The following hypothetical situations are presented as a basis for the discussion of the practical implications resulting from the different state laws and conditions imposed on the use of specimens for research. The state laws presented cover various research activities including collection, storage, analysis, and distribution of tissue specimens and associated patient data. HIPAA is not specifically addressed.
The ABC Repository has been accruing specimens for decades. The Repository has vast collections of archived tissue and data, most of which were collected using general surgical consent forms.
Surgical and diagnostic specimens are received, logged, and coded, with the following patient information retained: date of diagnosis, date of surgery, age of patient at diagnosis. ABC also collects specimens prospectively to meet the needs of researchers. Collection sites use general surgical consent forms for use of tissue and data following waiver of the need for specific informed consent by the IRBs. When specimens are sent to researchers, patient names are removed from the specimens and associated data to protect patient identity, a code is assigned, and a link is retained for quality control. The ABC Repository recently received samples of prostate tissue from medical centers in the following states: Washington, Minnesota, Texas, California, and Pennsylvania.
The ABC Repository adheres to federal policy for human subjects research. ABC’s IRB has reviewed and approved the Repository’s operating procedures that stipulate that requests to use ABC’s tissue samples and data must comply with the Common Rule. Since links to patient identity are retained by ABC (although not disclosed to researchers), ABC considers use of its specimens to be human subjects research.49 In order to obtain specimens from ABC, researchers must provide documentation of IRB review and approval.
Recently, ABC staff met with researchers at several collection sites and decided to review whether their procedures meet the requirements of state law with respect to privacy of medical information and informed consent. Since the Repository depends both on collection of samples and data from various sites and on distribution of samples and data to researchers in multiple states, the staff began with a review of the pertinent laws in the five states that provided the most recent specimens of prostate cancer.
Do ABC Repository activities comply with state laws?
State laws generally govern activities that take place within the geographic limits of a state or that affect the citizens of a state. In the case of tissue research, the laws of the state where a collection takes place must be followed with respect to confidentiality of the medical information and informed consent. Virtually all states protect the confidentiality of medical records, but the rules governing informed consent for uses of medical information differ from state to state. Since tissue samples and data will likely be included in the definition of medical “information,” restrictions on disclosures of “medical” or “health” information must be followed. Some state statutes have research exceptions permitting the use of medical information without explicit patient consent when patient identities are protected.
All collection sites should review their state laws to ensure that they are permitted to collect specimens and data and handle the data in a manner that protects confidentiality. They should also determine whether special conditions apply for “disclosure” of the data to the ABC Repository without explicit patient consent. For further information, see OHRP’s recent guidance document “Research Involving Coded Private Information or Biological Specimens.” The guidance document describes the circumstances where research using coded private information or biological specimens will not be considered human subjects research, and therefore not subject to HHS regulations for protection of human research subjects (see http://www.hhs.gov/ohrp/humansubjects/guidance/cdebiol.pdf).
ABC and the researchers in Washington State need to check whether the general surgical consents used by the collection sites comport with Washington State law that strictly protects disclosures of medical information.
Washington state permits releases of information to researchers without the specific consent of the individual when an IRB has determined that the research project “(i) is of sufficient importance to outweigh the intrusion into the privacy of the patient that would result from the disclosure; (ii) Is impracticable without the use or disclosure of the health care information in individually identifiable form; (iii) Contains reasonable safeguards to protect the information from redisclosure; (iv) Contains reasonable safeguards to protect against identifying, directly or indirectly, any patient in any report of the research project; and (v) Contains procedures to remove or destroy at the earliest opportunity, consistent with the purposes of the project, information that would enable the patient to be identified, unless an institutional review board authorizes retention of identifying information for purposes of another research project.”50
Therefore, the research team in Washington may send the samples and data to the ABC Repository as long as an IRB has reviewed the research protocol and is satisfied that the collection site can comply with the rules. According to the statute, the researchers in Washington may not release any individually identifiable information since they are relying on permission obtained from general (surgical) consent forms, rather than express individual consent to the research.
Minnesota has one of the most restrictive laws on disclosures of medical information among the 50 states. Minnesota law permits the release of health information to researchers for medical or scientific research,51 but only under very limited circumstances. Health records generated prior to January 1, 1997, may be released if the patient has not objected.
