New HIPAA rules clarify authorizations
Compound authorizations now permitted
In March 2013, the Department of Health and Human Services (HHS) issued a final omnibus rule modifying various aspects of the Health Insurance Portability and Accountability Act (HIPAA) to implement provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH). These rules include a few notable changes that affect research programs, including provisions related to compound authorizations and authorizations for future research use and disclosure of protected health information (PHI).
"It was a pretty big shift that had been anticipated in the proposed rule, and it addressed unnecessary obstacles in getting authorization to the use of protected health information in research work," says Kate Heffernan, JD, counsel and chair of the Academic and Clinical Research Group at Verrill Dana, LLP, in Boston.
One of the most notable changes for IRBs is the way in which authorizations can be combined. The previous HIPAA rule prohibited compound authorizations on a single form — an authorization for research-related interventions could not be combined with an authorization for the use and disclosure of PHI for other unconditioned activities. For example, an authorization for future blood or tissue banking (an unconditioned authorization) could not be combined with a consent for participation in a clinical trial in which an experimental treatment would be provided (a conditioned authorization). This created additional paperwork for researchers, as they had to obtain multiple authorization forms depending on the requirements of the study. This rule was also inconsistent with the Common Rule, which does not prevent an informed consent form from combining authorizations.
"The problem was that if you had a conditioned authorization combined with an unconditioned one, you couldn't have them on the same form even if they both related to the same research study," says Robyn Shapiro, partner, Drinker Biddle & Reath, LLC, in Milwaukee. "It was awkward — you needed two consent documents because that's how you had to break it apart."
The modified rule allows for compound authorizations on the same form, as long as the authorization clearly differentiates between the conditioned and unconditioned components and there is a clear way for participants to opt in to the unconditioned research activities. Commentary to the final rule notes that an "opt in" check box can be used on the form for the unconditioned component, but an "opt out" box cannot be used because it does not provide a clear way to authorize the optional research activity — something that IRBs could find confusing, Shapiro says. "IRBs were used to looking at two separate consents in the hypothetical [involving research-related treatment and an optional tissue and data banking component]. Now they're seeing one consent, but they need to be sure there's clear difference between the two, and clear, affirmative authorization of the unconditional, optional research activities."
"It has to be clear that there are distinct activities in play," Heffernan adds.
Clearing up future use
Future use authorizations have been a headache for IRBs, Shapiro says. Under HHS's prior interpretation of the Privacy Rule, research authorization had to be study specific, even though researchers themselves were often not sure what the PHI would be used for down the line. The Common Rule, however, does not prohibit compound authorizations. The HIPAA rule was seen as encumbering future research, she says. "The government hasn't issued a new rule about this, but in interpreting the rule, it has changed its mind about the specificity required to have a valid authorization for future use of PHI," she adds
Under HHS's modified interpretation in the Final Rule, an authorization for use or disclosure of PHI for future research purposes does not have to be study specific. Instead, the authorization must describe the purposes so that it would be reasonable for the individual to expect that his or her PHI could be used or disclosed for such future research. For instance, an oncology trial consent form may ask participants to authorize PHI for use in future cancer studies. "Would it then be OK for a future researcher to use the PHI for an Alzheimer's study? My interpretation would be no — in that set of circumstances, it would not be reasonable for the subject to determine the PHI would be used for Alzheimer's research," Shapiro says. "It all depends on how that future use is described and if you can say it would be reasonable for the person to expect that the first permission would cover the future use."
"The IRB can review that future downstream use to see if the original consent was sufficiently broad to cover it, or if the secondary use is too far afield to allow for that," Heffernan says. "Assuming the secondary use warrants IRB review, there's still an analysis that occurs at the future point in time to see whether the individual would have understood the consent and authorization to cover the future activity."
Although the effective date of the Omnibus Rule was almost a year ago, IRBs may still be facing some confusion when developing or approving consent forms, Shapiro says. "It's supposed to make it easier, but could be confusing," she says. "I think it will put more burden on the IRBs to make judgment calls. IRBs already have full plates with all sorts of things, and with additional judgment calls with all of this, it's a lot to handle."
"It's silly that there are multiple forms, but it can also be very difficult to address these different activities — one required, one not — in one form without it becoming two authorizations in one document," Heffernan adds. "The fundamental challenge institutions face is how to implement the change in a way that promotes efficiency and is not confusing."
Shapiro and Heffernan offer these tips to IRBs for navigating the Omnibus Rule:
- Hold training sessions for staff. "There are so many things they [IRBs] are responsible for — having a discussion about this rule and how it relates to what they do would be a good idea," Shapiro says.
- Create templates for compound authorization forms. "The important thing to think about is that certain things are now allowed, but there are requirements attached," Heffernan says. "Those requirements can be met through proper templating, and through reviewing documents in real time."
- Have a "cheat sheet" for IRB members. The cheat sheet can include examples of acceptable compound authorizations, and what will and will not work according to HIPAA rules. "They might be able to do the same thing with a template guidance document on how they will evaluate compound authorizations for future use, and those that they would be comfortable approving," Shapiro says. She also suggests offering these tips to study coordinators and other staff who may handle consent and authorization documents.
Other notable changes for IRBs include:
Clarification to business associate relationships and agreements. HHS clarified that third-party or central IRBs do not count as business associates of the covered entity research institution. "That had been a point of confusion over the existing rules," Heffernan says. Institutions can still use privacy contract requirements they feel are appropriate, she says. "[Institutions] should still be thoughtful about privacy agreements — nothing in HIPAA precludes them from contract terms they feel are appropriate," Heffernan says.
Business associates now include patient organizations, health record vendors, and health information services.
Breach notification rules. The Omnibus Rule now defines a breach as disclosure, access, use, or acquisition of PHI without permission. Notification isn't required if it is shown that there is low risk of data compromise, or if the PHI is properly encrypted.
"The breach piece doesn't fall to [the IRB] so much because that is usually handled by the privacy office or officer, but I do think it's important for IRBs to be educated on these requirements and be aware of them and be part of the process of facilitating the compliance," Heffernan says.