Attachment B - Recommendations on the Interpretation and Application of §_.104(d)(4) the “HIPAA Exemption

SACHRP Recommendations on the Interpretation and Application of Exemption §_.104(d)(4), the “HIPAA Exemption”
On January 19, 2017, the U.S. Department of Health and Human Services (“HHS”) and 15 other federal departments and agencies (collectively, the “Common Rule Signatories”) promulgated regulations (the “Final Rule”) to revise the Federal Policy for the Protection of Human Subjects in Research (the “Common Rule”).   The Final Rule includes a new provision under which some defined categories of “secondary research uses” of identifiable private information and identifiable biospecimens are exempted from the Common Rule’s requirement that the researcher obtain institutional review board (“IRB”) review and approval of the research and informed consent of the research subject.   The term “secondary research,” while not defined in the Final Rule text itself, is described in the preamble to the Final Rule as “re-using identifiable information and identifiable biospecimens that are collected for some other ‘primary’ or ‘initial’ activity.” 
One of these new grounds for exemption in the Final Rule applies to secondary research activities that are regulated under the Health Insurance Portability and Accountability Act of 1996 Privacy Rule (the “HIPAA Exemption”).  Specifically, this new exemption is found in subsection (iii) of Section 104(d)(4), which provides:
Secondary research for which consent is not required: Secondary research uses of identifiable private information or identifiable biospecimens, if at least one of the following criteria is met:
     (i) The identifiable private information or identifiable biospecimens are publicly available;
     (ii) Information, which may include information about biospecimens, is recorded by the investigator in such a manner that the identity of the human subjects cannot readily be ascertained directly or through identifiers linked to the subjects, the investigator does not contact the subjects, and the investigator will not re-identify subjects;
    (iii) The research involves only information collection and analysis involving the investigator's use of identifiable health information when that use is regulated under 45 CFR parts 160 and 164, subparts A and E, for the purposes of ``health care operations'' or ``research'' as those terms are defined at 45 CFR 164.501 or for ``public health activities and purposes'' as described under 45 CFR 164.512(b); or
    (iv) The research is conducted by, or on behalf of, a Federal department or agency using government-generated or government-collected information obtained for nonresearch activities, if the research generates identifiable private information that is or will be maintained on information technology that is subject to and in compliance with section 208(b) of the E-Government Act of 2002, 44 U.S.C. 3501 note, if all of the identifiable private information collected, used, or generated as part of the activity will be maintained in systems of records subject to the Privacy Act of 1974, 5 U.S.C. 552a, and, if applicable, the information used in the research was collected subject to the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq.
The application of this new exemption – like the application of HIPAA itself – is complex, and without sufficient guidance, research institutions, IRBs, and the general public may have difficulty understanding the circumstances under which the HIPAA Exemption may and may not be relied upon as an exemption from Common Rule requirements.  Understanding the contours of the HIPAA Exemption will be significant for researchers involved in secondary research activities, particularly records research, as investigators conducting research activities that qualify for the exemption will be permitted to forego the requirement of securing IRB approval and informed consent (traditional informed consent, or “broad consent”) or waiver of consent for such secondary research. 
Summary of Relevant Provisions of HIPAA and HIPAA Exemption

HIPAA Requirements for Research Involving PHI

The adoption of this HIPAA Exemption has been predicated on an understanding that when both HIPAA and the Common Rule apply to specific human subjects research activities, the overlapping regulatory requirements can lead to confusion, duplicative review, and extra burden on the researcher and his or her institution.  The exemption is an acknowledgment that a subset of research activities that are already protected by HIPAA—secondary research involving protected health information (“PHI”)—already afford human subjects rigorous regulatory protection of their privacy and that aside from privacy risks, these activities typically have lower overall human subjects research risk than many forms of primary human subjects research.  Therefore, it seems appropriate from an ethical perspective, and less confusing and burdensome for researchers, if the activities already subject to HIPAA’s rigorous requirements regarding research use of PHI not simultaneously be subject to the Common Rule’s requirements regarding the use of identifiable private information. 

