The Impact of HIPAA on U.S. Biomedical Research
Presented To The:
Dartmouth Hitchcock Medical Center
Regional IRB Meeting
Hanover, NH
March 24, 2003
Oliver Johnson, Esq.
Chief Privacy Officer
Merck & Co., Inc.
1
Overview
Merck Privacy
Office
• HIPAA Basics
– What is HIPAA?
– Who is covered?
– What is permitted?
• Recent Changes to HIPAA
• Impact of HIPAA on Biomedical Research
• Impact Management Strategies
2
“Biomedical Research”
• Clinical Research
• Epidemiologic Research
• Outcomes Research
3
What is HIPAA?
• The Health Insurance Portability and Accountability
Act of 1996; and
• Three sets of regulations issued by the Clinton
Department of Health and Human Services in 2000:
– Privacy Regulations - April 14, 2003 Compliance Deadline
– Transaction Standards - October 16, 2002 Compliance Deadline
– Security Regulations - Pending
• Privacy rule revised by the Bush Department of
Health and Human Services on August 14, 2002
RED = August 14, 2002 Deletions
BLUE = August 14, 2002 Additions
GREEN = August 14, 2002 Reorganization
4
Who is covered?
• HIPAA “Covered Entities”
– Health Care Providers that transmit health data
electronically in connection with 1 or more of 8
“HIPAA Transactions”
Physicians
Group Practices
Hospitals
Pharmacies
Clinics
– Health Care Plans
HMOs
PBMs
Health Insurers
Group Health Plans
Medicare
Medicaid
– Health Care Clearinghouses
Entities that transmit data into a HIPAA “standard” format from a
non-standard format or vice versa
• “Business Associates” of HIPAA Covered Entities
Entities that use protected health information (PHI) for or on behalf of
covered entities
5
What is permitted?
• HIPAA Covered Entities must obtain one-time
patient consents and then may use “protected
health information” (PHI) only for TPO:
– Treatment of patients
– Payment for treatment
– Health Care Operations
NOTE: The August 14, 2002 revisions replace the requirement of
consent for TPO with an obligation to seek written verifications that
data subjects have been provided with a covered entity’s notice of
privacy practices.
6
HIPAA Impact On Biomedical Research
• Pharmaceutical industry research sponsors generally are
not HIPAA Covered Entities or Business Associates of
such entities.
• Virtually all entities through which pharmaceutical
companies conduct human-subject biomedical research are
HIPAA Covered Entities.
• There may be multiple Covered Entities involved in a
clinical study (e.g., Study Site and Clinical Laboratory).
• Research is not included in TPO.
7
HIPAA Research Requirements
Uses or disclosures of PHI for research require:
• Signed, HIPAA compliant “authorizations” from each study
participant, in addition to HIPAA consents and Common Rule
informed consents;
• IRB or “Privacy Board” waivers of some or all of the
authorization requirements; or
• “De-identification” of patient data via one of two methods:
– Removing each of 18 prescribed data elements; or
– Statistical Analysis and opinion
NOTE: The August 14, 2002 revisions allow the HIPAA authorization
to be combined with a Common Rule informed consent.
NOTE: The August 14, 2002 revisions create a limited identifiable data
set that will be very useful for epidemiologic and outcomes research.
Given restrictions on use, this data set would likely not be useful in
clinical research.
8
HIPAA Research Requirements - Cont.
Covered Entities Must Also:
• Provide detailed notices of their privacy policies and
practices to all study participants;
• Provide physical, technical and administrative security;
• Allow data subjects to access and correct PHI about them;
• Disclose the minimum PHI necessary to achieve the
authorized purposes; and
• Document and provide, on request, an accounting of all
disclosures of PHI for research purposes.
NOTE: The August 14, 2002 revisions eliminate the minimum
necessary and accounting requirements for research conducted
under HIPAA Authorizations.
