HIPAA and the Common Rule
Christina Solis, JD
Elisa Fallows, MS
UTHSC-H: Legal Affairs and Institutional Compliance
Impact of the Privacy Rule
- Does not reduce the effect of the Common Rule or FDA regulations.
- Mandates more protections to ensure privacy of subjects and confidentiality of data.
- Requires action whenever any PHI is used for research.
Definition of "Research"
- A systematic investigation .designed to develop or contribute to generalizable knowledge.
Definition of "Human Subject"
- A living individual about whom an investigator . conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.
Definition of "Human Subject"
Operational Change due to Privacy Rule
- A
living individual about whom an investigator . conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information
Regarding Research, the Privacy Rule Applies to:
- Ascertainment of Potential Subjects
- Recruitment of Subjects
- Consent/Authorization Process
- Study Amendments
- Data Management
- Decedent Research
- Reuse of data for another study
Research Provisions
- Covered entities may use and disclose PHI for research:
-With individual authorization, or
-Without individual authorization under limited circumstances
Relationship to other Research Rules
- The Privacy Rule does not override the Common Rule or FDA's human subject protection regulations.
Ascertainment/Recruitment of Potential Subjects
-
Via Review of PHI
-Notification of a Review Preparatory to Research
-Description Justifying a Waiver of Authorization
- Via Ad
- If PHI or other identifiable private information is to be recorded during the ascertainment/recruitment process, consent of the potential subject, or IRB approval of a Waiver of Consent, must be obtained.
Ascertainment/Recruitment - Satisfying Both Rules
- Via a Review of Preparatory to Research
-Do not record PHI, or
-Record PHI and obtain Common Rule IRB waiver of consent, or
-De-identify PHI, then deal with the Common Rule.
-If the data now retains a link to subject identity, the Common Rule still applies.
-If the data does not retain any identifying link (data anonymized or unlinked), the Common Rule does not apply.
- Via Waiver of Authorization
-Do not record PHI - usually not useful or practical, or
-Record PHI and obtain IRB Waiver of Consent
-De-identify PHI - usually not useful or practical
Exception from Requirement for Informed Consent
An IRB may waive consent requirement or alter consent element if it finds and documents that:
- Research involves no more than minimal risk;
- Rights and welfare of subjects will not be adversely affected;
- Research could not be practicably be carried out without waiver or alteration; and
- When appropriate, the subjects will be provided pertinent information after participation.
Reducing the Impact
- Ensure that Information Associated with Data/Samples is Modified so it does not relate to a "Human Subject" and either does not involve PHI or is presented as a limited data/sample set.
- An Activity does not prompt the Common Rule or Privacy Rule Considerations Requiring IRB Review when:
-The activity is not research; OR
-The research does not involve a human subject AND
-The research does not involve PHI.
Examples of how can a PI doing research reduce the impact of the Common Rule and the Privacy Rule
- Modify information associated with the Data/Samples so the information does not relate to a "Human Subject", and the information does not involve PHI or PHI is presented as a limited data set.
How to modify data/samples so the information does not relate to a "human subject"
- Anonymize (unlink) the data/samples.
- Establish conditions whereby subject identity cannot be readily ascertained.
