The privacy regulation prohibits covered entities from using or disclosing protected health information for research purposes without an individual's written authorization or a waiver of authorization in accord with the regulation. The regulation explicitly provides that using information for research is not one of the activities that is permitted under the arrangements for using and disclosing information for treatment, payment and health care operations.
''Authorization'' to use information for research is required—in addition to the requirements under the Federal Common Rule relating to ''Informed Consent'' of the subject to participate in the research protocol. Likewise, the criteria for waiver of authorization under the privacy regulation are different from and in addition to the criteria for waiver of informed consent under the Common Rule.
The privacy regulation specifies the required element for a valid authorization. To be effective, an authorization must include, among other elements:
• a specific description of the information to be used or disclosed;
• specific identification of the person or entity with whom or to whom the covered entity may make the requested use or disclosure;
• a specific description of the purpose of the use or disclosure;
• an explanation of how the individual may revoke the authorization;
• a statement that the information disclosed may be subject to redisclosure by the researcher and no longer protected by the federal regulation; and
• if the covered entity will receive either direct or indirect remuneration from a third party for making the disclosure, a statement to this effect.35
The authorization must contain all the elements specified in the privacy regulation, as well as any disclosures or elements required by any applicable state law, unless an IRB or privacy board grants a waiver of authorization or of the form of authorization with respect to one or more elements in accord with the regulation's waiver criteria.36
In lieu of asking individuals to authorize the disclosure of their protected health information, the covered entity may seek waiver of the authorization requirement from an IRB established in accordance with the Common Rule or from a specially constituted privacy board.37 Either entity may grant a waiver of authorization if the research protocol meets the privacy regulation's waiver criteria. These criteria resemble the Common Rule criteria for waiver of informed consent, although they specify that the reviewing board must determine whether the privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits if any to the individuals, and the importance of the
35 See id. at 82 811-12 (codified at 45 C.F.R. § 164.508(c), (d)).
36 See id. at 82 816-17 (codified at 45 C.F.R. § 164.512(i)).
37 See id. at 82 816-17 (codified at 45 C.F.R. § 164.512(i)).
knowledge that may reasonably be expected to result from the research.38
Although the question to the Review Board is posed in the same way as under the Common Rule, the Board actually is being asked a very different philosophical question. As discussed above, the Common Rule question stems from our interest in protecting individuals from risks to their autonomy, life, and liberty in the name of science. The IRB identifies the potential risks and considers their probability in approving the research design. In the data context, however, the question as posed assumes that absolute protection of individuals' privacy from theoretical risks is what is desired. The risks to privacy, as discussed above, stem from violations of data security, not from the research itself. However, that is not the specific question before the Board in evaluating the research risk. Separately, the IRB considers whether there is an ''adequate'' plan to protect identifiers.
The medical privacy regulation became effective as of 14 April 2001. Hospitals, doctors, pharmacies, health plans, labs, and clinics have two years to bring their operations into full compliance. Because the regulation supplements but does not supersede the Common Rule, all data-only research that also is subject to the Common Rule potentially will need to consider both a waiver of Informed Consent to
38 To waive the authorization requirement, an IRB or privacy IRB must determine that: (1) the use or disclosure of the protected health information involves no more than minimal risk to the proposed research subjects; (2) waiver of the authorization requirement will not adversely affect the privacy rights and welfare of the subjects; (3) the proposed research could not practicably be conducted without the waiver; (4) the research could not practicably be conducted without access to and use of the health information; (5) the privacy risks to the proposed subjects are reasonable in relation to the anticipated benefits (if any) to those subjects; (6) an adequate plan exists to protect personal identifiers from improper use and disclosure;
(7) an adequate plan exists to destroy such identifiers at the earliest opportunity consistent with the conduct of the research (unless there is a health or research justification for retaining the identifiers, or if retention is otherwise required by law); and
(8) there are "adequate written assurances" that the identifiable health information will not be reused or disclosed to any third party except as required by law, for oversight of the research project, or for other research for which the use or disclosure would be permitted by the regulation. Id. (codified at 45 C.F.R. § 164.512(i)(2)(ii)).
participate in research and a waiver of authorization under the privacy regulation.39
Under the Common Rule, deceased individuals are not considered "human subjects''.40 Absent state laws or institutional policies to the contrary, research using the records of deceased persons does not require IRB approval or an IRB waiver of informed consent. The privacy regulation, in contrast, includes deceased persons as "individuals'' whose privacy is protected by the regulation. The regulation states that a covered entity can provide access to records of deceased individuals only if it obtains representations from the researcher that the information sought will be used only for research purposes and is in fact necessary for these purposes.41 In addition, the covered entity, at its discretion, may require the researcher to document the death of the individuals whose protected health information is sought.42 Of course, an IRB or privacy board could waive authorization with respect to deceased individuals under the regulation's criteria for waiver.43
Was this article helpful?