5 Ways Clinical Researchers Can Avoid Being HIPAA Business Associates
One of the challenges often faced by clinical researchers and the businesses that work with them is how to structure and conduct research activities without creating HIPAA Business Associate relationships. As health care industry businesses know well, a HIPAA Business Associate is a person or entity that has access to protected health information (PHI) in order to perform certain functions or activities on behalf of a Covered Entity (including downstream Business Associates of Business Associates).
To protect individually identifiable health information that will be accessible for one of these purposes, HIPAA typically requires that Covered Entities and Business Associates enter into a lengthy contract (“Business Associate Agreement” or “BAA”) that will govern the access, use and disclosure of the information by the Business Associate.
Introducing a BAA into the business relationships necessary for a research project to proceed with all its innovative components can be problematic because the burdens placed on sharing information under a BAA often do not mesh with the research goals and project plan. Frequently, the standard BAA format places restrictions that are out of sync with the permissions established by one or more of the HIPAA authorization, Institutional Review Board (IRB) research protocol, and informed consent documents. Here are five ways clinical researchers and their organizations can approach research business relationships to avoid the reach of a HIPAA BAA.
1. Structure contractual relationships as collaborations where each party equally contributes to the research activities, process, and outcomes. There can never be enough emphasis placed on the HIPAA Business Associate standard of “on behalf of” a Covered Entity. Activities performed in furtherance of clinical research that are not performed on behalf of a Covered Entity (or on behalf of a downstream Business Associate and thus ultimately on behalf of a Covered Entity), are not Business Associate functions requiring a BAA. Evaluating and applying this standard correctly requires a true understanding of the research activities and workflow. Strategically planning each party’s obligations and contributions to ensure that neither party performs activities on behalf of the other or on behalf of any Covered Entity, but instead on the collaborating party’s own behalf, is an option. Each party contributes and benefits equally, furthering its own interests and work in the research area and sharing in the products.
2. Make sure the research protocol doesn’t describe a service for a health care provider, health plan, or healthcare clearinghouse (i.e., likely to be a Covered Entity). Further, researchers writing protocols and project plans should pay careful attention to the details of workflows they are establishing. The all-important research protocol is the ultimate guide to any research activity. Thus, ensuring that work which would otherwise be performed by a health care provider/plan is not delegated via the protocol to be performed by another party, avoids the inadvertent creation of a service “on behalf of” a Covered Entity. Does the Covered Entity already perform the activity on its own behalf? Where the goal is avoiding a BAA, have the Covered Entity continue to do the activity even if it means contracting with the Covered Entity for a service to the research effort, rather than vice-versa. Researchers are often frustrated after drafting a brilliant protocol and negotiating contracts only to be told a BAA is needed before crucial research activities such as data or financial analysis can be undertaken. In order to avoid delays in work, be sure to work out all these details before IRB review, and in open communication with any Covered Entity providing access to its PHI for research purposes.
3. Don’t allow the IRB or a clinical site to require a BAA without obtaining legal advice. Perhaps surprisingly, many IRBs do not regularly consider the nuances of HIPAA beyond authorization/waiver issues and are therefore overly protective of the Covered Entity. On the other hand, IRBs that have a distant relationship from the clinical site may fail to raise HIPAA concerns created by the protocol, possibly due to lack of familiarity with the Covered Entity’s processes or a narrow approach to IRB scope of review. Some researchers mistakenly expect a more robust IRB service and may not be aware that IRB approval does not equate to a full regulatory compliance review. As a result, we see a variety of issues including misplaced IRB requests or recommendations for a BAA and the clinical site’s compliance or research offices likewise relying on this. Clinical research sites are nearly always Covered Entities, and typically have well-established HIPAA policies. However, poorly written protocols or administrative quagmire at the site again may result in misplaced requests for BAAs where no Business Associate relationship exists. Researchers who will bear the additional regulatory and resource-consuming burdens of HIPAA, including negotiating and complying with a BAA, shouldn’t rely on the IRB or clinical site to identify and advise on HIPAA Business Associate standards.
4. Don’t commingle research data with clinical data. Keeping workflows and data repositories separate or segregable allows for easier destruction or return of research data with minimal risk of inadvertent disclosure of PHI. When research data becomes commingled in a non-segregable format in storage or software workflows with clinical data, it cannot be segregated for the purpose of return or destruction. The entity working with that research data then takes on an ongoing privacy and security obligation on behalf of any Covered Entity that provided the research data. This is true even when the research data has been de-identified, if it is processed and stored with clinical data (which by its nature is individually identifiable), because all of the commingled data will then be maintained with the same degree of care as the clinical data. The secure storage of research data at this higher level of privacy and security can be construed as a service being performed on behalf of the Covered Entity original source of the data, requiring a BAA. This inadvertent BA service issue arises most often for entities that have both research and clinical services activities. Commonly these entities are processing research data from multiple sources and clinical data from multiple sources. To complicate matters, the entity providing the secure storage of commingled research data may be removed a few contracts downstream from the original data source, resulting in creation of multiple layers of Business Associate relationships. It is quite inconvenient and expensive to identify the need for one or more BAAs at the end of a study or even once it is well underway.
5. Work only with de-identified information and samples. If segregation of data workflows and storage is readily achievable, and it should be worth the time and investment for any entity that is actively engaged in clinical research, the fail-safe for avoiding becoming a HIPAA Business Associate is to work only with de-identified information and samples. This strategy may never be more than wishful thinking for some human subjects researchers, but warrants consideration here and in particular in the field of genetics where re-identification is a largely unsettled issue. Structuring research business relationships and study protocols to require that health care providers and health plans undertake the task of de-identification (per the HIPAA standard) of data and samples before sharing/transferring for research activities can be done. Where the research budget has built in the cost of this effort and the researcher is prepared to have the Covered Entity perform de-identification as a service, this ask will encounter less resistance. The viability of this approach is important because de-identification ensures the research data is not PHI and thus no activities using PHI are performed on behalf of a Covered Entity. As such, no Business Associate relationship would arise under the regulation.
Thoughtful and compliant strategic planning to avoid the reach of HIPAA Business Associate requirements is a difficult process best tackled with expert guidance. Partnering with an experienced attorney early in business and research development efforts will remove barriers to efficiency and innovation. At minimum, researchers should obtain an independent legal review from a healthcare attorney before agreeing to a misplaced BAA request.