HIPAA and Research: How Have the First Two Years Gone?

HIPAA and Research: How Have the First Two Years Gone?

PERSPECTIVES HIPAA and Research: How Have the First Two Years Gone? DAVID S. FRIEDMAN, MD, MPH ● PURPOSE: To assess the impact of the Health Insuran...

136KB Sizes 0 Downloads 51 Views

PERSPECTIVES HIPAA and Research: How Have the First Two Years Gone? DAVID S. FRIEDMAN, MD, MPH

● PURPOSE:

To assess the impact of the Health Insurance Portability and Accountability Act (HIPAA) on research in ophthalmology. ● DESIGN: A personal perspective with a review of relevant publications. ● METHODS: Review of experience at a single institution as it transitioned to enforcing HIPAA guidelines. ● RESULTS: HIPAA has been costly to institutions and will continue to be so. At Johns Hopkins alone, nearly 26,000 employees have had to take HIPAA compliance training and pass examinations with an overall estimated cost of nearly $2 million in the first year. At the same time, complying with HIPAA regulations has increased institutional awareness of privacy issues. ● CONCLUSIONS: HIPAA has added a layer of regulation to research that has increased the burden of researchers but is unlikely to prevent most research from taking place. Although there are clear benefits to the heightened awareness of the implications of research on study subjects’ privacy, the costs of implementing HIPAA have been very high, and further refinements are likely necessary. (Am J Ophthalmol 2006;141:543–556. © 2006 by Elsevier Inc. All rights reserved.)

A

LTHOUGH SOME HAVE DECRIED THE ARRIVAL OF

the Health Insurance Portability and Accountability Act (HIPAA) as a major obstacle to carrying out research in the United States,1 the truth has been that with appropriate response to the privacy regulations adopted under HIPAA, virtually all research that was possible before the act remains so, and the rights of participants and individuals seeking health care have been better protected.

Accepted for publication Sep 19, 2005. From the Dana Center for Preventive Ophthalmology, Johns Hopkins University School of Medicine, Baltimore, Maryland. Supported in part by the Robert E. McCormick Scholars Award from Research to Prevent Blindness and the Douglas Jahnigen Scholars Award from the American Geriatrics Society. Inquiries to David S. Friedman, MD, MPH, Wilmer 120, 600 N Wolfe Street, Baltimore, MD 21287; e-mail: [email protected] 0002-9394/06/$32.00 doi:10.1016/j.ajo.2005.09.022

©

2006 BY

The HIPAA privacy regulations are an attempt by the US government to protect the privacy of individuals receiving medical treatment. The privacy regulations went into effect in 2003 and required both private medical offices and academic medical centers, among others, to take steps to ensure patient privacy. As a member of the Johns Hopkins Medical Institutions Review Board (IRB), I have had the opportunity to observe the impact of HIPAA on research in the academic setting. This editorial will summarize our experience from my point of view and offer guidance for those hoping to carry out research in the HIPAA era. The privacy regulations clearly define what information needs to be protected to be in compliance, and this information is called protected health information (PHI). PHI is individually identifiable health information. The rules for the use of PHI can be viewed as divided into three categories: category I, which allows the use of PHI in connection with treatment, payment, and billing for services, and health care operations; category II, which allows the use of PHI in research with a signed authorization by each study subject or a waiver of this requirement by either an Institutional Review Board or a Privacy Board; and category III, which allows the use of PHI in situations that do not require HIPAA authorization or waiver. Most human subjects research that retains identifiers falls into category II. Category III includes review of records preparatory to research, or research on a “limited data set” (see http://privacyruleandresearch.nih.gov/ pr_08.asp#8d for an extensive listing of what identifiers need to be excluded to satisfy this criterion). Limited data sets are restricted in what data may be stored to ensure that it would be difficult to identify an individual on the basis of the data collected. Also included in category III are disclosures of PHI that may be required by law (to the US Food and Drug Administration [FDA], or public health authorities, for example). As noted above, anyone conducting research in which PHI will be used generally must receive a signed authori-

ELSEVIER INC. ALL

RIGHTS RESERVED.

543

zation by each study subject or a waiver by either an Institutional Review Board of a Privacy Board. The committee approving the form of authorization or granting the waiver is most often an IRB (it is a natural role for the IRB because the mission of the IRB is to protect the safety and welfare of study participants), but is can also be a Privacy Board. PHI is broadly defined to include any information about an individual’s (living or deceased) health in any form (written, electronic, faxes, and so on). If the entity collecting the information is a covered entity or part of a covered entity, none of this information may be collected for research purposes without an authorization or the grant of a waiver. A covered entity is “a health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which HHS [Health and Human Services] has adopted a standard.” Written authorization from the research subject for the collection of PHI is also required unless the committee (I will refer to this as the IRB to simplify the discussion) grants a waiver of this requirement.

