November 23, 2010 SACHRP Letter to HHS Secretary on HITECH Proposed Rule

Howard K. Koh, M.D., M.P.H.
Assistant Secretary for Health
US Dept. of Health and Human Services
HHH Building – Room 716G
200 Independence Avenue, S.W.
Washington, D.C.  20201

Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act; Proposed Rule

Dear Dr. Koh:

The Secretary’s Advisory Committee on Human Research Protections (SACHRP) advises the Secretary of the U.S. Department of Health and Human Services (HHS) on human subjects research protection issues. Shortly after its creation in 2003, SACHRP began developing recommendations on significant topics in research, with one of the earliest themes being privacy protection and regulation. It is within that historical context -- and in recognition of current expanded abilities to access identifiable data and materials -- that SACHRP, by this letter, offers its comments on the HHS Notice of Proposed Rulemaking that modifies the Privacy and Security Rules in light of the Health Information Technology for Economic and Clinical Health Act (HITECH).[1]

In September 2004, SACHRP submitted several recommendations to the Secretary to address the Privacy Rule issued under the Health Insurance Portability and Accountability Act (HIPAA). A recurrent theme in the recommendations was the need for more coordination and less complexity among HHS requirements for human subjects research, including HIPAA privacy requirements. As SACHRP explained at the time:

… SACHRP appreciates the fact that human subjects research is, in the regulatory sense, a complicated endeavor, often under the concurrent jurisdiction of the Office for Human Research Protections (OHRP), the Food and Drug Administration (FDA) and other agencies. The accretions of years of guidance from these agencies must be coordinated with the complexities of the new HIPAA requirements…. As set forth in this letter, SACHRP is concerned that in some areas, the application of HIPAA to human subjects research has unnecessarily complicated research activities, including IRB review and oversight.

SACHRP Chair Letter to HHS Secretary on HIPAA, September 27, 2004, available at [hereinafter SACHRP Chair Letter, September 27, 2004].

In this letter, we reiterate the importance of a harmonized approach within HHS to human subjects research regulation, including privacy regulation that now includes HIPAA and HITECH. More specifically, we address several research-specific issues in the NPRM – including compound authorizations, future research, the “minimum necessary” standard, business associates, and restrictions on the sale of protected health information (PHI) – and do so primarily in the context of SACHRP’s prior recommendations for harmonization on these topics.

Compound Authorizations (75 FR 40892-93)

HIPAA generally prohibits the use of a “compound authorization,” which is a HIPAA authorization that is combined with another type of legal permission. One exception is that a research consent form and HIPAA authorization can be combined in clinical trials. However, HHS previously took the position that if a clinical trial also included specimen/data banking, then a separate authorization for banking was needed because the “banking” activity must be regarded as distinct from the clinical trial.

In SACHRP’s 2004 recommendations, it expressed concern that HHS’s rule on compound authorizations overcomplicated banking research and revealed a lack of harmonization with OHRP, which allowed one consent form for a clinical trial that had a banking component. As SACHRP proposed:

Recommendation V: The Department should revise HIPAA’s compound authorization rules to permit the combining of research authorizations into one form when researchers seek to bank data and materials collected as part of an underlying clinical trial; however, in order to promote patients/subject choice, the rules should require that subjects be given the ability to “opt in” to the banking portion of the authorization. (Refer to Appendix E).[1]

SACHRP Chair Letter, September 27, 2004 (emphasis added).

