Federal Privacy Regulations
General Overview and Effects on Research

The final Privacy Rule published on August 14, 2002 included a number of changes in how the Rule applies to research. Some of these research-related changes require further interpretation, and we have been told that additional guidance from the Department of Health and Human Services may be provided. The information presented here reflects the current interpretation of the Privacy Rule - but please be advised that changes may be necessary in response to new guidance.
I. General Overview

A general overview is provided elsewhere, but specific research-related elements of this regulation deserve emphasis.
- This rule applies to health care providers, including researchers when they provide health care (e.g., in a clinical trial). Even if researchers do not themselves provide health care, they must abide by the rule, because Partners institutions that provide health care are required to protect the privacy of identifiable health care information, including information used or released for research.
- The definition of "protected health information" includes information relevant to the provision of health care as well as information generated in the context of clinical research. Hence, although some research information may not have proven clinical validity or utility, the Privacy Rule considers it to be identifiable health care information that must be protected.
- The regulation covers information - not tissue - except to the extent any identifiable medical information is attached to the tissue sample.
- Genetic information is not provided a higher standard of privacy coverage under this federal regulation. Of note, there is a state genetics privacy law - but this does not apply to IRB-approved research activities.
- The regulation covers individually identifiable information - this is referred to as protected health information (PHI) - in any form, including written, electronic, or oral. The regulation provides a stringent definition of "de-identified."
  Of note, the Privacy Rule and the Common Rule (IRB requirements) do not agree on whether coded information is "identifiable." The Privacy Rule considers coded information to be de-identified if 18 specific identifiers are coded and the individual cannot reasonably be identified; however, the code itself is considered identifiable. In contrast, the Common Rule generally considers coded information to be identifiable. Therefore, research using coded information might not be covered by the Privacy Rule as long as the researchers do not have access to the code - but because this same research would be covered by the Common Rule, it would still require IRB review.

  Further complicating the definition of identifiable is the Privacy Rule's new carve-out of a "limited data set" for research, health care operations and public health purposes. Limited data sets can include dates, address except for street address, and other information that is not a direct identifier but could possibly be used to identify a person. Of note, the Privacy Rule places fewer requirements on the use and disclosure of limited data sets. Partners policy is that research using data in a limited data set must be submitted to the IRB for a review of whether the research is exempt from the Common Rule or requires review.
- The Privacy Rule creates privacy standards and also gives individuals a number of rights - these standards and rights will also apply to their research information. These include:
  - Only the minimum necessary information can be used or disclosed. There are two important exceptions: minimum necessary does not apply when PHI is being used or disclosed for treatment purposes, or if there is an authorization for use and disclosure. Hence for research, the minimum necessary requirement does apply to situations in which a waiver of informed consent/authorization has been obtained, or a limited data set is used or disclosed. Note that the minimum necessary standard does apply to limited data sets.
  - Individuals must receive a notice of how their PHI will be used and protected. This notice informs individuals that their PHI may be used for research either with authorization or with a waiver of authorization as determined by the IRB.
  - Patients and subjects have the right to request a history of how and to whom their PHI has been disclosed over the previous 6 years. Tracking of disclosures is not required if the disclosure was made pursuant to a written authorization. Hence for research, any disclosures made after obtaining a waiver of consent and authorization will have to be tracked. Note that disclosure of a limited data set for research does not require tracking.
  - Individuals have the right to request access to their PHI - access is limited to the designated record set (see below).
  - Individuals have the right to request that their PHI be amended. Because access is limited to the designated record set, amendment will also be limited to the designated record set.
II. Effects of the Privacy Rule on Research

The Privacy Rule affects research in two different ways:
- Accessing existing protected health information (PHI) - i.e., epidemiological studies.
- Handling PHI that is created during a research study - i.e., clinical trials. (Of note, most clinical trials involve both the creation of new information and access to existing health information.)
A. Accessing existing PHI:

Researchers may continue to access existing health information for research. But the Privacy Rule will require a few changes.

