Appendix H: Clarify in guidance that IRB alteration of HIPAA's authorization requirement may be sought and granted for international research
The focus of the Privacy Rule's applicability is PHI created or maintained by Covered Entities. In commentary to the first "final" privacy regulations published in December 2000, the Department noted that the definition of "individual" (i.e., the person who is the subject of protected health information) did "not exclude foreign military and diplomatic personnel, their dependents, or overseas foreign national beneficiaries," suggesting that HIPAA is triggered so long as a Covered Entity and PHI are involved. In the February 2004 Guidance, the NIH clarified this point, stating that "[a]ll individually identifiable health information, including individually identifiable health information of non-U.S. citizens, is PHI when it is held by a covered entity, unless it is otherwise excepted from the definition of PHI at Section 164.501 of the Privacy Rule." However, this guidance does not address the harder issue of defining HIPAA's reach abroad, and many researchers, institutions and commercial sponsors continue to struggle with the applicability of HIPAA in the context of international trials. The area of international research is one for which the Department has issued almost no guidance; therefore, SACHRP strongly urges the Department to develop and publish guidance that speaks to critical issues in the context of international research.
The Final Privacy Rule excludes from its applicability only overseas foreign national beneficiaries to the extent they receive health care from the Department of Defense or any other federal agency, or an entity acting on behalf of the DoD or other federal agency. This narrow exclusion, combined with the broad definition of individual and HIPAA's focus on Covered Entities and PHI, has resulted in the conclusion by some researchers and research institutions that HIPAA's requirements do attach to the use and disclosure of a foreign national's PHI by United States Covered Entities or covered researchers, even if the use and disclosure occur outside of the United States. Yet others appear to have reached the opposite conclusion - that HIPAA does not apply in such cases - based on a legal conflict-of-laws analysis and a conclusion that foreign laws such as the European Union's directives on data protection would trump the application of HIPAA.
Some private commercial research sponsors who have become concerned about the application of HIPAA in the context of international clinical trials appear to have determined that these concerns can be eased by no longer relying on Covered Entities (such as academic research institutions or universities) to assist in the coordination of multi-national clinical trials. Instead, these companies have begun to investigate the possibility of contracting with other entities not covered by HIPAA - such as foreign research organizations - to perform this work. This response by the pharmaceutical, biotechnology and medical device industry has been alarming, since it threatens to cause outsourcing of professional research positions and activities. Yet outsourcing such research coordination services only undermines privacy protections for subjects, since the foreign entities coordinating research data collection and analysis lie beyond any United States laws or regulations. It is therefore critical, from SACHRP's perspective, that the Department give clear guidance in the near future on the scope of HIPAA's application in the international context, and that such guidance, insofar as possible, restrict that application in the international context. SACHRP also notes that in international trials conducted by United States entities or researchers, the Common Rule already applies and requires the consideration and protection by researchers of subjects' privacy.
SACHRP suggests that it might be possible to formulate guidance to clarify how HIPAA's hybrid entity requirements might be applied to Covered Entities that coordinate or conduct international research, such that any PHI collected in the course of the international research and transmitted to the Covered Entity might be "walled off" into a non-covered part of that Covered Entity. If, however, the Department concludes that HIPAA does apply to PHI collected and analyzed by researchers who are affiliated with Covered Entities and working in the international context, concern has been expressed by researchers and institutions that HIPAA's very complicated privacy concepts may be incomprehensible to many individuals in developing countries. SACHRP therefore would urge the Department to clarify in guidance that an IRB alteration of HIPAA's authorization requirement may be sought and granted for international research such that a "boiled down" version of the elements of authorization may be used when consenting foreign subjects who would be overwhelmed by the detail and concepts otherwise required. SACHRP would also suggest that the Department consider whether the use of an authorization in certain international contexts might be deemed by an IRB to be impracticable, thus justifying a full waiver, considering the cultural and language barriers to accurate communication of HIPAA's concepts.
Content last reviewed on March 30, 2016