Recently we were asked a question about Notice of Privacy Practices (NPP) and notification requirements for a third party who may administer research studies. The following is our response to the question asked by a client in Kansas:
Two of the physicians in our practice are very proactive in doing research studies. We are considering having a third party administer the studies; however, since our physicians would spearhead the projects, any of our patients have the potential to be contacted by this third party to participate in the research study, which would be conducted in-house. We would have a BAA with the third party.
Under HIPAA, what is our obligation to notify all of your patients that they "could" be contacted as part of one of the studies, or does your current NPP cover it?
Healthcare Compliance Pros Response:
The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity's obligations with respect to that information. Most covered entities must develop and provide individuals with this notice of their privacy practices.
The Notice of Privacy Practices (NPP) is a statement from the provider to the patient on how the patient's PHI will be handled and protected by the provider's office. The NPP must be provided on or before the first delivery of service, except in emergency situations. Direct care providers are obligated to make a good faith attempt to obtain an individual's written acknowledgement that they have received a copy of the NPP. Even if the individual fails to return the acknowledgement to the provider, the provider will be deemed to have made the required "good faith" attempt to obtain the written acknowledgement. There are certain required elements that the NPP must contain.
Under the HIPAA Privacy Regulations, a business associate is a person or entity that receives protected health information (PHI) from a covered entity and performs certain functions or activities on behalf of the covered entity. The HIPAA Privacy Regulations require covered entities to enter into Business Associate Agreements with these entities. Although these entities are not covered entities themselves, they agree to treat the PHI they receive as if they were covered entities under HIPAA.
In the course of conducting research, researchers may obtain, create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule.
Based on the facts restated above, in our opinion (and this is by no means legal advice), your current NPP would cover it. Under HIPAA, there wouldn't be any issues with having the third party contact the patients who would be participating in the research study. In addition to the NPP, you have a BAA with the third party who will be performing certain functions or activities on your behalf, which means they agree to treat any PHI they receive as if they were covered entities under HIPAA.
If you have any additional questions or require further assistance, please do not hesitate to contact one of our professional consultants.