Extract
This article is the report of a work group of the American Academy of
Orthopaedic Surgeons Council on Research, Quality Assessment, and Technology.
The task assigned to the group by the Chair, Joshua Jacobs, MD, was to review,
codify, and disseminate information for the Fellowship on the compliance
requirements for conducting clinical research under the Health Insurance
Portability and Accountability Act (HIPAA) Privacy Rule.
The ethical conduct of clinical practice has an established precedent
extending to ancient times and the beginnings of the healing professions,
encoded in the Code of Hammurabi and the Hippocratic oath. These guides were
intended to regulate the conduct and ethics of the purveyors of medical
treatment in the ancient world. They also prescribed boundaries of behavior
and penalties for transgressions, including corporal punishment.
Comparatively, medical research does not have such a history and was largely
without published standards of conduct until the twentieth century. The Nazi
physician trials in 1946 exposed atrocities committed under the guise of
experimental human medical research, which resulted in the 1947 Nuremberg Code
for human research [1].
Included in the ten precedents that it established were the important
requirements that subject participation be informed and voluntary and that
human research must be scientifically valid and conducted solely for the
benefit of society as a whole. The Nuremberg Code was accepted by the
fifty-one signatory nations of the Charter of the United Nations.
In 1953, the Clinical Center of the United States National Institutes of
Health produced the first federal policy to protect human research subjects.
The years after World War II saw an increase in scientific technology applied
to medical treatment protocols. The new policy was consistent with the
Nuremberg Code and gave special emphasis to the protection of healthy adult
research volunteers. This policy established the beginning of a research
review mechanism, the institutional review board, which became the fundamental
research accountability system in the United States [2].
In 1964, the World Health Organization recognized a need for more
definition on the subject of human participation in medical research, which
culminated in the production of the Declaration of Helsinki [3]. This
document was adopted by the World Medical Society and was further revised and
expanded in 2000. On the basis of revelations concerning the human
experimentation in the Tuskegee Syphilis Study during the World War II
era [4], Congress passed the National Research Act in 1974 [5]. Further study
of human research practices from 1974 to 1978 strengthened the 1974
regulations [6]. In 1979, these changes were incorporated in The Belmont
Report: Ethical Principles and Guidelines for the Protection of Human
Subjects of Research, expanding the guidelines governing human medical
research [7]. It
established three fundamental ethical principles relevant to all research
involving human subjects: respect for persons, beneficence, and justice. In
1981, the United States Department of Health, Education, and Welfare, now the
Department of Health and Human Services, approved Title 45, Code of Federal
Regulations, Part 46, Protection of Human Subjects. Originally limited to
projects funded by the Department of Health and Human Services, these
guidelines were extended, in 1991, to cover all federally supported research
and were called the Common Rule [8]. In 1996,
Congress passed the Health Insurance Portability and Accountability Act,
partly in response to the privacy concerns of individuals whose sensitive
health data could be compromised by the rapid expansion of electronic data
transmission. The Department of Health and Human Services then developed
standards for the protection of individually identifiable health information,
i.e., the Privacy Rule. The deadline for compliance was April 14, 2003. The
effect of this rule on clinical research was to bring any query using
protected health information, defined as any data that could be traced to an
individual, patient, or human subject, under the review requirements and
monitoring of the institutional review board. Additionally, the earlier
"Common Rule" was subsumed by the Privacy Rule and the scope of
coverage was expanded to all protected health information research, including
quality improvement endeavors. For further information and resources, see the
electronic Appendix.
What was the rationale for the establishment of the Privacy Rule? If one
peruses the early medical literature, the use of protected health information
by researchers was commonplace. The identity of subjects, including full-face
photographs, was often openly used. There was no guidance to protect
confidentiality, and there were no institutional mechanisms to ensure the
privacy of health information. It was commonly accepted that the public had
limited access to medical research and the presentation of results. The
electronic age and, particularly, the transmission of personal and private
health data over the Internet marked a substantial change in practice and left
the data vulnerable to discovery by unauthorized parties. Heightened public
awareness and access to scientific materials in an age of enlightened
consumerism raised concerns about the privacy of personal health information.
