Privacy Rules Plague Clinical Research

As the 14 April 2003 date to implement the federal policy for maintaining confidentiality of individual patient medical information nears, the research community is discovering more pitfalls and perils likely to affect study operations. The Bush administration made a few helpful changes in the final privacy regulations, which were required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but study sponsors, investigators, and oversight bodies see considerable trouble ahead.

The final rule was published 14 August 2002, and all affected organizations must comply with the policy next month or face stiff civil penaltieseven criminal charges for intentional violations that cause patient harm. By criminalizing a whole new area of health care practice, says attorney Mark Barnes (Ropes & Gray), the regulation has generated widespread fear that clinical researchers will be liable for any data misuse. Barnes contends that the HIPAA regulations take a Stalinesque approach by establishing a stringent and complex new regime that prohibits every use and disclosure of protected health information (PHI) unless specifically permitted or required by the regs.

Authorization required
These important rules affect the activities of all parties involved in clinical researchsponsors, investigators, contract research organizations (CROs), institutional review boards (IRBs), study monitors, and study participants. Covered entitieshealth plans and insurerscan access protected health information to carry out treatment, payment and health care operations (see the Health & Human Services Fact Sheet at www.hhs.gov/news/press/2002pres/hipaa.html).

Parties involved in research also may use and disclose PHI for biomedical research purposes, provided that the subject gives express written authorization for researchers to collect and use their medical information. The authorization process, therefore, is critical for carrying out clinical trials and for obtaining data for regulatory applications. Although authorization to access PHI is similar to informed consent, and generally will be obtained during the consent process, it has different purposes and requirements. Sponsors and researchers need to carefully construct authorization documents, explained the experts at a January meeting on privacy issues sponsored by the Food and Drug Law Institute (FDLI). They also need to inform and train study monitors and investigators on the proper implementation and oversight of privacy authorization. Key factors to consider when asking for authorization follow.

List all parties to the research who might need to access or review study data, including the Food and Drug Administration, data analysis firms, IRBs, data safety monitoring boards (DSMBs), and investigators. For large, multicenter trials, the list may be long. Participants should also be asked to authorize access to PHI from other health care providers who have provided treatment.

Be specific. An authorization should clearly define the protocol covered rather than trying to cover a range of clinical studies. An IRB may challenge a consent form or a privacy authorization form that requires a subject to sign away too many rights for too long.

Address revocation. HIPAA policy initially permitted study participants to revoke authorization when withdrawing from a trial. Researchers pointed out that this would create a serious problem, because FDA is particularly interested in drop-out data and requires that sponsors submit results for all trial participants. The final rule permits sponsors to use revoked data while a study is in progress.

Clarify limits on subject access to PHI. A prime right under HIPAA is that patients may access and review their personal medical records. Because this would compromise blinded, placebo-controlled trials, the final rule permits sponsors to ask individuals to waive the right to access personal records while a trial is being conducted.

Seek uniformity. Sponsors of multicenter trials may want to offer model authorization forms to investigators and contractors to gain uniformity in trial conduct and procedures. Academic medical centers (AMCs) and CROs may prefer their own versions. Finding a format agreeable to all parties may require negotiation.

Ensuring compliance
To ensure uniform compliance with HIPAA policies, all parties participating in research will need to revise and clarify contractual arrangements. Sponsors need to bind all contractorsCROs, DSMBs, and investigatorsto use trial data only for specified purposes in order to ensure legal access to needed information.

Similarly, plans and providers that are covered entities or business partners to such entities will want to ensure that trial sponsors and investigators abide by privacy regulations to prevent HIPAA violations. AMCs may require that sponsors agree to use study data only for research purposes and not for marketing or health economics analysis. Such limitations may create problems for sponsors, particularly biotech companies, that generally want to explore study data as new discoveries alter previous assumptions.

To ensure compliance, sponsors and CROs should train clinical trial monitors to look for appropriate research authorization forms when reviewing clinical sites. Privacy training should be offered to monitors and investigators, and privacy authorization policies should be included in protocol descriptions and investigator brochures.

Limited loopholes
HIPAA permits sponsors to use or disclose PHI without authorization when they have obtained a waiver from an IRB or privacy board. But dont count on going this route, advised Paul Curtin (Purdue Pharma) at the FDLI conference. The waiver rules are complex, and IRBs are expected to go slowly in granting them. Observers expect that waivers are most likely to be requested for retrospective medical record reviews and chart surveys to identify potential subjects for a study or for ongoing epidemiological research.

