What does the informed consent document say about sharing information?
Covered entities deal with many complex privacy and information security issues, but institutions that conduct research have an additional level of complexity. Key to understanding the implications of privacy obligations in research is understanding the multiple regulations that could apply to human subject research.
In addition to the federal privacy rules under HIPAA, for research activity one needs to be at least familiar with the rules and requirements around the conduct of research including human subject research. Federal regulations for research are governed by a set of rules known as the “Common Rule” and regulations promulgated by the Food and Drug Administration depending on the nature of the research. The FDA regulations only apply to research conducted on device or biologicals for which the FDA has oversight. The “Common Rule” is a set of regulations adopted by fifteen and followed by three federal agencies or departments and are applicable to human subject research.
Entities that perform research sponsored by any of these 18 agencies or departments must conduct the research following the “Common Rule”. The “Common Rule” only requires the organization conduct the research sponsored by those agencies under its requirements but most organizations conduct their research under want is known as a “Federal Wide Assurance” (FWA). If this is the case, the organization has agreed that any human subject research performed by that entity will be done meeting the “Common Rule” requirements regardless of the funding source.
The importance of understanding these additional rules is that the required documents under these regulations can contain language that might be impactful on the way the PHI is used and disclosed beyond the standard HIPAA documents. The federal agencies and departments falling under the “Common Rule” require the researcher to obtain informed consent from subjects or get a waiver of informed consent from the Institutional Review Board (IRB). The informed consent document outlines the discussion with the subject regarding the research and the subject’s participation in the research.
The language in this document can have implications regarding the expectations of the subject about how information about them will be shared with others. If the subject is informed that only a very small number of people will know the individual is a participant in the study through the informed consent process, yet the research authorization identifies multiple groups of individuals with whom the person’s information could be shared, this inconsistency might be problematic.
The informed consent process and supporting documentation is deemed by some courts to be equivalent to a contract with the subject. If the “contract” language states one thing but the HIPAA authorization permits use or disclosure of data in a more extensive manner which prevails? While the covered entity might be technically compliant with HIPAA, if the PHI is shared with parties identified in the research authorization, there may be a lack of informed consent for the subject to participate in the study. What legal risk does this create for the organization?
State and Other Federal Laws
Another important consideration is what the state and other federal laws say about looking at or acquiring health information such as HIV status, behavioral health information and substance abuse information for research purposes. This too can create inconsistencies if the informed consent addresses it but the HIPAA authorization does not.
This may be the need to look at such information or the need to get certain tests performed. For example, the study might exclude individuals with HIV and thus require that any potential subjects obtain or provide the results of a past HIV test. There may be language in the informed that addresses the need for an HIV test but the HIPAA authorization does not contain the necessary additional permissions to get the results. How can this be addressed?
It is not uncommon that multiple persons are involved in the development of the research documents. And even if it is just one person that individual is not always aware of the implications of having inconsistent language in the various documents. Someone familiar with the research study including its underlying documents such as any grant application, clinical trial agreement with the sponsor and the protocol should review any document intended for the subject to assure there are no inconsistencies. This will help avoid possible problems later that are the result of either a use or disclosure of information that is more than the subject expected, questions of whether the data was legally shared with certain parties and/or the need to report protocol deviations.
It is also helpful if the individuals in the organization’s IRB office know to look for these types of inconsistencies. If the research team did not catch any inconsistencies prior to submission this is a helpful point to review the collective documents and assure the documents signed by the subject accurately reflect the researcher’s intent regarding gathering and sharing information about the subject.
Again, this is just one of many challenging areas to assure compliance and appropriate privacy and information security issues in research. To learn more on this topic please plan to attend one of the upcoming educational workshops hosted by CynergisTek.