
Currently Skimming:

2 Prepared Presentations and Discussion
Pages 6-84

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 6...
... Susan, if you are ready, please proceed. Susan McAndrew, Esq., Acting Deputy Director for Health Information Privacy, DHHS Office for Civil Rights, Information on the Privacy Rule and Health Research from the DHHS Office for Civil Rights: I want to thank the Forum for inviting OCR to make this presentation and
From page 7...
... In terms of the fundamentals, there are four points. First, our purpose was to establish for the first time a uniform set of federal standards nationwide for how health plans and most health care providers should treat the identifiable health information that they receive from their patients.
From page 8...
... We wanted to give a covered entity permission to use and disclose patient health information for research purposes, but within a single set of rules that apply to all research, so there would not be multiple requirements. Whether or not the entity doing the research is itself a covered entity is a key distinction.
From page 9...
... By the same token, FDA regulations and the Common Rule do not supersede or preempt the HIPAA Privacy Rule. These regulations work within their spheres independently and jointly.
From page 10...
... are basically patterned from the Common Rule informed consent waiver criteria. We started with a much different list, but because we got a lot of negative feedback on that, we collapsed the list, and we constructed it more carefully to be consistent with the Common Rule criteria to ensure that the IRBs were working within a familiar realm when dealing with the privacy balances.
From page 11...
... We tried to make the Rule more compatible with not only the Common Rule, but what we knew about actual operating procedures in the field, while keeping true to our basic goal of making sure that we had through HIPAA a single set of rules that worked for research, not only research that was governed by the Common Rule, but research that was outside the rule -- subject to the FDA or other kinds of regulations. We have extensive guidance that we have issued in cooperation with our colleagues at NIH.
From page 12...
... citizens. Anyone who seeks health care has HIPAA protection for their identifiable health information in a covered entity.
From page 13...
... HIPAA is independent of the Common Rule and regulates not research itself but access by researchers to protected health information in covered entities. Policy makers aimed for consistency with the Common Rule and the FDA research rules, but certainly didn't harmonize the research regulatory framework.
From page 14...
... One that is faced largely by academic medical centers is the accounting for disclosures in research being conducted pursuant to an IRB waiver. In large institutions with many protocols, investigators may access records held by a covered entity under an IRB waiver, many of which ultimately will not be used in the research.
From page 15...
... For example, under the Common Rule, investigators can ask for informed consent for use of information in future unspecified research (sometimes bounded by type, such as cancer research, sometimes not) but under the parallel HIPAA authorization requirement, investigators may get permission only for the use of protected health information for a specific identified research project.
From page 16...
... There are many important HHS agencies that are affected by HIPAA research privacy provisions: everything from NIH research, CMS Pay-for-Performance efforts, all the efforts to promote health information technology, and much that is going on at the FDA and AHRQ. The agencies involved include the Office for Civil Rights, the National Institutes of Health (NIH)
From page 17...
... in statistics, do the statisticians have any special training or qualifications or Common Rule orientation.
From page 18...
... Then, if you come in, and I give you essentially pro bono services, free services, because I have billed electronically, I am a covered entity and your information, even though you are a non-paying customer is covered. So, the response was -- if the information comes in to a covered entity, that information is covered regardless of whether you are a citizen or not.
From page 19...
... We also are all in this together, and in fact, to make the obvious point, we are all patients and consumers of health care services. Our medical privacy is important to all of us.
From page 20...
... Stories like these are on our web site, by the way. We have medical privacy stories, our horror stories we call them.
From page 21...
... The California Health Care Foundation commissioned Forrester Research to do an opinion study in 2005 on national consumer health privacy following up on their benchmark 1999 study. They found that consumers remained concerned about the privacy of their personal health information.
From page 22...
