9. Uses and disclosures for research. (§ 164.510(j))

[Please label comments about this section with the subject: “Research”]

In § 164.510(j), we propose to permit covered entities to use and disclose protected health information for research without individual authorization, provided that the covered entity receives documentation that the research protocol has been reviewed by an Institutional Review Board or equivalent body – a privacy board – and that the board found that the research protocol meets specified criteria (regarding protected health information) designed to protect the subject. Absent such documentation, the subject’s protected health information could be disclosed for research only with the individual’s authorization, pursuant to the authorization requirements in proposed § 164.508.

Our proposed requirements for this disclosure build on the requirements for such disclosure under the Federal regulation that protects human subjects in research conducted or funded by the Federal government, the Federal Policy for the Protection of Human Subjects (often referred to as the "Common Rule"), first published for several agencies at 56 Fed. Reg. 28,002-28,032 (1991), and codified for the Department of Health and Human Services at 45 CFR part 46.

a. Importance of research and the need for protected health information.

Much important and sometimes lifesaving knowledge has come from studies that used individually identifiable health information, including biomedical and behavioral research, epidemiological studies, health services research, and statistical activities. This type of research has led to dramatic improvements in the nation’s health. For example, the results of such research include the association of a reduction in the risk of heart disease with dietary and exercise habits, the association between the use of diethylstilbestrol (DES) by pregnant women and vaginal cancer in their daughters, and the value of beta-blocker therapy in reducing re-hospitalizations and in improving survival among elderly survivors of acute myocardial infarction.

Likewise, research on behavioral, social, and economic factors that affect health, and the effect of health on other aspects of life may require individually identifiable health information. Studies of this kind can yield important information about treatment outcomes and patterns of care, disease surveillance and trends, health care costs, risk factors for disease, functional ability, and service utilization – which may ultimately lead to improvements in the quality of patient care, the identification and eradication of public health threats, and the development of new devices and pharmaceutical products. For example, such research uncovered the fact that disease screening and treatment patterns vary with the race of the person, which in turn has led to focused outreach programs to improve health. Such research showed that the results of certain highly invasive surgical treatments are better when the care is provided in hospitals that performed a high volume of these procedures.

It is not always possible for researchers to obtain the consent of every subject that a researcher may wish to include within a study. Thousands of records may be involved. Tracking down the subjects may entail costs that make the research impracticable. The requirement to obtain consent also may lead to biased study results, because those who refuse consent may be more or less likely than average to have a particular health problem or condition. This may be a particular concern where the research topic involves sensitive or potentially embarrassing information. At the same time, the privilege of using individually identifiable health information for research purposes without individual authorization requires that the information be used and disclosed under strict conditions that safeguard individuals’ confidentiality.

b. Definition of research.

In proposed § 164.504, we would define “research” as a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. This is the definition of “research” in the Common Rule. This definition is well understood in the research community and elsewhere, and we propose to use it here to maintain consistency with other federal regulations that affect research.

For purposes of determining whether an activity is research under this proposed rule, it would not be relevant whether the information is given gratis, sold, bartered, rented, or otherwise provided for commercial gain. The purpose of this proposed rule regarding disclosure of protected health information for research is to protect the subjects of the information. Where the activity meets the definition of research and involves use or disclosure of protected health information, the rules in this section would apply. We request comments on any aspect of our proposed definition of research.

We understand that research and health care operations often look alike, and may overlap. We have provided definitions for these terms in § 164.504. We solicit comments on ways to further distinguish between research and operations, or otherwise clarify the application of this rule to such activities.

c. Privacy board review requirement.

In § 164.510(j), we would require covered entities that wish to use or disclose protected health information for research without individual authorization to obtain documentation that a privacy board has reviewed the research protocol and has determined that specified criteria (described below) for waiver of authorization for use or disclosure of the information have been met. The board could be an IRB constituted under the Common Rule, or an equivalent privacy board that meets the requirements in this proposed rule. We propose to apply these requirements to uses and disclosures of protected health information by all covered entities, regardless of the source of funding of the research.

We propose no requirements for the location or sponsorship of the IRB or privacy board. The covered entity could create such a board, and could rely on it to review proposals for uses and disclosure of records. An outside researcher could come to the covered entity with the necessary documentation from his or her own university IRB. A covered entity could engage the services of an outside IRB or privacy board to obtain the necessary documentation. The documentation would have to be reviewed by the covered entity prior to a use or disclosure subject to this provision.

