Office for Civil Rights Frequently Asked Questions on the HIPAA Privacy Rule. The following "Frequently Asked Questions" address broadly some of the questions that have arisen about the possible impact of the Privacy Rule on research. We will also be adding to "Frequently Asked Questions" on an ongoing basis as new questions arise. However, for a full understanding of the relevant provisions of the Rule it is important to consult the Rule itself and to discuss compliance issues with the Privacy Officer of your institution. If there are additional questions about the HIPAA Privacy Rule and research you would like addressed on this site, please submit them to .
National Institutes of Health (NIH) - Development of educational materials for researchers, in collaboration with other HHS research agencies, is the role of NIH. NIH is not involved in enforcing or monitoring compliance with the Privacy Rule. These entities (collectively called "covered entities") are bound by the new privacy standards even if they contract with others (called "business associates") to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. The Privacy Rule will require some covered health care providers and health plans to change their current practices related to documenting research uses and disclosures. It is possible that some covered health care providers and health plans may conclude that the Rule's requirements for research uses and disclosures are too burdensome and will choose to limit researchers' access to protected health information. We believe few providers will take this route, however, because the Common Rule includes similar, and more rigorous, requirements that have not impaired the willingness of researchers to undertake Federally-funded research. For example, unlike the Privacy Rule, the Common Rule requires an Institutional Review Board (IRB) review for all research proposals under its purview, even if informed consent is to be sought. The Privacy Rule requires documentation of IRB or Privacy Board approval only if patient authorization for the use or disclosure of protected health information for research purposes is to be altered or waived. In addition, the Rule allows an IRB to use expedited review procedures as permitted by the Common Rule to review and approve requests for waiver of authorizations. 
Similarly, the Rule permits Privacy Boards to use an expedited review process when the research involves no more than a minimal privacy risk to the individuals. An expedited review process permits covered entities to accept documentation of waiver of authorization when only one or more members of the IRB or Privacy Board have conducted the review. HHS regulations at 45 CFR part 46 do not require that stand-alone authorizations for use or disclosure of protected health information, not incorporated into the IRB-approved informed consent document, be reviewed and approved by the IRB. However, when the patient authorizations for use or disclosure of protected health information are to be incorporated into previously approved informed consent documents for a series of protocols and the authorization statements include protocol-specific information unique to each of the protocols, the IRB should review and approve the insertion of the authorization language separately for each protocol. In both cases, an expedited review procedure may be used. One of the permitted exceptions applies to protected health information created or obtained by a covered health care provider/researcher for a clinical trial. The Privacy Rule permits the individual's access rights in these cases to be suspended while the clinical trial is in progress, provided the research participant agreed to this denial of access when consenting to participate in the clinical trial. In addition, the health care provider/researcher must inform the research participant that the right to access protected health information will be reinstated at the conclusion of the clinical trial. 
In addition, for certain research laboratories that are exempt from the CLIA regulations, the Privacy Rule does not require such research laboratories, if they are also a covered health care provider, to provide individuals with access to protected health information because doing so may result in the research laboratory losing its CLIA exemption. If a covered entity decides to be a hybrid entity, it must define and designate as its health care component(s) those parts of the entity that engage in covered functions. "Covered functions" are those functions of a covered entity that make the entity a health plan, a health care provider, or a health care clearinghouse. Thus, research components of a hybrid entity that function as health care providers and engage in standard electronic transactions must be included in the hybrid entity's health care components and be subject to the Privacy Rule. However, research components that function as health care providers, but do not engage in standard electronic transactions may, but are not required to, be included in the health care component(s) of the hybrid entity. For example, a hybrid entity, such as a university, has the option to include or exclude a research laboratory, that functions as a health care provider but does not engage in electronic transactions, as part of the hybrid entity's health care component. If such a research laboratory is included in the hybrid entity's health care component, then the employees or workforce members of the laboratory must comply with the Privacy Rule. But if the research laboratory is excluded from the hybrid entity's health care component, the employees or workforce members of the laboratory are not subject to the Privacy Rule. 
