The Privacy Rule introduces new standards for protecting the privacy of individuals' identifiable health information held by a covered entity or its business associates. For covered entities, the Privacy Rule sets minimum standards for how PHI may be used and disclosed and how individuals can have control of their health information, including for research purposes. For independent researchers who are not subject to the Privacy Rule, the Rule may affect access to such information.
The Privacy Rule was not intended to impede research. Rather, it provides ways to access vital information needed for research in a manner that protects the privacy of the research subject. The Privacy Rule describes methods to de-identify health information such that it is no longer PHI or governed by the Rule. If de-identified health information cannot be used for research, covered entities can obtain the individual's written permission for the research in an Authorization document describing the research uses and disclosures of PHI and the rights of the research subject. When obtaining the Authorization form is not practicable, an IRB or Privacy Board could waive or alter the Authorization requirement. The Privacy Rule also provides alternatives to obtaining an Authorization or a waiver or an alteration of this requirement, such as limited data sets or with representations provided for certain research activities. The Privacy Rule also contains a provision that "grandfathers" research that is ongoing before the compliance date to facilitate compliance with the Rule.
Many researchers are accustomed to complying with Federal and State regulations that protect participants from research risks; some of these regulations even require, as applicable, a researcher to describe privacy and confidentiality protections in an informed consent. While the Privacy Rule may add to these privacy protections, researchers are aware of the importance of protecting research subjects from foreseeable research risks, including risks to privacy. Understanding how and why the Privacy Rule protects the privacy of identifiable health information is an important step in understanding how covered entities implement the Rule's standards.
Because the Privacy Rule is new and introduces new standards for how PHI is handled by covered entities, researchers and their institutions may have questions about the Rule. Researchers are encouraged to contact their institution, IRB, counsel, or Privacy Officer to learn more about how the Privacy Rule affects their institution. Questions and comments about the Privacy Rule may also be sent to HHS's Office for Civil Rights (OCR) at firstname.lastname@example.org. Several other Federal agencies are also prepared to assist researchers with questions about the Privacy Rule. Information can be found at the sites listed on the next page.