SACHRP appreciates HHS’s recognition of this recommendation in the NPRM. HHS cites Recommendation V above for its new proposal to allow one combined authorization for a clinical trial that also includes banking, as long as covered entities distinguish between which activity is “conditioned” on signing the authorization (i.e., the clinical trial) and which activity is optional or “unconditioned” (i.e., banking).[2] HHS appropriately acknowledges that “multiple forms may be confusing for research subjects,” “documenting and storing twice as many authorizations is a major concern,” and reportedly, “recruitment into clinical trials has been hampered, in part, because [of] the multiplicity of forms.”[3]

We offer the following comments:

  1. SACHRP supports HHS’s proposal to modify the Privacy Rule to allow a covered entity to use one consolidated authorization that covers a clinical trial and a banking component. In particular, we support the harmonization goal of this proposal, as it would better align HIPAA with Common Rule informed consent requirements, as interpreted by OHRP.
  2. We request that HHS confirm in the final rule, for the sake of clarity in application, that compound authorizations are permissible for any type of combined research studies, including but not limited to clinical trials with a banking component (provided that the conditioned and unconditioned activities are clear). For example, we believe HHS’s proposal would allow a covered entity to use a combined authorization for (i) a clinical trial and optional sub-study or sub-studies (e.g., a pharmacokinetic sub-study using data from a clinical trial), and (ii) a banking protocol that permits secondary research.
  3. We support HHS’s proposal to give covered entities flexibility in how to distinguish between conditioned and unconditioned activities in their forms. For example, HHS notes that a check-box or extra page explaining the “unconditioned” (banking) activity may be appropriate. We ask that HHS encourage entities to implement the new standard in a way that minimizes duplicative or confusing information for potential research participants. We also recommend that HHS allow entities to present the “unconditioned” activity in ways that can be most easily tracked. This would help to ensure that entities are able to honor individuals’ requests and avoid negative effects on individuals’ interests. To illustrate these points, SACHRP offers three models in Attachment A that we believe should be acceptable under the final rule and ask that HHS confirm their acceptability.
  4. We ask HHS to confirm that its proposal does not affect the availability of the waiver provisions in the existing Privacy Rule. That is, if a covered entity uses a compound authorization for a clinical trial with a banking component, and a researcher later proposes to an IRB or a Privacy Board a new study that is distinct from both the original study and the banking activity, the covered entity, through its IRB or Privacy Board, may consider and approve a waiver of authorization to allow the third, new study to be undertaken.
  5. We recommend that HHS clarify the effect of revoking only one part of a compound authorization. For example, if a covered entity uses a combined consent/authorization for a clinical trial and optional banking research, and an individual who authorized all the research later revokes authorization for banking, then the covered entity may still rely on the consent/authorization for the clinical trial.
  6. We encourage HHS to engage in ongoing dialogue with covered entities to develop best practices for documentation that satisfy the new proposed compound authorization rule. The harmonization goal is best achieved if entities can satisfy HIPAA, Common Rule, and FDA requirements with one template form.
  7. We ask HHS to clarify the practical implications of a finalized compound authorization rule for covered entities, in terms of the timing of compliance and permissible strategies for new studies and previously approved, ongoing studies.

I. Future/Secondary Research (75 FR 40893-94)

HHS previously took the position that an authorization must be study-specific and could not authorize broad areas of future/secondary research. This interpretation conflicted with OHRP’s view that informed consent may describe both a specific study and the possibility of future/secondary research. As SACHRP explained in 2004:

Recommendation IV: When an IRB has considered and approved a research consent form that permits consent to certain future uses under the Common Rule standard, the Final Privacy Rule should likewise permit subjects to authorize the use and disclosure of their PHI for the same future uses. Any subsequent research using the PHI that goes beyond the scope of the authorization to future uses or disclosures would require IRB or Privacy Board waiver of the Privacy Rule’s Authorization requirements, or subsequent authorization from each subject. (Refer to Appendix D).

SACHRP Chair Letter, September 27, 2004 (emphasis added).

SACHRP appreciates HHS’s recognition of this recommendation in the NPRM. HHS cites Recommendation IV above for its proposed new interpretation that would allow an authorization for future/secondary research. We support the harmonization goal of this proposal, and believe that this proposal for the HIPAA authorization is more consistent with OHRP’s interpretation of Common Rule informed consent requirements.

