NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.

Gliklich RE, Dreyer NA, editors. Registries for Evaluating Patient Outcomes: A User's Guide. 2nd edition. Rockville (MD): Agency for Healthcare Research and Quality (US); 2010 Sep.

Cover of Registries for Evaluating Patient Outcomes: A User's Guide

Registries for Evaluating Patient Outcomes: A User's Guide. 2nd edition.

Show details

Chapter 8Principles of Registry Ethics, Data Ownership, and Privacy


This chapter covers the ethical and legal considerations that should accompany the development and use of all health information registries, including patient registries as defined in this document, for the purposes of public health activities, governmental health program oversight, quality improvement/assurance, and research. These considerations apply generally accepted ethical principles for scientific research involving human subjects to health information registries. Related topics include issues of transparency in the operation of registries, oversight of registry activities, and property rights in health care information and registries.

The purpose of this chapter is solely to provide information that will help readers understand the issues, not to provide specific legal opinion or regulatory advice. Legal advisors should always be consulted to address specific issues and to ensure that all applicable Federal, State, and local laws are followed. The discussion below about legal protections for the privacy of health information focuses solely on U.S. law. Health information is also legally protected in European and some other countries by distinctly different rules. If registry developers intend to obtain health information from outside of the United States, they should consult legal counsel early in the registry planning process for the necessary assistance. It should also be noted that the rules and regulations described here are for the protection of patients, not to prevent legitimate research. While the requirements may seem daunting, they are not insurmountable barriers to research. With careful planning and legal guidance, registries can be designed and operated in compliance with applicable rules and regulations.

In the context of this chapter, health information is broadly construed to include any individual patient information created or used by health care providers and insurance plans that relates to a health condition, the provision of health care services, or payment for health care services.1 As a result, health information may include demographic information and personal characteristics, such as socioeconomic and marital status, the extent of formal education, developmental disability, cognitive capacities, emotional stability, as well as gender, age, and race, all of which may affect health status or health risks. Health information, as defined here, should be regarded as intimately connected to individual identity, and thus, intrinsically private. Typically, health information includes information about family members, so it also can have an impact on the privacy of third parties. Patients widely regard health information as a confidential communication to a health care provider and expect confidentiality to be maintained.

Serious ethical concerns have led to Federal legal requirements for prospective review of registry projects and specific permissions to use health information for research purposes. The creation and use of patient registries for a research purpose ordinarily constitute “research involving human subjects” as defined by regulations applicable to research activities funded by the U.S. Department of Health and Human Services2 (HHS) and certain other Federal agencies. Moreover, Federal privacy regulations resulting from the Health Insurance Portability and Accountability Act of 1996 (HIPAA)3 and the rules promulgated thereunder specifically apply to the use and disclosure of certain individually identifiable health information for research purposes.

The term human subjects is used throughout this chapter for consistency with applicable Federal law. Some may prefer the term research participants.

This chapter provides a general guide to Federal legal requirements in the United States. (Legal requirements in other countries may also be relevant and may be different from those in this country, but even a general discussion of the international situation is beyond the scope of this document.)

These legal requirements may influence registry decisions involving the selection of data elements and data verification procedures, and may also affect subsequent uses of registry data for secondary research purposes. State laws also may apply to the use of health information for research purposes. The purpose of a registry, the status of its developer, and the extent to which registry data are identifiable largely determine applicable regulatory requirements. Table 11, at the end of this chapter, provides an overview of the applicable regulatory requirements based on the type of registry developer and the extent to which registry data are identifiable. This chapter reviews the most common of these interactions. The complexity and sophistication of registry structures and operations vary widely, with equally variable processes for obtaining data. Nonetheless, common ethical and legal principles are associated with the creation and use of registries. These commonalities are the focus of this chapter.

Table 11. Summary of Privacy Rule and Common Rule Requirements.

Table 11

Summary of Privacy Rule and Common Rule Requirements.

Ethical concerns about the conduct of biomedical research, especially research involving the interaction of the clinical research community with their patients and commercial funding agencies, have produced an impetus to make financial and other arrangements more public. The discussion of transparency in this chapter includes recommendations for the public disclosure of registry operations as a means of maintaining public trust and confidence in the use of health information. Reliance on a standing advisory committee is recommended to registry developers as a way to provide expert technical guidance for registry operations and firmly establish the independence of the registry from committed or conflicted interests, as described in Chapter 2. This discussion of transparency in methods is not intended to discourage private investments in registries that produce proprietary information in some circumstances. Neither the funding source nor the generation of proprietary information from a registry determines whether a registry achieves the good practices described in this guide.

Registry developers are likely to encounter licensing requirements, including processing and use fees, in obtaining health and claims information. Health care providers and health insurance plans have plausible claims of ownership to health and claims information, although the public response to these claims has not been tested. Registry developers should anticipate negotiating access to health and claims information, especially when it is maintained in electronic form. The processes for use of registry datasets, especially in multiple analyses by different investigators, should be publicly disclosed if the confidentiality protections required for health information are to remain credible.

The next section of this chapter discusses the ethical concerns and considerations involved with obtaining and using confidential health information in registries. The following section describes the transformation of ethical concerns into the legal regulation of human subjects research and individually identifiable health information. Next, an overview is presented of these regulatory requirements and their interactions as they specifically relate to registries. Recommendations are made about registry transparency and oversight, based on the need to ensure the independence, integrity, and credibility of biomedical research, while preserving and improving the utility of registry data. And finally, property rights in health information and registries are discussed briefly.

Ethical Concerns Relating to Health Information Registries

Application of Ethical Principles

The Belmont Report4 is a summary of the basic principles and guidelines developed to assist in resolving ethical problems in the conduct of research with human subjects. It was the work product of the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, which was created by the National Research Act of 1974.5

The Belmont Report identifies three fundamental principles for the ethical conduct of scientific research that involves human subjects. These principles are respect for persons (as autonomous agents; self-determination), beneficence (do good; do no harm; protect from harm), and justice (fairness; equitable distribution of benefits and burdens; equal treatment). Together, they provide a foundation for the ethical analysis of human subjects research, including the use of health information in registries developed for scientific purposes with a prospect of producing social benefits. These principles are substantively the same as those identified by the Council for International Organizations of Medical Sciences (CIOMS) in its international guidelines for the ethical review of epidemiologic studies.6

Nevertheless, the application of these principles to specific research activities can result in different conclusions about what comprises the ethical design and conduct of the research in question. These different conclusions frequently occur because the principles are assigned different values and relative importance by the person performing the ethical analysis. In most of these situations, however, a generally supported consensus position on the ethical design and conduct of the research is a desirable and achievable goal. This goal does not preclude reanalysis as social norms or concerns about research activities change over time in response to new technologies or persistent ethical questioning.

The ethical principle of respect for persons supports the practice of obtaining individuals’ consent to the use of their health information for research purposes that are unrelated to the clinical and insurance reasons for creating the information. In connection with research registries, consent may have multiple components: (1) consent to registry creation by the compilation of patient information; (2) consent to the initial research purpose and uses of registry data; and (3) consent to subsequent use of registry data by the registry developer or others for the same or different research purposes. The consent process should adequately describe registry purposes and operations to inform potential subjects’ decisions about participation in a research registry. In some defined circumstances, the principle of respect for persons may be subordinate to other ethical principles and values, with the result that an explicit consent process for participation in the registry may not be necessary. A waiver of informed consent requirements may apply to the registry and be ethically acceptable. (See discussion of waivers of informed consent requirements in this chapter’s section Potential for Individual Patient Identification.) In these situations, alternatives to an explicit consent process for each individual contributing health information to the registry may be adequate. For example, the registry might provide readily accessible, publicly available information about its activities as an alternative to individual informed consent.

A general ethical requirement for consent clearly implies that human subjects voluntarily permit the use of their health information in a registry, unless a specific exception to voluntary participation applies to the registry. One such exception is a legally mandated, public health justification for the compilation of health information (e.g., certain infectious disease reporting). Voluntary agreement to the use of health information in a registry necessarily allows a subsequent decision to discontinue participation. Any inability to withdraw information from the registry (e.g., once incorporation into aggregated data has occurred) should be clearly communicated in the consent process as a condition of initial participation. The consent process should also include instructions about the procedures for withdrawal at any time from participation in the registry unless a waiver of consent applies to the registry. Incentives for registry use of health information (e.g., insurance coverage of payments for health care services) should be carefully evaluated for undue influence both on the individuals whose health information is sought for registry projects and on the health care providers of those services.7,8

Conflicts of interest may also result in undue influence on patients and may compromise voluntary participation. One potential source of conflict widely identified with clinical research is the use of recruitment incentives paid by funding agencies to health care providers.9 Some professional societies and research organizations have developed positions on recruitment incentives. Many entities have characterized as unethical incentives that are significantly beyond fair market value for the work performed by the health care provider; others require disclosure to research subjects of any conflicting interest, financial or nonfinancial.10 There also have been attempts to enact Federal legislation that would require manufacturers of certain drugs, devices, or medical supplies to report, for eventual public display, the amounts of remuneration paid to physicians for research purposes.11 Some States, including Massachusetts, currently have similar laws in effect.12 Research organizations, particularly grantees of Federal research funding, may have systematic processes that registry developers can rely on for managing employee conflicts of interest. Nonetheless, in their planning, registry developers should specify and implement recruitment practices that protect patients against inappropriate influences.

Further considerations in applying the principle of respect for persons to the research use of health information generate ethical concerns about preserving the privacy and dignity of patients and about protecting the confidentiality of health information. These concerns have intensified as health care services, third-party payment systems, and health information systems have become more complex. Legal standards for the use and disclosure of health information have replaced professional and cultural norms for handling individually identifiable health information. Nonetheless, depending on the particular health condition or population of interest, safeguards for the confidentiality of registry data beyond applicable legal requirements may be ethically necessary to protect the privacy and dignity of those individuals contributing health information to the registry.

The principle of beneficence ethically obligates developers of health information registries for research purposes to minimize potential harms to the individuals or groups13 whose health information is included in the registry. There are usually no apparent benefits offsetting harms to individuals or groups whose health information is used in the registry. Exceptions to this arise when the registry is designed to provide benefits to the human subjects, ranging from longitudinal reports on treatment effects or health status to quality-of-care reports. Risks to privacy and dignity are minimized by conscientious protection of the confidentiality of the health information included in the registry14 through the use of appropriate physical, technical, and administrative safeguards for data in the operations of the registry. These safeguards should also control access to registry data, including access to individual identifiers that may be included in registry data. Minimization of risks also requires a precise determination of what information is necessary for the research purposes of the registry.

In an analysis applying the principle of beneficence, research involving human subjects that is unlikely to produce valid scientific information is unethical. This conclusion is based on the lack of social benefit to offset even minimal risks imposed by the research on participating individuals. Health information registries should incorporate an appropriate design (including, where appropriate, calculation of the patient sample as described in Chapter 3) and data elements, written operating procedures, and documented methodologies, as necessary, to ensure the achievement of their scientific purpose.15

Certain populations of patients may be vulnerable to social, economic, or psychological harms as a result of a stigmatizing health condition. Developers of registries compiling this health information must make special efforts to protect the identities of the human subjects contributing data to the registry. Pediatric and adolescent populations generate particular ethical concern because of a potential for lifelong discrimination that may effectively exclude them from educational opportunities and other social benefits (e.g., health care insurance).16

An ethical analysis employing the principle of justice also yields candid recognition of the potential risks to those who contribute health information to a registry, and the probable lack of benefit to those individuals (except in the cases where registries are specifically constructed to provide benefit to those individuals). The imbalance of burden and benefit to individuals, which is an issue of distributive justice, emphasizes the need to minimize the risks from registry use of health information. Reasonably precise and well-developed scientific reasons for inclusion (or exclusion) of defined health information in a registry contribute to making the research participation burden fair.

