Institutional Review Boards and the HIPAA Privacy Rule
Overview
The Privacy Rule, at 45 CFR parts 160 and 164, establishes a category of health information, defined as protected health information (PHI), which a covered entity may only use or disclose to others in certain circumstances and under certain conditions. In general, the Privacy Rule requires an individual to provide signed permission, known as an Authorization under section 164.508 of the Privacy Rule, before a covered entity can use or disclose the individual's PHI for research purposes. Under certain circumstances, however, the Privacy Rule permits a covered entity to use or disclose PHI for research without an individual's Authorization. One way a covered entity can use or disclose PHI for research without an Authorization is by obtaining proper documentation of a waiver of the Authorization requirement by an Institutional Review Board (IRB) or a new type of review body, a Privacy Board.
An IRB's authority to approve a waiver or an alteration of the Privacy Rule's Authorization requirement is new and in addition to, not in lieu of, the traditional IRB authorities to protect research participants from risks under 45 CFR part 46 (Department of Health and Human Services [HHS] Regulations for the Protection of Human Subjects) and 21 CFR parts 50 and 56 (Food and Drug Administration [FDA] Regulations on Protection of Human Subjects). Other Federal and State laws and regulations may impose other or additional restrictions and limitations on the use of health information for research that may not be waived or altered by an IRB or Privacy Board under the authority granted to it by the Privacy Rule.
This fact sheet is limited to the Privacy Rule's requirements relating to an IRB and approvals of research-related requests for Authorization waivers or alterations and how those requirements relate to the functioning of an IRB under 45 CFR part 46, 21 CFR parts 50 and 56, and other Federal laws and regulations applicable to an IRB. A separate fact sheet entitled Privacy Boards and the HIPAA Privacy Rule discusses the concurrent authority of Privacy Boards established under the Privacy Rule to approve such waivers or alterations. Additional information about the Privacy Rule can be found in the booklet Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule.
For guidance on the Privacy Rule, see the HHS Office for Civil Rights (OCR) Web site at http://www.hhs.gov/ocr/hipaa. For guidance on the interpretation of HHS or FDA Protection of Human Subjects Regulations at 45 CFR part 46 or 21 CFR parts 50 and 56, respectively, visit the Office for Human Research Protections (OHRP) Web site at http://ohrp.osophs.dhhs.gov or the FDA Web site at http://www.fda.gov/oc/gcp, respectively.
Introduction to the Privacy Rule
In response to a congressional mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), HHS issued regulations entitled Standards for Privacy of Individually Identifiable Health Information. For most covered entities, compliance with these regulations, known as the Privacy Rule, was required by April 14, 2003.
The Privacy Rule is a response to public concern over potential abuses of the privacy of health information. The Privacy Rule establishes a category of health information, PHI, which may only be used or disclosed to others in certain circumstances or under certain conditions. PHI is a subset of what is termed individually identifiable health information. With certain exceptions, individually identifiable health information becomes PHI when it is created or received by a covered entity. Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain defined HIPAA transactions, such as claims or eligibility inquiries. Researchers are not themselves covered entities, unless they also provide health care and engage in any of the covered electronic transactions. If, however, researchers are employees or other workforce members of a covered entity (e.g., a hospital or health insurer), they may have to comply with that entity's new HIPAA privacy policies and procedures. A researcher who is not himself or herself a covered entity or is not a workforce member of a covered entity may be indirectly affected by the Privacy Rule, if a covered entity supplies the research data.
What Is an IRB and Its Role Under the Privacy Rule?
IRBs
An IRB is a board, committee, or other group formally designated by an institution to review research involving humans as subjects. IRBs have authority to approve, require modification to, or disapprove all research activities covered by the HHS and FDA Protection of Human Subjects Regulations. Following initial approval, IRBs must conduct periodic reviews of such research. Every institution engaged in human subjects research conducted or supported by a Federal department or agency that has adopted the Common Rule (Federal Policy for the Protection of Human Subjects) is required to designate one or more IRBs under an assurance of compliance. Additionally, when FDA-regulated products are investigated in human subjects, the protocol is subject to review and approval by an IRB. Hospitals, academic medical centers, government units, and others engaged in federally conducted or supported health research activities involving human subjects and entities conducting FDA-regulated clinical investigations, among others, have designated IRBs.
Human subjects research that is conducted or supported by a Federal department or agency that has adopted the Common Rule (found for HHS at 45 CFR part 46, subpart A) and that does not meet the criteria for exemption or is regulated by the FDA is subject to review and approval by an IRB. In most instances, in order to approve research, an IRB must determine that specified criteria have been satisfied. Among these criteria, an IRB must determine that, when appropriate, the research protocol includes "adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data" (see 45 CFR 46.111(a)(7) and 21 CFR 56.111(a)(7)).
IRB Role under the Privacy Rule
Beginning on April 14, 2003, the Privacy Rule's compliance date for most covered entities, IRBs gained authority to consider, and act upon, requests for a partial or complete waiver or alteration of the Privacy Rule's Authorization requirement for uses and disclosures of PHI for research. Although HHS and FDA Protection of Human Subjects Regulations include protections to help ensure the privacy of subjects and the confidentiality of information, the Privacy Rule supplements these protections by requiring covered entities to implement specific measures to safeguard the privacy of PHI. If certain conditions are met, an IRB may grant a waiver or an alteration of the Authorization requirement for research uses or disclosures of PHI.
