Standards for Privacy of Individually Identifiable Health Information
F. Section 164.512--Uses and Disclosures for Which Authorization or Opportunity To Agree or Object Is Not Required
2. Institutional Review Board (IRB) or Privacy Board Approval of a Waiver of Authorization
December 2000 Privacy Rule
The Privacy Rule builds upon existing Federal regulations governing
the conduct of human subjects research. In particular, the Rule
at Sec. 164.512(i) establishes conditions under which covered entities
can use and disclose protected health information for research purposes
without individual authorization if the covered entity first obtains
either of the following:
- Documentation of approval of a waiver of authorization from
an Institutional Review Board (IRB) or a Privacy Board. The Privacy
Rule specifies requirements that must be documented, including
the Board's determination that eight defined waiver criteria had
been met.
- Where a review of protected health information is conducted
preparatory to research or where research is conducted solely
on decedents' information, certain representations from the researcher,
including that the use or disclosure is sought solely for such
a purpose and that the protected health information is necessary
for the purpose.
March 2002 NPRM
A number of commenters informed the Department that the eight waiver
criteria in the December 2000 Privacy Rule were confusing, redundant,
and internally inconsistent. These commenters urged the Department
to simplify these provisions, noting that they would be especially
burdensome and duplicative for research that was currently governed
by the Common Rule. In response to these comments, the Department
proposed the following modifications to the waiver criteria for
all research uses and disclosures of protected health information,
regardless of whether or not the research is subject to the Common
Rule:
- The Department proposed to delete the criterion that "the
alteration or waiver will not adversely affect the privacy rights
and the welfare of the individuals," because it may conflict
with the criterion regarding the assessment of minimal privacy
risk.
- In response to commenters' concerns about the overlap and potential
inconsistency among several of the Privacy Rule's criteria, the
Department proposed to turn the following three criteria into
factors that must be considered as part of the IRB's or Privacy
Board's assessment of minimal risk to privacy:
- There is an adequate plan to protect the identifiers from
improper use and disclosure;
- There is an adequate plan to destroy the identifiers at the
earliest opportunity consistent with the conduct of the research,
unless there is a health or research justification for retaining
the identifiers, or such retention is otherwise required by
law; and
- There are adequate written assurances that the protected health
information will not be reused or disclosed to any other person
or entity, except as required by law, for authorized oversight
of the research project, or for other research for which the
use or disclosure of protected health information would be permitted
by this subpart.
- In response to concerns that the following waiver criterion
was unnecessarily duplicative of other provisions to protect patients'
confidentiality interests, the Department proposed to eliminate
the criterion that: "the privacy risks to individuals whose
protected health information is to be used or disclosed are reasonable
in relation to the anticipated benefits, if any, to the individual,
and the importance of the knowledge that may reasonably be expected
to result from the research."
In sum, the NPRM proposed that the following waiver criteria replace
the waiver criteria in the December 2000 Privacy Rule at Sec. 164.512(i)(2)(ii):
- The use or disclosure of protected health information involves
no more than a minimal risk to the privacy of individuals, based
on, at least, the presence of the following elements:
- (a) An adequate plan to protect the identifiers from improper
use and disclosure;
- (b) An adequate plan to destroy the identifiers at the earliest
opportunity consistent with conduct of the research, unless
there is a health or research justification for retaining the
identifiers or such retention is otherwise required by law;
and
- (c) Adequate written assurances that the protected health
information will not be reused or disclosed to any other person
or entity, except as required by law, for authorized oversight
of the research project, or for other research for which the
use or disclosure of protected health information would be permitted
by this subpart;
- The research could not practicably be conducted without the
waiver or alteration; and
- The research could not practicably be conducted without access
to and use of the protected health information.
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this
issue are discussed below in the section entitled, "Response
to Other Public Comments."
The overwhelming majority of commenters were supportive of the
Department's proposed modifications to the Privacy Rule's waiver
criteria. These commenters found that the proposed revisions adequately
addressed earlier concerns that the waiver criteria in the December
2000 Rule were confusing, redundant, and internally inconsistent.
However, a few commenters argued that some of the proposed criteria
continued to be too subjective and urged that they be eliminated.
