Hospital system and IRBs: Get started on HIPAA regs
June 1, 2002
It’s time to take first steps
Although the privacy regulations still are being changed and may be significantly altered by 2003, it’s not too early for an IRB and health care/research institution to begin to prepare for implementing the rules. The Department of Health and Human Services (HHS) has proposed some modifications to the Standards for Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act (HIPAA).
For example, The Children’s Hospital of Philadelphia has hired a consultant to examine all processes involved in the areas of data security and data transactions, says Robert M. Nelson, MD, PhD, an associate professor of anesthesia and pediatrics. "Part of the difficulty is we won’t know until next fall what the regulations will be, and if you wait until next fall, you’ll be way behind the curve," Nelson says.
For this reason, The Children’s Hospital already has begun the process of developing guidelines and monitoring processes that clinicians, investigators, IRBs, and all other health care personnel will be required to follow. The institution has a HIPAA oversight committee and 14 working groups, each with chairs, co-chairs, and multiple members. One of the working groups oversees the privacy rule as it applies to research, and another will develop training guidelines. Nelson is on the oversight and research committees.
With about 20 members, the research working group consists of the chair of the IRB, the vice president of research, administrators, the deputy director of an affiliated research institute, and representatives from a clinical trials office, finance, investigators, and others. The groups meet monthly and divide the tasks to develop policies and procedures. "Our plan is to get everything in place by the time the final regulations come out," Nelson says. "We should have a work plan developed within the next couple of months, and I would hope that in the fall we’re looking at training and implementation."
The institution’s IRB will serve as the privacy board, and there may be the addition of another full-time position to help with the extra workload, Nelson says. While it may be optimistic to expect that every single investigator and protocol will be brought up to full compliance with privacy regulations by next April, there at least will be a process put into place that will help identify problem areas. "We will have a survey tool we’ll use to sample a range of research with respect to how they’re handling data," Nelson adds.
The tool will ask questions about these topics:
- How are storage and security of databases being handled?
- What are the different types of electronic transactions that are being conducted?
- Who has access to electronic transactions and databases?
- Are people sharing information external to the institution?
"We plan to use that survey response to make an assessment and to begin to guide [policy]," Nelson says.
The survey method will be modeled after the hospital’s continuous quality improvement process, focusing primarily on high-volume, low-risk data and low-volume, high-risk data. Surveyors will select studies in sensitive areas and sample them, probably looking at 40-50 investigators/protocols out of the institution’s 800-900 open protocols, Nelson explains. "This is just meant to be a guide for us in getting an action plan formulated," Nelson says. "We have a consultant helping with that, and we have a set of external attorneys helping to guide the entire process within the facility."
Most of the education will be for investigators who, unlike IRB members, may not give data security and access much thought, Nelson says. "There will be a significant cultural change that takes place." For instance, when the IRB reviews research data sheets, there already is a policy of not allowing identifiers, Nelson says. "If we see anything on the sheet that is an identifiable piece of information, we tell them to remove it and place it on a separate data sheet so it will be all collected in one area," Nelson says. This way no individual can be identified from the data sheet.
The next step is to educate investigators about how to de-identify these data sheets and how to store them securely in their offices. "Education of investigators will be crucial, and they’ll need specific guidelines on how to handle data, confidentiality, security, exemptions, and how that data [are] shared," Nelson says.
Researchers will need to learn to be more attentive to what information is displayed on their Excel spreadsheets, which are electronically transmitted. "I would envision we’ll have concrete guidance about the different ways one could secure the data so that unauthorized access is not permitted, and that ranges from the simple ‘Keep your door locked’ to a way to protect data all day," Nelson says.