AUTHORIZATION AUTHORIZATION TO USE PHI MAY BE GRANTED BY A STUDY

subject either as part of the consent form, or separately as a unique document. This means either that the consent form for the study includes boilerplate language that explains the HIPAA privacy regulations and the rights and protections afforded to the participant, or there is a separate form. At Johns Hopkins, we have elected to incorporate HIPAA privacy language into the consent form. Arguments in favor of this are that it is easier to track acceptance of HIPAA policies by participants when only one consent form is used. Furthermore, it is more likely that consents will be completed without accidentally neglecting to obtain HIPAA authorization. However, the addition of HIPAA privacy language into the consent can make the process of consenting to the research actually being done even more confusing for the participant. The boilerplate language is generally in the back of the consent form, and is not brief—at Johns Hopkins, the HIPAA privacy language takes up nearly a full page of the consent form. The HIPAA privacy language fulfills the researcher’s obligation to explain how PHI will be handled by the researchers and includes a listing of all individuals who may at any time see the PHI (including funding agencies, lawyers for the hospital, and outside researchers). It also explains that the use of PHI generally is in perpetuity, but the subject can call and rescind this permission if so desired, and a number is listed for this purpose. One unsettling aspect of the HIPAA privacy regulations is that they apply only to “covered entities.” This means that some research organizations, pharmaceutical companies, and other corporations that do not fall under this definition are not subject to the privacy regulations. At Johns Hopkins we had one research participant lodge a complaint after an unrelated academic institution called her to join a research study. This happened because an outside recipient of PHI from our institution that was not a covered entity sold that person’s private health information (specifically, they sold her diagnosis) to another researcher hoping to recruit subjects. Believe it or not, although this would be strictly forbidden for Johns Hopkins to do without written authorization by the participant or an IRB waiver, it was completely legal for a noncovered organization receiving data from us to use it without limitation. In response to this event, Johns Hopkins altered its practices and now requires all research collaborators to agree not to use PHI for recruitment, advertisement, or related purposes when participating in research with us. The US Department of Health and Human Services (DHHS) writes: “The Privacy Rule will not directly regulate researchers who are engaged in research within organizations that are not covered entities even though they may gather, generate, access, and share personal health information. For instance, entities that sponsor health research or create and/or maintain health

WAIVERS THE PRIVACY REGULATION IS SPECIFIC ABOUT THE CIR-

cumstances under which an IRB may grant a waiver of written authorization. An IRB may only grant HIPAA waivers if the researcher demonstrates that the risk to privacy is minimal, that the research cannot be conducted without the waiver and that PHI is required to do the research. To guarantee that the risk to privacy is minimal, the investigator must have in place an adequate plan to protect privacy, must destroy the PHI at the earliest possible time, and must assure the IRB that the PHI will not be disclosed for any purpose other than the research itself unless required to do so by law. In addition, the investigator must clearly state the specific PHI that is being collected, and should collect as little PHI as possible. One interesting component of the HIPAA privacy provisions is that a waiver may be obtained from any IRB or Privacy Committee, so in multicenter studies only one IRB needs to review and grant the waiver request. It is over the issue of waivers that many of the initial problems with HIPAA (as it pertains to research) were encountered. Some institutions refused to allow waivers at times when such waivers were the only way to guarantee the successful completion of the research. For example, as a practical matter, studies involving physicians in private practice in which those physicians are exceedingly unlikely to identify and refer subjects can only be completed if an outside researcher is allowed to identify potentially eligible subjects through a review of charts. Initially some institutions did not allow this, but with greater clarification of the rules, it is clear that this is a legitimate reason for a waiver. 544

AMERICAN JOURNAL

OF

OPHTHALMOLOGY

MARCH 2006

information databases may not themselves be covered entities, and thus may not directly be subject to the Privacy Rule.” International studies pose unique problems. If a US researcher from a covered entity is involved in the study, the data collected by that researcher are subject to the privacy regulations when the researcher arrives on these shores with the data. Informing subjects in a rural village abroad that private information obtained and used in the US is subject to US laws and discussing with them how it is to be protected may be more confusing than enlightening. How this issue should be handled remains in flux.

The added layer of complexity for reviewing charts and referring subjects for research has led many institutions to try to have all patients presenting for care sign a HIPAA privacy authorization. Although this greatly simplifies the process, some patients will invariably refuse to sign, and the institution must keep track of this refusal and not allow any research involving PHI to be carried out with those patient’s medical record.