Final Modifications
The Department agrees with the majority of commenters that supported
the proposed waiver criteria, and adopts the modifications as proposed
in the NPRM. The criteria safeguard patient privacy, require attention
to issues sometimes currently overlooked by IRBs, and are compatible
with the Common Rule. Though IRBs and Privacy Boards may initially
struggle to interpret the criteria, as a few commenters mentioned,
the Department intends to issue guidance documents to address this
concern. Furthermore, the Department notes that experience and guidance
have enabled IRBs to successfully implement the Common Rule's waiver
criteria, which also require subjective determinations.
This final Rule also contains a conforming modification in Sec.
164.512(i)(2)(iii) to replace "(i)(2)(ii)(D)" with "(i)(2)(ii)(C)."
Response to Other Public Comments
Comment: It was suggested that the Department eliminate
the March 2002 NPRM waiver criterion that requires IRBs or Privacy
Boards to determine if there is an "adequate plan to protect
identifiers from improper use and disclosure," in order to
avoid the IRB having to make subjective decisions.
Response: The Department disagrees with the commenter that
the waiver criterion adopted in this final Rule is too subjective
for an IRB or a Privacy Board to use. First, the consideration of
whether there is an adequate plan to protect identifiers from improper
use and disclosure is one of three factors that an IRB or Privacy
Board must weigh in determining that the use or disclosure of protected
health information for the research proposal involves no more than
a minimal risk to the privacy of the individual. The Department
does not believe that the minimal risk determination, which is based
upon a similar waiver criterion in the Common Rule, is made unduly
subjective by requiring the IRB to take into account the researcher's
plans for maintaining the confidentiality of the information.
Second, as noted in the discussion of these provisions in the proposal,
the Privacy Rule is intended to supplement and build upon the human
subject protections already afforded by the Common Rule and the
Food and Drug Administration's human subject protection regulations.
One provision already in effect under these authorities is that,
to approve a study, an IRB must determine that "when appropriate,
there are adequate provisions to protect the privacy of subjects
and to maintain the confidentiality of data." (Common Rule
Sec. __.111(a)(7), 21 CFR 56.111(a)(7).) The Department, therefore,
believes that IRBs and Privacy Boards are accustomed to making the
type of determinations required under the Privacy Rule.
Nonetheless, as stated above, the Department is prepared to respond
to actual issues that may arise during the implementation of these
provisions and to provide the guidance necessary to address concerns
of IRBs, Privacy Boards, and researchers in this area.
Comment: A few commenters requested elimination of the waiver
element at Sec. 164.512(i)(2)(ii)(A)(2) that would require the IRB
or Privacy Board to determine that "there is an adequate plan
to destroy identifiers at the earliest opportunity consistent with
the conduct of the research, unless there is a health or research
justification for their retention or such retention is required
by law." These commenters argued that this requirement may
lead to premature destruction of the data, which may hinder investigations
of defective data analysis or research misconduct.
Response: The waiver element at Sec. 164.512(i)(2)(ii)(A)(2)
accounts for these concerns by permitting the retention of identifiers
if there is a health or research justification, or if such retention
is required by law. It is expected that IRBs and Privacy Boards
will consider the need for continued analysis of the data, research,
and possible investigations of research misconduct when considering
whether this waiver element has been met. In addition, destroying
identifiers at the earliest opportunity helps to ensure that the
use or disclosure of protected health information will indeed pose
no more than "minimal risk to the privacy of individuals."
Requiring the researcher to justify the need to retain patient identifiers
provides needed flexibility for research, while maintaining the
goal of protecting individuals' privacy interests. If additional
issues arise after implementation, the Department can most appropriately
address them through guidance.
Comment: Commenters also requested clarification of the
proposed waiver element at Sec. 164.512(i)(2)(ii)(A)(3), that will
require an IRB or Privacy Board to determine that there are "adequate
written assurances that the protected health information would not
be reused or disclosed to any other person or entity, except as
required by law, for authorized oversight of the research project,
or for other research for which the use or disclosure of protected
health information would be permitted by this subpart." Specifically,
the commenter's concern centered on what effect this criterion could
have on retrospective studies involving data re-analysis.
