INTERNATIONAL BIOPHARMACEUTICAL ASSOCIATION PUBLICATION

 

 

 

                        “ Health insurance portability and accountability act (HIPPA):

                   Who will benefit and how?

 

 

 

Dr Alok Miglani

M.D (A.M)

P.G.D.C.R 

M.B.A

alokmiglani@gmail.com   

 

 

ABSTRACT:

 

As we know that it is mentioned in the ICH GCP principles that right safety and confidentiality of subject is to be maintained throughout the trial. Moreover the protection of human subjects is of prime factor in every clinical trial along with safety. Thus two safeguards are: IRB and Informed consent document. But for protection of private information (to maintain confidentiality) of subjects, there must be some law. Thus health insurance portability and accountability act (HIPPA) was passed by congress in 1996 to maintain privacy of subjects. Thus this article deals with how it is beneficial to subjects involved in the trial along with introduction of HIPPA and its applicability,

 

INTRODUCTION:

 

After the enactment of the HIPPA, federal government proposed privacy rule in 2003 to ensure its implementation.

 

Purpose of privacy rule 2003: Is to protect the privacy of individually identifiable health information by establishing conditions for its use and disclosure by covered entities (health care provider, health plan, and health care clearing house.)

 

All clinical investigators must comply with HIPPA if they request protected health information (PHI)from covered entities .failure to comply with HIPPA can result in costly civil or even criminal ,sanctions against an institutional or investigational site .

 

Classes of data under privacy rule 2003:

 

q       Protected health information: It consists of health information and HIPPA identifiers

q       De identified data

q       Limited data sets.

 

q       Protected health information (PHI):

 

it is a subset of what is termed “individually identifiable health information ”. it is defined as information that identifies the individual .

 

Ø      Health information: The term health information means any information, whether oral/recorded in any form or medium (paper, images such as x-rays etc)

 

a)      Created or received by covered entities.

b)      Relates to past, present or future physical or mental health conditions of an individual.

 

Ø      Individually identifiers (HIPPA IDENTIFIERS) :

    

1.      Names

2.      Addresses

3.      All elements of dates (except for a year)

4.      Telephone no.

5.      Fax no

6.      Email no

7.      Social security no

8.      Medical record no

9.      Health plan beneficiary no

10.  Account no’s

11.  Certificate /or license no.

12.  Vehicle identifiers and serial no’s

13.  Device identifiers and serial no’s

14.  URLs

15.  Internet protocol (IP) address no

16.  Biometric identifiers including finger and voiceprints.

17.  Full-face photograph.

18.  Any other unique identifying no/characteristics or code.

 

 Privacy rule follows to only PHI but not to deidentified data.

 

 

 

q       Deidentified data:

 

Remove all the identifiers of HIIPPA from PHI and data so left is de-identified data Recipient of de-identified data would not be able to identify an individual on the basis of de-identified data .it has in last item non-identifying code.

 

 

q       Limited data sets:

This is a third type of data. This excludes direct identifiers except for address dates, and indirect identifiers. Identifiers that are allowed in the Limited Data Set are:

1. Admission, discharge and service dates
2. Birth date
3. Date of death
4. Age (including 90 and over)
5. Geographical subdivisions such as state, county, city, precinct and five digit zip code

 

HIPPA AUTHORISATION:

 

The HIPAA regulations use the term “authorization” to describe the process through which a patient allows researchers to access Protected Health Information. The authorization for disclosure and use of Protected Health Information may be combined with the consent form that a research subjects signs before agreeing to be in a study. It may also be a separate form. Blanket authorizations for research to be conducted in the future are not permitted. Each new use requires a specific authorization. In either case, the information must include:

• A description of the information to be used for research purposes
• Who may use or disclose the information
• Who may receive the information
• Purpose of the use or disclosure
• Expiration date or event (if the information will be kept indefinitely, the authorization states that there is no expiration date)
• Individual’s signature
• Right to revoke authorization
• Right to refuse to sign authorization (if this happens the individual may be excluded from the research and any treatment associated with the research)
• If relevant, that the research subject’s access rights are to be suspended, while the clinical trial is in progress, and that the right to access PHI will be reinstated at the conclusion of the clinical trial

 

 

 

Waiver of authorization for research:

It includes

• The use or disclosure of Protected Health Information must involve no more than minimal risk to the privacy, safety and welfare of the individual
• The research could not practicably be conducted without the waiver or alteration, and
• The research could not practicably be conducted without access to the Protected Health Information

The Human Subjects Committees will also consider if the researcher has provided:

• An adequate plan to protect the identifiers from improper use or disclosure
• An adequate plan to destroy the identifiers at the earliest opportunity, unless retention of identifiers is required by law or is justified by research of health issues, and
• An adequate written assurance that the PHI will not be used or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject

All studies involving creation or use of Protected Health Information (PHI) must be reviewed and approved by IRB or PRIVACY BOARDS

Information which Researchers Provide to the IRB:

Researchers must provide detailed information about the types of information they will use in their research, how it will be used, who will have access to it, and when it will be destroyed. Specifically, they are asked:

• What risks are posed by the use of the data and how have they been minimized?
• What is the justification for access to the data and why are they necessary to conduct the research?
• What is the researcher’s plan to protect the identifiers from improper use or disclosure?
• What is the researcher’s plan to destroy the identifiers? If it is not possible to destroy the identifiers, what is the health, legal or scientific justification for not destroying the identifiers?
• Has the researcher provided adequate written assurance that the PHI will not be used or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject?

