In the medical field, clinical trials primarily rely on patients’ data. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to ensure the confidentiality and privacy of patients’ healthcare information. It was enacted in response to concerns over the use of patients’ healthcare information (PHI).
Initially, there were concerns that the HIPAA rule is meant to hinder clinical research. However, these concerns have since been proven to be unfounded because the HIPAA rule wasn’t enacted to hinder clinical research. Instead, it’s meant to ensure that ethical practices are upheld during clinical trials. Generally, patients and health plan members are likely to be more willing to authorize the disclosure of their PHI if they know the information is protected.
During clinical trials, the HIPAA rule applies if you will access PHI to initiate or facilitate the study. Similarly, if you will create PHI during the study, you should ensure compliance with the HIPAA rule. Here’s what you need to know about HIPAA and clinical trials.
What Does PHI Constitute?
PHI could be patients’ health information or any other identifying elements such as
- Patients’ contact addresses
- Dates (admission, procedure, discharge dates, etc.)
- Medical record and health plan numbers
- Social security numbers
- Photographic images
Authorizations Needed Before Participating in Clinical Trials
Contrary to what you may think, the HIPAA rule doesn’t bar researchers from conditioning participation in clinical trials. It doesn’t outline conditions necessary for enrollment and participation in clinical trials. Instead, it only addresses the issue of authorization in the use of patients’ health information in clinical trials.
Before starting a clinical trial, participants need to review the necessary documents to ensure that they fully understand what the trial is all about. The use of PHI in clinical trials will only be deemed to be legal if authorization is obtained from the patient. The required elements for authorization include:
- A detailed description of the purpose of authorization and the information that will be used and disclosed during the clinical trials.
- Names and details of individuals who are authorized to create, use, or disclose the PHI.
- The authorization’s expiry date
- A statement that the patient has the right to annul the authorization
Although participants can revoke the authorization, the researcher can still use and disclose PHI obtained before the cancellation of authorization. After a revocation, a researcher can only use and disclose participants’ new PHI only as a necessity to ensure the clinical trial’s integrity.
A separate authorization doesn’t need to be obtained for each PHI use or disclosure. Only one authorization is required from a subject. However, each use or disclosure of PHI should be part of a specified research activity. Likewise, the authorization should describe the types of uses/disclosures that will result from that research activity.
The HIPAA privacy rule also doesn’t specify who should draft the authorization form. Therefore, a researcher can draft it. Nevertheless, an authorization form will only be deemed compliant with the privacy rule if written in plain language. It should also contain the required statements and core elements outlined in section 164.508 of the HIPAA Privacy Rule.
HIPAA Authorization vs. Informed Consent: What’s the Difference?
Before a human subject participates in a clinical trial, informed consent is required from that individual. Under federal research guidelines, informed consent is needed to protect human subjects during a clinical trial. On the other hand, the HIPAA privacy rule requires that study participants provide authorization before covered entities use or disclose their PHI for research purposes. An Institutional Review Board (IRB) can waive both authorization and consent if a clinical trial meets all the waiver criteria applicable to each regulation.
Publication/Presentation of Results
The HIPAA rule applies even during the presentation or publication of clinical trial results. Bar, when undertaking activities related to internal medicine education, practitioners must obtain HIPAA authorization before making presentations or publishing papers containing PHI. In this case, IRBs may not waive HIPAA authorization for the presentation or publication of research findings.
Physicians whose presentation or publications contain patients’ individual-level data must first establish whether the 18 HIPAA identifiers have been expunged. Likewise, they must determine whether the remaining information can be combined with any other publicly-available information to unearth the identity of participants. For instance, materials involving rare diseases, photographs, and publicized cases must first be reviewed before making the presentations/publications.
The HIPAA rule is meant to protect the disclosure or use of patients’ health information without their consent and authorization. HIPAA non-compliance is expensive. Generally, penalties are based on a covered entity’s extent of negligence and range between $100 and $50,000 per violation. The maximum non-compliance penalty is $1.5 million per year. Some violations can also come with criminal charges that result in jail time. This highlights the need to adhere to all HIPAA guidelines before conducting a clinical trial.
Image by mcmurryjulie from Pixabay