While health care providers, academic medical centers, and research institutions well understand the fundamentals of the Health Insurance Portability and Accountability Act (“HIPAA”) and its implementing regulations, these organizations often lack the resources and time to focus on the more complex and counterintuitive aspects of the law. This is particularly true in the area of clinical research. Although much has been written about the institutional review board (“IRB”) approval process and issues surrounding the requirement to obtain HIPAA-compliant authorizations from research subjects, the literature regarding the application of HIPAA to other components of clinical research is much less robust.
The goal of this article is to define, from a HIPAA perspective, the role of organizations that use patient information to perform functions supportive of research, including clinical functions and data management activities. More specifically, we will examine when such entities qualify as business associates under HIPAA and when their functions fall outside the bounds of the law.
I. HIPAA defines the circumstances in which a covered entity and a business associate must enter into a business associate agreement.
Individuals, organizations, and agencies that qualify as “covered entities” under HIPAA must protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information (see 45 C.F.R. §164.500). Under HIPAA, a covered entity is a health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction covered by HIPAA (see 45 C.F.R. §160.103). A business associate is an individual or entity, other than a member of a covered entity’s workforce, who creates, receives, maintains, or transmits protected health information (“PHI”) in order to perform “covered functions” on behalf of a covered entity. Id. In order for a business associate to provide services to a covered entity, the covered entity and the business associate must enter into (i) a written services agreement that describes the duties and responsibilities of both parties to the arrangement; and (ii) a “business associate agreement” or addendum that requires the business associate to safeguard PHI and to comply with the privacy and security provisions of HIPAA (the “HIPAA Rules”) as applicable to business associates (see 45 C.F.R. §§164.502(e); 164.504(e)).
A. Under the HIPAA Privacy Rule, a business associate agreement is only required in connection with the performance of a covered function or certain defined activities on behalf of a covered entity, excluding research.
Under the HIPAA Privacy Rule, a business associate agreement is only required where a person or entity (i) creates, receives, maintains, or transmits PHI in order to conduct a “covered function” on behalf of a covered entity; or (ii) performs one of the services listed in the definition of business associate (see 45 C.F.R. §164.103). Covered functions are defined as ‘‘those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.” Id. In other words, covered functions are activities integral to the identity of the entity. The Office for Civil Rights of the Department of Health and Human Services (“OCR”) has identified payment and health care operations as examples of activities that are integral to an entity’s identity as a health care provider, health plan or health care clearinghouse (see OCR Frequently Asked Question No. 239 (Dec. 19, 2002)).
In contrast, research is not a function that renders an entity a health care provider, health plan or health care clearinghouse. Instead, research is an additional activity, outside of the integral functions of a covered entity, in which a covered entity may elect to engage. Research is defined by the Privacy Rule as a “systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge” (see 45 C.F.R. §164.501). An entity need not engage in such systematic investigation to qualify as a health plan, health care provider or health care clearinghouse and, in fact, most health care providers, health plans, and health care clearinghouses do not perform research. Thus, research does not qualify as a covered function under HIPAA, and, thus, its performance by a third party on behalf of a covered entity does not render the third party a business associate of the covered entity under HIPAA.
In addition, research is not listed as one of the services performed by business associates in the definition of “business associate” under the HIPAA Privacy Rule. These services include claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; patient safety activities; billing; benefit management; practice management; repricing; legal; actuarial; accounting; consulting; data aggregation; management accreditation; or financial services (see 45 C.F.R. §160.103). Research is notably absent from this list of business associate activities. Accordingly, under the language of the Privacy Rule, an entity that receives patient information pursuant to a permissible disclosure from a covered entity in order to perform research or assist a covered entity with the performance of research is not engaged in an activity recognized by the Privacy Rule as a business associate service. Such an entity is therefore not a business associate under HIPAA and need not enter into a business associate agreement with a covered entity in order to receive PHI from the covered entity and perform the agreed upon work.
