PARTNERS HUMAN RESEARCH COMMITTEE


Federal Privacy Regulations
General Overview and Effects on Research

The information presented here reflects the current interpretation of the Privacy Rule - but please be advised that changes may be necessary in response to new guidance.

I. General Overview

A general overview is provided elsewhere, but specific research-related elements of this regulation deserve emphasis.

  • At Partners, research activities are covered by the Privacy Rule, and researchers are subject to its requirements.
  • The definition of "protected health information" includes information relevant to the provision of health care as well as information generated in the context of clinical research. Hence, although some research information may not have proven clinical validity or utility, the Privacy Rule considers it to be identifiable health care information that must be protected.

  • The regulation covers information - not tissue - except to the extent any identifiable medical information is attached to the tissue sample.

  • Genetic information (as defined by the federal Genetic Information Nondiscrimination Act – see http://healthcare.partners.org/phsirb/hipaaglos.htm) is included within the definition of "health information" and is therefore considered "protected health information" if it includes any of the HIPAA identifiers. Note that tissue, DNA, or genetic information alone, without any such identifiers, are not considered PHI/identifiable and are not provided a higher standard of privacy coverage under this federal regulation. Of note, there is a state genetics privacy law - but this does not apply to IRB-approved research activities.
  • The regulation covers individually identifiable information - this is referred to as protected health information (PHI) - in any form, including written, electronic, or oral. The regulation provides a stringent definition of "de-identified."

    Of note, the Privacy Rule and the Common Rule (IRB requirements) do not agree on the issue of whether or not coded information is "identifiable."

    The Privacy Rule considers coded information to be de-identified if 18 specific identifiers are coded and the individual cannot reasonably be identified; however, the code itself is considered identifiable.

    In contrast, the Common Rule considers coded information generally to be identifiable. Therefore, research using coded information might not be covered by the Privacy Rule as long as the researchers do not have access to the code; but because this same research would be covered by the Common Rule, it would still require IRB review.

    Further complicating the definition of identifiable is the Privacy Rule's new carve-out of "limited data set" for research, healthcare operations and public health purposes. Limited data sets can include dates, address except for street address, and other information that is not a direct identifier but could possibly be used to identify a person. Of note, the Privacy Rule places fewer requirements on the use and disclosure of limited data sets. Partners policy is that research using data in a limited data set must be submitted to the IRB for a review of whether the research is exempt from the Common Rule or requires review.

  • The Privacy Rule creates privacy standards and also gives individuals a number of rights - these standards and rights will also apply to their research information. These include:

    • Only the minimum necessary information can be used or disclosed. There are two important exceptions: minimum necessary does not apply when PHI is being used or disclosed for treatment purposes, or if there is an authorization for use and disclosure. Also note that the minimum necessary standard applies to limited data sets. Hence for research, the minimum necessary requirement applies to situations in which a waiver of informed consent/authorization has been obtained, or a limited data set is used or disclosed.

    • Individuals must receive a notice of how their PHI will be used and protected. This notice informs individuals that their PHI may be used for research either with authorization or a waiver of authorization as determined by the IRB.

    • Patients and subjects have the right to request a history of how and to whom their PHI has been disclosed over the previous 6 years. Tracking of disclosures is not required if the disclosure was made pursuant to a written authorization. Hence for research, any disclosures made after obtaining a waiver of consent and authorization will have to be tracked. Note that disclosure of a limited data set for research does not require tracking.

    • Individuals have the right to request access to their PHI - access is limited to the designated record set (see below).

    • Individuals have the right to request that their PHI be amended. Because access is limited to the designated record set, amendment will also be limited to the designated record set.

II. Effects of the Privacy Rule on Research

The Privacy Rule affects research in two different ways:

  • Accessing existing protected health information (PHI) - i.e., epidemiological studies
  • Handling PHI that is created during a research study - i.e., clinical trials. (Of note, most clinical trials involve both the creation of new information as well as access to existing health information.)


    A. Accessing existing PHI:

    Researchers who access existing health information for research must be aware of the Privacy Rule requirements.

    Privacy Notice: The Privacy Rule requires health care providers who have a direct treatment relationship with an individual to give the individual a Notice of Privacy Practices at least by the first time care is delivered after April 14, 2003. The Notice must specify that in accordance with federal regulations, while some research will require an individual's permission, some research can be done without obtaining permission (waived consent/authorization). A best faith effort must be made to obtain written acknowledgement of receipt of the Notice.

    • Researchers must be certain that their institutional Privacy Notice accurately describes how an individual's protected health information may be used for research. While the Partners' notice is appropriately worded to include access to medical records for research purposes, any researcher who also works outside of the Partners' system should carefully review the Privacy Notice of their other institutions.


    How to access PHI for research:
    It is important first to note that the Common Rule requires that research using identifiable information must be reviewed and approved by the IRB. The IRB will determine if informed consent is required or if a waiver of the informed consent can be approved. The Privacy Rule requirements are in addition to those of the Common Rule.

    The Privacy Rule allows access to existing PHI in three possible ways:

1. The researcher obtains individuals' permission. The permission must address both the Common Rule and the Privacy Rule.

  • The Privacy Rule requires an authorization.
  • The Common Rule requires an informed consent.
  • The required elements of the authorization and informed consent are not identical.
  • A single document that includes all required elements of both the Common and Privacy Rules can be used.

2. Researchers can apply for IRB approval of a waiver of informed consent/authorization. The Privacy Rule and the Common Rule each have slightly different criteria that must be met in order to waive the requirement for an authorization or an informed consent. For consistency, the IRB policy on waiver will include all elements required by both the Common Rule and the Privacy Rule.

