What is HIPAA?
HIPAA, or to give it its proper name, the Health Insurance Portability and Accountability Act, is a federal law that provides privacy protection for people who receive any form of medical care from a medical provider, including doctors, dentists, insurance companies, hospitals, clinics, nursing homes, mental health facilities, county-provided medical services and any other body that has knowledge of an individual’s medical needs and conditions. The HIPAA Privacy Regulations establish a stringent and complex new regime that governs all uses and disclosures of “protected health information” (PHI). The HIPAA Privacy Regulations are intended to supplement, not replace, existing privacy laws such as the Common Rule, state laws, and FDA regulations.
When did all the fuss begin?
The Final Rule was issued on August 14, 2002, with a one-year transition period. All clinical studies that were approved and started subject enrollment after April 14, 2003 must comply with HIPAA in all respects.
What is protected health information?
When conducting clinical research, it is necessary to collect protected health information (PHI). PHI is any health information that is:
- Created by or received by a covered entity or an employer; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- Identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual; and
- Is electronically maintained or transmitted, or in oral or written form.
Under HIPAA, a “covered entity” is defined as a Health Plan, a Health Care Clearinghouse or a Health Care Provider. Generally, research studies conducted by a pharmaceutical company will fall under the Health Care Provider category. However, this classification remains controversial, and some continue to question whether pharmaceutical companies should fall under this description. To aid with the determination, covered entity decision tools are available at: http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp
If the above rules were applied under all circumstances, it would be impossible to conduct useful clinical trials. HIPAA therefore allows for some exceptions. PHI can be used or disclosed when written patient authorization has been obtained. This authorization must specify what PHI may be used or disclosed, to whom the information may be disclosed, who can use and disclose the PHI, the purpose of the use or disclosure, and the duration of the authorization.
Authorization or consent?
One important distinction to be made is that obtaining patient authorization to collect and use PHI for clinical research is not the same as obtaining patient informed consent to participate in a clinical study. Patient authorizations deal solely with privacy and do not address any potential risks of the research treatment. Unlike informed consent forms, PHI authorization forms must contain an expiration, which may be satisfied by reference to an event.
So where are the new forms?
Other than the standardized HIPAA transaction formats, there are no prescribed HIPAA forms. Every covered entity is required to develop its own set of forms. These include the Notice of Privacy Practices, Authorization forms, and Business Associate Agreements. To aid in the development of these documents, sample HIPAA forms are available on the Centers for Medicare and Medicaid Services website at http://www.hhs.gov/ocr/hipaa/contractprov.html
Many consider that 2004 was the preparatory year for HIPAA compliance and predict that 2005 will be the year of HIPAA enforcement. But is that really a reality? Responsibility for enforcing HIPAA falls upon the Office of Civil Rights (OCR) in the Department of Health and Human Services (DHHS). (In addition, the Centers for Medicare and Medicaid Services (CMS) established an Office of HIPAA Standards, which acts as the enforcement agency for the standard transactions, identifiers and code sets. This office is responsible for the issuance and interpretation of all HIPAA non-privacy-related rules. It is also accountable for enforcement, outreach and education regarding all HIPAA non-privacy-related rules.) However, the size of OCR will not allow its staff to go out into the field and conduct site visits for surveillance purposes. Rather, the enforcement of HIPAA is going to be a complaint-driven process, and the violation penalties are high.
- Each wrongful disclosure carries a maximum fine of $50,000 and up to 1 year of imprisonment.
- Each disclosure made under false pretenses carries a maximum fine of $100,000 and up to 5 years of imprisonment.
- Any disclosure with the intent to sell carries a maximum fine of $250,000 and up to 10 years of imprisonment.
- Civil monetary penalties are $100 per violation with a maximum of $25,000 per year, per violation. Based on the possible violations of the EDI standards, the total penalties could amount to more than $1 million per year.
In theory, even an unintentional breach (such as accidentally allowing someone to view a patient record on a computer screen) can carry the $100 fine. The Department of Justice has the unenviable task of administering the penalties and levying the fines associated with non-compliance.
When the HIPAA Privacy Rules first went into effect, rumors circulated that attorneys nationwide were planning to deploy decoy patients to see whether doctors, dentists, hospitals and insurance companies had the policies, procedures and protections in place to ensure patients' privacy. The talk was that trial lawyers were gearing up to make HIPAA “the next tobacco litigation”. Thankfully that hasn’t happened, but for some covered entities the risks of HIPAA non-compliance may outweigh the benefits, leading some to terminate their participation in clinical research or, at the very least, to stop sharing their data with other researchers. Concern has been expressed that this refusal to share data is ultimately to the detriment of clinical research and is at odds with patients' often altruistic reasons for trial participation. Worries also exist that Institutional Review Boards (IRBs) will be overburdened with the additional responsibility of HIPAA, leading to a further reduction in the amount of clinical research and a slowing down of the study approval process.
Increased privacy or wasted money?
So while HIPAA presents a challenge to the industry in the areas of patient recruitment, study monitoring visits and the informed consent procedure, it has also presented a plethora of new business opportunities. Medical writers have benefited from an increased need by pharmaceutical companies to produce or amend standard operating procedures (SOPs) and clinical trial documents so that they contain HIPAA guidance. Books and articles explaining HIPAA are also in demand. Conference and training organizers have also profited from the industry's need to understand the implications of HIPAA compliance. A new breed of consultant has emerged: the HIPAA Consultant. HIPAA lawyers too have materialized, but rather than looking to litigate against covered entities, they have taken a proactive role in assisting with HIPAA understanding and implementation.
HIPAA has also had a knock-on effect on the IT sector, which has developed HIPAA tracking and reporting tools that have expedited electronic processes for clinical research. Electronic data interchange (EDI) in particular has become an essential tool for conducting clinical studies in a post-HIPAA environment. The increase in EDI usage has provided opportunities to streamline business processes, remove paper, reduce administrative costs and, hopefully, increase overall profitability.
While this upsurge in economic activity is advantageous to some, it has come at a price. Government estimates put the cost of compliance with the HIPAA Privacy Rule at 17 billion dollars, and private estimates go much higher. One has to question whether these 17 billion dollars have been well-spent.
Back to basics
The problem of patient privacy is not a new one, and a complex web of ethics, incentives, and laws protected privacy long before HIPAA. Perhaps in isolation none of these processes was sufficient, but combined they were a powerful force, and now the future of some of them may be at risk. Perhaps we were too quick to abandon the old in search of the new, and to mend a process that wasn’t broken. Possibly we should have looked to history to solve the problems of the present. As a Greek physician, born in 460 BC on the island of Cos, once said:
“What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.”
In the pursuit of excellence we must exercise caution and be wary of reinventing the wheel.