The impact of HIPAA on clinical trial recruiting is a serious concern. A preparatory to research provision permits researchers at a hospital or other covered entity to access that organizations health databases and tissue banks to identify likely study participants. However, outside researchers need a waiver or authorization to obtain patient contact information. Any data use under the waiver must be recorded so that patients can be informed of PHI disclosures if so requesteda cumbersome process that may prompt health care organizations to curb outside access to data altogether.

Researchers can skirt authorization and limits on using PHI by accessing only de-identified data. Unfortunately, this data set has so little information after all the de-identification that most parties consider it useless for many research purposes.

Multiple HIPAAs?
Compliance with federal privacy policy presents many challenges to researchersand action at the state level may complicate the situation more. More than 400 privacy laws have been introduced in state legislatures, and a new Texas law goes into effect 1 September 2003. Health care providers, as well as researchers, are mounting a campaign to amend this giant HIPAA law this spring when the Texas legislature is in session. Without key changes, sponsors say they will be unable to conduct clinical research in the state.

The Texas problem arises because the federal HIPAA law does not preempt state privacy laws that are more rigorous or more comprehensive, which certainly applies to the Texas policy. It expands the definition of covered entity to include all parties that use, store, transmit, or obtain PHI, which includes pharma companies, CROs, and just about everyone. What happens in Texas is important because other states, such as California and New York, are watching the situation to see if they should adopt similarly stringent privacy laws.

Privacy policies also have emerged around the world. The European Unions health data directive adds to the complexity of global trials by prohibiting overseas transmission of individual medical data. And HIPAA raises questions about how U.S. researchers should obtain authorization from study participants in Canada or other countries to allow use of study data involving foreign subjects.

Transition tricky
Studies underway before 14 April have leeway in complying with HIPAA. Authorization requirements apply to studies accruing subjects at the compliance date, and sponsors do not have to go back and seek privacy authorization from already enrolled participants who have signed appropriate consent forms. Sponsors may want to obtain authorization from already enrolled participants, though, to avoid creating a dual system for privacy protection of study participants.

In any case, sponsors, CROs, and research organizations will need to amend internal compliance policies to demonstrate a serious effort to incorporate privacy policies into corporate programs. While there is much concern over the possibility of stiff fines and jail terms for intentional disclosure of PHI for profit, the bigger risk from violations is bad PR and civil penalties, points out attorney Barnes. Companies also might be subject to breach of contract claims for using data for marketing or other purposes.

We have an ethical obligation to treat this information differently, commented Stanley Crosley, director for global privacy at Eli Lilly, which is still smarting from a highly publicized though inadvertent email disclosure of patients prescribed Prozac. Crosley is working with a consortium of pharmaceutical companies to sort through compliance issues and ensure that they use PHI in a secure manner.

One issue for pharmaceutical companies and research organizations is their status under HIPAA. A researcher may be a covered entity if he or she furnishes health care services to individuals and transmits health information electronically. Manufacturers are receiving a flurry of contracts from hospitals, AMCs, and state Medicaid agencies that describe them as business associates. Privacy experts advise manufacturers and researchers to avoid such designations or face added disclosure and compliance requirements.

One approach for sponsors may be to hire third parties to conduct research and manage data. While HIPAA imposes additional burdens on CROs, the very complexity of the policy may encourage smaller manufacturers to contract out more clinical research activities to these organizations.

SIDEBAR: Feds Want Standard Ethnic Clinical Trial Data
FDA is seeking comments on a proposal that calls for sponsors of clinical trials to follow federal government categories for presenting data on ethnic and racial demographic groups (Guidance for Industry, Collection of Race and Ethnicity Data in Clinical Trials, January 2003, www.fda.gov/cder/guidance/index.htm). The change reflects increased emphasis on identifying differences in how trial subjects react to medical products, as seen in racial variations in metabolizing antidepressants and beta blockers.

The new policy requires sponsors to adopt categories formulated by the Office of Management and Budget in 1997 to ensure consistency in demographic subset analysis across studies. This approach aims to promote early identification of different physiological responses among racial subgroups and to reduce adverse events. For example, GlaxoSmithKline recently halted a safety study on its asthma drug Serevent (salmeterol xinafoate) after interim analysis revealed too many life-threatening events, particularly among black subjects. The company is consulting with FDA on how to design a larger study to examine the causes of these events more thoroughly.