Response: The Department clarifies that the Privacy Rule
permits the use or disclosure of protected health information for
retrospective research studies involving data re-analysis only if
such use or disclosure is made either with patient authorization
or a waiver of patient authorization as permitted by Sec. 164.508
or Sec. 164.512(i), respectively. If issues develop in the course
of implementation, the Department intends to provide the guidance
necessary to address these questions.
Comment: A few commenters suggested clarifying that recruitment
for clinical trials by a covered entity using protected health information
in the covered entity's possession is a health care operation function,
not a marketing function. These commenters argued that a partial
IRB or Privacy Board waiver of authorization for recruitment purposes
would be too burdensome for the covered entity, and would prevent
covered health care providers from communicating with their patients
about the availability of clinical trials.
Response: Research recruitment is neither a marketing nor
a health care operations activity. Under the Rule, a covered entity
is permitted to disclose protected health information to the individual
who is the subject of the information, regardless of the purpose
of the disclosure. See Sec. 164.502(a)(1)(i). Therefore, covered
health care providers and patients may continue to discuss the option
of enrolling in a clinical trial without patient authorization,
and without an IRB or Privacy Board waiver of patient authorization.
However, where a covered entity wants to disclose an individual's
information to a third party for purposes of recruitment in a research
study, the covered entity first must obtain either authorization
from that individual as required at Sec. 164.508, or a waiver of
authorization as permitted at Sec. 164.512(i).
Comment: It was suggested that the Rule should permit covered
health care providers to obtain an authorization allowing the use
of protected health information for recruitment into clinical trials
without specifying the person to whom the information would be disclosed
and the exact information to be disclosed, but retaining the authorization
requirements of specified duration and purpose, and adding a requirement
for the minimum necessary use or disclosure.
Response: The Department understands that the Privacy Rule
will alter some research recruitment but disagrees with the commenter's
proposal to permit broad authorizations for recruitment into clinical
trials. The Department decided not to adopt this suggestion because
such a blanket authorization would not provide individuals with
sufficient information to make an informed choice about whether
to sign the authorization. In addition, adopting this change also
would be inconsistent with the Department's decision to eliminate the
distinction in the Rule between research that includes treatment
and research that does not.
Comment: It was suggested that the Department exempt from
the Privacy Rule research that is already covered by the Common
Rule and/or FDA's human subject protection regulations. Commenters
stated that this would reduce the burden of complying with the Rule
for covered entities and researchers already governed by human subject
protection regulations, while requiring those not previously subject
to compliance with human subject protection regulations to protect
individuals' privacy.
Response: Many who commented on the December 2000 Privacy
Rule argued for this option as well. The Department had previously
considered, but chose not to adopt, this approach. Since the Common
Rule and the FDA's human subject protection regulations contain
only two requirements that specifically address confidentiality
protections, the Privacy Rule will strengthen existing human subject
privacy protections for research. More importantly, the Privacy
Rule creates equal standards of privacy protection for research
governed by the existing regulations and research that is not.
Comment: It was argued that the waiver provision should
be eliminated. The commenter argued that IRBs or Privacy Boards
should not have the right to waive a person's privacy rights, and
that individuals should have the right to authorize all uses and
disclosures of protected health information about themselves.
Response: The Department disagrees that safeguarding individuals'
privacy interests requires that individuals be permitted to authorize
all uses and disclosures of protected health information about themselves.
In developing the Privacy Rule, the Department carefully weighed
individuals' privacy interests with the need for identifiable health
information for certain public policy and national priority purposes.
The Department believes that the Privacy Rule reflects an appropriate
balance. For example, the Rule appropriately allows for the reporting
of information necessary to ensure public health, such as information
about a contagious disease that may be indicative of a bioterrorism
event, without individual authorization. With respect to research,
the Department strongly believes that continued improvements in
our nation's health require that researchers be permitted access
to protected health information without individual authorization
in certain limited circumstances. However, we do believe that researchers'
ability to use protected health information without a patient's
authorization is a privilege that requires strong confidentiality
protections to ensure that the information is not misused. The Department
believes that the safeguards required by the final Rule achieve
the appropriate balance between protecting individuals' privacy
interests, while permitting researchers to access protected health
information for important, and potentially life-saving, studies.
