Originally Published MX November/December 2003
GOVERNMENTAL & LEGAL AFFAIRS
Managing Clinical Research in the Post-HIPAA World
The privacy rule will permanently alter the dynamics of relationships among sponsors, investigators, IRBs, and human subjects.
Benjamin S. Hayes and Jodi Finder
Perhaps no previous statutory and regulatory scheme has garnered as much attention from, or incited as much anxiety within, the U.S. healthcare system as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations (including the privacy rule) issued by the U.S. Department of Health and Human Services (HHS).1,2 The scope and complexity of HIPAA present compliance challenges that directly or indirectly affect virtually every aspect of the U.S. healthcare industry.
This article explores the specific impact that the privacy rule is likely to have in the area of clinical research. It focuses on the relationships among study sponsors, institutional review boards (IRBs), clinical investigators, and human subjects in that setting, and discusses how they are likely to be changed.
Traditional Roles of Clinical Research Participants
To understand the twist that the privacy rule adds to the interplay between sponsors, investigators, IRBs, and human subjects, consider first the traditional roles of these entities.
- The sponsor, which can be a product manufacturer, is responsible for initiating, developing the protocol for, managing, and/or financing a clinical trial.
- The investigator is the individual, such as a physician, who actually carries out the research protocol at the clinical trial site, which may be a hospital, clinic, or other healthcare institution.
- The IRB is an independent body, comprising appropriately qualified medical and nonmedical professionals, that maintains an oversight role.
- Human study subjects are the patients who receive treatment with the medical therapy, namely, the device or drug product that is being studied in the clinical trial.
Sponsor. The sponsor conceptualizes the clinical investigation; develops the clinical protocol and other pertinent written materials such as investigator brochures; selects qualified investigators to conduct the research under the protocol; submits required public filings, for example, to FDA; maintains research records; and takes any actions that may be necessary in response to safety risks. In conducting due diligence while choosing investigators, a sponsor must take into account each prospective investigator's level of education and professional experience, and also his or her familiarity with the proper use of the product under investigation. The sponsor should also look for historical evidence suggesting that the investigator will be able to recruit human research subjects who meet the criteria set forth in the protocol.
During due diligence, the sponsor traditionally might have demanded access to certain personal health information pertaining to potential human subjects, including demographic data and individual medical histories. That is a matter discussed later in this article. Although a sponsor may delegate its functions to a contract research organization (CRO), the sponsor retains ultimate responsibility for the quality and integrity of the patient data collected.3 This article does not address the possible implications of HIPAA for CROs.
Investigator. Investigators are responsible for soliciting human subjects to participate in clinical trials and for generating data through the ongoing treatment of those subjects. In order to qualify for inclusion in a particular study, human subjects must meet the demographic and medical characteristics specified in the study protocol. The investigator, who may have an established treatment relationship with the subjects or experience in working with certain types of patients in the pool from which subjects for the particular study would most appropriately be drawn, is in the best position to identify suitable candidates.
Institutional Review Board. The IRB's ultimate purpose is to ensure the protection of the human subjects' rights, safety, and well-being. This independent body is tasked with carrying out its mission by reviewing and approving the protocol, ensuring that legally effective informed consent is obtained from each participating subject, monitoring the way the study is conducted, and responding to any safety issues that may arise with the occurrence of adverse events.
Human Subjects. The study subjects obviously are the sine qua nons of a clinical trial. Their role is to be a source of data, inevitably by revealing individually identifiable and, therefore, personal information about themselves in order to contribute to the advancement of scientific knowledge and to enable sponsors to bring products to market. However, controlling the use and disclosure of personal data is the essence of HIPAA's privacy rule. Therefore, this legal scheme fundamentally alters the dynamic between the parties to clinical research.
The Post-HIPAA Environment
The privacy rule applies to clinical research because most such research involves the acquisition, use, and disclosure of protected personal health information (PHI). PHI, which includes essentially any individually identifiable information relating to a patient and generated in a healthcare context, can be seen as a regulated commodity under HIPAA. The privacy rule imposes strict limitations on how regulated entities may collect, use, and disclose PHI. These restrictions have broad implications in the clinical research world, particularly for the relationships among the parties to a clinical trial.
