Sunteți pe pagina 1din 16

Institutional Review Boards and

the HIPAA Privacy Rule

Overview
The Privacy Rule, at 45 CFR parts 160 and ments relate to the functioning of an IRB
164, establishes a category of health informa­ under 45 CFR part 46, 21 CFR parts 50 and
tion, defined as protected health information 56, and other Federal laws and regulations
(PHI), which a covered entity may only use or applicable to an IRB. A separate fact sheet
disclose to others in certain circumstances and entitled Privacy Boards and the HIPAA Privacy
under certain conditions. In general, the Rule discusses the concurrent authority of
Privacy Rule requires an individual to provide Privacy Boards established under the Privacy
signed permission, known as an Authorization Rule to approve such waivers or alterations.
under section 164.508 of the Privacy Rule, Additional information about the Privacy Rule
before a covered entity can use or disclose the can be found in the booklet Protecting Personal
individual’s PHI for research purposes. Under Health Information in Research: Understanding
certain circumstances, however, the Privacy the HIPAA Privacy Rule.
Rule permits a covered entity to use or disclose
PHI for research without an individual’s For guidance on the Privacy Rule, see the HHS
Authorization. One way a covered entity can Office for Civil Rights (OCR) Web site at
use or disclose PHI for research without an http://www.hhs.gov/ocr/hipaa/. For guidance on
Authorization is by obtaining proper documen­ the interpretation of HHS or FDA Protection
tation of a waiver of the Authorization require­ of Human Subjects Regulations at 45 CFR part
ment by an Institutional Review Board (IRB) 46 or 21 CFR parts 50 and 56, respectively,
or a new type of review body, a Privacy Board. visit the Office for Human Research Protec­
tions (OHRP) Web site at http://
An IRB’s authority to approve a waiver or an ohrp.osophs.dhhs.gov or the FDA Web site at
alteration of the Privacy Rule’s Authorization http://www.fda.gov/oc/gcp/, respectively.
requirement is new and in addition to, not in
lieu of, the traditional IRB authorities to Introduction to the
protect research participants from risks under Privacy Rule
45 CFR part 46 (Department of Health and
In response to a congressional mandate in the
Human Services [HHS] Regulations for the
Health Insurance Portability and Accountabil­
Protection of Human Subjects) and 21 CFR
ity Act of 1996 (HIPAA), HHS issued regula­
parts 50 and 56 (Food and Drug Administra­
tions entitled Standards for Privacy of Individu­
tion [FDA] Regulations on Protection of
ally Identifiable Health Information. For most
Human Subjects). Other Federal and State laws
covered entities, compliance with these regula­
and regulations may impose other or additional
tions, known as the Privacy Rule, was required
restrictions and limitations on the use of health
by April 14, 2003.
information for research that may not be
waived or altered by an IRB or Privacy Board
The Privacy Rule is a response to public
under the authority granted to it by the Privacy
concern over potential abuses of the privacy of
Rule.
health information. The Privacy Rule estab­
lishes a category of health information, PHI,
This fact sheet is limited to the Privacy Rule’s
which may only be used or disclosed to others
requirements relating to an IRB and approvals
in certain circumstances or under certain
of research-related requests for Authorization
conditions. PHI is a subset of what is termed
waivers or alterations and how those require­
individually identifiable health information.
With certain exceptions, individually identifi­ regulated clinical investigations, among others,
able health information becomes PHI when it is have designated IRBs.
created or received by a covered entity. Covered
entities are health plans, health care clearing- Human subjects research that is conducted or
houses, and health care providers that transmit supported by a Federal department or agency
health information electronically in connection that has adopted the Common Rule (found for
with certain defined HIPAA transactions, such HHS at 45 CFR part 46, subpart A) and that
as claims or eligibility inquiries. Researchers are does not meet the criteria for exemption or is
not themselves covered entities, unless they also regulated by the FDA is subject to review and
provide health care and engage in any of the approval by an IRB. In most instances, in order
covered electronic transactions. If, however, to approve research, an IRB must determine
researchers are employees or other workforce that specified criteria have been satisfied.
members of a covered entity (e.g., a hospital or Among these criteria, an IRB must determine
health insurer), they may have to comply with that, when appropriate, the research protocol
that entity’s new HIPAA privacy policies and includes “adequate provisions to protect the
procedures. A researcher who is not himself or privacy of subjects and to maintain the confi­
herself a covered entity or is not a workforce dentiality of data” (see 45 CFR 46.111(a)(7)
member of a covered entity may be indirectly and 21 CFR 56.111(a)(7)).
affected by the Privacy Rule, if a covered entity
supplies the research data. IRB Role under the Privacy Rule
Beginning on April 14, 2003, the Privacy Rule’s
What Is an IRB and Its Role compliance date for most covered entities, IRBs
Under the Privacy Rule? gained authority to consider, and act upon,
requests for a partial or complete waiver or
alteration of the Privacy Rule’s Authorization
IRBs
requirement for uses and disclosures of PHI for
An IRB is a board, committee, or other group
research. Although HHS and FDA Protection
formally designated by an institution to review
of Human Subjects Regulations include protec­
research involving humans as subjects. IRBs
tions to help ensure the privacy of subjects and
have authority to approve, require modification
the confidentiality of information, the Privacy
to, or disapprove all research activities covered
Rule supplements these protections by requir­
by the HHS and FDA Protection of Human
ing covered entities to implement specific
Subjects Regulations. Following initial ap­
measures to safeguard the privacy of PHI. If
proval, IRBs must conduct periodic reviews of
certain conditions are met, an IRB may grant a
such research. Every institution engaged in
waiver or an alteration of the Authorization
human subjects research conducted or sup-
requirement for research uses or disclosures of
ported by a Federal department or agency that
PHI.
has adopted the Common Rule (Federal Policy
for the Protection of Human Subjects) is
Provisions concerning requests to an IRB for a
required to designate one or more IRBs under
waiver or an alteration of the Authorization
an assurance of compliance. Additionally, when
requirement are in section 164.512(i) of the
FDA-regulated products are investigated in
Privacy Rule. It is likely that IRBs will be
human subjects, the protocol is subject to
primarily involved in acting on requests for
review and approval by an IRB. Hospitals,
waiver or alteration of the Authorization
academic medical centers, government units,
requirement in connection with research
and others engaged in federally conducted or
activities that the particular IRB oversees. The
supported health research activities involving
Privacy Rule does not impose any requirements
human subjects and entities conducting FDA-
for the location or sponsorship of an IRB
convened for the purposes of acting on a