Provisions concerning requests to an IRB for a waiver or an alteration of the Authorization requirement are in section 164.512(i) of the Privacy Rule. It is likely that IRBs will be primarily involved in acting on requests for waiver or alteration of the Authorization requirement in connection with research activities that the particular IRB oversees. The Privacy Rule does not impose any requirements for the location or sponsorship of an IRB convened for the purposes of acting on a request for approval of a waiver or an alteration of the Authorization requirement. Thus, an IRB approval for a waiver or an alteration of Authorization may be issued by an IRB that is unrelated to the institution conducting or sponsoring the specific research project, unrelated to the covered entity that creates or maintains the PHI to be used or disclosed for research, or different from the IRB with responsibility for monitoring the underlying research project. As a result, a waiver or an alteration of the Privacy Rule's Authorization requirements could be obtained from a single IRB in connection with a multisite research activity or where the PHI necessary for the research will be used or disclosed by more than one covered entity.
Under the Privacy Rule, an Authorization may be combined with the informed consent document for research. If the informed consent document is combined with an Authorization meeting the Privacy Rule's requirements, 45 CFR part 46 and/or 21 CFR parts 50 and 56 would require IRB review of the combined document.
An IRB's role under the Privacy Rule, however, is limited to acting on requests for a waiver or an alteration of the Privacy Rule's Authorization requirement. IRBs are, thus, not required to review and approve Authorizations under the Privacy Rule. Likewise, IRBs are not required to approve stand-alone Authorizations (i.e., Authorizations that are not incorporated into the informed consent document) under the HHS Protection of Human Subjects Regulations at 45 CFR part 46 or the FDA regulations at 21 CFR parts 50 and 56. However, FDA regulations at 21 CFR parts 50 and 56 would require such review if required by the IRB's written procedures. In the exercise of ongoing enforcement discretion, however, with respect to the requirements of 21 CFR 56.108(a), to the extent that an IRB's written procedures require the review and/or approval of stand-alone Authorizations, FDA will not take enforcement action against an IRB for failing to review them even when the IRB's written procedures otherwise would require such review and/or approval. (See OCR guidance at http://www.hhs.gov/ocr/hipaa/privguideresearch.pdf for more information.) Moreover, the Privacy Rule does not require IRBs to review uses and disclosures of an individual's PHI that are made with an individual's Authorization (see 67 Federal Register 53226, August 14, 2002).
Waivers or Alterations of the Authorization Requirements
For some types of research, it is impracticable for researchers to obtain written Authorization from research participants. To address this type of situation, the Privacy Rule contains criteria for waiver or alteration of the Authorization requirement by an IRB or a Privacy Board. Under the Privacy Rule, either board may waive or alter, in whole or in part, the Privacy Rule's Authorization requirements for the use and disclosure of PHI in connection with a particular research project.
A waiver in whole occurs when the IRB determines that no Authorization will be required for a covered entity to use or disclose PHI for a particular research project because certain criteria set forth in the Privacy Rule have been met (see section 164.512(i) of the Privacy Rule). For example, if a study involved the use of PHI pertaining to numerous individuals where contact information is unknown, and it would be impracticable to conduct the research if Authorization were required, an IRB could waive all of the Authorization requirements for research participants if the IRB determined that all of the Privacy Rule waiver criteria had been satisfied. If the IRB approves such a waiver, the receipt of the requisite documentation of the approval permits a covered entity to use or disclose PHI in connection with a particular research project without Authorization. A partial waiver of the Authorization requirements of the Privacy Rule might be requested, for instance, to allow a researcher to obtain PHI as necessary to recruit potential research subjects. For example, even if an IRB does not waive the Authorization requirement for the entire research study, an IRB may partially waive the Authorization requirement to permit a covered entity to disclose PHI to a researcher for the purposes of contacting and recruiting individuals into the study.
An IRB may also approve a request that removes some, but not all, required elements of an Authorization (an alteration). For example, an IRB may alter the Authorization to remove the element that describes each purpose of the requested use or disclosure where, for example, the identification of the specific research study would affect the results of the study. Before a covered entity could use or disclose PHI pursuant to the altered Authorization, however, it must receive documentation that an IRB determined that all of the Privacy Rule waiver criteria at section 164.512(i)(2)(ii) had been satisfied. Any subsequent use or disclosure of PHI by a covered entity for a different research study would require an additional Authorization, except as permitted without Authorization under section 164.512(i) (e.g., with a waiver of Authorization) or 164.514(e) (i.e., as a limited data set with a data use agreement).
The Privacy Rule establishes the criteria to be evaluated by an IRB in approving an Authorization waiver or alteration. Furthermore, the criteria for an IRB waiver or alteration of the Authorization are consistent with the criteria for IRB waiver of the informed consent requirements contained in the HHS Protection of Human Subjects Regulations. For a covered entity to use or disclose PHI under a waiver or an alteration of the Authorization requirement, it must receive documentation of, among other things, the IRB or Privacy Board's determination that the following criteria have been met:
- The PHI use or disclosure involves no more than minimal risk to the privacy of individuals based on at least the presence of (1) an adequate plan presented to the IRB to protect PHI identifiers from improper use and disclosure; (2) an adequate plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers or if retention is otherwise required by law; and (3) adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except (a) as required by law, (b) for authorized oversight of the research study, or (c) for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule.
