Documente Academic
Documente Profesional
Documente Cultură
Overview
The Privacy Rule, at 45 CFR parts 160 and ments relate to the functioning of an IRB
164, establishes a category of health informa under 45 CFR part 46, 21 CFR parts 50 and
tion, defined as protected health information 56, and other Federal laws and regulations
(PHI), which a covered entity may only use or applicable to an IRB. A separate fact sheet
disclose to others in certain circumstances and entitled Privacy Boards and the HIPAA Privacy
under certain conditions. In general, the Rule discusses the concurrent authority of
Privacy Rule requires an individual to provide Privacy Boards established under the Privacy
signed permission, known as an Authorization Rule to approve such waivers or alterations.
under section 164.508 of the Privacy Rule, Additional information about the Privacy Rule
before a covered entity can use or disclose the can be found in the booklet Protecting Personal
individual’s PHI for research purposes. Under Health Information in Research: Understanding
certain circumstances, however, the Privacy the HIPAA Privacy Rule.
Rule permits a covered entity to use or disclose
PHI for research without an individual’s For guidance on the Privacy Rule, see the HHS
Authorization. One way a covered entity can Office for Civil Rights (OCR) Web site at
use or disclose PHI for research without an http://www.hhs.gov/ocr/hipaa/. For guidance on
Authorization is by obtaining proper documen the interpretation of HHS or FDA Protection
tation of a waiver of the Authorization require of Human Subjects Regulations at 45 CFR part
ment by an Institutional Review Board (IRB) 46 or 21 CFR parts 50 and 56, respectively,
or a new type of review body, a Privacy Board. visit the Office for Human Research Protec
tions (OHRP) Web site at http://
An IRB’s authority to approve a waiver or an ohrp.osophs.dhhs.gov or the FDA Web site at
alteration of the Privacy Rule’s Authorization http://www.fda.gov/oc/gcp/, respectively.
requirement is new and in addition to, not in
lieu of, the traditional IRB authorities to Introduction to the
protect research participants from risks under Privacy Rule
45 CFR part 46 (Department of Health and
In response to a congressional mandate in the
Human Services [HHS] Regulations for the
Health Insurance Portability and Accountabil
Protection of Human Subjects) and 21 CFR
ity Act of 1996 (HIPAA), HHS issued regula
parts 50 and 56 (Food and Drug Administra
tions entitled Standards for Privacy of Individu
tion [FDA] Regulations on Protection of
ally Identifiable Health Information. For most
Human Subjects). Other Federal and State laws
covered entities, compliance with these regula
and regulations may impose other or additional
tions, known as the Privacy Rule, was required
restrictions and limitations on the use of health
by April 14, 2003.
information for research that may not be
waived or altered by an IRB or Privacy Board
The Privacy Rule is a response to public
under the authority granted to it by the Privacy
concern over potential abuses of the privacy of
Rule.
health information. The Privacy Rule estab
lishes a category of health information, PHI,
This fact sheet is limited to the Privacy Rule’s
which may only be used or disclosed to others
requirements relating to an IRB and approvals
in certain circumstances or under certain
of research-related requests for Authorization
conditions. PHI is a subset of what is termed
waivers or alterations and how those require
individually identifiable health information.
With certain exceptions, individually identifi regulated clinical investigations, among others,
able health information becomes PHI when it is have designated IRBs.
created or received by a covered entity. Covered
entities are health plans, health care clearing- Human subjects research that is conducted or
houses, and health care providers that transmit supported by a Federal department or agency
health information electronically in connection that has adopted the Common Rule (found for
with certain defined HIPAA transactions, such HHS at 45 CFR part 46, subpart A) and that
as claims or eligibility inquiries. Researchers are does not meet the criteria for exemption or is
not themselves covered entities, unless they also regulated by the FDA is subject to review and
provide health care and engage in any of the approval by an IRB. In most instances, in order
covered electronic transactions. If, however, to approve research, an IRB must determine
researchers are employees or other workforce that specified criteria have been satisfied.
