Comments on Modifications to HIPAA Privacy Comments
September 13, 2010
The American Clinical Laboratory Association (ACLA) is pleased to have this opportunity to submit our comments on the Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act; Proposed Rule (the “Proposed Rule”) issued by the Office for Civil Rights (OCR). ACLA is an association representing clinical laboratories throughout the country, including local, regional, and national laboratories.
As covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), clinical laboratories will be directly affected by the proposed modifications to the HIPAA Privacy, Security, and Enforcement Rules (collectively referred to as the “HIPAA Rules”), many of which were mandated by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). While the Proposed Rule sets forth a number of proposed changes to the HIPAA Rules, ACLA’s comments will focus on the following provisions: (1) requested restrictions on certain disclosures of protected health information (PHI); (2) access of individuals to PHI; (3) liability of covered entities and business associates for acts and omissions of agents; (4) factors considered in determining the amount of civil money penalties; (5) certain exceptions to the prohibition on the sale of PHI; (6) notices of privacy practices (NPPs); and (7) authorizations relating to clinical research studies.
REQUESTED RESTRICTIONS ON CERTAIN DISCLOSURES OF PHI (SECTION 164.522(a))
Section 164.522(a) of the Privacy Rule requires covered entities to permit individuals to request restrictions on the use or disclosure of an individual’s PHI for purposes relating to treatment, payment, or health care operations, as well as certain disclosures to an individual’s family members. Until now, covered entities have been under no obligation to comply with an individual’s request, unless the covered entity agreed to such restriction. However, section 13405(a) of the HITECH Act requires that a covered entity comply with an individual’s request to restrict the disclosure of his or her PHI if (1) the disclosure is for the purposes of carrying out payment or health care operations and is not otherwise required by law; and (2) the PHI pertains solely to a health care item or service for which the individual, or person on behalf of the individual, other than the health plan, has paid the covered entity in full. In implementing this section of the HITECH Act, OCR requests comments on several issues, which we have addressed in turn below.
First, OCR requests comment on whether a covered health care provider that knows of a restriction under this section should be obligated to inform other downstream health care providers of the restriction, or whether the restriction should no longer apply until the individual visits the new provider for treatment or services, requests a restriction, and pays out of pocket for the treatment or services. In response to OCR’s request, it is our view that a covered entity should have no obligation to inform downstream providers of any restriction that the individual has requested of the original provider. In enacting this provision of the HITECH Act, Congress did not impose any such obligation on the covered entity, and, therefore, it would be inappropriate for OCR to extend this provision in such a manner that would unduly burden the original covered entity provider. Congress clearly intended this right of restriction of PHI to be triggered by an individual’s request to the covered entity. To require that a covered entity inform downstream providers of the restriction would inappropriately shift the burden of complying with the provision from the individual to the covered entity. If individuals want to make downstream providers aware of any restrictions on disclosures of their PHI or to request restrictions on the disclosures of downstream providers, it should be the individual’s responsibility to notify the downstream provider.
Further, in many cases, it would be infeasible for a covered entity to inform downstream providers of such a restriction. This is particularly true for indirect providers of health care, such as clinical laboratories that have only limited contact with the treating physician and are even further removed from the individual’s other providers. Clearly, Congress did not intend covered entity providers to track down subsequent providers in order to notify them of an individual’s request to restrict the disclosure of the individual’s PHI.
Second, OCR requests comment on the extent to which covered entities must make “reasonable efforts” to secure payment from the individual prior to submitting PHI to the health plan for payment. OCR cites an example of an individual with a bounced check, and states that covered entities should “make some attempt to resolve the payment issue with the individual prior to sending the PHI to the health plan, such as by notifying the individual that his or her payment did not go through and to give the individual an opportunity to submit payment.” We submit, however, that covered entities should have no such obligation, and any expectation to the contrary would be inappropriate under OCR’s legal authority.
As noted above, section 13405(a)(2) of the HITECH Act clearly provides that the covered entity’s obligation to comply with a restriction requested by an individual only arises where the health care provider involved “has been paid out of pocket in full.” Based on the language of this provision, if the covered entity has not actually received payment at the time the request for the restriction is made, the covered entity has no obligation to withhold the disclosure to the health plan. A mere promise to pay is not sufficient to obligate the covered entity to observe the restriction, and it is unreasonable to require the covered entity to delay its receipt of payment until the individual fulfills his or her obligation to pay the covered entity in full. It is difficult to believe that Congress would have intended such a result because of an individual’s failure to pay in full at the time of the request, as required by the statutory provision. Indeed, OCR notes that it does “not believe that the statutory intent [of Congress] was to permit individuals to avoid payment to providers for the health care services they provide.” As such, we ask that OCR make clear that covered entities be under no obligation to resolve any payment issue with the individual prior to sending the PHI to the health plan, and that payment be made to the covered entity at the time the individual makes the request in order for the covered entity to be obligated to comply with the request.
