Institutional Review Board Guidance from OCR

Conclusion

The Privacy Rule introduces new standards for protecting the privacy of individuals' identifiable health information held by a covered entity or its business associates. For covered entities, the Privacy Rule sets minimum standards for how PHI may be used and disclosed and how individuals can have control of their health information, including for research purposes. For independent researchers who are not subject to the Privacy Rule, the Rule may affect access to such information. The Privacy Rule was not intended to impede research. Rather, it provides ways to access vital information needed for research in a manner that protects the privacy of the research subject. The Privacy Rule describes methods to de-identify health information such that it is no longer PHI or governed by the Rule. If de-identified health information cannot be used for research, covered entities can obtain the individual's written permission for the research in an Authorization document describing the research uses and disclosures of PHI and the rights of the research subject. When obtaining the Authorization form is not practicable, an IRB or Privacy Board could waive or alter the Authorization requirement. The Privacy Rule also provides alternatives to obtaining an Authorization or a waiver or an alteration of this requirement, such as limited data sets or with representations provided for certain research activities. The Privacy Rule also contains a provision that "grandfathers" research that is ongoing before the compliance date to facilitate compliance with the Rule. Many researchers are accustomed to complying with Federal and State regulations that protect participants from research risks; some of these regulations even require, as applicable, a researcher to describe privacy and confidentiality protections in an informed consent.
While the Privacy Rule may add to these privacy protections, researchers are aware of the importance of protecting research subjects from foreseeable research risks, including risks to privacy. Understanding how and why the Privacy Rule protects the privacy of identifiable health information is an important step in understanding how covered entities implement the Rule's standards. Because the Privacy Rule is new and introduces new standards for how PHI is handled by covered entities, researchers and their institutions may have questions about the Rule. Researchers are encouraged to contact their institution, IRB, counsel, or Privacy Officer to learn more about how the Privacy Rule affects their institution. Questions and comments about the Privacy Rule may also be sent to HHS's Office for Civil Rights (OCR) at [email protected]. Several other Federal agencies are also prepared to assist researchers with questions about the Privacy Rule. Information can be found at the sites listed on the next page.

- - - - - - - -
Site last updated: 02/02/2007

HIPAA Resources for Researchers

Privacy review.

Under the Privacy Rule, unless one of the exceptions discussed below applies, investigators who wish to use PHI for research purposes must obtain a signed, valid HIPAA authorization from each individual whose PHI will be used or accessed for the research study. The Privacy Rule requires that either an IRB or a privacy board must review and approve requests for waivers of authorization for use and disclosure of PHI for research purposes. At UNC-Chapel Hill, the IRB serves in this role.

Mandated Training

According to the Federal Regulations, all institutions governed by HIPAA must train their employees regarding PHI. The University provides online training for new employees and annual training updates for existing employees.

In addition, University employees involved in human subject research must complete IRB-approved ethics training through the Collaborative Institutional Training Initiative (CITI). CITI is a Web-based training package on issues relating to human subjects research. The last module “Research and HIPAA Privacy Protections” is in addition to, and does not replace, any HIPAA training required by UNC Health Care and other covered units at UNC-Chapel Hill.

Research Proposal Requirements

Requirements for new research proposals.

Researchers should prepare and submit their research protocols for IRB review and submit their HIPAA-related documents to the IRB at the same time. Researchers whose new protocols involve PHI should either:

  • Collect written authorization from patients for the release of their PHI; or
  • Ask the IRB for a waiver from the authorization (under defined circumstances, the most important of which is that the research could not be done without the waiver); or
  • De-identify the data. PHI that has been de-identified (stripped of a long list of identifiers) is not governed by HIPAA regulations.

In addition, there are two circumstances in which IRB approval is not required but in which a researcher working with PHI must still make representations under HIPAA.

  • Research on decedents. You will be required to fill out a form and certify to the office that holds the data that you meet certain requirements.
  • Data review (medical records, film library, lab data, etc.) preparatory to designing a research protocol. You will be required to fill out a form and certify to the office that holds the data that you meet certain requirements.

Tracking Disclosures of PHI

If PHI is disclosed to anyone outside your research team, or to someone who was not identified in the patient authorization, you must, unless some exception applies, keep a record of with whom you shared the data and for what purpose.

NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.

Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009.

Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.

6 A New Framework for Protecting Privacy in Health Research

In the previous chapters of this report, the committee put forth several recommendations that aim to improve the Privacy Rule and associated guidance in order to ease the impact on health research while still protecting patient privacy. However, in the process of developing these recommendations, the committee recognized that the Privacy Rule’s research provisions have many serious limitations and concluded that a new, more uniform approach is needed to accomplish the dual challenge of protecting privacy while facilitating beneficial and responsible research. In this chapter, the committee recommends that the U.S. Department of Health and Human Services (HHS) exempt health research from the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and lays out the details of a bold and innovative framework for protecting privacy in health research.

The overall purpose of this Institute of Medicine (IOM) study was to examine the effects of the HIPAA Privacy Rule on health research and to recommend improvements to the legislative and regulatory system accordingly. To achieve this task, the IOM convened a committee to include individuals with a broad range of expertise and experience relevant to the stated goal of the project, including individuals with knowledge of the various fields of health research, privacy and human research protections, health law, health center administration, use and protection of electronic health information, and patient advocacy (see Chapter 1 for complete statement of task and the Front Matter for committee membership).

The committee held a number of information-gathering meetings that were open to the public. During those meetings, the committee heard presentations on privacy in research and public health; the use of information systems to protect privacy; the effect of the Privacy Rule on various research disciplines, including those that are exclusively information based, such as health services research; the Ontario health privacy law; harmonization of the Privacy Rule and the Common Rule (see Chapter 3); challenges associated with the Privacy Rule’s regulation of biorepositories, databases, and future research; and the relationship between privacy and autonomy in health research. The committee also reviewed the information presented in an earlier IOM workshop on the same topic (IOM, 2006) and conducted an extensive review of the literature. Members of the public were permitted to submit relevant references and written comments on their experiences with the Privacy Rule’s regulation of research and to speak at the committee’s public meetings. In addition, because there was a paucity of quantitative and systematic data on the effect of the Privacy Rule on research, the committee commissioned a number of large-scale, evidence-gathering projects to inform the committee’s deliberations (see Chapter 5 and Appendix B).

After reviewing the available evidence, the committee concluded that a new framework for protecting privacy in health research is needed. The current system of regulating research and protecting privacy under the Privacy Rule is not working as well as it should to protect patient privacy in research, and as currently implemented, it impedes important research. The committee believes a different system could work better and provide improved privacy protections and stronger data security while also facilitating beneficial and responsible research.

In thinking about a new framework, the committee recognized that the goals of safeguarding privacy and enhancing health research are sometimes in tension. Stringent measures to safeguard privacy can make it harder to conduct high-quality research, and research itself can pose a threat to privacy. Yet the committee believes that there is a synergy between the two, that facilitating both is desirable, and that it is possible to strengthen certain privacy protections while still facilitating important health research.

For that reason, the committee’s intent in developing the new framework was to advance both privacy and health research interests to the greatest extent possible. The committee understands that the lines are not neat, the questions are complex, and the challenges are formidable. Nevertheless, the new framework aims to strengthen health research regulations and practices that effectively safeguard personally identifiable health information, and to facilitate data collection and use for beneficial and high-quality health research, with appropriate oversight, to advance knowledge about human health.

This chapter reviews the major goals the committee agreed on during its deliberations and describes how they should be incorporated into a new regulatory system for health research and privacy. First, the chapter will highlight the major problems with the Privacy Rule’s regulation of health research, as identified in the earlier chapters of the report. Second, the chapter will lay out the details of the new framework that the committee is recommending. Third, the committee will explain its rationale for developing the proposed framework, address potential criticism of this model, and explain how the new framework avoids many of the problems associated with the Privacy Rule.

Review of the Limitations of the Privacy Rule

In the earlier chapters of this report, the committee identified three overarching goals on which to ground the recommendations: (1) improve the privacy and data security of health information, (2) improve the effectiveness of health research, and (3) improve the application of privacy protections for health research (see Box 6-1). In the process of recommending changes to the HIPAA Privacy Rule to achieve these three goals, the committee identified many serious problems with the current regulatory system. This section reviews the most serious problems with the Privacy Rule’s regulation of health research and protection of privacy in terms of these overarching goals.

Box 6-1. The Committee’s Three Overarching Goals

Improve the Privacy and Data Security of Health Information

In the context of health research, the privacy goal entails the commitment to handle personal information of patients and research participants in accordance with meaningful privacy protections. These protections should include strong security measures, disclosure of the purposes for which personally identifiable health information is used (transparency), and legally enforceable obligations to ensure information is secure and used appropriately (accountability). The Privacy Rule falls short of the privacy goal for health research in two important ways: (1) it overstates the ability of informed consent (authorization) to protect privacy, and (2) it does not provide other meaningful methods of protecting privacy, such as effective security, accountability, and transparency.

Overemphasis on Informed Consent

The principle of autonomy currently dominates the ethical landscape for both medical care and clinical research in the United States and serves as the justification for the doctrine of informed consent (i.e., authorization) in the Privacy Rule. Historically, informed consent was based on the idea that “every human being of adult years and sound mind has a right to determine what shall be done with his own body.” It was primarily considered a protection against physical harm, permitting informed, competent patients to refuse unwanted medical interventions, to choose among medically available alternatives, and to make choices that conflict with the wishes of family members or the recommendations of physicians (Buchanan, 1999; Lo, in press). Under this system, a great deal of information-based health research was conducted using personally identifiable health records without the informed consent of the persons whose records were used.

