2 Prepared Presentations and Discussion

Dr. Harold Moses, Chair, National Cancer Policy Forum: This morning we open a workshop on the effects on health research of the HIPAA Privacy Rule that went into effect in April 2003. We have a number of presentations from distinguished experts from the private and public sectors that we expect will inform the IOM National Cancer Policy Forum. This workshop has been approved by the National Research Council’s Governing Board Executive Committee. Workshop proceedings will be prepared as an edited transcript of the speakers’ remarks, our discussion, and material presented to us during the day, and the proceedings will be published by the National Academies Press as an official IOM document. At the end of the workshop, we will have an opportunity to comment on whether there should be any IOM follow up and what form, if any, that should take. The workshop will inform us, and, importantly, it could, if further efforts are undertaken, also provide helpful input to additional IOM study.

With that, I would like to introduce Susan McAndrew from the Office for Civil Rights (OCR) in the Department of Health and Human Services. Susan, if you are ready, please proceed.

Susan McAndrew, Esq., Acting Deputy Director for Health Information Privacy, DHHS Office for Civil Rights, Information on the Privacy Rule and Health Research from the DHHS Office for Civil Rights: I want to thank the Forum for inviting OCR to make this presentation and
to join in the conversation about what the effects of the HIPAA Privacy Rule have been on research operations. There is not time to fill you in on all of the details of the HIPAA Privacy Rule. My colleague, Christina Heide, and I have been working on this Rule since 2000, and I think Christina was working on it even before then. So, this is what we have done for the past six years, and we are quite passionate about the Privacy Rule. The most I can do this morning is to highlight some general operational parameters with regard to the Privacy Rule, where we are today with regard to how the Rule interacts with research, and where we are going in the future. I will describe some of the fundamentals to keep in mind when discussing the Privacy Rule and discuss some of the basic provisions in the Rule. I also will tell you how we got where we are, what recommendations we have received since the last modifications in August of 2002, and try to respond to your request for information on complaints that we have received.

In terms of the fundamentals, there are four points. First, our purpose was to establish for the first time a uniform set of federal standards nationwide for how health plans and most health care providers should treat the identifiable health information that they receive from their patients. The Privacy Rule deals with the interaction of the consumer and the health care provider and/or the health plan for the purposes of receiving treatment and getting that treatment paid for. The impetus for HIPAA was to provide uniform transaction standards for some basic administrative and financial functions and, as the health industry back office computerized, to make sure that there were both privacy and security protections with respect to those data. So, the Privacy Rule embodies those standards. I would note now, some ten years after enactment of HIPAA, that we are essentially having that same debate about concerns and trade-offs as the electronic movement goes from the back-office functions into the clinical functions. What are the privacy and security provisions that are needed as the clinical side computerizes?

The second fundamental point is that because we were thinking of the consumer, our key focus is on controls for how this information on treatment, payment, and health care operations can be used and disclosed. Nonetheless, we recognize that in addition to needing this information for those functions, there are other functions—other public policy purposes—for which this information is needed. For example, we recognized health research as a national public priority for the information, and we set about finding ways to ensure the information could flow for that purpose.

The third point to keep in mind is that we deal with a limited set of entities, called covered entities, primarily health plans and health care providers, provided that they participate in electronic transactions. This will be most hospitals and large facilities and most doctors’ offices, although some practitioners who deal strictly on a cash basis or provide free clinical services may be excepted. With regard to these covered entities, we tried to provide them with one set of policies in each area, and, for research, there is one set of policies, regardless of how the research is funded or whatever the other (non-privacy) rules are that apply to that research. We wanted to give a covered entity permission to use and disclose patient health information for research purposes, but within a single set of rules that apply to all research, so there would not be multiple requirements.

Whether or not the entity doing the research is itself a covered entity is a key distinction. If the entity that is doing the research is not covered by the Rule, then access to information from a covered entity is the only concern—how to obtain information needed for research from an entity that may be covered by the Rule. For those that are using health information for research and that are also covered by the Rule, the disposition of the information after obtaining it for a research purpose is also an issue. This often comes up with regard to databases and repositories. If the database or repository is outside a covered entity, the issues that have disturbed researchers are no longer a concern, and the only issue involves moving data from a covered entity to the database or repository. If the database is managed within a covered entity, then the Privacy Rule affects how that information flows out to others.

There are four channels that the Rule provides for health information to flow for research purposes. They align with the general principles of the Rule. If there is a fundamental principle of the Rule, it would be that patient health information ought to be limited to the core purposes for which that consumer has come to the entity; that is, treatment, payment, and the health care operations of that entity. Otherwise, information should flow only with the individual’s permission. That permission ought to be knowing and voluntary on the part of the individual. That lines up with a first principle in human research—the informed consent process. We call it authorization. Absent treatment, payment, or health care operations, and absent the patient’s permission, the Rule encourages the use of non-identifiable or de-identified information for other purposes. We did make some exceptions for certain national priority purposes, such as public health, disclosure to
law enforcement, and, in some cases, research. For these limited purposes, we allow disclosure of information without the individual’s knowledge or consent. In research, this requires an Institutional Review Board (IRB) or a privacy board waiver of patient authorization or permission for that disclosure. We have carved out a few other exceptions in the research area to try to conform permissions under the Rule with other types of information that have traditionally flowed for research; this includes decedent information and, more recently—in 2002—we have created what we call the limited data set. This can include dates and other detailed information, such as geographic information, about an individual, which otherwise would not have qualified as de-identified information, provided that there is a data use agreement. That conformed our rule more closely with non-IRB research—the exempt category of research.