... As a person living with AIDS, when I walk into my infectious disease doc every three months for my blood draws, and I have a ten minute conversation, occasionally we will talk about daily versus twice daily dosing. Imagine a future with robust health information technology that has built into it from the beginning effective privacy and security measures so that when I report that my daily dosing of Viramune® is working, that that goes into the system.
From page 23...
... There are so many people who have no idea what HIPAA is about and what the implications are. If one major negative headline appears, I think the impact is going to really be detrimental to not just the research community, but also to anybody who is interested in the handling of medical records.
From page 24...
... We might have the Rock Hudson of medical privacy coming down the pike. The issue is not that it happens.
From page 25...
... That is variability in the interpretation of the HIPAA Privacy Rule as it applies to research. I wanted to start with two beliefs that I have, just so that you understand where I am coming from, and they are probably not very different from beliefs that others in this room share.
From page 26...
... In that particular news article, Jocelyn Kaiser reported that for outcomes research, in many cases, the Privacy Rule is limiting the ability to do outcome studies based on medical records. In that regard, many of us have seen the smaller hospitals and community hospitals just dropping out of protocols altogether.
From page 27...
... International registries have definitely suffered delays. We have heard that for multi-institutional protocols, they will go through multiple IRBs, and because each IRB variably interprets both Common Rule and now HIPAA guidelines, it has become really a nightmare to do these protocols and that has been particularly true for international studies.
From page 28...
... The other example was a cohort study that was looking at preeclampsia, a disease that occurs during pregnancy. The only way that we could recruit these subjects into our ongoing cohort study after HIPAA was to persuade each patient to enroll in a registry, which is a way that investigators have been getting blanket use of medical records.
From page 29...
... But they were a series of recommendations proposing that, if research isn't going to be exempt, there be some ways to harmonize the Common Rule and HIPAA and some ways to do away with some of the more onerous requirements. So, -- moving from these very specific stories to what I think are some of the underlying issues -- the IRBs are in a difficult position; on the one hand they are protectors of human subjects, but on the other hand, they are a service organization that is ensuring that informed consent can take place and that research can go on.
From page 30...
... To summarize, some of the issues that are fundamental and very variably interpreted are: who is part of the covered entity? How do we stream
From page 31...
... What is hard to adapt to is that every single covered entity in the entire United States is interpreting things differently and variably over time. In a world where
From page 32...
... I think that some of what is going on quite clearly is a lack of understanding of the Rule, and in that case certification, or certainly a clearer in-servicing of IRB committees, would be very useful. But, as Marcy said, there are some elements of the Rule, some situations, in which there really does need to be more harmonization of the Privacy Rule with the Common Rule.
From page 33...
... Joanne Pollak, Esq., General Counsel and Vice President, Johns Hopkins Health System, Academic Health Center Research Impacts of the Privacy Rule: Thank you very much for giving me this opportunity, together with the others. I really feel the quality of the discussion here this morning is very, very high, and I think you are hearing both sides of the issue.
From page 34...
... Mark Barnes, who will talk this afternoon, is the master of splitting into parts, and in the hybrid entity concept, you can actually have a hybrid person. It has gotten to be so dysfunctional in terms of collaboration that if you are in the school of medicine at Hopkins, for example, and your research study is reviewed and approved and you are gathering protected health information from and through the covered entity, your research study is going to be part of a covered activity.
From page 35...
... Trying to differentiate between what is deemed to be part of our mission and for which we can use protected health information and what we need permission for is a difficult crosswalk. I will just summarize the first of the issues I planned to discuss, because we talked a little bit about it already.
From page 36...
... I think it is very, very confusing to people, particularly in our cancer research studies, to be confronted two years after the original trial with another authorization form when they are not enrolling in any new research or new clinical trial. I think the Common Rule, FDA rules, and the interpretation of the HIPAA privacy regulations should be the same, that is, a person may consent to future unspecified research if the description of what is allowed is sufficiently clear, and I believe that this change does not require an amendment to the HIPAA privacy regulations; instead a change in HHS's interpretation of the Privacy Rule would be needed.