Several recent developments have brought attention to this practice, and have focused attention on the historical absence of patient autonomy in information-based research. First, the increased use of electronic health records has made it significantly easier for researchers to access large quantities of personally identifiable data. Second, the move toward personalized medicine, and the potential improvements to population health and health care that could be developed based on a better understanding of the determinants of health and illness, have increased researchers’ need for personally identifiable health information.

Under the Privacy Rule, the concept of informed consent is extended beyond control of one’s body to control of one’s health information, in an attempt to address the historical lack of informational autonomy and with the goal of protecting individuals against the nonphysical harm of unauthorized uses or disclosures of their protected health information. However, consent (authorization) itself cannot achieve the separate aim of privacy protection. The Privacy Rule, as currently defined and operationalized in practice, does not provide effective privacy safeguards for information-based research because of an over-reliance on informed consent rather than comprehensive privacy protections.

The Limitations of Relying on Consent to Protect Privacy

As has been described above, the protection of medical privacy in the data processing environment requires the adoption of comprehensive privacy protections, which establish a variety of obligations on entities that collect and use personal information. These obligations to safeguard privacy, such as security, transparency, and accountability, are independent of patient consent. In fact, preventing the secondary use of personal data is the only privacy obligation that consent can potentially address. However, informed consent has recently been put forward as an alternative to the adoption of comprehensive privacy protections, with the practical consequence that many privacy obligations are ignored ( Allen, 2007 ; Rotenberg, 2001 ; Solove et al., 2006) (see the section on Other Federal Actions for examples of currently proposed bills). This section describes some of the major limitations of relying heavily on informed consent to protect informational privacy, as is done in the HIPAA Privacy Rule, rather than requiring the implementation of a full range of privacy protections.

With a primary focus on informed consent in privacy laws, many entities that hold personal health data may have insufficient incentives to implement comprehensive privacy protections. If compliance with consent requirements frees the data holders from further privacy obligations, some organizations and researchers may be less likely to invest in privacy-enhancing technologies or the infrastructure necessary to truly protect data. This emphasis also creates few reasons for organizations to make their activities transparent or to create institutional accountability ( AHIC, 2008 ; Cate, 2008 ; CDT, 2008a ; U.S. Congress, 2008a).

In addition, although informed consent can allow patients to control whether their information is used for any secondary purposes, such as research, few patients are sufficiently informed to make educated decisions about how their data should be used (Schneider, 2006). Studies indicate that many consumers do not read the details of informed consent forms, which are often lengthy documents, and even when they do read the forms they often do not comprehend all the details ( Cate, 2008 ). Two separate studies have found that many consumers mistake the existence of any privacy policy for a guarantee that information will be strongly protected and withheld from outside persons, even if the consent says differently ( Good et al., 2005 ; Turow et al., 2007). This difficulty is magnified by the fact that often patients are asked to give informed consent at a time when they are not in good health and are not motivated or lack the ability to make these kinds of complicated decisions ( CDT, 2008b ; U.S. Congress, 2008a).

Relying heavily on informed consent rather than comprehensive privacy obligations may also lead to a shift from substantive privacy protections toward costly procedural requirements that actually provide consumers with few meaningful choices, especially if informed consent is required as a condition of obtaining services ( Cate, 2008 ; Thomas and Walport, 2008). Data holders may offer blanket consents to shield themselves from liability without actually providing any substantial privacy protection. In these situations patients lack reasonable alternatives and are forced to relinquish control over how their health information is used ( CDT, 2008a ; Thomas and Walport, 2008; U.S. Congress, 2008a,b).

In the case of medical records research, it is questionable as to whether a reliance on informed consent actually fosters patient confidentiality and protection ( AMS, 2006 , 2008 ; Casarett et al., 2005 ; Thomas and Walport, 2008). For example, if individuals must be contacted each time their records may be used in a particular study in order to obtain informed consent, as the Privacy Rule requires, such contact could be considered intrusive and counter to the tenets of confidentiality. Also, a common methodological approach to studying disease is to compare people with a particular disease to people who do not have that disease—known as a case-control study. But people may become alarmed if they are asked to consent to their records being used in such a study on a particular disease (e.g., cancer) for which they have not been diagnosed ( Casarett et al., 2005 ).

Because of these limitations, the committee believes it is important to shift the focus in privacy protections toward a set of more comprehensive privacy obligations. This will ensure that health information privacy protections are more robust and more likely to minimize the risks to personal privacy that result from the collection of personally identifiable health information.

Failure to Incorporate Other Meaningful Privacy Protections

Implementation of the Privacy Rule does not ensure that covered entities or the research community will adopt a full range of measures to protect data; the security, transparency, and accountability provisions have proven ineffectual. As highlighted in Chapter 2 , the HIPAA Security Rule does lay out a number of security requirements that covered entities must implement for protecting electronic protected health information. However, despite this regulation, there have been a number of highly publicized examples of data security breaches in health research, most often due to stolen or misplaced computers containing health data. A recent survey conducted by Campus Computing Project found that from 2006 to 2007, colleges of all types saw a 3.6 percent increase in the number of stolen computers with sensitive data. This problem was most prevalent at major research universities ( Foster, 2008 ). Also, a report from the Identity Theft Resource Center found that identity thefts are up 69 percent for the first half of 2008, compared to the same time period in 2007, and so the consequences of security breaches are more likely to lead to tangible harm than previously believed ( ITRC, 2008 ). These facts suggest that holders of personally identifiable health data should be required to implement security safeguards beyond what is provided for under the current HIPAA Security Rule.

In addition, as discussed in Chapter 4, it has been argued that the current interpretation of the Privacy Rule has not successfully resulted in accountability for misuses and unauthorized disclosures of protected health information. The regulation provides both civil and criminal penalties for covered entities that breach the Privacy Rule, but enforcement of the Privacy Rule has been criticized as inadequate. To date, there have been no civil penalties imposed against any covered entity and only three criminal prosecutions, despite the fact that between April 2003 and August 2008, more than 38,000 complaints were received by HHS regarding alleged violations of the Privacy Rule. HHS has not provided information on how many of these alleged violations are in the context of health research (HHS, 2008a; Rahman, 2006). On July 18, 2008, HHS required a monetary payment to settle potential violations of the Privacy and Security Rules for the first time, signaling that HHS may start to take a more assertive approach to enforcement of the Privacy and Security Rules in the future (HHS, 2008b). This agreement was in response to the covered entity allowing backup tapes, optical disks, and laptops—containing unencrypted protected health information on 386,000 patients—to be stolen or lost.

Finally, the accounting for disclosures provision of the Privacy Rule was intended to make covered entities’ actions open and transparent (discussed in Chapter 4). This provision gives individuals the right to receive a list of certain disclosures that a covered entity has made of their protected health information in the past 6 years, including disclosures made for research purposes. However, this requirement has numerous exceptions. Also, for research involving groups of 50 or more, covered entities are only required to produce a general list of all protocols for which a person’s protected health information may have been disclosed, but do not have to provide any more specific information. Therefore, the accounting for disclosures provision does not require covered entities to provide individuals with a clear description of how their health information is used, and does not provide individuals with the detailed information they may want (AHIC, 2007; Pritts, 2008). At the same time, survey data show that this provision is a considerable administrative obligation for covered entities, and is rarely requested by patients (AHIMA, 2006; see also Chapter 4).

Improve the Effectiveness of Health Research

The health research goal emphasizes the importance of research in extending high-quality, healthy lives, and in leading to improved methods for prevention, diagnosis, and treatment. Unfortunately, the available evidence indicates that the current interpretation and implementation of the Privacy Rule has had an unintended negative impact on health research. As discussed in Chapter 5 , the Privacy Rule, as interpreted and implemented by covered entities, has:

  • Increased the cost and time needed to conduct a research project from start to finish
  • Made recruitment of research participants more difficult
  • Increased the likelihood of selection bias and made it more difficult to produce generalizable findings
  • Increased research participants’ confusion regarding their rights and protections
  • Led researchers to abandon important studies
  • Created new barriers to the use of patient specimens collected during clinical trials or treatment
  • Failed to create an effective way for researchers to conduct studies using data with direct identifiers removed

These negative consequences are particularly problematic in light of recent trends in health care and research. Since the Privacy Rule was implemented, health data have assumed an even greater role in health research, and will become more essential as health care administration moves toward personalized medicine, in which preventive and therapeutic interventions are tailored to the individual characteristics of patients. Developing drug therapies and treatment protocols that focus on smaller and smaller subsets of the population based on genetic makeup or health history and environmental exposures requires access to more and more personal data to conduct effective health research. In addition, burgeoning health care costs and increasing limitations on expenditures by health care plans highlight the need for health services research to better determine which patients benefit from current approaches and which patients may even be harmed. If the current approach to privacy protection in research under the Privacy Rule continues unchanged, these advances will be burdened and potentially delayed, and opportunities for medical progress may be lost.

Alternative Models

The challenges described above are causing some leading scientists, legal experts, and privacy advocates to develop new paradigms for determining when personally identifiable health data, including biological samples, can be used for research. The recognition that a primary focus on consent is not always meaningful or protective of privacy, and that it impedes important information-based research, is gaining acknowledgment in the United Kingdom and in other countries in Europe, as well as the United States (AMS, 2006, 2008; Thomas and Walport, 2008). The committee reviewed several alternative models and took them into consideration in the development of the proposed new framework for protecting privacy in health research.

