Researching the Appropriateness of Care in the Complementary and Integrative Health Professions Part 2 : What Every Researcher and Practitioner Should Know about the Health Insurance Portability and Accountability Act and Practice-Based Research in the United States

Abstract

Objective:

This paper describes a process for ensuring and documenting Health Insurance Portability and Accountability Act (HIPAA) compliance in clinical practice based research.

Methods:

The Center of Excellence for Research in Complementary and Alternative Medicine was funded by National Center for Complementary and Integrative Health to develop the methods for researching the appropriateness of care in Complementary and Integrative Health (CIH), which is previously known as Complementary and Alternative Medicine or “CAM.” We recruited 125 participating chiropractic clinics for enrolling patients and gathering their data via the online surveys. Chiropractic clinics completed the following: 1) obtained the files of patients who provided prior consent (the prospective sample), 2) obtained the files of the patients selected randomly using specified randomization procedures (the retrospective sample), and 3) transferred all patient data to RAND via an encrypted file.

Results:

Most of the doctors of chiropractic from clinical practices had no concerns about obtaining and transferring the files of patients who provided informed consent. However, some doctors were uneasy about allowing the researchers to access the randomly selected files of patients who had not provided prior authorization. This led us to develop a set of forms to provide clinics about HIPAA compliance.

Conclusion:

For this study, we provided clinics with information about the rules under HIPAA, demonstrated how the study complied with those rules, explained the logic behind the necessity for collecting files from both the prospective and retrospective samples, and, if requested, provided clinics with a confidentiality agreement signed by the study PI and an organizational contracts representative. The process we developed may assist other CIH researchers and practitioners in future studies.

INTRODUCTION

As the landscape of healthcare delivery and data security in America become more complex, healthcare practitioners and their staff must be increasingly knowledgeable about which activities are allowable under the Health Insurance Portability and Accountability Act (HIPAA). Created by United States legislators in 1996, HIPAA outlines data privacy and security provisions for safeguarding medical information.¹ The Act balances two objectives: the safety and protection of patient health records, and the accessibility of such records as necessary to those providing care.

All healthcare providers and their clinic staff must be HIPAA compliant. Most state associations, including those of doctors of chiropractic and physical therapists, offer courses and presentations to educate their professions about their legal HIPAA responsibilities. Numerous outside organizations offer a variety of online and off-line education modules that are also accessible.² Because compliance is a legal obligation, many practitioners and their office managers and staff are rightly concerned about the protection of patient data. However, this can have a chilling effect on practice-based research. It is our experience that while the profession is literate about the HIPAA regulations, they are less educated about the rules regarding research under HIPAA. This lack of knowledge can severely hinder research studies, as it increases the difficulty of obtaining data needed to complete such endeavors.

The focus on practice-based primary data collection is beneficial to healthcare, including complementary and integrative health (CIH), (previously known as Complementary and Alternative Medicine or “CAM”), chiropractic, and other professions, for several reasons. First, it re-centers the role of the clinical practice in evidence-based research and increases the likelihood that research focuses more on actual holistic care, instead of just modalities such as manipulation or manual therapy. Further, this relationship is more likely to promote Comparative Effectiveness Research (CER), which has advantages for the professions when compared to traditional Random Controlled Trials (RCTs).³ Given these factors, practice-based primary data collection, which often occurs through the extraction of data from patient charts, will constitute an important source of research data for the chiropractic and physical therapy communities.

The purpose of this paper is to describe the processes we have developed during our research efforts to address these issues. In this paper, we draw on our research project on chiropractic manipulation and mobilization for chronic low back pain and chronic neck pain to explore this issue and to share the solutions we have used. We provide suggestions for other researchers in the US who want to collect data from chiropractic clinics and similar settings in the United States. Hopefully the information will also be helpful to practitioners and their staffs as they negotiate the landscape of HIPAA.

Research Under HIPAA in the US

Chiropractic and other manipulative and manual care is still largely conducted in independent clinical practices, and may not be covered in many insurance schemes. Also, the clinical practices are still a mixture of paper and electronic records. In this study^4,5 23% of the clinics had only electronic records, 32% only paper and 45% a combination. This limits the ability to use large pre-existing electronic and insurance data sets for research. Therefore, for the foreseeable future, much of manual and manipulative research will involve primary data collection from clinical practices with a mixture of record types.

