Any institution that conducts clinical trials collects identifiable health information about participants—information that must be protected. In fact, under HIPAA/HITECH, institutions that conduct research without measures to ensure patients' privacy and the security of information can face significant civil and criminal penalties. Therefore, it is critical that hospitals and health care facilities involved in clinical trials be versed adequately in federal regulations governing researchers' conduct.
In the Beginning
The 1996 Health Insurance Portability and Accountability Act required the government to develop standards for the use and disclosure of protected health information. The HIPAA rules contained two components: privacy (overseen by the Health & Human Services Office of Civil Rights) and security (overseen by the Centers for Medicare & Medicaid Services). While the privacy and security rules contained sanctions for noncompliance, they were hard to enforce because of unclear reporting requirements and oversight by more than one government agency.
To strengthen enforcement of HIPAA and address the expansion of electronic medical records, the Health Information Technology for Economic and Clinical Health Act was introduced in 2009 to protect the electronic transmission of protected health information. HITECH also outlined specific reporting requirements as well as ramifications when organizations allow a breach of privacy or security to occur.
Today, there are three circumstances in which hospitals and health care facilities engaged in research should consider HIPAA/HITECH: the training of research personnel; patients' informed consent and authorization forms; and oversight by the Institutional Review Board.
Staff Training Is the First Step
Health care leaders often wonder which research staff should be trained in HIPAA and HITECH. When the question is posed to Cynthia L. Hahn, administrator of research compliance at North Shore-Long Island (N.Y.) Jewish Health System, her answer is simple: "Anyone who touches a human subject."
Hahn elaborates: "When we were first developing training of HIPAA/HITECH for our research staff, we counted the number of principal investigators and study coordinators—thinking these are the ones we needed to train—and calculated 288 personnel. However, when we changed the criteria to determine which staff, regardless of their title, interface with research subjects, the answer shocked us. We found that more than 2,000 of our employees regularly come in contact with study subjects in person, electronically or by virtue of seeing their medical records."
North Shore-LIJ immediately incorporated research-specific language and processes into the general HIPAA/HITECH institutional policies. The organization also wove them into its new employee orientation and annual corporate compliance learning modules, which are mandatory for the entire staff, rather than creating separate policies and training for research personnel. By ensuring that all employees are appropriately trained, North Shore-LIJ is able to maintain the integrity of its research program. "With more than 700 active, enrolling studies and another 600 studies ongoing at any one time," says Hahn, "it is critical that we take a comprehensive approach."
By incorporating HIPAA/HITECH into the training of all its employees, an organization can ensure that the regulations will be part of the fabric of the institution, resulting in a culture of compliance. The organization also can verify easily that facilitywide adherence is achieved if training is standardized. Finally, staff transfers and turnover are an inevitable part of any organization and, by training everyone the burden of tracking down individual research personnel is eliminated.
Protecting Patients' Health Information
The informed-consent document provides information about a specific clinical trial so research participants can make an informed decision about their participation. Accordingly, subjects must authorize the use or disclosure of their health information that typically would be deemed protected. The HIPAA guidelines outline 18 personal health information identifiers that make a person readily identifiable, such as name, social security number or contact information.
Authorization can be a part of the research informed-consent form, or can be provided in a separate document. HIPAA-required elements include: description of information to be used or disclosed; persons authorized to use or disclose and receive the information; the purpose of using or disclosing the personal health information; and the expiration date of the authorization.
Ensuring the Rights of Human Subjects
Institutional review boards also play a role in HIPAA/HITECH oversight. IRBs are mandated to protect the rights and welfare of human subjects by ensuring that privacy and security provisions are in place. Most IRBs will ask how privacy and confidentiality will be maintained. Also, given the increased use of electronic medical records and the transmission of data to the study sponsor, an IRB likely will ask the following types of questions:
- Who will have access to the electronic personal-health information?
- Is there an audit trail to track access and changes to the data?
- Will electronic personal-health information be stored or accessed on a portable device (iPad, laptop, thumb drive, etc.), and is the device encrypted?
Study sponsors should be able to provide answers to those questions relatively easily, usually via the research protocol or their company's standard operating procedures. The institution-based and investigator-initiated trials may require additional review and guidance, particularly regarding auditable data trails and encrypted devices for electronic information. Having the right policies in place impacts how the organization manages clinical trials and contracts as well as HIPAA/HITECH breach reviews and notifications.
Some hospitals may enjoy the convenience of an in-house IRB. Other institutions may use an external IRB (also known as an independent or central IRB), which can offer the benefit of greater efficiencies and economies of scale. Organizations using an external IRB generally will establish guidelines as to whether the IRB also will function as a privacy board. (A privacy board reviews requests for waivers or alterations of the HIPAA authorization requirement.) Regardless, it is critical that the IRB identified by the organization is fluent in HIPAA/HITECH policies.
In the complex world of clinical trials, organizations that seek external research funding find it is a competitive advantage to offer facilitywide adherence to HIPAA/HITECH. This can be assured through institutional training, proper informed consent and authorization forms, and oversight by an IRB. For industry sponsors of clinical trials, compliance with security and privacy regulations and the protection of human subjects are critical components of their own commitment to the Food and Drug Administration, and they will seek out research sites that are compliant. These facilities, and the research subjects they are protecting, will come out ahead.
Kimberly Irvine, C.I.P., C.I.M., is the executive vice president of operations at the Biomedical Research Alliance of New York in Lake Success, N.Y.