Ensuring the Privacy of Protected Health Information in Research

Article Outline

An issue of mounting importance for health-care providers and researchers in the United States is that of ensuring the privacy of health information of patients involved in research. Laws and statutes dealing with this issue may be germane in other countries. What do authors and research centers need to know about privacy? How can readers be assured that private information is protected and that patients' civil rights are respected? This editorial provides an overview of this developing area of responsibility for health-care providers and researchers.

The topic of confidentiality in health care is not new. However, US federal law and various rules pertaining to protecting health information are fairly new topics for authors, editors, and publishers since the Health Insurance Portability and Accountability Act (HIPAA) of 1996, also known as the Privacy Rule, went into effect on April 14, 2003.1 Most health-care providers in clinical practice in the United States are aware of HIPAA from the perspective of protecting health information in the clinical setting. However, the Privacy Rule also applies to research efforts, and there are regulations to follow as manuscripts make their way to publication. The Journal of Manipulative and Physiological Therapeutics (JMPT) is not alone in addressing HIPAA issues; editors of other biomedical journals are dealing with these concerns.2, 3, 4, 5

The question pertaining to HIPAA that an author needs to answer is, “Am I allowed to conduct this research without the authorization of the patient?” This involves determining whether the patient was cared for by a “covered entity”6 and also the dates of when the care was provided. A covered entity is one or more of the following: (1) a health-care provider that conducts certain transactions in electronic form, (2) a health-care clearinghouse, or (3) a health plan. Readers can determine if they are a covered entity by using the online decision-making tools available from the Centers for Medicare and Medicaid Services (www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp).

Because there are several caveats to answering this question, it is best for authors from institutions, hospitals, and health-care groups to submit a proposed research project (regardless of research design) to either an institutional review board (IRB)/ethics review board or privacy officer for guidance. Institutional review board/ethics boards reviewing clinical trials for approval usually ensure the protection of information through appropriate data safety and monitoring processes. Therefore, manuscripts derived from such research are usually in compliance with HIPAA, assuming that the IRB/ethics board has compliance measures in place.7

Projects performed at institutions (eg, colleges, universities, hospitals) that receive expedited review or exemption from an IRB/ethics board (eg, case reports, case series, and quality improvement studies) also need to be HIPAA compliant. When obtaining patient authorization is not practical, an IRB/ethics board or privacy board may be able to waive or alter the authorization requirement. The Privacy Rule also provides alternatives to obtaining an authorization or a waiver or an alteration of this requirement, such as limited data sets or with representations provided for certain research activities. HIPAA contains a provision that “grandfathers” research that is ongoing before the compliance date to facilitate compliance with the Privacy Rule.8 Summarily, researchers and clinicians at institutions should have projects approved by the HIPAA or privacy officer before initiating the project and certainly before submission of a manuscript to a journal.8

Authors submitting works from individual private practices may also be covered entities and can explore the online decision-making tools described previously to determine this. The simplest way to ensure that patient privacy is respected is to have patients (whose care was rendered on or after April 15, 2003) reported in a study provide written authorization to have information pertaining to their case published in a public medium (www.wame.org/hipaa.htm). Information is available in the JMPT instructions for authors (www.mosby.com/jmpt).

In compliance with the Privacy Rule, the JMPT now requires all authors to obtain IRB/ethics board or privacy officer approval of the project and/or the written authorization of patient(s), and to include such a statement in the methods section of the submitted manuscript. As is customary, protected health information (eg, name, social security number, medical record number, address, and others) should never be included in a manuscript or visible on figures submitted with the manuscript.9, 10 A complete list of protected health information is available in the booklet Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule.11 If a photograph of the patient is included with the manuscript, the author should protect the identity of the patient or the author should also acquire written permission from the patient to publish the photograph if the identity of the patient cannot be preserved.12