- The research could not practicably be conducted without the requested waiver or alteration.
- The research could not practicably be conducted without access to and use of the PHI.
IRB Review Proceedings
IRB Composition
The Privacy Rule does not change the composition of an IRB. Under the HHS and FDA Protection of Human Subjects Regulations each IRB must have at least five members with varying backgrounds to promote complete and adequate review of research activities conducted by the institution. An IRB must be sufficiently qualified through the experience and expertise of its members, and the diversity of the members, including consideration of race, gender, and cultural backgrounds and sensitivity to such issues as community attitudes, to promote respect for its advice and counsel in safeguarding the rights and welfare of human subjects. The IRB must also be able to ascertain the acceptability of proposed research in terms of institutional commitments and regulations, applicable law, and standards of professional conduct and practice. No IRB may consist entirely of members of one profession. In addition, at least one member must not be affiliated with the institution (or part of the immediate family of a person affiliated with the institution). Furthermore, no IRB may have a member participate in the IRB's initial or continuing review of a project in which the member has a conflicting interest, except to provide information at the request of the IRB. Each IRB must include at least one member whose primary concerns are in scientific areas and at least one member whose primary concerns are in nonscientific areas. The Privacy Rule permits a covered entity to accept documentation of waiver or alteration approval from any qualified IRB or Privacy Board-not only the IRB overseeing the institution's research.
IRB Procedural Requirements
When acting upon a request to waive or alter the Authorization requirement, an IRB must follow the procedural requirements of the HHS Protection of Human Subjects Regulations and/or, if applicable, FDA regulations, including using either the normal review procedures (review by the convened IRB) or the expedited review procedures. The FDA Protection of Human Subjects Regulations also require the IRB to follow its established written procedures whether a request for a waiver or an alteration of the Authorization requirement is considered by a convened IRB or by an IRB under the expedited review procedures.
Review by the Convened IRB
When a request for a waiver or an alteration of the Authorization requirement is considered by the convened IRB, a majority of the IRB members must be present at the meeting, including at least one member whose primary concerns are in nonscientific areas. In order for an approval of a waiver or an alteration of the Privacy Rule's Authorization requirement to be effective, it must be approved by a majority of the IRB members present at the convened meeting. If a member of the IRB has a conflicting interest with respect to the PHI use and disclosure for which a waiver or an alteration approval is being sought, that member may not participate in the review.
Expedited Review
HHS and FDA have established categories3 of research that may be reviewed by an IRB through an expedited review procedure. Expedited review of a request for a waiver or an alteration of the Authorization requirement is permitted where the research activity is on the HHS or FDA list of approved categories and involves no more than minimal risks. In addition, 45 CFR 46.110 and 21 CFR 56.110 permit an IRB to use an expedited review procedure to review minor changes in previously approved research. A modification to a previously approved research protocol, which only involves the addition of an Authorization for the use or disclosure of PHI to the IRB-approved informed consent, may be reviewed by the IRB through an expedited review procedure, since this type of modification may be considered to be no more than a minor change to research. If expedited review procedures are appropriate for acting on the request, the review may be carried out by the IRB chair or by one or more experienced reviewers designated by the chair from among the IRB members. A member with a conflicting interest may not participate in an expedited review. If an IRB uses expedited review procedures, it must adopt methods for keeping all its members advised of requests for waivers or alterations of the Authorization requirement as well as those requests that have been granted under an expedited review procedure. If the head of the Federal department or agency (or his/her designee) regulating the research has restricted, suspended, terminated, or chosen not to authorize an institution or IRB to use expedited review procedures, the IRB cannot grant waivers or alterations of the Authorization requirement on an expedited basis.
Documentation of Authorization Waiver or Alteration Determinations
Before a covered entity may use or disclose PHI for research based on a waiver or an alteration of Authorization by an IRB, a covered entity must receive documentation showing the following:
- The identity of the approving IRB
- The date on which the waiver or alteration was approved
- A statement that the IRB has determined that all the specified criteria for a waiver or an alteration were met (see Waivers or Alterations of the Authorization Requirements)
- A brief description of the PHI for which use or access has been determined by the IRB to be necessary in connection with the specific research activity
- A statement that the waiver or alteration was reviewed and approved under either normal or expedited review procedures (see IRB Approval Proceedings)
- The required signature of the IRB chair or the chair's designee
As noted, the IRB's documentation of its approval must describe the PHI for which use or access has been determined to be necessary for the research. This would include stating, for example, that the waiver was limited to only certain information in a patient's medical record, instead of the entire record. If a covered entity uses or discloses PHI based on an IRB approval of a waiver or an alteration of the Authorization requirement, the covered entity must retain the IRB's documentation on which it relied for at least 6 years from the date the waiver or alteration was obtained, or the date when it was last in effect, whichever is later.
Other provisions of applicable Federal law and regulations, as well as the written policies and procedures of a specific IRB, may require the IRB to create and maintain additional documentation of its actions on requests to approve a waiver or an alteration of the Privacy Rule's Authorization requirement.
