Some Phase I studies of healthy individuals — such as those done in a stand-alone, research-only environment — may escape the scope of HIPAA, but very little else does. HIPAA covers all research activities that use individually identifiable patient health information (PHI) about humans, as long as the information is collected in a setting related to the patient care process.
What makes information identifiable? Elements that make information individually identifiable include, but are not limited to the following:
It is important for researchers to understand the difference between "use" and "disclosure." A "use" happens within a healthcare organization or other covered entity, and is under direct control of that organization. A nurse in a clinical care setting is using PHI. "Disclosure" happens when information is given to someone who is not part of the organization's work force. For example, when you show your source documentation to a monitor, you are disclosing that information, even if the monitor does not physically remove any PHI from the research site.
All healthcare entities must obtain patients' permission before using their PHI for certain purposes other than treatment, payment, and routine operations. This means that you need to obtain permission before using the PHI of the patient for most clinical research. Some hospitals and other covered entities will use a separate authorization to do this. However, the Mount Carmel IRB has chosen the simpler route of folding the authorization information into the "consent for research" or "informed consent" document already in use.
Whether you use a separate authorization or combine it with the consent:
You will find all of this information built into the sample informed consent form.
When searching for likely subjects for a study, investigators and coordinators usually review such documents as medical records, appointment logs, rounding lists, or procedure posting boards. In these cases, you're examining - and thus using and disclosing — PHI for purposes other than treatment, payment, or operations, and you are doing so without the patient's authorization.
Under HIPAA, you are still able to perform most of your current pre-screening activities. However, you now need to obtain formal permission from the organization where you're holding the trial or the IRB responsible for overseeing the project.
There are two ways of doing this: Through a "waiver of authorization" (similar to the "waiver of consent for research" under current regulations), or through a "review preparatory to research." The waiver of authorization can be granted by the IRB.
Waivers are required for most trials in which you plan to send pre-screening logs to a sponsor as part of the research study. Waiver requests must be completed, submitted to, and accepted by the IRB before you conduct any pre-screening activities. Waivers can be incorporated into the main research protocol, but must satisfy all of the following criteria:
It also needs to satisfy two additional criteria, already required in current regulations:
Using a waiver of authorization, your initial contact with the potential subject may come in person, after the patient has left the institution, or by mail or phone. You can also send the PHI to the trial's sponsor.
However under a waiver of authorization, you must destroy the identifiers, including dates and medical record numbers, at your earliest convenience (unless retention is required by law or there is some other sufficient justification for their retention).
If you do not plan to send logs to a sponsor after a trial, you can choose to complete a "review preparatory to research."ù This review should include all of the following information:
With this method, you are not allowed to remove the pre-screening logs from the healthcare facility. You can still use them to contact the patient by mail or phone, since the disclosure is simply to the patient.
Limited data sets in conjunction with a data use agreement allow you to send at least some individually identifiable information to sponsors for research purposes. The limited data set opinion may only be used for three purposes: (1) research; (2) public health; and (3) healthcare operations. It cannot be used for marketing.
By using limited data sets in conjunction with the data use agreement, you are able to submit pre-screening logs with certain specific information to a sponsor (though the information in the logs is still subject to the privacy rule and might still be subject to the IRB). This mechanism also allows you to disclose information to disease registries or studies operated by private organizations. You must remove direct identifiers from the data, but could include useful information such as complete dates, 5-digit zip codes, and geographic information other than street addresses — and the link field, as an encrypted identifier.
Identifiers that must be removed from a limited data set include the following:
The minimal necessary rules do apply to limited data set information, so consider carefully what information to include.
To ensure that there is a small likelihood of re-identification, you will need to have the recipient sign a data use agreement. The agreement should specify the following: