
- Examples
  - CUNY Faculty member with clinical appointment at hospital or private clinical practice that is HIPAA-covered
  - CUNY student who works as intern or trainee at hospital or psychology practice or in social service agency setting that is HIPAA-covered
6. HIPAA's Applicability to CUNY and CUNY Researchers
- CUNY researchers who do obtain or use protected health information (PHI) from a HIPAA Covered Entity will be required to comply with the HIPAA policies and procedures of that Covered Entity, including that Covered Entity's research policies
- As a general rule, Covered Entities will not let CUNY researchers use or disclose PHI without first obtaining a HIPAA research authorization from the patients or clients who are the subjects of that PHI
7. HIPAA's Applicability to CUNY and CUNY Researchers
- The problem is that CUNY researchers can't obtain a HIPAA research authorization without first using the Covered Entity's PHI to contact patients to ascertain their willingness to participate in research, and such unauthorized use of PHI is itself prohibited by HIPAA and could lead to HIPAA sanctions for the Covered Entity
- As will be discussed in greater detail under the heading "Subject Recruitment," there are three HIPAA-compliant ways of contacting patients to assess their willingness to participate in research and to obtain their authorization
8. HIPAA's Applicability to CUNY and CUNY Researchers
- One of those HIPAA-compliant ways of contacting patients without authorization is to obtain a partial waiver of HIPAA authorization from the IRB overseeing the research, which could be the CUNY IRB
- Thus, CUNY's IRB should know the HIPAA rules applicable to research so that it may grant partial waivers of HIPAA authorization to CUNY researchers, when appropriate. The CUNY IRB should also know those rules to be able to counsel CUNY researchers who pose questions regarding research being partially or fully conducted at a Covered Entity or research that makes use of a Covered Entity's PHI
- In such cases, CUNY and its researchers should inform the Covered Entity of the HIPAA issues, if the Covered Entity is not already aware of them
9. HIPAA's Applicability to CUNY and CUNY Researchers
- Summary
  - Although CUNY is not a HIPAA Covered Entity, CUNY has a strong interest in ensuring that its researchers and staff do not obtain PHI from Covered Entities in a manner that would violate HIPAA, and in ensuring that any Covered Entity whose PHI is being accessed or used by CUNY researchers is fully aware of and in agreement with such access or use
  - CUNY's interest stems from (i) its concern for protecting the privacy and confidentiality of patients and research subjects; (ii) maintaining transparent and trusting relationships with Covered Entities; (iii) maintaining public trust by avoiding negative publicity alleging privacy/confidentiality violations by CUNY researchers; and (iv) reducing any liability risks to CUNY
10. HIPAA's Applicability to CUNY and CUNY Researchers
- Summary
  - What are the Legal Liability Risks to CUNY?
    - Because CUNY is not a Covered Entity, it could not be sanctioned for failing to comply with the requirements of the Privacy Rule
    - However, Section 1177(a)(2) of the HIPAA Statute makes it a criminal offense for a "person" to knowingly obtain individually identifiable health information relating to an individual in violation of the Statute and Privacy Rule
    - "Person" has been interpreted by the Department of Justice (DOJ) to extend beyond Covered Entities, and so could apply to a Non-Covered Entity such as CUNY and/or its researchers and staff
11. HIPAA's Applicability to CUNY and CUNY Researchers
- Summary
  - What are the Legal Liability Risks to CUNY?
    - Sanctions for committing the criminal offense include:
      - Fine up to $50,000, and/or imprisonment up to one year
      - Fine up to $100,000, and/or imprisonment up to five years (if offense committed under false pretenses)
      - Fine up to $250,000, and/or imprisonment up to ten years (if offense committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm)
    - In August 2004, the DOJ entered into a Plea Agreement with a man who, according to the DOJ, committed a criminal offense under HIPAA
12. HIPAA's Applicability to CUNY and CUNY Researchers
- Summary
  - What are the Legal Liability Risks to CUNY?
    - The man was an employee of Seattle Cancer Care Alliance who stole the identity of one of Alliance's cancer patients (name, date of birth, social security number), and then applied for and obtained credit cards in the patient's name using that stolen identity
    - The man then incurred $9,000 in expenses using those credit cards to pay for video games, jewelry and other personal items
    - According to the DOJ, the man violated the HIPAA criminal standards by obtaining the patient's individually identifiable health information, and then wrongfully disclosing that information to apply for and obtain credit cards in that man's name
    - Under the Plea Agreement, the man must pay restitution to the credit card companies and serve 10 to 16 months in prison
13. HIPAA's Applicability to CUNY and CUNY Researchers
- Summary
  - What are the Legal Liability Risks to CUNY?