Thus, the Privacy Rule was designed to prevent unauthorized access to
protected health information in this new paradigm. It also expanded the rights
of human clinical research subjects in requiring their prior written
authorization, with use of plain language, to participate in clinical studies.
This has occurred at a time when the veracity, as well as the ethical tenets,
of some clinical research activities has been questioned [9]. There
has been increased scrutiny by consumer groups, government agencies, and other
interested parties concerning the reporting of clinical research findings and
the protections offered to participants in human research projects. The
economics of research and development has changed the relationships between
researchers and commercial interests, which some believe have brought into
question the reliability of research outcomes and driven the costs of health
care higher [10].
The Privacy Rule specifies who is covered by creating a class called
"Covered Entities," which was defined as all entities that
electronically transmit any protected health information. This captures
health-care clearinghouses, health plans, and health care providers
(hospitals, clinics, and medical practices). Nonclinical researchers who have
an employment relationship with universities, medical centers, clinics, or
practice groups are also included. Some electronic transmissions of protected
health information are exempt from the Privacy Rule's prior authorization
provisions. These include treatment outside the boundaries of clinical trials,
e.g., medical consultations, medical referrals, and communication with
referring providers. Billing and payment collection functions are exempt as
are routine hospital activities such as administrative oversight and quality
assurance activities.
HIPAA requires that all "covered entities" (institutions,
practices, or offices that bill electronically) establish a privacy board for
research to monitor any research activities. Most large institutions have
existing institutional review boards that may also serve as the privacy board.
An institutional privacy official may be established to monitor these
activities and participate on the institutional review board. The role of the
institutional review board is to review and ensure compliance with the Privacy
Rule in all cases of human research. The role of the privacy board is to
ensure the privacy of human research subjects and protect the confidentiality
of health records. A typical institutional review board consists of a minimum
of five members: one scientist, one nonscientist, one lay person, and two
medical professionals of different specialties. The composition of the
institutional review board and/or privacy board must ensure diversity and may
include other local institutional members.
The Privacy Rule impacts any research that proposes to access the protected
health information of any deceased or living subject. It requires certain
steps to protect the confidentiality of data collected and delineates criteria
necessary for compliance with the tenets of the law. This requirement covers
bench human tissue research, record reviews, and clinical trial research;
essentially all clinical research is covered by the Privacy Rule. These new
rules have been incorporated into the institutional review board process of
most institutions in a seamless fashion. As such, protected health information
may include medical records, imaging studies, diagnostic studies, blood or
urine samples, tissue for DNA, pathology specimens, surgical tissues, and the
emerging research area of cell lines. In addition, a subject's individual
privacy is also protected by the Privacy Rule, which precludes the use of
individual identifiable data without prior written authorization. These data
include a wide variety of information that could be linked to or used to
identify an individual (Table I). One only has to peruse past orthopaedic
journals to see
examples of the publication of such data.
In the special case of multicenter clinical studies, the complexity of the
process to comply may seem daunting. The institutional review board process is
inherently local. Each institutional review board will have its own culture
and modus operandi since there are no uniform operational guidelines. The
coordination of multiple centers can present the opportunity for substantial
delays, costs, and duplication of effort. To help the process, the United
States Food and Drug Administration distributed a draft of a document entitled
"Guidance for Industry. Using a Centralized IRB Review Process in
Multicenter Clinical Trials," published in March 2005 [11]. Suggestions
include the coordination of responsibilities between a central institutional
review board and the separate institutional review boards beforehand with
written protocols and communication channels. Agreements may span the
continuum from the central institutional review board having total control to
a shared responsibility for monitoring and authorization between the local and
the central institutional review board. Ultimately, local institutional review
boards do not have to accept this advice and may still require complete
review.