Under our proposal, we would require that the documentation provided by the IRB or privacy board state: (1) that the waiver of authorization has been approved by the IRB or privacy board; (2) that the board either is an IRB established in accordance with the HHS regulations (45 CFR 46.107) or equivalent regulations of another federal agency, or is a privacy board whose members (i) have appropriate expertise for review of records research protocols, (ii) do not have a conflict of interest with respect to the research protocol, and (iii) include at least one person not affiliated with the institution conducting the research; (3) that the eight criteria for waiver of authorization (described below) are met by the protocol; and (4) the date of board approval of the waiver of authorization. We would also require that the documentation be signed by the chair of the IRB or privacy board.

i. Application to disclosures and uses regardless of funding source.

The Common Rule describes conditions under which research may be conducted when obtaining authorization is not possible. Those conditions are intended to ensure that research on human subjects, including research using their health records, is conducted in a manner that minimizes or eliminates the risk of harm to individuals. The Common Rule has been adopted by seventeen Federal agencies, (1) representing most of the federal agencies sponsoring human subjects research.

However, a significant amount of research involving protected health information is currently conducted in the absence of these federal protections. Pharmaceutical companies, health plans, and colleges and universities conduct research supported by private funds. Identifiable information currently is being disclosed and used by these entities without individual authorization without any assessment of risk or of whether individual privacy interests are being adequately protected.

The Secretary’s Recommendations call for the extension of the Common Rule principles for waiver of authorization for research uses and disclosures of identifiable health information to all research. The Recommendations also propose additional principles that directly address waiver of authorization for research use of such information. The Recommendations would require an external board to review proposals for research on health information under criteria designed to ensure that the need for waiver of authorization is real, that the public interest in the research outweighs the individual’s privacy interest, and that privacy will be protected as much as possible. In addition, the Secretary’s Recommendations proposed important restrictions on use and re-disclosure of information by researchers, and requirements for safeguarding protected information, that are not currently applied under the Common Rule.

Under the Secretary’s Recommendations, these requirements would apply to researchers who want to use or obtain identifiable information without first obtaining the authorization of the individual who is the subject of the information. However, under HIPAA, we do not have the authority to regulate researchers unless the researcher is also acting as a provider, as in a clinical trial. We can only directly regulate health care providers, health plans, and health care clearinghouses. This means that for most research-related disclosures of health information, we can directly regulate the entities that disclose the information, but not the recipients of the information. Therefore, in order to implement the principles in the Secretary’s Recommendations, we must impose any protections on the health plans and health care providers that use and disclose the information, rather than on the researcher seeking the information.

We understand that this approach involves imposing burdens on covered entities rather than on researchers. However, our jurisdiction under this statute leaves us the choice of taking this approach, or failing to provide any protection for individuals whose information is made the subject of research, or requiring individual authorization whenever a covered entity wants to disclose protected health information for research. The second approach would provide no protection for individuals, and the third approach would make much important research impossible. Therefore, we are proposing a mechanism that we believe imposes as little burden as possible on the covered entity while providing enhanced protection for individuals. This is not the approach we advocate for new federal privacy legislation, where we would propose that standards be applied directly to researchers, but it would be a useful and appropriate approach under the HIPAA legislative authority.

We considered a number of other approaches for protecting information from research subjects, particularly when covered entities use protected health information internally for research. We considered approaches that would apply fewer requirements for internal research uses of protected health information; for example, we considered permitting covered entities to use protected health information for research without any additional review. We also considered options for a more limited review, including requiring that internal uses for research using protected health information be reviewed by a designated privacy official or by an internal privacy committee. Another option that we considered would require covered entities to have an IRB or privacy board review their administrative procedures, either for research or more generally, but not to require such review for each research project. See the preamble section II.E.9.

We are not recommending these approaches because we are concerned about applying fewer protections to subjects of private sector research than are applied to subjects of federally-funded research subject to Common Rule protections, where IRB review is required for internal research uses of protected health information. At the same time, we recognize that the proposed rule would place new requirements on research uses and disclosures for research projects not federally-funded. We solicit comment on the approach that we are proposing, including on whether the benefits of the IRB or privacy board reviews would outweigh the burdens associated with the proposed requirements. We also solicit comment on whether alternative approaches could adequately protect the privacy interests of research subjects. We are interested in the extent to which the proposed rule could affect the amount and quality of research undertaken by covered entities or by researchers receiving information from covered entities. People commenting on the proposed rule also may wish to address the appropriateness of applying different procedures or different levels of protection to federally and nonfederally-funded research. We would note that, as discussed below, privacy boards or IRBs could adopt procedures for “expedited review” similar to those provided in the Common Rule (Common Rule §___.110) for review of records research that involves no more than minimal risk. The availability of expedited review may affect the burden associated with the proposed approach.

ii. Documentation of privacy board approval.

