The Common Rule and HIPAA authorization apply in specific circumstances related to research and the use of patient data. This requires HIPAA compliant communication when receiving or discussing aspects of consent and authorization with patients.
HHS draws the following distinction between HIPAA authorization and informed consent: “Under the Privacy Rule, a patient’s authorization is for the use and disclosure of protected health information for research purposes. In contrast, an individual’s informed consent, as required by the Common Rule and the Food and Drug Administration’s (FDA) human subjects regulations, is consent to participate in the research study as a whole, not simply consent for the research use or disclosure of protected health information.”
There are still areas where these intersect:
When a research study involves the collection, use, or disclosure of protected health information (PHI), such as medical records, lab results, or other health information, both HIPAA and the Common Rule may apply. This often occurs in clinical research settings or when researchers need access to individuals' health data.
Researchers must obtain HIPAA authorization from participants to access their PHI for research purposes. HIPAA authorization ensures that participants are informed about and consent to the use of their health information beyond the scope of treatment, payment, or healthcare operations as allowed by the HIPAA Privacy Rule.
In addition to HIPAA authorization, researchers must obtain informed consent from participants following the Common Rule's regulations. Common Rule consent ensures that participants understand the research, its purpose, risks, benefits, and their rights as research subjects.
Researchers often align their HIPAA authorization process with the informed consent process to meet both requirements. This integration allows participants to provide a single consent that covers both the use of their PHI and their participation in the research study. Consent forms may include sections addressing both HIPAA and Common Rule requirements.
The dual requirement for HIPAA authorization and Common Rule informed consent ensures that participants are well informed about how their health information will be used in research.
See also: HIPAA authorization vs. Common Rule informed consent
Choose a HIPAA compliant email service provider that offers compliance features. Ensure that the provider signs a business associate agreement (BAA) with your organization, as this is required by HIPAA.
Use secure email protocols such as Transport Layer Security (TLS) to encrypt email transmissions. TLS encrypts email data while it is in transit between email servers.
Require strong user authentication methods to access email accounts. This may include multi-factor authentication (MFA) to ensure that only authorized individuals can access PHI.
Implement access controls to restrict access to PHI within the email system. Only authorized personnel should have access to patient authorization and informed consent forms sent via email.
If staff members access email on mobile devices, ensure that these devices are also secured and compliant with HIPAA regulations. Mobile email apps should provide encryption and require user authentication.
Establish email archiving and retention policies to ensure that patient authorization and informed consent emails are retained for the required period as per HIPAA regulations. This helps with compliance and audit trails.
When sending patient authorization and informed consent forms as email attachments, ensure that these attachments are encrypted and password protected if necessary. Provide the password separately to the recipient.
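The TLS step above only protects the form while it is in transit, and opportunistic STARTTLS will quietly fall back to plaintext if the receiving server does not offer it. The following added example (not code from the original article or from any vendor it mentions) shows a fail-closed sender: it parses the server's EHLO capabilities, requires STARTTLS, and enforces certificate verification and a TLS 1.2 minimum before a consent form is handed to the server. The host name `mail.example.test` and the EHLO transcript are constructed for illustration.

```python
import re
import smtplib
import ssl
from email.message import EmailMessage


def make_strict_tls_context() -> ssl.SSLContext:
    """TLS policy for the mail hop: verify the server certificate and
    hostname, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def server_offers_starttls(ehlo_transcript: str) -> bool:
    """Return True if a raw EHLO response (e.g. '250-STARTTLS') advertises
    STARTTLS. Parsing text rather than a live socket keeps this testable."""
    return any(re.fullmatch(r"250[- ]STARTTLS", line.strip(), re.I)
               for line in ehlo_transcript.splitlines())


def send_consent_form(msg: EmailMessage, host: str, port: int = 587) -> None:
    """Fail closed: deliver only if the server offers STARTTLS and the
    handshake satisfies the strict policy; never fall back to plaintext."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):  # smtplib's own capability table
            raise RuntimeError(f"{host} does not offer STARTTLS; refusing to send PHI")
        smtp.starttls(context=make_strict_tls_context())
        smtp.ehlo()  # re-identify after the handshake, as RFC 3207 requires
        smtp.send_message(msg)


# Constructed EHLO transcripts used to exercise the capability check.
EHLO_WITH_TLS = "250-mail.example.test\n250-SIZE 35882577\n250-STARTTLS\n250 8BITMIME"
EHLO_WITHOUT_TLS = "250-mail.example.test\n250-SIZE 35882577\n250 8BITMIME"

if __name__ == "__main__":
    print("constructed server offers STARTTLS:", server_offers_starttls(EHLO_WITH_TLS))
```

The encrypted attachment itself (and the password delivered out of band) remains the protection at rest; this check only guarantees the hop to the mail server is not sent in the clear.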
See also: What is transport layer security (TLS)?
Failing to implement HIPAA compliant communication for authorization and informed consent can have specific consequences that directly impact patient care and research. Firstly, it can lead to miscommunication or delays in obtaining necessary consent, potentially hindering patient participation in clinical trials or research studies. This can slow down medical advancements and limit treatment options.
A lack of secure communication can also result in the inadvertent exposure of patients' sensitive health information, violating their privacy rights and eroding trust in healthcare providers. When patients and research participants perceive inadequate protection of their data, they may be less willing to engage with healthcare providers or participate in research, hindering the progress of medical research and innovation.
See also: The risks of shared email inboxes in healthcare practices
The Common Rule governs the ethical conduct and oversight of research involving human subjects in the United States.
The Common Rule focuses on protecting human subjects in research, while HIPAA primarily addresses the privacy and security of individuals' health information.
Email is often considered the best way to get patient consent because it provides a written record, allows for clear communication, and is convenient for both patients and healthcare providers.