September 17, 2007

The Privacy Board — Protectors of Patient Rights
By Selena Chavis
For The Record
Vol. 19 No. 19 P. 36

When researchers request personal health information, it’s up to a select group of individuals to decide whether it could be a violation of HIPAA’s privacy rule.

When Utah-based Intermountain Healthcare was approached earlier this year about releasing patient data for a study on child abuse, the organization’s fine-tuned privacy and disclosure procedures were called into play. According to senior compliance consultant Mary Thomason, there was little question about how to measure the request against HIPAA criteria or patient privacy rights because the organization has a well-oiled machine in place to address research issues affecting information privacy: the hospital privacy board.

A large, integrated, not-for-profit healthcare system serving Utah and Idaho, Intermountain Healthcare consists of 21 hospitals, 186 clinics, homecare services, a physician’s group, and a health plan. The organization receives many research requests each year, ranging from studies covering a particular medication’s effectiveness to precursors leading to the utilization of healthcare services within its network. As of mid-July, Thomason notes that close to 50 orders for authorization had been approved by the privacy board.

“It’s the intermediary that provides authorization when patient consent is not available,” she says, adding that the board’s role is to weigh the need for research against HIPAA criteria and patient rights. HIPAA dictates that authorization must be obtained directly from a patient for research on protected health information (PHI) unless certain conditions and criteria are met.

And in the case of the child abuse study, which was being conducted in conjunction with the state of Utah, research lost out as the Intermountain Privacy Board made it the one exception at the mid-point of the year, refusing the request. “We decided it didn’t fit our mission,” recalls Thomason. “Not that we weren’t interested in helping combat child abuse, but you have to consider how your members would feel about it. It just didn’t feel quite right … we take the privacy of our patients very seriously.”

The concept of the privacy board was created in conjunction with the implementation of the HIPAA privacy rule as an entity that waives the need for contacting patients directly for authorizations. For example, if a study involves the use of PHI pertaining to numerous individuals whose contact information is unknown and it would be impractical to conduct the research if authorization were required, a privacy board could waive the authorization requirement if certain criteria are met.

With HIPAA’s privacy rule now in effect for more than four years, healthcare attorney Roger Jansson of Seattle-based Davis Wright Tremaine believes most healthcare organizations have already entertained whether they need some type of privacy board. “At this point, I think hospitals have become much more sophisticated in terms of HIPAA,” he says. “If they needed a privacy board, they have probably already established one or figured out how to use their institutional review board (IRB).”

Recent research trends may make some institutions reconsider the need, however, as the overall movement suggests more studies are being conducted in small communities and physician practices. “[Healthcare organizations] don’t want to have to obtain authorization from every person they want to use in research,” Jansson says. “That’s cumbersome.”

Noting that, up until this point, most organizations that would have had an identified need for a privacy board were large research hospitals or healthcare networks, he emphasizes that further development of the privacy board concept will be “driven by the research moving into smaller communities.”

Waiving the Need for Consent
Before HIPAA, IRBs were the sole entity used in healthcare organizations to approve research projects. And, according to Thomason, the requirements and restrictions were limited when compared with expanded HIPAA criteria. “The Common Rule said no ‘identifiable’ items,” she notes, regarding Health and Human Services’ (HHS) policy governing federally funded or sponsored research. “Researchers tend to think in those terms, but HIPAA made a lot more information identifiable.”

Specifically, Thomason says that before HIPAA, deidentified data were considered data without obvious identifiers, such as names. Now, deidentified data must have certain identifiers removed—such as dates and zip codes—in addition to obvious ones.

Other changes enacted by the privacy rule include the need for health plans to obtain approvals for research as an identified covered entity, as well as the need to obtain approvals for research on deceased patients. Additional agreements may now be required to protect confidentiality, and if patient authorization is waived, the research project information must be made available in an accounting of disclosures.

According to Jansson, the need to obtain authorizations from patients can be eliminated if research revolves around a deidentified data set or a limited data set (LDS) with a data-use agreement. An LDS, which is an exception to the rule that requires 16 of the 18 identifiers laid out by the privacy rule, may contain data such as dates of birth, death, and service, town or city, state, and zip code.

Suggesting that some research organizations will opt to avoid the need for authorizations altogether by “anonomizing” the information or working from an LDS, Jansson notes that most research requests lend to the need for authorizations. “[Research] loses some of its depth and impact otherwise,” he says. “Researchers often don’t like to do that. … They like to link their research to demographics.”

Other HIPAA-approved criteria that allow for the waiver of authorizations include disclosure activity preparatory to research, meeting preapproved criteria for data on deceased patients, the availability of documented consent waivers granted prior to HIPAA, and the waiver of authorizations by an IRB or privacy board. For many organizations delving into research, the availability of an IRB or privacy board presents the most viable option when issues surrounding information privacy surface.

Jansson believes that while many large organizations will piggyback on their established IRB for privacy board functions, smaller entities entertaining the need for a research-oriented approval body will likely go the privacy board route. “IRBs are costly and complicated to set up,” he says. “It’s more cumbersome to set up an IRB rather than just implement what HIPAA covers.”