request for approval of a waiver or an alteration procedures otherwise would require such review
of the Authorization requirement. Thus, an and/or approval. (See OCR guidance at http://
IRB approval for a waiver or an alteration of www.hhs. gov/ocr/hipaa/privguideresearch.pdf for
Authorization may be issued by an IRB that is more information.) Moreover, the Privacy Rule
unrelated to the institution conducting or does not require IRBs to review uses and
sponsoring the specific research project, unre­ disclosures of an individual’s PHI that are made
lated to the covered entity that creates or with an individual’s Authorization (see 67
maintains the PHI to be used or disclosed for Federal Register 53226, August 14, 2002).
research, or different from the IRB with re­
sponsibility for monitoring the underlying Waivers or Alterations of
research project. As a result, a waiver or an the Authorization
alteration of the Privacy Rule’s Authorization
requirements could be obtained from a single Requirements
IRB in connection with a multisite research For some types of research, it is impracticable
activity or where the PHI necessary for the for researchers to obtain written Authorization
research will be used or disclosed by more than from research participants. To address this type
one covered entity. of situation, the Privacy Rule contains criteria
for waiver or alteration of the Authorization
Under the Privacy Rule, an Authorization may requirement by an IRB or a Privacy Board.
be combined with the informed consent Under the Privacy Rule, either board may waive
document for research. If the informed consent or alter, in whole or in part, the Privacy Rule’s
document is combined with an Authorization Authorization requirements for the use and
meeting the Privacy Rule’s requirements, 45 disclosure of PHI in connection with a particu­
CFR part 46 and/or 21 CFR parts 50 and 56 lar research project.
would require IRB review of the combined
document. A waiver in whole occurs when the IRB deter-
mines that no Authorization will be required
An IRB’s role under the Privacy Rule, however, for a covered entity to use or disclose PHI for a
is limited to acting on requests for a waiver or particular research project because certain
an alteration of the Privacy Rule’s Authorization criteria set forth in the Privacy Rule have been
requirement. IRBs are, thus, not required to met (see section 164.512(i) of the Privacy
review and approve Authorizations under the Rule). For example, if a study involved the use
Privacy Rule. Likewise, IRBs are not required to of PHI pertaining to numerous individuals
approve stand-alone Authorizations (i.e., where contact information is unknown, and it
Authorizations that are not incorporated into would be impracticable to conduct the research
the informed consent document) under the if Authorization were required, an IRB could
HHS Protection of Human Subjects Regula­ waive all the Authorization requirements for
tions at 45 CFR part 46 or the FDA regulations research participants if the IRB determined that
at 21 CFR parts 50 and 56. However, FDA all the Privacy Rule waiver criteria had been
regulations at 21 CFR parts 50 and 56 would satisfied. If the IRB approves such a waiver, the
require such review if required by the IRB’s receipt of the requisite documentation of the
written procedures. In the exercise of ongoing approval permits a covered entity to use or
enforcement discretion, however, with respect disclose PHI in connection with a particular
to the requirements of 21 CFR 56.108(a), to research project without Authorization. A
the extent that an IRB’s written procedures partial waiver of the Authorization require­
require the review and/or approval of stand- ments of the Privacy Rule might be requested,
alone Authorizations, FDA will not take for instance, to allow a researcher to obtain
enforcement action against an IRB for failing to PHI as necessary to recruit potential research
review them even when the IRB’s written subjects. For example, even if an IRB does not

waive the Authorization requirement for the absent a health or research justification for
entire research study, an IRB may partially retaining the identifiers or if retention is
waive the Authorization requirement to permit other wise required by law; and (3) ad-
a covered entity to disclose PHI to a researcher equate written assurances that the PHI will
for the purposes of contacting and recruiting not be reused or disclosed to any other
individuals into the study. person or entity except (a) as required by
law, (b) for authorized oversight of the
An IRB may also approve a request that re- research study, or (c) for other research for
moves some, but not all, required elements of which the use or disclosure of the PHI is
an Authorization (an alteration). For example, permitted by the Privacy Rule.
an IRB may alter the Authorization to remove
the element that describes each purpose of the
· The research could not practicably be
conducted without the requested waiver or
requested use or disclosure where, for example, alteration.
the identification of the specific research study
would affect the results of the study. Before a
· The research could not practicably be
conducted without access to and use of the
covered entity could use or disclose PHI PHI.
pursuant to the altered Authorization, however,
it must receive documentation that an IRB IRB Review Proceedings
determined that all the Privacy Rule waiver
criteria at section 164.512(i)(2)(ii) had been IRB Composition
satisfied. Any subsequent use or disclosure of The Privacy Rule does not change the composi­
PHI by a covered entity for a different research tion of an IRB. Under the HHS and FDA
study would require an additional Authoriza­ Protection of Human Subjects Regulations,
tion, except as permitted without Authorization each IRB must have at least five members with
under section 164.512(i) (e.g., with a waiver of varying backgrounds to promote complete and
Authorization) or 164.514(e) (i.e., as a limited adequate review of research activities conducted
data set with a data use agreement). by the institution. An IRB must be sufficiently
qualified through the experience and expertise
The Privacy Rule establishes the criteria to be of its members, and the diversity of the mem­
evaluated by an IRB in approving an Authoriza­ bers, including consideration of race, gender,
tion waiver or alteration. Furthermore, the and cultural backgrounds and sensitivity to
criteria for an IRB waiver or alteration of the such issues as community attitudes, to promote
Authorization are consistent with the criteria respect for its advice and counsel in safeguard­
for IRB waiver of the informed consent require­ ing the rights and welfare of human subjects.
ments contained in the HHS Protection of The IRB must also be able to ascertain the
Human Subjects Regulations. For a covered acceptability of proposed research in terms of
entity to use or disclose PHI under a waiver or institutional commitments and regulations,
an alteration of the Authorization requirement, applicable law, and standards of professional
it must receive documentation of, among other conduct and practice. No IRB may consist
things, the IRB or Privacy Board’s determina­ entirely of members of one profession. In
tion that the following criteria have been met: addition, at least one member must not be
· The PHI use or disclosure involves no more
than minimal risk to the privacy of indi­
affiliated with the institution (or part of the
immediate family of a person affiliated with the
viduals based on at least the presence of (1) institution). Furthermore, no IRB may have a
an adequate plan presented to the IRB to member participate in the IRB’s initial or
protect PHI identifiers from improper use continuing review of a project in which the
and disclosure; (2) an adequate plan to member has a conflicting interest, except to
destroy those identifiers at the earliest provide information at the request of the IRB.
opportunity, consistent with the research, Each IRB must include at least one member

