The Privacy Rule and Public Health Research
The topic of research under the Privacy Rule is covered in depth in the
DHHS report, Protecting Personal Health Information in Research ---
Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides
separate provisions for disclosure without individual authorization for
public health purposes and for certain research [45 CFR § 164.512(b)] [45
CFR § 164.512(i)]. Other federal law pertaining to research stresses the
importance of distinguishing between research and practice to ensure that
human subjects are appropriately protected [45 CFR Part 46]. For certain
activities, this distinction is not always clear. A full discussion of the
distinctions between public health practice and research is beyond the
scope of this document. However, CDC and others provide guidance in this
area (7--9).
Research Versus Practice
The definition of research is the same for the Privacy Rule and the
Common Rule (10) --- systematic investigation, including research
development, testing, and evaluation, designed to develop or contribute to
generalizable knowledge. Research is designed to test a hypothesis, permit
conclusions to be drawn, and thereby to develop or contribute to
generalizable knowledge. The majority of public health activities (e.g.,
public health surveillance, and disease prevention and control projects)
are based on scientific evidence and data collection or analytic methods
similar to those used in research. However, they are not designed to
contribute to generalizable knowledge. Their primary purpose is to protect
the health of the population through such activities as disease
surveillance, prevention, or control.
The Belmont Report (11) defines practice as interventions
designed solely to enhance the well-being of a person, patient, or client,
and which have reasonable expectation of success. The report further
states that the purpose of medical or behavioral practice is to provide
diagnosis, preventive treatment, or therapy to particular patients. For
public health agencies, the patient is the community. Public health
practice activities (e.g., public health surveillance, disease control, or
program evaluation) are undertaken with the intent to benefit a specific
community, although occasionally they may provide unintended generalizable
benefits to others.
Some public health activities that are initially public health practice
may subsequently evolve into a research activity (e.g., an investigation
to determine the cause of an outbreak that incorporates a research study
evaluating the efficacy of a new drug to treat the illness). When that is
the case, the disclosures may be made initially under the public health
provisions of the Privacy Rule. But when the activity becomes an ongoing
research activity, the entity should consider application of the relevant
research disclosure provisions to continue to obtain information for this
purpose. Moreover, there may be cases where the activity is both research
and public health practice (e.g., an ongoing survey to monitor health
conditions in the population, data from which can also be analyzed for
research purposes). In those cases, disclosures may be made either under
the research provisions or the public health provisions, as appropriate
--- the covered entity need not comply with both sets of requirements.