HIPAA’s effect on clinical trial info causes worry for researchers
HIPAA’s effect on clinical trial info causes worry for researchers
Some ask HHS for an amendment to privacy rule
If the government gets its way, your IRB could be forced into making value judgments on what patient identification data can be disclosed as part of research. Fourteen professional health care organizations and various representatives of hospital- and university-based research facilities say the new privacy regulations could impair clinical trials, place onerous burdens on IRBs, and restrict the number of health research studies conducted in the United States.
Organizations that oppose the Health Insurance Portability and Accountability Act (HIPAA) of 1996 voiced concern in a letter written to Tommy G. Thompson, secretary of the U.S. Department of Health and Human Services (HHS). The group is calling for substantial amendments to the proposed rules published in the Aug. 14, 2001 Federal Register.
"Our concern with HIPAA is it creates a parallel regulatory structure with much greater liability associated with any breach of the very complicated privacy rules," says Jennifer Kulynych, JD, PhD, director of the division of biomedical and health sciences research for the American Association of Medical Colleges in Washington, DC. Breaches of the privacy rule could result in civil fines and criminal penalties for researchers, medical schools, hospitals, and others directly involved in maintaining patient health data, Kulynych says.
The portion of HIPAA that is of specific concern to IRBs and researchers is Section 164.514, which discusses requirements relating to uses and disclosures of protected health information. (See "HIPAA requirements in a nutshell," in this issue.) This section explains the definition of "de-identification of protected health information," which relates to information that does not identify an individual and cannot reasonably be used to identify an individual.
There are only two methods for determining that health information is de-identified. The first method requires a statistician to determine that the risk of identification is very small and to document the methods and results of that conclusion. The second method requires that 18 pieces of information be entirely removed from the health care data. (See "Privacy rule lists these 18 research identifiers," in this issue.)
"We believe the two methods are unworkable," states Melissa Bartlett, JD, legislative counsel for the American Medical Group Association in Alexandria, VA. "First, a safe harbor of relying on a statistical expert would be very difficult to rely upon," she says. The second method contains too many identifying characteristics for medical facilities to remove, Bartlett adds. "There are four of the 18 characteristics that we believe would properly put into place privacy protections but would still allow for meaningful research."
Some personal data on charts should remain
Bartlett says these four characteristics should be allowed to remain in the research data because some research will be meaningless if these are entirely removed:
- zip codes;
- dates;
- unique identifying number characteristic or code;
- serial numbers.
Serial numbers, for example, might be used to identify a patient who used a particular medical device. When a physician reports to a medical device company that there was a defect involved with a particular pacemaker, the manufacturer will be unable to investigate whether similar pacemakers also had a problem unless that serial number was included, Bartlett explains.
Bartlett and others opposed to HIPAA’s final rule say that research entities already are subject to the common rule, and that research that is subject to an IRB review should be exempt from additional privacy rule requirements. And that’s where another chief concern about HIPAA resides. The rule contains so much ambiguity and complexity that it’s unclear how medical facilities, researchers, and IRBs may adhere to them, Kulynych says.
The regulation provides for IRBs or a privacy board to conduct a waiver analysis to see if a particular research project may be exempted from the de-identification standard or from the requirement for specific patient consents for research. However, to be eligible for a waiver of authorization, the research has to be of minimal risk and the privacy board or IRB must look at it and decide whether the risk of losing privacy is outweighed by the importance of the potential research, Kulynych explains. "And it’s not clear how this is intended to function," she says.
Kathleen Kline, IRB coordinator at the University Medical Center of Southern Nevada in Las Vegas, says the new privacy rule could result in the IRB or a privacy board having to meet on a weekly rather than monthly basis to review research projects proposed by medical and pharmacy students. The teaching hospital typically has about 10 students working on any given day. "They’re only here for six weeks and can’t be waiting a month for all the paperwork to go through," Kline says.
Resident, student projects face same scrutiny
These resident and student research projects typically have involved retrospective studies that are approved by medical faculty and hospital physicians. Now these same small projects will have to be reviewed by the IRB to make certain they meet all of the HIPAA requirements, Kline explains.
"It’s going to take a lot of staff time," Kline adds. "And our medical staff donate their time for research committee work, and all they get is a free lunch or a donut and cup of coffee."
HIPAA imposes more requirements on IRBs to review protocols and other investigator documentation in order to make value judgments on whether certain patient health information is needed for the research, says Lisa Murtha, JD, chief audit and compliance officer for The Children’s Hospital of Philadelphia. "It’s a huge culture shift for academic medicine," Murtha notes. "Academic freedom gives researchers the opportunity to do what they need to do within the auspices of their academic pursuits, one of which is clearly research, so for an institution to place controls and requirements on how researchers use their data will create a rippling effect on institutions."
IRBs have burden of deciding privacy issues
While its a good idea to have a privacy standard that applies to research, HIPAA places a burden on IRBs to make ad hoc decisions on a case by case basis of which information is appropriate to release under various circumstances, says Robert M. Nelson, MD, PhD, associate professor of anesthesia and pediatrics for The Children’s Hospital of Philadelphia.
Medical facilities and universities involved in research could become victims of unintended consequences of HIPAA, suggests Clyde Evans, PhD, vice president of the Association of Academic Health Centers in Washington, DC. "We would be much happier if we could find a way to safeguard the right of patients to protect their privacy and to give permission when they’re willing to, but to balance that against circumstances in which the usefulness of the data could be compromised," Evans says.
Not everyone agrees with HIPAA criticism and concerns regarding research. "I don’t think HIPAA will change things substantially," says Jon Merz, MBA, JD, PhD, assistant professor at the University of Pennsylvania Center for Bioethics in Philadelphia. "It altered standards for waiver and consent, but I think it’s filled in some gaps in the common rule with ethical considerations of what should be done," Merz says.
The Center for Bioethics conducted a survey a few years ago asking the admissions departments of 202 large U.S. hospitals in the what kind of forms or consent papers were given to patients discussing the release of information for research purposes, Merz says. Most hospitals reported only obtaining general patient consent forms when patients were admitted. Out of the 202 hospitals, only 33 had forms that mentioned research uses of the medical record, Merz adds. "That is pretty absurd," Merz says. "We’re doing a large interview study of patients and doctors, looking at confidentiality concerns, and we’re finding that patients have very vague ideas about who has access and who should have access to their health information."
Merz says that every single study that uses a medical database should obtain a new waiver from the IRB, and if anything he’d make HIPAA tougher than it is. For example, he would have IRBs decide against a waiver in research cases where it’s unreasonable to expect that patients would not be concerned about their privacy. "Drug abuse researchers did a study of alcoholics and talked about a waiver of consent because they knew the alcoholics were suspicious of physicians and hospitals," Merz says. "The IRB said they could waive consent from these people because they’d say No’ if they were asked to sign a consent form."
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.