How HIPAA Affects Research Efforts
By Juliann Schaeffer
For The Record
Vol. 29 No. 7 P. 18
Revisions to the Common Rule have complicated matters.
As health care organizations and research entities strive to make the best use of newly available data from EHRs and other digital technologies, key questions are being asked about how to define digital data. Specifically, are the data being used for research purposes or quality improvement efforts?
Because regulatory burdens currently distinguish between these two types of "learning" efforts, the distinction is crucial. How do privacy regulations such as HIPAA affect research efforts? Within what ethical boundaries are such activities allowed under the current regulations?
Quality Improvement vs Research
Most health care organizations are familiar with the Common Rule, an ethics regulation that oversees research involving human subjects, largely through Institutional Review Boards. Currently, the rule, adopted by Health and Human Services (HHS), makes a distinction between the oversight necessary for quality improvement activities vs clinical trials.
To summarize, less oversight is required for initiatives deemed to fall under quality improvement (which may involve improving a health system's internal operations more than patient care) than for clinical trials. However, some experts say this distinction isn't clear-cut—in particular as it relates to health data gleaned from HIT—and can cause regulatory confusion, possibly even ethical uncertainties.
According to Twila Brase, RN, PHN, president and cofounder of the nonprofit organization Citizens' Council for Health Freedom, the regulatory complexities that currently exist allow for variations in oversight. "I believe it is possible that research is being done in a variety of ways under a variety of rules and various Institutional Review Board oversight—and perhaps no oversight at all, particularly with 'quality improvement activities' that may include experimentation on patients at the bedside without the patient's consent," she says.
Brase notes that commenters on the rule "emphasized the need, in particular, for greater harmonization between the Common Rule and FDA requirements, and between the Common Rule and the requirements of HIPAA."
She points to HHS' response to public comments: "The departments and agencies that oversee the protection of human subjects have a variety of missions and functions, including regulatory agencies and agencies that conduct and support research. In addition, in some cases, statutory differences among the departments and agencies have resulted in different regulatory requirements and guidance. They also oversee very different types and phases of research and thus may have reasonable justifications for differences in guidance."
According to HHS's website, the department doesn't consider most quality improvement efforts as research subject to protection under human subjects regulations. It makes an exception, however, for cases in which "quality improvement activities are designed to accomplish a research purpose as well as the purpose of improving the quality of care." In such cases, it says the regulations for protecting human research subjects may apply.
Judging by the comments found on the Quality Improvement section of the HHS website, many are still unsure of when the regulations apply. For example, this question was posed: "Do quality improvement activities fall under the HHS regulations for the protection of human subjects in research (45 CFR part 46) if their purposes are limited to: (a) delivering health care, and (b) measuring and reporting provider performance data for clinical, practical, or administrative uses?"
HHS' response was succinct: "No, such quality improvement activities do not satisfy the definition of 'research' under 45 CFR 46.102(d), which is 'a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.' Therefore, the HHS regulations for the protection of human subjects do not apply to such quality improvement activities, and there is no requirement under these regulations for such activities to undergo review by an IRB [Institutional Review Board], or for these activities to be conducted with provider or patient informed consent."
What It Means for Health Care
"HIPAA permits covered entities to analyze digital health data that is individually identifiable for a wide variety of health care operations and without the written permission of the individuals," explains Lucia Savage, JD, chief privacy and regulatory officer at Omada Health and former chief privacy officer at the Office of the National Coordinator for Health Information Technology. "The way these data are analyzed can be methodologically similar to the way researchers analyze data—for example, using statistical methods to identify patterns."
Some academic medical research institutions also are covered entities and therefore can take advantage of this HIPAA rule for those activities, Savage says. In contrast, organizations not covered by HIPAA can only use identifiable data for analysis per the Common Rule in the following instances:
• they have the individual's permission through a consent for research; or
• they receive approval from an Institutional Review Board to waive consent.
"Where an academic research organization cannot take advantage of the HIPAA rule, confusion amongst researchers arises," Savage says.
According to Jeff Smith, MPP, vice president of public policy for AMIA, HIPAA and the Common Rule broadly cover different kinds of activities fairly well: using patient data for activities that are clearly for delivering patient care and activities that are clearly for clinical research, respectively.
