Clinical Researcher—March 2018 (Volume 32, Issue 3)
Marti Arvin, JD
Organizations engaged in clinical research have a number of complex regulations to follow to ensure compliance, with one particularly challenging area of regulations being privacy and information security. Key to understanding the implications of privacy and information security in research is knowing that concerns can arise in each phase of the research project. What happens during one phase of the project can have implications in later phases.
Breaking down the phases and discussing those implications will help clinical research professionals meet regulatory and contractual obligations. As a result, it will also reduce the risks to the organization conducting the research.
There are also multiple laws and regulations that can impact privacy and information security considerations in a research project, including the Health Insurance Portability and Accountability Act (HIPAA),1 on which this article will primarily focus.
Phases of the Research Study
For purposes of this article, the phases of a research project will be broken down into the following:
- Protocol development
- Grant submission or contracting with sponsors
- Institutional review board (IRB) submission
- Conducting the study
- Closing out the study
- Ongoing storage of data and data destruction
When developing a project, researchers must consider details like: What data do they need? What are the inclusion exclusion criteria? How and with whom will any collected data be shared? From where or whom will data be acquired? Will the data being collected be identifiable or de-identified? As the protocol is developed, each of these questions should be considered not only to explore the hypothesis, but also for the privacy and security implications.
When considering what data are needed, researchers must fully explore the hypothesis to determine what data elements might be included in the protocol. They must identify not only the primary types of clinical data (e.g., historical and physical records, laboratory results, operative reports, etc.), but what other data are necessary. Will the project be collating information from multiple sources? If so, what unique identifier(s) is needed to identify the subject’s data across those multiple sources? Further, if the research requires demographic data, that should be identified in the protocol and not merely assumed.
Establishing a protocol that appropriately identifies the right data for the study can have implications later in the study. For example, if the data being sought for review are not clearly articulated in the protocol when a researcher seeks approval for a waiver application under HIPAA, the IRB or privacy board may not authorize the application.
The approving body for the HIPAA waiver application must determine the necessity of the information being requested for the project.2 If the application lists more data elements than are delineated in the protocol, it could result in questions of why the researcher needs the additional information.
It’s also important to use consistent language to discuss how data will be collected, stored, retained, or destroyed. The language must be consistent across all study documents, starting with the protocol. Language that is in the protocol but not carried forward in all other documents can create confusion. It could also result in violations of regulatory obligations or contractual agreements. This lack of consistency across study documents will be discussed more in the sections ahead.
Grant Submission or Contracting with Sponsors
When research professionals complete documentation for grant proposals, they should follow the grantors’ requirements. Those requirements may contain language regarding the need to meet certain regulatory obligations. For example, it is becoming more common for federal regulators to require some level of compliance with the Federal Information Security Management Act (FISMA),3 meaning the individual completing the grant proposal must understand the varied obligations of compliance under FISMA. If the individual indicates his/her organization can and will meet the FISMA obligations, this involves taking on compliance risks.
Cost implications are another consideration; if a grant is awarded, the additional financial implications of agreeing to certain regulatory compliance obligations must be considered. If an organization accepts funding but is not meeting the obligations, it could result in a False Claims Act4 violation when the grant comes from a federal agency.
There can also be issues with sponsor contracts under the clinical trial agreement (CTA). If the office negotiating these agreements is not aware of the consequences of the agreed-upon terms, the study and the study team can be impacted. Sponsors may wish to include language about the informed consent document, the HIPAA authorization, record retention obligations, and use of the data once they are acquired.
If the sponsor proposes an informed consent document outlining how the subject’s information is protected or viewed, that language must be consistent with the language ultimately approved by the IRB. If it is not, this needs to be reconciled by communicating during the negotiations or ensuring modifications to the agreement.
The CTA may also have language about records retention that differs from the policies of the organization. This means the potential cost associated with the records retention must be factored into the budget, and there must also be communication with the study team to assure its members understand the retention obligation. This is particularly true if the retention language in the CTA differs from organizational policies that make the retention period longer.
