NRPM: Standards for Privacy of Individually Identifiable Health Information. f. Application to research covered by the Common Rule.


Some research projects would be covered by both the Common Rule and the HIPAA regulation. This proposed rule would not override the Common Rule. Thus, where both the HIPAA regulation and the Common Rule would apply to research conducted by a covered entity, both sets of regulations would need to be followed. Because only half of the substantive criteria for board approval proposed in this rule are applied by IRBs today, this would entail new responsibilities for IRBs in these situations. However, we believe that the additional burden would be minimal, since the IRBs will already be reviewing the research protocol, and will be asked only to assess the protocol against some additional criteria. This burden is justified by the enhancement of privacy protections gained by applying rules specifically designed to protect the subjects of medical records research.

We considered excluding research covered by the Common Rule from the provisions of this proposed rule. We rejected this approach for two reasons. First, the additional proposed requirements applied through HIPAA are specifically designed to protect the privacy interests of the research subjects, and the small additional burden on IRBs would be outweighed by the improved protections for individuals. Second, such an approach would allow federally-funded research to proceed under fewer restrictions than privately funded research. We believe that the source of funding of the research should not determine the level of protection afforded to the individual.

We note that the definition of “identifiable” information proposed in § 164.504 of this rule differs from the interpretation of the term under the Common Rule. In particular, if a covered entity encodes identifiers as required under § 164.506(d) before undertaking a disclosure of health information for research purposes, the requirements of this section would not apply. However, the encoded information would still be considered “identifiable” under the Common Rule and therefore may fall under the human subjects regulations.