Editor's note: This practice brief supersedes the 2011 practice brief "Regulations Governing Research."
The US Department of Health
and Human Services (HHS) and other federal agencies and departments
including the Office for Human Research Protections, Department of Education,
the National Science Foundation, and the Consumer Product Safety Commission
jointly promulgated regulations now known as the "common rule"
regarding the protection of human subjects involved in research. For purposes of these regulations, "research" is defined as "a systematic investigation
including research development, testing, and evaluation designed to
develop or contribute to generalizable knowledge."1
This practice brief reviews
the federal regulations that affect research and the requirements regarding
the use and protection of an individual's information.
Federal
Regulations Regarding Research
The Common Rule is a basic set of protections for all human subjects of research conducted or supported by HHS. The common rule requires, among other
things, that an institutional review board (IRB) review all research
protocols under its purview even if informed consent to participate
in the research study or protocol is to be obtained from individual
participants.
Certain research activities
are exempt from HHS and common rule oversight, including "research
involving the collection or study of existing data, documents, records,
pathological specimens, or diagnostic specimens, if these sources are
publicly available or if the information is recorded by the investigator
in such a manner that subjects cannot be identified, directly or through
identifiers linked to the subjects."2
However, research involving
human subjects is generally regulated under the common rule. According
to HHS regulations, "human subjects" are defined as "living
individuals about whom an investigator conducting research obtains either
data throughout intervention or interaction with the individual or identifiable
private information." Research involving existing databases or
abstract data from medical records falls under the same rules relating
to access of protected health information (PHI).3
The Food and Drug Administration
(FDA) also imposes similar regulations on research involving human subjects. For FDA purposes, "human subject"
means "an individual who is or becomes a participant in research,
either as a recipient of the test article or as a control. A subject
may be either a healthy individual or a patient."4
Each institution engaged in
research covered by the common rule and conducted or supported by a
federal department or agency must provide written assurance satisfactory
to the department or agency head that it will comply with the common
rule's requirements. While completely private funding for research may
exist, it is not common, nor is it under federal control, and the common
rule requirements do not apply. If an organization meets the definition
of covered entity (CE) for purposes of HIPAA and does not otherwise
participate in federally funded research, only HIPAA's research rules
would apply. If, however, an organization meets the CE definition under
HIPAA, conducts federally funded research, and has given written assurances
of compliance with the common rule, it must adhere to both sets of regulations.
Minimum Provisions
The common rule requires that
research be reviewed and approved by an IRB and subject to continuing
review by the IRB. At a minimum, the organization conducting research
must provide:
- A statement of principles
governing the institution in the discharge of its responsibilities for
protecting the rights and welfare of human subjects of research conducted
at or sponsored by the institution
- Designation of an
IRB, including sufficient staff to support the IRB's review
and record-keeping duties
- A list of IRB members
identified by name, earned degrees, representative capacity, indications
of experience such as board certifications and licenses sufficient to
describe each member's chief anticipated contributions to IRB deliberations
- Written procedures
that the IRB will follow for conducting review of research and for reporting
its findings and actions to the investigator and the institution; for
determining which projects require review more often than annually and
which projects need verification from sources other than the investigators
that no material changes have occurred since previous IRB review; and
for ensuring prompt reporting to the IRB of proposed changes in a research
activity
- Written procedures
for ensuring prompt reporting to the IRB, appropriate institutional
officials, and the federal authority of any unanticipated problems involving
risks to subjects or others, any serious or continuing noncompliance,
or any suspension or termination of IRB approval
IRB Membership
The composition of the IRB
is also dictated by regulation. Each organization must ensure the IRB
has at least five members with varying backgrounds to promote complete
and adequate review of research activities commonly conducted by the
organization. The IRB shall be sufficiently qualified through the experience,
expertise, and diversity of the members, including consideration of
race, gender, and cultural backgrounds and sensitivity to issues such
as community attitudes, to promote respect for its advice and counsel
in safeguarding the rights and welfare of human subjects.