Once the protocol is done, and often while the funding is being finalized, the researcher will submit the study to the IRB for approval. The IRB has traditionally been tasked with evaluating studies with the protection of the human subjects as its primary focus.
Not only is the IRB responsible for evaluating the merits of the study in the context of the Common Rule,5 it is often also the body that approves waivers of authorizations under HIPAA. Some institutions may also choose to approve HIPAA authorizations needed in the study, even though there is no regulatory obligation to do so.
Issues with HIPAA Waiver Application
To review protected health information (PHI) held by a HIPAA-covered entity without subject permission, the researcher will need to submit a waiver application. This is where it is important for the researcher to understand the difference between HIPAA and the Common Rule. HIPAA is applicable to even look at identifiable data; the Common Rule is applicable when there is a desire to record identifiable data. HIPAA is implicated even for non-human subject research if the researcher needs to see PHI.
When a researcher applies to the IRB or an institution’s privacy board for a waiver of the HIPAA Privacy Rule authorization requirement, at least three things should happen:
- Assure that the data being requested in the waiver application are all of the data that need to be looked at and/or recorded. If the study needs 20 data elements but the application only identifies 15, the researcher cannot legally acquire the remaining five data elements.
- If the data being requested go beyond what the protocol delineates as necessary for the study, the reviewing body (IRB or privacy board) should question the researcher regarding why the additional data are being requested. If the researcher identifies the additional data as needed for the study, then consideration should be given to modifying the protocol. If it is not justified, the waiver application should be adjusted.
- The reviewing body should assess the provisions in the waiver for how data will be protected. IRB or privacy board members may not wish to assess the adequacy of the security protections for the data; however, the HIPAA rule states approval of a waiver requires the researcher to demonstrate “an adequate plan to protect the identifiers from improper use or disclosure.”6
A possible win-win is to have the researcher agree or attest in the application that he/she will follow the organization’s information security policies and standards. This allows the approving body to determine if an adequate plan exists, without requiring them to assess specific criteria around data protection. This also allows an auditable standard for any oversight office to test against.
Issues with HIPAA Authorizations
If the study in question is a clinical trial involving the need to access PHI from an entity covered by HIPAA, the researcher will need valid authorization to get the data. In some organizations, the IRB has elected to review the authorization. With or without an IRB review, there are some key areas to assess in an authorization:
- Does the authorization meet all the criteria identified in the HIPAA Privacy Rule for a valid authorization? If all of the criteria are not included, the authorization is not valid and the data cannot be legally looked at or acquired.
- Has the document captured all of the data elements the researcher may desire access to from the covered entity? For example, if the document does not include access to diagnostic test results but that is necessary for the study, the researcher may not review or obtain such information.
- If the study will include sensitive data requiring explicit permission to access (such as HIV status, behavioral health, or substance abuse data), is that specified in the document? For example, the study inclusion criteria require a negative HIV test; however, if the authorization does not provide an option to obtain explicit permission from the subject, the research team will not be able to access the test results. If the blood draw is performed and sent to a HIPAA-covered entity for analysis, the analysis could be performed, but the results could not be provided to the study team.
- Is the required expiration date appropriate for the nature of the study? If the authorization has an expiration date of one year from signature, but the study participation is anticipated to be two years with an additional four years of follow-up, this would require a new authorization each year of participation and follow-up.
Many research organizations have produced a template HIPAA authorization document for use in research. These templates help ensure all of the required data elements are included for a valid authorization under the regulations. However, having a template does not ensure compliance because the templates must be customized to each study. The study team is still responsible for ensuring the document is completed to reflect its specific study.
Conducting the Study
While the study is ongoing, the research team must assure it is meeting any regulatory or other obligations regarding protecting the privacy and security of the data being collected. The research team should have a clear understanding of what was approved by the IRB, what is included in the HIPAA authorization, and what is in the informed consent. The study documents should be in alignment.