Privacy Notice: The Privacy Rule requires health care providers who have a direct treatment relationship with an individual to give the individual a Notice of Privacy Practices at least by the first time care is delivered after April 14, 2003. The Notice must specify that, in accordance with federal regulations, while some research will require an individual's permission, some research can be done without obtaining permission (waived consent/authorization). A good faith effort must be made to obtain written acknowledgement of receipt of the Notice.

- Researchers must be certain that their institutional Privacy Notice accurately describes how an individual's protected health information may be used for research. While the Partners notice is appropriately worded to include access to medical records for research purposes, any researcher who also works outside of the Partners system should carefully review the Privacy Notice of their other institutions.
How to access PHI for research:

It is important first to note that the Common Rule requires that research using identifiable information must be reviewed and approved by the IRB. The IRB will determine if informed consent is required or if a waiver of informed consent can be approved. The Privacy Rule requirements are in addition to those of the Common Rule.

The Privacy Rule allows access to existing PHI in three possible ways:

1. The researcher obtains individuals' permission. The permission must address both the Common Rule and the Privacy Rule.
   - The Privacy Rule requires an authorization.
   - The Common Rule requires an informed consent.
   - The required elements of the authorization and informed consent are not identical.
   - A single document that includes all required elements of both the Common and Privacy Rules can be used.
2. Researchers can apply for IRB approval of a waiver of informed consent/authorization. The Privacy Rule and the Common Rule each have slightly different criteria that must be met in order to waive the requirement for an authorization or an informed consent. For consistency, the IRB policy on waiver will include all elements required by both the Common Rule and the Privacy Rule.
3. Researchers can use or disclose a limited data set if the covered entity enters into a data use agreement with the recipient of the data. A data use agreement includes statements that the recipient of the data set will NOT identify the individuals. The limited data set is only available for research, public health and health care operations. The Privacy Rule does not require an authorization or a waiver for accessing this information, but it should be noted that because this information may be considered identifiable by the Common Rule, it may require IRB review. It will be Partners policy that any use or disclosure of a limited data set must be submitted to the IRB for determination of whether the protocol is exempt from the Common Rule or needs IRB review.
Please note: the Privacy Rule also requires additional information for research on medical records of decedents. For research using PHI from deceased persons, as is current practice, the IRB will review the protocol. The investigator will be asked to document in the application that:
- these records are needed for research, and
- the records will be used solely for research.

In addition, the Privacy Rule also states that entities (i.e., Partners) may request documentation of deaths. Therefore, investigators should be prepared to provide such documentation upon request.
Privacy standards and individuals' rights:

If a waiver has been approved, the following requirements must be met:
- Only the minimum necessary PHI can be used or disclosed. The investigator will be asked to justify what PHI is necessary.
- All disclosures made without an authorization/informed consent must be tracked for six years. (Please note that disclosures of Limited Data Sets do NOT need to be tracked.) The tracking must include the following information:
  - date of the disclosure;
  - name of the entity or person (and, if known, address) who received the PHI;
  - brief description of the PHI disclosed; and
  - brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure.

An alternative tracking approach may be available for research involving more than 50 people.
B. Research in which PHI is created:

The classic example of this type of research is the clinical trial. Such research will continue to undergo IRB review as required by the Common Rule, but the HIPAA Privacy Rule adds some new requirements.

Accessing existing PHI as part of a clinical trial: Many clinical research protocols also require access to existing PHI. If this is the case, the requirements described in the section above on accessing existing PHI must also be met. The elements required for informed consent/authorization for access to records can be included as a part of the consent form for the trial.