members of a covered entity (e.g., a hospital or Among these criteria, an IRB must determine
health insurer), they may have to comply with that, when appropriate, the research protocol
that entity’s new HIPAA privacy policies and includes “adequate provisions to protect the
procedures. A researcher who is not himself or privacy of subjects and to maintain the confi
herself a covered entity or is not a workforce dentiality of data” (see 45 CFR 46.111(a)(7)
member of a covered entity may be indirectly and 21 CFR 56.111(a)(7)).
affected by the Privacy Rule, if a covered entity
supplies the research data. IRB Role under the Privacy Rule
Beginning on April 14, 2003, the Privacy Rule’s
What Is an IRB and Its Role compliance date for most covered entities, IRBs
Under the Privacy Rule? gained authority to consider, and act upon,
requests for a partial or complete waiver or
alteration of the Privacy Rule’s Authorization
IRBs
requirement for uses and disclosures of PHI for
An IRB is a board, committee, or other group
research. Although HHS and FDA Protection
formally designated by an institution to review
of Human Subjects Regulations include protec
research involving humans as subjects. IRBs
tions to help ensure the privacy of subjects and
have authority to approve, require modification
the confidentiality of information, the Privacy
to, or disapprove all research activities covered
Rule supplements these protections by requir
by the HHS and FDA Protection of Human
ing covered entities to implement specific
Subjects Regulations. Following initial ap
measures to safeguard the privacy of PHI. If
proval, IRBs must conduct periodic reviews of
certain conditions are met, an IRB may grant a
such research. Every institution engaged in
waiver or an alteration of the Authorization
human subjects research conducted or sup-
requirement for research uses or disclosures of
ported by a Federal department or agency that
PHI.
has adopted the Common Rule (Federal Policy
for the Protection of Human Subjects) is
Provisions concerning requests to an IRB for a
required to designate one or more IRBs under
waiver or an alteration of the Authorization
an assurance of compliance. Additionally, when
requirement are in section 164.512(i) of the
FDA-regulated products are investigated in
Privacy Rule. It is likely that IRBs will be
human subjects, the protocol is subject to
primarily involved in acting on requests for
review and approval by an IRB. Hospitals,
waiver or alteration of the Authorization
academic medical centers, government units,
requirement in connection with research
and others engaged in federally conducted or
activities that the particular IRB oversees. The
supported health research activities involving
Privacy Rule does not impose any requirements
human subjects and entities conducting FDA-
for the location or sponsorship of an IRB
convened for the purposes of acting on a
request for approval of a waiver or an alteration procedures otherwise would require such review
of the Authorization requirement. Thus, an and/or approval. (See OCR guidance at http://
IRB approval for a waiver or an alteration of www.hhs. gov/ocr/hipaa/privguideresearch.pdf for
Authorization may be issued by an IRB that is more information.) Moreover, the Privacy Rule
unrelated to the institution conducting or does not require IRBs to review uses and
sponsoring the specific research project, unre disclosures of an individual’s PHI that are made
lated to the covered entity that creates or with an individual’s Authorization (see 67
maintains the PHI to be used or disclosed for Federal Register 53226, August 14, 2002).
research, or different from the IRB with re
sponsibility for monitoring the underlying Waivers or Alterations of
research project. As a result, a waiver or an the Authorization
alteration of the Privacy Rule’s Authorization
requirements could be obtained from a single Requirements
IRB in connection with a multisite research For some types of research, it is impracticable
activity or where the PHI necessary for the for researchers to obtain written Authorization
research will be used or disclosed by more than from research participants. To address this type
one covered entity. of situation, the Privacy Rule contains criteria
for waiver or alteration of the Authorization
Under the Privacy Rule, an Authorization may requirement by an IRB or a Privacy Board.
be combined with the informed consent Under the Privacy Rule, either board may waive
document for research. If the informed consent or alter, in whole or in part, the Privacy Rule’s
document is combined with an Authorization Authorization requirements for the use and
meeting the Privacy Rule’s requirements, 45 disclosure of PHI in connection with a particu
CFR part 46 and/or 21 CFR parts 50 and 56 lar research project.
