Clinical Researcher—February 2025 (Volume 39, Issue 1)
GOOD MANAGEMENT PRACTICE
Lindsay Dymowski Constantino
The U.S. Department of Health and Human Services (HHS) ended 2024 by announcing a proposed rule that would adjust the data privacy and security requirements issued under the Health Insurance Portability and Accountability Act (HIPAA). According to the HHS, the proposal was triggered by the “increasing frequency and sophistication of cyber attacks in the healthcare sector” and primarily focuses on revising existing standards to “better protect the confidentiality, integrity, and availability of electronic protected health information.”
The changes suggested by the proposed rule could take many years to implement, and any number of substantive changes could occur before it is finalized. However, the press release announcing the proposal offers some helpful guidance in the interim for clinical researchers and others who face compliance duties under HIPAA. It says the proposal responds to a number of common compliance deficiencies regularly encountered by HHS investigators, suggesting that organizations can prepare for the new rules by taking steps to ensure they are properly complying with the current ones.
The following provides an overview of HIPAA’s key data privacy and security measures, along with some steps organizations engaged in clinical research can take to ensure they are in compliance.
Securing Protected Health Information
Safeguarding protected health information (PHI) is the focus of HIPAA’s data security controls. PHI is individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits. It is not limited to clinical content: the identifiers that make health information identifiable are the kind of data collected from customers in every industry, such as name, address, phone number, and Social Security number. It also includes identifiers specific to the relationship between healthcare providers and their patients, such as medical record numbers, health plan beneficiary numbers, and the dates patients were admitted to or discharged from care.
Clinical research organizations that are covered entities or business associates are subject to HIPAA’s PHI rules. Generally, HIPAA prohibits the use or disclosure of PHI without the individual’s written authorization unless the rules specifically permit or require it. HIPAA provides exceptions to the authorization requirement for research purposes, but only when certain conditions are met.
One exception is a waiver or alteration of the authorization requirement approved by an institutional review board (IRB) or by a privacy board that meets the standards detailed in the rules. A separate exception covers reviews preparatory to research: a covered entity may permit a researcher to review PHI if the researcher represents that the review is necessary “to prepare a research protocol or for similar purposes preparatory to research” and that PHI will not be “removed from the covered entity by the researcher during the course of the review.”
Protecting Against “Reasonably Anticipated Threats”
HIPAA’s required controls are defined as those that ensure confidentiality, integrity, and availability of PHI by protecting against any “reasonably anticipated threats or hazards” and any “reasonably anticipated uses or disclosures” not permitted or required by law. By focusing controls on “reasonably anticipated” issues, HHS intended to make the rules scalable, rather than “one-size-fits-all.”
HHS says data security threats can vary based on several factors, with the most effective controls focused on an organization’s unique threat landscape. To comply with the reasonability requirement, it recommends that organizations consider the size of their operations, their complexity, and their capabilities for safeguarding data, among other factors. It also says the “probability and criticality of potential risks” should play a role in developing a compliant security response.
Beyond the technical safeguards that security software provides, HIPAA also requires physical safeguards for PHI, including facility access controls that limit physical access to “electronic information systems” and the facilities in which they are housed. The physical safeguards also cover workstation use and security, and controls over the devices and media that hold PHI.
HIPAA requires security training as part of its compliance requirements to ensure controls are appropriately deployed. Covered entities must also take steps to encourage compliance among their “workforce.” When members of the workforce fail to comply with security policies and procedures, HIPAA requires organizations to apply “appropriate sanctions.”
Bringing Data Security Up to Standards
Standard data security controls aimed at detecting and preventing cyberattacks provide a solid foundation for HIPAA compliance. However, HIPAA also mandates some controls that the average research organization may deprioritize or skip altogether for the sake of efficiency or cost savings. The following are some controls required by HIPAA that off-the-shelf security tooling might not cover.
First, HIPAA data security compliance begins with a thorough risk analysis. The rules state that covered entities must conduct “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” The security measures that HIPAA requires focus on reducing the risks identified in an organization’s risk analysis.
HIPAA also requires regular reviews of data activity, stating that organizations should have procedures that facilitate regular reviews of information system records. It specifically mentions audit logs, access reports, and security incident tracking reports as records that should be considered during reviews.
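The activity review above is usually the control that goes unimplemented, because an audit log that nobody reads satisfies nothing. The following is an added example (not code from the article, HHS, or any EHR vendor) of what a periodic review of PHI access records can look like in practice. The log format, the study rosters, the business-hours window and the volume threshold are all assumptions for the demonstration, and the log lines are constructed, not real data; a real review would run over an EHR or CTMS access export and tune the thresholds from the organization’s own risk analysis.

```python
"""Information system activity review over PHI access records.

Added example for illustration only; not part of the original article or of
any HHS guidance. Log format, rosters and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real data). Assumed fields, whitespace
# separated: timestamp, user, role, action, medical record number, study.
SAMPLE_LOG = """\
2025-02-03T09:14:02 jdoe coordinator VIEW MRN0001 STUDY-A
2025-02-03T09:15:40 jdoe coordinator VIEW MRN0002 STUDY-A
2025-02-03T23:47:11 jdoe coordinator EXPORT MRN0003 STUDY-A
2025-02-03T10:02:55 rroe monitor VIEW MRN0004 STUDY-B
2025-02-03T10:03:01 rroe monitor VIEW MRN0001 STUDY-A
2025-02-03T11:00:00 tlee statistician VIEW MRN0001 STUDY-A
2025-02-03T11:00:30 tlee statistician VIEW MRN0002 STUDY-A
2025-02-03T11:01:00 tlee statistician VIEW MRN0003 STUDY-A
2025-02-03T11:01:30 tlee statistician VIEW MRN0005 STUDY-A
2025-02-03T11:02:00 tlee statistician VIEW MRN0006 STUDY-A
2025-02-03T11:02:30 tlee statistician VIEW MRN0007 STUDY-A
"""

# Assumed roster: who the approved protocol authorizes to access each study's PHI.
STUDY_TEAMS = {
    "STUDY-A": {"jdoe", "tlee"},
    "STUDY-B": {"rroe"},
}


def parse_log(text):
    """Parse access-log lines into dicts; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, action, mrn, study = line.split()
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "action": action,
            "mrn": mrn, "study": study,
        })
    return entries


def review(entries, teams, business_hours=(7, 19), max_distinct=5):
    """Apply three review rules and return a list of findings.

    Each finding is a dict with 'rule', 'user' and 'detail'. The rules are
    illustrative choices for this example, not requirements taken from HIPAA:
      after_hours       - access outside the assumed business-hours window
      not_on_study_team - user is not on the roster for the study accessed
      high_volume       - user touched more distinct records than the threshold
    """
    findings = []
    distinct_records = defaultdict(set)
    start, end = business_hours
    for e in entries:
        if not (start <= e["ts"].hour < end):
            findings.append({"rule": "after_hours", "user": e["user"],
                             "detail": f"{e['action']} {e['mrn']} at {e['ts'].isoformat()}"})
        if e["user"] not in teams.get(e["study"], set()):
            findings.append({"rule": "not_on_study_team", "user": e["user"],
                             "detail": f"{e['action']} {e['mrn']} under {e['study']}"})
        distinct_records[e["user"]].add(e["mrn"])
    for user, mrns in sorted(distinct_records.items()):
        if len(mrns) > max_distinct:
            findings.append({"rule": "high_volume", "user": user,
                             "detail": f"{len(mrns)} distinct records (threshold {max_distinct})"})
    return findings


def rules_by_user(findings):
    """Summarise findings as {user: sorted rule names} for triage."""
    summary = defaultdict(set)
    for f in findings:
        summary[f["user"]].add(f["rule"])
    return {user: sorted(rules) for user, rules in summary.items()}


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG), STUDY_TEAMS):
        print(f"{f['rule']:<18} {f['user']:<6} {f['detail']}")
```

Run against the constructed log, the review flags an after-hours export by jdoe, an access by rroe to a record under a study rroe is not rostered on, and tlee touching more distinct records than the threshold. The point is that each finding ties back to a record the rule already requires the organization to keep (the access report and the roster approved by the IRB); the review is the step that turns those records into something an investigator can see was actually done.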
With clinical research facilities, IRBs can play a key role in ensuring data protocols are compliant. They can evaluate proposals to ensure researchers have outlined adequate security measures for storing and accessing PHI, including physical safeguards that anticipate and address reasonable threats. They can also monitor projects to ensure all involved are following the established security protocols.
HIPAA seeks to safeguard the integrity of the U.S. healthcare system in a way that promotes trust between patients and providers. Its data security provisions support that effort by ensuring PHI is not misused or abused. By staying compliant with HIPAA, clinical research settings can help to ensure the law’s data security measures achieve their goals.
Lindsay Dymowski Constantino is President of Centennial Pharmacy Services, a leading medication-at-home pharmacy, and co-founder of LTC@Home Pharmacy Companies, which supports the pharmacy and broader healthcare industries in providing long-term care pharmacy services in the home setting. With more than 15 years of experience in the pharmacy field and a strong entrepreneurial spirit, she enables better health outcomes through patient-centric care and has a deep understanding of what drives successful pharmacies beyond medication dispensing. She is passionate about the future of pharmacy in healthcare and actively advances pharmacy practice through national conference presentations, media appearances, continuing education programs, and board memberships.