Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Research.

12/28/2000

Comment: We received many comments from supporting the proposed definition of "research." These commenters agreed that the definition of "research" should be the same as the definition in the Common Rule. These commenters argued that it was important that the definition of "research" be consistent with the Common Rule's definition to ensure the coherent oversight of medical research. In addition, some of these commenters also supported this definition because they believed it was already well-understood by researchers and provided reasonably clear guidance needed to distinguish between research and health care operations.

Some commenters, believed that the NPRM's definition was too narrow. Several of these commenters agreed that the Common Rule's definition should be adopted in the final rule, but argued that the proposed definition of "generalizable knowledge" within the definition of "research," which limited generalizable knowledge to knowledge that is "related to health," was too narrow. For example, one commenter stated that gun shot wound, spousal abuse, and other kinds of information from emergency room statistics are often used to conduct research with ramifications for social policy, but may not be "related to health." Several of these commenters recommended that the definition of research be revised to delete the words "related to health." Additional commenters who argued that the definition was too narrow raised the following concerns: the difference between "research" and "health care operations" is irrelevant from the patients' perspective, and therefore, the proposed rule should have required documentation of approval by an IRB or privacy board before protected health information could be used or disclosed for either of these purposes, and the proposed definition was too limited because it did not capture research conducted by non-profit entities to ensure public health goals, such as disease-specific registries.

Commenters who argued that the definition was too broad recommended that certain activities should be explicitly excluded from the definition. In general, these commenters were concerned that if certain activities were considered to be "research" the rule's research requirements would represent a problematic level of regulation on industry initiatives. Some activities that these commenters recommended be explicitly excluded from the definition of "research" included: marketing research, health and productivity management, quality assessment and improvement activities, and internal research conducted to improve health.

Response: We agree that the final rule's definition of "research" should be consistent with the Common Rule's definition of this term. We also agree that our proposal to limit "generalizable knowledge" to knowledge that is "related to health," and "knowledge that could be applied to populations outside of the population served by the covered entity," was too narrow. Therefore, in the final rule, we retain the Common Rule's definition of "research"and eliminate the further elaboration of "generalizable knowledge." We understand knowledge to be generalizable when it can be applied to either a population inside or outside of the population served by the covered entity. Therefore, knowledge may be "generalizable" even if a research study uses only the protected health information held within a covered entity, and the results are generalizable only to the population served by the covered entity. For example, generalizable knowledge could be generated from a study conducted by the HCFA, using only Medicare data held by HCFA, even if the knowledge gained from the research study is applicable only to Medicare beneficiaries.

We rejected the other arguments claiming that the definition of "research"was either too narrow or too broad. While we agree that it is sometimes difficult to distinguish between "research" and "health care operations," we disagree that the difference between these activities is irrelevant from the patients' perspective. We believe, based on many of the comments, that individuals expect that individually identifiable health information about themselves will be used for health care operations such as reviewing the competence or qualifications of health care professionals, evaluating provider and plan performance, and improving the quality of care. A large number of commenters, however, indicated that they did not expect that individually identifiable health information about themselves would be used for research purposes without their authorization. Therefore, we retain more stringent protections for research disclosures without patient authorization.

We also disagree with the commenters who were concerned that the proposed definition was too limited because it did not capture research conducted by non-profit entities to ensure public health goals, such as disease-specific registries. Such activities conducted by either non-profit or for-profit entities could meet the rule's definition of research, and therefore are not necessarily excluded from this definition.

We also disagree with many of the commenters who argued that certain activities should be explicitly excluded from the definition of research. We found no persuasive evidence that, when particular activities are also systematic investigations designed to contribute to generalizable knowledge, they should be treated any different from other such activities.

We are aware that the National Bioethics Advisory Commission (NBAC) is currently assessing the Common Rule's definition of "research" as part of a report they are developing on the implementation and adequacy of the Common Rule. Since we agree that a consistent definition is important to the conduct and oversight of research, if the Common Rule's definition of "research" is modified in the future, the Department of Health and Human Services will consider whether the definition should also be modified for this subpart.

Comment: Some commenters urged the Department to establish precise definitions for "health care operations" and "research" to provide clear guidance to covered entities and adequate privacy protections for the subjects of the information whose information is disclosed for these purposes. One commenter supported the definition of "research" proposed in the NPRM, but was concerned about the "crossover" from data analyses that begin as health care operations but later become "research" because the analytical results are of such importance that they should be shared through publication, thereby contributing to generalizable knowledge. To distinguish between the definitions of "health care operations" and "research," a few commenters recommended that the rule make this distinction based upon whether the activity is a "use" or a "disclosure." These commenters recommend that the "use" of protected health information for research without patient authorization should be exempt from the proposed research provisions provided that protected health information was not disclosed in the final analysis, report, or publication.

Response: We agree with commenters that at times it may be difficult to distinguish projects that are health operations and projects that are research. We note that this ambiguity exists today, and disagree that we can address this issue with more precise definitions of research and health care operations. Today, the issue is largely one of intent. Under the Common Rule, the ethical and regulatory obligations of the researcher stem from the intent of the activity. We follow that approach here. If such a project is a systematic investigation that designed to develop or contribute to generalizable knowledge, it is considered to be "research," not "health care operations."

In some instances, the primary purpose of the activity may change as preliminary results are analyzed. An activity that was initiated as an internal outcomes evaluation may produce information that could be generalized. If the purpose of a study changes and the covered entity does intend to generalize the results, the covered entity should document the fact as evidence that the activity was not subject to § 164.512(i) of this rule.

We understand that for research that is subject to the Common Rule, this is not the case. The Office for Human Research Protection interprets 45 CFR 46 to require IRB review as soon as an activity meets the definition of research, regardless of whether the activity began as "health care operations" or "public health," for example. The final rule does not affect the Office of Human Research Protection's interpretation of the Common Rule.

We were not persuaded that an individual's privacy interest is of less concern when covered entities use protected health information for research purposes than when covered entities disclose protected health information for research purposes. We do not agree generally that internal activities of covered entities do not potentially compromise the privacy interests of individuals. Many persons within a covered entity may have access to protected health information. When the activity is a systematic investigation, the number of persons who may be involved in the records review and analysis may be substantial. We believe that IRB or privacy board approval of the waiver of authorization will provide important privacy protections to individuals about whom protected health information is used or disclosed for research. If a covered entity wishes to use protected health information about its enrollees for research purposes, documentation of an IRBs' or privacy board's assessment of the privacy impact of such a use is as important as if the same research study required the disclosure of protected health information. This conclusion is consistent with the Common Rule's requirement for IRB review of all human subjects research.