whose primary concerns are in scientific areas HHS or FDA list of approved categories3 and
and at least one member whose primary involves no more than minimal risks. In
concerns are in nonscientific areas. The Privacy addition, 45 CFR 46.110 and 21 CFR 56.110
Rule permits a covered entity to accept docu­ permit an IRB to use an expedited review
mentation of waiver or alteration approval procedure to review minor changes in previ­
from any qualified IRB or Privacy Board—not ously approved research. A modification to a
only the IRB overseeing the institution’s previously approved research protocol, which
research. only involves the addition of an Authorization
for the use or disclosure of PHI to the IRB-
IRB Procedural Requirements approved informed consent, may be reviewed
When acting upon a request to waive or alter by the IRB through an expedited review
the Authorization requirement, an IRB must procedure, since this type of modification may
follow the procedural requirements of the HHS be considered to be no more than a minor
Protection of Human Subjects Regulations change to research. If expedited review proce­
and/or, if applicable, FDA regulations, includ­ dures are appropriate for acting on the request,
ing using either the normal review procedures the review may be carried out by the IRB chair
(review by the convened IRB)1 or the expe­ or by one or more experienced reviewers
dited review procedures.2 The FDA Protection designated by the chair from among the IRB
of Human Subjects Regulations also require the members. A member with a conflicting interest
IRB to follow its established written procedures may not participate in an expedited review. If
whether a request for a waiver or an alteration an IRB uses expedited review procedures, it
of the Authorization requirement is considered must adopt methods for keeping all its mem­
by a convened IRB or by an IRB under the bers advised of requests for waivers or alter­
expedited review procedures. ations of the Authorization requirement as well
as those requests that have been granted under
Review by the Convened IRB an expedited review procedure. If the head of
When a request for a waiver or an alteration of the Federal department or agency (or his/her
the Authorization requirement is considered by designee) regulating the research has restricted,
the convened IRB, a majority of the IRB suspended, terminated, or chosen not to
members must be present at the meeting, authorize an institution or IRB to use expe­
including at least one member whose primary dited review procedures, the IRB cannot grant
concerns are in nonscientific areas. In order for waivers or alterations of the Authorization
an approval of a waiver or an alteration of the requirement on an expedited basis.
Privacy Rule’s Authorization requirement to be
effective, it must be approved by a majority of Documentation of
the IRB members present at the convened
meeting. If a member of the IRB has a conflict­
Authorization Waiver or
ing interest with respect to the PHI use and Alteration Determinations
disclosure for which a waiver or an alteration Before a covered entity may use or disclose PHI
approval is being sought, that member may not for research based on a waiver or an alteration
participate in the review. of Authorization by an IRB, a covered entity
must receive documentation showing the
Expedited Review following:
HHS and FDA have established categories of
research that may be reviewed by an IRB ·· The identity of the approving IRB

The date on which the waiver or alteration

through an expedited review procedure. Expe­


was approved

dited review of a request for a waiver or an


alteration of the Authorization requirement is · A statement that the IRB has determined

that all the specified criteria for a waiver or

permitted where the research activity is on the

an alteration were met (see Waivers or


Privacy Rule permits a covered entity reason-
Alterations of the Authorization Require­
ably to rely on an IRB’s or a Privacy Board’s
ments)
documentation granting a waiver or alteration
· A brief description of the PHI for which use

or access has been determined by the IRB to

of the Authorization requirement so long as the


documentation is proper. The documentation
be necessary in connection with the specific
on which the covered entity relies must be in
research activity
writing and meet the signature and other
· A statement that the waiver or alteration

was reviewed and approved under either

requirements discussed in the Documentation


of Authorization Waiver or Alteration Deter­
normal or expedited review procedures (see
minations section.
IRB Approval Proceedings)

