It’s Complicated: Requests for Patient Information/Access for Research
With increasing frequency, practitioners and health professional students request patient information and/or access to patients or patients’ medical records for purposes of research. The requests are particularly difficult to address in small organizations without an Institutional Review Board (IRB). They can also be difficult to handle because they may be initiated by a wide variety of persons and directed to any number of people within the organization.
Requests for access to patients and patient information demands an analysis of three things: (1) Does the proposed use amount to research, triggering regulations governing the protection of human subjects? (2) If so, how is informed consent being obtained from potential subjects? And, (3) How is the subject’s authorization for use and disclosure of protected health information (PHI) under the Health Insurance Portability and Accountability Act (“HIPAA”) being obtained?
Federally-funded research is regulated by the Department of Health and Human Services (“DHHS”) and the Food and Drug Administration and is defined in regulations as involving human subjects and including “a systematic investigation, including research development, testing and evaluation, designed to contribute to generalizable knowledge.”1 The results do not necessarily have to be published to be research governed by regulations. All institutions performing research are encouraged to provide formal assurances that their research will comply with DHHS regulations regardless of the funding source.2 In contrast, the HIPAA Privacy Rule applies to all covered entities.
There are a number of urban (and perhaps rural) myths about the disclosure and use of PHI as well as the need for informed consent in research activities. This article addresses five “mythbusters” related to commonly occurring situations:
1. I’m a Member of the Medical Staff or a Student in a Clinical Rotation, So I Don’t Need Permission—Right?
Members (current or past) of a facility’s medical staff are not exempt from informed consent and HIPAA authorization requirements. The fact that a medical staff member previously treated a patient or is a member of a group practice that treated the patient does not provide unfettered access to patients’ records for research purposes.
Students in clinical practicums and rotations are not exempted from informed consent and HIPAA Privacy Rule requirements if they are conducting research. However, it can be difficult sometimes to discern between a class assignment and research. Often, it is necessary to request additional details about the project.
2. I’m Only Using De-identified Data.
“De-identified” does not mean merely that the patient’s name has been redacted or omitted. The HIPAA Privacy Rule sets out 18 identifiers that must be removed before the data is considered de-identified.3 Very little of the data said to be de-identified by researchers actually meets this requirement.
3. Please Just Waive the Consent and Authorization Requirements.
Waiver of informed consent and HIPAA authorization requirements is not automatic. Waiver of informed consent requirements and HIPAA authorization requirements is provided for in pertinent regulations if requested by the researcher; however, waiver requires certain factual findings by an IRB; in the case of waiver of informed consent; or, in the case of waiver of the HIPAA authorization requirement, a Privacy Board designated by the facility or an IRB acting as a Privacy Board.4 Waiver should not be granted merely for the convenience of the researcher.
4. The Medical Executive Committee will Approve Research.
A medical staff committee may not act as an IRB to approve federally-funded research without applying and meeting all Department of Health and Human Services requirements of registration and obtaining a Federal-wide Assurance Number. The organization may, however, appoint a Privacy Board if it meets certain requirements.5
5. Locating Subjects is Exempted Because it is an Activity Preparatory to Research.
Recruiting subjects is considered by DHHS to be research that triggers both informed consent and Privacy Rule requirements.6 Specifically, this means that facilities may not disclose PHI to researchers who then use that information to contact potential subjects and obtain informed consent. The facility (covered entity) under HIPAA must itself obtain the potential subject’s authorization to disclose his or her name to the researcher. Only when such authorization is obtained, may the facility disclose PHI unless a waiver has been granted by a Privacy Board or the IRB acting as a Privacy Board.
The exception for “activities preparatory to research” is designed to provide researchers with limited access to the minimum necessary amount of PHI required to determine whether or not the concept of the research project is viable. The exception is very narrow and does not include identification and/or recruiting of research subjects once the concept for a study is established.7
- Designate an individual in your facility to be the central contact point for research requests. Often, the appropriate person is the HIM manager or the Privacy Officer who already has substantial background in HIPAA requirements. Any request should be directed to that individual so that the three key elements of analysis (research, informed consent and HIPAA authorization) are consistently reviewed. This person should seek the advice of legal counsel as needed.
- Be sure that Medical Staff Bylaws, Rules and Regulations and organizational policies and procedures are up to date regarding disclosure and use of PHI and access to patients for research purposes and that they do not conflict with HIPAA regulations or DHHS rules where applicable.
- Consider developing a relationship with an IRB in a larger institution for technical assistance and possible review of research requests in cases where IRB approval of research and/or waiver is required.
- Use a standard format for requests for access to patients and records and require all such requests to be in writing. Use of a form helps to assure consistent and complete information.
- Recognize that not all requests for research can be granted and not all requests for waivers should be approved. The researcher may have to modify his or her research design or method of recruiting subjects or obtaining data to be able to carry out the study in your organization.
- Understand that the organization’s primary role is to protect potential subjects by making sure that applicable requirements for informed consent to participate in research and authorization for use and disclosure of PHI is properly obtained as required by current law.
145 C.F.R. § 46.102(e) and (f).
2Institutional Review Boards: A Primer, (American Health Lawyers Association: 2007) p. 8.
345 C.F.R.§§ 164.514(a) and (b).
445 C.F. R. § 46.116; 21 C.F.R.§ 50.27.
545 C.F.R.§ 164.512 (i)(B); 45 C.F.R.
§ 46.108(b); and 21 C.F.R.
667 Fed. Reg. 53230-31 (August 14, 2002).
745 C.F. R. § 164.512(i)(I)(ii).