Third, OCR requests comment on its proposal to permit a covered entity to send PHI to a health plan when payment for a non-restricted follow-up service is dependent upon the disclosure of PHI from an earlier encounter that was subject to a restriction. Specifically, OCR proposes that the lack of restriction with respect to the follow-up service extends to any PHI necessary to effect payment for such treatment, even if the PHI is related to a previously restricted disclosure. ACLA strongly supports OCR’s position to permit covered entities to disclose an individual’s PHI to health plans for purposes of payment where the information relating to the initial treatment or service is necessary to determine the medical appropriateness or medical necessity of the follow-up treatment or service. If OCR fails to adopt this approach, downstream providers that are not subject to a requested restriction could find themselves in the position of providing follow-up treatments or services for which they may not be able to obtain reimbursement because of the inability to demonstrate medical necessity of the follow-up care.
ACCESS OF INDIVIDUALS TO PHI (SECTION 164.524)
The Individual Right Of Access To PHI In Electronic Form Should Only Apply In Instances Where The Covered Entity Uses Or Maintains An “Electronic Health Record” With Respect To Such PHI.
The Privacy Rule currently provides individuals with a right to review or obtain copies of their PHI to the extent the information is maintained in a designated record set, subject to certain limitations. Section 13405(e) of the HITECH Act strengthens this right of access. In relevant part, section 13405(e) of the HITECH Act provides the following:
“in the case that a covered entity uses or maintains an electronic health record [EHR] with respect to [PHI] of an individual — (1) the individual shall have a right to obtain from such covered entity a copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.” Section 13405(e) also provides that any fee imposed by the covered entity for providing such an electronic copy shall not be greater than the entity’s labor costs in responding to the request for the copy.
In implementing section 13405(e) of the HITECH Act, OCR proposes to use its “broader authority” under section 264(c) of HIPAA to expand the right of access provision to “all PHI maintained in one or more designated record sets electronically, regardless of whether the designated record set is in an [EHR].” However, in doing so, OCR significantly exceeds its authority under HIPAA, and ignores the clear language of Congress in the HITECH Act, which directs that the right of access requirement only apply to PHI used and maintained by covered entities in EHRs. While OCR suggests that section 264(c) of HIPAA grants the agency broader authority to expand the right of access provision to include PHI that is maintained in one or more designated record sets electronically, that is, in fact, not the case.
In relevant part, section 264(c) provides the following:
(1) IN GENERAL.–If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with [certain covered HIPAA transactions] is not enacted by the date that is 36 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act. Such regulations shall address at least [the rights of individuals with respect to their PHI and authorized or required uses and disclosures of PHI].
Importantly, nothing in section 264(c) grants OCR the authority to ignore the clear language of the HITECH Act, which requires that covered entities provide individuals with access to PHI in an electronic format if the PHI is used or maintained in an EHR. Rather, section 264(c) of HIPAA granted the Secretary the authority to issue the initial final Privacy Rule within three and a half years after the enactment of HIPAA if Congress failed to enact more specific privacy standards within that time period. When Congress failed to act within the three and a half years, the Secretary met its obligation under section 264(c) by issuing the initial final Privacy Rule on December 28, 2000. Consequently, contrary to OCR’s assertions in the Proposed Rule, section 264(c) is not a blanket grant of authority for OCR to issue HIPAA Rules without the appropriate electronic access provision beyond PHI that is used and maintained by covered entities in EHRs. Further to this point, an “EHR” is a defined term in the HITECH Act, indicating that if Congress intended to apply the right of electronic access provision to include any designated record set in electronic form it could have done so. Instead, Congress defined an EHR as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.” Congress defined an EHR in a manner clearly indicating that the term does not extend to all PHI maintained in one or more designated record sets electronically. Therefore, it is clear that Congress intended an individual’s access to PHI in electronic form to depend upon whether or not the PHI is maintained in an EHR, and it is not OCR’s role to substitute its own policies for the expressed intent of Congress without the statutory authority to do so.