  • Reciprocity, Solidarity, and Mutuality Models. These models seek to address the situation where there is no consent for future research uses (whether specified or unspecified). Proponents of the reciprocity model argue that by accepting the benefit of past medical research (which is intrinsic in the use of medical services), patients inherently agree to allow the use of their health information in future research for the common good ( Knoppers and Chadwick, 2005 ; Liu, 2007 ). Critics of this approach argue that voluntary altruism by past research participants imposes no reciprocal obligation on the larger community ( Jonas, 1991 ). Proponents of the solidarity model similarly argue that individual ties to society and social relationships require individuals to participate in research without informed consent for the common good ( Chadwick and Berg, 2001 ). The mutuality model is based on the insurance industry’s concept of individuals entering a pool for sharing losses and known risks. In the research context, mutuality requires individuals to pool their health information for the benefit of all, rather than provide for discretionary control of individual information ( Knoppers and Chadwick, 2005 ).
  • Harms-Based Model. The harms-based model seeks to narrowly tailor the restrictions that are applied to the use of personally identifiable health information based on the specific risks associated with unauthorized use of that information. There are two categories of potential harm commonly cited with respect to unauthorized uses of personally identifiable health information: (1) discrimination and stigmatization and (2) erosion of trust leading to compromises in health care ( NCVHS, 2007 ). For example, such an approach would logically call for the adoption of nondiscrimination legislation and a requirement that entities with a legitimate need for personally identifiable health information secure the information against further unauthorized access. This would arguably address directly the risks of harm to the individuals involved when their personally identifiable health information is used for research, while recognizing the need for researchers’ access to information in order to achieve the public’s goals of improving individual and public health and advancing scientific knowledge.

Improve the Application of Privacy Protections for Health Research

The goal of improving the application of privacy protections for health research stresses the need for consistent standards for the use and disclosure of personally identifiable health information in health research. The extent of privacy protections should not depend on the holder of the personally identifiable health information, the source of the data, or what type of funding is supporting the research project. In addition, all institutions required to comply with the privacy protections should ideally interpret and implement them in a consistent manner. Major problems identified with the Privacy Rule’s regulation of research under this principle include: (1) discrepancies between the Privacy Rule and other rules and regulations relevant to health research, (2) the Privacy Rule’s limitation in scope, and (3) large variations in interpretation and implementation by covered entities.

Discrepancies with Other Rules That Regulate Research

The Privacy Rule was intended to provide consistent standards in the United States for the use and disclosure of protected health information, including for research purposes. However, in the current state, the Privacy Rule is difficult to reconcile with HHS regulations for the Protection of Human Subjects (45 C.F.R. 46), the Food and Drug Administration human subjects regulation (21 C.F.R. parts 50 and 56), and other applicable federal and state laws. For example, the provisions governing data deidentification, consent for future research, and recruitment of research volunteers vary among these regulations, making important research activities more challenging to undertake (see Chapter 4 ).

Limitation in Scope

The Privacy Rule pertains only to covered entities; thus this regulation does not apply uniformly to all health research in the United States (see Chapter 4). Similarly, as described in Chapter 3, the Common Rule only applies to research conducted or supported by the U.S. government (although its influence is broader because most institutions that accept federal funds sign a federalwide assurance to abide by the Common Rule requirements in all research conducted at the institution, regardless of funding source). Because both of these Rules are limited in scope, there are significant gaps in whom and what is covered by current federal research regulations. This is in stark contrast to most other countries, in which research regulations are not limited by provisions regarding funding or particular health care transactions, but instead apply to all research conducted in that country (Casarett et al., 2005).

Differences in Interpretation

Because the Privacy Rule is such a complex regulation, there is substantial variation across institutions in how the Privacy Rule has been interpreted and implemented (see Chapter 5). For example, the way in which Institutional Review Boards (IRBs) and Privacy Boards interpret the concepts of impracticability and minimal risk when making decisions about authorization requirements varies across institutions, and often is quite conservative (see Chapter 4). Inconsistent interpretation and application of the Privacy Rule research provisions by IRBs, Privacy Boards, and covered entities that hold the protected health information, especially for multisite research and studies that are reviewed by multiple IRBs and Privacy Boards, can create barriers to research such as variations in protocol at different institutions and, at times, discontinuation of studies. A lack of clarity in how the Privacy Rule applies to various types of health research or closely related health care practices adds another layer of complexity and variability (see Chapter 3). In fact, some covered entities are reluctant to permit access to data for research even when all provisions of the Privacy Rule are followed, out of fear of misinterpreting the Privacy Rule (Casarett et al., 2005; Rothstein, 2005).

THE NEW FRAMEWORK

Given the clear limitations of the HIPAA Privacy Rule, the committee concluded that a new approach to the regulation of health research is needed. The committee favors an approach in which both individual privacy and the societal value of research are carefully considered and supported. To achieve this goal, the committee identified a number of key concepts (CIHR, 2005; Gostin, 2001) to incorporate into the new framework, including:

  • All researchers should be required to follow the same set of privacy rules.
  • Whenever possible, information-based research should be done using health data with direct identifiers removed.
      — Measures taken to protect the privacy, security, and confidentiality of the data;
      — Potential harms that could result from disclosure of the data; and
      — Potential public benefits of the research.
  • Researchers should identify and document research objectives to justify the data they wish to use and/or collect.
  • Researchers, institutions, and organizations that store personally identifiable health data should establish security safeguards and set limits on access to data.
  • Researchers who violate individuals’ privacy should be penalized.

These concepts are intended to support the beneficial use of existing health data, as well as the collection and use of health data for research purposes, while protecting individuals’ privacy.

Examples of Informative Models

One informative example that incorporates many of the privacy principles listed above is Ontario’s Personal Health Information Protection Act (PHIPA). 5 This provincial law governs the manner in which “personal health information” 6 is collected, used, and disclosed within the Ontario health care system. PHIPA only applies to the province of Ontario (not the entire country) and operates in a universal health care system, so the legislation as a whole may not be easily transferable to the United States. However, many of the major concepts in PHIPA influenced the committee’s deliberations regarding the new framework.

PHIPA shares a number of similarities with the Privacy Rule (Table 6-1). In general, both regulations require the holder of personally identifiable health data to obtain informed consent (referred to as authorization in the Privacy Rule) 7 before using any personally identifiable health information for a purpose other than providing services directly related to health care of the patient. If a researcher wishes to use personally identifiable health data without informed consent, both regulations require the researcher to obtain a waiver of informed consent approved by an independent ethics board prior to the start of the study.

TABLE 6-1. The HIPAA Privacy Rule Versus PHIPA.

Despite these similarities, the Privacy Rule and PHIPA have some key differences that are important in research. One major difference is that unlike the Privacy Rule, which applies privacy obligations unevenly across the health care sector, PHIPA implements a more uniform approach. PHIPA applies to health information custodians (HICs) (e.g., providers, hospitals, and pharmacies) who collect, use, and disclose personal health information and to non-HICs when they receive personal health information from a HIC. This means that the privacy protections follow the data, even after the data are no longer held by a HIC. All health researchers are required to comply with PHIPA when using personal health information. In contrast, the Privacy Rule fails to provide individuals with privacy protections if their information is held by an entity other than a covered entity. Only some researchers qualify as covered entities or are employed by covered entities and are directly regulated by the Privacy Rule; for others, the Privacy Rule regulates access to protected health information held by covered entities but the researchers themselves are not subject to the provisions.

A second major difference is the Privacy Rule and PHIPA’s treatment of deidentified information. Deidentified information is outside the scope of both rules. However, PHIPA provides a more vague definition of “deidentified” than the Privacy Rule, defining it to mean the removal of “any information that identifies the individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual.” 8 Because of the lack of specificity in the definition, and the fact that the Ontario Information and Privacy Commissioner has not issued any guidance on the deidentification process, HICs are required to exercise judgment in determining when enough identifiers have been removed that the information is deidentified. Many HICs take a very conservative approach to the disclosure of personal-level, deidentified information for research and require Research Ethics Board approval (Canadian equivalent of an IRB or Privacy Board). 9 In contrast, the Privacy Rule provides two very detailed methods of deidentifying health information: (1) the safe harbor method, and (2) the statistical method (see Chapter 4). If a covered entity complies with either of these methods, it may disclose the deidentified information to researchers without IRB or Privacy Board approval.

A third major difference is that under PHIPA, HICs are permitted to disclose personal health information without consent to “prescribed persons or entities” that are prescribed by the legislation, including registries compiled or maintained for purposes of facilitating or improving the provision of health care or that relate to the storage or donation of body parts or bodily substances. In order to be designated as a prescribed person or entity, the person or entity must have in place practices, policies, and procedures to protect the privacy of individuals whose personal health information it receives and to maintain the confidentiality of such information. These practices, policies, and procedures must be reviewed and approved by Ontario’s Information and Privacy Commissioner (IPC), an individual appointed by the Ontario Legislature, every 3 years. Prescribed persons and entities must also make public a description of the functions of the registry and a summary of its practices, policies, and procedures. Currently, five registries are designated as a “prescribed person” under PHIPA. 10

Once personal health information is held by a prescribed entity, the entity may use and disclose the information for research purposes in accordance with the normal rules and restrictions on HICs disclosing information for research—including the requirement for approval by a Research Ethics Board if the information is in identifiable form. There are several advantages for researchers in obtaining information from prescribed entities, rather than other HICs. Prescribed entities collect personal health information from a wide range of sources and can link and match the personal health information longitudinally. In addition, there is little danger of selection bias, because informed consent is not required in the collection of the data. Prescribed entities very rarely need to disclose information in identifiable form for research, because researchers are given data that are already aggregated and linked. PHIPA instructs the prescribed entities to use their judgment in determining if information is deidentified. However, as noted above, all prescribed entities must have their policies and practices reviewed by the IPC, including their policies for the deidentification of data. As a result, prescribed entities are confident in their deidentification process, and researchers obtaining data from prescribed persons are rarely required to obtain informed consent or Research Ethics Board approval.