The process of using patient files for research is not an issue when the patient provides informed consent for such access. This consent is distinct from their consent to treat which they must give. The difficulty arises when the researchers wish to access patient files without first obtaining informed consent.

One may ask why the researchers do not just obtain the patients’ consent to use their files. In many cases this is simply not possible, not practical, or not cost effective. In these instances, insisting on patient consent might in fact mean the study cannot be done. The task of obtaining the random sample and then approaching all the patients who are included is quite costly, as it may require multiple visits to a clinic and considerable time to obtain the consent. When it is not possible, not practical, or not cost effective to obtain patient consent, conducting research on randomly selected patient files without their prior authorization is difficult. Another example of the logistical problems is if a researcher wanted to access a random sample of all the treatments that doctors of chiropractic have submitted under Medicare.⁴ It would be logistically impossible to obtain patient consent because of the magnitude of the task. Furthermore, given that the files in the sample are randomly selected, the research cannot pre-determine which files are to be included and thus cannot consent patients prior to drawing the sample. However, because such research is imperative to understanding various aspects of patient care, a set of rules has been devised to allow it.

There are rules that allow researchers to obtain patient files without informed consent and without violating HIPAA. The following section will describe the study currently in progress at the RAND Corporation that collected patient files from chiropractic clinics in a manner adherent to these regulations.

THE STUDY

In 2014 RAND was funded by the National Center for Complementary and Integrative Health (NCCIH) to create a Center of Excellence for Research in Complementary and Alternative Medicine (CERC). It was not a clinical trial, but was registered as an observational study on ClinicalTrials.gov ID: NCT03162952. The study has been previously described in the literature.^4,5 Specifically, we were to investigate the appropriateness of manipulation and mobilization for chronic low back and neck pain. At over $8 million, this is one of the largest studies ever funded by the National Institutes of Health to study chiropractic care.

Given the huge concern about the opioid epidemic in the United States, ^6,7 the execution of this project is quite timely. There is currently a huge interest in the US in non-pharmacological alternatives for pain treatment, and chronic back and neck pain are two of the most prevalent forms of pain. As such, the chiropractic profession may be strategically placed to provide such care. However, to do so may require the profession to produce data to answer following questions:

• 1)How much chronic low back and neck pain do chiropractors treat?
• 2)What are the treatments delivered?
• 3)How much of said treatment is appropriate?
• 4)What outcomes do patients derive from this care?
• 5)What are the costs of the treatment to the patients or insurance companies?

To date, there exists very little information and even less data to answer these questions. The RAND Choosing Chiropractic Care for Chronic Pain study was designed to provide the answers. Although a full description of the study is beyond this article ⁵ addressing these questions required that we recruit chiropractic clinics across the US using a systematic stratified cluster sample (New York; Minnesota; Oregon; Texas; Florida; California), and in those clinics, we did two things. We enrolled a prospective sample of chronic back and neck pain patients and followed them over three months to record their outcomes, preferences, and costs associated with chiropractic care. All patients in this prospective sample were recruited in chiropractic clinics using web-enabled tablets, then consented, enrolled, and followed in the study via online surveys. Using this method, we recruited 2024 patients, 83% of whom completed the final three-month survey. Of those recruited, 92% signed a consent to also release their patient files to the research team so that we could abstract information from those files. For the second part of the study, we drew a random sample of files from each clinic’s chronic back and neck pain patient population to examine the care received by these individuals. Combined, obtaining the files of the patients that completed the online surveys (prospective sample) and the files of the randomly selected patients (retrospective sample), was termed the “chart pull” portion of the study. In total around 80% of the clinics participated in the chart pulls. From those we had 1,477 charts from patients who participated in the study and 2,116 carts obtained randomly.

THE PROBLEM

Most of the 125 participating chiropractic clinics had no problem with our methods for enrolling patients and gathering their data via the online surveys. For the chart pull portion of the study, which occurred after the web survey data collection period ended, participating chiropractic clinics had to do the following: 1) obtain the files of patients who provided prior consent (the prospective sample), 2) obtain the files of the patients randomly selected using specified randomization procedures (the retrospective sample), and 3) transfer all patient data to RAND via an encrypted file. To assist with this process, we offered to either send a RAND study team to the clinic and work with staff to obtain and transfer all requested patient files, or train clinic staff (via either in-person visit or telephone call) and provide all necessary equipment for them to obtain and transfer the requested patient files.

