I am collaborating with researchers at another institution, and they are
requiring me to take their training modules on research protection, even
though I have already taken similar training here at Children's Mercy
Hospital. I could gripe and grumble, but it is an opportunity for me to
review some very important material. I'm going to quote some of the training
material and add some comments of my own.
First of all, what is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
is a federal law that is best known for allowing individuals to maintain
health insurance when they change employers. An additional purpose of HIPAA
is to provide security and privacy for health information. The privacy
section of HIPAA, called the Privacy Rule, governs the uses and disclosure
of patient information for all purposes, including for research.
The main concern of HIPAA for a researcher involves the use of individually
identifiable health information. As a researcher, you need to make sure that
IIHI does not get disclosed to the wrong people. There have been incidents
where patients with health care problems that they wanted to keep private
were instead subjected to aggressive marketing by drug companies. If you
think about it, the temptation for the drug companies is almost irresistible.
If they could get their hands on a list of people who suffer from a malady
that they have a new drug for, they would be able to send their promotional
literature only to patients who they knew would benefit from that drug.
When patients share their health care information, they want to make sure
that it goes only to people who really need that data to provide them with
the treatments that they need. They don't offer up their information to help
drug companies make a bigger profit.
As a general rule, you need to ask the patient's permission before you share
any IIHI with a research group. The HIPAA web site mentioned five exceptions
to the need to get permission.
a) a waiver of the individual authorization requirement is obtained
from the Human Subjects Committee
b) the information is completely de-identified and no longer governed by
HIPAA
c) the information is compiled into a 'limited data set' and a data use
agreement is executed
d) the activity qualifies as 'preparatory to research'
e) the researcher is accessing information solely on decedents
The request for written authorization should provide your patients with the
following information:
* A description of the information that will be used or disclosed
* The names or classes of individuals authorized to make the use or
disclosure
* The names or classes of individuals authorized to receive the use or
disclosure
* Description of each purpose of the requested use or disclosure.
* An expiration date or event for the authorization
* A statement that the individual has a right to revoke the authorization
* A reference to the covered entity's right to condition service on the
authorization, or the consequences of refusal to sign
* A statement that the information used or disclosed pursuant to the
authorization may be subject to re-disclosure by the recipient and no
longer protected by the Privacy Rule
* The subject's right to a signed, dated copy of the authorization
The IRB can waive individual authorization if you can convince them that
the research could not practicably be conducted without the alteration
or waiver; and the research could not practicably be conducted without
access to and use of the protected health information.
They give an important reminder that you should only collect the
minimum amount of information necessary to do the research. So, for example,
you should not ask for a birthdate when an age would be sufficient
information.
If you do ask for a waiver of authorization, be sure that you can show that
you are a responsible person who is respectful of privacy. You do this by
providing
i. An adequate plan to protect the identifiers from improper use and
disclosure;
ii. An adequate plan to destroy the identifier at the earliest
opportunity consistent with conduct of the research, unless there is a
health or research justification for retaining the identifiers or such
retention is otherwise required by law; and
iii. Adequate written assurances that the protected health information
will not be reused or disclosed to any other person or entity, except as
required by law, for authorized oversight of the research study, or for
other research for which the use or disclosure of protected health
information would be permitted by the Privacy Rule;
A limited use data set contains no direct identifiers (such as name
or address) but does contain information that could potentially
identify a patient indirectly. I heard a story, which I have not been able to
verify, but supposedly, if you know a person's birthdate and their five-digit
zip code, you can figure out who that person is exactly. But studies that
look at time trends or geographic clustering will need such information. To
share such information outside the health care organization that you work
for, you need to negotiate a limited use data agreement. This agreement
requires that the third party will not use the indirect identifiers to try
to discover the true identity of any patient. The agreement also requires
them to use appropriate safeguards with the data.
A review preparatory to research is limited access to IIHI to determine
things like how many eligible research subjects you might be able to accrue
over a limited time period and if the existing records contain sufficiently
detailed information to allow you to conduct your research. This web site
reminds you though that
The preparatory review may not be used for study recruitment because
researchers may not record names and contact information from the charts.
Neither can this provision be used to answer a scientific question.
The web site also covered a lot of other important topics:
- how to conduct research on people who have already died,
- who is allowed to recruit patients to a study,
- how to set up a research repository,
- research subjects' access to research records, and
- computer security issues.
All of these are worthy of future discussion on my weblog and I'll try to
talk about them when I get time.
I had to take a quiz and I got one question wrong:
For your research project, you request tissue samples that are labeled
without identifiers, except for the date of surgery. How will you obtain
the samples?
- Written authorization from the patient
- Data Use Agreement
- Waiver of authorization
- A statement in the consent to treat
I had selected the first bullet. If this is a prospective trial, there is
no way that you can argue that it is impractical to get written
authorization, because you already have to get consent to perform the
surgery. It is indeed possible under certain conditions to use a data use
agreement instead, or maybe to get a waiver of authorization, but I would
have thought that the first option should be used whenever possible. The web
site itself states that
Written authorization from the subject is the default requirement for
use of health information in research. Prospective research, such as a
clinical trial, generally requires this type of permission.
Now granted, the question didn't state explicitly that this was prospective
research, but I would have thought that they would have worded the question
using a phrase like "sample from a tissue bank" if the study was
retrospective.
That's a minor quibble, though, considering that I could get one question
wrong and still pass the quiz.
This page was last modified on 08/21/07.