Ethnographic Research in a Medical Setting

HIPAA Case Study #3

Prepared by Daniel Dohan and Hal Luft

Printer-Friendly version

Summary: An ethnographic study is undertaken by a university-based researcher to examine how a public hospital emergency department (ED) manages the provision of care to indigent patients in everyday life.

Background: Hospital EDs are required by law to assess all patients who present at their doors, and to provide treatment to those patients determined to have an emergency medical condition. Previous studies show that this obligation can create problems for hospital EDs due to: a) social use: patients who present to the ED may be suffering from social rather than purely medical problems, and b) tenuous financing: patients who present to the ED may be poor and uninsured and thus unable to pay for services provided per legal mandate. While the problems of social use and tenuous financing are well documented, how ED care-providers actually manage them in everyday life is not well understood. This study seeks to examine these problems as they occur in the ED and to document how ED providers interpret and manage them in everyday life.

Research Design: This study will involve an ethnographic case study of a public hospital ED where the problems of social use and tenuous financing are known to be acute. Interactions between and among patients and providers in all areas of the ED will be observed by a trained ethnographer during all ED shifts and days. Field notes will be recorded in situ to document how the problems of social use and tenuous financing manifest themselves and are managed in everyday life. In-depth interviews will be conducted with providers in order to elicit their understandings of the problems of social use and tenuous financing and how they perceive they are managed in the hospital ED.

1. To conduct this ethnographic project, investigators need to have full access to all

areas of the ED while disturbing usual work routines as little as possible. This makes

it difficult, if not impossible, to obtain signed consent forms from subjects involved

in ethnographic research. In the past, some universities had taken the position that if

this research was not federally funded, an IRB review was not required.

Q: Will the Common Rule apply to this research project, and if so, how?

A: If the hospital receives federal funding for any research and has signed an Assurance with the government, the outcome should not depend on whether this particular study is federally funded. However, if the hospital has not signed an Assurance, and the study itself is not federally funded, it may be exempt from IRB review on that basis, subject to institutional policy. The Common Rule also generally exempts research involving the use of survey procedures, interview procedures, or observation of public behavior, unless the research data generated are potentially identifiable and sensitive. However, as mentioned above, many institutions that receive any federal research funds require that their IRBs or IRB staff make this determination. If the research is not exempt on either basis, it may qualify for expedited review and a waiver of informed consent.

Q: Has HIPAA changed this result?

A: Under the Privacy Rule, a hospital technically “discloses” PHI to any person who sees hospital members treat patients. In the ED setting, these disclosures will occur many times, because EDs are crowded and busy. For these and similar situations, the Privacy Rule contains a category of permissible disclosures called “incidental disclosures;” one example the government has given of a permissible incidental disclosure is when a hospital visitor overhears a provider's conversation with another provider or a patient. However, incidental disclosures are only permissible if they are consistent with the hospital's minimum necessary policies and safeguard procedures. It is unlikely that a hospital could, consistent with these policies and procedures, knowingly allow a researcher to observe its patients being treated without patient authorization or an IRB waiver. This is therefore an example of research that might be exempt under the Common Rule, but for which the Privacy Rule likely contains no exemption.

Q: What are the implications of HIPAA with respect to “authorization”, and are these implications dependent on the source of funding?

A: The application of HIPAA does not depend on funding source. The study will likely require either patient authorization or a waiver thereof, as described above.

Q: Will IRBs be able to continue to grant waivers of authorization for ethnographic projects conducted in clinical settings?

A: Yes, but they will grant waivers based on the principle that the risk of patient identification is minimal. An IRB might waive signed consent, but require that the subject be informed verbally, in plain language.

Q: What is the covered entity in this case and how does it enter into the process if it is not directly providing data?

A: Even though the covered entity is not giving the researcher access to medical records, their granting permission to make observations in the Emergency Department is, according to the rule, granting access to protected health information.

Q: Would authorization and IRB approval be required if the researcher were to undertake the study standing outside the ED, observing people as they entered and left?

A: The answer is unclear. Assuming the hospital controls the premises outside the ED, the hospital controls whether the researchers have access to information they obtain and may thus be viewed as “disclosing” this information. However, the amount of health information in these disclosures is significantly reduced or even eliminated, to the extent it is not plainly obvious that someone entering or leaving the ED will be or had been a patient at the hospital.

Q: Does individual consent need to be gathered if the subject is a doctor?

A: As long as the subject is not a patient, and the researcher does not obtain from the subject any individually identifiable health information about a patient, then the Privacy Rule does not apply to the researcher's interaction with the doctor. Whether consent to participate in the study (i.e., Common Rule informed consent) must be obtained from the doctor is up to the IRB.

