HIPAA Privacy Rule Paul Below Clinical Research Consultant.

2 Training Objectives
Overview of the HIPAA Privacy Rule and its impact on clinical research
Quiz

3 Disclaimer / Disclosure
This presentation is intended for educational and informational purposes only and should not be construed to be legal advice
The presenter does not have a significant equity interest in any of the companies mentioned in the following slides

4 What is HIPAA?
HIPAA stands for “Health Insurance Portability and Accountability Act of 1996”
Lengthy federal statute that addresses a variety of health care issues
Original intent of the law was to allow individuals to carry their health insurance plans to new jobs
Scope expanded to include such items as Medicare fraud and simplifying the electronic exchange of information to expedite payments

5 HIPAA Privacy Rule
HIPAA Title II (Administrative Simplification) mandated creation of standards to protect health information privacy
HHS created regulations – Standards for Privacy of Individually Identifiable Health Information – a.k.a. the “Privacy Rule”
Compliance with the rule for most was required by April 14, 2003

6 HIPAA Legislation
HIPAA Act (1996)
  Title II Administrative Simplification
    Transaction Standards
    Standard Code Sets
    Unique Health Identifiers
    Privacy (Sec 264), implemented as the Privacy Rule, 45 CFR 160 & 164, enforced by the HHS Office of Civil Rights
    Security Standards
    Electronic Signatures
Source: “HIPAA Primer”, E. Rusnik, Research Practitioner, Nov-Dec 2002, Vol. 3, No. 6, pgs

7 Privacy National Standard
The Privacy Rule is a national standard that creates a “floor” for privacy protections
It preempts state laws that are contrary or provide lesser protections
It does not replace other laws (federal, state) that grant additional privacy protections (e.g., alcohol/drug treatment, STD, HIV/AIDS, genetics, child abuse reporting)
Institutions can adopt more protective policies and practices

8 Why is the Privacy Rule Needed?
A banker who also served on his county health board cross-referenced patient information with his customer accounts. He called due the mortgages of anyone diagnosed with cancer (The National Law Journal, May 30, 1994, p. A1)
Other examples of medical privacy violations in the news are available at the Health Privacy Project website ( privacystories814.pdf)

9 Privacy Rule General Provisions
The Privacy Rule imposes limits on the ways that health care insurers and providers (“covered entities”) may use or disclose health information for a variety of purposes
Patients own their health information and have more control over its use (privacy rights)
In some cases, authorization is required from the patient prior to the use or disclosure of their “protected health information”

10 Individual Privacy Rights
Right to access (inspect and copy) medical records
Right to amend medical records
Right to request restrictions on disclosures
Right to revoke authorization for use or disclosure
Right to an accounting of disclosures made within the previous 6 years

11 Institutional Obligations
Have written privacy policies, including a description of the staff that have access to protected health information, how it will be used and when it may be disclosed
Must train their employees in their privacy procedures
Must designate an individual to be responsible for ensuring the privacy policies are followed (Privacy Officer)

12 HIPAA Vocabulary
Covered Entities
Business Associates
Protected Health Information
De-identified Data
Notice of Privacy Practices
Authorization Form/Clause

13 Covered Entities
Definition = A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with certain defined transactions (health care claims, payment, plan enrollment, referrals, coordination of benefits, etc.)
Only Covered Entities are required to adhere to the Privacy Rule

14 Covered Entities (cont)
Sponsors are not Covered Entities simply by virtue of sponsoring clinical research and are not technically regulated under HIPAA
However, almost all clinical trial data is health information created by covered entities, so sponsors must be aware of HIPAA compliance in order to be able to use the data

15 Business Associate
Definition = External individuals or entities that perform a service on behalf of a Covered Entity (not members of their workforce)
Includes legal, accounting, management, consulting, administrative, data aggregation, and financial services that create or access PHI
Examples: web-hosting or data storage companies, third party billing companies, third parties assisting with recruitment or screening

16 Business Associate (cont)
Generally does not include outside researchers, sponsors or coordinating & statistical centers
The Privacy Rule does not prohibit a covered entity from entering into a business associate contract with a researcher or sponsor

17 Business Associate (cont)
Clinical trial sites will likely seek assurances from sponsors, through provisions in their clinical trial agreements, that all data recipients will protect the privacy of the research data and will use such data only for agreed upon purposes

18 Research & HIPAA
Research Definition = systematic investigation including development, testing, and evaluation, designed to develop or contribute to generalizable knowledge (includes development of research repositories and databases)
Research is a function not directly regulated by the Privacy Rule
Researchers are covered entities if they are also health care providers that electronically transmit personally identifiable health information

19 Protected Health Information (PHI)
Definition = any health information that is “individually identifiable” and is transmitted or maintained in any form or medium
Data that is de-identified is not protected by the Privacy Rule

20 Data De-Identification
De-identified data is not PHI if it does not contain the following 18 identifiers:
1. Names
2. Geographic subdivisions smaller than State
3. Dates (except year) related to the patient
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers & serial numbers
13. Device identifiers & serial numbers
14. Web URLs
15. Internet Protocol (IP) addresses
16. Biometric identifiers (finger, voice prints)
17. Full face photos
18. Any other unique identifying numbers or codes
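The 18-identifier list on this slide, turned into a scrub-and-check routine for one patient record. This is an added example, not material from the presentation: the field names, the sample record and the leak patterns are assumptions, and the aggregation of ages over 89 into a "90+" band comes from the regulation's wording of item 3 rather than from the slide.

```python
import re
from datetime import date

# Safe Harbor items 1 and 4-18 on the slide: fields dropped outright.
# Field names are assumed for this example; map them to your own schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo", "other_unique_code",
}
# Item 2: geographic subdivisions smaller than a state are dropped.
SUB_STATE_GEO_FIELDS = {"street", "city", "zip"}
# Item 3: dates related to the patient are kept as year only (assumed names).
DATE_FIELDS = {"dob": "birth_year", "admission_date": "admission_year",
               "discharge_date": "discharge_year"}
# Identifier shapes that tend to leak through free-text fields such as notes.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

def year_of(value):
    """Reduce a date object or an ISO-8601 string to its year."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])

def deidentify(rec, as_of_year):
    """Return a copy of rec with the 18 Safe Harbor identifiers removed."""
    out = {}
    for key, value in rec.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in SUB_STATE_GEO_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[DATE_FIELDS[key]] = year_of(value)
        else:
            out[key] = value
    # Item 3 in the regulation (not spelled out on the slide) also requires
    # ages over 89 to be aggregated into a single "90 or older" category.
    if "birth_year" in out and as_of_year - out["birth_year"] > 89:
        out["birth_year"] = None
        out["age_band"] = "90+"
    return out

def find_residual_identifiers(rec):
    """List (field, pattern) pairs where identifier-shaped text survives."""
    findings = []
    for key, value in rec.items():
        if isinstance(value, str):
            for label, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    findings.append((key, label))
    return findings

def safe_harbor(rec, as_of_year):
    """Scrub rec; it is de-identified only if the returned findings are empty."""
    clean = deidentify(rec, as_of_year)
    return clean, find_residual_identifiers(clean)

# Constructed sample record with fictitious values.
SAMPLE = {
    "name": "Jane Q. Sample", "mrn": "MRN-0001234", "dob": date(1912, 5, 17),
    "admission_date": "2003-04-14", "street": "1 Example Way",
    "city": "Springfield", "zip": "62704", "state": "IL",
    "diagnosis_code": "C50.911",
    "notes": "Patient callback 555-123-4567; seen 2003-04-14.",
}
```

Running `safe_harbor(SAMPLE, 2003)` drops the structured identifiers but still reports the phone number and full date left in the free-text notes, which is the case that field-level scrubbing alone misses.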

21 Permitted Uses of PHI
Covered entities are permitted to use and disclose “minimum necessary” PHI for such things as:
  Treatment, payment, healthcare operations
  Public health uses
  When required by law
Patient must be given a “Notice of Privacy Practices”

22 Notice of Privacy Practices
Describes permitted uses and disclosures of PHI for treatment, payment, healthcare operations, public health uses, and uses by oversight agencies
If the covered entity is a provider, it must make a good faith effort to obtain written acknowledgement of receipt
Covered entities that want to use and disclose patient information for research must include this intent in their privacy notice

23 Permitted Uses (cont)
Research is not considered “treatment” and requires a special authorization for PHI use
Quality assurance, utilization management and quality improvement studies are all permitted activities that fall under “health care operations”, but can be a grey area

24 Authorization Form/Clause
Authorization grants permission to a Covered Entity to use and disclose PHI to a researcher
Authorizations are generally protocol-specific
Although authorization to use PHI is similar to informed consent and will generally be obtained during the consent process, it has different purposes and requirements

25 HIPAA Authorization vs. Informed Consent
Authorization:
  To use and disclose protected health information
  Driven by Privacy Rule
  IRBs/Privacy Boards can grant waiver to allow PHI use without authorization
  May be reviewed by IRB or Privacy Board
Informed Consent:
  To participate in the research based on the risks and benefits
  Driven by FDA regulations
  IRBs can waive consent requirements for minimal risk or emergency research
  Reviewed and approved by IRB

26 Authorization (cont)
Authorization may be combined with the informed consent form or may be a separate document
If separate documents, information must be consistent between the two
The Privacy Rule does not require IRBs to review and approve stand-alone HIPAA authorization forms (however, some IRBs may still require approval of authorization forms)

27 IRB Approval of Authorization Forms
Recent letter from OCR clearly states that IRB review and approval of a stand-alone HIPAA authorization is not required under the Privacy Rule.
ICH guidance that IRBs approve all written materials provided to subjects does not include HIPAA authorizations – a “misinterpretation”.
Source: Letter from the Office of Civil Rights, 15 April 2003, to the International Pharmaceutical Privacy Consortium

28 Authorization (cont)
Authorizations can be created by the covered entity or by a third party (such as the sponsor)
Responsibility for ensuring the research authorization is accurate rests with the sites
Must include specific elements defined in 45 CFR and be in “plain language”

29 Required Elements
A meaningful description of the PHI and each purpose for the use and disclosure
Name of person(s) authorized to make the disclosure
Names of all users of the PHI
Expiration date (for research, can be “end of the research study” or “none”)
A statement about what may happen if the authorization is not signed (for research, it is permissible to exclude the individual from trial participation)

30 Required Elements (cont)
Instructions on how to revoke authorization
  Revocation must be in writing
  If a research authorization is revoked, previously collected PHI can still be used if it is needed to maintain the integrity of the study (account for subject withdrawals, adverse events, support FDA submissions)
A warning that once information has been released, it may be released again without further authorization
Signature & date of the individual

31 Authorization (cont)
HIPAA has a “grandfather” clause if the subject has signed an IRB-approved informed consent form prior to 14 April 2003
Investigators are not required to obtain an authorization for use/disclosure of PHI from these subjects unless the subjects must be reconsented after HIPAA takes effect

32 Authorization Exceptions
Authorization is not required in research when:
  PHI is used for activities “preparatory to research” (i.e., preparing a protocol, recruitment)
  The research involves decedents
Researchers must “represent” to the Covered Entity that:
  The PHI use is necessary for research purposes
  The PHI will not be removed from the premises
  The PHI will only be used for the stated activity

33 Exceptions (cont)
Authorization is not required in research when a treating physician or members of the Covered Entity’s workforce do the following:
  Discuss research with their own patients
  Review their own patient records to determine patient eligibility
  Contact their own patients for study recruitment

34 Exceptions (cont)
Third parties can review PHI preparatory to research but cannot contact potential subjects or record contact information without a “waiver of authorization”

35 Waiver of Authorization
Requires IRB or Privacy Board approval
Applicable for registry and database studies, and for external researchers involved in recruitment
Required criteria for waiver:
  Use or disclosure of PHI involves no more than minimal risk to subject privacy (written assurance and adequate plan for protection)
  Research could not practicably be conducted without access to and use of the PHI and without the waiver (cost can be a consideration)

36 Research Databases
Authorization or waiver is required to use PHI in a database for future research (unless the database is limited to decedents’ PHI)
If the database is not maintained by a Covered Entity, the authorization must indicate that the PHI is not protected by the Privacy Rule and can be redisclosed without notice
If the database is maintained by a Covered Entity, use for a particular study requires a new, protocol-specific authorization or waiver

37 HIPAA References
Standards for Privacy of Individually Identifiable Health Information - Final Rule (Amended), Federal Register, 67: ; 14 August 2002
“Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule,” NIH Publication No , April 2003
“HIPAA and Human Subjects Research: A Question & Answer Reference Guide,” M. Barnes and J. Kulynych, Barnett International, March 2003

38 HIPAA Website Resources
Department of Health and Human Services – Office of Civil Rights
DHHS – HIPAA Privacy Rule and Research
Atlantic Information Services, Inc.
Phoenix Health Systems
Georgetown University - Health Privacy Project

39 Training Objectives
Overview of the HIPAA Privacy Rule and its impact on clinical research
Quiz

40 HIPAA Quiz - #1
What kinds of research are covered by HIPAA?
A. Clinical trials only
B. Research funded by the federal government only
C. Epidemiologic research based on research records only
D. Any research done by a covered entity that uses PHI

41 HIPAA Quiz - #1
What kinds of research are covered by HIPAA?
A. Clinical trials only
B. Research funded by the federal government only
C. Epidemiologic research based on research records only
D. Any research done by a covered entity that uses PHI
The Privacy Rule covers categories of research that might even be considered exempt by HHS/FDA standards

42 HIPAA Quiz - #2
All ongoing research subjects who are active in a clinical study after 14 April 2003 must sign a HIPAA authorization.
A. True
B. False

43 HIPAA Quiz - #2
All ongoing research subjects who are active in a clinical study after 14 April 2003 must sign a HIPAA authorization.
A. True
B. False
HIPAA grandfather clause

44 HIPAA Quiz - #3
The Privacy Rule requires that a HIPAA authorization form (if separate from the informed consent form) must be reviewed by the IRB or Privacy Board.
A. True
B. False

45 HIPAA Quiz - #3
The Privacy Rule requires that a HIPAA authorization form (if separate from the informed consent form) must be reviewed by the IRB or Privacy Board.
A. True
B. False
Recent HHS guidance says it is not necessary, although some IRBs will still require it

46 HIPAA Quiz - #4
Revocation of a HIPAA authorization does not require a sponsor to remove the subject’s data that has already been collected from their database.
A. True
B. False

47 HIPAA Quiz - #4
Revocation of a HIPAA authorization does not require a sponsor to remove the subject’s data that has already been collected from their database.
A. True
B. False
HHS allows PHI that is already collected to be used as necessary for the NDA

48 HIPAA Quiz - #5
Revocation of a HIPAA authorization does not necessarily require a subject to withdraw from the study if they have not also withdrawn informed consent.
A. True
B. False

49 HIPAA Quiz - #5
Revocation of a HIPAA authorization does not necessarily require a subject to withdraw from the study if they have not also withdrawn informed consent.
A. True
B. False
They must be withdrawn because no further PHI can be collected from them

50 HIPAA Quiz - #6
Protected health information may be disclosed without authorization or waiver to government agencies as required by law.
A. True
B. False

51 HIPAA Quiz - #6
Protected health information may be disclosed without authorization or waiver to government agencies as required by law.
A. True
B. False
For example: child abuse and neglect reporting to local health authorities, AE reporting and product defect reporting to FDA, security reporting to the Department of Homeland Security

52 HIPAA Quiz - #7
Only the treating physician or members of the Covered Entity’s workforce may contact their patients to discuss potential participation in a study.
A. True
B. False

53 HIPAA Quiz - #7
Only the treating physician or members of the Covered Entity’s workforce may contact their patients to discuss potential participation in a study.
A. True
B. False
However, third party researchers may only do so with a partial waiver of authorization

54 HIPAA Quiz - #8
Pharmaceutical companies are considered Business Associates when sponsoring clinical trials with Covered Entities.
A. True
B. False

55 HIPAA Quiz - #8
Pharmaceutical companies are considered Business Associates when sponsoring clinical trials with Covered Entities.
A. True
B. False
Some Covered Entities will request this, but it is not recommended – nothing prohibits this kind of agreement between sponsors and investigator sites