"Using patient data to understand what drugs have been prescribed by a specialist to inform treatment options is clearly a HIPAA-covered activity," he says. "The clinicians involved need to see and use those data to make an informed decision. Likewise, researchers who want to test a new drug for diabetes management must abide by Common Rule requirements to do so with live patients."
Smith says challenges crop up when activities that no one envisioned 15 or 20 years ago—when these regulations were first introduced—emerge. Many of the activities leverage patient data generated by EHRs and other HIT.
For example, take an initiative that queries an EHR to find patients who received a hip implant from two different device manufacturers. "This would be something that a hospital might do for quality improvement purposes, and it would be an activity that is not subject to the Common Rule because it's not considered research," Smith says.
As Smith explains, such a quality improvement activity would be permissible under HIPAA without much red tape because it's a retrospective review of treatment already received and the patient data could be anonymized. "However, if one hip implant was found to have lower complication rates over the other and the hospital wanted to publish this information in a peer-reviewed journal so others could learn about it, it would be considered research—and subsequently be subject to Common Rule regulations," he says.
According to Smith, the issue boils down to allowing new kinds of questions to be asked without hindering the ability to ask those questions while also making sure patients' rights are not violated.
Savage believes the regulatory confusion stems in part from the health care system's foray into digitization. "The policy reason for the HIPAA rule is that when the federal government required the health care system to start billing electronically, it enabled the use of the digital data for other goals important to the health care system, such as care coordination, training medical personnel, and identifying and improving quality," she explains. "At the same time, however, Congress required strict regulations of the privacy and security of the individual data so collected and used. In contrast, the Common Rule applies to many kinds of research that are not health specific: transit research, education research, environmental research, military research."
In effect, a rule that was designed only with health care in mind may not necessarily fit within the broad scope of the Common Rule.
Whatever the intent of the regulatory language, Brase believes patients get the short end of the stick. "The stated intent of both HIPAA and the Common Rule is to protect individuals or to protect human subjects," she says. "But given how little power is granted to individuals to protect themselves or subjects of research to decline participation, I think the intent is often otherwise."
Concurrent Realities and Unintended Consequences
How are health care organizations handling this regulatory ambiguity? According to Smith, it's currently akin to living in two concurrent realities. "Late in the Obama administration, HHS finalized revisions to the Common Rule, which affirmed an exemption for activities considered quality improvement," he explains. "The new revisions also created an exemption for certain low-level research activities performed by HIPAA-covered entities, which should smooth the path for the type of research similar to the hip implant example I described previously.
"I say two concurrent realities because these revisions are not effective until January 2018," Smith continues. "So while I anticipate hospitals will be able to publish quality improvement studies they feel could be beneficial for others to learn about, they can't do it until next year."
The Common Rule calls quality improvement "minimal risk," notes Brase, adding that the language in the most recent revisions "took pains to make sure [quality improvement] was not hampered by the final version of the rule, lest the rule 'inadvertently' create 'inappropriate obstacles to those quality assurance/quality improvement activities that should not fall under the rule.'"
However, Brase worries about the potential impact of that language on patients' privacy. "The rule discussed commenters who advocated for a 'learning health system' and the use of the EHR for quality improvement and quality assurance, and the use of data to 'analyze how they deliver care, improve outcomes, and modify processes to achieve health care reform goals.'
"We remain concerned with institutions that look at the health care system as a place to achieve health care reform goals. What goals are they, and might they provide patients with fewer choices at a higher cost? We believe 'learning health system' is a euphemism for outsiders using private data without patient consent to control treatment decisions without patient consent," Brase says.
Quality improvement doesn't always address quality of patient care, Brase adds. "With the perfusion of managed care and government programs, quality is often defined by those paying the bills, not by those providing or receiving the care," she says. "Thus, quality assurance/quality improvement often appear as administrative directives outside the control of the physician and the patient using protocols and treatment options placed within the EHR, and hospital/clinic system procedural requirements on physicians and staff.