Verification Requirements: Right to Rely
In some circumstances, IRBs and Privacy Boards will coexist. Where these boards coexist, the Privacy Rule requires approval of a waiver or an alteration of Authorization by only one of them. Furthermore, a covered entity may use or disclose PHI based on a waiver or an alteration of Authorization approved by any IRB or Privacy Board, without regard to the location or affiliation of the IRB or Privacy Board. The Privacy Rule permits a covered entity reasonably to rely on an IRB's or a Privacy Board's documentation granting a waiver or alteration of the Authorization requirement so long as the documentation is proper. The documentation on which the covered entity relies must be in writing and meet the signature and other requirements discussed in the Documentation of Authorization Waiver or Alteration Determinations section.
A covered entity's ability reasonably to rely on documentation of an Authorization waiver or alteration may be especially important for research projects taking place at multiple sites and/or requiring the use and disclosure of PHI created or maintained by more than one covered entity (collectively, multisite projects). Often, different IRBs are involved in multisite project reviews. For these situations, HHS has stated (65 Federal Register 82692, December 28, 2000) that a covered entity's responsibility is only to "obtain the documentation that one IRB or [P]rivacy [B]oard has approved the alteration or waiver of Authorization." (Emphasis added.) Consequently, the Privacy Rule allows a waiver or an alteration of Authorization obtained from a single IRB or Privacy Board to be used to obtain PHI in connection with multisite projects. However, HHS also recognizes that "covered entities may elect to require IRB or Privacy Board reviews before disclosing [PHI] to requesting researchers" (67 Federal Register 53232, August 14, 2002). The Privacy Rule does not require entities to change their practices with respect to how they address potential splits between review boards. However, HHS "strongly encourages researchers to notify IRBs and [P]rivacy [B]oards of any prior IRB or [P]rivacy [B]oard review of a research protocol" (65 Federal Register 82692, December 28, 2000).
A covered entity must limit the use or disclosure of PHI for research that is based on documentation of an approved waiver or alteration of Authorization to the minimum necessary to accomplish the intended purpose of the particular research protocol or project (see section 164.502(b) of the Privacy Rule). Documentation supporting an IRB's approval of a waiver or an alteration of Authorization must include a description of the PHI without access to and use of which the IRB has determined the research could not practicably be conducted. If an IRB has granted a waiver or an alteration of Authorization, a covered entity may rely, if such reliance is reasonable under the circumstances, on the IRB's documentation to satisfy itself that the requested PHI use or disclosure is limited to the minimum necessary for the stated research purpose (see section 164.514(d)(3)(iii) of the Privacy Rule). Such reliance is appropriate regardless of whether the documentation of waiver or alteration is obtained from an external IRB or associated with the covered entity relying on the documentation (see 67 Federal Register at 53198, August 14, 2002).
Research Uses and Disclosures Under Permissions Obtained Prior to the Privacy Rule's Compliance Date
Sections 164.532(a) and (c) of the Privacy Rule provide that, after the compliance date (for most covered entities, April 14, 2003), a covered entity may use or disclose an individual's PHI without an Authorization, or waiver or alteration of the Authorization requirement, in connection with ongoing research if specific conditions are met. For many such uses and disclosures of PHI in connection with ongoing research, a covered entity may rely on any one of the following that was obtained prior to the compliance date:
- An Authorization or other express legal permission from an individual to use or disclose PHI for research
- The informed consent of the individual to participate in the research
- A waiver by an IRB of informed consent in accordance with applicable laws and regulations governing informed consent, unless a new informed consent document after the compliance date is sought
The transition provisions also do not apply if any change is made after the compliance date to an informed consent, express legal permission, or IRB waiver for the research obtained before the compliance date that would make these prior permissions invalid. Under all these circumstances, an Authorization that complies with section 164.508 of the Privacy Rule is required unless the activity is otherwise permitted by the Privacy Rule without Authorization (e.g., through a waiver of Authorization).
In some instances, express legal permissions, informed consents, or IRB-approved waivers of informed consents are not study specific. These permissions for research and waivers, if obtained before the compliance date, are grandfathered by the transition provisions even if provided for future unspecified research, subject to the conditions described above.
Frequently Asked Questions and Answers
Q: How does the scope of coverage of the HHS and FDA Protection of Human Subjects Regulations (45 CFR part 46 and 21 CFR parts 50 and 56) differ from that of the Privacy Rule (i.e., who and what is covered under each of these regulations)?
A: While the HHS Protection of Human Subjects Regulations and the Privacy Rule pertain to some of the same entities, the scope of coverage of these two regulations differs. The HHS Protection of Human Subjects Regulations apply to all research involving human subjects that is conducted or supported by any component of HHS, unless the research involves one or more of the categories of exempt research described under the HHS regulations at 45 CFR 46.101(b). FDA Protection of Human Subjects Regulations apply to research related to FDA-regulated products that involves one or more human subjects.
In contrast, the Privacy Rule applies to "covered entities" that are defined in the regulations: (1) Health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. The Privacy Rule protects, with limited exceptions, individually identifiable health information when it is created or maintained by a covered entity.
Of note, certain research activities involving human subjects that are exempt under the HHS Protection of Human Subjects Regulations may still need to satisfy the requirements of the Privacy Rule.
Q: What constitutes "individually identifiable" information under the HHS Protection of Human Subjects Regulations versus under the Privacy Rule?
A: The HHS Protection of Human Subjects Regulations at 45 CFR 46.102(f) define a "human subject," in part, as a living individual about whom an investigator conducting research obtains "identifiable private information...Private information must be individually identifiable (i.e., the identity of the subject is or may be readily ascertained [emphasis added] by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects."