Recently, a similar approach to prescribed entities was recommended in a report commissioned by the United Kingdom’s Prime Minister on secondary uses of personal information. This report suggested the creation of “safe harbors,” which have three defining characteristics: (1) they provide a secure environment for processing personally identifiable health data, (2) they are restricted to “approved researchers” who meet relevant criteria, and (3) they implement penalties and allow for criminal sanctions against researchers who abuse their access to personally identifiable data (Thomas and Walport, 2008).

The United Kingdom approach is also comparable to PHIPA, because both models incorporate the concept that personally identifiable information should only be disclosed for health research when the research is beneficial to the public and has scientific merit. PHIPA instructs Research Ethics Boards to consider both “the public interest in conducting the research and the public interest in protecting the privacy of the individuals whose PHI is being disclosed” when reviewing research plans. The United Kingdom model identifies the principle of proportionality, defined as “an objective judgment as to whether the benefits outweigh the risks,” as a key consideration when deciding whether personal information may or may not be shared for health research (Thomas and Walport, 2008). There is also a precedent for weighing scientific merit in the United States—as previously noted in Box 4-5, Centers for Medicare & Medicaid’s (CMS’s) Privacy Boards are instructed to “balance the potential risks to the beneficiary confidentiality with the probable benefits gained from the completed research,” as well as to consider the researchers’ demonstrated expertise and experience in conducting such a study.

The committee believes an approach similar to PHIPA and the recently proposed model from the United Kingdom, combined with strong security measures, offers adequate privacy protections for personally identifiable health information, while greatly expanding research opportunities. In particular, the prescribed entity/safe harbor concept offers a useful way to conduct medical records research and effectively protect patient privacy and confidentiality by facilitating greater use of deidentified data in research. Also, the focus of PHIPA, the United Kingdom model, and the CMS on only permitting the disclosure of personally identifiable information for socially beneficial research that has scientific merit ensures that approved research projects address important health questions and utilize a scientifically rigorous methodology. In addition, PHIPA’s focus on transparency, by requiring prescribed persons and entities to post their research purpose, policies, and procedures, is consistent with desirable comprehensive privacy protections.

The Committee’s Recommendation

The committee recommends that Congress authorize HHS and other relevant federal agencies to develop a new approach to ensuring privacy in health research. When this new approach is implemented, HHS should exempt health research from the Privacy Rule. The committee suggests a two-part practical approach to protecting health information privacy because there are fundamental differences between information-based research and direct, interventional human subjects research. First, congressional action should be taken to require all interventional research (e.g., Phase I–III clinical trials) to comply with the Common Rule, regardless of funding source. This would eliminate current gaps in oversight and provide protection for all patients who consent to participate in interventional clinical trials. In addition, all researchers who gain access to personally identifiable health information as part of the interventional research should be required to protect that information with strong security measures, as recommended in Chapter 2. Research participants should be allowed to provide consent for future research uses of data and biological materials collected as part of the interventional study, as long as an IRB reviews and approves the future uses, ensuring that the new study is not incompatible with the original consent (as recommended in Chapter 4).

Second, Congress should authorize HHS and other relevant federal agencies to develop a new approach to uniform, goal-oriented oversight of information-based research, with a focus on best practices in privacy, security, and transparency as in PHIPA and the proposed United Kingdom model (CIHR, 2005; Thomas and Walport, 2008) and minimizing ineffective and burdensome administrative tasks. This new approach should include a mechanism by which some programs or institutions could be certified by HHS or another accrediting body, similar to a prescribed entity as in PHIPA or a “safe harbor” as in the United Kingdom model. Such certified entities could then collect and analyze personally identifiable health information for clearly defined and approved purposes, without individual consent. Because of the administrative requirements in becoming certified, this option is most appropriate for disease registries and other very large scale research databases. The regulations should require specific privacy safeguards for certified entities, including mandatory privacy training for all staff/researchers; signing of confidentiality agreements; privacy breach policies and procedures; and mandatory privacy impact assessments. In addition, the regulations should require certified entities to publicize the scope and purpose of their data collection (e.g., the types of studies that may be undertaken with the data). The regulations could also require entities to provide details on what their database will not be used for, to assure the public that certain types of activities will not be conducted.

Certified entities could also link personally identifiable data from multiple sources (see discussion on linking in Chapter 4) and then provide aggregated datasets to researchers with direct identifiers removed (see discussion on deidentified data and limited datasets in Chapter 4) (AMS, 2008; Thomas and Walport, 2008). Aggregation would generate more complete datasets for analysis and thus lead to more meaningful research results. Data with direct identifiers removed would protect patient privacy in research and would also streamline research efforts by eliminating the need to undergo ethics board review, which is not required for research using deidentified data under the Privacy Rule, PHIPA, or the United Kingdom model. To further protect privacy, unauthorized reidentification of information that has had direct identifiers removed should be prohibited by law, and violators should face legal sanctions. In addition, researchers receiving information with direct identifiers removed should be required to establish security safeguards and to set limits on access to data.

In cases where researchers cannot use data with direct identifiers removed, and personally identifiable health information is needed for research, approval and oversight by an ethics board should be required, partially analogous to what is now done under the HIPAA Privacy Rule and PHIPA. This ethics oversight board could perhaps entail a new body specifically formulated to review medical records research, rather than relying on traditional IRBs that were created to review interventional research. If researchers seek a waiver of informed consent, an ethics oversight board should consider the measures the researchers have proposed to take to protect the privacy, security, and confidentiality of the data, the potential harms that could result from disclosure of the data, and the potential public benefits of the proposed research study. Privacy should not automatically be a more compelling interest than improving health care. However, even research with little risk to privacy should not be conducted if the study has little scientific merit or anticipated public benefit.

Under this new system, HHS should implement real consequences for any researcher or institution that mishandles personally identifiable health information, regardless of whether it is obtained through informed consent or under a waiver of informed consent. In order to facilitate consistent application of this option, HHS should issue clear guidance and best practices (as recommended in Chapter 4) on how to assess the potential harm, the proposed measures to protect privacy and confidentiality, and the potential public benefits of a research study, as has been done under PHIPA. For example, the Canadian Institute for Health Information has developed best privacy practices for research to provide guidance for determining whether or not a waiver of consent is warranted (CIHR, 2005).

The primary focus of many IRBs in reviewing research protocols in the past has been on risks to the physical safety of research participants. There is a great deal of variability in whether and how IRBs consider the public benefit and scientific merit of research proposals. But the first rule of ethical research is that the research must have scientific value—meaning that it addresses an important question of human health and is designed and conducted using methodology that is appropriate and rigorous. The scientific merit of research varies by project, just as the potential risk to privacy of research varies across different protocols. The committee believes that when making decisions about whether a research protocol that entails the disclosure of personally identifiable information should go forward, ethical oversight boards should take all these factors—potential risks/harms to research participants’ privacy as well as scientific merit and potential public benefit of the research proposal—into consideration.

In 2001, a previous IOM committee, the Committee on Assessing the System for Protecting Human Research Subjects, recommended that “human research participant protection programs” use distinct mechanisms for initial, focused reviews of scientific merit and financial conflicts of interest and that these reviews should precede and inform the comprehensive ethical review of research studies. Ethical oversight board members themselves may not have the expertise to assess the merit of diverse research studies, but they should have access to evaluations by scientific review committees or funder peer review panels. Input regarding the scientific value of studies from these experts would help ethical oversight boards assess the anticipated benefits of a proposed research project.

The Role of Informed Consent in the New Framework

Informed consent is intended to achieve two purposes: (1) protect research participants from harm and (2) provide respect for the person (including the person’s privacy, religious beliefs, cultural preferences, and world views). As outlined above, the framework maintains a requirement for informed consent for all interventional clinical research. The purpose of informed consent in this type of research is mainly to protect research participants from harm by providing a description of the potential risks and benefits of the study and to seek permission to involve the subject. Although privacy protection is a component of the risk/benefit considerations, the main focus traditionally has been on physical harms. One study found that confidentiality is one of the least important considerations for potential research participants in deciding whether to participate in interventional clinical research (Tait et al., 2002).

However, it is important to note that interventional researchers are expected to follow the principles of medical ethics, which require that information disclosed in the course of medical treatment is kept as confidential as possible. Moreover, the committee’s framework includes the recommendation that strong security safeguards be required for any data collected in conjunction with an interventional study. The framework’s permission of future consent for researchers’ use of data and biological materials actually increases individuals’ ability to exercise control over their personally identifiable information. Under the Privacy Rule, the requirement to obtain a new authorization form signed for each research study means that most future studies actually proceed under a waiver of authorization, and individuals are deprived of all input into future uses of their information (Nosowsky and Giordano, 2006). Thus, informed consent in this context addresses protection from both physical harm and dignitary harm.

In contrast, in information-based research that relies solely on medical records and stored biospecimens, the research participant faces no risk of physical harm. In this context, informed consent is intended to ensure that individuals are able to exercise control over their personally identifiable health information that is held by third parties, and to give individuals the right to determine whether their personally identifiable health information can be used in a particular research project (or a series of such projects, if consent for future research is permitted). However, a universal requirement for informed consent can lead to invalid results, because of significant differences between patients who do or do not grant consent, and missed opportunities to advance medical science because it can be prohibitively costly and difficult to obtain consent for studies that require analysis of very large datasets.

