• E-mail
• Print
• RSS

How do proposed changes affect research?

HIPAA Weekly Advisor, July 28, 2002

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q: How would the proposed privacy changes affect how our facility conducts research?

A: If your facility conducts research or shares patients' protected health information (PHI) with other organizations for research, the proposed changes would affect your related policies and procedures in the following ways:

1. Authorization
The proposed changes would eliminate the need for researchers to use multiple consent forms. Under the privacy rule, facilities must use one form for informed consent to the research and a separate one or more for information privacy rights. Under the proposed changes, researchers could use a single combined form for both purposes.

2. Transition periods
Under the current rule, there's a distinction between research that involves treatment and research that doesn't. For research that does not include treatment, you can't rely on preexisting legal permission. You can only use data you've received up to the compliance date. You'll have to get a HIPAA authorization after that.

For a conventional clinical trial that involves treatment, you can continue to use PHI obtained before the compliance date, as long as you already obtained some kind of expressed, legal permission from the patient. That way, you don't have to stop in the middle of ongoing research to try to get another authorization.

The proposed changes, on the other hand, treat both types of research the same. Facilities conducting any research prior to the compliance date will be able to continue after the compliance date without obtaining additional consent.

Under the proposed changes, facilities can specify the end of the research study as the expiration date on the authorization or offer no expiration. But researchers can only provide no expiration date when building a permanent database.

3. Waiver of authorization
HHS tried to make the role of the institutional review board (IRB) or privacy board more seamless with the proposed changes because there were complaints about inconsistencies.

Under the proposed changes, an IRB can waive the need for authorization when the board determines both that

• the use or disclosure of PHI involves no more than a minimal risk to individuals
• the research could not practically be conducted without the waiver

4. De-identification
In the proposed changes, HHS asked for comments on establishing a limited data set that does not include directly identifiable information but in which certain identifiers, such as important dates, remain.

Editor's note: Adapted from an article in the upcoming July 2002 issue of Briefings on HIPAA and answered by Bernadette Broccolo, JD, partner and chair of the HIPAA task force at Gardner, Carton, and Douglas, in Chicago, and Demetrios Kouzoukas, JD, an attorney for Gardner, Carton, and Douglas and a member of their HIPAA task force.

Go to http://www.hipaapro.com/news/hipaa_downloads.cfm to download a PDF file of the proposed privacy changes.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive