Health Insurance portability and Accountability Act (HIPAA)‏

Introduction Evolved as a result of the rapid evolution of the health information system technology as well as the challenges for maintaining the confidentiality of health information Introduced as Kennedy – Kassebaum Bill, an outgrowth of the Clinton administration attempt to revamp the healthcare system.

Increase in electronic transactions could lead to unauthorized disclosures of personal health information Final Privacy Rule published December 28, 2000 Effective Date – April 14, 2001 [two year implementation period] Implementation Date – April 14, 2003 HIPAA Background

What is Required? Health care providers, health plans and clearinghouses prohibited from using or disclosing “protected health information” (PHI) without patient authorization, except when specifically required or permitted under the regulations “Protected health information” includes any identifiable health information relating to the health of an individual, the care provided or payment for care.

What is required? PHI includes information in any form or medium (electronic, paper, oral, etc.)‏ Providers must transmit health information electronically to be covered under the Rule

Impact on Clinical Research Subject privacy is increasing the amount of documentation needed for the initiation of the trial. Additional need for authorization from the subject for the release of the “individually identifiable health information” that the drug sponsor must enter into the data bank

Covered Entities Health Care providers engaged in electronic transactions & health care clearing houses: Business associates Legal Accounting Consulting Clinical research Data analysis Quality assurance Practice management

Not covered Entities Pharmaceutical, Biotech, Medical device or CRO Possibility a part of pharmaceutical or CRO is covered entity

Applicability Individual identification Name, birth date, admission date, telephone no, medical record nos. Individual health, health care treatment or payment Information maintained or disclosed in electronic format or in hard copy

Authorization for Clinical Trials The most effective way to gain authorization from the trial subjects is to obtain the consent/acknowledgment & written authorization from the subjects permitting the disclosure of & access to the clinical trial data

Authorization must include: Description of the subject information that will be reviewed Persons authorized to make the requested use or disclosure of this information Expiration date

Authorization must include: Statement that the individual’s access rights to inspect & obtain copies of their health records relative to the trial is suspended while the clinical trial is in progress & will be reinstated when the clinical trial is concluded. A statement that the subject has the right to revoke the authorization

Relationship to informed Consent HIPAA authorization can be included with the informed consent document or it can be separate from the informed consent.

SOPs/contents in HIPAA Authorization Name of the person or class of persons authorized to make the disclosure eg. PI, SI, Research coordinators Name of the person or class of the persons that will receive the disclosed information eg sponsor, monitors, CROs & statisticians Statement that information received by the users may be used for future studies or statistics Cont....

SOPs/contents in HIPAA Authorization Expiration date when authorization may disclose the information Statement containing a subject’s right to revoke their authorization for disclosure Statement documenting the possibility that the information may be disclosed by the recipient ( eg to the FDA ) Signature of subject & date of the signing of the HIPAA agreement The document should be written in a language understood by the subject & a copy of the document must be given to the subject

Institutional review Boards Where HIPAA requirements are combined with the informed consent requirement, the entire document needs to be reviewed by the IRB In cases where IRBs are not responsible for reviewing, the HIPAA authorization Privacy Board may be formed to undertake this task.

IRB or Privacy Waivers of Authorization At least 3 criteria must be met for the IRB or Privacy Board to waive authorization for research: The use or disclosure of protected health information involves no more than a minimal risk to the privacy of the individual The research could not practicably be done without the waiver

Waivers The research could not practicably be conducted without access to and the use of protected health information The research will not adversely affect privacy rights or welfare The privacy risks are reasonable in relation to anticipated benefits & the importance of the knowledge of the clinical results.

Study recruitment Covered entity’s workforce can use protected health information to identify & contact prospective research subjects They can also discuss the enrollment in a clinical trial with the potential subject before authorization is completed or there has been a waiver of authorization If a researcher is not employed by the covered entity, the researcher can still have access to the protected information as a result of a partial waiver of individual authorization by an IRB or Privacy Board.

Conclusion The privacy to subject information that HIPAA commands is not totally unjustified, especially in the world of telecommunication we live in. However, it will put a great burden on investigators & sponsors who conduct clinical research in the process of new product development HIPAA can be a barrier that could interfere with subject recruitment in conducting clinical research but IMPORTANT