The vast majority of individual and institutional health care providers in the United States—specifically, all providers who or that conduct billing or other certain financial and administrative transactions electronically—as well as health plans and health care clearinghouses are “covered entities” subject to HIPAA.   The HIPAA Privacy Rule governs the use and disclosure of PHI by covered entities and members of their “workforce,” a term that is defined broadly to include “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”   Therefore, most physicians and other researchers who are covered entities themselves or who are employed or otherwise working under the control of health care providers and other HIPAA covered entities are fully subject to the HIPAA Privacy Rule.

With limited exceptions for specific issues that are not the primary focus of this guidance, such as de-identified data sets, limited data sets, or review of information preparatory to research, the HIPAA Privacy Rule requires a covered entity, before utilizing PHI for research purposes, either (i) to secure a written authorization from an individual that gives the researcher permission to use or disclose PHI for the purposes described in the authorization, or (ii) to have the written authorization requirement waived or altered by an IRB or Privacy Board.   The three criteria for approving a waiver or alteration of authorization are as follows:

(A) The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

     (1) An adequate plan to protect the identifiers from improper use and disclosure;

     (2) An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of research, unless there is health or research justification for retaining the identifiers or such retention is otherwise required by law; and

     (3) Adequate written assurances that the PHI will not be reused or disclosed except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by the Privacy Rule;

(B) The research could not practicably be conducted without the waiver or alteration; and
(C) The research could not practicably be conducted without access to and use of the PHI. 
Types of Research Activities for Which HIPAA Exemption May Apply

As stated above, the new HIPAA Exemption under the Common Rule applies only to secondary research, i.e., the re-use of identifiable information that was originally collected for some other research or health care activity.  The most common form of identifiable information likely to be covered by this exemption is identifiable health information found in existing clinical or research records (e.g., PHI within a hospital’s electronic medical records system or research database that was previously developed for another research study, health plan claims and payment data).   The preamble to the Final Rule provides useful examples of which research activities would and would not qualify for the HIPAA Exemption.  Investigators seeking to collect information directly from research subjects by asking them to complete a health information questionnaire would not be covered by the exemption, as that activity would be considered primary collection of information.  On the other hand, research involving the use of information in an existing databank could be considered a “secondary” use of information for purposes of this exemption. 

The preamble to the Final Rule also explains the Common Rule Signatories’ rationale underlying the addition of the HIPAA Exemption to the Common Rule, and SACHRP believes it is important to consider this commentary in evaluating how best to interpret the text of the HIPAA Exemption.  In short, the Common Rule Signatories provide that when an individual’s identifiable health information is protected by HIPAA, the HIPAA protections—specifically, the need to obtain a HIPAA authorization from a subject or seek waiver or alteration of HIPAA authorization from an IRB or privacy board—are “adequate” for the type of research that is the subject of the exemption, and that “it is unduly burdensome and confusing to require applying the protections of both HIPAA and [the Common Rule].”   In other words, through the preamble the Common Rule Signatories have expressed a view deeming HIPAA protections (authorization requirements in combination with the protections relating to the privacy and security of one’s private information) as substantially equivalent, for the types of secondary research to which the exemption will apply, to the protections under the Common Rule, which address more broadly all types of risks that subjects may face during research.

The Common Rule Signatories’ full commentary in support of the HIPAA Exemption is as follows:

With regard to the criterion at § __.104(d)(4)(iii), HIPAA also provides protections in the research context for the information that would be subject to this exemption (e.g., clinical records), such that additional Common Rule requirements for consent should be unnecessary in those contexts.  Under HIPAA, these protections include, where appropriate, requirements to obtain the individual’s authorization for future, secondary research uses of protected health information, or waiver of that authorization by an IRB or HIPAA Privacy Board.  This provision introduces a clearer distinction between when the Common Rule and the HIPAA Privacy Rule apply to research in order to avoid duplication of regulatory burden.  We believe that the HIPAA protections are adequate for this type of research, and that it is unduly burdensome and confusing to require applying the protections of both HIPAA and an additional set of protections. 

