Feature Article

HIPAA IN RESEARCH: REVIEWED, REVISED, REVISITED

By Susan Fish, PharmD, MPH, Director of Human Subjects Protection

Author has nothing to disclose with regard to commercial support.

Educational Objectives:

  • Describe the history and purpose of the HIPAA Privacy Rule
  • Describe the relationship between the HIPAA Privacy Rule and the federal IRB regulations, guidances, and local policies
  • Using the HIPAA Research Decision Algorithm, choose the correct HIPAA-related forms to use
  • Describe changes made in the implementation of the HIPAA Privacy Rule at BUMC


Are you confused about which HIPAA form to submit? Are you frustrated by having your subjects sign two forms: the IRB Consent Form and HIPAA Authorization Form? Do you question why the HIPAA and IRB offices are separate?

In response to these questions, BUMC is implementing new HIPAA policies that will help alleviate these concerns.


Almost three years ago, the HIPAA Privacy Rule went into effect. That was prior to INSPIR and before anyone had experience implementing the requirements of the Rule. Now it is time to revisit, reassess, clarify, and simplify the HIPAA process. This article will review the requirements of HIPAA, provide a decision algorithm for determining the types of HIPAA forms required at BUMC for a given study, and explain other changes related to the implementation of HIPAA.

The purpose of the HIPAA Privacy Rule was to protect the privacy of people’s health information, at a time when many insurers were transmitting such information electronically. Part of the Rule pertained to the use and disclosure (sharing) of health information for “payment, treatment, and operations.” More pertinent to research was the portion of the Rule that dealt with the use and disclosure of health information for research purposes.

TAKE HOME LESSON #1: HIPAA HAS DIFFERENT REQUIREMENTS FOR RESEARCH THAN FOR CLINICAL SITUATIONS.

The protections of the HIPAA Privacy Rule are additive to the protections of privacy and confidentiality already in effect under the Common Rule (IRB regulations), which derive from the Belmont Principles. For an extensive discussion of these protections, which have been in place since 1981, see the Clinical Research Times May 2004 Feature Article entitled “Privacy and Confidentiality: It’s More Than HIPAA”. Many feel that the HIPAA Privacy Rule’s protections are redundant (AAMC), but the law’s requirements actually give research subjects much more information about who can see their protected health information (PHI), how private it will be kept, and for how long. The law also requires subjects to be told when the information won’t be kept private, and gives subjects the right to know whether they can have access to their data collected in the research. This article is not intended to be a complete training about HIPAA. If you are not familiar with the Rule’s application to research, please see BUMC’s extensive information on its web site (www.bumc.bu.edu/hipaa) and the links to federal guidances.

HIPAA RESEARCH DECISION ALGORITHM

There are some research situations where HIPAA may not apply, other situations where it will always apply, and still others where “it depends.” These fine distinctions associated with HIPAA make understanding the Rule all the more challenging. Please view the HIPAA Research Decision Algorithm, which should help clarify whether or not HIPAA pertains to your study and how to proceed if you are collecting identified, de-identified, or limited data, and should help you determine which HIPAA form(s) should be submitted to the BUMC IRB. Several of the boxes are linked to definitions and helpful web sites. Once you work your way through the decisions, you will end up at one or more HIPAA form(s) that are required for your study. If you click on the green box, you will be taken to the appropriate web site for the BUMC form.

The HIPAA Research Decision Algorithm is correct for almost all studies, but there will be exceptions. If you have questions, please contact the IRB office.

DOES HIPAA APPLY TO MY STUDY OR NOT?

HIPAA applies if you are a member of the “workforce of a covered entity” and you need “protected health information” for your research. BUMC has determined that if the principal investigator of a study is a member of the workforce of a covered entity, then all of the research staff members are also considered workforce members for that particular study. To determine whether your study entails protected health information and for a list of the 18 HIPAA identifiers, please see the HIPAA web site.

If your study requires information from medical records, whether or not the subjects are also your patients, HIPAA applies.

IF HIPAA APPLIES TO MY STUDY, WHAT FORM(S) DO I NEED?

If you have determined that HIPAA applies to your study, then work your way through the HIPAA Research Decision Algorithm. Remember to follow each path, since you may need more than one form.