· The required signature of the IRB chair or

the chair’s designee

A covered entity’s ability reasonably to rely on


documentation of an Authorization waiver or
alteration may be especially important for
As noted, the IRB’s documentation of its research projects taking place at multiple sites
approval must describe the PHI for which use and/or requiring the use and disclosure of PHI
or access has been determined to be necessary created or maintained by more than one
for the research. This would include stating, for covered entity (collectively, multisite projects).
example, that the waiver was limited to only Often, different IRBs are involved in multisite
certain information in a patient’s medical project reviews. For these situations, HHS has
record, instead of the entire record. If a covered stated (65 Federal Register 82692, December
entity uses or discloses PHI based on an IRB 28, 2000) that a covered entity’s responsibility
approval of a waiver or an alteration of the is only to “obtain the documentation that one
Authorization requirement, the covered entity IRB or [P]rivacy [B]oard has approved the
must retain the IRB’s documentation on which alteration or waiver of Authorization.” (Em­
it relied for at least 6 years from the date the phasis added.) Consequently, the Privacy Rule
waiver or alteration was obtained, or the date allows a waiver or an alteration of Authoriza­
when it was last in effect, whichever is later. tion obtained from a single IRB or Privacy
Board to be used to obtain PHI in connection
Other provisions of applicable Federal law and with multisite projects. However, HHS also
regulations, as well as the written policies and recognizes that “covered entities may elect to
procedures of a specific IRB, may require the require IRB or Privacy Board reviews before
IRB to create and maintain additional docu­ disclosing [PHI] to requesting researchers” (67
mentation of its actions on requests to approve Federal Register 53232, August 14, 2002). The
a waiver or an alteration of the Privacy Rule’s Privacy Rule does not require entities to change
Authorization requirement. their practices with respect to how they address
potential splits between review boards. How-
Verification Requirements: ever, HHS “strongly encourages researchers to
Right to Rely notify IRBs and [P]rivacy [B]oards of any prior
IRB or [P]rivacy [B]oard review of a research
In some circumstances, IRBs and Privacy
protocol” (65 Federal Register 82692, December
Boards will coexist. Where these boards coexist,
28, 2000).
the Privacy Rule requires approval of a waiver
or an alteration of Authorization by only one of
A covered entity must limit the use or disclo­
them. Furthermore, a covered entity may use or
sure of PHI for research that is based on
disclose PHI based on a waiver or an alteration
documentation of an approved waiver or
of Authorization approved by any IRB or
alteration of Authorization to the minimum
Privacy Board, without regard to the location or
necessary to accomplish the intended purpose
affiliation of the IRB or Privacy Board. The

of the particular research protocol or project new informed consent document after the
(see section 164.502(b) of the Privacy Rule). compliance date is sought
Documentation supporting an IRB’s approval
of a waiver or an alteration of Authorization The transition provisions also do not apply if
must include a description of the PHI without any change is made after the compliance date
access to and use of which the IRB has deter- to an informed consent, express legal permis­
mined the research could not practicably be sion, or IRB waiver for the research obtained
conducted. If an IRB has granted a waiver or before the compliance date that would make
an alteration of Authorization, a covered entity these prior permissions invalid. Under all these
may rely, if such reliance is reasonable under circumstances, an Authorization that complies
the circumstances, on the IRB’s documentation with section 164.508 of the Privacy Rule is
to satisfy itself that the requested PHI use or required unless the activity is otherwise permit­
disclosure is limited to the minimum necessary ted by the Privacy Rule without Authorization
for the stated research purpose (see section (e.g., through a waiver of Authorization).
164.514(d)(3)(iii) of the Privacy Rule). Such
reliance is appropriate regardless of whether the In some instances, express legal permissions,
documentation of waiver or alteration is informed consents, or IRB-approved waivers of
obtained from an external IRB or associated informed consents are not study specific. These
with the covered entity relying on the docu­ permissions for research and waivers, if ob­
mentation (see 67 Federal Register at 53198, tained before the compliance date, are
August 14, 2002). grandfathered by the transition provisions even
if provided for future unspecified research,
Research Uses and subject to the conditions described above.
Disclosures Under
Permissions Obtained Prior Frequently Asked
Questions and Answers
to the Privacy Rule’s
Compliance Date Q: How does the scope of coverage of the
Sections 164.532(a) and (c) of the Privacy Rule HHS and FDA Protection of Human
provide that, after the compliance date (for Subjects Regulations (45 CFR part 46
most covered entities, April 14, 2003), a and 21 CFR parts 50 and 56) differ
covered entity may use or disclose an from that of the Privacy Rule (i.e., who
individual’s PHI without an Authorization, or and what is covered under each of these
waiver or alteration of the Authorization regulations)?
requirement, in connection with ongoing
research if specific conditions are met. For A: While the HHS Protection of Human
many such uses and disclosures of PHI in Subjects Regulations and the Privacy Rule
connection with ongoing research, a covered pertain to some of the same entities, the
entity may rely on any one of the following scope of coverage of these two regulations
that was obtained prior to the compliance date: differs. The HHS Protection of Human
· An Authorization or other express legal

permission from an individual to use or

Subjects Regulations apply to all research


involving human subjects that is conducted
disclose PHI for research
or supported by any component of HHS,
· The informed consent of the individual to

participate in the research

unless the research involves one or more of


the categories of exempt research described
· A waiver by an IRB of informed consent in

accordance with applicable laws and regula­

under the HHS regulations at 45 CFR


46.101(b). FDA Protection of Human
tions governing informed consent, unless a
Subjects Regulations apply to research

related to FDA-regulated products that statistical verification as specified in the


