- Purchase/rental options available:
Kennedy Institute of Ethics Journal 12.3 (2002) 299-303
[Access article in PDF]
Bioethics Inside the Beltway
What Should IRBs Consider When Applying the Privacy Rule to Research?
Julie Waltz Gerlach
In 1996, Congress mandated the establishment of standards for the privacy of individually identifiable health information through the Health Insurance and Portability and Accountability Act of 1996 (HIPAA). Until the establishment of HIPAA, personal health information could be distributed without notice or consent for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. Patient information held by a health plan could be passed on to a lender who then might deny the patient's application for a home mortgage or a credit card or to an employer who might use it for personnel decisions. Congress failed to meet its 21 August 1996 deadline established by HIPAA to pass privacy legislation; the Act passed the responsibility to Department of Health and Human Services (DHHS). On 28 December 2000, the Secretary of Health and Human Services released final privacy regulations relating to the protection of patients' individually identifiable health information. The "Standards for Privacy of Individually Identifiable Health Information" (Privacy Rule/current) took effect 14 April 2001. As required by HIPAA, the Privacy Rule established conditions for the collection, use, and disclosure of protected health information by covered entities for research purposes. Covered entities, defined as health plans, health care clearinghouses, and health care providers that engage electronically in a wide range of financial and administrative transactions related to payment and reimbursement, must comply by 14 April 2003 (DHHS 2000, p. 82462). To ensure that the provisions of the final rule provide strong privacy protection without hindering access to health care, the Department of Health and Human Services (DHHS 2002, p. 14776) has proposed modifications to the Privacy Rule.
The final Privacy Rule (DHHS 2001) grants substantial rights to individuals/research participants to be informed of how their protected health information is maintained and how that information may be used or disclosed. It also defines individual's/research participants' rights with regard to gaining access to information about themselves, when such information is held by covered entities. [End Page 299]
The Privacy Rule requires researchers either to receive authorization from individuals/research participants to collect, use, and disclose protected health information, or to obtain a waiver of authorization that is approved by an institutional review board (IRB) or Privacy Board, or to use de-identified data. Section 164.508 of the Privacy Rule, entitled "Use and Disclosures for Which an Authorization Is Required," describes how IRBs will be directly affected. The rule focuses not just on research but on the overall privacy of all identifiable health information. Institutions have the option of adding these required duties to IRBs or establishing "privacy boards." Privacy boards, as defined by the Privacy Rule, are to be composed of members with varying backgrounds and professional competency to review the effect of the research protocol on the individual/research participant's privacy rights. The board must include at least one member who is not affiliated with the covered entity, or any entity conducting or sponsoring the research, and not related to any person who is affiliated with such entities. Board members cannot participate in the review of any research project in which the member has a conflict of interest.
The basic concepts and tenets of privacy and confidentiality are well known to IRBs in the United States, which operate under the Common Rule (45 CFR 46) and/or the Food and Drug Administration's (FDA) human subject protection regulations. Both sets of regulations require IRBs to ensure that risks (including privacy risks) are minimized. Under these regulations, IRBs must consider the confidentiality of research data and whether researchers should have access to confidential medical information. IRBs also must review the consent form as a process of communication that will inform research subjects about the research study.
One noteworthy aspect of the Privacy Rule is its application to all research regardless of funding source. Currently, research funded by...