    - Another legal liability risk to CUNY is a potential lawsuit initiated by a Covered Entity that is sanctioned under HIPAA for one or more violations of the HIPAA Statute or Privacy Rule caused by CUNY researchers
14. Hot Topics in Research: Subject Recruitment
15. Hot Topics in Research: Subject Recruitment
- As was discussed in the preceding section, a CUNY researcher may not use a Covered Entity's PHI for research purposes without first obtaining a HIPAA research authorization from the patients who are the subjects of that PHI
- How then may a CUNY researcher contact those patients to ascertain their willingness to participate in research and to obtain their authorization?
16. Hot Topics in Research: Subject Recruitment
- There are three HIPAA-compliant ways of using a Covered Entity's PHI to recruit research subjects:
  - Contact through treating physician
  - Exception when CUNY researcher is part of Covered Entity's workforce
  - Partial IRB waiver of HIPAA authorization
17. Hot Topics in Research: Subject Recruitment
- Contact Through Treating Physician
  - Treating providers may review their own patients' records to assess whether patients would be eligible for a particular research study, and may contact those patients about enrolling in research involving treatment
  - CUNY researchers could enlist the patient's treating provider to contact the patients about enrolling in the study
  - If the treating provider agrees to assist in the recruitment process, the proposed recruitment letter (to be signed by treating provider) must be included in submission to IRB required by Common Rule
18. Hot Topics in Research: Subject Recruitment
- CUNY Researcher is Part of Covered Entity's Workforce
  - A CUNY researcher who is a member of the Covered Entity's workforce may use PHI to identify and then contact patients to assess their willingness to participate in research
  - "Workforce" is defined as employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under direct control of such entity, whether or not they are paid by the covered entity
19. Hot Topics in Research: Subject Recruitment
- CUNY Researcher is Part of Covered Entity's Workforce
  - The basis for this exception to the HIPAA research authorization requirement comes from the interpretation that various government agencies, including the Office for Civil Rights (OCR) (which is responsible for enforcing HIPAA's privacy regulations), and the National Institutes of Health (NIH), have given to the "reviews preparatory to research" and "health care operations" provisions of the privacy regulations
20. Hot Topics in Research: Subject Recruitment
- CUNY Researcher is Part of Covered Entity's Workforce
  - The "reviews preparatory to research" provision (45 CFR 164.512(i)) states that a Covered Entity may use or disclose PHI without authorization for reviews preparatory to research if the Covered Entity obtains from the researcher representations that:
    - Use/disclosure of PHI is sought solely as necessary to prepare a research protocol or for similar purposes preparatory to research
    - No PHI will be removed from the Covered Entity
    - The PHI being reviewed is necessary for the research
21. Hot Topics in Research: Subject Recruitment
- CUNY Researcher is Part of Covered Entity's Workforce
  - As can be seen, the provision does not expressly address the use of PHI for the purpose of recruiting research subjects, but does say that under this exception PHI can be used/disclosed to prepare a research protocol OR for similar purposes preparatory to research
  - In both December 2000 and December 2002, the OCR expressed its opinion that the "reviews preparatory to research" provision permits researchers to use PHI for the purposes of subject recruitment, so long as the criteria for that exception are met
22. Hot Topics in Research: Subject Recruitment
- CUNY Researcher is Part of Covered Entity's Workforce
  - The NIH provided guidance on this issue in February 2004
  - According to the NIH, researchers who are workforce members of the Covered Entity may use PHI to identify and contact potential research subjects
  - For workforce members, identifying potential research subjects is permissible under the "reviews preparatory to research" provision, and contacting those potential subjects is permissible as a "health care operation" of the Covered Entity
  - External researchers (non-workforce members) of the Covered Entity may identify potential research subjects under the "reviews preparatory to research" provision, but, as they are not workforce and cannot perform health care operations, may not contact those potential subjects
23. Hot Topics in Research: Subject Recruitment
- CUNY Researcher is Part of Covered Entity's Workforce (cont.)
  - Summary
    - A CUNY researcher who is a "workforce" member of a Covered Entity may use that Covered Entity's PHI to identify and contact potential research subjects
    - The CUNY researcher would need to be on site at the Covered Entity when he or she contacts patients, because the "reviews preparatory to research" exception expressly states that no PHI may be removed from the Covered Entity (i.e., can't bring the contact information back to CUNY under this HIPAA exception)
    - The CUNY researcher would still need to obtain a HIPAA research authorization to use/disclose PHI for the purposes of the research itself from patients who agree to participate in the research
24. Hot Topics in Research: Subject Recruitment
- CUNY Researcher is Part of Covered Entity's Workforce (cont.)