Most of the participating clinical practices had no concerns about obtaining and transferring the files of patients who provided informed consent, but many were uneasy about allowing the study to access the randomly selected files of patient who had not provided any prior authorization. For some of the clinics it caused some concern about the legality of obtaining the files. This was often raised by the officer manager or in some instances, the legal advisor to the clinic. This then made us revisit the question of what do we need to provide to clinics to deal with this concern. But it also raised in our minds that this should perhaps be a standard process for all clinics we approached in future studies. The following section outlines the method used to allay concerns.

THE SOLUTION

Our approach to addressing concerns about sharing patient files focused on providing a review of the HIPAA rules, noting why sharing the data in these files was important, and how the study complied with the rules. We also provided, if requested, a confidentiality agreement between the clinic and the study team which was signed by both the study’s Principal Investigator and RAND’s contracts office.

The Rules of HIPAA and Research

Under the HIPAA Privacy Rule, researchers can obtain and use individually identifiable health information given they follow the stipulations set forth in the legislation. Individually identifiable data is “information, including demographic data, that relates to: (1) the individual’s past, present or future physical or mental health or condition, (2) the provision of health care to the individual, or (3) the past, present, or future payment for the provision of health care to the individual” (Office for Civil Rights, 2013). Individually identifiable information is called protected health information (PHI) when is it created or received by a “covered entity.”

“Covered entities” are defined as health care providers (such as doctors of chiropractic), healthcare plans, or healthcare clearinghouses are permitted to disclose PHI, either with or without patient authorization, under a limited set of circumstances described in the HIPAA Privacy Rule (Office for Civil Rights, 2017a). To use or obtain protected health information without prior authorization from the research participant, researchers must provide covered entities with “Documented Institutional Review Board (IRB) or Privacy Board Approval” (Office for Civil Rights, 2017b). Regulatory IRBs can grant approval for a waiver of participants’ authorization if the researchers were to “conduct records research, when researchers are unable to use de-identified information, and the research could not be practically conducted if research participants’ authorization were required” (Office for Civil Rights, 2017b). For the RAND Chiropractic Study for Chronic Pain, researchers first demonstrated to our organizational IRB that the work we planned to undertake for the chart pull portion of the study met each of these three criteria, and then documented how we planned to satisfy the requirements necessary to obtain a waiver of patient authorization.

In Figure 1, we provide details about how our study complied with each of those points.

Figure 1.

Satisfying requirements for IRB Approval of a Waiver of Patient Authorization

Getting IRB Approval

We obtained approval from RAND’s IRB, the Human Subjects Protection Committee (HSPC), for all aspects of data collection for this project, including collecting data from patient files at the chiropractic clinics. The approval for the overall project was an iterative process that involved submitting many amendments to the committee as we moved forward with the various components of our study and occasionally revising our protocols in response to feedback from our reviewers. However, we did receive full approval and the HSPC provided the study team a signed letter on institutional letterhead to confirm this and to explain why the committee decided that a waiver of HIPAA patient informed consent authorization for the retrospective random sample was appropriate.

For the IRB or Privacy Board to approve a waiver of authorization under the privacy rules, three criteria must be satisfied:

1. “The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

   • an adequate plan to protect the identifiers from improper use and disclosure:
   • an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
   • adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;

2. The research could not practicably be conducted without the waiver or alteration; and

3. The research could not practicably be conducted without access to and use of the protected health information” (Office for Civil Rights, 2017b).

To release patient information without patient authorization, the covered entity (in the CERC study, chiropractic clinics) must obtain documentation of the study’s approval from the organizational IRB. The documentation must contain the following five elements:

• “Identification of the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;

• The statement that the IRB or Privacy Board has determined that the alteration or waiver of authorization, in whole or in part, satisfies the three criteria in the Rule;

• A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Board,

• A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, and

• The signature of the chair or other member, as designated by the chair, of the IRB or the Privacy Board, as applicable” (Office for Civil Rights, 2017b).

We provided a copy of the HSPC approval letter to participating clinics. For clinics that expressed concern about HIPAA compliance, we also provided a document that explained, using clear and non-legal language, our justification for not obtaining informed consent from the randomly sampled patients (See Appendix).