The above analysis refers to research activities. However, the ethical concerns expressed may also apply to other activities that use the health information of individuals in scientific methodologies solely for nonresearch purposes. Public health, oversight of the delivery of health care services through government programs, and quality improvement/assurance (I/A) activities all can evoke the same set of ethical concerns as research activities about the protection of patient self-determination, privacy, and dignity; the maintenance of the confidentiality of individually identifiable health information to avoid potential socioeconomic harms; and the imposition of a risk of harm on some individuals to the benefit of others not at risk. In the past, different assignments of social value to these activities and different potential for the social benefits and harms they produce have created different levels of social acceptance and formal oversight for these activities compared with research activities. Nonetheless, these activities may include a research component in addition to their ostensible and customary objectives, a circumstance that reinforces the ethical concerns discussed above and produces additional concerns about compliance with the legal requirements for research activities. Registry developers should give careful prospective scrutiny to the proposed purposes for and activities of a registry in consultation with appropriate institutional officials to avoid both ethical and compliance issues that may undermine achievement of the registry’s objectives.

Registry developers must also consider confidentiality protections for the identity of the health care providers, at the level of both individual professionals and institutions, and the health care insurance plans from which they obtain registry data. Information about health care providers and insurance plans can also identify certain patient populations and, in rare circumstances, individual patients. Moreover, the objectives of any registry, broadly speaking, are to enhance the value of the health care services received, not to undermine the credibility and thus the effectiveness of health care providers and insurance plans in their communities. Developers of registries created for public health investigations, health system oversight activities, and quality I/A initiatives to monitor compliance with recognized clinical standards must consider and implement confidentiality safeguards for the identity of service professionals and institutions. At the same time, however, these confidentiality safeguards should be developed in a manner that permits certain disclosures, as designated by the service professionals and institutions, for the reporting of performance data, which are increasingly associated with payment from payers.

Transformation of Ethical Concerns Into Legal Requirements

Important ethical concerns about the creation, maintenance, and use of patient registries for research purposes involve risks of harm to the human subjects from inappropriate access to registry data and inappropriate use of the compiled health information. These concerns arise from public expectations of confidentiality for health information and the importance of that confidentiality in preserving the privacy and dignity of individual patients.

Over the last decade, two rapid technological developments intensified these ethical concerns. One of these advances was DNA sequencing, replication, recombination, and the concomitant application of this technology to biomedical research activities in human genetics. The other advance was the rapid development of electronic information processing, as applied to the management of health information. Widespread anticipation of potential social benefits produced by biomedical research as a result of these technologies was accompanied by ethical concerns about the potential for affronts to personal dignity and economic, social, or psychological harms to individuals or related third parties.

In addition to specific ethical concerns about the effect of technological advances in biomedical research, general social concerns about the privacy of patient information accompanied the advance of health information systems technology and communications. These social concerns produced legal protections, first in Europe and later in the United States. The discussion below about legal protections for the privacy of health information focuses solely on U.S. law. Health information is also legally protected in European and some other countries by distinctly different and even more complex rules, none of which are discussed in this chapter.17 If registry developers intend to obtain health information from outside of the United States, they should consult legal counsel early in the registry planning process for the necessary assistance.

The Common Rule

The analysis in the Belmont Report on the ethical conduct of human subjects research eventually resulted in a uniform set of regulations from the Federal agencies that fund such research known as the “Common Rule.”18,19 The legal requirements of the Common Rule apply to research involving human subjects conducted or supported by the 17 Federal departments and agencies that adopted the Rule. Some of these agencies may require additional legal protections for human subjects. The Department of Health and Human Services regulations will be used for all following references to the Common Rule.

Among these requirements is a formal written agreement, from each institution engaged in such research, to comply with the Common Rule. For human subjects research conducted or supported by most of the Federal entities that apply the Common Rule, the required agreement is called a Federalwide Assurance (FWA).20 Research institutions may opt in their FWA to apply Common Rule requirements to all human subjects research activities conducted within their facilities or by their employees and agents, regardless of the source of funding. The application of Common Rule requirements to a particular registry depends on the institutional context of the registry developer, relevant institutional policies, and whether the health information contributed to the registry maintains patient identifiers.

The Office for Human Research Protections (OHRP) administers the regulation of human subjects research conducted or supported by HHS. Guidance published by OHRP discusses research use of identifiable health information. This guidance makes clear that OHRP considers the creation of health information registries for research purposes containing individually identifiable, private information to be human subjects research for the institutions subject to its jurisdiction.21 In the section below on Research Transparency, Oversight, and Ownership, the applicability of the Common Rule to research registries is discussed in more detail.

OHRP regulations for human subjects protection require prospective review and approval of the research by an institutional review board (IRB) and the informed consent (usually written) of each of the human subjects involved in the research, unless an IRB expressly grants a waiver of informed consent requirements.22 (See Case Example 23.) A research project must satisfy certain regulatory conditions to obtain IRB approval of a waiver of the informed consent requirements. (See the section on Potential for Individual Patient Identification, later in this chapter, for discussion of waivers of informed consent requirements.) A registry plan is the research “protocol” reviewed by the IRB. At a minimum, the protocol should identify (1) the research purpose of a health information registry, (2) detailed arrangements for obtaining informed consent, or detailed justifications for not obtaining informed consent, to collect health information, and (3) appropriate safeguards for protecting the confidentiality of registry data, in addition to any other information required by the IRB on the risks and benefits of the research.23

Box Icon

Case Example 23

Considering the Institutional Review Board Process During Registry Design. The NOPR is one of the first examples of CMS’s new coverage with evidence development (CED) approach. For the expanded coverage of PET for cancer, the agency required the (more...)

As noted previously, for human subjects research conducted or supported by most Federal departments and agencies that have adopted the Common Rule, an FWA satisfies the requirement for an approved assurance of compliance. Some research organizations extend the application of their FWA to all research, regardless of the funding source. Under these circumstances, any patient information registry created and maintained within the organization may be subject to the Common Rule. In addition, some research organizations have explicit institutional policies and procedures that require IRB review and approval of all human subjects research.

The Privacy Rule

In the United States, the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations24 (here collectively called the Privacy Rule) created legal protections for the privacy of individually identifiable health information created and maintained by so-called “covered entities.” Covered entities are health care providers that engage in certain financial and administrative health care transactions electronically, health plans, and health care clearinghouses.25 For the purposes of this chapter, the relevant entities are covered health care providers and health care insurance plans, which may include individual health care providers (e.g., a physician, pharmacist, or physical therapist). The discussion in this chapter assumes that the data sources for registries are covered entities to which the Privacy Rule applies. In the unlikely event that a registry developer intends to collect and use data from sources that are not covered entities under the Privacy Rule, these sources are subject only to applicable State law and accreditation requirements, if any, for patient information.

Although data sources are assumed to be subject to the Privacy Rule, registry developers and the associated institutions where the registry will reside may not be. Notably, the Privacy Rule does not apply to registries that reside outside of a covered entity. Within academic medical centers, for example, registry developers may be associated with units that are outside of the institutional health care component to which the Privacy Rule applies, such as a biostatistics or economics department. But because many, if not virtually all, data sources for registries are covered entities, registry developers are likely to find themselves deeply enmeshed in the Privacy Rule. This involvement may occur with noncovered entities as well—for instance, as a result of business practices developed in response to the Privacy Rule. In addition, the formal agreements required by the Privacy Rule in certain circumstances in order to access, process, manage, and use certain forms of patient information impose continuing conditions of use that are legally enforceable by data sources under contract law. Therefore, registry developers should become cognizant of the patient privacy considerations confronting their likely data sources and should consider following certain Privacy Rule procedures, necessary or not, for reasons of solidarity with those data sources.

In general, the Privacy Rule defines the circumstances under which health care providers and insurance plans (covered entities) may use and disclose patient information for a variety of purposes, including research. Existing State laws protecting the confidentiality of health information that are contrary to the Privacy Rule are preempted, unless the State law is more protective (which it may be).26 For example, the Privacy Rule requires that certain information be present in patient authorizations to use and disclose individually identifiable information, including an expiration date. The laws of the State of Maryland, however, specifically require that, absent certain exceptions, a patient’s authorization may only be valid for a maximum period of one year.27 As a result, a covered entity located in Maryland must comply with the State’s 1-year maximum expiration deadline on its patient authorization forms.

The Privacy Rule regulates the use of identifiable patient information within health care providers’ organizations and insurance plans, and the disclosure of patient information to others outside of the institution that creates and maintains the information.28 The initial collection of registry data from covered entities is subject to specific Privacy Rule procedures, depending on the registry’s purpose, whether the registry resides within a covered entity or outside of a covered entity, and the extent to which the patient information identifies individuals. The health care providers or insurance plans that create, use, and disclose patient information for clinical use or business purposes are subject to civil and criminal liability for violations of the Privacy Rule.

Registry developers should be sufficiently knowledgeable about the Privacy Rule to facilitate the necessary processes for their data sources. They should expect this assistance to involve interactions with clinicians, the Privacy Officer, the IRB or Privacy Board staff, health information system representatives, legal counsel, compliance officials, and contracting personnel. Registry developers should also become aware of modifications, amendments, or new implementing regulations under the Privacy Rule, which can be expected to occur as the use of electronic health information becomes more prevalent.

Subsequent use and sharing of registry data may be affected by the regulatory conditions that apply to initial collection, as well as by new ethical concerns and legal issues. The Privacy Rule created multiple pathways by which registries can compile and use patient information. To use or share compiled registry data for research purposes, a registry developer may need to employ several of these pathways sequentially and satisfy the regulatory requirements of each pathway. For instance, a registry within a covered entity may arrange to obtain written documentation of an authorization required by the Privacy Rule from each patient contributing identifiable information to a registry for a particular research project, such as the relationship between hypertension and Alzheimer’s disease. If the registry then seeks to make a subsequent use of the data for another research purpose, it may do so if it uses another permission in the Privacy Rule—for example, by obtaining additional patient authorizations or first de-identifying the data to Privacy Rule standards.

The authors recommend that registry developers plan a detailed tracking system, based on the extent to which registry data remain identifiable for individual patients, for the collection, uses, and disclosures of registry data. The tracking system should produce comprehensive documentation of compliance with both Privacy Rule requirements and legally binding contractual obligations to data sources.

The Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”29 Commentary by HHS to the Privacy Rule explicitly includes within this definition of research the development (building and maintenance) of a repository or database for future research purposes.30 The definition of research in the Privacy Rule partially restates the definition of research in the preexisting Common Rule for the protection of human subjects of the HHS and other Federal agencies.31 Some implications of this partial restatement of the definition of research are discussed later in this chapter.

