Dr. Jaweed, Director of Research Training and Development of the Physician Research Network Inc., presented his session entitled "The Guidelines for HIPAA (Health Insurance Portability and Accountability Act) Compliance" at this year's Association of Clinical Research Professionals meeting. This annual meeting took place from April 7-9 in Philadelphia, Pennsylvania. In this interview, Dr. Jaweed discussed how the changing HIPAA guidelines would affect clinical research in the future years. In addition, he describes the role of the Physician Research Network, an organization composed of physician investigators, that offers services to expedite clinical trials and ensure data quality.
This will be my third meeting. In ACRP, I belong to the Pharmacy Forum and am its representative for the National Planning Committee Meeting. The Association of Clinical Research Professionals (ACRP) includes all of the professionals conducting clinical research. Within this organization, they have made different forums with people's interest in mind. It is based on promotion of the clinical area that they are involved in. The members are encouraged to write abstracts for presentations at the annual meetings. ACRP is a very good and premier organization with over 15,000 members around the world.
Until recently, I was associated with the Baylor College of Medicine as Clinical Associate Professor, so there are other national meetings I do attend. Also, I am a past member of the Academy of Neurophysiology, and used to do research in the field of electrophysiology. I do not believe I will be attending any other meetings on clinical research this year. However, I may attend a couple of Investigators' Meetings.
HIPAA is an acronym for "Health Insurance Portability and Accountability Act". The Congress passed it in 1996, with the main objective to make sure that the private medical information or the so-called protected health information (PHI) of the patient is protected.
The government, specifically the Department of Health and Human Services, Office of Civil Rights (OCR), published the Privacy "final rule" in December of 2001. The compliance of this rule is due on April 14, 2003.
The HIPAA regulation consists of 4 components. The first is the Privacy Rule, which basically deals with the issues related to privacy and confidentiality of protected health information. The second component is electronic health care transactions and electronic data interchanges (EDI), which is related to billing and payments; it requires that the identity of the patients not be revealed during EDI. The third component of HIPAA is the Security Rule, whose final rule was approved in February 2003 and will be published on April 21, 2003. The objective of the Security Rule is to develop means and methods to safeguard the PHI and individual "identifiers" of the covered entity. There are 18 identifying categories (name, telephone number, etc.), which should be de-identified for EDI. However, the government allows a limited data set with 4-5 identifiers (example: address without zip code, age, date of birth and the code number assigned by the physician's billing department, etc.). Therefore, when one is transacting electronically, the data must be de-identified or a limited data set should be used. Also, one has to ensure that during the transfer of information from one covered entity to another (covered entity is defined as an individual or an organization such as the health care provider, health plan or clearing house etc., to whom the law applies and who performs at least 1 electronic transaction), only minimum necessary information can be communicated. The last component relates to establishing unique identifiers for the employers, namely "Employer Identification Number (EIN)". The EIN is the tax ID that is routinely used for tax purposes.
Thus, at the moment, we have 2 compliances due: April 14, 2003 is the due date for the Privacy Rule; and October 16, 2003, is the due date for the final compliance for electronic health care transactions and electronic data interchanges. The compliance date for EIN is July 30, 2004; whereas the Security Rule compliance is due on April 21, 2005.
Of the 4 components of HIPAA, the most important right now is that all eligible health care providers comply with the Privacy Rule. The main objective of this rule is to safeguard the identity of PHI; and to restrict the use and disclosure of PHI. The covered entities can use and disclose PHI for TPO (treatment, payment and health care operations), as well as for conditions related to emergency, law enforcement and public health. The non-TPO PHI can be used or disclosed to individuals or organizations only after receiving proper authorization from the patients (i.e., research). The physician must declare these policies in a "Notice of Privacy" to all patients.
I overviewed the HIPAA regulation and described the application of Privacy Rule on use and disclosure of PHI for Research. The Privacy Rule guidelines are primarily focused on protecting the health information. However, the health care providers are permitted to use and disclose PHI for preparatory research (i.e. preparation of protocol, development of hypothesis or aid in patient recruitment) on 3 conditions: 1) the patient gives an authorization to use or disclose the data (the best option); 2) an institution's independent review board (IRB) or privacy board (PB) approves or allows the investigator a waiver to use PHI for research purposes; or 3) an addendum is added to the informed consent form, that had been approved previously by the IRB, stating that the clinical research investigator and his research staff members ("Researchers") can use the patient medical information for a particular research project or protocol; and that the information will not be removed from the investigator's office.
