Analysis of NPRM

On March 21, 2002, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking ("NPRM") proposing to modify and clarify certain provisions of the Health Insurance Portability and Accountability Act ("HIPAA") privacy regulation which, in its current form, will inhibit BIO members' ability to conduct important research activities. The proposed modifications and clarifications reflect a positive response by HHS to many of the concerns raised by BIO, both in written comments to HHS and in Congressional testimony, that the regulation imposes unnecessary and confusing new requirements on research which needlessly confuse and complicate the existing research approval process.

This memo summarizes these and other significant provisions of the NPRM with particular relevance to BIO members. Among the major improvements sought by BIO that are included in the NPRM are:

  • added protection for post-marketing surveillance and registry activities;
  • simplification of the research authorization requirements; and
  • more realistic criteria for waiver of authorization by an institutional review board ("IRB") or privacy board, including elimination of the subjective review criteria.

HHS did not directly act on BIO's concern that the existing safe harbor for using de-identified information does not permit useful information to be made available for research without obtaining an IRB or privacy board waiver. However, HHS has specifically requested public comment on the creation of an alternative de-identification safe harbor standard for research uses and disclosures. BIO has advocated such an approach in comments and in visits with Administration officials, and depending on public input, HHS could make such a change when it finalizes the rule.

Post-Marketing Surveillance Activities Protected

In keeping with the renewed interest in public health surveillance, HHS proposes to modify the regulation's public health provisions to make clear that covered entities may disclose protected health information (PHI) to manufacturers for inclusion in patient registries and for other important post-marketing surveillance purposes. The regulation currently permits the disclosure of PHI for post-marketing surveillance conducted by a FDA-regulated entity only "to comply with the requirements or at the direction of" that agency. BIO's comments, and those of many others, pointed out that many critical public health-related activities are conducted voluntarily by manufacturers in accord with FDA registry guidelines, as FDA's statutory authority to "require or direct" such activities is not unlimited. HHS proposes to modify the existing language to permit disclosures of PHI to "[a] person subject to [FDA jurisdiction] with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity." The revised regulation would expressly cite post-marketing surveillance as one example of a FDA-related public health activity.

Research Authorization Requirements Simplified

The NPRM proposes to simplify many of the regulation's authorization provisions. First, it eliminates the privacy regulation's confusing attempt to distinguish authorizations for research that involves treatment (e.g., clinical trials) from research that does not (e.g., studies of product safety and retrospective chart reviews) and, where research involves treatment, to distinguish PHI used for research purposes from PHI to be used for treatment purposes. Instead of the three different sets of authorization criteria, HHS now proposes a uniform set of requirements applicable to all authorizations, including those for research purposes. Thus, regardless of the nature of the research, all research authorizations must include:

  1. a description of the information to be used or disclosed;
  2. identification of the persons or class of persons authorized to make the use or disclosure;
  3. identification of the persons or class of persons to whom the covered entity may disclose the PHI;
  4. a description of each purpose of the use or disclosure;
  5. an explanation of the individual's right to revoke the authorization;
  6. a statement that the covered entity may condition the provision of research-related treatment on obtaining a signed authorization;
  7. a statement that the regulation might not prohibit the recipient from further disclosing the PHI;
  8. an expiration date or event;
  9. the individual's signature and date; and
  10. if signed by a personal representative, a description of his or her authority to act for the individual.

In addition to adopting a uniform set of authorization requirements, HHS would permit research authorizations to be combined with any other written permission relating to the same study (e.g., the informed consent document). The NPRM also would standardize and broaden the regulation's transition provisions to allow the continued use and disclosure of PHI obtained before or after the compliance date for a specific study-whether or not the study involves treatment-if, prior to the compliance date, the covered entity has obtained expressed legal permission to use or disclose the participant's information for the study or an IRB has waived informed consent in accordance with the Common Rule or the Food and Drug Administration's ("FDA's") human subject protection regulations.