In addition, we offered to make the Data Safeguarding Plan referenced in Figure 1 available to participating clinics who wished to view it. The extensive Data Safeguarding Plan (DSP) details how we protected hardcopy and electronic data for all components of the study. Beyond the sections that are commonly included in DSPs at RAND, such as a description of the study, which study team members are responsible for safeguarding the data, and the level of sensitivity of the data, our plan also includes a table with rows for every data collection component (e.g., hardcopy consent forms from pilot study, digital audio recordings of exploratory interviews, electronic survey data, electronic scans of chiropractic records), and columns where we specified whether or not that component of data contained personal identifiers, how the data will be collected and transferred to our office, how data will be stored, and when and how data will be destroyed at the end of the study. The DSP also included appendices for other relevant documents, such as a non-disclosure agreement signed by a subcontractor institution who implemented the national surveys.

We should also note that any violations of our data safeguarding protocols, whether they were committed by our own staff or by clinic staff in the process of transferring files to us, were reported to our Human Subjects Protection Committee.

Prior to obtaining charts from clinics, we conducted a thorough orientation call with doctors of chiropractic and their clinic staff during which we explained the process and assessed which would be the best chart pull technique to use with their clinic based on how they stored their charts and their schedule. We provided the clinic staff written instructions on how to select and transfer patient charts for the study. Further, we provided the memo (see Appendix) to ensure that clinics abided by our data safeguarding protocols when transferring patient names or chart information to us.

DISCUSSION

By using this comprehensive approach to address the HIPAA concerns associated with collecting patient files, we have been largely successful. Using these protocols, 90 of the 125 study clinics provided patient files for the study. Of the 90 clinics, only three refused to provide patient files for the random sample. This highlights that the majority of those who gave patient chart data at all also gave us patient chart data for the random sample.

It is imperative to the profession that practitioners who employ manipulation and mobilization, as well as the individuals leading the professions’ educational programs and advising clinics on HIPAA regulations, are well-versed on the rules for conducting research that involves patient data collection. All practitioners must understand that adhering to HIPAA regulations is not a barrier to research participation; if fact, these laws allow for the collection of such patient data provided certain safeguards are in place. With this paper, we have explained the stipulations under which the HIPAA Privacy Rule allows for use of identified patient information without prior patient authorization, and demonstrated the steps taken in our current study, to comply with these regulations. It is our hope that in providing this information, practitioners will continue to participate in studies that require the release of protected patient information, as they may ultimately benefit both the patients and the professions. We must add that HIPAA does not replace, or in any way diminish the obligations of going through, a full IRB review. All the protocols shared here and described here were also reviewed by the Human Protection Committee at RAND. HIPAA adds another layer of protection to subjects that must be followed by those conducting research albeit that they do allow the research to occur. Charts cannot be obtained for research without having an IRB review. It meets the two requirements for all IRB reviews: it is research and it is on humans. There is an expanding literature base on HIPAA that deals with the rules and regulations, what is covered, what is not. ^11-13

For further detail about the HIPAA and a waiver of patient authorization for identifiable patient health information, ^8-10 please visit: https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html?language=es

LIMITATIONS

Information about HIPAA applies in the United States, although other countries do have similar rules regarding protection of the patient’s privacy. The approach adopted here was developed specifically for RAND and for this particular research project, so may be limited in other applications. Other projects should adapt this method or use other methods to confront different problems, but the general principles should be the same.

CONCLUSION

For this study, we provided clinics with information about what the rules are under HIPAA, demonstrated how the study complied with those rules, explained the logic behind the necessity for collecting files from both the prospective and retrospective samples, and, if requested, provided clinics with a confidentiality agreement signed by the study PI and an organizational contracts representative. We hope that the process we developed will assist other CIH researchers and practitioners in future studies.

Appendix A. Blank Confidentiality Statement

The federal Health Insurance Portability and Accountability Act (“HIPAA”) and its regulations, the California Confidentiality of Medical Information Act and other federal and state laws and regulations were established to protect the confidentiality of medical and personal information, and provide, generally, that patient information may not be disclosed except as permitted or required by law or unless authorized by the patient. In certain circumstances, HIPAA allows the disclosure of limited patient information in order to carry out treatment, education, research, public health or healthcare operations and activities without obtaining the patient or subject’s authorization.

