Hostname: page-component-7c8c6479df-hgkh8 Total loading time: 0 Render date: 2024-03-26T12:15:00.326Z Has data issue: false hasContentIssue false

Currents in Contemporary Ethics: Research Privacy under HIPAA and the Common Rule

Published online by Cambridge University Press:  01 January 2021

Extract

For nearly twenty-five years, federal regulation of privacy issues in research involving human subjects was the primary province of the federal rule for Protection of Human Subjects (Common Rule). As of April 14, 2003, the compliance date for the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), however, the Common Rule and the Privacy Rule jointly regulate research privacy. Although, in theory, the Privacy Rule is intended to complement the Common Rule, there are several areas in which the rules diverge. In some instances the inconsistencies result in gaps in privacy protection; in other instances the inconsistencies result in added burdens on researchers without additional privacy protections. In all instances, the lack of harmonization of these rules has created confusion, frustration, and misunderstanding by researchers, research subjects, and institutional review boards (IRBs). In this article, I review the major provisions of the Privacy Rule for research, explain the areas in which the Privacy Rule and Common Rule differ, and conclude that the two rules should be revised to promote consistency and maximize privacy protections while minimizing the burdens on research.

Type
JLME Column
Copyright
Copyright © American Society of Law, Medicine and Ethics 2005

