 | | | | | | | | | | |
 |  |  |  |  |  |  | | |||
 |  |  | | |||||||
 |  |  | | |||||||
 | | |||||||||
 |  |  |  |  | | |||||
 |  |  |  | | ||||||
|
FYI Research: |
The Health Insurance Portability and Accountability Act (HIPAA), which regulates the exchange of health information that is often critical to research, became law in 1996. But according to Associate University Counsel David Parker, on April 14 HIPAA's privacy rule finally will affect us "here in the trenches" on the Carolina campus. This leaves researchers a scant few weeks to familiarize themselves with HIPAA's requirements. HIPAA privacy regulations do not replace existing human research participant protections. Rather, according to Parker, "HIPAA presents additional requirements." The new regulations apply to personal, health and demographic information in the records of health care providers, health plans and health care clearinghouses -- so-called "covered entities," which include the UNC Health Care System, the School of Medicine and other health care providers such as private clinics and hospitals. These entities will refuse to share health records without demonstrated HIPAA conformity, such as a patient's signed authorization or a waiver of authorization from the researcher's Institutional Review Board (IRB). Researchers whose work involves clinical trials, patient surveys, retrospective chart reviews, patient database mergers or other information from medical records should therefore know the HIPAA regulations or face an unwelcome surprise when requests for data go unheeded. Penalties for improper disclosures by covered entities can be severe, with fines per violation of up to $250,000 and imprisonment of up to 10 years. Understandably, in the future covered entities will be guarding "protected health information" (PHI) more closely than ever. (PHI might be the patient's name, date of birth, date of admission or treatment or discharge -- even a rare diagnosis -- or other individually identifiable data.) In addition, when research involves PHI, IRBs will require more information, and informed-consent documentation will be more complex. Even so, HIPAA needn't give rise to panic. The law permits a covered entity to share PHI for use in research in several ways. (See box at right.) All that is required is the proper paperwork, and standard forms are available online. As with all things new, HIPAA inspires many questions. At a HIPAA training forum on March 14, one faculty member said hospitals have begun refusing data intended for use, not in research, but in research-training programs. Mary Lynn, an associate professor of nursing who helped lead the training session, said, "It's going to take several weeks or months for institutions not at the forefront of understanding HIPAA to get it all figured out." Both she and Parker counsel patience as new procedures come to be implemented throughout the health care system. Adrian Shelton, research compliance coordinator with the Office of University Counsel, concurred. "We know there will be an adjustment period, and people have a lot of concerns," Shelton said. "They don't always know whether what they've heard is accurate or rumor." Shelton said that University planners have prepared a web site detailing HIPAA regulations and avenues for compliance: www.unc.edu/ hipaa/. The site includes required forms, a FAQ and a campus contacts list. Also posted on the site is a memo from the campus privacy officer, Glenn George, to other covered entities providing reassurance about HIPAA-compliant release of PHI to University researchers. Campus researchers may want to print this memo to share with non-University sources of PHI data. Shelton advises anyone seeking answers to questions not covered by materials posted on the website to e-mail hipaainfo@unc.edu. "We will triage inquiries to the appropriate people," she said, adding, "This is going to be manageable." Options for gaining access to PHI * The signed authorization of the patient whose individually identifiable protected health information (PHI) is sought; or waiver by an IRB or a privacy board, consistent with specified criteria, of the authorization requirement for use of individually identifiable PHI; or * Review of PHI solely in preparation for research (such as review to determine adequacy of patient base for a study) without collecting the PHI for research use; or * Complete de-identification of the PHI -- that is, deletion of any data that could render the patient's identity discernable; or * Conversion of the PHI to a "limited data set" devoid of specified facial identifiers together with execution of a data-use agreement with specified provisions covering use and disclosure of the limited data set; or * Use of PHI solely of persons who are deceased. |