IRB vs. Privacy Board
While many healthcare organizations choose to use their existing IRB for the functions of a privacy board, Thomason says organizations will need to have a clear picture of how each federally mandated privacy rule affects the other.

Three rules currently come into play: the FDA rules governing new drugs, biologics, and devices; the Common Rule, which applies primarily to research protection of human subjects; and the privacy rule covering PHI disclosures, or information-related privacy.

Thomason points out that the privacy rule applies solely to covered entities, emphasizing that any covered entity must meet these requirements for data research no matter who is funding the initiative. HHS defines a covered entity as a health plan, healthcare clearinghouse, or healthcare provider that electronically transmits health information in connection with certain defined HIPAA transactions. Researchers are not themselves covered entities but may be indirectly affected by the privacy rule if they are seeking data from a covered entity for research.

Thomason also notes that the privacy rule does not replace the other rules but is enforced “in addition to the privacy protections of these regulations.”

Created decades ago to address the needs of the Common Rule, IRBs created a platform for HIPAA to expand the function of protecting patient rights, according to Jansson. “They are taking advantage of the fact that IRBs already exist,” he says regarding the provision that allows existing IRBs to assume the responsibilities of the privacy board.

With that provision in mind, he also explains that “IRBs have a much broader responsibility. It’s more about physical harms. The privacy board is more about informational harms.”

Thomason suggests healthcare entities take several approaches to forming a privacy board. As noted by Jansson, the internal IRB can assume the expanded functions. Organizations can also form a privacy board as an internal independent body or a subset of the IRB.

Another available option is the utilization of an external IRB or privacy board. While this option eliminates the headaches associated with forming an additional committee and managing more paperwork, Thomason says it also means trusting an external group with patient information and privacy and may be cost-prohibitive if an organization is doing any real volume of projects.

In the case of Intermountain Healthcare, the initial decision was made to form a privacy board as a separate entity from its IRB. “We chose not to use our IRB. Because we were early adopters of electronic medical records (EMRs), our IRB was already swamped,” Thomason recalls, adding that it later made sense to make the privacy board a subset of the IRB because there was considerable duplication.

Thomason notes that an internal privacy board operating independently will also have limitations to the types of research requests it can approve. While the data requests funneled to this group are focused solely on information privacy and do not have to undergo an IRB review, the studies in question cannot be federally funded, FDA-oversight related, or subject to the requirements of the Common Rule.

Thomason says that Intermountain found the IRB subset option as the best answer because the privacy board could focus on information privacy issues and still have integration and communication with the IRB. A more time-consuming application process for researchers and finding a community member to serve on more than one group have proven to be this approach’s primary obstacles.

Defining the “Who”
The criteria defining the makeup of a privacy board is much looser than that of an IRB. In fact, according to Thomason, the crux of the policy is that members should have varying backgrounds and appropriate professional competencies to assess privacy concerns. It is also required that one member is not affiliated with the covered entity or researchers.

In comparison, IRBs must have at least five diverse members of varying backgrounds appropriate to the types of research being reviewed. One member should be representative of the scientific community, and one member should not. It is also required that an IRB be comprised of at least one member who is not otherwise affiliated with the institution and is not part of the immediate family of a person affiliated with the institution.

Thomason, who has a background in HIM and IT, currently serves on both Intermountain’s Privacy Board (as chair) and its IRB. The Intermountain Privacy Board is comprised of the organization’s corporate director of HIM, the primary staff liaison working in data warehousing, a pharmacist, a volunteer outside of the institution, experts with research backgrounds, and an attorney.

“Sometimes it comes up that we may need a statistician,” Thomason notes, adding that such a professional could help identify whether there is anything in a record that could possibly determine the patient. “We have gotten into a lot more detail than the privacy rule.”

The Intermountain Privacy Board has also given Thomason the ability to expedite reviews—a protocol laid out in the privacy rule—whereby a member can be named to speak for the privacy board when decisions are deemed obvious.

Factoring in the EHR
As Intermountain becomes more electronic, Thomason believes the process of waiving authorizations and providing access to data will become more complicated.

In line with Thomason’s belief, Jansson notes that “in many ways, I think HIPAA was set up to deal with the future of EHRs [electronic health records]” as it presents fine-tuned parameters for how much access researchers should have to information.

“We generally discourage researchers from pulling up information in our EMR,” Thomason says, emphasizing that the organization’s current system does not limit access to preidentified records. “It’s hard to communicate and make [researchers] understand the conflict, especially when the researcher is a treatment provider.”

Independent physician groups that may be involved in research and also have access to the Intermountain EMR is currently one of the greatest challenges. “We can’t figure out how to monitor that,” Thomason says, noting that if a physician pulls up a record, it will likely be assumed that it’s for a treatment reason. “Upon approval, we would give them a download of information requested. We’re not sure how much access to give to the EMR.”

— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications covering everything from corporate and managerial topics to healthcare and travel.