We emphasize that the Privacy Rule does not supersede either FDA regulations on research or the Common Rule. By the same token, FDA regulations and the Common Rule do not supersede or preempt the HIPAA Privacy Rule. These regulations work within their spheres independently and jointly. So, if you are subject to both, you must comply with both. This sort of situation is not uncommon. Providers often are subject to multiple federal and state privacy schemes.

We expect a knowing and voluntary permission for research so that research will be going forward with the informed consent of the individual. We have made many changes in our authorization process to coordinate with the informed consent requirement under the Common Rule. For instance, we encouraged combination of the consent and authorization forms. We also eliminated the requirement for an expiration date, because in some cases research involves a database, and there is no time limit for residence of the protected health information in that database. Regarding revocation of authorization, we clarified what can be done with research information that has already been collected, and we accept that participation in clinical trials can be conditional on authorization for use of health information from that trial.

With regard to when the individual’s permission is not needed, here we basically looked to the IRB as a trusted intermediary to make the decision on when a research project could go forward with a waiver, on the research side, of informed consent and, on the privacy side, of authorization. The alternative to an IRB would have been to leave this decision to individual covered entities. We did not feel that these entities were in a position to
make waiver judgments, however, nor do I believe that it would serve research purposes to have covered entities making these decisions about the necessity for research without permission. Our criteria for IRB waiver of HIPAA authorization (disclosure involves no more than minimal risk to privacy, research not practicable without waiver, and research not practicable without protected health information) are basically patterned from the Common Rule informed consent waiver criteria. We started with a much different list, but because we got a lot of negative feedback on that, we collapsed the list, and we constructed it more carefully to be consistent with the Common Rule criteria to ensure that the IRBs were working within a familiar realm when dealing with the privacy balances. And we tried to explain how some of these new balances would work when we take these criteria and focus them on privacy.

Finally, we dealt in the Rule with situations in which neither authorization under the Rule nor waiver of permission by an IRB would be required. These are limited situations, and they are largely based on interactions that we had with the research community about their activities that did not involve an IRB or informed consent. The first of these is the category: preparatory to research. This category is to ensure that there is sufficient access to information necessary to create a research protocol in the first place. Unfortunately, this has often been confused in some of the literature with recruitment, but it was not intended to be a recruitment tool, largely because one of the conditions is that the identifiable information accumulated cannot be taken from the covered entity.

The limited data set I would touch on only to say that this is a provision from 2002 in response to a comment from the research community. There has not been much focus on this in the literature, and I am interested in why that is. There still seem to be many questions and concerns about the stringency with which the Privacy Rule defines de-identified information. The goal of the limited data set was to provide for research purposes more robust data that are closer to comparable non-personally-identifiable data by Common Rule standards, but with the protection of a data use agreement, because we do not consider this information to be de-identified. It was a way of getting more information available to the research community in a form that we thought would resolve most of the concerns about the stringency of the HIPAA de-identification standards. We have been very reluctant to lower the standard for de-identified information further, however, because we remain convinced that a lesser standard would allow protected health information to become public in all contexts, not just in research.

So, those are the basic ways that information can be used. In the Privacy Rule, we have tried to create a balance between the individual’s expectations for privacy of his or her health information and the need for this information, not just for the basic purposes of health care but for other important purposes. Admittedly, we have tried to tip the balance a little in favor of the individual, not only toward control through consent and the authorization process for the use of the health information for these other purposes, but also through disclosing to the individual as much as possible how the information was used. So, the individual is informed throughout this process.

We last modified the Privacy Rule in 2002. When we did so, we included many of the provisions that I have just reviewed in response to comments that we got from the research community. We tried to make the Rule more compatible with not only the Common Rule, but what we knew about actual operating procedures in the field, while keeping true to our basic goal of making sure that we had through HIPAA a single set of rules that worked for research, not only research that was governed by the Common Rule, but research that was outside the rule—subject to the FDA or other kinds of regulations. We have extensive guidance that we have issued in cooperation with our colleagues at NIH. I think there is probably more research advisory and technical assistance on our web site than on any other single topic—eight sets of guidance materials and hundreds of frequently asked questions (FAQs) that came out between 2003 and 2005. We are certainly very eager to know how they are doing and if they have been helpful.

Since 2002, we have continued conversations about the Privacy Rule and its research provisions. We have the official comments from the Secretary’s Advisory Committee on Human Research Protections, as well as recommendations from our official privacy advisory committee, the National Committee on Vital and Health Statistics. To the extent the Forum was interested in complaints, I can report that we have had over 20,000 complaints since April of 2003. I can’t give you a number on how many of those involved research. However, there have definitely been complaints involving research issues, such as concerns about calls that complainants have received from third parties. Complainants were unaware of how callers got their information, and occasionally individuals who have a particular rare condition complain of calls for a variety of purposes, such as recruitment to different research projects. They just want to be taken off the list. But, by no means is research a major complaint item for us.

