HIPAA IN RESEARCH: REVIEWED, REVISED, REVISITED
By Susan Fish, PharmD, MPH, Director of Human Subjects
Are you confused about which HIPAA form to
submit? Are you frustrated by having your subjects sign two forms: the
IRB Consent Form and HIPAA Authorization Form? Do you question why the
HIPAA and IRB offices are separate?
Almost three years ago, the HIPAA Privacy Rule went into effect. That was prior to INSPIR and before anyone had experience implementing the requirements of the Rule. Now it is time to revisit, reassess, clarify, and simplify the HIPAA process. This article will review the requirements of HIPAA, provide a decision algorithm for determining the types of HIPAA forms required at BUMC for a given study, and explain other changes related to the implementation of HIPAA.
The purpose of the HIPAA Privacy Rule was to protect the privacy of people’s health information, at a time when many insurers were transmitting such information electronically. Part of the Rule pertained to the use and disclosure (sharing) of health information for “payment, treatment, and operations.” More pertinent to research was the portion of the Rule that dealt with the use and disclosure of health information for research purposes.
TAKE HOME LESSON #1: HIPAA HAS DIFFERENT REQUIREMENTS FOR RESEARCH THAN FOR CLINICAL SITUATIONS.
The protections of the HIPAA Privacy Rule are additive to the protections to privacy and confidentiality already in effect in the Common Rule (IRB regulations), that derive from the Belmont Principles. For an extensive discussion of these protections that have been in place since 1981, see the Clinical Research Times May 2004 Feature Article entitled, “Privacy and Confidentiality: It’s More Than HIPAA”. Many feel that the HIPAA Privacy Rule’s protections are redundant (AAMC), but the law’s requirements actually give research subjects much more information about who can see their protected health information (PHI), how private it will be kept, and for how long. It also requires subjects to be told when the information won’t be kept private, and gives subjects the right to know whether they can have access to their data collected in the research. This article is not intended to be a complete training about HIPAA. If you are not familiar with the Rule’s application to research, please see BUMC’s extensive information on its web site (www.bumc.bu.edu/hipaa) and the links to federal guidances.
There are some research situations where HIPAA may not apply, other situations where it will always apply, and still others where “it depends.” These fine distinctions associated with HIPAA make understanding the Rule all the more challenging. Please view the HIPAA Research Decision Algorithm, which should help clarify whether or not HIPAA pertains to your study, how to proceed if you are collecting identified data, de-identified, or limited data, and help you determine which HIPAA form(s) should be submitted to the BUMC IRB. Several of the boxes are linked to definitions and helpful web sites. Once you work your way through the decisions, you will end up at one or more HIPAA form(s) that are required for your study. If you click on the green box, you will be taken to the appropriate web site for the BUMC form.
HIPAA applies if you are a member of the “workforce of a covered entity” and you need “protected health information” for your research. BUMC has determined that if the principal investigator of a study is a member of the workforce of a covered entity, then all of the research staff members are also considered workforce members for that particular study. To determine whether your study entails protected health information and for a list of the 18 HIPAA identifiers, please see the HIPAA web site.
If your study requires information from medical records, whether or not
the subjects are also your patients, HIPAA applies.
IF HIPAA APPLIES TO MY STUDY, WHAT FORM(S) DO I NEED?
HIPAA AUTHORIZATION LANGUAGE NOW
IN INSPIR CONSENT FORM
Over the course of HIPAA implementation, however, we found that using two forms may be more complex for both subjects and researchers, as well as a set-up for potential HIPAA non-compliance. Currently researchers must remember to present to the subject two approved forms, obtain two signatures on two forms, and retain two signed forms for each enrolled research subject. Therefore, the authorization language has now been simplified and will be in the consent form template in INSPIR.
This new approach of including the HIPAA authorization language in the research consent form applies to all new studies submitted beginning January 9, 2006. New studies submitted beginning January 9, 2006 will NOT have the option of using separate HIPAA authorization and consent forms. The HIPAA and IRB web sites will include specific directions addressing how to insert the template authorization language into your INSPIR protocols.
For ongoing studies, the use of separate HIPAA Authorization and ICF documents will continue. It will not be required for researchers to combine these documents for ongoing studies because HIPAA documents only require one-time approval and do not expire. If the PI wishes to combine the HIPAA Authorization and ICF for an ongoing study, this may done at the time of Continuing Review.
TAKE HOME LESSON #2: EFFECTIVE JANUARY 9, 2006, HIPAA AUTHORIZATION LANGUAGE WILL BE INCLUDED IN THE CONSENT FORM.
The HIPAA forms listed above have not changed since their initial implementation. However, the process for submission of these documents has changed—the principal investigator needs to attach these HIPAA forms in Section S but does not need to sign them. By submitting the form as an attachment to a protocol, the PI is attesting to the statement above the signature line.
If there is no research protocol in INSPIR associated with your HIPAA submission (possibly Decedent Research or Preparatory to Research), then you will continue to fax or mail the paper form to the IRB office after the PI has signed it. A signature is required for the paper forms because, unlike INSPIR submissions, there is no electronic signature.
As always, the stamped and approved HIPAA forms will be in the external attachments of the appropriate protocol within INSPIR. Approved forms without an associated INSPIR protocol will be mailed or emailed to the researcher.
TAKE HOME LESSON #3: PRINCIPAL INVESTIGATOR’S SIGNATURE IS ONLY REQUIRED ON HIPAA FORMS NOT ASSOCIATED WITH AN INSPIR SUBMISSION.
When the HIPAA Privacy Rule went into effect several years ago, investigators asked the IRB why such high specificity was necessary for the HIPAA Authorization Form. From the feedback we received, this high specificity frequently confused subjects. For this reason, we will begin a new approach allowed by the Rule of listing classes or groups, rather than specific items. For example, rather than listing every diagnostic test needed from a medical record, the authorization is simply for “information from your hospital or office health records at BUMC or elsewhere. This information is reasonably related to the conduct and oversight of the research study.” Or rather than listing every outside lab where blood samples might be sent, the authorization is for “people or groups that we hire to do certain work for us, such as data storage companies or laboratories.” In this way, information is being provided on the groups or classes of PHI used or disclosed and to whom it might be disclosed.
The HIPAA Privacy Rule provides the research subject with the right to know who, what, when and where his/her PHI was used without his/her authorization. Therefore, if HIPAA applies to your study and you used a Waiver of Authorization, Preparatory to Research, or Decedent Research, you must account for the disclosures. Please see the appropriate section of the HIPAA web site for more information. For a review of the April 2003 presentations about HIPAA in Research, you may see the HIPAA and Research Presentation on the HIPAA site.
To streamline and fully integrate the HIPAA and IRB processes, the IRB
office has assumed responsibility for review and approval of all HIPAA
documentation. As of January 9, 2006, the IRB Coordinators will include
HIPAA forms in their review and approval process for their assigned INSPIR
protocols. General questions regarding HIPAA can be directed to the IRB
This Quiz applies to the recertification period from July 1, 2007 to June 30, 2009. CME credits are also available.