NPRM: Standards for Privacy of Individually Identifiable Health Information. d. Criteria.


In § 164.510(j)(2)(iii), we propose to prohibit the use or disclosure of protected health information for research without individual authorization unless the covered entity has documentation indicating that the following criteria are met:

  • the use or disclosure of protected health information involves no more than minimal risk to the subjects;
  • the waiver or alteration will not adversely affect the rights and welfare of the subjects;
  • the research could not practicably be carried out without the waiver or alteration;
  • whenever appropriate, the subjects will be provided with additional pertinent information after participation;
  • the research would be impracticable to conduct without the protected health information;
  • the research project is of sufficient importance to outweigh the intrusion into the privacy of the individual whose information would be disclosed;
  • there is an adequate plan to protect the identifiers from improper use and disclosure; and
  • there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers.

The first four criteria are in the Common Rule (Common Rule §___.116(d)). These criteria were designed for research generally, and not specifically to protect individuals’ privacy interests regarding medical records research. For this reason, the Secretary’s Recommendations include the last four criteria, which were developed specifically for research on medical records.

As part of the IRB or privacy board’s review of the use of protected health information under the research protocol, we assume that in the case of a clinical trial, it would also review whether any waiver of authorization could also include waiver of the subject’s right of access to such information during the course of the trial. See § 164.514(b)(iv).

We recognize that the fourth criterion may create awkward situations for some researchers. Where authorization has been waived, it may be difficult to later approach individuals to give them information about the research project. However, in some cases the research could uncover information that would be important to provide to the individual (e.g., the possibility that they are ill and should seek further examination or treatment). For this reason, we are including this criterion in the proposed rule.

We also recognize that the fifth criterion, which would ask the board to weigh the importance of the research against the intrusion of privacy, would require the board to make a more subjective judgment than that required by the other criteria. This balancing, we feel, goes to the heart of the privacy interest of the individual. We understand, however, that some may view this criterion as a potential impediment to certain types of research. We solicit comment on the appropriateness of the criterion, the burden it would place on privacy boards and IRBs, and its potential effects on the ability of researchers to obtain information for research.

The Secretary’s Recommendations propose that a researcher who obtains protected health information this way should be prohibited from further using or disclosing it except when necessary to lessen a serious and imminent threat to the health or safety of an individual or to the public health, or for oversight of the research project, or for a new research project approved by an IRB or similar board. In addition, the Recommendations propose an obligation on researchers to destroy the identifiers unless an IRB or similar board determines that there is a research or health justification for retaining them and an adequate plan to protect them from improper disclosure.

We do not have the authority under HIPAA to place such requirements directly on researchers. While criteria to be met in advance can be certified in documentation through board review of a research protocol, a board would have no way to assess or certify a researcher’s behavior after completion of the protocol (e.g., whether the researcher was engaging in improper reuse or disclosure of the information, or whether the researcher had actually destroyed identifiers). We instead propose to require the researcher to show a plan for safeguarding the information and destroying the identifiers, which the privacy board or IRB can review and evaluate in determining whether the requested disclosure is proper. We solicit comment on how to include ongoing protections for information so disclosed under this legislative authority without placing excessive burdens on covered entities.

We note that privacy boards or IRBs could adopt procedures for “expedited review” similar to those provided in the Common Rule (Common Rule §___.110). Under the Common Rule’s expedited review procedure, review of research that involves no more than minimal risk and involves only individuals’ medical records may be carried out by the IRB chairperson or by one or more reviewers designated by the chairperson from among the members of the IRB. The principle of expedited review could be extended to other privacy boards for disclosures for records-based research. Like expedited review under the Common Rule, a privacy board could choose to have one or more members review the proposed research.