Dr. Moses: Thank you very much. Are there questions?

Dr. Mark Clanton, Deputy Director, NCI: I was involved in the implementation of HIPAA rules at a health plan five or six years ago, so I am generally familiar with the Privacy Rule. Is there language that limits the protections of HIPAA for citizens that relates to certain research and identifiable information in the international context? It appears that the number of biorepositories is going to increase in countries other than the United States, and DNA or tissue data of various kinds are going to be transmitted from those repositories back into the United States for processing and analysis. I’m wondering how HIPAA applies to data that are sent to us from outside of the country.

Ms. McAndrew: The effect of the Privacy Rule is not limited to U.S. citizens. Anyone who seeks health care has HIPAA protection for their identifiable health information in a covered entity. With regard to activities overseas, our reach would extend to the entity and whether or not that entity is within the jurisdiction of the United States. If the information comes into this country and is being analyzed by an entity that is covered by HIPAA, then that entity is in possession of identifiable health information subject to HIPAA protections.

Dr. Moses: Thank you, Ms. McAndrew. Let’s now proceed with the writing of the privacy rules in the Department of Health and Human Services presented by Marcy Wilder.

Marcy Wilder, Esq., Partner, Hogan and Hartson, Washington, DC, and Former Deputy General Counsel, DHHS, Writing the Privacy Rule in DHHS: I am Marcy Wilder, an attorney with the law firm of Hogan and Hartson in Washington, DC. Before joining the firm, I was the deputy general counsel at DHHS and was the lead lawyer working on the HIPAA Privacy Rule. In that capacity, I led a team of lawyers advising the 65 policy makers that were working on the Rule. You may have been affected by the Privacy Rule, and, as you ran into trouble spots in implementing it, you probably have wondered—what was HHS thinking? I have a unique perspective as someone who worked very hard to get this Rule right and then left HHS and now has spent six years working with academic medical centers, pharmaceutical companies, technology vendors, hospitals, and others to try to implement the privacy provisions. I think it is fair to say as a regulator looking at the big picture that HHS did a lot of things right, but I think that there are also a number of places where change and improvement are needed.

HHS was seeking a balance. We were seeking to protect patient privacy and yet avoid creating undue barriers to medical research. That is true as far as it goes, but it is also true that HIPAA was not a regulation about research. Research was not a central consideration, nor the thing that got the most attention, and it was also a difficult issue. It was clear that the agency was trying to protect health information. It was clear that that information was needed by providers to treat patients and to get paid. Plans needed the information to make payments and for health care operations, to run their businesses, to make the health care system go. It was also clear that before protected health information could be used for marketing, the agency was going to require the patient to consent, to provide authorization, to give permission.

The conversations about research were complicated. Research was already regulated. We were not regulating research, and although we knew that the HIPAA Privacy Rule would affect medical research, it was not clear how. So, as a more difficult conversation that was not central to the policy debate, it was put off until late in the process. In the end, research did get a fair amount of attention, although not from people who were intimately familiar with how the research world operated. We knew about the Common Rule that for almost 25 years had regulated research privacy. We knew that IRBs determined whether research protocols contained provisions adequate to protect the privacy of participants and to maintain the confidentiality of data. Many made the argument that provisions were already in place to protect the privacy of participants in research. But as we talked to researchers and looked at the comments we were receiving, we had the impression that privacy was not a central concern for IRBs. Nobody was identifying major problems, but privacy wasn’t a focus, and there seemed to be a need to ensure that health information was given protection consistent with the heightened attention required by HIPAA.

HIPAA is independent of the Common Rule and regulates not research itself but access by researchers to protected health information in covered entities. Policy makers aimed for consistency with the Common Rule and the FDA research rules, but certainly didn’t harmonize the research regulatory framework. Maybe harmonization is something we will talk about: whether or not it is a good idea or what needs to be done to achieve it. At the time of the 2000 rulemaking, however, comments received by HHS mostly did not propose alternatives but instead focused on the negative impact privacy protections would have on health care and medical research. Usually, in a complicated rulemaking, stakeholders with diverse views come
to the table. Everybody is pretty familiar with what you are trying to do, and they have points of view. “Don’t do it this way.” “Do it this way.” “This is a very bad idea.” “That just might work.” But for the HIPAA Privacy Rule, the comments tended to be—and from a number of sectors—what I think of as the “not doable” chorus, which leaves the regulator to make a decision whether it is truly not doable or whether a best efforts attempt needs to be made.

