The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a guidance 21st Century Cures Act Guidance: Remote Access to PHI for Activities Preparatory to Research in December 2017 to clarify how protected health information (PHI) may be used via remote electronic access for research preparation activities.
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, found in 45 CFR Part 160 and Subparts A and E of Part 164, describes how PHI may be used for research by a covered entity.
- According to 45 CFR 160.103, a covered entity is “a health plan, healthcare clearinghouse, or healthcare provider who transmits any health information in electronic form.” Some covered entities are also clinical research sites.
- The HIPAA Security Rule, also located in 45 CFR 160, describes technical specifications for the protection of PHI.
- Section 2063 of the Cures Act required HHS OCR to release a guidance to clarify remote access to PHI for research purposes.
- For research, remote access to PHI can occur at two stages: preparatory to research, and while the patient is on the study. The OCR guidance addresses the first: a covered entity's researcher remotely reviewing PHI during the recruitment stage in preparation for potential participation. For remote review, the same conditions must be in place as for onsite review. The Privacy Rule allows the covered entity's researchers to use PHI with authorization, or without authorization if certain conditions are met.
- The conditions under which authorization is not required are listed on the HHS site (conditions where authorization is not required). Where authorization is not required, a waiver of authorization is commonly obtained from the covered entity's IRB or Privacy Board.
- An exception to the need for a waiver of authorization is Review Preparation for Research (RPR), such as during study protocol design or patient identification for scheduling consent and screening visits, as long as:
  - PHI is not removed from the covered entity, and
  - the researcher provides assurances that the PHI is necessary and is used only for research preparation.
- To read more about RPR, go to: www.hhs.gov/hipaa/for-professionals/faq/RPR
Q. Can a researcher review PHI through remote access as preparation for research under HIPAA rules?
- Yes, under the right circumstances this still meets the HIPAA Privacy Rule and Security Rule.
- Specifically, the researcher must not remove any PHI from the covered entity.
- Downloading, copying, or saving any PHI would be considered removal (e.g., a company laptop taken home, with patient PHI accessed and printed).
- Accessing electronic information only to view it, however, would not be considered removal.
- The technical specifications for electronic records also apply, including access control, data integrity, authentication, and secure transmission, including encryption.
Q. Can a covered entity rely on the assurance from a researcher that they will not remove PHI?
- The HIPAA Privacy Rule allows the covered entity to use its judgment about the level of risk a researcher would present by accessing PHI remotely. Covered entities perform a risk assessment each year to determine the potential for breaches of PHI, and remote researcher access would be one area of consideration. If the risk is accepted, risk mitigation and risk monitoring are expected.
- If the covered entity employs measures to ensure the researcher uses PHI properly, the request could be considered reasonable.
Q. What about situations when the researcher is not an employee of a covered entity, for example a recruitment consultant?
- Situations where there is no relationship between the researcher and the covered entity are considered greater-risk scenarios, in which covered entities should adopt additional measures to protect PHI.
Q. What circumstances are considered removal of PHI?
- Copying, printing, saving, faxing, and downloading are considered removal of PHI.
- Automatic downloads or temporary storage that occur while viewing the PHI are considered removal of PHI unless there is a process to prevent outside access to the temporary files.
- In greater-risk scenarios, the covered entity should implement technological solutions to prevent the removal of PHI.
Q. Is the covered entity liable if PHI is removed without HIPAA authorization?
- Determination of liability depends on the circumstances of the particular case.
- If the covered entity did not follow the HIPAA rules, it would be in violation; this would be considered a breach and would be subject to the enforcement provisions of HIPAA.
- Examples of scenarios where the covered entity would be in violation are where the covered entity:
  - did not request proper assurances from the researcher that they would not remove PHI;
  - did not provide or ensure that adequate safeguards for the PHI were in place; or
  - unreasonably considered the researcher to be a lower risk.
Although patients have not signed a HIPAA authorization, researchers may use PHI in preparation for research as long as the Privacy Rule and Security Rule are followed, the researcher provides assurances that the PHI is required for research preparation activities, and no PHI is removed. The OCR guidance clarifies how removal of PHI from the covered entity is defined in terms of remote access, and what role the covered entity plays in ensuring HIPAA rules are followed during remote access for research preparation activities.
The other scenario where PHI can be accessed remotely is more complicated and likely riskier: sponsor monitoring PHI remotely. We will blog about this soon.
- The Clinical Pathways Team