Implementation Considerations

As described in the preamble commentary quoted above, the purpose of the HIPAA Exemption is to “avoid duplication of regulatory burden.”  In large part, the reduced burden will take the form of a shift away from convened IRB review of many “secondary use” research studies that will instead fall solely under HIPAA requirements.  One of the main ramifications of the shift toward use of the HIPAA Exemption for such studies is that research administration and staff (or less optimally, researchers themselves) will often be responsible for determining whether a research project qualifies for the HIPAA Exemption.  If they conclude that a particular project does so qualify, there would no longer be an IRB reviewing the study and confirming that the research team is correct in concluding that the HIPAA Exemption is being utilized appropriately.  To ensure that such decisions are made in a legally and ethically appropriate fashion, research institutions will need to provide training and to develop policies and procedures to ensure that researchers seeking to utilize the HIPAA Exemption will be offered guidance from institutional officials regarding appropriate use of the exemption and will be monitored appropriately in their use of it.

Additionally, for the situations in which a research project would need to rely upon a HIPAA waiver or alternation of authorization (as opposed to an express HIPAA authorization) to qualify for the HIPAA Exemption, IRBs or Privacy Boards (depending on the institution) will play an important role in examining and determining that the uses of the identifiable information contemplated by the secondary research project will involve no more than a minimal risk to the privacy of individuals and that the research could not practicably be conducted without the waiver or alteration, criteria that are required to be satisfied under the HIPAA Privacy Rule.  Therefore, in the role prescribed for IRBs or Privacy Boards under 45 C.F.R. § 164.512(i)—a more limited role than convened IRB review—IRBs and Privacy Boards will serve as crucial gatekeepers of the HIPAA Exemption.  In order to implement the HIPAA Exemption appropriately, covered entity institutions will need to make sure that their IRBs and/or Privacy Boards and their staffs are trained and resourced to discharge these functions.

Recommendations on the Interpretation of the HIPAA Exemption

Based on the commentary offered by the Common Rule Signatories in their preamble to the Final Rule and the description offered in the above sections of this guidance regarding how the HIPAA Privacy Rule applies to use of PHI for research purposes, SACHRP makes recommendations below for understanding the scope of the HIPAA Exemption and notes important issues for research institutions and researchers to consider in evaluating how the new exemption may be used in practice.

The Term “Use” and Ability to Rely on HIPAA Exemption for Research Undertaken with Third Party Collaborators That Are Also HIPAA Covered Entities 

· SACHRP advises that secondary research in which one covered entity discloses, consistent with all HIPAA requirements, PHI to a second covered entity so that researchers at the second covered entity can participate as a research collaborator with the first covered entity should be considered eligible for the HIPAA Exemption.

The HIPAA Exemption focuses on the term “use.”  The exemption is expressly limited to “secondary research uses” of identifiable private information, and only applies to “information collection and analysis involving the investigator’s use of PHI when that use is regulated under [HIPAA] . . .”   The Common Rule does not define “use,” but the term has a particular meaning under HIPAA:  use of PHI within a covered entity, as distinguished from any sharing of PHI with a third party outside of the covered entity.   Sharing PHI with third parties constitutes a “disclosure”—not a “use”—under HIPAA, with “disclosure” defined under HIPAA regulations to mean “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 

The HIPAA Exemption expressly cross-references HIPAA when referring to a “use [that] is regulated under 45 CFR parts 160 and 164, subparts A and E.”  Accordingly, the regulatory text appears to refer only to “uses” that are internal to a covered entity.  OCR and OHRP have confirmed in conversations with SACHRP Subcommittees that this wording was intentional in order to avoid other implications that may have arisen if the exemption extended also to allow “disclosures”—for example, “disclosures” from a covered entity to a non-covered entity, with the PHI thereby losing the protections under HIPAA.  However, based on discussions with OHRP and OCR, it also appears that this exemption was intended to allow separate HIPAA covered entities to conduct collaborative research.  In light of these discussions between OCR, OHRP and the SACHRP Subcommittees, SACHRP suggests that there is a HIPAA-compliant regulatory pathway to allow the use of the HIPAA Exemption for collaborative research among covered entities.  Specifically, the exemption can and should be read to extend to research in which researchers within one covered entity share PHI with research partners within a second covered entity, so long as appropriate HIPAA authorization or waiver or alteration of authorization has been secured permitting the first covered entity to “disclose” the information to the other collaborating covered entity.