As a result, the framework includes two alternatives to requiring informed consent that can be used in certain circumstances (i.e., disclosure to a certified entity and waiver of informed consent by an ethics oversight board), which are intended to facilitate research that is in the public interest. For research that makes use of these two alternatives, the framework counterbalances the absence of informed consent with an increase in security, transparency, and accountability protections by: (1) requiring certified entities to protect the privacy and confidentiality of personally identifiable health information records in a manner that is approved by an outside party (HHS or a different body), (2) requiring certified entities to fully disclose what research is being conducted with its data, (3) requiring ethics oversight review for research that uses personally identifiable data under a waiver of informed consent, (4) implementing clear and consistent consequences for researchers who are responsible for privacy or security breaches, and (5) encouraging the development and use of improved security protections for use in health research.

Public opinion polls indicate that a significant portion of the public would prefer to control all access to their medical records via informed consent. However, as noted above, a universal requirement for informed consent would impede important health research and lead to biased, ungeneralizable results, to the detriment of society. The committee believes that the new framework provides strong protections for data privacy and security, beyond that currently provided under the Privacy Rule, while increasing the opportunities for important health research by offering an alternative to informed consent under certain circumstances.

The Belmont Report, one of the most influential reports on the advancement of human research participant protections, recognizes that principles of respect for persons and autonomy are not absolutes and must be considered along with other ethical principles. It acknowledges that there may be compelling reasons to limit autonomy, providing that “To show lack of respect for an autonomous agent is to repudiate that person’s considered judgments, to deny an individual the freedom to act on those considered judgments, or to withhold information necessary to make a considered judgment, when there are no compelling reasons to do so” (emphasis added) (HEW, 1979). Similarly, a 1994 IOM report argued that existing health information, stored in medical records and biospecimen banks, should be released to researchers without informed consent if such studies were regarded as being in the public’s interest (IOM, 1994).

If society seeks to derive the benefits of medical research in the form of improved health and health care, information should be shared to achieve that societal benefit (Chadwick and Berg, 2001; Knoppers and Chadwick, 2005; Liu, 2007), and governing regulations should support the use of such information. Recent reports from the United Kingdom have come to a similar conclusion and recommend that the law allow the use of personally identifiable health information without consent if the use of that information is necessary and the potential benefits to society outweigh the individual risks (AMS, 2006, 2008; Thomas and Walport, 2008). In the committee’s proposed new framework, the greater emphasis on ensuring the security protections of personally identifiable health information, facilitating research using data with direct identifiers removed, and ensuring the scientific merits of any proposed research should help to foster its acceptability. Nonetheless, to implement this new framework, effective communication with the public regarding the value of this model will be important to address concerns and gain acceptance, as recommended in Chapter 3.

THE NEW FRAMEWORK ADDRESSES THE OVERARCHING GOALS

The committee supports its argument in favor of implementing a new framework for protecting privacy in health research by outlining how this approach achieves the committee’s three overarching goals: (1) improving the privacy and data security of health information, (2) improving the effectiveness of health research, and (3) improving the application of privacy protections for health research (see Box 6-1). The committee believes many of the limitations of the current federal regulation of research can be improved or solved by the proposed framework.

Improving the Privacy and Data Security of Health Information

The new framework includes a number of mechanisms to improve the protection of research participants’ privacy and security in health research. First, the privacy of research participants is improved because the new framework applies to all institutions and all health researchers who collect, use, and disclose personally identifiable health information. Similar to Ontario’s PHIPA, this means that the privacy protections follow the data. No matter what entity or individual holds the personally identifiable data, the same set of privacy safeguards is required.

Second, the new framework maintains the requirement that researchers obtain informed consent for all interventional clinical research and strengthens the security protections of data collected in the course of a clinical trial. The new framework also permits research participants in interventional, clinical research to provide informed consent for future research uses of their data and biological materials collected as part of the study. The privacy of these individuals is protected by requiring an IRB to review any future studies and to determine that the future uses are not incompatible with the original informed consent. This aspect of the new framework actually promotes individuals’ ability to exercise control over their personally identifiable information. As stated above, the requirement in the Privacy Rule that researchers must obtain new authorization for every use of protected health information means that most future studies proceed under a waiver of authorization, and individuals are deprived of all input into future uses of their information (Nosowsky and Giordano, 2006).

Third, the new framework protects privacy by maintaining the default requirement that researchers must obtain informed consent to use personally identifiable data for research. If researchers wish to use personally identifiable data without obtaining informed consent for information-based research, they are required to identify and document their research objectives to an ethics oversight board, and they must identify the measures by which they will protect the privacy, security, and confidentiality of the data. The ethics oversight boards provide impartial review, and are only permitted to waive informed consent after considering the measures to protect the privacy, security, and confidentiality of the data; the risk of harm in conducting the research; and the potential public benefit of the research study.

Fourth, the new framework protects privacy by creating certified entities that facilitate researchers’ use of data with direct identifiers removed. One of the major problems with the deidentification provisions of the Privacy Rule is the difficulty in linking data from multiple sources to generate more complete datasets or to follow patient outcomes longitudinally (see Chapter 5 for more details). The new framework’s certified entity concept provides a solution to this problem; certified entities are able to link and match personally identifiable information longitudinally from multiple sources and can then disclose data with direct identifiers removed to researchers. Because the data provided by certified entities with direct identifiers removed have already been linked and aggregated, they are more useful for research. Thus, researchers will be able to make greater use of deidentified datasets and will need access to personally identifiable data in fewer situations. Privacy is improved because there are fewer risks to privacy when researchers do not access or use personally identifiable data.

In addition, the privacy of data held by certified entities is protected because certified entities are required to have their privacy and security policies approved and re-approved on a regular basis by an outside party (HHS or a different body). Certified entities are also required to implement specific privacy safeguards including mandatory privacy training for all staff/researchers, signing of confidentiality agreements, privacy breach policies and procedures, mandatory privacy impact assessments, and security safeguards and limits on access to data.

Finally, the new framework protects privacy in health research by requiring the implementation of comprehensive privacy protections, including transparency, accountability, and security. Transparency is improved by the new framework’s requirement that certified entities publicize the scope and purpose of their data collection and provide information on what uses of their data will not be permitted. Transparency is also achieved by requiring researchers to describe in detail their research plans and objectives (either to potential research participants or to the ethics oversight board) and to justify the data they wish to use and/or collect. Accountability is improved by the new framework because it requires Congress and HHS to implement clear and consistent consequences for researchers who are responsible for privacy or security breaches. The new framework also includes provisions for penalizing any individuals who attempt to reidentify data that has had its direct identifiers removed. Security is improved in the new framework because all holders of health data, both personally identifiable data and data with direct identifiers removed, are required to implement security safeguards, as described in Chapter 2, and to set limits on access to data. The committee also believes that the increased emphasis on accountability in the new framework will encourage researchers and other stakeholders to invest money in developing privacy-enhancing technologies for use in research, to reduce the risk of accidental breaches and the associated consequences.

Improving the Effectiveness of Health Research

The new framework is intended to provide a method of regulating health research, including the protection of individual privacy, in a way that minimizes impediments to beneficial research. First, allowing patients to consent to the future use of specimens collected during the course of an interventional study or treatment will reduce many barriers to researchers’ use of existing biospecimen banks. Patient privacy is protected by requiring any future uses of these specimens to be approved by an IRB, which should determine whether a proposed study has scientific merit, implements appropriate privacy protections, and is not incompatible with the original consent.

Second, the creation of certified entities that can receive personally identifiable health information for information-based research without patient informed consent, similar to PHIPA’s prescribed entities and the United Kingdom’s safe harbors (Thomas and Walport, 2008), will result in more complete and representative datasets, and thus will result in more generalizable results. The creation of certified entities will also facilitate research using data with direct identifiers removed. As stated above, under the current system, researchers cannot link datasets from multiple covered entities without a unique identifier. If a certified entity performed this task, researchers could make greater use of data without identifiers.

Third, the goal-oriented framework with a focus on best practices should aid the work of both researchers and IRBs and reduce the variability across different institutions. For example, it should be easier for IRBs to make appropriate decisions regarding waivers of informed consent because the framework’s goal is to allow beneficial research to be conducted if comprehensive privacy and security safeguards are in place and privacy risks are minimized. Identification and dissemination of best practices in privacy protection for various types of health research would help delineate what IRBs should do to facilitate responsible research, rather than just defining what is permissible.

Finally, the committee believes this framework will reduce some of the research costs and time that have increased since the Privacy Rule was implemented because the framework is designed to make research oversight more uniform and to reduce administrative burdens.

Improving the Application of Privacy Protections for Health Research

A recent report by the National Committee on Vital and Health Statistics (NCVHS) recognized the importance of having nationally uniform privacy protections for all secondary uses of health data, including research. The report criticized the Privacy Rule’s reliance on the covered entity construct and creation of business associate agreements to PHI (NCVHS, 2007). The framework proposed by the IOM committee addresses this criticism of the Privacy Rule, and provides for a comprehensive regulation of research that applies to all researchers and protects all personally identifiable health data in research. It eliminates a primary problem of harmonization of privacy protections because the framework is intended to be the only regulation governing researchers’ use of health data. In addition, the implementation of this framework would improve the clarity of privacy protections because currently much of the confusion is due to the Privacy Rule’s complicated interactions with other existing privacy regulations, such as the Common Rule.

One potential challenge under the new framework is the need to define health research and to distinguish interventional research from information-based research. HHS will need to develop clear guidelines to help researchers and ethics oversight boards consistently make this distinction. The identification and dissemination by HHS of best practices in research protections (as recommended in Chapter 5) will be important to ensure greater uniformity of goal-oriented research oversight and to ensure that the framework is implemented in a way that facilitates research without undermining individual privacy. In addition, there will be some administrative burden in certifying and overseeing the certified entities.