The Privacy Rule provides ways to access vital information needed for research and publication in a manner that protects the privacy of the research subject. Many researchers are accustomed to complying with federal and state regulations that protect participants from research risks, although some may find these new policies yet another obstruction on to the road to publication. Yet, it is our responsibility to be compliant with federal regulations and to protect the identity and privacy of our patients.13 Failure to do so may result in a patient filing a health information privacy complaint with the Office of Civil Rights.14 The Department of Health and Human Services is currently developing rules for the imposition of monetary penalties for those who violate HIPAA and is seeking public commentary on these rules.15 Authors may find the US Department of Health and Human Services question and answer Web site valuable for answering specific questions related to this topic (http://answers.hhs.gov). For a complete discussion of how HIPAA applies to research, acquire the free booklet Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule from the Department of Health and Human Services.11

How HIPAA and privacy rules in other countries apply to research, scientific writing, and journalism is a developing conversation.13 As time passes, the uncertainties surrounding this topic will hopefully become clearer through discussion and public interaction with federal agencies. The JMPT supports ensuring the privacy of health information in publication and requires appropriate documentation of such assurance as outlined in this editorial. Readers are encouraged to investigate the resources cited in this article.

References

1. 1Health Insurance Portability and Accountability Act of 1996. Pub. L. 104-191, 110 Stat. 1936, 1996

2. 2Schachat AP. What is HIPAA and what effect may it have on our journal?. Ophthalmology. 2003;110:1074–1075. Full Text | Full-Text PDF (29 KB) | CrossRef

3. 3Harris GJ. The privacy rule and the ophthalmic plastic surgeon as author. Ophthal Plast Reconstr Surg. 2005;21:85–86. MEDLINE | CrossRef

4. 4Reed ME. The HIPAA Privacy Rule: what it means for submissions to the journal. Plast Reconstr Surg. 2003;111:1751–1752. MEDLINE | CrossRef

5. 5Levine SB, Stagno SJ. Informed consent for case reports: the ethical dilemma of right to privacy versus pedagogical freedom. J Psychother Pract Res. 2001;10:193–201.

6. 6Pace WD, Staton EW, Holcomb S. Practice-based research network studies in the age of HIPAA. Ann Fam Med. 2005;3(Suppl 1):S38–S45. CrossRef

7. 7National Institutes of Health. Institutional review boards and the HIPAA Privacy Rule—NIH fact sheet. Washington (DC): National Institutes of Health; 2003;NIH Publication Number 03-5428. [cited 2005 Jun 20]. Available from: http://privacyruleandresearch.nih.gov/irbandprivacyrule.asp.

8. 8National Institutes of Health. Privacy boards and the HIPAA Privacy Rule. Washington (DC): National Institutes of Health; 2004;NIH Publication Number 03-5448. [cited 2005 Jun 20]. Available from: http://privacyruleandresearch.nih.gov/privacy_boards_hipaa_privacy_rule.asp.

9. 9International Committee of Medical Journal Editors. Uniform requirements for manuscripts submitted to biomedical journals: writing and editing for biomedical publication. 2004;[cited 2005 Jul 2]. Available from http://www.icmje.org/index.html#top.

10. 10International Committee of Medical Journal Editors. Style matters: protection of patients' right to privacy. BMJ. 1995;311:1272.

11. 11National Institutes of Health . Protecting personal health information in research: understanding the HIPAA Privacy Rule. Washington (DC): National Institutes of Health; 2004;NIH Publication Number 03-5388. [cited 2005 Jun 20]. Available from: http://privacyruleandresearch.nih.gov/pr_02.asp.

12. 12Smith R. Publishing information about patients. BMJ. 1995;311:1240–1241.

13. 13Bauchner H. Protecting research participants. Pediatrics. 2002;110:402–404.

14. 14US Department of Health and Human Services Office for Civil Rights. How to file a health information privacy complaint with the Office of Civil Rights fact sheet. 2000;[cited 2005 Jun 20]. Available from: http://www.hhs.gov/ocr/privacyhowtofile.htm.

15. 15US Department of Health and Human Services, Office of the Secretary. 45 CFR Parts 160 and 164. HIPAA administrative simplification; enforcement; proposed rule. Fed Regist. 2005;70:20224–20258Available from: http://www.gpoaccess.gov/fr/index.html.

PII: S0161-4754(05)00179-X

doi:10.1016/j.jmpt.2005.07.001

4 of 22