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

45 C.F.R. Part 46, Subpart A (2004). The Common Rule was originally published on January 26, 1981, and it became effective July 27, 1981. 46 Fed. Reg. 8366 (1981).Google Scholar
Pub. L. No. 104-191, 42 U.S.C. §§ 300gg – 300gg-2 (2004).Google Scholar
Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160, 164 (2004).Google Scholar
Title II, subtitle F, §§ 261–264 (“Administrative Simplification”).Google Scholar
65 Fed. Reg. 82,463 (2000).CrossRefGoogle Scholar
Pub. L. No. 104-191, § 264.Google Scholar
65 Fed. Reg. 82,462–82,829 (2000).CrossRefGoogle Scholar
45 C.F.R. § 164.534 (2004).Google Scholar
67 Fed. Reg. 53,181 (2002).CrossRefGoogle Scholar
U.S. Government Accountability Office, “Health Information: First-Year Experiences under the Federal Privacy Rule 19” (2004), available at <www.gao.gov/cgi-bin/getrpt?GAO-04-965> (last visited February 24, 2005) [hereinafter GAO]; National Committee on Vital and Health Statistics, “Letters to Secretary Tommy G. Thompson, September 27, 2002 and November 25, 2002,” available at <www.ncvhs.hhs.gov> (last visited February 24, 2005).+(last+visited+February+24,+2005)+[hereinafter+GAO];+National+Committee+on+Vital+and+Health+Statistics,+“Letters+to+Secretary+Tommy+G.+Thompson,+September+27,+2002+and+November+25,+2002,”+available+at++(last+visited+February+24,+2005).>Google Scholar
See, e.g., National Committee on Vital and Health Statistics, “Letter to Secretary Tommy G. Thompson,” (March 5, 2004), available at <www.ncvhs.gov/040305.2htm> (last visited February 24, 2005) (excuse to avoid public health reporting).+(last+visited+February+24,+2005)+(excuse+to+avoid+public+health+reporting).>Google Scholar
GAO, supra note 10, at 20–21.Google Scholar
45 C.F.R. § 160.102 (2004).Google Scholar
45 C.F.R. § 160.103 (2004) (definition of health plan).Google Scholar
45 C.F.R. § 160.103 (2004) (definition of health information).Google Scholar
Under the Privacy Rule, individuals may request limitations on the use and disclosure of protected health information, but covered entities are not required to agree to the request. 45 C.F.R. § 164.522 (2004).Google Scholar
U.S. Department of Health and Human Services, Office for Civil Rights, “Guidance on Standards for Privacy of Individually Identifiable Health Information” at 7–9 (December 3, 2002), available at <www.hhs.gov/ocr/hipaa/privacy.html> (last visited February 24, 2005).+(last+visited+February+24,+2005).>Google Scholar
45 C.F.R. § 164.520(c)(2) (2004).Google Scholar
45 C.F.R. § 164.508(a) (2004).CrossRefGoogle Scholar
45 C.F.R. § 164.524 (2004).Google Scholar
45 C.F.R. § 164.526 (2004).Google Scholar
45 C.F.R. § 164.528 (2004).CrossRefGoogle Scholar
45 C.F.R. § 160.306 (2004); U.S. Department of Health and Human Services, Office for Civil Rights, “How to File a Health Information Privacy Complaint with the Office for Civil Rights,” available at <http://www.os.hhs.gov/ocr/privacyhowtofile.htm> (last visited February 7, 2005).+(last+visited+February+7,+2005).>Google Scholar
45 C.F.R. § 46.103 (2004).CrossRefGoogle Scholar
U.S. Department of Health and Human Services, “Office for Human Research Protections: Compliance Oversight,” available at <www.hhs.gov/ohrp/compliance/index.html#overview> (last visited February 7, 2005).+(last+visited+February+7,+2005).>Google Scholar
45 C.F.R. § 160.202 (2004) (Privacy Rule).Google Scholar
U.S. Department of Health and Human Services, National Institutes of Health, “How Do Other Privacy Protections Interact with the Privacy Rule?” available at <http://privacyruleandresearch.nih.gov/pr_05.asp> (last visited February 7, 2005).+(last+visited+February+7,+2005).>Google Scholar
45 C.F.R. § 164.501 (2004) (Privacy Rule); 45 C.F.R. § 102(d) (2004) (Common Rule).Google Scholar
U.S. Department of Health and Human Services, “Research Repositories, Databases, and the HIPAA Privacy Rule” (2004), available at <http://privacyruleandresearch.nih.gov/research_repositories.asp> (last visited February 24, 2005); U.S. Department of Health and Human Services, Office for Protection from Research Risks, “Issues to Consider in the Research Use of Stored Data or Tissues” (1997), available at <www.hhs.gov/ohrp/humansubjects/guidance/reposit.htm> (last visited February 7, 2005).+(last+visited+February+24,+2005);+U.S.+Department+of+Health+and+Human+Services,+Office+for+Protection+from+Research+Risks,+“Issues+to+Consider+in+the+Research+Use+of+Stored+Data+or+Tissues”+(1997),+available+at++(last+visited+February+7,+2005).>Google Scholar
U.S. Department of Health and Human Services, National Institutes of Health, “Clinical Research and the HIPAA Privacy Rule,” at 12 (2004), available at <http://privacyruleandresearch.hih.gov/clin_research.asp> (last visited February 7, 2005).+(last+visited+February+7,+2005).>Google Scholar
U.S. Department of Health and Human Services, National Institutes of Health, “How Can Covered Entities Use and Disclose Protected Health Information for Research and Comply with the Privacy Rule?” at 12, available at <http://privacyruleandresearch.nih.gov/pr_08.asp> (last visited February 7, 2005).+(last+visited+February+7,+2005).>Google Scholar
45 C.F.R. § 116(d) (2004).Google Scholar
45 C.F.R. § 164.512(l)(2)(ii) (2004).Google Scholar
45 C.F.R. § 102(f) (2004).Google Scholar
45 C.F.R. § 164.502(f) (2004).Google Scholar
45 C.F.R. § 164.512(l)(iii) (2004).Google Scholar
45 C.F.R. § 164.514(b) (2004).Google Scholar
45 C.F.R. § 164.514(e) (2004).Google Scholar
U.S. Department of Health and Human Services, Office for Human Research Protections, “Guidance on Research Involving Coded Private Information or Biological Specimens” (2004), available at <www.hhs.gov/ohrp/humansubjects/guidance/cdebid.pdf> (last visited February 7, 2005).+(last+visited+February+7,+2005).>Google Scholar
National Committee on Vital and Health Statistics (NCVHS), “Letter to Secretary Tommy G. Thompson,” March 5, 2004, available at <www.ncvhs.hhs.gov/0440305/2.htm> (last visited February 7, 2005).+(last+visited+February+7,+2005).>Google Scholar
Research Repositories, Databases, and the HIPAA Privacy Rule, supra note 29, at 12.Google Scholar
45 C.F.R. § 46.116 (2004).CrossRefGoogle Scholar
See Wolf, L. E. and Lo, B., “Untapped Potential: IRB Guidance for the Ethical Research Use of Stored Biological Materials,” IRB: Ethics & Human Research 26, no. 4 (2004): 18. See generally National Bioethics Advisory Commission, Research Involving Human Biological Materials: Ethical Issues and Policy Guidance, vol. 1, at 63 (1999).CrossRefGoogle Scholar
How Can Covered Entities Use and Disclose Protected Health Information for Research and Comply with the Privacy Rule? supra note 32, at 4.Google Scholar
Clinical Research and the HIPAA Privacy Rule, supra note 30, at 12.Google Scholar
NCVHS Letter to Secretary Thompson, , supra note 42.Google Scholar
45 C.F.R. § 46.116(a)(8) (2004).CrossRefGoogle Scholar
Clinical Research and the HIPAA Privacy Rule, supra note 30, at 4.Google Scholar
45 C.F.R. § 164.502(b) (2004).Google Scholar
45 C.F.R. § 164.502a(b)(2)(iii) (2004).Google Scholar
Research Repositories, Databases, and the HIPAA Privacy Rule, supra note 29, at 5.Google Scholar
Clinical Research and the HIPAA Privacy Rule, supra note 30, at 17–18.Google Scholar
Id. at 18. Research records maintained by a non-covered entity also would not be considered part of a designated record set.Google Scholar