45 CFR 164.501, 164.508, 164.512(i) (See also 45 CFR 164.514(e), 164.528, 164.532)
The HIPAA Privacy Rule establishes the conditions under which protected health information may be used or disclosed by covered entities for research purposes. Research is defined in the Privacy Rule as, “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” See 45 CFR 164.501. A covered entity may always use or disclose for research purposes health information which has been de-identified (in accordance with 45 CFR 164.502(d), and 164.514(a)-(c) of the Rule) without regard to the provisions below.
The Privacy Rule also defines the means by which individuals will be informed of uses and disclosures of their medical information for research purposes, and their rights to access information about them held by covered entities. Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research, similar to, but separate from, the Privacy Rule's provisions for research.
More importantly, the Privacy Rule creates equal standards of privacy protection for research governed by the existing Federal human subject regulations and research that is not.
How the Rule Works
In the course of conducting research, researchers may obtain, create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule.
Research Use/Disclosure Without Authorization. To use or disclose protected health information without authorization by the research participant, a covered entity must obtain one of the following:
- Documented Institutional Review Committee (IRB) or Privacy Committee Approval. Documentation that an alteration or waiver of research participants' authorization for use/disclosure of information about them for research purposes has been approved by an IRB or a Privacy Committee. See 45 CFR 164.512(i)(1)(i). This provision of the Privacy Rule might be used, for example, to conduct records research, when researchers are unable to use de-identified information, and the research could not practicably be conducted if research participants' authorization were required. A covered entity may use or disclose protected health information for research purposes pursuant to a waiver of authorization by an IRB or Privacy Committee, provided it has obtained documentation of all of the following:
- Identification of the IRB or Privacy Committee and the date on which the alteration or waiver of authorization was approved;
- A statement that the IRB or Privacy Committee has determined that the alteration or waiver of authorization, in whole or in part, satisfies the three criteria in the Rule;
- A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Committee;
- A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures; and
- The signature of the chair or other member, as designated by the chair, of the IRB or the Privacy Committee, as applicable.
The following three criteria must be satisfied for an IRB or Privacy Committee to approve a waiver of authorization under the Privacy Rule:
1. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
   - an adequate plan to protect the identifiers from improper use and disclosure;
   - an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
   - adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
2. The research could not practicably be conducted without the waiver or alteration; and
3. The research could not practicably be conducted without access to and use of the protected health information.
- Research Use/Disclosure With Individual Authorization. The Privacy Rule also permits covered entities to use or disclose protected health information for research purposes when a research participant authorizes the use or disclosure of information about him or herself. Today, for example, a research participant's authorization will typically be sought for most clinical trials and some records research. In this case, documentation of IRB or Privacy Committee approval of a waiver of authorization is not required for the use or disclosure of protected health information. To use or disclose protected health information with authorization by the research participant, the covered entity must obtain an authorization that satisfies the requirements of 45 CFR 164.508. The Privacy Rule has a general set of authorization requirements that apply to all uses and disclosures, including those for research purposes. However, several special provisions apply to research authorizations:
- Unlike other authorizations, an authorization for a research purpose may state that the authorization does not expire, that there is no expiration date or event, or that the authorization continues until the “end of the research study;” and
- An authorization for the use or disclosure of protected health information for research may be combined with a consent to participate in the research, or with any other legal permission related to the research study.
- Accounting for Research Disclosures. In general, the Privacy Rule gives individuals the right to receive an accounting of certain disclosures of protected health information made by a covered entity. See 45 CFR 164.528. This accounting must include disclosures of protected health information that occurred during the six years prior to the individual's request for an accounting, or since the applicable compliance date (whichever is sooner), and must include specified information regarding each disclosure. A more general accounting is permitted for subsequent multiple disclosures to the same person or entity for a single purpose. See 45 CFR 164.528(b)(3). Among the types of disclosures that are exempt from this accounting requirement are:
- Research disclosures made pursuant to an individual's authorization;
- Disclosures of the limited data set to researchers with a data use agreement under 45 CFR 164.514(e).
In addition, for disclosures of protected health information for research purposes without the individual's authorization pursuant to 45 CFR 164.512(i), and that involve at least 50 records, the Privacy Rule allows for a simplified accounting of such disclosures by covered entities. Under this simplified accounting provision, covered entities may provide individuals with a list of all protocols for which the patient's protected health information may have been disclosed under 45 CFR 164.512(i), as well as the researcher's name and contact information. Other requirements related to this simplified accounting provision are found in 45 CFR 164.528(b)(4).
- Transition Provisions. Under the Privacy Rule, a covered entity may use and disclose protected health information that was created or received for research, either before or after the compliance date, if the covered entity obtained any one of the following prior to the compliance date:
- An authorization or other express legal permission from an individual to use or disclose protected health information for the research;
- The informed consent of the individual to participate in the research; or
- A waiver of informed consent by an IRB in accordance with the Common Rule or an exception under FDA's human subject protection regulations at 21 CFR 50.24.
However, if a waiver of informed consent was obtained prior to the compliance date, but informed consent is subsequently sought after the compliance date, the covered entity must obtain the individual's authorization as required at 45 CFR 164.508. For example, if there was a temporary waiver of informed consent for emergency research under the FDA's human subject protection regulations, and informed consent was later sought after the compliance date, individual authorization would be required before the covered entity could use or disclose protected health information for the research after the waiver of informed consent was no longer valid. The Privacy Rule allows covered entities to rely on such express legal permission, informed consent, or IRB-approved waiver of informed consent, which they create or receive before the applicable compliance date, to use and disclose protected health information for specific research studies, as well as for future unspecified research that may be included in such permission.
For additional information on HIPAA and research