Investigators as Covered Entities. Entities that are directly regulated under HIPAA are referred to as covered entities and fall into three primary categories: healthcare providers who engage in so-called standard transactions; health plans, including health maintenance organizations (HMOs) and employee benefit plans; and healthcare clearinghouses, that is, businesses that process claims or engage in certain types of healthcare-related data processing. The vast majority of potential clinical research investigators inevitably belong in the first of these categories.
In order for a particular investigator to be a covered entity, that investigator must meet two criteria. First, the person or entity must be a healthcare provider. From the perspective of HIPAA, a person need not carry any particular license, set of credentials, or job title to be considered a healthcare provider. Such an identity is a function of the activities in which the person engages. Virtually any activity that would typically be undertaken by a doctor or nurse, including things as simple as drawing blood or dispensing pills, can make a person or entity a healthcare provider for HIPAA purposes. There is no prerequisite that treatment be administered for the label healthcare provider to attach.
The second criterion (that a healthcare provider must engage in standard transactions) is deceptively simple at first blush. A standard transaction is an electronic exchange of health-related data coded and arranged in a particular format specified by HIPAA.
Many small healthcare providers may believe they can escape the reach of HIPAA by continuing to operate primarily through the exchange of paper files. Investigators may see the standard-transaction requirement and breathe a sigh of relief, citing their exchange of paper records with the study sponsor as a reason for HIPAA not to apply to them.
This comfort is illusory. For one thing, a healthcare provider who is a covered entity in one context is a covered entity in all contexts. Therefore, an argument that an investigator is a covered entity in a healthcare practice, but not in a clinical research setting, is doomed to fail. Second, HIPAA's standard-transaction regulations require many types of communication related to healthcare to be conducted as standard transactions. Most healthcare providers have focused primarily on the HIPAA privacy regulations and overlooked the communication requirements.
The inescapable conclusion is that the vast majority of clinical investigators are healthcare providers who already do, or will inevitably, engage in standard transactions. In other words, most investigators are covered entities.
The most obvious implication of this reality is that investigators are now subject to greater scrutiny regarding their use and disclosure of patient information. In the pre-HIPAA world, the IRB was the primary watchdog over both the investigator and the sponsor. HIPAA has introduced a new dynamic. Although the role of the IRB has not changed, investigators are now also subject to direct oversight by HHS as covered entities under HIPAA. This situation creates additional compliance burdens for investigators, along with associated stresses and risks.
Limits on Use and Disclosure of PHI. Being regulated as a covered entity has introduced to the investigator a broad range of new considerations. Under HIPAA, a human subject's personal (that is, individually identifiable) health information may not be used without that person's prior written authorization, except when used for treatment, in payment for medical services, or to conduct healthcare operations, such as administrative functions. This requirement imposes a significant limitation on the ability of investigators to collect, use, or disclose research-related patient information. Although HIPAA includes exceptions that permit on-site review of patient data preparatory to research (provided none of these data are copied or removed from any premises), the privacy rule is still likely to affect prestudy evaluations of patient data, thereby complicating the process of investigator selection by sponsors.
HIPAA's impact on IRBs is not entirely clear. The privacy rule allows an investigator to disclose PHI to a sponsor for research purposes without a prior written authorization in the event that an IRB waives this requirement. Aside from granting this power to waive the authorization requirement, however, HIPAA is quiet concerning the IRB's role. It does not, for instance, alter any preexisting requirement concerning informed consent or the role of IRBs in protecting human subjects.
In practice, many IRBs are confused about their role, scrambling to sort out whether they should act as the default HIPAA police by ensuring observance of HIPAA rules by all parties to each study, or should take a more hands-off approach. Many IRBs are, at a minimum, actively reviewing forms for patient authorizations and seeking changes where those forms are found to be deficient from a HIPAA standpoint.
The lack of clarity concerning the role of the IRB vis-à-vis HIPAA is itself turning out to be a complicating factor. IRBs are likely to be very cautious regarding any issue that turns on an interpretation of HIPAA, and this may, in turn, prolong the process of protocol approval or cause other administrative complications.
