Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Modification of the Common Rule


Comment: We received a number of comments that interpreted the proposed rule as having unnecessarily and inappropriately amended the Common Rule. Assuming that the Common Rule was being modified, these comments argued that the rule was legally deficient under the Administrative Procedures Act, the Regulatory Flexibility Act, and other controlling Executive orders or laws.

In addition, one research organization expressed concern that, by involving IRBs in the process of approving a waiver of authorization for disclosure purposes and establishing new criteria for such waiver approvals, the proposed rule would have subjected covered entities whose IRBs failed to comply with the requirements for reviewing and approving research to potential sanctions under HIPAA. The comment recommended that the rule be changed to eliminate such a punitive result. Specifically, the comment recommended that the existing Common Rule structure be preserved for IRB-approved research, and that the waiver of authorization criteria for privacy purposes be kept separate from the other the functions of the IRB.

Response: We disagree with the comments asserting the proposed rule attempted to change the Common Rule. It was not our intent to modify or amend the Common Rule or to regulate the activities of the IRBs with respect to the underlying research. We therefore reject the comments about legal deficiencies in the rule which are based on the mistaken perception that the Common Rule was being amended. The proposed rule established new requirements for covered entities before they could use or disclose protected health information for research without authorization. The proposed rule provided that one method by which a covered entity could obtain the necessary documentation was to receive it from an IRB. We did not mandate IRBs to perform such reviews, and we expressly provided for means other than through IRBs for covered entities to obtain the required documentation.

In the final rule, we also have clarified our intent not to interfere with existing requirements for IRBs by amending the language in the waiver criteria to make clear that these criteria relate to the privacy interests of the individual and are separate from the criteria that would be applied by an IRB to any evaluation of the underlying research. Moreover, we have restructured the final rule to also make clear that we are regulating only the content and conditions of the documentation upon which a covered entity may rely in making a disclosure of protected health information for research purposes.

We cannot and do not purport to regulate IRBs or modify the Common Rule through this regulation. We cannot under this rule penalize an IRB for failure to comply with the Common Rule, nor can we sanction an IRB based on the documentation requirements in the rule. Health plans and covered health care providers may rely on documentation from an IRB or privacy board concerning the alteration or waiver of authorization for the disclosure of protected health information for research purposes, provided the documentation, on its face, meets the requirements in the rule. Health plans and covered health care providers will not be penalized for relying on facially adequate documentation from an IRB. Health plans and covered health providers will only be penalized for their own errors or omissions in following the requirements of the rule, and not those of the IRB.