For records created after January 1, 1997, providers must advise patients in writing that their records may be released, and if the patient objects, the records may not be released. Providers are required to use reasonable efforts to obtain a patient’s written general authorization for release of records. The authorization is not required to expire but may be revoked or limited by the patient at any time. Finally, upon the request of the patient, providers are required to provide information on how the patient may contact an external researcher to whom the health record was released and the date it was released.
The statute includes further obligations that the provider make reasonable efforts to determine (1) that the use or disclosure does not violate any limitations under which the record was collected; (2) that the use or disclosure in individually identifiable form is necessary to accomplish the research or statistical purpose for which the use or disclosure is to be made; (3) that the recipient has established and maintains adequate safeguards to protect the records from unauthorized disclosure, including a procedure for removal or destruction of information that identifies the patient; and (4) that further use or release of the records in individually identifiable form to anyone (other than the patient) without the patient’s consent is prohibited.
In the facts presented in this Case Study, the samples and data may be transferred freely if they were collected prior to January 1, 1997, and if the patient has not objected (or does not object). For samples and data that were accrued after January 1, 1997, the researchers in Minnesota must ensure that they have complied with the rules set out above. Only samples of patients that have received proper notification and an opportunity to object may be used. The authorizations for release of patient medical information must include the required elements under state law and should be checked to ensure that they have not expired.
Texas Medical Records Privacy Act requires written authorization for disclosures of medical information unless an exception applies. For research purposes, disclosures of patient health information by hospitals are permitted without written authorization if the research is conducted according to federal regulations for the conduct of human subjects research (45 C.F.R. 46 or 21 C.F.R. 50/56), where an IRB has approved the research.52 If the research is not subject to the federal rules, then researchers must obtain the express written authorization of the individual.
The privacy Texas law (similar to HIPAA) requires documentation of the waiver of informed consent prior to releases of information where there is no express written authorization.
If the research activity that takes place in Texas (in this scenario, the collection of specimens is a research activity) is conducted in accordance with the federal regulations governing human subjects research, and an IRB approves, the research team at the collection site may obtain a waiver of the requirement of individual informed consent in order to send the data and samples to the ABC Repository.
In order to comply with Medical Records Privacy law, the researchers in Texas must document the waiver given by the IRB. If so, then there is no need for individual consent prior to sending the samples and data to the Repository. If the research is not subject to the federal regulations, then the researchers must obtain the express consent of the individual participants for the use of their samples and data.
California’s “Confidentiality of Medical Information Act” regulates disclosures of medical information and genetic information. The Act mandates the confidentiality of medical records when acquired, stored, and used and includes specific criteria for a valid authorization. Medical information is defined as “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. ‘Individually identifiable’ means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.”53 The Act includes a research exception permitting disclosures without patient authorization for “bona fide” research where the identity of participants is protected.54
California has also enacted a law called the Protection of Human Subjects in Medical Experimentation Act.55 The Act requires that informed consent of participants be obtained for all medical experiments, defined as:
“… (a) the severance or penetration or damaging of tissues of a human subject or the use of a drug or device, as defined in Section 109920 or 109925, electromagnetic radiation, heat or cold, or a biological substance or organism, in or upon a human subject in the practice or research of medicine in a manner not reasonably related to maintaining or improving the health of the subject or otherwise directly benefiting the subject. (b) The investigational use of a drug or device as provided in Sections 111590 and 111595. (c) Withholding medical treatment from a human subject for any purpose other than maintenance or improvement of the health of the subject.”
The Medical Experimentation law exempts research at institutions that hold a valid Assurance of Compliance56 pursuant to Part 46 of Title 45 of the Code of Federal Regulations and that obtain informed consent in the method and manner required by such regulations.
The research team in California may release the specimens and data to ABC under the following conditions: (1) in order to comply with the Confidentiality of Medical Information Act, if the research is “bona fide” research (presumably, bona fide research is conducted by an institution holding an Assurance of Compliance) and participant identities are protected; and (2) in order to comply with the Medical Experimentation Law, if the recipient institutions are operating according to the terms of an Assurance of Compliance with federal regulations; or (3) if the consent/authorization of the individual is obtained.
Under facts presented in Case Study #1, since the ABC Repository operates according to the federal regulations, research activities will qualify as “bona fide” research. If patient identities are not disclosed to the Repository (even if links are retained), the samples and data may be sent to ABC without individual consent.
Pennsylvania law has no specific provision allowing the release of information from medical records for research purposes. Therefore, if the institutions collecting the information consider general consent forms adequate to protect patient information, and do not require consent to specific uses by patients, the site may release the information to ABC Repository.