After the initial implementation of the Rule, it became clear there were instances where the Rule was impeding research, and there were aggressive advocacy efforts for changes. As a result, in the 2002 final rule HHS added new provisions such as the limited data set provisions, an alternative for accounting of disclosures, and simplified criteria for research authorization waivers. So, there were some fixes at that time, but over the past three or four years since then, it has become evident that more change is needed. I think part of the frustration that researchers are experiencing is due to the fact that much of the voluminous guidance on research and HIPAA does a good job of explicating what is in the Rule, which helps people better implement what is there. But it does not, however, and maybe shouldn’t, go to some of the issues that actually need fixing, that is, where the problem is not misunderstanding or overzealous compliance, but rather intrinsic to the Rule, requiring an actual regulatory change. Because research wasn’t a central concern of the rulemaking, in part because there was not then an experience base of efforts to apply aggressive privacy protections in the research context, there remain some issues that need further attention.

For example, there are some areas where the burdens on research are heavy and the privacy benefits slim. One that is faced largely by academic medical centers is the accounting for disclosures in research being conducted pursuant to an IRB waiver. In large institutions with many protocols, investigators may access records held by a covered entity under an IRB waiver, many of which ultimately will not be used in the research. Every paper record examined means a disclosure form to fill out; every electronic record examined means a system, a screen, to go through for access, and a click to record that use of the record. These are processes that (given the numbers of research projects, investigators, and potential research subjects) require very substantial time and dollar resources to create and follow for both the researcher and the management of the entities involved. Accounting for record access is not necessarily bad, but when you look at the cost/benefit analysis of the accounting for disclosure for IRB-approved research, it is very questionable whether there are privacy benefits to the patient or participant
commensurate with the costs to the research and health care enterprise. I note this especially in view of the fact that very few participants or patients ever request an accounting for disclosure. Moreover, even if there was a measurable benefit to the patient in keeping track of these kinds of disclosures, on balance, it likely would not justify the resources expended.

The second area that needs attention involves situations where the Privacy and Common Rule diverge, and research suffers as a result of our failure to harmonize the two frameworks. For example, under the Common Rule, investigators can ask for informed consent for use of information in future unspecified research (sometimes bounded by type, such as cancer research, sometimes not), but under the parallel HIPAA authorization requirement, investigators may get permission only for the use of protected health information for a specific identified research project. The right of participants to consent to the use of their data in future unspecified research was taken away by the Privacy Rule. There are workarounds for this, but the lack of elegance in the workarounds reflects the fundamental tension between HIPAA and the Common Rule. The policy question of to what extent individuals should be able to consent to the use of their information for future research ought to be answered and guidance provided.

Another small example, and one that probably should be fixed and can be easily fixed, involves translation of consent and authorization into an unanticipated foreign language. The Common Rule has a relatively easy process for obtaining informed consent when an unanticipated need for a translation arises. The process involves a summary consent form in the participant’s language, an oral translation of the full form, and an “oral informed” consent with documentation. The Privacy Rule does not have a parallel process.

The last example, which I think is an enormous issue that deserves more attention, involves the new federal standard for de-identification of health information that was created by the Privacy Rule. There has been a lot of back and forth as to whether it is too narrow or whether the statistician method of de-identification is enough of an alternative. Can it be made to work better and be more available? And are the liability burdens of de-identifying data properly distributed? Problems arise when an investigator would like to use de-identified information, but the research does not go forward because the covered entity that has the information either does not have the motivation to de-identify, does not want to spend the money to de-identify, or is worried about complaints and liability for non-compliance with the Rule’s de-identification requirements. Is there some other way to
distribute those burdens that will protect privacy but remove what in some areas is a significant barrier to important research? This has been a topic of discussion from the beginning. I think HHS went a long way in addressing it by adding the provisions for the use of limited data sets and by providing the statistician method of de-identification. But I think more needs to be done. On the other hand, I hope everybody was sensitive to OCR’s concerns that, although there may be a case for making this information available with less stringent standards, including dates and zip codes, for instance, there is a real concern that a lesser standard will risk leaking health information beyond the research setting.

When advocating change, there must first be a dialogue that takes the concerns of the regulators into consideration. Issues must be clearly identified, and policy alternatives must be developed and aggressively promoted. You can’t fight something with nothing. We will need concrete examples of how research is affected and alternatives that address the concerns that the regulators have expressed. If not, the issues will sound too hard to the ears of the regulator, and nothing may be done.

Second, we need ally agencies within HHS. I think there will be many, because many HHS agencies are involved in HIPAA, involved in research. There are many important HHS agencies that are affected by HIPAA research privacy provisions: everything from NIH research, CMS Pay-for-Performance efforts, all the efforts to promote health information technology, and much that is going on at the FDA and AHRQ. The agencies involved include the Office for Civil Rights, the National Institutes of Health (NIH), the Food and Drug Administration (FDA), the Agency for Healthcare Research and Quality (AHRQ), the Centers for Medicare and Medicaid Services (CMS), the Office of E-Health Standards and Services, and the Office of the National Coordinator of Health Information Technology. They have all encountered challenges associated with implementing the research provisions of the Privacy Rule. My guess is there are already internal conversations about this, and engaging the right allies within HHS will be important to any effort to make changes.

So, the bottom line is, yes, there are challenges. Yes, some of them will require changes or perhaps more guidance. That will need to be determined, but the research rules can be modified. Advisory committees, Congress, and agencies within HHS itself have recognized that the HIPAA Privacy Rule research provisions need improvement. The IOM recommendations will matter.

