research (HIPAA)

HIPAA defines research as any "systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge."

Covered entities must normally obtain an authorization from the individual for research-related uses and disclosures of protected health information (PHI). Further, the covered entity must mention research in its Notice of Privacy Practices, as one kind of possible use or disclosure.

First, it should be noted that not all kinds of research-like activity fall into this category under HIPAA. Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines or protocols, fall under the category of health care operations, provided that obtaining generalizable knowledge is not the primary purpose. And activities that aim at very broadly generalizable knowledge for population health also fall into a different category -- namely, public health.

Activities considered to fall within the categories of health care operations or public health are covered simply by inclusion in the Notice and, optionally, a HIPAA consent process.

Second, while HIPAA's Privacy Rule has its own requirements for the protection of identifiable health information used for purposes that meet its definition of research, the human subjects protections of the Common Rule and the equivalent ones of the FDA remain in full force. HIPAA's constraints are in addition to these, rather than a replacement; all the requirements for informed consent and IRB review that come from the Common Rule and FDA regulations must still be met.

There are three exceptions to HIPAA's general requirement of an authorization for research uses of PHI:

  • where the PHI will not leave the covered entity, will be used solely for reviews preparatory to research (e.g., for the development of a protocol), and the researcher represents to the covered entity that such access is essential;
  • where the PHI refers solely to deceased persons (the covered entity may ask for documentation of death), and the researcher again asserts to the covered entity that access is necessary for the research purpose(s); or
  • when an Institutional Review Board (IRB) or a Privacy Board determines that a waiver of the authorization requirement is appropriate.

Covered entities may determine their own processes for approval of the "representations" of the first two exceptions. Typically that would involve a submission to the organization's privacy office/officer or to an IRB. Meeting the last of the three exceptions requires a determination by an IRB or Privacy Board that each of the following is true:

  • use or disclosure of the PHI involves no more than minimal risk to the individuals, based on the following elements:
    • an adequate plan to protect the identifiers from improper use and disclosure;
    • an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research (unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law); and
    • adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by HIPAA;

  • the research could not practicably be conducted without access to and use of the PHI; and
  • the research could not practicably be conducted without the waiver.

PHI uses and disclosures pursuant to these exceptions are subject to HIPAA's minimum necessary standard. A covered entity may reasonably rely on a researcher's documentation, or on the representations of an IRB or Privacy Board, that the information requested is the minimum necessary for the research purpose and that it meets the required exception criteria. (This is true regardless of whether the documentation is obtained from an external IRB or Privacy Board or from one that is associated with the covered entity.)

Disclosures for research operating under an authorization exception are also subject to HIPAA's disclosure accounting requirement. The requirement can be met for studies involving more than 50 records by providing individuals with:

  • a list of all protocols for which their PHI may have been disclosed pursuant to a waiver/exception;
  • the purpose of those studies and the types of PHI sought;
  • the timeframes of those disclosures; and
  • a researcher's name and contact information for each study.

When requested by the individual, the covered entity must provide assistance in contacting those researchers to whom it is likely that the individual's PHI was actually disclosed.

(Where fewer than 50 subjects are involved, the listing must be more specific and detailed, commensurate with the requirements for other types of PHI disclosure accounting. Covered entities may choose to impose a detailed accounting requirement even on large research studies. DHHS "encourage[s]" covered entities using the abbreviated accounting to list disclosures in ways that help individuals "more readily identify" the specific studies for which their PHI may have been disclosed.)

Perhaps surprisingly, research uses and disclosures of PHI pursuant to an authorization are not bound by the minimum necessary criterion. Nor do uses and disclosures made pursuant to an authorization for research require any accounting. Neither minimum necessary nor use/disclosure accounting apply to anything done under the authority of a HIPAA authorization.

DHHS's theory is that, given the "knowledge and voluntary agreement" requisite to an authorization, the data subject has freely forgone these rights. Covered entities and IRBs may choose to impose minimum necessary and use/disclosure accounting requirements on researchers anyway. Note also that unlike the Common Rule, the Privacy Rule does not require IRB or Privacy Board review of research uses and disclosures made with individual authorization.

There are two ways for researchers to bypass these issues. First, a covered entity may disclose PHI in a limited data set to a researcher who has entered into an appropriate data use agreement. It is not necessary to have an authorization or a waiver of authorization from an IRB or Privacy Board. Second, a researcher may use PHI contained in fully de-identified information. Limited data set and de-identified data use are also exempt from the disclosure accounting requirements (though they are subject to the minimum necessary criterion).

Note that the concept of "personally identifiable information" that triggers IRB review subject to the Common Rule does not precisely coincide with the definition of "individually identifiable health information" in the Privacy Rule. Indeed, there is no uniform definition of personally identifiable information under the Common Rule; rather, as a matter of practice, it is currently set by each individual IRB. By contrast, the Privacy Rule has very specific definitions for individually identifiable health information (a.k.a., protected health information) as well as de-identified health information and that suitable for a limited data set.

Analogous uncertainties attend defining "minimal risk" -- one of the criteria for the third exception to the HIPAA authorization requirement. Under the Common Rule, minimal risk means "the probability and magnitude of harm or discomfort" anticipated in the research is not greater than that "ordinarily encountered in daily life" or "routine physical or psychological examinations." Privacy risks do not lend themselves as easily to such comparisons.

