220 likes | 282 Vues
SACHRP HIPAA Recommendations: September 2004. Mark Barnes Huron Consulting Group mbarnes@huronconsultinggroup.com March 3, 2009. Accounting Requirement. Disclosures of PHI for research purposes should be exempted from HIPAA accounting requirements. IOM Analog.
E N D
SACHRP HIPAA Recommendations: September 2004 Mark Barnes Huron Consulting Group mbarnes@huronconsultinggroup.com March 3, 2009
Accounting Requirement Disclosures of PHI for research purposes should be exempted from HIPAA accounting requirements.
IOM Analog • HHS should reform the requirements for the accounting of disclosures of PHI for research.
De-identification Requirements • HHS should reduce the number of data categories that must be eliminated for data to be regarded as de-identified. Among those data categories that should be strongly considered for deletion are zip codes, geographic subdivisions, and dates. • While the specific addresses of persons should not be included in de-identified information, more general areas of residence, work or origin, may, in fact, be essential to epidemiologic and other studies of, for example, disease incidence. Additionally, most dates, including admission and discharge dates, provide essential endpoints for much research without directly identifying the individual.
IOM Analog • HHS should encourage greater use of partially deidentified data called “limited datasets” and develop clear guidance on how to set up and comply with the associated data use agreements more efficiently and effectively, in order to enhance privacy in research by expanding use and usability of data with direct identifiers removed.
Additional IOM Analog • HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects privacy, confidentiality, and security.
Standards for Recruitment Contact with Potential Research Subjects • HIPAA distinguishes between, on the one hand, all researchers who are affiliated with the Covered Entity through membership in the Covered Entity’s “workforce,” making them “internal” to the Covered Entity, and on the other hand, those who otherwise are subject to the Covered Entity’s policies and procedures (for example, by virtue of being a member of the Covered Entity’s faculty or medical staff) but who are not employed by the Covered Entity, making then “external.” • Rather than focusing on the distinction between “internal” and “external” researchers, HHS should key any distinction in the ability of researchers to use PHI to contact potential subjects without the additional requirement of Institutional Review Board (IRB) waiver or a business associate agreement around whether the Covered Entity exercises effective control over the researcher through application of its policies and procedures.
IOM Analog • HHS guidance documents should simplify the HIPAA Privacy Rule’s provisions regarding the use of PHI in activities preparatory to research and harmonize those provisions with the Common Rule, in order to facilitate appropriate IRB and Privacy Board oversight of identification and recruitment of potential research participants.
Authorization for “Future Research Uses” of PHI • When an IRB has considered and approved a research consent form that permits consent to certain future uses under the Common Rule standard, the Final Privacy Rule should likewise permit subjects to authorize the use and disclosure of their PHI for the same future uses. • Any subsequent research using the PHI that goes beyond the scope of the authorization to future uses or disclosures would require IRB or Privacy Board waiver of the Privacy Rule’s Authorization requirements, or subsequent authorization from each subject.
IOM Analog • HHS should develop guidance that clearly states that individuals can authorize use of PHI stored in databases or associated with biospecimen banks for specified future research under the HIPAA Privacy Rule with IRB/PrivacyBoard oversight, as is allowed under the Common Rule, in order to facilitate use of repositories for health research.
Additional Related IOM Recommendation • HHS should clarify the circumstances under which DNA samples or sequences are considered PHI, in order to facilitate appropriate use of DNA in health research.
“Compound” Authorizations • HHS should revise HIPAA’s compound authorization rules to permit the combining of research authorizations into one form when researchers seek to bank data and materials collected as part of an underlying clinical trial. • In order to promote subject choice, the rules should require that subjects be given the ability to “opt into” the banking portion of the authorization.
IOM Analog • HHS should develop clear guidance for use of a single form that permits individuals to authorize use and disclosure of health information in a clinical trial and to authorize the storage of their biospecimens collected in conjunction with the clinical trial, in order to simplify authorization for interrelated research activities.
Making HIPAA Authorization Exemptions Consistent with Common Rule Exemptions • HHS should revise the categories of research for which authorization is not required, so that those categories are consistent with research determined by an IRB or other appropriate institutional authority to be exempt from the requirements of the Common Rule.
IOM Analog • HHS should simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study, in order to facilitate appropriate authorization requirements for responsible research.
Does HIPAA Apply to Non-U.S.-Based Research? • HHS should clarify that PHI collected from foreign nationals outside the United States by researchers engaged in international research who are affiliated with Covered Entities is not subject to HIPAA’s requirements solely as a result of the researchers’ affiliation with the Covered Entity. • Alternatively, SACHRP recommends that there be guidance as to how research conducted outside the United States can be insulated from HIPAA’s applicability so that Covered Entities and their affiliated researchers can continue to participate in this important research without triggering HIPAA’s requirements.
IOM Charge • Examine the potential impact of the Rule on public health research, on the recruitment of research subjects for studies, on carrying out research internationally, and on research using data and biomaterials in databases and tissue repositories.
Related IOM Finding • A report by Dutch researchers suggests that the Privacy Rule, or its interpretation, has made it more difficult for international researchers to collaborate with U.S. research centers (Kompanje and Maas, 2006). The authors recorded their experiences operating under the Privacy Rule in an international, multicenter, Phase III trial on the safety and efficacy of a neuroprotective agent in traumatic brain injury. The researchers compared the completion of screening logs between research centers in the United States and Europe. Because of the Privacy Rule, many of the U.S. screening logs had a large amount of missing data. All the European sites reported the actual age of the research participants on their screening logs, but only 5 of the 15 U.S. sites reported the age. The remaining 10 U.S. sites only reported whether the patient met the inclusion criteria for the study. Also, all the European sites reported the date and time of the injury, while only 10 U.S. sites provided this information. Information on secondary insults and the Glasgow Coma Scale were often omitted from the screening logs of U.S. sites. Overly conservative or variable interpretations of the Privacy Rule prevented many U.S. sites from providing the requisite data to the researchers and made it difficult for the researchers to monitor their study for selection bias and quality (Kompanje and Maas, 2006). In many situations, having international data is important to study a health problem. How often the Privacy Rule, or its interpretation, hinders U.S. collaboration in international research is unclear. But it is very conceivable that other international researchers have experienced frustrations similar to the Dutch researchers over collecting data from U.S. sites, or have even abandoned attempts to work with U.S. research centers due to the restrictions of the Privacy Rule.
Public Health Activities under HIPAA • HHS should revisit both the definition of public health authority as well as the exception for uses and disclosures for public health activities. • Revisions should broaden them sufficiently to ensure that federal and state agencies whose primary purpose is the prevention or control of disease, injury, or disability or the analysis of data in alliance with public health and public benefits agencies fall under this exception, even if the legal authority establishing such agencies does not explicitly authorize them to “compel the collection of PHI” in the course of their duties.
IOM Analog • HHS should clarify the distinctions between “research” and “practice” to ensure appropriate IRB and Privacy Board oversight of PHI disclosures for these activities.
Transition Provisions: No Longer Topical • HHS should revise the transition Rules to grandfather not only research that received IRB waiver of informed consent under the Common Rule prior to HIPAA’s compliance date but also research that did not receive IRB review or oversight as a result of having met an exemption under the Common Rule.
SACHRP HIPAA Recommendations: September 2004 Mark Barnes Huron Consulting Group mbarnes@huronconsultinggroup.com March 3, 2009