For research to be approved by IRBs, the protocol must include, when appropriate, adequate provisions to protect the privacy interests of research participants and the confidentiality of research data pursuant to 45 CFR 46.111(a)(7) and 21 CFR 56.111(a)(7). In addition, if a protocol involves the use of Protected Health Information (PHI), IRBs must assure that the protocol satisfies the requirements of the HIPAA Privacy Rule, including any waiver or alteration of HIPAA authorization under 45 CFR Parts 160 and 164.
When reviewing protocols and determining the provisions needed to protect participants' privacy interests and/or the confidentiality of data, the IRB should assess the risk/benefit ratio of the research with regard to privacy and confidentiality: whether the risks of a breach of participants' privacy interests or of the confidentiality of data are commensurate with the benefits to participants and with the risks of everyday life, and whether measures to mitigate those risks are necessary for approval of the research. Please note the following definitions:
Privacy refers to a person's desire to control the access of others to himself or herself. For example, research participants may not want to be seen entering a place that might stigmatize them, such as an addiction-counseling center that is clearly identified as such by signs on the front of the building.
Confidentiality refers to the researcher's agreement with the participant about how the research participant's identifiable private information will be handled, managed, and disseminated.
Depending on the situation, the consequences of an inadvertent breach of privacy can be significant for subjects, as well as others, and can result in emotional trauma for subjects or their families, damage to reputations, adverse effects on insurability or employability, legal consequences for subjects, or life-threatening circumstances. In order to evaluate the type and level of risks to subjects and others, the IRB should obtain the following information from the investigator to determine whether the provisions to protect participants' privacy interests and/or the confidentiality of data are adequate:
The National Institutes of Health (NIH) issues Certificates of Confidentiality (CoC) to protect identifiable research information from forced disclosure. A CoC allows an investigator and others who have access to research records to refuse to disclose identifying information on research participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level.
Certificates can be used for biomedical, behavioral, clinical, or other types of research that are sensitive. In sensitive research, disclosure of identifying information could have adverse consequences for research participants or damage their financial standing, employability, insurability, or reputation.
Examples of sensitive research activities include, but are not limited to, collection of the following:
The HIPAA Privacy Rule (the Privacy Rule) is a set of federal regulations providing protections for the confidentiality of health information used in clinical practice, research, and the operations of health care facilities. The intended purpose of the Privacy Rule is to ensure that health information confidentiality risks are minimized. In addition, the Privacy Rule requires the training of researchers in the protection of confidential health information.
The Privacy Rule protects "individually identifiable health information," referred to as protected health information or PHI. The Privacy Rule defines PHI to include information that:
The Privacy Rule applies to the use or disclosure of PHI for research purposes and will require one or more of the following actions and documentation:
Of note, the Privacy Rule supplements and expands Common Rule regulation of human subjects research.
The HIPAA Privacy Rule and the Common Rule regulations have different standards for determining what constitutes identifiable information.
The Common Rule provides a definition for information that is individually identifiable: "...the identity of the subject is or may readily be ascertained by the investigator or associated with the information" [45 CFR 46.102(f)].
The HIPAA Privacy Rule, rather than providing a definition, lists 18 specific identifiers that may identify an individual. These identifiers include name, medical record number, and dates, such as birth date and dates of service.
Therefore, for research studies to which both the Common Rule and the HIPAA Privacy Rule apply, the two different standards must each be applied to determine whether information is identifiable. Consequently, it is possible for the IRB to determine that the information is not individually identifiable under the Common Rule, but is identifiable under the HIPAA Privacy Rule. For example, a large dataset that contains no identifiers other than a date of service (e.g., the date of a CT scan) would be considered identifiable under the HIPAA Privacy Rule; however, if the IRB determines that the identity of the subject is not readily ascertained by the investigator, it would not fit the definition of individually identifiable under the Common Rule.