Dr. Moses: Thank you. We do have time for questions.

to SACHRP. Today is in some ways a reunion of a meeting that happened two or three years ago. But let me go to what we did and what we recommended. There are a lot of people who just wanted human subjects research to be exempted from the HIPAA Privacy Rule. That was one of the positions expressed early on, for example, by the AAMC, but it just wasn’t going to happen politically. Therefore, we focused our efforts and attention within SACHRP less on trying to undo the regulations than trying to work within the regulations, with slight amendments to the regulations or differences in interpretation or guidance in order to ease the plight of researchers who were trying to conduct research, while at the same time preserving to the extent possible the privacy interests of their subjects. There are about seven or eight specific recommendations that we made to HHS and each of them addresses a particular problem that we found in the application of the Privacy Rule regulations to human subjects research, both biomedical and social science. Accounting was the first problem addressed in our recommendations. Those of you who know HIPAA know the requirement that deals with disclosure of identifiable health information for research purposes that is not permitted by an authorization. In these circumstances, a covered entity, primarily an academic medical center, a physician group practice, or a mental health facility, among others, is required to document in the individuals’ medical records that were reviewed, who accessed the records, on what date, for what purpose, and how much of each record was accessed. So, in other words, retrospective medical chart review, if it involves disclosure to someone outside the facility, would require that every single reviewed record have that notation in it, an accounting of disclosures.
There is a difference within HIPAA between uses and disclosures. Disclosures are essentially transmissions of the information outside of the single covered entity to a different covered entity or a non-covered entity. When your own employed medical staff, for example, looks at records then, because those people are within the covered entity, it is not a disclosure, it is a use. But for people outside of the covered entity, for example, from another medical center or an affiliated medical center, perhaps, then that would be a disclosure outside of the entity that would require an accounting. This has required that there be an enormous number of accountings done of all of these kinds of research disclosures that previously, frankly, went on for years without any patient ever complaining that their privacy had been violated and to our knowledge, at least, any particular problems emerging in retrospective medical records research.

