Written by: Compliance blogger
The HIPAA Privacy Rule establishes the conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. The Privacy Rule also defines how individuals are to be informed of uses and disclosures of their medical information for research, and their rights to access information about them held by covered entities.
The Common Rule is the federal policy governing research on human subjects (the Federal Policy for the Protection of Human Subjects). It was substantially revised in a final rule published in January 2017, and the compliance date for the revised rule was then delayed twice, most recently by a final rule published on June 19, 2018. The general compliance date for the revised Common Rule is January 21, 2019.
The chart below outlines the primary differences between the two regulations, including the Department of Defense (DoD) implementation of each:

| | The Common Rule | HIPAA Privacy Rule |
|---|---|---|
| Regulation | Protection of Human Subjects (45 CFR 46) | HIPAA Privacy Rule (45 CFR 160 and 164) |
| Purpose | Protect individuals who are the subjects of research projects. Consideration is given to how aspects of the project, including privacy, confidentiality, data collection, data maintenance and data retention, could cause physical, emotional, financial, and informational harm | Protect individuals against informational harm while allowing the necessary flow of health information, with specific rules on the privacy and security of protected health information (PHI) |
| Permission from the participant | Informed consent from each research participant (oral and/or written) | HIPAA authorization from each research participant (must be written and signed) |
| Federal oversight | Office for Human Research Protections (OHRP), U.S. Department of Health and Human Services (HHS); for DoD, the Assistant Secretary of Defense for Research and Engineering | Office for Civil Rights (OCR), HHS |
| Review body | Institutional Review Boards (IRBs) | IRBs or HIPAA Privacy Boards |
| Exemptions | Human Research Protection Officials (HRPOs) and/or IRBs can exempt certain research projects from IRB review in accordance with 32 CFR 219.101(b) | None. All research projects seeking PHI from a HIPAA covered entity, including the Defense Health Agency (DHA), must comply with the HIPAA Privacy Rule |
| DoD implementing regulation | Protection of Human Subjects (32 CFR 219); Protection of Human Subjects and Adherence to Ethical Standards in DoD-Supported Research | DoD Health Information Privacy Regulation (DoD 6025.18-R) |
Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research. Research is defined in the Privacy Rule as, “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” See 45 CFR 164.501.
In the course of conducting research, your organization's researchers may obtain, create, use, and/or disclose individually identifiable health information (IIHI). Under the Privacy Rule, covered entities are permitted to use and disclose protected health information (PHI) for research with the individual's authorization, or without authorization only under the limited circumstances set forth in the Privacy Rule.
To use or disclose protected health information without authorization from the research participant, a covered entity must obtain one of the following:
- Documented Institutional Review Board (IRB) or Privacy Board approval
A covered entity may use or disclose protected health information for research purposes pursuant to a waiver of authorization by an IRB or Privacy Board, provided it has obtained documentation of all of the following (see 45 CFR 164.512(i)(1)(i)):
  - Identification of the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;
  - A statement that the IRB or Privacy Board has determined that the alteration or waiver of authorization, in whole or in part, satisfies the three waiver criteria in the Rule (45 CFR 164.512(i)(2)(ii));
  - A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Board;
  - A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures; and
  - The signature of the chair, or of another member designated by the chair, of the IRB or the Privacy Board, as applicable.
- Preparatory to Research
Representations from the researcher, either in writing or orally, that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that the protected health information for which access is sought is necessary for the research purpose. See 45 CFR 164.512(i)(1)(ii).
- Research on Protected Health Information of Decedents
Representations from the researcher, either in writing or orally, that the use or disclosure being sought is solely for research on the protected health information of decedents, that the protected health information being sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought. See 45 CFR 164.512(i)(1)(iii).
- Limited Data Sets with a Data Use Agreement
A data use agreement entered into by both the covered entity and the researcher, pursuant to which the covered entity may disclose a limited data set to the researcher for research, public health, or health care operations. See 45 CFR 164.514(e). A limited data set excludes specified direct identifiers of the individual or of relatives, employers, or household members of the individual.