Confidential Patient Information includes: any individual identifiable information in possession or derived from a provider of health care regarding a patient’s medical history, mental or physical condition or treatment, as well as the patient’s and/or their family members’ records, test results, conversations, research records and financial information. (Note this information is defined in the Privacy Rule as “protected health information.”) Examples include but are not limited to:

• Physical, medical, and psychiatric records including paper, photo, video, diagnostic and therapeutic records, laboratory and pathology samples;

• Patient insurance and billing records;

• Computerized patient data;

• Visual observation of patients receiving medical care or accessing services; and

• Verbal information provided by or about a patient.

I understand and agree that this document establishes a Confidentiality Agreement between me, Dr. Ian Coulter, Ph.D., a representative of RAND Corporation, and [Chiropractor Name, D.C.], a representative of [clinic name] located at [clinic address, city, state, zip code], and sets for the understanding regarding the protection of any confidential information that Individual may have access to while performing services at [clinic name] with the following purpose:

RAND Chiropractic Study

• 1.
  I understand that I will be granted access to, or otherwise become acquainted with the following information (“Information”) relating to [Chiropractor’s] patients:

  • Clinical/medical information
  • Insurance and billing information
  • Scheduling information
  • Demographic information (like age, gender)
    It is understood and agreed that except as required by law, I will use and hold all Information in strict trust and confidence, and will use such information only for the research purposes contemplated herein, and not for any other purpose.
• 2.I acknowledge that it is my responsibility to respect the privacy and confidentiality of Information received from [clinic name]. All information obtained will be de-identified and located in an encrypted file for protection.
• 3.I will not access, use, or disclose patient or other confidential information unless I am authorized or permitted to do so by law or as authorized by the patient. I further understand that I am required to immediately report any information about unauthorized access, use, or disclosure of confidential patient information to [clinic name] ([chiropractor name, D.C.]).
• 4.I agree to not disclose the Information to any other individuals who are not part of the RAND research team.
• 5.Neither the release of any Information hereunder or the act of disclosure shall constitute a grant of any license under a trademark, patent, or copyright of application of the same.
• 6.I understand and acknowledge that, should I breach any provision of this Confidentiality Statement, I may be subject to civil or criminal liability.

______________________________________

Signature – Principal Investigator

______________________________________

Date

______________________________________

Print

______________________________________

Signature – Contracts Representative

______________________________________

Date

______________________________________

Print

Appendix B. Data Protection Memo

RAND Corporation

M E M O R A N D U M

TO: Clinics in the RAND Chiropractic Study

FROM: Chair of the RAND Human Subjects Protection Committee

SUBJECT: Join Us in Protecting Confidentiality of Research Participants

Thanks for being a research collaborator with RAND! We value your support and assistance in our research endeavors. I’m writing to ask for your help in protecting the confidentiality of information from or about individuals who are part of RAND research studies.

RAND researchers often partner with other organizations to help identify individuals to be included in RAND studies and to obtain information about them. For this study, we are collecting information about patients seen in your clinic for chiropractic care. This information is needed to provide evidence for the importance of chiropractic as a non-pharmaceutical mechanism for managing chronic pain.

Maintaining the privacy of people who participate in RAND studies is very important to us. The Human Subjects Protection Committee was established at RAND to review projects with the specific responsibility of protection the rights and wellbeing of people who participate in RAND projects. One aspect of that is protecting the privacy of information about them. We do that through Data Safeguarding Plans that specify each type of information we are collecting and how it must be safely transferred and stored.

What We Are Asking You To Do

Here’s how you can help. If you are providing information to us we ask that you carefully follow the procedures that have been agreed to with RAND staff members. In this case, that means following procedures for transferring files and patient information. Please only send patient data (e.g. patient names, records, or other information) via Kiteworks or the encrypted hard drive. Do NOT send any patient data via email or fax. These procedures are designed to protect data privacy and they are important. Please make sure that all individuals at your organization, including any other staff sending data, to RAND are familiar with these procedures and let us know about any problems.

If you have any questions about privacy procedures, please ask the RAND Chiropractic Study staff you are working with for answers. You can also contact RAND's Human Subjects Protection Committee toll- free at (866) 697–5620 or by emailing hspcinfo@rand.org. If possible, when you contact the Committee, please reference Study #2013–0763.

Project Name: RAND Chiropractic Study

Principle Investigators: Ian Coulter, Ph.D. and Patricia Herman, Ph.D.