As such, OCR should adhere to the language of section 13405(e) of the HITECH Act and apply the right of electronic access provision only where PHI is used or maintained by covered entities in EHRs. Specifically, OCR should revise proposed section 164.524(c)(2)(ii) by replacing the phrase “maintained in one or more designated record sets electronically” with “maintained in an electronic health record.”
The Right Of Access Of Designated Individuals To PHI Should Only Apply In Instances Where The Covered Entity Uses Or Maintains An “Electronic Health Record” With Respect To Such PHI.
OCR further proposes to expand the right of access provision to provide that, if requested by an individual, a covered entity must transmit the copy of PHI directly to another person designated by the individual, without regard to whether the PHI is in electronic or paper form. In doing so, OCR states that it is relying on section 13405(e)(1) of the HITECH Act and its authority under section 264(c) of HIPAA. Again, however, neither of the cited authorities grants OCR the authority to implement this proposal. While section 13405(e)(1) of the HITECH Act does provide an individual the right to direct the covered entity to transmit a copy of PHI directly to an entity or person designated by the individual, that right only applies in the case that a covered entity uses or maintains an EHR with respect to such PHI. Further, as explained above, section 264(c) of HIPAA does not grant OCR the authority to ignore the expressed will of Congress.
Therefore, OCR should amend proposed section 164.524(c)(3)(ii) to provide that an individual’s right to direct the transmittal of PHI to a designated person only applies when the covered entity uses or maintains an EHR (as defined in the HITECH Act) with respect to such PHI.
OCR Should Maintain The Current Timeliness Standard Of 30 Days.
ACLA encourages OCR to maintain the existing standard, which generally requires the provision of access within 30 days of the request. While there may be, as the agency states, “an increasing expectation and capacity to provide individuals with almost instantaneous electronic access to PHI through personal health records or similar electronic means,” this is oftentimes not the reality. In fact, as noted by OCR, not all electronic systems would be able to comply with a timeliness standard based on the various electronic personal health record capabilities.
Further, the process of authentication to ensure that the individual requesting the PHI is the individual entitled to receive the information can often be quite time consuming, as can the retrieval of the data itself at the covered entity’s facility or off-site with respect to historical data. This is particularly true for clinical laboratories where records are typically not organized by patient, and where each time a test is performed on a patient the results are stored in a separate and distinct record not connected with other records of that patient. Lastly, some determinations, such as whether the granting of access would endanger the individual, can also take a significant amount of time to evaluate to ensure that the information is provided in a secure and confidential manner.
Given these considerations, in addition to the fact that Congress elected not to make any changes to the current timeliness standard in the HITECH Act, we urge OCR to maintain the existing timeliness standard of 30 days.
Laboratory Information Systems Are Not “EHRs.”
Finally, in applying the right of electronic access provision, OCR should set forth a clear regulatory definition of an EHR that is consistent with the definition of an EHR in section 13400(5) of the HITECH Act. As we raised with OCR in our response to the agency’s Request for Information relating to the forthcoming accounting of disclosures requirements, this definition should not in any way include a clinical laboratory information system (LIS) because, by definition alone, an LIS is not an EHR.
First, unlike an EHR, an LIS is an electronic solution for receiving, processing, and storing information used solely by the clinical laboratory in the performance of laboratory testing, for reimbursement purposes, and for other informatics as required by our customers. While the definition of an “EHR” in the HITECH Act is seemingly broad in its inclusion of an “electronic record of health-related information,” we do not believe Congress intended the definition of an “EHR” to include an LIS based on the most critical component of its definition. Specifically, an EHR is “created, gathered, managed, and consulted by authorized health care clinicians and staff.” It is clear from the definition of an “EHR” that Congress could not have clinicians (e.g., ordering physicians) and their staffs. Thus, because an LIS is used and maintained solely by the clinical laboratory, and not by clinicians and their staff, an LIS does not constitute an “EHR,” as defined in the HITECH Act.
Second, although not expressly stated in the HITECH Act definition, an “EHR” is intended to describe an individual’s complete medical record, which an LIS does not. This understanding is well recognized in the vendor and laboratory industries and is consistent with the Healthcare Information and Management Systems Society’s (HIMSS’s) definition of an EHR. HIMSS defines an “EHR” as a “longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting.” In other words, an EHR is a compilation of health-related information across multiple care delivery settings that is ultimately used and maintained by the treating practitioner. According to HIMSS, an EHR includes information such as patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data, and radiology reports. The EHR permits the clinician to automate and streamline his or her workflow. Importantly, as noted by HIMSS in its definition, an EHR has the ability to generate a complete record of a clinical patient encounter, which may include evidence-based decision support, quality management, and outcomes reporting, as well as supporting other care-related activities directly or indirectly via an interface.