3. Researchers can use or disclose a limited data set if the covered entity enters into a data use agreement with the recipient of the data. A data use agreement includes statements that the recipient of the data set will NOT identify the individuals. The limited data set is only available for research, public health and health care operations. The Privacy Rule does not require an authorization or a waiver for accessing this information, but it should be noted that because this information may be considered identifiable by the Common Rule, it may require IRB review. It will be Partners policy that any use or disclosure of a limited data set must be submitted to the IRB for determination of whether or not the protocol is exempt from the Common Rule or if it needs IRB review.

Please note: the Privacy Rule protects the identifiable health information of decedents as well as living individuals, until 50 years after the date of death.

Many medical records studies involve accessing records/PHI of both living and deceased individuals. In such cases, the investigator should proceed as with a medical records study that involved only living individuals and should submit a medical records protocol application and request a waiver of consent and authorization. For medical records studies that involve accessing records/PHI solely of deceased individuals, the investigator may consult the IRB as to the appropriate process and requirements. Such studies will not constitute human subjects research but will usually still trigger certain requirements under the Privacy Rule. Namely, the investigator will be asked to document that:

  • The records are needed for research; and
  • The records will be used solely for research.
  • In addition, the Privacy Rule also states that entities (i.e., Partners) may request documentation of deaths. Therefore, investigators should be prepared to provide, upon request, such documentation.

Records/information pertaining to individuals who have been deceased for more than 50 years are not considered to be PHI under the Privacy Rule; however, investigators should still follow the processes outlined above for medical records studies involving such information.

Privacy standards and individuals' rights:

If a waiver has been approved, the following requirements must be met:

  • Only the minimum necessary PHI can be used or disclosed. The investigator will be asked to justify what PHI is necessary.
  • All disclosures made without an authorization/informed consent must be tracked for six years. (Please note that disclosures of Limited Data Sets do NOT need to be tracked.) The tracking must include the following information:
    • Date of the disclosure
    • Name of the entity or person (and if known address) who received the PHI
    • Brief description of the PHI disclosed and
    • Brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure


B. Research in which PHI is created:

The classic example of this type of research is the clinical trial. Such research will continue to undergo IRB review as required by the Common Rule, but the HIPAA-Privacy Rule adds some new requirements.

Accessing existing PHI as part of a clinical trial: Many clinical research protocols also require access to existing PHI. If this is the case, the requirements described in the section above on accessing existing PHI must also be met. The elements required for informed consent/authorization for access to records can be included as a part of the consent form for the trial.

Privacy Notice: Any participant in a clinical research study must have received, and acknowledged in writing, a copy of the institution's Privacy Notice. If an individual has already received the notice during another health care encounter, that is adequate. If an individual has not received a Privacy Notice, it is the responsibility of the investigator to provide such notice, and the researcher must ask the subject to sign a document stating that the notice was received.

Subject Recruitment:
As noted at the beginning of this document, the information presented here reflects the current interpretation of the Privacy Rule - but changes may be necessary in response to new guidance from DHHS. The topic of subject recruitment has been identified as one area on which DHHS may provide additional guidance.

Researchers may recruit study participants in a number of ways. Privacy protections must be considered for each.

As background, research in which an individual is contacted or recruited for enrollment must be reviewed and approved by an IRB. The Common Rule requires an IRB to consider the process for subject recruitment as part of its review. (Please see existing Partners policies on recruitment.)

The Privacy Rule adds a new privacy focus to this review, as explained below. By way of overview:

(i) an individual may contact a researcher about a study with no new Privacy Rule requirements;
(ii) a treating physician may share de-identified information with a researcher (also within the Partners system) to determine a patient's eligibility for a study with no new Privacy Rule requirements;
(iii) as is current practice, if approved by the IRB, a treating physician and researcher within Partners may co-sign a recruitment letter to patients with no new Privacy Rule requirements; but
(iv) if a treating physician shares identifiable health information with a researcher to discuss potential enrollment in research, the Privacy Rule requires that either the patient's authorization must be obtained or the IRB must be asked to approve this sharing with waived authorization; and
(v) if a researcher wants to review medical records to identify potential subjects, then as is current practice, the researcher must apply for a waiver to the IRB, and the waiver determination will now include Privacy Rule criteria as well as the Common Rule criteria.

Informed consent/authorization:
A single document will be used. This document must include required elements of informed consent under the Common Rule as well as authorization under the Privacy Rule.

The primary differences and new requirements include:

  • Specific authorization for the use and disclosure of any information generated during the research. The authorization must include a description of how PHI created during the research will be used and/or disclosed, among other requirements.
  • The right to withdraw from the research study AND to withdraw any identifiable information. Of note, if the information has already been used to perform an analysis or other evaluation, the results of that analysis can be retained, but the individual's PHI generally cannot be used or disclosed in new ways after the revocation.

Individuals' Rights:

  • Subjects' access to their information:

    The Privacy Rule gives individuals the right to access their information, but this access is limited to the "designated record set." The designated record set is that information used for treatment and/or billing decisions. Information that is generated in research and lacks clinical validity or clinical utility generally will be outside of the designated record set, and thus the Privacy Rule's right of access generally will not apply to this information.

  • Subjects' right to amend their PHI:

    The Privacy Rule gives individuals the right to request that their PHI be amended. A system for handling requests for such amendments will be in place for the entire institution. Researchers will utilize the institutional system for amending PHI.

Updated 10/2013