B. The OCR has repeatedly indicated that disclosures of PHI for the purpose of research do not create a business associate relationship under HIPAA.
In the final version of an amendment to the HIPAA Standards for Privacy of Individually Identifiable Health Information, which was published on Aug. 14, 2002 (67 Fed. Reg. 53,181 at 53,252), the OCR directly addressed the question of whether research activities are covered functions under HIPAA, explicitly stating that “research is not a covered function or activity.” In the same rulemaking, the OCR clarified that “disclosures from a covered entity to a researcher for research purposes as permitted by the Rule do not require a business associate contract. This remains true even in those instances where the covered entity has hired the researcher to perform research on the covered entity’s own behalf because research is not a covered function or activity.”
The OCR reiterated this position in the Omnibus Final Rule implementing the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and the Genetic Information Non-Discrimination Act of 2008 (“GINA”) (the “Omnibus Rule”), which was published on Jan. 25, 2013 (78 Fed. Reg. 5,566 at 5,575). In the Omnibus Rule, the OCR clarified that a “person or entity is a business associate only in cases where the person or entity is conducting a function or activity regulated by the HIPAA Rules on behalf of a covered entity, [and] [t]hus, an external researcher is not a business associate of a covered entity by virtue of its research activities, even if the covered entity has hired the researcher to perform the research.”
C. A third party that performs functions supportive of research on behalf of a covered entity is not a business associate even if those activities involve data management or the performance of clinical functions.
Patient Registries. Research institutions commonly use outside vendors to place data generated during the course of a clinical trial into databases or repositories, which are then used for a variety of purposes, including tracking patient outcomes. A vendor hosting a data repository in connection with clinical research may receive a request from a participating research institution to enter into a business associate agreement. However, even if the data elements in the registry are identifiable, if the registry is being maintained for the purposes of current or future research, the vendor does not qualify as a business associate of the research institution under HIPAA and the parties need not enter into a business associate agreement (see National Institutes of Health, “Research Repositories, Databases, and the HIPAA Privacy Rule” (Jan. 2004)). It is important for the parties to confirm that appropriate patient authorizations for disclosure have been obtained, and it is certainly reasonable for the research institution to confirm that the entity hosting the registry will maintain the data securely, but the vendor would not constitute a business associate of the research institution under HIPAA in hosting the data repository.
Clinical Activities. Perhaps the most significant source of confusion stems from the fact that certain entities that conduct activities supportive of research on behalf of covered entities actually perform clinical functions. For example, an academic medical center or other research institution participating in a drug study may hire a third party company to perform certain phlebotomy activities in connection with required laboratory testing. In these cases, the third party vendor may receive or gather individually identifiable health information regarding the research subjects. Although the vendor is receiving or collecting such patient information, as applicable, those activities are integral to the research and derived from its requirements (see Johns Hopkins Medicine, “HIPAA Questions and Answers Relating to Research” (2015)). Thus, such activities are part of the research enterprise. They do not constitute the performance of a covered function or other activity that would render the vendor a business associate, and, accordingly, they do not require the covered entity and the vendor to enter into a business associate agreement.
II. A researcher or clinical vendor may, in some circumstances, be considered a business associate of a covered entity.
A person or entity is a business associate only in cases where the person or entity is conducting a function or activity regulated by the HIPAA Rules on behalf of a covered entity (see 78 Fed. Reg. 5,566 at 5,575). As explained above, research is not a covered function, and, accordingly, a vendor that provides services solely in support of research activities is not a business associate. However, the business associate provisions of HIPAA may be triggered if the vendor performs a function, activity, or service for a covered entity that does constitute a covered function or otherwise qualifies as a service provided by a business associate under the definition of business associate set forth in the Privacy Rule.