By contrast, LIS systems maintain only an electronic record of patient health information necessary to facilitate the provision of clinical laboratory services for individuals. This information is essentially limited to the name of the patient (or simply a patient identification number), the ordering physician, the test to be ordered, and the results of the test performed. Additionally, information is not captured in an LIS in the format of a medical folder or record for a patient, and testing over a period of time for each patient is not linked within the LIS. Instead, as noted earlier, each time a test is performed on a patient the results are stored in a separate, distinct record and are not connected with other records of that patient, contrary to the way a patient’s medical record would occur in an EHR. Finally, again, an LIS is used and maintained by the laboratory itself, and not by health care clinicians or their staffs. As such, an LIS is clearly not the type of system that should be considered to be an “EHR.”
Accordingly, we again ask that OCR make a clear distinction between LIS systems and EHRs in its implementation of the HITECH Act’s definition of an EHR. Moreover, and perhaps most importantly, we ask that OCR make clear that any HIPAA requirement relating to EHRs clearly exclude covered entities that use or maintain PHI in non-EHRs, such as LIS systems.
LIABILITY OF COVERED ENTITIES AND BUSINESS ASSOCIATES FOR ACTS AND OMISSIONS OF AGENTS (SECTION 160.402(c))
Currently, section 160.402(c) of the HIPAA Enforcement Rule holds a covered entity liable for a violation based upon the act or omission of any agent of the covered entity acting within the scope of the agency, unless the following requirements are satisfied: (1) the agent is a business associate; (2) the relevant contract requirements have been met; (3) the covered entity did not know of a pattern or practice of the business associate in violation of the contract; and (4) the covered entity did not fail to act as required by the Privacy or Security Rule with respect to such violations. In the Proposed Rule, OCR is proposing to eliminate this existing exception to covered entity liability for acts and omissions of its agents, and further proposes the addition of a new, parallel provision (section 160.402(c)(2)), which would treat business associates the same way with respect to subcontractors acting as their agents. ACLA, however, urges OCR to maintain the existing liability exception for covered entities and to extend the exception to business associates who would otherwise be held liable for acts and omissions of their subcontractor agents.
According to OCR, the rationale for removing this exception is that the “change is necessary to ensure, where the covered entity has contracted out one of its obligations under the HIPAA Rules, such as the requirement to provide individuals with a NPP, that the covered entity remains liable for the failure of its business associate to perform that obligation on the covered entity’s behalf.” However, the liability imposed on covered entities for violations by business associate agents as a result of the elimination of this exception would not be limited to instances where the covered entity has contracted out a particular obligation under the HIPAA Rules. Rather, it would also include liability resulting from any violation of the HIPAA Rules by the business associate agent in the process of carrying out a contractual obligation under the business associate agreement that was never intended to be an obligation of the covered entity under the HIPAA Rules.
For example, as proposed, if a covered entity contracts with a business associate to prepare an analysis of PHI for another covered entity to whom disclosure of the analysis is permitted, and in doing so the business associate uses more than the minimum necessary amount of PHI for the use and disclosure, the covered entity would be held liable for the violation of the minimum necessary standard by its business associate agent, even though the covered entity was under no obligation under HIPAA to prepare the analysis of the PHI and send it to the other covered entity. Although OCR states that it does “not believe this proposed change would place any undue burden on covered entities, since covered entities are customarily liable for the acts of their agents under agency common law,” this example, alone, illustrates that covered entities would be subject to new burdens and obligations that do not currently exist under HIPAA by virtue of the exception. It is unfair and unreasonable to hold covered entities accountable for any and every action, or inaction, of their business associate agents when the obligation was not that of the covered entity and the covered entity has taken the appropriate steps to ensure that the business associate agent is in compliance with its requirements under the HIPAA Rules and the business associate agreement.
Further, the justification for the exception to covered entity liability for acts and omissions of its agents is stronger now than it was when the exception was first established, because even where the covered entity meets the requirements of the exception, the business associate will now be held directly responsible for any violation of the HIPAA Rules arising from its own act or omission. Thus, there is no justifiable rationale for holding the covered entity liable in light of the new obligations on the business associate and, therefore, OCR should maintain the exception to covered entity liability. Likewise, an exception to business associate liability for acts and omissions of its subcontractor agents that is parallel to the existing exception for covered entities would be appropriate, since subcontractor agents of business associates will now be directly subject to liability under the HIPAA Rules as business associates themselves. Removing the existing exception for covered entities, and failing to adopt a parallel exception for business associates, will simply duplicate liability without regard to fault.
