The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 in the US to establish national standards that protect patient health information (PHI), as well as set limits on the conditions of its use.
PHI includes details such as the individual’s past, present, or future physical or mental health or condition; the provision of health care to the individual, and the past, present, or future payment for the provision of health care to the individual, and that identifies the individual.
There are different rules within HIPAA, including the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule.
This blog will discuss the HIPAA Privacy Rule in more detail.
What Does the HIPAA Privacy Rule Cover?
The HIPAA Privacy Rule, which came into effect on April 14, 2003, regulates the disclosure of protected health information. This rules also extends to Covered Entities and Business Associates who handle PHI. Covered Entities are defined as any organization that collects, creates, or transmits PHI electronically, while business associates refer to any organization that encounters PHI through the work it has been contracted to carry out on behalf of a covered entity.
A covered entity is only allowed to disclose protected health information in accordance with the requirements of the Privacy Rule or when the individual who is the subject of the information provides authorization in writing. Entities covered under the Privacy Rule are also obliged to disclose PHI to the individual upon request or to law enforcement officials. They must also obtain written authorization from the individual for disclosing the PHI within a clinical trial context.
Under the HIPAA Privacy Rule, an individual has the right to:
- Request the correction of inaccurate PHI
- Have their data handled confidentially
- Know how their data is being used
- Have their data handled only by properly trained individuals.
A Privacy Official and a contact person must be appointed to provide individuals with a method for communicating with HIPPA about any issues they encounter. Additionally, individuals have the right to file a complaint with the Office of Civil Rights, US Department of Health and Human Services, if their issues are not addressed by the entity involved.
Does the Privacy Rule Apply to a Sponsor or an EDC Vendor in a Clinical Trial?
According to the Centers for Medicare & Medicaid Services, the sponsor and EDC vendor are not classified as Covered Entities. However, the researcher collecting data for a sponsor is bound by HIPAA due to the nature of their roles as doctors and researchers as they deal with PHI in both scenarios. An example of this is when ePRO data is collected and included as part of the patient’s file. This activity results in the sponsor becoming the de facto a Covered Entity and the EDC vendor, a Business Associate, in relationship to the researcher.
It is the responsibility of the investigator or the center to ensure that PHI is processed in a regulatory compliant manner. The trial sponsor should also provide confirmation of this to the investigator or clinical trial center. The sponsor must confirm that their business associates – including the EDC software vendor – are compliant.
Today, only a few researchers and clinical trial centers are making inquiries about HIPAA compliance. Because of the serious nature and high penalties of non-compliance, we believe that this will change in the near future.
What Needs to Be Done?
As the researcher and clinical trial center have to comply with the Privacy Rule when entering patient data into a study system, sponsor confirmation needs to be provided. In many cases, investigators and clinical trial centers already have Good Clinical Practice (GCP) assessments and General Data Privacy Regulation evaluations in place. These practices cover many of the requirements of the Privacy Rule and it is likely that these would also cover applicable HIPPA requirements. Investigators should still seek explicit confirmation of compliance from the sponsor before entering data into any clinical study system.
To ensure all parties involved in a clinical trial are compliant, sponsors should complete HIPAA assessments for all their Business Associates, including researchers and clinical trial centers.
HIPAA compliance is becoming an increasingly important part of the collection of electronic clinical trial data. Continued understanding of how HIPAA applies to your clinical trial site can only benefit you, your patients and the study in the long term.