Guidance published by the National Institutes of Health (NIH) discusses how the Privacy Rule impacts health services research and research databases and repositories. The NIH guidance identifies the options available to investigators under the Privacy Rule for access to the health information held by health care providers and insurance plans.32 In addition to provisions for the use or disclosure of identifiable patient information for research, the Privacy Rule permits health care providers and insurance plans to use or disclose patient information for certain defined public health activities.33 The Privacy Rule defines a public health authority as “an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency… that is responsible for public health matters as part of its official mandate.”34 The Centers for Disease Control and Prevention (CDC) and HHS have jointly published specific guidance on the Privacy Rule for public health activities.35 Other Privacy Rule provisions permit the use or disclosure of patient health information as required by other laws.36

The privacy protections for patient information created by the Privacy Rule that are generally relevant to registries developed for research purposes include explicit individual patient authorization for the use or disclosure of identifiable information,37 legally binding agreements for the release of “limited datasets” between health information sources and users,38 the removal of specified identifiers or statistical certification to achieve de-identification of health information,39 and an accounting of disclosures to be made available to patients at their request.40 In addition, if certain criteria required by the Privacy Rule are satisfied, an IRB or Privacy Board can grant a waiver of individual patient authorization for the use or disclosure of health information in research.41

FDA Regulations

U.S. Food and Drug Administration (FDA) regulatory requirements for research supporting an application for FDA approval of a product also include protections for human subjects, including specific criteria for protection of privacy and maintaining the confidentiality of research data.42

Applicability of Regulations to Research; Multiple-Purpose Registries

At many institutions, the IRB or the office that provides administrative support for the IRB is the final arbitrator of the activities that constitute human subjects research, and thus may itself determine what activities require IRB review. A registry developer is strongly encouraged to consult his or her organization’s IRB early in the registry planning process to avoid delays and revision of documentation for the IRB. Distinctions between research and other activities that apply scientific methodologies are frequently unclear. Such other activities include both public health practice43 and quality-related investigations.44 Both the ostensible and secondary purposes of an activity are factors in the determination of whether registry activities constitute research subject to the Common Rule. As interpreted by OHRP, if any secondary purpose of an activity is research, then the activity should be considered research.45 This OHRP interpretation of research purpose differs from that of the Privacy Rule with respect to quality-related studies performed by health care providers and insurance plans. Under the Privacy Rule, only if the primary purpose of a quality-related activity is to obtain generalizable knowledge do the research provisions of the Privacy Rule apply; otherwise, the Privacy Rule defines the activity as a “health care operation.”46

Registry developers should rely on their Privacy Officer’s and IRB’s experience and resources in defining research and other activities for their institutions and determining which activities require IRB review as research. In response to accreditation standards, inpatient facilities typically maintain standing departmental (e.g., pediatrics) or service (e.g., pharmacy or nursing) committees to direct, review, and analyze quality-related activities. Some physician groups also establish and maintain quality-related programs, because good clinical practice includes ongoing evaluation of any substantive changes to the standard of care. These institutional quality committees can provide guidance on the activities that usually fall within their purview. Similarly, public health agencies typically maintain systematic review processes for identifying the activities that fit within their legal authority.

As briefly mentioned previously, use of registry data for multiple research purposes may entail obtaining additional permissions from patients or satisfying different regulatory requirements for each research purpose. Standard confidentiality protections for registry data include requirements for physical, technical, and administrative safeguards to be incorporated into plans for a registry. In some instances, an IRB may not consider legally required protections for the research use of patient information sufficient to address relevant ethical concerns, including the protections of the Privacy Rule that may be applicable to registries created and maintained within health care providers and insurance plans as covered entities. For example, information about certain conditions (such as alcoholism or HIV-positive status) and certain populations (such as children) may present an unusual potential for harm from social stigma and discrimination. Under these circumstances, the IRB can make its approval of a registry plan contingent on additional safeguards that it determines are necessary to minimize the risks to individuals contributing health information to the registry.

Applicable Regulations

This section describes the specific applicability of the Common Rule47 and the Privacy Rule48 to the creation and use of health information registries. The discussion in this section assumes three general models for health information registries. One model is the creation of a registry containing the contact, demographic, and diagnostic or exposure information of potential research subjects who will be individually notified about projects in which they may be eligible to participate. The notification process permits the registry to shield registry participants from an inordinate number of invitations to participate in research projects, as well as to protect privacy. This model is particularly applicable to patients with unusual conditions, patients who constitute a vulnerable population,49 or both (e.g., children with a rare condition). A second model is the creation of a registry and all subsequent research use of registry data by the same group of investigators. No disclosures of registry data will occur and all research activities have the same scientific purpose. This model applies, in general, to quality-related investigations of a clinical procedure or service. A third model is the creation of a registry for an initial, specific purpose by a group of investigators with the express intent to use registry data themselves, as well as to disclose registry data to other investigators for additional related or unrelated scientific purposes. An example of this last model is a registry of health information from patients diagnosed with a condition that has multiple known comorbidities to which registry data can be applied. This third model is most directly applicable to industry-sponsored registries. The American College of Epidemiology encourages the data sharing contemplated in this last registry model.50 Data sharing enhances the scientific utility of registry data and diminishes the costs of compilation.

A registry developer should try to evaluate how the regulations apply to each of these models. Registry developers are strongly encouraged to consult with their organization’s Privacy Officer and IRB or Privacy Board early in the planning process to clarify applicable regulatory requirements and the probable effect of those requirements on considerations of registry design and development.

Public Health, Health Oversight, FDA-Regulated Products

When Federal, State, or municipal public health agencies create registries in the course of public health practice, specific legislation typically authorizes the creation of the registries and regulates data acquisition, maintenance, security, use, and disclosures of registry data for research. Ethical considerations and concerns about maintaining the confidentiality of patient information used by public health authorities are similar to those for research use, but they are explicitly balanced against potential social benefits during the legislative process. Nonetheless, if the registry supports research activities as well as its public health purposes, Common Rule requirements for IRB review may apply to the creation of the registry.

Cancer registries performing public health surveillance activities mandated by State law are well-known exceptions to Common Rule regulation. However, secondary uses of public health registry data for research and the creation of registries funded by public health agencies, such as the CDC and the Agency for Healthcare Research and Quality (AHRQ), may be subject to the Common Rule as sponsored research activities. The Common Rule’s definitions of human subjects research51 may encompass these activities, which are discussed in the next subsections of this chapter. Not all cancer registries support public health practice alone, even though the registries are the result of governmental programs. For example, the Surveillance Epidemiology and End Results (SEER) program, funded by the National Cancer Institute, operates and maintains a population-based cancer reporting system of multiple registries, including public use datasets with public domain software. SEER program data are used for many research purposes in addition to aiding public health practices.52

Disclosures of health information by health care providers and insurance plans for certain defined public health activities are expressly recognized as an exception to Privacy Rule requirements for patient authorization.53 An example of a public health activity is the practice of surveillance, whereby the distributions and trends of designated risk factors, injuries, or diseases in populations are monitored and disseminated.54 Health care providers or insurance plans are likely to demand documentation of public health authority for legal review before making any disclosures of health information. Registry developers should obtain this documentation from the agency that funds or enters into a contract for the registry, and present it to the health care provider or insurance plan well in advance of data collection efforts.

The Privacy Rule permits uses and disclosures by health care providers and insurance plans for “health oversight activities” authorized by law.55 These activities include audits and investigations involving the “health care system” and other entities subject to government regulatory programs for which health information is relevant to determining compliance with program standards.56 The collection of patient information, such as occurrences of decubitus ulceration, from nursing homes that are operating under a compliance or corporate integrity agreement with a Federal or State health care program, is an example of a health oversight activity.

The Privacy Rule characterizes responsibilities related to the quality, safety, or effectiveness of a product or activity regulated by FDA as public health activities. This public health exception for uses and disclosures of patient information in connection with FDA-regulated products or activities includes adverse event reporting; product tracking; product recalls, repairs, replacement, or look-back; and postmarketing surveillance (e.g., as part of a risk management program that is a condition for approval of an FDA-regulated product).57

Research Purpose of a Registry

The Common Rule defines research, and its definition is partially restated in the Privacy Rule, as described earlier. These regulatory definitions affect how the regulatory requirements of each rule are applied to research activities.58

In the Common Rule:

Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Activities which meet this definition constitute research for purposes of this policy, whether or not they are conducted or supported under a program which is considered research for other purposes. For example, some demonstration and service programs may include research activities.59

OHRP interprets this Common Rule definition of research to include activities having any research purpose, no matter what the ostensible objective of the activity may be. Compliance with Common Rule requirements depends on the nature of the organization where the registry resides. If an organization receives Federal funding for research, then it is likely that Common Rule requirements apply.

The Privacy Rule’s definition of research60 restates the first sentence of the Common Rule definition. However, the Privacy Rule distinguishes between research and quality improvement/assurance activities conducted by covered entities,61 which are defined as “health care operations.”62 As a result, if the primary purpose of a quality-related registry maintained by a covered entity is to support a research activity (i.e., to create generalizable knowledge), Privacy Rule requirements for research apply to the use or disclosure of the patient information to create the registry and to subsequent research use of registry data. If, however, the primary purpose is other than to create generalizable knowledge, the study is considered a health care operation of the covered entity and is not subject to Privacy Rule requirements for research activities or patient authorization.

As noted earlier, both public health practice and quality I/A activities can be difficult to distinguish from research activities.63 The determination of whether a particular registry should be considered as or include a research activity depends on a number of different factors, including the nature of the organization where the registry will reside; the employment duties of the individuals performing the activities associated with the registry; the source of funding for the registry; the original, intended purpose of the registry; the sources of registry data; whether subsequent uses or disclosures of registry data are likely; and other circumstances of registry development.

Quality I/A activities entail many of the same ethical concerns about protecting the confidentiality of health information as research activities do. Express consent to quality I/A activities is not the usual practice; instead, the professional and cultural norms of health care providers, both individual and institutional, regulate these activities. Registry developers should consider whether the ethical concerns associated with a proposed quality I/A registry require independent review and the use of special procedures such as notice to patients. Registry advisory committee members, quality I/A literature,64 hospital ethics committees, IRB members, and clinical ethicists can make valuable contributions to these decisions.

To avoid surprises and delays, the decision about the nature of the activity that the registry is intended to support should be made prospectively, in consultation with appropriate officials of the funding agency and officials of the organization where the registry will reside. Some research institutions may have policies that either require IRB review for quality I/A activities, especially if publication of the activity is likely, or exclude them from IRB review. Most frequently, IRBs make this determination on a case-by-case basis.

Potential for Individual Patient Identification

The specific regulatory requirements applicable to the use or disclosure of patient information for the creation of a registry to support research depend in part on the extent to which patient information received and maintained by the registry can be attributed to a particular person. Various categories of information, each with a variable potential for identifying individuals, are distinguished in the Privacy Rule: individually identifiable health information, de-identified information, and a limited dataset of information.65 The latter two categories of information may or may not include a code linked to identifiers.

If applicable, Common Rule requirements affect all research involving patient information that is individually identifiable and obtained by the investigator conducting the research. The definition of “human subject” in the Common Rule is “a living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.”

This regulatory definition further explains that:

Private information includes…information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects.66

In short, the Common Rule definition of human subject makes all research use of identifiable patient information subject to its requirements; if the identity of the patients whose information is used for research purposes is not readily ascertainable to the investigator, the research is not human subjects research to which the Common Rule applies. Moreover, research involving the collection of information from existing records is exempt from the Common Rule if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers (coded link), to the subjects. Registry developers should consult the IRB early in the process of selecting data elements to obtain guidance about whether registry activities constitute human subjects research or may be exempt from Common Rule requirements.

Also among the criteria specified by the Common Rule for IRB approval of research involving human subjects are provisions to protect the privacy of subjects and to maintain the confidentiality of data.67 In addition, the consent process for research subjects should include explicit information about confidentiality protections for the use of records containing identifiers.68

Data collection frequently requires patient identifiers, especially in prospective registries with ongoing data collection, revision, and updates. Secondary or subsequent research use by outside investigators (i.e., those not involved in the original data collection) of patient information containing direct identifiers is complicated, however, because ethical principles for the conduct of human subjects research require that risks, including risks to confidentiality of patient information, be minimized. In addition, the Privacy Rule requires an authorization to specifically describe the purpose of the use or disclosure of patient information. Unless the registry developer sufficiently anticipates the purposes of secondary research, the authorization may not be valid for the use of identifiable registry data for secondary research purposes. The Privacy Rule provides options for the collection and use of health information that is identifiable to a greater or lesser extent; it also contains standards for de-identifying information and creating limited datasets.69 Chapter 7 provides a discussion of the technical and legal considerations related to linking registry data for secondary research purposes.