We considered several options for applying Common Rule principles to research not reviewed by Common Rule IRBs through imposing requirements on covered entities. We chose the use of the privacy board because it gives covered entities the maximum flexibility consistent with protecting research subjects. Under this approach, each covered entity that wants to use or disclose protected health information for research without individual authorization could obtain the required documentation directly from an existing privacy board, an internal privacy board created by the covered entity, or from a privacy board used by the researcher.

We considered prohibiting disclosure of protected health information for research unless covered entities enter into contracts, enforceable under law, which would require the researcher to meet the review criteria. Under this approach, the covered entity would be required to enter into a contract with the researcher in order to be permitted to disclose protected health information without individual authorization. In the contract, the researcher would agree to meet the criteria described below, as well as the additional restrictions on reuse and disclosure and the physical safeguards (also described below), in exchange for obtaining the information from the covered entity.

We did not adopt this approach because of the potentially burdensome administrative costs that could stem from the need to negotiate the contracts and ensure that they are legally enforceable under law. In addition, the covered entity may have little incentive to enforce these contracts. However, we seek comments on whether the benefits of this approach outweigh the burdens, whether we could expect the burdens to be eased by the development of model contracts by local universities or professional societies, and whether covered entities could be expected to enforce these contracts. We also seek comments on whether covered entities could be given a choice between the documentation approach proposed in this NPRM and a contract approach. We are particularly interested in comments on this approach, because it appears to be the only mechanism for including restrictions on reuse and disclosure by researchers in this proposed rule.

iii. Use of boards that are not IRBs.

The Secretary’s Recommendations state that privacy protections for private sector records research should be modeled on the existing Common Rule principles. The cornerstone of the Common Rule approach to waiver of authorization is IRB approval. At the same time, we understand that Common Rule IRBs are not the only bodies capable of performing an appropriate review of records research protocols. In working with the Congress to develop comprehensive privacy legislation, we have explored the use of limited purpose privacy boards to review research involving use or disclosure of health information. If the review criteria and operating rules of the privacy board are sufficiently consistent with the principles stated in the Secretary’s Recommendations to afford the same level of protection, there would be no need to insist that the review board be a formal Common Rule IRB.

Among the Common Rule requirements for IRB membership, as stated in 45 CFR 46.107, are the following:

We propose to require that a covered entity could not use or disclose protected health information for research without individual authorization if the board that approved the waiver of authorization does not meet these three criteria.

We considered applying the additional criteria for IRB membership stated in the Common Rule. However, many of the additional criteria are relevant to research generally, but less relevant for a board whose sole function is to review uses or disclosures of health information. In addition, the Common Rule IRB membership criteria are more detailed than the criteria for privacy board membership we propose here. Since our legislative authority reaches to covered entities, but not to the privacy board directly, we decided that imposing additional or more detailed requirements on privacy boards would impose added burdens on covered entities that did not clearly bring concomitant increases in patient protections. We continue to support more complete application of Common Rule criteria directly to these privacy boards through federal legislation. We believe the approach we propose here strikes the appropriate balance between protecting individuals’ privacy interests and keeping burdens on covered entities to a minimum.

d. Criteria.

In § 164.510(j)(2)(iii), we propose to prohibit the use or disclosure of protected health information for research without individual authorization unless the covered entity has documentation indicating that the following criteria are met:

The first four criteria are in the Common Rule. (The Common Rule §___.116(d)). (2) These criteria were designed for research generally, and not specifically to protect individuals’ privacy interests regarding medical records research. For this reason, the Secretary’s Recommendations include the last four criteria, which were developed specifically for research on medical records.

As part of the IRB or privacy board’s review of the use of protected health information under the research protocol, we assume that in case of a clinical trial, it would also review whether any waiver of authorization could also include waiver of the subject’s right of access to such information during the course of the trial. See § 164.514(b)(iv).