HIPAA AUTHORIZATION LANGUAGE NOW IN INSPIR CONSENT FORM

The single most important simplification for you to know about is that beginning January 9, 2006, the language required for HIPAA authorization will be included in the informed consent form, rather than in a separate document. Thus far, the BUMC IRB has required separate HIPAA authorization and IRB consent forms. The IRB felt that explaining the research study and obtaining informed consent was complicated enough without having to include the extensive language required for HIPAA authorization within the consent form as well.

Over the course of HIPAA implementation, however, we found that using two forms may be more complex for both subjects and researchers, as well as a set-up for potential HIPAA non-compliance. Currently researchers must remember to present to the subject two approved forms, obtain two signatures on two forms, and retain two signed forms for each enrolled research subject. Therefore, the authorization language has now been simplified and will be in the consent form template in INSPIR.

This new approach of including the HIPAA authorization language in the research consent form applies to all new studies submitted beginning January 9, 2006. New studies submitted beginning January 9, 2006 will NOT have the option of using separate HIPAA authorization and consent forms. The HIPAA and IRB web sites will include specific directions addressing how to insert the template authorization language into your INSPIR protocols.

For ongoing studies, the use of separate HIPAA Authorization and ICF documents will continue. Researchers will not be required to combine these documents for ongoing studies because HIPAA documents only require one-time approval and do not expire. If the PI wishes to combine the HIPAA Authorization and ICF for an ongoing study, this may be done at the time of Continuing Review.

TAKE HOME LESSON #2: EFFECTIVE JANUARY 9, 2006, HIPAA AUTHORIZATION LANGUAGE WILL BE INCLUDED IN THE CONSENT FORM.

OTHER HIPAA FORMS

HIPAA WAIVER OF AUTHORIZATION

HIPAA DEIDENTIFIED DATA

HIPAA LIMITED DATA SET

HIPAA PREPARATORY TO RESEARCH

HIPAA DECEDENT RESEARCH

The HIPAA forms listed above have not changed since their initial implementation. However, the process for submission of these documents has changed—the principal investigator needs to attach these HIPAA forms in Section S but does not need to sign them. By submitting the form as an attachment to a protocol, the PI is attesting to the statement above the signature line.

If there is no research protocol in INSPIR associated with your HIPAA submission (possibly Decedent Research or Preparatory to Research), then you will continue to fax or mail the paper form to the IRB office after the PI has signed it. A signature is required for the paper forms because, unlike INSPIR submissions, there is no electronic signature.

As always, the stamped and approved HIPAA forms will be in the external attachments of the appropriate protocol within INSPIR. Approved forms without an associated INSPIR protocol will be mailed or emailed to the researcher.

TAKE HOME LESSON #3: PRINCIPAL INVESTIGATOR’S SIGNATURE IS ONLY REQUIRED ON HIPAA FORMS NOT ASSOCIATED WITH AN INSPIR SUBMISSION.

OTHER HIPAA SIMPLIFICATIONS

When the HIPAA Privacy Rule went into effect several years ago, investigators asked the IRB why such high specificity was necessary for the HIPAA Authorization Form. From the feedback we received, this high specificity frequently confused subjects. For this reason, we will begin a new approach allowed by the Rule of listing classes or groups, rather than specific items. For example, rather than listing every diagnostic test needed from a medical record, the authorization is simply for “information from your hospital or office health records at BUMC or elsewhere. This information is reasonably related to the conduct and oversight of the research study.” Or rather than listing every outside lab where blood samples might be sent, the authorization is for “people or groups that we hire to do certain work for us, such as data storage companies or laboratories.” In this way, information is being provided on the groups or classes of PHI used or disclosed and to whom it might be disclosed.

REMINDER FOR HIPAA COMPLIANCE

The HIPAA Privacy Rule provides the research subject with the right to know who, what, when and where his/her PHI was used without his/her authorization. Therefore, if HIPAA applies to your study and you used a Waiver of Authorization, Preparatory to Research, or Decedent Research, you must account for the disclosures. Please see the appropriate section of the HIPAA web site for more information. For a review of the April 2003 presentations about HIPAA in Research, you may see the HIPAA and Research Presentation on the HIPAA site.


HIPAA INTEGRATION INTO THE IRB OFFICE

To streamline and fully integrate the HIPAA and IRB processes, the IRB office has assumed responsibility for review and approval of all HIPAA documentation. As of January 9, 2006, the IRB Coordinators will include HIPAA forms in their review and approval process for their assigned INSPIR protocols. General questions regarding HIPAA can be directed to the IRB office.


Quiz

This Quiz applies to the recertification period from July 1, 2007 to June 30, 2009. CME credits are also available.