Direct identifiers generally include a patient’s name, initials, contact information, medical record number, and Social Security Number, alone or in combination with other information. As described by the Privacy Rule standard, a limited dataset of patient information does not include specified direct identifiers of the patient or the patient’s relatives, employer, or household members.70

In an electronic environment, masking individual identities is a complex task. Data suppression limits the utility of the information from the registry, and linkage or even triangulation of information can re-identify individuals. A technical assessment of electronic records for their uniqueness within any dataset is necessary to minimize the potential for re-identification. In aggregated published data, standard practice assumes that a subgroup size of less than six may also be identifiable, depending on the nature of the data. An evaluation for uniqueness should ensure that the electronic format does not produce a potential for identification greater than this standard practice, even when the information is triangulated within a record or linked with other data files.

If a registry for research, public health, or other purposes will use any of the categories of health information discussed below, a registry developer should consult the IRB, the Privacy Officer, and the institutional policies developed specifically in response to the Privacy Rule early in his or her planning. These consultations should establish the purpose of the registry, the applicability of the Common Rule requirements to registry activities, and the applicability of the Privacy Rule to the collection and use of registry data. In addition, the registry developer should consult a representative of the information technology or health information system office of each health care provider or insurance plan that will be a source of data for the registry, as well as a representative of the IRB or Privacy Board for each data source, so as to obtain feasibility estimates of data availability and formats.

De-Identified Patient Information

The Privacy Rule describes two methods for de-identifying health information.71 One method requires the removal of certain data elements. The other method requires a qualified statistician to certify that the potential for identifying an individual from the data elements is negligible. A qualified statistician should have “appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable” in order to make this determination.72 De-identified information may include a code permitting re-identification of the original record by the data source (covered entity).73 The code may not be derived from information about an individual and should resist translation. In addition, the decoding key must remain solely with the health care provider or plan that is the source of the patient information.74

Research on existing data in which individual patients cannot be identified directly or indirectly through linked identifiers does not involve human subjects as defined by the Common Rule, and thus is not subject to the requirements of the Common Rule.75 Refer to the discussion later in this chapter.

As a prudent business practice, each health care provider or insurance plan that is a source of de-identified information is likely to require an enforceable legal agreement with the registry developer. It should be signed by an appropriate institutional official on behalf of the registry developer. At a minimum, this agreement will likely contain the following terms, some of which may be negotiable: the identification of the content of the data and the medium for the data; a requirement that the data recipient, and perhaps the health care provider or insurance plan providing the data, make no attempt to identify individual patients; the setting of fees for data processing and data use; limitations on disclosure or further use of the data, if any; and an allocation of the risks of legal liability for any improper use of the data.

Limited Datasets of Health Information

De-identified health information may not suffice to carry out the purposes of a registry, especially if the registry will receive followup information through the monitoring of patients over time or information from multiple sources to compile complete information on a health event (e.g., cancer incidence). Dates of service and geographic location may be crucial to the scientific purposes of the registry or to the integrity and use of the data. Health information provided to the registry without direct identifiers may constitute a limited dataset as defined by the Privacy Rule.76 A health care provider or insurance plan may disclose a limited dataset of health information by entering into a data use agreement (DUA) with the recipient. The terms of the DUA should satisfy specific Privacy Rule requirements.77 Institutional officials for both the data source and the registry developer should sign the DUA so that a legal contract results. The DUA establishes the uses of the limited dataset permitted by the registry developer (i.e., the creation of the registry and subsequent use of registry data for specified research purposes). The DUA may not authorize the registry developer to use or disclose information in a way that would violate the Privacy Rule if done by the data source.78

An investigator who works within a health care provider or insurance plan to which the Privacy Rule applies and that is the source of the health information for a registry may use a limited dataset to develop a registry for a research purpose. In these circumstances, the Privacy Rule still requires a DUA that satisfies the requirements of the Privacy Rule between the health care provider or insurance plan and the investigator. This agreement may be in the form of a written confidentiality agreement.79

A registry developer may assist a health care provider or insurance plan by creating the limited dataset. In some situations, this assistance may be crucial to data access and availability for the registry. In order for the registry developer to create a limited dataset on behalf of a data source, the Privacy Rule requires the data source (the covered entity) to enter into a business associate agreement with the registry developer (the business associate) that satisfies certain regulatory criteria.80 The business associate agreement is a binding legal arrangement that should be signed by appropriate institutional officials on behalf of the data source and registry developer. This agreement contains terms for managing health information that are required by the Privacy Rule and that become a legally binding contract between the data source and data recipient.81 Most health care providers have developed a standard business associate agreement in response to the Privacy Rule and will likely insist on using it, although it may require some negotiated modifications for the production of registry data.

The registry populated with a limited dataset may include a coded link that connects the data back to patient records, provided the link does not replicate part of a direct identifier.82 The key to the code may allow health information obtained from monitoring patients over time to supplement existing registry data or allow the combination of information from multiple sources.

The DUA for a limited dataset of health information requires the data recipient to warrant that no attempt will be made to identify the health information with individual patients or to contact those patients.83

If the registry data obtained by investigators constitute a limited dataset and do not contain a coded link to identifiers, then the research would not involve human subjects, as defined by HHS regulations at 45 Code of Federal Regulations (CFR) 46.102(f), and the Common Rule requirements would not apply to the registry.84 An IRB or an institutional official knowledgeable about the Common Rule requirements should make the determination of whether a research registry involves human subjects; frequently, a special form for this purpose is available from the IRB. The IRB (or institutional official) should provide documentation of its decision to the registry developer.

Direct Identifiers: Authorization and Consent

The Privacy Rule permits the use or disclosure of patient information for research with a valid, written authorization from each patient whose information is disclosed.85 The Privacy Rule specifies the content of this authorization, which gives permission for a specified use or disclosure of the health information.86 Health care providers and insurance plans frequently insist on use of the specific authorization form they develop to avoid legal review and potential liability from the use of other forms.

One exception to the requirement for an authorization occurs when a health care provider or insurance plan creates a registry to support its “health care operations.”87 Health care operations specifically include quality I/A activities, outcomes evaluation, and the development of clinical guidelines; however, the Privacy Rule definition of health care operations clearly excludes research activities.88 For example, a hospital registry created to track its patient outcomes against a recognized clinical care standard as a quality improvement initiative has a health care operations purpose. The hospital would not have to obtain an authorization for use of the health information from the patients it tracks in this registry.

Research use of health information containing identifiers constitutes human subjects research as defined by the Common Rule.89 In general, the Common Rule requires documented, legally effective, voluntary, and informed consent of each research subject.90

Documentation of the consent process required by the Common Rule may be combined with the authorization required by the Privacy Rule for disclosure and use of health information.91 A health care provider or insurance plan may not immediately accept the combination of these forms as a valid authorization; it may insist on legal review of the combination form before permitting disclosure of any health information.

Authorizations for the use or disclosure of health information under the Privacy Rule and informed consent to research participation under the Common Rule should be legally effective (i.e., patients must be legally competent to provide these permissions). Adults, defined in most States as 18 years and over, are presumed legally competent in the absence of a judicially approved guardianship. Children under 18 years old are presumed legally incompetent; therefore, a biological, adoptive, or custodial parent or guardian must provide permission on the child’s behalf. Registry developers should consult legal counsel about situations in which these presumptions seem inapplicable, such as a registry created to investigate contraceptive drug and device use by adolescents, where State law exceptions may exist.

In addition to being voluntary and legally effective, an individual’s consent should be informed about the research, including what activities are involved, as well as the expected risks and potential benefits from participation. The Common Rule requires the consent process to include specific elements of information.92 Registry developers should plan to provide non-English-speaking patients with appropriate resources to ensure that the communication of these elements during the consent process is comprehensible. All written information for patients should be translated, or else arrangements should be made for qualified translators to attend the consent process.

IRBs may approve waivers for both authorization (for disclosure of patient information for registry use) and consent (to registry participation), provided the research use of health information satisfies certain regulatory conditions. In addition, the Privacy Rule created Privacy Boards specifically to approve waivers of authorization for the research use of health information in organizations without an IRB.93. Waivers are discussed in detail below.

An important distinction exists between the Common Rule and Privacy Rule concerning the scope of permission to use health information for research purposes. Under the Common Rule, consent for participation in future, unspecified research may be obtained, provided potential subjects receive clear notice during the consent process that this research is intended to occur. For an authorization to be valid under the Privacy Rule, however, the authorization should describe each purpose of the use or disclosure of health information.94

In certain limited circumstances, research subjects can consent to future unspecified research using their identifiable patient information. The Common Rule permits an IRB-approved consent process to be broader than a specific research project95 and to include information about research that may be done in the future. In its review of such future research, an IRB subsequently can determine that the previously obtained consent (1) satisfies or (2) does not satisfy the regulatory requirements for informed consent. If the previously obtained consent is not satisfactory, an additional consent process may be required; alternatively, the IRB may grant a waiver of consent, provided the regulatory criteria for a waiver are satisfied.

For example, an IRB-approved consent process for the creation of a research registry should include a description of the specific types of research to be conducted using registry data. For any future research that involves identifiable information maintained by the registry, the IRB may determine that the original consent process (for the creation of the research registry) satisfies the applicable regulatory requirements because the prospect of future research and future research projects were adequately described. The specific details of that future research on registry data may have been unknown when data were collected to create the registry, but the future research may have been sufficiently anticipated and described to satisfy the regulatory requirements for informed consent. For consent to be informed as demanded by the ethical principle of respect for persons, however, any description of the nature and purposes of the research should be as specific as possible.

If a registry developer anticipates subsequent research use of identifiable registry data, he or she should request an assessment by the IRB of the description of the research used in the consent process for potential subjects at the time the data are initially collected. Nonetheless, in its review of any subsequent research, an IRB may find it appropriate to require an additional consent process for each research subject or to grant a waiver for obtaining further consent.

The commentary accompanying the publication of the Privacy Rule clearly rejected broadening the description of purpose in authorizations to include future unspecified research.96 As a result, the research purpose stated in an original authorization for a registry limits the use of registry data to that purpose.97 Subsequent use of registry data maintained within a health care provider or insurance plan for a different research purpose requires a new authorization from each individual whose registry data would be involved or an approved waiver of authorization. Alternatively, the use or disclosure of a limited dataset or de-identified registry data can occur, provided regulatory criteria are satisfied. Registries maintained by organizations to which the Privacy Rule does not apply (e.g., funding agencies for research that are not health care providers or insurance plans, professional societies, or non-health care components of hybrid entities such as universities) are not legally bound by the limited purpose of the original authorization. However, data sources subject to the Privacy Rule are likely to be unwilling to provide patient information without a written agreement with the registry developer that includes legally enforceable protections against redisclosure of identifiable patient information. A valid authorization contains a warning to patients that their health information may not be protected by Privacy Rule protections in recipient organizations.98

Registry developers can request that patients obtain and share copies of their own records from their health care providers or insurance plans. This strategy can be useful for mobile populations, such as elderly retirees who occupy different residences in winter and summer, and for the health records of school children. A Federal privacy law99 protects the health records of children that are held by schools from disclosure without explicit parental consent; thus, parents can often obtain copies of these records more easily than investigators. Alternatively, individuals can simply be asked to volunteer health information in response to an interview or survey. These collection strategies do not require obtaining a Privacy Rule authorization from each subject; IRB review and other requirements of the Common Rule, including careful protections of the confidentiality of registry data, may, nonetheless, apply to a registry project with a research purpose. Moreover, a registry developer may encounter Privacy Rule requirements for the use or disclosure of patient information by a health care provider or insurance plan for purposes of recruiting registry participants. For example, a patient authorization or waiver of authorization (discussed below) may be necessary for the disclosure of patient contact information by a health care provider or insurance plan (covered entity) to a registry developer.

