Analysis of NPRM

On March 21, 2002, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking ("NPRM") proposing to modify and clarify certain provisions of the Health Insurance Portability and Accountability Act ("HIPAA") privacy regulation which, in its current form, will inhibit BIO members' ability to conduct important research activities. The proposed modifications and clarifications reflect a positive response by HHS to many of the concerns raised by BIO, both in written comments to HHS and in Congressional testimony, that the regulation imposes unnecessary and confusing new requirements on research which needlessly confuse and complicate the existing research approval process.

This memo summarizes these and other significant provisions of the NPRM with particular relevance to BIO members. Among the major improvements sought by BIO that are included in the NPRM are:

• added protection for post-marketing surveillance and registry activities;
• simplification of the research authorization requirements; and
• more realistic criteria for waiver of authorization by an institutional review board ("IRB") or privacy board, including elimination of the subjective review criteria.

HHS did not directly act on BIO's concern that the existing safe harbor for using de-identified information does not permit useful information to be made available for research without obtaining an IRB or privacy board waiver. However, HHS has specifically requested public comment on the creation of an alternative de-identification safe harbor standard for research uses and disclosures. BIO has advocated such an approach in comments and in visits with Administration officials, and depending on public input, HHS could make such a change when it finalizes the rule.

Post-Marketing Surveillance Activities Protected

In keeping with the renewed interest in public health surveillance, HHS proposes to modify the regulation's public health provisions to make clear that covered entities may disclose protected health information (PHI) to manufacturers for inclusion in patient registries and for other important post-marketing surveillance purposes. The regulation currently permits the disclosure of PHI for post-marketing surveillance conducted by a FDA-regulated entity only "to comply with the requirements or at the direction of" that agency. BIO's comments, and those of many others, pointed out that many critical public health-related activities are conducted voluntarily by manufacturers in accord with FDA registry guidelines, as FDA's statutory authority to "require or direct" such activities is not unlimited. HHS proposes to modify the existing language to permit disclosures of PHI to "[a] person subject to [FDA jurisdiction] with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity." The revised regulation would expressly cite post-marketing surveillance as one example of a FDA-related public health activity.

Research Authorization Requirements Simplified

The NPRM proposes to simplify many of the regulation's authorization provisions. First, it eliminates the privacy regulation's confusing attempt to distinguish authorizations for research that involves treatment (e.g., clinical trials) from research that does not (e.g., studies of product safety and retrospective chart reviews) and, where research involves treatment, to distinguish PHI used for research purposes from PHI to be used for treatment purposes. Instead of the three different sets of authorization criteria, HHS now proposes a uniform set of requirements applicable to all authorizations, including those for research purposes. Thus, regardless of the nature of the research, all research authorizations must include:

1. a description of the information to be used or disclosed;
2. identification of the persons or class of persons authorized to make the use or disclosure;
3. identification of the persons or class of persons to whom the covered entity may disclose the PHI;
4. a description of each purpose of the use or disclosure;
5. an explanation of the individual's right to revoke the authorization;
6. a statement that the covered entity may condition the provision of research-related treatment on obtaining a signed authorization;
7. a statement that the regulation might not prohibit the recipient from further disclosing the PHI;
8. an expiration date or event;
9. the individual's signature and date; and
10. if signed by a personal representative, a description of his or her authority to act for the individual.

In addition to adopting a uniform set of authorization requirements, HHS would permit research authorizations to be combined with any other written permission relating to the same study (e.g., the informed consent document). The NPRM also would standardize and broaden the regulation's transition provisions to allow the continued use and disclosure of PHI obtained before or after the compliance date for a specific study-whether or not the study involves treatment-if, prior to the compliance date, the covered entity has obtained expressed legal permission to use or disclose the participant's information for the study or an IRB has waived informed consent in accordance with the Common Rule or the Food and Drug Administration's ("FDA's") human subject protection regulations.