Appendix D
The IOM Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule
RECOMMENDATIONS SUMMARY
The committee’s foremost recommendation is the following:
- Congress should authorize HHS and other relevant federal agencies to develop a new approach to protecting privacy that would apply uniformly to all health research. When this new approach is implemented, HHS should exempt health research from the HIPAA Privacy Rule.
  - Apply privacy, security, transparency, and accountability obligations to all health records used in research.
- If national policy makers choose to continue to rely on the HIPAA Privacy Rule rather than adopt a new federal approach (Recommendation I), the committee recommends the following:
  - HHS should revise the HIPAA Privacy Rule and associated guidance.
  - HHS should reduce variability in interpretations of the HIPAA Privacy Rule in health research by covered entities, IRBs, and Privacy Boards through revised and expanded guidance and harmonization.
    - HHS should develop a dynamic, ongoing process to increase empirical knowledge about current “best practices” for privacy protection in responsible research using protected health information (PHI), and promote the use of those best practices.
    - HHS should encourage greater use of partially deidentified data called “limited datasets” and develop clear guidance on how to set up and comply with the associated data use agreements more efficiently and effectively, in order to enhance privacy in research by expanding use and usability of data with direct identifiers removed.
    - HHS should clarify the distinctions between “research” and “practice” to ensure appropriate IRB and Privacy Board oversight of PHI disclosures for these activities.
    - HHS guidance documents should simplify the HIPAA Privacy Rule’s provisions regarding the use of PHI in activities preparatory to research and harmonize those provisions with the Common Rule, in order to facilitate appropriate IRB and Privacy Board oversight of identification and recruitment of potential research participants.
  - HHS should develop guidance materials to facilitate more effective use of existing data and materials for health research and public health purposes.
    - HHS should develop guidance that clearly states that individuals can authorize use of PHI stored in databases or associated with biospecimen banks for specified future research under the HIPAA Privacy Rule with IRB/Privacy Board oversight, as is allowed under the Common Rule, in order to facilitate use of repositories for health research.
    - HHS should develop clear guidance for use of a single form that permits individuals to authorize use and disclosure of health information in a clinical trial and to authorize the storage of their biospecimens collected in conjunction with the clinical trial, in order to simplify authorization for interrelated research activities.
    - HHS should clarify the circumstances under which DNA samples or sequences are considered PHI, in order to facilitate appropriate use of DNA in health research.
    - HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects privacy, confidentiality, and security.
  - HHS should revise provisions of the HIPAA Privacy Rule that entail heavy burdens for covered entities and impede research without providing substantive improvements in patient privacy.
    - HHS should reform the requirements for the accounting of disclosures of PHI for research.
    - HHS should simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study, in order to facilitate appropriate authorization requirements for responsible research.
- Regardless of whether Recommendation I or II is implemented, the following recommendations, which are independent of the Privacy Rule, should be adopted:
  - Implement changes necessary for both policy options above (Recommendations I and II).
  - All institutions (both covered entities and non-covered entities) in the health research community should take strong measures to safeguard the security of health data.
    - HHS should also support the development and use of new security technologies and self-evaluation standards.
  - To encourage service on Institutional Review Boards, HHS—or, as necessary, Congress—should provide reasonable protection against civil suits for members of Institutional Review Boards and Privacy Boards who serve in good faith.
    - No protection should be provided for willful or wanton misconduct.
  - HHS and researchers should take steps to provide the public with more information about health research by:
    - Disseminating research results to study participants and the public.
    - Educating the public about how research is done and what value it provides.