Q & A - HIPAA BASICS FOR CLINICAL RESEARCH

By Marilyn Windschiegl, Contracts & Compliance Manager

Q: Is a clinical study sponsor permitted to collect patient initials on any form (e.g., case report forms or any other document)?

A: To begin, patients’ initials are PHI, so if the sponsor’s intent is to use only de-identified patient data, initials will not work. However, sponsors are not required by law to use de-identified data, so using initials is not a problem unless it contradicts the sponsor’s promises to the researcher or Covered Entity about what it will use in the study. If the sponsor is a pharmaceutical company/industry sponsor, its obligation under HIPAA is limited to what the Covered Entity permits for uses and disclosures as described in the clinical trial agreement. Most Covered Entities would expect a sponsor to limit use of PHI to what is needed to perform the study and to ensure that the study drug or device is safe and effective. Covered Entities should therefore add language to the clinical trial agreement that defines what the sponsor is permitted to do with the PHI. If the sponsor is an employee of a Covered Entity (i.e., investigator-initiated), the collection of patient initials would mean that the researcher is collecting PHI, which would have to be protected from further use or disclosure except as authorized by the patient, unless an IRB or Privacy Board alters or waives the requirement.

Q: Are there any potential implications or causes for concern in sharing a limited data set under a data use agreement with a private company which is not a covered entity?

A: Covered Entities often share Limited Data Sets (LDS) pursuant to a Data Use Agreement (DUA) with private companies that are not Covered Entities. However, the LDS can only be used for research, public health, or health care operations. Since the LDS is still PHI and still subject to HIPAA, the Covered Entity providing the LDS would want to be sure that it is being shared for a permissible reason. (This requirement is captured in 45 CFR 164.514(e).) If the private company is performing a function on behalf of a Covered Entity, a Business Associate Agreement is needed in addition to the DUA. Since the advent of the HITECH Act, Business Associates are directly liable for protecting PHI (although Business Associates are not required to comply with every aspect of HIPAA). If the private company is a Business Associate, it is hopefully aware of this legal obligation and following HIPAA appropriately.

Q: As a covered entity, is it necessary that we take steps to address and contractually obligate the sponsor, or any other recipient of PHI pursuant to an authorization form, to limit their use of the PHI to the authorization’s uses?

A: The patient’s HIPAA Authorization gives the Covered Entity permission to disclose PHI for use in the study, but it does not carry forward to also bind the sponsor. The Covered Entity needs to contractually obligate the sponsor (or other recipient), via the clinical trial agreement and/or a data use agreement, to limit uses or disclosures as spelled out in the Authorization, unless the use/disclosure is otherwise required or permitted by law.

Disclaimer: PFS Clinical has made reasonable efforts to ensure the accuracy of the information contained in this document; however, this document is provided “as is” without any express or implied warranty. This document does not constitute legal advice. If you require legal advice, please consult with your attorney.