Certificates of Confidentiality and Other Privacy Protections

Certificates of confidentiality granted by the National Institutes of Health permanently protect identifiable information about research subjects from legally compelled disclosure. For the purposes of certificates of confidentiality, identifiable information is broadly defined to include any item, or combination of items, in research data that could directly or indirectly lead to the identification of a research participant.100 Federal law authorizes the Secretary of HHS (whose authority is delegated to NIH) to provide this privacy protection for subjects of biomedical, behavioral, clinical, and other research.101 Federal funding for the research is not a precondition for obtaining a certificate of confidentiality.102 An investigator whose research project has been granted a certificate of confidentiality may refuse to disclose identifying information collected for that research even though a valid subpoena exists for the information in a civil, criminal, administrative, or legislative proceeding at the Federal, State, or local level. The protection provided by a certificate of confidentiality is intended to prevent the disclosure of personal information that could result in adverse effects on the social, economic, employment, or insurance status of a research subject.103 Detailed information about certificates of confidentiality is available on the NIH Web site.104

The grant of a certificate of confidentiality to a research project, however, is not intended to affect State laws requiring health care and other professionals to report certain conditions to State officials; for example, designated communicable diseases, neglect and abuse of children and the elderly, or threatened violent harm. If investigators are mandatory reporters under State law, in general, they continue to have a legal obligation to make these reports.105 In addition, other legal limitations to the privacy protection provided by certificates of confidentiality exist and may be relevant to particular research projects. Information on the NIH Web site describes some of these other legal limitations.106

Registry developers should also be aware that Federal law provides specific confidentiality protections for the identifiable information of patients in drug abuse and alcoholism treatment programs that receive Federal funding.107 These programs may disclose identifiable information about their patients for research activities only with the documented approval of the program director.108 The basis for the director’s approval is receipt of written assurances about the qualifications of the investigator to conduct the research and the confidentiality safeguards incorporated into the research protocol, and an assurance that there will be no further disclosure of identifying information by the investigator. Moreover, an independent review of the research project should determine and verify in writing that the protocol provides adequate protection of the rights and welfare of the patients and that the benefits of the research outweigh any risks to patients.109 Prior to submitting proposed consent documentation to an IRB, registry developers should consult legal counsel for important information about the limitations of these confidentiality protections.

As a condition of approval, IRBs frequently require investigators to obtain a certificate of confidentiality for research involving information about substance abuse or other illegal activities (e.g., underage purchase of tobacco products), sexual attitudes and practices, and genetic information. Registry developers should consult legal counsel to determine if and how the limitations of a certificate of confidentiality may affect privacy protection planning for registry data. In all circumstances, the consent process should communicate clear notice to research subjects about the extent of privacy protections they may expect for their health information when it is incorporated into a registry.

In the absence of a certificate of confidentiality, a valid subpoena or court order for registry data will usually compel disclosure of the data unless State law specifically protects the confidentiality of data. For example, Louisiana’s laws specifically protect the collection of information on tobacco use from subpoena.110 On the other hand, a subpoena or court order may supersede State law confidentiality protections. These legal instruments can be challenged in the court having jurisdiction for the underlying legal proceeding. In some circumstances, research institutions may be willing to pursue such a challenge. The remote yet definite possibility of this sort of disclosure should be clearly communicated to research subjects as a limitation on confidentiality protections, both during the consent process and in an authorization for use or disclosure of patient information.

State law may assure the confidentiality of certain quality I/A activities performed by health care providers as peer review activities.111 When State law protects the confidentiality of peer review activities, generally, it is implementing public policy that encourages internal activities and initiatives by health care providers to improve health care services by reducing the risks of medical errors and systematic failures. Protection by peer review statutes may limit the use of data generated by quality I/A activities for any other purposes.

Waivers and Alterations of Authorization and Consent

As mentioned above, the Privacy Rule authorizes Privacy Boards and IRBs to sometimes waive or alter authorizations by individual patients for the disclosure or use of health information for research purposes. (See Case Example 24.) In addition, the Common Rule authorizes IRBs to waive or alter the consent process. The Privacy Rule and the Common Rule each specify the criteria under which waivers or alterations of authorization and the consent process are permitted.112 There are different potential risks to patients participating in the registry resulting from these waivers of permission. A waiver of authorization potentially imposes the risk of a loss of confidentiality and consequent invasion of privacy. A waiver of consent potentially imposes risks of harm from the loss of self-determination, dignity, and privacy expected under the ethical principles of respect for persons and beneficence. Acknowledging these potential risks, regulatory criteria for waiver and alterations require an IRB or Privacy Board to determine that risks are minimal. This determination is a necessary condition for approval of an investigator’s request for a waiver or alteration of these permissions.

Box Icon

Case Example 24

Issues With Obtaining Informed Consent. The registry began in 2001 with Phase I, in which data were gathered from 21 hospitals in Canada. All patients admitted to the hospital or seen in the emergency department with symptoms of acute stroke within 14 (more...)

The following discussion refers only to waivers; registry developers should note that Privacy Boards and IRBs may approve alterations to authorizations or the consent process, provided a requested alteration satisfies all the same criteria required for a waiver by the Privacy Rule or Common Rule. Alterations are generally preferable to waivers in an ethical analysis based on the principle of respect for persons, because they acknowledge the importance of self-determination. In requesting alterations to an authorization or to the consent process, registry developers should be prepared to justify each proposed change or elimination of required elements (such as description of alternative procedures, courses of treatment, or benefits). Plausible justifications include a registry to which a specific element does not apply or a registry in which one element contradicts other required information in the authorization or consent documentation. The justifications for alterations should relate as specifically and directly as possible to the regulatory criteria for IRB or Privacy Board approval of waivers and alterations.

The Privacy Rule authorizes an IRB or Privacy Board to approve a waiver of authorization if the following criteria are met: (1) the use or disclosure involves no more than minimal risk to the privacy of individuals; (2) the research cannot be practicably conducted without the waiver; and (3) the research cannot be practicably conducted without access to, and use of, health information. The determination of minimal risk to privacy includes several elements: an adequate plan to protect identifiers from improper use or disclosure; an adequate plan to destroy identifiers, unless a health or research justification exists to retain them; and adequate written assurances that the health information will not be reused or disclosed to others, except as required by law, as necessary for oversight of the research, or as permitted by the Privacy Rule for other research.113 The Privacy Board or IRB should provide detailed documentation of its decision for presentation to the health care provider or insurance plan (covered entity) that is the source of the health information for registry data.114 The documentation should clearly communicate that each of the criteria for a waiver required by the Privacy Rule has been satisfied.115 The Privacy Board or IRB documentation should also provide a description of the health information it determined necessary to the conduct of the research and the procedure it used to approve the waiver.116 A health care provider or insurance plan may insist on legal review of this documentation before permitting the disclosure of any health information.

The criteria for a waiver of consent in the Common Rule are similar to those for a waiver of authorization under the Privacy Rule. An IRB should determine that: (1) the research involves no more than minimal risk to subjects; (2) the waiver will not adversely affect the rights and welfare of subjects; (3) the research cannot practicably be carried out without a waiver; and (4) whenever appropriate, subjects will be provided with additional information after participation.117 The criterion for additional information can be satisfied at least in part by public disclosure of the purposes, procedures, and operations of a registry, as discussed later in Registry Transparency.

Some IRBs produce guidance about what constitute “not practicable” justifications and the circumstances in which justifications remain applicable. For population-based research projects, registry developers may also present the scientific justification of avoiding selection bias. A waiver permits the registry to include the health information of all patients who are eligible. An IRB may also agree to consider requests for a limited waiver of consent that applies only to those individuals who decline use of their health information in a registry project. This limited waiver of consent most often permits the collection of de-identified and specified information sufficient to characterize this particular population.

An important difference between the Common Rule and FDA regulations for the protection of human subjects involves consent to research participation. The FDA regulations require consent, except for emergency treatment or research, and do not permit the waiver or alteration of informed consent.118 If registry data are intended to support the labeling of an FDA-regulated product, a registry developer should plan to obtain the documented, legally effective, voluntary, and informed consent of each individual whose health information is included in the registry.

The Privacy Rule creates a legal right for patients, by request, to receive an accounting of certain disclosures of their health information that are made by health care providers and insurance plans.119 The accounting must include disclosures that occur with a waiver of authorization approved by a Privacy Board or IRB. The Privacy Rule specifies the information that an accounting should contain120 and requires it to cover a 6-year period or any requested shorter period of time.121 If multiple disclosures are made to the same recipient for a single purpose, including a research purpose, a summary of these disclosures may be made. In addition, because most waivers of authorization cover records of many individuals, and thus an individualized accounting in such circumstances may be burdensome, the Privacy Rule provides that if the covered entity has disclosed the records of 50 or more individuals for a particular research purpose, the covered entity may provide to the requestor a more general accounting, which lists the research protocols for which the requestor’s information may have been disclosed, among other items.122

The Common Rule permits an IRB to waive documentation of the consent process under two different sets of regulatory criteria. The first set of conditions for approval of this limited waiver require that the only record linking an individual subject to the research is the consent document; the principal risk to subjects is the potential harm from a breach of confidentiality; and each subject individually determines whether his or her consent should be documented.123 Alternatively, an IRB can waive documentation of consent if the research involves no more than minimal risk of harm to subjects and entails no procedures for which written consent is normally obtained outside of a research context.124 For either set of regulatory criteria, the IRB may require the investigator to provide subjects with written information about the research activities in which they participate.125 The written information may be as simple as a statement of research purposes and activities, or it may be more elaborate, such as a Web site for regularly updated information describing the progress of the research project.

Patient Safety Organizations

The final rule (the “Rule”) implementing the Patient Safety and Quality Improvement Act of 2005 (PSQIA) became effective on January 19, 2009.126 The PSQIA was enacted in response to a 1999 report by the Institute of Medicine that identified medical errors as a leading cause of hospital deaths in the United States, with many such errors being preventable.127 The PSQIA allows health care providers to voluntarily report patient safety data, known as patient safety work product (PSWP), to independent patient safety organizations (PSOs). In general, patient safety work product falls into three general categories: (1) information collected or developed by a provider for reporting to a PSO and actually reported; (2) information developed by the PSO itself as part of patient safety activities; and (3) information that identifies or constitutes the deliberations or analysis of, or identifies the fact of reporting to, a patient safety evaluation system.128 The PSQIA broadly defines PSWP to include any data, reports, records, memoranda, analyses, and statements that can improve patient safety, health care quality, or health care outcomes, provided that all such data must be developed for the purpose of reporting it to a PSO. Certain categories of information are expressly excluded from being PSWP. These include “a patient’s medical record, billing and discharge information, or any other original patient or provider information...[and] information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system.”129

Once PSWP is collected by a PSO, it is aggregated and analyzed by the PSO to assist a provider in determining, among other things, certain quality benchmarks and underlying causes of patient risks. Under the PSQIA, PSWP is considered privileged and confidential. Once PSWP is transmitted from the provider to the PSO, it may not be disclosed unless certain requirements are met. Penalties may be imposed for any breaches.130

However, PSOs may disclose PSWP—that is, they may release, transfer, provide access to, or otherwise divulge PSWP to another person—as long as it is an authorized disclosure under the PQIA and Rule by meeting one or more exceptions. These exceptions include disclosures authorized by the identified health care providers and disclosures of nonidentifiable PSWP and disclosures to FDA, among others.131 With respect to disclosure of PSWP for purposes of research, the regulations provide a very narrow exception. The Rule allows for disclosure of identifiable PSWP to entities carrying out, “research, evaluations or demonstration projects that are funded, certified or otherwise sanctioned by rule or other means by the Secretary [of Health and Human Services].”132 Keep in mind that all such disclosures must comply with HIPAA as well as the PSQIA. Notably, the disclosure of PSWP for general research activities is not permitted under the PSQIA or the Rule.