HHS requested comment on what degree of specificity the Privacy Rule should require in an authorization for future research. We support an approach that best meets harmonization goals so that covered entities can use a consistent approach to obtaining informed consent for future research and authorization for the same scope of future research.

SACHRP offers the following comments:

1. We believe that an informed consent and authorization, together, should provide appropriate information such that it would be reasonable for an individual to expect that his/her health information could be used or disclosed for the research. Consistent with informed consent standards, the authorization should be reasonably specific such that individuals are aware of the types of research that may be conducted. IRBs are already responsible under the Common Rule for determining what information is material to potential participants before they agree to research, including future/secondary research. We do not recommend requiring IRBs or covered entities to adopt prescribed statements about certain types of research, because conceptions of the types of research requiring special considerations, such as “sensitive” research, change over time. In addition, IRBs need flexibility in approving consent forms to address concerns unique to particular subject populations, and prescribed authorization statements may conflict with an IRB’s judgments about how to describe the research appropriately in the informed consent.

2. We recommend that HHS clarify in the final rule that covered entities have flexibility in applying the existing authorization elements (45 CFR 164.508) to future/secondary research. The existing elements are designed to apply to a specific research activity and are, or could be interpreted to be, too rigid for future/secondary research. Examples include:

  • The existing authorization standards require a revocation to be in writing. For longer-term research studies, such as banking research and future/secondary research, HHS should permit (but not require) covered entities to accept an oral revocation by an individual (such as by telephone call to the researcher or institution), as this is less burdensome to individuals. [45 CFR 164.508(b)(5) and (c)(2)(i).]
  • An authorization currently must identify the health information to be used or disclosed in a “specific and meaningful fashion.” For future/secondary research, a high level of specificity may not be possible. Covered entities should be allowed to describe the information reasonably, consistent with the nature of research described in the authorization. For example, if updated medical information (beyond the information collected at the time of the original study) may be used for the future research, statements such as “your future medical records [at Hospital]” or “your future medical records [relating to diseases/conditions]” should be regarded as satisfying the standard. We request this clarification because some biobanks enrich the research value of stored specimens through ongoing linkage to medical information (e.g., outcomes data), so covered entities will need to know if statements such as the above appropriately inform individuals under the Privacy Rule. [45 CFR 164.508(c)(1)(i).]
  • An authorization currently must be specific as to the “person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.” The level of specificity for this standard should be reasonably interpreted and flexibility should be allowed, in light of the uncertainty of the identity of future researchers who will have legitimate research need to access the PHI. For example, it would be helpful if HHS could accept the proposition that “other researchers at academic or commercial entities domestically or outside the U.S.” is permissible, in the interests of ensuring individuals are aware upfront of the potential breadth of disclosures; such an expression of the identity of future researchers is already often allowed by IRBs in approving consent forms for future, “downstream” research. An alternative is that covered entities would need to specify a group initially (e.g., “other oncology researchers”), but may need, through IRBs or privacy boards, to consider waiving authorization downstream for a different disclosure. [45 CFR 164.508(c)(1)(iii).]

3. In the interests of harmonization, we request that OCR and OHRP consult with FDA to determine whether a consent/authorization to future/secondary research that meets Common Rule and Privacy Rule standards also meets FDA standards for informed consent. It would be most useful and efficient if these three offices within HHS could adopt a common approach to this issue.

4. We recommend that HHS grandfather existing, ongoing studies that involve the possibility of future/secondary research, if an IRB-approved consent reasonably informed the individuals of how their health information could be used or shared for such research.

5. We ask HHS to clarify the practical implications for covered entities of the new interpretation that would allow authorizations for future/secondary research, including the timing of compliance and permissible approaches for new studies.

II. Minimum Necessary (75 FR 40896)

HHS requested input as it develops required guidance under HITECH on the “minimum necessary” standard. SACHRP supports the flexibility permitted under the minimum necessary standard in the original Privacy Rule, as that standard applies to research. The standard and its interpretation should not be changed in any way that affects IRBs, or that affects covered entities’ ability to rely on a researcher’s representation as to the minimum necessary information needed for a research use.