The Privacy Rule at section 160.103 defines "individually identifiable health information," in part, as "...information that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual." In addition, the Privacy Rule at section 164.514 allows a covered entity to determine that health information is not individually identifiable using either (1) statistical verification as specified in the Privacy Rule or (2) by removing certain pieces of information from each record, as specified in the Privacy Rule, about the individual, relatives, employers, or household members of the individual and having no knowledge that the remaining information could be used alone or in combination with other information to identify the individual. Under the second method of de-identification, in general, unique identifying numbers, characteristics, or codes must be removed if the health information is to be considered to be de-identified unless permitted by the Privacy Rule as a re-identification code.
Q: Do HHS Protection of Human Subjects Regulations or the Privacy Rule consider information "individually identifiable" if the information is associated only with a code assigned for re-identification?
A: The Privacy Rule permits a covered entity to determine that health information is de-identified even if the health information has been assigned, and retains, a code or other means of record identification, provided that the code is not derived from or related to the information about the individual and could not be translated to identify the individual and the covered entity does not use or disclose the code for other purposes or disclose the mechanism for re-identification.
Under the HHS Protection of Human Subjects Regulations, if an investigator obtains private information about living individuals for research purposes and that private information retains a link to individually identifying information, such private information ordinarily would be considered by OHRP to be individually identifiable to the investigator. However, OHRP does not ordinarily consider such information to be individually identifiable to the investigator if (1) the investigator and the holder of the individually identifying information sign an agreement prohibiting the release of individually identifying information to the investigator under any circumstances, or (2) there are other legal requirements prohibiting the release of the link to the investigator.
Q: Who furnishes the description of the PHI to be included in the IRB's documentation?
A: The Privacy Rule does not state who furnishes the description of the PHI to be included in the IRB's documentation. However, the researcher requesting the waiver or alteration of the Privacy Rule's Authorization requirement from the IRB may be in the best position to adequately describe the PHI to be used and disclosed and would submit this information as part of the request for such approval. Regardless of who provides the description of the PHI, the IRB is the entity that decides whether or not and the extent to which a waiver or alteration of Authorization is granted, and, therefore, it is the IRB that makes the final decision regarding the description of the PHI to be included in the IRB's documentation.
Q: When must an IRB review and approve the language of an Authorization for use or disclosure of PHI related to human subjects research activities regulated by HHS Protection of Human Subjects Regulations at 45 CFR part 46 and FDA Protection of Human Subjects Regulations at 21 CFR parts 50 and 56?
A: The HHS Protection of Human Subjects Regulations do not expressly require that Privacy Rule Authorizations be reviewed or approved by the IRB. However, under HHS regulations at 45 CFR 46.117(a) and FDA regulations at 21 CFR 50.27(a), IRB review and approval is required for any document that contains the IRB-approved informed consent document for human subjects research. Therefore, if the Authorization language is part of the IRB-approved informed consent document, such as when the Authorization form is combined with an informed consent, the IRB is required to review such language.
Generally, neither HHS regulations at 45 CFR part 46 nor FDA regulations at 21 CFR parts 50 and 56 require that stand-alone Authorizations (i.e., Authorizations that are not incorporated into the informed consent document) for use or disclosure of PHI be reviewed and approved by the IRB. However, FDA regulations at 21 CFR 56.108(a) mandate such review if required by the IRB's written procedures. In the exercise of ongoing enforcement discretion, however, with respect to the requirements of 21 CFR 56.108(a), to the extent that an IRB's written procedures require the review and/or approval of stand-alone Authorizations, FDA will not take enforcement action against an IRB for failing to review them even when the IRB's written procedures otherwise would require such review and/or approval.
The Privacy Rule does not require IRBs to review or approve Authorizations used for research or other disclosures; it only requires that the Authorization comply with the requirements of the Privacy Rule at section 164.508. For OCR guidance on this topic, see http://www.hhs.gov/ocr/hipaa/privguideresearch.pdf.
Q: Does the Privacy Rule require IRBs to review and/or approve Authorizations, either as stand-alone documents (i.e., Authorizations that are not combined with informed consent documents) or when combined with informed consent?
A: No.
Q: Do FDA regulations require IRBs to review and/or approve stand-alone Authorizations, i.e., Authorizations that are not combined with informed consent documents?
A: No. FDA regulations do not specifically require IRBs to review and/or approve stand-alone Authorizations. However, FDA regulations governing IRBs require, in pertinent part, that IRBs adopt and follow written procedures for reviewing clinical research. See 21 CFR 56.108(a). Pursuant to this provision, IRBs that have written procedures requiring them to review all written materials provided to potential research subjects must review and approve stand-alone Authorizations, even though such review is not otherwise required under the Privacy Rule, HHS Protection of Human Subjects Regulations, or FDA regulations governing IRBs. However, in the exercise of ongoing enforcement discretion with respect to the requirements of 21 CFR 56.108(a), to the extent that an IRB's written procedures require the review and/or approval of stand-alone Authorizations, FDA will not take enforcement action against an IRB for failing to review them even when the IRB's written procedures otherwise would require such review and/or approval. For OCR guidance on this topic, see http://www.hhs.gov/ocr/hipaa/privguideresearch.pdf.
Q: Do international guidelines require IRBs to review and/or approve stand-alone Authorizations, i.e., Authorizations that are not combined with informed consent documents?