From page 37...
... I believe the solution is to amend the HIPAA Privacy regulations to state that if the Common Rule or FDA rules are followed, no accounting for disclosures would be required. If the Common Rule or FDA rules are not followed, then an accounting would be required.
From page 38...
... It's burdensome and the application of the minimum necessary standard is uncertain. HIPAA privacy regulations should apply only to true medical records, not all protected health information maintained in the archives.
From page 39...
... They are very grateful for IRBs at academic medical centers and others that look out for and help understand and think through the risks and how to provide appropriate informed consent. That said, they are research companies, and they regard the data that they collect as really, really important.
From page 40...
... Since the Privacy Rule doesn't apply in non-covered entities, the presumption is that the research data are unprotected. You heard it this morning.
From page 41...
... The objective of HIPAA is excellent: protecting privacy while ensuring health care and health benefits by keeping protected health information within covered entities. On the research side, however, research institutions are trying to both protect research and the privacy of those who choose to participate in research.
From page 42...
... Research facilities that are not covered entities have a regulatory advantage over those that are subject to HIPAA. We have guidance for the various rules, but I am not sure we have anybody that has the jurisdiction to get the guidances harmonized, to advise on how to put the HIPAA parts together with the FDA and Common Rule parts, and as a lawyer I am going to be interested to see as we go forward whether we can find somebody that can do that.
From page 43...
... But we have a problem with the limited data set also, because who can sign the data use agreement? The risk is on the covered entity.
From page 44...
... It is also a problem for the sponsors when IRBs think that in reconciling the differences between them, they have to impose on the sponsor/recipient the same use restrictions that would apply if the sponsor was a covered entity. This goes well beyond the kind of restriction that Joanne talked about, such as promises not to use the data in marketing.
From page 45...
... Some IRBs think HIPAA requires them to prohibit in the informed consent any statements about how the sponsor will use the data. So, some IRBs say you can't say this is how you are going to protect the data, or you are going to use it for cancer research, or you are going to make it available for cancer research under oversight of some other IRB, because that is not under IRB supervision.
From page 46...
... I think that one way would be to do some case analyses in selected cancer centers, for example, to actually gather data on the protocols that were considered in that institution over the last six months, group clinical trials, epidemiologic studies -- what was the impact? How many protocols
From page 47...
... It would just be additional man hours. So, I doubt there are data that would assign a specified amount of time spent on HIPAA compliance as is being suggested about the IRB protocols.
From page 48...
... Dr. Patricia Ganz, Professor of Medicine, UCLA: One of the things that was addressed earlier on is that many of these issues are in the Common Rule already, and there was already a lot of variability in the way in which IRBs were handling their work.
From page 49...
... Perhaps there is higher compliance with those elements as a result, but it came about in a very arcane way given that, as was said, the Privacy Rule was not meant to emphasize research; it was really meant to focus on the covered entity and data transfer. To me it caused a paradoxical improvement in use of the Common Rule, but at a huge administrative burden and cost.
From page 50...
... Data on those two questions: what science isn't being done and what patients aren't getting that they might want, I think, could be gathered through case studies at four or five, or some group of, major medical centers. Anecdotes become data at some point.
From page 51...
... With regard to public health practice as opposed to research, the Privacy Rule expressly permits disclosures of HIPAA protected health information without individual authoriza
From page 52...
... , state legal departments, and many private firms on the new requirements and how best to communicate those requirements to the covered entities. Guidance on the Privacy Rule was that it allows covered entities to disclose protected health information to registries as required by state laws.
From page 53...
... A determination that the program is not a covered entity but is, in fact, a public health program funding the provision of health care is one of the issues that has been actively worked through with regard to HIPAA. The program has also had to work through ongoing communications with covered entities to enable the continued submission of surveillance data, including identifiable information, by more than 21,000 practices.
From page 54...