This disclosure from one covered entity to another covered entity is the essential element permitting the HIPAA Exemption to extend to research carried out by multiple covered entity institutions.  Specifically, the HIPAA Exemption, which lies within the Common Rule and not HIPAA, does not by itself permit multiple covered entities to engage in all of the activities that are needed to conduct collaborative research using the HIPAA Exemption.  Instead, in order for research involving multiple covered entity institutions to be eligible for the HIPAA Exemption, a disclosure of PHI must be effected under the HIPAA Privacy Rule – that is, one of the covered entities must obtain from an IRB or Privacy Board a waiver or alteration of authorization to allow the disclosure of  the PHI from that covered entity to the other, unless the PHI may be disclosed pursuant to a previously executed HIPAA authorization form or a previously obtained waiver or alteration of authorization.  This permission from the IRB or Privacy Board and resulting lawful disclosure of the PHI between covered entities must be accomplished under the authority and processes of the HIPAA Privacy Rule, because, as described above, the HIPAA Exemption does not by itself allow “disclosure” of PHI from one covered entity to another.  Once disclosure of PHI from one covered entity to another has been effected under color of law, all HIPAA requirements continue to apply, including most notably the requirement that accounting of disclosures of PHI would be required for disclosures made pursuant to a waiver or alteration of authorization under HIPAA.   

However, assuming that the disclosure between covered entities has been carried out consistent with these HIPAA requirements, the HIPAA Exemption should be available for the collaborative secondary research carried out by both covered entities.  Following the disclosure of PHI between covered entities, the researchers at the recipient covered entity are, of course, bound to comply with HIPAA in their use of that PHI because, although not part of the disclosing entity’s workforce, they are members of the recipient covered entity’s workforce.  Given the recipient entity’s own HIPAA obligations, researchers at both institutions therefore would satisfy the requirement within the HIPAA Exemption that “[t]he research involves only information collection and analysis involving the investigator’s use of PHI when that use is regulated under [HIPAA] for the purposes of ‘health care operations’ or ‘research’ . . .”    For these reasons, and assuming compliance with the HIPAA disclosure requirements described above, SACHRP recommends that the HIPAA Exemption should extend to collaborative research carried out by two covered entities, if the only PHI involved in the secondary research is protected by the HIPAA Privacy Rule.  Through conversations with HHS representatives, SACHRP has confirmed that this recommendation is consistent with an intent of the Final Rule is to permit covered entities conducting collaborative research to rely on the HIPAA Exemption for their joint research efforts. 