A: No. The International Conference on Harmonisation (ICH) Good Clinical Practice: Consolidated Guideline (E6) states, for example, "Before initiating a trial, the investigator/institution should have written and dated approval/favourable opinion from the IRB/IEC [Independent Ethics Committee] for the trial protocol, written informed consent form, consent form updates, subject recruitment procedures (e.g., advertisements), and any other written information to be provided to subjects." (Emphasis added.) (See ICH E6 4.4.1.) This language recommends, but does not require, such review. In general, the ICH Good Clinical Practice guidelines are recommendations, not legal requirements. As such, they are not subject to enforcement by U.S. authorities.
Q: How does the composition of IRBs vary from that of Privacy Boards?
A: The HHS and FDA Protection of Human Subjects Regulations at 45 CFR 46.107 and 21 CFR 56.107, respectively, require, among other things, that IRBs have at least five members with varying backgrounds to promote complete and adequate review of research activities commonly conducted by the institution. The IRB must be sufficiently qualified through the experience and expertise of its members, and the diversity of members, including consideration of race, gender, and cultural backgrounds and sensitivity to such issues as community attitudes, to promote respect for its advice and counsel in safeguarding the rights and welfare of human subjects. The IRB must also be able to ascertain the acceptability of proposed research in terms of institutional commitments and regulations, applicable law, and standards of professional conduct and practice. The IRB must also include at least one member whose primary concerns are in scientific areas, and at least one member whose primary concerns are in nonscientific areas. In addition, the IRB must include at least one member who is not otherwise affiliated with the institution and who is not part of the immediate family of a person affiliated with the institution.
The Privacy Rule, at section 164.512(i)(1)(i)(B), requires that a Privacy Board have members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests and include at least one member who is not affiliated with any entity conducting or sponsoring the research and not related to any person who is affiliated with any of these entities. In addition, a Privacy Board may not have any member participating in a review of any project in which the member has a conflict of interest.
Of note, covered entities may reasonably rely on documentation from an IRB that satisfies the membership requirements of the HHS or FDA Protection of Human Subjects Regulations in order to use or disclose PHI without Authorization, as permitted by the Privacy Rule at section 164.512(i)(1)(i).
Q: How do the requirements regarding members with conflicting interests vary between IRBs under the HHS and FDA Protection of Human Subjects Regulations, and the Privacy Boards under the Privacy Rule?
A: The HHS and FDA Protection of Human Subjects Regulations at 45 CFR 46.107(e) and 21 CFR 56.107(e), respectively, prohibit an IRB member who has a conflicting interest from participating in an initial or continuing review or approval of research, except to provide information at the request of the IRB.
Similarly, the Privacy Rule, at section 164.512(i)(1)(i)(B)(3), prohibits a Privacy Board member from participating in a review of any project in which the member has a conflicting interest.
Q: How do the criteria to alter or waive informed consent under 45 CFR part 46 differ from criteria to alter or waive Authorization under the Privacy Rule?
A: Under 45 CFR 46.116(d), an IRB may approve a consent procedure that does not include, or which alters, some or all of the elements of informed consent specified in this section, or may waive the requirements to obtain informed consent, provided the IRB finds and documents that the following criteria have been met:
- The research involves no more than minimal risk to the subject.
- The waiver or alteration will not adversely affect the rights and welfare of the subjects.
- The research could not practicably be carried out without the waiver or alteration.
- Whenever appropriate, the subjects will be provided with additional pertinent information after participation.
In addition, 45 CFR 46.116(c) also permits an IRB to approve a consent procedure which does not include, or which alters, some or all of the elements of informed consent or to waive the requirement to obtain informed consent, provided the IRB finds and documents the following:
- The research or demonstration project is to be conducted by or is subject to the approval of state or local government officials and is designed to study, evaluate, or otherwise examine public benefit or service programs, and certain aspects of these programs as specified at 45 CFR 46.116(c)(1).
- The research could not practicably be carried out without the waiver or alteration.
Under the Privacy Rule at section 164.512(i)(1)(i), a covered entity may use or disclose PHI for a research study without Authorization from the research participant if the covered entity obtains documentation that an alteration or waiver of the research participants' Authorization for use or disclosure of information for research purposes has been approved by an IRB or a Privacy Board. Among other requirements under section 164.512(i), a covered entity must obtain a statement that an IRB or a Privacy Board has determined that the alteration or waiver, in whole or in part, of Authorization satisfies the following three criteria in the Privacy Rule:
- The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
- An adequate plan to protect the identifiers from improper use and disclosure
- An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of research, unless a health or research justification for retaining the identifiers or such retention is otherwise required by law
- Adequate written assurances that the PHI will not be reused or disclosed except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by the Privacy Rule
- The research could not practicably be conducted without the waiver or alteration.
- The research could not practicably be conducted without access to and use of the PHI.
Q: Under the HHS regulations at 45 CFR part 46 and FDA regulations at 21 CFR part 56, can an IRB use an expedited review procedure to review and approve a modification to a previously approved informed consent document where the modification involves only the addition of an Authorization for use or disclosure of PHI?
A: Yes. For research protocols previously approved by the IRB, the addition to the IRB-approved informed consent document of language regarding Authorization for use or disclosure of PHI may be considered no more than a minor change to the research and, as a result, may be reviewed by the IRB under an expedited review procedure, in accordance with the requirements of HHS regulations at 45 CFR 46.110 and FDA regulations at 21 CFR 56.110.