would require IRB review of the combined
document. A waiver in whole occurs when the IRB deter-
mines that no Authorization will be required
An IRB’s role under the Privacy Rule, however, for a covered entity to use or disclose PHI for a
is limited to acting on requests for a waiver or particular research project because certain
an alteration of the Privacy Rule’s Authorization criteria set forth in the Privacy Rule have been
requirement. IRBs are, thus, not required to met (see section 164.512(i) of the Privacy
review and approve Authorizations under the Rule). For example, if a study involved the use
Privacy Rule. Likewise, IRBs are not required to of PHI pertaining to numerous individuals
approve stand-alone Authorizations (i.e., where contact information is unknown, and it
Authorizations that are not incorporated into would be impracticable to conduct the research
the informed consent document) under the if Authorization were required, an IRB could
HHS Protection of Human Subjects Regula waive all the Authorization requirements for
tions at 45 CFR part 46 or the FDA regulations research participants if the IRB determined that
at 21 CFR parts 50 and 56. However, FDA all the Privacy Rule waiver criteria had been
regulations at 21 CFR parts 50 and 56 would satisfied. If the IRB approves such a waiver, the
require such review if required by the IRB’s receipt of the requisite documentation of the
written procedures. In the exercise of ongoing approval permits a covered entity to use or
enforcement discretion, however, with respect disclose PHI in connection with a particular
to the requirements of 21 CFR 56.108(a), to research project without Authorization. A
the extent that an IRB’s written procedures partial waiver of the Authorization require
require the review and/or approval of stand- ments of the Privacy Rule might be requested,
alone Authorizations, FDA will not take for instance, to allow a researcher to obtain
enforcement action against an IRB for failing to PHI as necessary to recruit potential research
review them even when the IRB’s written subjects. For example, even if an IRB does not
waive the Authorization requirement for the absent a health or research justification for
entire research study, an IRB may partially retaining the identifiers or if retention is
waive the Authorization requirement to permit other wise required by law; and (3) ad-
a covered entity to disclose PHI to a researcher equate written assurances that the PHI will
for the purposes of contacting and recruiting not be reused or disclosed to any other
individuals into the study. person or entity except (a) as required by
law, (b) for authorized oversight of the
An IRB may also approve a request that re- research study, or (c) for other research for
moves some, but not all, required elements of which the use or disclosure of the PHI is
an Authorization (an alteration). For example, permitted by the Privacy Rule.
an IRB may alter the Authorization to remove
the element that describes each purpose of the
· The research could not practicably be
conducted without the requested waiver or
requested use or disclosure where, for example, alteration.
the identification of the specific research study
would affect the results of the study. Before a
· The research could not practicably be
conducted without access to and use of the
covered entity could use or disclose PHI PHI.
pursuant to the altered Authorization, however,
it must receive documentation that an IRB IRB Review Proceedings
determined that all the Privacy Rule waiver
criteria at section 164.512(i)(2)(ii) had been IRB Composition
satisfied. Any subsequent use or disclosure of The Privacy Rule does not change the composi
PHI by a covered entity for a different research tion of an IRB. Under the HHS and FDA
study would require an additional Authoriza Protection of Human Subjects Regulations,
tion, except as permitted without Authorization each IRB must have at least five members with
under section 164.512(i) (e.g., with a waiver of varying backgrounds to promote complete and
Authorization) or 164.514(e) (i.e., as a limited adequate review of research activities conducted
data set with a data use agreement). by the institution. An IRB must be sufficiently
qualified through the experience and expertise
The Privacy Rule establishes the criteria to be of its members, and the diversity of the mem
evaluated by an IRB in approving an Authoriza bers, including consideration of race, gender,
tion waiver or alteration. Furthermore, the and cultural backgrounds and sensitivity to
criteria for an IRB waiver or alteration of the such issues as community attitudes, to promote
Authorization are consistent with the criteria respect for its advice and counsel in safeguard
for IRB waiver of the informed consent require ing the rights and welfare of human subjects.
