Using Abstracted Data from Medical Records

HIPAA Case Study #1

Prepared by Don Steinwachs

Printer-Friendly version

Background: A longitudinal study is undertaken by academic researchers to assess the impact of changes in organization and financing of mental health and medical care on persons with severe mental illnesses enrolled in a state's Medicaid program. The study is supported by a National Institutes of Health (NIH) grant.

Research Question: Introduction of Medicaid managed care is expected to reduce inpatient utilization with improved access through a telephone system and an expanded scope of services through changes in coverage and payment. The study will seek to assess the impact of changes on the quality of mental health care, patient-reported outcomes, and Medicaid costs among disabled persons with severe and persistent mental illness.

Research Design: The study will identify all Medicaid eligibles with a claims-based diagnosis of a severe mental illness (e.g., schizophrenia, major depression) who meet continuous Medicaid enrollment criteria. The claims and enrollment data are provided to the research team after removing any data items not needed for the study and after replacing Medicaid identifiers, names, and addresses with a study identifier. From this group, a representative sample of persons will be drawn and approached for in-person interviews, asking for informed consent and individual authorization for the interview and individual authorization to use their Medicaid claims and to abstract their medical records. A research data set is to be created for all eligible for the study, using Medicaid enrollment and claims data over multiple years. For the representative sample, Medicaid enrollment and medical and mental health claims are linked to in-person interviews at three points in time plus an abstract of medical and psychiatric chart data. The data set on the sample will be used to more precisely measure treatment and outcome variables. Cooperation is sought from the state Medicaid Administration to do this study. State and university Institutional Review Boards/Privacy Boards (IRBs/PBs) review the protocol. The university IRB has legal responsibility for the research and the state IRB seeks to further assure that the study meets the state's requirements to protect human subjects.

1. University researchers want to have access to Medicaid enrollment and claims data to identify the subset of the universe of Medicaid enrollees who meet diagnostic, utilization, disability, and enrollment criteria. Since these criteria [to distinguish them from “continuous enrollment criteria”] could be applied in different ways and yield somewhat different populations, the investigators want access to inpatient and ambulatory claims for all Medicaid enrollees with continuous enrollment over a two-year period. The investigators will obtain the data from the state Medicaid agency.

Q: Will the Common Rule apply to this research project, and if so, how?

A: The Common Rule will apply to this study because it is supported by an NIH grant. The research would not fall under Common Rule exemption category 4 (45 C.F.R. § 46.101(b)(4)) because some new data will be collected. Many IRBs would not consider the research to fall under exemption category 2 (45 C.F.R. § 46.101(b)(2)) because sensitive data may be linked with identifying information. The research would only fall under exemption category 5 (45 C.F.R. § 46.101(b)(5)) if it were conducted by or subject to the approval of HHS or CMS, and if it were deemed to be designed to study, evaluate, or otherwise examine the Medicaid program. If the state and university IRBs determined that the study was not exempt, it would be subject to the Common Rule. The IRBs may review the research using an expedited review procedure if they determine that the study presents no more than minimal risk to human subjects, although an expedited review procedure may not be used where identification of the subjects or their responses could be stigmatizing to the subjects, unless reasonable and appropriate protections will be implemented so that risks related to invasion of privacy and breach of confidentiality are no greater than minimal. Informed consent may be waived with respect some subjects, particularly for those who will not be approached for in-person interviews.

Q: Is the agency a covered entity?

A: Yes, in this instance the state by acting as an insurer is a health plan that is covered by the Privacy Rule.

Q: Can the agency provide the data as a public health entity? What if the project were conducted by state Medicaid researchers?

A: While the Privacy Rule allows covered entities to disclose PHI for certain public health activities, those disclosures usually may be made only to public health authorities, for FDA reporting, or for exposure notification or employee health purposes. The fact that the agency itself may be a public health authority under the Privacy Rule does not affect its ability to make data available for research projects.