One of the major principles of the Privacy Rule is that the human research
subject must grant prior written authorization to participate. The written
authorization must detail the use of the protected health information
collected. It also mandates that the investigator may not reuse the protected
health information or the tissue collected without prior written
authorization. Authorization for a specific study does not permit use of the
same information for any subsequent studies. While several new layers of
documentation have been added to the institutional review board process, the
mechanism is in place to support clinical research. The institutional review
boards are in a position to assist investigators to meet the requirements of
the Privacy Rule while facilitating the ability to conduct research in their
respective institutions. Especially in clinical studies, it is necessary to
identify the feasibility of the proposed study by canvassing the data
available in the given institution. To accomplish this without the subject's
prior authorization requires a written preliminary data review waiver from the
institutional review board. This is done by written application to the
institutional review board with assurances that: (1) the protected health
information is sought only to assess the feasibility of the proposed study,
(2) no protected health information will be removed from the institution,
and (3) the protected health information sought is necessary for the proposed
project.
The institutional review board has the authority to grant waivers from the
Privacy Rule's requirements for prior written authorizations in special
circumstances, such as when subjects are deceased, while still protecting the
privacy of the information. This always requires prior consultation with the
institutional review board and the granting of a written waiver. This can be
done by de-identifying the data in accordance with the standards set by the
Privacy Rule such that the data are no longer classified as protected health
information. This may also apply in special circumstances when there is a
compelling need for the study but obtaining the data may be impossible under
the requirement for written authorization. To obtain such a waiver, the
institutional review board may require that certain criteria are met. The
investigator must certify and demonstrate that (1) the project poses a minimal
risk to the privacy of the individuals, (2) there is an adequate plan to
protect identifiers, (3) the identifiers will be destroyed at the earliest
opportunity, (4) the project cannot be practically conducted without the
specified protected health information, and (5) the project could not be
conducted without a waiver. The investigator must provide written assurance
that the data will not be reused for another study or disclosed to another
party. A special waiver can also be sought if all of the individuals in the
study are deceased.
What are the rights of human subjects to know who has access to the data
collected? The subjects of medical research studies are entitled to request an
accounting of those with whom the investigator has shared collected
information in the prior six years, effective as of April 2003 and going
forward. This information must be provided in writing and must include a
description of the disclosure, its purpose, who received the data, the
addresses of the parties receiving the data, and the dates of disclosure.
The Department of Health and Human Services has charged its Office of Civil
Rights with the responsibility of ensuring compliance and enforcing the
Privacy Rule. It has also delegated responsibility and authority to the local
institutional review board and/or privacy board to monitor and apply the
Privacy Rule locally. As a consequence, the local institutional review board
has great latitude to interpret its mandate. At this time, the stated
philosophy of the Office of Civil Rights is to provide a cooperative approach
toward compliance. Compliance issues or complaints will come to the attention
of the Office of Civil Rights through two different means: (1) complaints
filed by anyone about possible violations of the Privacy Rule, i.e., a
whistle-blower, or (2) the exercise of its authority to conduct compliance
reviews of the procedures of covered entities.
The penalties for noncompliance with the Privacy Rule fall into two broad
categories: civil and criminal. Civil violations are essentially
administrative errors and can incur fines of $100 to a maximum of $25,000 per
year for each violation. On the other hand, criminal violations, defined as
knowing, wrongful disclosure of protected health information, can incur
escalated fines to a maximum of $250,000 per year for each violation. The
Privacy Rule sets a minimum federal standard for the protection of private
health information for all citizens; it preempts or overrides state laws that
are below the standard. However, if state laws are more restrictive than the
federal standard, the Department of Health and Human Services requires that
the state law be fully addressed in that jurisdiction.
The local entity that must be addressed is the institutional review board.
