Privacy Workshop

Linking Administrative Data to Chart Reviews

HIPAA Case Study #2

Prepared by Mitzi Dean and Hal Luft


Background: California law mandates hospitals to report data from routinely produced hospital discharge abstracts for the development of public reports comparing hospital outcomes for selected medical conditions for patients treated in California hospitals. As part of this mandate, the state agency responsible for the reports contracts with a California-based university to develop and validate a hospital-level risk adjustment model for community-acquired pneumonia (CAP). This validation study is designed to test whether it is worthwhile to produce and publish hospital-specific reports on outcomes of patients with CAP.

Research Design: A dataset comprising information reported to the state about all patient discharges from eligible California acute care hospitals will be requested by the university researchers from the appropriate state agency. This patient-level dataset includes some of the 18 patient identifiers defined by HIPAA as PHI, such as date of birth and exact admission and discharge dates, and is, therefore, not a de-identified data set. Project staff will then extract information from this discharge data file for only those adult patients with a project-defined diagnosis of CAP. The patient characteristics or conditions reported as present at the time of admission of the CAP patients will then be used to develop a method for quantifying the risk of death within 30 days of CAP hospital admission. In the process of assessing the risk adjustment model, it will be necessary to estimate the potential for, and to evaluate the impact of, systematic error on the risk-adjustment model. This validation study will require asking a sample of 82 hospitals to submit, voluntarily, copies of 10 randomly selected patient charts. Making these chart requests requires that specific patient identifiers and admission dates be provided to the hospital. The hospital will then return copies of the patient charts by mail to the project director at the project headquarters at the university. Once the charts are received, a team of coding professionals, under contract to the project, will recode the ICD-9-CM principal and secondary diagnoses and procedures. Project staff will then extract the clinical information needed for the validation study from the same set of charts. The charts will then be destroyed.

While, in theory, hospitals could have abstracted the necessary information and passed on to the researchers only a file without identifiable information, this would have been so burdensome as to have reduced cooperation to nil. Furthermore, since a key part of the validation study was to determine whether abstracting by the hospitals resulted in systematic coding bias, relying on the hospitals to do the coding would have negated this part of the validation study.

1. This project was undertaken by the university under contract to the state agency.

Q: Will the Common Rule apply to this research project, and if so, how?

A: Whether the Common Rule or IRB review will apply to this activity depends on whether the activity is considered “research,” as opposed to quality assessment, public health, oversight, or a related activity. Universities and hospitals often require that their IRBs or IRB staff make that determination, rather than the researchers themselves, if there is any chance that the activity could be considered “research.” If the activity is considered “research” by these institutions, the Common Rule could apply even if the study is not funded by a federal grant. Institutions typically promise to the federal government, as a condition of receiving federal funding for any research, that they will apply the Common Rule to all of their research, even if that research would normally be exempted from the Common Rule. (This promise is made in a document called an “Assurance.”) Given that no new data will be collected from subjects, the activity would be considered by the IRB to be exempt research (and the Common Rule would not require further IRB intervention) if the researchers only record information in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects. However, if project staff extract identifying information from the records to provide to hospital staff or for other purposes, the project likely would not be exempt from the Common Rule. Even if the project is not exempt, it may qualify for expedited review by the IRB, and for a waiver of informed consent.

Q: Is the state acting as a covered entity?

A: If the state Medicaid program is acting as a health plan, such as via the Medicaid agency, it is a covered entity. If it is acting in its oversight capacity then it is not. In this instance, it is acting in its oversight capacity if it is not developing the risk adjustment model as part of a state health plan (e.g., Medicaid) quality improvement or pay-for-performance project.

Q: If the state were a covered entity and this study was undertaken as a quality assessment program, would it have to go through an IRB?

A: Perhaps. A covered entity may under certain circumstances disclose PHI for its own quality assessment purposes. However, given the state's role, this activity is not likely “quality assessment” as HIPAA uses that term in its definition of “health care operations.” The state is not assessing the quality of its own services as a covered entity; rather, it is assessing the quality of the hospitals it licenses. Moreover, because the activity bears some indicia of research, some institutional policies may require that it be submitted to an IRB to determine whether it is subject to the Common Rule. A written determination by an IRB that the study is either exempt or approved would be helpful if the researchers or the agency wished to publish the findings in a scholarly journal.

