Does anybody really know what HIPAA is?

The Privacy Rule is not as restrictive as anticipated

The Health Information Portability and Accountability Act (HIPAA) of 1996 contained a provision for protecting patients’ privacy by protecting their health information. The final rule was published in August, and though most health care professionals have heard of HIPAA, most have only a vague notion of what it is and how it will impact day-to-day interactions with patients.

On the IRB Forum web site (www.irbforum.org), those talking about HIPAA are asking for clarification. "How does the revision affect the functioning of IRBs?" asked Susan C. Gusy, AS, executive administrative support staff for the Eastern Connecticut Health Network Institutional Review Committee in Manchester. "I am currently struggling with the HIPAA issue and have not received any real clarifications at this time," she told IRB Advisor.

The questions posed on the Forum included the role of Privacy Boards, the impact the provision will have on informed consent, and how information can be used in reporting results.

"To the extent that there is confusion, it likely involves areas where HIPAA and the Common Rule contain similar, but not identical, concepts, such as de-identified or anonymous data and the HIPAA authorization waiver criteria vs. the Common Rule’s considerations for waiver of informed consent," says Clinton D. Hermes, JD, a lawyer with the Boston firm of Ropes & Gray.

A layman’s version of the rule appearing on the Department of Health and Human Services’ (HHS) Office of Civil Rights web site explains the rule thusly, "Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time, ensuring that researchers continue to have access to medical information necessary to conduct vital research. In the course of conducting research, researchers may create, use, and/or disclose individually identifiable health information with individual authorization, or without individual authorization under limited circumstances."

Those limited circumstances include:

• "Documentation that an alteration or waiver of research participants’ authorization for use/disclosure of information about them for research purposes has been approved by an Institutional Review Board or a Privacy Board. This provision of the Privacy Rule might be used, for example, to conduct records research, when researchers are unable to use de-identified information and it is not practicable to obtain research participants’ authorization.

• "Representations from the researcher, either in writing or orally, that the use or disclosure of the personal health information is solely to prepare a research protocol. This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study.

• "Representations from the researcher, either in writing or orally, that the use or disclosure being sought is solely for research on the personal health information of decedents, that information being sought is necessary for the research and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought."

When an authorization waiver is requested, the IRB or Privacy Board will have to determine the following, explains Ralph L. Glover II, JD, an attorney with the Chicago law firm Michael Best and Friedrich:

• whether the use or disclosure of protected health information for the research study involves no more than a minimal risk to the privacy of the participants;

• that the research could not practicably be performed without the waiver or alteration;

• that the research could not practicably be conducted without the protected health information.

"IRBs need to be aware of the authorization and waiver requirements and of the limited data set requirements," Glover says. "The limited data set is protected health information stripped of 16 identifiers about the individual, their relatives, household members, and their employers." Data sets can be used for research, public health or health care operations, he explains, but before a limited data set is disclosed, a data-use agreement must be in place with the recipient of the limited data set.

Records reviews or disclosure of personal health information can be used for subject recruiting; however, IRBs should be aware that HHS has guidelines regarding this practice. According to Glover, "The Privacy Rule permits a hospital to disclose personal health information to a researcher at the hospital’s premises if the researcher states, either in writing or orally, that 1) the use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; 2) no protected health information is to be removed from the hospital by the researcher in the course of the review; and 3) the protected health information for which use or access is sought is necessary for the research purposes. If the researcher intends on removing protected health information from the hospital, the hospital must obtain an authorization for this disclosure."

"The Privacy Rule is not going to significantly change the way hospitals use or disclose protected health information because presumably, they already comply with applicable federal laws relating to privacy of medical information, including the Common Rule," he says. "Most uses and disclosures of an individual’s protected health information for research will be conducted with the authorization of the individual. In these cases, the research authorization can be attached to the informed consent document."