Standards for Privacy of Individually Identifiable Health Information

Guidance issued July 6, 2001

Background

The Privacy Rule establishes the conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. A covered entity may always use or disclose for research purposes health information which has been de-identified (in accordance with §§ 164.502(d), 164.514(a)-(c) of the rule) without regard to the provisions below.

The Privacy Rule also defines the means by which individuals/human research subjects are informed of how medical information about themselves will be used or disclosed and their rights with regard to gaining access to information about themselves, when such information is held by covered entities. Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time, ensuring that researchers continue to have access to medical information necessary to conduct vital research. Currently, most research involving human subjects operates under the Common Rule (codified for the Department of Health and Human Services (HHS) at Title 45 Code of Federal Regulations Part 46) and/or the Food and Drug Administration's (FDA) human subjects protection regulations, which have some provisions that are similar to, but more stringent than and separate from, the Privacy Rule's provisions for research.

Using and Disclosing PHI for Research

In the course of conducting research, researchers may create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose PHI for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule.

Research Use/Disclosure Without Authorization:

To use or disclose PHI without authorization by the research participant, a covered entity must obtain one of the following:

• Documentation that an alteration or waiver of research participants' authorization for use/disclosure of information about them for research purposes has been approved by an Institutional Review Board (IRB) or a Privacy Board. This provision of the Privacy Rule might be used, for example, to conduct records research, when researchers are unable to use de-identified information and it is not practicable to obtain research participants' authorization.

or

• Representations from the researcher, either in writing or orally, that the use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any PHI from the covered entity, and representation that PHI for which access is sought is necessary for the research purpose. This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study.

or

• Representations from the researcher, either in writing or orally, that the use or disclosure being sought is solely for research on the PHI of decedents, that the PHI being sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought.

A covered entity may use or disclose PHI for research purposes pursuant to a waiver of authorization by an IRB or Privacy Board provided it has obtained documentation of all of the following:

• A statement that the alteration or waiver of authorization was approved by an IRB or Privacy Board that was composed as stipulated by the Privacy Rule;
• A statement identifying the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;
• A statement that the IRB or Privacy Board has determined that the alteration or waiver of authorization, in whole or in part, satisfies the following eight criteria:

- The use or disclosure of PHI involves no more than minimal risk to the individuals;

- The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;

- The research could not practicably be conducted without the alteration or waiver;

- The research could not practicably be conducted without access to and use of the PHI;

- The privacy risks to individuals whose PHI is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research;

- There is an adequate plan to protect the identifiers from improper use and disclosure;

- There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and

- There are adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by this subpart.

• A brief description of the PHI for which use or access has been determined to be necessary by the IRB or Privacy Board;
• A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures as stipulated by the Privacy Rule; and
• The signature of the chair or other member, as designated by the chair, of the IRB or the Privacy Board, as applicable.

Research Use/Disclosure With Individual Authorization:

The Privacy Rule also permits covered entities to use and disclose PHI for research purposes when a research participant authorizes the use or disclosure of information about him or herself. Today, for example, a research participant's authorization will typically be sought for most clinical trials and some records research. In this case, documentation of IRB or Privacy Board approval of a waiver of authorization is not required for the use or disclosure of PHI.

To use or disclose PHI created from a research study that includes treatment (e.g., a clinical trial), additional research-specific elements must be included in the authorization form required under § 164.508, which describe how PHI created for the research study will be used or disclosed. For example, if the covered entity/researcher intends to seek reimbursement from the research subject's health plan for the routine costs of care associated with the protocol, the authorization must describe types of information that will be provided to the health plan. This authorization may be combined with the traditional informed consent document used in research.

The Privacy Rule permits, but does not require, the disclosure of PHI for specified public policy purposes in § 164.512. With few exceptions, the covered entity/researcher may choose to limit its right to disclose information created for a research study that includes treatment to purposes narrower than those permitted by the rule, in accordance with his or her own professional standards.