ments contained in the HHS Protection of The IRB must also be able to ascertain the
Human Subjects Regulations. For a covered acceptability of proposed research in terms of
entity to use or disclose PHI under a waiver or institutional commitments and regulations,
an alteration of the Authorization requirement, applicable law, and standards of professional
it must receive documentation of, among other conduct and practice. No IRB may consist
things, the IRB or Privacy Board’s determina entirely of members of one profession. In
tion that the following criteria have been met: addition, at least one member must not be
· The PHI use or disclosure involves no more
than minimal risk to the privacy of indi
affiliated with the institution (or part of the
immediate family of a person affiliated with the
viduals based on at least the presence of (1) institution). Furthermore, no IRB may have a
an adequate plan presented to the IRB to member participate in the IRB’s initial or
protect PHI identifiers from improper use continuing review of a project in which the
and disclosure; (2) an adequate plan to member has a conflicting interest, except to
destroy those identifiers at the earliest provide information at the request of the IRB.
opportunity, consistent with the research, Each IRB must include at least one member
whose primary concerns are in scientific areas HHS or FDA list of approved categories3 and
and at least one member whose primary involves no more than minimal risks. In
concerns are in nonscientific areas. The Privacy addition, 45 CFR 46.110 and 21 CFR 56.110
Rule permits a covered entity to accept docu permit an IRB to use an expedited review
mentation of waiver or alteration approval procedure to review minor changes in previ
from any qualified IRB or Privacy Board—not ously approved research. A modification to a
only the IRB overseeing the institution’s previously approved research protocol, which
research. only involves the addition of an Authorization
for the use or disclosure of PHI to the IRB-
IRB Procedural Requirements approved informed consent, may be reviewed
When acting upon a request to waive or alter by the IRB through an expedited review
the Authorization requirement, an IRB must procedure, since this type of modification may
follow the procedural requirements of the HHS be considered to be no more than a minor
Protection of Human Subjects Regulations change to research. If expedited review proce
and/or, if applicable, FDA regulations, includ dures are appropriate for acting on the request,
ing using either the normal review procedures the review may be carried out by the IRB chair
(review by the convened IRB)1 or the expe or by one or more experienced reviewers
dited review procedures.2 The FDA Protection designated by the chair from among the IRB
of Human Subjects Regulations also require the members. A member with a conflicting interest
IRB to follow its established written procedures may not participate in an expedited review. If
whether a request for a waiver or an alteration an IRB uses expedited review procedures, it
of the Authorization requirement is considered must adopt methods for keeping all its mem
by a convened IRB or by an IRB under the bers advised of requests for waivers or alter
expedited review procedures. ations of the Authorization requirement as well
as those requests that have been granted under
Review by the Convened IRB an expedited review procedure. If the head of
When a request for a waiver or an alteration of the Federal department or agency (or his/her
the Authorization requirement is considered by designee) regulating the research has restricted,
the convened IRB, a majority of the IRB suspended, terminated, or chosen not to
members must be present at the meeting, authorize an institution or IRB to use expe
including at least one member whose primary dited review procedures, the IRB cannot grant
concerns are in nonscientific areas. In order for waivers or alterations of the Authorization
an approval of a waiver or an alteration of the requirement on an expedited basis.
Privacy Rule’s Authorization requirement to be
effective, it must be approved by a majority of Documentation of
the IRB members present at the convened
meeting. If a member of the IRB has a conflict
Authorization Waiver or
ing interest with respect to the PHI use and Alteration Determinations
disclosure for which a waiver or an alteration Before a covered entity may use or disclose PHI
approval is being sought, that member may not for research based on a waiver or an alteration
participate in the review. of Authorization by an IRB, a covered entity
must receive documentation showing the
Expedited Review following:
HHS and FDA have established categories of
research that may be reviewed by an IRB ·· The identity of the approving IRB
of the particular research protocol or project new informed consent document after the
(see section 164.502(b) of the Privacy Rule). compliance date is sought
Documentation supporting an IRB’s approval
of a waiver or an alteration of Authorization The transition provisions also do not apply if
must include a description of the PHI without any change is made after the compliance date
access to and use of which the IRB has deter- to an informed consent, express legal permis
mined the research could not practicably be sion, or IRB waiver for the research obtained
conducted. If an IRB has granted a waiver or before the compliance date that would make
an alteration of Authorization, a covered entity these prior permissions invalid. Under all these
may rely, if such reliance is reasonable under circumstances, an Authorization that complies
the circumstances, on the IRB’s documentation with section 164.508 of the Privacy Rule is
to satisfy itself that the requested PHI use or required unless the activity is otherwise permit
disclosure is limited to the minimum necessary ted by the Privacy Rule without Authorization
for the stated research purpose (see section (e.g., through a waiver of Authorization).