"Data on claims forms and EHRs do not properly or completely explain the quality of the patient-doctor interaction, the multitude of variable characteristics of the patient that led to certain outcomes," she continues, noting that the final rule includes a comment that "the current Common Rule provides insufficient guidance to distinguish research and improvement in care delivery in a consistent manner."
"That's because it's often indistinguishable," Brase says. "Patients have become subjects of research conducted at the bedside."
Savage considers the situation more balanced. "My own view is that HIPAA enables wide and deep research about health care and is well balanced with privacy and security on an individual basis," she says. "I would say learning about health care is not generally impeded by the HIPAA rules, especially as there are additional rules within HIPAA that support interinstitutional collaboration for all the health care operations, including to quality improvement, and additional rules [in specific, the rule on limited data sets] within HIPAA designed to enable use of some types of PHI [protected health information] for research without a written authorization relative to the individual's privacy in those data."
Savage also sees a boost to quality improvement as a whole. "The analytic methods used for quality improvement analysis are typically done retrospectively, even if they yield information helpful to present care," she says. "A classic and early example is using claims data to evaluate whether women who should have received a mammogram for breast cancer screening in fact received it. The data can identify the instances where a mammogram was expected but not ordered or billed. That, in turn, can yield a reminder, a mammogram, and a chance to detect breast cancer earlier.
"As you can imagine, getting a notice of a missed mammogram might seem intrusive to some women. For others, the reminder could save their life."
Savage also points out that when the Office for Human Research Protections first proposed an update to the Common Rule, it was patients' advocacy for an overhaul that in part motivated the action. "Patients complained that research was going too slow and was too cumbersome to commence, was too slow to find cures, under rules first drafted 30 years earlier," she says. "HHS specifically sought to update the Common Rule to create pathways for faster research, to save more lives. I think the Common Rule continues to strike the right balance because it still requires an individual participant to consent to be in the research project when that research might have a significant health impact."
Smith believes HIPAA, when properly applied, does have a role to play in research and can give patients the control to participate—or not—as they see fit. "The challenge, though, is in establishing clear internal processes to articulate the reasons why patients may want to make their data available for research and building a technical infrastructure to comply with patient wishes," he says. "For instance, HIPAA gives patients the right to electronic copies of their health information. This right was part of the HITECH Act updates to HIPAA in 2009. To date, it's not clear that many patients have exercised this right, but when they do, it could be a sea change for how patients engage with researchers by donating their clinical data for narrowly defined research, or more broadly for big data research."
The Way Forward
Does regulatory language require another shake-up to better address this issue? According to Brase, patients may be best served if the issue was left to states to handle. "State privacy laws should require patient consent for performance measurement, outcomes tracking, and all other such quality improvement initiatives that today routinely access private medical records without patient consent," she says.
For the time being, she hopes health care organizations will see patients as human beings, not human subjects. "Get their informed consent for all research," Brase says, emphasizing that such consent forms should be communicated in a manner that's clear to patients.
"I would encourage health care organizations to discuss these changes with their chief privacy officer or HIPAA compliance team and seek to understand ways to leverage the new policies to do more and better quality improvement," Smith says. "They should closely monitor the Office for Human Research Protections at HHS and seek input from other HIPAA and Common Rule experts, including Institutional Review Board officials, if possible."
Smith remains hopeful that HHS will lead a public dialogue in the coming months on what the new revisions of the Common Rule mean, in particular as they relate to how hospitals and other covered entities can best leverage the data-rich environments created by EHRs and other HIT. "To date, HHS has not been actively trying to communicate what is in the final version of the Common Rule revisions or helping regulated industry to understand the potential opportunities and challenges associated with the new revisions," he says.
According to Smith, the revisions to the Common Rule have the potential to be tremendously impactful for research and quality improvement efforts "by making it easier to conduct secondary research and by enabling successful quality improvement efforts to be more widely communicated.
"Ultimately, I hope that these changes will help the research enterprise and the quality improvement side of care delivery to work more closely together to conduct research that can directly impact patient care while delivering care in a way that can be more readily impacted by research," he says.
— Juliann Schaeffer is a freelance writer and editor based in Alburtis, Pennsylvania.