involve one or more human subjects. Privacy Rule or (2) by removing certain
pieces of information from each record, as
In contrast, the Privacy Rule applies to specified in the Privacy Rule, about the
“covered entities” that are defined in the individual, relatives, employers, or house-
regulations: (1) Health plans, (2) health care hold members of the individual and having
clearinghouses, and (3) health care providers no knowledge that the remaining informa­
who electronically transmit any health tion could be used alone or in combination
information in connection with transactions with other information to identify the
for which HHS has adopted standards. The individual. Under the second method of de-
Privacy Rule protects, with limited excep­ identification, in general, unique identify­
tions, individually identifiable health ing numbers, characteristics, or codes must
information when it is created or main­ be removed if the health information is to
tained by a covered entity. be considered to be de-identified unless
permitted by the Privacy Rule as a re-
Of note, certain research activities involving identification code.
human subjects that are exempt under the
HHS Protection of Human Subjects Regula­ Q: Do HHS Protection of Human Subjects
tions may still need to satisfy the require­ Regulations or the Privacy Rule consider
ments of the Privacy Rule. information “individually identifiable”
if the information is associated only
Q: What constitutes “individually identifi­ with a code assigned for
able” information under the HHS Protec­ re-identification?
tion of Human Subjects Regulations versus
under the Privacy Rule? A. The Privacy Rule permits a covered entity
to determine that health information is de-
A: The HHS Protection of Human Subjects identified even if the health information has
Regulations at 45 CFR 46.102(f ) define a been assigned, and retains, a code or other
“human subject,” in part, as a living indi­ means of record identification, provided
vidual about whom an investigator conduct­ that the code is not derived from or related
ing research obtains “identifiable private to the information about the individual and
information...Private information must be could not be translated to identify the
individually identifiable (i.e., the identity of individual and the covered entity does not
the subject is or may be readily ascertained use or disclose the code for other purposes
[emphasis added] by the investigator or or disclose the mechanism for re-identifica­
associated with the information) in order for tion.
obtaining the information to constitute
research involving human subjects.” Under the HHS Protection of Human
Subjects Regulations, if an investigator
The Privacy Rule at section 160.103 defines obtains private information about living
“individually identifiable health informa­ individuals for research purposes and that
tion,” in part, as“...information that identi­ private information retains a link to indi­
fies the individual, or with respect to which vidually identifying information, such
there is a reasonable basis to believe the private information ordinarily would be
information can be used to identify the considered by OHRP to be individually
individual.” In addition, the Privacy Rule at identifiable to the investigator. However,
section 164.514 allows a covered entity to OHRP does not ordinarily consider such
determine that health information is not information to be individually identifiable
individually identifiable using either (1) to the investigator if (1) the investigator and

the holder of the individually identifying and approval is required for any document
information sign an agreement prohibiting that contains the IRB-approved informed
the release of individually identifying consent document for human subjects
information to the investigator under any research. Therefore, if the Authorization
circumstances, or (2) there are other legal language is part of the IRB-approved
requirements prohibiting the release of the informed consent document, such as when
link to the investigator. the Authorization form is combined with an
informed consent, the IRB is required to
Q: Who furnishes the description of the PHI review such language.
to be included in the IRB’s docu­
mentation? Generally, neither HHS regulations at 45
CFR part 46 nor FDA regulations at 21
A: The Privacy Rule does not state who CFR parts 50 and 56 require that stand-
furnishes the description of the PHI to be alone Authorizations (i.e., Authorizations
included in the IRB’s documentation. that are not incorporated into the informed
However, the researcher requesting the consent document) for use or disclosure of
waiver or alteration of the Privacy Rule’s PHI be reviewed and approved by the IRB.
Authorization requirement from the IRB However, FDA regulations at 21 CFR
may be in the best position to adequately 56.108(a) mandate such review if required
describe the PHI to be used and disclosed by the IRB’s written procedures. In the
and would submit this information as part exercise of ongoing enforcement discretion,
of the request for such approval. Regardless however, with respect to the requirements of
of who provides the description of the PHI, 21 CFR 56.108(a), to the extent that an
the IRB is the entity that decides whether or IRB’s written procedures require the review
not and the extent to which a waiver or and/or approval of stand-alone Authoriza­
alteration of Authorization is granted, and, tions, FDA will not take enforcement action
therefore, it is the IRB that makes the final against an IRB for failing to review them
decision regarding the descrip tion of the even when the IRB’s written procedures
PHI to be included in the IRB’s documen­ otherwise would require such review and/or
tation. approval.

Q: When must an IRB review and approve the The Privacy Rule does not require IRBs to
language of an Authorization for use or review or approve Authorizations used for
disclosure of PHI related to human sub­ research or other disclosures; it only re-
jects research activities regulated by HHS quires that the Authorization comply with
Protection of Human Subjects Regulations the requirements of the Privacy Rule at
at 45 CFR part 46 and FDA Protection of section 164.508. For OCR guidance on this
Human Subjects Regulations at 21 CFR topic, see http://www.hhs.gov/ocr/hipaa/
parts 50 and 56? privguideresearch.pdf.

A: The HHS Protection of Human Subjects Q: Does the Privacy Rule require IRBs to
Regulations do not expressly require that review and/or approve Authorizations,
Privacy Rule Authorizations be reviewed or either as stand-alone documents (i.e.,
approved by the IRB. However, under HHS Authorizations that are not combined with
regulations at 45 CFR 46.117(a) and FDA informed consent documents) or when
regulations at 21 CFR 50.27(a), IRB review combined with informed consent?

A: No.

written informed consent form, consent


Q: Do FDA regulations require IRBs to form updates, subject recruitment proce­
review and/or approve stand-alone dures (e.g., advertisements), and any other
Authorizations, i.e., Authorizations that written information to be provided to sub­
are not combined with informed consent jects.” (Emphasis added.) (See ICH E6
documents? 4.4.1.) This language recommends, but does
not require, such review. In general, the
A: No. FDA regulations do not specifically ICH Good Clinical Practice guidelines are
require IRBs to review and/or approve recommendations, not legal requirements.
stand-alone Authorizations. However, FDA As such, they are not subject to enforcement
regulations governing IRBs require, in by U.S. authorities.
pertinent part, that IRBs adopt and follow
written procedures for reviewing clinical Q: How does the composition of IRBs vary
research. See 21 CFR 56.108(a). Pursuant from that of Privacy Boards?
to this provision, IRBs that have written
procedures requiring them to review all A: The HHS and FDA Protection of Human
written materials provided to potential Subjects Regulations at 45 CFR 46.107 and
research subjects must review and approve 21 CFR 56.107, respectively, require,
stand-alone Authorizations, even though among other things, that IRBs have at least
such review is not otherwise required under five members with varying backgrounds to
the Privacy Rule, HHS Protection of Hu­ promote complete and adequate review of
man Subjects Regulations, or FDA regula­ research activities commonly conducted by
tions governing IRBs. However, in the the institution. The IRB must be suffi­
exercise of ongoing enforcement discretion ciently qualified through the experience and
with respect to the requirements of 21 CFR expertise of its members, and the diversity
56.108(a), to the extent that an IRB’s of members, including consideration of
written procedures require the review and/or race, gender, and cultural backgrounds and
approval of stand-alone Authorizations, sensitivity to such issues as community
FDA will not take enforcement action attitudes, to promote respect for its advice
against an IRB for failing to review them and counsel in safeguarding the rights and
even when the IRB’s written procedures welfare of human subjects. The IRB must
otherwise would require such review also be able to ascertain the acceptability of
and/or approval. For OCR guidance on this proposed research in terms of institutional
topic, see http://www.hhs.gov/ocr/hipaa/ commitments and regulations, applicable
privguideresearch.pdf. law, and standards of professional conduct
and practice. The IRB must also include at
Q: Do international guidelines require IRBs least one member whose primary concerns
to review and/or approve stand-alone are in scientific areas, and at least one
Authorizations, i.e., Authorizations that are member whose primary concerns are in
not combined with informed consent nonscientific areas. In addition, the IRB
documents? must include at least one member who is
not otherwise affiliated with the institution
A: No. The International Conference on and who is not part of the immediate family
Harmonisation (ICH) Good Clinical of a person affiliated with the institution.
Practice: Consolidated Guideline (E6)
states, for example, “Before initiating a trial, The Privacy Rule, at section 164.512(i)
the investigator/institution should have (1)(i)(B), requires that a Privacy Board have
written and dated approval/favourable members with varying backgrounds and
opinion from the IRB/IEC [Independent
Ethics Committee] for the trial protocol,

