HIPAA regulations still confuse and confound

If you don’t get it, you’re not alone

Just about a year ago, the Privacy Rule, which is a part of the Health Insurance Portability and Accountability Act (HIPAA) regulations, became enforceable. Already, complaints are coming in and investigations are being launched — some against mighty organizations such as Kaiser Permanente.

While there has been concern that HIPAA could have a dampening effect on research, the good news is there is no evidence of that happening. The bad news is that most people are still confused by what the regulations require and how that affects the work they do.

According to Mark Barnes, a partner at the New York City law firm of Ropes & Gray, one of the big things that makes HIPAA different from other federal regulations governing research is that this rule applies to virtually all clinical or interventional research that is done around the country. While most federal regulations relate only to federally funded research, this applies to it all.

"The other issue is that this is an overlay of the existing rules and regulations that was not designed to be consistent with those other rules," he says. The Common Rule for protection of human subjects and the rules and regulations of the FDA already are complex. "Now HIPAA comes along, and it has only one value, medical privacy. And even though it is only one thing, it gets complicated."

There are some basics that can help you get through the muddle, says Kim Gunter, JD, a partner in PricewaterhouseCoopers’ pharmaceutical and health sciences practice in Philadelphia:

1. It applies to everything and everyone — sort of. While most federal regulations only apply to federally supported or regulated research, this applies to all research. While most rules apply only to living individuals who are subjects, HIPAA relates to anyone who is the subject of information, living or dead.

But the National Institutes of Health (NIH) is quick to point out that HIPAA is about covered entities, not research. Covered entities are defined as health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage.

Researchers are covered entities if they also are health care providers who electronically transmit health information in connection with any transaction for which HHS has adopted a standard.

Parts of hybrid entities may be exempt. A hybrid entity is one that has both covered and non-covered functions. For instance, if a university has a research laboratory that functions as a health care provider but does not engage in the specified electronic transactions, the university, as a hybrid entity, has the option to include or exclude the research laboratory from its health care component. If the lab is excluded from the hybrid entity’s health care component, it is not subject to HIPAA.

2. When HIPAA doesn’t apply. HIPAA doesn’t always have to hamper you. If you are trying to determine whether a study is feasible, preparing a protocol, or identifying prospective research participants, you may not need an authorization under HIPAA. Keep in mind, however, that to make use of the preparatory-to-research provision, protected health information can’t be removed from the covered entity. That means that if the information is in a physician’s office, there it must stay while it is being used in this fashion.

This is perhaps the biggest problem area that Gunter has seen. "For external researchers, not taking the information off-site is a huge problem," she says. "I have heard of this interfering with patient recruitment. If you do not know who the patient is, you can’t contact them for authorization. You can use the data, but you can’t use it off-site, and you can’t use them without removing them from the office. Sending information over the Internet or fax is no longer an option, and for many researchers, they just don’t ever go on-site."

Another exception is studies that get IRB or privacy board waivers. To get one, you must meet the following criteria:

  • Use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals because there is a plan to protect health information identifiers from improper use or disclosure, a plan to destroy identifiers at the earliest legally acceptable opportunity, and written assurances that the information will not be used or disclosed to a third party except as required by law.
  • Research could not be conducted practicably without the waiver or alteration.
  • Research could not be conducted practicably without access to and use of the protected health information.

The other way to get an exception to HIPAA requirements is to de-identify the information. Under the rule’s safe harbor method, that involves removing 18 specified categories of identifiers from the data (names, geographic detail smaller than a state, date elements other than year, contact and account numbers, device and biometric identifiers, and the like), and the covered entity must have no actual knowledge that what remains could still identify the individual.

You also can use statistical methods to establish de-identification instead of removing the 18 identifiers.

This involves getting certification from "a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" that there is a very small risk the information could be used by the recipient to identify the individual who is the subject of the information. The person certifying statistical de-identification must document the methods used as well as the result of the analysis that justifies the determination.
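The safe harbor method described above is mechanical enough to be worth seeing as code. The following is an added illustration, not code from the article, the NIH, or the quoted sources: it applies the 18 identifier categories of 45 CFR 164.514(b)(2) to a structured patient record plus a free-text note. The field names, the two constructed sample records, the regular expressions, and the set of sparsely populated three-digit ZIP areas (which in practice comes from census data) are all assumptions made for this example.

```python
"""Safe-harbor-style de-identification of a patient record (added example).

The identifier categories follow 45 CFR 164.514(b)(2); the field names,
records, regexes and the sparse-ZIP3 set below are illustrative assumptions.
"""
import re
import secrets
from datetime import date

# Structured fields removed outright: names; geographic units smaller than a
# state; phone, fax, e-mail; SSN, medical record, plan, account and license
# numbers; vehicle and device identifiers; URLs and IPs; biometrics; photos.
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "plan_id", "account", "license", "vehicle", "device_serial",
    "url", "ip", "fingerprint", "photo",
}

# Free-text patterns for the categories that have a recognisable shape.
# Order matters: the SSN pattern runs before the looser phone pattern.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]

# Assumed set of ZIP3 areas with 20,000 or fewer residents (must be "000").
SPARSE_ZIP3 = {"036", "059"}


def generalize_zip(zip_code, sparse_zip3):
    """Keep only the first three ZIP digits; use 000 for sparse ZIP3 areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in sparse_zip3 else zip3


def generalize_age(birth, as_of):
    """Ages over 89 collapse into the single category '90+'."""
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if age > 89 else str(age)


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with labels."""
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def safe_harbor(record, sparse_zip3, as_of, new_code=lambda: secrets.token_hex(8)):
    """Return a de-identified copy of `record`, dropping or generalizing identifiers.

    `new_code` supplies a re-identification code that is random rather than
    derived from the record, as 164.514(c) requires; the covered entity keeps
    the mapping to the original record and never discloses it.
    """
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value, sparse_zip3)
        elif key == "dob":
            out["age"] = generalize_age(value, as_of)
            # Birth year alone may stay, unless it would reveal an age over 89.
            if out["age"] != "90+":
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[key] = value.year  # year is the only date element allowed
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    out["research_id"] = new_code()
    return out


# Constructed sample records; no real patient data.
SAMPLES = [
    {
        "name": "Jane Q. Sample", "dob": date(1912, 3, 4), "zip": "03601",
        "admitted": date(2003, 11, 20), "mrn": "MR-0048213",
        "phone": "555-867-5309", "diagnosis": "I10",
        "notes": "Pt called 555-867-5309 on 2003-11-18; chart emailed to jane@example.org.",
    },
    {
        "name": "John Doe", "dob": date(1970, 6, 15), "zip": "10027",
        "discharged": date(2004, 1, 9), "diagnosis": "E11", "notes": "No contact on file.",
    },
]


def deidentify_samples(as_of=date(2004, 5, 1), new_code=lambda: secrets.token_hex(8)):
    """De-identify the constructed samples as of a fixed reference date."""
    return [safe_harbor(r, SPARSE_ZIP3, as_of, new_code) for r in SAMPLES]


if __name__ == "__main__":
    for rec in deidentify_samples():
        print(rec)
```

Two caveats a practitioner should carry away: the regex pass over free text catches only identifiers with a recognisable shape, so a name or a rare condition mentioned in a note survives it, which is exactly the "actual knowledge" problem the safe harbor method leaves with the covered entity; and the random research code is only acceptable because it is not derived from the record and the mapping back to it stays inside the covered entity.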

3. Language is an issue. If none of those exceptions apply to your research, complying with HIPAA is not as simple as getting subjects to sign a HIPAA form along with their informed consent document. "Subjects already don’t like informed consent forms," says Barnes. "There are a lot of required statements that have to be included. It makes them nervous. And it’s well nigh impossible to convey that information at a sixth-grade reading level," Barnes says.

HIPAA has to be at that level, he says, but try saying the following so that a teenager will understand: The research team will collect data covered by HIPAA and only can use your medical information in the ways that are described and allowed by you in this form, but if this form allows them to give your information to people who aren’t covered by HIPAA, then those companies and their agents can do what they want with it without penalty. "How can you possibly convey that in a simple manner?"

Helen Hayes Hospital in West Haverstraw, NY, has developed HIPAA language written at an eighth-grade level. (See sample language, below.) Additional help is available from the NIH, which has sample authorization language available at http://privacyruleandresearch.nih.gov/authorization.asp#samplelang.

Sample HIPAA language

A. "Under current laws, you have control over who has access to your medical records. Any medical information about you that comes up as a result of this research study can be shared and discussed with all the members of the research team for the duration of this study. The research team may include, in addition to Helen Hayes Hospital staff, researchers from other hospitals, universities, drug companies, or government agencies. Some members of the research team may not be required to follow federal laws that protect the privacy of your health information.

B. Although you have a right to see and get copies of your medical records, medical research studies often require that research subjects not be able to see information collected for the research while the research is in progress. Health information about you that becomes available as a result of this study may not be available to you for as long as the research is in progress. You will, however, be made aware of all available information that may make this study dangerous to you, or that may make you want to reconsider your participation in this study.

C. Helen Hayes Hospital needs you to sign this consent form in order for you to participate in the research study. If you choose not to sign this consent form, you will not get the treatments that are part of this study, but you will in no way lose any of the benefits or privileges of any regular Helen Hayes Hospital patient.

D. Even if you sign this consent form you can take back at any time your permission to have your medical information shared by the research team, although some of this information may have been shared already. In order to take back your permission to share information, you have to give a written notice to a member of the research team."

Source: Helen Hayes Hospital, West Haverstraw, NY.

4. Find a privacy officer. You don’t have to hire one, but someone has to have the responsibility for dealing with privacy issues and complaints. In addition, waivers of authorization have to be reviewed by an IRB or a privacy board at your institution. A privacy board can be a committee of an IRB, or the IRB sitting as a privacy board. The membership and record-keeping requirements of these boards are like those of IRBs — unaffiliated members are a must, no member may vote on issues or studies in which he or she has a conflict of interest, and privacy boards must include members of varying backgrounds.

5. Check your policies and procedures. Gunter says to check over anything in your current crop of policies and procedures that relates to confidentiality and make sure it complies with privacy laws. If you aren’t sure, do some reading, she says. The NIH web site has a section on how HIPAA relates to research. The document is thorough, and about as simple and understandable as this law can be made, "but you’ll have to read it through more than once, and it won’t give you guidance on all potentialities."

Your general counsel may also be able to help, but Gunter says that office is probably best qualified to tell you about how state laws compare; in cases where state privacy laws are more stringent than HIPAA, they take precedence.

6. Get training. You and your staff should be taking seminars on this topic regularly. There is provision in HIPAA for it to be modified annually, Gunter says. The next potential modification comes this summer. There is also technical assistance and guidance that is issued by the government regularly. If you opt not to follow the guidance but to follow the law as it is written for a particular issue — and Gunter says the choice is yours — be sure you cite the law or the guidance as appropriate, and document what you do.

Barnes says he doubts there will be any big changes in the near or medium term. There was a conference at the end of March that included a half-day devoted to how HIPAA has impacted research. In the long term, there may be some changes, but for now, only interpretation of the law is likely to change.

Although it is convoluted and confusing, Gunter contends HIPAA is a good thing.

"It brings us more in line with what is happening internationally," she says. "And since more research happens across borders, being more in line with what others are doing is probably a good thing."