advanced hipaa issues for biotech and life sciences companies
Skip this Video
Download Presentation
Advanced HIPAA Issues for Biotech and Life Sciences Companies:

Loading in 2 Seconds...

play fullscreen
1 / 13

Advanced HIPAA Issues for Biotech and Life Sciences Companies: - PowerPoint PPT Presentation

  • Uploaded on

Advanced HIPAA Issues for Biotech and Life Sciences Companies:. On the Frontier of Science and On the Edge of HIPAA. Mark E. Schreiber Palmer & Dodge LLP 111 Huntington Avenue Boston, MA 02199 617-239-0585 [email protected] April 8, 2005.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Advanced HIPAA Issues for Biotech and Life Sciences Companies:' - lani

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
advanced hipaa issues for biotech and life sciences companies

Advanced HIPAA Issues for Biotech and Life Sciences Companies:

On the Frontier of Science and On the Edge of HIPAA

Mark E. SchreiberPalmer & Dodge LLP111 Huntington AvenueBoston, MA [email protected]

April 8, 2005

hipaa provisions under which biotech life sciences issues arise
HIPAA Provisions under which Biotech / Life Sciences Issues Arise
  • HIPAA provider coverage?
  • Business Associate applicability?
  • Authorizations – unspecified research
  • Research data bases
  • Accounting for research disclosures
  • Clinical studies in E.U. – HIPAA interface
medical device testing companies covered entities
Medical Device / Testing Companies – Covered Entities?
  • May be “health care provider” under broad HIPAA definition
  • Most don’t engage in electronic standard transactions
  • Some may unwittingly send claims, insurance or related e-mails
  • If so, possible HIPAA coverage
  • Not all ask right questions of right people
    • To properly determine status

If covered, then what?

  • Privacy notices, etc.
  • To whom?
are clinical researchers sponsors or cro s business associates
Are Clinical Researchers / Sponsors or CRO’s Business Associates?
  • Generally “research” not a BA function performed for covered entities
  • “We’re not a BA” letter
  • BA’s often negotiated
    • Business clout
  • If researcher / sponsor also provides
    • Quality assurance, or
    • Data processing services for covered entity
      • De-identifying records, or
      • Creating limited data sets
    • Then researcher / sponsor is BA
  • Researcher / sponsor – document in CTA that no BA-triggering services provided
sponsors generally not covered entity or ba
Sponsors Generally Not Covered Entity or BA

No HIPAA concerns, then, right? Not so fast . . .

  • Sites will and should impose handling restrictions in CTA’s
  • Some sites impose informed consent confidentiality limitations
    • Blending with HIPAA standards, on researchers / sponsors and “downstream”
    • Restricts marketing use
sponsors generally not covered entity or ba6
Sponsors Generally Not Covered Entity or BA
  • Confidentiality agreement OK, but modify agreements
    • To specifically allow
      • For monitoring services, and
      • Other purposes in HIPAA-compliant patient authorization
  • Other agreement “pass-throughs”
    • Reps and warrantees, indemnity language
  • Researchers / sponsors – rigorous privacy policies / practices that approximate those of HIPAA
    • HIPAA treated as de facto standard of care
      • State law invasion of privacy claims
authorizations future unspecified research
Authorizations – Future Unspecified Research
  • HIPAA authorizations for research
    • Can broadly cover patient’s entire medical record
    • Can broadly cover classes or persons to whom and by whom PHI can be used / disclosed
    • Under “purpose” element,
      • “Each purpose” must be specified
      • Valid authorization for unspecified studies
        • Virtually impossible under HIPAA
        • Registry or database for unspecified future research – OK
research databases under hipaa
Research Databases under HIPAA
  • Database – separate purpose from primary protocol
  • Must be specifically authorized
    • In protocol authorization or
    • In separate subsequent authorization
  • If database maintained by covered entity
    • Future disclosures must be pursuant to new authorization
  • If database disclosed to sponsor
    • Generally outside HIPAA
irb waivers and future researcher follow up with participants
IRB Waivers and Future Researcher Follow Up with Participants

If IRB Waiver

  • Researcher free to use PHI for current research
  • New, specific waiver necessary
    • Before researcher can contact study participants about new study
accounting for research disclosures
Accounting for Research Disclosures
  • NEED NOT be accounted for where
    • Disclosed under authorization
    • Disclosed in limited data set form
      • Needs data use agreement
  • MUST be accounted for upon individual request where disclosed pursuant to IRB waiver
  • Less detailed accounting:
    • Where covered entity discloses records of c 50 individuals under IRB waiver during requested accounting period
coming hipaa attractions clinical studies abroad and outsourcing
Coming HIPAA Attractions: Clinical Studies Abroad and Outsourcing

E.U. Model different – no HIPAA statute but broader

data laws

  • E.U. Data Protection laws
    • Each E.U. country
  • Consent necessary for medical data use (sensitive data)
    • Specific use, purpose, etc.
    • English or in local language?
  • Data transfer out of E.U. country to U.S.
    • Consent to transfer – different from consent to use / collect
    • Data protection model clauses / agreements
    • U.S. Safe Harbor
who follows up on e u branch office or e u consents
Who Follows Up on E.U. Branch Office or E.U. Consents?
  • Some companies not aware of or abide by these laws
  • Risk to studies?
  • Sometimes requires explanation of importance
  • E.U. clinical directive

Is foreign medical PHI subject to HIPAA when

transferred to U.S. HIPAA covered entity?

  • Telemedicine
  • Medical records of E.U. resident sent to U.S.
outsourcing of hipaa data processing overseas
Outsourcing of HIPAA Data Processing Overseas
  • Canada, India, Pakistan, Philippines
  • Medical transcription services
  • Pakistan case – multiple contractors to HIPAA covered entity
  • Rep. Markey letter to HHS
  • Possible outsourcing amendments to HIPAA