RELEVANCE OF THE RECOMMENDATION TO OTHER FEDERAL ACTIONS

The committee’s recommendation for a new framework to regulate health research is particularly timely because new actions at the federal level are being considered or have already been taken to protect the privacy of electronic health records. These developments raise new concerns about potential impacts on health research. The committee believes this proposal will stimulate fresh ideas about the best ways to protect privacy and improve research as the nation addresses these two interrelated values over the next several years.

An example of one of the recent developments affecting research is the Department of Veterans Affairs’ (VA’s) August 2007 directive. Outlining new conditions under which it would release data from VA hospitals to state central cancer registries, the directive requires states to sign a data use agreement with the VA and to agree to implement privacy and security protections above and beyond the protections required in the HIPAA Privacy and Security Rules. Among other requirements, state registries must agree not to release VA cancer data to persons outside the registry or to reuse the data for any purpose other than for maintaining cancer statistics (Kolata, 2007b).

Each state has a law establishing cancer surveillance programs that collect information on every patient who is diagnosed with cancer in that state. Also, the National Cancer Institute (NCI) collects cancer statistics from 17 U.S. regions in order to track national cancer rates. Prior to the VA directive, the state cancer surveillance programs and the NCI included information gathered from VA hospitals. However, as of October 10, 2007, only a small percentage of the states had signed the VA directive, and most cancer surveillance programs were missing data on veterans (Kolata, 2007a).

In addition, the VA directive stipulates that researchers who want to use cancer statistics from VA hospitals must either obtain permission from the VA Under Secretary of Health or collaborate with a VA researcher on the project. Health researchers are finding it hard to conduct cancer research under these conditions, which makes it difficult to find VA researchers willing to collaborate on specific projects. The directive also complicates the IRB approval process, often requiring researchers to obtain approval from their local IRB, the cancer registry IRB, and the VA Under Secretary (Kolata, 2007b). In addition, cancer researchers who either cannot meet the VA requirements or choose not to go through the additional procedural requirements, and do not include VA data in their study, risk having their results compromised by selection bias (see Chapter 5, section on Selection Bias).

Several recently proposed bills that address the use of electronic medical records also contain language regarding health privacy and health research (Table 6-2).

TABLE 6-2. Health Information Technology (HIT) Bills from the 110th Congress. [Table body not reproduced on this page.]

In 2004, President Bush issued an executive order calling for the widespread adoption of an interoperable electronic health record system within 10 years, arguing that health information technology (HIT) is a means of addressing rising health care costs and improving the quality and efficiency of health care (Bush, 2004). In response, HHS has awarded a number of HIT grants to gather information on privacy and security issues in HIT, solicited recommendations from NCVHS, and created the American Health Information Community to provide policy advice (AHIC, 2006; GAO, 2007; NCVHS, 2006).

But privacy concerns are emerging as a primary obstacle to implementing a nationwide HIT system, with many privacy and consumer groups pushing for tighter privacy protections than offered under the Privacy Rule. In a 2006 poll, 62 percent of respondents stated that the use of electronic health records would pose new risks to privacy, and 42 percent answered that the privacy risks of HIT outweigh expected benefits (Harris Interactive, 2007). Another poll found that 80 percent of Americans say they are very concerned about identity theft or fraud in an HIT system (Markle Foundation, 2006). The Government Accountability Office recently released a report that legitimized these concerns and criticized HHS for failing to define an overall approach for protecting privacy in a nationwide HIT system (GAO, 2007).

To address the privacy concerns, Congress has proposed a number of bills intended to advance the implementation of an HIT system and at the same time protect individual privacy [11] (see Table 6-2). Several of these bills include new restrictions and rules governing researchers’ access to personally identifiable health information. It is unclear whether any of these bills will pass or what requirements a final law might include. However, because a nationwide HIT system has the potential to facilitate health research by making large amounts of health data available to study, and thus could lead to major advances in medicine, caution is warranted. Adoption of new, restrictive regulations might impede health research, to the detriment of patients and society. Therefore, a closer examination of some concepts that have been incorporated into these proposed bills, including autonomy and informed consent, is warranted. At the same time, it is clear there is a need to develop privacy safeguards that anticipate the risk of extensive electronic recordkeeping, as well as the growing problems of identity theft and security breaches.

CONCLUSIONS AND RECOMMENDATIONS

The primary justification for including research provisions in the HIPAA Privacy Rule was to remedy perceived shortcomings of federal privacy protections in health research under the Common Rule. But the Privacy Rule has numerous limitations of its own. In proposing the Privacy Rule, HHS acknowledged that, ideally, it would have preferred to regulate health researchers directly by extending the protections of the Common Rule to research that is not federally supported and by imposing additional criteria for the waiver of patient informed consent for the use of personally identifiable health information in research. [12] But HHS recognized it did not have the authority to do this. For that reason, HHS attempted to protect the health information released to researchers indirectly (but within the scope of its limited authority) by imposing restrictions on information disclosures by covered entities. NCVHS and others have noted the limitations of the Privacy Rule and have called for stronger protections of health privacy—notably, by expanding the purview of the Privacy Rule beyond the current covered entities.

However, the IOM committee believes an even bolder change is needed. The number of studies using medical records to address important questions about health and disease will likely increase with the growing availability of electronic health records. As the volume and importance of digital personally identifiable health data increase exponentially, the public can be expected to heighten demands for a legal framework that provides meaningful safeguards to protect health information in the health research setting. Thus, the IOM committee recommends that Congress authorize HHS and other relevant federal agencies to develop a new framework for ensuring privacy that would apply uniformly to all health research and that will both protect individuals’ privacy and facilitate responsible and beneficial health research.

When this new approach is implemented, HHS should exempt health research from the HIPAA Privacy Rule. The new approach would enhance privacy protections through improved data privacy and security, increased transparency of activities and policies, and greater accountability. The new approach should do all the following:

  • Apply to any person, institution, or organization conducting health research in the United States, regardless of the source of data or funding.
  • Entail clear, goal-oriented, rather than prescriptive, regulations.
  • Require researchers, institutions, and organizations that store health data to establish strong data security safeguards.
  • Make a clear distinction between the privacy considerations that apply to interventional research and research that is exclusively information based.
  • Facilitate greater use of data with direct identifiers removed in health research, and implement legal sanctions to prohibit unauthorized reidentification of information that has had direct identifiers removed.
  • Certify institutions that have policies and practices in place to protect data privacy and security in order to facilitate important large-scale information-based research for clearly defined and approved purposes, without individual consent.
  • Include federal oversight and enforcement to ensure regulatory compliance.

A new approach to protecting the privacy of personally identifiable information used in health research that emphasizes privacy, security, accountability, and transparency and that is applicable to all health research in the United States would eliminate the research community’s confusion, reduce institutional variability in research privacy practices, facilitate responsible research, and enhance the public’s trust in the research enterprise. Clear and simple regulations that are less subject to varying interpretation by ethical oversight boards, as well as federal oversight and enforcement of regulatory compliance, will be important to consistently and efficiently ensure privacy and instill trust while enabling important research.

The new framework developed by HHS and other relevant federal agencies should provide strong and effective protection for often-sensitive personally identifiable health information and facilitate scientific discovery and medical innovation necessary to save lives and enhance the quality of the public’s health. And it should do so in a way that does not burden individuals with a flurry of health privacy notices and consent forms, or burden our health care system with a new level of bureaucracy and expense.

