(Radiology 2005;237:757-764.)
© RSNA, 2005


Special Series

Responsible Conduct of Radiology Research Part V. The Health Insurance Portability and Accountability Act and Research1

Matthew S. Johnson, MD, Marcia N. Gonzales, JD and Shelley Bizila, MS, CIP

1 From the Department of Radiology, Indiana University School of Medicine, Indiana University Hospital, Room 0279, 550 N University Blvd, Indianapolis, IN 46202-5253. Received June 30, 2004; revision requested September 2; revision received October 28; accepted December 21. Address correspondence to M.S.J. (e-mail: matjohns{at}iupui.edu).


    ABSTRACT
For the past 5 years, the regulatory environment for research involving humans has been turbulent, with criticism coming from the federal government, the academic community, and the press. The purpose of this series of articles is to explain the ethical and legal bases for responsible conduct of radiology research and the rules that an investigator must follow. The purpose of this fifth part of the series is to explain the requirements of the Privacy Rule, which is a component of the Health Insurance Portability and Accountability Act (HIPAA), as they relate to human research. Under the HIPAA Privacy Rule, researchers within covered entities must follow appropriate methods as they use or disclose protected health information (PHI). Investigators should know the conditions under which PHI may be accessed for research purposes (ie, with authorization or waiver of authorization, when only a limited data set is evaluated, if data have been de-identified, or in reviews preparatory to research). Furthermore, researchers should know which information, such as the Notice of Privacy Practices and the Accounting of Disclosures, must be provided to potential subjects, when appropriate. At the conclusion of this article, several scenarios related to various types of radiology research and related regulatory requirements are presented.



    INTRODUCTION
Physicians and others involved in clinical research should be familiar with the guidelines discussed in previous articles of this series (1–4) and with legislation regarding the access, use, and disclosure of confidential medical information (ie, the Privacy Rule of the Health Insurance Portability and Accountability Act [HIPAA]). The Hippocratic oath and the American Medical Association Code of Medical Ethics (5) have always expressed the spirit of these regulations, which guard information disclosed to a physician during the course of a patient-physician relationship. According to the American Medical Association Council of Ethical and Judicial Affairs, the purpose of a physician's ethical duty to maintain patient confidentiality is to allow the patient to feel free to make a full and frank disclosure of information to the physician, with full knowledge that the physician will protect the confidential nature of this information (6). While the American Medical Association guidelines are not legally binding, courts often refer to them as the cornerstone of the physician's obligation to protect patient information (6). In the past, there were no national standards regarding that obligation. Instead, the enforcement of any breach of confidentiality arose from state laws and case precedent, which often varied from jurisdiction to jurisdiction.

The variability of those laws has often confounded attempts by researchers and institutional review boards (IRBs) to comply with them. Concomitantly, continuing technologic advances in information systems have provided increasingly more efficient means to access health information. While these advances have continued and will continue to improve health care and facilitate research, existing statutes and case laws do not address new situations created by these advancing technologies. In a proactive measure intended to address the evolution of these advances, Congress called for steps to improve "the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information" (7). To achieve this, Congress required the Department of Health and Human Services to promulgate a set of interlocking regulations that would establish standards and protections for health information systems (8). The Privacy Rule of HIPAA seeks to balance the needs of the individual with the needs of society by creating a framework of protection that can be strengthened by both the federal government and the states as health information systems continue to develop (9). While HIPAA affects all health care providers practicing in the United States, it has specific implications for those involved in the conduct of human research. This article will focus on the effects of HIPAA on clinical researchers in radiology.


    HIPAA PRIVACY RULE REQUIREMENTS
HIPAA is a very broad statute that covers areas such as portability and continuity of health insurance coverage, fraud and abuse in the health care industry, medical savings accounts, long-term care, and simplification and administration of health insurance (10). Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, the administrative simplification provisions, requires the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data (10).

In 1996, HIPAA created a floor of national protections for the privacy of what was deemed the "most sensitive information—health information" (11). The HIPAA Privacy Rule became final on December 28, 2000. On the basis of the tens of thousands of comments that were submitted to the Department of Health and Human Services, modifications were made, and the final modifications were released in August 2002. The HIPAA Privacy Rule went into effect on April 14, 2003.

The HIPAA Privacy Rule applies to "covered entities" (ie, health care providers who submit claims electronically, directly, or indirectly; health care plans; health care clearinghouses) (12). Legally separate covered entities may designate themselves as a single affiliated covered entity if all of the covered entities so designated are commonly owned or controlled (12).

Under the HIPAA Privacy Rule, covered entities are required to implement reasonable safeguards for the use and disclosure of protected health information (PHI). PHI is defined in the HIPAA Privacy Rule as individually identifiable health information that is a subset of health information, including demographic information collected from an individual, and that (a) is created or received by a health care provider, health plan, employer, or health care clearinghouse and (b) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and (i) identifies the individual or (ii) could be used to identify the individual (12). Covered entities, such as physician practices, may release PHI without authorization for treatment, payment, or health care operations; however, research does not fall into any of those categories. The HIPAA Privacy Rule provides other methods for obtaining or using PHI for research purposes; these methods will be described in this article.


    IMPLICATIONS OF HIPAA ON RESEARCH
Covered Entities: Use versus Disclosure of PHI
The restrictions that apply to researcher access to PHI are dependent on whether the researcher is considered part of the covered entity that is holding the data needed for the research study. In other words, is the researcher a member of the workforce of the covered entity? The HIPAA Privacy Rule defines workforce as "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity" (12).

When a researcher is a member of the workforce of the covered entity that is holding PHI, his or her access to PHI for research purposes is referred to as a use (13). If a researcher is not a workforce member of the covered entity that is holding the PHI necessary for the study, access to this PHI by the researcher is referred to as a disclosure. In other words, disclosure occurs when the PHI leaves the covered entity (13). This distinction is important because the disclosure of PHI for research recruitment purposes would require authorization or waiver of authorization for access and recruitment purposes. If the researcher is a workforce member of a covered entity, however, the researcher (or the covered entity business associate) may contact the potential study participant, as part of the health care operations of the covered entity, for the purpose of seeking authorization (14).

Role of the IRB under HIPAA
Many of the comments received by the Department of Health and Human Services involved the role of the IRB and/or the privacy board, which will be discussed later. The IRB is an administrative body charged with oversight of the protection of the rights and welfare of human research subjects recruited to participate in research activities conducted within its affiliated institution. The IRB has the authority to approve, require modifications to, or disapprove all research activities that fall within its jurisdiction, as specified by federal regulations and local institutional policy.

As a result of HIPAA, a new research-related authoritative body called the privacy board was created. The privacy board is a review body that can act on requests for a waiver or an alteration of the research authorization requirement (hereafter, authorization) for use and disclosure of PHI for research. Privacy boards, however, do not exercise any of the other powers or authority granted to IRBs under federal regulations relating to federally conducted or supported human subjects research (generally referred to as the Common Rule [15]) and research involving products regulated by the U.S. Food and Drug Administration (16). The IRB can be designated as the entity with the authority to approve a waiver or an alteration of the authorization in lieu of creating a separate privacy board.

Access to PHI for Research Purposes
Access to patient records for research performed after April 14, 2003, may be obtained if (a) the researcher has obtained authorization to perform the research (17), (b) the researcher has obtained a waiver of authorization from a privacy board or an IRB (18), (c) only a limited data set will be obtained (19), (d) only de-identified health information is obtained (19), (e) information is obtained only for review preparatory to research (18), or (f) only decedent information is obtained (18).

In continuing studies, if informed consent was obtained from subjects or waiver of informed consent was granted by an IRB prior to April 14, 2003, the Department of Health and Human Services decided that those permissions may be "grandfathered in"; therefore, it was unnecessary to obtain HIPAA authorization and/or waiver of authorization (20).

Authorization
As noted previously, one of the many requirements of the Privacy Rule is that authorization be obtained by a covered entity before PHI can be used or disclosed for research purposes. The authorization must be in writing, and it must include the following core elements and required statements (17): (a) a specific description of what PHI will be used or disclosed, (b) the names of persons or organizations that may use or disclose PHI, (c) the names of persons or organizations to which PHI will be disclosed, (d) the purpose of the use or disclosure of PHI, (e) a description of how long the authorization will be valid (The HIPAA Privacy Rule allows researchers to specify that the authorization has no expiration date, provided this is specifically stated in the authorization form. Justification should be noted in the protocol.), (f) a statement that authorization may be revoked and how to communicate this decision, (g) a statement regarding the potential for re-disclosure to others not subject to the HIPAA Privacy Rule, (h) a notice that the covered entity may or may not condition treatment or payment on the individual's signature, and (i) the individual's signature and date.

Authorization Exceptions
In response to additional comments from the research community, the Department of Health and Human Services recognized that, provided other safeguards are in place, there are instances when authorization is not required.

Waiver of authorization.—The Privacy Rule does not dictate the process in which the waiver or alteration of the authorization is obtained. Many institutions that have authorized their IRBs to grant these exceptions have modified their IRB application forms to include references to the Privacy Rule safeguard requirements, and they have provided a template of a research authorization that meets the requirements of the Privacy Rule. When the protocol is presented to the IRB for approval, the IRB determines whether a waiver or alteration of the authorization should be granted.

The IRB or privacy board may approve a waiver or an alteration of the authorization requirement in whole or in part (18). A complete waiver would be granted if the board determines that no authorization is required for a covered entity to use and disclose PHI for a particular research project (18). An alteration of the authorization might be granted if the IRB or privacy board finds that one or more of the core elements of the authorization described previously are not necessary. Consistent with the Common Rule, these waivers or alterations state that (a) there must be no more than minimal risk to the privacy of the individual and (b) the research could not be practicably performed without waiver or alteration and without access to and use of the PHI (18).

Limited data set.—Research with use of PHI can also be conducted with the use of a limited data set. This data set excludes identifiable information (eg, name, e-mail and street addresses, telephone and fax numbers, social security number, certificate or license number, vehicle identifiers and serial numbers, uniform resource locators, Internet protocol addresses, full face photographs, and other comparable images) but can include some identifiable information, such as admission, discharge, and service dates; date of death; age (including age ≥ 90 years); and five-digit zip code (19). As a result, the data are still considered identifiable, but they may be used for limited purposes, including research, provided there is a data use agreement between the provider of the limited data set (a member of a covered entity) and the recipient of this data set. A data use agreement (19) between the covered entity and the data set recipient must meet the following requirements: (a) It must establish the permitted uses and disclosures of such information by the limited data set recipient. The data use agreement may not authorize the limited data set recipient to further use or disclose the information in a manner that would violate the HIPAA Privacy Rule, if performed by the covered entity. (b) It must establish who is permitted to use or receive the limited data set. (c) It must provide that the limited data set recipient will (i) not further use or disclose the information, other than as permitted by the data use agreement or as otherwise required by law; (ii) use appropriate safeguards to prevent further use or disclosure of the information, other than as provided for by the data use agreement; (iii) report to the covered entity any use or disclosure of information not provided for by its data use agreement of which it becomes aware; (iv) ensure that any agents, including a subcontractor, to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient, with respect to such information; and (v) not identify the information or contact the individuals.

De-identification.—The Privacy Rule allows data to be used for research purposes in accordance with the Safe Harbor method (21), which requires that the covered entity document that 18 identifiers have been removed. These identifiers concern the individual, his or her employer, and his or her relatives and household members. These identifiers include names, geographic subdivisions smaller than a state, zip codes, dates directly related to an individual, telephone and fax numbers, e-mail addresses, social security numbers, medical record numbers, health plan beneficiary identifiers, account numbers, certificate and/or license numbers, vehicle identifiers and serial numbers (including license plate numbers), device identifiers and serial numbers, universal resource locators, Internet protocol address numbers, biometric identifiers (including finger and voice prints), full facial photographs, and any other number, characteristic, or code that could be used to identify the individual.

The following demographic information may be used: (a) age, with dates limited to the year (patients aged 90 years and older must be aggregated to prevent identification of these individuals), (b) aggregated zip codes in the form of the initial three-digit zip codes, where the three-digit area includes at least 20000 people, (c) race, (d) ethnicity, and (e) marital status.

De-identification may also be accomplished by statistical means (19). This is performed by a statistical expert who determines that the risk that information could be used by itself or in combination with other available information by anticipated recipients to identify a subject is very small.
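As an added, constructed illustration (not part of the article), the following Python applies both the limited data set rules and the Safe Harbor de-identification rules described above to one made-up radiology record. The field names, the patient values, the reference date, and the 3-digit zip population table are all assumptions for the example.

```python
"""Limited data set vs Safe Harbor de-identification of one constructed record.

Added example; nothing here is real patient data or the article's own code.
"""
from datetime import date

# Constructed population counts per 3-digit zip prefix (not census data).
ZIP3_POPULATION = {"462": 950_000, "036": 12_000}

# Fields of this example's record that fall in the 18 Safe Harbor identifier
# categories the article lists (names, geography below state level, phone/fax,
# e-mail, SSN, MRN, plan/account numbers, licenses, vehicle and device IDs,
# URLs, IP addresses, biometrics, photos, other identifying codes).
SAFE_HARBOR_FIELDS = {
    "name", "street", "zip", "phone", "fax", "email", "ssn", "mrn",
    "plan_id", "account", "license", "vehicle", "device_serial", "url", "ip",
    "biometric", "photo", "study_code",
}
# Dates are the remaining category; Safe Harbor keeps only the year.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# Limited data set: direct identifiers go, but dates and the 5-digit zip stay.
# Treating MRN and account numbers as direct identifiers here follows the
# rule's own list (45 CFR 164.514(e)); the article's list is only "eg".
LIMITED_SET_DROP = SAFE_HARBOR_FIELDS - {"zip"}

REF_DATE = date(2004, 3, 2)  # assumed reference date for computing age

RECORD = {  # constructed sample record
    "name": "Jane Example",
    "street": "1 Sample Street",
    "state": "IN",
    "zip": "46202",
    "phone": "317-555-0100",
    "email": "jane@example.invalid",
    "ssn": "000-00-0000",
    "mrn": "MRN-0000001",
    "device_serial": "CT-SN-EXAMPLE",
    "birth_date": date(1930, 5, 14),
    "admission_date": date(2004, 3, 2),
    "discharge_date": date(2004, 3, 5),
    "death_date": None,
    "race": "White",
    "ethnicity": "Not Hispanic or Latino",
    "marital_status": "Married",
    "ct_finding": "6 mm pulmonary nodule",
}
# Second constructed record: age over 89 and a sparsely populated zip prefix.
RECORD_ELDERLY = dict(RECORD, birth_date=date(1912, 1, 1), zip="03601")


def age_on(birth, ref):
    """Whole years between birth and ref."""
    return ref.year - birth.year - ((ref.month, ref.day) < (birth.month, birth.day))


def limited_data_set(rec, ref=REF_DATE):
    """Strip direct identifiers; dates, age (even >= 90) and zip5 remain.
    Still identifiable under the rule, so a data use agreement is required."""
    out = {k: v for k, v in rec.items() if k not in LIMITED_SET_DROP}
    out["age"] = age_on(rec["birth_date"], ref)
    return out


def safe_harbor(rec, ref=REF_DATE):
    """Apply the Safe Harbor method: drop the 18 identifier categories,
    reduce dates to years, aggregate ages >= 90, truncate zip to 3 digits."""
    out = {k: v for k, v in rec.items()
           if k not in SAFE_HARBOR_FIELDS and k not in DATE_FIELDS}
    for f in DATE_FIELDS:
        d = rec.get(f)
        out[f.replace("_date", "_year")] = d.year if d else None
    age = age_on(rec["birth_date"], ref)
    if age >= 90:
        out["age"] = "90+"
        out["birth_year"] = None  # a birth year would reveal the age >= 90
    else:
        out["age"] = age
    zip3 = rec["zip"][:3]
    # Prefixes covering fewer than 20000 people are replaced by "000".
    out["zip3"] = zip3 if ZIP3_POPULATION.get(zip3, 0) >= 20_000 else "000"
    return out


def is_safe_harbor_clean(out):
    """Check that no identifier field and no full date survived."""
    return not (SAFE_HARBOR_FIELDS & out.keys()) and not any(
        isinstance(v, date) for v in out.values())


if __name__ == "__main__":
    print("limited data set:", limited_data_set(RECORD))
    print("safe harbor:", safe_harbor(RECORD))
    print("safe harbor, elderly:", safe_harbor(RECORD_ELDERLY))
```

The limited data set output still carries dates, exact age, and the five-digit zip, which is why the article requires a data use agreement for it; the Safe Harbor output carries none of those.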

Reviews preparatory to research.—This type of review allows the researcher to access the PHI, provided that the review of the information is necessary to assist in formulating a hypothesis, determining the feasibility of conducting the study, determining the availability of a sample size, or other similar uses that precede the development of an actual protocol. For a covered entity to allow access to this information, the researcher must document to the covered entity (ie, the holder of the PHI) that the following criteria are satisfied: (a) Use or disclosure of identifiable health information is solely to prepare a research protocol or for similar purposes that are preparatory to research. (b) The researcher shall not record or remove the information from the covered entity (ie, the provider's facility or office). Researchers may access PHI electronically to review the information, but they may not record, store, or otherwise retain the information after the review. (c) The information sought is necessary for the purposes of research (eg, feasibility analysis that is conducted to determine the number of potential subjects with a certain disease for submission in a grant proposal). (d) This review does not include identification of specific individuals for recruitment purposes but, rather, identification of the number of individuals with a specific disease to determine or demonstrate a researcher's ability to recruit successfully (18).

Decedent information.—The Privacy Rule has jurisdiction over at least one area of research where the Common Rule does not apply (ie, research involving a decedent's PHI). A request for a decedent's prior medical history for an outcome study is not covered by the Common Rule because the decedent does not meet the definition of a human subject; however, this information is considered PHI and is covered by the Privacy Rule. This disclosure from the covered entity is permitted for research purposes, without authorization from a representative of the decedent. It should be noted, however, that certain criteria must be met: (a) This information must be used solely for research on the identifiable health information of decedents. In other words, the decedent's PHI cannot be used to obtain information about a decedent's living relative(s) or other individuals. (b) The PHI sought is necessary for research purposes. (c) If requested, the covered entity disclosing the data may require the researcher to provide documentation of the death of the individual about whom information is being sought (18).

Notice of Privacy Practices
While the Privacy Rule contains many new requirements, there are two items that warrant brief discussion: the notice of privacy practices and the accounting of disclosures. Covered entities are required to provide individuals with a notice of privacy practices that describes how the covered entity will use and disclose the individual's PHI for treatment, payment, and health care operations, as well as other purposes, including research (22). Thus, health care facilities or providers that conduct research must include a statement in the notice of privacy practices to let the patient know that his or her information may be accessed and disclosed for research purposes. This statement must be included, even if the research does not identify the patient in any way. While patients will normally be given the notice of privacy practices during a visit to the covered entity for treatment purposes, if the person's first encounter with the covered entity is for research purposes, the researcher must present the potential subject with the notice of privacy practices. If a covered entity fails to include research in its notice of privacy practices, adequate notice of this use has not been provided, and the researcher may be prohibited from accessing records. The Privacy Rule does not grant the privacy board the authority to waive this notice requirement. The preamble to the proposed Privacy Rule, which was published in December 2000, states in section 164.530i, that a covered entity "that wishes to change its practices over time without segregating its records according to the notice in effect at the time the records were created must reserve the right to do so in its notice" (23). The preamble provides the following example:

A covered hospital that states in its notice that it will only make public health disclosures required by law, and that it does not reserve the right to change this practice, is prohibited from making any discretionary public health disclosures of protected health information created or received during the effective period of that notice. If the covered hospital wishes at some point in the future to make discretionary disclosures for public health purposes, it must revise its notice to so state, and it must segregate its records so that protected health information created or received under the prior notice is not disclosed for discretionary public health purposes. This hospital may then make discretionary public health disclosures of protected health information created or received after the effective date of the revised notice (24).

Similarly, if the hospital or radiology practice did not include research in its notice of privacy practices, it must revise the notice of privacy practices to include this use, and it would be prohibited from using the records of individuals who were not notified under the notice of privacy practices of the research use or disclosure.

Accounting of Disclosures
The Privacy Rule also requires that individuals be given the right to receive an accounting of certain disclosures of PHI (25). Health care providers are not required to keep track of disclosures made for treatment, payment, or health care operations (25). This exception does not apply to disclosures of PHI for research purposes, unless the disclosures were made pursuant to an authorization. Thus, if a health care provider discloses PHI to a researcher, the health care provider must document the date of release, the entity or individual to whom the PHI was provided, and the purpose of the release. This accounting, however, applies only to disclosure, not the use of information. As a result, if a health care provider provides PHI to a researcher who is a workforce member of the health care provider's covered entity, no accounting is required because, according to HIPAA, this is a use of PHI (14). This accounting is not required if the disclosure for research purposes is made pursuant to an authorization, pursuant to a data use agreement, to the subject, or prior to the effective date of the Privacy Rule (16). Accounting is necessary, however, if the disclosure was based on a waiver of authorization, for purposes of reviews preparatory to research, or for research that used records of decedents. The Department of Health and Human Services received comments that the accounting of disclosure requirements could "have the undesired effect of causing covered entities to halt disclosures of protected health information for research," especially in cases involving numerous medical records (26). To alleviate this administrative burden, the Privacy Rule was modified to allow for a summary accounting of disclosures. For research studies involving 50 or more records, the accounting must state that the individual's records may have been accessed in these larger studies. The accounting of disclosure documentation must include the following information: (a) The name of the protocol or other research activity; (b) a description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; (c) a brief description of the type of PHI that was disclosed; (d) the date or period of time during which such disclosures occurred or may have occurred, including the date of the last such disclosure during the accounting period; (e) the name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and (f) a statement that the PHI of the individual may or may not have been disclosed for a particular protocol or other research activity (18).

Research Obstacles Resulting from HIPAA
Collaboration.—HIPAA has had a substantial effect on the collaborative environment involving research. Ironically, the product of the efforts of the Department of Health and Human Services to safeguard PHI has resulted in an atmosphere that is in direct contravention of one of the main goals of the National Institutes of Health. The National Institutes of Health made the following statement:

The scale and complexity of today's biomedical research problems increasingly demands that scientists move beyond the confines of their own discipline and explore new organizational models for team science. Many scientists will continue to pursue individual research projects; however, they will be encouraged to make changes in the way they approach the scientific enterprise (27).

In contrast, the focus of the Privacy Rule on where PHI is held versus how PHI is protected discourages this model for team science. HIPAA does not protect all individually identifiable health information, which is otherwise known as PHI. Rather, its protections extend only to PHI that is created or held by a covered entity. The focus of the Privacy Rule on where PHI is held versus how it is protected is shown in the following flow charts (Figs 1, 2). In these scenarios, the assumption is made that the research data required did not meet any of the previously discussed authorization exceptions, because authorization will be a requirement for the majority of clinical trials.



Figure 1. Flow chart shows what is required for the treatment provider to disclose his or her clinical data to researchers who are not part of the same covered entity for research recruitment purposes.

 


Figure 2. Flow chart shows what is required for the treatment provider to disclose his or her clinical data to researchers who are part of the same covered entity for research recruitment purposes.

 
Figures 1 and 2 show how access to PHI for recruitment purposes will vary on the basis of whether the researcher is a member of the same covered entity that is holding the data. It is important to note that each covered entity listed must comply with any applicable Privacy Rule policies and procedures implemented by its institution. Figure 1 provides a simplified view of the steps required to disclose clinical data to researchers who are not part of the same covered entity as the treatment provider who holds the data needed for research recruitment purposes. It is important to note that identification and recruitment are not part of reviews preparatory to research.

Dr X at radiology group A receives a request for medical information from two different researchers who are part of two separate organizations for the purposes of recruitment. Neither researcher is part of Dr X's physician practice at group A. One researcher is part of an independent research institute that is not a covered entity. The other researcher is a physician at radiology group B, but this researcher is not a treating provider. Group B and the research institute may have the most comprehensive set of privacy policies and procedures in place; however, authorizations or waivers of authorization are still required before the researchers may access the patient information for recruitment purposes. Because the PHI would be leaving the covered entity, in HIPAA terms, this is viewed as a disclosure. The number of safeguards that the research institute or group B has implemented to protect the privacy of the patient is not taken into consideration. A noncovered entity is not obligated to comply with the HIPAA Privacy Rule; therefore, any individually identifiable health information provided by Dr X to the research institute or group B is not considered PHI. This information is not subject to the regulatory requirements that would apply if it were held by a covered entity. An authorization or waiver of authorization is still required before either entity can access patient information for recruitment purposes.

In contrast, Figure 2 shows a slightly different scenario. In Figure 2, two researchers from two different organizations are requesting the same medical information for research recruitment purposes. The first researcher is part of physician group B, and the other researcher is part of a research organization. In this scenario, the treating provider, Dr X, and each of the researchers are part of the same covered entity. Each organization may be considered separate legal entities, but under the Privacy Rule, they are considered one covered entity because the academic institution has common control and/or ownership interest in groups A and B and in the research organization. Because of this element of common control or common ownership, access to the medical information shown in Figure 2 is considered a use; therefore, authorization would not be required to allow either researcher to access Dr X's patient information for recruitment purposes. Again, this does not take into consideration the number of safeguards that may be in place.

New responsibilities for IRBs.—As stated previously, the Privacy Rule allows IRBs to act as privacy boards. Privacy boards are responsible for review and approval of waivers of authorizations. Waivers of this nature are often requested for retrospective research studies.

Technically, the IRB is not required to review the content of the authorization to determine if the terms in the authorization meet the Privacy Rule requirements. However, the final modifications to the Privacy Rule allow for the use of a combined informed consent and authorization form (28). In these instances, the IRBs would be indirectly reviewing and approving the terms of the authorization as well because it could be difficult to separate the requirements of authorization and informed consent. For administrative purposes, some institutions have chosen to keep informed consent separate from authorization. While a typical research authorization form may be limited to one or two pages, a typical informed consent form will be much longer. If combined, these documents may be provided to personnel who handle medical records and/or physician practices unaccustomed to seeing a research informed consent form as an authorization for the release of medical records. To simplify the process and address these situations, it may be more reasonable to use a separate two-page document that demonstrates the research subject's authorization.

Future uses of research data.—While the Common Rule does not prohibit future use of data collected for a previous study if appropriate IRB approvals are in place, such use is prohibited by the HIPAA Privacy Rule if the data contain PHI. Among the comments received by the Department of Health and Human Services regarding this requirement was a suggestion to permit the authorization to include language that is "sufficiently broad to encompass future unspecified research" (29). However, the Department of Health and Human Services decided that "each purpose of the requested use or disclosure described in the authorization form be research study specific" (29). For example, let us assume that a principal investigator desires to perform a new analysis of data containing PHI collected for a previous study; the principal investigator may, for instance, want to research blood samples labeled with patients' names that were collected previously for a different research purpose. With regard to the Privacy Rule, this reanalysis constitutes a new research study. The only common denominator between the two studies is the source of study information. In the original study, the principal investigator obtained authorization from the subject for use of PHI for that specific study. Under the Privacy Rule, the previously signed study-specific authorization would not be sufficient. A new authorization or waiver of such authorization would be required to use the same data for reanalysis.


RADIOLOGY RESEARCH AND HIPAA
Clinical radiology research is most often directed toward evaluation of methods or modalities used in the diagnosis or treatment of disease. The nature of this research leads to accrual and evaluation of images of patients or healthy volunteers obtained with one modality or another. The following scenarios address issues specific to acquiring, storing, and sharing images for research purposes.

HIPAA is an exceedingly complex law that is often difficult to interpret. The following examples demonstrate our analysis of common research scenarios and how HIPAA might affect the implementation of such studies. The understandable lack of specificity of some aspects of HIPAA may lead to disparate interpretations and subsequent implementation at other institutions.

In our first example, a principal investigator wants to perform a retrospective study involving the review of 50 or more computed tomographic (CT) scans that were used for treatment purposes. The CT scans are not de-identified, as they include the patient's name, medical record number, date of birth, and sex, as well as the condition diagnosed. No research authorization for HIPAA purposes was obtained from any patient.

In this case, waiver of informed consent and authorization are required because obtaining authorization may prove difficult, the CT scans are not de-identified, and they are in the form of a limited data set. The principal investigator must track disclosures and provide an accounting of disclosures, in summary form, to any patient who requests it. Had the CT scans been appropriately de-identified, the research described previously would have been exempt from the Common Rule; however, such exemptions are not granted by HIPAA.

In our second example, a principal investigator has a quality assurance database, and he or she believes there are enough patients (n ≥ 50) with a particular disease, therapeutic outcome, or both, to write a paper. The investigator will want to submit this paper to a journal for publication. Patient names will be associated with the disease, outcome, or both, and kept in a secure database. The submitted paper will not list patient names, and the published data will not be linked to the patients; however, the principal investigator will still maintain the database.

In this case, waiver of informed consent and authorization are required because obtaining authorization may be difficult, the CT scans are not de-identified, and they are not in the form of a limited data set. The principal investigator must also track disclosures and provide an accounting of disclosures, in summary form, to any patient who requests it.

In our third example, a principal investigator wants to perform a retrospective study involving review of 50 or more CT scans that were used for treatment purposes. The CT scans are not de-identified, as they include the patient's name, medical record number, date of birth, and sex, as well as the condition diagnosed. The principal investigator wishes to send the CT scans to collaborators via the Internet. No research authorizations for HIPAA purposes were obtained from any patients.

Waiver of informed consent and authorization are required because obtaining authorization may be difficult, the scans are not de-identified, and they are in the form of a limited data set. The principal investigator must also track disclosures and provide an accounting of disclosures, in summary form, to any patient who requests it.

Appropriate safeguards need to be in place to ensure the transfer of PHI via the Internet is secure.

In our fourth example, a principal investigator wants to conduct a clinical trial with use of positron emission tomographic scans. The principal investigator needs to recruit oncology patients but does not have access to oncology patient data. The principal investigator contacts an oncologist in another practice and asks the oncologist for patient names and contact information.

What is required in this case? The answer could be authorization, waiver of authorization, or nothing. The patients could be contacted by the oncology practice and asked to provide authorization for their names and contact information to be sent to the principal investigator for recruitment purposes. The principal investigator could ask for waiver of authorization from the IRB and/or privacy board to allow the names and contact information to be sent to him or her from the oncology practice. This would require the oncology practice to account for the disclosures. Finally, the oncology practice could ask patients to contact the principal investigator on their own.

A separate authorization and informed consent form must be signed before patients are enrolled in the study.

In our fifth example, a principal investigator wants to perform a prospective study involving the evaluation of CT scans that will be used for treatment purposes. Patients will be examined with CT, treated according to the CT findings, and followed up for outcome. CT findings are correlated with outcomes. CT scans are not de-identified, as they include the patient's name, medical record number, date of birth, and sex, as well as the condition diagnosed.

Informed consent and authorization are required, regardless of where the information is obtained, because face-to-face consultation will be necessary, and the researcher already knows he or she wants to use the CT scans for research and treatment purposes.

The researcher will need to describe to the IRB and/or privacy board how the CT scans will be transmitted and stored and demonstrate that appropriate safeguards are in place.

In our sixth example, a principal investigator wants to perform a prospective study. CT scans will be obtained for research purposes, not treatment purposes (eg, they will be compared with a reference standard to determine whether CT could have been used to guide therapy). CT scans will be obtained in patients seen by the principal investigator; these patients are also research subjects.

Informed consent and authorization are required because face-to-face consultation will be necessary. As such, waiver of consent and authorization would be difficult to justify.

In our seventh example, a principal investigator wants to determine if there are enough patients in whom a specific condition is diagnosed to justify conducting a research study while preparing a grant application. This investigator needs to review CT scans at another practice.

In this case, the principal investigator may review these records to obtain aggregate data for feasibility purposes, provided the PHI does not leave the covered entity and the principal investigator does not record any PHI for recruitment purposes. This review is considered preparatory to research and is not subject to the HIPAA Common Rule.

In our eighth example, a principal investigator wants to conduct a retrospective study involving the review of CT scans that were used for treatment purposes. These CT scans were obtained in patients of physicians who are not part of the same practice. For our purposes, assume that the information on the CT scans does not include any identifiable information, but it does include admission, discharge, and service dates; the condition diagnosed; and patient sex.

A data use agreement should be obtained from the provider supplying the CT scans because the data are in the form of a limited data set. Depending on the details of the research, informed consent, waiver of informed consent, or an exemption determination will be required.

In our ninth example, a principal investigator wants to perform a retrospective study involving review of CT scans. Principal investigators retrospectively identify subjects by reviewing a hospital database and using a diagnosis keyword (eg, lung cancer). All identifying information is removed from CT scans, and these de-identified images are copied electronically from a picture archiving and communication system to a secure database. Subjects are identified by study number (eg, first patient entered, patient 1; second patient entered, patient 2), with a link to patient names available to only the principal investigator. These images will be sent to a collaborator at a different institution for analysis. It would be possible for the principal investigator to link images to patients because he or she will keep the code.

In this case, researchers must obtain a data use agreement from the provider supplying the CT scans because the images can be linked to patients; therefore, data are considered a limited data set and are not de-identified. Depending on the details of the research, informed consent or waiver of informed consent will be required.

In our 10th example, a principal investigator wants to perform a retrospective study involving review of CT scans. The principal investigator identifies subjects retrospectively by reviewing the hospital database and using a diagnosis keyword (eg, lung cancer). All identifying information is removed from images, and those de-identified images are copied electronically from a picture archiving and communication system to a secure database. Subjects are identified by study number, with a link to patient names available to only the principal investigator (eg, first patient entered, patient 1; second patient entered, patient 2). These images are sent to a collaborator at a different institution for analysis. The principal investigator then destroys the link.

What is required in this case? Nothing. The data are de-identified and, as such, they are no longer covered by HIPAA.
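Examples 9 and 10 differ only in whether the principal investigator keeps the study-number link. The following Python, added here and not taken from the article, models that coded de-identification step and classifies the released data the way the examples do (link kept: limited data set; link destroyed and no dates: de-identified); the field names, the sample records, and the StudyCodebook class are constructed for illustration, and the classification reflects the article's reading of HIPAA rather than a legal determination.

```python
# Added example (not from the article): coded de-identification of CT metadata
# modelled on examples 8, 9 and 10. Field names and records are constructed.
from typing import Dict, List, Optional

# Fields the article lists as identifying on a treatment CT scan (example 9).
DIRECT_IDENTIFIERS = {"patient_name", "medical_record_number", "birth_date"}
# Fields the article says may remain in a limited data set (example 8).
DATE_FIELDS = {"admission_date", "discharge_date", "service_date"}

# Constructed sample records; no real patients.
SAMPLE_RECORDS = [
    {"patient_name": "DOE^JANE", "medical_record_number": "MRN-0001",
     "birth_date": "1961-04-02", "sex": "F", "service_date": "2004-03-15",
     "diagnosis": "lung cancer"},
    {"patient_name": "ROE^RICHARD", "medical_record_number": "MRN-0002",
     "birth_date": "1955-11-30", "sex": "M", "service_date": "2004-04-01",
     "diagnosis": "lung cancer"},
]


class StudyCodebook:
    """The study-number-to-MRN link that only the principal investigator holds."""

    def __init__(self) -> None:
        self._link: Dict[str, str] = {}
        self._next = 1
        self.destroyed = False

    def assign(self, mrn: str) -> str:
        # Sequential numbering: first patient entered is "patient 1", and so on.
        study_id = f"patient {self._next}"
        self._next += 1
        self._link[study_id] = mrn
        return study_id

    def relink(self, study_id: str) -> Optional[str]:
        return self._link.get(study_id)

    def destroy(self) -> None:
        # Example 10: once the link is gone the PI can no longer re-identify anyone.
        self._link.clear()
        self.destroyed = True

    def can_relink(self) -> bool:
        return not self.destroyed and bool(self._link)


def deidentify(records: List[dict], codebook: StudyCodebook,
               keep_dates: bool = False) -> List[dict]:
    """Strip direct identifiers, add a study number, optionally keep service dates."""
    out = []
    for rec in records:
        stripped = {k: v for k, v in rec.items()
                    if k not in DIRECT_IDENTIFIERS
                    and (keep_dates or k not in DATE_FIELDS)}
        stripped["study_id"] = codebook.assign(rec["medical_record_number"])
        out.append(stripped)
    return out


def classify(records: List[dict], codebook: StudyCodebook) -> str:
    """Classify a data set as the article's examples do."""
    fields = set().union(*(rec.keys() for rec in records))
    if fields & DIRECT_IDENTIFIERS:
        return "identifiable PHI"
    if codebook.can_relink():
        return "limited data set"   # example 9: the PI keeps the code
    if fields & DATE_FIELDS:
        return "limited data set"   # example 8: dates remain in the data
    return "de-identified"          # example 10: no identifiers, link destroyed


# What the article says each classification requires before release.
REQUIREMENT = {
    "identifiable PHI": "authorization or waiver; track and account for disclosures",
    "limited data set": "data use agreement; consent or waiver per the IRB",
    "de-identified": "nothing under HIPAA",
}


def release_checklist(records: List[dict], codebook: StudyCodebook) -> str:
    return REQUIREMENT[classify(records, codebook)]
```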

In our 11th example, a principal investigator wants to create a data repository of images that include diagnostic data and medical record numbers for future unspecified research purposes. He or she wants to allow investigators at other institutions to access this repository for their future research.

Informed consent and authorization are required for the creation of this repository. In addition, the authorization must be specific, so the investigator should be cautioned to limit the scope of the research to a specific research topic (ie, future cancer imaging research). Each use of data in the repository will require an assessment as to whether or not authorization or waiver of authorization to access the images will be required; authorization will depend on the type of information needed, and it will also require informed consent or waiver of informed consent for each subsequent use.


CONCLUSION
When the HIPAA Privacy Rule went into effect in 2003, it addressed a real need: the need to protect the privacy of people who disclose information to their health care providers. HIPAA has codified requirements to health care providers in their positions as members of covered entities. Through the Privacy Rule, an attempt was made to streamline approaches to privacy protection; however, at this time, it is unclear if that goal will be accomplished. Although compliance with HIPAA presents additional hurdles to those performing clinical research, there have been benefits resulting from the protection that compliance affords to research subjects. Perhaps most important, the Privacy Rule has created a national awareness of the need to safeguard health data. The complexity of HIPAA continues to allow some variability in its interpretation, but we hope this article will provide assistance in that interpretation.


FOOTNOTES
 

Abbreviations: HIPAA = Health Insurance Portability and Accountability Act • IRB = internal review board • PHI = protected health information


References
  1. Cooper JA. Responsible conduct of radiology research. I. The regulatory framework for human research. Radiology 2005;236:379–381.
  2. Cooper JA. Responsible conduct of radiology research. II. Regulatory requirements for human research. Radiology 2005;236:748–752.
  3. Cooper JA. Responsible conduct of radiology research. III. Exemptions from the regulatory requirements for human research. Radiology 2005;237:3–7.
  4. Cooper JA. Responsible conduct of radiology research. IV. The boundary of research and practice. Radiology 2005;237:383–384.
  5. American Medical Association House of Delegates. Principles of medical ethics. Chicago, Ill: American Medical Association, 2001.
  6. American Medical Association Office of General Counsel Division of Health Law. Patient confidentiality. Chicago, Ill: American Medical Association, 1998.
  7. Standards for Privacy of Individually Identifiable Health Information. 65 Federal Register 82463 (2000) (codified at 45 CFR §160 and §164).
  8. Standards for Privacy of Individually Identifiable Health Information. 65 Federal Register 82464 (2000) (codified at 45 CFR §160 and §164).
  9. Standards for Privacy of Individually Identifiable Health Information. 65 Federal Register 82462 (2000) (codified at 45 CFR §160 and §164).
  10. U.S. Department of Health and Human Services, Centers for Medicare & Medicaid Services. HIPAA Web site. http://www.cms.hhs.gov/hipaa/. Accessed September 27, 2005.
  11. Standards for Privacy of Individually Identifiable Health Information. 67 Federal Register 53182 (2002) (codified at 45 CFR §160 and §164).
  12. Standards for Privacy of Individually Identifiable Health Information. 67 Federal Register 53182 (2002) (codified at 45 CFR §160.103).
  13. Standards for Privacy of Individually Identifiable Health Information. 67 Federal Register 53182 (2002) (codified at 45 CFR §164.501).
  14. National Institutes of Health. Clinical research and the HIPAA Privacy Rule. Department of Health and Human Services publication no. 04–5495. Washington, DC: National Institutes of Health, 2004; 4.
  15. US Department of Health and Human Services. Protection of Human Subjects, 45 CFR §46 (2005).
  16. National Institutes of Health. Protecting personal health information in research: understanding the HIPAA privacy rule. Department of Health and Human Services publication no. 03-5388. Washington, DC: National Institutes of Health, 2004; 11.
  17. Standards for Privacy of Individually Identifiable Health Information, 45 CFR §164.508 et seq (2002).
  18. Standards for Privacy of Individually Identifiable Health Information, 45 CFR §164.512 et seq (2002).
  19. Standards for Privacy of Individually Identifiable Health Information, 45 CFR §164.514 et seq (2002).
  20. Standards for Privacy of Individually Identifiable Health Information, 45 CFR §164.532 (2002).
  21. National Institutes of Health. Research repositories, databases, and the HIPAA privacy rule. Department of Health and Human Services publication no. 04–5489. Washington, DC: National Institutes of Health, 2004; 3.
  22. Standards for Privacy of Individually Identifiable Health Information, 45 CFR §164.520 (2002).
  23. Standards for Privacy of Individually Identifiable Health Information. 65 Federal Register 82550 (2000) (codified at 45 CFR §164.528).
  24. Standards for Privacy of Individually Identifiable Health Information. 65 Federal Register 82551 (2000) (codified at 45 CFR §164.528).
  25. Standards for Privacy of Individually Identifiable Health Information. 67 Federal Register 53225 (2002) (codified at 45 CFR §164.528 et seq).
  26. Standards for Privacy of Individually Identifiable Health Information. 67 Federal Register 53245 (2002) (codified at 45 CFR §164.528).
  27. National Institutes of Health. U.S. Department of Health and Human Services Roadmap. Washington, DC: National Institutes of Health, 2003.
  28. Standards for Privacy of Individually Identifiable Health Information. 67 Federal Register 53225 (2002) (codified at 45 CFR §160 and §164).
  29. Standards for Privacy of Individually Identifiable Health Information. 67 Federal Register 53226 (2002) (codified at 45 CFR §160 and §164).
