Current EHR rules present dilemma

How much access should investigators be given?

Some of the latest versions of electronic health records have created logistical dilemmas for research institutions as they find that providing access to information is more difficult for research monitors, researchers browsing for information about potential subject pools, and other activities.

"It is a very hot topic," says Jennifer Niemeyer, clinical research manager for Ohio State University Center for Clinical and Translational Science in Columbus.

The OSU facility uses EPIC for its electronic records, and Niemeyer has fielded calls from different institutions about how to handle its security and privacy features.

"We're struggling with the issue of using electronic medical records for screening for studies," Niemeyer says. "We take this very seriously, and before we grant access to the medical record for research, we make sure there are several components checked off."

Human subjects protection offices are developing new procedures and guidelines for how the records can be accessed. In other cases, such as using EHR databases for assessing potential study feasibility, some institutions are taking a wait and see stand, restricting access to identifiable information until there are clearer guidelines from the federal government on how such data should be handled.

The U.S. Department of Health and Human Services' proposed rule changes to the research Common Rule would add specified data security protections to research. These would be calibrated to the level of identifiability of the collected information, according to the Advanced Notice of Proposed Rulemaking (ANPRM) for Revisions to the Common Rule, published in the Federal Register on July 25, 2011. The final rule and precise changes have not yet been announced.

According to an ANPRM fact sheet, the rationale for the change from having no specific data security protections for IRB-reviewed research to having specific protections is because IRBs were not designed to evaluate risks to privacy and confidentiality.

"Setting uniform specific standards will help to assure appropriate privacy and confidentiality protections to all subjects, without administrative burden of needing a specific committee review of each study," the ANPRM fact sheet states.

HIPAA requires an opportunity for individuals to agree or to object to proposed uses and disclosures of protected health information, according to section 164.510, pages 62-63 of the HIPAA Administrative Simplification Regulation Text, published March 2006.

This requirement includes this wording: "Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research."

The same section also lists IRB waiver criteria, saying it must satisfy criteria that includes the use of the protected health information involving no more than a minimal risk to the privacy of individuals, an adequate plan to protect the identifiers from improper use and disclosure, an adequate plan to destroy the identifiers at the earliest opportunity, adequate written assurances that the information will not be reused or disclosed to any other person or entity and that there is a brief description of the protected health information for which use or access has been determined necessary by the IRB or privacy board.

"There is no need for the IRB to issue a waiver to permit reviews of EHR for work preparatory to research," says Mark Schreiner, MD, chair of the committees for the protection of human subjects at The Children's Hospital of Philadelphia. Schreiner also is an associate professor of anesthesia and critical care and an associate professor of pediatrics at the University of Pennsylvania School of Medicine in Philadelphia.

"The investigator is permitted under HIPAA to retain subject's PHI — the minimum necessary — for later recruitment," Schreiner adds.

Privacy issues arise when hospital physicians are asked by sponsors whether they're interested in a particular study, and the doctors need to check medical records to see how many patients might be eligible, explains Cindi Zech, IRB specialist at Lakeland Health Care in St. Joseph, MI.

"The sponsor might say, 'I have a study if you're interested, and we're looking for sites with females between 40 and 50 who are treated with Metformin,'" she adds. "The physician looks in the electronic records and types up a report saying there are 100 in the system."

Then the sponsor might name the hospital as one of its study sites, and privacy troubles begin: "How do you contact those patients?" Zech says. "Investigators can do the feasibility part of it, but they can't contact patients; the feasibility part is all de-identified."

Physicians can contact their own patients, but they are not entitled to access to the health system's patients, she adds.

"Our hospital is going to be looking at that," Zech says. "We're waiting for OHRP [Office for Human Research Protections] to say if this is okay or to say that this is what you can do and can't do. Then we'll look at our policy and see if it needs revisions."

Lakeland Health Care's current policy does not permit physician researchers to contact patients who are not their own. They can find out how many of these patients are available, but they're not permitted to invite them to volunteer for the study, Zech says.

At OSU, investigators can view reports on their own pool of patients, but not on the university health system's entire pool of patients. They also can ask other physicians to inquire of their patients about the study, but they cannot approach that doctor's patients directly, Niemeyer says.

"We're very concerned about the idea of patients being approached by people they do not know," she adds.

These EHR issues involving privacy also can create conflicts when study monitors and others outside an institution need to check records.

"Things are getting stricter all the time with the way electronic health records work," says Renee Hendrickson, RN, a study coordinator with Altru Health System Research Department in Grand Forks, ND.

"We've had some monitors who are afraid to access records even though they're in read-only format," she says. "They want to sit with us and have us log in and out of the record for them."

While that doesn't happen often, it has occurred since the health system moved to full electronic records, she notes.

Altru Health System has been proactive in developing policies and procedures for accessing electronic health records. Employees, monitors, accreditation surveyors, and any other people who need to view the records first have to look at the system's policies and sign a log book to show they are aware of the policies and procedures, Hendrickson says.

"The more that facilities use electronic health records, the more standard it is becoming to have policies and procedures in place," she adds.