The Privacy Rule is applied after April 14, 2003 (or April 14, 2004 for small practices). However, we are currently conducting clinical research under the guidance of a rule called "Common Rule". Previously, the investigators had been using patients' data from their medical records for recruitment, publications and a lot of other things without having any input from the patients. In 1991, seventeen federal agencies established the common rule to safeguard the safety of human subjects and to emphasize obtaining willing consent from the patients. The Privacy Rule builds upon the common rule by protecting the safety of patients' medical information.
In regards to how the Privacy Rule works for research, first the "covered entity" must use or disclose the PHI, based on either the dated approval or waiver provided by the IRB or PB or by patient authorization. This means that the IRB or PB can give the Researcher a date or dates, at which time the PHI can be accessed. Second, for patient authorization, a legalized authorization form shall be given or sent to all new and previously seen patients of the practice. This would allow the investigator research staff to chart screen and examine the diagnostic and lab reports for patient recruitment.
The investigator (or Researcher) must receive a completed and signed authorization form from the patient. This authorization can be for a limited period or it can be given without a fixed date.
Right, well, that is what the government is trying to get done. So what we have done, from our point of view, is revise the standard operating procedures for healthcare professionals such as researchers, physicians, and coordinators to comply with the HIPAA guidelines. Routinely, we advise our physicians and other research professionals to document the following, since clinical research is all about documentation: First, we want to make sure that the physician (investigator) receives authorization of the patient before a particular protocol is initiated. It is not a carte blanche. The Researcher cannot use all the patient information that is available in patient medical records. Second, the physician's office should identify the individual who is going to disclose the information (i.e. the physician, physician assistant, or the privacy officer of the practice). Third, it should be documented as to who will be receiving the information (a collaborating investigator, research nurse, clinical research coordinator, sponsor research monitors, or pharmacist). Finally, it should be clearly documented that the medical information is disclosed for the purpose of research, and will be effective until the end of the study, or "no date" should be written. The signed authorization form should be kept in the medical chart of the patient. Also, the patient should have a copy of the authorization form. The patient has the right to amend or revoke the authorization at any time.
In December of 2001, the federal government (DHHS-OCR) gave an extension due to the amendment of the Administrative Simplification Act. The original deadline for the compliance of Privacy Rule was scheduled on April 14, 2002. Now it is on April 14, 2003.
Also, the Centers for Medicare and Medicaid Services (CMS) allowed the covered entities to extend the date for preparation of electronic health care transactions and EDI to October 16, 2003. As described above, the Security Rule and EIN compliance will be due on April 21, 2005 and July 30, 2004, respectively.
Patient chart screening is an integral part of patient recruitment. The Privacy Rule exception for research allows access to PHI of patients for the purpose of preparatory research (45 CFR 164.512). It means that the representation from the Researcher, either oral or in writing, should state that the PHI will be used to prepare a research protocol, build hypotheses or aid in patient recruitment. Also, it should be emphasized that this PHI is necessary for development of research. Currently, the sponsor of the clinical trial does most of the preparatory research. Chart screening by the investigator is done to examine the patient's medical history to qualify for the trial. This can be done only under 3 conditions: 1) the patient should give an authorization to examine the charts; 2) the IRB should approve or give a waiver for screening the charts, this may be applied to the data of decedent (dead) patients as well; and 3) it should be included as an addendum in the informed consent form (ICF). Telephone screening of patient medical history is permitted if the patient's identity is confirmed and his/her statements are documented or recorded.
Regarding HIPAA guidelines for Billing for Research, there are no specific guidelines. However, during billing proceedings, for a long time a lot of people had been getting all kinds of medical information whether they needed it or not. Under the "common rule" and the good clinical practice (GCP), most research patients are identified either with a number or initials. However, for billing and payment, the patients' names are routinely used.
A contracted physician, when applying for compensation to the SMO or CRO, must identify the patient with his/her name. Similarly, when the patients are paid for research-related expenses or services, their names are identified. Since these come under the umbrella of TPO, no de-identification is necessary.
However, there are differences in regards to payments by various health plans. For example, if I am living in Michigan, my health plan may charge me differently than if I were living in West Virginia or in Texas because of an economic index or cost of living. Therefore, to have a uniform and efficient payment system for all states, the government has proposed a uniform and electronic format for billing and payment. The Privacy Rule does not address the differences in rates of compensation in different states. However, it does require all health care providers (hospitals, physicians, chiropractors, physical therapy or mental health services and other covered entities) to modify their billing systems to adapt to new HIPAA standards. The HIPAA Privacy Rule Standards are to facilitate payment to providers, which entails the submission of electronic transactions with de-identified health information (DHI) along with the new HIPAA standards. The CMS has issued 12 HIPAA standards for health care providers and clearing houses to figure out the category of patient eligibility based upon the ICD-9 (for diagnosis) and CPT-4 codes (for treatment). Presently, it appears to be confusing. However, the HIPAA standards basically serve as codes or labels for proper payment. For example, if a patient has diabetes (Type I or Type II), the health plan attaches a specific code (ASCX12N835) for payment and remittance advice. This facilitates the payment cycle by Medicare. Some of the clearinghouses, such as Medi-Soft or C-Soft, have already developed these programs and are assisting the health care providers. Re-imbursement is affected the same way.
