Testimony by Marcia Gonzales for the November 20, 2003 NCVHS Subcommittee on Privacy and Confidentiality Hearings

Testimony Summary Indiana University School of Medicine (IUSM) & Indiana University Purdue University Indianapolis (IUPUI) Research Community November 20th, 2003

While HIPAA training did indeed result in heightened awareness and the implementation of additional layers of safeguards, barriers now exist in Indiana University’s (IU) ability to effectively and efficiently conduct research.

A. Barriers to Collaboration for Research Purposes

One of the goals of the National Institutes of Health (NIH) includes the “expansion of the knowledge base in medical and associated sciences in order to . . . ensure a continued high return on the public investment in research.” Each year, millions of dollars are invested by public and private resources to further research at academic institutions like the IU Medical Center. In order to maximize these research investments, the NIH has strongly encouraged collaborative approaches to research. Support for this approach is exemplified in the NIH’s Roadmap. Specifically, the NIH states:

“The scale and complexity of today’s biomedical research problems increasingly demands that scientists move beyond the confines of their own discipline and explore new organizational models for team science. Many scientists will continue to pursue individual research projects; however, they will be encouraged to make changes in the way they approach the scientific enterprise.”

In contrast, the Privacy Rule’s focus on structure versus safeguards discourages this “model for team science” by creating administrative barriers that prevent researchers from collaborating and sharing information that will advance research and further health care. We will discuss three specific examples.

Recruitment issues between separate covered entities

1. Recruitment problems arise when members of a Research Team are not considered part of the same Covered Entity. Because PHI relevant to the research protocol must cross this imaginary covered entity line from one Team Member to another, additional administrative requirements apply. However, this distinction is neither consistent with patient perception nor the manner in which research is conducted. Consistent with the “model of team science” approach, human disease is approached in a multi-disciplinary fashion. For example, our lung cancer clinic may include a pulmonologist, an oncologist, a radiation oncologist, and a cardiothoracic surgeon and sometimes a nurse educator from School of Nursing; however, not all of these specialists are treating providers and may be part of at least three covered entities. To a patient with lung cancer who is interested in a clinical trial about a new surgery, chemotherapy regimen, or radiation therapy, these providers are part of the “team” of doctors at the clinic. The patient only sees one provider team, one entity. These providers may have collaborative discussions regarding treatment, may even share a research coordinator, but neither a research coordinator nor a non-treating provider can review patient records to identify or contact potential candidates for research purposes without an authorization or waiver of authorization regardless of the number of safeguards that may be present.

Furthermore, treating providers are also reticent to send out information to Principal Investigators regarding potential candidates for research or treatment alternatives because they are concerned about violating HIPAA.

Recruitment issues between non-covered and covered entities

2. On campus, we have an NIH-funded General Clinical Research Center (GCRC) that is not a part of any covered entity but is funded for the specific purpose of aiding Principal Investigators with research related tasks such as identifying and contacting potential research participants. Without this assistance, the Principal Investigator would be unable to conduct the study. A common scenario is when a Principal Investigator is a member of a covered entity, but the research coordinator assisting the Principal Investigator with recruitment is not. In order to allow the GCRC research coordinator to provide recruitment assistance to the Principal Investigator, at least two waivers and/or authorizations must be obtained – one to access the data and one to enroll the subjects. The Principal Investigator would be required to track disclosures made to the research coordinator – a person he or she would consider as a member of their workforce. If a research coordinator is not utilized, the Principal Investigator must personally perform the recruitment process. While alternatives exist through the IRB waiver process, this process only delays the research process unnecessarily. However, if the Research Team members were permitted to collaborate with one another, as intended by the NIH, these delays would not occur.

3. Barriers to collaboration also are present with multi-center trials. For example, a multi-center genetics study involving a number of research centers from around the country recently met to discuss how recruitment and data collection would occur. Each center presented different interpretations for how recruitment and data collection would be done based on their institution’s structure and interpretation of the Privacy Rule. Even if each entity had a similar set of safeguards, recruitment and data collection would still be inconsistent simply because the Privacy Rule is driven by the structure of the organizations and not on how PHI is protected.

Possible Solutions

1. Third party research personnel being considered part of the Covered Entity’s workforce.

Allowing research team members to be considered workforce members of the Principal Investigator’s covered entity will alleviate both the IRB and the Principal Investigator from the authorization and/or waiver process as well as having to account for disclosures. The Principal Investigator and the research staff are already subject to internal HIPAA policies and Research Standard Operating Procedures (SOPs).

2. IRB approval of written assurances for access and recruitment purposes

Research incorporates more layers of safeguards than those required for treatment, payment, or healthcare operations. The IRB should be provided the discretion to determine if the appropriate safeguards are in place when a Principal Investigator utilizes a third party for research-specific support. Criteria to determine the existence of these safeguards could be based on the criteria established for Business Associate agreements. This process would alleviate the need for waivers of authorization for disclosures among Research Team members affiliated and working in the same academic and research community and the accounting of these disclosures.

3. Recruitment assistance with approved members of the Research Team could be considered part of treatment and/or healthcare operations.

Research at academic medical institutions involves treatment, quality assessment and population based activities. When a patient enters an academic institution, it is recognized that research is a primary mission. A patient comes to the institution with the hope and understanding that they will have access to the latest innovations in health care due to that institution’s research endeavors. If adequate safeguards are present, and institutional privacy requirements are met as approved by the IRB, recruitment should be permitted by approved members of the Research Team without an authorization or waiver of authorization.

B. Barriers to Future uses of Protected Health Information

The Final Modifications to the Privacy Rule recognized the importance of using existing research data for future uses. Specifically, the comments state:

“The final rule permits covered entities to rely on an express legal permission, informed consent, or IRB-approved waiver of informed consent for future unspecified research provided the legal permission, informed consent or IRB-approved waiver was obtained prior to the compliance date.” Access to the data for future research is beneficial in performing a similar or related study and is extremely valuable for population based studies and genetic research. Two specific examples include:

1) In reference to the multi-center example previously discussed, there was no consensus among the IRBs at the research centers as to whether future uses for existing genetic data collected for research purposes is allowed under HIPAA if subjects consent and authorize such use. Since uniformity cannot be reached, data collection could differ at each center and could materially affect study results.

2) HIPAA doesn’t apply to all research related entities that access PHI. Use of research data for future uses is currently permissible for non-covered entities such as pharmaceutical companies, CROs, other sponsors, etc. Research institutions like IUSM are often pressed by these non-covered entities to include future uses in the informed consent or authorization form. IRBs are reluctant to allow these types of uses because it is inconsistent with the Privacy Rule’s requirements. Although both parties recognize that the future use of existing research data is beneficial to new developments and healthcare, no consensus has been reached.

Possible Solutions

1) Covered entities should be permitted to include future uses in the consent and/or authorization as determined by the IRB. This will help create consistency with research sponsors who are already permitted to use research data for future studies.

2) If future uses cannot be included in the consent and/or authorization, we request clarification and guidance regarding the use of existing research data for related future studies.

Conclusion

Ultimately, the Privacy Rule should emphasize whether the PHI is safeguarded, rather than where the PHI is held. Although it is recognized that Congress has the ultimate authority, we believe that the focus of protection of health information should be on how the data itself is safeguarded. IUSM has demonstrated a significant commitment to compliance and we will continue to work diligently to protect the confidentiality and security of PHI used for research purposes. We believe that if HHS provides some additional focused guidance and addresses some complexities presented by the Rule, the Privacy Rule can be workable for research.