In addition to possessing the
professional competence necessary to review specific research activities,
the IRB must be able to ascertain the acceptability of proposed research
in terms of institutional commitments and regulations, applicable law,
and standards of professional conduct and practice. IRB membership must
be diverse, with members from the scientific and non-scientific community
represented. At least one member must not be affiliated with the organization
and the IRB may invite individuals with competence in special areas
to assist in the review of issues that require expertise in addition
to that available on the IRB.
Expedited Review
Not all areas of research must
undergo scrutiny of the full IRB membership. A process known as "expedited
review" has been established for research activities that present
no more than minimal risk to human subjects and that involve procedures
listed in the categories below. The IRB chairperson may request expedited
review by one or more experienced reviewers designated by the chairperson
from among members of the IRB. Each IRB that uses an expedited review
procedure must ensure that all members are advised of research proposals
that have been approved under the expedited review procedure.
It is important to note that
expedited reviews may not be used where identification of the subjects
or their responses would reasonably place them at risk of criminal or
civil liability or be damaging to their financial standing, employability,
insurability, or reputation; nor should it be used when identification
could be stigmatizing, unless reasonable and appropriate protections
are implemented so that risks related to invasion of privacy and breach
of confidentiality are no greater than minimal. Requirements for informed
consent (or its waiver, alteration, or exception) apply to both expedited
and full IRB review.
A list of potential expedited
reviews is listed below:
- Clinical studies
of drugs and medical devices only when an investigational new drug
application is not required or research on medical devices for which
an investigational device exemption application is not required
- Collection of
blood samples by finger stick, heel stick, ear stick, or venipuncture
from certain classes of persons
- Prospective collection
of biological specimens for research purposes by noninvasive means
such as hair or sputum samples
- Collection of data
through noninvasive procedures such as physical sensors that
are applied to the surface of the body
- Research involving
materials (data, documents, records, or specimens) that have been
collected, or will be collected, solely for nonresearch purposes (such
as medical treatment or diagnosis)
- Collection of
data from voice, video, digital, or image recordings made for research
purposes
- Research on individual
or group characteristics or behavior or research employing survey,
interview, oral history, focus group, program evaluation, human factors
evaluation, or quality assurance methodologies
- Continuing review
of research previously approved by the convened IRB
- Continuing review
of research, not conducted under an investigational new drug application
or investigational device exemption, where categories two through eight
do not apply but the IRB has determined and documented at a convened
meeting that the research involves no greater than minimal risk
and no additional risks have been identified
Informed Consent
A research investigator may
not involve a human being as a subject in research unless the investigator
has obtained a legally effective informed consent from the research
subject. The information that is given to the research subject must
be in plain language and contain at least the following:
- A statement that
the study involves research, an explanation of the purposes of the
research, the expected duration of the subject's participation,
a description of the procedures to be followed, and identification of
any procedures that are experimental
- A description of
any reasonably foreseeable risks or discomforts to the subject
- A description of
any benefits to the subject or to others that may reasonably
be expected from the research
- A disclosure of
appropriate alternative procedures or courses of treatment, if any,
that might be advantageous to the subject
- A statement describing
the extent, if any, to which confidentiality of records identifying
the subject will be maintained
- For research involving
more than minimal risk, an explanation as to whether any compensation
and an explanation as to whether any medical treatments are available
if injury occurs and, if so, what they consist of or where further information
may be obtained
- Contact information
for answers to pertinent questions about the research and research subjects'
rights and in the event of a research-related injury to the subject
- A statement that
participation is voluntary, refusal to participate will involve
no penalty or loss of benefits to which the subject is otherwise entitled,
and the subject may discontinue participation at any time without penalty
or loss of benefits to which the subject is otherwise entitled
If appropriate and necessary,
one or more of the following elements of information may also be provided
to the research subject:
- A statement that
the particular treatment or procedure may involve risks to the subject
(or to the embryo or fetus, if the subject is or may become pregnant),
which are currently unforeseeable
- Anticipated circumstances
under which the subject's participation may be terminated by the investigator
without regard to the subject's consent
- Any additional costs
to the subject that may result from participation in the research
- The consequences
of a subject's decision to withdraw from the research and procedures
for orderly termination of participation by the subject
- A statement that
significant new findings developed during the course of the research
that may relate to the subject's willingness to continue participation
will be provided to the subject
- The approximate
number of subjects involved in the study
General information on informed
research consent can be found at 45 CFR 46.116(a)(8) and 45 CFR 46.116(b)(2)
and (4) in the Federal Register.
