HIPAA Compliance Clinical Trials: How Does it Apply?
When conducting HIPAA clinical trials, there are certain measures that need to be in place to ensure HIPAA compliance. Requirements for HIPAA compliance clinical trials are discussed below.
HIPAA Compliance Clinical Trials: Patient Authorization
Clinical trials are permitted by the HIPAA Privacy Rule, however, under most circumstances, researchers need both written authorization and an informed consent form from patients before commencing HIPAA clinical trials. These forms ensure that the patient understands what the HIPAA clinical trial will entail.
The authorization form should contain the following statements:
- Your health information will be disclosed when it is required by law
- Your health information will be shared when required by law, to prevent or control injury or the spread of disease
- No publication or public presentation about the study will reveal your identity
- To maintain the integrity of the study, you may not have access to your PHI until the study is complete
An informed consent form should provide details on:
- The study’s methodology
- A timeline for the clinical trial
- Potential risks
- Participant confidentiality
- The healthcare coverage the participant will receive during the course of the clinical trial
HIPAA Compliance Clinical Trials: Patient Authorization
Clinical trials are permitted by the HIPAA Privacy Rule, however, under most circumstances, researchers need both written authorization and an informed consent form from patients before commencing HIPAA clinical trials. These forms ensure that the patient understands what the HIPAA clinical trial will entail.
The authorization form should contain the following statements:
- Your health information will be disclosed when it is required by law
- Your health information will be shared when required by law, to prevent or control injury or the spread of disease
- No publication or public presentation about the study will reveal your identity
- To maintain the integrity of the study, you may not have access to your PHI until the study is complete
An informed consent form should provide details on:
-
- The study’s methodology
- A timeline for the clinical trial
- Potential risks
- Participant confidentiality
- The healthcare coverage the participant will receive during the course of the clinical trial
HIPAA Compliance Clinical Trials: When is Authorization Not Required
There are certain circumstances in which patient authorization is not required for HIPAA clinical trials.
For HIPAA compliance clinical trials, researchers must obtain one of the following to use and disclose protected health information without authorization:
- Documented Institutional Review Board (IRB) or Privacy Board Approval. Documentation that an alteration or waiver of research participants’ authorization for use/disclosure of information about them for research purposes has been approved by an IRB or a Privacy Board. See 45 CFR 164.512(i)(1)(i). As such, clinical trials are permitted by the HIPAA Privacy Rule. This provision of the Privacy Rule might be used, for example, to conduct records research, when researchers are unable to use de-identified information, and the research could not practicably be conducted if research participants’ authorization were required. A covered entity may use or disclose protected health information for research purposes pursuant to a waiver of authorization by an IRB or Privacy Board, provided it has obtained documentation of all of the following:
- Identification of the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;
- A statement that the IRB or Privacy Board has determined that the alteration or waiver of authorization, in whole or in part, satisfies the three criteria in the Rule;
- A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Board;
- A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures; and
- The signature of the chair or other member, as designated by the chair, of the IRB or the Privacy Board, as applicable.
The following three criteria must be satisfied for an IRB or Privacy Board to approve a waiver of authorization under the Privacy Rule:
-
- The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
-
-
- an adequate plan to protect the identifiers from improper use and disclosure;
- an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
- adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
-
-
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to and use of the protected health information.
- Preparatory to Research. Representations from the researcher, either in writing or orally, that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any protected health information from the covered entity, and representation that protected health information for which access is sought is necessary for the research purpose. See 45 CFR 164.512(i)(1)(ii). This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study. The Privacy Rule does not prohibit a covered entity’s granting remote access to PHI to a researcher for activities that qualify as reviews preparatory to research, provided reasonable and appropriate safeguards are in place, as described in OCR’s guidance, Remote Access to PHI for Activities Preparatory to Research – PDF.
- Research on Protected Health Information of Decedents. Representations from the researcher, either in writing or orally, that the use or disclosure being sought is solely for research on the protected health information of decedents, that the protected health information being sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought. See 45 CFR 164.512(i)(1)(iii).
- Limited Data Sets with a Data Use Agreement. A data use agreement entered into by both the covered entity and the researcher, pursuant to which the covered entity may disclose a limited data set to the researcher for research, public health, or health care operations. See 45 CFR 164.514(e). A limited data set excludes specified direct identifiers of the individual or of relatives, employers, or household members of the individual. The data use agreement must:
-
- Establish the permitted uses and disclosures of the limited data set by the recipient, consistent with the purposes of the research, and which may not include any use or disclosure that would violate the Rule if done by the covered entity;
- Limit who can use or receive the data; and
- Require the recipient to agree to the following:
-
-
- Not to use or disclose the information other than as permitted by the data use agreement or as otherwise required by law;
- Use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the data use agreement;
- Report to the covered entity any use or disclosure of the information not provided for by the data use agreement of which the recipient becomes aware;
- Ensure that any agents, including a subcontractor, to whom the recipient provides the limited data set agrees to the same restrictions and conditions that apply to the recipient with respect to the limited data set; and
- Not to identify the information or contact the individual.
-