An organization desiring to become a PSO must complete and submit a certification form to the Agency for Healthcare Research and Quality to become “listed” as a PSO.133 A registry may choose to become listed as a PSO; however, the registry should consider whether the obligations imposed on it in its capacities as a PSO would limit or otherwise restrict its attainment of its original objectives and whether it can fully meet the requirements of the PSQIA. In evaluating whether or not to be listed as a PSO, the registry developer should carefully review the registry’s organizational structure and data collection processes to help ensure that there is a clear distinction between the collection of registry-related data and PSWP. For example, certain registries may publish certain information and results related to the data collected in the registry. As described above, if that registry is a PSO, then it must ensure that any data published do not constitute unauthorized disclosure for purposes of the PSQIA. It is imperative that an applicable exception to the disclosure of PSWP exist. Instead of becoming a PSO itself, a registry may elect to form a separate division or legal organization that it controls. These types of PSOs are referred to as “Component PSOs.” This structure may help segregate registry data and PSWP, thus reducing the possibility of an impermissible disclosure of PSWP.

Recent Developments Affecting the Privacy Rule

The Institute of Medicine Report

On February 4, 2009, the Institute of Medicine (IOM) published a report that examined how research was being conducted within the framework of the Privacy Rule. Within the IOM Report were findings of the IOM Committee on Health Research and the Privacy of Health Information (the IOM Committee)—the group that had assessed whether the Privacy Rule had had an impact on the conduct of health research and that had proposed recommendations to ensure that important health research might be conducted while maintaining or strengthening privacy protections for research subjects’ health information.134 The IOM Report specifically acknowledged that the Privacy Rule was difficult to reconcile with other regulations governing the conduct of research, including the Common Rule and the FDA regulations, and it noted a number of inconsistencies among applicable regulations related to the de-identification of data and the use of informed consent for future research studies, among others.

Citing more uniform regulations in other countries, the IOM Report affirmed that “a new direction is needed, with a more uniform approach to patient protections, including privacy, in health research.”135 As its primary recommendation, the IOM Committee held that research should be entirely exempt from the Privacy Rule. In making such a recommendation, the IOM Committee encouraged Congress to allow HHS and other Federal agencies to develop separate guidance for the conduct of health research. Until such an overhaul could be accomplished, the IOM Committee called upon HHS to revise the Privacy Rule and associated guidance. While neither of the above recommendations have been enacted to date, registry operators should be aware that modifications to or elimination of the Privacy Rule as it relates to research activities may be a possibility in the near future.

The Genetic Information Nondiscrimination Act of 2008

The Genetic Information Nondiscrimination Act of 2008 (GINA) was signed into law on May 21, 2008. In general, GINA prohibits discrimination in health coverage (Title I) and employment (Title II) based on genetic information. GINA defines genetic information as information about an individual’s genetic tests, the genetic tests of an individual’s family members, and the manifestation of a disease or disorder in an individual’s family (e.g., family history). Title I of GINA took effect for most health plans on May 22, 2009, and Title II became effective for employers on November 21, 2009. GINA also specifies that the definition of genetic information includes the genetic information of a fetus carried by a pregnant woman and an embryo legally held by an individual or family member utilizing an assisted reproductive technology. Pursuant to GINA, health insurers and employers are prohibited from using genetic information of individuals or their family members in determining insurance eligibility and coverage, in underwriting and premium setting, or in making employment-related decisions.

In addition to its nondiscrimination requirements, GINA also amended the Privacy Rule to clarify that genetic information is included within the Privacy Rule definition of protected health information. As a result, health plans and employers that are covered entities are required to treat any genetic information they collect as protected health information.


The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Funds resulting from passage of the ARRA are supporting new registries developed to study comparative effectiveness. It should be noted that there are no regulatory or ethical exceptions for such comparative effectiveness registries. Title XIII of ARRA, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) significantly modifies the rights and obligations of health care providers as covered entities and those who perform certain services on behalf of covered entities (their so-called business associates) as defined in the HIPAA Privacy Rule.

Perhaps most significantly, the HITECH Act extends to business associates the scope of many key privacy and security obligations contained in the Privacy Rule. Specifically, business associates will be required to comply with obligations related to administrative, physical, and technical safeguards, plus documentation. While many business associate agreements previously contained general safeguarding requirements (e.g., requiring the business associate to maintain appropriate technical safeguards), these agreements often had not imposed specific security requirements (e.g., a requirement that the business associate implement procedures to terminate an electronic session after a predetermined time of inactivity). These expanded obligations will also subject business associates to civil and criminal penalties once reserved only for covered entities under the Privacy Rule. The obligations imposed on business associates took effect on February 17, 2010.

The HITECH Act also creates a new requirement for covered entities and business associates to report data security breaches. If unsecured protected health information is accessed, acquired, or disclosed as a result of a data security breach, a covered entity must notify each individual whose information was improperly accessed, acquired, or disclosed. Depending on the number of affected individuals, such notifications may be made via first-class mail, e-mail, posting on the entity’s Web site, or by notice to media outlets.

If any unsecured protected health information stored or maintained by a business associate is breached or compromised, the business associate must provide notification to the applicable covered entity without unreasonable delay, and in no case later than 60 days after the breach becomes known, or reasonably should have become known, to the business associate. Any notification by a business associate must include the identification of any individual(s) whose information was accessed, acquired, or disclosed during the breach. Under the Privacy Rule, business associate agreements would contain similar breach notification requirements; however, the HITECH Act imposes a statutory obligation on business associates. The data breach notification requirements became effective September 23, 2009.136

Summary of Regulatory Requirements

The use and disclosure of health information by health care providers and insurance plans for research purposes, including registries, are assumed by the authors of this chapter to be subject to regulation under the Privacy Rule and may be subject to the Common Rule.

In general, the Privacy Rule permits the use or disclosure of patient information for a registry, subject to specific conditions, in the following circumstances: (1) registries serving public health activities, including registries developed in connection with FDA-regulated products; (2) registries developed for the health care operations of health care providers and insurance plans (covered entities), such as quality I/A; (3) registries created by health oversight authorities for health system oversight activities authorized by law; (4) registries using de-identified health information; (5) registries using a “limited dataset” of patient information that lacks specified direct identifiers; (6) registries using information obtained with patient authorizations; or (7) registries using information obtained with a waiver of authorization.

The Common Rule will apply to the creation and use of registry data if (1) the organization where the registry resides is subject to Common Rule requirements and has an FWA that encompasses the registry project; and (2) the creation of the registry and subsequent research use of the registry data constitute human subject research as defined by the Common Rule and are not exempt from Common Rule requirements; and (3) registry activities include a research purpose, which may be in addition to the main purpose of the registry. Registry developers are strongly encouraged to consult the IRB, not only about the applicability of the Common Rule, but also about the selection of data elements, the content of the consent process or the regulatory criteria for waiver, and any anticipated future research involving identifiable registry data.

State laws regulate public health activities and may also apply in various ways to the research use of health information. NIH can issue certificates of confidentiality to particular research projects for the protection of identifiable personal information from most legally compelled disclosures. Federal law provides specific privacy protections to the health information of patients in substance abuse programs that receive Federal funding. The institutional policies of health care providers and insurance plans may also affect the use and disclosure of the health information of their patient and insured populations.

Legal requirements applying to use or disclosures of health information for research are evolving and can significantly influence the planning decisions of registry developers and investigators. It is prudent to obtain early and frequent consultation, as necessary, with institutional privacy officers, Privacy Board, or IRB staff and members, information system representatives of health care providers and insurance plans, plus technology transfer representatives and legal counsel.

Registry Transparency, Oversight, and Data Ownership

Registry Transparency

Efforts to make registry operations transparent (i.e., to make information about registry operations public and readily accessible to anyone who is interested) are desirable. Such efforts may be crucial to realizing the potential benefits of research using health information. Registry transparency can also educate about scientific processes. Transparency contributes to public and professional confidence in the scientific integrity and validity of registry processes, and therefore in the conclusions produced by registry activities. Public information about registry operations may also increase the scientific utility of registry data by promoting inquiries from scientists with interests to which registry data may apply.

Registry developers can achieve transparency by making the registry’s scientific objectives, governance, eligibility criteria, sampling and recruitment strategies, general operating protocol, and sources of data available to anyone who is interested. Proprietary interests by funding agencies, contractual conditions, and licensing terms for the use of patient or claims information may limit, to some extent, the information about the registry that is available to the public. It is important to stress that, while transparency and access to information are values to be encouraged, investments in patient registries that produce proprietary information are not intended to be discouraged or criticized. Neither the funding source nor the generation of proprietary information from a registry determines whether a registry achieves the good practices described in this handbook. Funding agencies, health care providers, and insurance plans, however, also have an important stake in maintaining public confidence in health information management. The extent of registry transparency should be prospectively negotiated with these entities.

Creating a Web site of information about registry objectives and operations is one method of achieving transparency; ideally, registry information should be available in various media. An IRB may require registry transparency as a condition of approval to satisfy one of the regulatory criteria for granting a waiver of consent. The regulatory requirement is to provide “additional pertinent information after participation.”137 Currently, an international transplant registry maintains a Web site that provides a useful model of registry transparency.138

Registry Oversight

Registry governance must reflect the nature and extent of registry operations. As described in Chapter 2, possible governing structures can vary widely, from one where the registry developer is the sole decisionmaker to a system of governance by committee(s) comprising representatives of all stakeholders in the registry, including investigators, the funding agency, patients, clinicians, biostatisticians, information technology specialists, and government agencies.

Registry developers should also consider appointing an independent advisory board to provide oversight of registry operations. An advisory board can assist registry operations in two important areas: (1) providing guidance for the technical aspects of the registry operations, and (2) establishing the scientific independence of the registry. The latter function can be valuable when dealing with controversies, especially those about patient safety and treatment, or about actions by a regulatory agency. Advisory board members collectively should have relevant technical expertise, but should also include appropriate representatives of other registry stakeholders, including patients. Advisory board oversight should be limited to making recommendations to the ultimate decisionmaker, whether an executive committee or the registry developer.

Registry developers may also appoint other types of oversight committees to resolve specific recurring problems, such as verifying diagnoses of patient conditions or adjudicating data inconsistencies.

Data Ownership

Health Information Ownership in General

Multiple entities are positioned to assert ownership claims to health information in various forms. Certain States have enacted laws that assign ownership to health records.139 The Privacy Rule was not intended to affect existing laws governing the ownership of health records.140 At the current time, such claims of ownership are plausible, but none is known to be legally tested or recognized, with the exception of copyright. The entities potentially claiming ownership include health care providers and insurance plans, funding agencies for registry projects, research institutions, and government agencies. Notably, health care providers are required by State law to maintain documentation of the services they provide. This documentation is the medical-legal record compiled on each patient who receives health care services from an individual or institutional provider. Individuals, including patients (in addition to a potential liberty interest in maintaining control of its use), registry developers, and investigators, may also assert ownership claims to health information. The basis for these claims is control of the tangible expression of and access to the health information.

There is no legal basis for assertions of ownership for facts or ideas; in fact, established public policy supports the free exchange of ideas and wide dissemination of facts as fundamental to innovation and social progress.141 However, as a tangible expression of health information moves from its creation to various derived forms under the control of successive entities, rights of ownership may be transferred (assigned), shared, or maintained, with use of the information licensed (i.e., a limited transfer of rights for use under specific terms and conditions). Currently, in each of these transactions, the rights of ownership are negotiated on a case-by-case basis and formalized in written private agreements. The funding agency for a registry may also assert claims to ownership as a matter of contract law in their sponsorship agreements with research organizations.