- Research Use/Disclosure with Individual Authorization
The Privacy Rule also permits covered entities to use or disclose protected health information for research purposes when a research participant authorizes the use or disclosure of information about themselves. Today, for example, a research participant's authorization is typically sought for most clinical trials and for some records research. In that case, documentation of IRB or Privacy Board approval of a waiver of authorization is not required. To use or disclose protected health information with the research participant's authorization, the covered entity must obtain an authorization that satisfies the requirements of 45 CFR 164.508. The Privacy Rule has a general set of authorization requirements that apply to all uses and disclosures, including those for research purposes; several special provisions, however, apply specifically to research authorizations.
- Accounting for Research Disclosures
In general, the Privacy Rule gives individuals the right to receive an accounting of certain disclosures of protected health information made by a covered entity. See 45 CFR 164.528. This accounting must include disclosures of protected health information that occurred during the six years prior to the individual's request for an accounting (or since the applicable compliance date, if that is later), and must include specified information about each disclosure. A more general accounting is permitted for subsequent multiple disclosures to the same person or entity for a single purpose. See 45 CFR 164.528(b)(3).
In addition, for disclosures of protected health information for research purposes made without the individual's authorization pursuant to 45 CFR 164.512(i) and involving at least 50 records, the Privacy Rule allows covered entities to provide a simplified accounting. Under this provision, covered entities may provide individuals with a list of all protocols for which the individual's protected health information may have been disclosed under 45 CFR 164.512(i), together with the researcher's name and contact information. The other requirements for this simplified accounting are found in 45 CFR 164.528(b)(4).
Under the Privacy Rule's transition provisions (45 CFR 164.532), a covered entity may use and disclose protected health information that was created or received for research, either before or after the applicable compliance date, if the covered entity obtained any one of the following before the compliance date:
- An authorization or other express legal permission from an individual to use or disclose protected health information for the research;
- The informed consent of the individual to participate in the research;
- A waiver of authorization approved by either an IRB or a Privacy Board (in accordance with 45 CFR 164.512(i)(1)(i)); or
- A waiver of informed consent by an IRB in accordance with the Common Rule, or an exception under FDA's human subject protection regulations at 21 CFR 50.24. However, if a waiver of informed consent was obtained before the compliance date but informed consent is subsequently sought after the compliance date, the covered entity must obtain the individual's authorization as required by 45 CFR 164.508. For example, if there was a temporary waiver of informed consent for emergency research under FDA's human subject protection regulations, and informed consent was later sought after the compliance date, individual authorization would be required before the covered entity could use or disclose protected health information for the research once the waiver of informed consent was no longer valid. The Privacy Rule allows covered entities to rely on such express legal permission, informed consent, or waiver of authorization or informed consent, obtained before the applicable compliance date, to use and disclose protected health information for the specific research studies covered, as well as for future unspecified research that may be included in such permission.
Learn More about the Federal Policy for the Protection of Human Subjects ('Common Rule')
The Federal Policy for the Protection of Human Subjects, or the "Common Rule," was first published in 1991 (HHS publishes historical information on the rule). The main elements of the Common Rule include:
- Requirements for assuring compliance by research institutions
- Requirements for researchers' obtaining and documenting informed consent
- Requirements for Institutional Review Board (IRB) membership, function, operations, review of research, and record keeping.
The general compliance date for the revised Common Rule is January 21, 2019. Before that date, institutions may elect to apply three burden-reducing provisions of the revised rule to studies that would otherwise remain under the pre-2018 requirements. The three provisions are:
- The revised definition of “research,” which deems certain activities not to be research;
- The allowance for no annual continuing review of certain categories of research; and
- The elimination of the requirement that institutional review boards review grant applications or other funding proposals related to the research.
If an institution chooses to apply these three burden-reducing provisions to a particular study during the delay period, that study becomes subject to the full 2018 Requirements beginning on January 21, 2019.
Further reading:
- The Federal Register publication of the final revised Common Rule
- The Revised Common Rule Q&A webpage provided by HHS
- The October 2018 FDA guidance on the impact of the revised Common Rule on FDA-regulated clinical investigations