Collaborating covered entities that seek to rely on the HIPAA Exemption for their joint research activities nevertheless should be aware of the obligations that these “disclosures” entail – for example, the need to comply with HIPAA accounting of disclosure requirements identified above.  In addition, collaborating covered entities seeking to make use of the exemption for their joint research efforts should consider their respective obligations in the event that one of the parties breaches privacy of the shared PHI used in the research.  Under the HIPAA Exemption, for example, if one covered entity uses PHI for “big data” research and suffers a breach, the covered entity itself is responsible for complying with the Breach Notification Rule.  If instead, the covered entities disclose PHI to one other for collaborative “big data” research to take advantage of the HIPAA Exemption, and one entity breaches (such as through a lost laptop containing the full, combined collaborative “big data” dataset), then it appears that the breaching covered entity would have the duty to notify all affected individuals (even those individuals who are not patients or clients of the breaching covered entity), as well as HHS, and the media as applicable, in accordance with the HIPAA Breach Notification Rule.  Further, unless the collaborating parties agree otherwise as part of their disclosures to one another, there is no requirement that the breaching entity notify the covered entity (or entities) whose patients’ or clients’ PHI was breached.  These disclosures among covered entities, using the HIPAA regulatory pathways that allow such disclosures, do not require, for example, business associate agreements mandating such cross-notification and require no data use agreement mandating such cross-notification.  Further, as the HIPAA Exemption has been applied, there would be no mandated Common Rule unanticipated problem reporting to an IRB.  Of the ten collaborating institutions in this example, it appears that the one that breached all the others’ datasets would be responsible for all notifications, unless otherwise agreed and arranged among the collaborating covered entities.  For the sole breaching covering entity to make all these breach notifications to patients would be awkward at best and quite difficult, as none of the affected individuals would previously been aware of  the research and likely would question why an external covered entity has their PHI, is contacting them directly, and is notifying the media about a large breach.  These and related complications should be anticipated by collaborating covered entities seeking to use the HIPAA Exemption for their joint research activities.  It would be of great use to the research community if HHS were to publish FAQs or additional guidance on implementing collaborative covered entity research under the HIPAA Exemption that would elucidate these potential complications.

Covered entities should also note the limits on the types of third parties that would be permitted to receive PHI while still keeping the research project within the confines of the HIPAA Exemption.  Specifically, research projects in which a first team of researchers within a covered entity shares PHI with a second team of researchers which is not part of any covered entity’s workforce will typically not be able to rely on the HIPAA Exemption for their joint research activities.  For example, if a research protocol calls for a physician-investigator within the “health care component” of a HIPAA “hybrid entity”  (e.g., a university with a subsidiary hospital, in which the hospital and certain other biomedical components of the university are designated as the “health care component” subject to HIPAA) to share PHI for purposes of collaborating with an economics professor from the portion of the university that is not part of the “health care component,” then the research activities in question would not be limited to “use . . . regulated under HIPAA,” because although the physician-investigator would need a HIPAA authorization or waiver or alteration of authorization to share the data with the economics professor, the professor’s subsequent use of the data would not itself be subject to and restricted by HIPAA.  Because such a research project would not satisfy the HIPAA Exemption, the investigator would therefore need to comply with existing Common Rule requirements relating to IRB review and approval and informed consent or waiver of consent, in addition to satisfying applicable HIPAA requirements.

Business Associates under the HIPAA Exemption

· SACHRP recommends that the HIPAA Exemption be available for situations in which a covered entity engages a non-covered entity to perform or support research or research-related activities, but only if (a) the activities performed by the non-covered entity are considered business associate activities under the HIPAA Privacy Rule, (b) such entity has entered into a business associate agreement with the covered entity, and (c) the research for which the exemption is used is conducted only with data otherwise shared for business associate purposes.

A “business associate” is an entity that performs one of the recognized business associate functions under HIPAA regulations on behalf of a covered entity.  Recognized business associate functions include de-identification of PHI, preparation of a limited data set, and performing data aggregation activities.  A covered entity may also engage a business associate to conduct utilization and quality assurance reviews – activities that may not be initially be considered “research” under the Privacy Rule but could become research if, for example, a hospital elects to do further analysis of quality assurance data, with an intent of publishing such analysis in light of their public health significance.  When engaging in activities involving PHI that are recognized as business associate activities under the HIPAA Privacy Rule, the third-party person or entity is considered a “business associate” and is subject to the HIPAA Privacy Rule, including direct oversight by the HHS Office for Civil Rights (“HHS OCR”), which enforces HIPAA.  As part of this regulatory oversight, an entity performing business associate functions must enter into a business associate agreement with the covered entity for which it is performing such functions.  The business associate agreement contains a stringent set of covenants governing the business associate’s use of the PHI.  Given that a business associate performing the above-described functions under a business associate agreement would be fully subject to the HIPAA Privacy Rule, SACHRP recommends that the HIPAA Exemption should extend to secondary research in which the business associate is, by engaging in one of these functions, participating alongside the covered entity in the research.  

