Medical Records and the Law

522 CHAPTER 14: HEALTH INFORMATION IN MEDICAL RESEARCHemployee, who performs a function involving the use of PHI—suchas billing, claims processing, quality assurance, utilization review, orpractice management—or who provides legal, actuarial, accounting,consulting, data aggregation, management, administrative, accreditation,or financial services to or for the covered entity where the provisionof services involves PHI. 24As a general rule, HIPAA prohibits use and disclosure of PHI by acovered entity without a specific, written authorization from the individualsinvolved, unless an exception applies. HIPAA provides manyexceptions to this general rule. For example, healthcare providers mayfreely exchange an individual’s identifiable health information in thecourse of treating the individual or as necessary to bill and collect forsuch treatment.Applicability to Medical ResearchPursuant to the Privacy Rule, a covered entity may access, use, and disclosePHI in connection with research only if it (a) has obtained a validauthorization from the subject of the PHI, (b) has a valid waiver to theauthorization requirement from an IRB or a privacy board, 25 or (c) ifthe use or disclosure falls within one of several specified exceptions thatare described further in the section “Research Exceptions to Authorizationor Waiver Requirements.” 26Because HIPAA does not apply directly to other than “covered entities,”the act does not directly apply to medical researchers or toother stakeholders in clinical trials, such as industry sponsors. The acthas indirect application, however, in various respects. First, before a24Ibid.25A privacy board is a special review body that the Privacy Rule allows to be established toreview requests for a waiver or alteration of the Privacy Rule’s written authorization requirementin connection with a particular research study. Privacy boards do not exerciseany other powers or authority granted to IRBs under other federal laws, such as theCommon Rule or the aforementioned FDA regulations. In addition, the Privacy Ruledoes not grant privacy boards the authority to approve authorization forms or to monitoruses and disclosures of PHI made pursuant to an authorization. See National Institutes ofHealth (NIH), “Privacy Boards and the HIPAA Privacy Rule” (posted Sept. 25, 2003),available at http://privacyruleandresearch.nih.gov/privacy_boards_hipaa_privacy_rul.asp (accessed Sept. 14, 2004).26SeeNIH,“Privacy Boards”; 45 C.F.R. § 164.508.