... Therefore, it is disclosed, and we had to get IRB approval, the data use agreement, and the accounting documentation, et cetera. So, there was a lot of training required of our field staff on the intricacies of the HIPAA privacy rule, a lot more provider materials, the provider web site, and all kinds of information.
From page 55...
... But most of the data that we collect is de-identified. What about the response rates for these particular items, the ones that were indirectly identifiable, and some that were de-identified, before and after HIPAA?
From page 56...
... Dr. Burt: If our field staff did the abstraction, they might see the sampling sheet, the people who were sampled for the abstraction, or they might see the name on the medical records.
From page 57...
... : The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was written to facilitate continuation of health insurance coverage among American workers who change employers, specifically "to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes." The Act contains a Privacy Rule, an extensive set of policies and procedures intended to protect the privacy of health information in the use and disclosure of data covered by the Act.
From page 58...
... Understanding the nature, magnitude and impact of this problem will require further research. Population-based cancer registries are used in many ways for research including descriptive analysis of routinely collected data, special studies requiring collection of additional data from medical records, record linkage studies, and direct patient contact studies.
From page 59...
... Sarah Carr, Senior Advisor, Office of Science Policy, NIH, NIH Perspective: Questions about the Impact of the Privacy Rule on NIH Supported Research: NIH is very pleased to be participating in this Forum session, and we welcome your exploration of the HIPAA privacy rule and its impact on health research. I am standing in today for Dr.
From page 60...
... I will now review some of the harmonization issues we see. As we discussed today, research is regulated by the Common Rule, FDA regulations at times, as well as the HIPAA Privacy Rule. There are important differences between the Privacy Rule and the Common Rule -- for example, the scope and applications of the Rules differ; and they define key terms in different ways -- that can result in confusion and inconsistency in interpretation.
From page 61...
... The Common Rule has been interpreted by OHRP to permit informed consents that are broader than for a specific study, whereas the current interpretation of the Privacy Rule requires authorizations to be study specific. There are also content differences between consents and authorizations.
From page 62...
... Or are there more fundamental problems at work, and if so, what can be done about them? Another question for us is whether the complexity of the Rule and differences from the Common Rule create inefficiencies and barriers without providing any additional privacy protection.
From page 63...
... Are there ways to reduce the complexity and burden of the Privacy Rule on research while continuing to provide the necessary privacy protections for research participants? NIH also thinks we need to share perspectives about the benefits of research and the value of privacy and collectively address whether these two important goals are still in balance.
From page 64...
... Paula Kim, Translating Research Across Communities (TRAC) Network and Mary Lou Smith, Y-Me, National Breast Cancer Organization and Co-Founder, Research Advocacy Network, Patient Advocacy Perspectives: Importance of Balancing Privacy Protections and Research Data Sharing in Advancing Public Health: Ms.
From page 65...
... What I heard today is that we have federal law and we have state law and sometimes those two don't match up and that is one place where there is confusion. We have HIPAA law, IRBs and the Common Rule.
From page 66...
... At the end of the day, however, patients have to understand all this and buy into it, buy into research. We know we only have three percent of cancer patients that accrue to clinical trials.
From page 67...
... We have talked a little bit about potential duplication in the regulation of research. Now let me briefly talk about the era of personal genetic information as it relates to what we are doing with the data, the sharing, the information, and the data release.
From page 68...
... EFFECT OF THE HIPAA PRIVACY RULE ON HEALTH RESEARCH I don't think I am sharing with this community anything that you don't already know. I would offer, however, based on my experience from eight years working on behalf of advocates, and also working very closely with the NCI, FDA, industry, and with researchers, that agencies and the research community (of which I consider industry a part)
From page 69...
... I think we need to clarify what are best practices and ways of getting information about best practices out to the research community. Right now, there is not enough clarity and many varying interpretations of the HIPAA Privacy Rule.
From page 70...
