|
 |
|
|
||||||
|
|
Collaboration among Multiple Hospitals HIPAA Case Study #4 Prepared by Don Steinwachs Research Design: A cross-sectional research study is undertaken by a researcher based in a private research center, funded through a grant from the federal government to compare treatment and outcomes for trauma patients between hospitals designated as trauma centers and community hospitals providing emergency medical services. Research Question: The establishment of regionalized systems for trauma care, including the designation of trauma hospitals to treat the most severe cases, varies widely across states and regions. Regionalized systems are expected to triage patients based on severity and transport the severely injured to specialized trauma centers. The research study seeks to evaluate the relative effectiveness of designated trauma centers in achieving improved patient outcomes, including increased survival and recovery. Research Design: The study will use statewide hospital discharge abstract data to describe the distribution and severity of hospitalized trauma cases and in-hospital mortality. For selected categories (e.g., lower extremity, head trauma), samples of cases will be drawn, stratified by hospital and type and severity of trauma. The sampled cases will have their medical records abstracted and a follow-up questionnaire will be sent to patients approximately one year following the injury to assess outcomes. Quality of care indicators will be compared between designated trauma center and community hospitals, as well as outcomes among survivors. Cooperation is sought from the state emergency medical services authority, sampled hospitals, and from trauma survivors. The university IRB reviews the protocol, as does the state agency which provides access to hospital discharge data, and so do IRBs in most of the hospitals. 1. Investigators want to have access to all hospital discharge data in a state or region with hospital identifiers and case numbers. The data are used to compare trauma case mix and estimate inpatient mortality by type and severity of trauma, comparing hospitals with designated trauma centers and community hospitals. The data are then used to sample cases, stratified by hospital, injury and severity, for medical record abstracting and one-year follow-up to assess outcomes. Q: Would state agency reviews of the protocol and approval of access to hospital discharge data with patient demographic information, dates of admission and discharge, diagnoses and procedures, unique case identifier that the hospital can use to match to a patient, and hospital identifier be allowed by the Privacy Rule? Under what conditions? If so, what would be the required safeguards? A: Unless otherwise required by law, individually identifiable health information can only be released by hospitals for research purposes with an individual authorization or IRB waiver of individual authorization. If the researchers want to access data from the state, it is also important to assess whether the data holder is a covered component of the state. If a waiver is sought, the researcher will have to convince an IRB or Privacy Board that the use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, the research could not practicably be conducted without the waiver or alteration, and the research could not practicably be conducted without access to and use of the protected health information. Q: If not allowed by the Privacy Rule, how would you suggest the research objective be accomplished? A: If an IRB waiver cannot be obtained, the researchers should consider to what extent a limited data set or de-identified data can be used. Q: What kinds of data can researcher pursue? A: Researchers can access any information that an IRB approves access to (pursuant to a waiver of HIPAA authorization and as required by the Common Rule and the institution's Assurance), and a covered entity agrees to provide. In this particular instance, the researcher is pursuing: 1) discharge databases (also includes quality of care indicators), 2) in-hospital mortality records, 3) medical records of sample patients that the researcher is requesting for the purpose of sending out questionnaires, and 4) patients' responses to questionnaires. Q: Where do the hospitals as covered entities come into play in this interaction? A: As covered entities, hospitals are liable for any misuse of protected health information. Hospitals are not required to release information for research purposes, even if an IRB has approved a waiver of authorization. The only times a hospital is required by the Privacy Rule to release information are: 1) if a patient asks for the information, pursuant to HIPAA's access provisions (an individual authorization is not required), and 2) when required by the Secretary of Health and Human Services to investigate or determine the covered entity's compliance with the Privacy Rule, and 3) pursuant to a state law requiring disclosure, usually to a state authority. This is permitted as an exception to the Privacy Rule, but is not required by the Privacy Rule. 2. Investigators have identified the study hospitals and a sample of trauma cases for medical record review and follow-up. They want the hospitals to provide names, addresses and other relevant information to a survey research firm which will be doing the follow-up interviews. Also, the investigators want access to the medical records to collect detailed information on the injuries and the treatments provided. Q: Would hospitals be less likely to agree to participate in this study now that the Privacy Rule is in effect? Less likely than before? If so, what could be done to increase participation? A: Some hospitals may be slightly more cautious about participating in medical records research in light of HIPAA, but there are a number of approaches a researcher can take in order to increase participation by covered entities. One is to form cooperative relationships with clinicians within the institution. Another is to consult directly with the privacy officer of the hospital regarding how the research protocols should be designed to meet their needs. Using an IRB the hospital has worked with before and trusts (if not a hospital-affiliated IRB) will also help. Q: What risks do hospitals assume in permitting access to this information? A: Hospitals are potentially liable under the regulation for improperly releasing protected health information. However, if they release information based upon an appropriately documented IRB waiver of authorization then the release should not be considered