Co-authored by Ross Sallade

For those pundits who had announced the sky is falling when the Bush Administration issued revised privacy rules back on March 27, 2002, the sobering reality is here: The Revised HIPAA Final Privacy Rules (the "Revised Privacy Rules") published in the Federal Register on August 14, 2002, do not eliminate the fundamental privacy requirements of the original Privacy Rules published in the Federal Register on December 28, 2000 (the "Privacy Rules"), nor do they extend the Privacy Rule’s compliance date of April 14, 2003. While the Revised Privacy Rules leave a number of issues settled, other questions remain unanswered. Although the Department of Health and Human Services (HHS) has indicated that guidance documents and "Q & As" will be issued in the future, these revisions represent the last privacy rule revisions, at least until after the final rule’s compliance date. Accordingly, health care providers and those companies supporting health care provider activities should understand how the Revised Privacy Rules will impact provider operations in the very near future.

This alert summarizes the highlights of the Revised Privacy Rules from a health care provider perspective. Major topics covered are shown below:

General Changes to Standards Regarding Uses and Disclosures of PHI

General Rules—Uses and Disclosures of PHI

Special Issues: Clinical Research

Special Issues: Uses and Disclosure Regarding FDA-Regulated Products and Activities

De-Identification of PHI and Limited Data Set

Accounting of Disclosures of PHI

Special Issues: Business Associates

Miscellaneous Issues

A copy of the Revised Privacy Rules can be downloaded from this link: http://www.hhs.gov/ocr/hipaa/index.html - InitialGuidance

General Changes to Standards Regarding Uses and Disclosures of PHI

Consents & Notice of Privacy Practices

The Revised Privacy Rules eliminate the requirement that health care providers obtain a consent prior to using or disclosing protected health information (PHI) for treatment, payment or health care operations purposes and make such consents optional. Accordingly, under the Revised Privacy Rules, covered entities may obtain an individual’s consent if they choose; health care providers have complete discretion in designing that process. Although not required to obtain consent, any uses or disclosures of PHI for treatment, payment, or health care operations would still need to be consistent with the covered entity’s notice of privacy practices. Moreover, the removal of the consent requirement only applies to consents for treatment, payment, and health care operations; it does not alter the requirement to obtain an authorization for uses and disclosures of PHI not otherwise permitted by the Revised Privacy Rules.

Although the Revised Privacy Rules eliminate the mandatory consent requirement, they strengthen the Privacy Notice requirements by requiring health care providers with direct treatment relationships to make a good faith effort to obtain an individual’s written acknowledgement of receipt of the provider’s notice of privacy practices. Such an acknowledgement must be obtained no later than the first day on which services are delivered, even if the services are delivered electronically (e.g., through the internet or otherwise). The Revised Privacy Rules clarify that, during emergency treatment situations, the necessity to deliver the notice of privacy practices is delayed until reasonably practicable after the emergency situation has passed. The Revised Privacy Rules do not define the term "emergency," although they do clarify that non-emergency ambulance transports are not included within the definition. For patients scheduling "initial visits," HHS indicates that the notice may be provided at the time the patient arrives at the provider’s facility for his or her appointment, surgery, etc.

Compliance with the "good faith" requirement may be achieved in a particular case if the provider with a direct treatment relationship either: (1) obtains a written acknowledgment, or (2) documents what good faith efforts were used to obtain such an acknowledgment and why they failed. One such reason for failure may simply be that the individual refused to sign after being requested to do so (à la the against-medical-advice walk-out from the ED). HHS clarifies that, with regard to e-health care providers, an electronic acknowledgement will suffice, but that an electronic notation by a provider’s receptionist in the computer system will not.

