Privacy Issues for Researchers (HIPS Series)

How to take this course

Hyperlinks to supplemental content are provided, should you wish to read more about a particular topic.  This extra material is optional.  It is not covered on the associated course quiz.  The supplemental content will usually be presented in a new browser window, which you may close at any time.

For the recommended reading sequence for these materials, see the HIPS Series Overview.

Approximate reading time for this course is 20 minutes (exclusive of linked content). The quiz for this course is here.

•  •  •  •  •

1. Why are you, as a researcher, here?

If you are a practicing researcher, we know you are very busy.  We want you to understand why you have been directed to spend time on these additional privacy-related materials.

As discussed at length in the introductory privacy course, protections for health information are required by Federal laws, such as HIPAA.  Every state also has its own requirements.  So do private certification organizations, such as JCAHO.

If you have access to health information, it is required that you know how to protect it.  And if you use health information for research, you need to know the specific legal limitations that apply to that activity.

2. Federal and state protections

Most researchers are already familiar with meeting federal standards for the protection of human subjects.  The majority of biomedical and behavioral research in the US is subject to the DHHS-codified "Common Rule" (45 CFR 46) and/or the analogous regulations of the FDA (21 CFR 50 and 56).

The Common Rule and FDA protections focus on the rights, safety and welfare of research subjects, including such matters as informed consent and appropriateness of risks relative to benefits.  They also include attention to subjects' privacy and the confidentiality of information.

HIPAA's health-information-focused protections are in addition to these, not a replacement.  Protocol reviews using Common Rule/FDA criteria by IRBs are unaffected by HIPAA.

Where state laws and regulations are also in place to protect research subjects, these too remain in effect.  As discussed in the introductory course, HIPAA generally defers to state protections that are more stringent with respect to privacy.

3. Who enforces HIPAA's research protections?

HIPAA provides that covered entities may create a new body, called a Privacy Board, to review research requests (such as applications for waiver of authorization) under HIPAA's rules.  Alternatively, a covered entity may choose to rely on an IRB to assess compliance with both the FDA/Common Rule requirements and the HIPAA research requirements.

Membership requirements for a Privacy Board are very similar to those for IRBs -- e.g., diversity, outside membership, avoidance of conflicts of interest.

A covered entity may also leave some decisions about compliance with the research provisions of HIPAA to its privacy official, such as determinations about whether a particular use or disclosure application needs Privacy Board/IRB review.

Research subjects, like patients generally, have recourse to the Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) in the event they are not satisfied with the local bodies' protective efforts.

4. What is "research" ... and what is not?

HIPAA defines research as any "systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge."

Not all kinds of research-like activity are included in this definition, however:

  • Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines or protocols, fall under the category of health care operations -- provided the primary aim is not obtaining generalizable knowledge.
     
  • Activities that aim primarily for generalizable knowledge of population health can fall into the category of public health activity.

Usually a determination by at least the organization's privacy official is required to designate an activity as "not research."

5. Authorization for research

HIPAA generally requires separate, explicit authorization from patients to use their protected health information (PHI) for research activities.  By contrast, HIPAA's "big-three" -- treatment, payment and health care operations -- require no separate authorization.  Neither does public health.

As with any other planned information activity, research must be mentioned in the entity's privacy notice.

An authorization is not always required, however.  HIPAA provides the following pathways for research uses and disclosures of PHI, each branch of which is explained in the sections below. Authorization is required, unless...

  • Waiver of authorization requirement is granted by Privacy Board/IRB.
     
  • Research meets exceptions to authorization requirement for:
    • activities preparatory to research,
    • use of decedents' information, or
    • other disclosures required by law.
       
  • Research is conducted with limited data set under a data use agreement.
     
  • Only de-identified data is involved.

6. Authorization waivers

An organization's IRB or a Privacy Board may determine that a waiver of the authorization requirement is appropriate, if the following criteria are met.  (These will be familiar to anyone versed in the Common Rule.)

  • Use or disclosure of the PHI involves no more than minimal risk to privacy of the research subjects, based on the following elements:
    • an adequate plan to protect data identifiers from improper use and disclosure;
    • an adequate plan to destroy data identifiers at the earliest opportunity consistent with conduct of the research (unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law); and
    • adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by HIPAA.
       
  • The research could not practicably be conducted without the PHI.
     
  • The research could not practicably be conducted without the waiver.

More about what counts as a "data identifier" is provided in the section below on limited data sets and de-identified data.

7. Authorization exceptions

Alternatively, criteria are provided for exceptions to the authorization requirement:

  • Where the protected health information (PHI) will not leave the covered entity, will be used solely for reviews preparatory to research (e.g., for protocol development), and the researcher represents that such access is essential.
     
  • Where the PHI refers solely to deceased persons (the covered entity may ask for documentation of death), and the researcher again asserts that such access is essential for the research.

Covered entities may determine their own processes for approval of these "representations."  That may involve a submission to the organization's privacy official. Or such requests may go to the Privacy Board or IRB, as with an application for a waiver.  In the latter case, the process will typically be analogous to "expedited review" under the FDA/Common Rule.

Disclosures required by law also are excepted from the authorization requirement.

8. Limited data sets, de-identified data

There are also two pathways that avoid the authorization requirement altogether.

First, a covered entity may disclose PHI in a limited data set (LDS) to a researcher who has entered into an appropriate "data use agreement."  An LDS must have all direct identifiers removed (names, street addresses, phone and fax numbers, e-mail addresses, Social Security and medical record numbers, health plan, account, certificate and license numbers, vehicle and device identifiers, URLs, IP addresses, biometric identifiers and full-face photographs).  It may still contain dates (birth, death, admission, discharge), city, state and ZIP code, and ages -- elements that could "indirectly" identify the subject when linked to other data or analyzed statistically.

The data use agreement must delineate the permitted uses and disclosures of such information by the recipient, consistent with the purposes of research; limit who can use or receive the data; and require the recipient to agree not to re-identify the data or contact the individuals.  (For more details, see the LDS link.)

Second, a researcher may use health information that has been fully de-identified; once de-identified, it is no longer PHI.  As the name implies, de-identified information must have all direct and indirect identifiers removed or generalized (e.g., dates reduced to the year), to eliminate -- or at least make highly improbable -- re-identification using statistical techniques.  HIPAA recognizes two routes: removal of a specified list of identifiers (the "safe harbor" method), or a documented determination by a qualified statistical expert that the risk of re-identification is very small.  (For a list of what must be removed, see the link.)

Limited data set and de-identified data use are exempt from the disclosure accounting requirements.  A limited data set remains PHI, however, and is still subject to the minimum necessary standard; de-identified data, no longer being PHI, falls outside the Privacy Rule altogether.  More about those in the next two sections.
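To make the difference between a limited data set and safe-harbor de-identified data concrete, here is an added example (not part of the original course, and not an HHS or University of Miami tool).  The identifier categories follow 45 CFR 164.514(e)(2) for the LDS and 164.514(b)(2) for safe harbor; the field names, the regular expressions, and the sample patient record are assumptions constructed for this example, and the set of low-population three-digit ZIP prefixes is left to the caller because it must come from current HHS/Census guidance.

```python
import re

# Direct identifiers (45 CFR 164.514(e)(2)) removed from an LDS and from
# de-identified data alike.  Field names are an assumption for this example;
# a real pipeline maps its own schema onto them.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
})
# Quasi-identifiers an LDS may keep but safe harbor (164.514(b)(2)) must reduce.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})

# Identifier-shaped substrings that slip past a field-name filter inside free text.
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
_PHONE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
_ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
_MDY_DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")
_PATTERNS = (("ssn", _SSN), ("phone", _PHONE), ("email", _EMAIL),
             ("date", _ISO_DATE), ("date", _MDY_DATE))


def to_limited_data_set(record):
    """Drop the direct identifiers; keep dates, city/state/ZIP and age.
    The result is still PHI and may only leave the entity under a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def year_only(date_str):
    """Return the year of an ISO (YYYY-MM-DD) or US (M/D/YYYY) date, else None."""
    m = _ISO_DATE.fullmatch(date_str)
    if m:
        return int(m.group(1))
    m = _MDY_DATE.fullmatch(date_str)
    return int(m.group(3)) if m else None


def zip3(zip_code, low_population_zip3):
    """Safe harbor keeps the first three ZIP digits unless that prefix covers
    20,000 people or fewer, in which case it becomes 000."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in low_population_zip3 else prefix


def scrub_free_text(text):
    """Mask SSNs, phone numbers and e-mail addresses; reduce full dates to the year."""
    text = _SSN.sub("[SSN]", text)
    text = _PHONE.sub("[PHONE]", text)
    text = _EMAIL.sub("[EMAIL]", text)
    text = _ISO_DATE.sub(r"\1", text)
    return _MDY_DATE.sub(r"\3", text)


def to_deidentified(record, low_population_zip3=frozenset()):
    """Apply the safe-harbor rules on top of the LDS filter."""
    lds = to_limited_data_set(record)
    over_89 = isinstance(lds.get("age"), int) and lds["age"] > 89
    out = {}
    for key, value in lds.items():
        if key == "city":
            continue                          # subdivision smaller than a state
        if key in DATE_FIELDS:
            if key == "birth_date" and over_89:
                continue                      # even the birth year would reveal age > 89
            year = year_only(value)
            if year is not None:
                out[key.replace("_date", "_year")] = year
        elif key == "zip":
            out["zip3"] = zip3(value, low_population_zip3)
        elif key == "age":
            out["age"] = "90+" if over_89 else value   # ages over 89 are pooled
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


def residual_identifier_hits(record):
    """Check step: (field, pattern) pairs whose text still matches an identifier shape."""
    return [(key, name) for key, value in record.items() if isinstance(value, str)
            for name, pat in _PATTERNS if pat.search(value)]


# Constructed, fictional record used to exercise the filters.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "000123456",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "street_address": "1 Example Way",
    "city": "Miami",
    "state": "FL",
    "zip": "33136",
    "birth_date": "1931-02-05",
    "admission_date": "2021-03-14",
    "age": 91,
    "diagnosis": "E11.9",
    "notes": "Pt called 305-555-0142 on 2021-03-15; follow up with dr@example.org",
}
```

Running `residual_identifier_hits` on the LDS output shows why an LDS is still PHI: the dates and the narrative field still carry identifying material, while the de-identified output comes back clean.  The regex scrub is only a check on structured and free-text fields; safe harbor also requires that the covered entity have no actual knowledge that the remaining information could identify the individual, and the expert-determination route is a separate, documented process that this filter does not replace.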

9. Minimum necessary

Information uses and disclosures for research that proceed without an authorization -- under a waiver, an exception, or as a limited data set -- are subject to the minimum necessary standard.

A covered entity may rely on a researcher's documentation -- or the assessment of a Privacy Board or IRB -- that the information requested is the minimum necessary for the research purpose.

By contrast, research information obtained using an authorization is not bound by the minimum necessary standard -- on the theory that the research subject has given explicit permission for whatever information access the research team deems to be necessary.  (We don't think this makes ethical sense, but it is the rule.)

10. Disclosure accounting

Disclosures for research operating under a waiver/exception to the authorization requirement are subject to accounting requirements.  Where the study involves 50 or more records, that can be met by providing individuals with:

  •  a list of all protocols for which their PHI may have been disclosed, along with the timeframe for those disclosures;
     
  •  the purpose of those protocols, and the types of PHI sought; and
     
  •  the researcher's name and contact information for each study.

Covered entities must assist subjects in contacting researchers when they have questions about a disclosure or any other aspects of the protocol. 

Where fewer than 50 records are involved, the listing must be more specific and detailed, commensurate with the requirements for other kinds of PHI disclosure accounting.  (For more about that, click here.) 

Covered entities may still choose to impose more detailed reporting requirements for research, even on larger studies.  (DHHS "encourages" providing more detail, but does not require it.)

Disclosure accounting is not required for data disclosures made under authority of an authorization by the subject him/herself, or for those that are part of a limited data set or de-identified data.

As with the waiver of the minimum necessary standard, the rationale for the first of these is that the research subject has given specific permission for the use of his/her data in a study, and thus needs no notification of that activity.

11. Characteristics of authorizations

When they are required, authorizations must be executed in writing and signed by the research subject.  The authorization must be "in plain language so that individuals can understand the information contained in the form, and thus be able to make an informed decision."

HIPAA authorizations are normally required to have an explicit expiration date.  In the context of research, it is sufficient to specify an expiration event -- such as "the end of the study."  Or a research authorization can have no expiration date at all, though this absence must be clearly indicated.

As with FDA/Common Rule requirements for informed consent, there are many format and content specifications for a HIPAA research authorization.  (We cover only the highlights in this course.  Click here if you want more.)  Researchers probably should rely on standard models rather than creating their own authorizations or other documents -- particularly if their organization's IRB or Privacy Board has favorites.

Normally, HIPAA authorizations cannot be combined with other types of documents (such as a privacy notice).  However, research authorizations can be combined with any other legal permission related to the study, including another authorization or a Common Rule/FDA informed consent.  If there are multiple documents that limit information use or disclosure, the most restrictive one applies.

DHHS has noted that it may be advisable -- though not required -- to include the following in the research authorization:

  • How PHI obtained for a research study may be used and disclosed for treatment, payment and health care operations. (Note that research-related treatment can be conditioned on provision of a research authorization.  However, treatment not related to the research cannot.)
     
  • Information about sources of funding for the study and payment arrangements for investigators.  Consistent with general recommendations about informed consent, the view is that any information that might be "material to the potential subject's decision-making" should be included.

12. Revocations of authorizations

Like other kinds of HIPAA authorizations, those for research may be revoked by the subject at any time, provided that the revocation is in writing.

Revocation of an authorization is not valid to the extent that the covered entity has taken actions relying on it, such as in the provision of prior treatment.  And such revocations may be limited "as necessary to maintain the integrity of the research study."

The latter qualification would, for example, permit the continued use and disclosure of already-gathered PHI (e.g., for subsequent statistical analyses and reporting).  It would not allow new data to be collected or used. 

13. Recruiting into research

It is still permissible under HIPAA to discuss recruitment into research with patients for whom such involvement might be appropriate.  This common practice is considered to fall within the definition of treatment. Typically such a conversation would be undertaken by one of the patient's regular health care providers.

By contrast, a patient's information cannot be disclosed to a third party (even another care provider) for purposes of recruitment into a research study without an authorization from the individual or an approved waiver/exception of authorization.

Because of conflict of interest issues, organizations may choose to place limits on recruitment where a regular treatment provider is also an investigator for the protocol into which the patient is being recruited. But HIPAA does not cover this circumstance.

14. "Retrospective" research

It has been a common practice to "browse" -- or "data mine" -- existing health data collections, looking for interesting patterns that could translate into research possibilities.  DHHS has reiterated in its commentary that use or disclosure of PHI for retrospective research studies may be done only with patient authorization or a waiver/exception from an IRB or Privacy Board.

It shouldn't be difficult to meet one of the waiver/exception criteria for most efforts of this kind.  (For example, in-house examinations may be qualified as "preparatory to research.")  But this is considered research -- even if you are "just looking around" in a casual way.  You can no longer proceed on your own without any permission.

15. What does HIPAA really add?

Although the specifics are lengthy, the net administrative burden that HIPAA adds to existing Common Rule/FDA regulations is generally not a large one.  Compared to protocol approval generally -- and the details of informed consent particularly -- a HIPAA authorization is relatively easy. 

To approve a study under the Common Rule/FDA requirements, IRBs must already determine that there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.  Where researchers are meeting those requirements, HIPAA should change very little.  It'll just add a bit more paperwork.

16. Security matters too

Efforts to meet the Common Rule, FDA and HIPAA regulations' privacy requirements are only part of your task.  Research data collections must receive appropriate security protections for as long as they exist.  Sometimes that is for a very long time indeed.

Clinical data typically enjoy the security of an organized medical records system.  (Yes, we know it's not always all that organized.)  Research data are too often stored in hodge-podges of computer- and paper-based records with little or no attention to security. 

Whatever you collect, you must protect.  Research activities are not subject to a lesser standard for data protection under the HIPAA regulations.

17. If you remember nothing else

Here are the key points:

(1) Under federal law, research activity using protected health information generally requires authorization.

(2) Some minimally risky types of research will be permitted under waiver/exception determinations by a Privacy Board or IRB.  Others will still require direct authorization from the patient.

(3) Federal (HIPAA) privacy protections are in addition to the existing protections under the Common Rule and FDA regulations.

(4) If you're unsure about the particulars at your organization or have questions, consult with your organization's IRB or privacy officer.

•  •  •  •  •

Help us make this course better -- take the online course evaluation. The quiz for this course is here.

•  •  •  •  •


   © 2002-2006 Contributing authors and University of Miami School of Medicine