Comment: A few commenters stated that, if the Rule permits
covered entities to release protected health information to sponsor-initiated
registries related to quality, safety, or effectiveness of FDA-
regulated products, then this permission should apply to academic
institutes and non-profit organizations as well. Otherwise, the
commenters argued, the Rule establishes a double standard for research
registries created by FDA-regulated entities versus registries created
by academic or non-profit sponsored entities.
Response: The provisions under Sec. 164.512(b)(iii) are
intended to allow the disclosure of information to FDA-regulated
entities for the limited purpose of conducting public health activities
to ensure the quality, safety, or effectiveness of FDA-regulated
products, including drugs, medical devices, biological products,
and food. Thus, the Department does not believe a modification to
the research provisions is appropriate. The Privacy Rule permits
covered entities to disclose protected health information to a registry
for research purposes, including those sponsored by academic and
non-profit organizations, if such disclosure: is required by law
under Sec. 164.512(a), is made pursuant to an IRB or Privacy Board
waiver of authorization under Sec. 164.512(i), is made pursuant
to the individual's authorization as provided by Sec. 164.508, or
consists only of a limited data set as provided by Sec. 164.514(e).
Comment: It was suggested that the Department modify the
Rule's definition of "research" or the provision for preparatory
research to explicitly permit the building and maintenance of research
databases and repositories. The commenter further asserted that,
under the Common Rule, "research" signifies an actual
research protocol, and would not include a data or tissue compilation
that is undertaken to facilitate future protocols. Therefore, since
the Privacy Rule and the Common Rule have the same definition of
"research," this commenter was concerned that the Privacy
Rule would not permit a pre-research practice in which a covered
entity compiles protected health information in a systematic way
to either assist researchers in their reviews that are preparatory
to research, or to conduct future research.
Response: The Department does not believe such a modification
is necessary. Under the Common Rule, the Office for Human Research
Protections (OHRP) has interpreted the definition of "research"
to include the development of a repository or database for future
research purposes. In fact, OHRP has issued guidance on this issue,
which can be found at the following URL: http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://ohrp.osophs.dhhs.gov/humansubjects/guidance/reposit.htm.
The Department interprets the definition of "research"
in the Privacy Rule to be consistent with what is considered research
under the Common Rule. Thus, the development of research repositories
and databases for future research are considered research for the
purposes of the Privacy Rule.
Comment: A commenter suggested eliminating the minimum necessary
requirement for uses and disclosures made pursuant to a waiver of
authorization by an IRB or Privacy Board. The commenter argued that
this proposal would lessen covered entities' concern that they would
be held responsible for an IRB or Privacy Board's inappropriate
determination and would, thus, increase the likelihood that covered
entities would rely on the requesting researcher's IRB or Privacy
Board documentation that patient authorization could be waived as
permitted at Sec. 164.512(i). This commenter further argued that
this proposal would discourage covered entities from imposing duplicate
review by the covered entities' own IRB or Privacy Board, thereby
decreasing burden for covered entities, researchers, IRBs, and Privacy
Boards.
Response: Although the Secretary acknowledges the concern
of these commenters, the Rule at Sec. 164.514(d)(3)(iii)(D)
already permits covered entities to reasonably rely
on documentation from an external IRB or Privacy Board
as meeting the minimum necessary requirement, provided
the documentation complies with the applicable requirements
of Sec. 164.512(i). The Department understands that
covered entities may elect to require duplicate IRB
or Privacy Board reviews before disclosing protected
health information to requesting researchers, but has
determined that eliminating the minimum necessary requirement
would pose inappropriate and unnecessary risk to individuals'
privacy. For example, if the covered entity has knowledge
that the documentation of IRB or Privacy Board approval
was fraudulent with respect to the protected health
information needed for a research study, the covered
entity should not be permitted to rely on the IRB or
Privacy Board's documentation as fulfilling the minimum
necessary requirement. Therefore, in the revised Final
Rule, the Department has retained the minimum necessary
requirement for research uses and disclosures made pursuant
to Sec. 164.512(i).