HHS Regulation on Privacy of Individual Medical Records
To: Members of the American College of Epidemiology
From: Policy Committee, American College of Epidemiology
Date: January 18, 2001
On December 20, 2000, HHS Secretary Donna E. Shalala announced the nation's first-ever national standards to protect patients' personal medical records. The new standards "…limit the non-consensual use and release of private health information; give patients new rights to access their medical records and to know who else has accessed them; restrict most disclosure of health information to the minimum needed for the intended purpose; establish new criminal and civil sanctions for improper use or disclosure; and establish new requirements for access to records by researchers and others." Providers, referred to in the regulation as "covered entities," have two years to implement procedures to comply with this regulation.
As you read the regulation, you will note that it appears to include guidelines that will both protect individual privacy and provide reasonable access to the individual medical record for public health and research purposes. During the next two years, as these rules are implemented and interpreted, there are several issues that all of us should monitor as they unfold. These are: 1—the need for further action and regulation; 2—the ways in which the specific details of the regulation will change as it is implemented and interpreted over the next few years; 3—the ways in which the new administration may change these national standards; 4—whether "covered entities" use these standards to deny access to researchers or public health professionals; 5—whether "covered entities" will ask researchers to share the costs of implementing these rules, as they apply to a specific project; 6—whether IRBs of "covered entities" meet the standard's membership criteria; 7—whether "covered entities" will require prior authorization from individual patients in most or all situations, ignoring the waiver of authorization criteria; 8—whether "covered entities" will allow the researcher to obtain individual authorization, or will contact the individual patient themselves, without researcher involvement; 9—whether academic or provider organizations will choose to form privacy boards, in addition to the IRB; 10—when a waiver of individual authorization is obtained, what will be the cost to the researcher of notifying the individual—after the study is completed—that the individual's information was used in a study (as the rule mandates), and whether funding agencies will fund this expense to the project; 11—how will the public react after learning that their records were accessed through a waiver that they did not approve; 12—will the investigator's justification that a specific project cannot be conducted without a waiver or without protected data serve as the determining factor; 13—will the investigator's justification of data needed for a specific project as the minimum data needed serve as the determining factor?
The following is an overview of the regulation and a summary
of sections of the regulation that apply to uses of concern
to epidemiologists: public health and research. For those
who want to read the full document (367 pages), see http://www.hhs.gov/ocr/hipaa/.
The HHS press release and fact sheet can be found on www.hhs.gov/news/press/2000pres/20001220.html and www.hhs.gov/news/press/2000pres/00fsprivacy.html,
respectively.
HHS, in its press release and fact sheet, points out that there is a need for further action. Areas not covered by existing federal law include the regulation of entities such as life insurers and worker's compensation programs—thus allowing unlimited use and reuse of information by such entities. In addition, HIPAA limits the application of this rule to the covered entities. Further action is needed to restrict how persons and businesses that work for covered entities or receive health information from them may use or re-disclose such information. They further point out that federal legislation is needed to fortify the penalties and to create a private right of action so that citizens can hold health plans and providers directly accountable for inappropriate and harmful disclosures of information. HHS is clearly recommending further legislation to protect the privacy of the individual medical record.
OVERVIEW
In 1996, President Clinton and Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which gave Congress until August 21, 1999 to enact comprehensive health privacy legislation. If Congress could not pass this law, HHS was authorized to develop these regulations. HHS provided draft regulations for comment in October of 1999 and received more than 52,000 comments on the proposed regulations. In December, the final regulations were released.
Information protected under this regulation includes all medical records and other individually identifiable health information held or disclosed by a covered entity in any form—electronic, paper, or oral. A covered entity includes health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions, such as billing. HHS states that the rule "…reflects a balance between accommodating practical uses of individually identifiable health information and rendering maximum privacy protection of that information."
The regulation gives patients control over their health
information, including patient education on privacy protections,
ensuring patient access to their medical records, receiving
patient consent before information is released, ensuring
that consent is not coerced, and providing recourse if privacy
protections are violated.
The regulation provides boundaries on medical record use and release. With few exceptions, an individual's health information can be used for health purposes only (which includes some research and public health activities as described below). It cannot be used for non-health purposes, such as by employers to make personnel decisions, without prior authorization from the individual. Disclosure of information is limited to the minimum necessary for the purpose of any non-treatment related disclosure. Consent of the patient must meet standards that ensure the authorization is truly informed and voluntary.
Within certain guidelines, covered entities may disclose information for oversight of the health care system, including quality assurance activities; public health; research, generally limited to when a waiver of authorization is independently approved by a privacy board or Institutional Review Board; judicial and administrative proceedings; limited law enforcement activities; emergency circumstances; for identification of the body of a deceased person, or the cause of death; for facility patient directories; and for activities related to national defense and security. The summary below is concerned with public health and research disclosures. For ACE members who conduct research using psychotherapy records, please note that psychotherapy notes are held to a higher standard because they are not part of the medical record and never intended to be shared with anyone other than the psychotherapist.