Waiver of Informed Consent
An IRB has the power to dispense
with the need for written consent from the research subject. The IRB
may approve a process that does not include, or which alters, some or
all of the elements of informed consent set forth above or may waive
the requirement to obtain informed consent provided the IRB finds and
documents that:
- The research is
to be conducted by or is subject to the approval of state or local government
officials and is designed to study, evaluate, or otherwise examine public
benefit or service programs; procedures for obtaining benefits or services
under those programs; possible changes in or alternatives to those programs
or procedures; or possible changes in methods or levels of payment for
benefits or services under those programs
- The research could
not practicably be carried out without the waiver or alteration
An IRB may also approve a consent
procedure that does not include, or which alters, some or all of the
elements of informed consent or waive the requirement to obtain informed
consent if the IRB has documented evidence presented to it that:
- The research involves
no more than minimal risk to the subjects
- The waiver or alteration
will not adversely affect the rights and welfare of the subjects
- The research could
not practicably be carried out without the waiver or alteration
- Whenever appropriate,
the subjects will be provided with additional pertinent information
after participation
An IRB may also waive the requirement
for the investigator to obtain a signed consent form for some or all
subjects if it finds either that:
- The only record
linking the subject and the research would be the consent document and
the principal risk would be potential harm resulting from a breach of
confidentiality; each subject will be asked whether the subject wants
documentation linking the subject with the research, and the subject's
wishes will govern.
- The research
presents no more than minimal risk of harm to subjects and involves
no procedures for which written consent is normally required outside
of the research context.
While waiver or alteration
of consent or authorization may be allowed, these threshold determinations
by and through an IRB must take place. For example, even an investigator
who wants to use an existing database to create a mailing to recruit
participants into a study will require an IRB review to ensure that
the minimal risk determinations are appropriately made. And in cases
in which the written documentation of informed consent or authorization
requirement is waived, the IRB may still require the investigator to
provide research subjects with a written statement regarding the research.
IRB/Privacy Board Approval
HIPAA allows for research without
individual authorization, under the following conditions (45 CFR 164.512
(i)(1)(i)):
- An IRB, established
in accordance with relevant CFRs, has approved the waiver or alteration
of the individual authorization required by Section 164.508 for use
or disclosure of PHI
- The privacy board
includes:
- A varied membership
with appropriate professional competency to adequately review the research
request and evaluate the effect of the research on an individual's privacy
rights
- At least one member
who is not associated with the CE, the researcher, or sponsor of research,
and not related to anyone associated with the CE, researcher, or sponsor
of research
- No members who participate
in the review of any project while having a conflict of interest
The IRB or privacy board must
upon the approval of the research:
- Document the date
the alteration or waiver of authorization was approved
- State that the alteration
or waiver of authorization satisfies the three criteria in the rule
- Briefly describe
the PHI to be used or accessed
- Document that the
alteration or waiver of authorization has been reviewed and approved
under normal or expedited review procedures
- Record the signature
of the chair or acting chair of the IRB or privacy board, as applicable
For an IRB or privacy board
to approve a waiver of authorization, three criteria must be met:
- There is no more
than a minimal risk to the privacy of individuals included in the research
- The research could
not be conducted without the waiver of authorization or alteration
- The research could
not be conducted without access to and use of the PHI5
Preparatory to Research
Under HIPAA's requirements,
a CE does not need to obtain an authorization for use and disclosure
of PHI when the use is preparatory to research and the researcher documents
that:
- The use of PHI is
to prepare a research protocol or another similar purpose
- No PHI will be removed
from the CE by the researcher
- The PHI is necessary
for research purposes
Decedent Information
A CE does not need to obtain
an authorization for use and disclosure of PHI when the use is regarding
a decedent. The researcher must document the use of PHI is for research
and that the PHI is necessary for the research purpose. The research
must also document the death of the individuals if the CE requests it. Though the Omnibus Rule states that a decedent's health information is no longer considered PHI after 50 years, the organization may still request a proof of death prior to releasing the information if they do not have a record of the patient's death.
