Archives for February 2017

Human subject research: expert discusses recent privacy and security concerns

Recent privacy and security developments in human subject research were the topic of discussion during a recent Health Care Compliance Association (HCCA) webinar. The webinar presenter, William J. Roberts, a partner in Shipman & Goodwin LLP’s Health Law Practice Group and the Chair of its Privacy and Data Protection team, discussed: (1) the disclosure of substance use disorder records for research purposes; (2) the rights of a research subject to directly access their test results; and (3) electronic informed consent of research subjects.

Disclosure for research purposes

In discussing the disclosure of substance use disorder records of patients for research purposes, Roberts focused on the revised requirements for the research exception (42 C.F.R. sec. 2.52) set forth in the January 18, 2017 Final rule (82 FR 6052) issued by the Substance Abuse and Mental Health Services Administration (SAMHSA), which are effective March 21, 2017.

First, under the revised research exception at 42 C.F.R. 2.52(a), Roberts noted that a federally-assisted program or other lawful holder of patient identifying information may disclose this information to qualified personnel for the purpose of conducting scientific research if the individual designated as director or managing director, or other individual with comparable authority determines that the researcher or recipient of the patient identifying information satisfies the following requirements:

  • has obtained and documented patient authorization or a waiver/alteration of authorization consistent with HIPAA; and
  • provides documentation that (1) the researcher is in compliance with the requirements of the HHS regulations regarding the protection of human subjects, including the informed consent/waiver of consent requirements or (2) the research qualifies for exemption under the HHS regulations or any successor regulations.

In addition, under revised 42 C.F.R 2.52(b), Roberts pointed out that the researcher who receives the information must: (1) not re-disclose patient identifying information except back to the individual or entity from whom the information was obtained; (2) maintain and destroypatient identifying information in accordance with the security policies and procedures under the Part 2 regulations; (3) retain records in compliance with applicable federal, state, and local record retention laws; and (4) if necessary, resist in judicial proceedings any efforts to obtain access to patient records containing Part 2 data.

Further, under 42 C.F.R. 2.52(c), Roberts pointed out that researchers may link to data from federal and non-federal data repositories holding patient identifying information, if the researcher: (1) has the request for data linkages reviewed and approved by an institutional review board (IRB) registered with the HHS Office for Human Research Protections; and (2) ensures that patient identifying information obtained is not provided to law enforcement agencies or officials.

Finally, under 42 C.F.R. 2.52(d), Roberts indicated that upon receipt of patient identifying information, data repositories are fully bound by Part 2 regulations and must: (1) after providing the researcher with the linked data, destroy or delete the linked data from its records (including sanitizing any associated hard copy or electronic media); and (2) ensure that patient identifying information is not provided to law enforcement agencies or officials.

Roberts believes that the key take-aways from the revised Part 2 regulations are that: (1) we can expect a more simplified process for obtaining patient information from Part 2 subject facilities and providers, which may open more doors to research collaborations and projects: (2) population health studies will benefit from linkages; and (3) future revisions to the regulations may be possible because SAMHSA has been soliciting additional comments and has expressed openness to future changes.

Rights of research subjects

In discussing the right of research subjects to directly access their test results, Roberts focused on some problems with the February 6, 2014 joint CMS and Office of Civil Rights (OCR) Final rule designed to harmonize the requirements of the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and Health Insurance Portability and Accountability Act (HIPAA) rules (see Amended CLIA, HIPAA regulations provide patients direct access to lab test results, Health Law Daily, February 6, 2014).

According to Roberts, while the joint Final rule amended the CLIA requirements to permit laboratories to give completed test results directly to a patient or patient’s representative upon request, and the HIPAA rule to require HIPAA covered laboratories to provide access rights to patients, it also created a conflict. For example, CLIA prohibits non-CLIA certified research laboratories from returning results to individuals for the “diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients,” while HIPAA-covered laboratories have a legal responsibility to provide research results to research subjects upon request if the information is in the “designated record set.”

