Making Disclosures to Public and Private Registries for Research Purposes

Reproduced with permission from Medical Research Law & Policy Report, Vol. 2, No. 1, pp. 37-38 (Jan. 1, 2003).
Copyright 2003 by The Bureau of National Affairs, Inc. (800-372-1033)

The HIPAA Privacy Rule, as modified in August 2002, permits covered entities to disclose protected health information (PHI) to both public and private registries for research purposes, without written authorization of the individuals to whom the PHI pertains.

1. Disclosure to Public Registries.

In general, disclosure to public registries is permitted under § 164.512(b)(1)(i). The registry must be a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury or disability.

Minimum Necessary. Although individual authorization is not required, the disclosure is subject to the standard that only the "minimum necessary" information be disclosed; however, the covered entity may rely on a public authority's determination of the minimum necessary information needed for the purpose for which the authority is seeking information. Where disclosure is routine and recurring, a covered entity may establish standard protocols for what may be disclosed as part of its policies and procedures to implement the minimum necessary standards.

Accounting. In addition, the covered entity must be able to account for all such disclosures made in the six (6) years prior to the request, upon the request of any individual whose PHI has been disclosed. Not all such disclosures have to be approved by an institutional review board (IRB), because they do not all necessarily involve research; most involve reporting of vital events such as births or deaths, or of communicable diseases. Whether or not such disclosures are monitored or approved by the IRB, the covered entity must implement some mechanism to track its public registry reporting. Under some state confidentiality laws, public health officials to whom the information is disclosed are not authorized to further disclose or use the information.

2. Disclosures to Private Registries.

Prior to the August 2002 modification, the HIPAA Privacy Rule would have stopped disclosures by covered entities to private registries for research purposes, unless individual authorizations were obtained, or the data was de-identified pursuant to the strict rules of §164.514(b). The research community expressed concern that the de-identification standards would render data useless, especially for epidemiological research and longitudinal studies. Clearly, obtaining an individual authorization for these types of studies would have hindered public health research of many kinds.

Fortunately, under the modifications of the Privacy Rule published this past summer, covered entities may now disclose limited data sets to third parties (including private registries) for research purposes without written authorization of the individual, if the recipient of the data enters into a Data Use Agreement with the covered entity that meets the standards of the regulation. See §164.514(e).

Limited Data Sets and the Minimum Necessary Standard. A limited data set is not a subset of de-identified data. Whereas de-identifying data removes such information from the definition of PHI, a limited data set is still PHI, except that specified "direct" identifiers have been removed.1 Unlike de-identified data, which is not subject to the "minimum necessary" standard, a limited data set remains subject to it: once the direct identifiers are removed, the covered entity must still release only as much of the remaining data as is necessary to achieve the research purposes of the recipient. The content of the final "limited data set" (what is removed and what is not) will be driven by the purposes of the research.

Data Use Agreements. Because a limited data set is still PHI, the Privacy Rule contemplates that the privacy of individuals will be protected by requiring covered entities to enter into Data Use Agreements with recipients of limited data sets. The Data Use Agreements must meet standards specified in the regulations, namely, the agreements must:

  • Establish the permitted uses and disclosures of the limited data set;
  • Identify who may use or receive the information;
  • Prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as required by law;
  • Require the recipient to use appropriate safeguards to prevent a use or disclosure which is not permitted by the agreement;
  • Require the recipient to report any such unauthorized use or disclosure to the covered entity of which it becomes aware;
  • Require the recipient to ensure that any agents (including a subcontractor), to whom it provides the information will agree to the same restrictions as provided in the agreement; and,
  • Prohibit the recipient from identifying the information or contacting the individuals.

Like the requirements for business associates of covered entities, the limited data set regulation requires covered entities to take reasonable steps to cure any breach by a recipient of the Data Use Agreement, and, if such steps are unsuccessful, to discontinue disclosure under the Data Use Agreement and report the problem to the Department of Health and Human Services (HHS).

Creating the Limited Data Set. HHS has indicated that a covered entity may allow a researcher requesting a limited data set to create the limited data set, so long as the researcher is acting as a business associate of the covered entity and the covered entity complies with the business associate provisions of the regulation in granting the researcher access to PHI in order to create the limited data set. See 67 Fed. Reg. 53182 at 53237 (August 14, 2002). A covered entity proposing to disclose PHI to an individual or entity for the purpose of creating a limited data set to be released to that same person or entity should ensure that the requirements for both the data use agreement and business associate agreements are met.

Allocating or Coordinating Responsibilities for Data Use Agreements. HIPAA does not require limited data sets and Data Use Agreements to be reviewed by an IRB. However, in many covered entities, requests from private registries or for research on PHI have normally flowed through the IRB process, often under the minimal-risk or expedited review standards of the Food & Drug Administration (FDA) or the HHS regulations governing IRBs. The IRB rules are significantly less stringent than HIPAA with regard to the specificity of uses, the limitations on further disclosures, and the requirement to report potential breaches of permitted uses and disclosures. The advantage of having requests from private registries continue to flow through the IRB is that the IRB may be in a better position than other internal departments or divisions within a covered entity to determine what would be the "minimum necessary" data for the research purpose in question. On the other hand, if the covered entity continues to process private registry requests through the IRB, IRB members and staff must be trained on the stricter requirements of HIPAA and must not rely on the FDA/HHS IRB standards for minimal risk. Finally, consideration must be given to whether the IRB has adequate legal, human and organizational resources to review, execute or monitor compliance with a Data Use Agreement, or with the business associate requirements if the researcher is being allowed to create the limited data set.

Accounting. Unlike disclosures to public registries permitted under the public health activity exception to the authorization rules, disclosures of a limited data set are not subject to the accounting requirements, the rationale being that the marginal increase in privacy protections that such an accounting would provide is outweighed by its burdens. HHS has taken the position that the privacy of individuals with respect to PHI disclosed in a limited data set can be adequately protected through a signed Data Use Agreement.

3. Other Concerns.

IRB Approval is Required to Disclose any Direct Identifier. There may be instances in which the creation of a limited data set and the execution of a Data Use Agreement are not sufficient for the research purposes of a registry. For example, one private state-wide mammography registry conducting longitudinal studies on the efficacy of such procedures collects the actual names and other demographic data of patients who have had mammograms at community facilities, the dates of those procedures, and the interpretations. Generally this has been done by downloading the online patient database of free-standing and hospital-based mammography centers into the registry's database. The registry regularly compares publicly available death records with its database. When a death due to breast cancer is reported, it is able to review whether the decedent had mammograms prior to death, the intervals between the tests, and whether mammograms led to early detection and treatment. Without the identifiers, the registry would not be able to link the specific mammogram histories with the decedent's treatment and outcome records. Removal of patients' names and social security numbers under the limited data set rules would render this alternative to individual authorization unworkable. Consequently, such research must be approved by the IRB, which may waive or alter the individual authorization requirement in accordance with the rules set forth in the Privacy Rule, or the covered entity may actually have to obtain written authorization from individual women at the time they receive mammograms, with the specificity set forth in the regulations.

What is the Role of the IRB? Disclosure of PHI for research purposes may be accomplished in a variety of ways, some with IRB approval and others without. Covered entities need to determine whether the IRB should be involved in all or only some of these decisions to disclose. On the one hand, concentrating expertise and experience on the release of PHI for research within the IRB, under all circumstances, may lead to long-term organizational efficiencies. On the other hand, the IRB may not have the human, organizational and legal resources to fully take on the privacy requirements of HIPAA, including developing and monitoring Data Use Agreements and accounting for disclosures. Coordination between the IRB and other operational units of a covered entity may be required, or covered entities may need to substantially increase the flow of funding and resources to IRBs to ensure compliance. Where an IRB is involved in the release of PHI for research purposes without authorization, the accounting provisions generally apply. Currently many IRBs require retention of records for three years, which is clearly not sufficient if the IRB must be able to account for disclosures made up to six years earlier.

 

FOOTNOTES:

1 Specifically, all of the following identifiers of the individual, and of his or her relatives, employers, or household members, must be removed:

  • names;
  • street addresses (other than town, city, state and zip code);
  • telephone numbers;
  • fax numbers;
  • e-mail addresses;
  • social security numbers;
  • medical record numbers;
  • health plan beneficiary numbers;
  • account numbers;
  • certificate/license numbers;
  • vehicle identifiers and serial numbers, including license plates;
  • device identifiers and serial numbers;
  • URLs;
  • IP addresses;
  • biometric identifiers (including finger and voice prints); and
  • full-face photographs (or comparable images).
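The following is an added example, not part of the original article, showing how a covered entity's data team might mechanically produce a limited data set from a patient record and then check it before release. Two practitioner points it illustrates that the footnote alone does not: the limited data set is built by allowlisting the fields the study actually needs (the "minimum necessary" standard above), rather than by deleting the sixteen known identifier columns, so any unexpected column is dropped by default; and identifiers routinely leak into free-text fields (a clinician's note containing a phone number), so the retained text is scanned before release. The record layout, field names, the allowed-field list and the patterns are all assumptions constructed for this example; the sample record is fabricated. Dates and the full ZIP code are retained here because a limited data set permits them, unlike safe-harbor de-identification under § 164.514(b).

```python
import re

# Constructed sample record (fabricated data; field names are assumptions).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "123 Elm St",
    "city": "Seattle", "state": "WA", "zip": "98101",
    "phone": "206-555-0100",
    "email": "jane@example.org",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0042",
    "date_of_birth": "1958-03-14",
    "mammogram_dates": ["2001-05-02", "2002-05-09"],
    "interpretation": "BI-RADS 2; follow-up with Dr. Lee, page 206-555-0199",
    # Identifiers of relatives/employers/household members must go too.
    "relatives": [{"name": "John Sample", "phone": "206-555-0101"}],
    "employer": {"name": "Acme Corp", "address": "1 Main St"},
}

# Allowlist for one hypothetical study. Per the minimum necessary standard this
# is cut down per research purpose; anything not listed is dropped by default,
# including columns nobody thought to put on a denylist.
ALLOWED_FIELDS = {
    "city", "state", "zip",            # town/city/state/ZIP may stay
    "date_of_birth", "mammogram_dates", # dates may stay in a limited data set
    "interpretation",                   # free text: must be scanned below
}

# Direct-identifier patterns that tend to survive inside free text.
# Assumption: these regexes are illustrative, not exhaustive.
LEAK_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+", re.IGNORECASE),
}


def build_limited_data_set(record, allowed=ALLOWED_FIELDS):
    """Copy only allowlisted fields; every other field, nested or not, is dropped."""
    return {field: record[field] for field in allowed if field in record}


def scan_for_leaked_identifiers(lds):
    """Walk the retained values and report (path, kind) for each pattern hit."""
    findings = []

    def walk(path, value):
        if isinstance(value, dict):
            for key, item in value.items():
                walk(f"{path}.{key}", item)
        elif isinstance(value, list):
            for index, item in enumerate(value):
                walk(f"{path}[{index}]", item)
        elif isinstance(value, str):
            for kind, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    findings.append((path, kind))

    for key, value in lds.items():
        walk(key, value)
    return findings


def release_limited_data_set(record, allowed=ALLOWED_FIELDS):
    """Build the limited data set and refuse release if direct identifiers leak."""
    lds = build_limited_data_set(record, allowed)
    findings = scan_for_leaked_identifiers(lds)
    if findings:
        raise ValueError(f"direct identifiers found in retained fields: {findings}")
    return lds


if __name__ == "__main__":
    try:
        release_limited_data_set(SAMPLE_RECORD)
    except ValueError as err:
        print("blocked:", err)
    cleaned = dict(SAMPLE_RECORD, interpretation="BI-RADS 2; routine follow-up")
    print("released:", release_limited_data_set(cleaned))
```

Run as written, the first release is blocked because the interpretation text carries a pager number; after the note is cleaned the record is released with only the allowlisted fields. The scan is a last line of defense, not a substitute for the allowlist: pattern matching will miss names and free-form addresses, which is why free-text fields should be excluded from a limited data set unless the study genuinely needs them.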


Our purpose in publishing this article is to inform our clients and friends of recent developments in HIPAA. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.