However, the reliance exception would not permit a covered entity to continue disclosing additional protected health information to a researcher or to use for its own research purposes information not already gathered at the time an individual withdraws his or her authorization. However, a researcher who is not a part of the covered entity may not use the preparatory research provision to contact prospective research subjects. Rather, the outside researcher could obtain contact information through a partial waiver of individual authorization by an IRB or Privacy Board as permitted at 45 CFR 164.512(i)(1)(i). The IRB or Privacy Board waiver of authorization permits the partial waiver of authorization for the purposes of allowing a researcher to obtain protected health information as necessary to recruit potential research subjects. For example, even if an IRB does not waive informed consent and individual authorization for the study itself, it may waive such authorization to permit the disclosure of protected health information as necessary for the researcher to be able to contact and recruit individuals into the study. HHS regulations at 45 CFR 46.102(d) define "research" as "a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge." HHS regulations at 45 CFR 46.102(f) define "human subject" as a living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information. . . . Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). 
Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects. When a "preparatory to research" activity (i) involves human subjects research, as defined above; (ii) is conducted or supported by HHS or conducted under an applicable assurance approved by the Office of Human Research Protections (OHRP); and (iii) does not meet the criteria for exemption under HHS regulations at 45 CFR 46.101(b), the research must be reviewed and approved by an institutional review board in accordance with HHS regulations at 45 CFR 46.109(a), and informed consent of the subjects must be sought and documented in accordance with, and to the extent required by, HHS regulations at 45 CFR 46.116 and 46.117, respectively. The Privacy Rule permits, under the "preparatory to research" provision, investigators who are employees or other members of the covered entity's workforce to obtain and record information from that covered entity's medical records for the purposes of identifying and recruiting potential human subjects. Such activities in which an investigator obtains and records individually identifiable health information would involve human subjects research under the HHS regulations at 45 CFR part 46 and would not satisfy the criteria for any exemption under HHS regulations at 45 CFR 46.101(b). As a result, if such activities are conducted or supported by HHS or conducted under an applicable OHRP-approved assurance, the research activities must be reviewed and approved by an IRB and informed consent of the subjects must be sought and documented in accordance with, and to the extent required by, HHS regulations at 45 CFR 46.116 and 46.117, respectively. The above interpretation does not contradict in any way the Office for Civil Rights' (OCR) interpretation of the HIPAA Privacy Rule. 
It should be noted that patient authorization for use or disclosure of protected health information provided for under the HIPAA Privacy Rule and legally effective informed consent for research provided for under HHS regulations at 45 CFR 46.116 and 46.117 are not the same. Furthermore, the HIPAA Privacy Rule does not preempt any requirements of 45 CFR part 46, and vice-versa. In situations where both 45 CFR part 46 and the HIPAA Privacy Rule are applicable, institutions must adhere to both sets of regulations. For formal guidance on interpretation of the HIPAA Privacy Rule, contact the HHS Office for Civil Rights, http://www.hhs.gov/ocr/hipaa/. For formal guidance on interpretation of HHS regulations at 45 CFR part 46, contact OHRP, http://ohrp.osophs.dhhs.gov. If the health department performs some covered functions (i.e., those activities that make it a provider that conducts certain transactions electronically, a health plan or a health care clearinghouse) and other non-covered functions, it may designate those components (or parts thereof) that perform covered functions as the health care component(s) of the organization and thereby become a type of covered entity known as a "hybrid entity." Most of the requirements of the Privacy Rule apply only to the hybrid entity's health care component(s). If a health department elects to be a hybrid entity, there are restrictions on how its health care component(s) may disclose protected health information to other components of the health department. See 45 CFR 164.504 (a) - (c) for more information about hybrid entities. The minimum necessary standard requires covered entities to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to protected health information. It is intended to reflect and be consistent with, not override, professional judgment and standards. 
Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately limit access to personal health information without sacrificing the quality of health care. The Privacy Rule does not require that a justification be provided with respect to each distinct medical record. Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment purposes or disclosures to the individual who is the subject of the protected health information. A: New and Competing Continuation Grant and Cooperative Agreement Grant and Cooperative Agreement Applications: When conducting investigator-initiated research that involves a covered entity the Privacy Rule may influence the environment in which the research takes place. As a result, implementing the Privacy Rule may affect the feasibility, design, and cost of the research. As with any issue that can affect feasibility, design, and cost, researchers should continue to follow the instructions in the PHS 398 (http://grants.nih.gov/grants/funding/phs398/phs398.html) and discuss such issues, as needed, in the research plan and budget sections of the application. It is important to note that the Privacy Rule does not replace or act in lieu of existing regulations for the protection of human subjects found in 45 CFR part 46. Therefore, instructions in the Human Subjects section of the PHS 398 remain the same. Researchers should continue to consider issues of privacy and confidentiality as they affect the adequacy of protections of human subjects from research risks, and when appropriate, address these issues in the Human Subjects section of the research plan. 
