How Do Other Privacy Protections Interact With the Privacy Rule?
Key Points:
- In addition to the Privacy Rule, State and other Federal laws and regulations, such as HHS regulations for protecting human subjects, continue to govern research when applicable.
State Laws and Regulations
In general, the Privacy Rule overrides (or preempts) State laws relating to the privacy of health information that are contrary to the Rule. Any provision of State law that is not contrary to a provision of the Privacy Rule will remain in full force and effect, so that covered entities will continue to have to follow such State laws in addition to the Privacy Rule. However, even where a State law is contrary to the Privacy Rule, there are certain exceptions where the Privacy Rule will not override the contrary State law. For example, State laws that relate to the privacy of individually identifiable health information and are both contrary to and more stringent than the Privacy Rule will continue to stand. In addition, contrary laws and procedures established under State law that provide for reporting of disease or injury, child abuse, birth or death, or for conducting public health surveillance, investigation, and intervention also are not overridden by the Privacy Rule.
State Law - A constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.
Federal Laws and Regulations
Much of the biomedical and behavioral research conducted in the United States is governed either by the rule entitled “Federal Policy for the Protection of Human Subjects” (also known as the “Common Rule,” which is codified for HHS at subpart A of Title 45 CFR Part 46) [1,2] and/or the Food and Drug Administration’s (FDA) Protection of Human Subjects Regulations at Title 21 CFR Parts 50 and 56 [3]. FDA, a component of HHS, has additional human subject protection regulations, which apply to research involving products regulated by FDA. Although these human subject regulatory requirements, which apply to most Federally funded and to some privately funded research, include protections to help ensure the privacy of subjects and the confidentiality of information, the intent of the Privacy Rule, among other things, is to supplement these protections by requiring covered entities to implement specific measures to safeguard the privacy of individually identifiable health information. The Privacy Rule does not replace or act in lieu of these human subject protection regulations, so some researchers who are also (or who work for) covered entities may find themselves responsible for complying with multiple sets of regulations. For purposes of this booklet, some distinctions among the Privacy Rule, the HHS Protection of Human Subjects Regulations, and the FDA Protection of Human Subjects Regulations are outlined. To the extent that a covered entity is also a Federally assisted drug abuse program, the covered entity is also subject to the Confidentiality of Alcohol and Drug Abuse Patient Records [4] regulation. It may therefore be necessary for covered entities to properly use and disclose individually identifiable health information in compliance with both sets of regulations.
Educational materials on the relationship between the Privacy Rule and the Confidentiality of Alcohol and Drug Abuse Patient Records regulation as they relate to research are described in a separate document at the Substance Abuse and Mental Health Administration (SAMHSA) Web site http://www.hipaa.samhsa.gov/
The HHS Protection of Human Subjects Regulations – Regulations intended to protect the rights and welfare of human subjects involved in research conducted or supported by HHS.
The FDA Protection of Human Subjects Regulations – Regulations intended to protect the rights, safety, and welfare of participants involved in studies subject to FDA jurisdiction.
Certificates of Confidentiality
Certificates of Confidentiality offer an important protection for the privacy of research study participants by protecting identifiable research information from forced disclosure (e.g., through a subpoena or court order). The certificates allow investigators and others with access to research records to refuse to disclose information that could identify research participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the Federal, State, or local level. Certificates of Confidentiality may be granted by the National Institutes of Health (NIH), the Centers for Disease Control and Prevention (CDC), the FDA, and other Federal agencies for studies that collect information that, if disclosed, could damage subjects’ financial standing, employability, insurability, or reputation, or have other adverse consequences. By protecting researchers and institutions from forced disclosure of such information, Certificates of Confidentiality help achieve research objectives and promote participation in research studies.
The Privacy Rule and Certificates of Confidentiality afford distinct privacy protections for research subjects. The Privacy Rule does not protect against all forced disclosure since it permits disclosures required by law, for example. Certificates of Confidentiality are legal protections that do protect against forced disclosure by giving their holders a legal basis for refusing to disclose information, which, absent the certificate, they would be obliged to disclose.
| Area of Distinction | HIPAA Privacy Rule | HHS Protection of Human Subjects Regulations Title 45 CFR Part 46 | FDA Protection of Human Subjects Regulations Title 21 CFR Parts 50 and 56 |
| --- | --- | --- | --- |
| Overall Objective | Establishes a Federal floor of privacy protections for most individually identifiable health information by establishing conditions for its use and disclosure by certain health care providers, health plans, and health care clearinghouses. | To protect the rights and welfare of human subjects involved in research conducted or supported by HHS. Not specifically a privacy regulation. | To protect the rights, safety and welfare of subjects involved in clinical investigations regulated by FDA under 21 U.S.C. 355(i) and 21 U.S.C. 360g(j). Not specifically a privacy regulation. |
| Applicability | Applies to HIPAA-defined covered entities, regardless of the source of funding. | Applies to human subjects research conducted or supported by HHS. | Applies to research involving products regulated by FDA. Federal support is not necessary for FDA regulations to be applicable. When research subject to FDA jurisdiction is federally funded, both the HHS Protection of Human Subjects Regulations and the FDA Protection of Human Subjects Regulations apply. |
1 The Federal Policy for the Protection of Human Subjects (the “Common Rule”) was adopted in 1991 by 15 Federal departments and agencies and was published at 50 Federal Register 28002-28032 (1991), and subsequently adopted by the Social Security Administration by Statute and the Central Intelligence Agency by Executive Order.
2 Title 45 of the Code of Federal Regulations, Part 46 at http://ohrp.osophs.dhhs.gov/humansubjects/guidance/45cfr46.htm.
3 Title 21 of the Code of Federal Regulations, Part 50 at http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/showCFR.cfm?CFRPart=50&showFR=1, Part 56 at http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/showCFR.cfm?CFRPart=56&showFR=1. Additional requirements are found in Title 21 of the Code of Federal Regulations, Part 312 at http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=312&showFR=1, and Part 812 at http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=812&showFR=1.
4 Title 42 of the Code of Federal Regulations, Part 2 at http://www.access.gpo.gov/nara/cfr/waisidx_02/42cfr2_02.html