Everyone knows about the basic mechanism of re-imbursement. For example, when you go to a hospital, they will examine your insurance plan and see if you are qualified or not. Then your health plan approves the necessary services and expenditures, say for $3,000 instead of the $5,000 proposed by the hospital. If that or a similar amount is agreed upon by both entities, the health care provider bills the health plan; and the billed amount is paid to the health plan.
The Role of IRB in research is critical. Originally, the issues of privacy were supposed to be handled by the PB. Now, it seems most of the IRBs will take an added responsibility of serving as PB, as well. Thus, in the future, the informed consent of all protocols will contain a section on HIPAA compliance. In the ongoing studies, the enrolled patients will be "grandfathered in" (i.e. an addendum will be added to their consent form); whereas the new patients will sign an updated consent form.
I am a Clinical Pharmacologist, and have researched in the field of clinical research for about 20 years. In addition, I was consultant to the FDA-Drug Biology Group for about 8 years. I was Manager of Neuromuscular Research Program at NASA-JSC for over 3 years, and a clinical research faculty member (Clinical Associate Professor) at the Baylor College of Medicine for about 9 years. At all these institutions, I have been working with compliance-related issues, along with biomedical research. Since 1983, one of my main duties has been to ascertain that the clinical research is conducted according to the good clinical practice guidelines of the FDA. Thus, I have been reactive to the job of monitoring clinical research. Currently, I am Director of Research Training and Development at PRN to make sure that the GCP and ICH guidelines are properly implemented, and that all of our 120-plus clinical sites are HIPAA compliant.
In regards to the other question, Physician Research Network Inc. is an organization that primarily deals with clinical site management. We receive clinical studies grants from the pharmaceutical companies or their contract research organizations (CROs); they bring us the clinical research trials, and we manage the trials with our network physicians. For example, there may be a study on diabetes that needs to be initiated. We look into our network (we have about 700 physicians) and select a required number of family practitioners or endocrinologists. We then send an exploratory survey to them if they would be interested in participating in that trial. If they are interested and have experience, facilities and are approved by the sponsor, they would qualify to become investigators on the study by signing the FDA Form 1572. PRN is a for-profit organization. We have been in business for about 5 years. To date, we have conducted more than 35 Phase II, III and IV clinical trials. However, we focus mainly on Phase II and Phase III, because they are the most extensive studies and require a large number of patients.
Whenever you are conducting a clinical trial, you need to get 2 permissions from the FDA: 1) before the phase I study, by submitting the so-called "Investigational New Drug or IND" application; and 2) at the end of Phase III studies by submitting the new drug application (NDA). After NDA, the drug or device is ready for marketing. The Phase IV trials are conducted when the FDA requires more testing surveillance of long-term side effects, or the sponsor needs to conduct bio-economics or marketing studies. Generally, it takes about 5-7 years and about $100 million to get a new drug or device ready for marketing.
I believe it is important that all clinical investigators appreciate the compliance issues. The GCP-ICH guidelines have been accepted by the industrialized world to have a uniform conduct of clinical trials.
Where HIPAA is one of many laws to have uniform standards for the protection of private medical information or PHI for the U.S.; the clinical investigators in European Union and Japan operate under the local privacy regulations. In the future, we need to have further definition and clarification concerning the international trials for protecting the confidentiality of patients' data.
I think HIPAA is a good law, although for some, it might be difficult and costly to implement. However, in the long run, all health care providers and especially the clinical investigators will recognize that we will be conducting clinical trials and managing the privacy of patients' data under a set of uniform standards throughout the world.
The main source for acquiring information on HIPAA guidelines will be the DHHS website and its links: www.DHHS.gov with links to OCR and CMS and HIPAA. The PRN website has an online course and current information on HIPAA Privacy Rule: www.prni.org. Also, a "HIPAA Privacy Rule: Reference Guide and FAQs", a 15-chapter, 134-page monograph, is available for health care providers at: email@example.com. It describes all the standards of Privacy Rule, and contains a detailed implementation plan with samples of mandatory documents (Privacy Notice, Authorization Forms and Business Associate Contract) required for compliance of Privacy Rule.