Appendix C. Justification of Waiver of Patient Authorization for Random Chart Pull – Clinic Document

Justification of Waiver of Patient Authorization for Random Chart Pull

In addition to pulling the charts of patients who participated in our web surveys and consented to have their charts pulled, we will also pull a random sample of retrospective charts from each clinic. Because it is not legally required to gain informed consent for the random chart pull, nor would it be feasible for our study, we will not do an informed consent process for people whose charts are pulled at random. Therefore we are requesting a waiver of the patient authorization/consent process for those individuals. In this document we provide further justification for this decision. Our removal of identifiers and our data safeguarding procedures comply with relevant HIPAA and OHRP (Office of Human Research Protections) stipulations. Our protocols have been approved by the Information Security management at RAND Corporation.

The RAND Human Subjects Protection Committee (HSPC) will grant studies a waiver of patient authorization under the following conditions:

1. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

   • an adequate plan to protect the identifiers from improper use and disclosure:
   • an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
   • adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;

2. The research could not practicably be conducted without the waiver or alteration; and

3. The research could not practicably be conducted without access to and use of the protected health information.”

This study has been granted a Waiver of Patient Authorization. Please see details here about how our study protocols comply with each of those points:

Condition for waiving patient authorization	How our study meets this condition
1. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:    a. an adequate plan to protect the identifiers from improper use and disclosure:	Our Data Safeguarding Plan (DSP) details how we will protect identifiers in the chart from improper use and disclosure. We have a formal confidentiality statement that our PI and a RAND Procurement/Contracts official will sign, and this will be provided to participating study clinics. To adequately protect identifiers from improper use and discosure, we will do the following: For transfer of electronic files: -Use of a secure server (Accellion or Kiteworks) for transfer of all chart data -If there is no internet access in a clinic, we will use an encrypted hard drive that is transferred (sent) to the clinic using continuously secured methods. Encryption password will be shared with clinic staff via phone or Kiteworks only. A master file of encryption passwords will be stored at RAND using PGP encryption. For data storage: Data files will be uploaded onto a RAND cold room computer, and then they will be stored in accordance with standard for Highly Sensitive data on RAND devices. These protocols have been approved by the Information Security management at RAND. Please see the Data Safeguarding Plan for more details.
1b. An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and	As specified in our Data Safeguarding Plan: “RAND will destroy the files, also using secure file delete software, three years after the study ends (12/31/2020).”
1c. Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;	Our formal Confidentiality Statement that will be signed and provided to all clinics participating in the National Study includes the following provisions: It is understood and agreed that except as required by law, I will use and hold all Information in strict trust and confidence, and will use such information only for the research purposes contemplated herein, and not for any other purpose. 3. I will not access, use or disclose patient or other confidential information unless I am authorized or permitted to do so by law or as authorized by the patient. I further understand that I am required to immediately report any information about unauthorized access, use or disclosure of confidential patient information to the___[clinic name]___ 4. I agree to not disclose the Information to any other individuals who are not part of the RAND research team. 5. Neither the release of any Information hereunder or the act of disclosure shall constitute a grant of any license under a trademark, patent, or copyright or application of the same. 6. I understand and acknowledge that, should I breach any provision of this Confidentially Statement, I may be subject to civil or criminal liability. You, the clinic, have been provided with the signed RAND HIPAA confidentiality agreement.
2. The research could not practicably be conducted without the waiver or alteration; and	Obtaining a random sample of charts from clinics is essential to address our Center’s key research questions, such as estimating the amount of chronic low back and neck pain being treated at these clinics, and the amount of appropriate and inappropriate care. While we have obtained patient authorization to pull charts for the patient survey participants, it is not feasible to obtain such authorization from patients whose charts will be pulled at random. We have a complex random sampling procedure wherein charts are pulled and then screened to determine if they meet the qualifications for chronic pain. This process will be repeated until we meet our target number of chronic pain charts from each clinic, and then chart data is abstracted at a later date. It would not be feasible to contact each patient within this process. Without reviewing their chart data to answer our screening questions, we cannot know if the chart will be included and therefore would not know how many charts to review total or how many patients to contact.
3. The research could not practicably be conducted without access to and use of the protected health information.	Protected Health Information about patients’ pain history and treatment is essential to answering key research questions about the amount of chronic low back and neck pain being treated at these clinics and the amount of appropriate and inappropriate care.