” Health insurance portability and accountability act (HIPPA):Who will
benefit and how?
Dr Alok Miglani
As we know that it is mentioned in the ICH GCP principles that right safety
and confidentiality of subject is to be maintained throughout the trial.
Moreover the protection of human subjects is of prime factor in every
clinical trial along with safety. Thus two safeguards are: IRB and Informed
consent document. But for protection of private information (to maintain
confidentiality) of subjects, there must be some law. Thus health insurance
portability and accountability act (HIPPA) was passed by congress in 1996 to
maintain privacy of subjects. Thus this article deals with how it is
beneficial to subjects involved in the trial along with introduction of
HIPPA and its applicability,
After the enactment of the HIPPA, federal government proposed privacy rule
in 2003 to ensure its implementation.
Purpose of privacy rule 2003: Is to protect the privacy of individually
identifiable health information by establishing conditions for its use and
disclosure by covered entities (health care provider, health plan, and
health care clearing house.)
All clinical investigators must comply with HIPPA if they request protected
health information (PHI)from covered entities .failure to comply with HIPPA
can result in costly civil or even criminal ,sanctions against an
institutional or investigational site .
Classes of data under privacy rule 2003:
q Protected health information: It consists of health information and
q De identified data
q Limited data sets.
q Protected health information (PHI):
it is a subset of what is termed “individually identifiable health
information “. it is defined as information that identifies the individual .
Ã~ Health information: The term health information means any
information, whether oral/recorded in any form or medium (paper, images such
as x-rays etc)
a) Created or received by covered entities.
b) Relates to past, present or future physical or mental health
conditions of an individual.
Ã~ Individually identifiers (HIPPA IDENTIFIERS) :
3. All elements of dates (except for a year)
4. Telephone no.
5. Fax no
6. Email no
7. Social security no
8. Medical record no
9. Health plan beneficiary no
10. Account no’s
11. Certificate /or license no.
12. Vehicle identifiers and serial no’s
13. Device identifiers and serial no’s
15. Internet protocol (IP) address no
16. Biometric identifiers including finger and voiceprints.
17. Full-face photograph.
18. Any other unique identifying no/characteristics or code.
Privacy rule follows to only PHI but not to deidentified data.
q Deidentified data:
Remove all the identifiers of HIIPPA from PHI and data so left is
de-identified data Recipient of de-identified data would not be able to
identify an individual on the basis of de-identified data .it has in last
item non-identifying code.
q Limited data sets:
This is a third type of data. This excludes direct identifiers except for
address dates, and indirect identifiers. Identifiers that are allowed in the
Limited Data Set are:
Admission, discharge and service dates
Date of death
Age (including 90 and over)
Geographical subdivisions such as state, county, city, precinct and five
digit zip code
The HIPAA regulations use the term “authorization” to describe the process
through which a patient allows researchers to access Protected Health
Information. The authorization for disclosure and use of Protected Health
Information may be combined with the consent form that a research subjects
signs before agreeing to be in a study. It may also be a separate form.
Blanket authorizations for research to be conducted in the future are not
permitted. Each new use requires a specific authorization. In either case,
the information must include:
A description of the information to be used for research purposes
Who may use or disclose the information
Who may receive the information
Purpose of the use or disclosure
Expiration date or event (if the information will be kept indefinitely, the
authorization states that there is no expiration date)
Right to revoke authorization
Right to refuse to sign authorization (if this happens the individual may be
excluded from the research and any treatment associated with the research)
If relevant, that the research subject’s access rights are to be suspended,
while the clinical trial is in progress, and that the right to access PHI
will be reinstated at the conclusion of the clinical trial
Waiver of authorization for research:
The use or disclosure of Protected Health Information must involve no more
than minimal risk to the privacy, safety and welfare of the individual
The research could not practicably be conducted without the waiver or
The research could not practicably be conducted without access to the
Protected Health Information
The Human Subjects Committees will also consider if the researcher has
An adequate plan to protect the identifiers from improper use or disclosure
An adequate plan to destroy the identifiers at the earliest opportunity,
unless retention of identifiers is required by law or is justified by
research of health issues, and
An adequate written assurance that the PHI will not be used or disclosed to
a third party except as required by law or permitted by an authorization
signed by the research subject
All studies involving creation or use of Protected Health Information (PHI)
must be reviewed and approved by IRB or PRIVACY BOARDS
Information which Researchers Provide to the IRB:
Researchers must provide detailed information about the types of information
they will use in their research, how it will be used, who will have access
to it, and when it will be destroyed. Specifically, they are asked:
What risks are posed by the use of the data and how have they been
What is the justification for access to the data and why are they necessary
to conduct the research?
What is the researcher’s plan to protect the identifiers from improper use
What is the researcher’s plan to destroy the identifiers? If it is not
possible to destroy the identifiers, what is the health, legal or scientific
justification for not destroying the identifiers?
Has the researcher provided adequate written assurance that the PHI will not
be used or disclosed to a third party except as required by law or permitted
by an authorization signed by the research subject?