It has the mandate and authority to apply the Privacy Rule, and any research
with use of protected health information or individual identifiable data must
have its prior written approval. It is important for the clinical faculty of
universities to understand the individual institutional rules concerning the
publication or presentation of study results. If the results of personal
projects, such as case reports, personal practice series, or reports on
protocols or treatment results, are to be published or presented and the
faculty member identifies himself or herself as being university-affiliated in
authorship, the university's institutional review board may require its prior
written approval for the study. In working with one's local privacy board
and/or institutional review board, it is important to establish a cooperative
relationship. It is also important to note that a growing number of
peer-reviewed journals require documentation of institutional review board
approval as a condition of publication. One can avoid conflicts with the
institutional review board by seeking guidance in the project's planning
stages to ensure that the tenets of the Privacy Rule are met. Finally, one
should not try to circumvent the established process as, in the final
analysis, the goal is to protect the privacy and confidentiality of the health
information of the patient or subject.
In planning a clinical project, one should consult early with the
institutional privacy official to identify what data will be subject to the
Privacy Rule and to determine whether the data can be de-identified without
impacting statistical management of the results. If this is possible, then one
can apply to the institutional review board for confirmation of the
de-identified status of the data set. If this is not possible, then a specific
set of requirements will have to be met to gain institutional review board
approval for the project. One should be prepared to describe the specific
plans for protecting the protected health information that is collected. An
initial step would be to petition the institutional review board for a written
waiver of authorization to canvass medical information relevant to the
proposed study to determine whether there is sufficient material to satisfy
the project design.
The authorization is an important document and is at the heart of the
protection of the rights of the medical research subject. The authorization is
a license for a single, specified use only. That is, the use of the data
collected must be identified, e.g., scientific presentation, published report,
or entry into a database. It is a single-use license. The data cannot be
reused again for another project without another signed authorization by the
human subject. It must be in written form and signed by the proposed subject.
The core elements of the authorization must include a description of the
protected health information to be used or disclosed. It must contain the
names of the persons authorized to disclose the protected health information
and a description of each purpose of the disclosure. The authorization must
have an expiration date and contain the date and signature of the individual
subject or his or her legal representative. The subject's right to revoke
authorization must also be addressed with instructions regarding how to do so.
Individual institutional requirements may also be imposed, and one should ask
the institutional review board about them before beginning the process. The
institutional review board is the institutional facilitator for the
performance of clinical research. It should be viewed as the local source of
knowledge and assistance in helping the investigator to conduct important
research and, at the same time, meet the requirements of the Privacy Rule.
Clinical trials for drugs and/or devices are a special circumstance; they are
conducted under the Investigational Device Exemption rules of the Food and
Drug Administration. They incorporate the policies of the Privacy Rule in
their documentation requirements and for the data collected by the sponsor of
the study to document the safety and efficacy of the device or drug. Such
studies also require institutional review board approval locally. However,
surgical technique or nonsurgical comparative treatment trials are not
regulated by the Food and Drug Administration. HIPAA addresses recruitment
strategies for such research trials. The subject recruitment plan needs to be
detailed in the study proposal submitted to the institutional review board and
should include a list of inclusion and exclusion criteria, identifying the
source of potential subjects, identifying who will screen the protected health
information, and identifying who will approach and recruit subjects. It must
state whether treatment is conditional on signing the authorization and the
potential consequences of not signing. The authorization, again, must describe
the protected health information that could be disclosed and be written in
plain language, and a signed copy must be provided to the individual. The
signed authorization must be maintained for six years after it was last in
effect. All elements of the strategy must be preapproved by the institutional
review board. Most clinical trials are conducted in coordination with a
commercial sponsor, often a pharmaceutical firm or device manufacturer with
its own resources, which may be a useful adjunct in developing the
institutional review board package for an individual institution.
All agree that maintaining patient and human subject privacy is a laudable
goal. However, as with all legislative efforts to engineer social behavior,
one must anticipate having to deal with the unintended consequences of the
application of such regulations on reality. There is concern that the Privacy
Rule may create a substantial bureaucratic burden and discourage valuable
research.