PUBLIC HEALTH DISCLOSURES
The rule permits disclosure of protected health information without individual authorization to: 1—a U.S. public health authority authorized by law to collect or receive such information for the purpose of public health surveillance or for preventing or controlling disease, injury or disability. This use can include a foreign government official or agency if this agency or individual is acting in collaboration with a U.S. public health authority. This use also can include a covered entity that is acting as a public health authority, e.g., a public hospital conducting infectious disease surveillance. 2—a public health or other appropriate authority authorized by law to receive reports of child abuse or neglect; 3—a non-governmental entity or person subject to FDA jurisdiction, including activities related to determining the safety or effectiveness of a product after it has been approved and is in commercial distribution (e.g., to report adverse events with respect to food or dietary supplements; to report product defects; to enable recalls); 4—an employer, to disclose information regarding work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under the Occupational Safety and Health Act or the Federal Mine Safety and Health Act to keep such records and act on that information.
In situations in which disclosure of
protected health information is necessary to prevent or
lessen serious and imminent threats to health and safety,
covered entities may use or disclose protected health information
without an authorization on their own initiative, consistent
with other applicable ethical or legal standards. Further,
a covered entity is permitted, but not required, to use
or disclose protected health information, consistent with
applicable law and standards of ethical conduct, which
the covered entity believes is necessary to permit law
enforcement authorities to apprehend an individual.
To make a disclosure that is not for
one of these purposes, the covered entity must first obtain
authorization from the individual or meet the requirement
of another provision of this rule, such as research.
RESEARCH
The rule defines research as: a systematic
investigation, including research development, testing
and evaluation, designed to develop or contribute to generalizable
knowledge.
Disclosure of protected health information
for research purposes without individual authorization
is permitted, provided that the covered entity obtains
documentation of:
- IRB and Privacy Board Membership. Documentation must indicate that the privacy board or IRB has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests. Further, the privacy board or IRB must include at least one member who is not affiliated with the covered entity, not affiliated with the entity conducting the research, and not related to any person who is affiliated with such entities.
- Waiver of authorization criteria. Use of protected health information for research without individual authorization is permitted only when the IRB or privacy board determines that the following waiver criteria have been met or that some of the authorization requirements have been waived or that the authorization requirements have been altered: 1—the use or disclosure of protected health information involves no more than minimal risk to the subjects; 2—the alteration or waiver will not adversely affect the rights and welfare of the subjects; 3—the research could not practicably be conducted without alteration or waiver; 4—whenever appropriate, the subjects will be provided with additional pertinent information after participation; 5—the research could not be practicably conducted without access to and use of the protected health information; 6—the privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to anticipated benefits, if any, to individuals, and the importance of the knowledge that may reasonably be expected to result from the research; 7—there is an adequate plan to protect the identifiers from improper use and disclosure; 8—there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and 9—the covered entity must obtain written agreement from the person or entity receiving protected health information not to re-use or disclose protected health information to any other person or entity, except as required by law or for authorized oversight of the research project or for other research for which the use or disclosure of protected health information would be permitted. IRBs and privacy boards are encouraged to obtain adequate assurances that the protected health information will not be disclosed to an individual's employer for employment decisions without the individual's authorization.
- Required signature. The documentation of the alteration or waiver of authorization must be signed by one of the following: 1—the chair of the IRB or privacy board, or 2—a member of the IRB or privacy board who is authorized by the chair to sign the documentation.
- Identification of the IRB or privacy board. The name of the IRB or privacy board must be included in the documentation (not the names of individual members of the board).
- Description of protected health information approved for use or disclosure. The approval of the alteration or waiver of authorization must describe the protected health information for which use or access has been determined to be necessary for the research by the IRB or privacy board.
- Review and approval procedures. The documentation of the approval of the alteration or waiver of authorization must state that the IRB has followed the voting requirements stipulated in the Common Rule or the expedited review procedures as stipulated, or that a privacy board has reviewed the proposed research at convened meetings at which a majority of the privacy board members are present, including the one member who is not affiliated with the covered entity, the research entity or any person affiliated with such entities.
Reviews Preparatory to Research
The rule permits the use and disclosure of protected health information for research without requiring authorization or documentation of the alteration or waiver of authorization, if the research is conducted in such a manner that only de-identified protected health information is not removed from the premises of the covered entity. The covered entity must obtain from the researcher representations that use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research, that no protected health information is to be removed from the covered entity by the researcher in the course of the review, and that the protected health information for which use or access is sought is necessary for the research purposes. The intent of this provision is to permit covered entities to use and disclose protected health information to assist in the development of a research hypothesis and aid in the recruitment of research participants.
Research on Protected Information
of the Deceased
The rule requires that the covered entity obtain representation that the use or disclosure is sought solely for research on the protected health information of the decedent and that the protected health information for which use or disclosure is sought is necessary for the research purposes. Further, the rule allows covered entities to request from the researcher documentation of the death of individuals about whom the protected health information is being sought.
Clinical Trials and Other
Research Including Treatment
When a researcher provides
treatment to persons as part of a research study, the provisions
of the rule that apply to health care providers are in
force.
The rule provides an exception to the individuals' right of access to protected health information for clinical trials: 1—when the covered entity obtained protected health information in the course of a clinical trial; 2—when the individual agreed to the denial of access when consenting to participate in the trial; and 3—when the trial is still in progress. Further, participants in such research must be informed that they have a right of access to protected health information about them from a clinical trial once the research is complete.