V. Business Associates (75 FR 40872-74)

HITECH substantially expands the requirements and the liability of business associates. Existing HHS guidance clarifies that researchers generally are not business associates because research is not a “covered function.” SACHRP requests that HHS confirm that outsourced research review, approval, and continuing oversight functions (such as through using an external or independent IRB) similarly do not give rise to a business associate relationship. This clarification would serve an important harmonization goal, as federal policy looks increasingly toward the use of central IRBs (which are outside of and separate from a covered entity’s own IRB). We are concerned that if outside IRBs were regarded as business associates, this could deter some entities from using them, as the need to negotiate business associate agreements and related liability risks under HITECH would be a new, time- and resource-intensive requirement for IRBs and the institutions that they serve. Any such disincentive to use external, central IRBs would undermine and run contrary to the position of, for example, the NIH, which increasingly has supported the use of central IRBs in multi-site studies.

No Sale of PHI (75 FR 40890-92)

HITECH prohibits a covered entity or business associate from receiving direct or indirect remuneration in exchange for the disclosure of protected health information, without individual authorization. The research exception permits a covered entity to receive a reasonable, cost-based fee to cover the cost of preparing and transmitting information for research purposes.

  • We ask that HHS clarify how this provision applies to a scenario in which a covered entity discloses protected health information to a business associate for one purpose (e.g., quality benchmarking), and the business associate asserts the right to create a limited data set and use or disclose it for separate, unrelated research by itself or other third parties. For example, the business associate may aggregate identifiable information that it receives for benchmarking purposes in its own proprietary database, and then make a limited data set available to other parties for research, for a fee. We ask that HHS clarify whether this is impermissible direct or indirect remuneration to the business associate (which already has been paid for the primary service), unless the covered entity obtains individuals’ written authorization.
  • A pharmaceutical or device company funds a researcher within a hospital to perform (under a waiver of consent and authorization) a retrospective records review study of patient records within that hospital, to determine adverse effects, if any, of a drug or device. We ask OCR to confirm that, unless authorizations are obtained, the covered entity hospital may accept only a reasonable fee that covers the study and its assembling and transmittal of the data.
  • Alternately, the company may offer to pay the medical records department or QA office of the hospital to assemble these data, under a waiver of authorization and consent granted by the hospital’s IRB/privacy board to a company researcher. In this scenario, the assembling of the data is done by the medical records department or QA office, and is transmitted to the company. We ask OCR to confirm that the hospital may accept only a reasonable fee for this service, including transmittal of the data.
  • A pharmaceutical or device company sponsor pays a covered entity for carrying out a clinical trial. As part of the trial, the sponsor pays for a number of required services and activities (e.g., patient enrollment, informed consent process, certain medical tests or services, reporting of adverse events, IRB fees, data collection and analysis) and expects to receive case report forms, adverse events reports, and other specific data on subjects, all of which would be allowed by authorizations and informed consents signed by the subjects. We ask OCR to confirm that this practice, including the payment by a sponsor for the regular costs of the clinical trial, is permissible and does not require a specific statement in the authorization from subjects, in order for this payment to be made.

We appreciate the careful attention that SACHRP’s prior recommendations have received. Thank you for the opportunity to comment.



Barbara E. Bierer, M.D.
Chair, Secretary’s Advisory Committee
on Human Research Protections

[1] Appendix E explained in part: “While SACHRP recognizes the distinct importance of the informed consent and HIPAA authorization documents and appreciates the Department's clarifications regarding combining research informed consents with HIPAA research authorization forms, the more integrated the information provided to subjects, whether required by the Common Rule or the Privacy Rule, the better chance that the resulting consent and authorization will be meaningful to subjects.” SACHRP Chair Letter, September 27, 2004, Appendix E, available at
[2] 75 Fed. Reg. at 40893.
[3] Id.


Content created by Office for Human Research Protections (OHRP)