If the study is conducted by or on behalf of the state Medicaid agency as part of a quality assessment initiative and not primarily to obtain generalizable knowledge, then the project could potentially be considered “health care operations” under the Privacy Rule instead of research, and an authorization or waiver of authorization would not be needed; however, this characterization is unlikely if there is already IRB oversight of the project and informed consent will be obtained. One factor used to determine if an activity is designed to develop or contribute to generalizable knowledge is whether the results will be published or otherwise placed in the public domain. Because it may be more difficult to publish the results of the evaluation if IRB approval is not secured at the outset of the activity, a researcher should apply to an IRB for approval (and for consent and authorization waivers, if appropriate) if he or she may at some point wish to publish the results.

Q: Are there different approaches to getting de-identified information and the limited data set?

A: Yes, the limited data set provides some identifying information and can only be released for public health, quality and other health care operations where the covered entity requesting the information does not have a relationship with the individual, and research. To obtain a limited data set, researchers must sign a data use agreement with the covered entity. No such agreement is necessary for de-identified data since all identifying information has been removed.

Q: Are there any special concerns related to the investigators reviewing mental health data?

A: The researcher will need to consider the potential stress of the patients being contacted based on a diagnosis such as schizophrenia. The IRBs will want to know what the surveyor will say when he or she contacts these subjects for an interview. The sensitivity of the data is also likely to influence the IRB's assessment of the study, including the privacy protections the IRBs will expect, the risks associated with the study, and whether the study can qualify for an exemption from the Common Rule or for expedited review. Moreover, the researcher will need to consider whether the potential subjects are competent to consent to participate in the study, or whether consent from a legally authorized representative must instead be obtained. Finally, state laws often create special protections for mental health information, and researchers may be required to take additional steps in order to access this information.

Q: Behavioral health information of individuals is being treated differently from other forms of protected health information; covered entities are not releasing it. What is the legal ruling behind this?

A: The only special protection for mental health information under the Privacy Rule is for psychotherapy notes. Psychotherapy notes are notes documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Under the Privacy Rule, an individual authorization is required to gain access to psychotherapy notes for research purposes for studies begun after April 14, 2003 ; neither obtaining an IRB waiver nor creating a limited data set is sufficient. State law may impose further restrictions on disclosure of mental health information for research purposes. Of course, covered entities (CEs) do not have to release protected health information (PHI) to researchers, but we hope they will continue to do so whenever allowed by state and federal law.

Q: Are dates in individually identifiable health information considered protected health information?

A: Yes, that is why they are removed. A limited data set may contain dates and as such would be preferable for research.

Q: In this scenario, is a limited data set a viable option?

A: No, a claim number is needed, and that is not a permissible variable within a limited data set.

Q: In soliciting for interviewees, which is preferable: an opt-out or an opt-in approach?

A: On first glance, it makes sense that more subjects will be available by having them return the card if they choose to opt out. IRBs are permitted to grant a waiver of consent and authorization under either approach, although some IRBs prefer opt-ins for subject recruitment to minimize coercion or unwanted contacts.

2. Investigators have identified the state Medicaid population with severe mental illness and continuous enrollment that they would like to have participate in this study from the data obtained from the state Medicaid agency and have drawn a representative sample to be approached for interviews. The investigators want the names, addresses, and other relevant information sent to the survey research firm which will be doing the interviewing.

Q: How will the information be developed to establish interview candidate information?

A: It may be best for initial contact of eligibles to come from the state Medicaid Agency, with the option to reply going directly to the survey firms. In this way, Medicaid does not know who responded, and the interviewees will not receive a cold call.

Q: In the past, IRBs permitted this protocol, having potential subjects send a reply card. Is this allowed under HIPAA?

A: HIPAA touches on this issue in another way. A waiver of authorization from an IRB/PB will be needed in order to get the potential interviewees' addresses in the first place. This waiver should identify the person and/or organization making the contact.

Q: How does the survey research firm relate to the state Medicaid agency? Do they need to be a business associate of the agency, or be part of the research team under subcontract to the researcher.

A: To contact the potential subjects and ask them to sign an authorization, the survey firm will be working with protected health information on behalf of the covered entity. The covered entity will therefore need to have either a business associate agreement with the survey research firm or receive an IRB/PB waiver of authorization so that the survey firm can access PHI to contact subjects. When applying for the waiver of authorization, the covered entity will have to spell out what activities the survey firm will be undertaking. The covered entity may disclose PHI for the research itself only with an authorization or waiver of authorization.