Roberts explained that the Secretary’s Advisory Committee on Human Research Protections (SACHRP) has made three recommendations to resolve the CLIA/HIPAA conflict:

  • HHS (including OCR, FDA, CMS) should clarify and ratify necessary regulatory interpretations or amendments so that researchers in a non-CLIA-certified laboratory are able to refer, without penalty, a research subject to a CLIA-certified laboratory for additional testing after identifying clinically actionable information.
  • HHS should clarify the duties of HIPAA covered entities to provide results to individuals, upon their request, from non-CLIA-certified laboratories.
  • OCR should provide guidance on how to interpret the “designated record set” in the context of access to test results from non-CLIA research laboratories.

Until there is closure on these recommendations, Roberts recommended that covered entities: (1) review existing practices of researchers with respect to participants’ access to test results; (2) review the standard for determining what test results are part of the “designated record set”; and (3) consult the IRB or counsel about responding to requests.

Electronic informed consent

Roberts’ discussion of electronic informed consent (eIC) included the examination of: (1) a joint FDA/Office for Human Research Protections (OHRP) frequently asked questions guidance; (2) paper v. eIC; (3) electronic signatures; and (4) verification of the research subject’s identity.

The upshot of the joint guidance, according to Roberts, is that: (1) if the research is conducted or supported by HHS and involves a FDA-regulated product, it is subject to both the FDA and HHS regulations; and (2) in the event the regulations differ, the regulations that offer the greater protection to human subjects should be followed.

Roberts explained that both OHRP and FDA regulations allow for the use of eIC and paper informed consent, independently or in combination with each other, and for electronic signatures to be used in lieu of traditional signatures.

Roberts suggested that an eIC should: (1) be easy to navigate, (2) allow the user to proceed forward and backward and to stop and continue at a later time, (3) use hyperlinks where helpful, (4) give patients options to use paper or electronic; and (5) ask: Do research subjects need assistance in completing the eIC? Roberts also suggested that research subjects be given a copy of the written informed consent form, preferably with the subject’s signature and the date the form was executed.

Finally, Roberts cautioned that before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization must verify the identity of the individual.

Overall, with regard to eIC, Roberts recommends checking with the IRB about the use of eIC to ensure that the IRB agrees that the format may be used for the particular research. Examples of possible formats include: encrypted digital signature, electronic signature pad, voice print, and digital fingerprint.

Roberts also recommended: (1) reviewing and revising privacy policies and procedures with respect to any eIC data stored in “the cloud” to ensure compliance with applicable laws; (2) ensuring that eIC materials are easy for the research subject to navigate; and (3) ensuring eIC technology allows an easy way for subjects to ask questions and get answers.

Bloodstream infection detection test approved for marketing

In a first of its kind, the FDA has approved the marketing of the PhenoTest BC Kit, which is the first test to identify organisms that cause bloodstream infections. The test kit, manufactured by Accelerate Diagnostics Inc., can provide information to health professionals about which antibiotics the organism is sensitive to and potentially reduce the amount of time to provide this information. As a result, antibiotic treatment recommendations can be formulated much quicker. Unlike traditional identification and antibiotic susceptibility tests that may take 24 to 48 hours after detection in a positive blood culture to provide test results, the PhenoTest BC Kit can identify bacteria or yeast from a positive blood culture in approximately 1.5 hours. The test can identify 14 different species of bacteria and two species of yeast that cause bloodstream infections, while also providing antibiotic sensitivity information on 18 selected antibiotics for a subset of the identified organisms as appropriate.

Bacterial or yeast blood infections can occur in individuals of all ages, but are particularly severe in infants, the elderly, and those with weakened immune systems. If not treated rapidly, such bloodstream infections can lead to severe complications, such as septic shock and death. The PhenoTest BC Kit can also provide treatment recommendations within 6.5 hours of organism detection in blood cultuers.

