Co-enrollment Prevention (CEP) HIPAA/Privacy Frequently Asked Questions

Also see our general Co-Enrollment Prevention Frequently Asked Questions

HIPAA Impact on Use of PII in Co-Enrollment Prevention

The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations [45 CFR Parts 160, 162, and 164] provide protections for the privacy and security of Protected Health Information ("PHI") and regulate the use and disclosure of this information.

45 CFR §160.103

Age, the fact of treatment, and other personal identifiers are part of this PHI. In order to disclose PHI to another site or institution for the purpose of co-enrollment prevention, the participant must either authorize such a disclosure, or the disclosure must fall under one of the exclusions provided in the HIPAA regulations. In the context of research, a HIPAA authorization may be included in the study’s informed consent form, or it may be a separate document. The requirements for a HIPAA authorization are provided in 45 CFR §164.508(c). Included are requirements for descriptions of who may use and disclose PHI, who may receive PHI, and the purpose of a disclosure. For example, "The Principal Investigator and research staff will share your PHI with other people and groups to help conduct the study or to provide oversight for the study" is a commonly used phrase in HIPAA authorizations. The regulation requires that such a description be provided, but it is not necessary for it to be specific – the persons can be a class of persons, and the description of the purpose can be very broad, as described above. It is also possible to add an item specifically stating that PHI will be disclosed to other clinical research sites (CRSs) to monitor co-enrollment.

A disclosure for the purpose of co-enrollment prevention falls under one of the exceptions permitted for the purposes of healthcare operations: a covered entity may disclose PHI to another covered entity for the purpose of ensuring compliance (45 CFR §164.506(c)(4)(ii)). A disclosure made under this exception must be made according to the "minimum necessary" standard of HIPAA - "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request" (45 CFR §164.502(b)(1)).

The impact of HIPAA on age and identity verification will mostly be in the context of HIPAA security. Once this information has been collected in accordance with the requirements of the HIPAA Privacy regulations, it must then be protected in accordance with the requirements of the HIPAA Security regulations. These requirements are found in 45 CFR Part 164 Subpart C. In general, this section mandates that the confidentiality, integrity and availability of PHI must be protected. The particular safeguards will depend on the system an institution uses to collect, maintain, and transmit PHI. The safeguards, categorized as "Administrative", "Physical", and "Technical" include everything from locking papers in a file cabinet to managing passwords to encrypting data to having a plan in place in the event of a breach. Your institution should have policies and procedures in place to address these issues.

It is very important when determining the applicability of HIPAA to know the HIPAA Covered Entity structure of your institution. Typically, a health care facility will be a "Covered Entity", meaning that HIPAA applies to the activities of all the components of that facility. A university, on the other hand, is frequently a "Hybrid Covered Entity", and HIPAA will only apply to some of its components. A Hybrid Covered Entity is not required to include research as one of its Covered Components, and so, unless the research includes treatment and billing, HIPAA will not apply. What would otherwise be PHI is treated as personally identifiable information ("PII"). In most institutions, the HIPAA Security Rule applies to PII in the same way it applies to PHI.

The IRB, Compliance and IT websites for your institution will contain policies and procedures, guidance, and forms for addressing these issues at your institution, and members of those offices should be available to provide assistance. If you have further questions, contact your Compliance, IT security, and/or Office of General Counsel, as appropriate.

For further guidance on HIPAA issues, see the website of the Office for Civil Rights of the Department of Health and Human Services:

"PHI" is health information created or received by a healthcare provider, health plan, or healthcare clearinghouse which relates to:

  • the past, present or future physical or mental health or condition of an individual,
  • the provision of health care to an individual,
  • the past, present or future payment for the provision of health care to an individual,
  • information that identifies the individual or creates a reasonable basis to believe that the information can be used to identify the individual, and
  • information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any form or media.

PII is generally described as any information that can be used to identify, contact, or locate an individual, either alone or combined with another source. It is not, however, subject to HIPAA, and is therefore not PHI. Even though the HIPAA Privacy Rule does not apply, most institutions will still protect this information in accordance with the HIPAA Security Rule.

The European Union General Data Protection Regulation ("EU GDPR") applies to the personal data of individuals located in the European Union (actually the European Economic Area ("EEA"), which consists of the European Union plus Norway, Liechtenstein, and Iceland). It went into effect on May 25, 2018. The EU GDPR has very broad and very strict protections for all personal data, not just healthcare information. Personal data is defined as "…any information relating to an identified or identifiable natural person ('data subject')". Consequently, a "participant" in clinical research would be a "data subject" under the GDPR. The EU GDPR also applies to institutions located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. If the EU GDPR applies to participants, it will be necessary to obtain affirmative consent, to have EU GDPR policies and procedures in place, and to have an IT infrastructure that meets the requirements of the EU GDPR. In particular, be aware that under the GDPR participants have a wide range of rights to access their personal information, including a "right to erasure" or the right to be forgotten. The Compliance and IT websites for your institution will contain policies and procedures, guidance, and forms for addressing these issues at your institution, and members of those offices should be available to provide assistance. If you have further questions, contact your Compliance, IT security, and/or Office of General Counsel, as appropriate.

References

  • EU GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

Certificate of Confidentiality (CoC)

A Certificate of Confidentiality provides a heightened level of privacy to the participants of certain types of research. It prohibits the disclosure of identifiable, sensitive research information to anyone not connected with a study, including Federal, State, or local civil, criminal, administrative, legislative, or other proceedings except in the following circumstances:

  • Disclosure is required by Federal, State, or local law (for example, to comply with State laws requiring the disclosure of communicable diseases);
  • Disclosure is necessary for the medical treatment of the participant and the participant consents;
  • Disclosure is made with the consent of the participant; or
  • Disclosure is made for the purposes of other research that complies with Federal regulations governing the protection of human subjects in research.

Since October 2017, NIH has issued Certificates of Confidentiality in connection with all research in which "identifiable, sensitive information" is collected or used. This includes the following categories of research:

  • Human subjects research as defined in 45 CFR 46, "The Common Rule", unless information is recorded in such a way that participants cannot be identified
  • Research involving the collection or use of biospecimens that are identifiable to an individual or may be combined with other information to identify an individual
  • Research that involves the generation of individual level, human genomic data from biospecimens, or the use of such data, or
  • Any other research that involves information about an individual for which there is at least a small risk that some combination of this and other data could be used to identify an individual

At this time, the best mechanism for adding identifying information to a co-enrollment system when there is a Certificate of Confidentiality in place is to obtain participant authorization.

The IRB website for your institution will contain policies and procedures, guidance, and forms for addressing these issues at your institution, and members of that group should be available to provide assistance. If you have further questions, contact your Compliance and/or Office of General Counsel, as appropriate.

For further guidance on Certificates of Confidentiality, see the following NIH websites:

Disclosing PHI/PII in Co-Enrollment Prevention

PHI must be disclosed in accordance with the requirements of HIPAA. The best approach is to obtain a HIPAA authorization from the participant. In that case, the disclosure is not limited to the minimum necessary, as it is with a disclosure under an exception. The disclosure is whatever information the participant authorized to be disclosed. PHI can also be disclosed under an exception permitting disclosure for the purposes of healthcare operations: a covered entity may disclose PHI to another covered entity for the purpose of ensuring compliance. 45 CFR §164.506(c)(4)(ii). In that case, only the minimum information necessary to achieve the purpose of the disclosure may be disclosed. In general, PII is not subject to HIPAA and may be disclosed without following the HIPAA requirements. However, it is very important when disclosing PII to know the policies and procedures of your institution – some institutions require compliance with HIPAA even though it is not applicable. It is equally important to check with your IRB, Compliance, General Counsel, or other appropriate office as there may be other Federal or state laws that are relevant.

The data elements to be shared should be the elements your site(s) and any involved business entity (e.g., VCT, DMC) or non-covered entity (e.g., DAIDS) have determined would identify, or help to identify, study participants that are enrolled at both sites. As previously discussed, if the study participants have authorized the disclosure, any information included in that authorization can be used. If the disclosure is under an exception, then only the minimum information necessary to achieve the purpose of the disclosure can be used.

The mechanism you use to disclose PHI for this purpose will depend on how your institution handles disclosures of PHI when a data use agreement is not appropriate. There are other types of agreements that could be used, for instance a Memorandum of Understanding with another institution. A Business Associate Agreement ("BAA") would most likely be appropriate if the information is being disclosed to a central registry. A BAA would require the central registry to comply with HIPAA just as a covered entity is required to comply with it. This is another one of the instances where it is important to check with your institution, as there should be standard agreements or established practices. A data use agreement would not be the best mechanism to use to disclose PHI outside of the institution for this purpose. A DUA is used to disclose either de-identified data or a limited data set. De-identified data is PHI with the 18 identifiers removed, as described in 45 CFR §164.514(b)(2)(i). A limited data set retains some of these identifiers, but the others must be removed, as described in 45 CFR §164.514(e)(2). Even if an element could be used to identify a participant, the regulations specifically require that the recipient of the data set NOT identify or contact the individuals.

For further guidance on DUAs, see the following:

For further guidance on BAAs, see the following:

The type of system used to disclose this information will depend on your institution’s policies and procedures, and on its IT infrastructure. Almost any type of system can be used, so long as the system complies with the HIPAA Privacy and Security regulations, and any other applicable laws and regulations.

References

  • 45 CFR Part 164 Subparts A, C, D, E

Paper/Phone

When using paper systems and communicating by phone, it is of course necessary to comply with the HIPAA Privacy regulations and the HIPAA Security regulations (administrative, physical, and technical requirements), but you will need to pay particular attention to the physical (45 CFR §164.310) and technical (45 CFR §164.312) requirements. These describe processes and procedures for physically protecting PHI (locks, workstation controls, facility security) and for the technical aspects of protecting PHI (such as access control, passwords, and preventing alteration or destruction of PHI). This section also contains a requirement for authenticating the identity of a recipient of PHI before it is disclosed. Most institutions include these in their own policies and procedures, so be aware of them. For further guidance, check with your Compliance and/or IT Security office.

References

  • 45 CFR §164.308
  • 45 CFR §164.310
  • 45 CFR §164.312

Spreadsheets or databases

The methods used to protect spreadsheets will depend on how you maintain and transmit them. If they are printed out and maintained and transmitted as paper, then the procedures described above, the "physical" safeguards, must be followed. If the spreadsheet is maintained and transmitted electronically, then the "technical" safeguards must be closely followed, especially the requirement of encryption. Encryption cannot be emphasized enough: there have been many potential breaches that never became breaches because the data and/or equipment were encrypted. The same applies to databases. As always, check your institution's policies and procedures, and obtain guidance from your Compliance and IT offices when needed.

References

  • 45 CFR §164.308
  • 45 CFR §164.310
  • 45 CFR §164.312

Automated electronic system

An automated electronic system is also subject to the HIPAA Security Rule, with particular attention paid to the "technical" safeguards. Again, there should be an emphasis on encryption, both for data at rest (stored or maintained) and for data in motion (being transmitted). At most institutions, the IT department will be much more involved in this type of system and presumably well aware of the HIPAA implications. Note that an automated electronic co-enrollment system may also be subject to FDA's regulations for Electronic Records; Electronic Signatures (21 CFR Part 11). As always, check your institution's policies and procedures, and obtain guidance from your Compliance and IT offices when needed.

References

  • 45 CFR §164.308
  • 45 CFR §164.310
  • 45 CFR §164.312
  • 21 CFR 11

Biometric systems

Biometric identifiers are one of the 18 HIPAA identifiers, and any data collected in this manner is subject to both the HIPAA Privacy Rule and the HIPAA Security Rule. Such data should be maintained (stored) and transmitted in accordance with the provisions of the HIPAA Security Rule. Note that an electronic co-enrollment system that uses biometrics may also be subject to FDA's regulations for Electronic Records; Electronic Signatures (21 CFR Part 11). As this is a relatively new technology, it is important to seek guidance from the Compliance office, the IT department, and any other offices or groups that might be relevant. As of this date, three states have passed specific legislation protecting biometric data (Illinois, Washington, and Texas). Another six states, plus New York City, have pending legislation, and many states have amended their data breach laws to include biometric data. It is extremely important to be aware of the laws in your state.

References

  • 45 CFR §164.308
  • 45 CFR §164.310
  • 45 CFR §164.312
  • 21 CFR 11

An honest broker is a neutral third party, either an individual or an organization, who is not in any way part of a research team, who collects and de-identifies information or samples to provide to the research team. Information may be considered de-identified if it is totally de-identified, meaning stripped of the 18 HIPAA identifiers [45 CFR §164.514(b)(2)(i)], or if it is a limited data set, meaning that it has been stripped of 16 of the 18 identifiers [45 CFR §164.514(e)(2)]. The honest broker will maintain a link or a code, so that the participant can be re-identified if/when necessary. An honest broker must comply with the requirements of HIPAA and the Common Rule (45 CFR 46.116(d)). Additionally, if the study is covered by a Certificate of Confidentiality, the participant’s consent must be obtained before disclosing any information to the Honest Broker, and the Honest Broker must agree to comply with the requirements of the Certificate of Confidentiality. Many institutions have an internal honest broker program, providing training and requiring certain certifications for honest brokers, and in turn providing access to these services.

An honest broker is considered to be one of the most effective ways to protect PHI. The issue with using an honest broker is that the data is supposed to be de-identified enough so that no participant can be identified.
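As an added illustration, not code from the FAQ or from any institution's honest broker program, the following Python sketch models the honest broker described above: it strips the direct identifiers to produce a limited data set, applies the further Safe Harbor generalizations (year-only dates, state-level geography, ages over 89 aggregated) for fully de-identified data, and keeps the re-identification link on the broker side only. The record field names and the sample record are assumptions constructed for the example.

```python
import secrets

# Direct identifiers that a limited data set must exclude
# (45 CFR 164.514(e)(2)). Field names are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "street", "mrn", "ssn", "phone", "fax", "email", "health_plan_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
}
# Safe Harbor (45 CFR 164.514(b)(2)(i)) additionally removes geography below
# the state level and reduces dates to the year.
SUB_STATE_GEOGRAPHY = {"city", "zip"}


def limited_data_set(record: dict) -> dict:
    """Drop the direct identifiers; dates and city/state/zip may remain."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record: dict) -> dict:
    """Fully de-identify: limited data set plus the date and geography rules."""
    out = {}
    for key, value in limited_data_set(record).items():
        if key in SUB_STATE_GEOGRAPHY:
            continue  # keep only state-level geography
        if key == "dob" or key.endswith("_date"):
            out[key] = str(value)[:4]  # year only; dates are ISO "YYYY-MM-DD"
        elif key == "age":
            out[key] = "90+" if value > 89 else value  # ages over 89 aggregated
        else:
            out[key] = value
    return out


class HonestBroker:
    """Neutral third party: releases de-identified data, keeps the link code."""

    def __init__(self) -> None:
        self._links: dict[str, str] = {}  # broker code -> MRN, broker side only

    def release(self, record: dict, limited: bool = False) -> dict:
        """Return a de-identified copy carrying a random broker code."""
        code = secrets.token_hex(8)
        self._links[code] = record["mrn"]
        clean = limited_data_set(record) if limited else safe_harbor(record)
        clean["broker_code"] = code
        return clean

    def reidentify(self, code: str) -> str:
        """Only the broker can map a released record back to the participant."""
        return self._links[code]


# Constructed sample record (not real data).
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "email": "jane@example.invalid", "street": "1 Main St", "city": "Springfield",
    "state": "IL", "zip": "62701", "dob": "1930-04-02",
    "enrollment_date": "2024-05-10", "age": 94, "sex": "F", "study_id": "STUDY-A",
}

if __name__ == "__main__":
    broker = HonestBroker()
    print(broker.release(SAMPLE))
    print(broker.release(SAMPLE, limited=True))
```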

An informed consent and a HIPAA authorization serve different purposes. In order to address the disclosure of PHI, the informed consent form should include a HIPAA authorization, or there should be a separate HIPAA authorization document. Under the HIPAA Privacy Rule, a covered entity is permitted, but not required, to obtain patient consent for the uses and disclosures of PHI for medical treatment, payment, and health care operations. However, a HIPAA authorization is required in order to use PHI for other purposes. The requirements for a HIPAA authorization are listed at 45 CFR §164.508(c). A valid authorization must include:

  • A description of the PHI
  • A statement of the purpose of the use of the PHI
  • A description of those who can use the PHI
  • A list of those who can receive the PHI, including re-disclosure
  • Information about an expiration date
  • Information about the right to revoke the authorization

For further guidance, consult your IRB and IRB website.

Assuming that the data is being maintained according to the HIPAA requirements, it will be important to ensure that the data is encrypted while being transmitted, and to have a Business Associate Agreement in place to ensure that the external co-enrollment system is HIPAA-compliant and is bound by HIPAA as a "Business Associate".

References

  • 45 CFR §164.504(e) (requirements of a Business Associate Agreement)
  • 45 CFR §164.308 (security requirements)

Before data is transmitted to the external site, a Business Associate Agreement should be in place. That agreement will bind the external site to the requirements of HIPAA and establish the ways in which the external site will use and safeguard the data. It will also contain provisions for addressing disclosures and potential breaches.

A Business Associate is a person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity, that involves access by the Business Associate to PHI of the covered entity.

References

  • 45 CFR §160.103

The potential consequences of these three are basically the same, although there are most likely differences at the institution level. Three main issues have been receiving the most attention: participant safety, invalidation of study data, and financial loss to an institution. There is also the potential for damage to the reputation of the researcher and the institution, and investigation by a sponsor and/or government agency.

Participant safety concerns include the following:

  • Mixing drugs from more than one study
  • Providing drugs to a person who is too young
  • Providing drugs to a person who is not who they say they are
  • Participant undergoing too many procedures, for example blood draws, which can be unsafe
  • Participant participating in studies in unrelated areas, for example, AIDS and Ebola

Researchers' concerns about the validity of the data collected may include the following:

  • Having to eliminate data collected from someone participating in more than one study
  • Having to invalidate the data from the entire study
  • Being unable to draw meaningful conclusions from the data collected
  • Possible investigation by sponsor and/or government agency
  • Financial loss and potential damage to reputation

Institution concerns may include the following:

  • Regulatory compliance violations
  • Possible investigation by government agency
  • Financial loss
  • Potential damage to reputation

Finally, many of these can reflect unfavorably on the IRB/EC as well.

If the IRB/EC has further concerns, a useful approach might be to provide more specific data. How many times has each of these issues arisen in your institution? In your geographic area? In the topic of a particular study? As these issues have become more common, more information has become easily available. Within each institution, talk to study teams, researchers, the Office of Clinical Research, and any other group that may be knowledgeable about these issues and have opinions to offer.

Making a Co-Enrollment Prevention System HIPAA Compliant

For an electronic Co-Enrollment Prevention system to be HIPAA compliant, all the requirements and controls mandated by HIPAA must be followed. These are described in 45 CFR Part 164 Subpart C. It is also necessary to comply with the requirements of the HIPAA Privacy Rule, 45 CFR Part 164 Subpart E, which addresses uses and disclosures of PHI, access by individuals to PHI, rights of individuals regarding their PHI, and administrative requirements. (Subpart A contains General Provisions, and Subpart D contains the requirements for handling breaches.) If the Co-Enrollment Prevention System is external to the institution, then a Business Associate Agreement should be in place.