  • AHIC (American Health Information Community). Letter to Michael Leavitt. 2006. [accessed September 3, 2008]. http://www.ncvhs.hhs.gov/061030lt.pdf
  • AHIC. Confidentiality, privacy, and security workgroup, summary of the 14th web conference. 2007. [accessed August 27, 2008]. http://137.187.25.8/healthit/ahic/materials/summary/cpssum_100407.html
  • AHIC. Confidentiality, privacy & security workgroup draft recommendation letter from September 23, 2008. 2008. [accessed September 19, 2008]. http://www.hhs.gov/healthit/ahic/materials/08_08/cps/rec_letter.html
  • AHIMA (American Health Information Management Association). The state of HIPAA privacy and security compliance. 2006. [accessed April 20, 2008]. http://www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf
  • Allen A. Allen’s privacy law and society. Eagan, MN: Thomson-West; 2007.
  • AMS (Academy of Medical Sciences). Personal data for public good: Using health information in medical research. 2006. [accessed August 28, 2008]. http://www.acmedsci.ac.uk/images/project/Personal.pdf
  • AMS. Submission to data sharing review. 2008. [accessed September 4, 2008]. http://www.acmedsci.ac.uk/download.php?file=/images/publication/120341733123.pdf
  • Buchanan A. Research involving human biological materials: Ethical issues and policy guidance. II. Washington, DC: National Bioethics Advisory Commission; 1999. An ethical framework for biological samples policy, National Bioethics Advisory Committee commissioned paper; pp. B1–B31.
  • Bush GW. Executive Order 13335. 69 Fed. Reg. 24059. 2004.
  • Casarett D, Karlawish J, Andrews E, Caplan A. Bioethical issues in pharmacoepidemiological research. In: Strom BL, editor. Pharmacoepidemiology. West Sussex, England: John Wiley & Sons, Ltd.; 2005. pp. 417–432.
  • Cate F. The autonomy trap. 2008.
  • CDT (Center for Democracy & Technology). Beyond consumer consent: Why we need a comprehensive approach to privacy in a networked world. 2008a. [accessed September 4, 2008]. http://www.cdt.org/healthprivacy/20080221consentbrief.pdf
  • CDT. Comprehensive privacy and security: Critical for health information technology. 2008b. [accessed September 4, 2008]. http://www.cdt.org/healthprivacy/20080514HPframe.pdf
  • Chadwick R, Berg K. Solidarity and equity: New ethical frameworks for genetic databases. Nature. 2001;2:318–321. [PubMed: 11283704]
  • CIHR (Canadian Institutes of Health Research). CIHR best practices for protecting privacy in health research. Ottawa, Ontario: Public Works and Government Services Canada; 2005.
  • Foster AL. Increase in stolen laptops endangers data security. The Chronicle of Higher Education. 2008 July 4.
  • GAO (Government Accountability Office). Health information technology: Early efforts initiated but comprehensive privacy approach needed for national strategy. Washington, DC: GAO; 2007.
  • Good N, Dhamija R, Grossklags J, Thaw D, Aronowitz S, Mulligan D, Konstan J. Stopping spyware at the gate: A user study of privacy, notice and spyware. 2005. [accessed September 4, 2008]. http://cups.cs.cmu.edu/soups/2005/2005proceedings/p43-good.pdf
  • Gostin LO. Health information: Reconciling personal privacy with the public good of human health. Health Care Analysis. 2001;9:321. [PubMed: 11794835]
  • Harris Interactive. The benefits of electronic medical records sound good, but privacy could become a difficult issue. 2007. [accessed April 3, 2007]. http://www.harrisinteractive.com/news/printerfriend/index.asp?NewsID=1174
  • HEW (Department of Health, Education and Welfare). The Belmont Report: Ethical principles and guidelines for the protection of human subjects of research. 1979. [accessed August 21, 2008]. http://ohsr.od.nih.gov/guidelines/belmont.html [PubMed: 25951677]
  • HHS. Compliance and enforcement: Privacy Rule enforcement highlights. 2008a. [accessed July 23, 2008]. http://www.hhs.gov/ocr/privacy/enforcement/
  • HHS. Resolution agreement. 2008b. [accessed October 3, 2008]. http://www.hhs.gov/ocr/privacy/enforcement/agreement.pdf
  • IOM (Institute of Medicine). Health data in the information age: Use, disclosure, and privacy. Washington, DC: National Academy Press; 1994. [PubMed: 25144051]
  • IOM. Effect of the HIPAA Privacy Rule on health research: Proceedings of a workshop presented to the National Cancer Policy Forum. Washington, DC: The National Academies Press; 2006.
  • ITRC (Identity Theft Resource Center). Security breaches. 2008. [accessed July 22, 2008]. http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List_printer.shtml
  • Jonas H. Philosophical reflections on experimenting with human subjects. In: Mappes TA, Zembaty JS, editors. Biomedical ethics. New York: Oxford University Press; 1991. pp. 215–219.
  • Knoppers BM, Chadwick R. Human genetic research: Emerging trends in ethics. Nature Reviews Genetics. 2005;6:75–79. [PubMed: 15630423]
  • Kolata G. How data on cancer are collected and used. The New York Times. 2007a October 10.
  • Kolata G. States and V.A. at odds on cancer data. The New York Times. 2007b October 10.
  • Liu ET. The importance of research using personal information for scientific discovery and the reduction of disease, in personal information for biomedical research. 2007. [accessed September 4, 2008]. http://www.bioethics-singapore.org/uploadfile/20013%20PMPI%20Annex%20A-3.pdf
  • Lo B. Resolving ethical dilemmas: A guide for clinicians. 4th ed. Philadelphia, PA: Lippincott Williams & Wilkins; 2009. In press.
  • Markle Foundation. Survey finds Americans want electronic personal health information to improve own health care. 2006. [accessed September 4, 2008]. http://www.markle.org/downloadable_assets/research_doc_120706.pdf
  • NCVHS (National Committee on Vital and Health Statistics). Functional requirements needed for the initial definition of a nationwide health information network. 2006. [accessed September 4, 2008]. http://www.ncvhs.hhs.gov/061030lt.pdf
  • NCVHS. Enhanced protections for uses of health data: A stewardship framework for “secondary uses” of electronically collected and transmitted health data. 2007. [accessed December 19, 2007]. http://ncvhs.hhs.gov/071221lt.pdf
  • Nosowsky R, Giordano T. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule: Implications for clinical research. Annual Review of Medicine. 2006;57:575–590. [PubMed: 16409167]
  • Pritts J. The importance and value of protecting the privacy of health information: Roles of HIPAA Privacy Rule and the Common Rule in health research. 2008. [accessed March 15, 2008]. http://www.iom.edu/CMS/3740/43729/53160.aspx
  • Rahman N. Medical: Reflections on privacy: Recent developments in HIPAA Privacy Rule. I/S: A Journal of Law and Policy for the Information Society. 2006;2(3):685.
  • Rotenberg M. Fair information practices and the architecture of privacy: (what Larry doesn’t get). Stanford Technology Law Review 1. 2001. [accessed November 6, 2008]. http://stlr.stanford.edu/STLR/Articles/01_STLR_1

[1] The term “personally identifiable health information” is used when discussing individuals’ health data in a context independent of the HIPAA Privacy Rule or any other body of law.

[2] In the Privacy Rule, the informed consent concept is referred to as “authorization.”

[3] Stated by Justice Benjamin Cardozo in Schloendorff v. Society of New York Hospital, 105 N.E. 92 (N.Y. 1914).

[4] See 45 C.F.R. § 164.528 (2006).

[5] Personal Health Information Protection Act, Statutes of Ontario 2004, Ch. 3, Schedule A; Ontario Regulation 329/04.

[6] PHIPA defines personal health information as “identifying information about an individual in oral or recorded form” (PHIPA, Section 4).

[7] The remainder of this chapter uses the term “informed consent” to refer to the requirement of obtaining permission to use personally identifiable data.

[8] PHIPA, Section 47(1) (2007).

[9] Personal communication, Ann Cavoukian, Ontario’s Office of the Information and Privacy Commissioner, October 20, 2008.

[10] The Cardiac Care Network of Ontario (Registry of Cardiac Services), INSCYTE (Information System for Cytology), The Canadian Stroke Network (Canadian Stroke Registry), Cancer Care Ontario (Colorectal Cancer Screening Registry), and Hamilton Health Sciences Corporation (Critical Care Information System).

[11] A number of bills from the 110th Congress also address the implementation of HIT, but do not include comprehensive privacy or research provisions, including HR 1368, S 1408, and S 1455.

[12] U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (1997), and Standards for Privacy of Individually Identifiable Health Information: Proposed Rule, 64 Fed. Reg. 59918, 59967 (1999) (for a discussion on the benefits of health records research).

Citation: Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009. Chapter 6, A New Framework for Protecting Privacy in Health Research.

Research Uses and Disclosures

217-May a covered entity accept documentation of an IRB waiver of authorization?

Yes. The HIPAA Privacy Rule explicitly permits a covered entity to reasonably rely on a researcher’s documentation of an Institutional Review Board (IRB) or Privacy Board waiver of authorization pursuant to 45 CFR 164.512(i) that the information requested is the minimum necessary for the research purpose. See 45 CFR 164.514(d)(3)(iii).

302-Will HIPAA hinder medical research?

We do not believe that the Privacy Rule will hinder medical research. Indeed, patients and health plan members should be more willing to authorize disclosures of their information for research and to participate in research when they know their information is protected.

303-Are some criteria so subjective that IRBs and Privacy Boards may make inconsistent determinations?

Under the HIPAA Privacy Rule, IRBs and Privacy Boards need to use their judgment as to whether the waiver criteria have been satisfied.

304-Does HIPAA prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing information?

No. The Privacy Rule does not address conditions for enrollment in a research study. Therefore, the Privacy Rule in no way prohibits researchers from conditioning enrollment in a research study on the execution of an authorization for the use of pre-existing health information.

305-Does HIPAA permit creating a database for research purposes through an IRB or Privacy Board waiver?

Yes. A covered entity may use or disclose protected health information without individuals’ authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB or Privacy Board has determined that the specified waiver criteria were satisfied.

306-Can researchers access existing databanks or repositories created prior to the compliance date without permission?

Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i).

307-How does the Rule help IRBs handle the additional responsibilities imposed by the HIPAA Privacy Rule?

Recognizing that some institutions may not have IRBs, or that some IRBs may not have the expertise needed to review research that requires consideration of risks to privacy, the Privacy Rule permits the covered entity to accept documentation of waiver of authorization from an alternative body called a Privacy Board, which could have fewer members, and members with different expertise, than IRBs.

308-By establishing new waiver criteria and authorization requirements, hasn’t HIPAA modified the Common Rule?

No. Where both the Privacy Rule and the Common Rule apply, both regulations must be followed. The Privacy Rule regulates only the content and conditions of the documentation that covered entities must obtain before using or disclosing protected health information for research purposes.

309-Is documentation of IRB and Privacy Board approval required by the HIPAA

No. The HIPAA Privacy Rule requires documentation of waiver approval by either an IRB or a Privacy Board, not both.

310-Does HIPAA require a covered entity to create an IRB or Privacy Board before using or disclosing protected health information for research?

The IRB or Privacy Board could be created by the covered entity or the recipient researcher, or it could be an independent board.

311-What does HIPAA say about a research participant’s right of access to research records or results?

With few exceptions, the Privacy Rule gives patients the right to inspect and obtain a copy of health information about themselves that is maintained by a covered entity or its business associate in a “designated record set.”

313-Do HIPAA's requirements for authorization and the Common Rule's requirements for informed consent differ?

Yes. Under the Privacy Rule, a patient’s authorization is for the use and disclosure of protected health information for research purposes. In contrast, an individual’s informed consent, as required by the Common Rule and the Food and Drug Administration’s (FDA) human subjects regulations, is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of protected health information.

314-When is a researcher considered to be a covered health care provider under HIPAA?

A researcher is a covered health care provider if he or she furnishes health care services to individuals, including the subjects of research, and transmits any health information in electronic form in connection with a transaction covered by the Transactions Rule.

