Recent privacy and security developments in human subject research were the topic of discussion during a recent Health Care Compliance Association (HCCA) webinar. The webinar presenter, William J. Roberts, a partner in Shipman & Goodwin LLP’s Health Law Practice Group and the Chair of its Privacy and Data Protection team, discussed: (1) the disclosure of substance use disorder records for research purposes; (2) the rights of a research subject to directly access their test results; and (3) electronic informed consent of research subjects.
Disclosure for research purposes
In discussing the disclosure of substance use disorder records of patients for research purposes, Roberts focused on the revised requirements for the research exception (42 C.F.R. sec. 2.52) set forth in the January 18, 2017 Final rule (82 FR 6052) issued by the Substance Abuse and Mental Health Services Administration (SAMHSA), which are effective March 21, 2017.
First, under the revised research exception at 42 C.F.R. 2.52(a), Roberts noted that a federally-assisted program or other lawful holder of patient identifying information may disclose this information to qualified personnel for the purpose of conducting scientific research if the individual designated as director or managing director, or other individual with comparable authority determines that the researcher or recipient of the patient identifying information satisfies the following requirements:
- has obtained and documented patient authorization or a waiver/alteration of authorization consistent with HIPAA; and
- provides documentation that (1) the researcher is in compliance with the requirements of the HHS regulations regarding the protection of human subjects, including the informed consent/waiver of consent requirements or (2) the research qualifies for exemption under the HHS regulations or any successor regulations.
In addition, under revised 42 C.F.R. 2.52(b), Roberts pointed out that the researcher who receives the information must: (1) not re-disclose patient identifying information except back to the individual or entity from whom the information was obtained; (2) maintain and destroy patient identifying information in accordance with the security policies and procedures under the Part 2 regulations; (3) retain records in compliance with applicable federal, state, and local record retention laws; and (4) if necessary, resist in judicial proceedings any efforts to obtain access to patient records containing Part 2 data.
Further, under 42 C.F.R. 2.52(c), Roberts pointed out that researchers may link to data from federal and non-federal data repositories holding patient identifying information, if the researcher: (1) has the request for data linkages reviewed and approved by an institutional review board (IRB) registered with the HHS Office for Human Research Protections; and (2) ensures that patient identifying information obtained is not provided to law enforcement agencies or officials.
Finally, under 42 C.F.R. 2.52(d), Roberts indicated that upon receipt of patient identifying information, data repositories are fully bound by Part 2 regulations and must: (1) after providing the researcher with the linked data, destroy or delete the linked data from its records (including sanitizing any associated hard copy or electronic media); and (2) ensure that patient identifying information is not provided to law enforcement agencies or officials.
Roberts believes that the key take-aways from the revised Part 2 regulations are that: (1) we can expect a more simplified process for obtaining patient information from Part 2 subject facilities and providers, which may open more doors to research collaborations and projects; (2) population health studies will benefit from linkages; and (3) future revisions to the regulations may be possible because SAMHSA has been soliciting additional comments and has expressed openness to future changes.
Rights of research subjects
In discussing the right of research subjects to directly access their test results, Roberts focused on some problems with the February 6, 2014 joint CMS and Office of Civil Rights (OCR) Final rule designed to harmonize the requirements of the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and Health Insurance Portability and Accountability Act (HIPAA) rules (see Amended CLIA, HIPAA regulations provide patients direct access to lab test results, Health Law Daily, February 6, 2014).
According to Roberts, while the joint Final rule amended the CLIA requirements to permit laboratories to give completed test results directly to a patient or patient’s representative upon request, and the HIPAA rule to require HIPAA covered laboratories to provide access rights to patients, it also created a conflict. For example, CLIA prohibits non-CLIA certified research laboratories from returning results to individuals for the “diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients,” while HIPAA-covered laboratories have a legal responsibility to provide research results to research subjects upon request if the information is in the “designated record set.”
Roberts explained that the Secretary’s Advisory Committee on Human Research Protections (SACHRP) has made three recommendations to resolve the CLIA/HIPAA conflict:
- HHS (including OCR, FDA, CMS) should clarify and ratify necessary regulatory interpretations or amendments so that researchers in a non-CLIA-certified laboratory are able to refer, without penalty, a research subject to a CLIA-certified laboratory for additional testing after identifying clinically actionable information.
- HHS should clarify the duties of HIPAA covered entities to provide results to individuals, upon their request, from non-CLIA-certified laboratories.
- OCR should provide guidance on how to interpret the “designated record set” in the context of access to test results from non-CLIA research laboratories.
Until there is closure on these recommendations, Roberts recommended that covered entities: (1) review existing practices of researchers with respect to participants’ access to test results; (2) review the standard for determining what test results are part of the “designated record set”; and (3) consult the IRB or counsel about responding to requests.
Electronic informed consent
Roberts’ discussion of electronic informed consent (eIC) included the examination of: (1) a joint FDA/Office for Human Research Protections (OHRP) frequently asked questions guidance; (2) paper v. eIC; (3) electronic signatures; and (4) verification of the research subject’s identity.
The upshot of the joint guidance, according to Roberts, is that: (1) if the research is conducted or supported by HHS and involves an FDA-regulated product, it is subject to both the FDA and HHS regulations; and (2) in the event the regulations differ, the regulations that offer the greater protection to human subjects should be followed.
Roberts explained that both OHRP and FDA regulations allow for the use of eIC and paper informed consent, independently or in combination with each other, and for electronic signatures to be used in lieu of traditional signatures.
Roberts suggested that an eIC should: (1) be easy to navigate; (2) allow the user to proceed forward and backward and to stop and continue at a later time; (3) use hyperlinks where helpful; (4) give patients options to use paper or electronic; and (5) ask: Do research subjects need assistance in completing the eIC? Roberts also suggested that research subjects be given a copy of the written informed consent form, preferably with the subject’s signature and the date the form was executed.
Finally, Roberts cautioned that before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization must verify the identity of the individual.
Overall, with regard to eIC, Roberts recommends checking with the IRB about the use of eIC to ensure that the IRB agrees that the format may be used for the particular research. Examples of possible formats include: encrypted digital signature, electronic signature pad, voice print, and digital fingerprint.
Roberts also recommended: (1) reviewing and revising privacy policies and procedures with respect to any eIC data stored in “the cloud” to ensure compliance with applicable laws; (2) ensuring that eIC materials are easy for the research subject to navigate; and (3) ensuring eIC technology allows an easy way for subjects to ask questions and get answers.