Office of the Provost

Memorandum

To: University Deans, Department Chairs and Department Administrators
From: Arthur S. Levine, M.D., Senior Vice Chancellor for the Health Sciences and Dean, School of Medicine, University of Pittsburgh, James V. Maher, Ph.D., Senior Vice Chancellor and Provost, University of Pittsburgh, Loren H. Roth, M.D., M.P.H., Associate Senior Vice Chancellor for the Health Sciences, University of Pittsburgh; Senior Vice President for Medical Services, UPMC Health System, Marshall W. Webster, M.D., President, University of Pittsburgh Physicians
Date: November 12, 2002

Health Insurance Portability and Accountability Act - Research

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was enacted in 1996. HIPAA established, among other things, mandatory rules governing the privacy of all patient identifiable health information (also referred to as “protected health information” or “PHI”) regardless of form. Subsequent regulations implementing the HIPAA privacy rule must be complied with by April, 2003, for all health care providers, health plans, and health care clearinghouses and third parties who have access to identifiable health information.

Certain provisions of HIPAA address the use and disclosure of identifiable health information for research purposes. In this regard, HIPAA is generally consistent with the applicable provisions of the current Federal Policy regulations (45 CFR 46) governing human research subject protections, although there are some important differences. Together, these regulations will have an enormous impact primarily on two aspects of human subject research: 1) access to and the use of identifiable health information to facilitate research subject recruitment; and 2) retrospective research studies involving the use of existing, identifiable, health information.

A Research Practice Fundamentals (RPF) module on HIPAA requirements will be available shortly. Successful completion of this module will provide compliance certification to carry out research using patient records.

Pertinent Regulatory Requirements

1. Federal Policy Regulations:

The federal policy regulations define a “human subject” as a living individual about whom an investigator conducting research obtains 1) data through intervention or interaction with the individual, or 2) identifiable private information. Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated by the investigator with the information) in order for obtaining the information to constitute research involving human subjects. Unless determined (i.e., by the Institutional Review Board) that a certain research activity is exempt, no investigator may involve an individual as a human subject in research covered by the federal policy regulations unless the investigator has obtained prospectively the legally effective (i.e., written and signed) informed consent of the subject.

The federal policy regulations specify that research involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens is exempt from these regulations if the sources are publicly available or if the information is recorded by the investigator in such a manner that the subjects cannot be identified directly or through identifiers linked to the subjects.

The federal policy regulations include provisions whereby the IRB can grant a waiver of the requirement to obtain prospectively the written informed consent of human subjects. However, it is often difficult to provide adequate and appropriate justifications for the corresponding regulatory criteria for granting such a waiver. As a result, it is frequently impossible for the IRB to waive the requirement for informed consent for research studies involving the collection of identifiable private (e.g., health) information.

2. HIPAA Regulations:

HIPAA specifies that a covered entity may not use or disclose identifiable health information for research purposes unless the patient has provided, in advance, his/her written authorization for such use or disclosure. Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

In accordance with HIPAA, prior written authorization of the patient-subject is not required for the review of identifiable health information performed preparatory to research. In this situation the covered entity must obtain from the researcher a representation that a) use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; b) no protected health information is to be removed from the covered entity by the researcher in the course of the review; and c) the protected health information for which use or access is sought is necessary for the research purposes.

The HIPAA regulations also include provisions whereby the IRB can grant a waiver of the requirement to obtain prospectively the written authorization of patients for the research use and disclosure of their identifiable health information. While the HIPAA criteria for granting a waiver of the research authorization requirement are somewhat less stringent in comparison to federal policy criteria for waiver of the informed consent requirement, the IRB must be in compliance with both policies. Thus, it remains frequently impossible for the IRB to waive the requirement for written authorization/informed consent for research studies involving the use and disclosure of identifiable health information.

Impact of Federal Policy and HIPAA Regulations

1. Access to and the Use of Identifiable Health Information to Facilitate Research Subject Recruitment:

It is a common practice of investigators to access and review identifiable health information for the purpose of identifying patients who meet study eligibility criteria. The names of such patients are typically recorded by the investigator and subsequently provided to the patients’ personal physicians. These physicians then contact their patients to introduce the research study and ascertain if the patient would be interested in study participation and/or subsequent contact by the investigators.

Since the investigators are obtaining identifiable private information about living individuals for the purpose of conducting research, the above-described activity constitutes human subject research in accordance with the federal policy regulations. This activity is not exempt from the federal policy regulations because the investigators are, in fact, recording the identities of the human subjects. Thus, this activity requires the prior written informed consent of the involved patients-subjects, or the IRB must grant a waiver of this informed consent requirement.

The above-described activity also meets the HIPAA definitions of “use and disclosure” of identifiable health information and thus also necessitates the prior written authorization of the involved patients or an IRB waiver of this authorization requirement. (Note that the federal policy informed consent form and the HIPAA Research Authorization form can be combined into one document.) This activity does not fall under the HIPAA exception addressing reviews of identifiable health information performed preparatory to research, as an IRB-approved research protocol is already in existence for the study. Even if an exception were to be granted in this situation, no protected health information (e.g., patient identities) can be removed from the covered entity (e.g., UPMC HS) by the researcher in the course of the review. Note that HIPAA defines protected health information to include demographic information collected from an individual.

2. Retrospective Research Involving the Collection and Use of Existing Identifiable Health Information:

Many significant contributions to health care have emanated from retrospective research studies involving the analysis of existing patient information. Since the federal policy regulations are silent with regard to access to identifiable health information, compliance with the respective exempt category of these regulations can be achieved, for many of these studies, if the investigator simply records the desired information (or the desired information is recorded for the investigator) in such a manner whereby the patients-subjects cannot be identified directly or through identifiers linked to the patients-subjects data.

It must be emphasized, however, that HIPAA addresses specifically the “use and disclosure” of identifiable health information. Since the HIPAA definition of “use” includes the utilization and/or examination of this information, it will not be permissible under HIPAA (i.e., in the absence of respective patient authorization) for investigators, themselves, to access identifiable patient records for the purpose of subsequently recording, even in a de-identified manner, information for research purposes. It may be argued that the HIPAA exception addressing reviews of identifiable health information performed preparatory to research could be applied to this situation. However, the examples included under this HIPAA exception are not directly applicable. Moreover, the physical recording of the health information would seem to constitute a procedure performed as part of the conduct of the research, not a procedure performed preparatory to the research.

Both the federal policy and HIPAA regulations mandate that retrospective research studies involving the collection and use of identifiable health information require the prior written informed consent/authorization of the involved patients-subjects or an IRB waiver of this informed consent/authorization requirement.

Possible Approaches to Achieve Research Goals and Regulatory Compliance

1. Research Registries or Repositories

Utilizing this approach, a medical department, division or center would obtain, upon the provision of clinical care, the written informed consent/authorization of its patients to place their identifiable health information into a research registry for the purposes of 1) future research studies involving the analysis of health information related to the disease or condition (e.g., heart disease, breast cancer, etc.) for which the patient is being evaluated or treated, and 2) the identification and subsequent contact of patients for participation in future clinical trials related to this disease or condition. Although corresponding requirements would include the IRB approval of a protocol addressing the research registry and the corresponding written informed consent/authorization document, this approach will solve many of the previously described problems associated with Federal Policy and HIPAA regulatory compliance.

Since prospective written informed consent/authorization of the patients-subjects has already been obtained for the collection and use of their identifiable health information for research purposes, there is no need to re-contact the patients-subjects to obtain their written consent/authorization for a specific retrospective research study; provided that the specific study is consistent with the purpose(s) of the future research defined in the original consent/authorization document and is being performed by the investigators listed on this document. To avoid problems regarding the latter condition, the research registry protocol and consent/authorization should generally list “department faculty,” “division faculty,” etc. as the responsible investigators.

In addition to addressing the collection and use of the patients’-subjects’ identifiable health information for future retrospective research studies, the informed consent/ authorization document for the research registry should also request permission of the patients-subjects to allow the listed investigators to review their identifiable health information to determine if they may be eligible for participation in future, prospective clinical trials involving their disease or condition. The informed consent/authorization document should further request permission to contact the patients-subjects to ascertain their interest in participating in these clinical trials should they meet eligibility criteria. Of course, patient-subject participation in a future clinical trial would require their separate, trial-specific, written informed consent.

2. Honest Broker De-Identification of Health Information

An “honest broker” is an individual or system utilized by the health care provider or health plan to collect and provide health information to research investigators in such a manner whereby it would not be reasonably possible for the investigators or others to identify the corresponding patients-subjects directly or indirectly. The information provided to the investigators by the honest broker may incorporate linkage codes to permit information collation and/or subsequent inquiries; however, the information linking this code to the patient’s identity is retained by the honest broker and subsequent inquiries are conducted through the honest broker. Of course, the honest broker cannot be one of the research investigators.

Since neither the federal policy nor HIPAA regulations require prior written informed consent/authorization of patients for the research use of their de-identified health information, this approach would address satisfactorily the issues associated with the conduct of retrospective research involving existing health information. This approach can also be used to identify eligible patients for subsequent recruitment into clinical trials. For example, based on defined search criteria, the honest broker would provide a listing of potential eligible subjects, identified by code number only, and their corresponding health information to the clinical trial investigators. The investigators would determine which of these patients appear to meet eligibility criteria and convey the respective code number back to the honest broker. The honest broker would subsequently provide the names of the identified patients to the patients’ personal physicians who would contact the patients to 1) introduce the research study; 2) ascertain their interest in study participation; and 3) obtain their approval to be contacted by the investigators. Note that direct contact of the patients by the honest broker would constitute “cold-calling,” which is prohibited by the IRB.

HIPAA defines multiple data elements that must be removed from health information in order for the information to be recognized as de-identified. Alternately, HIPAA will permit, without prior patient authorization, the use and disclosure of health information for research which includes a “limited data set”. A limited data set is protected health information which excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: names; postal address information, other than town or city, State, and zip code; telephone numbers; Fax numbers; electronic mail addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; Web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; biometric identifiers, including finger and voice prints; and full face photographic images and any comparable images. If the health information provided to the investigators is based on a limited data set, the investigators must also sign a UPMC Health System (UPMCHS) “data use agreement” which addresses various HIPAA conditions related to subsequent uses and disclosures of such information.
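An added illustration of the honest-broker flow and the limited-data-set exclusions described above; it is not part of the original memorandum and not a UPMCHS system. The `HonestBroker` class, all field names and the sample records are assumptions constructed for this example.

```python
import secrets

# Direct identifiers the memo lists as excluded from a limited data set.
# All field names below are assumptions made for this example.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric_id", "photo",
}
# Fields reviewed as releasable; anything else is refused (fail closed).
RELEASABLE = {"city", "state", "zip", "diagnosis", "ejection_fraction"}

class HonestBroker:
    """Keeps the code-to-identity link; investigators never receive it."""
    def __init__(self):
        self._identity = {}      # linkage code -> withheld direct identifiers
        self._code_for_mrn = {}  # one stable code per patient

    def release(self, records):
        """Return rows carrying only releasable fields and a linkage code."""
        rows = []
        for rec in records:
            unknown = set(rec) - DIRECT_IDENTIFIERS - RELEASABLE
            if unknown:
                raise ValueError(f"unreviewed fields: {sorted(unknown)}")
            mrn = rec["medical_record_number"]
            if mrn not in self._code_for_mrn:
                code = secrets.token_hex(8)  # random, not derived from the MRN
                self._code_for_mrn[mrn] = code
                self._identity[code] = {k: v for k, v in rec.items()
                                        if k in DIRECT_IDENTIFIERS}
            row = {k: v for k, v in rec.items() if k in RELEASABLE}
            row["linkage_code"] = self._code_for_mrn[mrn]
            rows.append(row)
        return rows

    def names_for_physicians(self, codes):
        """Resolve returned codes; output goes to personal physicians only."""
        return sorted(self._identity[c]["name"] for c in set(codes))

def _rec(name, mrn, phone, ef):  # builds one constructed sample record
    return {"name": name, "medical_record_number": mrn, "phone": phone,
            "city": "Pittsburgh", "state": "PA", "zip": "15213",
            "diagnosis": "heart failure", "ejection_fraction": ef}

# Constructed sample data, not real patients (two visits for MRN-0001).
SAMPLE = [_rec("Pat Example", "MRN-0001", "555-0100", 30),
          _rec("Sam Sample", "MRN-0002", "555-0101", 55),
          _rec("Pat Example", "MRN-0001", "555-0100", 35)]

def demo():
    broker = HonestBroker()
    rows = broker.release(SAMPLE)  # what the investigators see
    eligible = [r["linkage_code"] for r in rows if r["ejection_fraction"] < 40]
    return rows, broker.names_for_physicians(eligible)
```

The linkage codes are random rather than derived from the medical record number, because a code computed from the record number (a plain hash, for instance) could be reversed by anyone able to enumerate record numbers.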

In connection with HIPAA, a UPMCHS policy, entitled Use and Disclosure of Protected Health Information for Research Purposes Pursuant to the HIPAA Privacy Rules, is being finalized. This policy will specify, among other things, that for retrospective research involving the collection and analysis of health information investigators must either obtain prospectively the written informed consent/authorization of the patients for the use of their identifiable information or must use an honest broker (including appropriate processes and systems) to de-identify the health information. In order to ensure appropriate institutional oversight, the honest broker process should be developed at the department or school level (i.e., rather than each investigator having his/her own honest broker system) and must be prospectively approved by the UPMCHS Privacy Officer and the IRB. Alternatively, departments or schools may opt to use a third party honest broker such as that provided by the Office of Clinical Research, Health Sciences, or MARS, Inc.

Additionally, in the future, a research privacy module will be developed and incorporated into the Web-based Research Practice Fundamentals education and certification programs. Once developed, all human subject investigators will be required to complete this training.

We recognize that the HIPAA and Federal Policy regulations governing the use of health information for research purposes have created and will create difficulties and obstacles for investigators. Nonetheless, compliance with the applicable requirements is not optional. We ask that you begin immediately to take action so as to ensure adherence to the HIPAA policies by the date of their enforcement; i.e., April, 2003. Also, please distribute copies of this memo to your faculty. Note that due to the differences between the Federal Policy and HIPAA requirements described above, all current IRB approvals of exempt research projects directed at the collection and analysis of existing, de-identified health information will be terminated effective April 1, 2003. If you have questions regarding HIPAA, contact the HIPAA Program Office at 42-623-3791. If you have questions about research registries or honest broker systems, contact Teresa Merolli, IRB Senior Research Review Coordinator, at 412-578-8564.
