Lynn Meyer and Sandra Young
NOTE: The content below contains the first few paragraphs of the printed article and the titles of the sidebars and boxes, if applicable.
HIPAA’s Impact on Informed Consent
The first-ever federal privacy standards — Health Insurance Portability and Accountability Act (HIPAA) — to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other healthcare providers took effect April 14, 2003. Developed by the Department of Health and Human Services (HHS), these new standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. The standards represent a uniform, federal floor of privacy protections for consumers across the country. Before the compliance deadline, there was an overload of information regarding the requirements for compliance with HIPAA regulations concerning privacy. At first, many institutional review boards (IRBs) were cautious, and many IRBs overcompensated by erring on the side of conservatism. This was a natural reaction, as it was difficult to interpret laws when the governing entity had not provided answers to questions that the community was asking. Clearing the Air On April 15, 2003, the HHS released a letter clarifying HIPAA in relation to clinical trials and, specifically, informed consent. According to the HHS letter, federal regulations do not require IRB review or approval of stand-alone HIPAA authorizations. (The letter can be accessed at hhs.gov/ocr/ hipaa/privguideresearch.pdf.) With this letter, which would have answered so many questions before the compliance deadline, there is finally something in writing from a federal agency that clarifies the issue. In part, the letter states, “The HHS Protection of Human Subjects Regulations at 45 CFR Part 46 do not require that stand-alone HIPAA authorizations be reviewed or approved by the IRB. FDA advises that because IRB review and approval of a stand-alone HIPAA authorization is not required under the privacy rule, use of such authorization by another entity, such as an investigator or sponsor, is an acceptable alternative approach.” Overcoming the HIPAA Hassle This isn’t a new dance. But, now that we see the light at the end of the tunnel, why then are IRBs continuing to regulate areas that are not theirs to regulate? The Office for Human Research Protections goes so far as to advise that IRBs not undertake any compliance action with respect to activities that are not required by regulations of 45 CFR Part 46. Before attending an industry conference in April 2003, we were under the mistaken impression that most of the discussion and confusion regarding the regulations concerning privacy, especially with regard to clinical trials, had come to an end. During the conference, as representatives of an IRB, many attendees asked about policies regarding the inclusion of HIPAA language within the body of informed-consent documents. Upon receipt of the April 15 letter, the industry finally had something in writing from a federal agency that not only clarified the issue but also supported many IRBs’ policies, ours included. Another frequently voiced concern was whether a company was required to comply with the HIPAA regulations. Before determining if a site is required to comply with the HIPAA regulations, executives must first establish whether their company is a covered entity. Obviously, each site has to make this determination for itself. In spite of this, many IRBs are enforcing mandatory HIPAA authorization language in consent forms. One conference attendee reported that a particular IRB was requiring all sites to revise informed-consent documents even though some sites were not planning on enrolling any more study subjects. This obviously displeased the client, as it generated additional charges he felt were unnecessary. Of course, IRBs are required to review and approve HIPAA language if the text is integrated into the informed-consent document. The privacy rule, however, does not require IRBs to review HIPAA authorizations for compliance with the rule’s requirements. The Office for Civil Rights (OCR) is responsible for ensuring compliance and implementation of the privacy rule. While many sponsors and sites know either method is acceptable, they do not realize that, from the viewpoint of compliance and enforcement, the covered entity is solely responsible with respect to completeness, accuracy, and whether the required HIPAA statements are present. A Point of Contention As of April 14, 2003, covered entities also must obtain a “Request for Alteration or Waiver of Research Participants’ Authorization for Use/Disclosure of Protected Health Information without Patient/Subject Authorization.” A waiver of authorization may be appropriate in those instances when it is impractical or impossible to obtain a patient’s written authorization. If the subjects in the study will be required to give their informed consent to participate, it is unlikely that a request for a waiver of HIPAA authorization will be approved by an IRB. A request for an alteration of the HIPAA authorization may be possible, however. As long as the patient’s or subject’s records belong to the covered entity where the researcher is a member or employee, the researcher may use the preparatory research provision to look at these records, and a waiver of authorization is not necessary. A researcher who is not a part of the covered entity may not use the preparatory research provision to contact prospective research subjects, but could apply for a waiver of authorization to recruit these potential research subjects. There are other requirements for looking at records without a waiver. For example, records may not leave the physical facility of the covered entity. The one question that has not yet been answered by federal regulators is whether phone screening requires a waiver. The industry has several definitions of “phone screening.” Some physicians believe that if they call their own patients about a research study, they are phone screening. Of course, in the research community, the primary definition is an advertisement asking willing participants to call in and be “screened” for participation in a research study. This scenario probably falls under the privacy rule’s preparatory research provision because this effort does not yet create generalized knowledge, which is necessary in defining “research.” It would be great if the agency would only provide an answer to this aspect of the waiver. Lynn Meyer and Sandra Young Sandra Young, CIP, is a compliance specialist at IntegReview Inc. Ethical Review Board. Lynn Meyer, CIP, is president of IntegReview Ethical Review Board. IntegReview, Austin, Texas, is an independent institutional review board that protects the rights and welfare of human subjects while maximizing efficiency using state-of-the-art technology. For more information, visit integreview.com. PharmaVoice welcomes comments on this article. E-mail us at email@example.com.