By Deb Borfitz
January 4, 2010 | A new set of federal privacy and security requirements, introduced by legislation promoting the adoption of electronic health records (EHRs), “may make the investigator-CRO interface more complicated for some time,” says Doug Peddicord, executive director of the Association of Clinical Research Organizations. The new data use restrictions “go well beyond the privacy rules established by HIPAA [Health Insurance Portability and Accountability Act] in 1996 and constitute a de facto transition to HIPAA 2.”
It took physicians and hospitals several years to adjust to “HIPAA 1,” Peddicord notes, and nerves are unlikely to calm any faster on this go-round—especially for worry-prone academic organizations. “Criminal penalties can be enforced against individuals, not just covered entities [CEs] and their employees.” In cases of willful neglect, civil monetary penalties have shot up from $100 per violation with an annual maximum of $25,000 to as much as $50,000 per violation with a $1.5 million annual cap.
The sentinel event was President Obama’s signing of the American Recovery and Reinvestment Act on February 17, 2009, which provides over $19 billion in incentives for physicians and hospitals to use EHRs and makes dozens of alterations to HIPAA 1, says Peddicord. Some privacy and security requirements have been extended to companies, such as Microsoft and Google, which offer personal health records (PHRs). Potentially, the definition of PHR could expand to capture patient registries, clinical trial portals, disease group databases, and a multitude of websites where consumers go and voluntarily fill out a personal health survey.
The stiff financial penalties for non-compliance reflect congressional response to lackluster enforcement of the original HIPAA despite tens of thousands of complaints filed with the U.S. Department of Health and Human Services (HHS), Peddicord says.
Unlike HIPAA 1, HIPAA 2 makes business associates (BAs) that work for CEs “directly subject to the security rule and relevant provisions of the privacy rule,” says Peddicord. That specifically includes entities that transmit or process data on behalf of CEs, like regional health information organizations and e-prescribing gateways.
Some of the entities newly addressed by HIPAA 2, notably the PHR vendors and similar non-covered entities, may have their newfound obligations regulated by the Federal Trade Commission rather than HHS, “presaging a much stronger emphasis on enforcement,” says Peddicord.
Language in HIPAA 2 intended to prohibit doctors and hospitals from selling protected health information (PHI) could be construed as barring CEs from remuneration for constructing databases containing a limited set of “anonymized” patient information, says Peddicord. If CEs have no financial incentive to do the work, public health activities and research could be negatively affected.
The central concern is that even when information qualifies as de-identified, and thus falls outside HIPAA privacy rules, it could possibly be re-identified by “computer geeks” once it gets posted on the Internet, says Peddicord. HHS is thus likely to issue guidance encouraging more rigorous de-identification of PHI within the year that “may render data more expensive and/or less useful.”
CEs may have trouble enough coping with the potential liabilities introduced by their new “breach notification” obligations under HIPAA 2, says Peddicord, which oblige them to inform individuals whenever any of their unsecured PHI is lost or stolen. BAs are similarly obliged to report such breaches to the CEs they work for.
The breach notification requirement took effect September 23, 2009, says Peddicord, but almost all other HIPAA 2 changes are scheduled to become effective February 17, 2010. Review of data security policies and procedures by clinical investigators is “highly advisable.” Sponsors and CROs take privacy and confidentiality issues “very seriously” and will likely be talking more with sites about the matter in the weeks ahead.