Disclosures from a covered entity to a researcher for research purposes do not require a business associate contract, even when the covered entity has hired the researcher to perform research on the covered entity's own behalf. (A covered entity is not prohibited from entering into a business associate contract with a researcher if it wishes to do so.) However, a covered entity must enter into a data use agreement prior to disclosing a limited data set for research purposes to a researcher.

As with other types of authorization, research authorizations must be in writing and signed by the individual, and must contain the requisite core elements and statements. (See the glossary entry for authorizations for details of the requirements that apply.)

Unlike other kinds of authorizations, those for research do not require an expiration date -- it can simply say "none." (Previously this was only allowed for the creation of research databases and repositories, but it is allowed for any kind of research now.) If an expiration date is omitted, however, that fact must be clearly stated on the form. Alternatively, the research authorization can, like any other authorization, specify an expiration event instead of a date -- such as "the end of a research project." (Covered entities or IRBs may choose to require a specific date, or a more specific description of what events constitute an end to the study.)

Normally, HIPAA authorizations cannot be combined with other types of documents (such as a Notice of Privacy Practices or an optional consent). However, authorization for the use or disclosure of PHI for research may be combined with any other legal permission related to the research study, including another authorization or consent to participate in the research. Note that in the event that an optional consent or another authorization conflicts, the institution is bound by the more restrictive arrangement unless/until the conflict is resolved.

A covered entity may condition research-related treatment on provision of an authorization by the research subject. (Generally, treatment cannot be conditioned on an authorization.)

DHHS has noted that it may sometimes be advisable for authorization forms to include a statement regarding how PHI obtained for a research study will be used and disclosed for treatment, payment, and health care operations, if such information would assist individuals in making informed decisions about whether or not to provide their authorization for a research study. But, unlike under an earlier version of the Privacy Rule, it is not required for research involving treatment.

DHHS has also noted that it may be advisable -- though, again, not required -- to include statements about the sources of funding for the study and the payment arrangements for investigators. This is consistent with DHHS recommendations for informed consent under the Common Rule: such information should be included when it might be considered "material to the potential subject's decision-making process" -- viz., when it identifies possible conflicts of interest.

An individual may revoke an authorization at any time, provided that the revocation is in writing. Revocations are not valid to the extent that the covered entity has taken actions relying on the prior authorization, such as in its provision of prior treatment. And such revocations may be limited "as necessary to maintain the integrity of the research study."

The latter exception would, for example, permit the continued use and disclosure of already-gathered PHI (in subsequent statistical analyses and reporting, especially to account for the subject's withdrawal), as necessary to incorporate the information as part of a marketing application submitted to the FDA, to conduct investigations of scientific misconduct, or to report adverse events.

However, the reliance exception would not permit a covered entity to continue disclosing additional PHI to a researcher, or to use for its own research purposes information not already gathered at the time an individual withdraws his or her authorization.

Note that the development of repositories and databases for future research is considered research for the purposes of the Privacy Rule (just as under the Common Rule). If such activities are contemplated as part of a protocol, they must be described. Use of PHI for such purposes requires authorization, or a determination of exception or IRB/Privacy Board waiver.

DHHS has reiterated in its commentary that the Privacy Rule permits the use or disclosure of PHI for retrospective research studies involving data re-analysis only if such use or disclosure is made either with patient authorization or a waiver/exception of patient authorization as permitted by the criteria above.

It is not permissible to have an authorization for unspecified future research. DHHS has decided to retain the requirement that each purpose of the requested use or disclosure described in the authorization form be research study specific. However, DHHS has noted that, in the past, some express legal permissions and informed consents have not been study-specific and sometimes authorize the use or disclosure of information for future unspecified research. These are "grandfathered in" per the rules below.

Covered entities may continue to discuss recruitment into research with patients for whom such involvement might be appropriate. Typically this would be undertaken by one of the patient's health care providers. However, a patient's PHI cannot be disclosed to other parties for the purpose of research recruitment without an authorization or a waiver/exception determination.

(Under the Privacy Rule, a covered entity is permitted to disclose PHI to the individual who is the subject of the information, regardless of the purpose of the disclosure. Therefore, covered health care providers and patients may continue to discuss the option of enrolling in a clinical trial without patient authorization, and without an IRB or Privacy Board waiver of patient authorization. However, where a covered entity wants to disclose an individual's information to a third party for purposes of recruitment in a research study, the covered entity first must obtain either authorization from that individual, or a waiver/exception of authorization.)

Covered entities are permitted to use or disclose PHI created or received before the Privacy Rule compliance date for a specific research study (or, in a special exception, unspecified future research), but only if they obtained, prior to the compliance date, one of the following:

  • an authorization or other express legal permission from an individual to use or disclose PHI for the research study;
  • the informed consent of the individual to participate in the research study; or
  • a waiver, by an IRB, of informed consent for the research study in accordance with the Common Rule or FDA's human subject protection regulations.

As noted at the outset, the Privacy Rule is intended to supplement and build upon the human subject protections already afforded by the Common Rule and the FDA's human subject protection regulations. One provision already in effect under these authorities is that to approve a study, an IRB must determine there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data. HIPAA's research regulations add another layer to that protection, but where IRBs are already performing strict scrutiny, the net added burden should be small.

DHHS has commented that, though IRBs and Privacy Boards may initially struggle to interpret the criteria, experience and guidance have enabled IRBs to successfully implement the Common Rule's criteria, which also require subjective determinations. Furthermore, DHHS has indicated that it will issue guidance documents in the future to reduce the range of subjectivity.

Last modified: 12-May-2005 [RC]


   © 2002-2006 Contributing authors and University of Miami School of Medicine