As the research progresses, or members of the team change, there must be good communication regarding privacy and information security requirements. For example, if a new team member is added to the study but the individual has not read the study documents, there may be compliance issues. If the individual begins collecting data from sites that are not covered by the waiver of authorization, the data collected would not be legally obtained.
Failure to obtain an authorization is another possible issue. Research professionals have had the idea of “obtaining informed consent” drilled in to their brains for years, but since the advent of the HIPAA regulations, a valid authorization may also be required. Without the valid authorization, any data about the subject obtained from a HIPAA-covered entity would not be legally obtained.
Researchers may still confuse the intent of the HIPAA authorization and the informed consent. Even if there is language about how data will be used and shared in the informed consent, the document must include all of the required criteria for a valid authorization in order to meet HIPAA compliance.
Organizations must consider proper protocol if a researcher fails to get a valid authorization prior to acquiring data; this will raise HIPAA compliance issues for the research organization and the covered entity. It will possibly implicate compliance with the grant or contract for the study. It could also have implications for study integrity if the data cannot be re-acquired in a compliant manner.
Another common area of concern while conducting the study is informed consent. If the person obtaining informed consent is not clear on what any privacy or information security language in the document really means, there could be a misunderstanding by the subject that sets a higher level of expectation than intended.
Closing the Study
Privacy and security issues must also be considered when a study is ready to close. The same care must be taken at this stage to assess any regulatory or contracted obligations.
If the researcher indicated he/she will eliminate any identifiers for a retrospective records review once the study findings are published, then someone must assure this is done. If the clinical trial phase of the study is done but there will be ongoing follow-up for a number of years, does the authorization cover this long-term collection of data? This can be an issue if the expiration date of an authorization is three years from the date of signature, for example, but the follow-up data collection is intended for 10 years.
Records Retention and Destruction
Researchers generally have a primary interest in assessing the data and publishing their findings. Once that is completed, they are ready to move on to the next project. However, the records retention requirements to meet regulatory obligations and/or contractual agreements may go well beyond the date of publication.
The research team needs to be aware of the records retention obligations under any applicable regulations, any contractual agreement, and any institutional policy. Each of these may differ. The obligation to continue to protect the data is usually an institutional policy, but often it is the principal investigator and members of the study team who are actually carrying this out.
Study records can hold a wealth of information, some of which might be quite sensitive. Improper maintenance of data can lead to system vulnerabilities and compromised data privacy and integrity. This could lead to the need to notify subjects if their data are acquired by a third party. It could also lead to breach of contract or the inability to produce the data, should a regulatory body wish to conduct an audit.
Thinking about data privacy and security from the very beginning of the research project is critical. Failure to consider these issues in the beginning can exacerbate matters as the project proceeds. Much more work may be required by the research team to fix issues at a later date that could have been avoided.
Thinking of privacy and information security at every phase of the study will help minimize any noncompliance, reduce regulatory risk, and help ensure that subjects clearly understand what will happen with their data as result of agreeing to participate in the study.
- U.S. Department of Health and Human Services. HIPAA for Professionals. https://www.hhs.gov/hipaa/for-professionals/index.html
- Code of Federal Regulations. 45 CFR 164.512(i)(2)(iii). https://www.law.cornell.edu/cfr/text/45/164.512
- U.S. Department of Homeland Security. Federal Information Security Modernization Act. https://www.dhs.gov/fisma
- U.S. Department of Justice. False Claims Act. https://www.justice.gov/sites/default/files/civil/legacy/2011/04/22/C-FRAUDS_FCA_Primer.pdf
- U.S. Department of Health and Human Services. Federal Policy for the Protection of Human Subjects (‘Common Rule’). https://www.hhs.gov/ohrp/regulations-and-policy/regulations/common-rule/index.html
- Code of Federal Regulations. 45 CFR 164.512(i)(2)(ii). https://www.law.cornell.edu/cfr/text/45/164.512
Marti Arvin, JD, (firstname.lastname@example.org) is Vice President of Audit Strategy for CynergisTek.