9
Authorizations
HIPAA Authorizations Must:
• Be written in plain language and signed by each study participant;
• Specify the data that will be collected and each use to which it will be
put;
• Specify the persons, or types of persons, who will have access to the
data;
• Specify a date or event after which the covered entity will no longer
collect, use or disclose the data, or state that the authorization will not
expire;
• State that the individual may refuse to sign or revoke the authorization
at any time and that data collected before revocation will continue to
be used;
• State that once the data are provided to the study sponsor, HIPAA will
no longer protect them; and
• Disclose any payments from the sponsor to the investigator for use or
disclosure of the data.
10
De-identification (Two Methods)
HIPAA Safe Harbor 45 CFR 164.514(b)(2)(i)
• Names
• Geographic subdivisions smaller than a state
• Zip codes
• Dates (birth, admission, discharge, death)
• Age, if over 89
• Telephone numbers
• Fax numbers
• E-mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate and license numbers
• Vehicle identification and serial numbers
• License plate numbers
• Device identifiers and serial numbers
• URLs
• Internet Protocol address numbers
• Biometric identifiers (finger and voice prints)
• Full face photos and comparable images
• Any other unique identifiers
Statistical 45 CFR 164.514(b)(1)
• A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable;
• Determines that the risk of re-identification of the data, alone or in combination with other reasonably available data, is very small; and
• Documents the methods and results.
11
“Limited Use” Data Set
Allowed
• Admission Dates
• Discharge Dates
• Service Dates
• Death Date
• Age (in hours, months or days)
• Age (for those over 90)
• Five Digit Zip Codes
Not Allowed
• Names
• Street Addresses
• Telephone and Fax Numbers
• e-Mail Addresses
• Social Security Numbers
• Certificate or License Numbers
• Vehicle ID and Serial Numbers
• URLs and IP Addresses
• Full Face Photos and Comparable Images
• Medical Record Numbers
12
Waivers and Alterations (HIPAA vs. CR)
HIPAA 45 CFR 164.512(i)(2)(ii)
A. Use or disclosure involves no more than minimal risk to
the privacy of individuals, as indicated by F-H below;
B. Alteration or waiver will not adversely affect privacy
rights and welfare of individuals;
C. Research could not practicably be conducted without the
alteration or waiver;
D. Research could not practicably be conducted without
access to and use of PHI;
E. Privacy risks to individuals are reasonable in relation to
the anticipated benefits, if any, to the individuals, and
the importance of the knowledge that may be reasonably
expected to result from the research;
F. Adequate plan to protect identifiers from improper use
and disclosure;
G. Adequate plan to destroy identifiers at the earliest
opportunity, unless there is a health or research
justification or legal requirement to retain them; and
H. Adequate written assurances that PHI will not be reused
or disclosed for other purposes.
Common Rule 45 CFR 46.116(d)
A. Research involves no
more than minimal risk
to subjects;
B. Waiver or alteration will
not adversely affect the
rights and welfare of
subjects;
C. Research could not
practicably be carried out
without the waiver or
alteration; and
D. Whenever appropriate,
subjects will be provided
with additional pertinent
information after
participation
13
Exceptions
Covered entities may use and disclose PHI without
authorizations, waivers, or de-identification where:
• the disclosure is to a person who is subject to FDA
jurisdiction with respect to a product for which that person
has responsibility, and is required for the purpose of
activities related to the quality, safety or effectiveness of
the product, including to:
– collect or report adverse events;
– track products;
– enable product recalls, repairs or replacements; or
– conduct post-marketing surveillance.
• the information is used in preparation for research (e.g.,
protocol development), provided that it does not leave the
covered entity; or
• the information relates to deceased individuals.
14
HIPAA Transition Provisions
Transition (Grandfather) Provisions for Research That
Includes Treatment:
• For patients who sign informed consents before April 14, 2003:
– data collected before April 14, 2003 may be used and disclosed for research
after April 14, 2003 without the need for authorizations; and
– data may be collected, used and disclosed for research after April 14, 2003
without the need for authorizations, provided that
– data are collected, used and disclosed consistently with the Common Rule
informed consents.
• Research authorizations required for patients who sign Common Rule
informed consents on or after April 14, 2003.
Note: The August 14, 2002 revisions adopt this transition
provision for all research regardless of whether treatment is
involved, and for research conducted pursuant to an IRB
waiver of informed consent obtained prior to April 14, 2003.