Researchers requesting waivers of authorization will also need to document:

• That the use or disclosure poses no more than minimal risk to the subject
• That the research could not practicably be conducted without the waiver and
• That the research could not practicably be conducted without access to the Protected Health Information

Effect of HIPAA on recruitment of research subjects:

Recruitment of subjects for research is subject to the general authorization requirements. The Privacy Rule classifies recruitment as “research” rather than as health care operations or marketing. Because development or use of research databases falls within the definition of “research”, a covered entity may disclose PHI in a database to the researcher for subject recruitment only after an authorization from the research subject or a waiver has been obtained.

 

Neither an authorization nor a waiver is required to disclose PHI contained in a Limited Data Set or as de-identified data. Limited Data Sets will make it easier to create databases of potential subjects to see if it is feasible to conduct a clinical trial or to perform epidemiological research. There are a couple of important limitations on the use of PHI in a Limited Data Set for subject recruitment. The PHI may not be used to contact subjects, and because telephone numbers, Internet provider addresses and email addresses are not part of a Limited Data Set, researchers may not collect this information from potential subjects.

 

When researchers want to approach a potential subject to participate in a study whom they have identified using PHI under a waiver of authorization, they must use an approach method that has been approved in advance by the Human Subjects Protection Program. One example of an approach method includes using an intermediary such as the patient’s primary care provider or a member of the medical staff actually caring for that patient, or sending the potential subject a letter signed by the patient’s provider.

Researchers have to do to request a waiver of authorization?

• Explain how the use of PHI involves no more than minimal risk to individuals
• Explain why such a waiver will not adversely affect privacy rights or welfare of individuals in the study
• Explain why the study could not practicably be conducted without a waiver
• Explain why it is necessary to access and use PHI to conduct the research
• Explain how the risks to privacy posed by the use of PHI in this research are reasonable in relation to the anticipated benefits
• Explain the plan to protect identifiers from re-disclosure
• Explain the plan to destroy identifiers. Provide a date by which this will take place. If identifiers must be retained, provide the reason (scientific, health or other) why this is necessary
• Confirm that the PHI will not be reused or disclosed to anyone else

 

 

 

Research subject’s rights under HIPAA:

The subjects have the following rights:

 

Right to an accounting:

 

When a research subject signs an authorization to disclose PHI, the covered entity is not required to account for the authorized disclosure. Nor is an accounting required when the disclosed PHI was contained in a Limited Data Set or is released to the research as de-identified data. However, an accounting is required for research disclosures of identifiable information obtained under a waiver or exception of authorization. Research subjects may request an accounting of disclosures going back for up to six years

.

Right to revoke authorization:

 

A research subject has the right to revoke his or her authorization unless the researcher has already acted in reliance on the original authorization. Under the authorization revocation provision, covered entities may continue to use or disclose PHI collected prior to the revocation as necessary to maintain the integrity of the research study. Examples of permitted disclosures include submissions of marketing applications to the FDA, reporting of adverse events, accounting of the subject’s withdrawal form the study and investigation of scientific misconduct.

 

 

 

Research Authorization Templates

 

Researchers may either incorporate the required elements into a consent form used for research purposes, or may draft a separate authorization form. In either case, the form must be signed and dated by the research subject or the subject’s personal representative or legally authorized surrogate.

Information included in the authorization

The minimal information needed for an authorization is:

General Requirements

• The authorization must be written in plain language
• A copy of the authorization form (or consent document with authorization language) must be given to the individual.

 

 

Core Elements

1.      A description of the information (minimum necessary): “My medical record will be reviewed for information about diagnosis and treatment of my breast cancer”.

2.      Who may use or disclose the information: “The researcher and research team members will have access to this information”.

3.      Who may receive the information: “The sponsor of this research, the Food and Drug Administration, the laboratory and the Institutional Review Board will have access to this information”.

4.      Purpose of the use of disclosure: “My information will be used to make sure it is safe for me to be in this study” or “This information will be used to make sure I am eligible to be in this study”.

5.      Expiration Date: “This authorization will expire in 1 year. That means new information cannot be obtained about me after that time”.

6.      Individual’s signature and date: Subject or the subject’s legally authorized surrogate must receive a copy, and the researcher must retain a copy for at least 3 years or per applicable policy. Include a line for the subject’s printed name, signature and date.

7.      How long identifiable data will be retained: “My information will be linked to my name and kept until [INSERT DATE]”.

Conclusion:

Thus it is clear that person protection is maintained by PRIVACY BOARDS and

Person involved in the trial has full right:

Right to revoke authorization:

 

“I have the right to change my mind about allowing access to this information. If I change my mind, I must notify the Principle Investigator in writing. The address for the Principal Investigator is [INSERT ADDRESS]. If I do refuse…”

 

Right to refuse to sign authorization:

 

“I have the right to change my mind about allowing access to this information. Refusing to sign this document will not affect my medical care or treatment. If I do refuse…”

 

Loss of privacy protection once information is re-disclosed:

 

 “If information is disclosed about me to anyone outside this study, I will lose my privacy protections”.

 

Subjects enrolled prior to April 14, 2003 do not have to sign an authorization form. However, if the consent form is amended, they will need to sign an authorization form.

New subjects enrolled on or after April 14, 2003 will need to sign a separate authorization form.

Thus it is how the the GCP requirements are maintained

 

 

References:

 

Privacy rule at 45 CFR parts 160 and 164 and guidance

 

www.hhs.gov/ocr/hippa

 

Office for civil rights (OCR)

 

www.hhs.gov/hipaprivacy/research/

 

 www.centrewatch.com