Most health providers are aware that several new sets of rules about handling patient information are being formulated by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The potential impact on research is being energetically debated as investigators await announcement of the final HIPAA rules.

The new rule most likely to affect research is the "Standards for Privacy of Individually Identifiable Health Information". In announcing the proposed rule last November, DHHS outlined a number of proposed changes in the ways research information will be reviewed, handled and disposed of.

The new rule will apply only to health care providers, health care payers, and health care clearinghouses. For this reason, most of the onus of complying with the rule will fall on the sources of health-related information, not on the researcher recipients of it, if different. It also only applies to individually identifiable information that is or has been maintained or transmitted electronically, including information maintained on personal computers and in research databases. The proposed rule also makes a distinction between information that is related to an individual's health care, and information that is gathered purely for research purposes.

Much of the proposed rule explicitly related to research revolves around what authorization, if any, must be given by a patient before his/her information can be used for research purposes. The proposed rule will prohibit the use or disclosure of protected health information for research without individual authorization unless there is documentation that all of the following criteria have been met:

• the use or disclosure of protected health information involves no more than minimal risk to the subjects;

• the waiver or alteration will not adversely affect the rights and welfare of the subjects;

• the research could not practicably be carried out without the waiver alteration;

• whenever appropriate, the subjects will be provided with additional pertinent information after participation;

• the research would be impracticable to conduct without the protected health information;

• the research project is of sufficient importance to outweigh the intrusion into the privacy of the individual whose information would be disclosed;

• there is an adequate plan to protect the identifiers from improper use and disclosure;

• there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers.

The body which will judge whether the criteria have been met will be either an IRB or a "privacy board", a new type of board formed to review and approve the privacy protections contained in proposes research. Where IRB's already exist they will be permitted to take on the role of the privacy board by adding to their review the new privacy criteria.

When carrying out research with patient's consent and authorization to use his/her personal information, there will be additional privacy-related requirements. A notice of privacy protections will be given to research participants which spell out their control of and access to their personal information. If a researcher wants to withhold information from subjects until the end of the study an IRB must review and approve such withholding, and the need to withhold information must be clearly stated in the consent form.

• In general, patient/participants must be given access to all their information, including that gathered specifically for research, unless:

• inspection could be reasonably likely to endanger the life of physical safety of the patient or another person;

• information identifies another individual and inspection is reasonably likely to cause substantial harm to that other individual;

• disclosure is likely to reveal the source of information provided under a promise of confidentiality;

• while the research study is in progress, and an IRB has approved denial of access and the participant has agreed to the denial when consenting to participate in the study;

• information was compiled for a legal proceeding.

In addition to documenting the participant's explicit authorization to use private health information, and/or the participant's consent not to have access to information while the study is in progress, health care institutions will be required to document the release of private information for research purposes. Before releasing personal health information, the institution will have to document the date of the disclosure, the name and address of the person receiving the information; a description of the information disclosed; a copy of the patient's authorization, and the documented approval of the IRB or privacy board.

Clearly, the new rules will place new restrictions and burdens on both researchers and health care organizations. The consent process will be expanded to include more explicit discussion of who will have access to the information to be generated in research, IRB's will expand the scope of their reviews somewhat, and new procedures for documenting the use of private information for research will have to be instituted.

The new rule discussed here
is one of seven to be issued under the HIPAA legislation. The first, which established standards for electronic health information, was issued in August. It is not known how soon the Standards for Privacy of Individually Identifiable Health Information will be finalized, but researchers are well advised to be prepared for changes in how they do business.

The portion of the proposed standards applicable to research can be found at:
http://aspe.os.dhhs.gov/admnsimp/nprm/pvc27.htm

Back to top