With regard to the actual "notice" document, HHS provides little guidance. While HHS confirms that health care providers that choose to use a consent form may design one form that includes both a consent and an acknowledgement of receipt of the privacy notice, HHS concluded that a model notice that would suit all providers would be difficult, if not impossible, to develop at the regulatory level. The Revised Privacy Rules do not eliminate the basic contents of the notice document as set forth in the Privacy Rules; however, the rules clarify that a provider may use a so-called "layered notice." For example, the Revised Privacy Rules note, a health care provider could satisfy the requirements by providing the individual with both a short notice that briefly summarizes the individual’s rights and other information, and a longer notice, layered beneath the short notice, that contains all the elements required by the Privacy Rule. The Revised Privacy Rules also clarify that the privacy notice may be provided to either the individual receiving treatment or his or her personal representative.

Consequently, while the Revised Privacy Rules eliminate the consent requirements, the trade-off for health care providers is that the privacy notice must be provided at the initial moment of treatment and a signed acknowledgement must be retained in the provider’s records.

Disclosures of PHI for Treatment, Payment and Health Care Operations Purposes

In conjunction with the elimination of mandatory consent requirements, HHS has issued a number of favorable clarifications on permissible uses and disclosures of PHI without an authorization for purposes of treatment, payment and health care operations. First, with respect to treatment, the Revised Privacy Rules expressly clarify that the rules should not prohibit routine communications by and among health care providers for treatment purposes. For example, a primary care provider, who is a covered entity under the Privacy Rule, may send a copy of an individual’s medical record to a specialist who needs the information to treat the same individual--no authorization would be required; however, as discussed below, the provider should limit the amount of PHI furnished to the minimum necessary, and where applicable, abide by any reasonable requests for confidential communications and any agreed-to restrictions.

Second, with respect to payment activities, the Revised Privacy Rules clarify that a covered entity may disclose PHI to another covered entity or any other health care provider for the payment activities of the entity that receives the information. Consequently, a covered entity may provide necessary elements of PHI, such as social security number, address, etc., to another health care provider so that the provider may seek payment for any health care services furnished to the individual. HHS rejected commenters’ suggestions that a covered entity obtain assurances from non-covered providers, prior to disclosure of PHI for payment purposes, that the recipient will not use PHI for any other purpose or disclose it to others; however, again, HHS reminds providers that the Privacy Rules require a covered entity to apply the minimum necessary standard to any disclosures made under this exception.

Third, with respect to health care operations, the Revised Privacy Rules clarify that a covered entity may disclose PHI about an individual to another covered entity for certain health care operations purposes of the covered entity that receives the information if each covered entity has or had a relationship with the individual who is the subject of the information. "Health care operations" include QA/QI activities, population-based activities relating to improving health or reducing health care costs, case management, conducting training programs, and accreditation, certification, licensing, or credentialing activities. The Revised Privacy Rules also add that the "health care operations" exception encompasses the sharing of PHI with another covered entity for health care fraud and abuse detection and compliance programs. Importantly, disclosures for the health care operations of another entity are permitted only to the extent that each entity has, or has had, a relationship with the individual. Where the relationship between the individual and the covered entity has ended, a disclosure of PHI about the individual would only be allowed if it related to the past relationship. If the covered entity does not have a relationship with the individual, then either (1) an authorization must be obtained; or (2) the health care provider may be able to receive the new "limited data set," a narrower band of health information that will not be considered PHI.

Lastly, the revised rules reiterate that covered entities participating in an organized health care arrangement (OHCA) may share PHI for the health care operations of the OHCA without the condition that each health care provider in the OHCA have a relationship with the individual. HHS notes that in order for ‘sharing’ to occur within the OHCA, the covered entities participating in the OHCA must use either a joint privacy notice or separate privacy notices. If they choose to utilize a joint privacy notice, that notice will cover more than one covered entity in the OHCA and will permit each entity of the OHCA to share PHI with each other as necessary to carry out treatment, payment or health care operations relating to the OHCA. In the alternative, if each covered entity in the OHCA elects to have a separate notice, the notices will need to reflect in sufficient detail the particular uses and disclosures, including the fact that the covered entity will share PHI with other members of the OHCA.

