HIPAA challenges can be overcome, experts say

Should authorization form be a stand-alone?

Making changes under the Health Insurance Portability and Accountability Act (HIPAA) has not been easy for many research institutions and their IRBs. IRBs have considered several major decisions, including whether to combine the human subjects informed consent form with the HIPAA privacy authorization and whether to have the IRB handle HIPAA issues or create a separate privacy board.

Although it’s still early in the implementation of such changes, HIPAA experts at two universities say that the transition to a HIPAA-compliant research institution can go smoothly if approached carefully and with attention to details.

It helps if the institution has had a history of paying close attention to privacy issues, says Diane Clemens, DC, CIP, HIPAA compliance manager of research at the Washington University School of Medicine in St. Louis.

"Our institution has always been quite conservative, and so many IRB policies already in place were more stringent than HIPAA requires," she says. "[HIPAA] compliance was mainly a matter of documenting what has always been the practice."

And that’s where it pays to have a detail-oriented person in charge because the documentation is one of the major changes for IRBs and research institutions.

For example, at the University of Washington in Seattle the biggest impact of HIPAA has been the requirement that covered entities have to account for disclosures made without authorization, says Helen McGough, director of human subjects division.

"That’s an enormous burden on researchers and entities," she says. "For example, the University of Washington Medical Center is requiring each researcher to keep a detailed record each time a case is accessed for research purposes, because now patients have a right to come to the hospital to see all disclosures made without authorization."

Each hospital or entity is handling the documentation issue in its own way, McGough says.

"At the University of Washington Medical Center the expectation is that researchers will pay for their own staff to keep accounting for those disclosures," she says. "We have set it up so that researchers download lists of disclosures they have made in a separate database, and any patient who comes to the hospital to request the data can go to a centralized database and receive a list of information."

The state of Washington had passed a bill that provided privacy protection years before HIPAA. The Uniform Health Information Act of 1996 forced the state’s research institutions to educate investigators and clinicians about privacy and rules regarding using patient records for research, McGough says.

"So when HIPAA came down they were already thinking in those ways," she explains.

The institution educated IRB members, researchers, clinicians, and others about privacy regulations through its web site, newsletters, e-mail newsletters, and tutorials, McGough says.

"Since 1996, we’ve been developing a varied educational effort to encourage attention to issues of privacy and confidentiality," she adds.

Ongoing education needed

For most of the nation’s research institutions, however, educating investigators, IRBs, staff, and especially health care gatekeepers to patient information about privacy rules will be one of the major challenges.

One group of investigators at Washington University has had trouble obtaining health information from hospitals that are not affiliated with the university because the hospitals’ staff are afraid of releasing anything for research, Clemens notes.

Staff at hospitals where research is less common are unfamiliar with some of HIPAA’s provisions for conducting research, and so they are overly cautious in working with investigators, she adds.

Probably the biggest decision that IRBs face is whether to combine the human subjects informed consent document with the HIPAA authorization, Clemens says.

"We talked with several institutions to find out how they were handling it and then talked with our investigators to learn their preference," she says. "The final decision was to combine the HIPAA authorization and the consent form, which means the IRB has to review the privacy information."

This was a critical decision because it meant that the IRB would have to take on a great deal of extra work, Clemens says.

"Several institutions had to go with separate authorizations because they didn’t have the staff to review a combined document," she adds. "We are fortunate to have the resources and support to carry out such a task."

The authorization template that was inserted in the consent form has to be tailored for each study, and on average it adds one-half to one page to the consent document, Clemens says.

For several months, Clemens and a staff of six reviewed all open and enrolling studies, assessing HIPAA compliance. Now the staff are looking at new submissions as well as taking on other duties, she says.

"One thing that caught us off guard was the role pharmaceutical sponsors would play in HIPAA," Clemens says.

"We were under the impression that since sponsors are not covered entities, they wouldn’t have much involvement with HIPAA compliance," she says. "As it turned out, many sponsors had authorization language for investigators to include in the consent form."

That became a struggle between the IRB’s template language and the pharmaceutical company language at a time when time was short to get everything completed, Clemens adds.

The HIPAA staff found it difficult to review the pharmaceutical company forms as quickly as they could review the template HIPAA forms, she notes.

So the IRB decided to ask investigators to include the IRB’s HIPAA template in the consent form, and if the pharmaceutical company had its own authorization language, this could be included as a separate addendum with a disclaimer that the form was required by the sponsor and not reviewed by the IRB, Clemens says.

The IRB’s role is to make certain that research protocols have integrated privacy in the process, and there are no additional IRB employees to handle the extra workload, she says.

"In addition, each hospital has its own privacy officer, and the privacy officer does monitoring, gives advice, and works very closely with the IRB on the educational effort and compliance effort," McGough explains. "We’ve been having meetings for years in preparation for this, and a large part of the effort was on education because we knew this would be a big change."

Another issue that IRBs will face is how to handle the privacy requirements when dealing with research that is conducted in a foreign country and/or is conducted by a foreign investigator, Clemens says.

"Our institution initially decided to treat all research the same, subject to regulations and authorization under HIPAA," she says. "The policies were written, and we failed to consider all the repercussions."

For example, the policies made survey studies and international research difficult to handle, Clemens explains. Now the institution is reviewing these policies and considering some changes, she adds.

Also, for retrospective studies that involve database searches, the IRB has combined the waiver of consent with the waiver of authorization form, and there are database custodians who are trained to know when to release protected health information (PHI), Clemens says.

"All approved studies receive an approval letter showing what the HIPAA compliance status is and what level of PHI may be accessed," she explains.

"Investigators provide this letter to the data custodians when requesting PHI, and the custodians then act as an audit system, tracking the flow of PHI," Clemens notes. "It seems to be working very well."