New and competing continuation grant & cooperative agreement applications will continue to be evaluated using the existing review criteria found in PHS 398 and reviewers will continue to use the existing NIH Instructions to Reviewers for Evaluating Research Involving Human Subjects http://grants.nih.gov/grants/peer/hs_review_inst.pdf. Some Requests For Applications (RFAs) and Program Announcements (PAs) may request applications for specific areas of research and could indicate the need to provide a plan for acquiring or accessing data under the Privacy Rule. In such cases, the review criteria listed in the RFA or PA could be augmented to include adequacy of such plans and reviewers would evaluate these. NIH funding decisions for new and competing continuation grants and cooperative agreements will continue to be based on scientific merit, programmatic need, and availability of funds. Program staff will continue to discuss and seek resolution of issues or problems noted in the summary statement - including issues noted regarding the effect of the Privacy Rule - with investigators prior to funding. Research Contract Proposals: When performing research under a research contract that involves a covered entity, the Privacy Rule may affect the environment in which the research takes place. As a result, implementing the Privacy Rule may affect the feasibility, design, and cost of the research. As with any issue that can affect feasibility, design, and cost, researchers should discuss the issues, as needed, in the technical and business proposal sections of the contract proposal. It is important to note that the Privacy Rule does not replace or act in lieu of existing regulations for the protection of human subjects found in 45 CFR part 46. Therefore, instructions in Section L of the solicitation remain the same. 
Researchers should continue to consider issues of privacy and confidentiality as they affect the adequacy of protections of human subjects from research risks, and when appropriate, address these issues in the Human Subjects section of the technical proposal. For new contract solicitations, reviewers will use the evaluation criteria set forth in Section M of the solicitation and continue to use the existing instructions found in Manual Chapter 6315-1 (http://www1.od.nih.gov/oma/manualchapters/contracts/6315-1/). Some Requests for Proposals (RFPs) could indicate the need to provide a plan for acquiring or accessing data under the Privacy Rule. In such cases, the review criteria listed in the RFP could be augmented to include adequacy of these plans and reviewers would evaluate these. NIH funding decisions for new research contracts will continue to be based on technical merit and cost. The technical evaluation report will include a discussion of issues and problems, including any noted regarding the Privacy Rule. The contracting officer will include these issues and problems during discussions held with offerors in the competitive range and seek resolution prior to award. Effects on Non-Competing Applications/Contracts - Progress Monitoring Grants and Cooperative Agreements: During the period of award, principal investigators of grants and cooperative agreements communicate progress and issues about the research with NIH program and grants management staff in annual progress reports, as well as on as-needed bases. If situations are encountered that significantly delay the study, change the study design or procedures, or change the costs of the research, these issues should be communicated to NIH staff as soon as possible. This same practice applies to significant research delays or problems associated with acquiring or accessing data under the Privacy Rule; issues should be communicated to NIH staff. NIH staff will evaluate situations on a case-by-case basis. 
Research Contracts: During the contract period of performance, the contractor communicates progress and issues about the research to the contracting officer and project officer on a regular and as-needed basis. If it encounters situations that significantly delay the study, change the study design or procedures, or change the costs of the research, these should be communicated to NIH staff as soon as possible. In this same manner, significant research delays or problems associated with acquiring or accessing data under the Privacy Rule should be communicated to the contracting officer and project officer, who will evaluate the situation on a case-by-case basis. National Institutes of Health (NIH) staff can provide assistance in locating educational materials on the Privacy Rule. For general questions about how the Privacy Rule may affect the review, funding, and progress monitoring of NIH grants, cooperative agreements and research contracts, please contact program and grants management staff in the NIH relevant to your area of scientific interest.