On the whole, these favorable clarifications should allow most typical health care provider functions to continue without individual authorization. It is not, however, a ‘free ride’--the covered health care provider must make good faith efforts to obtain written acknowledgement of the privacy notice at the initial moment of treatment and must apply and implement the minimum necessary standard to disclosures made under these exceptions.

Marketing

The Revised Privacy Rules simultaneously strengthen protections against the unauthorized use of PHI for marketing purposes and expand certain exceptions to the definition of marketing so as to protect common types of communications between health care providers and their patients. The general rule is relatively easy to understand: Covered Entities must obtain authorization before any "marketing" communications are made to individuals. Covered entities will no longer be able to engage in "marketing" communications by simply meeting the disclosure and opt-out provisions in the Final Rule. Under the Revised Privacy Rules, "marketing" means "to make a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service." HHS indicates that this is not an "intent-based" standard—if, on the face of the communication, it encourages individuals to purchase or use products or services, the communication will be deemed "marketing" and, thus, unless an exception applies, an authorization must be obtained.

Exclusions from marketing will accommodate a number of typical health care provider-patient communications. Specifically, a health care provider is not engaged in marketing activities when it communicates to individuals about: (1) a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; (2) the individual’s treatment; or (3) case management or care coordination for that individual, or directions or recommendations for alternative treatments, therapies, health care providers, or settings of care to that individual.

In response to what some had perceived as a potential "loophole," marketing is defined expressly to include "an arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service." In other words, a health care provider may not cloak a disclosure of PHI under the guise of a "business associate" agreement if the ultimate recipient of the information intends to use the PHI to market its own products or services. Importantly, this does not preclude a covered entity from engaging a business associate to assist the covered entity with certain types of communications excepted from the definition of marketing (e.g., sending refill or other reminders on behalf of the provider), nor would it preclude a covered entity from using a business associate to conduct a marketing communication about the provider’s products and services if the provider has obtained authorization to make such communication in accordance with the rule’s requirements. The limitation simply prevents furnishing PHI to a third party (even with a formal business associate agreement) who intends to market its own products and services with the information received.

The Revised Privacy Rules make clear that the marketing exclusions are not dependent upon whether the health care provider or other covered entity receives remuneration for the communication made. HHS concludes that the receipt of remuneration does not, for example, transform a treatment communication into a commercial promotion of a product or service. For example, notes HHS, "health care providers should be able to, and can, send patients prescription refill reminders regardless of whether a third party pays or subsidizes the communication. The covered entity also is able to engage a legitimate business associate to assist it in making these permissible communications. It is only in situations where, in the guise of a business associate, an entity other than the covered entity is promoting its own products using protected health information it has received from, and for which it has paid, the covered entity, that the remuneration will place the activity within the definition of ‘marketing’." That being said, a valid authorization for marketing purposes must state whether the marketing communication involves the receipt of direct or indirect remuneration from a third party.

Further complicating the marketing analysis is the fact that, even if the communication is considered "marketing" and, therefore, generally requires authorization, the Revised Privacy Rules make clear that an authorization is not required (1) when the communication occurs in a face-to-face encounter between the covered entity and the individual; or (2) when the communication involves a promotional gift of nominal value. With regard to the "face-to-face exception," HHS rejected commenters’ requests to extend this exception to communications by telephone, mail and other common carriers, fax machines or via the Internet. This exclusion, notes HHS, is narrowly crafted to protect only true face-to-face communications between health care providers and their patients.

