HIPAA changes retro data research rules
HIPAA changes retro data research rules
By Paul W. Goebel Jr.
Vice president
Chesapeake Research Review
Columbia, MD
Question: Is informed consent needed for retrospective data research? Under what circumstances can informed consent be waived?
Answer: Retrospective data include stored physical samples or data, resulting from either earlier studies or nonresearch activities such as the practice of medicine. There are two sets of regulations to consider, the Common Rule and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The Common Rule generally applies only when the project is federally funded, although its requirements are often extended to cover all applicable research. HIPAA generally applies only when the research site is a covered entity.
The two rules provide protections for two different activities: 1) The purpose of the Common Rule is protection of the rights and welfare of the human subjects of research. 2) The purpose of HIPAA is to prevent inappropriate use or disclosure of protected health information (PHI). PHI is information through which the individual patient can be identified.
Much low-risk or no-risk research involving interviews or surveys is exempt from the Common Rule. A nonexempt retrospective review project is eligible for waiver of the Common Rule informed consent requirement if it involves no more than minimal risk to the subjects.
A project is exempt from HIPAA if the information is de-identified, with all 18 identifiers removed, that is the information is recorded so that the subjects cannot be identified, either directly or through identifiers linked to the subjects.
Although the HIPAA Privacy Rule applies only to covered entities, its authorization agreement elements are rapidly becoming the standard for all research projects.
• Informed consent vs. authorization agreement. Under HIPAA, the PHI now belongs to the individuals and the hospitals and researchers are its custodians. The medical staff have unrestricted access to the information for treatment, payment for health care, or for health-related operations (TPO). Research is not included in TPO, so the use or disclosure of the PHI for the specific research activity must follow specific procedures, usually either an authorization or a waiver of authorization. Before HIPAA, sponsors and investigators often collected and stored specimens without revealing to the study subjects the intended future uses for these samples. HIPAA now requires the uses to be specifically outlined in the authorization agreement. Although they can be combined into one document, the authorization agreement and the informed consent document serve different purposes and both may be required.
• Consent at the time of collection. Many biomedical studies include in the consent document permission to collect tissue or blood to be stored for future research. The intended use of this human biological material (HBM), the length of time it will be stored and whether it will be stored as identifiable should be outlined in the consent. The current guidance is that consent should be obtained for all HBM at the time the material is collected. HIPAA requires a research subject to sign an authorization agreement for all prospective uses or disclosures of PHI including unspecified future research, unless it is not practicable to do so.
• Use of stored samples for which consent was not obtained. Many of the stored samples and data sets were either collected without explicit written permission of the study subject to use them for research or else the consents have been lost. Still others were collected with general consents that do not address research as one of the purposes for which the samples may be used. HIPAA allows data/samples to be de-identified and re-identified with a code before the repository provides them to the researcher.
The confidentiality can be maintained while still providing the researcher with donor-specific medical information by having a gatekeeper at the repository hold the identifiers. The gatekeeper would forward samples and relevant medical data in a form that is anonymous to the researcher. If the researcher needs additional medical data, they could be obtained from the gatekeeper, which would maintain the anonymity of the donors.
With respect to the oversight of genetic tests, the Secretary’s Advisory Committee for Genetic Testing has stated that informed consent must be obtained from all subjects participating in such research.1
Reference
1. Enhancing the Oversight of Genetic Tests: Recommendations of the SACGT: http://www4.od.nih.gov/oba/sacgt/reports/oversight_report.htm.
Physicians, nurses, and others participate in this continuing education program by reading the article, using the provided references for further research, and studying the questions at the end of the issue. Participants should select what they believe to be the correct answers, then refer to the list of correct answers to test their knowledge.
To clarify confusion surrounding any questions answered incorrectly, please consult the source material. After completing this activity at the end of each semester, you must complete the evaluation form provided and return it in the reply envelope provided in order to receive a certificate of completion. When your evaluation is received, a certificate will be mailed to you.
Question: Is informed consent needed for retrospective data research? Under what circumstances can informed consent be waived?Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.