  - Summary
    - A CUNY researcher who is not a workforce member of a Covered Entity may identify potential research subjects, but may not use that Covered Entity's PHI to contact potential research subjects
    - Such researchers must either enlist the aid of the patients' treating physicians at the Covered Entity, or obtain a partial waiver of HIPAA authorization from CUNY's or the Covered Entity's IRB
25. Hot Topics in Research: Subject Recruitment
- Partial IRB Waiver of HIPAA Authorization
  - HIPAA permits researchers to use PHI to contact patients if an IRB has waived the authorization requirement with respect to that initial contact, and the Covered Entity has obtained documentation of that waiver
  - There is no obligation that the IRB that supplies the waiver be from the institution that maintains the PHI. Thus, CUNY's IRB could theoretically supply a waiver with respect to PHI that is partially or fully maintained by a Covered Entity. Documentation of that waiver would need to be supplied to a designated official at the Covered Entity, such as its IRB or Privacy Officer
  - CUNY researchers should not begin to use or disclose a Covered Entity's PHI until the CUNY IRB waiver has been "blessed" by the Covered Entity's designated official
26. Hot Topics in Research: Subject Recruitment
- Partial IRB Waiver of HIPAA Authorization (cont.)
  - In practice, a Covered Entity that has its own IRB may not be comfortable with having an IRB from a separate institution that is not a Covered Entity, such as CUNY's IRB, waive the HIPAA authorization requirement for uses of the Covered Entity's PHI. The Covered Entity may prefer to have its own IRB assess researcher petitions for partial waivers of HIPAA authorization
  - To the extent that the CUNY IRB does grant partial or full waivers of HIPAA authorization, it must document the elements enumerated on the following slides, and forward a copy of that documentation to the Covered Entity, or make that documentation available to the CUNY researcher to supply to the Covered Entity
27. Hot Topics in Research: Subject Recruitment
- Partial IRB Waiver of HIPAA Authorization (cont.)
  - CUNY IRB Documentation
    - Date on which the waiver was granted
    - A statement confirming that the IRB has determined the proposed use or disclosure to involve no more than minimal risk to privacy of research subjects based on, at least:
      - Adequate plan to protect the information from improper use and disclosure
      - Adequate plan to destroy identifiers
      - Written assurances that the PHI will not be disclosed further than set forth in the waiver
28. Hot Topics in Research: Subject Recruitment
- Partial IRB Waiver of HIPAA Authorization (cont.)
  - CUNY IRB Documentation (cont.)
    - Brief description of the PHI for which use or access has been determined necessary without authorization by the IRB
    - Statement regarding whether the waiver was reviewed and authorized under expedited or normal review procedures
    - Additionally, the foregoing documentation must be signed by the Chair of the CUNY IRB, or by another member of the CUNY IRB designated by the Chair
29. Hot Topics in Research: Subject Recruitment
- Additional Considerations Regarding Subject Recruitment
  - I. Blanket Authorizations
    - What if a CUNY researcher represents to the CUNY IRB that no HIPAA research authorization is needed for a particular research study, because the Covered Entity, or the CUNY researcher's contact at the Covered Entity, has obtained from patients signed "blanket authorizations" that purportedly permit the use of the patients' PHI to contact them for any future research projects for which their inclusion is deemed appropriate by a physician or researcher?
30. Hot Topics in Research: Subject Recruitment
- Additional Considerations Regarding Subject Recruitment
  - I. Blanket Authorizations
    - Commentary to the August 2002 HIPAA regulations makes clear that blanket authorizations from patients allowing the use of their PHI for research recruitment purposes without specifying the person to whom the information would be disclosed and the exact information to be disclosed are not permitted, because such a blanket authorization would not provide individuals with sufficient information to make an informed choice about whether to sign the authorization and would be inconsistent with the decision to eliminate the distinction in the HIPAA regulations between research that includes treatment and research that does not
    - However, OCR recently allowed Johns Hopkins to use an authorization that, although not a blanket consent form, broadly permits all Hopkins staff to review patient records for research recruitment purposes
31. Hot Topics in Research: Subject Recruitment
- Additional Considerations Regarding Subject Recruitment
  - II. Partial IRB Waiver of Informed Consent
    - An August 2003 NIH Guidance suggests that any preparatory activities in which an investigator reviews identifiable information would meet the Common Rule definition of "human subjects research" and require informed consent of subjects, or waiver of informed consent
    - According to that interpretation, researchers would need to get both an IRB partial waiver of authorization (HIPAA) and an IRB partial waiver of informed consent (Common Rule) for any recruitment activities that involve identifiable information (e.g., reviewing records to identify and contact potential subjects, maintaining identifiable information of potential subjects on screening logs, etc.)