10

appropriate professional competency as A: Under 45 CFR 46.116(d), an IRB may


necessary to review the effect of the research approve a consent procedure that does not
protocol on the individual’s privacy rights include, or which alters, some or all the
and related interests, and include at least elements of informed consent specified in
one member who is not affiliated with any this section, or may waive the requirements
entity conducting or sponsoring the re- to obtain informed consent, provided the
search and not related to any person who is IRB finds and documents that the following
affiliated with any of these entities. In four criteria have been met:
addition, a Privacy Board may not have any
1. The research involves no more than
member participating in a review of any
minimal risk to the subject.
project in which the member has a conflict
2. The waiver or alteration will not ad­
of interest.
versely affect the rights and welfare of
the subjects.
Of note, covered entities may reasonably
3. The research could not practicably be
rely on documentation from an IRB that
carried out without the waiver or alter­
satisfies the membership requirements of
ation.
the HHS or FDA Protection of Human
4. Whenever appropriate, the subjects will
Subjects Regulations in order to use or
be provided with additional pertinent
disclose PHI without Authorization, as
information after participation.
permitted by the Privacy Rule at section
164.512(i)(1)(i).
In addition, 45 CFR 46.116(c) also permits
an IRB to approve a consent procedure
Q: How do the requirements regarding
which does not include, or which alters,
members with conflicting interests vary
some or all the elements of informed
between IRBs under the HHS and FDA
consent or to waive the requirement to
Protection of Human Subjects Regula­
obtain informed consent, provided the IRB
tions, and the Privacy Boards under the
finds and documents the following:
Privacy Rule?

A: The HHS and FDA Protection of Human


· The research or demonstration project is
to be conducted by or is subject to the
Subjects Regulations at 45 CFR 46.107(e) approval of state or local government
and 21 CFR 56.107(e), respectively, pro­ officials and is designed to study, evalu­
hibit an IRB member who has a conflicting ate, or otherwise examine public benefit
interest from participating in an initial or or service programs, and certain aspects
continuing review or approval of of these programs as specified at 45 CFR
research, except to provide information at 46.116(c)(1).
the request of the IRB. · The research could not practicably be
carried out without the waiver or alter­
Similarly, the Privacy Rule, at section ation.
164.512(i)(1)(i)(B)(3), prohibits a Privacy
Board member from participating in a Under the Privacy Rule at section
review of any project in which the member 164.512(i) (1)(i), a covered entity may use
has a conflicting interest. or disclose PHI for a research study without
Authorization from the research participant
Q: How do the criteria to alter or waive if the covered entity obtains documentation
informed consent under 45 CFR part 46 that an alteration or waiver of the research
differ from criteria to alter or waive participant’s Authorization for use or
Authorization under the Privacy Rule? disclosure of information for research
purposes has been approved by an IRB or a
Privacy Board. Among other requirements

11

under section 164.512(i), a covered entity more than a minor change to the research
must obtain a statement that an IRB or a and, as a result, may be reviewed by the IRB
Privacy Board has determined that the under an expedited review procedure, in
alteration or waiver, in whole or in part, of accordance with the requirements of HHS
Authorization satisfies the following three regulations at 45 CFR 46.110 and FDA
criteria in the Privacy Rule: regulations at 21 CFR 56.110.
1. The use or disclosure of PHI involves no
Q: Do HHS regulations at 45 CFR part 46
more than a minimal risk to the privacy
and FDA regulations at 21 CFR parts 50
of individuals, based on, at least, the
and 56 permit the IRB to review and
presence of the following elements:
approve the insertion of Authorization
· An adequate plan to protect the
identifiers from improper use and
language as a single modification that
applies to the informed consent documents
disclosure of multiple protocols previously approved
· An adequate plan to destroy the
identifiers at the earliest opportunity
by the IRB?

