Office for Human Research Protections (OHRP)
Secretary's Advisory Committee on Human Research Protections (SACHRP)
Summary of SACHRP's Recommendations on the HIPAA Privacy Rule
Accounting requirements for research
Recommendation I: The disclosure of protected health information (PHI) for research purposes should be expressly exempted from the Final Privacy Rule=s accounting requirements, and instead, Covered Entities should be required to inform patients in the Notice of Privacy Practices that their PHI may be used and disclosed for research purposes without their express authorization only in limited circumstances where additional safeguards are in place. (Refer to Appendix A).
Recommendation II: The Department should review the standards for de-identification of data in order to reduce the number of data categories that must be eliminated for data to be regarded as de-identified. Among those data categories that should be strongly considered for deletion from the de-identification standards are zip codes, geographic subdivisions, and dates. While the specific addresses of persons should not be included in de-identified information, more general areas of residence, work or origin, may, in fact, be essential to epidemiologic and other studies of, for example, disease incidence. Additionally, most dates, including admission and discharge dates, provide essential endpoints for much research without directly identifying the individual. (Refer to Appendix B)
Recommendation III: Rather than focusing on the distinction between Ainternal@ and Aexternal@ researchers created by HIPAA=s artificial organizational rules, the Department should key any distinction in the ability of researchers to use PHI to contact subjects without the additional requirement of Institutional Review Board (IRB) waiver or a business associate agreement around whether the Covered Entity exercises effective control over the researcher through application of its policies and procedures. Specifically, SACHRP recommends that the existing distinction be removed between, on the one hand, all researchers who are affiliated with the Covered Entity, through membership in the Covered Entity=s Aworkforce,@ making them Ainternal@ to the Covered Entity for HIPAA purposes, and on the other hand, those who otherwise are subject to the Covered Entity=s policies and procedures, for example, by virtue of being a member of the Covered Entity=s faculty or medical staff or by being in an organized health care arrangement with the Covered Entity. SACHRP also recommends that additional guidance be provided so that the Department=s interpretation of HIPAA does not result in a weakening of existing privacy protections under the Common Rule. (Refer to Appendix C).
Recommendation IV: When an IRB has considered and approved a research consent form that permits consent to certain future uses under the Common Rule standard, the Final Privacy Rule should likewise permit subjects to authorize the use and disclosure of their PHI for the same future uses. Any subsequent research using the PHI that goes beyond the scope of the authorization to future uses or disclosures would require IRB or Privacy Board waiver of the Privacy Rule=s Authorization requirements, or subsequent authorization from each subject. (Refer to Appendix D).
Recommendation V: The Department should revise HIPAA=s compound authorization rules to permit the combining of research authorizations into one form when researchers seek to bank data and materials collected as part of an underlying clinical trial; however, in order to promote patients/subject choice, the rules should require that subjects be given the ability to Aopt in@ to the banking portion of the authorization. (Refer to Appendix E).
Recommendation VI: The Department should revise the categories of research for which authorization is not required, so that those categories are consistent with research determined by an IRB or other appropriate institutional authority to be exempt from the requirements of the Common Rule. (Refer to Appendix F).
Recommendation VII: The Department should revise the transition Rules to grandfather not only research that received IRB waiver of informed consent under the Common Rule prior to HIPAA=s compliance date but also research that did not receive IRB review or oversight as a result of having met an exemption under the Common Rule. (Refer to Appendix G).
Recommendation VIII: The Department should clarify, if legally possible, that PHI collected from foreign nationals outside the United States by researchers engaged in international research who are affiliated with Covered Entities is not subject to HIPAA=s requirements solely as a result of the researchers= affiliation with the Covered Entity. Alternatively, SACHRP recommends that there be guidance as to how research conducted outside the United States can be insulated from HIPAA=s applicability so that Covered Entities and their affiliated researchers can continue to participate in this important research without triggering HIPAA=s requirements. (Refer to Appendix H).
Recommendation IX: The Department should revisit both the definition of public health authority as well as the exception for uses and disclosures for public health activities. The revisions should serve to broaden them sufficiently to ensure that federal and state agencies whose primary purpose is the prevention or control of disease, injury, or disability or the analysis of data in alliance with public health and public benefits agencies fall under this exception, even if the legal authority establishing such agencies does not explicitly authorize them to compel the collection of PHI in the course of their duties. (Refer to Appendix I).