32. Hot Topics in Research: Subject Recruitment
- Additional Considerations Regarding Subject Recruitment
  - II. Partial IRB Waiver of Informed Consent
    - CUNY researchers who apply for partial waivers of HIPAA research authorization and/or informed consent should do so in applications that are distinct elements of the protocol
    - Nevertheless, the HIPAA research authorization and informed consent waiver applications may be combined (distinct analyses, but similar criteria)
33. Hot Topics in Research: Databases and Tissue Banks
34. Hot Topics in Research: Databases and Tissue Banks
- The HIPAA and Common Rule issues pertaining to databases and tissue banks, as applied to CUNY, are similar to the issues associated with subject recruitment, and, in fact, intersect with those issues
- Because CUNY is not a Covered Entity, HIPAA likely does not apply to any databases or tissue banks maintained by CUNY
- Nevertheless, for the reasons discussed in Part I, CUNY has a strong interest in ensuring that any CUNY researchers that conduct research on, or otherwise use or disclose PHI derived from, a Covered Entity's database or tissue bank, do so only in accordance with HIPAA
- Note that tissue samples can be PHI if labeled with identifying information (e.g., admission date or medical record number)
35. Hot Topics in Research: Databases and Tissue Banks
- The general rule is that CUNY researchers may not conduct research on, or otherwise use or disclose PHI derived from, a Covered Entity's database or tissue bank, without first obtaining a HIPAA research authorization from the subjects of that PHI
- Contacting patients to obtain a HIPAA research authorization must be done according to one of the methods described in the preceding section on subject recruitment
36. Hot Topics in Research: Databases and Tissue Banks
- Considerations Regarding Databases/Tissue Banks
  - I. HIPAA Research Authorization for Future Studies
    - CUNY researchers may not avoid HIPAA by relying on a blanket authorization form obtained by another researcher at the Covered Entity that purports to permit future research studies on a patient's database information or tissue samples
    - To use or disclose any PHI derived from a Covered Entity's database or tissue bank, a CUNY researcher must first obtain a HIPAA research authorization that is specifically applicable to that researcher's study, or a waiver of authorization
    - Additionally, CUNY researchers who perform multiple studies on a Covered Entity's database or tissue bank will need to obtain separate HIPAA research authorizations (or separate waivers) for each new study that is not expressly contemplated and authorized by a previous authorization or waiver
37. Hot Topics in Research: Databases and Tissue Banks
- II. Coded Private Information and/or Biological Specimens
  - According to a recent OHRP Guidance (August 10, 2004), there may be a distinction between how coded or anonymized private information is treated under the Common Rule and under HIPAA
  - "Coded" means information whose identifiers have been replaced with a number, letter, symbol, or a combination thereof, and whose code can be deciphered by using a key
38. Hot Topics in Research: Databases and Tissue Banks
- II. Coded Private Information and/or Biological Specimens
  - Only information or specimens that can be linked to a specific individual are considered "individually identifiable." Research on such information or specimens is considered to be "human subjects research" under the Common Rule
  - However, information or specimens that cannot be linked to an individual are not "individually identifiable" and research on them is not "human subjects research" for the purposes of regulation under the Common Rule. Consequently, there would be no obligation, for example, to collect informed consent from the subjects of such information and/or specimens, as such subjects are not individually identifiable
39. Hot Topics in Research: Databases and Tissue Banks
- Coded Private Information and/or Biological Specimens
  - According to the OHRP Guidance, coded information or specimens cannot be linked to an individual, and are thus not individually identifiable, when:
    - The key to decipher the code has been destroyed
    - Agreement between investigator and holder of key prohibits release of key to investigator under any circumstances, unless and until the individuals have been determined by the holder of the key to be deceased
40. Hot Topics in Research: Databases and Tissue Banks
- Coded Private Information and/or Biological Specimens
  - IRB-approved written policies and operating procedures for a repository or data management center prohibit release of the key to investigators under any circumstances, unless and until the individuals have been determined to be deceased
  - Legal requirements prohibit the release of the key to investigators, unless and until the individuals have been determined to be deceased
41. Hot Topics in Research: Databases and Tissue Banks
- II. Coded Private Information and/or Biological Specimens