Q: Can data collection count as a public health activity?

A: Hospitals can provide hospital discharge abstracts to the state if they are required by law to do so. Once the state receives the data, so long as it does not receive the data in its capacity as a covered entity, the Privacy Rule does not apply to the further use or redisclosure of the data by the state. If the state receives the data in its capacity as a covered entity (as determined by the state), then the state will need to: 1) determine whether the activity constitutes “research” under the Privacy Rule and the Common Rule (which use the same definitions of “research”) and, if so, 2) receive documentation of an IRB waiver of authorization (and perhaps informed consent) before disclosing or using identified data for the research. If the state receives the data in its capacity as a covered entity and concludes that the activity does not constitute research, it will need to determine under what other Privacy Rule exception (e.g., health care operations, or health oversight activities) it may disclose or use the data.

Q: If parts of the state are considered to be a covered entity, and other parts are not, is the part that is not a covered entity held to HIPAA Privacy Rule requirements?

A: No.

Q: What types of review are needed and by which bodies?

A: Assuming the project is “research” and individual authorizations are not practicable (and they are not in this case), then a waiver of authorization is needed from an IRB or privacy board to meet the requirements of the HIPAA Privacy Rule. The university may have its own requirements for approval of any work undertaken by its employees. Likewise, the individual hospitals may require their own reviews, or they may in some cases decide to rely on the reviews of the state or university IRBs.

Q: Would these answers change if the project were initiated by the researchers and funded by a federal agency such as AHRQ, or a private group such as the California Healthcare Foundation?

A: In obtaining protected health information for research purposes from any covered entity, regardless of source of funding, one of two things must happen to meet the Privacy Rule requirements. Researchers must either obtain individual authorizations to use the data from the subjects, or they must obtain a waiver of authorization from an IRB or Privacy Board and present the required documentation to the covered entity. If the area of the state government receiving the data is not a covered entity under the public health or Privacy Rule exception, then the Privacy Rule does not apply to subsequent disclosures and uses of identifiable health information, unless the information is subsequently received by a covered entity. The receiving covered entity is then bound in its use and disclosures of the information, which has become protected health information again in its hands.

Q: What happens if neither your institution nor your state has an IRB?

A: There may be a state privacy board, even if the state does not have an IRB. In addition, any university or hospital that receives any federal funding for research either will have its own IRB or will have designated one or more external IRBs to review the institution's research. Another alternative that could be considered is a commercial IRB, but these can be quite costly. It is unlikely that physicians or other non-institutional providers will have an IRB.

2. The investigators need access to the identifiable Hospital Discharge Data (non-public format) in order to later request specific patient charts from reporting hospitals. (A public format converts the date of birth to age, the admission date to the day of the week, etc., and cannot be used to identify a specific patient chart). To assist the hospitals in locating the charts (because the state agency does not have medical record numbers), exact dates of admission and discharge, patient birth dates, and social security numbers are needed. Social Security numbers are available in the non-public data.

Q: Does the non-public version of the data needed for this project meet the criteria of a limited data set?

A: No. The Social Security number is needed, and it cannot be included in the limited data set. Since protected health information must be used, the researcher must go through the IRB/PB process to obtain the data from the state, if the state holds the data in its capacity as a covered entity.

Q: What are the advantages to the researcher if a limited data set could be used?

A: The information can be released through a data use agreement, avoiding individual authorizations, IRB waivers, and the accounting for the disclosure of the subjects' protected health information. However, if the data disclosures to the researchers are “required by law,” the protected health information needed to comply with the law may be released, with covered entity permission, without the covered entity's parsing the data further or negotiating a data use agreement.

Q: What would be needed to obtain approval from the relevant IRB(s) to obtain a limited data set?

A: Under the Privacy Rule, IRB review is not required to approve access to a limited data set. The only approval necessary is a valid data use agreement signed between the researcher and the covered entity. There may be separate obligations to obtain IRB approval under the Common Rule, as described above.