Limited Data Sets
A CE and a researcher may enter
into an agreement for use of a limited data set (Section 164.514(e))
only for the purposes of research, public health, or healthcare operations.
A limited data set is data with the following 16 direct identifiers
of the individual, or of relatives, employers, or household members
of the individual excluded or removed:
- Name
- Address
- Telephone number
- Fax number
- E-mail address
- Social Security
number
- Medical record number
- Health plan beneficiary
number
- Account numbers
- Certificate/ license
numbers
- Vehicle identification
numbers and license plate numbers
- Device identifiers
and serial numbers
- Web universal resource
locators (URLs)
- Internet protocol
(IP) address numbers
- Biometric identifiers,
including finger and voice prints
- Full face photographic
images and any comparable images
The limited data use agreement
must document the permitted uses and disclosures of the information,
who is permitted to use or receive the limited data set, and that the
researcher agrees to:
- Not use or further
disclose the information according to the terms of the agreement
- Use appropriate
safeguards to prevent misuse or inappropriate disclosure
- Report to the CE
any misuse or inappropriate disclosure
- Ensure that any
agents, including a subcontractor, agree to the terms and conditions
of the limited data use agreement
- Not identify the
information or contact the individuals
Privacy
and Research
The HIPAA privacy rule builds
on the existing federal research protections. When research is performed without
individual authorization, the CE must obtain one of the following:
- IRB or privacy board
approval in accordance with provisions above
- Representations
from the researcher that the use or disclosure of the PHI is solely
to prepare a research protocol for similar purposes preparatory to research
- Representations
from the researcher that use or disclosure is solely for research on
the PHI of decedents
- Limited data set
use agreement entered into by both the CE and researcher
Organizations must ensure that
research activities include mechanisms to keep PHI confidential. They
must:
- Determine if the
IRB will make decisions regarding access to PHI.
- If the organization
has not sanctioned an IRB, it should establish a privacy board to make
determinations regarding access to PHI for research beyond healthcare
operations.
- Determine how PHI
requests for preparatory research activities will be addressed.
- Determine how decedent
PHI requests will be addressed.
- Determine if they
will accept approvals from an outside IRB.
- Educate IRB or privacy
board members on privacy and security policies and procedures.
Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules outline new standards for the sale of PHI, compound authorizations for research, and authorizing future research use and disclosure. It also clarifies that researchers, IRBs, and privacy boards are not business associates.
Sale of PHI and Research
The prohibition on sale of PHI states that a CE must obtained a valid authorization for any disclosure of PHI which it receives remuneration in exchange for any PHI. The authorization must have a statement that the disclosure will result in remuneration to the covered entity.
A research exception can be found in section 164.502(A), which states that if the purpose of the exchange of PHI is for research (as described in sections CFR 164.512 (i) or 164.514 (e)) and the price charged reflects a reasonable cost-based fee for the preparation and transmittal of the data for such purpose, no authorization is required.
Research Authorizations
Compound authorizations (164.508(b)(3)(i) and (iii)) have been amended to allow compound (conditioned and unconditioned) authorizations for research. The research authorization must clearly differentiate between the conditioned and unconditioned research components. Individuals must be able to easily opt out of the unconditioned research activities. This provision does not apply to psychotherapy notes.