Many health care providers are currently installing systems for electronic health records at great expense. Many are also contemplating an assertion of ownership in their health records, which may include ownership of copyright. The claim to ownership by health care providers may be an overture to commercialization of their health care information in aggregate form.142 Public knowledge of and response to such assertions of ownership are uncertain at this time. A licensing program for the use of health information may permit health care providers to recoup some of their investment in electronic health records and the infrastructure, including full-time technicians, required to maintain them. In the near future, research use of health information for a registry may require licensing, in addition to the terms and conditions in data use agreements and, if necessary, in business associate agreements required by Privacy Rule regulations. Subsequent research use of the registry data will likely depend on the terms of the original license for use.

Among the changes ARRA has made in the regulation of health care information is a prohibition on its sale, subject to certain exceptions, including one for research use. This exception permits covered entities to recover reasonable payment for processing of health information for research use.143

For academic institutions, publication rights are an important component of intellectual property rights in data. Formal institutional policies may address publication rights resulting from faculty educational and research activities. Moreover, the social utility and benefit of any registry is evaluated on the basis of its publicly known findings and any conclusions based on them. The authors strongly encourage registry developers to maximize public communication of registry findings through the customary channels of scientific conferences and peer-reviewed journals. The goals of public communication for scientific findings and conclusions apply equally to registries operated outside of academic institutions (i.e., directly by industry or professional societies). For further discussion of developing data access and publication policies for registries, see Chapter 2.

The concept of ownership does not fit health information comfortably, because it largely fails to acknowledge individual patient privacy interests in health information. An inescapable personal nexus exists between individuals and information about their health. A recent failure that illustrates this relationship, with regard to patient interests in residual tissue from clinical procedures, resulted in widely publicized litigation.144 The legal concept of custody may be a useful alternative to that of ownership. Custodians have legal rights and responsibilities; for instance, those that a guardian has for a ward or parents have for their children. Custody also has a protective function, which supports public expectations of confidentiality for health information that preserves the privacy and dignity of individual patients. Custody and its associated legal rights and responsibilities are also transferable from one custodian to another. The concept of custody can support health care provider investments in information systems and the licensed use of health information for multiple, socially beneficial purposes without denying patient interests in their health information.

The sharing of registry data subsequent to their collection currently presents special ethical challenges and legal issues.145 The arrangements that will determine the essential conditions for shared use include applicable Federal or State law and regulatory requirements under which the health information was originally obtained. These legal and regulatory requirements, as well as processing and licensing fees, claims of property rights, and concerns about legal liability, are likely to result in formal written agreements for each use of registry data. Moreover, to educate patients and to establish the scientific independence of the registry, registry developers should make transparent the criteria under which uses of data occur.

In short, no widely accepted social or legal standards currently govern property rights in health information, with the possible exception of copyright, which is discussed below. At this time, agreements between health information sources and other users privately manage access and control. The Privacy Rule regulates the use and disclosure of health information by covered entities (certain health care providers and insurance plans), plus certain third parties working on behalf of covered entities, but does not affect current laws regarding property rights in health information when they exist.

Copyright Protection for Health Information Registries

In terms of copyright theory, a health information registry is likely to satisfy the statutory definition of a compilation146 and reflect independent creativity by its developer.147 Thus, copyright law may provide certain protections for a health information registry existing in any medium, including electronic digital media. The “facts” compiled in a health information registry, however, do not correlate closely to other compilations protected by copyright, such as telephone books or even genetic databases.148 Instead, registry data constitute legally protected, confidential information about individual patients to which independent and varied legal protections apply. Copyright protections may marginally enhance, but do not diminish, other legal restrictions on access to and use of health information and registry data. For more information on copyright law, see Appendix B.


Ethical considerations are involved in many of the essential aspects of planning and operating a registry. These considerations can affect the scientific, logistical, and regulatory components of registry development, as well as claims of property rights in health information. The guiding ethical principles for these considerations are respect for persons, beneficence, and justice.

At the most fundamental level, investigations that involve human subjects and that are not capable of achieving their scientific purpose are unethical. The risk-benefit ratio of such studies is unacceptable in an analysis based on the principle of beneficence, which obligates investigators to avoid harming subjects, as well as maximizing the benefits and minimizing the harms of research projects. Ethical scientific design must be robust, must be based on an important question, and must incorporate sufficient statistical power, precise eligibility criteria, appropriately selected data elements, and adequately documented operating procedures and methodologies.

In addition, an ethical obligation to minimize harms involves planning adequate protections for the confidentiality of the health information disclosed to a registry. Such planning should include devising physical, technical, and administrative safeguards for access to and use of registry data. Reducing the potential harms from the use of health information in a registry is particularly important, because generally no directly offsetting benefit from participation in a registry accrues to individuals whose health information is used in the registry. According to an analysis applying the principle of justice, research activities that produce a significant imbalance of potential risks and benefits to participating individuals are unethical.

Protection of the confidentiality of the health information used to populate a registry reflects the ethical principle of respect for persons. Health information intimately engages the privacy and dignity of patients. Registry developers should acknowledge public expectations of protection for patient privacy and dignity with clear and consistent communications to patients about protections against inappropriate access to and use of registry data.

The regulatory requirements of the Privacy Rule and Common Rule have deep connections to past ethical concerns about research involving human subjects, to general social anxiety about privacy associated with rapid advances in health information systems technology and communications, and to current biomedical developments in human genetics. Compliance with these regulatory requirements not only is a cost of doing business for a registry project, but also demonstrates recognition of the ethical considerations accompanying use of health information for scientific purposes. Compliance efforts by registry developers also acknowledge the important public relations and liability concerns of health care providers and insurance plans, public health agencies, health oversight agencies, and research organizations. Regulatory compliance contributes to, and generally supports, the credibility of scientific research activities and research organizations, as well as that of particular projects. Public confidence is crucial to the continuing support of the health care institutions to which society entrusts the sick, and to the academic institutions to which society entrusts its children and its hopes for the future.

Other Federal and State privacy laws may affect registry development, especially registries created for public health purposes. These laws express an explicit, legislatively determined balance of individual patient interests in health information against the potential social benefits from various uses of health information, including research uses. Consultation with legal counsel is strongly recommended to determine the possible effect of these laws on a particular registry project.

Ethical considerations also affect the operational aspects of registries, including governance, transparency, and data ownership. Registry governance, discussed in Chapter 2, should reflect both appropriate expertise and representation of stakeholders, including patients. Advisory committee recommendations can provide useful guidance in dealing with controversial issues. Transparency involves making information about registry governance and operations publicly available. Registry transparency improves both public and professional credibility for the scientific endeavors of a registry, the confidential use of health information for scientific purposes, and the results produced from analyses of registry data. In short, registry transparency promotes public trust.

Claims of “ownership” for health information and registries are plausible, but have not yet been legally tested. In addition, public response to such claims is uncertain. Ostensibly, such claims do not seem to acknowledge patient interests in health information. Nonetheless, in theory, copyright protections for compilations may be applied to the patient information held by health care providers and insurance plans, as well as to registries. In general, claims of property rights in health information are likely to be negotiated privately as additions to the regulatory terms and conditions in formal agreements between registry developers, funding agencies, and health care providers or insurance plans. As a practical matter, “ownership” implies operational control of registry data and publication rights.

In summary, careful attention to the ethical considerations related to the design and operation of a registry, as well as the applicable legal requirements, will contribute to the success of registry projects and ensure the realization of their social and scientific benefits.

Summary of Privacy Rule and Common Rule Requirements

Table 11 summarizes Privacy Rule and Common Rule requirements. The table generally assumes that the Privacy Rule applies to the data source— i.e., that the data source is a “covered entity.” The exception is Category 8, registry developers that use data not subject to the Privacy Rule.

Note that the information in the table is merely a simplified summary that is subject to change by other applicable law and may be amplified by institutional policies. In addition, each research project is unique, and this table does not address all of the nuances of the regulatory requirements. Reference to this table is not a substitute for consultation with appropriate institutional officials about the regulatory requirements that may apply to a particular registry project