Finally, HHS has recognized that requiring covered entities to track disclosures authorized by an individual and, upon request, provide the individual with a history of such disclosures over the previous six years, imposes an unnecessary and costly administrative burden on academic medical centers and other research partners. Thus, HHS proposes to eliminate the six-year accounting requirement for PHI disclosed pursuant to an individual authorization. This change responds directly to BIO's assertion that the regulation's administrative requirements would have the unintended consequence of making academic medical centers and others reluctant to host sponsored research or incur greater cost in doing so. (However, the tracking requirement has not been eliminated where data are disclosed under a waiver or authorization, or where data are included in reports for public health purposes, including post-marketing surveillance of product safety and efficacy.)

Criteria for Waiver of Authorization for Research Streamlined

BIO's comments emphasized that the regulation's criteria for waiver of research authorization are both confusing and inconsistent with the Common Rule's waiver criteria. The NPRM deletes or modifies several criteria that are duplicative or are impracticable to apply to patient privacy. For example, HHS proposes to eliminate the requirements that an IRB or privacy board determine that the privacy risks to the study participants are reasonable in relation to the anticipated benefits, if any, to the individual and the importance of the knowledge that may reasonably be expected from the research. This provision in the regulation was a major - and particularly objectionable - expansion of the Common Rule.

Should these changes go into effect, the privacy regulation would, as amended by the NPRM, require a finding by the IRB or privacy board that the following criteria have been satisfied to waive or alter the authorization requirements:

  1. the use or disclosure of PHI involves no more than minimal risk to the privacy of individuals based on at least the presence of-
    1. an adequate plan to protect identifiers from improper use and disclosure,
    2. an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research (unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law), and
    3. adequate written assurances that the PHI will not be reused or disclosed to any other person or entity (except as required by law, for oversight of the study, or for other research for which the use or disclosure of PHI would be permitted by the regulation);
  2. the research could not practicably be conducted without the waiver; and
  3. the research could not practicably be conducted without access to and use of the PHI.

In addition, the NPRM clarifies that IRBs and privacy boards may grant waivers of authorization for the specific purpose of disclosing PHI to researchers and sponsors as necessary to contact and recruit potential study participants.

Comments Sought on Safe Harbor For Research Use of Facially De-identified Information

BIO has consistently argued that the regulation's de-identification safe harbor is so stringent as to be useless for many research purposes. The preamble to the NPRM acknowledges this concern. The NPRM slightly modifies the clarifies that age may be expressed in months, days, or hours, and that a re-identification code does not constitute a proscribed identifier the presence of which removes a data set from the safe harbor.

HHS has specifically requested public comment on a proposal (not incorporated in the regulatory text of the NPRM) to create an alternative de-identification standard that would permit uses and disclosures of a "limited data set" of facially de-identified information for research, public health, and health care operations purposes. Under the proposal, which echoes BIO's recommendation that HHS permit the retention of dates and five-digit zip codes for research uses and disclosures, the limited data set could include admission, discharge, and service dates; dates of death; ages (including age 90 or older); and five-digit zip codes. The "de-identified" data could not, however, include names, street addresses, telephone or fax numbers, e-mail addresses, Social Security numbers, certificate/license numbers, vehicle identifiers or serial numbers, URLs or IP addresses, or full face photos or comparable images. Researchers and sponsors who receive limited data sets would be required to enter into data use or similar agreements in which the recipient agrees to limit the use of the data to research purposes, to limit who may use or receive the data, and not to re-identify or contact the individuals to whom the information refers.

HHS specifically requests comments on the feasibility of this alternative de-identification standard and, in particular, on the need to permit the inclusion of other geographic units (e.g., city, county, precinct, neighborhood) and dates of birth as well. It is critical that the regulation's definition of de-identified is changed to be consistent with good research practice. BIO members should take advantage of this opportunity to submit comments in support of HHS's proposal and also to advocate for the inclusion of dates of birth and geographic units other than addresses.