The FDA reviewed the data for the PhenoTest BC Kit through its de novo premarket review pathway, a regulatory pathway for devices of a new type with low-to-moderate-risk that are not substantially equivalent to an already legally marketed device and for which special controls can be developed, in addition to general controls, to provide a reasonable assurance of safety and effectiveness of the devices. Although some risks with the kit included false positive findings, the FDA’s decision was based on Accerlerate’s clinical study of 1,850 positive blood cultures.  In the study, bacteria or yeast in positive blood culture was identified correctly more than 95 percent of the time.

CogniPrin and FlexiPrin supplement marketers charged by FTC and Maine AG

The Federal Trade Commission (FTC) and the Attorney General (AG) of Maine have filed a complaint against nine dietary supplement marketers, including three corporations and six individuals, for their roles in a deceptive campaign to sell a joint health supplement (FlexiPrin) and a cognitive health supplement (CogniPrin) in violation of state and federal laws. The FTC and Maine AG have also jointly announced that six of the marketers (two corporations and four individuals) have agreed to settlements, in the form of proposed stipulated orders, with the state and federal governments.

Complaint

The FTC and the Maine AG allege that XXL Impressions LLC, Jeffrey R. Powlowsky, J2 Response LLP, Justin Bumann, Justin Steinle, Synergixx, LLC, Charlie Fusco, Ronald Jahner, and Brazos Minshew made false and misleading claims that the supplement CogniPrin:

  • reverses mental decline by 12 years;
  • improves memory by 44 percent; and
  • improves memory in as little as three weeks and is clinically proven to improve memory.

And that the supplement FlexiPrin:

  • reduces joint and back pain, inflammation, and stiffness in as little as two hours;
  • rebuilds damaged joints and cartilage; and
  • has been clinically proven to reduce the need for medication in 80 percent of users and to reduce morning joint stiffness in all users.

The complaint alleges that the marketers employed unfair or deceptive acts or practices in the advertising, marketing, distribution, and sale of FlexiPrin and CogniPrin. The marketers also allegedly sold these products directly to consumers, primarily through radio and print advertising nationwide and in Canada, which garnered in excess of $6.5 million in gross sales from January 1, 2012 through April 30, 2015. The complaint specifically alleges that the defendants:

  • made false claims about the efficacy and testing of their products;
  • deceptively enrolled consumers in continuity plans, or automatic monthly shipments for which consumers’ credit and debit cards were automatically charged;
  • when consumers attempted to halt shipments or obtain a refund, they were then told of additional, undisclosed requirements they could almost never abide by;
  • would use stage names and claim medical credentials to promote the products and claim clinical testing that never actually occurred; and
  • deceptively induced consumers to purchase other services such as discount buying clubs or health savings plans which were also difficult to cancel.

Proposed stipulated orders

Marketers Powlowsky, XXL Impressions, J2Response, Bumann, and Steinle have agreed in two proposed court orders to substantial injunctions against making unsubstantiated health efficacy claims. A stipulated order against J2Response, Bumann, and Steinle and a second stipulated order against Powlowsky and XXL Impressions LLC both bar these marketers from making the false or unsubstantiated heath claims challenged in the complaint and require them to have competent and reliable scientific evidence when making health-related claims. The orders also requires these marketers to preserve all scientific evidence supporting claims they make, and bar them from failing to disclose a material connection to a paid endorser. The orders further bar these marketers from misrepresenting the terms of any negative-option, continuity plans, or free trial offers, and require them to get consumers’ express consent before charging them.

In addition, the stipulated order against Powlowsky and XXL Impressions LLC bans them from direct response marketing of foods, dietary supplements, or drugs for 20 years, while allowing the former to continue his manufacturing brokering business.

The stipulated order against Minshew bars him from acting as an “expert endorser” unless he has the expertise he claims to have, and requires him to have scientific evidence to support the product claims he makes.