One possible consequence may include an inability to obtain all potential
subject consents, which could result in reducing the scientific value of
registries. As the level of participation in a registry decreases, its value
as a tool for research or monitoring of clinical outcomes also decreases. This
could impact the ability to perform the highest level of research, the
randomized clinical trial. The data may be skewed if the group of potential
subjects who refuse to participate creates a bias that affects the true nature
of the comparison. Such an outcome may thwart strategies for the improvement
of patient care by not identifying superior treatment on the basis of a
demonstration of the significance of the outcome comparison. Also, the
bureaucracy that is created has the potential to increase the cost of
performing research, which may in itself be prohibitive. Armstrong et al.
calculated the costs associated with HIPAA compliance for a project they
reported on in 2005 [12]. They
suggested that the cost for the initial year was over $8500 and the cost for
the following years was over $4500 annually.
Not all past important medical contributions have occurred in large
institutions with substantial financial resources. The role of the single
innovative individual researcher has been noted over time. The exclusion of
such a resource of potential new information, insight, and technological
development due to bureaucratic and financial imposition may be an important
loss to the future. As the concepts put forth in the Privacy Rule have begun
to be applied, a number of publications have appeared and identified problems.
These include the increased costs of performing research [12] and the
difficulties in obtaining consents, especially for registries [13-21].
Only future monitoring of the quality and amount of research conducted will
highlight the consequences of this legislation and its regulations, for better
or worse, to further protect privacy and the use of health information.
The HIPAA Privacy Rule has the potential to enhance the existing
protections of the rights and privacy of research subjects. Human subjects may
be granted further protections from unethical practice; they may be better
informed and have better remedies for any harm created as an unintended
consequence of their participation as research subjects. With better oversight
and monitoring of the process of developing research protocols, the scientific
quality of outcomes may well be enhanced. If this is true, then an improvement
in the societal value of public and private research dollars spent will be
realized. Improving the quality and validity of published results will enhance
the practitioner's ability to identify the treatments and procedures that are
really of value. This may provide more relevant models to steer clinical
practice toward a more scientific basis.
On the other hand, there are potential negative consequences that must also
be considered. The bureaucracy itself, as well as the increased costs both in
dollars and in time required to successfully negotiate the process of securing
institutional review board approval for potential research projects, may
discourage research efforts. Increased resource requirements could move
clinical research and research and development efforts out of the United
States. The potential effect on the quality of research, when conducted in
less regulated environments, is yet to be realized. The impact of such changes
could reduce the role of the United States as a world leader in medical
innovation, and technological growth and treatment advances for patients in
this country may be compromised. The potential consequence to the recruitment
efforts to assemble the new generations of medical researchers is of
significant concern. In an era of shrinking reimbursement for services and
increased competition for fewer federal research dollars, additional burdens
on time and resources will greatly challenge medical teaching hospitals and
institutions to recruit and retain full-time teaching faculty. Only time will
reveal the positive and negative consequences and the changes that may require
further legislative or regulatory remedy.
It is important to recognize that most research is carried out at the local
level rather than regionally or nationally. As such, it will come under the
review of the local institutional review board whose authority to monitor and
interpret the application of the Privacy Rule has been discussed. A number of
preliminary steps to avoid administrative delays in gaining institutional
review board approval are recommended prior to actually submitting a proposed
project to the institutional review board and are outlined in Table II.
Finally, the
completed study package should be submitted to the institutional review board
with or without a request for waivers and their justification as
necessary.
The HIPAA legislation has continued to refine the long-developing process
of how privacy and the confidentiality of health information are protected in
the research environment. These new regulations have been seamlessly
integrated into the existing institutional review board process. Certainly,
this has added additional bureaucracy to the process of gaining institutional
review board approval for clinical research, and probably additional expense.
However, the tradeoff may be that the added costs are justified by improved
protections for human research subjects. It is important that we recognize
that changes in the process have occurred and that our local institutional
review board is an important resource to assist us in successfully gaining
approval for our research efforts. Learning more about the process and working
cooperatively within the system will be the most efficient way of receiving
the required approvals for clinical studies.
