Why Keep HIPAA Separate from the Informed Consent Form
The research informed consent form (ICF) is designed to provide prospective participants with the necessary information to make an informed decision about whether to participate in a clinical trial.
Frequently included in the informed consent is an institution’s Health Insurance Portability and Accountability Act (HIPAA) statement, which informs participants of how their protected health information (PHI) may be used or disclosed by covered entities for research purposes.
HIPAA statements are typically provided to participants in one of two ways:
- Standalone document in addition to the ICF
- Embedded content within the ICF itself
In this blog, we’ll explore why HIPAA is important to the informed consent process and why a standalone document is often the most beneficial approach, both for informing participants and for simplifying the institutional review board (IRB) review process.
Why HIPAA in Research?
The HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, was issued in 1996 in response to public concern over potential abuses of the privacy of health information.
The Privacy Rule establishes a category of health information, known as protected health information (PHI). This may only be used or disclosed to others in certain circumstances or under certain conditions. PHI is a subset of what is termed “individually identifiable health information.” With certain exceptions, individually identifiable health information becomes PHI when it is created or received by a covered entity.
Covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with certain defined HIPAA transactions, such as claims or eligibility inquiries. Organizations classified as “business associates” of covered entities may also be obligated to follow HIPAA requirements.
Clinical trial protocols often seek to access patients’ personal health information, like medical charts and test results. This helps identify potential participants, confirm whether someone meets the trial’s eligibility requirements, or establish baseline medical information for trial participants.
Informing participants about their HIPAA rights as part of the informed consent process helps ensure they understand how their information will and won’t be used to make an informed decision about participating.
A HIPAA Authorization allows a covered entity to use or disclose the patient’s PHI in a way not otherwise allowed by the HIPAA Privacy Rule. For clinical research, this may include local researchers sharing the information with a third party, or, in the case of a partial waiver of Authorization, reviewing PHI for recruitment purposes. HIPAA Authorizations must contain numerous required elements, including details about who may use the PHI and for what purposes.
HIPAA and IRB Review
For certain clinical trials, it may be beneficial for recruitment purposes for researchers to request a waiver or alteration (sometimes called a partial waiver) of research participants’ HIPAA Authorization for use/disclosure of their information. Or as NIH explains, “[f]or some types of research, it is impracticable for researchers to obtain written Authorization from research participants.”
By waiving some or all of the Authorization requirements, researchers may more easily access information necessary for activities “preparatory to research,” such as preparing a research protocol or developing a research hypothesis, or for identifying prospective participants who would meet the study’s eligibility criteria for enrollment.
The regulations at 45 CFR Part 164.512 indicate a privacy board or an IRB may waive or alter, in whole or in part, Authorization requirements for use and disclosure of PHI connected with a particular research project.
It’s important to note: “IRB” is not synonymous with “privacy board,” as each board has its own unique membership requirements. To put it another way, a privacy board meeting the Privacy Rule’s membership requirements does not necessarily satisfy the IRB membership requirements laid out in HHS and FDA regulations or other federal laws and requirements applicable to research.
Covered entities may reasonably rely upon documentation from an IRB (whose membership satisfies the requirements of HHS or FDA regulations) in order to use or disclose PHI without Authorization, as permitted by the Privacy Rule at 45 CFR 164.512(i)(1)(i). The Privacy Rule permits a covered entity to accept documentation of such an approval from any qualified IRB or privacy board – this permission does not necessarily need to come from the IRB overseeing the institution’s research.
Why Keep HIPAA Separate from the ICF?
Determining whether an organization is a HIPAA “covered entity” must be made at the individual site level. So including HIPAA in a multisite study-wide ICF doesn’t make sense – HIPAA typically includes unique choices made by the site or institution.
Also worth noting is the IRB’s role under the Privacy Rule is “limited to acting on requests for a waiver or an alteration of the Privacy Rule’s Authorization requirement. IRBs are, thus, not required to review and approve Authorizations under the Privacy Rule…[and] are not required to approve standalone Authorizations” (NIH, Institutional Review Boards and the HIPAA Privacy Rule).
However, when HIPAA language is incorporated into the ICF itself, it becomes part of the IRB’s responsibility to review the HIPAA language in the ICF for required consent elements. Covered entities may want to consider whether such review is necessary.
HIPAA can be particularly troublesome for IRBs serving as the single IRB (sIRB) for a given study. When research sites incorporate their HIPAA content into the ICF language specific to their location, it can require a lot more work for the sIRB to keep the ICF up to date.
For example, any time a study-wide amendment requires site-specific revisions, the sIRB must ensure site-specific HIPAA language is properly incorporated into the revised ICF – adding an additional administrative step to a process usually requiring very timely action. Already managing multiple site-specific ICF requirements, an sIRB may find the HIPAA aspect an additional complication potentially impacting the efficiencies inherent in sIRB oversight.
Ultimately, it is better for all stakeholders to keep HIPAA language separate from the research informed consent:
- Participants are sure to always have the latest HIPAA information from their institution, since the institution controls that documentation
- External IRBs can review and process changes to research more efficiently, minimizing delays associated with site-specific ICF requirements
- Research sponsors can rely on individual research sites’ HIPAA documentation and avoid getting tangled in “covered entity” considerations not applicable to sponsors
Since HIPAA considerations are unique to the individual covered entity, it’s important to consult with your Privacy Officer or another responsible official to understand your local policies and requirements.