The stipulated orders impose a $6.57 million judgment against the marketers, with all but $556,000 suspended due to their inability to pay. The stipulated final orders will have the force of law if and when approved and signed by a district court judge upon deciding the case.

The litigation continues as to Fusco, Synergixx, LLC, and Jahner.

Protecting personal data beyond HIPAA

Safeguarding protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) is important, but what responsibilities do hospitals have to protect other types of personally identifiable information (PII)? What concrete steps can hospitals take to follow through on these responsibilities? Meg Grimaldi, Director of Compliance at Martin Luther King, Jr. Community Hospital in Los Angeles, and Sarah Bruno, Matthew Mills, and Jade Kelly, Partners at Arent Fox LLP, answered these questions in a Health Care Compliance Association (HCCA) webinar titled, “Navigating the Rest of the Iceberg: Privacy and Security Compliance Beyond HIPAA.”

Grimaldi began by reminding hospitals of the different types of information they encounter and the manner in which they encounter them. Aside from PHI gleaned through medical records, for example, hospitals may take in data used in accessing patient portals or submitted through event registrations and surveys. When gathering such information, hospitals must weigh the benefits of detriments of easy to use portals with the need to verity identity. User IDs, passwords, and personal questions are no longer sufficient to protect data; instead, hospitals should implement two-factor authentication—something a person knows, such as a User ID and password, with something a person has, such as a card or mobile device. Some hospitals may even consider utilizing biometrics. Hospitals should carefully consider the need to use cookies, which store data. If using cookies, session cookies are less risky because they do not save personal information beyond a single session. The use of long-term cookies must be carefully safeguarded.

The hospitals, themselves, may handle payment information or employee information submitted through secure portals, or may farm these duties out to third parties, but they remain no less responsible for the protection of the PII. Hospitals must ensure that business associate agreements (BAAs) or other contracts hold third parties accountable for handling types of data.

In general, hospitals should implement safeguards such as network segmentation, security scans, penetration testing, and encryption. In addition, they should routinely review software patching solutions, implement active alerts in intrusion detection systems, and periodically perform test backups. When data is no longer needed, hospitals should destroy it.

Bruno noted a need to categorize data as falling into the purview of specific laws, including HIPAA, the Children’s Online Privacy Protection Act of 1998 (COPPA) (P.L. 105-277), and various other federal and state laws, as well as industry standards. In addition, hospitals should take note that European countries accept a much broader definition of PII than the U.S., and that care should be taken the handling of information from European nationals. The hospital’s website should disclose its privacy practices. Mills discussed laws and industry standards that govern debtor data, including the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to provide their customers with notice of the institutions’ privacy practices and to safeguard sensitive data.

Kelly discussed hospitals responsibilities with respect to employee data, including noting in many cases that employee medical information should be kept separate from personnel files and accessed only by certain authorized individuals. Employer must also be sure to comply with the Fair Credit Reporting Act (15 USC § 1681 et seq.) and any applicable state laws.

Grimaldi discussed the need to inform employees of the location of PII policies and procedures and make sure they are easily accessible to employees. Hospitals should diversify training materials to discuss types of data beyond PHI so that they understand what must be protected. It is crucial for hospitals to use plain language, skipping jargon, abbreviations, and acronyms, to ensure that each employee understands what is being discussed. For example, many employees may understand the importance of not clicking on strange emails, but may not know that the tactic is referred to as “phishing” and may thus not understand directions about responses to phishing campaigns. It has been suggested that information needs to be communicated seven times before it is truly understood, so it is important to deliver information in various modes, including training, newsletters, and staff huddles. Hospitals should train employees in various social engineering techniques that are relevant to the particular organization.

Bruno noted that hospitals must create a culture in which employees feel comfortable letting the organization know about potential and actual breaches, which are inevitable, whether through a malicious hack or a lost laptop. Once a breach is identified, a number of individuals should be involved in the response, including the privacy officer, the head of marketing, and the chief information security officer (CISO).