With regard to newsletters frequently provided by health care providers to their patients, the Revised Privacy Rules provide that covered entities may make such communications without authorization so long as the content of the communication is not marketing. Newsletters that, for example, merely promote health in a general manner and do not promote a specific product or service from a particular provider would not meet the definition of marketing. Communications in this area include mailings reminding women to get an annual mammogram, mailings providing information about how to lower cholesterol, mailings about new developments in health care (e.g., new diagnostic tools) and mailings about health or wellness classes, support groups, and health fairs. Importantly, HHS clarifies that a covered entity is permitted to use PHI in a database for communications that are either excepted from or that do not meet the definition of "marketing," without individual authorization. For example, HHS notes, "a hospital may use protected health information in an existing database to distribute information about the services it provides, or to distribute a newsletter with general health or wellness information that does not promote a particular product or service." While this would seem to capture the vast majority of general newsletter format communications, it appears that a targeted newsletter to individuals with a specific disease (e.g., cancer) which promotes the availability of a new service offered by the provider (e.g., a new outpatient chemotherapy or diagnostic center) could only be provided if specific authorization had been obtained from the individual. Of course, a health care provider remains free to discuss new programs and services with a patient (which would be considered marketing) without authorization if done so in a face-to-face setting. Presumably, at that time, providers could ask for an authorization from the patient to provide targeted mailings to that patient in the future. In the short run, however, this may create some problems for health care providers that target patients with newsletters, letters or other mailings if the communication encourages the recipient to use the product or service.

Authorizations For Disclosure and Use Not Permitted by the Privacy Rules

Again, the Revised Privacy Rules repeat a seminal theme that is essential to an understanding of this rule: the Privacy Rule requires individual authorization for uses and disclosures of PHI for purposes that are not otherwise permitted or required under the Rule. Consequently, every HIPAA analysis begins with the simple question—does the use or disclosure of PHI fit within an exception? If not, then authorization must be obtained. The Revised Privacy Rules ostensibly simplify the authorization provisions by consolidating the implementation specifications for authorizations into a single set of criteria that apply to all authorizations.

The so-called ‘core elements’ of the authorization remain substantially the same, although HHS clarifies that, while authorizations must contain a description of each purpose of the requested use or disclosure, the statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not elect to provide a statement of the purpose. Consequently, if a patient asks a provider to furnish an entire copy of the individual’s medical record to a given individual or entity, the individual need not explain why and the provider need only document this minimal statement.

In addition to the ‘core elements,’ a valid authorization must contain the following notifications: (1) a statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke and a description of how to exercise this revocation right or, to the extent this information is included in the covered entity’s notice, a reference to the notice; (2) a statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule, or, if conditioning is permitted by the Privacy Rule, a statement about the consequences of refusing to sign the authorization; and (3) a statement about the potential for the protected health information to be redisclosed by the recipient. HHS notes that, while the rule prohibits the conditioning of treatment, payment, enrollment in a health plan, or eligibility for benefits on obtaining an authorization, the rule continues to include exceptions for research-related treatment, eligibility for benefits and enrollment in a health plan, and health care solely for creating PHI for disclosure to a third party. In these limited situations, an authorization may be demanded by the covered entity.

With regard to the statement regarding the potential for redisclosure, HHS states that this does not require an analysis of the risk for redisclosure, but may be a general statement that the health information may no longer be protected by the Privacy Rule once it is disclosed by the covered entity. Covered entities are, of course, free to provide a more detailed explanation regarding the potential for redisclosure and may, for example in the research context, refer to the privacy protections that the researcher will provide for the data.

Psychotherapy notes continue to receive heightened protections under the Revised Privacy Rules. The Privacy Rule does not permit a health plan to condition enrollment, eligibility for benefits, or payment of a claim on obtaining the individual’s authorization to use or disclose psychotherapy notes; nor may a health care provider condition treatment on an authorization for the use or disclosure of psychotherapy notes. The Revised Privacy Rules note that, while providers are permitted to ask the individual if they may disclose psychotherapy notes, the provider must explain in very clear terms that the individual remains free to refuse to authorize the disclosure and that such refusal will have no effect on either the provision of treatment or the individual’s coverage under, or any payment claims by, the health plan.

Lastly, HHS reiterates that a covered entity generally may not combine an authorization with any other type of document, such as a notice of privacy practices or a written voluntary consent, with some exceptions discussed below.