DISCLOSURES WHEN PHI IS DISCLOSED BY A COVERED ENTITY TO AN-

RECRUITING PATIENTS AND CHART REVIEWS REFERRING PATIENTS TO A COLLEAGUE FOR RESEARCH HAS

become more complicated since the enactment of HIPAA. If the physician carrying out the research also cares for the patient herself, then no authorization is required because the physician in question has the right to see that patient’s PHI. If one is referring a patient to a researcher, and PHI is part of the referral, then a signed authorization is required before referral (see below for a more detailed discussion of authorizations). If a researcher would like to limit the burden on her colleagues by prescreening potentially eligible subjects, she can receive deidentified data without an authorization. One other route for referring patients is to notify them of the research and allow them to contact the researcher directly. Although this is certainly the easiest approach, it is also the least likely to result in patient enrollment. Finally, the IRB may grant a waiver to allow for review of charts without HIPAA authorization, but all requirements for a waiver must be satisfied. For group practices, if a physician would reasonably be expected to have access to the patient’s medical records (for coverage, for example), then she would be able to review charts without a HIPAA privacy authorization or waiver. It is important to realize that the HIPAA privacy provisions do not supersede the general rules regarding human subjects research (Code of Federal Regulations Title 45, Part 46; and Title 21, Part 50). Therefore, in addition to requiring HIPAA authorization or waiver, all human subjects research must be reviewed by an IRB in accordance with federal regulations, whether or not an entity is “covered” by the privacy regulations. Chart reviews that collect identifiable data on living individuals qualify as human subjects research and as such require IRB review and approval. If no identifiers are collected, such research is exempt, which means that it does not require IRB approval, although many institutions require a submission to the IRB to ensure that the study satisfies the regulations regarding exempt research. VOL. 141, NO. 3

HIPAA

AND

other entity, it must be tracked in many situations. Any research subject can ask for a record of disclosures made in research protocols involving a waiver (for example, most records research) or most disclosures required by law. No tracking is required for disclosures where the subject has authorized the disclosure. This is a substantial burden on researchers because they are expected to record this sharing of data and have this record readily accessible. To date at Johns Hopkins, no request for an accounting has been filed by a research subject. As stated above, some disclosures are required by law. These include some state registries (for example, birth defects), reporting of communicable diseases, reporting to the FDA in sponsored trials, and disclosures to law enforcement (such as reporting suspected abuse).

ARCHIVAL RESEARCH PERHAPS THE GREATEST FAILING OF HIPAA IS THE UNDUE

burden it places on research on archives contained within covered entities. Medical archives that include collections of books, letters, and other materials are subject to HIPAA, whether or not they are specifically medical documents. This means that if a letter contains an allusion to a person’s illness, it cannot be shared for purposes other than research or published without an authorization by the person herself, or by a legal representative (if one can be found), even if the person is deceased. This means that for many archives for which no authorization can be obtained, before sharing materials with nonresearchers or allowing publication, an archivist must read the material, photocopy it, and black out any references to health conditions. This policy is incredibly inconsistent because a historical society (which is not a covered entity) can hand over entire documents without having to first redact the sections relating to health issues. Although true archival research in covered entities may proceed under HIPAA, free access to archival materials is clearly being hamstrung by this application of the regulations, and a more explicit approach in which only medical documents need to be protected would be more reasonable. RESEARCH

545

high-quality research can easily continue in the HIPAA privacy era. Has it been worth the price? It is hard to say. Implementing and keeping track of our compliance with HIPAA regulations has been extremely expensive, and the efforts at Hopkins have of necessity been duplicated at countless centers across the country. However, since the rollout of HIPAA, researchers are much more aware of the implications of the loss of privacy of their subjects, and the privacy of subjects is better protected.

CONCLUSIONS UNROLLING THE HIPAA PRIVACY REGULATIONS AT JOHNS

Hopkins has been expensive; it has required nearly 26,000 faculty and staff to pass a written test on their understanding of the privacy regulations, and it has resulted in a more cumbersome bureaucratic process before embarking on a research project. It is estimated that HIPAA compliance will cost Hopkins about $2 million annually. The HIPAA regulations have also created confusion at times, and may place obstacles in the way of important research projects. One author documented that a large number of applications to the IRB that required revisions were subsequently dropped and never carried out.2 Although the author worries about the lost research, I take the opposite point of view—poor studies or studies that did not protect the rights of participants were not carried out. Sitting on the IRB, it seems that in all cases a reasonable resolution of HIPAA privacy requirements can be achieved and that

546

AMERICAN JOURNAL

REFERENCES 1. Kaiser J. Patient records. Privacy rule creates bottleneck for U.S. biomedical researchers Science 2004;305:168 –169. 2. O’Herrin JK, Fost N, Kudsk KA. Health Insurance Portability Accountability Act (HIPAA) regulations: effect on medical record research. Ann Surg 2004;239:772–776.

OF

OPHTHALMOLOGY

MARCH 2006

Biosketch David S. Friedman, MD, MPH, is an Associate Professor at the Wilmer Eye Institute of Johns Hopkins University School of Medicine, Baltimore, Maryland, in the Department of International Health at Johns Hopkins Bloomberg School of Public Health. Dr Friedman received his Medical degree from Harvard Medical School, his Masters degree of Public Health from Johns Hopkins, and trained at Wills Eye Hospital, after which he served as a glaucoma fellow with Dr Harry Quigley.

VOL. 141, NO. 3

HIPAA

AND

RESEARCH

546.e1