We recognize that the fourth criterion may create awkward situations for some researchers. Where authorization has been waived, it may be difficult to later approach individuals to give them information about the research project. However, in some cases the research could uncover information that would be important to provide to the individual (e.g., the possibility that they are ill and should seek further examination or treatment). For this reason, we are including this criterion in the proposed rule.

We also recognize that the fifth criterion, which would ask the board to weigh the importance of the research against the intrusion of privacy, would require the board to make a more subjective judgment than that required by the other criteria. This balancing, we feel, goes to the heart of the privacy interest of the individual. We understand, however, that some may view this criterion as a potential impediment to certain types of research. We solicit comment on the appropriateness of the criterion, the burden it would place on privacy boards and IRBs, and its potential effects on the ability of researchers to obtain information for research.

The Secretary’s Recommendations propose that a researcher who obtains protected health information this way should be prohibited from further using or disclosing it except when necessary to lessen a serious and imminent threat to the health or safety of an individual or to the public health, or for oversight of the research project, or for a new research project approved by an IRB or similar board. In addition the Recommendations propose an obligation on researchers to destroy the identifiers unless an IRB or similar board determines that there is a research or health justification for retaining them and an adequate plan to protect them from improper disclosure.

We do not have the authority under HIPAA to place such requirements directly on researchers. While criteria to be met in advance can be certified in documentation through board review of a research protocol, a board would have no way to assess or certify a researcher’s behavior after completion of the protocol (e.g., whether the researcher was engaging in improper reuse or disclosure of the information, or whether the researcher had actually destroyed identifiers). We instead propose to require the researcher to show a plan for safeguarding the information and destroying the identifiers, which the privacy board or IRB can review and evaluate in determining whether the requested disclosure is proper. We solicit comment on how to include ongoing protections for information so disclosed under this legislative authority without placing excessive burdens on covered entities.

We note that privacy boards or IRBs could adopt procedures for “expedited review” similar to those provided in the Common Rule (Common Rule §___.110). Under the Common Rule’s expedited review procedure, review of research that involves no more than minimal risk and involves only individuals’ medical records may be carried out by the IRB chairperson or by one or more reviewers designated by the chairperson from among the members of the IRB. The principle of expedited review could be extended to other privacy boards for disclosures for records-based research. Like expedited review under the Common Rule, a privacy board could choose to have one or more members review the proposed research.

e. Additional provisions of this proposed rule affecting research.

i. Research including health care.

To the extent that the researcher studying protected health information is also providing treatment as defined in proposed § 164.504, such as in a clinical trial, the researcher would be a covered health care provider for purposes of that treatment, and would be required to comply with all the provisions of this rule applicable to health care providers.

ii. Individual access to research information.

The provisions of § 164.514 of this proposed rule, regarding individual access to records, would also apply where the research includes the delivery of health care. We are proposing an exception for clinical trials where the information was obtained by a covered provider in the course of a clinical trial, the individual has agreed to the denial of access when consenting to participate in the trial (if the individual’s consent to participate was obtained), and the trial is still in progress.

iii. Research on records of deceased persons.

In § 164.506(f), we propose that, unlike the protections provided by the remainder of this rule, the protections of this proposed rule will end at the death of the subject for the purpose of disclosure of the subject’s information for research purposes. In general, this proposed rule would apply to the protected health information of an individual for two years after the individual’s death. However, requiring IRB or privacy board review of research studies that use only health information from deceased persons would be a significant change from the requirements of the Common Rule, which apply to individually identifiable information about living individuals only. In addition, some of the Common Rule criteria for waiver of authorization are not readily applicable to deceased persons. To avoid a conflict between Common Rule requirements and the requirements of this proposed rule, we are proposing that the protections of this proposed rule end at the death of the subject for the purpose of disclosure of the subject’s information for research purposes.

iv. Verification.

In § 164.518(c), we propose to require covered entities to verify the identity of most persons making requests for protected health information and, in some cases, the legal authority behind that request. For disclosures of protected health information for research purposes under this subsection, the required documentation of IRB or privacy board approval would constitute sufficient verification. No additional verification would be necessary under § 164.518(c).

f. Application to research covered by the Common Rule.

Some research projects would be covered by both the Common Rule and the HIPAA regulation. This proposed rule would not override the Common Rule. Thus, where both the HIPAA regulation and the Common Rule would apply to research conducted by a covered entity, both sets of regulations would need to be followed. Because only half of the substantive criteria for board approval proposed in this rule are applied by IRBs today, this would entail new responsibilities for IRBs in these situations. However, we believe that the additional burden would be minimal, since the IRBs will already be reviewing the research protocol, and will be asked only to assess the protocol against some additional criteria. This burden is justified by the enhancement of privacy protections gained by applying rules specifically designed to protect the subjects of medical records research.