164.514(d)(3)(iii) of the Privacy Rule). Such
reliance is appropriate regardless of whether the In some instances, express legal permissions,
documentation of waiver or alteration is informed consents, or IRB-approved waivers of
obtained from an external IRB or associated informed consents are not study specific. These
with the covered entity relying on the docu permissions for research and waivers, if ob
mentation (see 67 Federal Register at 53198, tained before the compliance date, are
August 14, 2002). grandfathered by the transition provisions even
if provided for future unspecified research,
Research Uses and subject to the conditions described above.
Disclosures Under
Permissions Obtained Prior Frequently Asked
Questions and Answers
to the Privacy Rule’s
Compliance Date Q: How does the scope of coverage of the
Sections 164.532(a) and (c) of the Privacy Rule HHS and FDA Protection of Human
provide that, after the compliance date (for Subjects Regulations (45 CFR part 46
most covered entities, April 14, 2003), a and 21 CFR parts 50 and 56) differ
covered entity may use or disclose an from that of the Privacy Rule (i.e., who
individual’s PHI without an Authorization, or and what is covered under each of these
waiver or alteration of the Authorization regulations)?
requirement, in connection with ongoing
research if specific conditions are met. For A: While the HHS Protection of Human
many such uses and disclosures of PHI in Subjects Regulations and the Privacy Rule
connection with ongoing research, a covered pertain to some of the same entities, the
entity may rely on any one of the following scope of coverage of these two regulations
that was obtained prior to the compliance date: differs. The HHS Protection of Human
· An Authorization or other express legal
the holder of the individually identifying and approval is required for any document
information sign an agreement prohibiting that contains the IRB-approved informed
the release of individually identifying consent document for human subjects
information to the investigator under any research. Therefore, if the Authorization
circumstances, or (2) there are other legal language is part of the IRB-approved
requirements prohibiting the release of the informed consent document, such as when
link to the investigator. the Authorization form is combined with an
informed consent, the IRB is required to
Q: Who furnishes the description of the PHI review such language.
to be included in the IRB’s docu
mentation? Generally, neither HHS regulations at 45
CFR part 46 nor FDA regulations at 21
A: The Privacy Rule does not state who CFR parts 50 and 56 require that stand-
furnishes the description of the PHI to be alone Authorizations (i.e., Authorizations
included in the IRB’s documentation. that are not incorporated into the informed
However, the researcher requesting the consent document) for use or disclosure of
waiver or alteration of the Privacy Rule’s PHI be reviewed and approved by the IRB.
Authorization requirement from the IRB However, FDA regulations at 21 CFR
may be in the best position to adequately 56.108(a) mandate such review if required
describe the PHI to be used and disclosed by the IRB’s written procedures. In the
and would submit this information as part exercise of ongoing enforcement discretion,
of the request for such approval. Regardless however, with respect to the requirements of
of who provides the description of the PHI, 21 CFR 56.108(a), to the extent that an
the IRB is the entity that decides whether or IRB’s written procedures require the review
not and the extent to which a waiver or and/or approval of stand-alone Authoriza
alteration of Authorization is granted, and, tions, FDA will not take enforcement action
therefore, it is the IRB that makes the final against an IRB for failing to review them
decision regarding the descrip tion of the even when the IRB’s written procedures
PHI to be included in the IRB’s documen otherwise would require such review and/or
tation. approval.
Q: When must an IRB review and approve the The Privacy Rule does not require IRBs to
language of an Authorization for use or review or approve Authorizations used for
disclosure of PHI related to human sub research or other disclosures; it only re-
jects research activities regulated by HHS quires that the Authorization comply with
Protection of Human Subjects Regulations the requirements of the Privacy Rule at
at 45 CFR part 46 and FDA Protection of section 164.508. For OCR guidance on this
Human Subjects Regulations at 21 CFR topic, see http://www.hhs.gov/ocr/hipaa/
parts 50 and 56? privguideresearch.pdf.
