Institutional Review Board

HIPAA Questions and Answers Relating to Research

February 2015

   


I.  The Basics

Question 1: As an employee of the JHM covered entity, how does the HIPAA Privacy Rule affect my research?

Answer:  Under the HIPAA Privacy Rule you must meet certain requirements before using or disclosing individually identifiable health information for research. (These HIPAA requirements are in addition to IRB requirements under federal regulations for the protection of human subjects.)

The HIPAA Privacy Rule defines “individually identifiable” broadly, to include information such as name, address, or SSN, as well as “indirect identifiers” such as zip codes or date of birth, when attached to any health information.

A covered entity and its employees may not use or disclose individually identifiable health information (called “protected health information,” or “PHI”) for research, except in one of the following circumstances:

i) The patient has signed a written Authorization containing all the elements specified in the Privacy Rule;

ii) An IRB has waived or altered the requirement for HIPAA Authorization;

iii) The covered entity has “de-identified” the data prior to its use or disclosure for research; or

iv) The data are in the form of a “limited data set” containing no HIPAA “direct identifiers,” and the researcher has signed a HIPAA Data Use Agreement.

Question 2:  What is the difference between HIPAA “Authorization” and informed consent?

Answer: Informed consent is required under federal research regulations for the protection of human subjects. The HIPAA Privacy Rule, a different regulation, separately requires that patients give written Authorization before a covered entity may use or disclose patients’ protected health information for research. There are different requirements for the content of informed consent and HIPAA Authorization; however, both may be combined in one form (see templates on the HIPAA forms page). An IRB may waive both consent and Authorization if the research meets all of the waiver criteria established by each of the applicable regulations.

Question 3: I plan to use de-identified information in my research.  Do I still need to submit an eIRB application?

Answer: The answer depends upon whether the data already exist in de-identified form.  If your research involves only the analysis of pre-existing data that have been fully de-identified to the HIPAA standard, you do not need to submit an application in eIRB, because such research involves neither PHI nor an identifiable human subject.

If, however, you wish to extract de-identified data from medical records or other identifiable sources, for use in your research or to create a de-identified database for future research, you must submit an Exempt Research Application and an Application for Waiver of HIPAA Privacy Authorization in eIRB. (See the JHM IRB guidance on Research Databases for additional information.)

Question 4: Are outside parties involved in a research study "business associates" of Hopkins, and do we need a Business Associate Agreement with these parties?

Answer: No. Under the HIPAA Privacy Regulations, a business associate is a person or entity that receives protected health information ("PHI") from a covered entity and performs certain functions or activities on behalf of the covered entity. For example, The Johns Hopkins Hospital is a covered entity under HIPAA and its outside lawyers, consultants, and most contractors who receive PHI from JHH are business associates doing something on JHH's behalf. The HIPAA Privacy Regulations require Hopkins to enter into Business Associate Agreements with these entities. Although these entities are not covered entities themselves, they agree to treat the PHI they receive as if they were covered entities under HIPAA. Although this analysis might seem to apply to some parties in a research context, it now is widely accepted that persons and entities who receive PHI from research organizations in the course of an approved research project are not the business associates of the research organization. For example, if a Johns Hopkins protocol has two sponsors and an entity performing the lab work for the study, these parties are not deemed to be acting on Johns Hopkins' behalf and are not its business associates. Rather, these entities all are parties necessarily involved in the common enterprise of the research project. In a clinical trial, these parties must be listed on the HIPAA Privacy Authorization as parties to whom PHI may be disclosed in the course of the study. If the IRB waives Authorization, all these parties must be listed in the IRB waiver application so that the IRB is aware that these parties will receive PHI and can assure that a proper plan is in place to protect the privacy of the PHI. In either case, Hopkins does not need to have a Business Associate Agreement with these parties.

Question 5: When might I need a HIPAA Data Use Agreement in connection with my research?

Answer: A Data Use Agreement is needed when a researcher wants to share PHI in the form of a Limited Data Set (defined as a data set that contains no identifiers other than certain "indirect identifiers") with someone not otherwise involved in the research protocol (i.e., someone who is not mentioned as receiving PHI in the Authorization or in the waiver of Authorization approved by the IRB). If the person or entity at the other site is part of the trial and is included in the Authorization or waiver of Authorization approval for the trial, you do not need a Data Use Agreement. Rather, a Data Use Agreement is used when, for example, you want to share a Limited Data Set of research data with a colleague at another institution not involved in the trial, or with a private registry not involved in the study. The JHM IRB must be notified if you plan to share a Limited Data Set with a person not named in the original IRB application. If you disclose a Limited Data Set to another JHM researcher, that person must sign the one-page Data Use Agreement on the JHM IRB website. If you will disclose a Limited Data Set to a non-JHM researcher, the recipient must sign the full JHM Data Use Agreement before research data containing PHI are shared.

Question 5(a): What about sharing data with a researcher at JHBSPH, or including JHBSPH faculty or students as members of my research team?

Answer: The HIPAA Privacy Rule permits a covered entity to exclude from covered status any of its components that do not perform “covered functions” (e.g., billing for clinical services).  The SOM and JHBSPH have agreed that because JHSPH faculty do not perform covered functions for the JHBSPH, JHBSPH will be excluded from the JHM covered entity.  This means, however, that when JHM PHI is shared with someone from the JHBSPH, this sharing is a “disclosure” of PHI and must be treated as any other disclosure of PHI to an outside entity.  The SOM PI must track all disclosures of PHI to the JHBSPH to permit the SOM to account for these disclosures if required to do so under the Privacy Rule.

There is an exception to this general rule for disclosures to JHBSPH faculty or students who are formal members of a research team led by a SOM PI and have completed all required SOM HIPAA training.   For the purpose of performing their responsibilities as research team members, such JHBSPH faculty/students are considered to be members of the SOM HIPAA “workforce” if they are acting under the direct control of the PI.  SOM workforce members must abide by all JHM HIPAA policies, but the PI does not need to track disclosures of PHI to them.

Also, if the JHBSPH faculty and/or students are listed in the research authorization form as parties with whom the SOM PI will share PHI, the SOM PI does not need to track these disclosures.

Question 6: I am a researcher who has obtained a Certificate of Confidentiality for my study. Do I need a HIPAA Privacy Authorization when I already have a Certificate of Confidentiality?

Answer: Yes. Certificates of Confidentiality (CoCs) may protect the identities of research participants from compulsory disclosure in certain legal proceedings. However, CoCs do not prevent voluntary disclosures of research information, nor do they negate the fact that researchers collect PHI from participants and that many persons both inside and outside of Hopkins will or may see the PHI (e.g., auditors, IRBs, investigators from governmental agencies, sponsors, etc.). Accordingly, the HIPAA Privacy Authorization must inform participants that, although JHM will keep their identifiable information confidential, there are certain people in and outside of Hopkins who will or may need to see the information, and that, because some of those people are not covered by the Privacy Rule, we cannot guarantee that they will all maintain the confidentiality of the information.

Question 7: How is the HIPAA Privacy Rule related to the HIPAA Security Rule?

Answer: Each is a separate regulation under the HIPAA statute. The Privacy Rule applies to all health information obtained or created by a covered entity, regardless of medium. The Security Rule applies to protected health information created or stored in an electronic form.  The Security Rule establishes standards for how covered entities store, transmit, and safeguard “ePHI.”  A researcher who fails to protect the security of PHI, by failing to follow JHM information security policies (e.g., password protection, encryption) may be violating both the Privacy Rule and the Security Rule. For more information about Security Rule requirements, contact the JH Information Security services.


II.  Recruitment

Question 1: At what point in recruitment may we gather information about a potential participant (i.e., a potential participant calls our office after seeing a flier, may we screen that person/ ask them about their history, or do we need him or her to complete a written privacy Authorization prior to screening)?

Answer: If the IRB has approved your recruitment plan, including a partial waiver of Authorization to permit you to collect PHI for screening without written Authorization, you may take the person’s contact and screening information.  You will need to advise the person that in order to evaluate whether he or she is a candidate for the research, you will need to share the caller’s information, and the caller may need to share information, with a limited number of others who staff the study.  If the person is deemed to be a qualified candidate, then he/she will be asked to come in to sign an informed consent/privacy Authorization. 

If the person is not deemed to be qualified, their information should be destroyed and not used for any other purpose, unless the IRB has waived Authorization to permit the research team to retain information required by the sponsor or by FDA regulations.

Question 2: When a potential participant calls after seeing a flier, may we take a history from the participant to determine eligibility prior to receiving a written privacy Authorization if we do not record (either in a database or written form) the PHI given to us by the participant?

Answer: The answer is the same as in #1, above.  Receipt of PHI occurs whether the information is written, electronic or verbal.  The IRB must approve the recruitment plan to permit phone screening for eligibility. The PI or research team must receive the follow-up written Authorization before they may use the PHI for research.

Question 3: When the potential participant calls our office, may the staff member who took the call have another staff member (same research team) send materials to/contact the potential participant?

Answer: Yes. Anyone on the research team or staff may use the contact information to send materials to prospective subjects and to obtain the Authorization.

Question 4: If the clinician is also a researcher and he/she meets a potential participant for their study, can that clinician/researcher have one of his/her staff members screen the patient/potential participant’s chart?

Answer: Yes.

Question 5: Is it possible to get a waiver from the JHM-IRB to screen patient charts without having each patient first sign a privacy Authorization form?  If yes, what forms need to be filed with the JHM-IRB?

Answer: Yes. The form is HIPAA IRB Form 4, Application for IRB Waiver of HIPAA Privacy Authorization.  The waiver must be granted by the IRB before charts are screened.

III.  “Grandfathering” under HIPAA

Question 1:  I know that the HIPAA Privacy Rule grandfathers some studies in which participants enrolled prior to 4/14/03 (or for which the IRB granted a waiver of consent prior to that date).  Please define the term “enrolled” in reference to a participant being enrolled in a study prior to 4/14/2003.  Does this mean that the participant must have signed a consent form prior to that date? Or can it mean that the participant and family have been entered into the database by that date?

Answer: “Enroll” means to have the participant sign an informed consent within the meaning of the Common Rule. If a participant signed an informed consent prior to 4/14/03, the participant does not need to sign a HIPAA privacy Authorization for the same study.  However, after 4/14/03, a participant who is signing an informed consent (whether a new participant, or an old participant who is being re-consented) also must sign a privacy Authorization and/or an IRB approved new combined consent/HIPAA authorization document.

Question 2: Is the continuation of a study (i.e. new grant funding) using the same protocol number considered a “new” study under HIPAA guidelines?

Answer: No. HIPAA does not address what would make a study a new study.  If the study is a new study under JHM practices or the Common Rule, then both a new informed consent and privacy Authorization, or an IRB approved waiver of consent/privacy authorization, would be required. If the study is not a new study under these criteria, then no new informed consent/privacy Authorization would be required.

Question 3: If we have information in a database that was collected with the written consent of the participants in the database prior to 4/14/2003, do we need a HIPAA waiver to maintain the database?

Answer: No. Any form of written consent obtained prior to 4/14/2003 will “grandfather” the data accumulated in the research database prior to that date.  The consent does not need to meet the privacy Authorization criteria and no waiver by the IRB is needed.  If, however, a researcher wishes to add patients to the database who did not sign a consent form prior to 4/14/2003, those patients must sign both a consent form and a HIPAA Authorization (may be combined in a single form; see IRB website), unless the IRB grants a waiver of consent and HIPAA Authorization.

IV.  De-Identification and Re-Identification

Question 1: When does a unique identifying number become PHI?  Is it always considered PHI?

Answer: HIPAA permits the use of unique identifying numbers in a de-identified data set, provided that the recipient of the data (e.g., the researcher), has no access to the linking code and no means of re-identifying the data.  If a unique identifying number is kept to link otherwise de-identified data to the individuals in the study, the unique identifying number is and remains PHI with respect to anyone who can access the code key or re-identify the data subjects.  If the unique identifying number is destroyed, the health information would thereafter be de-identified for all purposes (assuming all other HIPAA identifiers and links to identifiers are removed).

Question 2: HIPAA has many identifiers that must be removed to “de-identify” health information.  Is any one of these identifiers, all by itself, PHI?

Answer: Not necessarily. PHI is information about the health of an individual, the health condition of an individual or the payment for health services rendered to an individual.  If we just had a DOB and that DOB was not linked to any other health information and could not be sourced to a provider (e.g., JHM), the DOB alone would not be PHI.  But if the DOB is coupled with other information, such as “was a patient at JHH,” or “was one of 15 enrollees in a particular study,” this combination would be PHI.  We have taken the position that if we gain any information linked to a person’s status as a patient or a participant in a study, that information is PHI.  (Note that if DOB is the only identifier coupled with health information or research data, the researcher could aggregate the DOBs into ranges, which would de-identify the information/data.)
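As an added illustration of the reasoning in the two answers above (example code, not from the JHM IRB page), the following Python sketch applies the tests they describe: an identifier standing alone is not PHI, an identifier coupled with health information or patient status is, a date of birth aggregated into a year range no longer identifies, and a study code remains PHI only for whoever can reach the key that links it back. The field names, the 10-year range width, and the sample records are all assumptions.

```python
"""Constructed example of the de-identification reasoning in Section IV.

Assumptions (not taken from the page): the field names, the 10-year width of
the birth-year range, and the sample records below are all made up here.
"""
from datetime import date

# Identifier fields the page names (name, address, SSN, zip code, date of birth).
DIRECT_IDENTIFIERS = {"name", "address", "ssn", "zip"}
# A DOB, or a study code that a key can link back to a person, still identifies.
LINKABLE_IDENTIFIERS = {"dob", "study_code"}
# Fields that tie a row to health status or to being a patient or participant.
HEALTH_FIELDS = {"diagnosis", "patient_of", "study_enrollee"}


def present(row, fields):
    """Names from `fields` that carry a value in `row`."""
    return {k for k in fields if row.get(k) is not None}


def is_phi(row):
    """Section IV Q2: an identifier standing alone is not PHI; an identifier
    coupled with health information or patient/participant status is."""
    identifiers = present(row, DIRECT_IDENTIFIERS | LINKABLE_IDENTIFIERS)
    return bool(identifiers) and bool(present(row, HEALTH_FIELDS))


def birth_year_range(dob, width=10):
    """Aggregate a DOB into a year range, e.g. 1964-03-02 -> '1960-1969'."""
    start = dob.year - dob.year % width
    return f"{start}-{start + width - 1}"


def deidentify(records, keep_link, width=10):
    """Return (released_rows, link_table).

    Released rows drop the direct identifiers and replace DOB with a year
    range. With keep_link=True the study code stays on each row and
    link_table maps it back to the source record; those rows remain PHI for
    anyone holding link_table (Section IV Q1). With keep_link=False no link
    survives and the rows are de-identified for all purposes.
    """
    drop = DIRECT_IDENTIFIERS | LINKABLE_IDENTIFIERS | {"record_id"}
    released, link_table = [], {}
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in drop}
        row["birth_year_range"] = birth_year_range(rec["dob"], width)
        if keep_link:
            row["study_code"] = rec["study_code"]
            link_table[rec["study_code"]] = rec["record_id"]
        released.append(row)
    return released, link_table


# Constructed sample records; every value is fictitious.
SAMPLE_RECORDS = [
    {"record_id": 1, "name": "Person One", "address": "1 Example St",
     "ssn": "000-00-0001", "zip": "00001", "dob": date(1964, 3, 2),
     "study_code": "S-001", "diagnosis": "hypertension", "patient_of": "JHH"},
    {"record_id": 2, "name": "Person Two", "address": "2 Example St",
     "ssn": "000-00-0002", "zip": "00002", "dob": date(1971, 11, 30),
     "study_code": "S-002", "diagnosis": "asthma", "patient_of": "JHH"},
]


if __name__ == "__main__":
    linked, key = deidentify(SAMPLE_RECORDS, keep_link=True)
    print("with key table:", [is_phi(r) for r in linked], key)
    unlinked, key = deidentify(SAMPLE_RECORDS, keep_link=False)
    print("key destroyed:", [is_phi(r) for r in unlinked], key)
```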

V.  Accounting for Disclosures

Question 1:   As per the HIPAA regulations, we need to keep a log of all persons who have viewed PHI in our database in order to provide a list of disclosures, if and when a participant requests it.  Do we need to log a new entry each time a member of our research team views the data, or do we only need to enter a new entry in the log when someone outside of the team views the data?

Answer: A “disclosure” is providing PHI outside the Hopkins workforce. (NOTE: JH Bloomberg School of Public Health employees are not members of the Hopkins workforce unless they hold joint appointments and are conducting SOM research, or are faculty/students who are formal members of a research team led by an SOM PI; see Question 5(a), above. Workforce members must complete all required SOM HIPAA training.) All Hopkins members of the research team may view the PHI without keeping a disclosure log. If, however, a researcher from another institution (or JHBSPH) will receive JH PHI, that person’s accessing or viewing of the PHI will generally be a disclosure. This is not the case if the outside researcher meets the criteria for a “workforce member” (contact the JH Privacy Office for more information).

HIPAA IRB Forms 8.1, 8.2, and 8.4 are required for disclosures of PHI outside of the Hopkins workforce. The applicable form must be completed and a disclosure log kept unless one of the following applies: (1) the recipient of the PHI is a member of the JHM workforce, as described above; (2) the subject(s) have signed a HIPAA Authorization (or combination consent/authorization) naming the outside researcher(s) as recipients of PHI; or (3) the disclosure contains no identifiers other than the “indirect identifiers” permitted in a HIPAA Limited Data Set, and the recipient (the outside researcher) has signed the JHM Data Use Agreement.

VI. Subject Requests for Access to Research Data or Test Results

Question 1:  Do the HIPAA requirements allow for participants to request a copy of any structured interviews they completed/responded to as part of the study?  What about the results of research laboratory tests?

Answer: Individuals have a right to a copy of their “designated record set.” The Privacy Rule defines this as follows:

Designated record set means:

(1)   A group of records maintained by or for a covered entity that is:

(i) The medical records and billing records about individuals maintained by or for a covered health care provider;

(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals

(2)   For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

We are taking the position that a research record is not part of the “designated record set” and that only information that is entered into an individual’s medical record during the course of the research would be part of the “designated record set”.  Of course, if the research involves treatment of a patient and there is only one “record”, the research and medical record could be the same.

This does not mean that the research record does not contain protected health information (PHI). In your question, if the interview included questions about health status or history, this would be PHI. But we do not believe it meets the above definition of “designated record set,” which requires providing a copy upon request by an individual. Also, the HIPAA Privacy Rule recognizes that under CLIA, research laboratories that do not have CLIA certification may not disclose the results of laboratory research tests to patients or their providers (see Organization Policy No. 101.2, "Research Laboratory Testing Results").

You should know that this is not a settled area of the law.  Different experts have different opinions.  But until there is further clarification, this is our position on this issue.  Consult OHSR about specific requests for provision of copies of research records or information to non-Hopkins entities.

VII. Access to PHI Created or Maintained by Non-JHM Providers

Question 1: I am enrolling subjects in a clinical study.  If adverse events occur and my subjects are treated by a non-JHM provider, how may I obtain information about the subjects’ treatment?

Answer: A subject must sign an Authorization that allows the non-JHM provider to disclose PHI to you for the purposes of research involving that subject. It is helpful to obtain the subject’s express permission for such a disclosure in the Authorization form that the subject signs for your research study. The non-JHM provider may rely upon such Authorization; alternatively, the provider may ask the patient to sign the provider’s own Authorization, or may disclose the records directly to the patient.

VIII. International Research

Question 1:  How does the HIPAA Privacy Rule affect international research?

Answer:  The extent to which HIPAA applies to international research is currently a matter of debate; however, once identifiable health information is received by a covered entity, that information becomes PHI (with a narrow exception for overseas foreign nationals receiving health care from US agencies). This means that when a researcher sends identified health information collected internationally across a JHM network or stores such information on a JHM computer or server, the information becomes PHI.

Because HIPAA concepts can be difficult to translate in international studies, researchers have several options. The first is to ask the IRB to approve a simpler form of the required Authorization language, either within the body of the written consent itself or separately as the standalone “HIPAA Statement for International Research” form, and/or to request approval to obtain Authorization in oral form. Another option, where cultural barriers are significant, is to request permission to exclude HIPAA language from the consent form and process. This may be most appropriate where no data will be transferred to the U.S. and subject to HIPAA protection.



Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009.


Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.


Overview of Conclusions and Recommendations

Ethical health research and privacy protections both provide valuable benefits to society. Health research is vital to improving human health and health care—and protecting individuals involved in research from harm and preserving their rights is essential to the conduct of ethical research. The primary justification for protecting personal privacy is to protect the interests of individuals. In contrast, the primary justification for collecting personally identifiable health information for health research is to benefit society. But it is important to stress that privacy also has value at the societal level because it permits complex activities, including research and public health activities, to be carried out in ways that protect individuals’ dignity. It is also important to note that health research can benefit individuals, for example, when it facilitates access to new therapies, improved diagnostics, and more effective ways to prevent illness and deliver care.

The U.S. Department of Health and Human Services (HHS) developed a set of federal standards for protecting the privacy of personal health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[1] The HIPAA Privacy Rule set forth detailed regulations regarding the types of uses and disclosures of individuals’ personally identifiable health information—called “protected health information”—permitted by “covered entities” (health plans, health care clearing houses, and health care providers who transmit information in electronic form in connection with transactions for which HHS has adopted standards under HIPAA).[2] A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of information needed to promote high-quality health care. The Privacy Rule also set out requirements for the conduct of health research.

The Institute of Medicine (IOM) Committee on Health Research and the Privacy of Health Information (the committee) was charged with two principal tasks:[3] (1) to assess whether the HIPAA Privacy Rule is having an impact on the conduct of health research, defined broadly to include biomedical research, epidemiological studies, and health services research, as well as studies of behavioral, social, and economic factors that affect health; and (2) to propose recommendations to enable the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information (Box O-1).

Box O-1, Committee Statement of Task (excerpt): An Institute of Medicine committee will investigate the effects on health research of the Privacy Rule regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) section on Administrative [...]

The committee’s conclusion is that the HIPAA Privacy Rule does not protect privacy as well as it should, and that, as currently implemented, the Privacy Rule impedes important health research. The committee found that the Privacy Rule (1) is not uniformly applicable to all health research, (2) overstates the ability of informed consent to protect privacy rather than incorporating comprehensive privacy protections, (3) conflicts with other federal regulations governing health research, (4) is interpreted differently across institutions, and (5) creates barriers to research and leads to biased research samples, which generate invalid conclusions. In addition, security breaches are a growing problem for health care databases. In this report, the committee presents its analysis and findings, along with several recommendations for accomplishing the dual goals of protecting health privacy while facilitating responsible and beneficial research.

Definitions

Definition of Privacy and Why Privacy Is Important

The term “privacy” is used frequently, yet there is no universally accepted definition of the term, and there is considerable confusion about the meaning, value, and scope of the concept. The focus of the HIPAA Privacy Rule and the IOM committee’s report are on the privacy of personal health information. In this context, privacy pertains to the collection, storage, and use of personal information and addresses the question of who has access to personal information and under what conditions. Issues of privacy include whether specific types of data about an individual can be collected at all, as well as the justifications, if any, under which data collected for one purpose can be used for another purpose. Another important issue in privacy analysis is whether an individual has authorized particular uses of his or her personal information.

Although privacy is often used interchangeably with the terms “confidentiality” and “security,” they have distinct meanings. Confidentiality, though closely related to privacy, refers to the obligations of those who receive information in the context of an intimate relationship to respect the privacy interests of those to whom the data relate and to safeguard that information. Confidentiality addresses the issue of whether to keep information exchanged in that relationship from being disclosed to third parties. Thus, for example, confidentiality requires physicians not to disclose information shared with them by a patient in the course of a physician–patient relationship. Unauthorized or inadvertent disclosures of data gained as part of an intimate relationship are considered breaches of confidentiality.

Security, as defined by Turn and Ware in 1976, is “the procedural and technical measures required to (a) prevent unauthorized access, modification, use, and dissemination of data stored or processed in a computer system, (b) prevent any deliberate denial of service, and (c) to protect the system in its entirety from physical harm.”[4] Currently existing, commonly deployed security measures help keep health records safe from unauthorized use, although no security measure can prevent an invasion of privacy by individuals who have authority to access a health record.

American society places a high value on a private sphere protected from intrusion, and the bioethics principle of nonmaleficence[5] requires safeguarding personal privacy. Breaches of an individual’s privacy and confidentiality may affect a person’s dignity and cause irreparable harm. When personally identifiable health information[6] is disclosed to an employer, insurer, or family member, for example, the disclosure can result in stigma, embarrassment, and discrimination. Safeguarding privacy and confidentiality are also important for both individuals and society. Individuals are less likely to participate in health research or other socially and individually beneficial activities, including candid and complete disclosures of sensitive information to their physicians, if they do not believe their privacy is being protected. However, it should also be noted that perceptions of privacy vary among individuals and groups. Information that is considered intensely private by one person may not be by others. The concept of privacy is also context specific, and acquires a different meaning depending on the stated reasons for the information being gathered, the intentions of the parties involved, as well as the politics, convention, and cultural expectations.

The bioethics principle of respect for persons places importance on individual autonomy or self-determination, which allows individuals to make decisions for themselves about matters that are important to their own well-being. U.S. society also places a high value on individual autonomy, and one way to respect individuals is to ensure that they can make the choice about when, and whether, personal information (particularly sensitive information) can be shared with others.

Many statutory and regulatory protections of privacy have attempted to incorporate these values and concerns through emphasis on the principles of fair information practices, 7 which have been adopted in various forms at the international, federal, and state levels. The principles of fair information practices address issues such as data quality, limitations on collection and use, specification of purpose, security safeguards, openness of practices and policies, individual participation, and accountability. They reflect a broad consensus about the need for standards to protect individual privacy and to facilitate information flows in an increasingly technology-dependent, global society.

Definition of Health Research and Why Health Research Is Important

Under both the HIPAA Privacy Rule and a federal regulation known as the Common Rule, 8 “research” is defined as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.” This is a broad definition that may include biomedical research, epidemiological studies, 9 and health services research, 10 as well as studies of behavioral, social, and economic factors that affect health.

Perhaps the most familiar form of health research is the clinical trial in which patients volunteer to participate in studies to test the efficacy of new medical interventions. Today, though, an increasingly large portion of health research is information based. More and more research entails the analysis of data and biological samples that were initially collected for one purpose and are now being used for another purpose such as research. 11 In the fields of epidemiology, health services research, and public health research, the use of existing data to conduct research is common. Existing data are analyzed to identify patterns of occurrences, determinants, and the natural history of disease; to evaluate health care interventions and services; to perform drug safety surveillance; and to perform some genetic and social studies.

A prime example of the benefits of research using existing biological samples and patients’ records is the development of Herceptin® (trastuzumab), a revolutionary new treatment for some kinds of breast cancer. In addition, many findings from research using patients’ medical records have changed the practice of medicine. Examples of how health research based on data from medical records has informed and influenced national and other policy decisions abound. Just to cite a few: Research based on data from medical records underlies the estimate that tens of thousands of Americans die each year from medical errors in the hospital and has provided valuable information for reducing these medical errors by implementing health information technology, such as e-prescribing. Medical records research has documented that disparities and lack of access to care in inner cities and rural areas result in poorer health outcomes, and has demonstrated that specific preventive services (e.g., mammography) substantially reduce mortality and morbidity at reasonable costs. Furthermore, such research has established a causal link between the nursing shortage and patient health outcomes by documenting that patients in hospitals with fewer registered nurses are hospitalized longer and are more likely to suffer complications, such as urinary tract infections and upper gastrointestinal bleeding. As the use of electronic medical records increases, the pace of medical records research is accelerating, and the opportunities to use these records to generate new knowledge about what works in health care are expanding.

The varying methods of health research provide complementary insights. Although clinical trials can provide important information about the efficacy and adverse effects of medical interventions by controlling the variables that could impact the results of the study, feedback from real-world clinical experience is also crucial for comparing and improving the use of drugs, vaccines, medical devices, and diagnostics. The Food and Drug Administration’s (FDA’s) approval of a drug for a particular indication, for example, is based on a series of controlled clinical trials, often with a few hundred to a few thousand patients. After a drug has received the FDA’s approval for marketing, however, it may be used by millions of people in many different contexts. Thus tracking clinical experience with the drug is important for identifying relatively rare adverse effects and for determining the effectiveness in different populations or circumstances.

Like privacy, all of these health-related activities provide high value to society. Collectively, these activities can provide important information about disease trends and risk factors, outcomes of treatment or public health interventions, functional abilities, patterns of care, and health care costs and utilization. They have led to significant discoveries, the development of new therapies, and a remarkable improvement in health care and public health. 12 Thus, they provide a sense of hope for people with chronic, life-threatening, or fatal conditions. If the health research enterprise is impeded, or if it is less robust, important societal interests are adversely affected.

THE HIPAA PRIVACY RULE

The U.S. Congress passed HIPAA in 1996 with the primary goals of making health care delivery more efficient and increasing the number of Americans with health insurance coverage.

The HIPAA Privacy Rule was developed by HHS under HIPAA’s administrative simplification provisions, which mandated the creation of privacy standards for “protected health information” (PHI) in the absence of federal legislation. A major goal of the HIPAA Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of information needed to promote high-quality health care. Recognizing that patients’ health records also play an important role in health research, Congress wanted to ensure that the implementation of HIPAA would not impede health researchers’ continued access to data from health records. Responding to this objective, HHS attempted to create a system that mandates privacy protection for individually identifiable health information while allowing important uses of the information in health care and research.

The HIPAA Privacy Rule sets forth detailed regulations regarding the types of uses and disclosures of “protected health information,” defined as “individually identifiable health information” that is held or transmitted by a “covered entity.” Covered entities are health plans, health care clearinghouses, and health care providers who transmit information in electronic form in connection with a transaction for which HHS has developed a standard under HIPAA. 13 A covered entity may not use or disclose PHI except either (1) as the Privacy Rule permits, or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing. The Privacy Rule applies not only to health information exchanged or stored electronically, but also to PHI held by a covered entity in any form or media, including electronic, paper, and oral communications. 14

Although the HIPAA Privacy Rule applies to information uses and transactions necessary for the provision of health care, it is also applicable to a great deal of information used in health research. As already explained, the data in individuals’ medical records may be important or essential to some types of health research. When obtaining PHI from a covered entity to use in their research, health researchers are required to follow the provisions of the HIPAA Privacy Rule. The Privacy Rule permits a covered entity to use and disclose PHI for research purposes without an individual’s authorization if the covered entity obtains either (1) documentation that an alteration or waiver of the individual’s authorization for the use or disclosure of the information has been approved by an IRB or Privacy Board, or (2) specified representations from the researchers that the PHI is being used or disclosed solely for purposes preparatory to research, or for research using only the PHI of decedents. A covered entity may also use or disclose PHI without an individual’s authorization if the PHI is contained as part of a “limited data set” from which specified direct identifiers have been removed, and the researcher enters into a data use agreement with the covered entity.

THE COMMITTEE’S CHARGE AND THE OVERARCHING GOALS OF THE RECOMMENDATIONS

The sponsors of this study asked the IOM to assess whether the HIPAA Privacy Rule implemented by HHS is impacting the conduct of health research, and requested that the IOM committee propose recommendations to facilitate the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information. To undertake this task, the IOM appointed a 15-member committee (Committee on Health Research and the Privacy of Health Information) with a broad range of expertise and experience covering various fields of health research; privacy of health information; health law, regulation, and ethics; human research protections; health center administration; use and protection of electronic health information; and patient advocacy.

As the study progressed and committee members began thinking about potential recommendations, they identified three general methods for improving the current system for safeguarding health information privacy: (1) the provision of guidance from HHS and its Office for Civil Rights to Institutional Review Boards (IRBs), Privacy Boards, institutions, and other participants and stakeholders, which is the easiest way to achieve changes; (2) regulatory changes to the HIPAA Privacy Rule provisions, which can be done via HHS, but is more difficult than providing new guidance; and (3) statutory changes in HIPAA or other legislation at the federal or state level, which is the most difficult to accomplish, but may be necessary. The committee members decided to be as modest as possible in proposing recommendations to facilitate the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information, with the goal of making it easier to effect change if policy makers agree with the proposals.

Ultimately, committee members agreed to make two sets of recommendations. First, the committee proposes a bold, innovative, and more uniform approach to the dual challenge of protecting privacy while supporting beneficial and responsible research. 15 Although a totally new approach may be harder to implement in the short term than more incremental changes, it might help to stimulate fresh ideas about the best ways to protect privacy and improve health research as the nation seeks the best way to support these two interconnected values over the next several years. Second, in the event that policy makers decide that HIPAA was—and continues to be—the most useful model for how to safeguard privacy in health research, the committee proposes a series of detailed proposals to improve the HIPAA Privacy Rule and associated guidance.

There is no question that the goals of safeguarding privacy and enhancing health research are sometimes in tension. Stringent measures to safeguard privacy can make it harder to conduct high-quality research, and research itself can pose a threat to privacy. Yet the committee believes that there is a synergy between the two, that promoting both is desirable, and that it is possible to strengthen certain privacy protections while still facilitating important health research.

For that reason, the committee’s intent in developing its recommendations was to advance both privacy and health research interests to the extent possible. The committee understands that the lines are not neat, the questions are complex, and the challenges are formidable. Nevertheless, our recommendations are aimed at strengthening health research regulations and practices that effectively safeguard personally identifiable health information, while changing provisions of the HIPAA Privacy Rule or its interpretations that the committee found to be mostly formalistic or ineffective. They also aim to facilitate data collection and use for beneficial and high-quality health research, with appropriate oversight, to advance knowledge about human health.

To facilitate beneficial health research while still ensuring adequate protection of patient privacy, the committee grounded its recommendations in three fundamental goals: (1) improve the privacy and data security of health information; (2) improve the effectiveness of health research; and (3) improve the application of privacy protections for health research (Box O-2). These three basic goals are discussed further below.

Box O-2. Three Goals Underlying the Committee’s Recommendations: (1) improve the privacy and data security of health information; (2) improve the effectiveness of health research; (3) improve the application of privacy protections for health research.

Improve the Privacy and Data Security of Health Information

In the context of health research, the privacy goal is the commitment to handle personal information of patients and research participants in accordance with meaningful privacy protections. These protections should include strong security measures, disclosure of the purposes for which personally identifiable health information is used (transparency), and legally enforceable obligations to ensure information is secure and used appropriately (accountability). This commitment extends to everyone who collects, uses, or has access to personal information of patients and research participants.

Practices of security, transparency, and accountability take on extraordinary importance in the health research setting. Researchers and other data users should disclose clearly how and why personal information is being collected, used, and secured, and should be subject to legally enforceable obligations to ensure that personal information is used appropriately and securely. In this manner, privacy protection will help to ensure research participant and public trust and confidence in medical research.

Improve the Effectiveness of Health Research

Research discoveries are central to achieving the goal of extending the quality of healthy lives. Research into causes of disease, methods for prevention, techniques for diagnosis, and new approaches to treatment has increased life expectancy, reduced infant mortality, limited the toll of infectious diseases, and improved outcomes for patients with heart disease, cancer, diabetes, and other diseases. Patient-oriented clinical research that tests new ideas makes medical and public health progress possible.

Today the rate of discovery is accelerating, and science is at the precipice of a remarkable period of investigative promise made possible by new knowledge about the genetic underpinnings of disease. Genomic research is opening new possibilities for preventing illness and for developing safer, more effective medical care that may eventually be tailored for specific individuals. Further advances in relating genetic information to predispositions to disease and responses to treatments will require use of large amounts of existing health-related information and stored biological specimens. The increasing use of electronic medical records will further facilitate the generation of new knowledge through research and accelerate the pace of discovery. These efforts will require broad participation of patients in research and broad data sharing to ensure that the results are valid and applicable to different segments of the population. Collaborative partnerships among communities of patients, their physicians, and teams of researchers to gain new scientific knowledge will bring tangible benefits for people in this country and around the world.

Improve the Application of Privacy Protections for Health Research

The HIPAA Privacy Rule was written to provide consistent standards in the United States for the use and disclosure of PHI by covered entities, including the use and disclosure of such information for research purposes. In its current state, however, the HIPAA Privacy Rule is difficult to reconcile with other federal regulations, including HHS regulations for the protection of human subjects (the Common Rule), FDA regulations pertaining to human subjects protections, 16 and other applicable federal or state laws.

For example, inconsistencies in federal regulations governing the deidentification of personal health information, obtaining individual consent for future research, and the recruitment of research volunteers make it challenging for health researchers to undertake important research activities while seeking to comply with all these regulations. In addition, there is substantial variation in the way in which institutions interpret and apply the Privacy Rule. For example, the way in which IRBs and Privacy Boards interpret the provisions when making decisions about authorization requirements varies across institutions, and often is quite conservative. Especially for multisite research and studies that are reviewed by both IRBs and Privacy Boards, the inconsistent interpretation and application of the HIPAA Privacy Rule’s provisions pertaining to research can create barriers to research and even lead to the discontinuation of ongoing research studies, which squanders the contributions of research participants. Adding yet another layer of complexity and variability for health researchers is a lack of clarity in the way the HIPAA Privacy Rule applies to various types of health research or closely related health care practices. Moreover, there are significant gaps in who and what is covered by current federal research regulations. Whether a research activity is subject to the provisions of the Privacy Rule or the Common Rule depends on a number of factors, including the source of funding, the source of the data, and whether the researcher meets the definition of a covered entity.

The situation in the United States is in stark contrast to the situation in most other countries, where uniform regulations apply to all research conducted in the country. The committee believes a new direction is needed, with a more uniform approach to patient protections, including privacy, in health research. Improved clarity, harmonization, and uniform application of regulations governing health research are needed to align the interests and understandings of the research community, the custodians of PHI, and other stakeholders such as patients, so that implementation of the privacy protections in health research can be achieved with acceptability to all.

THE COMMITTEE’S RECOMMENDATIONS

The IOM Committee on Health Research and the Privacy of Health Information developed several recommendations with the intent of strengthening the privacy protections of personally identifiable health information and facilitating the efficient and effective conduct of beneficial health research. A summary of the committee’s recommendations is presented in Box O-3.

Box O-3. Summary of the Committee’s Recommendations.

The committee’s first and foremost recommendation (Recommendation I) is that Congress should authorize HHS and other relevant federal agencies to develop a new approach to ensuring privacy that would apply uniformly to all health research in the United States. When this new approach is implemented, HHS should exempt health research from the HIPAA Privacy Rule. This new approach, separate from the HIPAA Privacy Rule, should ensure privacy in health research by emphasizing security, accountability, and transparency while also allowing important health research to be undertaken with appropriate oversight. If national policy makers decide that the HIPAA Privacy Rule has been, and continues to be, a useful model for safeguarding privacy in health research, the committee also proposes as an alternative that HHS revise the current HIPAA Privacy Rule and the associated guidance. These revisions, which could also be implemented in the interim while a new, comprehensive approach is being developed, would address many of the problems uncovered during the course of this study. HHS should develop guidance materials to reduce variability among IRBs and Privacy Boards in their interpretation of the HIPAA Privacy Rule as applied to research (Recommendation II.A); develop guidance materials to facilitate more effective use of existing data and materials for health research and public health purposes (Recommendation II.B); and revise some provisions of the HIPAA Privacy Rule that currently hinder research but that do not provide meaningful privacy protections (Recommendation II.C). The committee’s last set of recommendations, though not directly related to the HIPAA Privacy Rule, should be adopted in order to achieve the committee’s overarching goals. The committee recommends that all health research institutions improve the security of personally identifiable health information (Recommendation III.A), that HHS—or, as necessary, Congress—provide reasonable protection to IRB and Privacy Board members for good faith decisions to encourage service on IRBs (Recommendation III.B), and that HHS and researchers take steps to disseminate health research results more broadly, and to inform the public about the nature of health research and its value to individuals and society as a whole (Recommendation III.C). Adopting this set of recommendations will be important regardless of whether Option I or II is implemented.

In the remaining pages of this overview, the abbreviated recommendations of the IOM committee, shown in Box O-3, are presented in fuller detail.

I. Develop a New Approach to Protecting Privacy in All Health Research

The primary justification for including research provisions in the HIPAA Privacy Rule was to remedy perceived shortcomings of federal privacy protections in health research under the Common Rule, but the HIPAA Privacy Rule has numerous limitations of its own. In proposing the Privacy Rule, HHS acknowledged that, ideally, it would have preferred to regulate health researchers directly by extending the protections of the Common Rule to research that is not federally supported and by imposing additional criteria for the waiver of patient authorization for the use of personally identifiable health information in research. 17 But HHS recognized that it did not have the authority to do this. For that reason, HHS attempted to protect the health information released to researchers indirectly (but within the scope of its limited authority) by imposing restrictions on information disclosures by covered entities. The National Committee on Vital and Health Statistics (NCVHS) and others have noted the limitations of the HIPAA Privacy Rule and have called for stronger protections of health privacy—notably, by expanding the purview of the Privacy Rule beyond the current covered entities.

The IOM committee believes an even bolder change is needed. The number of studies using medical records to address important questions about health and disease is likely to increase with the growing availability of electronic records. As the volume and importance of digital personal health data increase exponentially, the public can be expected to heighten demands for a legal framework that provides meaningful safeguards to protect personally identifiable health information in the health research setting. Thus, the IOM committee recommends developing a new framework to both protect individuals’ privacy and facilitate responsible and beneficial health research.

Recommendation I: Congress should authorize HHS and other relevant federal agencies to develop a new approach to protecting privacy in health research that would apply uniformly to all health research. When this new approach is implemented, HHS should exempt health research from the HIPAA Privacy Rule. The new approach should enhance privacy protections through improved data security, increased transparency of activities and policies, and greater accountability while also allowing important health research to be undertaken with appropriate oversight. The new approach should do all of the following:

• Apply to any person, institution, or organization conducting health research in the United States, regardless of the source of data or funding.
• Entail clear, goal-oriented, rather than prescriptive, regulations.
• Require researchers, institutions, and organizations that store health data to establish strong data security safeguards.
• Make a clear distinction between the privacy considerations that apply to interventional research and research that is exclusively information based.
• Facilitate greater use of data with direct identifiers removed in health research, and implement legal sanctions to prohibit unauthorized reidentification of information that has had direct identifiers removed.
• Require ethical oversight of research when personally identifiable health information is used without informed consent. HHS should develop best practices for oversight that should consider:
  - Measures taken to protect the privacy, security, and confidentiality of the data;
  - Potential harms that could result from disclosure of the data; and
  - Potential public benefits of the research.
• Certify institutions that have policies and practices in place to protect data privacy and security in order to facilitate important large-scale information-based research for clearly defined and approved purposes, without individual consent.
• Include federal oversight and enforcement to ensure regulatory compliance.

The committee concluded that the HIPAA Privacy Rule impedes important health research and does not protect privacy as well as it should. Rather than offering an effective and comprehensive approach to solving the real problems of protecting privacy while ensuring the vitality of the national research agenda, the Privacy Rule often focuses on formalistic issues. A new approach to protecting the privacy of personally identifiable information used in health research should both provide strong and effective protection for often-sensitive personally identifiable health information and facilitate scientific discovery and medical innovation necessary to save lives and enhance the quality of the public’s health. It should do so in a way that does not burden individuals with a flurry of health privacy notices and consent forms, or burden our health care system with a new level of bureaucracy and expense.

A new framework developed by HHS and other relevant agencies that emphasizes privacy, security, accountability, and transparency and is applicable to all health research in the United States would eliminate confusion, reduce variability, facilitate responsible research, and enhance trust in the research enterprise. Clear and simple regulations that are less subject to varying interpretation by ethical oversight boards, as well as federal oversight and enforcement of regulatory compliance, will be important to consistently and efficiently ensure privacy and instill trust while enabling important research.

The committee favors an approach in which both ethical health research and privacy protections are supported. Informative examples for such an approach include Ontario’s Personal Health Information Protection Act (PHIPA) 18 and a similar model recently proposed in the United Kingdom. 19 Ontario’s PHIPA shares a number of similarities with the HIPAA Privacy Rule. In general, both rules require the holder of personally identifiable health data to obtain informed consent (referred to as authorization in the Privacy Rule) before using those data for a purpose other than providing services directly related to the health care of the patient. If a researcher wishes to use personally identifiable health data without obtaining informed consent, both rules require the researcher to obtain a waiver of informed consent approved by an independent ethics board before the study begins.

However, the HIPAA Privacy Rule and PHIPA do have some key differences. One major difference is that unlike the HIPAA Privacy Rule, which applies privacy obligations unevenly across the health care sector, PHIPA applies to health information custodians (HICs; e.g., providers, hospitals, and pharmacies) that collect, use, and disclose personally identifiable health information, as well as to non-HICs that receive personally identifiable health information from a HIC. Thus, the privacy protections follow the data.

Another important difference is that PHIPA permits HICs to disclose personally identifiable health information without consent to “prescribed persons or entities,” who must have in place practices, policies, and procedures approved by Ontario’s Information and Privacy Commissioner to protect the privacy and confidentiality of personally identifiable health information it receives and maintains. The prescribed persons or entities may then disclose information to researchers either in deidentified form, or in identifiable form with approval of a Research Ethics Board (the Canadian equivalent of an IRB or Privacy Board). Consistent with the principle of transparency, a prescribed entity must also make public a description of its functions and a summary of its practices, policies, and procedures. A similar approach to prescribed entities was recommended in a report commissioned by the United Kingdom’s Prime Minister on secondary uses of personal information. This report suggested the creation of “safe harbors,” which have three defining characteristics: (1) they provide a secure environment for processing personally identifiable health data, (2) they are restricted to “approved researchers” who meet relevant criteria, and (3) they implement penalties and allow for criminal sanctions against researchers who abuse their access to personally identifiable data. The committee believes that such an approach, combined with strong security measures, offers adequate privacy protections for personally identifiable health information in information-based health research, while greatly expanding research opportunities.

Health research increasingly relies on the review of information about patients’ actual experiences with treatments to determine the risks and benefits of drugs and other therapies, in addition to traditional interventional and comparative clinical trials with patients. Regulations under a new approach to ensuring privacy in health research should acknowledge the fact that research based exclusively on information (e.g., using medical records or stored biological samples) is not the same as direct, interventional human subjects research. For that reason, applying the same human subjects protections in these two different scenarios is neither appropriate nor justifiable. Promoting individual autonomy is essential when a person’s health care or participation in clinical research is considered. The purpose of informed consent in this type of research is mainly to protect research participants from physical harm by providing a description of the potential risks and benefits of the study. In contrast, in information-based research that relies solely on medical records and stored biospecimens, the research participant faces no risk of direct physical harm. In this context, informed consent (authorization) is intended to ensure that individuals are able to exercise control over their personal information that is held by third parties, and to give individuals the right to determine whether their personal information can be used in a particular research project (or a series of such projects, if consent for future research is permitted).

Because of these fundamental differences between information-based research and direct, interventional human subjects research, the committee suggests a two-part practical approach to protecting health information privacy. First, all interventional research, regardless of funding source and support, should be required to comply with the Common Rule and all researchers who gain access to personally identifiable health information as part of the interventional research should be required to protect that information with strong security measures. Research participants should be allowed to provide consent for future research uses of data and biological materials collected as part of the interventional study as long as an IRB reviews and approves the future uses, ensuring that the new study is not incompatible with the original consent.

Second, a new approach to uniform, goal-oriented oversight of information-based research should be developed by HHS and other relevant federal agencies, with a focus on best practices in privacy, security, and transparency as in PHIPA and the proposed United Kingdom model. This new approach should include a mechanism by which some programs or institutions could be certified by HHS or another accrediting body, similar to a prescribed entity as in PHIPA or a safe harbor as in the United Kingdom model. Such entities could then collect and analyze personally identifiable health information for clearly defined and approved purposes, without individual consent. Because of the administrative requirements in becoming certified, this option is most appropriate for disease registries and other very large scale research databases. Certified entities could also aggregate personally identifiable data from multiple sources, and then provide data to researchers with direct identifiers removed, under strict security requirements. This would facilitate greater use of data with direct identifiers removed in research because the aggregated datasets would be more complete and thus would lead to more accurate conclusions. To further protect privacy, unauthorized reidentification of information that has had direct identifiers removed should be prohibited by law, and violators should face legal sanctions.

In cases where researchers cannot use data with direct identifiers removed, and personally identifiable health information is needed for research, approval and oversight by an ethics oversight board should be required, partially analogous to what is now done under the HIPAA Privacy Rule and PHIPA. This oversight board could perhaps entail a new body specifically formulated to review medical records research, rather than relying on traditional IRBs that were created to review interventional research. If researchers seek a waiver of patient consent, an ethics oversight board should consider the measures to be taken to protect the privacy and confidentiality of the data, the potential harms that could result from disclosure of the data, and the potential public benefits of the proposed research study. In order to facilitate consistent application of this option, HHS will need to develop clear guidance and best practices on how to assess the potential harm, the proposed measures to protect privacy and confidentiality, and the potential public benefits of a research study, as has been done under PHIPA.

There is a great deal of variability in whether and how IRBs and other ethical oversight boards consider the public benefit and scientific merit of research proposals. But the first rule of ethical research is that the research must have scientific value—meaning that it addresses an important question of human health and is designed and conducted using methodology that is appropriate and rigorous. The scientific merit of research varies by project, just as the potential risk to privacy of research varies across different protocols. The committee believes that when making decisions about whether a research protocol that entails the disclosure of personally identifiable information should go forward, ethical oversight boards should take all of these factors—potential risks/harms to research participants’ privacy as well as scientific merit and potential public benefit of the research proposal—into consideration.

A previous IOM committee on Assessing the System for Protecting Human Research Subjects recommended that “human research participant protection programs” use distinct mechanisms for initial reviews of scientific merit and that these reviews should precede and inform the comprehensive ethical review of research studies. Ethical oversight board members themselves may not have the expertise to assess the merit of diverse research studies, but they should have access to evaluations by scientific review committees or funder peer review panels, which would help them assess the anticipated benefits of a proposed research project.

Although expectations regarding privacy vary among different demographic groups, public opinion polls suggest that a significant portion of the American public would like to control all access to their medical records for research via an individual consent mechanism. However, obligations to implement comprehensive privacy protections—such as security, transparency, and accountability—are independent of patient consent. Moreover, the committee concluded, based on considerable testimony and other evidence, that a universal requirement for informed consent can lead to invalid results because of significant differences between patients who do or do not grant consent, and to missed opportunities to advance medical science because it can be prohibitively costly and difficult to obtain consent for studies that require analysis of very large datasets. As a result, the committee’s new framework includes two alternatives to consent that can be used in certain circumstances (e.g., disclosure to a certified entity and waiver of informed consent by an ethics review board), which are intended to facilitate research that is socially beneficial and to protect privacy through increased security, transparency, and accountability.

If society seeks to derive the benefits of medical research in the form of improved health and health care, information should be shared to achieve that greater good, and governing regulations should support the use of such information, with appropriate oversight. In the committee’s proposed new framework, the greater emphasis on ensuring the security protections of personally identifiable health information, facilitating research using data with direct identifiers removed, and ensuring the scientific merits of any proposed research in the new framework should help to foster its acceptability. Nonetheless, effective communication with the public about how health research is done and the value it provides (the committee’s Recommendation III.C below) will be important to address concerns and gain acceptance.

The committee’s proposal for a new approach to ensuring privacy in health research that is uniformly applicable to all health research in the United States is especially timely because Congress has shown considerable interest in producing new legislation to facilitate the implementation of a nationwide health information technology system. Such a system has been hailed as a means of addressing rising health care costs and improving the quality and efficiency of health care, but privacy concerns are emerging as a primary obstacle to the implementation of such a nationwide system. Some legislative proposals would follow the HIPAA model of privacy protections, while others would require different or additional approaches to ensure the privacy of electronic health records. A nationwide health information technology system has the potential to accelerate health research by making large amounts of health data available to study and thus could lead to major advances in medicine. Nevertheless, caution is warranted in developing new regulations because the adoption of new, restrictive regulations might actually impede health research, to the great detriment of patients and society.

If Recommendation I is not implemented and the nation continues to rely on the HIPAA Privacy Rule for protecting privacy in health research, the committee proposes an alternative set of recommendations (Recommendations II.A–C) that could address some of the problems uncovered during the course of this study, by improving the HIPAA Privacy Rule and associated guidance.

II. Revise the Privacy Rule and Associated Guidance

Recommendation II.A: HHS should reduce variability in interpretations of the HIPAA Privacy Rule in health research by covered entities, IRBs, and Privacy Boards through revised and expanded guidance and harmonization.

One of the weaknesses in the current privacy protection system is that there is extreme variability in the regulatory interpretations and approval decisions among IRBs and Privacy Boards. Regulatory language often is not easily understandable and is subject to wide interpretation. Thus local IRBs and Privacy Boards interpret state and federal regulations independently, resulting in a great deal of variation in how the regulations are implemented. For example, projects that are similar in design and intent may be granted a waiver of individual authorization by some IRBs and Privacy Boards, but not others, on the basis of differing interpretations of the Privacy Rule’s waiver criteria. In addition, some IRBs and Privacy Boards may conflate the Common Rule and Privacy Rule, or apply the research provisions of the Privacy Rule to activities for which they are not applicable, such as public health practice or the operation of cancer registries.

Furthermore, in the case of the HIPAA Privacy Rule, covered entities that disclose PHI are regulated, not the health researchers who receive the information. As a result, covered entities, as well as IRBs and Privacy Boards, may be reluctant to permit disclosures of PHI that would allow health research to go forward, even in situations where it is ethically and legally justified. Lacking sufficient guidance from HHS, IRBs and Privacy Boards sometimes interpret the HIPAA Privacy Rule too conservatively out of concern that a particular health research activity might result in institutional noncompliance with the Privacy Rule.

HHS intended to allow IRBs and Privacy Boards to have some local control in implementing and interpreting the HIPAA Privacy Rule as it applies to the use and disclosure of PHI for research. The committee’s recommendations below are intended not to reduce the decision-making powers and flexibility of local IRBs and Privacy Boards, but rather to make it easier for IRBs and Privacy Boards to review research proposals fairly and quickly. Additional guidance and clarification from HHS on the specific points listed below, along with specific case examples to help delineate what is or is not permissible under the Privacy Rule, would make it easier for IRBs and Privacy Boards to make the appropriate review decisions.

Recommendation II.A.1: HHS should develop a dynamic, ongoing process to increase empirical knowledge about current “best practices” for privacy protection in responsible research using PHI, and promote use of those best practices. HHS should regularly convene consensus development conferences in collaboration with health research stakeholders to collect and evaluate current practices in privacy protection in order to identify and disseminate best practices. Stakeholders can then enable and encourage researchers to use these best practices in designing and conducting research involving the use of PHI.

There are many diverse approaches to health research. The broad array of methods and data sources for such research presents a challenge to IRBs and Privacy Boards that must determine how various state and federal regulations apply to each research protocol. Uncertainty about how the various regulations apply to a given protocol can lead to overly conservative decisions by these boards, making it more difficult for some important health research to go forward. For example, some covered entities misinterpret the Privacy Rule by requiring researchers to obtain authorization from next of kin in order to access the PHI of decedents, which is not required under the provisions. Such factors contribute to the tremendous variability in the decisions made by IRBs and Privacy Boards.

Current guidance from HHS addresses only what is permissible under the HIPAA Privacy Rule; the guidance does not identify best practices. A dynamic, ongoing process for the identification and dissemination of best practices in privacy protection for various types of health research by HHS would facilitate reviews by IRBs and Privacy Boards and lead to more consistent and appropriate decisions. HHS guidance materials with best practices and models or templates for things such as the patient authorization form, waiver of authorization form, data use agreements, and business associate agreements would make it easier for investigators to appropriately design research projects and put institutions at ease about decisions their IRBs and Privacy Boards make with regard to privacy concerns. Such guidance materials should be written as clearly and simply as possible, using an inclusive, dynamic, and transparent development process, and should override all prior guidance documents.

The committee believes that a proactive role by HHS in disseminating guidance changes to IRBs and Privacy Boards is essential. This endeavor could perhaps be accomplished as an activity of the National Institutes of Health Roadmap for Medical Research under the direction of the HHS Office for Civil Rights. An informative precedent for the dissemination efforts might be the Health Resources and Services Administration’s development of the National Practitioner Data Bank (NPDB) Guidebook, 20 an activity established through Title IV of the Healthcare Quality Improvement Act of 1986. The NPDB Guidebook, which is frequently updated, provides many case examples of what should be done in various situations.

Stakeholders—including researchers; research institutions, IRBs, and Privacy Boards; sponsors of research; public health practitioners and agencies; patient and consumer organizations; and privacy experts—could have considerable influence on the adoption of best practices once they have been identified, so they could help to make privacy protections and IRB/Privacy Board decisions more uniform. For example, Requests for Proposals and other funding mechanisms could be more instructive on the requirements for the protection of privacy.

Many academic researchers depend on their ability to procure funding from a source external to their institutions, and research sponsors have obligations to protect research participants. Thus, major nonfederal funders of health research could be a powerful force for adherence to ethical guidelines even in the absence of strong federal regulations and enforcement. Organizations whose primary missions are focused on promoting responsible and ethical research—such as PRIM&R (Public Responsibility in Medicine and Research) and the Association for the Accreditation of Human Research Protection Programs, Inc., which serve as primary educational vehicles for IRB professionals and offer certification programs—could also contribute much to this dynamic and ongoing process. Increased participation in these organizations by research investigators in particular could extend understanding of regulatory requirements and foster national discourse about issues of interpretation and application of the HIPAA Privacy Rule.

Recommendation II.A.2: HHS should encourage greater use of partially deidentified data called “limited datasets” and develop clear guidance on how to set up and comply with the associated data use agreements more efficiently and effectively, in order to enhance privacy in research by expanding use and usability of data with direct identifiers removed.

The HIPAA Privacy Rule and the Common Rule both exempt from their provisions research using health data from which personal identifiers have been removed. Because the two rules define personally identifiable information and deidentification differently, however, there is a discrepancy between what research involving existing data is exempt from the Common Rule and what research is exempt from the Privacy Rule.

The standard for deidentification as defined in the Common Rule is that the identity of the subject may not be readily ascertained by the health researcher (e.g., “anonymized” datasets with no direct identifiers included). 21 Thus, health research using information recorded in such a manner that subjects cannot be readily identified is exempt from the Common Rule. 22

Under the HIPAA Privacy Rule, there are two ways to deidentify health information so that it is exempt from the Privacy Rule. One is to remove 18 specified identifiers that identify or could provide a reasonable basis to identify an individual, including both direct identifiers (e.g., name, address, medical records number, Social Security number, health plan beneficiary number) and indirect identifiers (e.g., dates of service and geographic subdivisions smaller than a state). 23 The second way is to have a qualified statistician determine that the risk is very small that any identifiers present on a given data file could be used alone, or in combination with other available information, to identify an individual. 24

This discrepancy between deidentification standards under the two rules can give rise to situations in which research with anonymized data that is exempt from IRB oversight under the Common Rule may still require a decision by an IRB or a Privacy Board to determine if a waiver of individuals’ authorization of disclosure for the use of their information for research purposes is appropriate under the Privacy Rule. However, IRBs have not had to review these protocols in the past, and they may have difficulty in making appropriate decisions about waivers.

The HIPAA Privacy Rule’s restrictions put greater emphasis on the possibility that deidentified health data could be reidentified using publicly available databases. Record linkage technology has advanced rapidly in the past 10 years, making reidentification of data easier now than when the Common Rule was implemented. Yet many researchers maintain that removing all 18 data categories required by the HIPAA Privacy Rule can render a dataset unusable for research. Several organizations—including the Secretary’s Advisory Committee on Human Research Protections (SACHRP), NCVHS, and the Association of American Medical Colleges—have recommended changing the HIPAA Privacy Rule to reduce the number of identifiers that must be removed for a dataset to be considered deidentified and thus exempt from IRB and Privacy Board oversight if used in health research. Some elements of the 18 identifiers (e.g., ZIP Codes, geographic subdivisions, and dates of service or tissue collection) do not directly identify individuals, and are essential for some types of health research, such as epidemiology or studies of disease incidence.

In 2002, in response to the concerns that had been raised, HHS modified the HIPAA Privacy Rule to create a category of partially deidentified data called the “limited dataset,” in which health information that is stripped of the 16 most direct identifiers can be used and disclosed for research without obtaining individuals’ authorization or an IRB/Privacy Board waiver if the covered entity enters into a data use agreement (DUA) with the recipient of the data. 25 Geographic subdivisions (other than street addresses) and dates and other numbers, characteristics, or codes not listed as direct identifiers in the regulation can be included in a limited dataset, making it more useful for research.
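As an added illustration (not from the report), the following Python routine contrasts the two transformations the preceding paragraphs describe: Safe Harbor deidentification, which removes all 18 identifier categories, and the limited dataset, which removes only the 16 direct identifiers and keeps dates and geography. The field names, the sample record, and the set of populous ZIP3 prefixes are constructed assumptions.

```python
"""Safe Harbor de-identification versus a HIPAA limited data set.

Added example, not part of the report. Field names, the sample record and
the set of populous ZIP3 prefixes are constructed assumptions; the identifier
lists follow 45 CFR 164.514(b) (Safe Harbor) and 164.514(e) (limited data set).
"""
from datetime import date

# The 16 direct identifiers a limited data set must exclude (164.514(e)).
# Dates, town/city, state, ZIP code and age may remain in a limited data set,
# which is why it is useful for epidemiology but still needs a data use agreement.
LDS_DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
})

# Safe Harbor (164.514(b)(2)) additionally removes the indirect identifiers:
# geography smaller than a state, all date elements except year, ages over 89.
SAFE_HARBOR_GEOGRAPHY = frozenset({"city", "county"})
SAFE_HARBOR_DATE_FIELDS = frozenset({"birth_date", "admission_date",
                                     "discharge_date", "death_date"})


def limited_data_set(record: dict) -> dict:
    """Strip only the 16 direct identifiers; keep dates, city/state/ZIP, age."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}


def remaining_direct_identifiers(record: dict) -> set:
    """Fields a covered entity must confirm are absent before releasing a
    limited data set under a DUA (an empty set means none remain)."""
    return set(record) & LDS_DIRECT_IDENTIFIERS


def safe_harbor(record: dict, populous_zip3: frozenset) -> dict:
    """Apply the Safe Harbor method: remove all 18 identifier categories.

    populous_zip3 holds the 3-digit ZIP prefixes whose combined area has more
    than 20,000 people (from Census data in practice; constructed here).
    Free-text fields are not inspected; the catch-all category (any other
    unique identifying number, characteristic or code) needs separate review.
    """
    over_89 = record.get("age", 0) > 89
    out = {}
    for field, value in record.items():
        if field in LDS_DIRECT_IDENTIFIERS or field in SAFE_HARBOR_GEOGRAPHY:
            continue
        if field in SAFE_HARBOR_DATE_FIELDS:
            if field == "birth_date" and over_89:
                continue  # a birth year would reveal an age over 89
            out[field[:-len("_date")] + "_year"] = value.year  # year only
        elif field == "zip":
            prefix = value[:3]
            out["zip3"] = prefix if prefix in populous_zip3 else "000"
        elif field == "age":
            out["age"] = "90+" if over_89 else value  # ages over 89 aggregated
        else:
            out[field] = value  # clinical content such as codes and lab values
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "12 Example Lane",
    "city": "Baltimore",
    "state": "MD",
    "zip": "21218",
    "birth_date": date(1931, 4, 2),
    "admission_date": date(2014, 11, 5),
    "age": 83,
    "mrn": "MRN-000123",
    "email": "jane@example.org",
    "diagnosis_code": "I10",
    "glucose_mg_dl": 104,
}
POPULOUS_ZIP3 = frozenset({"212"})  # constructed; a real check uses Census counts

if __name__ == "__main__":
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    print("safe harbor:", safe_harbor(SAMPLE_RECORD, POPULOUS_ZIP3))
```

Note that the limited dataset output still carries full dates and the city, which is exactly why the Privacy Rule conditions its release on a signed data use agreement rather than treating it as deidentified.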

Currently, however, there is pervasive confusion regarding the conditions of DUAs and how recipients may meet those conditions. As a result, in some health care settings, the burden of establishing a DUA prevents research from going forward. However, at the other extreme, some covered entities sign DUAs as a matter of course, providing little meaningful privacy protection to the patient. The committee recommends that HHS ameliorate this situation by issuing clear guidance on how to set up and comply with data use agreements more efficiently and effectively, with a goal-oriented focus on the safeguards that researchers should use to protect individuals’ privacy.

Recommendation II.A.3: HHS should clarify the distinctions between “research” and “practice” to ensure appropriate IRB and Privacy Board oversight of PHI disclosures for these activities. HHS should consult with relevant stakeholders to develop standard criteria for IRBs and Privacy Boards to use when making distinctions between health research and related endeavors such as public health practice and quality improvement practices. These criteria should be evaluated regularly by HHS to ensure that the criteria are helpful and producing the desired outcomes.

The HIPAA Privacy Rule makes a somewhat artificial distinction between health research and some closely related activities, such as public health and quality improvement activities, which also may involve collection and analysis of PHI. Under the Privacy Rule (as well as the Common Rule), these activities, which aim to protect the public’s health and improve the quality of patient care, are considered health care “practice” rather than health research.

HHS considered public health and quality improvement activities important enough to give them special status under federal regulations by permitting them to be undertaken without authorization or an IRB/Privacy Board waiver of authorization. Yet it can be a challenge for IRBs and Privacy Boards, researchers, health care practitioners, and research participants to distinguish among activities that are or are not subject to the various provisions of the Privacy Rule (and the Common Rule). Inappropriate decisions may prevent important activities from being undertaken or could potentially allow disclosures of PHI that are not permitted under the regulations.

A number of models outlining the criteria IRBs and Privacy Boards should use to distinguish practice and research have been proposed to address these difficulties. One recent model, for example, provides a detailed checklist for IRBs and Privacy Boards to use in determining whether an activity is (1) public health “research” that must comply with the research provisions of the Privacy Rule, or (2) public health “practice” that does not need IRB or Privacy Board review. 26

The committee believes that standardizing the criteria is essential to support the conduct of these important health care activities. For that reason, the committee recommends that HHS convene the relevant stakeholders to develop standard criteria for IRBs and Privacy Boards to use when making decisions about whether protocols entail research or practice, using the available models above as examples. The regulation should have enough flexibility to allow important activities to go forward with appropriate levels of oversight. In addition, it will be important to evaluate whether these criteria are effective in aiding IRB/Privacy Board reviews of proposed protocols and whether they lead to appropriate IRB/Privacy Board decisions.

Recommendation II.A.4: HHS guidance documents should simplify the HIPAA Privacy Rule’s provisions regarding the use of PHI in activities preparatory to research and harmonize those provisions with the Common Rule, in order to facilitate appropriate IRB and Privacy Board oversight of identification and recruitment of potential research participants.

Many research studies, especially those focused on rare conditions with limited eligible patient populations, rely on large-scale medical chart reviews and searches of patient databases to identify patients who might be eligible for and might benefit from a particular study. Sufficient patient enrollment in a timely fashion is essential to ensure the meaningfulness and reliability of the research results. Researchers may also need to examine medical records in order to develop useful and appropriate research designs and protocols.

The HIPAA Privacy Rule has some specific provisions that allow a covered entity to use or disclose PHI without an individual’s authorization if the information is to be used for research. One provision allows a covered entity to use and disclose PHI without an individual’s authorization if the covered entity obtains the following representations from the researcher: (1) the use or disclosure of the information is solely to prepare a research protocol or is otherwise preparatory to research; (2) the researcher will not remove any PHI from the covered entity; and (3) the PHI for which access is sought is necessary for the research. 27 However, there is widespread confusion regarding what is permitted under this provision of the Privacy Rule. Surveys and studies also indicate that recruiting patients for research has become more difficult and costly under the HIPAA Privacy Rule.

HHS has issued multiple guidance statements to help address this confusion, but these guidance statements, some of which have been contradictory, have failed to solve the problem.

According to current HHS guidance on the Privacy Rule, researchers (both internal and external to a covered entity) may conduct a review of medical records under the Privacy Rule’s exception that allows the use and disclosure of PHI without an individual’s authorization if the information is being used by a researcher for activities preparatory to research. However, HHS guidance also specifies that only internal researchers (an employee or member of the covered entity’s workforce) may contact potential research participants about the possibility of enrolling in a study under this provision of the Privacy Rule. External researchers are not allowed to record or remove patient contact information from a covered entity. They must get a partial waiver from an IRB or Privacy Board to perform any recruitment activities. This interpretation of the Privacy Rule creates an artificial distinction between internal and external researchers that actually provides less privacy protection than that afforded by the Common Rule, which requires that any activities preparatory to research involving human subjects, or related to initial recruitment of subjects for research studies, be reviewed and approved by an IRB. Thus, the HIPAA Privacy Rule permits conduct that is prohibited by the Common Rule.

According to SACHRP, HHS statements regarding these provisions for activities preparatory to research have led to “enormous confusion,” and many “institutions are hesitant to permit many recruitment activities critical to the continuation of the research enterprise, out of fear that they are in some way misinterpreting the government’s current positions on research recruitment.” In 2004 SACHRP indicated that it was “very concerned that the bureaucratic complexities here undermine, rather than enhance, the attention that needs to be paid to the welfare and interests of subjects in the research recruitment process.”

To address these issues, the committee recommends that all researchers (including those internal to the covered entity) be required to obtain IRB approval (as required under the Common Rule) prior to contacting potential research participants. When making a decision about whether to approve research projects, the IRB should review and consider the investigator’s plans for contacting patients, and ensure that the information will be used only for research projects approved by the IRB and will not be disclosed elsewhere. The committee believes that IRBs can protect research participants, including their privacy and confidentiality interests, but as noted in Recommendation II.A.1, educational outreach by HHS is needed to address misunderstandings of these provisions.

Recommendation II.B: HHS should develop guidance materials to facilitate effective use of existing data and materials for health research and public health purposes.

Many institutions create and maintain databases with patient health information or repositories with biological materials collected from patients. These databases and biospecimen banks are used for many types of health research, including studies to understand diseases or to compare patient outcomes following different treatments.

Current interpretations of provisions of the HIPAA Privacy Rule sometimes make it difficult to effectively use these valuable resources for health research. Currently, for example, HHS interprets the Privacy Rule as prohibiting patient authorization for future research use of PHI associated with the individuals’ biospecimens collected in the course of a clinical trial or treatment by covered entities.

Such interpretations of the HIPAA Privacy Rule create confusion and unnecessary burdens for patients and researchers alike and lead to lost opportunity by impeding important health research. Furthermore, because such interpretations are inconsistent with the Common Rule, they lead to inequities between covered entities and non-covered entities that hold databases and biospecimen banks.

The committee’s four specific recommendations below are intended to facilitate important health research by maximizing the usefulness of patient data associated with biospecimen banks and in research databases, thereby allowing novel hypotheses to be tested with existing data and materials as knowledge and technology improve. The recommendations would align interpretation of the HIPAA Privacy Rule with the Common Rule on several points, simplify or clarify the relevant processes in research, and develop new tools for data aggregation.

Recommendation II.B.1: HHS should develop guidance that clearly states that individuals can authorize use of PHI stored in databases or associated with biospecimen banks for specified future research under the HIPAA Privacy Rule with IRB oversight, as is allowed under the Common Rule, to facilitate use of repositories for health research. Future uses should be described in sufficient detail to allow individuals to give informed consent. IRBs should determine that the new research is not incompatible with the initial consent.

Databases and biospecimen banks, once created, offer a cost-effective resource of information for rapidly addressing new health research questions as technologies and knowledge advance. Collecting the data and biospecimens necessary to address each new research question as it arises would take years, or even decades, at great expense. Thus, the pace and efficiency of medical progress is enhanced significantly by using established resources whenever feasible. When new potential prognostic markers of disease are identified, for example, they must be validated by studying the markers in many patients over the course of the disease. Examining samples stored in biobanks, where disease progression has already been recorded over many years, is a fast and relatively inexpensive way of determining whether the marker has promise for clinical use and warrants further investigation.

The provisions of the HIPAA Privacy Rule, as interpreted by HHS, may impede research with established biospecimen banks and databases. The Privacy Rule requires an individual’s authorization for the use or disclosure of protected information to describe, with specificity, the purpose of the proposed use or disclosure of such information. 28 HHS regards all future uses of PHI as nonspecific—and therefore ineligible for inclusion in an authorization for the collection and storage of biological materials and data. In contrast, the Common Rule makes it possible to obtain individuals’ consent to future use or disclosure of their health information for health research, with IRB oversight, as long as any intended future use is described in sufficient detail to allow informed consent.

HHS has maintained that allowing individuals to authorize future uses of their PHI could leave decisions about future research projects at the discretion of covered entities, because the HIPAA Privacy Rule, unlike the Common Rule, does not require IRB or Privacy Board review of research uses and disclosures made with individual authorization. 29 For that reason, HHS requires that individuals be recontacted to obtain their authorization for the use or disclosure of their existing data and biospecimens for any additional research studies undertaken unless the researchers obtain a waiver or alteration of individual authorization. Recontacting individuals to obtain their additional authorization is often impractical. Even when another contact is possible, the process can be intrusive and burdensome for patients and their families.

As long as an IRB is overseeing the research, obtaining individuals’ authorization for future use of their information in existing databases and biospecimen banks in health research should be adequate for protecting privacy. One way to overcome the discordance between the Privacy Rule and the Common Rule would be for HHS to issue guidance explicitly stating that future research may go forward if the following conditions are met: (1) the individual’s authorization describes the types or categories of research that may be conducted with the PHI stored in the database or biobank; and (2) an IRB determines that the proposed new research is not incompatible with the initial consent and authorization, and poses no more than a minimal risk.

Because science is evolving quickly, one cannot adequately anticipate what knowledge will be gained in the future. Significant opportunities for beneficial research could be lost without some revisions in the current interpretation of this portion of the HIPAA Privacy Rule. Databases and biospecimen banks created and maintained with federal funds, in particular, should be used for multiple studies as often as feasible, especially given the high cost of developing such repositories and the high value of investigating and comparing multiple scientific questions from the same pool of data.

Recommendation II.B.2: HHS should develop clear guidance for use of a single form that permits individuals to authorize use and disclosure of health information in a clinical trial and to authorize the storage of their biospecimens collected in conjunction with the clinical trial, in order to simplify authorization for interrelated research activities.

Informed consent and authorization are essential for the protection of individuals who volunteer to participate in clinical trials. Thus, it is imperative that the informed consent and authorization documents are easily understood and meaningful to the individuals involved. Ideally, all relevant information should be integrated into one simple document.

The HIPAA Privacy Rule’s complex provisions have generated misperceptions about restrictions on individuals’ ability to provide compound authorization for the related activities of clinical trial participation and biospecimen donation. Such misperceptions can diminish the informed nature of consent and authorization because they can lead to patient confusion and misunderstanding. HHS has stated that if a covered entity plans to collect and store biospecimens in a research repository in conjunction with a clinical trial, individuals’ authorization for storage of the PHI associated with the repository must be separate from authorization for disclosure of the PHI associated with participation in the clinical trial.

HHS arrived at this interpretation through a series of steps. First, it is generally not permissible to condition treatment on an individual’s authorization for the use of PHI, although the HIPAA Privacy Rule does permit a covered entity to condition treatment in a clinical trial on signing an authorization. 30 Second, although the HIPAA Privacy Rule generally permits researchers to combine an authorization form with any other type of written permission (including another authorization), it prohibits researchers from combining authorizations where the covered entity conditions the provision of treatment on signing only one of the authorizations, but not the other. 31 Because HHS has concluded that collection of PHI for a clinical trial and for a repository are separate research activities, researchers cannot condition participation in the clinical trial on signing authorization to include PHI in a repository. 32

Currently, therefore, the two authorizations cannot be combined in one form unless (1) the form has separate signature lines for each authorization, and (2) the text clearly delineates the two activities and states that the participant is not required to sign the portion authorizing the contribution of PHI to the repository in order to receive treatment in a clinical trial.

There is much confusion about these provisions of the HIPAA Privacy Rule, and some institutions require two complete authorization forms with all the attendant language rather than two signature lines on the same form. The excess paperwork that results is burdensome for patients; can reduce the informed nature of authorization by confusing patients; and may reduce patient participation in research. Guidance from HHS to clearly indicate that a single authorization form with two signature lines is permissible in such circumstances would reduce variability and increase the informed nature of authorization.

Recommendation II.B.3: HHS should clarify the circumstances under which DNA samples or sequences are considered PHI, in order to facilitate appropriate use of DNA in health research.

With recent technological advances in biomedical research, it is now possible to learn a great deal about disease processes and individual variations in treatment effectiveness or susceptibility to disease from genetic analyses because the DNA sequences that make up a person’s genome strongly influence a person’s health. In this genomic age of health research, patient blood and tissue samples stored in biospecimen banks can provide a wealth of information for addressing long-standing questions about health and disease.

But HHS has not yet issued clear guidance on how the HIPAA Privacy Rule applies to DNA samples or sequences. HHS guidance documents indicate that blood or tissue samples themselves are not protected under HIPAA unless they contain or are associated with the 18 personal identifiers specified by the HIPAA Privacy Rule. In addition, HHS has stated that the results of an analysis of blood or tissue, if containing or associated with individually identifiable information, would be PHI. Yet the research community remains uncertain about whether genetic information accompanying biospecimens is protected under the HIPAA Privacy Rule because the list of HIPAA identifiers includes vague terms such as “biometric identifiers” and “unique identifying characteristics.” 33

Genetic information does not itself identify an individual in the absence of other identifying information. Even the European Union, which has a more restrictive privacy regime than the United States, does not consider DNA in and of itself to be a direct identifier. 34 In some circumstances, however, a person’s genetic code could be construed as a unique identifier in that it could be used to match a sequence in another biospecimen bank or databank that does include identifiers. As genetic information becomes more prevalent in research and health care, the latter scenario is more likely to occur. As health care enters the era of personalized medicine, for example, genetic information is more likely to be included in a person’s health records. But at the same time, realization of the promises of personalized medicine will require research on DNA from a great many diverse individuals whose medical history is well documented.

The committee believes that establishing consistent standards for the use and protection of genetic information is important. The committee advocates a focus on strong security measures and recommends the adoption of strict prohibitions on the unauthorized reidentification of individuals from DNA sequences, by anyone.

Regardless of how genetic information is regulated under the HIPAA Privacy Rule, a federal prohibition of genetic discrimination is necessary to allay privacy concerns and diminish potential negative consequences of unintended disclosure of genetic information. Many people are concerned about genetic discrimination—the misuse of genetic information by insurance companies, employers, and others to make decisions based on a person’s DNA. Thus, in addition to protecting the privacy of individuals’ genetic information, it is important to protect people against genetic discrimination. The hope is that the Genetic Information Nondiscrimination Act of 2008, recently signed into law, will begin to address some of these concerns.

Recommendation II.B.4: HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects privacy, confidentiality, and security.

Because a single database may not provide a complete picture of a patient’s condition or health history, it is often necessary to combine information about a patient from multiple sources. However, the way in which the HIPAA Privacy Rule has been interpreted and implemented has made linking data from diverse sources for research purposes more difficult. Thus, the Privacy Rule impedes health research and compromises the value and reliability of research that is undertaken.

Under the HIPAA Privacy Rule, it is possible in principle for a researcher to aggregate PHI from multiple covered entities with individual authorization or with an IRB’s or Privacy Board’s waiver of such authorization. Obtaining individuals’ authorization for research that entails the review of thousands of medical records is unrealistic, though, and even with a waiver of authorization, covered entities with large datasets are now often reluctant to allow researchers access to PHI. More commonly, covered entities provide data to researchers with direct identifiers removed. Because datasets from multiple sources cannot be linked to generate a more complete record of a patient’s health history without a unique identifier, though, datasets with direct identifiers removed are often of minimal value to researchers and are not frequently used. A third party may collect PHI from covered entities and aggregate the data for research by establishing business associate agreements with the various data sources, but in practice, such agreements are used infrequently for this purpose because they are complicated and impractical to set up for individual research projects.

The committee believes a better approach would be to establish secure, trusted intermediaries that could develop a protocol, or key, for routinely linking health data from different sources, and then provide more complete and useful datasets with the identifiers removed to researchers. One way this could be accomplished, for example, might be through data warehouses that are certified for the purpose of linking data from different sources. The organizations responsible for such linking would be required to use strong security measures and would maintain the details about how the linkage was done, should another research team need to recreate the linked dataset. Using such intermediaries would facilitate greater use of health data with direct identifiers removed for research and lead to more meaningful study results while also increasing patient privacy protections and allaying concerns of covered entities.

Some federal agencies are already developing mechanisms for linking information from different sources. The Centers for Medicare & Medicaid Services (CMS), for example, provides a linking service for Medicare and Medicaid data via contractors that create standardized data files tailored for research. CMS also has begun pilot projects to aggregate Medicare claims data with data from commercial health plans and, in some cases, Medicaid, in order to calculate and report quality measures for physician groups.

A broader effort to link data from diverse sources, called the National Health Data Stewardship Entity, has been initiated by the federal Agency for Healthcare Research and Quality (AHRQ). AHRQ is also involved in implementing the Patient Safety and Quality Improvement Act of 2005, which encourages creation of Patient Safety Organizations to receive information from hospitals, doctors, and health care providers on a privileged and confidential basis, for analysis and aggregation. Even though the purpose of these two AHRQ initiatives is to monitor health care quality, 35,36 they could provide a model for data aggregation that is potentially applicable to health research.

The administrative simplification provisions of HIPAA specifically provided for the creation of a unique individual identifier that would permit the linking of data from different sources, but work on developing such an identifier has been halted because there is a great deal of controversy regarding how it could be implemented without compromising individual privacy. In addition, federal agencies are under pressure from the Office of Management and Budget (OMB) to reduce the use of Social Security numbers as unique identifiers. Nevertheless, it is clear that the development of some type of linking key (not based on Social Security numbers) would make linkages among databases more efficient, standardized, and reliable, and less costly. Moreover, this type of linkage could greatly facilitate many types of information-based research and improve quality of care.
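As an added illustration of the intermediary model described in the two preceding paragraphs (this is example code, not code from the report and not any agency’s actual linking service), the Python sketch below shows one way a trusted intermediary could derive a linkage key that is not based on Social Security numbers. It assumes that the contributing sources share a few identifying fields (name, date of birth, sex), that the intermediary alone holds a secret key, and that an HMAC-SHA256 over the canonicalized fields serves as the linkage token; the patient records are constructed for the example. It also shows the failure mode that makes the key essential: an unkeyed hash of the same fields can be reversed by enumerating plausible name and date-of-birth combinations, whereas the keyed token cannot.

```python
"""Keyed linkage tokens for a trusted data-linking intermediary.

Added example, not code from the report or any named agency. Assumptions:
the contributing sources share the fields in LINKAGE_FIELDS, the intermediary
alone holds KEY, and HMAC-SHA256 over the canonicalized fields is the
linkage protocol. All patient records below are constructed.
"""
import hashlib
import hmac
import unicodedata
from typing import Dict, List, Optional

# Direct identifiers that must never leave the intermediary (a subset of the
# HIPAA identifiers, chosen for this example).
DIRECT_IDENTIFIERS = {"name", "dob", "sex", "ssn", "address"}

# Shared identifying fields the token is derived from; deliberately not the SSN.
LINKAGE_FIELDS = ("name", "dob", "sex")

# Hypothetical key; in practice it lives in the intermediary's HSM or KMS.
KEY = b"example-intermediary-linkage-key-not-for-production"


def normalize(value: str) -> str:
    """Canonicalize a field so that case, spacing and accent differences
    between sources still produce the same token."""
    value = unicodedata.normalize("NFKD", value)
    value = "".join(ch for ch in value if not unicodedata.combining(ch))
    return " ".join(value.lower().split())


def canonical_message(record: dict) -> bytes:
    # Field values joined with a unit separator so "ab"+"c" != "a"+"bc".
    return "\x1f".join(normalize(record[f]) for f in LINKAGE_FIELDS).encode("utf-8")


def linkage_token(record: dict, key: bytes) -> str:
    """Keyed token: HMAC-SHA256 over the canonical fields. Without `key` the
    token cannot be recomputed from a guessed name/DOB, which is what makes the
    linked dataset safe to hand to researchers."""
    return hmac.new(key, canonical_message(record), hashlib.sha256).hexdigest()


def unkeyed_hash(record: dict) -> str:
    """The weak alternative: a plain hash of the same fields, which anyone who
    knows the method can recompute."""
    return hashlib.sha256(canonical_message(record)).hexdigest()


def strip_identifiers(record: dict) -> dict:
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def link_sources(sources: Dict[str, List[dict]], key: bytes) -> Dict[str, Dict[str, dict]]:
    """Intermediary step: token each record, drop direct identifiers, and group
    what remains from every source under the token. The result is what a
    researcher receives: linkable across sources, but without names or DOBs."""
    linked: Dict[str, Dict[str, dict]] = {}
    for source_name, records in sources.items():
        for rec in records:
            linked.setdefault(linkage_token(rec, key), {})[source_name] = strip_identifiers(rec)
    return linked


def dictionary_attack(target: str, candidates: List[dict]) -> Optional[dict]:
    """Re-identification attempt by someone who knows the hashing method but
    not the key: enumerate plausible identity combinations and compare."""
    for cand in candidates:
        if unkeyed_hash(cand) == target:
            return cand
    return None


# Constructed sample records (not real patients). Note the formatting
# differences in the claims copy of Jane Doe.
HOSPITAL = [
    {"name": "Jane Doe", "dob": "1970-01-05", "sex": "F", "diagnosis": "E11.9"},
    {"name": "John Roe", "dob": "1962-11-30", "sex": "M", "diagnosis": "I10"},
]
CLAIMS = [
    {"name": "JANE  DOE", "dob": "1970-01-05", "sex": "f", "claim_total": 412.50},
    {"name": "Ann Poe", "dob": "1985-07-19", "sex": "F", "claim_total": 88.00},
]


def demo() -> Dict[str, Dict[str, dict]]:
    linked = link_sources({"hospital": HOSPITAL, "claims": CLAIMS}, KEY)
    for token, parts in linked.items():
        print(token[:16], sorted(parts))  # token prefix and which sources matched
    return linked


if __name__ == "__main__":
    demo()
```

In practice the key would be generated and held in a hardware security module or key management service under the intermediary’s sole control, and the intermediary would record the normalization rules and the key identifier alongside each linked dataset so that another team could reproduce the linkage, as the committee envisions. Real record linkage between sources with inconsistent identifiers usually also adds probabilistic matching, which this deterministic example leaves out.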

Recommendation II.C. HHS should revise provisions of the HIPAA Privacy Rule that entail heavy burdens for covered entities and impede research without providing substantive improvements in patient privacy.

For some provisions of the HIPAA Privacy Rule, the burdens are heavy and the privacy protections are small. Such provisions may need to be reconsidered if society is to derive maximal benefits from health research. The committee recommends revising two components of the HIPAA Privacy Rule that are very burdensome with respect to the level of privacy protection they afford.

Recommendation II.C.1: HHS should reform the requirements for the accounting of disclosures (AOD) of PHI for research. The HIPAA Privacy Rule should permit covered entities to inform patients in advance that PHI might be used for health research with IRB/ Privacy Board oversight or for public health purposes. Accordingly, the Privacy Rule should be revised to exempt disclosures of PHI made for research and public health purposes from the Privacy Rule’s accounting of disclosures requirements. As an alternative to AOD, to ensure transparency, institutions should maintain a list, accessible to the public, of all studies approved by an IRB/Privacy Board.

Under the HIPAA Privacy Rule, individuals have a right to receive an accounting of disclosures, a list of all disclosures of their PHI by a covered entity or the covered entity’s business associates in the past 6 years. According to HHS, the AOD provision of the HIPAA Privacy Rule was intended “as a means for the individual to find out the nonroutine purposes for which his or her PHI was disclosed by the covered entity, so as to increase the individual’s awareness of persons or entities other than the individual’s health care provider or health plan in possession of this information.” The AOD requirement does not constitute an audit trail, though, because the provision has numerous exceptions—including disclosures of PHI for health care operations, pursuant to an authorization, as part of a limited dataset, for national security or intelligence purposes, and to correctional institutions or law enforcement officials.

Disclosures of PHI by covered entities for research purposes under a waiver of individual authorization approved by an IRB or a Privacy Board, or for public health purposes as required by law, must be included in an AOD report. Furthermore, HHS has noted that “making a set of records available for review by a third party constitutes a disclosure of the PHI in the entire set of records, regardless of whether the third party actually reviews any particular record.” The AOD provision of the HIPAA Privacy Rule provides an exception for research involving groups of 50 or more subjects by allowing the covered entity to develop a general list of all protocols for which a person’s PHI may have been disclosed. Even then, however, there is a considerable administrative obligation to generate such a list. Furthermore, in many medical facilities, a general list of protocols is extensive and thus relatively meaningless to a particular patient.

The AOD provision of the HIPAA Privacy Rule places a heavy administrative burden on health systems and health services research that achieves little in terms of protecting privacy. Moreover, HHS has provided no guidance to covered entities about practical ways to fulfill this requirement in an efficient manner. On the basis of testimony in 2004, the Secretary’s Advisory Committee on Human Research Protections concluded that the cost and burden of compliance with the HIPAA Privacy Rule’s AOD requirements were so high that institutions were likely to accept the risk of noncompliance rather than incur the cost of compliance.

Annual surveys of health care privacy officers undertaken by the American Health Information Management Association (AHIMA) since 2004 have similarly found that many facilities report difficulties with the AOD requirement. Such surveys have also found that the demand for AOD reports by individuals is extremely low. Two thirds of health care privacy officers participating in the survey reported receiving no requests at all. Nearly one third of respondents indicated that they would like to see a change to the AOD provision of the HIPAA Privacy Rule—the most frequently cited provision among all respondents and the most frequently cited provision by far among respondents with more than 20,000 admissions/discharges per year. On the basis of these results, AHIMA concluded that “for many, this [AOD] provision is not only burdensome but also significantly inefficient.” 37

Robust safeguards are already in place to protect the privacy of PHI disclosures in health research via IRBs and Privacy Boards. As the health care system moves toward broader implementation of electronic health records, however, automatic tracking of audit trails will be important to incorporate. Technology advances will likely make automatic AOD tracking feasible, affordable, and widely available in the future. Until then, the committee recommends that disclosures of PHI made for health research and public health purposes be exempted from the HIPAA Privacy Rule’s AOD requirement.

Recommendation II.C.2: HHS should simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study, in order to facilitate appropriate authorization requirements for responsible research. If HHS decides to retain the current waiver criteria, HHS should provide clear and reasonable definitions of terms used in those criteria, such as “minimal risk” to the privacy of individuals (in the first criterion) and “impracticable” (in the second and third criteria). HHS should also provide specific case examples of what should or should not be considered impracticable or of minimal risk.

Under the HIPAA Privacy Rule, researchers seeking to use PHI in medical records for research must obtain authorization from each patient unless an IRB or a Privacy Board makes a determination that a waiver of individual authorization is warranted. For many types of research with medical records, making that determination is a challenge for IRBs and Privacy Boards. Many studies involve thousands of records, making individual authorization unrealistic. But the criteria in the HIPAA Privacy Rule that IRBs and Privacy Boards apply in making these decisions are complex and very subjective.

Currently, IRBs and Privacy Boards must use three criteria in considering whether to approve a waiver of individual authorization for the use of PHI in research. 38 The first criterion is that the use or disclosure of PHI in the research involves no more than a “minimal risk” to the privacy of individuals. The Privacy Rule lists three elements that must be present in making this determination: (1) “an adequate plan to protect the identifiers from improper use and disclosure;” (2) “an adequate plan to destroy the identifiers;” and (3) “adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI is otherwise permissible.” However, the decision about what is “adequate” is highly subjective, and thus different institutions are likely to set varying thresholds for “minimal risk.”

The other two criteria that IRBs or Privacy Boards currently must use in considering whether to approve a waiver of individual authorization are (1) that “the research could not practicably be conducted without the waiver;” and (2) that the “research could not practicably be conducted without access to and use of PHI” 39 (as opposed to deidentified data or a limited dataset). The concept of practicability is used in both the Common Rule and in the HIPAA criteria for waiver of authorization, but what is “practicable” or “impracticable” has never been adequately defined by the HHS Office for Human Research Protections or the HHS Office for Civil Rights (e.g., with regard to cost/feasibility). Not surprisingly, therefore, institutions apply varying definitions independently, often too conservatively to allow even low-risk research to proceed. Some institutions interpret the term impracticable to mean not at all possible and even require researchers to demonstrate that a study will fail without a waiver of authorization. The lack of clarity leads to a great deal of variability across institutions and impedes research. Patients have also questioned the meaning of the term.

Simplification or clarification by HHS of the criteria that IRBs or Privacy Boards must use in deciding whether to approve a waiver of individual authorization would be especially helpful for multi-institutional studies, which fall under the jurisdiction of multiple IRBs or Privacy Boards. Covered entities are permitted to rely on a waiver of authorization approved by a single IRB or Privacy Board with jurisdiction. Currently, however, covered entities often decide to require approval from their own IRB or Privacy Board prior to disclosing PHI to the requesting researcher, regardless of whether another IRB or Privacy Board already granted a waiver of authorization. This practice leads to delays and variability in the protocol at different sites.

Simplification of the criteria for approval of waivers by IRBs and Privacy Boards would also be helpful for smaller or community-based institutions that do not have internal counsel or regulatory affairs specialists, and thus are more likely to opt out of research that requires decisions about authorizations. With better guidance, all covered entities would have more confidence in their decisions and might be more willing to rely on a lead IRB or Privacy Board’s decision in the case of multi-institutional studies.

If HHS decides to retain the three criteria that IRBs or Privacy Boards currently use in deciding whether to approve a waiver of individual authorization, however, the committee recommends that HHS provide clear and reasonable definitions of the vague terms used in those criteria. Specifically, HHS should define what constitutes “minimal risk” to the privacy of individuals (in the first criterion) and define what constitutes “impracticable” (in the second and third criteria). HHS should also provide specific case examples of what should or should not be considered impracticable or of minimal risk to reduce variability and overly conservative interpretations.

III. Implement Changes Necessary for Both Policy Options Above (Recommendations I and II)

Regardless of whether Recommendation I or II is implemented, the following recommendations, which are independent of the Privacy Rule, should be adopted. Strong security measures are essential to effective privacy protection, willingness to serve in IRBs is important for ensuring appropriate oversight of research, and the public should be provided with more information about health research.

Recommendation III.A: All institutions (both covered entities and non-covered entities) in the health research community that are involved in the collection, use, and disclosure of personally identifiable health information should take strong measures to safeguard the security of health data. For example, institutions could:
• Appoint a security officer responsible for assessing data protection needs and implementing solutions and staff training.
• Make greater use of encryption and other techniques for data security.
• Include data security experts on IRBs.
• Implement a breach notification requirement, so that patients may take steps to protect their identity in the event of a breach.
• Implement layers of security protection to eliminate single points of vulnerability to security breaches.
In addition, the federal government should support the development and use of:
• Genuine privacy-enhancing techniques that minimize or eliminate the collection of personally identifiable data.
• Standardized self-evaluations and security audits and certification programs to help institutions achieve the goal of safeguarding the security of personal health data.

Effective health privacy protections require effective data security measures. Protecting the privacy of research participants and maintaining the confidentiality of their data have always been imperative to most researchers and a fundamental tenet of clinical research. Recently, however, several highly publicized examples of stolen or misplaced computers containing health data have heightened the public’s concerns about privacy. Such events pose problems not only for patient privacy, but also for health research, because public trust is essential for patients to be willing to participate in research. Moreover, data security is a key component of comprehensive privacy protections. Thus, the committee recommends improving the security of personally identifiable health information.

The HIPAA Security Rule (which entails a set of regulatory provisions separate from the Privacy Rule) already sets a floor for data security standards within covered entities, but not all institutions that conduct health research are subject to HIPAA regulations. Moreover, the security protections intended by the HIPAA Security Rule may not be sufficient to prevent breaches.

The committee recommends that all institutions conducting health research undertake measures to strengthen data protections. Given the recent spate of lost or stolen laptops containing patient health information, for example, encryption should be required for all laptops and removable media containing such data. There are differences among the missions and activities of institutions in the health research community, however, so some flexibility in the implementation of specific security measures will be necessary.

Examples of security standards and guidelines already exist in some sectors, but they are not widely applied in academic settings. The National Institute of Standards and Technology (NIST), for example, has developed standards and guidance for the implementation of the Federal Information Security Management Act of 2002, which was meant to bolster computer and network security within the federal government and affiliated parties (e.g., government contractors). The NIST standards include minimum security requirements for information and information systems, as well as guidance for assessing and selecting appropriate security controls for information systems, for determining security control effectiveness, and for certifying and accrediting information systems. 40

HHS, working through its Office of the National Coordinator for Health Information Technology, 41 could play an important role in developing or adapting standards for health research applications, then encourage and facilitate broader use of such standards in the health research community. The issue of the security of health data will continue to grow in importance as the health care industry moves toward widespread implementation of electronic health records, and Congress has already proposed numerous bills to facilitate and regulate that transition. As noted in the committee’s recommendation about the requirements for the accounting of disclosures of PHI for research above (Recommendation II.C.1), advances in information technology will likely make it easier to implement measures such as audit trails and access controls in the future.

Enhancing security could reduce the risk of data theft and reinforce the public’s trust in the research community by diminishing anxiety about the potential for unintentional disclosure of information. The publication of best practices and outreach to all stakeholders by HHS, combined with a cooperative approach to compliance with security standards such as self-evaluation and audit programs, would promote progress in this area. As noted in Recommendation II.A.1, research sponsors could also play a role in fostering the adoption of best practices in data security.

Recommendation III.B: HHS—or, as necessary, Congress—should provide reasonable protection against civil suits brought pursuant to federal or state law for members of IRBs and Privacy Boards for decisions made within the scope of their responsibilities under the HIPAA Privacy Rule and the Common Rule, in order to encourage service on Institutional Review Boards and Privacy Boards. The limitation on liability for members of IRBs and Privacy Boards should not include protection for willful and wanton misconduct in reviewing the research, but should instead be reserved for good-faith decisions, backed by minutes or other evidence, in responsibly applying the legal requirements under the HIPAA Privacy Rule or the Common Rule.

IRBs, Privacy Boards, and institutions have enormous responsibility in determining whether health research projects are planned and conducted in a way that minimizes or eliminates the potential risk to human research participants, including both direct physical harms and nonphysical harms (e.g., breach of privacy). The workload of IRBs and the complexity of their work have been steadily increasing as a result of new and evolving requirements for research regulation and documentation, including the HIPAA Privacy Rule. Surveys and studies indicate that the IRB review process has become more lengthy and difficult since implementation of the Privacy Rule, which may increase opportunity costs due to delayed or undiscovered research findings that might improve health.

Effective oversight of health research depends on the recruitment of qualified and knowledgeable volunteers to serve on IRBs and Privacy Boards. But the increasing workload and complexity of IRB and Privacy Board service have made it difficult to recruit and retain knowledgeable IRB and Privacy Board members and to ensure time for the ethical reflection necessary to make appropriate decisions about human research projects. Moreover, because of the growth over the past decade of lawsuits naming individual IRB members as defendants, fear of penalties and civil suits can be a significant deterrent in recruiting qualified volunteers to serve on IRBs and Privacy Boards. Such fears could also lead IRB and Privacy Board members to be overly conservative in their decisions about research proposals brought before them.

Members of IRBs and Privacy Boards are generally indemnified by their institutions, but they are not immune from being named in a suit. Therefore, they might still have to devote time and resources to defending themselves for decisions made by an IRB or Privacy Board on which they served. Members of IRBs or Privacy Boards who receive limited protection against lawsuits may be less likely to interpret the HIPAA Privacy Rule too conservatively.

Providing this type of limitation on liability for IRB and Privacy Board members would be similar to the precedent of protection for peer review members under state laws and under the Health Care Quality Improvement Act of 1986. A similar provision was incorporated into the Ontario Personal Health Information Protection Act of 2004, under which members of ethical boards are immune for acts done and omissions made in good faith that are reasonable under the circumstances. In addition to reducing over-interpretation of the HIPAA Privacy Rule in health research, such protections might also facilitate multi-institutional research by reducing the variability among local IRBs and Privacy Boards, as they should be more willing to accept the decision of a lead IRB or Privacy Board. Indeed, moving in the direction of national IRBs/Privacy Boards, as is encouraged by the National Cancer Institute for cancer clinical trials, might further reduce overly conservative interpretation of the HIPAA Privacy Rule.

Finally, it should be noted that HHS policy is to seek compliance with the HIPAA Privacy Rule first, rather than penalties, when a concern is brought to its attention. Institutions might be less inclined to interpret the HIPAA Privacy Rule too conservatively if this policy were stated more clearly in guidance materials provided by HHS. Thus, even without the enactment of a new protective statute for IRB and Privacy Board members, simple clarification and clear communication of the way HHS will enforce the HIPAA Privacy Rule and seek penalties would be helpful.

Recommendation III.C: HHS and researchers should take steps to provide the public with more information about health research.

Surveys indicate that the vast majority of Americans believe health research is important, and are interested in the findings of research studies. The majority of patients also appear to be willing to participate in health research, either by volunteering for a study to test a medical intervention or by allowing access to their medical records or stored biospecimens, under certain conditions. Their willingness to participate in research is dependent on trust in researchers to safeguard the rights and well-being of patients, including assurance of privacy and confidentiality, and the belief that the research is a worthwhile endeavor that warrants their involvement. Yet patients often lack information about how health research is conducted and are rarely informed about research results that may have a direct impact on their health. The committee’s two recommendations below address the public’s desire for more information about health research and are important components in fulfilling two of the committee’s overarching goals of the report: (1) improving the privacy and data security of health information, and (2) improving the effectiveness of health research. Both recommendations could be accomplished by HHS and the health research community without any changes to HIPAA or the Privacy Rule by making them a condition of funding from HHS and other research sponsors and by providing additional funds to cover the cost.

Recommendation III.C.1: Health researchers should make greater efforts to inform study participants and the public about the results of research and the relevance and importance of those results. Researchers should inform interested research participants (who granted authorization for a particular study) with a simplified summary of the results at the conclusion of a research study. HHS should encourage registration of trials and other studies in public databases, particularly when research is conducted with a waiver of authorization.

Empirical evidence indicates that people want to be informed about research results, and ethicists have long recommended this kind of feedback and community involvement. In addition, the IOM committee identified transparency—the responsibility to disclose clearly how and why personally identifiable information is being collected—as an important component of comprehensive privacy protections. An IOM report in 2002 titled Responsible Research: A Systems Approach to Protecting Research Participants recommended improved communication with the public and research participants to ensure that the protection process is open and accessible to all interested parties, noting that transparency is best achieved by providing graded levels of information and guidance to interested parties.

Effective communication could also build the public’s trust in the research community, which is important because trust is necessary for the public’s continued participation in research under both the HIPAA Privacy Rule and the committee’s new framework. Learning about clinically relevant findings from a study in which a patient has participated could make patients feel more integrated into the process and could encourage more patients to participate in future studies. Moreover, if the study results indicate that an altered course of care is warranted, direct feedback about these results could lead to improved health care for study participants.

Thus, the committee recommends that when patients grant authorization for their medical records to be used in a particular study, health researchers should make greater efforts at the conclusion of the study to inform study participants about the results, and the relevance and importance of those results. Broader adoption of electronic medical records may be helpful in accomplishing this goal, but multiple impediments, beyond cost and technology, may prevent delivery of meaningful feedback to participants. Although some guidelines for providing and explaining study results to research participants have been proposed, they differ in details because limited data are available on this subject, and thus standards are lacking. A summary of the results alone, while necessary and reasonable, can be seen as a token, and also raises questions about issues such as how best to write summaries and how to present research with uninformative outcomes.

HHS should also encourage registration of trials and other studies in public databases, particularly when research is conducted with a waiver of authorization, as a way to make information about research studies more broadly available to the public. Numerous clinical trial registries already exist, and registration has increased in recent years. The National Library of Medicine established a clinical trials registry[42] in 2000, which has expanded to serve as the FDA’s required site for submissions about clinical trials subject to the FDA databank requirement and now also includes information from several other trial registries. The FDA Amendments Act of 2007 expanded the scope of required registrations and provided the first federally funded trials results database. In fall 2005, the International Committee of Medical Journal Editors adopted a policy requiring prospective trial registration as a precondition for publication.

The development of clinical trial registries is an important first step toward providing high-quality clinical trial information to the public. Currently, however, there is no centralized system for disseminating information about clinical trials of drugs or other interventions. Thus, patients and their health care providers have difficulty identifying ongoing studies. Moreover, some trials are still exempt from registration and data reporting. An additional limitation of clinical trial databases is that noninterventional studies (including observational studies that play an increasingly critical role in biomedical research) are not generally included. Because many noninterventional studies are conducted with a waiver of authorization, including those studies in a registry could be an important method for increasing public knowledge of those studies.

Recommendation III.C.2: HHS and the health research community should work to educate the public about how health research is done, and what value it provides.

Health research provides a community benefit by determining the most effective treatments and by developing new therapies. Interventional clinical trials are the most visible of the various types of health research, but a great deal of informative health research entails analysis of thousands of patient records to better understand human diseases, to determine treatment effectiveness, and to identify adverse side effects of therapies. This form of research is likely to increase in frequency as the availability of electronic health records continues to expand. As medicine moves toward the goal of personalized medicine, research results will be even more likely to be directly relevant to patients, but more study participants will be needed to derive meaningful results.

However, many patients probably are not aware that their medical records are being used in database research. Moreover, surveys show that many patients desire not only notice, but also the opportunity to decide whether to consent to such research with medical records. As noted in Recommendation III.A, strengthening security protections of health data should reduce the risk of security breaches and their potential negative consequences, and thus should help to alleviate patient concerns in this regard. But educating patients about how health research is conducted, monitored, and reported could also help to increase patients’ trust in the research community, which is important for the public’s continued participation under both the HIPAA Privacy Rule and the committee’s new framework.

In addition, an educated public could also decrease the potential for biased research samples. A universal requirement to obtain authorization for medical records research can lead to a biased study sample, and thus inaccurate conclusions, because those who decline to participate may be more or less likely than average to have a particular health problem. A study sample may also be biased if certain members are underrepresented or overrepresented relative to others in the population. A biased sample is problematic, because any statistic computed from that sample has the potential to be consistently erroneous, and thus, conclusions drawn from a biased sample are likely to be invalid. Conveying to the public the importance of health care improvements derived from medical records research and stressing the negative impact of incomplete datasets on research findings may increase the public’s participation in research and their willingness to support information-based research that is conducted with IRB or Privacy Board oversight and a waiver of patient authorization.

There are numerous examples of important research findings from medical records research that would not have been possible if direct patient consent and authorization were always required, including the finding that infants exposed to diethylstilbestrol (DES) during the first trimester of pregnancy had an increased risk of breast, vaginal, and cervical cancer and reproductive anomalies as adults. Studies of medical records also led to the discovery that folic acid supplementation during pregnancy can prevent neural tube defects.

Thus, HHS and the health research community should work to educate the public about how research is done, and what value it provides. All stakeholders, including professional organizations, nonprofit funders, and patient organizations, have different interests and responsibilities to make sure their constituencies are well informed, but coordination and identification of best practices by HHS would be helpful. For example, the American Society of Clinical Oncology and the American Heart Association already have some online resources to help patients gather information about research that may be relevant to their conditions. Research is needed to identify which segments of the population would be receptive to and benefit from various types of information about how research is done and its value in order to create and implement an effective education plan.

Greater use of community-based participatory research, in which community-based organizations or groups bring community members into the research process as partners to help design studies and disseminate the knowledge gained,[43] would also help achieve this goal. These groups help researchers to design activities that the community is likely to value and to recruit research participants, by using the knowledge of the community to understand health problems. They also inform community members about how the research is done and what comes out of it, with the goal of providing immediate community benefits from the results when possible.

The HIPAA Privacy Rule can be found at 45 Code of Federal Regulations (C.F.R.) parts 160 and 164 (2006).

45 C.F.R. § 160.103 (2006).

The study was funded by the National Institutes of Health, the National Cancer Institute, the Robert Wood Johnson Foundation, the American Cancer Society, the American Heart Association/American Stroke Association, the American Society for Clinical Oncology, the Burroughs Wellcome Fund, and C-Change.

Turn, R., and W. H. Ware. 1976. Privacy and security issues in information systems. The RAND Paper Series. Santa Monica, CA: The RAND Corporation.

The ethical principle of doing no harm, based on the Hippocratic maxim, primum non nocere, first do no harm.

This term may encompass a broad range of information, including personal and family health history, physician notes and orders, test results, medication and immunization records, and documentation of surgeries or hospitalizations.

The concept of fair information practices originated with the 1973 report of the Secretary’s Advisory Committee on Automated Personal Data Systems, reporting to the Secretary of the U.S. Department of Health, Education, and Welfare, titled Records, Computers and the Rights of Citizens, http://epic.org/privacy/hew1973report/ (accessed August 3, 2008).

The Common Rule is a federal policy for the protection of human subjects adopted by 18 federal agencies and offices. 45 C.F.R. part 46, http://www.hhs.gov/ohrp/policy/common.html (accessed August 3, 2008).

Epidemiology is the study of the occurrence, distribution, and control of diseases in populations.

Health services research has been defined as a multidisciplinary field of inquiry, both basic and applied, that examines the use, costs, quality, accessibility, delivery, organization, financing, and outcomes of health care services to increase knowledge and understanding of the structure, processes, and effects of health services for individuals and populations.

The National Committee on Vital and Health Statistics has noted that the term “secondary uses” of health data is ill defined and therefore urged abandoning it in favor of precise description of each use. Consequently, the IOM committee has chosen to minimize use of the term in this report.

See Standards for Privacy of Individually Identifiable Health Information: Proposed Rule, 64 Fed. Reg. 59918, 59967 (1999) for a discussion on the benefits of health records research.

Under the HIPAA Privacy Rule protected health information excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232(g), records described at 20 U.S.C. 1232(g)(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.

Responsible health research is methodologically sound, is scientifically valid, protects the rights and interests of study subjects, and addresses a question or problem relevant to improving human health.

21 C.F.R. parts 50 and 56 (1988).

U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (1997), and Standards for Privacy of Individually Identifiable Health Information: Proposed Rule, 64 Fed. Reg. 59918, 59968 (1999).

Personal Health Information Protection Act, Statutes of Ontario 2004, Ch. 3, Schedule A; Ontario Regulation 329/04.

In a report commissioned by the United Kingdom’s Prime Minister on secondary uses of personal information.

Division of Quality Assurance, Health Resources and Services Administration, National Practitioner Data Bank Guidebook, Rockville, MD, http://www.npdb-hipdb.hrsa.gov/npdbguidebook.html (accessed August 1, 2008).

45 C.F.R. § 46.102(f)(2) (2006).

45 C.F.R. § 46.101(b)(4) (2006).

45 C.F.R. § 164.514(b) (2006). There are no restrictions on the use or disclosure of deidentified health information.

45 C.F.R. § 164.514(e)(3)(i) (2006).

See Chapter 3 for a complete discussion of this model.

45 C.F.R. § 164.512(i)(1)(ii) (2006).

45 C.F.R. § 164.508 (2006).

45 C.F.R. § 164.508(b)(4)(i) (2006).

45 C.F.R. § 164.508(b)(3) (2006).

National Institutes of Health, Research Repositories, Databases, and the HIPAA Privacy Rule, January 2004, http://privacyruleandresearch.nih.gov/pdf/research_repositories_final.pdf (accessed August 1, 2008).

45 C.F.R. § 164.514 (2006).

Article 29 Data Protection Working Party, European Union, “Opinion 4/2007 on the Concept of Personal Data,” WP 136, adopted June 27, 2007, http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf (accessed August 1, 2008).

National Health Data Stewardship, Request for Information, 72 Fed. Reg. 30803 (June 4, 2007).

Agency for Healthcare Research and Quality, U.S. Department of Health and Human Services, Patient Safety Organizations Website, http://www.pso.ahrq.gov (accessed August 1, 2008); Patient Safety and Quality Improvement Act, Notice of Proposed Rulemaking, 73 Fed. Reg. 8112 (February 12, 2008).

American Health Information Management Association, 2006, The State of HIPAA Privacy and Security Compliance, http://www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf (accessed April 20, 2008).

45 C.F.R. § 164.512(i)(2)(ii) (2006).

National Institute of Standards and Technology (NIST), Federal Information Security Management Act Implementation Project Website, updated November 1, 2007, http://csrc.nist.gov/groups/SMA/fisma/index.html (accessed August 1, 2008).

Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services, Office of the National Coordinator: Mission, http://www.hhs.gov/healthit/onc/mission/ (accessed August 1, 2008).

See http://clinicaltrials.gov (accessed August 6, 2008).

Agency for Healthcare Research and Quality, U.S. Department of Health and Human Services, Creating Partnerships, Improving Health: The Role of Community-Based Participatory Research, June 2003, http://www.ahrq.gov/research/cbprrole.htm (accessed August 1, 2008).

Source: Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009. Overview of Conclusions and Recommendations.

Research Uses and Disclosures

217-May a covered entity accept documentation of an IRB waiver of authorization?

Yes. The HIPAA Privacy Rule explicitly permits a covered entity to reasonably rely on a researcher’s documentation of an Institutional Review Board (IRB) or Privacy Board waiver of authorization pursuant to 45 CFR 164.512(i) that the information requested is the minimum necessary for the research purpose. See 45 CFR 164.514(d)(3)(iii).

302-Will HIPAA hinder medical research

We do not believe that the Privacy Rule will hinder medical research. Indeed, patients and health plan members should be more willing to authorize disclosures of their information for research and to participate in research when they know their information is protected.

303-Are some criteria so subjective that IRBs and Privacy Boards may make inconsistent determinations?

Under the HIPAA Privacy Rule, IRBs and Privacy Boards need to use their judgment as to whether the waiver criteria have been satisfied.

304-Does HIPAA prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing information

No. The Privacy Rule does not address conditions for enrollment in a research study. Therefore, the Privacy Rule in no way prohibits researchers from conditioning enrollment in a research study on the execution of an authorization for the use of pre-existing health information.

305-Does HIPAA permit creating a database for research purposes through an IRB or Privacy Board waiver

Yes. A covered entity may use or disclose protected health information without individuals’ authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB or Privacy Board has determined that the specified waiver criteria were satisfied.

306-Can researchers access existing databanks or repositories created prior to the compliance date without permission

Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i).

307-How does the Rule help IRBs handle the additional responsibilities imposed by the HIPAA Privacy Rule

Recognizing that some institutions may not have IRBs, or that some IRBs may not have the expertise needed to review research that requires consideration of risks to privacy, the Privacy Rule permits the covered entity to accept documentation of waiver of authorization from an alternative body called a Privacy Board, which could have fewer members, and members with different expertise, than IRBs.

308-By establishing new waiver criteria and authorization requirements, hasn't HIPAA modified the Common Rule

No. Where both the Privacy Rule and the Common Rule apply, both regulations must be followed. The Privacy Rule regulates only the content and conditions of the documentation that covered entities must obtain before using or disclosing protected health information for research purposes.

309-Is documentation of IRB and Privacy Board approval required by the HIPAA

No. The HIPAA Privacy Rule requires documentation of waiver approval by either an IRB or a Privacy Board, not both.

310-Does HIPAA require a covered entity to create an IRB or Privacy Board before using or disclosing protected health information for research

The IRB or Privacy Board could be created by the covered entity or the recipient researcher, or it could be an independent board.

311-What does HIPAA say about a research participant's right of access to research records or results

With few exceptions, the Privacy Rule gives patients the right to inspect and obtain a copy of health information about themselves that is maintained by a covered entity or its business associate in a “designated record set.”

313-Do HIPAA's requirements for authorization and the Common Rule's requirements for informed consent differ?

Yes. Under the Privacy Rule, a patient’s authorization is for the use and disclosure of protected health information for research purposes. In contrast, an individual’s informed consent, as required by the Common Rule and the Food and Drug Administration’s (FDA) human subjects regulations, is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of protected health information.

314-When is a researcher considered to be a covered health care provider under HIPAA

A researcher is a covered health care provider if he or she furnishes health care services to individuals, including the subjects of research, and transmits any health information in electronic form in connection with a transaction covered by the Transactions Rule.

315-When can a covered entity determine whether a research component of the entity is part of its covered functions?

A covered entity that qualifies as a hybrid entity, meaning that the entity is a single legal entity that performs both covered and non-covered functions, may choose whether it wants to be a hybrid entity. If such a covered entity decides not to be a hybrid entity then it, and all of its components, are subject to the Privacy Rule in its entirety. Therefore, if a researcher is an employee or workforce member of a covered entity that has decided not to be a hybrid entity, the researcher is part of the covered entity and is, therefore, subject to the Privacy Rule.

316-If a research subject revokes authorization to disclose information can a researcher continue using the information already obtained

Covered entities may continue to use and disclose protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study.

317-Can the preparatory research provision of the HIPAA Privacy Rule be used to recruit individuals into a research study

The preparatory research provision permits covered entities to use or disclose protected health information for purposes preparatory to research, such as to aid study recruitment. However, the provision at 45 CFR 164.512(i)(1)(ii) does not permit the researcher to remove protected health information from the covered entity’s site.

318-Does HIPAA require documentation of IRB approval of an alteration or waiver of individual authorization

No. Documentation of IRB or Privacy Board approval of an alteration or waiver of individual authorization is only needed before a covered entity may use or disclose protected health information under 45 CFR 164.512(i)(1)(i).

319-If consent was obtained before the compliance date but the IRB modifies the document is authorization required

If informed consent or reconsent (i.e., the subject is asked to sign a revised consent or another informed consent) is obtained from research subjects after the compliance date, the covered entity must obtain individual authorization as required at 45 CFR 164.508 for the use or disclosure of protected health information once the consent obtained before the compliance date is no longer valid for the research.

320-Can covered entities continue to disclose adverse event reports that contain information

Yes. The Office for Human Research Protections is a public health authority under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to report adverse events to the Office for Human Research Protections either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for public health activities as permitted at 45 CFR 164.512(b).

321-Can covered entities continue to disclose information to the HHS Office for Human Research Protections

Yes. The Office for Human Research Protections is a health oversight agency under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to the Office for Human Research Protections for such compliance investigations either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for health oversight activities as permitted at 45 CFR 164.512(d).

HIPAA and Human Subject Research

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains provisions to protect the confidentiality and security of personally identifiable information that arises in the course of providing health care. The intention of HIPAA is to protect patients from inappropriate disclosures of Protected Health Information (PHI) that can cause harm to a person's insurability, employability, etc. In order to understand how HIPAA affects research, there are a few important terms that are defined by the law.

  • A covered entity is the organization that has to comply with HIPAA. The University of California is a Hybrid Covered Entity because, in addition to providing health care at its medical facilities, it also has other organizational activities such as education and research.
  • The HIPAA Privacy Rule governs PHI, which is defined as information that can be linked to a particular person (i.e., is person-identifiable) and that arises in the course of providing a health care service.

When PHI is communicated inside of a covered entity, this is called a use of the information. When PHI is communicated to another person or organization that is not part of the covered entity, this is called a disclosure. HIPAA allows both use and disclosure of PHI for research purposes, but such uses and disclosures have to follow HIPAA guidance and have to be part of a research plan that is reviewed and approved by an Institutional Review Board (IRB).

HIPAA Forms

  • HIPAA Research Authorization
  • HIPAA Research Authorization Template (Relying Institutions)
  • UC HIPAA Research Authorization Cancellation Form

When the research protocol requires creation, use or disclosure of PHI, researchers must indicate whether subjects will sign a written HIPAA research authorization for release of PHI for research, formally titled the “UC Permission to Use Personal Health Information for Research” form, or request a waiver of authorization from the IRB. In addition, if a study involves PHI, all members of the research protocol team engaged in human subject research must complete the HIPAA Research tutorial.

There are 18 PHI identifiers as follows:

  • Telephone Number(s)
  • Social Security Number
  • Account Number(s)
  • Device Identifiers or Serial Numbers
  • Finger or Voice Prints
  • Address (all geographic subdivisions smaller than state, including street address, city, county, ZIP code)
  • Medical Record Number
  • Certificate/License Number(s)
  • Photographic Images
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
  • Email Address(es)
  • Health Plan Beneficiary Number
  • Any Vehicle or Other Device Serial Number
  • Internet Protocol (IP) Address Numbers
  • Any other characteristic that could uniquely identify the individual
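The identifier list above is what a de-identification step has to strip before data can leave the covered entity without authorization. The following is an added example (not UC/UCI code and not part of the original page) showing how a research data pipeline might apply that list to a record: structured fields that are direct identifiers are dropped outright, dates keep only the year, ages over 89 collapse to "90+", and shape-recognisable identifiers (SSN, phone, email, IP, MRN, account number, ZIP) are redacted from a free-text note. Field names, regex patterns and the sample record are all constructed for the example; a real pipeline would also need a names/address step for free text, which regexes cannot do reliably.

```python
import re

# Added example (not UC/UCI code): a safe-harbor style scrubber for the
# identifier categories listed on this page. It works on a record with
# structured fields plus a free-text note, and reports what it removed so
# the output can be reviewed before the data leave the covered entity.

# Structured fields that are direct identifiers on the page's list; they are
# dropped outright because there is no safe partial form to keep.
DROP_FIELDS = {"name", "street", "city", "county", "zip", "mrn", "ssn",
               "phone", "email", "account", "device_serial", "ip"}

# Free-text patterns, ordered so that longer identifiers (SSN, MRN, phone)
# are removed before the looser 5-digit ZIP pattern gets a chance to fire.
# These are shape-based only; names and street addresses in free text need
# a structured field or a dedicated NER step, which this example omits.
TEXT_PATTERNS = [
    ("Social Security Number", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("Medical Record Number",  re.compile(r"\bMRN[:#\s]*\d+\b", re.I)),
    ("Account Number",         re.compile(
        r"\b(?:acct|account)\.?\s*(?:no\.?|#|:)?\s*\d{4,}\b", re.I)),
    ("Telephone Number",       re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("IP Address",             re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("Email Address",          re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ZIP Code",               re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]
DATE_RE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")
AGE_RE = re.compile(r"\b(\d{1,3})\s*(?:years?\s+old|y/?o)\b", re.I)


def scrub_text(text):
    """Remove the listed identifiers from free text.

    Returns (scrubbed_text, categories_found). Dates keep only the year and
    ages over 89 collapse to "90+", following the page's date/age rule.
    """
    found = []

    def keep_year(m):
        found.append("Date (month/day removed)")
        return m.group(3)

    def cap_age(m):
        if int(m.group(1)) > 89:
            found.append("Age over 89")
            return "90+ years old"
        return m.group(0)          # ages 89 and under are left alone

    text = DATE_RE.sub(keep_year, text)
    text = AGE_RE.sub(cap_age, text)
    for label, rx in TEXT_PATTERNS:
        text, n = rx.subn(f"[{label.upper()} REMOVED]", text)
        if n:
            found.append(label)
    return text, found


def deidentify_record(record):
    """Apply the drop list to structured fields and scrub_text to the note."""
    out, found = {}, []
    for key, value in record.items():
        if key in DROP_FIELDS:
            found.append(f"field:{key}")
        elif key == "birth_date":          # ISO yyyy-mm-dd; keep the year only
            out["birth_year"] = value[:4]
            found.append("field:birth_date")
        elif key == "note":
            out["note"], note_found = scrub_text(value)
            found.extend(note_found)
        else:
            out[key] = value               # e.g. state, diagnosis: not on the list
    return out, found


# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "7001234", "ssn": "123-45-6789",
    "street": "10 Example Way", "city": "Irvine", "state": "CA", "zip": "92697",
    "birth_date": "1931-03-14", "diagnosis": "hypertension",
    "note": ("92 years old, seen 01/05/2024; callback 555-123-4567, "
             "email jq@example.org, acct #88123456, MRN 7001234, "
             "portal login from 192.0.2.44, moving to ZIP 92697."),
}

if __name__ == "__main__":
    cleaned, categories = deidentify_record(SAMPLE_RECORD)
    print(cleaned)
    print(sorted(set(categories)))
```

The returned category list is the useful part for review: a waiver application or data use agreement can cite which identifier classes were present and removed, and a non-empty list for a field that was supposed to be clean is a signal to stop the transfer. The ZIP pattern deliberately over-matches any five-digit number; for this purpose redacting a stray lab value is the safer failure.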


The Privacy Rule and Research

As noted above, HIPAA affects only that research which uses, creates, or discloses PHI. Researchers have legitimate needs to use, access, and disclose PHI to carry out a wide range of health research studies. The Privacy Rule protects PHI while providing ways for researchers to access and use PHI when necessary to conduct research. In general, there are two types of human research that would involve PHI:

  • Studies involving review of existing medical records as a source of research information. Retrospective studies, such as chart reviews, often do this. Sometimes prospective studies do it also, for example, when they contact a participant's physician to obtain or verify some aspect of the participant's health history.
  • Studies that create new medical information because a health care service is being performed as part of the research, such as testing of a new way of diagnosing a health condition or a new drug or device for treating a health condition. Virtually all sponsored clinical trials that submit data to the U.S. Food and Drug Administration (FDA) will involve PHI.

The IRB's Role

The IRB acts as a Privacy Board (required by HIPAA) to review the use/disclosure of PHI and to determine whether the subjects should sign an authorization (an addendum to the consent to participate in research) or whether a waiver of authorization (roughly analogous to a Waiver of Consent under the Common Rule) may be granted.

When the IRB determines that subjects should sign a HIPAA research authorization in order to use or disclose PHI for research, subjects are to sign the UC HIPAA research authorization as a part of the informed consent process for participation in the study.

Requesting a Waiver of HIPAA Authorization

Although it is always preferred to get permission / authorization to use an individual's PHI, HIPAA permits research using PHI without obtaining authorization. This is referred to as a waiver of HIPAA research authorization, which is granted by the UCI IRB.

In order to waive HIPAA Authorization, the IRB must determine that the study meets all of the following criteria:

  • The use or disclosure of PHI involves no more than minimal risk
  • Granting of the waiver will not adversely affect privacy rights and welfare of the individuals whose records will be used
  • The project could not practicably be conducted without a waiver
  • The project could not practicably be conducted without use of PHI
  • The privacy risks are reasonable relative to the anticipated benefits of research
  • An adequate plan to protect identifiers from improper use and disclosure is included in the research proposal
  • An adequate plan to destroy the identifiers at the earliest opportunity, or justification for retaining identifiers, is included in the research proposal
  • The project plan includes written assurances that PHI will not be re-used or disclosed for other purposes
  • Whenever appropriate, the subjects will be provided with additional pertinent information after participation

Clinical Activities as Research: When IRB Review, Consent, Research HIPAA and California Bill of Rights Apply

The University of California, Office of the President has advised when IRB Review, Consent, Research HIPAA and the California Bill of Rights apply to clinical activities that are treated as research. The following table illustrates this advisory and practice at UCI.

Please contact HRP Staff for any questions.

[1] REQUIRED FOR “medical experiments.” HSC 24174

[2] REQUIRED IF the IRB has access to PHI (unusual at UCI)

[3] REQUIRED IF non-UCI covered components will access protected health information (PHI)

Definitions

Authorization: Under HIPAA, the granting of rights to access PHI. Authorization is required by HIPAA for disclosures or uses other than for Treatment, Payment, and Operations (TPO), which are covered in the Notice of Privacy Practices. Treatment cannot be conditioned on granting of an authorization. An authorization is a specific, detailed document requesting patient-subject permission for the use of covered PHI.

Covered Entity: A covered entity is a health plan, a health care clearinghouse, or a health care provider transmitting health information, and is, therefore, subject to the HIPAA regulations.

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of PHI outside the entity holding the information. Disclosure of PHI requires a specific authorization under HIPAA except if disclosure is related to the provision of TPO (Treatment, Payment, Operations) of the entity responsible for the PHI or under a limited set of other circumstances, such as public health purposes.

Health Information: Any information, whether oral or recorded in any form or medium, that:

  • Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Hybrid Entity: A single legal covered entity with health care and non-health care functions, where the former are covered functions but are not its primary functions. The University of California is a hybrid entity.

Individually Identifiable Health Information is any information created, used, or received by a health care provider that relates to:

  • The past, present, or future physical or mental health or condition of an individual,
  • The provision of health care to an individual, or
  • The past, present, or future payment for the provision of health care to an individual with respect to which there is a reasonable basis to believe the information can be used to identify the individual. The collection of individually-identifiable health information for research constitutes human subjects research.

Minimum Necessary Standard: The least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request of PHI.

Notice of Privacy Practices: The HIPAA Privacy Rule gives individuals a fundamental right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides clear explanations of these rights and practices. The Notice of Privacy Practices is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and to exercise their rights.

Personal Health Information is used on the University of California HIPAA Authorization form in order to (1) capture the meaning of both protected health information (HIPAA term) and medical information (California Health & Safety Code: California Confidentiality of Medical Information term), (2) communicate to the research subject that information is "personal", and (3) convey information at an eighth-grade reading level.

Research Health Information (RHI) is defined as data used in research that would be personally identifiable but is not considered PHI and is therefore not subject to the HIPAA Privacy and Security Rules. The key distinction between RHI and PHI is that PHI is associated with or derived from a health care service event, i.e., the provision of care or payment for care. RHI is covered by other state and federal laws for privacy and confidentiality of research health information.

Protected Health Information (PHI) is defined as any individually identifiable health information collected or created as a consequence of the provision of health care by a covered entity, in any form, including verbal communications. PHI is information that can be linked to a particular person and that is created, used, or disclosed in the course of providing a health care service (i.e., diagnosis or treatment).