However, SACHRP notes that any extension of the HIPAA Exemption to cover research-related activities carried out by business associates must in fact be limited to activities considered to be business associate activities under the HIPAA Privacy Rule and that use for the exempt research activity the same data set that has been used for the business associate functions.  The execution of a business associate agreement with a covered entity is necessary but not sufficient to permit a non-covered entity third party to participate in research for which the HIPAA Exemption may be available.  The HHS Office for Civil Rights (“HHS OCR”), which enforces HIPAA, addressed this issue in an FAQ in 2002, in which it stated that although not required, “the HIPAA Privacy Rule does not prohibit a covered entity from entering into a business associate contract with a researcher if the covered entity wishes to do so.”   This guidance simply illustrates that the HIPAA Privacy Rule permits a covered entity to enter into a business associate agreement voluntarily with a non-covered entity researcher, regardless of whether the third party is performing business associate activities; but the guidance does not mean that third-party researchers not engaged in business associate activities under the HIPAA Privacy Rule may avail themselves of the HIPAA Exemption simply by executing a business associate agreement.  Instead, SACHRP has confirmed with OCR that an organization is not recognized as a business associate for purposes of triggering HIPAA Privacy Rule requirements and oversight by OCR unless the entity is actually engaged in business associate activities.  Therefore, unless a third party is engaging in business associate activities, has entered into a business associate agreement with the covered entity that is the source of the PHI, and for the research activity is using only the PHI that has been shared for business associate purposes, that third party cannot conduct research that qualifies for the HIPAA Exemption.

Application of Exemption to Use of Identifiable Biospecimens.

SACHRP recommends that the HIPAA Exemption should be available only for the research use of identifiable health information, and not for the research use of identifiable biospecimens. 
The introductory paragraph that applies to the HIPAA Exemption states that “[s]econdary research uses of identifiable private information or identifiable biospecimens” shall be exempt from the Common Rule “if at least one of the following criteria [four sets of exemptions, including the HIPAA Exemption at §___.104(d)(4)(iii)] is met.”   In other words, the “stem” of this provision includes identifiable information or identifiable biospecimens, but only when one of the four criteria is met, and the HIPAA Exemption refers only to research activities involving information, not biospecimens.

SACHRP believes that for a variety of legal, policy and pragmatic reasons the HIPAA Exemption should not be read to be available for research involving identifiable biospecimens.   

First, applying the exemption only to identifiable health information is the most literal reading of §___.104(d)(4)(iii), which mentions only “use of identifiable health information,” in contrast to §___.104(d)(4)(i) and (ii), each of which expressly include biospecimens.   

Second, reading the HIPAA Exemption to permit the exemption of identifiable biospecimens from informed consent requirements would subvert the greater protection afforded to identifiable biospecimens under the modernized Common Rule infrastructure described in the Final Rule – a framework of enhanced protections for use of identifiable biospecimens that was a consistent focus of the Common Rule Signatories throughout the rulemaking process that led to the Final Rule.  For example, the Final Rule adds two new elements pertaining to biospecimens that must be included, when relevant, to informed consent forms:  first, that the subject’s biospecimens may be used for commercial profit (even if identifiers are removed) and whether the subject will or will not share in this commercial profit; and second, whether the research will (if known) or might include whole genome sequencing.   Additionally, the Final Rule includes a broad consent framework that permits investigators to use biospecimens for future research, but only upon satisfaction of many detailed requirements that must be reviewed and approved by an IRB.   An interpretation that the HIPAA Exemption is available to allow use of identifiable biospecimens would appear inconsistent with the spirit of these other enhanced human subjects research protections for such research.  