Q: Can the IRB determine that the investigator cannot record certain identifiable information in the field notes? How should the investigator raise this issue with the IRB?

A: By the law of “small numbers” an IRB may determine that a researcher cannot record certain information on the basis that is identifies a certain person, (e.g., a description of the subject's behavior or appearance). A solution is to de-link the times and dates of observations with the interview portion of the investigation. Note that recording identifiable information, particularly if the IRB believes that some of the notes may be sensitive (e.g., about a patient treated for a drug overdose, suicide attempt, sexually transmitted disease, etc.), may jeopardize the study's exemption under the Common Rule.

Q: How should the investigator raise this issue with the IRB?

A: The researcher needs to outline the protocols that will be involved, how the observation will take place, how decisions will be made to determine who to interview, the approach, what type of oral consent the researcher plans to obtain, and what will be recorded in the notes.

2. While conducting ethnographic research in the ED, researchers will invite some patients to participate in the study and their oral authorization (and consent) will be obtained.

Q: Are oral authorizations allowed under HIPAA?

A: Oral authorization may be allowed by the IRB in the form of a waiver of signed consent if there is a sound reason why the research could not be conducted otherwise, and if it poses minimal risk to the patient. An example of when oral authorization may be permitted would be for telephone interviews.

Q: Can consent be gathered after the interview or observation?

A: Having the subject sign an individual authorization after the fact is permitted as a means of allowing any use or disclosure of PHI by a covered entity once the authorization is signed. There must then be some independent basis (e.g., waiver of authorization) under HIPAA that allowed the hospital to grant the researcher access to patients before the authorization was signed.

3. Investigators will inevitably be exposed to identifiable information related to other patients who are not participating in the research, for example, when providers discuss the medical condition of a non-subject patient in the presence of the investigator.

Q: How could this “collateral” information be used in research?

A: It is important to address how this will be handled with the IRB. In addition, if the researchers are not collecting this collateral information for research purposes and their exposure to this information is not intentional, then the disclosures might constitute permissible “incidental disclosures,” as described above.

Q: Does the IRB need to approve this protocol under the Privacy Rule?

A: If a waiver is sought for the researchers to collect these data, then IRB review would be required. The IRB would consider, among other things, the researcher's plan for protecting sensitive information. It is also a good idea to check with the IRB periodically (or as directed by the IRB) to maintain assurance that the agreed-upon protocols are being followed.

4. To record ethnographic data confidentially, investigators generally use a code system to record individual identities in field notes and use pseudonyms and disguise identifiable characteristics of participants or settings in publicly available research reports. Investigators and other key members of the research team maintain access to the original field notes containing all identifying information (except actual names). Access to raw data is restricted, field notes and interview data are kept in locked filing cabinets and password-protected computer files.

Q: Will these practices for maintaining subject confidentiality change because of HIPAA?

A: Probably not. The Privacy Rule requires only that covered entities have in place “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” The Security Rule, with which covered entities (except small health plans) must comply as of April 20, 2005, contains more detailed standards, but it applies only to electronic PHI. If researchers are interested in protecting the notes from legal process (such as a subpoena), they should consider seeking a Certificate of Confidentiality for their research from the National Institutes of Health, as a court could compel disclosure not only of the coded notes, but also of the linking information needed to identify the notes.

Q: What must the researchers disclose to the covered entity about how they will store and use the data?

A: Some of these details may be included in the waiver of authorization document supplied by the IRB to the covered entity. Even though the researcher is not required by HIPAA to supply additional information, hospital policies may require that other hospital personnel (i.e., individuals not on the IRB) receive the protocol or a summary of it.

Q: Do protocols for storage and maintenance need to be approved by the IRB?

A: Yes, if the study is subject to the Common Rule or if a HIPAA authorization waiver is sought.

5. During interviews, investigators tell providers that they, the investigators, are not interested in the details of any particular case, but they also encourage providers to speak freely about their experiences of providing care in the ED.

Q: Will the practice of using one's own discretion in discussing patient information be sufficient under the new Rule? If not, what standards will apply?

A: No. The standards laid out in the HIPAA privacy regulation apply and will be used by the IRB to examine all privacy protocols and provide oversight of the study.

Q: Who/what will determine these standards?

A: The IRB will determine the standards using the criteria laid out in the privacy regulation.

Q: How will it be determined if the standards are violated?

A: The IRB maintains oversight over the research project, and the hospital or (in some cases) the IRB may stop the research if the approved protocol is not followed. In addition, patients are given the ability to direct complaints to the Office of Civil Rights. While the researchers in this case likely are not directly covered by the privacy rule, one can assume that if covered entities receive complaints about providing information to certain investigators that covered entities will no longer release data to them.

Q: What will the researcher need to disclose to the relevant IRBs in order to have his or her interactions with providers approved?