consistent with conduct of research, A: Yes, when Authorizations for use or disclo­
unless a health or research justification sure of PHI will to be incorporated into
for retaining the identifiers or such previously approved informed consent
retention is otherwise required by law documents for a series of protocols, and the
· Adequate written assurances that the
PHI will not be reused or disclosed
Authorizations are composed entirely of
identical template language, the IRB may
except as required by law, for autho­ approve the insertion of the Authorization
rized oversight of the research study, language as a single modification that
or for other research for which the use applies to the entire series of protocols.
or disclosure of PHI would be permit­
ted by the Privacy Rule However, when Authorizations for use or
2. The research could not practicably be disclosure of PHI will be incorporated into
conducted without the waiver or alter­ previously approved informed consent
ation. documents for a series of protocols and the
3. The research could not practicably be Authorization statements include protocol-
conducted without access to and use of specific information unique to each proto­
the PHI. col, the IRB should review and approve the
insertion of the Authorization language
Q: Under the HHS regulations at 45 CFR separately for each protocol.
part 46 and FDA regulations at 21 CFR
part 56, can an IRB use an expedited In both cases, an expedited review proce­
review procedure to review and approve a dure may be used.
modification to a previously approved
informed consent document where the Q: When do the requirements under HHS
modification involves only the addition of regulations at 45 CFR part 46 related to
an Authorization for use or disclosure of IRB review and informed consent apply to
PHI? “preparatory to research” activities as
permitted by the Privacy Rule at section
A: Yes. For research protocols previously 164.512(i)(1)(ii)?
approved by the IRB, the addition to the
IRB-approved informed consent document A: HHS Protection of Human Subjects Regu­
of language regarding Authorization for use lations at 45 CFR part 46 do not reference
or disclosure of PHI may be considered no “preparatory to research” activities.

12

HHS regulations at 45 CFR 46.102(d) “preparatory to research” activity that does


define “research” as “a systematic investiga­ not include, or that alters, some or all the
tion, including research development, testing elements of informed consent, or may waive
and evaluation, designed to develop or the requirements to obtain informed
contribute to generalizable knowledge.” consent for such a “preparatory to research”
(Emphasis added.) activity if certain criteria are satisfied.

HHS regulations at 45 CFR 46.102(f ) The Privacy Rule permits, under section
define “human subject” as 164.512(i)(1)(ii), a covered entity to provide
a living individual about whom an investigators with access to PHI for purposes
investigator (whether professional or preparatory to research, such as for identifying
student) conducting research obtains (1) potential human subjects to aid in study
data through intervention or interaction recruitment, among other things. Such access
with the individual or (2) identifiable is permitted provided that the covered entity
private information.... Private informa­ receives certain required representations from
tion includes information about behavior the researcher and the researcher does not
that occurs in a context in which an remove any PHI from the covered entity
individual can reasonably expect that no during the course of the review.
observation or recording is taking place,
and information which has been pro­ Activities in which an investigator obtains and
vided for specific purposes by an indi­ records individually identifiable health
vidual and which the individual can information for purposes of identifying
reasonably expect will not be made potential human subjects to aid in study
public (for example, a medical record). recruitment, among other things, would
Private information must be individually involve human subjects research under the
identifiable (i.e., the identity of the HHS regulations at 45 CFR part 46 and
subject is or may readily be ascertained would not satisfy the criteria for any exemp­
by the investigator or associated with the tion under HHS regulations at 45 CFR
information) in order for obtaining the 46.101(b). As a result, if such activities are
information to constitute research conducted or supported by HHS or con­
involving human subjects. ducted under an applicable OHRP-approved
assurance, the research activities must be
When a “preparatory to research” activity reviewed and approved by an IRB in accor­
(i) involves human subjects research, as dance with HHS regulations at 45 CFR
defined above; (ii) is conducted or sup- 46.109(a). In addition, informed consent of
ported by HHS or conducted under an the subjects, about whom identifiable private
applicable OHRP-approved assurance; and information (e.g., health information) is being
(iii) does not meet the criteria for exemp­ obtained, must be sought and documented in
tion under HHS regulations at 45 CFR accordance with, and to the extent required
46.101(b), the research must be reviewed by, HHS regulations at 45 CFR 46.116 and
and approved by an IRB in accordance with 46.117, respectively.
HHS regulations at 45 CFR 46.109(a). In
addition, informed consent of the subjects For example, if an investigator who is covered
must be sought and documented in accor­ by an applicable OHRP-approved assurance
dance with, and to the extent required by, obtains and records identifiable private
HHS regulations at 45 CFR 46.116 and information from medical records for the
46.117, respectively. However, under HHS purpose of contacting these individuals to
Protection of Human Subjects Regulations determine if they would be interested in
at 45 CFR 46.116(c) and (d), an IRB may participating in a research study, this activity
approve a consent procedure for such a

13
constitutes human subjects research, and A: Covered entities that obtain certain required
thus, would require either (1) that subjects’ representations from a researcher may use
informed consent be sought as required by and disclose PHI for activities preparatory
the HHS regulations at 45 CFR 46.116, or to research that include, but are not limited
(2) that the IRB approve an informed to the following:
consent procedure which does not include
or which alters some or all the elements of ·· Preparing a research protocol

Assisting in the development of a re-

informed consent, or waive the requirement


search hypothesis

to obtain informed consent in accordance


with the provisions of the HHS regulations · Aiding in research recruitment, such as

identifying prospective research partici­

at 45 CFR 46.116(c) or (d). Informed


pants who would meet the eligibility

consent also must be documented in accor­


criteria for enrollment into a research

dance with, and to the extent required by,


study

the HHS regulations at 45 CFR 46.117.