General Rules—Uses and Disclosures of PHI

Incidental Uses and Disclosures of PHI

The Revised Privacy Rules explicitly permit certain incidental uses and disclosures that occur as a result of an otherwise permitted use or disclosure under the Privacy Rule. An incidental use or disclosure would be a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a by-product of an otherwise permitted use or disclosure under the Privacy Rule. An incidental use or disclosure is permissible only to the extent that the covered entity has applied reasonable safeguards as required by the Privacy Rules and implemented the minimum necessary standard, where applicable. Importantly, a use or disclosure that occurs when the covered entity has failed to implement reasonable safeguards or the minimum necessary standard is not an incidental use or disclosure and is not permitted.

By way of example, the Revised Privacy Rules note that a hospital that permits an employee to have unimpeded access to patients’ medical records, where such access is not necessary for the employee to do her job, is not applying the minimum necessary standard and, therefore, any incidental use or disclosure that results from this practice would be unlawful under the Privacy Rule. Additionally, a covered entity that asks for a patient’s health history on the waiting room sign-in sheet is not abiding by the minimum necessary requirements and, therefore, any incidental disclosure of such information that results from this practice would also be unlawful under the Privacy Rule.

Consistent with general themes throughout the Revised Privacy Rules, HHS notes that the Privacy Rule should not impede essential health care communications and practices. According to HHS, while this provision is not designed to eliminate the need to take precautions to avoid being overheard, it will allow incidental uses and disclosures where such precautions have been taken. Importantly, HHS does not attempt to define the key concept of "reasonable safeguards." Rather, HHS states that "each covered entity should assess the nature of the protected health information it holds, and the nature and scope of its business, and implement safeguards that are reasonable for its particular circumstances." Those desiring black and white guidelines may find little solace in this language; however, from an enforcement perspective, this will provide greater flexibility to providers in developing their own internal guidelines so as to comply with the Privacy Rule.

Minimum Necessary Standards—General Clarification

The Privacy Rule generally requires covered entities to make reasonable efforts to limit the use and disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. In plain English, the rule requires that covered entities do not ask for or disclose more information than is necessary for the purpose of treatment, payment or health care operations. The Revised Privacy Rules include a number of technical modifications for clarity. On a more substantive basis, the Revised Privacy Rules exempt from the minimum necessary standards any uses or disclosures for which the covered entity has received a valid authorization that satisfies the requirements of the Privacy Rules. In other words, if an individual has given a valid authorization to disclose certain information to a third-party, the health care provider need not apply the minimum necessary standard to the disclosure of such information.

Of course, the unwitting trap for health care providers within this exception lies in the fact that the authorization must be valid in accordance with the rules’ provisions. Among other requirements, a valid authorization must include a description of the information to be used and disclosed that identifies the information in a specific and meaningful fashion and, further, must be written in plain language. If the individual does not understand the authorization request or the authorization document does not meet the ‘core elements,’ then the health care provider would not be able to rely upon this exception to the minimum necessary standards.

While health care providers need not apply the minimum necessary standard where a valid authorization has been received, HHS clarifies that the Revised Privacy Rules do not require a covered entity to use and disclose PHI pursuant to an authorization. If a covered health care provider is concerned that a request for an individual’s medical records (including psychotherapy notes) is not warranted or is excessive, HHS states that "the provider may consult with the individual to determine whether or not the authorization is consistent with the individual’s wishes." This seems to suggest that covered health care providers may, but need not, conduct their own independent review of an individual’s request to release PHI.

The Revised Privacy Rules eliminate the term "reasonably ensure" in this standard in response to concerns that this term connoted an absolute, strict standard which is inconsistent with HHS’ general position that the standard be reasonable and flexible to the unique circumstances of the covered entity. Covered health care providers, therefore, will need to develop their own policies and procedures based upon their own assessment of what types of PHI are reasonably necessary for a particular purpose given the characteristics of the business and their workforce. Again, for those looking for bright-line rules, the Revised Privacy Rules do not provide a one-size-fits-all answer. Each covered health care provider will need to develop policies around the types of medical care that they provide and the types of information that are needed to render that care. In complex integrated health care systems, the minimum necessary standard may apply differently in different care settings. Indeed, HHS recognizes that, in some cases, the release of an individual’s entire medical record may be necessary for treatment, payment or health care operations purposes, including disease management purposes; however, HHS does not believe that disclosure of a patient’s entire medical record is always justified for such purposes.

