Presenter Marilyn Windscheigl received many questions during her recent webinar “HIPAA Basics for Clinical Research.” Here, she responds to some of those questions and provides clarification on challenging compliance topics in clinical research.
Is a clinical study sponsor permitted to collect patient initials on any form (e.g., case report forms or any other document)?
To begin, patients’ initials are protected health information (PHI), so if the sponsor’s intent is to use only de-identified patient data, initials will not work. However, sponsors are not required by law to use de-identified data, so using initials is not a problem unless it contradicts the sponsor’s promises to the researcher or Covered Entity about what it will use in the study.
If the sponsor is a pharmaceutical company/industry sponsor, its obligation under HIPAA is limited to what the Covered Entity permits for uses and disclosures as described in the clinical trial agreement. Most Covered Entities would expect a sponsor to limit use of PHI to what is needed to perform the study and ensure the study drug or device is safe and effective. Covered Entities should therefore add language to the clinical trial agreement that defines what the sponsor is permitted to do with the PHI.
If the sponsor is an employee of a Covered Entity (i.e., investigator-initiated), the collection of patient initials would mean the researcher is collecting PHI, which would have to be protected from further use or disclosure except as authorized by the patient, unless an IRB or Privacy Board alters or waives the authorization requirement.
Are there any potential implications or causes for concern in sharing a limited data set under a data use agreement with a private company that is not a Covered Entity?
Covered Entities often share Limited Data Sets (LDS) pursuant to a Data Use Agreement (DUA) with private companies that are not Covered Entities. However, an LDS can only be used for research, public health, or health care operations. Since an LDS is still PHI and still subject to HIPAA, the Covered Entity providing the LDS would want to be sure it is being shared for a permissible reason. (This requirement is captured in 45 CFR 164.514(e).)
If the private company is performing a function on behalf of a Covered Entity, a Business Associate Agreement is needed in addition to the DUA. Since the advent of the HITECH Act, Business Associates are directly liable for protecting PHI (although Business Associates are not required to comply with every aspect of HIPAA). If the private company is a Business Associate, it is hopefully aware of this legal obligation and following HIPAA appropriately.
As a Covered Entity, is it necessary that we take steps to address and contractually obligate the sponsor, or any other recipient of PHI pursuant to an authorization form, to limit their use of the PHI to the authorization’s uses?
*PFS Clinical has made reasonable efforts to ensure the accuracy of the information contained in this document; however, this document is provided “as is” without any express or implied warranty. This document does not constitute legal advice. If you require legal advice, please consult with your attorney.
Want to learn more about HIPAA compliance? Watch the free, on-demand webinar “HIPAA Basics in Clinical Research.”