FACTORS CONSIDERED IN DETERMINING THE AMOUNT OF CIVIL MONEY PENALTIES (SECTIONS 160.408 (c)(1) AND (c)(2))
Section 160.408 implements section 1176(a)(2) of the Social Security Act, which requires the Secretary, when imposing a civil money penalty, to apply the provisions of section 1128A of the Social Security Act in the same manner as such provisions apply to the imposition of a civil money penalty under section 1128A. Section 1128A requires the Secretary to take into account, among other things, the “history of prior offenses.” While OCR acknowledges that “[t]he HITECH Act did not modify section 1176(a)(2) (requiring application of section 1128A),” OCR is proposing to revise section 160.408(c)(1) and (c)(2) by replacing the phrase “prior violations” with the phrase “indications of noncompliance.”
ACLA is concerned that this proposed change by OCR would greatly expand the agency’s discretion in determining the amount of civil money penalties that could be imposed on covered entities, without any appropriate rationale. OCR explains that it is seeking this change because “a covered entity’s general history of HIPAA compliance is relevant in determining the amount of a civil money penalty,” and that the term “violation” is generally reserved for “circumstances in which the Department has made a formal finding of a violation through a notice of proposed determination.” Based on this explanation, it appears that OCR intends the phrase “indications of noncompliance” to refer not only to actual violations of the HIPAA Rules, but also to mere allegations of noncompliance that have not been finally determined. Since a mere allegation of noncompliance could not reasonably be considered to be within the “history of prior offenses” contemplated by section 1128A, we believe the proposed change in terminology from “prior violations” to “indications of noncompliance” exceeds the scope of factors to be considered by OCR in determining the amount of a civil money penalty. As such, ACLA urges OCR to maintain the existing language of “prior violations” and refrain from amending sections 160.408(c)(1) and (c)(2) as proposed.
EXCEPTIONS TO THE PROHIBITION ON THE SALE OF PHI (SECTION 164.508(a)(4)(ii))
The Proposed Rule prohibits a covered entity or business associate from receiving direct or indirect remuneration in exchange for the disclosure of PHI unless the covered entity has obtained a valid authorization from the individual or one of the enumerated exceptions applies. OCR requests comments on several of the exceptions to the general prohibition against the sale of PHI, to which we respond below.
Public Health Purposes (Section 164.508(a)(4)(ii)(A))
OCR requests comment on whether the public health exception to the prohibition against the sale of PHI without authorization should be restricted by requiring that the price charged for the data reflects only the costs of preparation and transmittal of the data. ACLA objects to the imposition of such a restriction. Data that may be useful for public health purposes is not generated, stored, or retrieved without expense to the provider furnishing the data. As such, these expenses, in addition to the costs of preparation and transmission, should be recoverable by the provider.
Required by Law (Section 164.508(a)(4)(ii)(G))
OCR requests comment on its proposed exception to the prohibition against the sale of PHI without authorization for disclosures that are required by law as permitted under section 164.512(a). ACLA supports this proposed exception to ensure that a covered entity can continue to disclose PHI where required by law even if the covered entity receives remuneration for the disclosure.
Any Other Purpose (Section 164.508(a)(4)(ii)(H))
OCR requests comment on its proposed exception to the prohibition against the sale of PHI without authorization for disclosures for any other purpose permitted by and in accordance with the applicable requirements of the Privacy Rule, as long as the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or is a fee otherwise expressly permitted by other law. ACLA agrees with OCR that this proposed exception is necessary and appropriate to ensure that the Proposed Rule does not deter covered entities from disclosing PHI for permissible purposes under the Privacy Rule simply because covered entities routinely receive payment equal to the cost of preparing and/or transmitting the PHI. In addition, as discussed above with respect to the exception for public health purposes, ACLA encourages OCR, in finalizing this exception, to permit covered entities to also receive remuneration for generating, storing, or retrieving the PHI.
NOTICES OF PRIVACY PRACTICES (SECTION 164.520)
As a general matter, section 164.520 of the Privacy Rule sets forth the requirements for covered entities to have, and to distribute to individuals, a NPP. Given some of the new obligations under the HITECH Act, OCR is proposing certain changes to the NPP requirements.