Privacy Notice: Any participant in a clinical research study must have received, and acknowledged in writing, a copy of the institution's Privacy Notice. If an individual has already received the notice during another health care encounter, that is adequate. But if an individual has not received a Privacy Notice, then it is the responsibility of the investigator to provide such notice, and the researcher must ask the subject to sign a document stating that the notice was received.
Subject Recruitment:

As noted at the beginning of this document, the information presented here reflects the current interpretation of the Privacy Rule - but changes may be necessary in response to new guidance from DHHS. The topic of subject recruitment has been identified as one area on which DHHS may provide additional guidance.

Researchers may recruit study participants in a number of ways. Privacy protections must be considered for each. As background, research in which an individual is contacted or recruited for enrollment must be reviewed and approved by an IRB. The Common Rule requires an IRB to consider the process for subject recruitment as part of its review. (Please see existing Partners policies and forms on recruitment.)

The Privacy Rule adds a new privacy focus to this review, as explained below. By way of overview:
(i) an individual may contact a researcher about a study with no new Privacy Rule requirements;
(ii) a treating physician may share de-identified information with a researcher (also within the Partners system) to determine a patient's eligibility for a study with no new Privacy Rule requirements;
(iii) as is current practice, if approved by the IRB, a treating physician and researcher within Partners may co-sign a recruitment letter to patients with no new Privacy Rule requirements; but
(iv) if a treating physician shares identifiable health information with a researcher to discuss potential enrollment in research, the Privacy Rule requires that either the patient's authorization must be obtained or the IRB must be asked to approve this sharing with waived authorization; and
(v) if a researcher wants to review medical records to identify potential subjects, then as is current practice, the researcher must apply to the IRB for a waiver, and the waiver determination will now include Privacy Rule criteria as well as the Common Rule criteria.
Informed consent/authorization:

A single document will be used. This document must include the required elements of informed consent under the Common Rule as well as authorization under the Privacy Rule.

The primary differences and new requirements include:
- Specific authorization for the use and disclosure of any information generated during the research. The authorization must include a description of how PHI created during the research will be used and/or disclosed, among other requirements.
- The right to withdraw from the research study - AND to withdraw any identifiable information. Of note, if the information has already been used to perform an analysis or other evaluation, the results of that analysis can be retained. But the individual's PHI generally cannot be used or disclosed in new ways after the revocation.
Individuals' Rights:
- Subjects' access to their information: The Privacy Rule gives individuals the right to access their information, but this access is limited to the "designated record set." The designated record set is that information used for treatment and/or billing decisions. Information that is generated in research and lacks clinical validity or clinical utility generally will be outside of the designated record set, and thus the Privacy Rule's right of access generally will not apply to this information.
- Subjects' right to amend their PHI: The Privacy Rule gives individuals the right to request that their PHI be amended. A system for handling requests for such amendments will be in place for the entire institution. Researchers will utilize the institutional system for amending PHI.
C. Transition Period

Research requiring informed consent/authorization

Any subject enrolled in a study on or after April 14, 2003 will have to sign a consent/authorization form that is compliant with the Common Rule and the Privacy Rule. Subjects who were enrolled before April 14, 2003 and have signed a Common Rule-compliant consent form do not have to sign an authorization. Even if subjects enrolled before April 14th have follow-up visits after that date, at this time a new authorization will not be required.

Therefore, if all of your subjects were enrolled prior to April 14, 2003, you do not need a new consent form. But if you plan to enroll any new subjects after April 14, 2003, you will need a new HIPAA-compliant consent/authorization document.

Research conducted with a Waiver of Informed Consent/Authorization

You should continue protecting the privacy of subjects' information, but you do not need to re-apply to the IRB. Ongoing studies for which the IRB approved a waiver of informed consent before April 14, 2003 are grandfathered under the Privacy Rule. HHS specifically rejected the need for an IRB to reconsider these studies, given the undue burden it would impose.

But although a new waiver is not required, it is important to note that the individual rights provided by the Privacy Rule go into effect on April 14, 2003. As a result, any disclosure of PHI made pursuant to a waiver of authorization must be tracked as noted above.