A: The HHS Protection of Human Subjects Q: Does the Privacy Rule require IRBs to
Regulations do not expressly require that review and/or approve Authorizations,
Privacy Rule Authorizations be reviewed or either as stand-alone documents (i.e.,
approved by the IRB. However, under HHS Authorizations that are not combined with
regulations at 45 CFR 46.117(a) and FDA informed consent documents) or when
regulations at 21 CFR 50.27(a), IRB review combined with informed consent?
A: No.
10
11
under section 164.512(i), a covered entity more than a minor change to the research
must obtain a statement that an IRB or a and, as a result, may be reviewed by the IRB
Privacy Board has determined that the under an expedited review procedure, in
alteration or waiver, in whole or in part, of accordance with the requirements of HHS
Authorization satisfies the following three regulations at 45 CFR 46.110 and FDA
criteria in the Privacy Rule: regulations at 21 CFR 56.110.
1. The use or disclosure of PHI involves no
Q: Do HHS regulations at 45 CFR part 46
more than a minimal risk to the privacy
and FDA regulations at 21 CFR parts 50
of individuals, based on, at least, the
and 56 permit the IRB to review and
presence of the following elements:
approve the insertion of Authorization
· An adequate plan to protect the
identifiers from improper use and
language as a single modification that
applies to the informed consent documents
disclosure of multiple protocols previously approved
· An adequate plan to destroy the
identifiers at the earliest opportunity
by the IRB?
consistent with conduct of research, A: Yes, when Authorizations for use or disclo
unless a health or research justification sure of PHI will to be incorporated into
for retaining the identifiers or such previously approved informed consent
retention is otherwise required by law documents for a series of protocols, and the
· Adequate written assurances that the
PHI will not be reused or disclosed
Authorizations are composed entirely of
identical template language, the IRB may
except as required by law, for autho approve the insertion of the Authorization
rized oversight of the research study, language as a single modification that
or for other research for which the use applies to the entire series of protocols.
or disclosure of PHI would be permit
ted by the Privacy Rule However, when Authorizations for use or
2. The research could not practicably be disclosure of PHI will be incorporated into
conducted without the waiver or alter previously approved informed consent
ation. documents for a series of protocols and the
3. The research could not practicably be Authorization statements include protocol-
conducted without access to and use of specific information unique to each proto
the PHI. col, the IRB should review and approve the
insertion of the Authorization language
Q: Under the HHS regulations at 45 CFR separately for each protocol.
part 46 and FDA regulations at 21 CFR
part 56, can an IRB use an expedited In both cases, an expedited review proce
review procedure to review and approve a dure may be used.
modification to a previously approved
informed consent document where the Q: When do the requirements under HHS
modification involves only the addition of regulations at 45 CFR part 46 related to
an Authorization for use or disclosure of IRB review and informed consent apply to
PHI? “preparatory to research” activities as
permitted by the Privacy Rule at section
A: Yes. For research protocols previously 164.512(i)(1)(ii)?
approved by the IRB, the addition to the
IRB-approved informed consent document A: HHS Protection of Human Subjects Regu
of language regarding Authorization for use lations at 45 CFR part 46 do not reference
or disclosure of PHI may be considered no “preparatory to research” activities.
12
HHS regulations at 45 CFR 46.102(f ) The Privacy Rule permits, under section
define “human subject” as 164.512(i)(1)(ii), a covered entity to provide
a living individual about whom an investigators with access to PHI for purposes
investigator (whether professional or preparatory to research, such as for identifying
student) conducting research obtains (1) potential human subjects to aid in study
data through intervention or interaction recruitment, among other things. Such access
with the individual or (2) identifiable is permitted provided that the covered entity
private information.... Private informa receives certain required representations from
tion includes information about behavior the researcher and the researcher does not
that occurs in a context in which an remove any PHI from the covered entity
individual can reasonably expect that no during the course of the review.