OCR for page 6
Effect of the Hipaa Privacy Rule on Health Research: Proceedings of a Workshop Presented to the National Cancer Policy Forum Now, in response to some of the early criticisms—these rules went out, as you probably know, in waves, and there were some amendments to them—there was a particular amendment. When 50 or more records are disclosed, not pursuant to a research authorization signed by the subject, but instead, pursuant, for example, to a waiver of informed consent and a waiver of authorization granted by an IRB or privacy board, this amendment allowed the covered entity, instead of accounting in every record, to make a list of all of the studies that would have accessed the whole set of records during a time period. Then if a patient asked for an accounting of the disclosures, a list of all of the potential studies that had accessed a patient’s records would be handed over instead of an individual accounting of what specific people had accessed the patient’s records. It was meant to ease the process, but it means that, if an institution pursued it, patients are handed a list that could be a hundred pages of medical records reviews. It may scare patients to death and, in many cases, their records actually were not reviewed for all of those studies. Then, if you use that exception, you are required as an institution, if the patients ask, to ease and assist their access to the researchers to see if their records really were accessed for that particular study. So, basically you have a choice under the way these rules are written. You can either record every single accounting in every single record when it is accessed not pursuant to an authorization, or you can use the exception for those record reviews that are 50 or more records. 
But whatever happens, it has resulted in a massive amount of attention, time, effort, and energy devoted to recording these disclosures in all of these medical records all over the country, and it can provide a disincentive for institutions to allow research studies involving over 50 subjects. So, SACHRP said, after noting these problems, that we thought it ought to be sufficient, even for disclosures outside the covered entity pursuant to a waiver that had been granted by an IRB or privacy board, to inform patients when they come into the facility and they get their notice of privacy practices, that this is a research institution, or we assist research, and this is what happens here. This is not unrestricted access. This is access the way it was since the inception of the Common Rule. If you come here, that is what happens, and your coming here is implied consent to this kind of records research. The second recommendation involved de-identification of data. I think all of you know that HIPAA has essentially a higher standard for de-identification of data than under the Common Rule’s anonymization
standard. You can anonymize data under the Common Rule, which, in most cases has never been interpreted as strictly by any IRB, research administrator, or institutional official as the de-identification standard set out by HIPAA. There is the discontinuity that even when something qualifies as anonymized under the Common Rule, it may not qualify as de-identified under HIPAA. We suggested that there be some kind of synchronization of the standards between research under the Common Rule on the one hand and HIPAA’s Privacy Rule on the other, so that the strict de-identification standards be looked at to see if it would be possible to reduce the number of data elements that would have to be omitted, particularly in regard to things like address, zip codes, geographic subdivisions, treatment dates, et cetera. The limited data set was designed as a particular exception within the HIPAA standards, that allows a covered entity to retain treatment dates, other dates of service, as well as geographic identifiers in a disclosure, just not specific street addresses, but there has to be a limited data use agreement between all the parties that are sharing the information. The result is that there are data use agreements all over the place; there are data use agreements that are just signed as a matter of course. At some point, the cost of compliance outweighs the benefit to the patient. Our thinking was that when it comes especially to the treatment date and the location, given that there have not been abuses that we know of in the past, given that IRBs and privacy boards can look at these issues and decide them, there should be a relaxation of the de-identification standard so that it would be synonymous with IRB or privacy board application of the Common Rule standard. Review preparatory to research is another category that is an exception under HIPAA.
Remember the HIPAA general rule is you can’t disclose information without an authorization, except for treatment, payment, and operations. One of the exceptions is that you can go to a privacy board or an IRB sitting as a privacy board and get a waiver based on the minimal risk to privacy criteria. There is another exception, the so-called review preparatory to research exception. Here, individual researchers can look at records within covered entities to see if it is possible, for example, to test a hypothesis within that patient population, to try to understand the frequency of the disease or condition within the patient population, to look at patterns of treatment within a patient population, to try to design a study or write a protocol. Before the researcher accesses the records, he or she must sign a review preparatory to research agreement that pledges limitation of use to these purposes, that the researcher will not disclose the
information outside the covered entity, and that the access is needed for the review preparatory to research. Through a series of HHS interpretations, individual researchers have been allowed to use the review preparatory to research as a method of identifying prospective subjects and getting their contact information, and, if the researcher is within the covered entity, that researcher is allowed under HIPAA—maybe not under the Common Rule, but under HIPAA—to contact those patients to see if they want to come into the study. However, if you are a researcher outside of the covered entity, then you can identify people during review preparatory to research if the covered entity allows you to come in, but you can’t contact people to ask them if they want to be in the study. That is because if you contact them, then you have exceeded the institutional bounds in lay person’s language, whereas a researcher employed by the facility is already within the institutional bounds. There are many documents that try to define and refine this distinction, but the basic problem is that for the voluntary medical staff at a large academic medical center—perhaps not Mayo or Sloan Kettering where people are directly employed, but a community hospital situation or an NYU type model, where some of the faculty are employed, but most of the faculty are community physicians who simply have privileges there—these researchers are for HIPAA purposes deemed to be outside the facility. It seemed to us odd to have this striking discontinuity between the treatment of internal researchers, the employed physician at NYU, and the treatment of the external researcher, who is on the medical staff at NYU, but not employed and not part of the covered entity, but instead part of the faculty and the faculty practice plan.
So, in the end we said rather than focusing on these fine distinctions between the internal and external researchers created by the preparatory to research interpretations, there should be a more functional definition. The key to the distinction and the ability of researchers to use protected health information should be based on whether the covered entity exercises effective control over that individual’s activities. We would regard membership and privileges of medical staff, the ability to terminate medical staff membership, or discipline medical staff as being effective control, thus, bringing the external NYU medical staff member into the covered entity for purposes of this facet of the Privacy Rule. As I said, we weren’t trying to undo the rules, just trying to fix them as best we could. With regard to future uses of information and authorization for future uses, unfortunately HIPAA came along at a very uncertain time historically. This was at the time that all of us were beginning to understand the immense value of biorepositories and data repositories. We had always known they were valuable, and OHRP, researchers, IRBs, research administrators, and ethicists were beginning to grapple with what it means to have a biorepository and to what extent do you have to refer back to the terms of the original consent, either a treatment consent or a research consent, to know how the biorepository can be used. In addition, there are many different variables. Identifiers can be omitted, and the repository information can be anonymized under the Common Rule, but then if the consent didn’t originally say that the data or the specimen or both would be anonymized, what does it all mean? Where are the lines? What should the rules be? Are the existing biorepositories or data repositories contaminated by their source and the way that they were gathered in the first place? Leaving aside the research repositories, we also have huge pathology repositories created as the standard of care for storage of pathology specimens. These tissues and biopsies and the specimen slides are collected and stored under treatment consents. What does all this mean for future use? At the time that all of this was being considered, HIPAA comes along. It was a period of gestation in the national research community, but the HIPAA rules were essentially laid on top of all of this raging debate about the ethics and the laws around informed consent for biorepositories and data banks. It was when NHRPAC, the Donna Shalala committee, originally commented on the application of HIPAA to biorepositories. We asked for a clarification, because I personally had represented places like Sloan Kettering and other cancer centers and hospitals and knew that they had these massive biorepositories, these specimen banks.
I was thinking, if we just keep the specimen bank, is that itself a research activity that would require a waiver from a privacy board, even though there wasn’t an actual IRB protocol for the storage activity itself? This is just storage before anything is used for a particular purpose. So, I said, naively, HHS can’t mean that the storage activity itself (even though the specimens have not been used for research, and we don’t know when and where or even if they will be used for research) is a research use, and therefore, it has to have a waiver or research authorization? You can’t mean that, HHS, can you? The answer came back in the original commentary, when HHS looked at the rules: of course, we mean that, HHS said. By the way if you have got these biorepositories and data banks and you are keeping them as a platform for future research and that is why you set them aside, you need an IRB protocol for that. It resulted in an interpretation not only of HIPAA but