15
HIPAA Transition Provisions
Transition Provisions for Research That Does Not
Include Treatment:
• If informed consents are obtained before April 14, 2003,
researchers may rely on such consents to use and disclose
data created or received before April 14, 2003, but not after.
• Research authorizations are required for patients who sign
informed consents on or after April 14, 2003.
• Research authorizations are required where patients did not
sign informed consents to participate in research.
NOTE: The August 14, 2002 revisions eliminate this
provision and adopt the transition provisions set forth on
the preceding slide for all research.
16
HIPAA Liability
Violations of HIPAA can result in:
• Civil sanctions on covered entities
• Criminal sanctions
• Interruption of data collection, use and disclosure by
covered entities
17
Impact On Clinical Research
As a practical matter, each of the following will be required to
conduct CLINICAL studies under HIPAA:
– Common Rule Informed Consent to participate in the study
– HIPAA Consent for treatment, payment and health care operations
– HIPAA Authorization to allow use of existing medical records for
research
– HIPAA Authorization to allow the study site to collect, use and disclose
PHI to the sponsor for research purposes
– HIPAA Notice of Privacy Practices detailing covered entities’ HIPAA
compliant policies and procedures.
NOTE: The August 14, 2002 revisions replace the HIPAA Consent
requirement with an obligation to seek verifications that data subjects
have been provided with a covered entity’s notice of privacy practices.
NOTE: The August 14, 2002 revisions allow an authorization to be
combined with a Common Rule consent.
18
Impact On Public Health Research
As a practical matter, the following will be required to
conduct non-clinical EPIDEMIOLOGIC and
OUTCOMES research under HIPAA:
– HIPAA Authorization to allow use of existing medical
records for research; or
– IRB Waiver of some or all of the Authorization
requirements.
OR
– Use of partially identifiable data under an agreement with
the providing Covered Entity that binds the researcher to
use and disclose the data only for research and public
health purposes, and to not re-identify or contact any data
subject.
19
Assessing HIPAA Readiness
Before engaging a U.S. study site, research sponsors
should verify that the site:
• Posts its notice of privacy practices and seeks
written acknowledgement from patients that they
have received copies;
• Maintains HIPAA policies and procedures;
• Has a privacy officer and a contact person to
receive complaints;
• Has implemented technical, physical and
administrative security for patient information; and
• Has provided and documented HIPAA training for
its employees.
20
Monitoring HIPAA Compliance
Once a decision is made to engage a U.S. study site,
sponsor monitors should verify that:
• Consent forms used at the site meet the HIPAA authorization
requirements;
• Final CRFs, workbooks, and other documents provided to the
sponsor contain only the identifiable patient information that
is to be disclosed to the sponsor in accordance with the
consents/authorizations and protocol;
• Hard copy patient information is maintained securely,
electronic systems are password protected, and access to
records is given on a need-to-know basis;
• The site has documented and responded to any study
participant requests for access; and
• Any confidentiality breaches are addressed and resolved.
21
Practical Implications
• August 14, 2002 revisions are practical and appropriate and
will reduce HIPAA’s negative impact on research;
• More conservative IRB scrutiny of research protocols,
consent forms, authorizations and waiver requests;
• Attempts by some research institutions to contractually
impose HIPAA Business Associate requirements on
pharmaceutical company research sponsors;
• Increased paperwork, expense, time and difficulty in
enrolling patients and administering studies;
• Need for pre-contract consideration by research sponsors of
research partner HIPAA compliance; and
• Greater reluctance amongst U.S. physicians to provide AE
and pregnancy registry information to pharmaceutical
companies.
22
HIPAA Impact Management Strategy
• Update Merck Consent Templates to address HIPAA.
• Educate internally regarding HIPAA’s impact on Merck
research.
• Establish criteria for evaluating the HIPAA readiness of
U.S. research sites.
• Engage pharmaceutical industry research sponsors, leading
research institutions, IRBs and trade associations in
discussions regarding the practical impact of HIPAA on
research and build consensus regarding key issues and
appropriate solutions.
• Monitor and respond to emergence of “tougher” U.S. state
laws.
23
Questions?
24