References for Chapter 8

45 CFR 160.103: definition of health information; 45 CFR 46.102(f): definition of human subject.
45 CFR Part 46.
Part C of Title XI of the Social Security Act, 42 USC §§ 1320d to 1320d-8 (2000), and section 264 of the Health Insurance Portability and Accountability Act of 1996, 42 USC §1320d-2 note (2000); 45 CFR Parts 160 and 164.
National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. Apr 18, 1979. [Accessed June 30, 2010]. Available at http://www​​/humansubjects/guidance/belmont.htm.
Public Law 93-348 (1974), Title II.
Council for International Organizations of Medical Sciences. International Guidelines for Ethical Review of Epidemiological Studies (hereinafter CIOMS Guidelines). 1991. [Accessed June 24, 2010]. Available at http://www​​/guidelines​/1991_texts_of_guidelines.htm. and noted to be under revision. See especially sections entitled General Ethical Principles and Informed Consent.
Grant RW, Sugarman J. Ethics in human subjects research: do incentives matter? J Med Philos. 2004;29(6):717–38. [PubMed: 15590518]
CIOMS Guidelines, note 6, at paragraphs 11 and 12.
Department of Health and Human Services, Office of the Inspector General. Recruiting human subjects: sample guidelines for practice. OEI-01-97-00196. Jun, 2000. p. 5.
Department of Health and Human Services, Office of the Inspector General. Recruiting human subjects: sample guidelines for practice. OEI-01-97-00196. Jun, 2000. Appendix A.
Physician Payments Sunshine Act of 2007 (Introduced in Senate), S 2029 IS, 100th Congress, First Session.
Massachusetts regulation 105 CMR 970.000 implement M.G.L. c. 111N, Pharmaceutical and Medical Device Manufacturer Conduct, as enacted under Chapter 305 of the Acts of 2008, An Act To Promote Cost Containment, Transparency and Efficiency in the Delivery of Quality Health Care.
CIOMS Guidelines, note 6, at paragraphs 18–21.
CIOMS Guidelines, note 6, at paragraph 26.
CIOMS Guidelines, note 6, at paragraph 40.
See generally CIOMS Guidelines, note 6, at paragraph 43.
See, for example, Section III, Article 8, of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
See, for example, U.S. Department of Health and Human Services (HHS) regulations at 45 CFR Part 46; 21 CFR Parts 50 and 56 for research conducted in support of products regulated by the U.S. Food and Drug Administration (FDA).
Regulations identical to 45 CFR 46 Subpart A apply to research funded or conducted by a total of 17 Federal agencies, some of which may also require additional legal protections for human subjects.
The terms of the model Federalwide Assurance (FWA) are available from the Office for Human Research Protection in the U.S. Department of Health and Human Services. [Accessed June 24, 2010]. http://www​​/humansubjects/assurance/filasurt.htm.
Office for Human Research Protection. Guidance on Research Involving Coded Private Information or Biological Specimens. Aug 10, 2004. p. 3.
45 CFR Part 46, Subpart A.
See, for example International Society for Pharmacoepidemiology (ISPE). Guidelines for Good Pharmacoepidemiology Practices (GPP) Pharmacoepidemiol Drug Safety. 2004 2005 August;14:589–95. on the essential elements of a protocol.
Part C of Title XI of the Social Security Act, 42 USC §§ 1320d to 1320d-8 (2000), and section 264 of the Health Insurance Portability and Accountability Act of 1996, 42 USC § 1320d-2 note (2000); 45 CFR Parts 160 and 164.
45 CFR 160.102, Applicability, and 160.103, definitions of covered entity, health care provider, health plan, health care clearinghouse, and transaction.
45 CFR 160.203.
Maryland Health General Statute §. 4–303(b)(4).
45 CFR 160.103 defines both “disclosure” and “use” for the purposes of the Privacy Rule.
45 CFR 164.501.
67 Fed Reg 53231, August 14, 2002.
45 CFR 46.102(d).
U.S. Department of Health and Human Services (HHS), National Institutes of Health (NIH). Health services research and the HIPAA Privacy Rule. NIH Publication Number 05-5308, May 2005. See also HHS, NIH. Research repositories, databases, and the HIPAA Privacy Rule. NIH Publication Number 04-5489, January 2004.
45 CFR 164.512(b).
45 CFR 164.501.
Centers for Disease Control and Prevention. HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services. MMWR. 2003:52. (early release) [PubMed: 12741579]
45 CFR 164.512(a).
45 CFR 164.508(a).
45 CFR 164.514(e).
45 CFR 164.514(a)–(c).
45 CFR 164.528.
45 CFR 164.512(i)(1)(i).
21 CFR 65.111(a)(7).
Centers for Disease Control and Prevention. Guidelines for Defining Public Health Research and Public Health Non-Research, revised October 4, 1999. [Accessed 30 June 2010]. http://www​​/science/regs/hrpp/researchdefinition​.htm
Gostin LO. Public health law: power, duty, restraint. Berkeley and Los Angeles, CA: University of California Press; New York: The Milbank Memorial Fund; 2000. pp. 126–127. (hereinafter Public Health Law). See also CIOMS Guidelines, note 6, Introduction, noting that epidemiological practice and research may overlap.
Bellin E, Dubler NN. The quality improvement-research divide and the need for external oversight. Am J Public Health. 2001;91(9):1512–1517. (hereinafter Quality Improvement-Research Divide) [PMC free article: PMC1446813] [PubMed: 11527790]
Lindenauer PK, Benjamin EM, et al. The Role of the institutional review board in quality improvement: a survey of quality officers, institutional review board chairs, and journal editors. Am J Med. 2002;113(7):575–9. [PubMed: 12459404]
Lo B, Groman M. Oversight of quality improvement: focusing on benefits and risks. Arch Intern Med. 2003;163(12):1481–6. [PubMed: 12824099]
Office for Human Research Protections. [Accessed June 24, 2010]. http://www​
National Institutes of Health. Health services research and the HIPAA Privacy Rule. Publication Number 05-5308, p. 2–3. See also 45 CFR 164.501 for the definition of health care operations.
A copy of the HHS version of the “Common Rule,” 45 CFR Part 46, subpart A, and additional subparts B, C, and D regarding vulnerable populations may be obtained on the Web site of the Office for Human Research Protection (OHRP) in the U.S. Department of Health and Human Services. Available at: Accessed June 24, 2010.
A copy of the “Privacy Rule,” 45 CFR Parts 160 and 164, may be obtained on the Web site of the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services. [Accessed June 24, 2010]. http://www​​.html.
The Common Rule as adopted by HHS contains special protections for certain defined “vulnerable” populations, i.e., women, human fetuses, neonates, prisoners, and children. See 45 CFR Part 46, Subparts B, C, D.
American College of Epidemiology: Policy Statement on Sharing Data from Epidemiologic Studies. May, 2002. [Accessed June 24, 2010]. http://www​.acepidemiology​.org/policystmts/DataSharing.pdf.
45 CFR 46.102(d).
Centers for Disease Control and Prevention. National Program of Cancer Registries (NPCR). Description of SEER program. [Accessed June 24, 2010]. http://www​​.htmsectionIV.
45 CFR 164.512(b).
Gostin LO, Lillienfeld DE, Stolley PD Foundations of epidemiology (revised). Oxford University Press; 1994. p. 104.See also Gostin LO, Public Health Law, note 43, at 114, Table 5
45 CFR 164.512(d).
45 CFR 164.512(d)(1).
45 CFR 164.512(b)(1)(iii).
45 CFR 46.102(d) and 45 CFR 164.501, respectively.
45 CFR 46.102(d).
45 CFR 164.501.
National Institutes of Health, U.S. Department of Health and Human Services. Health services research and the HIPAA Privacy Rule. NIH Publication No. 04-5489. Jan, 2004. [Accessed June 24, 2010]. pp. 2–3. http:​//privacyruleandresearch​​.asp.
45 CFR 164.501.
Centers for Disease Control and Prevention. Guidelines for Defining Public Health Research and Public Health Non-Research. Oct 4, 1999. [Accessed June 30, 2006]. pp. 126–127. http://www​ Public Health Law, supra, note 43.See also CIOMS Guidelines, supra, note 6, Introduction, noting that epidemiological practice and research may overlap; and Quality Improvement-Research Divide, supra, note 44.
Quality Improvement-Research Divide, note 44, 1512–7Lindenauer PK, Benjamin EM, et al. The role of the institutional review board in quality improvement: a survey of quality officers, institutional review board chairs, and journal editors. Am J Med. 2002;113(7):575–9.Lo B, Groman M Oversight of quality improvement: focusing on benefits and risks. Arch Intern Med. 2003;163(12):1481–6.
See 45 CFR 160.103 for the definition of individually identifiable health information and 45 CFR 164.514(a)–(c) and (e) on the de-identification of health information and limited datasets, respectively.
45 CFR 46.102(f).
45 CFR 46.111(a)(7).
45 CFR 46.116(a)(5).
See 45 CFR 164.514(a)–(c) and (e) on the deidentification of health information and limited datasets, respectively.
45 CFR 164.514(e)(2).
45 CFR 164.514(b).
45 CFR 164.514(b)(1).
45 CFR 164.514(c).
45 CFR 164.514(c).
45 CFR 46.102(f).
45 CFR 164.514(e)(2).
45 CFR 164.514(e)(4).
45 CFR 164.514(e)(4)(ii)(A).
67 Fed Reg 53181, 53236, August 14, 2002.
45 CFR 164.504(e).
45 CFR 164.504(e).
45 CFR 164.514(e)(2).
45 CFR 164.514(e)(4)(ii)(C)(5).
45 CFR 46.101(b)(4).
45 CFR 164.508.
45 CFR 164.508(c).
45 CFR 164.502(a)(1).
45 CFR 164.501.
45 CFR 46.102(f).
45 CFR 46.116.
45 CFR 164.508(b)(3).
45 CFR 46.116.
45 CFR 164.512(i)(1)(i)(B).
45 CFR 164.508(c)(1)(iv).
45 CFR 46.116.
67 Fed Reg 53181, 53226, August 14, 2002.
Department of Health and Human Services. Institutional review boards and the HIPAA Privacy Rule. NIH Publication Number 03-5428. Aug, 2003. [Accessed June 24, 2010]. pp. 15–16. http:​//privacyruleandresearch​
45 CFR 164.508(c)(2)(iii).
Family Educational Rights and Privacy Act (FERPA), 20 USC 1232g, 34 CFR Part 99.
From the NIH Web site.
Public Health Services Act Section 301(d), 42 USC 241(d) as amended. See also 42 CFR Part 2a about research activities on mental health, including the use and effect of alcohol and other psychoactive drugs.
Office for Human Research Protection in the Department of Health and Human Services. Guidance on Certificates of Confidentiality. Background. Feb 25, 2003. [Accessed June 24, 2010]. http://www​​/humansubjects/guidance/certconf.htm.
National Institutes of Health. Notice NOTOD-02-037. Mar 15, 2002. [Accessed June 24, 2010]. http://grants1​​/grants/guide/notice-files​/NOT-OD-02-037.html.
Information about obtaining a certificate of confidentiality is available at the “CoC Kiosk” on the NIH Web site. [Accessed June 24, 2010]. Available at http://grants​​/grants/policy/coc/index.htm.
National Institutes of Health, Office of Extramural Research. Certificates of Confidentiality: Background Information, Web posting. Feb 14, 2006. [Accessed June 24, 2010]. http://grants​​/grants/policy/coc/background.htm.
Information about certificates of confidentiality is available at the “CoC Kiosk” on the NIH Web site. [Accessed June 24, 2010]. Available at http://grants​​/grants/policy/coc/index.htm.
42 USCS 290dd-2 and 290ee-3; 42 CFR Part 2.
42 CFR 2.52(a).
42 CFR 2.52(a).
Louisiana statute re protection of tobacco data from subpoena.
See, for example, Wis. Stat. 146.38.
See 45 CFR 164.512(i) and 46.116(d), respectively.
45 CFR 164.512(i)(2)(ii).
45 CFR 164.512(i)(1)(i).
45 CFR 164.512(i)(2).
45 CFR 164.512(i)(2)(iii) and (iv).
45 CFR 46.116(d).
21 CFR 50.20 and 50.23.
45 CFR 164.528(a)(1).
45 CFR 164.528(b).
45 CFR 164.528(a)(1).
45 CFR 164.528(b)(3) and (4).
45 CFR 46.117(c)(1).
45 CFR 46.117(c)(2).
45 CFR 46.117(c).
42 CFR 3.
Kohn LT, Corrigan JM, Donaldson MS.Committee on Quality of Health Care in America, Institute of Medicine. To Err Is Human: Building a Safer Health System. Nov 1, 1999.
See 73 Fed. Reg. 70,739.
42 C.F.R. § 3.20.
42 CFR 3.204.
42 CFR 3.206.
73 FR 70781 (November 21, 2008).
42 CFR 3.102.
Committee on Health Research and the Privacy of Health Information. Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. National Academies Press; The HIPAA Privacy Rule; Institute of Medicine. http://www​
Beyond the HIPAA Privacy Rule, page 26.
74 F.R. 42740 (August 24, 2009).
45 CFR 46.116(d)(4).
The Center for International Blood and Marrow Transplant Research. [Accessed June 30, 2010]. http://www​
67 F.R. 53213, August 14, 2002.
67 F.R. 53213, August 14, 2002.
Joyce C, Patry W, Leaffer M, et al. Copyright law. 3rd Edition. New York and San Francisco: Matthew Bender & Co., Inc; 1994. pp. 1–41. reprinted 1997. “The Landscape of Copyright,”.
American Medical Association House of Delegates, Connecticut Delegation: Guiding Principles, Collection and Warehousing of Electronic Medical Record Information. Resolution #802. Sept 16, 2005. [Accessed June 24, 2010]. http://www​​/meetings/public/interim05/802i05.pdf
Bailey S. Your data for sale? Boston Globe. Mar 24, 2006. [Accessed June 24, 2010]. http://www​​/business/healthcare​/articles/2006/03/24​/your_data_for_sale/
American Recovery and Reimbursement Act section 13405(d)(2)(B).
Washington University v. Catalona, Case No. 4:03CV1065SNL (E.D. Mo., filed Mar. 31, 2006). Washington University v. William J. Catalona, M.D., No. 06-2286 and No. 06-2301 (8th Cir. June 20, 2007).
American College of Epidemiology. Policy Statement on Sharing Data from Epidemiologic Studies. May, 2002. [Accessed June 30, 2010]. Available at http://www​.acepidemiology​.org/policystmts/DataSharing.pdf.
National Institutes of Health, U.S. Department of Health and Human Services. Final NIH Statement on Sharing Research Data, Notice NOT-OD-03-032. Feb 26, 2003. [Accessed June 24, 2010]. Available at http://grants​​/grants/guide/notice-files​/not-od-03-032.html.
17 USC § 101.
Feist Publications, Inc. v. Rural Telephone Service, Co., Inc., 499 U.S. 340, 345, 348 (1991).
Id., 340 et seqHarris RK, Rosenfield SS Copyright Protection for Genetic Databases, 2005. Jurimetrics J. 45:225–250.(hereinafter Genetic Databases).


  • PubReader
  • Print View
  • Cite this Page
  • PDF version of this title (2.2M)

Recent Activity

Your browsing activity is empty.

Activity recording is turned off.

Turn recording back on

See more...