We considered excluding research covered by the Common Rule from the provisions of this proposed rule. We rejected this approach for two reasons. First, the additional proposed requirements applied through HIPAA are specifically designed to protect the privacy interests of the research subjects, and the small additional burden on IRBs would be outweighed by the improved protections for individuals. Second, such an approach would allow federally-funded research to proceed under fewer restrictions than privately funded research. We believe that the source of funding of the research should not determine the level of protection afforded to the individual.

We note that the definition of “identifiable” information proposed in § 164.504 of this rule differs from the interpretation of the term under the Common Rule. In particular, if a covered entity encodes identifiers as required under § 164.506(d) before undertaking a disclosure of health information for research purposes, the requirements of this section would not apply. However, the encoded information would still be considered “identifiable” under the Common Rule and therefore may fall under the human subjects regulations.

g. Obtaining the individual’s authorization for research use or disclosure of protected health information.

If a covered entity chooses to obtain individual authorization for use or disclosure of information for research, the requirements applicable to individual authorizations for release of protected health information would apply. These protections are described in § 164.508.

For research projects to which both the Common Rule and this proposed rule would apply, both sets of requirements for obtaining the authorization of the subject for research would apply. As with criteria for waiver of authorization, this proposed rule would impose requirements for obtaining authorization that are different from Common Rule requirements for obtaining consent. In particular, the regulation would require more information to be given to individuals regarding who could see their information and how it would be used. For the reasons explained above, we are proposing that both sets of requirements apply, rather than allow federally-funded research to operate with fewer privacy protections than privately-funded research.

h. Need to assess the Common Rule.

In general, the Common Rule was designed to protect human subjects participating in research projects from physical harm. It was not specifically designed to protect an individual’s medical records when used for research. For research in which only the medical information of the human subject is used, i.e., records research, there are several ways in which the Common Rule protections could be enhanced.

In developing these proposed regulations, and in reviewing the comprehensive medical privacy legislation pending before Congress, it has become clear that the Department’s human subject regulations (45 CFR part 46, 21 CFR part 50, and 21 CFR part 56) may not contain all of the safeguards necessary to protect the privacy of research participants. Because the source of research funding should not dictate the level of privacy protection afforded to a research subject, the Secretary of HHS will immediately initiate plans to review the confidentiality provisions of the Common Rule.

To further that process, we solicit comments here on how Common Rule protections for the subjects of records review should be enhanced. For example, we will consider the adequacy of the Common Rule’s provisions regarding conflict of interest, expedited review, exemptions (such as the exemption for certain research on federal benefits programs), deceased subjects, and whether IRBs should place greater emphasis on confidentiality issues when reviewing research protocols. We also seek comment on whether the Common Rule requirements for obtaining consent for records research should be modified to reflect the specific risks entailed in such research.

In addition, because seventeen other Departments and Agencies are signatories to the Common Rule and each has its own human subject regulations, the Secretary of HHS will consult with these Departments and Agencies regarding potential changes to the Common Rule.


Footnotes

(1) The following 17 Departments and Agencies have adopted the Common Rule: (1) Department of Agriculture; (2) Department of Commerce; (3) Department of Defense; (4) Department of Education; (5) Department of Energy; (6) Department of Health and Human Services; (7) Department of Housing and Urban Development; (8) Department of Justice; (9) Department of Transportation; (10) Department of Veterans Affairs; (11) International Development Cooperative Agency: Agency for International Development; (12) Consumer Product Safety Commission; (13) Environmental Protection Agency; (14) National Aeronautics and Space Administration; (15) National Science Foundation; (16) Social Security Administration; (17) Central Intelligence Agency. In addition, the White House Office of Science and Technology Policy is a signatory to the Common Rule, but its policy is not codified in the Code of Federal Regulations.

(2) It should be noted that for the Department of Defense, 10 U.S.C. 980 prohibits the waiver of informed consent. Only those studies that qualify for exemption per 45 CFR 46.101(b), or studies that do not meet the 45 CFR 46 definition of human subjects research can be performed in the absence of a process to provide informed consent to prospective subjects. This proposed rule would not affect DOD’s implementation of 10 U.S.C. 980.