Study Sponsors as Business Associates. HIPAA does not directly regulate many of the parties with which a healthcare provider may share or exchange PHI. Instead, it imposes a broad set of requirements on healthcare providers themselves, which are designed to limit or regulate how PHI may be shared by threatening consequences for providers who do not thoroughly monitor or actively control the uses and disclosures of PHI.
One key concept related to these limitations is that of the business associate. Healthcare providers covered by HIPAA may share PHI with business associates only if the business associate agrees contractually (that is, through a business associate agreement) to a number of restrictions and obligations imposed by regulation on the business associate's use of PHI. Unfortunately, ambiguities in the HIPAA definition and the privacy rule's explanation of the term business associate leave sponsors of medtech research studies in an uncomfortably hesitant position.
HIPAA defines business associate as an entity that, on behalf of a covered entity, accesses or uses PHI that is obtained from the covered entity. Although study sponsors clearly access and use PHI that comes from covered entities (that is, investigators), it is much less clear that sponsors are performing their clinical trial-related activities (namely, designing trial protocols, selecting investigators, and analyzing study data) on behalf of the entities that are conducting the research. Traditionally, the clinical research construct establishes investigators as providing their services on behalf of sponsors rather than the other way around.
The absence of HHS guidance on this point necessarily raises the question as to whether sponsors might be the business associates of their investigators. The agency has issued interpretive guidance on HIPAA in the form of several dozen frequently asked questions (FAQs) documents, but has been reluctant to address the issue of whether a study sponsor is, in fact, the business associate of an investigator.
The implications of a sponsor being deemed the business associate of each of its investigators are significant from a transactional and cost standpoint. Each investigator would have a legal obligation to refrain from sharing PHI with the sponsor until the sponsor executed a business associate agreement. This agreement is required by the privacy rule to contain certain terms.
Sponsors that had to sign business associate agreements would be obligated, at a minimum, to agree to:
- Take appropriate measures to safeguard PHI and ensure that any agents or contractors do the same.
- Implement procedures to detect violations of the agreement and the privacy rule and to report them to the investigator, as well as to mitigate the adverse effects of any improper use or disclosure of PHI.
- Implement procedures to respond to requests for access to a patient's PHI and to requests for the opportunity to obtain an accounting of uses or disclosures.
- Make its records and policies available to HHS.
- Maintain a disclosure log.
- Implement procedures to ensure that agents and subcontractors abide by the terms of the agreement.
In addition, where individual patients' personal information would ultimately be used for marketing purposes (for example, to develop marketing strategies or evaluate the potential customer base), the sponsor would have to implement procedures to strip PHI of 19 categories of identifiers, such as name, address, social security number, and birth date, to convert it into deidentified information.
The requirement that sponsors sign business associate agreements would be a significant change to the traditional research construct. But perhaps even more significant is the potential inequity that this seeming role reversal begets.
Because each investigator is a covered entity and, therefore, is the only one of the two associated parties that is under an explicit legal obligation to comply with HIPAA, the onus is on the investigator to ensure that a business associate agreement is executed. Yet, in the traditional model, the sponsor set all contractual terms regarding the role of the investigator in the study because the sponsor generally retained most of the bargaining leverage. Potential investigators now may have to present sponsors with contracts that the sponsors do not wish to sign. And if a sponsor refuses to sign, it may have to forgo participation in the study.
Mitigating the Impact of HIPAA
Sponsors of clinical research trials face several specific risks that stem directly or indirectly from the HIPAA privacy rule, chiefly:
- Attrition of potential clinical investigators and study sites.
- Execution of inconsistent contracts with investigators and sites.
- Increased costs associated with coordinating HIPAA compliance with investigators.
These problems can be managed through good-faith efforts on the part of sponsors to provide investigators with HIPAA-compliant tools that can make the investigators' own compliance with HIPAA easier.
