Clinical trials in the medical field rely primarily on patient data. The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the United States Congress in 1996. The law required the Department of Health and Human Services (HHS) to create national standards that keep sensitive patient information from falling into unauthorized hands.
To implement those requirements, HHS issued the HIPAA Privacy Rule, which governs how protected health information may be used and disclosed. HHS also issued the HIPAA Security Rule, which protects a subset of the information covered by the Privacy Rule: the information that is held or transmitted electronically.
Initially, there was a concern that the HIPAA rules would hinder clinical research. These concerns proved largely unfounded: the Privacy Rule does not stop research from using patient data; it sets the conditions under which protected health information (PHI) may be used and disclosed during a study.
Generally, a patient or health plan member must authorize the use and disclosure of their protected health information (PHI) for research.
The rules apply to a clinical trial whenever a covered entity (or a researcher working with one) accesses PHI to conduct the study. If the study itself will create PHI, for example by providing treatment as part of the trial, the same compliance obligations apply.
HIPAA Privacy Rule
The Privacy Rule governs the use and disclosure of individuals' health information by the organizations subject to it. Those organizations are called covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain transactions. Patients are the individuals the rule protects, not covered entities.
The Privacy Rule sets out standards for individuals' rights to understand and control how their health information is used. Its main objective is to protect individuals' health information while still permitting the flow of information needed to provide high-quality health care and to protect public health and well-being.
In short, the Privacy Rule permits the use of important data while protecting the privacy of the people seeking care.
HIPAA Security Rule
While the Privacy Rule protects PHI in any form, the Security Rule safeguards a subset of the information covered by the Privacy Rule.
That subset is individually identifiable health information that a covered entity creates, receives, maintains, or transmits in electronic form, referred to as electronic protected health information (ePHI).
The Security Rule does not apply to PHI transmitted orally or on paper. To comply with the Security Rule, covered entities must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of that information.
- Protect against reasonably anticipated uses or disclosures that are not permitted by the Privacy Rule.
- Ensure compliance by their workforce.
Covered entities are expected to rely on professional ethics and best judgment when deciding whether to make a permitted (but not required) use or disclosure. The HHS Office for Civil Rights (OCR) enforces the HIPAA rules, and complaints about violations are filed with OCR. Violations can result in civil monetary penalties or criminal penalties.
HIPAA compliance means staying within the requirements of the Privacy and Security Rules. An organization that fails to meet those requirements is in violation of HIPAA. Common violations include:
- Impermissible disclosure of PHI or ePHI to unauthorized parties
- Failure to meet administrative requirements, such as workforce training
- Failure to update, upgrade, or otherwise address known compliance gaps
- Failure to notify affected individuals, HHS, and (where required) the media about reportable data breaches
- Failure to implement the safeguards required by the Security Rule
With that in mind, HIPAA divides violations into civil and criminal violations.
1. Civil violations are non-compliance incidents without criminal intent, such as neglect or lack of awareness. The civil penalties are tiered by culpability; the base amounts below are the statutory figures and are adjusted for inflation each year:
- A person who did not know, and by exercising reasonable diligence would not have known, of the violation: at least $100 per violation.
- A violation due to reasonable cause and not to willful neglect: at least $1,000 per violation.
- A violation due to willful neglect that is corrected within the required time period: at least $10,000 per violation.
- A violation due to willful neglect that is not corrected within the required time period: $50,000 per violation.
2. Criminal violations involve knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA. The penalties are:
- Knowingly obtaining or disclosing individually identifiable health information: a fine of up to $50,000 and up to one year in prison.
- Committing the offense under false pretenses: a fine of up to $100,000 and up to five years in prison.
- Committing the offense with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm: a fine of up to $250,000 and up to ten years in prison.
The Required Authorization Before Taking Part in Clinical Trials
Contrary to what people may think, the Privacy Rule does not prohibit researchers from conditioning participation in a clinical trial on the participant signing an authorization. The rule does not set the conditions for enrollment and participation in clinical trials; it addresses the authorization required to use and disclose individuals' health information.
Before a clinical trial begins, participants must review the relevant documents so that they fully understand what the trial involves. Use of PHI in the trial is permitted only if a valid authorization is obtained from the participant. A valid authorization must include:
- An expiration date or expiration event (for research, this may be stated as the end of the study or as "none")
- A statement that the participant has the right to revoke the authorization, and how to do so
- A specific description of the purpose of the authorization and of the information that will be used or disclosed during the trial
- The names or classes of persons authorized to make the use or disclosure, and of persons to whom the disclosure may be made
- The participant's signature and the date
Keep in mind that participants can revoke an authorization at any time. After revocation, researchers may not collect or use new PHI under that authorization. However, they may continue to use and disclose the PHI obtained before the revocation to the extent necessary to maintain the integrity of the study, for example to account for the participant's withdrawal or to report adverse events.
You do not have to obtain a separate authorization for every use or disclosure of PHI. A single authorization can cover all uses and disclosures within a specific research study. However, every use or disclosure must fall within the research activity the authorization describes, and the authorization must describe the types of disclosures the research will involve.
Note that the Privacy Rule does not say who must draft the authorization form, so a researcher may draft it. An authorization is compliant only if it is written in plain language and contains the core elements and required statements set out in 45 CFR § 164.508 of the Privacy Rule.
Successful clinical studies depend on patient data. But before that data is collected, study participants must be clear about what they are signing up for. The U.S. government takes personal health information seriously, and HIPAA exists to safeguard the confidentiality of every person who uses the health care system.