For instance, a clinical vendor may fall within the definition of business associate if it creates a de-identified data set for a covered entity. The HIPAA Privacy Rule regulates the creation of de-identified information. Id. Specifically, de-identification falls within the scope of a covered entity’s “health care operations” (see 45 C.F.R. §§164.501, 164.514). Accordingly, the process of de-identifying PHI constitutes the performance of a covered function or activity that is regulated by the HIPAA Rules. If a covered entity uses a clinical vendor to de-identify PHI on the covered entity’s behalf, even if the covered entity intends to use the de-identified data for research purposes, then a business associate relationship is created, as the act of de-identifying PHI is a covered function under HIPAA (see 78 Fed. Reg. 5,566 at 5,575).
III. The question of whether an authorization is required to disclose PHI is distinct from the question of whether the use of PHI to perform services on behalf of a covered entity necessitates the execution of a business associate agreement.
Under HIPAA, a covered entity must obtain an authorization from a patient in order to disclose PHI for any purpose except: (i) treatment, payment, or health care operations; and (ii) disclosures made in accordance with one of the specific regulatory exceptions to the authorization requirement set forth in the Privacy Rule (see 45 C.F.R. §164.512). In order to disclose PHI for the purposes of research, a covered entity must obtain a HIPAA-compliant authorization from each research subject (see 45 C.F.R. §164.508.). Obtaining these authorizations is a standard component of any clinical research protocol involving human subjects. Thus, even though research is not a covered function under HIPAA, patient authorization must be obtained in order for a covered entity to disclose PHI for the purposes of research.
It is important to remember, however, that the determination of whether an authorization is needed by a covered entity to disclose PHI for research (or any other purpose) is separate and apart from the determination of whether the person or entity to whom the patient information will be disclosed is a business associate of a covered entity under HIPAA. If a covered entity intends to disclose patient information to a support organization so that the support organization can create a patient registry to be used for future research, the covered entity must have a valid authorization from each patient to disclose the patient’s information, even though the support organization is performing functions integral to research and is not a business associate of the covered entity under HIPAA.
On the other hand, if an academic medical center wishes to disclose PHI to a data analytics firm so that the data analytics firm may de-identify the data, and the academic medical center intends to use the de-identified data to assess patient outcomes or for some other operational purpose, the academic medical center and the data analytics firm must enter into a business associate agreement. However, under HIPAA, patient authorization is not required for the disclosure because the academic medical center is disclosing PHI to the data analytics firm for de-identification, an activity that qualifies as health care operations and is thus exempt from the authorization requirement under HIPAA.
A vendor who performs research or functions supportive of research and receives PHI from a research institution to perform those functions is not, by virtue of those activities alone, a business associate of the research institution. The business associate provisions of HIPAA are only triggered where a person or entity creates, receives, maintains, or transmits PHI in order to conduct a “covered function” on behalf of a covered entity, or performs one of the services listed in the definition of “business associate” in the HIPAA Privacy Rule. Research is not a covered function under HIPAA and research is not listed under the definition of business associate as one of the functions that a business associate may perform. Accordingly, a vendor that receives PHI from a covered entity to perform research or functions supportive of research, but has no other relationship with the covered entity, is not a business associate of the covered entity, and the covered entity and the vendor are not required to enter into a business associate agreement in order for the vendor to perform the work.
Nonetheless, a researcher or clinical vendor may, in some circumstances, be considered a business associate of a covered entity if the researcher or vendor performs a function, activity, or service for a covered entity that constitutes a “covered function” or otherwise qualifies as a service provided by a business associate under the definition of business associate set forth in the Privacy Rule, such as de-identifying PHI. As a vendor’s performance of certain types of services on behalf of a covered entity may give rise to a business associate relationship, open and continuous dialogue between sponsors, research institutions, and vendors is critical. This will ensure that participants in clinical research activities correctly characterize their relationships, execute business associate agreements where required, and, most importantly, appropriately safeguard patient data.
This article has been prepared for informational purposes only and does not constitute legal advice. This article and the information contained herein is not intended to create, and receipt of it does not in any way establish, a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers.