Standards
for Privacy of Individually Identifiable Health Information
E. Uses and Disclosures for Which Authorization
Is Required
2. Research Authorizations
December 2000 Privacy Rule
The Privacy Rule requires covered entities to obtain an individual's
voluntary and informed authorization before using or disclosing
protected health information for any purpose that is not otherwise
permitted or required under the Rule. Uses and disclosures of protected
health information for research purposes are subject to the same
authorization requirements as uses and disclosures for other purposes.
However, for research that includes treatment of the individual,
the December 2000 Privacy Rule prescribed special authorization
requirements at Sec. 164.508(f). The December 2000 Privacy Rule,
at Sec. 164.508(b)(5), also permitted individuals to revoke their
authorization at any time, with limited exceptions. Further, the
December 2000 Privacy Rule prohibited the combining of the authorization
for the use or disclosure of existing protected health information
with any other legal permission related to the research study.
March 2002 NPRM
Several of those who commented on the December 2000 Privacy Rule
argued that certain authorization requirements in Sec. 164.508 were
unduly complex and burdensome as applied to research uses and disclosures.
In particular, several commenters favored eliminating the Rule's
specific provisions at Sec. 164.508(f) for authorizations for uses
and disclosures of protected health information for research that
includes treatment of the individual. The Department also heard
from several provider groups who argued in favor of permitting covered
entities to combine all of the research authorizations required
by the Privacy Rule with the informed consent to participate in
the research. Commenters also noted that the Rule's requirement
for an "expiration date or event that relates to the individual
or the purpose of the use or disclosure" runs counter to the
needs of research databases and repositories that are often retained
indefinitely.
In response to these concerns, the Department proposed to a number
of modifications to simplify the authorization requirements both
generally, and in certain circumstances, as they specifically applied
to uses and disclosures of protected health information for research.
In particular, the Department proposed a single set of authorization
requirements for all uses and disclosures, including those for research
purposes. This proposal would eliminate the additional authorization
requirements for the use and disclosure of protected health information
created for research that includes treatment of the individual.
Consistent with this proposed change, the Department further proposed
to modify the requirements prohibiting the conditioning of authorizations
at Sec. 164.508(b)(4)(i) to remove the reference to Sec. 164.508(f).
In addition, the Department proposed that the Privacy Rule permit
an authorization for the use or disclosure of protected health information
to be combined with any other legal permission related to the research
study, including another authorization or consent to participate
in the research.
Finally, the Department proposed to provide explicitly that the
statement, "end of a research study," or similar language
be sufficient to meet the requirement for an expiration date in
Sec. 164.508(c)(1)(v). Additionally, the Department proposed that
the statement "none" or similar language be sufficient
to meet this provision if the authorization was for a covered entity
to use or disclose protected health information for the creation
or maintenance of a research database or repository.
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this
issue are discussed below in the section entitled, "Response
to Other Public Comments."
The vast majority of commenters were very supportive of the proposed
revisions to the Rule's provisions for research authorizations.
However, the Department did hear from several commenters that the
Privacy Rule's requirement for an expiration date or event should
be eliminated for all research uses and disclosures of protected
health information, not just for uses and disclosures for the creation
or maintenance of a research database or repository, as was proposed
in the NPRM. These commenters were concerned that the Privacy Rule
would prohibit important uses and disclosures of protected health
information after the termination of a research project, such as
the reporting of research results to the Food and Drug Administration
(FDA) for an FDA investigational new drug application, unless the
covered entity obtained another patient authorization. In addition,
several of these commenters cited confusion in defining repositories
and databases. Some of these commenters stated that an individual
who authorizes information to be used for an indeterminate time
most likely expects and intends for the information to be used and
disclosed if needed well into the future, regardless of whether
or not the research involves the use or disclosure of protected
health information for the creation or maintenance of a database
or repository.
Several commenters responded to the Department's request for comments
on how to appropriately limit uses and disclosures following revocation
of an authorization, while preserving the integrity of the research.
The NPRM attempted to clarify that "even though a revocation
will prevent a covered entity from further disclosing protected
health information for research purposes, the exception to this
requirement is intended to allow for certain continued uses of information
as appropriate to preserve the integrity of the research study."
However, the NPRM further stated that "if covered entities
were permitted to continue using or disclosing protected health
information for the research project even after an individual had
revoked his or her authorization, this would undermine the primary
objective of the authorization requirements to be a voluntary, informed
choice of the individual." Several commenters were concerned
and confused by the NPRM's statements. In particular, the Department
received comments urging that the regulation permit covered entities
to use and disclose research data already obtained, even after an
individual has withdrawn his or her authorization. These commenters
suggested that once a subject has authorized the use and disclosure
of protected health information for research and the covered entity
has relied on the authorization, the covered entity must retain
the ability to use or disclose the subject's pre-withdrawal information
for purposes consistent with the overall research. One commenter
argued that it would be inadequate for the reliance exception at
Sec. 164.508(b)(5) to be interpreted to permit continued uses of
the individual's information as appropriate only to account for
an individual's withdrawal from the study. In this commenter's opinion,
most research would call for the continued use of protected health
information obtained prior to an individual's revocation of their
authorization to safeguard statistical validity and truly to preserve
the integrity of human research.
