Appendix D: Application of the Privacy Rule to research databases and repositories needs further refining to align it with existing Common Rule requirements

As the HIPAA Privacy Rule commentaries recognize, many Covered Entities maintain databases into which patient health information is placed, processed and stored. Databases and tissue repositories are created for many different purposes, including to track treatment patterns and treatment outcomes to improve patient care, and to conduct research to understand diseases and how they can be treated. In the commentary to the August 2002 Final Privacy Rule, NHRPAC had sought clarification that the creation and maintenance of research databases and repositories are pre-research activities that are not subject to HIPAA's research Rules, and that the use and disclosure of PHI for these purposes is permissible as an activity preparatory to research and would therefore not require individual authorization or IRB/privacy board waiver of authorization. In response, the Department stated that it interpreted the definition of research under both the Common Rule and HIPAA to include the development of research repositories and databases for future research purposes, thereby requiring authorization or waiver of authorization to the extent PHI would be involved. The position that the creation and maintenance of research databases is itself a "research" activity was solidified in subsequent NIH guidance documents. These NIH guidance documents also clarified that any subsequent research performed using the stored data or biologic samples would require additional authorization or waiver of authorization, specific to the research study at hand.

SACHRP acknowledges the Department's general interpretation of existing Common Rule guidance on the creation and maintenance of databases and repositories and supports the Department's view that these activities - to the extent they involve identifiable private information, as that term is defined in the Common Rule, and PHI - require IRB approval, informed consent, and authorization (or IRB waiver of consent and authorization). However, SACHRP believes that certain aspects of the Department's application of the Privacy Rule to research databases and repositories needs further refining to align it with existing Common Rule requirements.

Under existing interpretations of the Common Rule's informed consent requirements, it is generally permissible to seek subjects' consent to future research so long as the future uses are described in sufficient detail to allow an informed consent. Consent to future uses may be appropriate, for example, where data or biologic materials collected from patients with a certain disease and studied in the course of a primary research study will be stored and studied in the future as additional tests and hypotheses are developed. An IRB reviewing a consent form for such a study may be comfortable that the subjects are adequately informed about the general types of research to be conducted in the future and the privacy protections that will be in place to ensure that the scope of the subjects' consent is honored. On the other hand, there may be circumstances under which the initial study's sole purpose is to collect biologic samples to be stored for future purposes, and it is unclear at the time of collection as to which future uses the specimens will be put. Under such circumstances, where the future uses would more appropriately be characterized as "new" research uses (as opposed to an extension of the primary study), an IRB may require that the researchers maintaining the database or repository return to the IRB with additional specific research protocols and either seek informed consent from subjects or seek IRB waiver of the consent requirement before using the data or identified biologic materials for the future research purposes.

HIPAA's Privacy Rule, as set forth in OCR and NIH interpretations, appears to diverge from the Common Rule on this point, in that the Privacy Rule interpretations appear to regard all future uses of PHI as nonspecific and therefore as not includable in a HIPAA authorization for a specimen or data collection study. Early NIH guidance on HIPAA, "Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule" (published April 14, 2003 and revised September 25, 2003) reiterated that HIPAA prohibits blanket or broad research authorizations for "nonspecific research" or "future, unspecified projects" and requires that research authorizations "pertain only to a specific research study." Furthermore, this guidance stated that "[t]he Privacy Rule considers the creation and maintenance of a research repository or database as a specific research activity, but the subsequent use or disclosure by a Covered Entity of information from the database for a specific research study will require separate Authorization …" The February 2004 NIH Guidance supports the current interpretation that any subsequent use or disclosure of data or materials stored in a research database or repository requires additional HIPAA authorization or IRB waiver of authorization.

As a result, even in circumstances in which an IRB approves an informed consent process and form that seek subjects' consent to certain discrete future uses, researchers are required under HIPAA to seek a subsequent authorization from subjects for the same future uses, and under HIPAA's compound authorization rules, discussed below, are not allowed to include that authorization in the authorization for the data or tissue collection study. Alternatively, researchers can attempt to obtain IRB or privacy board waiver of authorization for the subsequent use. The impact of this disparity between practice under the Common Rule and under the Privacy Rule is to confuse subjects rather than to increase their understanding. In such collection studies, for example, the informed consent and HIPAA authorization for the primary study may be combined in one document. That one document may also contain informed consent from the subject for certain discrete future uses or categories of future use. Yet the same document may not contain a HIPAA authorization for the same future uses, thus requiring that the researchers obtain a second subsequent authorization from the same subjects. The potential for confusion and administrative burden appears to outweigh any increase in the protection afforded to the privacy of subjects' information.