Nurses Need to Stay Attuned to Clinical Research Compliance

When nurses embark upon a research project, they must be guided by more than an idea, their curiosity and a plan of action. They also need to abide by applicable federal, state and local regulations and laws related to research. At Cleveland Clinic’s 12th Annual Nursing Research Conference in May, Peggy Beat, Esq., RN, discussed the importance of research compliance in a session entitled “Research Dos and Don’ts: Stories from a Corporate Compliance Perspective.”

“Within research, we are guided by a ton of principles,” says Beat, a registered nurse and Senior Director of Research Compliance at Cleveland Clinic. “We have so many masters that sometimes we’re not sure what rules we have to follow, who we have to listen to and what regulations and laws we have to be careful of.”

What does compliance have to do with research?

Peggy Beat, Esq., RN

Healthcare organizations set up compliance programs to ensure that their employees are aware of and take steps to comply with relevant laws and regulations. Corporate compliance affects nearly every facet of a hospital, from licensing of healthcare professionals to billing protocols and safeguarding medical records. “We provide the stop signs along the road that help prevent chaos and help us do the right thing from both an ethical and business standpoint,” says Beat, who specializes in research compliance.

Just as in other areas, compliance is critical to research. “Compliance with laws, regulations, policies and study protocols breeds quality,” Beat explains. Her team helps ensure that researchers don’t inadvertently run afoul of the law – and unfortunately there are many ways to do so. Researchers may get in hot water for not obtaining informed consent from research subjects, deviating from protocols approved by the Institutional Review Board (IRB), not maintaining adequate medical records for each study subject, improperly billing study sponsors and more.

Beat cites three major laws or regulations that affect human subject research in a healthcare setting:

• The Federal Policy for the Protection of Human Subjects – Also known as the “Common Rule,” this extensive policy is dictated by the U.S. Department of Health & Human Services.
• FDA Regulation – The FDA has many rules related to both clinical practice and clinical trials.
• The HIPAA Privacy Rule – This rule establishes conditions under which protected health information can be used or disclosed for research purposes.

How do privacy issues affect research compliance?

During her presentation at the Nursing Research Conference, Beat focused on privacy in research. She reminded the audience that although privacy rules can seem onerous to researchers, “it really is about putting patients first.” Privacy laws are an individual right to keep personally sensitive information private and secret.

The Privacy Rules state that a hospital must protect the privacy of patients. In order for a hospital to provide patient information to someone else, the patient must give approval. There are three exceptions where information may be released without patient approval:

1. Treatment of a medical condition
2. Payment of a bill
3. The hospital’s business purposes (such as quality improvement)

To protect study subjects, researchers have to protect the following identifiers linked with health information:

• Names
• Geographic information (including city, state and ZIP code)
• Elements of dates
• Telephone numbers, fax numbers and email addresses
• Social security numbers
• Medical records, prescriptions, account and healthcare beneficiary numbers
• Certificate and license numbers
• VIN and serial numbers; license plate numbers
• Device identifiers, serial numbers
• Web addresses and IP address numbers
• Biometric identifiers, such as fingerprints
• Full face and comparable photo images
• Unique identifying numbers, characteristics or codes

“Any one of those identifiers linked with health information has to be protected,” Beat explains. “For a covered entity to release protected information outside their walls for purposes of research, there has to be written permission in place.” There are occasions when researchers can release limited data sets, including dates; city, state and ZIP codes; and unique identifying numbers, characteristics and codes. This requires IRB approval and an executed data use agreement. The other option for sharing data is to remove all identifiers.

How can you safeguard protected information?

Privacy in research is paramount. In 2015, there were 255 recorded data breaches, according to the Office of Civil Rights (OCR). Perhaps the most well publicized breach was when Anthem Health Insurance became the victim of hacking, putting the privacy of 78.8 million individuals at risk. Beat offers these four tips for safeguarding data:

• Maintain data without protected health information. The best way to ensure that protected health information remains safe is to simply not use it when sharing your research findings. “If you don’t need protected health information, remove it all,” says Beat. “Just put on what you absolutely need or keep a key code, so 0001 is John Smith, 0002 is Sally Joe and so on.”
• Encrypt the data. “Think about credit cards, the deed to your house and your will. Where do you keep them? In a safe,” says Beat. “Encryption is like a safe.” The law basically says that if you lose an encrypted thumb drive or laptop computer, your patients’ data is considered safeguarded. Electronic protected health information, as specified in the HIPAA Security Rule, includes “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.”
• Destroy the data. “When you are finished with a project and the record retention requirements have past, you should destroy it,” says Beat. Paper, film and other hard copy media should be shredded or destroyed so the protected health information can’t be read or reconstructed. Electronic media should be cleared or purged or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization.
• Only use work computers. Don’t use home or personal computers to store protected health information. Maintain the data on a central drive with restricted access at work.

“Because we deal with data all the time in research, privacy is such an important aspect,” concludes Beat. “Safeguarding data, along with ensuring the integrity of the data, are critical.”