Final Modifications
The Department agrees with the commenters that supported the NPRM's
proposed simplification of authorizations for research uses and
disclosures of protected health information and, therefore, adopts
the modifications to these provisions as proposed in the NPRM. The
final Rule requires a single set of authorization requirements for
all uses and disclosures, including those for research purposes,
and permits an authorization for the use or disclosure of protected
health information to be combined with any other legal permission
related to the research study, including another authorization or
consent to participate in the research.
In addition, in response to commenters' concerns that the Rule
would prohibit important uses and disclosures of protected health
information after the termination of a research project, the final
Rule eliminates the requirement for an expiration date for all uses
and disclosures of protected health information for research purposes,
not only for the creation and maintenance of a research database
or repository. The Department agrees that the line between research
repositories and databases in particular, and research data collection
in general, is sometimes arbitrary and unclear. If the authorization
for research uses and disclosures of protected health information
does not have an expiration date, the final Rule at Sec. 164.508(c)(1)(v),
requires that this fact be stated on the authorization form. Patients
continue to control whether protected health information about them
may be used or disclosed for research, since the authorization must
include an expiration date or event, or a statement that the authorization
will have no expiration date. In addition, patients will be permitted
to revoke their authorization at any time during the research project,
except as specified under Sec. 164.508(b)(5). However, the Department
notes that researchers may choose to include, and covered entities
may choose to require, an expiration date when appropriate.
Although the final Rule does not modify the revocation provision
at Sec. 164.508(b)(5), in response to commenters' concerns, the
Department clarifies that this provision permits covered entities
to continue using and disclosing protected health information that
was obtained prior to the time the individual revoked his or her
authorization, as necessary to maintain the integrity of the research
study. An individual may not revoke an authorization to the extent
the covered entity has acted in reliance on the authorization. For
research uses and disclosures, this reliance exception at Sec. 164.508(b)(5)(i)
permits the continued use and disclosure of protected health information
already obtained pursuant to a valid authorization to the extent
necessary to preserve the integrity of the research study. For example,
the reliance exception would permit the continued use and disclosure
of protected health information to account for a subject's withdrawal
from the research study, as necessary to incorporate the information
as part of a marketing application submitted to the FDA, to conduct
investigations of scientific misconduct, or to report adverse events.
However, the reliance exception would not permit a covered entity
to continue disclosing additional protected health information to
a researcher or to use for its own research purposes information
not already gathered at the time an individual withdraws his or
her authorization. The Department believes that this clarification
of the Rule will minimize the negative effects on research caused
by participant withdrawal and will allow for important continued
uses and disclosures to occur, while maintaining privacy protections
for research subjects.
Response to Other Public Comments
Comment: In opposition to the March 2002 NPRM, one commenter
suggested prohibiting the combining of authorization forms with
an informed consent when the covered entity disclosing the protected
health information is not otherwise participating in research. The
commenter argued that the NPRM would allow covered entities to receive
more information than necessary to fulfill a patient's authorization
request, such as information about the particular type or purpose
of the study itself, and could, thereby, violate the patient's privacy.
Response: The Department acknowledges the concern raised
by these commenters; however, prohibiting the combination of authorization
forms with an informed consent reduces the flexibility proposed
in the March 2002 NPRM. Since the final modifications permit--but
do not require-- such combining of forms, the Department has decided
to leave it to the discretion of researchers or the IRBs to determine
whether the combining of authorization forms and consent forms for
research would be appropriate for a particular research study.
Comment: Some commenters supported retaining the December
2000 Privacy Rule requirement that a description of the extent to
which protected health information will be used or disclosed for
treatment, payment, or health care operations be included in an
authorization to use or disclose protected health information for
a research study that includes treatment of individuals. These commenters
argued that an individual's ability to make informed decisions requires
that he or she know how research information will and will not be
used and disclosed.
Response: The Department agrees with the majority of the
commenters who were in support of the March 2002 NPRM proposal to
eliminate the additional authorization requirements for research
that includes treatment, and has adopted these proposed modifications
in the final Rule. Retaining the distinction between research that
involves treatment and research that does not would require overly
subjective decisions without providing commensurate privacy protections
for individuals. However, the Department notes that it may sometimes
be advisable for authorization forms to include a statement regarding
how protected health information obtained for a research study will
be used and disclosed for treatment, payment, and health care operations,
if such information would assist individuals in making informed
decisions about whether or not to provide their authorization for
a research study.
Comment: One commenter argued that expiration dates should
be included on authorizations and that extensions should be required
for all research uses and disclosures made after the expiration
date or event has passed.
