NRPM: Standards for Privacy of Individually Identifiable Health Information. ii. Documentation of privacy board approval.


We considered several options for applying Common Rule principles to research not reviewed by Common Rule IRBs through imposing requirements on covered entities. We chose the use of the privacy board because it gives covered entities the maximum flexibility consistent with protecting research subjects. Under this approach, each covered entity that wants to use or disclose protected health information for research without individual authorization could obtain the required documentation directly from an existing privacy board, an internal privacy board created by the covered entity, or from a privacy board used by the researcher.

We considered prohibiting disclosure of protected health information for research unless covered entities enter into contracts, enforceable under law, which would require the researcher to meet the review criteria. Under this approach, the covered entity would be required to enter into a contract with the researcher in order to be permitted to disclose protected health information without individual authorization. In the contract, the researcher would agree to meet the criteria described below, as well as the additional restrictions on reuse and disclosure and the physical safeguards (also described below), in exchange for obtaining the information from the covered entity.

We did not adopt this approach because of the potentially burdensome administrative costs that could stem from the need to negotiate the contracts and ensure that they are legally enforceable under law. In addition, the covered entity may have little incentive to enforce these contracts. However, we seek comments on whether the benefits of this approach outweigh the burdens, whether we could expect the burdens to be eased by the development of model contracts by local universities or professional societies, and whether covered entities could be expected to enforce these contracts. We also seek comments on whether covered entities could be given a choice between the documentation approach proposed in this NPRM and a contract approach. We are particularly interested in comments on this approach, because it appears to be the only mechanism for including restrictions on reuse and disclosure by researchers in this proposed rule. iii. Use of boards that are not IRBs.

The Secretary’s Recommendations state that privacy protections for private sector records research should be modeled on the existing Common Rule principles. The cornerstone of the Common Rule approach to waiver of authorization is IRB approval. At the same time, we understand that Common Rule IRBs are not the only bodies capable of performing an appropriate review of records research protocols. In working with the Congress to develop comprehensive privacy legislation, we have explored the use of limited purpose privacy boards to review research involving use or disclosure of health information. If the review criteria and operating rules of the privacy board are sufficiently consistent with the principles stated in the Secretary’s Recommendations to afford the same level of protection, there would be no need to insist that the review board be a formal Common Rule IRB.

Among the Common Rule requirements for IRB membership, as stated in 45 CFR 46.107, are the following:

  • Each IRB must have members with varying backgrounds and appropriate professional competence as necessary to review research protocols.
  • Each IRB must include at least one member who is not affiliated with the institution or related to a person who is affiliated with the institution.
  • No IRB member may participate in review of any project in which the member has a conflict of interest.

We propose to require that a covered entity could not use or disclose protected health information for research without individual authorization if the board that approved the waiver of authorization does not meet these three criteria.

We considered applying the additional criteria for IRB membership stated in the Common Rule. However, many of the additional criteria are relevant to research generally, but less relevant for a board whose sole function is to review uses or disclosures of health information. In addition, the Common Rule IRB membership criteria are more detailed than the criteria for privacy board membership we propose here. Since our legislative authority reaches to covered entities, but not to the privacy board directly, we decided that imposing additional or more detailed requirements on privacy boards would impose added burdens on covered entities that did not clearly bring concomitant increases in patient protections. We continue to support more complete application of Common Rule criteria directly to these privacy boards through federal legislation. We believe the approach we propose here strikes the appropriate balancing between protecting individuals’ privacy interests and keeping burdens on covered entities to a minimum.