Q: Do HHS regulations at 45 CFR part 46 and FDA regulations at 21 CFR parts 50 and 56 permit the IRB to review and approve the insertion of Authorization language as a single modification that applies to the informed consent documents of multiple protocols previously approved by the IRB?
A: Yes, when Authorizations for use or disclosure of PHI will be incorporated into previously approved informed consent documents for a series of protocols, and the Authorizations are composed entirely of identical template language, the IRB may approve the insertion of the Authorization language as a single modification that applies to the entire series of protocols.
However, when Authorizations for use or disclosure of PHI will be incorporated into previously approved informed consent documents for a series of protocols and the Authorization statements include protocol-specific information unique to each protocol, the IRB should review and approve the insertion of the Authorization language separately for each protocol.
In both cases, an expedited review procedure may be used.
Q: When do the requirements under HHS regulations at 45 CFR part 46 related to IRB review and informed consent apply to "preparatory to research" activities as permitted by the Privacy Rule at section 164.512(i)(1)(ii)?
A: HHS Protection of Human Subjects Regulations at 45 CFR part 46 do not reference "preparatory to research" activities.
HHS regulations at 45 CFR 46.102(d) define "research" as "a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge." (Emphasis added.)
HHS regulations at 45 CFR 46.102(f) define "human subject" as
a living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual or (2) identifiable private information... Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects.
When a "preparatory to research" activity (i) involves human subjects research, as defined above; (ii) is conducted or supported by HHS or conducted under an applicable OHRP-approved assurance; and (iii) does not meet the criteria for exemption under HHS regulations at 45 CFR 46.101(b), the research must be reviewed and approved by an IRB in accordance with HHS regulations at 45 CFR 46.109(a). In addition, informed consent of the subjects must be sought and documented in accordance with, and to the extent required by, HHS regulations at 45 CFR 46.116 and 46.117, respectively. However, under HHS Protection of Human Subjects Regulations at 45 CFR 46.116(c) and (d), an IRB may approve a consent procedure for such a "preparatory to research" activity that does not include, or that alters, some or all of the elements of informed consent, or may waive the requirements to obtain informed consent for such a "preparatory to research" activity if certain criteria are satisfied.
The Privacy Rule permits, under section 164.512(i)(1)(ii), a covered entity to provide investigators with access to PHI for purposes preparatory to research, such as for identifying potential human subjects to aid in study recruitment, among other things. Such access is permitted provided that the covered entity receives certain required representations from the researcher and the researcher does not remove any PHI from the covered entity during the course of the review.
Activities in which an investigator obtains and records individually identifiable health information for purposes of identifying potential human subjects to aid in study recruitment, among other things, involve human subjects research under the HHS regulations at 45 CFR part 46 and would not satisfy the criteria for any exemption under HHS regulations at 45 CFR 46.101(b). As a result, if such activities are conducted or supported by HHS or conducted under an applicable OHRP-approved assurance, the research activities must be reviewed and approved by an IRB in accordance with HHS regulations at 45 CFR 46.109(a). In addition, informed consent of the subjects, about whom identifiable private information (e.g., health information) is being obtained, must be sought and documented in accordance with, and to the extent required by, HHS regulations at 45 CFR 46.116 and 46.117, respectively.
For example, if an investigator who is covered by an applicable OHRP-approved assurance obtains and records identifiable private information from medical records for the purpose of contacting these individuals to determine if they would be interested in participating in a research study, this activity constitutes human subjects research, and thus, would require either (1) that subjects' informed consent be sought as required by the HHS regulations at 45 CFR 46.116, or (2) that the IRB approve an informed consent procedure which does not include or which alters some or all of the elements of informed consent, or waive the requirement to obtain informed consent in accordance with the provisions of the HHS regulations at 45 CFR 46.116(c) or (d). Informed consent also must be documented in accordance with, and to the extent required by, the HHS regulations at 45 CFR 46.117.
Similarly, if such an investigator obtains and records identifiable private information to develop a database of potential research subjects for future research studies, this activity is also human subjects research as defined in 45 CFR part 46, and thus would need to meet the requirements of the HHS regulations as discussed above.
The above interpretation does not conflict in any way with OCR's interpretation of the Privacy Rule. It should be noted that Authorization for use or disclosure of PHI provided for under the Privacy Rule and legally effective informed consent for research provided for under HHS regulations at 45 CFR 46.116 and 46.117 are not the same.
Furthermore, the Privacy Rule does not override any requirements of 45 CFR part 46, and vice versa. In situations where both 45 CFR part 46 and the Privacy Rule are applicable, institutions must adhere to both sets of regulations.
Q: Under certain circumstances, the "preparatory to research" provision at section 164.512(i)(1)(ii) of the Privacy Rule permits covered entities to use or disclose PHI for purposes preparatory to research. What kinds of activities are considered "preparatory to research"?
A: Covered entities that obtain certain required representations from a researcher may use and disclose PHI for activities preparatory to research that include, but are not limited to the following:
- Preparing a research protocol
- Assisting in the development of a research hypothesis
- Aiding in research recruitment, such as identifying prospective research participants who would meet the eligibility criteria for enrollment into a research study
Under these provisions, no PHI may be removed from the covered entity during the course of the review.
Q: If, under the "preparatory to research" provisions, a researcher identifies subjects who meet the study's eligibility criteria, how can the researcher contact the potential participant to obtain Authorization?