Third, if the HIPAA Exemption were to extend to identifiable biospecimens, the utility of the exemption with respect to such specimens would be extremely limited.  A significant portion of biospecimen-related research that would be conducted under the HIPAA Exemption would likely relate to genetic testing.  However, approximately half of the U.S. states, including the states in which a disproportionate share of genetic research is conducted, such as New York and California, have state-specific laws that would require informed consent of the subject (or waiver of consent under an IRB-approved protocol) in order to conduct the secondary research activity and/or to use and disclose the genetic information generated in such testing or sequencing, notwithstanding any loosening of Common Rule requirements.

For all of these reasons, it is SACHRP’s view that reading the HIPAA Exemption to include identifiable biospecimens would be inconsistent with the plain language as well as the policy aims of the Final Rule and contrary to the Common Rule Signatories’ intent in promulgating the Final Rule.  To avoid any potential misinterpretation, SACHRP recommends that HHS or the collective Common Rule Signatories issue a formal clarification on this issue, preferably concluding, consistent with this SACHRP recommendation, that the HIPAA Exemption does not apply to research activities involving identifiable biospecimens. 
Use of Information Added to Database After Secondary Research Begins

· SACHRP recommends that all data collected by databases that are subject to the HIPAA Privacy Rule that continuously collect identifiable private information should be eligible for the HIPAA Exemption, including the data collected only after a secondary research project for which the HIPAA Exemption is sought has begun.

Although the HIPAA Exemption applies only to secondary research uses of identifiable private information, the exemption is not limited to data that have been collected in the past, before the secondary research project at issue begins.  Although the HIPAA Exemption may undoubtedly be applied to information collected before a secondary research project relying on the exemption begins, the exemption can also extend to information added to an existing source database at some future point, after a secondary research project begins.  The types of secondary research projects for which investigators will likely seek to make use of the HIPAA Exemption include long-term medical records or social services review studies, in which investigators would seek to use PHI that does not yet exist but that would be anticipated to be added to medical or client records at some future point, while the secondary research is ongoing.  The preamble confirms this understanding, noting that “unlike the pre-2018 rule’s exemption . . . the final rule has no requirement that the information must be pre-existing at the time that the investigator begins a particular research study.”   

Therefore, in addition to previously collected data, the HIPAA Exemption also applies to future data to be added to databases that continuously collect identifiable private information.
Why Are Health Care Operations and Public Health Activities Contemplated in the Exemption?

· SACHRP advises that “health care operations” and “public health activities” are included in the HIPAA Exemption in recognition of the fact that while the Common Rule considers an activity to be “research” if any purpose of the activity is research, HIPAA employs a primary purpose test in determining whether an activity is research.
The HIPAA Exemption applies to use of identifiable health information when such use is regulated for any of three purposes under HIPAA:  “research”; “health care operations”; or “public health activities and purposes.”   Given that the Common Rule applies only to “research,” and that the HIPAA definition of “research” is identical to the definition used under the Common Rule, the reference in the HIPAA Exemption to health care operations and public health activities is the cause of some confusion as to whether the definitions of research under the two sets of regulations, although the same in wording, are actually different in effect.   
In SACHRP’s view, “health care operations” is used in the HIPAA Exemption in recognition of the fact that, as described above, even though the text of the definition of “research” is the same in both the HIPAA Privacy Rule and the Common Rule, an activity can be considered “research” under the Common Rule but not subject to research requirements under HIPAA when the primary purpose of the activity is health care operations but a secondary purpose is research.  Although this “primary purpose” distinction is not, in contrast to the definition of “health care operations,” an express component of the HIPAA Privacy Rule provision on public health activities and purposes, public health activities appear to have been added to the HIPAA Exemption for the same reason:  when the activities permitted under 45 C.F.R. § 164.512(b) may be considered “research” under the Common Rule (e.g., collecting adverse event information on an FDA-regulated product and using it to study the efficacy or safety of the product) but are treated as public health activities  under HIPAA, then those activities should also be able to receive the benefit of the HIPAA Exemption .
HIPAA Exemption May Be Used in Combination with Other Common Rule Exemptions 

· SACHRP recommends that the HIPAA Exemption be made available for use in combination with other Common Rule exemptions that can collectively exempt a research project from Common Rule requirements. 

