THE PRIVACY RULE (HIPAA) AS IT RELATES TO CLINICAL RESEARCH
John M. Harrelson, MD and John M. Falletta, MD
Duke University Health System, Durham, NC, USA
1. INTRODUCTION
The U.S. Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to protect a worker's health insurance coverage as the worker changes employment, to reduce fraud, and to establish national standards for electronic healthcare transactions. Also reflected in HIPAA is a concern for the privacy of a person and the confidentiality of his/her health information. The increase in computerized medical records and electronic transfer of information by e-mail, fax and the Internet has led to a heightened concern that the confidentiality of health information could be compromised. Federal privacy regulations implemented as a result of HIPAA (Title 45 CFR parts 160 & 164, referred to as the Privacy Rule) [1] apply to "covered entities", which are defined as health plans, health care clearinghouses or health care providers who transmit any health information electronically. Individual investigators involved in research with human subjects must comply with the regulations if they are also health care providers who electronically transmit health information or if they are employees or members of a covered entity.
With the implementation of the Privacy Rule, research involving humans as research subjects must be conducted according to three sets of regulations.
Investigators doing research involving a product regulated by the Food and Drug Administration (FDA) are required to meet all relevant FDA regulations. Such research ordinarily involves the use of a drug, device or biological product, whether the regulated product has received FDA approval for marketing or remains an investigational product. If the investigator receives U.S. federal funds to support his/her research, or if the investigator is a faculty or staff member of an academic institution that has made a commitment to the U.S. Department of Health and Human Services (DHHS) to follow all federal regulations governing research involving human subjects, the investigator is required to comply with regulations found at 45 CFR 46, including subparts A through D [2]. Subpart A, titled "Federal Policy for the Protection of Human Subjects," is referred to as the Common Rule. These regulations, while very similar to the FDA regulations, differ in part because their scope includes research not involving a drug, device or biological product, such as behavioral research, epidemiological research and educational research. A description of how the FDA regulations and 45 CFR 46 differ is available.
Both the Common Rule and the FDA regulations require that research involving human subjects be reviewed and approved by an Institutional Review Board (IRB) that is duly constituted and registered with the Office for Human Research Protections (OHRP) (for the Common Rule) and with the FDA. The criteria for IRB approval of such research are found at 45 CFR 46.111 (Common Rule) and 21 CFR 56.111 (FDA regulations) [4]. The criteria are essentially the same.
These regulations are unchanged by the Privacy Rule. While they provide for protection of the research subject's privacy and for the confidentiality of his/her research data, such protections are enhanced by the Privacy Rule. It adds a layer of privacy protections for subjects by defining the ways in which individually identifiable health information may be used in research. This chapter will explore the ways in which these three sets of regulations must be combined while the investigator is conducting clinical research.
2. WHAT NEW CONSIDERATIONS DOES THE PRIVACY RULE ADD TO RESEARCH?
PHI:
The Privacy Rule defines individually identifiable health information transmitted or maintained by a covered entity in any form (electronic, written or oral) as "protected health information" (PHI) and establishes the conditions under which investigators may access and use this information in the conduct of research. PHI is any information that relates to the past, present or future physical or mental health or condition of an individual who can be identified by any of eighteen specific identifiers [name, geographic location smaller than a State or the first three digits of a zip code, dates except year, telephone number, fax number, e-mail address, social security number, medical record number, health plan beneficiary numbers, account numbers, certificate or license numbers, vehicle identifiers and serial numbers, device identifiers and serial numbers, URLs, Internet protocol (IP) address numbers, biometric identifiers, full face photographs, any other unique identifying number, characteristic or code (45 CFR 164.514(b)(2)(i))].
Health information in this context includes biological specimens if they can be individually identified.
Authorization:
Except as otherwise permitted, the Privacy Rule requires that a research subject "authorize" the use or disclosure of the PHI to be utilized in the research. This authorization is distinct from the subject's consent to participate in research, which is required under the Common Rule and FDA regulations. Just as a valid consent under the Common Rule and FDA regulations must meet certain requirements, a valid authorization must contain certain core elements [45 CFR 164.508(c)(1-2)]. The subject must specifically authorize what research information may be shared, by whom, and who may receive the information; must acknowledge the expiration of the authorization and have the right to revoke the authorization; and must be informed that further disclosure by recipients of the information may not be covered by the federal privacy rules. This authorization may be incorporated in the informed consent document or be a stand-alone document.
Privacy Board:
The Privacy Rule [45 CFR 164.512(i)(1)(i)(B)] describes a new board, constituted in a manner similar to an IRB, that has authority to implement the Rule as it relates to alteration of authorization or waiver of authorization. Those alteration/waiver criteria are described below. Note that the Privacy Board has no authority to implement either the Common Rule or FDA regulations.
Review Preparatory to Research:
The Privacy Rule makes clear that some action to satisfy the Rule is required by the investigator if he/she wants to use PHI for research purposes. This action may be as simple as notifying the relevant covered entity of the research plan, or as complex as obtaining IRB or Privacy Board approval for waiving authorization to use PHI for research. If an investigator wishes to review PHI in order to determine the feasibility of a research project, he/she may do so by notifying the covered entity, usually through the IRB or Privacy Board, of a planned "Review Preparatory to Research" [45 CFR 164.512(i)(1)(ii)]. By this notification the investigator declares that he/she will use the PHI solely as needed to prepare a research protocol or for similar purposes preparatory to research, that the PHI will not be reused or re-disclosed for another purpose or leave the investigator's institution (covered entity), and that the PHI is necessary in order to develop the protocol. Note that a Review Preparatory to Research may be used by an investigator, prior to IRB approval of the entire research protocol, in order to review the PHI of potential research subjects; however, the investigator may not contact potential subjects to ask for their participation in the research without first obtaining IRB approval of the research. Likewise, the investigator may wish to record PHI or other identifiable private information obtained from a Review Preparatory to Research; however, the investigator may not do so without first obtaining IRB approval of the research and either consent of the research subject or IRB-approved waiver of consent.
Decedent Research:
The Common Rule defines a human research subject as a living individual. The Privacy Rule recognizes both living and deceased humans as individuals whose privacy must be protected. If an investigator wishes to do a research project using PHI of deceased individuals, he/she may do so without concern for Common Rule considerations. But since Privacy Rule considerations must also be met, first the covered entity must be notified, usually by notifying the IRB or Privacy Board, in order for the investigator to attest that the use of PHI is solely for research using the PHI of decedents, and that the PHI sought is necessary in order to perform the research. The covered entity (IRB or Privacy Board) may request documentation of death [45 CFR 164.512(i)(1)(iii)].
Databases and Repositories:
The Privacy Rule recognizes the creation of a research database or a specimen repository to be a research activity if the data stored contain PHI. Similarly, each use or disclosure of PHI from a database or repository for research purposes is considered a separate research activity. The Privacy Rule does not permit authorization to be given for unspecified future research. Thus the authorization to include PHI in a database and/or specimen repository must specify the research purpose for which the use or disclosure will occur. As with any authorization, this may either be combined with an IRB-approved consent for research or obtained as a separate document. As noted below, all future research uses and disclosures of PHI from a database or repository require IRB +/- Privacy Board approval. The IRB may require re-consent/authorization if the intended purpose of the future research is outside the original intent of the database/repository. Or, alternatively, the IRB may waive consent and authorization. Anonymization and de-identification of the data or release as a limited data set with a data use agreement (discussed below) are alternate considerations that may be useful in certain circumstances.
3. OTHER INTERACTIONS BETWEEN THE PRIVACY RULE AND THE COMMON RULE
As described above (Review Preparatory to Research), DHHS has provided guidance that it considers research to be occurring if the investigator records PHI or other identifiable private information during the search for potential subjects (during the ascertainment/recruitment process).
The investigator must therefore first obtain IRB approval of the research, and then obtain either consent and authorization of the subjects or IRB +/- Privacy Board approval of a waiver of consent and authorization to conduct the study.
To approve a waiver of consent under the Common Rule [45 CFR 46.116(d)], the IRB must find that:
a) The research involves no more than minimal risk.
b) The waiver does not adversely affect the rights and welfare of the subject.
c) The research could not be practicably carried out without the waiver.
d) Whenever appropriate, the subjects will be informed of any pertinent information.
In order for the IRB or Privacy Board also to approve an alteration or waiver of authorization, the Privacy Rule [45 CFR 164.512(i)(2)(ii)] requires the IRB or Privacy Board to find that:
a) Disclosure of the PHI involves no more than minimal risk to the privacy of individuals.
b) The waiver will not adversely affect the privacy rights or welfare of the subject.
c) The research could not practicably be carried out without the waiver.
d) The research could not practicably be carried out without access to the PHI.
e) The privacy risks are reasonable in relation to the information to be gained.
f) There is an adequate plan to protect the identifiers from improper use and disclosure.
g) There is an adequate plan to destroy the identifiers at the earliest opportunity.
h) There is written assurance that the PHI will not be further disclosed.
3.1 How can the investigator reduce the impact of the Common Rule and the Privacy Rule on his/her research that utilizes data/sample repositories?
Both the Common Rule and the Privacy Rule contain provisions that, if met, permit research to proceed without further restrictions from either Rule.
For example, a research activity does not prompt Common Rule or Privacy Rule considerations if the research does not involve a "human subject", as defined by 45 CFR 46.102(f), and the research does not involve the use or disclosure of PHI, as defined by 45 CFR 160.103. More precisely stated for our purposes, if the information associated with the research data and/or samples is modified so it does not relate, either directly or indirectly, to an identifiable living person, and the information either does not involve PHI, or includes only a few specific indirect identifiers linked to the person (limited data set) and is accompanied by a data use agreement, then research with those data/samples can be declared not to involve a human subject and thus not to be subject to the Common Rule, and either not be subject to or be in compliance with the Privacy Rule.
By far the most common use of these approaches relates to research with a database and/or a sample repository [7]. By meeting the following conditions, the investigator is able to reduce the impact of both Rules on his/her research activity.
1) Modify information associated with the data/samples so the information does not relate to a "human subject", thereby permitting the research not to be subject to the Common Rule.
This can be achieved either by anonymizing (unlinking) the data/samples or by establishing the conditions whereby the subject's identity cannot readily be ascertained. Either approach satisfies Common Rule considerations. In many circumstances, anonymization also satisfies the Privacy Rule.
a) Anonymizing (unlinking) the data/samples involves removing all identifiers and codes that directly or indirectly link a particular data point or sample to an identifiable person. These data/samples then become irreversibly unlinked from any subject identifiers.
b) Establishing the conditions whereby the subject's private information or specimens cannot be individually identifiable either directly or indirectly through a coding system:
(i) Confirmation that the private information or specimens were not collected specifically for the currently proposed research project through an interaction or intervention with living individuals;
and
(ii) The investigator cannot readily ascertain the identity of the individual(s) to whom the coded private information or specimens pertain because, for example:
(a) the key to decipher the code is destroyed before the research begins;
(b) the investigator and the holder of the key enter into an agreement prohibiting the release of the key to the investigator under any circumstances, until the individuals are deceased;
(c) there are IRB-approved written policies and operating procedures for a repository or data management center that prohibit the release of the key to the investigators under any circumstances, until the individuals are deceased; or
(d) there are other legal requirements prohibiting the release of the key to the investigators, until the individuals are deceased.
2) Modify information associated with the data/samples so the information does not contain PHI, rendering the data not subject to the Privacy Rule, or present the PHI as a limited data set with a data use agreement, thereby fulfilling Privacy Rule requirements.
a) The information will not contain PHI if the information does not include health information (45 CFR 160.103), or the health information linked to the data/samples has been de-identified (45 CFR 164.514(b)). Note that the Privacy Rule describes two methods for de-identification: the "statistical method" (45 CFR 164.514(b)(1)) and the "safe harbor" method (45 CFR 164.514(b)(2)). While the latter is by far more commonly used than the former, the "statistical method" has the virtue of permitting more identifiers, including selected direct identifiers, to be retained with the de-identified data as long as a person such as a statistician, using generally accepted statistical and scientific principles, determines that the risk of data/sample re-identification is very small.
b) The PHI can be presented as a limited data set (45 CFR 164.514(e)) by removing all direct personal identifiers, and removing postal address information except for town or city, State and zip code (a nine-digit zip code is permitted). Event dates, the subject's age (without restriction) and an identifying code derived from the subject's PHI (such as subject initials) may be included in the limited data set. Therefore data in a limited data set are not de-identified data.
A data use agreement must be in place to ensure that the limited data set recipient will only use or disclose the protected health information for limited purposes. This agreement must establish the proposed uses of the data and who is permitted to have access to the data, and must ensure that no other use will be made of the data, no attempt will be made to contact individuals whose data are included in the limited data set, and appropriate safeguards are in place to protect the data from unauthorized use.
In summary, note that a research use of anonymized (unlinked) data is not subject to the Common Rule, and likewise, a research use of de-identified data is not subject to the Privacy Rule.
The only setting where anonymization (unlinking) of data/samples does not also confer the status of de-identification is when the anonymized (unlinked) health information contains an event date more specific than the year, a geocode (such as the subject's home address) more specific than State or 3-digit zip code, or a subject's specific age if over 89 years (instead record as age 90+ years).
The only setting where de-identification does not also confer the status of anonymization (unlinking) is when a code with a link back to the subject's identity is retained with the de-identified data.
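As an added illustration (not code from the chapter or its authors), the following Python applies the two Privacy Rule options described in item 2 above to one constructed patient record: the "safe harbor" method of 45 CFR 164.514(b)(2), and the limited data set of 45 CFR 164.514(e). It also checks the conditions in the summary (an event date finer than the year, a geocode finer than State or 3-digit zip, an exact age over 89, or any retained identifier), so the reader can see why a limited data set is not de-identified data. The field names, the sample values, the function names and the `restricted_zip3` parameter are assumptions made for this example.

```python
"""Safe-harbor de-identification versus a limited data set, applied to one
constructed patient record. Added illustration; the field names, sample
values and helper names are assumptions, not part of the chapter."""
from datetime import date
import re

# Direct identifiers that every transform below strips. These correspond to
# safe-harbor identifier categories in 45 CFR 164.514(b)(2)(i); the field
# names themselves are assumptions for this example.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
})
# Fields a limited data set may keep but safe harbor may not: geography finer
# than State / 3-digit zip, and a code derived from the subject's PHI.
LIMITED_SET_ONLY = frozenset({"city", "subject_initials"})
BIRTH_DATE_FIELDS = frozenset({"dob"})


def safe_harbor(record: dict, restricted_zip3: frozenset = frozenset()) -> dict:
    """Return a de-identified copy under the safe-harbor method: drop direct
    identifiers and sub-State geography, reduce dates to the year, truncate
    zip codes to three digits and report ages over 89 as "90+".
    `restricted_zip3` (assumed parameter) holds 3-digit prefixes that must be
    reported as "000"; the regulation requires that for sparsely populated
    areas, and the real list comes from Census data, so it is empty here."""
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in LIMITED_SET_ONLY:
            continue
        if isinstance(value, date):
            if field in BIRTH_DATE_FIELDS and over_89:
                continue  # a birth year for someone over 89 reveals the age
            out[field] = value.year
        elif field == "zip":
            prefix = re.sub(r"\D", "", value)[:3]
            out[field] = "000" if prefix in restricted_zip3 else prefix
        elif field == "age":
            out[field] = "90+" if over_89 else value
        else:
            out[field] = value
    return out


def limited_data_set(record: dict) -> dict:
    """Return a limited data set: direct identifiers and street address are
    removed, while city/State/zip, full dates, exact age and a code derived
    from the subject's PHI (initials) stay. Its use needs a data use agreement."""
    return {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS}


def safe_harbor_violations(record: dict) -> list:
    """List the reasons a record is NOT de-identified under safe harbor:
    dates finer than the year, geography finer than State or 3-digit zip,
    an exact age over 89, or any retained identifier."""
    problems = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in LIMITED_SET_ONLY:
            problems.append(f"{field}: identifier retained")
        elif isinstance(value, date):
            problems.append(f"{field}: date finer than year")
        elif field == "zip" and len(re.sub(r"\D", "", str(value))) > 3:
            problems.append(f"{field}: geocode finer than 3-digit zip")
        elif field == "age" and isinstance(value, int) and value > 89:
            problems.append(f"{field}: exact age over 89")
    return problems


# Constructed sample record; no real person is described.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "street_address": "12 Example Street",
    "city": "Durham",
    "state": "NC",
    "zip": "27705-1234",
    "dob": date(1912, 4, 2),
    "admit_date": date(2005, 11, 17),
    "age": 93,
    "diagnosis": "type 2 diabetes",
    "subject_initials": "JE",
}

if __name__ == "__main__":
    print("safe harbor:", safe_harbor(SAMPLE_RECORD))
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    print("limited set violations:",
          safe_harbor_violations(limited_data_set(SAMPLE_RECORD)))
```

Run against the sample, `safe_harbor` keeps only State, 3-digit zip, the admission year, "90+" and the diagnosis; because no code linking back to the subject is retained, the result is both de-identified and anonymized (unlinked) in the chapter's terms. `limited_data_set` keeps city, the nine-digit zip, full dates, the exact age and the initials, and `safe_harbor_violations` reports each of them, which is exactly why such a data set needs the data use agreement described above rather than counting as de-identified.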
4. CONCLUSION
The Privacy Rule has increased the complexity of life for an investigator engaged in research with human subjects. However, contrary to the fears of many and the claims of some, the Privacy Rule need not stifle such research.
By understanding all of the regulations that govern research with human subjects, including the Common Rule, FDA regulations and the Privacy Rule, investigators are able to perform scientifically sound and ethical research. The IRB with which the investigator works can be a valuable resource to guide the research team as the study is designed and submitted for approval.
REFERENCES
1. August 2003 Complete Privacy, Security, and Enforcement (Procedural) Regulations Text (45 CFR Parts 160 and 164), http://www.hhs.gov/ocr/combinedregtext.pdf, Sponsor: DHHS Office for Civil Rights, Accessed: 23 January 2006.
2. Code of Federal Regulations Title 45 Part 46, http://www.hhs.gov/ohrp/humansubjects/, Sponsor: DHHS Office for Human Research Protections, Accessed: 23 January 2006.
3. Guidance for Institutional Review Boards and Clinical Investigators, 1998 Update, Appendix E: Significant Differences in FDA and HHS Regulations, http://www.fda.gov/oc/ohrt/irbs/appendixe.html, Sponsor: FDA, Accessed: 23 January 2006.
4. Code of Federal Regulations Title 21 Part 56, http://www.cfsan.fda.gov/~lrd/cfr56.html, Sponsor: FDA, Accessed: 23 January 2006.
5. HIPAA Privacy Rule - Information for Researchers, http://privacyruleandresearch.nih.gov/, Sponsor: NIH, Accessed: 23 January 2006.
6. Privacy Boards and the HIPAA Privacy Rule, http://privacyruleandresearch.nih.gov/pdf/privacy_boards_hipaa_privacy_rule.pdf,