NPRM: Standards for Privacy of Individually Identifiable Health Information. i. Application to disclosures and uses regardless of funding source.
The Common Rule describes conditions under which research may be conducted when obtaining authorization is not possible. Those conditions are intended to ensure that research on human subjects, including research using their health records, is conducted in a manner that minimizes or eliminates the risk of harm to individuals. The Common Rule has been adopted by seventeen Federal agencies,[1] representing most of the federal agencies sponsoring human subjects research.

However, a significant amount of research involving protected health information is currently conducted in the absence of these federal protections. Pharmaceutical companies, health plans, and colleges and universities conduct research supported by private funds. Identifiable information currently is being disclosed and used by these entities without individual authorization without any assessment of risk or of whether individual privacy interests are being adequately protected.

The Secretary’s Recommendations call for the extension of the Common Rule principles for waiver of authorization for research uses and disclosures of identifiable health information to all research. The Recommendations also propose additional principles that directly address waiver of authorization for research use of such information. The Recommendations would require an external board to review proposals for research on health information under criteria designed to ensure that the need for waiver of authorization is real, that the public interest in the research outweighs the individual’s privacy interest, and that privacy will be protected as much as possible. In addition, the Secretary’s Recommendations proposed important restrictions on use and re-disclosure of information by researchers, and requirements for safeguarding protected information, that are not currently applied under the Common Rule.

Under the Secretary’s Recommendations, these requirements would apply to researchers who want to use or obtain identifiable information without first obtaining the authorization of the individual who is the subject of the information. However, under HIPAA, we do not have the authority to regulate researchers unless the researcher is also acting as a provider, as in a clinical trial. We can only directly regulate health care providers, health plans, and health care clearinghouses. This means that for most research-related disclosures of health information, we can directly regulate the entities that disclose the information, but not the recipients of the information. Therefore, in order to implement the principles in the Secretary’s Recommendations, we must impose any protections on the health plans and health care providers that use and disclose the information, rather than on the researcher seeking the information.

We understand that this approach involves imposing burdens on covered entities rather than on researchers. However, our jurisdiction under this statute leaves us the choice of taking this approach, or failing to provide any protection for individuals whose information is made the subject of research, or requiring individual authorization whenever a covered entity wants to disclose protected health information for research. The second approach would provide no protection for individuals, and the third approach would make much important research impossible. Therefore, we are proposing a mechanism that we believe imposes as little burden as possible on the covered entity while providing enhanced protection for individuals. This is not the approach we advocate for new federal privacy legislation, where we would propose that standards be applied directly to researchers, but it would be a useful and appropriate approach under the HIPAA legislative authority.

We considered a number of other approaches for protecting information from research subjects, particularly when covered entities use protected health information internally for research. We considered approaches that would apply fewer requirements for internal research uses of protected health information; for example, we considered permitting covered entities to use protected health information for research without any additional review. We also considered options for a more limited review, including requiring that internal uses for research using protected health information be reviewed by a designated privacy official or by an internal privacy committee. Another option that we considered would require covered entities to have an IRB or privacy board review their administrative procedures, either for research or more generally, but not to require such review for each research project. See the preamble section II.E.9.

We are not recommending these approaches because we are concerned about applying fewer protections to subjects of private sector research than are applied to subjects of federally-funded research subject to Common Rule protections, where IRB review is required for internal research uses of protected health information. At the same time, we recognize that the proposed rule would place new requirements on research uses and disclosures for research projects not federally-funded. We solicit comment on the approach that we are proposing, including on whether the benefits of the IRB or privacy board reviews would outweigh the burdens associated with the proposed requirements. We also solicit comment on whether alternative approaches could adequately protect the privacy interests of research subjects. We are interested in the extent to which the proposed rule could affect the amount and quality of research undertaken by covered entities or by researchers receiving information from covered entities. People commenting on the proposed rule also may wish to address the appropriateness of applying different procedures or different levels of protection to federally and nonfederally-funded research. We would note that, as discussed below, privacy boards or IRBs could adopt procedures for “expedited review” similar to those provided in the Common Rule (Common Rule §___.110) for review of records research that involves no more than minimal risk. The availability of expedited review may affect the burden associated with the proposed approach.