Stats: HIPAA and research (September 22, 2005)

HIPAA and research (September 22, 2005)

This page is moving to a new website.

I am collaborating with researchers at another institution, and they are requiring me to take their training modules on research protection, even though I have already taken similar training here at Children's Mercy Hospital. I could gripe and grumble, but it is an opportunity for me to review some very important material. I'm going to quote some of the training material and add some comments of my own.

First of all, what is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that is best known for allowing individuals to maintain health insurance when they change employers. An additional purpose of HIPAA is to provide security and privacy for health information. The privacy section of HIPAA, called the Privacy Rule, governs the uses and disclosure of patient information for all purposes, including for research.

The main concern of HIPAA for a researcher involves the use of individually identifiable health information. As a researcher, you need to make sure that IIHI does not get disclosed to the wrong people. There have been incidents where patients with health care problems that they wanted to keep private were instead subjected to aggressive marketing by drug companies. If you think about it, the temptation for the drug companies is almost irresistable. If they could get their hands on a list of people who suffer from a malady that they have a new drug for, they would be able to send their promotional literature only to patients who they knew would benefit from that drug.

When patients share their health care information, they want to make sure that it goes only to people who really need that data to provide them with the treatments that they need. They don't offer up their information to help drug companies make a bigger profit.

As a general rule, you need to ask the patients permission before you share any IHII with a research group. The HIPAA web site mentioned five exceptions to the need to get permission.

a) a waiver of the individual authorization requirement is obtained from the Human Subjects Committee
b) the information is completely de-identified and no longer governed by HIPAA
c) the information is compiled into a “limited data set” and a data use agreement is executed
d) the activity qualifies as “preparatory to research”
e) the researcher is accessing information solely on decedents

The request for written authorization should provide your patients with the following information:

* A description of the information that will be used or disclosed
* The names or classes of individuals authorized to make the use or disclosure
* The names or classes of individuals authorized to receive the use or disclosure
* Description of each purpose of the requested use or disclosure.
* An expiration date or event for the authorization
* A statement that the individual has a right to revoke the authorization
* A reference to the covered entity’s right to condition service on the authorization, or the consequences of refusal to sign
* A statement that the information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer protected by the Privacy Rule
* The subject’s right to a signed, dated copy of the authorization

The IRB can waive individual authorization if you can convince them that

the research could not practicably be conducted without the alteration or waiver; and the research could not practicably be conducted without access to and use of the protected health information.

They give an important reminder that you should only collect the minimum amount of information necessary to do the research. So, for example, your should not ask for a birthdate when an age would be sufficient information.

If you do ask for a waiver of authorization, be sure that you can show that you are a responsible person who is respectful of privacy. You do this by providing

i. An adequate plan to protect the identifiers from improper use and disclosure;

ii. An adequate plan to destroy the identifier at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and

iii. Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by the Privacy Rule;

A limited use data set contains no direct identifiers (such as name or address) but which does contain information that could potentially identify a patient indirectly. I heard a story, which I have not been able to verify, but supposedly, if you know a person's birthdate and their five digit zip code, you can figure out who that person is exactly. But studies that look at time trends or geographic clustering will need such information. To share such information outside the health care organization that you work for, you need to negotiate a limited use data agreement. This agreement requires that the third party will not to use the indirect identifiers to try to discover the true identity of any patient. The agreement also requires them to use appropriate safeguards with the data.

A review preparatory to research is limited access to IIHI to determine things like how many eligible research subjects you might be able to accrue over a limited time period and if the existing records contains sufficiently detailed information to allow you to conduct your research. This web site reminds you though that

The preparatory review may not be used for study recruitment because researchers may not record names and contact information from the charts. Neither can this provision be used to answer a scientific question.

The web site also covered a lot of other important topics:

how to conduct research on people who have already died,
who is allowed to recruit patients to a study,
how to set up a research repository,
research subjects access to research records, and
computer security issues.

All of these are worthy of future discussion on my weblog and I'll try to talk about them when I get time.

I had to take a quiz and I got one question wrong:

For your research project, you request tissue samples that are labeled without identifiers, except for the date of surgery. How will you obtain the samples?

Written authorization from the patient

Data Use Agreement

Waiver of authorization

A statement in the consent to treat

I had selected the first bullet. If this is a prospective trial, there is no way that you can argue that it is impractical to get written authorization, because you already have to get consent to perform the surgery. It is indeed possible under certain conditions to use a data use agreement instead, or maybe to get a waiver of authorization, but I would have thought that the first option should be used whenever possible. The web site itself states that

Written authorization from the subject is the default requirement for use of health information in research. Prospective research, such as a clinical trial, generally requires this type of permission.

Now granted, the question didn't state explicitly that this was prospective research, but I would have thought that they would have worded the question using a phrase like "sample from a tissue bank" if the study was retrospective.

That's a minor quibble, though, considering that I could get one question wrong and still pass the quiz.

Further reading

Stats: Privacy concerns in research