Q: Is an IRB waiver of authorization needed to obtain the contact information?

A: If the survey research firm will contact subjects, either a business associate agreement must be in place between the survey research firm and the covered entity, or the covered entity must obtain a waiver of authorization for study recruitment. The IRB will want to review the researcher's protocol on how the subjects will be contacted before granting a waiver of authorization.

Q: Since the researcher will obtain individual authorization for the interview and use of the data obtained from the interview, is it necessary to have the IRB review the process beyond the initial contact stage?

A: Unless the activity is considered by the IRBs to be exempt from the Common Rule, the IRB must have continued oversight of the study. This includes a continuing review of the study at least annually and ongoing contact with the IRB in the event of any proposed changes to the study or any unanticipated problems involving risks to subjects or others ( e.g., identifiable study files are lost or accidentally disclosed). If the study is not exempt, the IRBs will ask for the entire protocol of the research before it has begun. They may grant a waiver of authorization with certain preconditions such as IRB reapproval of the waiver after one year, or periodic compliance checks by the IRB.

3. The informed consent procedure requires evidence that the person with mental illness can give consent (is not too symptomatic to understand what is being asked). If a person cannot be interviewed due to mental status, permission is asked to interview a proxy but this requires informed consent, too, as well as individual authorization to use PHI if for research. The result is few proxy interviews yielding a lower than desired overall response rate. Consent and individual authorization are also given at the time of the interview to link claims data and abstract of medical records to Medicaid claims. Interviewer training is required to avoid any suggestion that the desired respondent is mentally ill when efforts are made to locate for the interview. Also, training is given to assess the ability of a person to provide informed consent and to react appropriately if person is suicidal.

Q: Can the mentally ill give informed consent?

A: Yes, if they are considered legally competent. Researchers may need to evaluate a subject's capacity. A good policy may be to have a legally qualified mental health professional evaluate a subject's ability to give consent. IRBs will likely want some reassurance that the interviewer is well-trained for the task. In general, it is safe to proceed with a subject when they have been deemed competent both to participate and to consent to participation, have agreed to enroll, and have given consent.

Q: Can consent be obtained at the time of the interview?

A: In practice it may be a good idea to have a separate session on whether the subject is competent, and obtain consent at that time, then schedule a follow-up appointment to conduct the interview itself.

Q: Can an IRB approve a study without individual consent?

A: Yes, through a waiver of authorization and consent, but it may be more difficult to obtain such a waiver for a study of sensitive populations such as this one. IRBs grant authorization waivers on the grounds that: 1) it is impracticable to get an authorization, 2) there is minimum risk to individuals' privacy (not likely here), and 3) the study would be impossible to conduct without a waiver.

Q: If a person is upset after being contacted, do they have the right to sue?

A: Neither the Privacy Rule nor the HIPAA statute grants private parties the right to sue for alleged violations; individuals may only make a complaint to the government. If a waiver of authorization was granted by a relevant IRB and the waiver documentation meets the relevant requirements, the researcher would not likely be penalized for a Privacy Rule violation. Depending on how the person claims to have been wronged, the person may be able to sue under state law.

4. The investigators receive complete claims data, mental and medical, for the entire universe of eligible Medicaid enrollees (identity numbers scrambled) and for the sample, whether or not, they consented. This allows investigators to test hypotheses on the universe and on the sample, using enrollment and utilization data to adjust for non-response bias. The Medicaid agency provides only the specific data items requested and approved by the IRB, not the complete enrollment and claims history files.

Q: Are scrambled identifiers considered protected health information?

A: The government interprets scrambled identifiers to be identifying information because they are derived from identifying information. Thus, a scrambled health plan beneficiary number is considered to be an identifier, even though the individual digits have been re-arranged. A truly random code, on the other hand, usually will not be considered an identifier; however, if the researcher has the key to the code in order to link the data back to the subject's identity, the researcher is considered to have PHI.

Q: What happens to the records of those who decided not to participate in the study?

