Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Requirements on Use and Disclosure for Research


The final regulation places certain requirements on covered entities that supply individually identifiable health information to researchers. As a result of these requirements, researchers who seek such health information and the Institutional Review Boards (IRBs) that review research projects will have additional responsibilities. Moreover, a covered entity doing research, or another entity requesting disclosure of protected health information for research that is not currently subject to IRB review (research that is 100 percent privately funded and which takes place in institutions which do not have "multiple project assurances") may need to seek IRB or privacy board approval if they want to avoid the requirement to obtain authorization for use or disclosure of protected health information for research, thereby creating the need for additional IRBs and privacy boards that do not currently exist.

To estimate the additional requirements placed on existing IRBs, the Department relied on a survey of IRBs conducted by James Bell Associates on behalf of NIH and on estimates of the total number of existing IRBs provided by NIH staff. Based on this information, the Department concluded that of the estimated 4,000 IRBs in existence, the median number of initial current research project reviews is 133 per IRB, of which only ten percent do not receive direct consent for the use of protected health information. (Obtaining consent nullifies the need for IRB privacy scrutiny.) Therefore, in the first year of implementation, there will be 76,609 initial reviews affected by the regulation, and the Department assumes that the requirement to consider the privacy protections in the research protocols under review will add an average of 1 hour to each review. The cost to researchers for having to develop protocols which protect protected health information is difficult to estimate, but the Department assumes that each of the affected 76,609 studies will require an average of an additional 8 hours of time for protocol development and implementation. At the average medical scientist hourly wage of $46.61, the initial cost is $32.1 million; the total ten-year cost of these requirements is $468 million over ten years.

As stated above, some privately funded research not subject to any IRB review currently may need to obtain IRB or privacy board approval under the final rule. Estimating how much research exists which does not currently go through any IRB review is highly speculative, because the experts consulted by the Department all agree that there is no data on the volume of privately funded research. Likewise, public comments on this subject provided no useful data. However, the Department assumed that most research that takes place today is subject to IRB review, given that so much research has some government funding and many large research institutions have multiple project assurances. As a result, the Department assumed that the total volume of non-IRB reviewed research is equal to 25 percent of all IRB-reviewed research, leading to 19,152 new IRB or privacy board reviews in the first year of the regulation. Using the same assumptions as used above for wages, time spent developing privacy protection protocols for researchers, and time spent by IRB and privacy board members, the total one-year cost for new IRB and privacy board reviews is $8 million.

For estimating total ten-year costs, the Department used the Bell study, which showed an average annual growth rate of 3.7 percent in the number of studies reviewed by IRBs. Using this growth rate, the total ten-year cost for the new research requirements is $117 million.