DHHS Issues New HIPAA Privacy Rule Guidance on Research
On January 12, 2004, the U.S. Department of Health and Human Services ("DHHS") issued guidance as to how the HIPAA Privacy Rule affects research activities (the "Guidance"). The Guidance discusses the application of the HIPAA Privacy Rule to the creation of research databases and repositories and the uses and disclosures of protected health information ("PHI") in research databases and repositories. The Guidance clarifies that:
Researchers themselves are not covered entities unless they also are health care providers who engage in covered electronic transactions. Researchers who are employees or other workforce members of a covered entity, nonetheless, may be required to comply with that entity's HIPAA privacy policies and procedures.
DHHS considers the creation of a research database or repository and the use or disclosure of PHI from such a database or repository as separate research activities under the HIPAA Privacy Rule. Thus, authorization, an institutional review board ("IRB") or Privacy Board waiver or an IRB or Privacy Board approval of an authorization alteration is required for each activity.
For each subsequent use or disclosure of PHI for research purposes from a repository or database maintained by a covered entity, the covered entity must comply with the HIPAA Privacy Rule for such use or disclosure (e.g., obtain an authorization or provide a limited data set and enter into a data use agreement).
Neither blood nor tissue itself is considered PHI, and research involving only the collection of blood or tissue is not be subject to the HIPAA Privacy Rule. The labeling of the blood or tissue that links the specimen to a particular individual, however, likely contains PHI that would be subject to the HIPAA Privacy Rule. Additionally, the results of a blood or tissue analysis, if associated with an individual, would be PHI.
Researchers are not business associates solely by virtue of their own research activities. A business associate agreement with a researcher who is not a member of a covered entity's workforce, however, may be required, depending upon the services, functions or activities the researcher provides to or for the covered entity.
The Guidance also includes informative responses to a number of frequently asked questions of interest to researchers. For example, it addresses the circumstances under which a covered entity may use or disclose PHI to locate a research participant who becomes "lost to follow-up" and special requirements that apply to research involving PHI from mental health providers.
If you have any questions about the Guidance, please contact any of the following members of HMSC's HIPAA Compliance Team:
Gregory R. Schermerhorn, 313-465-7638 gschermerhorn@Honigman.com