improper under the Privacy Rule by the government. However, bad publicity with patients and the surrounding community could result if the researcher misuses or inappropriately releases protected health information, and hospitals are vulnerable to lawsuits under state law. Hospitals also need to provide a record regarding the release of protected health information to any patient who asks. Tracking disclosures of this information as required by the Privacy Rule places quite a burden on the hospital (and all covered entities). It is important to address these concerns when designing research protocol, as well as when weighing the potential good versus the harm or burden that can occur through the investigation. Q: Who within a covered entity usually de-identifies data or removes certain unnecessary fields from medical records? A: In-house medical records staff could perform this function, or it could be performed by a contractor that has signed a business associate agreement with the covered entity. Q: Under what conditions would the Privacy Rule permit the hospitals to disclose the protected health information to the survey research firm and to the researcher? A: Hospitals are permitted to release protected health information if they receive proof of an individual authorization, if an IRB approves a waiver of authorization, via a limited data set with a data use agreement, or if it is data only about deceased subjects. This does not mean that the hospital will release the information. It is at their discretion as a covered entity whether to do so. 3. The hospital is asked to provide consent to access all sampled medical records for abstracting, including records for persons who died in the hospital and records for those who were discharged alive. This information will be used to make a final determination about eligibility for interview and will be linked to the discharge abstract data. Also, the hospital is asked to provide contact information for all those who were discharged and are eligible for a one-year follow-up interview to assess outcomes. Q: Would the hospital be allowed to contact discharged patients for an interview without patient consent or individual authorization? Under what conditions? A: Under the Privacy Rule, a hospital can contact a patient for these purposes only with previous individual authorization to do so, pursuant to an IRB waiver of HIPAA authorization, or if the contact is simply to ask the patient if he or she would be willing to sign an authorization to participate in the study. Q: How is authorization acquired for decedent's information? A: Either a waiver of authorization from a relevant IRB, or direct proof of the person's death, such as a death certificate, or an obituary, whatever the covered entity will accept. The covered entity might not request any proof of death, but the researcher needs to present it if asked by the hospital. Q: Is passive consent permissible (e.g., assuming authorization if no response to a letter)? A: This is permitted only by a waiver of authorization from an IRB. Q: Is it permissible to send the survey along with an individual authorization for use of the individual's protected health information? A: Yes, so long as no covered entity has already used or disclosed PHI for research purposes, unless pursuant to an IRB waiver of authorization. Note that if the individual's survey response is sent directly to a non-covered entity researcher or non-covered research firm, and the responses do not pass through a covered entity, HIPAA will not apply to the survey responses. Q: Can the authorization be in the form of a signature at the bottom of the survey? A: Only if the IRB permits an alteration to the individual authorization. This is more likely to be permitted if the perceived risk is minimal. 4. The investigators link complete hospital discharge data with medical record abstracts to interviews from those who could be located and agree to be interviewed. This allows investigators to test hypotheses on the universe of trauma cases and on the sample, and to use the discharge abstract data to adjust for non-response bias where people could not be interviewed or refused consent. Q: Under the Privacy Rule, could investigators be granted access to detailed, though de-identified medical information on all cases sampled, regardless of consent? Under what conditions? A: Yes, but only if the information is de-identified within the meaning of HIPAA (i.e., all the specified identifiers are removed). De-identified health information is not protected by HIPAA. Q: If so, what would be the required safeguards? A: None, if the information meets the definition of “de-identified” under the regulation, then that information is not protected by the regulation. However, since de-identified information is less useful for research, a limited data set might be used instead. The limited data set requires a higher level of protection than de-identified information, including a requirement that the researcher and the covered entity enter into a data use agreement spelling out how the information is to be used and protected before the covered entity can provide it. Q: If de-identified information is not sufficient, how would you suggest the research objective be accomplished? What strategies could be used to limit non-response bias? A: Obtaining the contact information from the hospital, via an IRB waiver of authorization would allow the researcher to mail a letter to potential interview subjects asking them to return a postcard if they do not wish to participate in the research study. The IRB should also be asked to grant access to the medical records of those not participating in order to determine sample bias. Q: What can the researcher do to convince hospitals to allow him or her access to patient contact information for the survey phase of the project? A: Survey research firms can help to approach this question. Giving the hospital incentive to participate is always a good strategy. Another strategy is to ask clinical staff to get individual authorization on-site when the patient is there for treatment. Q: What if the patient cannot sign an individual authorization due to the injuries received, and you will need to contact them many months after discharge? A: The subjects may later be contacted either pursuant to an IRB waiver or by a business associate of the hospital (as part of the hospital's “health care operations”) to ask the subject to sign an authorization. Or someone with the legal authority to act for the patient could sign an ayuthorization for the patient. |
|
|
|
|
|
|
|
 |