also in a new interpretation, or one that was not clear to us before, of the Common Rule. So these authorization requirements have now been layered on top of all of the other problems in the area of future research. We have two particular problems with the authorization requirement. I think this was alluded to in what Sarah said in regard to some of the NCI issues. One problem is that an authorization is supposed to be for a very specific purpose. OHRP and even FDA have allowed consent to have broad purposes, specific purposes if you know them, but also broad purposes for future use, leaving the definition of the requirements for an authorization under HIPAA more restrictive in the breadth of purpose that is allowable. Therefore, when we consent people to future uses and disclosures under HIPAA, there is somewhat of an ambiguous area in regard to how broadly we can seek and get their authorization. Because drafters did not want there to be confusion in the patients’ minds about what they were signing, HIPAA requires that an authorization always has to be for a particular purpose and can only be for a particular research study, and it can’t be combined with anything else. You can combine the informed consent for a study with the HIPAA authorization into one document, as long as it meets the requirement for authorization. That is the reason I took you through the interpretation that led to all this. What it means is that when you have a primary interventional study, and you want to set aside specimens, or data for potential specimens, or data themselves for potential future uses, you have got to have the primary protocol approved, but now to be compliant with HIPAA, you must also have a protocol approved to store the specimens. That means you need two authorizations. OHRP lets you combine the consents.
NCI, as all of you know, has that little check mark—the patient can elect whether the specimen is saved for research or not; if saved, whether it can be used for cancer or other research purposes. But on the authorization side, there must be two separate authorizations. We recommended that the Privacy Rule should allow authorizations in these situations to be combined, and we also said that there should be an attempt to allow broader drafting in the HIPAA authorizations in regard to the preservation, the maintenance, the updating, and ultimately the future research uses of these identified specimens or data themselves. Now, this next is a somewhat obscure point, so I will spend little time on it, although it actually makes a great deal of difference for IRBs and privacy boards. Under the Common Rule there is a set of activities that would be human subjects research except for an exemption. You can look at identified records and record the data somewhere else in an anonymized fashion without a link, and OHRP does not look at that as a research activity under the Common Rule. It is an exempt activity because there is nothing being recorded that is identifiable and traceable back to the subject. Under HIPAA on the other hand, that same activity in the context of a research study is itself a use of data that is not exempt from the requirements of HIPAA authorization or of a waiver from a privacy board or IRB. So, the bottom line is that there is an activity that is exempt under the Common Rule, but, because it involves identified data, it is not exempt under HIPAA. We basically said, please fix that discontinuity between the two Rules. The next problem issue is international research. There is a little bit of commentary within HIPAA and the original Q&A. My example is that a covered U.S. research entity has a study going on in Zimbabwe, and its doctors, who are part of the U.S. covered entity, go over to Zimbabwe, and they look over the individually identifiable data of subjects in Zimbabwe. They look at the data; they use the data; they disclose the data and bring it back to the U.S. covered entity and give it to others in the research institution, and maybe subcontractors, like the University of Zimbabwe and the infectious disease department of the University of Zimbabwe. If they do that, then does HIPAA follow extraterritorially that researcher who is part of a covered entity? As a lawyer, I think the answer to that is yes. In fact, I don’t see how you can say it is not the case. There is a whole body of law on extraterritorial applications of law. These are generally laws that have important public policy purposes, criminal laws and the like. They tend to follow, and there is no exemption within HIPAA for the international activities of U.S.
covered entities. So, this has resulted in some very odd situations. For example, there will be a study by a U.S. covered entity, but it is the public health school, which may not be covered, and it involves another covered entity and a medical staff member with an appointment there and part employment at another covered entity. A social work department in yet another academic institution is involved, and people from various parts of this constellation of U.S. institutions are going to the University of Zimbabwe and getting all these records and bringing the information back and sharing it. IRBs in all these institutions have access to the identifiable data in case there is a research integrity question. So, to make a long story short, the international research implications of HIPAA are basically a mess and maybe they are meant to mean what I
just said, but if so, we would like to have some guidance on it. We would like to be told how you do it, what you do and what it all means. Ms. Pollak: There is an additional problem. Most of these countries have their own IRBs and their own consent forms. They will not agree to the dual consent form combining HIPAA authorization with informed consent. So, you end up with two forms, even if they are shortened. It is alarming to people; they think they are giving up some kinds of rights. Therefore, your participant pool goes way down. Based on our experience with this sort of thing, our IRBs believe that in certain countries it is impracticable to get informed consent or an authorization, and so they are waived. In those countries, researchers are just supposed to talk consent through with the subjects according to a script. But clarification would be helpful. Mr. Barnes: Thank you because I was skipping over one of the recommendations in that regard a little too quickly. We requested that for international projects OCR allow us an alteration mechanism, through a privacy board or an IRB sitting as a privacy board, to condense that complicated HIPAA authorization to one or two paragraphs that are understandable in the cultural context of (in our example) Zimbabwe and our HIV prevention study there. Clearly, the form will not have everything in it. For example, it will not say as required by HIPAA (because nobody in Harare would understand it) that if pursuant to HIPAA we give your information to somebody not covered by HIPAA, and they disclose it, they will do so with impunity under U.S. law. I have never figured out a way to say that particular thing easily, but I guarantee there is nobody in Zimbabwe that will understand that.
In fact, we have used a condensed authorization form in some cases, processing it through the IRB or privacy board for approval. Finally, let me touch on access to protected health information by public health authorities which is a particular issue in cancer. HIPAA does not infringe on that access, but then there are agencies like AHRQ. The last I heard, HHS general counsel’s interpretation was that AHRQ was not a public health authority. So, AHRQ would have to go through the HIPAA waiver process or obtain an authorization in order to get access to data. There are public health authorities that do public health surveillance, but they also do public health research, and the line between what is public health research and what is the exercise of police power under public health has been a matter of some contention within the public health community. Every good health department has its own IRB and debates and decides these issues. However, for AHRQ, for other sorts of government quality assurance and research, for quality assurance agencies within the states,
for other kinds of entities that follow up people long term in databases in NCI and cooperative groups, there has been a great deal of confusion. Although I have not been involved intimately as I once was, since these issues have started to be resolved in the last couple of years, the last I left it, there were different parts of the NIH that had different views on how HIPAA applied to them. So, anyway, we asked that OCR determine that quality assurance agencies that are part of government, or quasi-government agencies, or agencies like AHRQ, are public health authorities so that they need not go through individual privacy board waivers or authorizations to do their work. Those were our recommendations that we sent to Secretary Thompson. You have the recommendations and the background text that supports each of the recommendations in your briefing materials. To my knowledge, none of our recommendations has been adopted yet. So, I commend them to your attention. Ms. McAndrew: I can report, on behalf of the department, that they were properly acknowledged, and they are under consideration. Ms. Stocks: The matter of AHRQ being recognized as a public health authority has been addressed. There is a question and answer up on the OCR web site, and we have access as long as we use the data for public health purposes. Dr. Moses: Any other comments or questions? We have come to the end of our discussion on HIPAA, which has been very informative for me, and I think some very interesting things have come out. I would like to thank all the invited speakers for their presentations and the members of the Forum and others for their comments and contributions to the discussion. There are no formal actions that the Forum can take to go further with this; that will be up to the IOM and others.
But we could approve staff assistance to IOM helping to take this toward a committee study. So, the question is whether we can support that. If there is further work, this would be under an IOM Board. It would not be cancer specific, since I think we all agree this is a broad health and biomedical research issue; so, it is appropriate I think that it go to the broader IOM. Dr. Burish: I am not against it, but are there other options? It has been a great session, and I just worry that there will be more meetings about more meetings. What are our options? Dr. Moses: Let me respond. I think the best outcome that we could hope for would be a committee report with firm recommendations, and I’m told that IOM is interested in that option, and that NIH may be as well.