Compound authorizations for research can include an authorization for use of PHI in a clinical trial and optional sub-studies or biospecimen banking that also permits future secondary use of the data (to the extent the authorization meets the future use requirements). Authorizations are still allowed to be combined with the informed consent documents for the research study.
Authorizations for future research use or disclosure (164.508(c)(1)(iv)) still follow the HIPAA authorization elements. The "purpose" interpretation has changed for research. An authorization for uses and disclosures of PHI for future research must adequately describe what the individual is to expect when his or her PHI may be used or disclosed for future research. In addition, the description of the PHI may include information collected beyond the time of the original study.
Withdrawal
from Research
On September 21,2010, the Office
for Human Research Protections published additional guidance regarding
withdrawal of subjects from research. The guidance is based
off 45 CFR 46.116(a)(8), which states that subjects have the right to
withdraw from or discontinue participation in research studies at any
time. The Office for Human Research Protections recommends that investigators
always plan for the possibility that subjects will withdraw from research.
If a subject decides to withdraw from a study the investigator must
discontinue all activities including:
- Interacting with
the subject in order to obtain data for the study
- Obtaining additional
identifiable private information about the subject by collecting or
receiving information from any source
- Obtaining additional
identifiable private information about the subject by observing or recording
private behavior without direct intervention (e.g., using video cameras)
Notes
1. US Department of Health
and Human Services. "Protection
of Human Subjects." Code of Federal Regulations, 2009. 45 CFR, Part 46.
2. "Protection of Human Subjects," Section 101.
3. "Protection of Human Subjects," Section 102.
4. US Department of Health
and Human Services. "Food
and Drugs." Code of Federal Regulations, 2002. 21 CFR, Part 56, Section 102.
5. Office for Civil Rights.
"Medical
Privacy?National Standards to Protect the Privacy of Personal Health
Information."
Section "Research."
References
Amatayakul, Margret. "Another
Layer of Regulations: Research Under HIPAA." Journal of AHIMA
74, no. 1 (2003): 16A-16D.
Office for Human Research Protections. "Guidance on Withdrawal of Subjects from Research: Data Retention and Other Related Issues" Federal Register 75, no. 182 (Sept. 21, 2010): 57469-70.
Updated (2013) by
Diana Warner, MS, RHIA, CHPS, FAHIMA
Update Acknowledgements:
Angela Dinh Rose, MHA, RHIA, CHPS
Beth Liette MS, RHIA
Deanna Panzarella, CHPS
Cheryl Rogers, RHIA, CDIP, CCDS
Rayna Scott, MS, RHIA, CHDA
Kim Turtle Dudgeon, RHIT, HIT Pro-IS/TS CMT
Lou Ann Wiedemann, MS, RHIA, CDIP, FAHIMA, CPEHR
Update (2011) by
Patricia Cunningham, MS, RHIA
Acknowledgements
Rebecca Clayton, RHIT, CCS
Jan DeSpiegelaere, MBA, RHIA, CCS, FAHIMA
Angela Dinh, MHA, RHIA, CHPS
Julie Dooling, RHIT
Stacy Jowers Dorris, MBA, RHIA, CPHQ
Renato L. Estrella, MSHA, RHIA, FAHIMA
Lisa Fink, MBA, RHIA, CPHQ
Gwen Jimenez, RHIA
Mona Nabers, MBA, RHIA
Lori Nobles, RHIA
Debi Primeau, RHIA, FAHIMA, MA
Mary Stanfill, MBI, RHIA, CCS, CCS-P,
FAHIMA
Diana Warner, MS, RHIA, CHPS
Lou Ann Wiedemann, MS, RHIA, FAHIMA,
CPEHR
Allison Viola, MBA, RHIA
Original (2003)
Prepared by
Jill Burrington-Brown, MS,
RHIA
Dorothy G. Wagg, JD, RHIA, CHP
Acknowledgments
(original)
Beth Hjort, RHIA, CHP
Harry Rhodes, MBA, RHIA
Article citation:
AHIMA Practice Brief. "Regulations Governing Research (2013 update) - Retired"
(Updated May 2013) |