Health Information Compliance Alert

When medical researchers were forcefully wed to HIPAA compliance, the union presented a myriad of challenges but as with all marriages with proper communication, that bond can flourish.

The challenges presented to medical researchers and research-oriented organizations by the Health Insurance Portability and Accountability Act are numerous, especially as it applies to the use and disclosure of protected health information. Even though the privacy rule hasn't yet been finalized, there are several issues researchers must be aware of in order to comply.

One of the biggest HIPAA challenges to medical research will be altering the criteria that Institutional Review Boards have to consider in order to waive individual authorization. The privacy standards require covered entities that conduct research to get an individual's authorization to use their health information in connection with research. However, there are ways of getting around that authorization, says Kristen Rosati, an attorney with Phoenix-based Coppersmith Gordon Schermer Owens & Nelson.

Rosati tells Eli that in order to get a waiver of the authorization, covered entities need to have either an IRB or a "privacy board" consider various factors in order to waive the individual authorization. She says when covered entities submit research proposals whether it's to their own IRBs or as a contract with outside IRBs that perform that function for them it's important to ensure that once they submit a proposal, they also educate the IRB about the new waiver criteria.

The best way to get a handle on the new waiver criteria is to take another look at the proposed modifications to the privacy rule to determine what level of risk is presented to privacy.

Rosati says the proposed modifications "kind of reorganize the waiver requirements in a way that makes a little more sense." Rosati points out that the IRB or the privacy board have to consider a number of issues in evaluating privacy risks, including whether there's an adequate plan to protect the identifiers from improper use or disclosure.

They also have to consider whether there's a suitable plan to destroy the identifiers when the research is done unless there's some type of justification to retain the identifiers, such as if they're going to pull up these research results later for longitudinal studies. Finally, they have to consider whether there are any written assurances that whoever gets the information won't be further disclosing it. Basically, Rosati asserts, privacy boards have to ensure that there's a plan in place to protect the patient information.

But these are criteria that IRBs do not presently consider, Rosati admits, so it will be a real challenge to get IRBs up to speed on making sure they include these new waiver criteria, criteria that might include having to consider whether the use or disclosure of protected health information involves more than a minimal risk to the privacy of individual patients.

And the IRB or privacy board has to consider whether the research could be conducted without the waiver, like whether it's feasible to get all the participants' authorizations to use or disclose their information, and then they have to consider whether the research could be conducted without the information. All of those items are things that traditionally aren't included in what the IRB has to consider under the common rule.

Another challenge for covered entities will be negotiating their way through the morass of rules relating to when they can continue to use and disclose information gathered under prior research. The proposed rule says that if you have informed consent or you had an IRB determination to waive authorization to use or disclose information, or if you have secured patients' authorization before the compliance deadline of April 14 of next year, then you can continue to use and disclose information under that research study, whether you collect that information after the compliance date or before. Rosati thinks many will struggle with the complexity of these provisions.

Another issue that researchers that are covered entities will have to deal with is knowing when they have to include information about disclosure for research in the individual accounting, notes Rosati. In the proposed modifications to the privacy rule, the Department of Health and Human Services has proposed exempting any disclosures that are made under someone's authorization, so if a patient authorizes use or disclosure of his information for research purposes, "that will be exempt from the accounting requirement, but if the patient doesn't authorize the waiver, and if they proceed with the research under an IRBs waiver of individual authorization, then that disclosure is not exempt from the accounting requirements," explains Rosati. She says that covered entities will have to be able to "capture disclosures they make for research purposes where there's not an individual authorization in place."

And even some at the HHS agree that researchers are facing tough times. Julie Kaneshiro, senior policy analyst at HHS' Office of Human Rights Protections,saysresearcherswillhavetrouble incorporating HIPAA's requirements into the existing research structure of an IRB review, but she believes education will help to mitigate confusion.

Kaneshiro understands the frustration in the industry, but thinks much of the concern might be allayed with some additional information about the regulation.

One thing she encourages the research community to do is to get involved in discussions with their parent organization, making sure the parent organization is aware of their research needs, and is building systems that will accommodate them. "A lot of organizations are proceeding without research in mind, but to try to jump in afterwards might be more difficult after all the structures are in place." So, it's essentially up to researchers to ensure their parent organizations accommodate their needs within the confines of the regulation.