Key Battlegrounds: Research, Marketing and Fund-Raising
Joanne Pollak, general counsel
When a first draft of the HIPAA privacy regulations was
released in December 2000, Joanne Pollak spent days absorbing
the provisions and subprovisions laid out in the three-inch-thick
document. What alarmed her most was that, as written, the
regulations would make it nearly impossible for Hopkins
and other academic medical centers to conduct clinical trials
or to ask for contributions.
At a standing-room-only meeting for researchers on HIPAA
in early February, Pollak, vice president and general counsel
and vice president for compliance for Johns Hopkins Medicine
and for The Johns Hopkins University and Health System,
said matter-of-factly, "Johns Hopkins was very active between
2000 and 2002 in seeking changes to eliminate the burdensome
aspects of HIPAA."
But, in fact, it was thanks to Pollak and others who took
the lead in presenting their case to the federal government
that changes were made in some of the major provisions of
the rules.
Some important victories occurred in the area of research.
First, the government agreed to permit one privacy authorization
to cover all uses of patient information for research and
clinical trials and combine it with the informed consent
already in use for research after institutional review board
(IRB) approval.
Also, it met research institutions halfway in their concerns
about demands to keep track of every disclosure of information
during the course of research. Health and Human Services
(HHS) said "if we get a signed authorization that states
whom this information might be disclosed to - in a multi-center
clinical trial, for example - we don't have to keep track
of every disclosure," Pollak explains. "That would
have been almost impossible to undertake."
Lastly, the agency revised the complex privacy criteria
which the IRB must apply when granting a waiver of authorization
for protocols where it is impractical for investigators
to obtain a subject's authorization.
Another victory occurred in marketing. Now medical centers
may contact patients about their own services without an
authorization. Hopkins, for example, can mail information
about a new low-vision product to a patient who has been
treated for a severe eye problem without having first obtained
the patient's permission.
But it was in fund-raising, "the area that will affect
us most," according to Pollak, that the Hopkins general
counsel was most dogged in her lobbying efforts.
As originally written, the regulations prevented medical
centers from contacting patients for donations for a disease
for which they'd been treated unless they had agreed to
this at the time of admission. Although demographic information
like name, age and address could be used to contact grateful
patients, the regulations did not allow specific information
such as clinical department or physician to be used without
obtaining a complex authorization. "It's the service
or the physician that patients are grateful to," Pollak
says. "This is how Hopkins raises almost all of its
funds to support important research."
The regulations concerning philanthropy still stand, but
the government has left some wiggle room. A physician now
can at least broach the subject of a gift with a patient
before asking for a written authorization to send that information
to development officers.
Still, the battle isn't over for Pollak. "HHS can't
amend these regulations for another year," she says,
"but we'll go back in and push hard for more changes."
Dos and Don'ts
Do treat all patient information with the utmost concern for confidentiality and privacy.
Do tell your supervisor if you see patient information that is unattended or a PC with patient information on the screen.
Do remove patient information from trash bins and shred or dispose of patient information in confidential bins.
Do access only the information required to perform your job.
Do report any suspicious activity to your supervisor.
Do refer patient information questions to employees in the appropriate department.

Don't open sealed, confidential envelopes addressed to someone else.
Don't throw patient information in the trash.
Don't tell friends or relatives about patients in the hospital.
Don't send patient information in e-mails.
Don't discuss patient information in public areas, including elevators.
Don't discuss patient information on phones in public areas.
Don't leave patient information unattended in public areas during deliveries.
Don't share patient information with those who do not have a need to know.
Don't access health information of co-workers, family members or celebrities.
Don't sell patient information.
Rights and Requirements
Beginning April 14, HIPAA creates new privacy rights for
patients. These include, among other things:
The right to receive a Notice of Privacy Practices about how Hopkins will use and disclose* protected health information (PHI). The notice sets forth HIPAA requirements, state law requirements and Hopkins' specific policies.
The right to see their protected health information and get a copy of their PHI.
The right to request that their PHI be changed if they believe Hopkins has recorded it incorrectly.
Under certain circumstances, however, such as if Hopkins
did not create the PHI or if it finds the PHI is, indeed,
accurate and complete, Hopkins does not have to agree to
the change.
HIPAA also requires Hopkins to do things to protect patient
privacy, including:
Make sure patients receive the Privacy Notice.
Make sure the workforce uses only the "minimum necessary" PHI to get the job done.
Get special authorizations from patients for uses or disclosures of PHI that involve research, fund-raising or marketing.
Keep records of disclosures of PHI that are made to public authorities, health authorities and others in connection with some research activities - and give patients a list of those disclosures when asked.
Have policies and procedures that include these responsibilities, and train the workforce about them and enforce them.

* Generally, "use" means the sharing of PHI within the Hopkins family, and "disclosure" is the sharing of PHI with any person or entity not within the Hopkins family.