Advanced hipaa issues for biotech and life sciences companies
Download
1 / 13

Advanced HIPAA Issues for Biotech and Life Sciences Companies: - PowerPoint PPT Presentation


  • 182 Views
  • Uploaded on

Advanced HIPAA Issues for Biotech and Life Sciences Companies:. On the Frontier of Science and On the Edge of HIPAA. Mark E. Schreiber Palmer & Dodge LLP 111 Huntington Avenue Boston, MA 02199 617-239-0585 [email protected] April 8, 2005.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Advanced HIPAA Issues for Biotech and Life Sciences Companies:' - lani


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Advanced hipaa issues for biotech and life sciences companies l.jpg

Advanced HIPAA Issues for Biotech and Life Sciences Companies:

On the Frontier of Science and On the Edge of HIPAA

Mark E. SchreiberPalmer & Dodge LLP111 Huntington AvenueBoston, MA [email protected]

April 8, 2005


Hipaa provisions under which biotech life sciences issues arise l.jpg
HIPAA Provisions under which Biotech / Life Sciences Issues Arise

  • HIPAA provider coverage?

  • Business Associate applicability?

  • Authorizations – unspecified research

  • Research data bases

  • Accounting for research disclosures

  • Clinical studies in E.U. – HIPAA interface


Medical device testing companies covered entities l.jpg
Medical Device / Testing Companies – Covered Entities? Arise

  • May be “health care provider” under broad HIPAA definition

  • Most don’t engage in electronic standard transactions

  • Some may unwittingly send claims, insurance or related e-mails

  • If so, possible HIPAA coverage

  • Not all ask right questions of right people

    • To properly determine status

      If covered, then what?

  • Privacy notices, etc.

  • To whom?


Are clinical researchers sponsors or cro s business associates l.jpg
Are Clinical Researchers / Sponsors or CRO’s Business Associates?

  • Generally “research” not a BA function performed for covered entities

  • “We’re not a BA” letter

  • BA’s often negotiated

    • Business clout

  • If researcher / sponsor also provides

    • Quality assurance, or

    • Data processing services for covered entity

      • De-identifying records, or

      • Creating limited data sets

    • Then researcher / sponsor is BA

  • Researcher / sponsor – document in CTA that no BA-triggering services provided


Sponsors generally not covered entity or ba l.jpg
Sponsors Generally Not Covered Entity or BA Associates?

No HIPAA concerns, then, right? Not so fast . . .

  • Sites will and should impose handling restrictions in CTA’s

  • Some sites impose informed consent confidentiality limitations

    • Blending with HIPAA standards, on researchers / sponsors and “downstream”

    • Restricts marketing use


Sponsors generally not covered entity or ba6 l.jpg
Sponsors Generally Not Covered Entity or BA Associates?

  • Confidentiality agreement OK, but modify agreements

    • To specifically allow

      • For monitoring services, and

      • Other purposes in HIPAA-compliant patient authorization

  • Other agreement “pass-throughs”

    • Reps and warrantees, indemnity language

  • Researchers / sponsors – rigorous privacy policies / practices that approximate those of HIPAA

    • HIPAA treated as de facto standard of care

      • State law invasion of privacy claims


Authorizations future unspecified research l.jpg
Authorizations – Future Unspecified Research Associates?

  • HIPAA authorizations for research

    • Can broadly cover patient’s entire medical record

    • Can broadly cover classes or persons to whom and by whom PHI can be used / disclosed

    • Under “purpose” element,

      • “Each purpose” must be specified

      • Valid authorization for unspecified studies

        • Virtually impossible under HIPAA

        • Registry or database for unspecified future research – OK


Research databases under hipaa l.jpg
Research Databases under HIPAA Associates?

  • Database – separate purpose from primary protocol

  • Must be specifically authorized

    • In protocol authorization or

    • In separate subsequent authorization

  • If database maintained by covered entity

    • Future disclosures must be pursuant to new authorization

  • If database disclosed to sponsor

    • Generally outside HIPAA


Irb waivers and future researcher follow up with participants l.jpg
IRB Waivers and Future Researcher Follow Up with Participants

If IRB Waiver

  • Researcher free to use PHI for current research

  • New, specific waiver necessary

    • Before researcher can contact study participants about new study


Accounting for research disclosures l.jpg
Accounting for Research Disclosures Participants

  • NEED NOT be accounted for where

    • Disclosed under authorization

    • Disclosed in limited data set form

      • Needs data use agreement

  • MUST be accounted for upon individual request where disclosed pursuant to IRB waiver

  • Less detailed accounting:

    • Where covered entity discloses records of c 50 individuals under IRB waiver during requested accounting period


Coming hipaa attractions clinical studies abroad and outsourcing l.jpg
Coming HIPAA Attractions: ParticipantsClinical Studies Abroad and Outsourcing

E.U. Model different – no HIPAA statute but broader

data laws

  • E.U. Data Protection laws

    • Each E.U. country

  • Consent necessary for medical data use (sensitive data)

    • Specific use, purpose, etc.

    • English or in local language?

  • Data transfer out of E.U. country to U.S.

    • Consent to transfer – different from consent to use / collect

    • Data protection model clauses / agreements

    • U.S. Safe Harbor


Who follows up on e u branch office or e u consents l.jpg
Who Follows Up on E.U. Branch Office or E.U. Consents? Participants

  • Some companies not aware of or abide by these laws

  • Risk to studies?

  • Sometimes requires explanation of importance

  • E.U. clinical directive

    Is foreign medical PHI subject to HIPAA when

    transferred to U.S. HIPAA covered entity?

  • Telemedicine

  • Medical records of E.U. resident sent to U.S.


Outsourcing of hipaa data processing overseas l.jpg
Outsourcing of HIPAA Data Processing Overseas Participants

  • Canada, India, Pakistan, Philippines

  • Medical transcription services

  • Pakistan case – multiple contractors to HIPAA covered entity

  • Rep. Markey letter to HHS

  • Possible outsourcing amendments to HIPAA


ad