TABLE A-1Previous Recommendations to HHS Regarding Research and the HIPAA Privacy Rule

Topic Issues Recommendations Organization
Accounting for disclosures of protected health information (PHI) for research purposes Creates excessive paperwork for covered entities and has resulted in some covered entities refusing to make PHI available to researchers. 1. Eliminate the accounting for disclosures requirement for research (AAMC, SACHRP) and instead, inform patients that PHI might be used for research purposes (SACHRP). NCVHSAAMCSACHRP
2. HHS should issue guidance to provide covered entities with ways to fulfill this requirement in a convenient and practical manner (NCVHS).
Standards for deidentification of data Loss of ability to carry out research because of loss of information, cost, and administrative burden. HHS should review standards to reduce the number of categories removed from deidentified data. NCVHSAAMCSACHRP
Recruitment of research subjects
  1. Institutional Review Boards (IRBs) already consider recruitment as part of their study oversight.
  2. Artificial distinction between internal and external researchers exists.
  3. Identification and contacting potential research participants are considered different activities.
  4. Creation of biased populations in studies, especially too few less-educated, low-income individuals.
1. HHS should classify research recruitment as a health care operation, obviating the need for authorization and allaying confusion (SACHRP). NCVHSSACHRP
2. If “1” is rejected, HHS should provide additional formal guidance on contacting potential research participants and HHS should end differential treatment of internal and external researchers for purposes of identifying and contacting potential participants (SACHRP, NCVHS).
Databases and tissue repositories: future uses of research data and biological materials Loss of future research opportunities; confusion regarding combined authorization. 1. When an IRB has approved a consent form that permits future uses under the Common Rulestandard, the same should apply under the Privacy Rule. Permit combining research authorization for a clinical trial and for banking data and materials collected as part of the trial in a single form (NCVHS, SACHRP). NCVHSSACHRPNCAB
2. Eliminate the restriction on the use of data for unspecified future research, or allow a less specific description of the intended use (NCAB).
3. Clarify how identified datasets collected under a broad authorization to create a database could be released to researchers through the use of a waiver of authorization, a limited dataset, or by deidentifying the information.
Research exempt under the Common Rule Discrepancies between the Common Rule and the Privacy Rule create challenges for IRBs and Privacy Boards that must make decisions about such things as waivers of authorization. 1. Revise categories of research not requiring authorization to include research determined by IRB to be exempt from Common Rule requirements (SACHRP). NCVHSSACHRP
2. HHS should provide further interpretation, guidance, and technical assistance to help the research community to understand the relationship between the Privacy Rule and the Common Rule (NCVHS).
Use and disclosure of PHI for research The process for obtaining an authorization or waiver of authorization is burdensome, and discourages research from being conducted. 1. Authorization and waiver of authorization requirements should be eliminated for research purposes. Research disclosures are adequately protected by the Common Rule (AAMC). NCVHSAAMCNCAB
2. Continue to require authorization or waiver of authorization for research, despite the administrative burden (NCVHS).
IRB waiver of authorization Authorization and informed consent can be combined into a single document. Under the Common Rule, IRBs must review informed consent documents. However, the Privacy Rule does not require IRBs to review authorization forms. HHS should clarify that nothing in the Privacy Rule prevents IRBs from reviewing authorization forms when considering the adequacy of privacy and confidentiality of subjects under the Common Rule. NCVHS
Genetics research It is unclear whether DNA samples can ever be deidentified because analyzing the samples could reveal unique DNA identifiers of the individual. HHS should clarify whether DNA samples can be considered deidentified data. NCVHS
Types of covered entities Academic medical centers cannot organize in a manner that reflects the functional operations of the medical school, affiliated practice plans, and teaching hospital. The covered entity status, hybrid entity status, and affiliated covered entity status should be redefined to reflect the function served by the different parts of the organization, not the organizational form of the organization. AAMC
Transition provisions The implementation of the Privacy Rule could hamper studies already under way. For research begun before the Privacy Rule took effect, grandfather research that did not receive IRB review or oversight because it was exempt under Common Rule. SACHRP
International research
  1. Different interpretations of the Privacy Rule lead to recruitment difficulties.
  2. Tendency to abandon U.S. research sites for those with less stringent rules. (NOTE: This is not strictly a problem in international research.)
1. Clarify, if legally possible, that PHI from foreign nationals outside the United States collected by researchers from covered entities is not subject to the Privacy Rule solely because of the relationship with the covered entity. SACHRP
2. More generally, clarify what the rules are regarding research on foreign nationals.
Public health research Effect on registries and other public health tools. Broaden the definition of public health authority to ensure inclusion of federal and state agencies that are primarily responsible for the prevention and control of disease, injury, or disability, or the analysis of data in alliance with public health and public benefits agencies. SACHRP

From: Appendix A, Previous Recommendations to the Department of Health and Human Services

Cover of Beyond the HIPAA Privacy Rule
Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.
Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors.
Washington (DC): National Academies Press (US); 2009.
Copyright © 2009, National Academy of Sciences.

NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.