The federal Medical Privacy Rule, authorized by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), limits how covered physicians may use and disclose protected health information (PHI) for any purpose.
The Privacy Rule is complex, especially as applied to research. Academic medical centers (AMCs) have detailed policies and procedures in place to ensure that faculty research meets the rule's requirements. By comparison, community physicians who are unaffiliated with AMCs may have fewer compliance resources.
In this article, I summarize key aspects of Privacy Rule research compliance for readers who are familiar with the rule's basic concepts. This summary is not legal advice; each physician should consult legal counsel to resolve specific compliance problems and to determine whether the Privacy Rule supplements or replaces a given state's medical privacy laws. (This article is limited in scope and does not cover how the Privacy Rule affects research databases or retrospective [eg, chart review] studies; nor does it cover the HIPAA Security Rule.)
A prospective sponsor might request summary information about a physician's patients to establish whether the physician's practice is a viable site for a clinical trial. The Privacy Rule permits the physician to review her medical records for this “pre-research” purpose, provided that no PHI is disclosed to the sponsor.
If a third party, such as a contract research organization (CRO) or another researcher, will review medical or billing records for this purpose, the review must occur at the practice and the physician must obtain the following representations:
The use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;
No PHI will be removed from the covered entity during the review; and
The PHI that the researcher [or CRO] seeks to review is necessary for the purpose(s) of the review.
To document HIPAA compliance, the physician should ask the third party to provide these representations in writing.
Alternatively, the Privacy Rule allows the physician to share “de-identified” data without restriction. The Privacy Rule's standard for de-identification is quite strict, typically requiring removal of eighteen specific identifiers that range from names and social security numbers to dates of treatment and full zip codes. (For further information on de-identification, see the National Institutes of Health guidance referenced in this article.)
The Privacy Rule permits a physician to recruit her own patients by, for example, sending a letter to patients potentially eligible to enroll in a clinical trial, or by discussing enrollment during an office visit. (The institutional review board overseeing the study must approve the recruitment plan.)
If a CRO wishes to use a physician's records to recruit patients, the study's principal investigator should seek a partial waiver of HIPAA authorization from the institutional review board. (The Privacy Rule waiver criteria are found at 45 C.F.R. §164.512[i][1][i].) This waiver, if granted, will apply to the CRO's use of PHI in recruitment. Written HIPAA authorization and informed consent will still be required to enroll a patient in the actual clinical trial.
Although not a HIPAA requirement, physicians concerned about patients' privacy expectations should consider limiting recruitment to calls placed by the physician (or office staff), letters signed by the physician, and brochures in the waiting room instructing interested patients to contact the CRO conducting the study.
A physician generally must obtain written HIPAA research authorization to enroll a patient in a clinical trial. Though a research sponsor may provide a template consent form, typically the research site, which is the covered entity, must supply the HIPAA authorization. The study's authorization and consent forms are usually combined, which is permitted, provided that the combined form contains all of the elements required by both the Privacy Rule and federal research regulations.
A HIPAA research authorization must contain all the elements of a valid general HIPAA authorization. (The core elements of a valid general authorization are found at 45 C.F.R. §164.508[c][1] – [2].) Unlike a general HIPAA authorization, however, a HIPAA research authorization may have an expiration date of “none” (if permitted by state law). The physician may require patients who want to participate to sign the research authorization. The research authorization must indicate whether a patient's right to access research information entered in medical or billing records will be suspended until the study ends.
Beyond this brief introduction to the Privacy Rule's research requirements, further guidance is available through the National Institutes of Health, at privacyruleandresearch.nih.gov.
Every HIPAA authorization must also tell the patient how to revoke authorization. If a patient does revoke authorization, the physician conducting the trial may continue to use and disclose (eg, provide to the research sponsor) PHI obtained before the revocation. After revocation the physician may use and disclose the patient's new PHI only as necessary to maintain the integrity of the research (eg, to report an adverse event or the death of a study subject).
HIPAA continues to apply when the results of clinical trials (or case studies) are published or presented to an audience. Except when conducting internal medical education activities, physicians must obtain written HIPAA authorization before publishing papers or making presentations containing PHI. An institutional review board may not waive authorization for the publication or presentation of research.
Physicians whose publications or presentations will contain patient-level data should determine whether the eighteen HIPAA identifiers have been removed, and also whether the remaining information could be combined with other publicly available information to reveal the identity of a participant. Materials involving photographs, rare diseases, or highly publicized cases should be reviewed with particular care.
Articles from Journal of Oncology Practice are provided here courtesy of American Society of Clinical Oncology