A table listing additional resources consulted and numerous electronic
resource documents is available with the electronic versions of this article,
on the web site at
(go to
the article citation and click on Supplementary Material) and on the quarterly
CD-ROM (call our subscription department, at 781-449-9780, to order the
CD-ROM).
1. Trials of war criminals before the Nuremberg Military Tribunals under Control Council Law No 10. Nuremberg, October 1946-April 1949. Washington, DC: US Government Printing Office; 1949-53. Vol 2. p 181-2.
2. Faden RR, Beauchamp TL, King NMP. A history and theory of informed consent. New York: Oxford University Press; 1986. p 201-2.
3. World Medical Association. "Declaration of Helsinki." Reprinted in Law, Medicine and Health Care. 1991;3-4:264-5.
4. Jones JH. Bad blood: the Tuskegee syphilis experiment. New York: Free Press; 1993.
5. National Research Act, Public Law 93-348, 1974.
6. Appendix (vol. I and II) to The Belmont report: ethical principles and guidelines for the protection of human subjects of research. Washington, DC: US Government Printing Office; 1978. DHEW Publication No. (OS) 78-0013 and (OS) 78-0014.
7. The Belmont report: ethical principles and guidelines for the protection of human subjects of research. Washington, DC: US Government Printing Office; 1978. DHEW Publication No. (OS) 78-0012.
8. Department of Health and Human Services. Policy for the protection of human subjects; Title 45, Code of Federal Regulations, Part 46.
9. Bhandari M, Kocher MS, Okike KM. Conflict of interest and positive clinical research findings in orthopaedic surgery. Read at the Annual Meeting of the American Academy of Orthopaedic Surgeons; 2005 Feb 23-27; Washington, DC. p 494.
11. Food and Drug Administration. Guidance for industry. Using a centralized IRB review process in multicenter clinical trials. March 2005. www.fda.gov/cder/guidance/OC2005201fnl. Accessed 2006 Oct 16.
12. Armstrong D, Kline-Rogers E, Jani SM, Goldman EB, Fang J, Mukherjee D, Nallamothu BK, Eagle KA. Potential impact of the HIPAA privacy rule on data collection in a registry of patients with acute coronary syndrome. Arch Intern Med. 2005;165:1125-9.
13. Tu JV, Willison DJ, Silver FL, Fang J, Richards JA, Laupacis A, Kapral MK; Investigators in the Registry of the Canadian Stroke Network. Impracticality of informed consent in the Registry of the Canadian Stroke Network. N Engl J Med. 2004;350:1414-21.
14. Ingelfinger JR, Drazen JM. Registry research and medical privacy. N Engl J Med. 2004;350:1452-3.
15. Leet AI, Chorney GS. The effect of HIPAA regulations on research. Read at the Annual Meeting of the American Academy of Orthopaedic Surgeons; 2005 Feb 23-27; Washington, DC. p 494.
16. Dudeck J. Informed consent for cancer registration. Lancet Oncol. 2001;2:8-9.
17. Chertow GM, Pascual MT, Soroko S, Savage BR, Himmelfarb J, Ikizler TA, Paganini EP, Mehta RL; PICARD. Reasons for non-enrollment in a cohort study of ARF: the Program to Improve Care in Acute Renal Disease (PICARD) experience and implications for a clinical trials network. Am J Kidney Dis. 2003;42:507-12.
18. Kulynych J, Korn D. The new HIPAA (Health Insurance Portability and Accountability Act of 1996) Medical Privacy Rule: help or hindrance for clinical research? Circulation. 2003;108:912-4.
19. Durham ML. How research will adapt to HIPAA: a view from within the healthcare delivery system. Am J Law Med. 2002;28:491-502.
20. Califf RM, Muhlbaier LH. Health Insurance Portability and Accountability Act (HIPAA): must there be a trade-off between privacy and quality of health care, or can we advance both? Circulation. 2003;108:915-8.
21. Annas GJ. Medical privacy and medical research—judging the new federal regulations. N Engl J Med. 2002;346:216-20.