In a report released in draft form on February 4, the Institute of Medicine asserts that the current version of the HIPAA Privacy Rule doesn't do enough to protect privacy and simultaneously hampers research. The Institute accordingly recommends fundamental changes to the way that research is performed. These changes, if implemented, would eliminate the application of the HIPAA Privacy Rule to research activities and create a separate approach that would govern privacy, security, and accountability for all health-related research. The report, Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research, can be obtained from the National Academies Press website at www.nap.edu.
This report should serve as a reminder that the HIPAA Privacy Rule does in fact impose restrictions on certain types of research activities. For example, the holder of protected health information ("PHI") must obtain an authorization (complying with 45 C.F.R. Section 164.508) before using that PHI for research purposes, unless a waiver of informed consent that is approved by either an independent ethics board or institutional review board ("IRB") is obtained before research begins. 45 C.F.R. Section 164.512(i)(1)(i). Also, activity preparatory to research is limited under the Privacy Rule and may not involve the removal of any PHI from the covered entity. 45 C.F.R. Section 164.512(i)(1)(ii). Finally, disclosures for purposes of research that do not require patient authorization (or for which a patient authorization was not obtained) must be accounted for in the covered entity's disclosure log as a disclosure without patient authorization. 45 C.F.R. Section 164.528.
We have observed throughout the course of many HIPAA engagements that covered entities without an IRB or any formal research activities continue to mention research in their notices of privacy practices. We strongly recommend that such references be deleted, as there is no way that such a covered entity could comply with the Privacy Rule and permit such a use or disclosure of patient PHI.