Under these provisions, no PHI may be
Similarly, if such an investigator obtains and
removed from the covered entity during the
records identifiable private information to
course of the review.
develop a database of potential research
subjects for future research studies, this
Q: If, under the “preparatory to research”
activity is also human subjects research as
provisions, a researcher identifies
defined in 45 CFR part 46, and thus would
subjects who meet the study’s eligibility
need to meet the requirements of the HHS
criteria, how can the researcher contact
regulations as discussed above.
the potential participant to obtain
Authorization?
The above interpretation does not conflict
in any way with OCR’s interpretation of the
A: Under the “preparatory to research” provi­
Privacy Rule. It should be noted that
sion, covered entities may use and disclose
Authorization for use or disclosure of PHI
to researchers PHI to aid in study recruit­
provided for under the Privacy Rule and
ment. They may allow a researcher to
legally effective informed consent for
identify, but not contact, potential study
research provided for under HHS regula­
participants. To contact potential study
tions at 45 CFR 46.116 and 46.117 are not
participants, a researcher may do so, with-
the same.
out Authorization from the individual,
under the following circumstances:
Furthermore, the Privacy Rule does not
override any requirements of 45 CFR part
46, and vice versa. In situations where both
· If the researcher is a workforce member
of a covered entity, the researcher may
45 CFR part 46 and the Privacy Rule are contact the potential study participant, as
applicable, institutions must adhere to both part of the covered entity’s health care
sets of regulations. operations, for the purposes of seeking
Authorization. Alternatively, the covered
Q: Under certain circumstances, the “prepara­ entity may contract with a researcher as a
tory to research” provision at section business associate to assist in contacting
164.512(i)(1)(ii) of the Privacy Rule individuals on behalf of the covered
permits covered entities to use or disclose entity to obtain their Authorizations.
PHI for purposes preparatory to research.
What kinds of activities are considered
· If the covered entity obtains documenta­
tion that an IRB has partially waived the
preparatory to research? Authorization requirement to disclose
PHI to a researcher for recruitment

14

purposes, the covered entity could sufficiently anticipated and described to


disclose to the researcher that PHI satisfy 45 CFR part 46 or 21 CFR part 50.
necessary for the researcher to contact However, the informed consent information
the individual. describing the nature and purposes of the
research should be as specific as possible.
Q: The Privacy Rule requires that Authoriza­
tion for PHI uses and disclosures for The Privacy Rule does not override or
research purposes be research trial or modify the HHS or FDA Protection of
study specific. May research sponsors Human Subjects Regulations on informed
and researchers who are covered entities consent. Rather, these Federal regulations
continue to obtain informed consent must be construed together where more
from research participants under the than one applies. Under the Privacy Rule,
HHS or FDA Protection of Human an Authorization governs the use of PHI by
Subjects Regulations to conduct a a covered entity for research and the pur­
limited class of unspecified future poses and conditions for which a covered
research? entity may disclose PHI to a researcher.
Therefore, an Authorization, whether
A: Yes, under certain limited circumstances, combined with an IRB-approved consent
the HHS and FDA Protection of Human (as permitted in the Privacy Rule at section
Subjects Regulations at 45 CFR 46.116 and 164.508(b)(3)(i)) or separate, could not be
21 CFR 50.25, respectively, permit an IRB- for future unspecified research. Rather, the
approved informed consent to be broader Authorization would need to describe the
than for a specific research study. For research purpose of the use or disclosure,
example, when obtaining biological or required by section 164.508 of the Privacy
tissue specimens from living individuals to Rule, which must be research trial or study
create a repository established and main­ specific. Even where an Authorization is
tained for research purposes, the IRB- combined with an IRB-approved informed
approved informed consent document may consent, the Authorization would need to
include a description of the specific types of be limited in such a way, even though the
research to be conducted using the data and HHS and FDA Protection of Human
specimens maintained for the repository. In Subjects Regulations would permit the IRB-
addition, for future research that involves approved informed consent document to
the study of individually identifiable also describe the certain unspecified types of
information maintained for the repository, research that may be conducted in the
an IRB may determine that the original future using the data and specimens main­
informed consent for the creation of the tained for the repository. Thus, uses and
research repository satisfies the requirements disclosures for such future research would
of 45 CFR part 46 and/or 21 CFR part 50 require an additional Authorization, except
for the conduct of future research, provided as permitted without Authorization, under
that the future research now being proposed section 164.512(i) (e.g., with a waiver of
was adequately described in the origi­ Authorization) or 164.514(e) (i.e., as a
nal informed consent. For some tissue limited data set with a data use agreement).
repositories, the specific type of research
that may be done in the future on donated
biological and tissue specimens was un­
known when the tissue was donated but

15

Q: May research sponsors and researchers who Q: Do the HHS or FDA Protection of Human
are NOT covered entities continue to Subjects Regulations require IRBs to
obtain informed consent from research oversee the compliance of investigators
participants under the HHS or FDA with the Privacy Rule?
Protection of Human Subjects Regulations
to conduct a limited class of unspecified A: No. Neither the HHS nor FDA Protection
future research even though the Privacy of Human Subjects Regulations require
Rule requires that Authorizations for IRBs to oversee investigators’ compliance
research be research trial or study specific? with the Privacy Rule.

A: Research sponsors and researchers who are Q: Will OHRP or FDA assess compliance
not covered entities or not workforce with the requirements of the Privacy Rule
members of a covered entity are not re­ during their compliance oversight evalua­
quired to comply with the Privacy Rule. tions pertaining to the HHS or FDA
However, research sponsors and researchers Protection of Human Subjects Regulations
may be subject to the HHS and/or FDA (45 CFR part 46 and 21 CFR parts 50 and
Protection of Human Subjects Regulations, 56, respectively)?
which are not modified or replaced by the
Privacy Rule. Thus, research sponsors and A: No. Since neither OHRP nor FDA enforce
researchers may, to the extent permitted by the Privacy Rule, OHRP will not assess
the HHS and FDA Protection of Human compliance with the Privacy Rule during
Subjects Regulations at 45 CFR 46.116 and compliance oversight evaluations, and FDA
21 CFR 50.25, respectively, continue to will not assess compliance with the require­
obtain informed consent from research ments of the Privacy Rule during inspec­
participants under these regulations to tions to determine compliance with their
conduct a limited class of unspecified future respective regulations.
research.
1 Including 21 CFR 56.108 and 45 CFR 46.108.
2 Including 21 CFR 56.110 and 45 CFR 46.110.
3 These categories are published and updated in the Federal

Register. The current list of categories has been published at


63 Federal Register 60364 (November 9, 1998). A copy of the
list is available at http://www.hhs.gov/ohrp/humansubjects/
guidance/expedited98.htm and http://www.fda.gov/oc/ohrt/irbs/
expeditedreview.html.

NIH Publication Number 03-5428 August 2003

16