Biobanks and HIPAA

Biobanks are facilities that collect, store, and manage biological samples (like blood, tissue, or DNA) and often operate in healthcare institutions or research organizations that handle identifiable health data. Their role in the healthcare sector means that these organizations fall under the jurisdiction of HIPAA and must comply with the regulations.

 

How are biobanks classified under HIPAA? 

Biobanks are classified under HIPAA as covered entities primarily because they handle protected health information (PHI) in biomedical research. A Mayo Clinic research document on the topic notes, “The details Biobank participants share about their family members are given to Biobank personnel, who are clinic employees; thus the information is received by a health care provider, satisfying above. If and when that information relates to the past, present, or future medical status of a specific person, and contains information sufficient to identify that person, it is protected health information regulated by HIPAA.”

The classification arises from their role in the collection, storage, and use of biological samples and associated health data. According to HIPAA, a covered entity is any healthcare provider, health plan, or healthcare clearinghouse that transmits health information electronically. Since many biobanks operate in healthcare institutions or are associated with research organizations that provide health services, they meet this definition.

 

The basics of HIPAA

The Privacy Rule

The HIPAA Privacy Rule requires that biobanks obtain informed consent from participants before collecting their samples and health information. The consent should clearly outline how the data will be used and shared so that participants understand their rights regarding their genetic information. 

The Privacy Rule also requires biobanks to implement policies that restrict access to PHI to authorized personnel only. Any use or disclosure of PHI for research purposes must comply with specific authorization requirements unless a waiver is granted by an Institutional Review Board (IRB) or Privacy Board.  

 

The Security Rule

The Security Rule complements the Privacy Rule by establishing standards for the protection of electronic PHI (ePHI). Biobanks need to implement administrative, physical, and technical safeguards to prevent breaches or unauthorized access. This includes ensuring secure storage systems, using HIPAA-compliant email and text messaging for data transmission, and conducting regular risk assessments to identify vulnerabilities.

 

The Breach Notification Rule

In the event of a breach involving PHI, the Breach Notification Rule requires biobanks to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media. The notification has to occur within a specified timeframe after the breach is discovered. The rule relies on transparency and accountability, allowing individuals to take necessary precautions if their information has been compromised. 

 

Handling family member information

Biobanks collect health-related data about the donor's relatives, which can be relevant to understanding hereditary conditions and improving research quality. The sharing of this information raises questions about consent and privacy. Generally, biobanks can share family member information if the donor provides it voluntarily and without disclosing identifiable details.

In many cases, donors may not seek explicit consent from their relatives before sharing health information. Ethical guidelines suggest that researchers should ideally inform family members about the potential sharing of their health data, especially if it concerns major health findings that could affect them. HIPAA allows for exceptions under which sharing the information of family members is permissible.

These include: 

  • If the donor provides informed consent that includes the sharing of family health information, it can be shared.
  • Donors may share information about their relatives voluntarily, especially if they believe it is relevant to their own health or research.
  • Family member information can be shared in an anonymized form, where no identifying details are included, thus protecting the privacy of relatives.
  • If the information about family members is pertinent to understanding hereditary conditions or risks that affect the donor, it may be shared for research purposes.
  • If the donor does not perceive any objection from their relatives regarding the sharing of their health information, it may be shared.
  • In some cases, if the research requires understanding familial health patterns and the donor has not explicitly restricted such sharing, it may be permissible.

What are research exemptions? 

  1. Nine-month analysis: Samples analyzed within nine months of collection and destroyed immediately afterward are exempt from certain regulations.
  2. Non-biobank purposes: Samples collected for transfusion, transplantation, insemination, or fertilization outside the body are not covered by biobank regulations.
  3. Substantial modification: Samples that have been substantially modified during research are exempt if the donor was informed and consented to this modification.
  4. Anonymized samples: Samples that have been anonymized, meaning they cannot be traced back to an individual, do not require consent for use.
  5. Ethical review requirement: Even when exemptions apply, research involving these samples must still undergo ethical review before being conducted.

 

FAQs

What are the types of genetic tests?

There are several types of genetic tests:

  • Diagnostic tests
  • Predictive tests
  • Carrier tests
  • Pharmacogenomic tests

Can genetic information be shared with insurance companies?

No, under laws such as the Genetic Information Nondiscrimination Act, insurance companies cannot require or use genetic test results to discriminate against applicants.

 

How is genetic data used in research?

Genetic data is utilized in various research fields, including cancer studies, pharmacogenomics, and population genetics, to understand disease mechanisms and develop targeted therapies.