  - The potentially awkward result, acknowledged by the Guidance, is that in certain instances, research using information stored in or created from databases or tissue banks may not be subject to the Common Rule by virtue of not being directly linkable to individuals, but may still be subject to HIPAA if that information is not "de-identified" as that term is defined under HIPAA
  - Information is considered to be "de-identified" under HIPAA only if the 18 HIPAA identifiers from the next slide have been removed, or if a qualified statistician has determined the risk of re-identification to be very small
42. Hot Topics in Research: Databases and Tissue Banks
- II. Coded Private Information and/or Biological Specimens
  - "De-identified" information cannot have any of the following 18 HIPAA identifiers:
    - Names
    - Geographic subdivisions smaller than a State
    - Dates (except year) directly related to patient
    - Telephone numbers
    - Fax numbers
    - E-mail addresses
    - Social security numbers
    - Medical record numbers
    - Health plan beneficiary numbers
    - Account numbers
    - Certificate/license numbers
    - Vehicle identifiers and serial numbers
    - Device identifiers and serial numbers
    - Web URLs
    - Internet Protocol (IP) address numbers
    - Biometric identifiers, including finger and voice prints
43. Hot Topics in Research: Databases and Tissue Banks
- II. Coded Private Information and/or Biological Specimens
  - Thus, when CUNY researchers seek a partial waiver of HIPAA authorization from the CUNY IRB to perform research on a Covered Entity's coded database or tissue bank, the IRB should assess whether the information and/or specimens are individually identifiable from a Common Rule perspective
  - If the information and/or specimens are not individually identifiable under Common Rule standards, then there would be no need for CUNY researchers to collect informed consent or apply for an IRB waiver of informed consent, although they may still need to apply for an IRB waiver of HIPAA authorization if the information does not qualify as being "de-identified" under HIPAA
44. Hot Topics in Research: Databases and Tissue Banks
- III. CUNY's Own Databases and Tissue Banks
  - Even though HIPAA is not directly applicable to CUNY, there are other sources of confidentiality requirements that are applicable to CUNY, including the following Common Rule requirements:
    - IRBs are required to find that there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data (45 CFR 46.111(a)(7))
    - Informed consent forms must state the extent, if any, to which confidentiality of records identifying the subject will be maintained (45 CFR 46.116(a)(5))
  - Thus, while HIPAA has added new layers of complexity and has caused research sites, IRBs, investigators, and subjects to re-focus on confidentiality and privacy, confidentiality and privacy protections are not new
45. Hot Topics in Research: Databases and Tissue Banks
- III. CUNY's Own Databases and Tissue Banks
  - CUNY should inventory all databases and repositories that contain identifiable data and/or tissue
  - Protocols should be drafted, and IRB files opened or re-activated, so that IRB oversight and respect for privacy/confidentiality is ensured for each database and repository
  - As of April 21, 2005, electronic databases will be required to comply with the HIPAA Security Rule as well
  - Covered Entities must be aware of all electronic databases for HIPAA Security Rule assessment
46. Hot Topics in Research: Other Issues
47. Hot Topics in Research: Departing Investigators
- What if a CUNY Faculty Member leaves CUNY and wants to take with him or her identified data or tissue samples from CUNY?
- Alternatively, what if a newly appointed CUNY Faculty Member wants to bring with him or her to CUNY identified data or tissue samples from his or her former institution that is a HIPAA Covered Entity?
- This is in large part an ownership question on which institutions prospectively should adopt clear policies
- The lack of clear prior understanding can lead to serious disputes (see Washington University v. Catalona)
- Law remains unclear with regard to ownership rights of subjects, investigators, and institutions in data and research materials
48. Hot Topics in Research: Departing Investigators
- HIPAA issues
  - The movement of data/samples from the Covered Entity to CUNY is presumably a disclosure by either the newly appointed CUNY Faculty Member or the Covered Entity to CUNY
  - Options in context of specific study?
  - Options in context of general database/repository maintenance?
  - What if Covered Entity is compensated by CUNY or the newly appointed CUNY Faculty Member for its efforts in effecting the transfer or in compiling and maintaining the database or tissue repository?
  - These are issues that are coming down the pipeline, for which guidance and resolution will likely soon be needed
49. Questions?
- Mark Barnes
- Ropes & Gray LLP
- 212-497-3635
- mbarnes_at_ropesgray.com