A. When establishing protocols with an IRB, the researcher should let the IRB know what will happen to information collected on those who decide not to participate. Will the data be returned, destroyed, or kept to determine sample bias? The IRB will then have the opportunity to determine if the protocols are acceptable given the study.

Q: Is it possible to obtain some data on those who do not want to participate to determine the type of bias in the sample?

A: Protocols would have to be submitted to the IRB and a waiver of consent and authorization granted in order to receive any PHI. Non-response bias can be assessed by requesting the overall demographics of the eligibles from the survey firm, and comparing those with their own sample.

Q: What happens if a waiver of authorization is granted and the covered entity still refuses to release the data?

A: HIPAA states that a covered entity may rely upon the judgment of an IRB/PB, but that it is not required to do so. If a covered entity says no, then the researcher might want to talk to the covered entity's privacy officer directly, but otherwise there are few other avenues to pursue. If researchers are having trouble collecting data from covered entities, they should go to http://services.aamc.org/easurvey/survey/login.cfm to participate in the survey.

Q: How long can the researcher keep data for things like publication, verification, or checking scientific validity?

A: When the researcher applies for IRB approval and fills out the waiver request, it is important to specify how long the data will be needed (e.g. one year, until end of research project). It is also important to explain how the data will be protected until the time at which it can actually be returned or destroyed.

5. The investigators contracted with a firm to abstract records in the primary care and mental health specialty provider offices. The contractor received patient-identifying information from the Medicaid agency through a contract. The investigators received the abstracted information with the scrambled Medicaid number.

Q: What is the relationship between the abstracting firm and the researcher?

A: The contractor is the agent of the researcher. A health services researcher is usually not a covered entity in his or her own right, but if the researcher is employed by or a business association of a covered entity and the research is being conducted under the auspices of that covered entity, the researcher should check with that covered entity to determine whether the contractor should enter into a business associate agreement with the covered entity. For the contractor to obtain PHI directly from Medicaid or from HIPAA-covered primary care and mental health specialty provider offices, a waiver of authorization must be in place and must permit this activity, unless all subjects have signed authorizations allowing access. The IRB should be aware of any contractors and steps that will be taken to protect the data while under its control.

Q: Would this process need to be explained to the IRB before undertaking the project?

A: An IRB will want to see how the researcher will pass data to the contractor, and how the contractor will protect the data before they will grant a waiver of authorization. The waiver request will need to describe to whom the researcher, Medicaid, and the providers will release information.

6. In order to conduct the interview surveys, the state Medicaid agency formally contracts with a survey research firm to work as an agent of the state to undertake the survey and guarantee to safeguard confidentiality of patient-identifying data. Money to cover survey costs comes through separate contract with the university.

Q: What is the relationship between the state and the survey research firm? Between the firm and the researcher?

A: The firm may be considered a business associate of the Medicaid agency, but likely is not a business associate of the researcher. The Department of Health and Human Services has said that whether a business associate contract is required depends on the services, functions, or activities that a researcher is providing to, or performing for, the covered entity. Firms that conduct research are not business associates solely by virtue of their own research activities (although they may become business associates in some other capacity, e.g., if de-identifying PHI on behalf of a covered entity). If the survey is considered research and not a quality assessment activity, then a business associate contract may not be required with the Medicaid agency as the researcher will not be performing services for the covered entity. Moreover, the university-based researcher likely is not covered by HIPAA in his or her capacity as a researcher; thus, no business associate agreement with the researcher or the university would be required, regardless of the services provided by the firm. However, a contract limited data use may be a good idea.

Q: Since the firm is acting as an agent of the state, does this process have to be approved by the IRB?

A. Yes. Unless the project is being conducted as “quality assessment” and will not be published, then it falls under the Common Rule and the research provisions of the Privacy Rule and must go before an IRB in order for the covered entity to release any data.

Q: What if the protocol calls for data from dozens, or hundreds, of small practices?

A: Those small practices covered by the Privacy Rule may disclose PHI in reliance on subjects' authorizations or on a properly documented waiver of authorization, so long as the authorization or waiver contemplates disclosure of data by these small practices. The practices need not require the researchers to sign business associate agreements.