observation or recording is taking place,
and information which has been pro Activities in which an investigator obtains and
vided for specific purposes by an indi records individually identifiable health
vidual and which the individual can information for purposes of identifying
reasonably expect will not be made potential human subjects to aid in study
public (for example, a medical record). recruitment, among other things, would
Private information must be individually involve human subjects research under the
identifiable (i.e., the identity of the HHS regulations at 45 CFR part 46 and
subject is or may readily be ascertained would not satisfy the criteria for any exemp
by the investigator or associated with the tion under HHS regulations at 45 CFR
information) in order for obtaining the 46.101(b). As a result, if such activities are
information to constitute research conducted or supported by HHS or con
involving human subjects. ducted under an applicable OHRP-approved
assurance, the research activities must be
When a “preparatory to research” activity reviewed and approved by an IRB in accor
(i) involves human subjects research, as dance with HHS regulations at 45 CFR
defined above; (ii) is conducted or sup- 46.109(a). In addition, informed consent of
ported by HHS or conducted under an the subjects, about whom identifiable private
applicable OHRP-approved assurance; and information (e.g., health information) is being
(iii) does not meet the criteria for exemp obtained, must be sought and documented in
tion under HHS regulations at 45 CFR accordance with, and to the extent required
46.101(b), the research must be reviewed by, HHS regulations at 45 CFR 46.116 and
and approved by an IRB in accordance with 46.117, respectively.
HHS regulations at 45 CFR 46.109(a). In
addition, informed consent of the subjects For example, if an investigator who is covered
must be sought and documented in accor by an applicable OHRP-approved assurance
dance with, and to the extent required by, obtains and records identifiable private
HHS regulations at 45 CFR 46.116 and information from medical records for the
46.117, respectively. However, under HHS purpose of contacting these individuals to
Protection of Human Subjects Regulations determine if they would be interested in
at 45 CFR 46.116(c) and (d), an IRB may participating in a research study, this activity
approve a consent procedure for such a
13
constitutes human subjects research, and A: Covered entities that obtain certain required
thus, would require either (1) that subjects’ representations from a researcher may use
informed consent be sought as required by and disclose PHI for activities preparatory
the HHS regulations at 45 CFR 46.116, or to research that include, but are not limited
(2) that the IRB approve an informed to the following:
consent procedure which does not include
or which alters some or all the elements of ·· Preparing a research protocol
14
15
Q: May research sponsors and researchers who Q: Do the HHS or FDA Protection of Human
are NOT covered entities continue to Subjects Regulations require IRBs to
obtain informed consent from research oversee the compliance of investigators
participants under the HHS or FDA with the Privacy Rule?
Protection of Human Subjects Regulations
to conduct a limited class of unspecified A: No. Neither the HHS nor FDA Protection
future research even though the Privacy of Human Subjects Regulations require
Rule requires that Authorizations for IRBs to oversee investigators’ compliance
research be research trial or study specific? with the Privacy Rule.
A: Research sponsors and researchers who are Q: Will OHRP or FDA assess compliance
not covered entities or not workforce with the requirements of the Privacy Rule
members of a covered entity are not re during their compliance oversight evalua
quired to comply with the Privacy Rule. tions pertaining to the HHS or FDA
However, research sponsors and researchers Protection of Human Subjects Regulations
may be subject to the HHS and/or FDA (45 CFR part 46 and 21 CFR parts 50 and
Protection of Human Subjects Regulations, 56, respectively)?
which are not modified or replaced by the
Privacy Rule. Thus, research sponsors and A: No. Since neither OHRP nor FDA enforce
researchers may, to the extent permitted by the Privacy Rule, OHRP will not assess
the HHS and FDA Protection of Human compliance with the Privacy Rule during
Subjects Regulations at 45 CFR 46.116 and compliance oversight evaluations, and FDA
21 CFR 50.25, respectively, continue to will not assess compliance with the require
obtain informed consent from research ments of the Privacy Rule during inspec
participants under these regulations to tions to determine compliance with their
conduct a limited class of unspecified future respective regulations.
research.
1 Including 21 CFR 56.108 and 45 CFR 46.108.
2 Including 21 CFR 56.110 and 45 CFR 46.110.
3 These categories are published and updated in the Federal
16