September 27, 2004 SACHRP chair letter to HHS Secretary on HIPAA - Health Insurance Portability and Accountability Act

The Honorable Tommy G. Thompson
Department of Health and Human Services
200 Independence Ave., SW
Washington, D.C. 20201

Dear Mr. Secretary,

Over the past several months, the Secretary’s Advisory Committee on Human Research Protections (SACHRP) has carefully considered the difficulties in implementing the Final Privacy Rule issued in August 2002 by the Department under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

SACHRP fully and strongly supports the Department’s commitment to enhancing privacy protections for human research subjects, and notes that consideration of privacy issues has long been a required part of the research application and approval process under the regulations applicable to human subjects research, known as the “Common Rule” (i.e. the Federal Policy for the Protection of Human Subjects). However, commentary from representatives of the Association of American Medical Colleges, the National Committee on Health and Vital Statistics, and a number of academic health science centers indicates that there have, and continue to be, significant problems associated with the implementation of HIPAA in the context of research involving human subjects. In consideration of these problems, the following are SACHRP’s recommendations concerning needed clarification and modification of the Privacy Rule. Each of the nine recommendations contains a referenced appendix, which provides a detailed rationale.

Recommendation I: The disclosure of protected health information (PHI) for research purposes should be expressly exempted from the Final Privacy Rule’s accounting requirements, and instead, Covered Entities should be required to inform patients in the Notice of Privacy Practices that their PHI may be used and disclosed for research purposes without their express authorization only in limited circumstances where additional safeguards are in place. (Refer to Appendix A).

Recommendation II: The Department should review the standards for de-identification of data in order to reduce the number of data categories that must be eliminated for data to be regarded as de-identified. Among those data categories that should be strongly considered for deletion from the de-identification standards are zip codes, geographic subdivisions, and dates. While the specific addresses of persons should not be included in de-identified information, more general areas of residence, work or origin, may, in fact, be essential to epidemiologic and other studies of, for example, disease incidence. Additionally, most dates, including admission and discharge dates, provide essential endpoints for much research without directly identifying the individual. (Refer to Appendix B)

Recommendation III: Rather than focusing on the distinction between “internal” and “external” researchers created by HIPAA’s artificial organizational rules, the Department should key any distinction in the ability of researchers to use PHI to contact subjects without the additional requirement of Institutional Review Board (IRB) waiver or a business associate agreement around whether the Covered Entity exercises effective control over the researcher through application of its policies and procedures. Specifically, SACHRP recommends that the existing distinction be removed between, on the one hand, all researchers who are affiliated with the Covered Entity, through membership in the Covered Entity’s “workforce,” making them “internal” to the Covered Entity for HIPAA purposes, and on the other hand, those who otherwise are subject to the Covered Entity’s policies and procedures, for example, by virtue of being a member of the Covered Entity’s faculty or medical staff or by being in an organized health care arrangement with the Covered Entity. SACHRP also recommends that additional guidance be provided so that the Department’s interpretation of HIPAA does not result in a weakening of existing privacy protections under the Common Rule. (Refer to Appendix C).

Recommendation IV: When an IRB has considered and approved a research consent form that permits consent to certain future uses under the Common Rule standard, the Final Privacy Rule should likewise permit subjects to authorize the use and disclosure of their PHI for the same future uses. Any subsequent research using the PHI that goes beyond the scope of the authorization to future uses or disclosures would require IRB or Privacy Board waiver of the Privacy Rule’s Authorization requirements, or subsequent authorization from each subject. (Refer to Appendix D).

Recommendation V: The Department should revise HIPAA’s compound authorization rules to permit the combining of research authorizations into one form when researchers seek to bank data and materials collected as part of an underlying clinical trial; however, in order to promote patients/subject choice, the rules should require that subjects be given the ability to “opt in” to the banking portion of the authorization. (Refer to Appendix E).

Recommendation VI: The Department should revise the categories of research for which authorization is not required, so that those categories are consistent with research determined by an IRB or other appropriate institutional authority to be exempt from the requirements of the Common Rule. (Refer to Appendix F).

Recommendation VII: The Department should revise the transition Rules to grandfather not only research that received IRB waiver of informed consent under the Common Rule prior to HIPAA’s compliance date but also research that did not receive IRB review or oversight as a result of having met an exemption under the Common Rule. (Refer to Appendix G).

Recommendation VIII: The Department should clarify, if legally possible, that PHI collected from foreign nationals outside the United States by researchers engaged in international research who are affiliated with Covered Entities is not subject to HIPAA’s requirements solely as a result of the researchers’ affiliation with the Covered Entity. Alternatively, SACHRP recommends that there be guidance as to how research conducted outside the United States can be insulated from HIPAA’s applicability so that Covered Entities and their affiliated researchers can continue to participate in this important research without triggering HIPAA’s requirements. (Refer to Appendix H).

Recommendation IX: The Department should revisit both the definition of public health authority as well as the exception for uses and disclosures for public health activities. The revisions should serve to broaden them sufficiently to ensure that federal and state agencies whose primary purpose is the prevention or control of disease, injury, or disability or the analysis of data in alliance with public health and public benefits agencies fall under this exception, even if the legal authority establishing such agencies does not explicitly authorize them to compel the collection of PHI in the course of their duties. (Refer to Appendix I).

Finally, it should be noted that SACHRP appreciates the fact that human subjects research is, in the regulatory sense, a complicated endeavor, often under the concurrent jurisdiction of the Office for Human Research Protections (OHRP), the Food and Drug Administration (FDA) and other agencies. The accretions of years of guidance from these agencies must be coordinated with the complexities of the new HIPAA requirements. In most cases, SACHRP understands that Covered Entities have had little problem in crafting and securing subjects’ authorizations for enrollment in research studies, and in understanding the need after HIPAA for an enhanced awareness of respect for privacy rights of subjects. At the same time, however, the HIPAA requirements have introduced great uncertainty and have caused both anguish and confusion in some areas in which the Privacy Rule seems duplicative, contrary to, or inconsistent with established Common Rule practices.

It is important to note in this regard that strong federal policy, long preceding HIPAA, decreed protection and balancing of three interests in human subjects research B justice, beneficence and respect for persons, which must be read to include privacy B and not the consideration of one interest to the exclusion or unwarranted diminishment of the other two. As set forth in this letter, SACHRP is concerned that in some areas, the application of HIPAA to human subjects research has unnecessarily complicated research activities, including IRB review and oversight. While one concern is that cost must not be increased unless meaningful protections are achieved, another concern is that complexity adds confusion, both to subjects and to researchers. SACHRP therefore urges the Department to consider the overall impact of HIPAA on both human subjects and the wide variety of research projects necessary to promote the common good.

SACHRP thanks the Department for its consideration of these comments and suggestions as it proceeds with its continued guidance for and refinement of the HIPAA Privacy Rule. SACHRP stands ready to assist the Department and to provide any other help that the Department may request.


Ernest D. Prentice, Ph.D.

Bernard A. Schwetz, D.V.M., Ph.D., Executive Secretary B SACHRP
Catherine Slatinshek, M.A., Executive Director B SACHRP

Content created by Office for Human Research Protections (OHRP)
Content last reviewed