HIPAA Omnibus Final Rule Research Changes to the Privacy Rule and GINA Heather Pierce, JD, MPH Senior Director and Regulatory Counsel, Scientific Affairs February 20, 2013
Research-Related Topics Research Authorizations Future Research Sale of PHI Decedents PHI 2
Conditional and Compound Authorizations Generally: HIPAA has prevented conditioning treatment on the provision of authorization for the use or disclosure of PHI An exception allows for research-related treatment to be conditioned on authorization for use or disclosure of PHI for the research 3
Conditional and Compound Authorizations Generally: HIPAA prohibits combining authorization for use and disclosure of PHI with any other legal permission ( compound authorizations ) An exception allows an authorization ti for research to be combined with informed consent for the same research study Could NOT combine conditioned with unconditioned authorizations Narrow exceptions have resulted in multiple forms for related studies, lack of integration 4
5 Conditional and Compound Authorizations
Compound Authorizations In the Final Rule: A covered entity may combine conditioned and unconditioned authorizations Must clearly identify, differentiate between the two types of components Must allow for opt-in (not opt-out) t) of unconditioned components This approach: Better aligns with practices related to informed consent under the Common Rule Clarifies and simplifies requirements related to biobanking Provides institutions and IRBs with flexibility in streamlining consent and authorization as appropriate 6
Authorization for Future Research Previous Interpretation: HHS had interpreted HIPAA to prohibit authorization for use and disclosure of PHI for unspecified future research Limited individuals ability to participate in future research Created substantial barriers for secondary research Inconsistent with the Common Rule 7
Authorization for Future Research A New Interpretation: Modified interpretation of purpose p of the study to allow future research Through description, it would be reasonable for an individual to expect PHI would be used or disclosed for future research No changes to the language of Privacy Rule Provides flexibility to researchers, IRBs 8
Other Important Points Confirmation that external researchers are not considered business associates Not BA by virtue of performing research Researcher may performing other duties that would be defined as health care operations (such as creating a deidentified limited data set for the covered entity) IRB is not a BA by virtue of reviewing and overseeing research 9
10 Sale of PHI General Rule: Sale of PHI is prohibited absent individual authorization New definition of sale of protected health information Includes direct or indirect remuneration in exchange for PHI Numerous Exceptions Research exception If the only remuneration is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI Finalized as proposed in the NPRM
Sale of PHI Research Impact Not Considered a Sale of PHI: Grants or contracts to perform research, even if PHI disclosure is a byproduct of the activity Payments by research sponsors Federal grant to conduct a program even if reporting of PHI is required to be reported Reasonable Cost-Based Fee Includes direct and indirect costs labor, materials, supplies for generating, storing, retrieving, transmitting; ensuring permissible disclosure; capital and overhead Does not include profit margin Additional guidance from OCR is forthcoming 11
Sale of PHI Research Impact Transition Provisions Apply Covered entities may rely on authorizations received before compliance date, even without required statement Covered entities may rely on IRB waiver of authorization received before compliance date, even if remuneration exceeds new requirements Terms of existing data use agreements may govern use or disclosure of limited it data sets until earliest of renewal, modification, or one year from compliance ce date, even e if disclosure would constitute a sale of PHI 12
Use of Decedents Information Final Rule limits protections of PHI to 50 years after date of death Modifies previous rule, under which decedents had the same protections as living individuals Research exception: research is allowed with certain assurances Final Rule does not impact permitted disclosures under the Privacy Rule 13
Genetic Information Nondiscrimination Act 14
GINA Changes Under HITECH Title I generally prohibits discrimination based on genetic information Applies to health coverage and employment Health coverage context includes limits on: Setting premiums or contributions for group coverage or Medigap Determining eligibility Collecting genetic information Requiring genetic et testing Disclosing genetic information 15
GINA Changes Under HITECH Title I Section 105 requires revisions to the privacy rule Clarifies that genetic information is health information Prohibits group health plans, health insurance issuers, and issuers of Medicare supplemental policies from using or disclosing genetic information for underwriting purposes 16