Ms. Carr: I certainly think that NIH is interested in facilitating further analysis of the issues, and we would want to see any study done very carefully so that it would get beyond some of the problems with the data that have been gathered so far. Dr. Burish: I think you addressed my concern. I wasn’t sure whether this group had the authority or authorization to take directly some of the actions you have talked about. Apparently, it does not. I am in favor of an IOM committee. Ms. Boswell: As IOM designs a study, may I encourage you to not just focus on the economic impact of the Privacy Rule on the people that you survey. I think it is very telling that of the speakers that you felt you should invite to have a discussion today, most of them that were non-government people were lawyers. It’s a bad sign if three years after implementation researchers need their lawyers in order to understand what they are supposed to be doing. Ask some questions to get at the involvement of others, even some that previously may not have been involved in research issues. I have never gone to a meeting about IRBs and the Common Rule where there were so many lawyers, but conversations about HIPAA always involve a lot of lawyers. I think that is a problem for our research. I think our research ought to be a lot more user friendly to the patients than to have lawyers being the folks that are so involved. Dr. Ferrell: I want to state a compelling issue: almost everything we have heard today has been from the perspective of the researchers, the organizations, and institutions. I think it is really critical to hear the voice of the patients. Dr. Moses: We have had two patient advocates.
Dr. Ferrell: I think we have glossed over Mary Lou’s and Paula’s comments that their groups, Y-Me, for example, are sources of information, and I am sorry that our Forum member, Ellen Stovall of the National Coalition for Cancer Survivorship, could not be here today. I hope IOM would seek out patient advocacy groups. I think we do need to hear what the patients with cancer who are participating in research want, and whether they understood what they signed, and how it could be done better for the patient. Mr. Kean: Just one quick point, just for reassurance purposes. I am very supportive of doing this, but when you made the comment that this issue is much broader than cancer—and it is, and the IOM study should be broader than cancer—there were a lot of suggestions made today about focusing in just as you just did, Betty, on some of the cancer specific issues and the
cancer centers. I would hope in carrying this out that doesn’t get buried, because there are some cancer specific things that should be looked at. Dr. Moses: I totally agree. We have actually discussed that, and I expect that IOM will keep those things in mind. Now, I would like to thank you all for your attention. This completes the workshop on the effects of the HIPAA Privacy Rule on health research.