On July 14, 2010 the US Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) proposed significant changes to the Health Insurance Portability and Accountability Act (HIPAA) administrative simplification rules (the Proposed Rule). A high-level summary of these changes was provided in part one of this three-part alert series.
A number of provisions in the Proposed Rule will impact the use and disclosure of protected health information (PHI) for clinical research purposes. HHS is specifically soliciting input on these proposals (with comments due by September 13, 2010), and interested health care providers, life science companies and other organizations involved in clinical research should consider whether to submit comments. If finalized, these proposals could improve the research consent and authorization process for both covered entities and research sponsors.
Note, however, that these changes will not impact more stringent requirements under existing state laws and regulations regarding consent and authorization for human subject research. For example, although HIPAA may permit combined authorizations for primary and secondary research purposes, state law may require separate forms. Therefore, before implementing changes under HIPAA, health care providers, life science companies and other research organizations will need to ensure that their consent and authorization procedures incorporate and comply with any state-specific requirements.
Use of Compound Authorizations
Permitting use of PHI is an integral part of a patient’s decision to receive treatment through a clinical trial. Current HIPAA regulations permit teaching hospitals and other covered entities to condition research-related treatment on the patient’s willingness to authorize use or disclosure of his or her PHI for such research. In addition, HIPAA regulations permit research institutions to combine a HIPAA authorization with another study-related permission form, such as the informed consent document.
However, under other circumstances, treatment or payment for health care services may not be conditioned on a patient’s authorization to participate in a research-related activity. For example, treatment generally cannot be conditioned on the patient’s willingness to permit his or her biological specimens (and associated PHI) to be included in a repository or databank for future or secondary research. Moreover, the Privacy Rule does not permit conditioned and unconditioned authorizations to be included in a single document. Researchers are therefore required to provide patients two authorization forms: one for the clinical trial and one for the related research database or repository.
HHS has proposed to eliminate this administrative burden and streamline the research consent process by permitting combination of the conditioned and unconditioned authorizations for research purposes, as long as the document clearly differentiates the two research activities and allows the patient to opt in to the unconditioned activity, e.g., the tissue bank or research database.
Notably, covered entities would have some flexibility in designing research authorizations to include these types of activities. For instance, a covered entity could use a check-box for the unconditioned activity, or it could use a separate signature line to indicate the patient has authorized the optional research that will not affect treatment related to the primary clinical trial. HHS has requested public comment on additional methods to differentiate conditioned and unconditioned research activities.
Future Research Uses and Disclosures
In addition to permitting combined research authorizations, HHS has proposed to specifically permit the use and disclosure of PHI for future research activities involving databases and biological specimens. Previously, the agency had interpreted the Privacy Rule to require that all research authorizations be study-specific. In other words, under HIPAA, researchers could not ask patients to include their information or biospecimens in repositories or databases that would be used to support future, unspecified research projects. This, however, diverges from current practices under the federal Common Rule and other research regulations permitting informed consent for secondary research activities.
HHS has proposed three options:
- Permit an authorization for use and disclosure of PHI for future research if, based on an adequate description of such activities, it would be reasonable for the individual to expect his or her PHI could be used or disclosed for future research;
- Permit an authorization for future research only to the extent the description of the future research includes certain elements or statements specified in the Privacy Rule; or
- Permit option 1 but require certain disclosure statements if the future research may involve sensitive research activities, such as genetic analyses or mental health research.
The Proposed Rule does not specify what elements or statements would be necessary in an authorization for future research. Instead, HHS has specifically requested public comment on these options.
Prohibition on Sale of PHI: Research Exception
The Health Information Technology for Economic and Clinical Health (HITECH) Act prohibits a covered entity from receiving remuneration in exchange for disclosure of PHI, unless the covered entity has received a valid patient authorization. There are, however, several important exceptions to this rule, including payment for disclosures of PHI for research purposes, as long as the price charged for the information reflects the costs of preparation and transmittal of data. This would permit, for example, payments made by a clinical trial sponsor to a teaching hospital in exchange for trial-related data. While HHS has included this exception in the Proposed Rule, it has not specified what types of costs should be permitted. Rather, the agency has specifically requested public comment on this issue, as well.
Squire Sanders lawyers have significant experience in clinical research and data privacy matters. We routinely advise clients in both academic medicine and the life science industries in matters pertaining to use of biospecimens and patient information. We continue to monitor the Proposed Rule and are available to assist clients in submitting comments to HHS, as well as structuring their privacy and security practices to comply with any subsequent changes to HIPAA regulations. For more information on how we can help you, please contact your principal Squire Sanders lawyer or one of the lawyers listed in this Alert.