Researchers requesting waivers of authorization will also need to document:
That the use or disclosure poses no more than minimal risk to the subject
That the research could not practicably be conducted without the waiver and
That the research could not practicably be conducted without access to the
Protected Health Information
Effect of HIPAA on recruitment of research subjects:
Recruitment of subjects for research is subject to the general authorization
requirements. The Privacy Rule classifies recruitment as “research” rather
than as health care operations or marketing. Because development or use of
research databases falls within the definition of “research”, a covered
entity may disclose PHI in a database to the researcher for subject
recruitment only after an authorization from the research subject or a
waiver has been obtained.
Neither an authorization nor a waiver is required to disclose PHI contained
in a Limited Data Set or as de-identified data. Limited Data Sets will make
it easier to create databases of potential subjects to see if it is feasible
to conduct a clinical trial or to perform epidemiological research. There
are a couple of important limitations on the use of PHI in a Limited Data
Set for subject recruitment. The PHI may not be used to contact subjects,
and because telephone numbers, Internet provider addresses and email
addresses are not part of a Limited Data Set, researchers may not collect
this information from potential subjects.
When researchers want to approach a potential subject to participate in a
study whom they have identified using PHI under a waiver of authorization,
they must use an approach method that has been approved in advance by the
Human Subjects Protection Program. One example of an approach method
includes using an intermediary such as the patient’s primary care provider
or a member of the medical staff actually caring for that patient, or
sending the potential subject a letter signed by the patient’s provider.
Researchers have to do to request a waiver of authorization?
Explain how the use of PHI involves no more than minimal risk to individuals
Explain why such a waiver will not adversely affect privacy rights or
welfare of individuals in the study
Explain why the study could not practicably be conducted without a waiver
Explain why it is necessary to access and use PHI to conduct the research
Explain how the risks to privacy posed by the use of PHI in this research
are reasonable in relation to the anticipated benefits
Explain the plan to protect identifiers from re-disclosure
Explain the plan to destroy identifiers. Provide a date by which this will
take place. If identifiers must be retained, provide the reason (scientific,
health or other) why this is necessary
Confirm that the PHI will not be reused or disclosed to anyone else
Research subject’s rights under HIPAA:
The subjects have the following rights:
Right to an accounting:
When a research subject signs an authorization to disclose PHI, the covered
entity is not required to account for the authorized disclosure. Nor is an
accounting required when the disclosed PHI was contained in a Limited Data
Set or is released to the research as de-identified data. However, an
accounting is required for research disclosures of identifiable information
obtained under a waiver or exception of authorization. Research subjects may
request an accounting of disclosures going back for up to six years
Right to revoke authorization:
A research subject has the right to revoke his or her authorization unless
the researcher has already acted in reliance on the original authorization.
Under the authorization revocation provision, covered entities may continue
to use or disclose PHI collected prior to the revocation as necessary to
maintain the integrity of the research study. Examples of permitted
disclosures include submissions of marketing applications to the FDA,
reporting of adverse events, accounting of the subject’s withdrawal form the
study and investigation of scientific misconduct.
Research Authorization Templates
Researchers may either incorporate the required elements into a consent form
used for research purposes, or may draft a separate authorization form. In
either case, the form must be signed and dated by the research subject or
the subject’s personal representative or legally authorized surrogate.
Information included in the authorization
The minimal information needed for an authorization is:
The authorization must be written in plain language
A copy of the authorization form (or consent document with authorization
language) must be given to the individual.
1. A description of the information (minimum necessary): “My medical
record will be reviewed for information about diagnosis and treatment of my
2. Who may use or disclose the information: “The researcher and
research team members will have access to this information”.
3. Who may receive the information: “The sponsor of this research, the
Food and Drug Administration, the laboratory and the Institutional Review
Board will have access to this information”.
4. Purpose of the use of disclosure: “My information will be used to
make sure it is safe for me to be in this study” or “This information will
be used to make sure I am eligible to be in this study”.
5. Expiration Date: “This authorization will expire in 1 year. That
means new information cannot be obtained about me after that time”.
6. Individual’s signature and date: Subject or the subject’s legally
authorized surrogate must receive a copy, and the researcher must retain a
copy for at least 3 years or per applicable policy. Include a line for the
subject’s printed name, signature and date.
7. How long identifiable data will be retained: “My information will be
linked to my name and kept until [INSERT DATE]”.
Thus it is clear that person protection is maintained by PRIVACY BOARDS and
Person involved in the trial has full right:
Right to revoke authorization:
“I have the right to change my mind about allowing access to this
information. If I change my mind, I must notify the Principle Investigator
in writing. The address for the Principal Investigator is [INSERT ADDRESS].
If I do refuse.”
Right to refuse to sign authorization:
“I have the right to change my mind about allowing access to this
information. Refusing to sign this document will not affect my medical care
or treatment. If I do refuse.”
Loss of privacy protection once information is re-disclosed:
“If information is disclosed about me to anyone outside this study, I will
lose my privacy protections”.
Subjects enrolled prior to April 14, 2003 do not have to sign an
authorization form. However, if the consent form is amended, they will need
to sign an authorization form.
New subjects enrolled on or after April 14, 2003 will need to sign a
separate authorization form.
Thus it is how the the GCP requirements are maintained
Privacy rule at 45 CFR parts 160 and 164 and guidance
Office for civil rights (OCR)