Can a company’s electronic health record (EHR) database be mined to identify potential subjects for a clinical trial? Can the information be used to contact them via phone, email, or text to recruit subjects?
– CEO, Pharma
Note that the answer to this question presumes that the company in question is a covered entity under the HIPAA Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
The US Department of Health and Human Services has directly addressed this issue in an FAQ related to use of patient data protected by the HIPAA Privacy Rule: "Can the preparatory research provision of the HIPAA Privacy Rule at 45 CFR 164.512(i)(1)(ii) be used to recruit individuals into a research study?" (HHS.gov).
Mining patient data from EHRs to both screen and recruit subjects is a tool frequently used in research studies. The requirements to obtain and use patient data from an EHR will depend on whether the researchers are employees of the company or not.
Under the preparatory to research provision, if the researcher is an employee of the company, data from the EHR may be mined to identify and contact patients who may qualify for the research. However, protected health information may not be disclosed outside the covered entity.
If the researcher is not an employee of the company, or if the researcher is an employee but wants to transfer or disclose the patient’s protected health information outside the company, approval of a partial waiver of authorization by an IRB or Privacy Board is required.
If the recruitment activity falls within the preparatory to research provision or a partial waiver of authorization is approved, the researcher may contact prospective subjects through the indicated recruitment methods. However, prior to communicating with subjects, the researcher should work with the IRB to determine if the phone script, text script or template email requires IRB review and approval.