The New HIPAA/HITECH Rules and Medical Research: “Buying” Patient Data for Medical Research

When conducting medical research, a researcher may want to obtain health information to use as data in a study.  For observational studies, clinical data and treatment information can be especially useful, particularly when large amounts of clinical data are aggregated together. The Health Insurance Portability and Accountability Act, also known as “HIPAA,” governs the use of such information. In 2010, the HITECH Act, which amended HIPAA, provided certain exceptions for the sale of certain patient data. 42 U.S.C. § 17935(d). The scope of this exception was recently clarified by regulations issued on January 25, 2013 (the “new rules”).
HIPAA and HITECH protect “any information, whether oral or recorded in any form or medium” that (i) “[i]s created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse”; and  (ii) “[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.” 42 U.S.C. § 1320d(4). When such data is individually identifiable, it is referred to as “Protected Health Information” or “PHI,” and it receives special protections under HIPAA and HITECH.
To obtain PHI, a researcher will often have to “buy” the data from a health care provider. The HIPAA Privacy Rule prevents the “sale of protected health information” for “remuneration,” unless the entity is first given authorization by the individual. 42 U.S.C. § 17935(d). A “sale of protected health information” occurs where there is “a disclosure of protected health information by a covered entity or business associate […] where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient…in exchange for the protected health information.” 45 CFR 164.502(a)(5)(ii)(B)(1). The definition of “sale of protected health information” is not limited to transfers in ownership but also includes leases, licenses, and other access agreements.
Luckily for researchers, the HITECH Act made a specific exception for medical research where the “price charged reflects the costs of preparation and transmittal of the data for such purpose.” 42 U.S.C. § 17935(d)(2)(B).  The new rules clarify HITECH by specifying what costs would be included as “costs of preparation and transmittal” and what would constitute “remuneration”.
Under the new rules, a covered entity is allowed to receive “a reasonable, cost based fee” to cover the cost of preparing and transmitting the information. These costs may include both direct and indirect costs to prepare and transmit the data, such as labor, materials, and supplies for generating, storing, retrieving or transmitting the data; labor and supplies to ensure PHI is disclosed in a permissible manner; and any “related capital and overhead costs.” In other words, HIPAA does not prevent a researcher from buying PHI for use in a medical study, but it does prevent a covered entity from making any profit from the sale.
For example, let’s say a research institution gives a hospital several computers in exchange for PHI. Whether this would run afoul of the sale prohibition depends on the reasons and scope of the gift. If the computers were given solely for the purpose of transmitting the PHI and were returned when such disclosure was complete, then this would be acceptable. If, on the other hand, the covered entity is allowed to keep the computers or use them for other purposes, then this would run afoul of HIPAA/HITECH.
In addition, the new rules make clear that “remuneration” includes both financial payments and “nonfinancial” benefits. Even so, the new rules provide an additional exception for payments received by a covered entity in the form of grants, contracts, or other arrangements to perform programs or activities such as research studies. This is due to the fact that the “provision of protected health information to the payer is a byproduct of the service being performed.” As a result, a researcher would be allowed to pay a covered entity to conduct research without running afoul of the rules even if the research would result in disclosing protected health information to the researcher during the course of the study. A covered entity would also be allowed to receive a grant or funding from a government agency to conduct a program even if the covered entity is required to report PHI to the agency as a condition of funding.
In sum, the new rules clarify the extent to which the “research exception” applies to the sale of PHI. In cases where it does apply, a researcher does not need to obtain individual authorization from each patient. If the exception does not apply, however, the researcher would need each and every patient to authorize the use of their PHI.