Response: The Department disagrees. We have determined that
an expiration date or event would not always be feasible or desirable
for some research uses and disclosures of protected health information.
By allowing for no expiration date, the final Rule permits without
separate patient authorization important disclosures even after
the "termination of the research project" that might otherwise
be prohibited. However, the final Rule contains the requirement
that the patient authorization specify if the authorization would
not have an expiration date or event. Therefore, patients will have
this information to make an informed decision about whether to sign
the authorization.
Comment: Another commenter suggested permitting covered
entities/ researchers to continue using or disclosing protected
health information even after a revocation of the initial authorization
but only if an IRB or Privacy Board approved the continuation. This
commenter argued that such review by an IRB or Privacy Board would
protect privacy, while permitting continued uses and disclosures
of protected health information for important purposes.
Response: As stated above, the Department agrees that it
may sometimes be necessary to continue using and disclosing protected
health information even after an individual has revoked his or her
authorization in order to preserve the integrity of a research study.
Therefore, the Department has clarified that the reliance exception
at Sec. 164.508(b)(5)(i) would permit the continued use and disclosure
of protected health information already obtained pursuant to a valid
authorization to the extent necessary to preserve the integrity
of the research study. A requirement for documentation of IRB or
Privacy Board review and approval of the continued use or disclosure
of protected health information after an individual's authorization
had been revoked could protect patient privacy. However, the Department
believes that the additional burden on the IRB or Privacy Board
could be substantial, and is not warranted at this time.
Comment: A commenter requested clarification that the "reliance
exception" does not permit covered entities as researchers
to continue analyzing data once an individual has revoked his or
her authorization.
Response: As discussed above, the Department disagrees with
this comment. Patient privacy must be balanced against other public
goods, such as research and the risk of compromising such research
projects if researchers could not continue to use such data. The
Department determined that permitting continued uses and disclosures
of protected health information already obtained to protect the
integrity of research, even after an individual's authorization
has been revoked, would pose minimal privacy risk to individuals
without compromising research.
Comment: Several commenters suggested permitting the proposed
authorization requirement for a "description of each purpose
of the requested use or disclosure" at Sec. 164.508 to be sufficiently
broad to encompass future unspecified research. These commenters
argued that this option would reduce the burden for covered entities
and researchers by permitting covered entities to use or disclose
protected health information for re-analysis without having to obtain
an additional authorization from the individual. Some discussed
the possibility that burden for patients would also be reduced because
they would not have to provide additional authorizations. These
commenters also argued that such a provision would more directly
align the Rule with the Common Rule, which permits broad informed
consent for secondary studies if the IRB deems the original informed
consent to be adequate.
Response: The Department disagrees with broadening the required
"description of the purpose of the use or disclosure"
because of the concern that patients would lack necessary information
to make an informed decision. In addition, unlike the Common Rule,
the Privacy Rule does not require IRB or Privacy Board review of
research uses and disclosures made with individual authorization.
Therefore, instead of IRBs or Privacy Boards reviewing the adequacy
of existing patient authorizations, covered entities would be left
to decide whether or not the initial authorization was broad enough
to cover subsequent research analyses. Furthermore, it should be
noted that patient authorization would not be required for such
re-analysis if, with respect to the re- analysis, the covered entity
obtains IRB or Privacy Board waiver of such authorization as required
by Sec. 164.512(i). For these reasons, the Department has decided
to retain the requirement that each purpose of the requested use
or disclosure described in the authorization form be research study
specific. However, the Department understands that, in the past,
some express legal permissions and informed consents have not been
study-specific and sometimes authorize the use or disclosure of
information for future unspecified research. Furthermore, some IRB-
approved waivers of informed consent have been for future unspecified
research. Therefore, the final Rule at Sec. 164.532 permits covered
entities to rely on an express legal permission, informed consent,
or IRB-approved waiver of informed consent for future unspecified
research, provided the legal permission, informed consent or IRB-
approved waiver was obtained prior to the compliance date.
Comment: Several commenters suggested retaining the authorization
element requiring a statement regarding "the potential for
information disclosed pursuant to the authorization to be subject
to redisclosure by the recipient and no longer protected by this
Rule" but with one addition. This addition would state that
"researchers could only use or disclose the protected health
information for purposes approved by the IRB or as required by law
or regulation." These commenters argued that this would be
clearer to participants and would prevent the misconception that
their information would not be protected by any confidentiality
standards.
Response: The Department recognizes the concern of the commenters
seeking to supplement the requirement, but points out
that, although the final Rule will not require this
addition, it is permissible to include such a statement
in the authorization. In addition, since the Privacy
Rule does not require IRB or Privacy Board review of
research uses and disclosures made with patient authorization,
the Department determined that adding the commenters'
suggestion to the final Rule would be inappropriate.
Section III.E.1. above provides further discussion of
this provision.
|