Q: If covered entities are not required to release data, are there actions researchers can take to increase the response rate?

A: While there is no way to compel the release of data for this project absent a law requiring disclosure, researchers can help increase the response rate by understanding the Privacy Rule themselves. That way, they can initiate discussions with relevant personnel at the state (when obtaining data from the state) and at the hospitals about the relevant legal requirements. Having discussions with hospital chains before initiating the approval process, or working with their associations (American Hospital Association, Catholic Hospital Association, etc.), is also helpful. Data use agreements are another way of making a covered entity more comfortable with the proposal. Another idea is to include something in the study that would be useful to the hospital.

Q: What if I have an individual authorization and hospitals still refuse to send records citing HIPAA as their rationale?

A: Under the Privacy Rule, patients have a right to receive a copy of their protected health information. Patients can request the record and then forward it on to you. Note that the risk of accidental disclosure is higher in this instance. If researchers are having trouble collecting data from covered entities they should go to http://services.aamc.org/easurvey/survey/login.cfm to make their advocates aware of any problems.

Q: Can the state compel the hospitals to release data?

A: This depends on its specific state law. If there is a law mandating disclosure, then yes.

Q: During research preparation, when a researcher may have legitimate access to records in order to determine the protocols of the investigation under the Privacy Rule, can the researcher copy the records, black out identifiers, and then come back for the copied charts with the protected health information removed?

A: It is unlikely that a regulator would allow a researcher to do this when they are supposed to be reviewing records to determine if there is enough information available to warrant a study. One valid approach would be to sign a business associate agreement with the covered entity, remove the identifiers as part of the covered entity's health operations and then come back as a researcher and request the information.

Q: What if the researcher were able to obtain individual authorizations?

A: With individual authorizations, the Privacy Rule does not require IRB/PB review. Other aspects of the study may need IRB review, depending on the researcher's and data sources' institutional policies with regard to human subject protection and applicability of the Common Rule.

3. The investigators need data extracted from the clinical chart in order to validate the diagnoses and other clinical characteristics used in the risk adjustment model. Hospitals copied the requested charts and sent them to project headquarters. To assess the coding bias issues, the project does not require sensitive PHI for the analysis, but information such as names and addresses is likely to be on each page of the medical record.

Q: Does obtaining a copy of the full record violate the “minimum necessary” provision of HIPAA?

A: It may. It is up to the IRB/PB to determine whether the protocol, which contemplates disclosure of the full record, meets the authorization waiver criteria set forth in the Privacy Rule. One criterion that must be met is that research could not practicably be conducted without access to and use of the PHI for which a waiver is requested. If a researcher can convince the IRB/PB that the entire record is needed, or it is impractical to request that the hospital remove all the non-necessary PHI from each page, and the IRB/PB grants a waiver of authorization stating that the entire record may be utilized, then the covered entity is specifically permitted by the Privacy Rule to rely on an appropriately-documented waiver in making its minimum necessary determination.

Q: Does this mean that the unnecessary information needs to be blacked out?

A: While this is up to the individual IRB/PB, the IRB/PB might tell the researcher that it does not believe it is unduly burdensome for the hospital to remove the unnecessary information.

Q: If the project is to obtain copies of the charts, who are the covered entities?

A: The covered entities are the hospitals that have the charts.

Q: Which IRBs have to approve the protocol?

A: While under the Privacy Rule only one IRB needs to approve the protocol to grant a waiver of authorization, many covered entities will not accept a waiver of authorization from every IRB; instead, some covered entities will accept waivers only from certain IRBs (or only from their own affiliated IRBs). The covered entities may also require that their own IRBs review the project for Common Rule purposes. Depending on how many want to perform their own reviews, in this instance, the researcher may have to go through as few as one IRB/PB or as many as 83 (82 hospitals plus the university's IRB).

Q: If the university IRB approves, must the IRB/PBs of all 82 hospitals agree to accept that approval as binding? But, if this is not a requirement of the 82 hospitals and the hospitals agree nonetheless to provide their records, what should they do to be compliant under HIPAA?