A: Under the "preparatory to research" provision, covered entities may use and disclose to researchers PHI to aid in study recruitment. They may allow a researcher to identify, but not contact, potential study participants. To contact potential study participants, a researcher may do so, without Authorization from the individual, under the following circumstances:
- If the researcher is a workforce member of a covered entity, the researcher may contact the potential study participant, as part of the covered entity's health care operations, for the purposes of seeking Authorization. Alternatively, the covered entity may contract with a researcher as a business associate to assist in contacting individuals on behalf of the covered entity to obtain their Authorizations.
- If the covered entity obtains documentation that an IRB has partially waived the Authorization requirement to disclose PHI to a researcher for recruitment purposes, the covered entity could disclose to the researcher that PHI necessary for the researcher to contact the individual.
Q: The Privacy Rule requires that Authorization for PHI uses and disclosures for research purposes be research trial or study specific. May research sponsors and researchers who are covered entities continue to obtain informed consent from research participants under the HHS or FDA Protection of Human Subjects Regulations to conduct a limited class of unspecified future research?
A: Yes, under certain limited circumstances, the HHS and FDA Protection of Human Subjects Regulations at 45 CFR 46.116 and 21 CFR 50.25, respectively, permit an IRB-approved informed consent to be broader than for a specific research study. For example, when obtaining biological or tissue specimens from living individuals to create a repository established and maintained for research purposes, the IRB-approved informed consent document may include a description of the specific types of research to be conducted using the data and specimens maintained for the repository. In addition, for future research that involves the study of individually identifiable information maintained for the repository, an IRB may determine that the original informed consent for the creation of the research repository satisfies the requirements of 45 CFR part 46 and/or 21 CFR part 50 for the conduct of future research, provided that the future research now being proposed was adequately described in the original informed consent. For some tissue repositories, the specific type of research that may be done in the future on donated biological and tissue specimens was unknown when the tissue was donated but sufficiently anticipated and described to satisfy 45 CFR part 46 or 21 CFR part 50. However, the informed consent information describing the nature and purposes of the research should be as specific as possible.
The Privacy Rule does not override or modify the HHS or FDA Protection of Human Subjects Regulations on informed consent. Rather, these Federal regulations must be construed together where more than one applies. Under the Privacy Rule, an Authorization governs the use of PHI by a covered entity for research and the purposes and conditions for which a covered entity may disclose PHI to a researcher. Therefore, an Authorization, whether combined with an IRB-approved consent (as permitted in the Privacy Rule at section 164.508(b)(3)(i)) or separate, could not be for future unspecified research. Rather, the Authorization would need to describe the research purpose of the use or disclosure, required by section 164.508 of the Privacy Rule, which must be research trial or study specific. Even where an Authorization is combined with an IRB-approved informed consent, the Authorization would need to be limited in such a way, even though the HHS and FDA Protection of Human Subjects Regulations would permit the IRB-approved informed consent document to also describe the certain unspecified types of research that may be conducted in the future using the data and specimens maintained for the repository. Thus, uses and disclosures for such future research would require an additional Authorization, except as permitted without Authorization, under section 164.512(i) (e.g., with a waiver of Authorization) or 164.514(e) (i.e., as a limited data set with a data use agreement).
Q: May research sponsors and researchers who are NOT covered entities continue to obtain informed consent from research participants under the HHS or FDA Protection of Human Subjects Regulations to conduct a limited class of unspecified future research even though the Privacy Rule requires that Authorizations for research be research trial or study specific?
A: Research sponsors and researchers who are not covered entities or not workforce members of a covered entity are not required to comply with the Privacy Rule. However, research sponsors and researchers may be subject to the HHS and/or FDA Protection of Human Subjects Regulations, which are not modified or replaced by the Privacy Rule. Thus, research sponsors and researchers may, to the extent permitted by the HHS and FDA Protection of Human Subjects Regulations at 45 CFR 46.116 and 21 CFR 50.25, respectively, continue to obtain informed consent from research participants under these regulations to conduct a limited class of unspecified future research.
Q: Do the HHS or FDA Protection of Human Subjects Regulations require IRBs to oversee the compliance of investigators with the Privacy Rule?
A: No. Neither the HHS nor FDA Protection of Human Subjects Regulations require IRBs to oversee investigators' compliance with the Privacy Rule.
Q: Will OHRP or FDA assess compliance with the requirements of the Privacy Rule during their compliance oversight evaluations pertaining to the HHS or FDA Protection of Human Subjects Regulations (45 CFR part 46 and 21 CFR parts 50 and 56, respectively)?
A: No. Since neither OHRP nor FDA enforce the Privacy Rule, OHRP will not assess compliance with the Privacy Rule during compliance oversight evaluations, and FDA will not assess compliance with the requirements of the Privacy Rule during inspections to determine compliance with their respective regulations.
1 Including 21 CFR 56.108 and 45 CFR 46.108.
2 Including 21 CFR 56.110 and 45 CFR 46.110.
3 These categories are published and updated in the Federal Register. The current list of categories has been published at 63 Federal Register 60364 (November 9, 1998). A copy of the list is available at http://ohrp.osophs.dhhs.gov/humansubjects/guidance/expedited98.htm and http://www.fda.gov/oc/ohrt/irbs/expeditedreview.html.
NIH Publication Number 03-5428 August 2003