One area of important clarification is in the area of requests for PHI by another covered entity to a covered health care provider. HHS clarifies that the Privacy Rule permits a covered entity to reasonably rely on another covered entity’s request for PHI as the minimum necessary for the intended disclosure. By the same token, HHS notes that the covered entity holding the information always retains the discretion to make its own minimum necessary determinations. What constitutes "reasonable reliance" is unclear, and providers will need to apply some common sense guidelines in this area. Whereas it may be reasonable to rely upon the request of a patient’s primary care physician to obtain copies of the entire medical record, it may be unreasonable to rely upon the request for the entire medical record if a patient’s orthopedic surgeon requests the same.

The Revised Privacy Rules confirm that the Privacy Rule exempts from the minimum necessary standard any data elements that are required in any standard transactions. However, HHS notes that when optional data elements are requested, the minimum necessary standard would apply. For example, HHS notes that the standard transactions adopted for the outpatient pharmacy sector use optional data elements which are specified by the third-party payer for payment of its particular pharmacy claims. Here, HHS states "the minimum necessary standard applies to the payer’s request for such information" and that "a pharmacist is permitted to rely on the payer’s request for information, if reasonable to do so, as the minimum necessary for the intended disclosure." Again, the language "if reasonable to do so" suggests that providers’ reliance on third-party requests for information is not unfettered—common sense and clear internal policies must be developed in this area.

Parental Access to PHI of a Minor

HHS makes a number of technical changes to the Privacy Rules so as to ensure that the rules will continue to defer to State law or other applicable law and to remain neutral to the extent possible. In general, if a covered entity complies with State and other applicable laws regarding the disclosure of, or access to, a minor’s PHI to, or by, a parent it will also be in compliance with the Revised Privacy Rules.

Specifically, first, with respect to disclosure of PHI to a parent, the Revised Privacy Rules provide that state and other applicable laws explicitly requiring, permitting or prohibiting disclosure of PHI to a parent control the contemplated disclosure. Second, with respect to access to PHI by a parent, the Revised Privacy Rules again provide that state and other applicable laws explicitly requiring, permitting or prohibiting access to PHI by a parent control the requested access. The Revised Privacy Rules clarify that, when state law is silent on access to PHI and the parent requesting such access is not the child’s personal representative, a covered entity is permitted discretion on whether to permit a parent access to their child’s PHI. Even then, however, that discretion must be exercised by a health care professional acting in a professional capacity.

In some instances, the resolution of whether state law or HIPAA controls a contemplated disclosure of PHI to a parent, or access to PHI by a parent, may require the assistance of counsel. By deferring to state and other applicable laws, HHS underscores its belief that States retain the power to define the rights of parents with respect to their minor children without interference from the Federal Privacy Rules.

Special Issues: Clinical Research

Research Authorizations

The Revised Privacy Rules generally simplify the authorization requirements in connection with clinical research by eliminating the distinction between research that involves treatment and research that does not. The Revised Privacy Rule requires a single set of authorization requirements for all uses and disclosures, including those for research purposes, and permits an authorization for the use or disclosure of PHI to be combined with any other legal permission related to the research study, including another authorization or consent to participate in the research.

The Revised Privacy Rules allow so-called "no-end date" authorizations, an exception to the general rule that all authorizations must include an expiration date. The statement "end of the research study," "none" or similar language is sufficient to meet this requirement for an expiration date or event where the authorization is for a use or disclosure of protected health information for research. The Revised Privacy Rules clarify that, while patients are permitted to revoke their authorization after they commence participation in a clinical research study, covered entities may continue using and disclosing PHI that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study. Under the Privacy Rules, an individual may not revoke an authorization to the extent the covered entity has acted in reliance on the authorization. In the research context, this provision permits the continued use and disclosure of PHI already obtained pursuant to a valid authorization to the extent necessary to preserve the integrity of the research study. However, HHS states that the "reliance exception" would not permit a covered entity to continue disclosing additional PHI to a researcher or to use for its own research purposes information not already gathered at the time an individual withdraws his or her authorization.