A: Under the Privacy Rule, the hospitals may accept the university IRB's waiver of authorization (if the form of waiver complies with applicable requirements) and release the information accordingly. However, they are not required by the regulation to accept the waiver. If it wishes, the hospital can require the researcher to go through its own internal IRB before releasing any information. Hospitals typically have policies and procedures that address which external IRBs can grant waivers on which the hospital will rely.

Under guidance issued by the Office for Human Research Protections (OHRP), an institution is typically considered “engaged in research” if it releases individually identifiable private information for research purposes without subjects' explicit written permissions. So, the hospitals will also be bound by the terms of their Assurances with respect to their abilities to rely on an external IRB's review of the research under the Common Rule.

Q: Besides being liable for improperly releasing data, what other issues are facing covered entities?

A: Covered entities must maintain a detailed record of all disclosures of information made pursuant to an IRB waiver. While there are simplified procedures for maintaining these records when the disclosure involves 50 or more individuals, this so-called “accounting” requirement can be burdensome for covered entities.

5. Suppose project staff received authorization from each individual to request charts from the appropriate state agency and from the administrator of each affected hospital. Participation was voluntary. The request for specific patient charts was done through registered mail. Chart copies were received through registered mail. Charts were stored in locked cabinets inside a research suite that was locked at night. All charts were destroyed at the end of the project and an affidavit affirmed their destruction.

Q: Would anything need to be different in this process under the HIPAA Privacy Rule?

A: Probably not. The Privacy Rule requires only that covered entities have in place “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” The Security Rule, with which covered entities (except small health plans) must comply as of April 20, 2005, contains more detailed standards, but it applies only to electronic PHI.

6. The risk adjustment system cannot be validated effectively from administrative data alone. It is necessary to check the coding of each risk factor. The highly skilled professionals needed for recoding of ICD-9-CM codes would need to be supervised by the research team in order to assure consistency. Clinical abstractors were hired as part of the project staff. Contractors agreed in writing to meet all confidentiality standards. In addition, contractors were given in-service training that included the university's confidentiality requirements.

Q: Post HIPAA, would this be allowed? If so, what would be the required safeguards? If not, how would you suggest the research objective be accomplished?

A: The Privacy Rule should allow this, provided that the IRB has reviewed the protocols for how the coders were to receive the data and how they would handle it. Note that the Privacy Rule does not directly govern the relationship between the researchers and the contractors because the researchers presumably are not in the university's “health care component” and thus are not covered by HIPAA.

Q: Does it matter if the abstractors are employees of the university, independent contractors, or working for another firm?

A: It should not matter as long as an IRB/PB has had a chance to review the data handling protocols, which are relevant to its decision to grant a waiver.

7. Suppose that the project was undertaken as a service to the state in compliance with state law, rather than with the intent of publishing findings. Once completed, however, it is decided that the results warrant publication.

Q: Would any of the decisions made previously be modified if the intent is to publish, or would the ability to publish be affected by any of the decisions that might have been made if the original intent was not to publish?

A: Assuming that the university researchers obtained the data needed for the project in a legitimate way, the Privacy Rule will not affect their desire to publish the results of the study. Instead, their ability to publish will be governed by university policy and by the willingness of journals to accept for publication the results of a project initiated without IRB review. If the intent to publish or otherwise to develop or contribute to generalizable knowledge (e.g., to add to the knowledge base of the field, or to develop outcomes or principles with predictive value) was genuinely absent at the outset of the project, but later arises, the researchers should promptly notify the appropriate university IRB. While IRBs do not have the power retrospectively to approve past data collection and analysis, some IRBs will approve or exempt a proposal to use the data going forward as analysis of existing (i.e., already collected) data, and some IRBs might provide a letter to that effect. It is important that the researchers be upfront and honest with the IRB and other officials at the university, as an IRB's willingness to take this approach will depend on whether it believes that research intent truly developed after the project was underway, or whether it instead believes that the researchers conducted “research” without IRB oversight.

AcademyHealth