... Health services research looks at the quality of health care, the cost of health care, and access to care. There are types of research that fall under the Common Rule, and there are types of health care research that involve large data repositories or survey information.
From page 71...
... Most universities we found had identified themselves as hybrid entities with the medical school and related services being covered entities, and all the research firms and schools of public health were non-covered entities. In most cases, IRBs had the responsibility for both the Common Rule and the Privacy Rule, although some had a subcommittee to handle HIPAA matters.
From page 72...
... Almost half (45 percent) described a study that had been stopped or altered because of the HIPAA Privacy Rule.
From page 73...
... Now let us turn to Mark Barnes. Mark Barnes, Esq., Partner, Ropes and Gray, New York, SACHRP Recommendations for Changes in the Privacy Rule Regarding Health Research: I think the reason that I was asked to talk today was to tell you about the Secretary's Advisory Committee on Human Research Protections' (SACHRP)
From page 74...
... Those of you who know HIPAA know the requirement that deals with disclosure of identifiable health information for research purposes that is not permitted by an authorization. In these circumstances, a covered entity, primarily an academic medical center, a physician group practice, or a mental health facility, among others, is required to document in the individuals' medical records that were reviewed, who accessed the records, on what date, for what purpose, and how much of each record was accessed.
From page 75...
... But whatever happens, it has resulted in a massive amount of attention, time, effort, and energy devoted to recording these disclosures in all of these medical records all over the country, and it can provide a disincentive for institutions to allow research studies involving over 50 subjects. So, SACHRP said, after noting these problems, that we thought it ought to be sufficient, even for disclosures outside the covered entity pursuant to a waiver that had been granted by an IRB or privacy board, to inform patients when they come into the facility and they get their notice of privacy practices, that this is a research institution, or we assist research, and this is what happens here.
From page 76...
... The limited data set was designed as a particular exception within the HIPAA standards, that allows a covered entity to retain treatment dates, other dates of service, as well as geographic identifiers in a disclosure, just not specific street addresses, but there has to be a limited data use agreement between all the parties that are sharing the information. The result is that there are data use agreements all over the place; there are data use agreements that are just signed as a matter of course.
From page 77...
... So, in the end we said rather than focusing on these fine distinctions between the internal and external researchers created by the preparatory to research interpretations, there should be a more functional definition. The key to the distinction and the ability of researchers to use protected health information should be based on whether the covered entity exercises effective control over that individual's activities.
From page 78...
... Identifiers can be omitted, and the repository information can be anonymized under the Common Rule, but then if the consent didn't originally say that the data or the specimen or both would be anonymized, what does it all mean? Where are the lines?
From page 79...
... Now, this next is a somewhat obscure point, so I will spend little time on it, although it actually makes a great deal of difference for IRBs and privacy boards. Under the Common Rule there is a set of activities that would be human subjects research except for an exemption.
From page 80...
... Under HIPAA on the other hand, that same activity in the context of a research study is itself a use of data that is not exempt from the requirements of HIPAA authorization or of a waiver from a privacy board or IRB. So, the bottom line is that there is an activity that is exempt under the Common Rule, but, because it involves identified data, it is not exempt under HIPAA.
From page 81...
... In fact, we have used a condensed authorization form in some cases, processing it through the IRB or privacy board for approval. Finally, let me touch on access to protected health information by public health authorities which is a particular issue in cancer.
From page 82...
... So, anyway, we asked that OCR determine that quality assurance agencies that are part of government, or quasi-government agencies, or agencies like AHRQ, are public health authorities so that they need not go through individual privacy board waivers or authorizations to do their work. Those were our recommendations that we sent to Secretary Thompson.
From page 83...
... Ask some questions to get at the involvement of others, even some that previously may not have been involved in research issues. I have never gone to a meeting about IRBs and the Common Rule where there were so many lawyers, but conversations about HIPAA always involve a lot of lawyers.
From page 84...
... This completes the workshop on the effects of the HIPAA Privacy Rule on health research.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.