The Revised Privacy Rules retain the requirement that, to be a valid research authorization, the document must describe each purpose of the requested use or disclosure, specific to the research study. HHS recognizes that, in the past, some authorizations have not been "study-specific" and that sometimes they authorize the use or disclosure of PHI for future unspecified research— accordingly, the Privacy Rules permit covered entities to rely on an express legal permission, informed consent, or an IRB-approved waiver of informed consent for future unspecified research, provided the legal permission, informed consent or IRB-approved waiver was obtained prior to the compliance date of the Final Privacy Rules. HHS rejected commenters’ requests to broaden the authorization’s "description of the required use or disclosure" in the clinical research context in a manner that would have allowed future unspecified research analysis. Accordingly, if re-analysis of PHI is desired in the future, the clinical researcher must either (1) obtain a new authorization from the individual (which would be highly unlikely); or (2) obtain a waiver of the authorization requirements from an IRB or Privacy Board. As a number of commenters have noted, this will prove difficult for clinical research organizations in multi-state research protocols.

Lastly, the Revised Privacy Rules make clear that researchers are not business associates. This remains true, notes HHS, even in those instances where the covered entity "has hired the researcher to perform research on the covered entity’s own behalf because research is not a covered function or activity." Notwithstanding the above, a covered entity must enter into a data use agreement, as required by the Revised Privacy Rules, prior to disclosing the new "limited data set" for research purposes to a researcher, as described below.

Waiver of Authorization Requirements for Clinical Research—IRB or Privacy Board Approval

In the Revised Privacy Rules, HHS has adopted all of the revisions listed in the March 2002 proposed rules. Those revisions were designed to eliminate concerns over the redundancy and internal inconsistency of the original 8 waiver requirements. To remedy those concerns, HHS replaced the original 8 waiver requirements with 3 simpler ones. Accordingly, before a covered entity may use or disclose PHI for research purposes without an individual’s authorization, it will be required to obtain documentation of all of the following waiver criteria:

  1. The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
    1. An adequate plan to protect the identifiers from improper use and disclosure;
    2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
    3. Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by this subpart;

  2. The research could not practicably be conducted without the waiver or alteration; and
  3. The research could not practicably be conducted without access to and use of the PHI.

HHS believes that these requirements safeguard patient privacy, require attention to details sometimes overlooked by IRBs, and are compatible with the Common Rule. HHS is aware that IRBs may initially struggle with interpreting the 3 criteria; consequently, it intends to release guidance documents further explaining them in the near future. Until such time, IRBs and Privacy Boards may develop policies and procedures consistent with the waiver criteria above.

Research Transitions

The Revised Privacy Rules adopt all of the research transition proposals from the March 2002 proposed rules. In sum, this means that covered entities may use or disclose PHI created or received for a specific research study prior to, and after, the April 14, 2003 compliance date if one of the following has been obtained: (1) an authorization or other express legal permission from the individual to use or disclose PHI for the study; (2) the informed consent of the individual to participate in the research study; or (3) a waiver by an IRB of informed consent for the research study in accordance with the Common Rule or the FDA’s human subject protection regulations.

In essence, this means that new authorizations for ongoing research studies will not have to be obtained after April 14, 2003. However, HHS clarifies that even if a researcher obtains an IRB waiver before April 14, 2003, an authorization would still be required if the researcher obtains informed consent at a later date. The Revised Privacy Rules also eliminate distinctions in the application of these transition provisions based upon whether the research includes treatment and whether the research was conducted with an individual’s legal permission or an IRB-approved waiver. Note, however, that HHS rejected some commenters’ requests to create a ‘grandfather’ clause that would have broadened the transition provisions by permitting covered entities to rely upon an express legal permission or informed consent that was not signed by the individual prior to the compliance date.