Research Provisions of the Privacy Rule
Research Use/Disclosure with Individual Authorization
- The Privacy Rule permits covered entities to use or disclose protected health information for research purposes when the individual who is the subject of the information authorizes the use or disclosure. For clinical trials, authorization must be sought in addition to informed consent. Authorization must also be sought for other research uses or disclosures of protected health information that do not qualify for an IRB waiver of authorization (discussed below).
- The Privacy Rule has a general set of authorization requirements that apply to all uses and disclosures, including those for research purposes. However, several special provisions apply to research authorizations:
  - Unlike other authorizations, which require an expiration date, an authorization for a research purpose may state that the authorization does not expire, that there is no expiration date or event, or that the authorization continues until the end of the research study;
  - An authorization for the use or disclosure of protected health information for research may be combined with a consent to participate in the research, or with any other legal permission related to the research study (except for research involving the use or disclosure of psychotherapy notes, which must be authorized separately); and
  - Research authorization forms must be filled out completely and accurately by the investigator, to ensure that all parties who require access to protected health information for the research (including sponsors, CROs, DSMBs, IRBs, etc.) are identified in the form and may receive the information. The IRB combined authorization/consent form should be completed by the investigator and submitted to the IRB for review and approval.
Waiver of Authorization for Use or Disclosure of Protected Health Information in Research
Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under limited circumstances. A covered entity may use or disclose protected health information for research when presented with documentation that an IRB has granted a waiver of authorization [See 45 CFR 164.512(i)(1)(i)]. This provision of the Privacy Rule might be used, for example, to conduct records research, epidemiological studies, or other research where de-identified data is unavailable or not suited to the research purpose.
The waiver documentation presented to the covered entity must include the following:
- Identification of the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;
- A statement that the IRB or Privacy Board has determined that the alteration or waiver of authorization, in whole or in part, satisfies the three criteria in the Rule;
- A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Board;
- A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures; and
- The signature of the chair or other member, as designated by the chair, of the IRB or the Privacy Board, as applicable.
The following criteria must be satisfied for the IRB to approve a waiver of authorization under the Privacy Rule:
- The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
  - an adequate plan to protect the identifiers from improper use and disclosure;
  - an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
  - adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to and use of the protected health information.
Review Preparatory to Research
The Privacy Rule permits a covered entity to use or disclose protected health information to a researcher without authorization or waiver for the limited purpose of a "review preparatory to research."
Such reviews may be used to prepare a research protocol, or to determine whether a research site has a sufficient population of potential research subjects.
Prior to permitting the researcher to access the protected health information, the covered entity must obtain representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research purpose.
Researchers should consult with UVa Health Information Services (HIS) regarding any forms or applications necessary to conduct a review preparatory to research.
Researchers conducting a review preparatory to research may not record information in identifiable form (see identifiers below), nor may they use the information that they receive to contact potential subjects.
Because the Privacy Rule permits a covered entity to disclose protected health information to the individual who is the subject of the information, covered health care providers and subjects may continue to discuss the option of enrolling in a clinical trial without subject authorization.
Even when permitted by the Privacy Rule, however, any use of subject information for recruitment must comply with IRB recruitment policies.
Identifiers referenced above include:
- Geographic info. (city, state, and zip)
- Elements of dates (except years)
- Telephone #s
- Unique identifying #s
- Certificate/license #s
- VIN and serial #s, license plate #s
- Device identifiers, serial #s
- IP address #s
- Biometric identifiers (fingerprints)
- Full face, comparable photo images
- Medical record, prescription #s
- Health plan beneficiary #s
Research on Protected Health Information of Decedents
The protections of the Common Rule (45CFR46) apply only to living human beings; by contrast, the Privacy Rule also protects the identifiable health information of deceased persons ("decedents").
The Privacy Rule contains an exception to the authorization requirement for research that involves the protected health information of decedents.
A covered entity may use or disclose decedents' protected health information for research if the entity obtains representations from the researcher that:
- the use or disclosure being sought is solely for research on the protected health information of decedents,
- that the protected health information being sought is necessary for the research, and,
- at the request of the covered entity, documentation of the death of the individuals about whom information is being sought.
Researchers should submit the applicable UVa Health Information Services (HIS) form to HIS when they intend to conduct research involving decedents' protected health information.
Limited Data Sets with a Data Use Agreement
When a researcher does not need direct identifiers for a study but does require certain data elements that are not permitted in de-identified data, the Privacy Rule permits a covered entity to disclose a "limited data set" to the researcher without authorization or waiver, provided that the researcher has signed a data use agreement.
The limited data set is still considered to be protected health information, but it need only exclude the specified direct identifiers of the individual or of relatives, employers, or household members of the individual.
The research involves a limited data set if the data contains none of the following 16 identifiers:
- Names
- Postal address info. (if other than city, state and zip)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security #s
- Medical record, prescription numbers
- Health plan beneficiary #s
- Account #s
- Certificate/license #s
- Vehicle identifiers (VIN) and serial #s, license plate #s
- Device identifiers, serial #s
- Web URLs
- IP address #s
- Biometric identifiers (fingerprints)
- Full face, comparable photo images
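Before a limited data set leaves the covered entity, a practitioner will usually want an automated screen that flags any of the excluded direct identifiers, both in obviously named columns and leaking into free-text fields. The following is an added example written for this page; it is not UVa's or HIS's tooling. The column-name-to-category mapping, the value patterns, and the two sample records are all constructed for illustration, and a screen like this supports, but does not replace, the IRB's and data use agreement's review of what the data set actually contains.

```python
import re
from dataclasses import dataclass
from typing import Any, Iterable

# Column names that, in this constructed example, are assumed to carry one of
# the direct identifiers a limited data set must exclude (45 CFR 164.514(e)(2)).
# A real data set needs its own data dictionary for this mapping.
DIRECT_IDENTIFIER_FIELDS = {
    "name": "names", "first_name": "names", "last_name": "names",
    "street": "postal address", "address": "postal address",
    "phone": "telephone numbers", "fax": "fax numbers",
    "email": "email addresses", "ssn": "social security numbers",
    "mrn": "medical record numbers", "rx_number": "prescription numbers",
    "member_id": "health plan beneficiary numbers", "account": "account numbers",
    "license": "certificate/license numbers", "vin": "vehicle identifiers",
    "plate": "license plate numbers", "device_serial": "device identifiers",
    "url": "web URLs", "ip": "IP addresses", "fingerprint": "biometric identifiers",
    "photo": "full face photos",
}

# Value patterns for identifiers that leak into notes or mislabelled columns.
# Dates, ZIP codes and ages are permitted in a limited data set, so the
# patterns are written so that "2019-03-14" or "22908" do not match.
VALUE_PATTERNS = {
    "email addresses": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "social security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone numbers": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "IP addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web URLs": re.compile(r"https?://\S+", re.IGNORECASE),
    "postal address": re.compile(
        r"\b\d+\s+\w+(?:\s\w+)?\s(?:st|street|ave|avenue|rd|road|blvd|dr|drive|ln|lane)\b\.?",
        re.IGNORECASE,
    ),
}


@dataclass(frozen=True)
class Finding:
    record: int      # index of the offending record
    field: str       # column in which the identifier was found
    category: str    # which of the excluded identifiers it is
    how: str         # "field name" or "value pattern"


def screen_limited_data_set(records: Iterable[dict[str, Any]]) -> list[Finding]:
    """Return every direct identifier found in the records (empty list = clean)."""
    findings: list[Finding] = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            key = field.lower()
            if key in DIRECT_IDENTIFIER_FIELDS:
                # The column itself is a direct identifier; no need to inspect its value.
                findings.append(Finding(idx, field, DIRECT_IDENTIFIER_FIELDS[key], "field name"))
                continue
            if not isinstance(value, str):
                continue
            for category, pattern in VALUE_PATTERNS.items():
                if pattern.search(value):
                    findings.append(Finding(idx, field, category, "value pattern"))
    return findings


def is_limited_data_set(records: Iterable[dict[str, Any]]) -> bool:
    """True when the screen finds none of the excluded direct identifiers."""
    return not screen_limited_data_set(list(records))


# Constructed sample records (not real patient data).
CLEAN_RECORDS = [
    # Elements a limited data set MAY retain: city/state/ZIP, full dates, clinical codes.
    {"study_id": "LDS-0001", "city": "Charlottesville", "state": "VA", "zip": "22908",
     "dob": "1956-07-02", "admit_date": "2019-03-14", "discharge_date": "2019-03-18",
     "diagnosis": "I21.4", "notes": "Seen 3 days post op, no complications."},
]

DIRTY_RECORDS = [
    {"study_id": "LDS-0002", "city": "Richmond", "state": "VA", "zip": "23220",
     "dob": "1961-11-30", "admit_date": "2020-01-05",
     "ssn": "123-45-6789",  # direct identifier column that should have been dropped
     "notes": "Follow-up arranged by email jdoe@example.org; lives at 1215 Lee St."},
]

if __name__ == "__main__":
    print("clean set passes:", is_limited_data_set(CLEAN_RECORDS))
    for f in screen_limited_data_set(DIRTY_RECORDS):
        print(f"record {f.record}: field '{f.field}' contains {f.category} ({f.how})")
```

The second record is rejected on three counts: the `ssn` column by name, and the `notes` field twice by value (an email address and a street address), while the first record's dates, ZIP code and city pass untouched. Free-text fields are where direct identifiers most often survive a column-level scrub, which is why the value patterns run over every string, not just suspect columns.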
The recipient must also agree to the following:
- Not to use or disclose the information other than as permitted by the data use agreement or as otherwise required by law;
- Use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the data use agreement;
- Report to the covered entity any use or disclosure of the information not provided for by the data use agreement of which the recipient becomes aware;
- Ensure that any agents, including a subcontractor, to whom the recipient provides the limited data set agree to the same restrictions and conditions that apply to the recipient with respect to the limited data set; and
- Not to identify the information or contact the individual.
Accounting for Research Disclosures
The Privacy Rule gives individuals the right to receive an accounting of certain disclosures of protected health information made by a covered entity. See 45 CFR 164.528.
Among the types of disclosures that are exempt from this accounting requirement are:
- Research disclosures made pursuant to an individual's authorization;
- Disclosures of the limited data set to researchers with a data use agreement under 45 CFR 164.514(e).
If required, the accounting must include:
- disclosures of protected health information that occurred during the six years prior to the individual's request for an accounting, or since the applicable compliance date (whichever is sooner), and
- specified information regarding each disclosure.
A more general accounting is permitted for subsequent multiple disclosures to the same person or entity for a single purpose. [See 45 CFR 164.528(b)(3)].
In addition, for disclosures of protected health information for research purposes without the individual's authorization pursuant to 45 CFR 164.512(i), and that involve at least 50 records, the Privacy Rule allows for a simplified accounting of such disclosures by covered entities. Under this simplified accounting provision, covered entities may provide individuals with a list of all protocols for which the subject's protected health information may have been disclosed under 45 CFR 164.512(i), as well as the researcher's name and contact information. Other requirements related to this simplified accounting provision are found in 45 CFR 164.528(b)(4).
Note that each covered entity must have procedures in place to track disclosures of protected health information and to provide accountings to subjects upon request. UVA researchers are required to track their own disclosures of PHI during the course of their research.
The Web address for DisclosureTrac is: http://hscshisweb1/DisclosureTrac/DST_Login.aspx
Waiver of Informed Consent for Creation of Databases
A covered entity may use or disclose protected health information without individuals' authorizations for the creation of a research database, provided that the covered entity obtains documentation that an IRB or Privacy Board has determined that the specified waiver criteria were satisfied.
Creation of a database of health information for research purposes is regarded as a research activity that requires:
- submission of a protocol; and
- one of the following:
  - a consent/authorization form;
  - a waiver of consent/authorization; or
  - an IRB exemption determination.
Protected health information maintained by a covered entity in such a research database could be used or disclosed for future research studies as permitted by the Privacy Rule.
Subjects' Rights to Access Records
With few exceptions, the Privacy Rule gives subjects the right to inspect and obtain a copy of health information about themselves that is maintained by a covered entity or its business associate in a designated record set.
A designated record set is basically a group of records that a covered entity uses to make decisions about individuals, and includes a health care provider's medical records and billing records, and a health plan's enrollment, payment, claims adjudication, and case or medical management record systems. While it may be unlikely that a researcher would be maintaining a designated record set, any research records or results that are actually maintained by the covered entity as part of a designated record set (e.g., maintained in the medical record) would be accessible to research participants unless one of the Privacy Rule's permitted exceptions applies.
One of the permitted exceptions applies to protected health information created or obtained by a covered health care provider/researcher for a clinical trial. The Privacy Rule permits the individual's access rights in these cases to be suspended while the clinical trial is in progress, provided the research participant agreed to this denial of access when authorizing the use or disclosure of his or her protected health information for the clinical trial. In addition, the health care provider/researcher must inform the research participant that the right to access protected health information will be reinstated at the conclusion of the clinical trial.
The Privacy Rule contains certain grandfathering provisions that permit a covered entity to use and disclose protected health information for research after the Rule's compliance date of April 14, 2003, if the researcher obtained any one of the following prior to the compliance date:
- An authorization or other express legal permission from an individual to use or disclose protected health information for the research;
- The informed consent of the individual to participate in the research; or
- An IRB waiver of informed consent for the research.
Even if informed consent or other express legal permission was obtained prior to the compliance date, if new subjects are enrolled or existing subjects are re-consented after the compliance date, the covered entity must obtain the individual's authorization. For example, if there was a temporary waiver of informed consent for emergency research under the FDA's human subject protection regulations, and informed consent was later sought after the compliance date, individual authorization must be sought at the same time.
The transition provisions apply to both uses and disclosures of protected health information for specific research protocols and uses or disclosures to databases or repositories maintained for future research.
The UVa Health System also has information regarding HIPAA available on the Health System HIPAA Initiatives website.