Optimizing the Business Associate Agreement. Although a sponsor that is not itself a covered entity is not directly subject to any HIPAA requirements, that sponsor nonetheless retains a compelling interest in coordinating compliance efforts among its investigators. A sponsor deemed to be a business associate is required to execute a business associate agreement with each investigator. The sponsor will likely prefer the administrative efficiency and legal predictability of signing the same form of agreement with each investigator to the transaction costs and the chaos of signing numerous (possibly inconsistent or conflicting) agreements generated by multiple investigators.
In performing a cost-benefit analysis to decide which contracting approach is most viable, the trial sponsor should bear in mind that, while a business associate agreement must contain certain terms, it may also contain many additional terms upon which the parties agree. Each investigator may seek to customize its agreement, thereby forcing the sponsor into numerous review and negotiation processes.
Even when multiple investigators follow the basic business associate guidelines appearing in the privacy rule, the sponsor cannot prudently assume that the terms of the contracts are consistent and therefore impose consistent legal obligations on the sponsor. A specific review of each contract presented is necessary. Therefore, sponsors are well advised to create a standard business associate agreement for each study, to be executed by each investigator associated with the study.
A sponsor may find itself forced to balance conflicting interests when crafting its standard business associate agreement. For instance, although the HIPAA privacy rule does not require that these documents contain indemnity language, risk-averse contracting parties often wish to address indemnity. Sponsors, on one hand, have an interest in ensuring that investigators will indemnify them for any losses occasioned by the investigator sending data to the sponsor that have not been collected or disclosed in accordance with HIPAA (which could result in disruption of the study).
On the other hand, investigators may refuse to sign business associate agreements with this type of additional indemnity language, or they may seek to substitute language more favorable to themselves.
The matter of indemnity terms can develop into a highly contested and much-negotiated issue that will cause the sponsor to struggle to obtain a suitable body of investigators.
Optimizing the Patient Data Release Authorization. A second approach to HIPAA compliance coordination is the creation of a standard patient authorization for the release of PHI for research purposes. All patients participating in a clinical study must sign an authorization form, and it is the investigators who must obtain these authorizations.
Rather than burden investigators with the compliance challenge of crafting an appropriate authorization form (a challenge that could be a disincentive for many to participate in a study), sponsors should create a uniform authorization to be used at each site.
In addition, it is likely to comfort investigators further if a sponsor has its patient authorization form reviewed or approved by the IRB that approves the study protocol. IRBs are not required to review or approve HIPAA-required patient authorizations. However, many are being asked to do so by sponsors and are considering patient authorizations to be like other informed-consent documents under review.
Each of these steps is calculated to achieve one end: to maintain the pool of investigators available to the sponsor. If potential investigators begin to perceive HIPAA as a cost-prohibitive barrier to participation in clinical research, they are less likely to participate. If sponsors are insensitive to the legal obligations of their investigators, investigators may well consider the risks of participation in a study to outweigh the benefits. Sponsors ignore HIPAA at their long-term peril.
Conclusion
The challenges involved in integrating HIPAA compliance into the clinical research setting are not insurmountable. Indeed, the sky-is-falling cries of many consultants and affected organizations should be regarded with a grain of salt. It is certainly true, however, that HIPAA will permanently alter the dynamics among sponsors, investigators, IRBs, and human subjects. This has become a fact of life.
By managing HIPAA requirements well, sponsors can minimize their potential impact, facilitate smooth transitions for investigators into the new way of doing things, and otherwise carry on as usual. Study sponsors that approach HIPAA from a position of intransigence, however, may find their available pool of investigators shrinking and their long-term goals more difficult to achieve.
References
1. Health Insurance Portability and Accountability Act of 1996, Public Law 191, 104th Cong., 2nd sess. (21 August 1996).
2. "45 CFR Parts 160 and 162: Standards for Privacy of Individually Identifiable Health Information, Final Rule," Federal Register, 65 FR:53181-53273 (August 14, 2002).
3. Guideline for Good Clinical Practice, ICH Harmonised Tripartite Guideline (Geneva: Committee E6 on Good Clinical Practice, International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use, 1996).
Benjamin S. Hayes is an attorney in the law firm of Kirkpatrick & Lockhart LLP (Washington, DC). Jodi Finder is an attorney in the firm of Buchanan Ingersoll (Washington, DC).
Copyright ©2003 MX