315-When can a covered entity determine whether a research component of the entity is part of its covered functions?

A covered entity that qualifies as a hybrid entity, meaning that the entity is a single legal entity that performs both covered and non-covered functions, may choose whether it wants to be a hybrid entity. If such a covered entity decides not to be a hybrid entity then it, and all of its components, are subject to the Privacy Rule in its entirety. Therefore, if a researcher is an employee or workforce member of a covered entity that has decided not to be a hybrid entity, the researcher is part of the covered entity and is, therefore, subject to the Privacy Rule.

316-If a research subject revokes authorization to disclose information, can a researcher continue using the information already obtained?

Covered entities may continue to use and disclose protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study.

317-Can the preparatory research provision of the HIPAA Privacy Rule be used to recruit individuals into a research study?

The preparatory research provision permits covered entities to use or disclose protected health information for purposes preparatory to research, such as to aid study recruitment. However, the provision at 45 CFR 164.512(i)(1)(ii) does not permit the researcher to remove protected health information from the covered entity’s site.

318-Does HIPAA require documentation of IRB approval of an alteration or waiver of individual authorization?

No. Documentation of IRB or Privacy Board approval of an alteration or waiver of individual authorization is only needed before a covered entity may use or disclose protected health information under 45 CFR 164.512(i)(1)(i).

319-If consent was obtained before the compliance date but the IRB modifies the document, is authorization required?

If informed consent or reconsent (i.e., subjects are asked to sign a revised consent or another informed consent) is obtained from research subjects after the compliance date, the covered entity must obtain individual authorization as required at 45 CFR 164.508 for the use or disclosure of protected health information once the consent obtained before the compliance date is no longer valid for the research.

320-Can covered entities continue to disclose adverse event reports that contain information?

Yes. The Office for Human Research Protections is a public health authority under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to report adverse events to the Office for Human Research Protections either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for public health activities as permitted at 45 CFR 164.512(b).

321-Can covered entities continue to disclose information to the HHS Office for Human Research Protections?

Yes. The Office for Human Research Protections is a health oversight agency under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to the Office for Human Research Protections for such compliance investigations either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for health oversight activities as permitted at 45 CFR 164.512(d).

Research Training Finder

University of Southern California

Research HIPAA

This web-based course is offered through the Collaborative Institutional Training Initiative (CITI Program). This course covers requirements of the federal Health Insurance Portability and Accountability Act (HIPAA) and the responsibilities of researchers and organizations for meeting HIPAA’s privacy requirements and the appropriate data security protections that are necessary to protect privacy. The Research HIPAA Refresher course must be completed every 3 years to maintain certification.

Human Research Protection Program

University of Southern California

For the trainings, please make sure you are registered with a free CITI account that is affiliated with USC. To avoid the paywall, go to www.citiprogram.org and click ‘Register’ on the far right-hand side.

Beneath that, type “University of Southern California” into the “Select Your Organization Affiliation” section. Do not select the option that includes (SSO) at the end.

Check the boxes as they appear and then click the “Create CITI Program Account” button on the right-hand side. Again, avoid the USC/SSO-specified option.

This should set you up with a free USC-affiliated account. The option should be accessible from there.

From your main log-in page scroll down to your affiliations. Next to University of Southern California, click the ‘View Courses’ button.

On the new page, scroll down to the bottom of the page. In the grey box at the bottom, click the ‘Add Courses’ option.

At the top of the page, CITI will ask you if you wish to take the course “COVID-19 Back to Campus (Fall 2020).” This course is optional; you do not have to select ‘Yes’ if you do not wish to take it.

Under Question #2, select which trainings are appropriate. The most commonly selected are Human Subjects Research, Good Clinical Practice and Research HIPAA. 

If you selected Human Subjects Research in Question #2, proceed to Question #3 and select your Human Subjects Research training by campus. There is an option to take the Human Subjects training in Spanish, for either campus, in this box.

If you selected Good Clinical Practice in Question #2, proceed to Question #4 and select your Good Clinical Practice based on type of research and/or campus.

Click ‘Submit,’ and you will be done adding courses.

You will be required to take the Human Research Subjects training if you are being added to an IRB protocol. We offer a “Biomedical” and “Social/Behavioral” option. Please select the option that best characterizes the nature of the research you will be doing. 

Good Clinical Practice course is required only if you are doing research for a clinical trial. Please select the option that is most appropriate for your research.

Research HIPAA is required only if you are doing research with highly sensitive patient information. This course is separate from the Office of Compliance HIPAA course, and we are happy to look at CITI Research HIPAA certificates from other institutions to determine if they are eligible to transfer.

For more information please view the Education and Certification page on the HRPP website.

Any questions about the above can be sent to [email protected] for further clarification.

Requests to transfer GCP and/or Human Subjects training certifications from outside institutions or vendors will be evaluated to confirm that the course content is equivalent to USC CITI course requirements before they are accepted.

A copy of the certification and transcript must be emailed to [email protected].

Please send a copy of your completed Human Subjects certifications to [email protected] or [email protected] and request that it be uploaded to your iStar profile.

If you received a notice from iStar indicating your certificate is about to expire, you must re-certify. The human subjects education policy is that investigators/personnel must complete training every 3 years.

Yes. GCP is a separate requirement from human subjects training. GCP training and human subjects education must each be taken every three years. Both courses are available at www.citiprogram.org. A refresher course becomes available in CITI 90 days before the three-year certificate expires.

Yes, even if a project is exempt, study personnel are still required to take Human Subjects Protections Training.

No. If a project was determined to be “not human subjects research” (NHSR) (e.g., because it uses coded specimens/data or does not meet the federal definition), study personnel do not need to take the Human Subjects training on CITI.

Yes, you must complete Human Subjects Protections Training even if you completed HIPAA Training.

Amendments for adding “key personnel” on a study require that the added individual(s) complete CITI before the amendment is approved.

3720 S. Flower Street, Suite 325 Los Angeles, CA 90089

CITI - Research and HIPAA Privacy Protections

When required, the information provided to the data subject in a HIPAA disclosure accounting ... must be more detailed for disclosures that involve fewer than 50 subject records.

Recruiting into research ...

Can qualify as an activity "preparatory to research," at least for the initial contact, but data should not leave the covered entity.

If you're unsure about the particulars of HIPAA research requirements at your organization or have questions, you can usually consult with:

An organizational IRB or Privacy Board, privacy official ("Privacy Officer"), or security official ("Security Officer"), depending on the issue.

HIPAA protects a category of information known as protected health information (PHI). PHI covered under HIPAA includes:

Identifiable health information that is created or held by covered entities and their business associates.

HIPAA includes in its definition of "research," activities related to:

Development of generalizable knowledge.

https://www.nist.gov/news-events/events/2024/10/safeguarding-health-information-building-assurance-through-hipaa-security

Safeguarding Health Information: Building Assurance through HIPAA Security 2024

NIST HHS/OCR HIPAA Security Conference

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) are pleased to announce the return of the Safeguarding Health Information: Building Assurance through HIPAA Security conference. After a 5-year absence, the conference is returning to Washington D.C. on October 23-24, 2024 at the HHS Headquarters.

The conference will explore the current healthcare cybersecurity landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This event will highlight the present state of healthcare cybersecurity, and practical strategies, tips and techniques for implementing the HIPAA Security Rule. The Security Rule sets federal standards to protect the confidentiality, integrity and availability of electronic protected health information by requiring HIPAA covered entities and their business associates to implement and maintain administrative, physical and technical safeguards.

The conference will offer sessions that explore best practices in managing risks to and the technical assurance of electronic health information. Presentations will cover a variety of topics including managing cybersecurity risk and implementing practical cybersecurity solutions, understanding current cybersecurity threats to the healthcare community, cybersecurity considerations for IoT in healthcare environments, updates from federal healthcare agencies, and more.

Updates to our HIPAA and Information Privacy Content

Published January 1st, 2023

Effective April 1, 2023, CITI Program will offer a new HIPAA-focused series containing a set of courses to meet your training needs. The existing Health Privacy (HIPAA) course will be moved into this new series and will reflect some exciting additional changes. We are also announcing the launch of a new HIPAA for Healthcare Professionals course, which will join this new series later in the Spring.

We are separating our growing body of HIPAA-related modules from the current Information Privacy & Security (IPS) series as part of our commitment to expand peer-reviewed, expert-developed content. These changes enable us to expand the new HIPAA series and add new content offerings to the IPS series.

Beginning on April 1st, when renewing your organization’s subscription, you will be invoiced for the new HIPAA series add-on if you are currently using modules from the HIPAA course.

The new HIPAA series will include three role-based courses:

  • HIPAA for Healthcare Professionals
  • HIPAA for Education and Research
  • HIPAA for Marketing and Fundraising Professionals

The updated IPS series will include an additional five webinars:

  • Data Management and Security for Student Researchers: An Overview
  • FERPA and Online Learning in the Time of COVID-19
  • Bring Your Own Device (BYOD) Studies
  • Partnering with Technology Companies
  • Leveraging IT Insight in IRB Review

Recap of Changes

Before April 1st, 2023

  • Information Privacy & Security (IPS) series includes Health Privacy (HIPAA), Information Security, and FERPA courses

After April 1st, 2023

  • Health Privacy (HIPAA) content moved to the new HIPAA-focused series to create HIPAA for Education and Research and HIPAA for Marketing and Fundraising Professionals
  • New HIPAA for Healthcare Professionals course will join the HIPAA series
  • Information Privacy and Security (IPS) series will no longer include HIPAA modules
  • Information Privacy and Security (IPS) series will include five additional webinars at no additional cost