Although the Common Rule is silent as to whether more than one exemption may be used in combination to hold a research project exempt from Common Rule requirements or whether all data within a study must qualify for the HIPAA Exemption in order for researchers to rely on the exemption, SACHRP recommends that a multi-exemption approach should be permissible under the Common Rule.  In other words, if an investigator is preparing a research study in which one set of data is eligible for the HIPAA Exemption and the remaining data are eligible for a separate exemption under the Common Rule, then the study may proceed on an exempt basis.  An example of a study that may fall into this category is a research project using PHI from the medical records of a covered entity as well as using government records containing some additional identifiable private information that are available to the public upon request.  While the latter dataset would not be exempt under the HIPAA Exemption, it would be exempt under §__.104(d)(4)(i).
Consideration of Other Legal Requirements

· SACHRP advises that the HIPAA Exemption does not serve to exempt research from other sets of federal or state laws or regulations that may apply.

The HIPAA Exemption lies within the Common Rule and therefore, if satisfied, serves to exclude the research-related activities in question from the human subjects research regulations at 45 C.F.R. Part 46, Subpart A (the Common Rule), Subpart B (additional protections for pregnant women, human fetuses and neonates involved in research), and Subpart D (additional protections for children involved as subjects in research).   There are other regulatory regimes that can apply to human subjects research activities, most importantly FDA regulations, which apply to research involving FDA-regulated products or supporting FDA marketing applications, and state laws that provide greater protection than those provided by HIPAA for certain categories of health information, such as information derived from HIV/AIDS testing or genetic testing.   The HIPAA Exemption may not be used to waive separate consent or use requirements that exist under these distinct regulatory regimes.
FDA regulations require that IRB review must be undertaken and informed consent must be obtained in every study that is subject to FDA jurisdiction, with limited exceptions from the general informed consent rule only in life-threatening situations or when requirements for emergency research are met.  Recent FDA guidance announced that, notwithstanding FDA regulations, the agency will permit waiver of informed consent in the case of minimal risk research, in exercise of FDA’s discretion.   However, even when an IRB grants a waiver of informed consent under the recent FDA guidance, the research as a whole is still required to undergo initial and continuing review by an IRB,  whereas the HIPAA Exemption is designed to go a step further and eliminate the need to seek waiver of informed consent from an IRB, when appropriate.  

With respect to state law requirements, many states treat certain categories of personal health information as particularly sensitive and afford such information additional protection.  California, for example, requires that health records relating to HIV/AIDS may not be disclosed except pursuant to limited public health exceptions or written authorization by the person who is the subject of the record or his/her guardian.   Several states, including New York, ban genetic testing results from being disclosed except as authorized in writing by the test subject (i.e., in the informed consent form).   Research institutions – particularly institutions conducting research in many different states – are often less familiar with these supplemental state requirements than with federal HIPAA and Common Rule requirements, and it is therefore extremely important that they review carefully whether particular state-level consent requirements may apply, even if the research otherwise qualifies for the HIPAA Exemption.

Unless and until the FDA or state agencies issue regulations or guidance that would seek to harmonize a particular supplemental legal requirement with the HIPAA Exemption, the HIPAA Exemption serves only to exempt research from Common Rule requirements and does not speak to how such research activities should be treated under these other applicable regulatory frameworks.  The Common Rule reinforces the fact that it does not serve as a substitute for  other federal or state laws or regulations that provide additional protection for human subjects, stating that “[c]ompliance with this policy requires compliance with pertinent federal laws or regulations that provide additional protections for human subjects” and “[t]his policy does not affect any state or local laws or regulations . . . that may otherwise be applicable and that provide additional protections for human subjects.”   Thus, investigators must obtain informed consent or waiver of consent for any studies that are subject to FDA jurisdiction unless and until the FDA issues new guidance to the contrary and must always review whether additional state-level clinical or research-related protections may apply.
Content created by Office for Human Research Protections (OHRP)
Content last reviewed