Breach Notification Obligations
OCR is requesting comment on whether the Privacy Rule should require a specific statement in the NPP regarding the new breach notification requirements for covered entities with respect to their notification obligations following a breach of unsecured PHI, and what particular aspects of this new duty would be important for individuals to be notified of in the NPP.
In response to OCR’s request for comment, ACLA does not believe any statement regarding breach notification obligations should be required in the NPP. The existing mandatory content for the NPP is already so lengthy that it deters most individuals from reading it, which is completely contrary to the purpose and importance of the document. The inclusion of any reference to the breach notification obligations will only make the NPP longer and even less likely to be read by individuals. Further, the obligation to notify others in the event of a breach of unsecured PHI relates to security practices, not privacy practices, which are the subject matter of the NPP, and any mention of breach notification obligations in the NPP could introduce confusion for individuals where federal and state breach notification laws differ. As such, we encourage OCR to not amend the NPP requirements to include any mention of the new breach notification requirements, and include only those changes in the Proposed Rule that are more directly tied to privacy practices.
Notifications of a Material Change
OCR is requesting comment on whether it should replace the current 60-day requirement for health plans to provide a modified NPP to their members after a material change with a requirement to revise the NPP and distribute it (or notify members of the change and how to obtain a revised NPP) in the next annual mailing to members, such as at the beginning of the next plan year or during an open enrollment period. In addition to this proposal, OCR suggests other alternatives to the current 60-day requirement.
Given the options being considered by OCR, ACLA supports the above proposal of permitting health plans to provide modified NPPs to its members after a material change through the next annual mailing as it is the most flexible and least burdensome approach for health plans. The flexibility that this proposal would afford is particularly important for self-insured health plans, which are often operated by covered entities, such as clinical laboratories.
AUTHORIZATIONS RELATING TO RESEARCH (SECTIONS 164.508(b)(3) AND (c)(1))
Section 164.508(b)(3) of the Privacy Rule generally prohibits the combining of authorizations where an authorization for the use and disclosure of PHI is combined with any other legal permission. As noted by OCR, the Secretary’s Advisory Committee on Human Research Protections (SACHRP) and the Institute of Medicine (IOM) have raised their concerns regarding this prohibition.35 Namely, it has been brought to OCR’s attention that the prohibition requires covered entities to provide individuals with multiple authorization forms, which can be confusing to individuals, and compels covered entities to store twice as many authorizations as necessary.
As such, OCR is proposing to amend sections 164.508(b)(3)(i) and (iii) to allow covered entities to combine conditioned and unconditioned authorizations for research, provided that the authorization clearly differentiates between the conditioned and unconditioned research components and clearly allows the individual the option to opt in to the unconditioned research activities.36 ACLA supports OCR’s proposal to permit compound authorizations. OCR’s proposed changes would be beneficial to both individuals participating in research studies and covered entities alike by streamlining the authorization process and significantly reducing the documentation obligations of covered entities.
In addition, section 164.508(c)(1)(iv) of the Privacy Rule requires an authorization to include a description of each purpose of the requested use or disclosure, which has been interpreted by the agency to mean that authorizations for research must be “study specific.”37 As noted in the Proposed Rule, OCR has heard concerns from SACHRP and IOM regarding the barriers to secondary research presented by this interpretation of the regulation. Given these concerns, OCR is considering whether to modify its interpretation in one of the following ways:
(1) the Privacy Rule should permit an authorization for uses and disclosures of PHI for future research purposes to the extent such purposes are adequately described in the authorization such that it would be reasonable for the individual to expect that his or her PHI could be used or disclosed for such future research; (2) the Privacy Rule should permit an authorization for future research only to the extent the description of the future research included certain elements or statements specified by the Privacy Rule, and if so, what those elements should be; and (3) the Privacy Rule should permit option (1) as a general rule, but require certain disclosure statements on the authorization in cases where the future research may encompass certain types of sensitive research activities, such as research involving genetic analyses or mental health research, that may alter an individual’s willingness to participate in the research.
ACLA agrees with SACHRP and IOM with respect to the barriers that the “study specific” authorization requirement presents for secondary research, which often involves transferring information and specimens collected during clinical trials to research databases or repositories for future research. Specifically, of the three proposals, ACLA member companies support OCR’s first proposal, under which the Privacy Rule would permit an authorization for uses and disclosures of PHI for future research purposes to the extent such purposes are adequately described in the authorization. This proposed policy would protect the interests of individual participants while allowing the flexibility necessary to conduct future research. As such, we urge OCR to modify its interpretation of section 164.508(c)(1)(iv) accordingly.