The US Department of Health and Human Services (DHHS) has released a long-anticipated final rule modifying its regulations regarding the Health Insurance Portability and Accountability Act, more commonly known by its acronym, HIPAA.
HIPAA contains a number of data privacy protections, most notably the "privacy rule," which closely regulates how protected health information (PHI), any health-related information about a person that can personally identify them, may be used by an entity covered by the law. Most disclosures outside of ones intended to facilitate payments or treatment directly require authorization from the patient in order to proceed. The rule is overseen by the Department of Health and Human Services' Office for Civil Rights (OCR).
The rule, released on 18 January 2013, is substantial both in length and effect. At 563 pages, it's one of the longer rules put out recently by the agency, which has issued no shortage of rules related to the implementation of the 2010 Patient Protection and Affordable Care Act.
But the rule, actually four distinct rules combined into one for the sake of efficiency, affects a huge number of industries, including companies conducting clinical trials.
Companies will be further restricted from using some of the information they obtain from patients, for example, and can no longer sell PHI or use it for marketing or fundraising purposes.
Patients would also have the right to receive electronic copies of their health information and be permitted to restrict insurance companies from finding out about healthcare received but paid for out of pocket in full. The latter could be construed as a potential incentive for some clinical trials, as some patients now are wary of participating if it has the potential to increase their premiums.
It would also become easier to release information to the family of deceased patients, a potential benefit (or liability) to those testing products on patients who die in the midst of treatment.
Other parts of the rule focus more on compliance. Those found to have violated HIPAA provisions, for instance, will be subject to tiered and increased civil monetary penalties. Entities will also be bound by an objective definition of what constitutes a leak of information that could negatively impact a patient.
Impact on Clinical Trials
Clinical trial sites will also be exempted from certain requirements, such as those limiting the use of single authorizations ("compound authorizations") for the release of PHI. (Page 175 of the rule)
"Permitting the use of protected health information is part of the decision to receive care through a clinical trial, and health care providers conducting such trials are able to condition research-related treatment on the individual's willingness to authorize the use or disclosure of protected health information for research associated with the trial," DHHS explained in its rule.
These exemptions could prove crucial to companies hoping to use collected data for "corollary research activity," such as for research databases or repositories used to find common genetic markers or other information used to generate new information on therapies. However, trial sites will still be prohibited from using compound authorizations for tissue banking purposes, though they can ask for such samples in a separate authorization form or in the same package so long as it is unconditional. DHHS suggested the use of separate check boxes and authorization signature lines for entities that wish to simplify the enrollment process.
Many of the remaining provisions of the final rule, if not already in effect, will come into effect on 26 March 2013, and require full compliance 180 days after that date.