When acting upon a request to waive or alter the Authorization requirement, an IRB must follow the procedural requirements of the HHS Protection of Human Subjects Regulations and/or, if applicable, FDA regulations, including using either the normal review procedures (review by the convened IRB) or the expedited review procedures. The FDA Protection of Human Subjects Regulations also require the IRB to follow its established written procedures whether a request for a waiver or an alteration of the Authorization requirement is considered by a convened IRB or by an IRB under the expedited review procedures.
Review by the Convened IRB
When a request for a waiver or an alteration of the Authorization requirement is considered by the convened IRB, a majority of the IRB members must be present at the meeting, including at least one member whose primary concerns are in nonscientific areas. In order for an approval of a waiver or an alteration of the Privacy Rule's Authorization requirement to be effective, it must be approved by a majority of the IRB members present at the convened meeting. If a member of the IRB has a conflicting interest with respect to the PHI use and disclosure for which a waiver or an alteration approval is being sought, that member may not participate in the review.
Expedited Review
HHS and FDA have established categories 3 of research that may be reviewed by an IRB through an expedited review procedure. Expedited review of a request for a waiver or an alteration of the Authorization requirement is permitted where the research activity is on the HHS or FDA list of approved categories and involves no more than minimal risks. In addition, 45 CFR 46.110 and 21 CFR 56.110 permit an IRB to use an expedited review procedure to review minor changes in previously approved research. A modification to a previously approved research protocol, which only involves the addition of an Authorization for the use or disclosure of PHI to the IRB-approved informed consent, may be reviewed by the IRB through an expedited review procedure, since this type of modification may be considered to be no more than a minor change to research. If expedited review procedures are appropriate for acting on the request, the review may be carried out by the IRB chair or by one or more experienced reviewers designated by the chair from among the IRB members. A member with a conflicting interest may not participate in an expedited review. If an IRB uses expedited review procedures, it must adopt methods for keeping all its members advised of requests for waivers or alterations of the Authorization requirement as well as those requests that have been granted under an expedited review procedure. If the head of the Federal department or agency (or his/her designee) regulating the research has restricted, suspended, terminated, or chosen not to authorize an institution or IRB to use expedited review procedures, the IRB cannot grant waivers or alterations of the Authorization requirement on an expedited basis.
Documentation of Authorization Waiver or Alteration Determinations
Before a covered entity may use or disclose PHI for research based on a waiver or an alteration of Authorization by an IRB, a covered entity must receive documentation showing the following:
As noted, the IRB's documentation of its approval must describe the PHI for which use or access has been determined to be necessary for the research. This would include stating, for example, that the waiver was limited to only certain information in a patient's medical record, instead of the entire record. If a covered entity uses or discloses PHI based on an IRB approval of a waiver or an alteration of the Authorization requirement, the covered entity must retain the IRB's documentation on which it relied for at least 6 years from the date the waiver or alteration was obtained, or the date when it was last in effect, whichever is later.
Other provisions of applicable Federal law and regulations, as well as the written policies and procedures of a specific IRB, may require the IRB to create and maintain additional documentation of its actions on requests to approve a waiver or an alteration of the Privacy Rule's Authorization requirement.
Verification Requirements: Right to Rely
In some circumstances, IRBs and Privacy Boards will coexist. Where these boards coexist, the Privacy Rule requires approval of a waiver or an alteration of Authorization by only one of them. Furthermore, a covered entity may use or disclose PHI based on a waiver or an alteration of Authorization approved by any IRB or Privacy Board, without regard to the location or affiliation of the IRB or Privacy Board. The Privacy Rule permits a covered entity reasonably to rely on an IRB's or a Privacy Board's documentation granting a waiver or alteration of the Authorization requirement so long as the documentation is proper. The documentation on which the covered entity relies must be in writing and meet the signature and other requirements discussed in the Documentation of Authorization Waiver or Alteration Determinations section.
A covered entity's ability reasonably to rely on documentation of an Authorization waiver or alteration may be especially important for research projects taking place at multiple sites and/or requiring the use and disclosure of PHI created or maintained by more than one covered entity (collectively, multisite projects). Often, different IRBs are involved in multisite project reviews. For these situations, HHS has stated (65 Federal Register 82692, December 28, 2000) that a covered entity's responsibility is only to "obtain the documentation that one IRB or [P]rivacy [B]oard has approved the alteration or waiver of Authorization." (Emphasis added.) Consequently, the Privacy Rule allows a waiver or an alteration of Authorization obtained from a single IRB or Privacy Board to be used to obtain PHI in connection with multisite projects. However, HHS also recognizes that "covered entities may elect to require IRB or Privacy Board reviews before disclosing [PHI] to requesting researchers" (67 Federal Register 53232, August 14, 2002). The Privacy Rule does not require entities to change their practices with respect to how they address potential splits between review boards. However, HHS "strongly encourages researchers to notify IRBs and [P]rivacy [B]oards of any prior IRB or [P]rivacy [B]oard review of a research protocol" (65 Federal Register 82692, December 28, 2000).
A covered entity must limit the use or disclosure of PHI for research that is based on documentation of an approved waiver or alteration of Authorization to the minimum necessary to accomplish the intended purpose of the particular research protocol or project (see section 164.502(b) of the Privacy Rule). Documentation supporting an IRB's approval of a waiver or an alteration of Authorization must include a description of the PHI without access to and use of which the IRB has determined the research could not practicably be conducted. If an IRB has granted a waiver or an alteration of Authorization, a covered entity may rely, if such reliance is reasonable under the circumstances, on the IRB's documentation to satisfy itself that the requested PHI use or disclosure is limited to the minimum necessary for the stated research purpose (see section 164.514(d)(3)(iii) of the Privacy Rule). Such reliance is appropriate regardless of whether the documentation of waiver or alteration is obtained from an external IRB or associated with the covered entity relying on the documentation (see 67 Federal Register at 53198, August 14, 2002).
Research Uses and Disclosures Under Permissions Obtained Prior to the Privacy Rule's Compliance Date
Sections 164.532(a) and (c) of the Privacy Rule provide that, after the compliance date (for most covered entities, April 14, 2003), a covered entity may use or disclose an individual's PHI without an Authorization, or waiver or alteration of the Authorization requirement, in connection with ongoing research if specific conditions are met. For many such uses and disclosures of PHI in connection with ongoing research, a covered entity may rely on any one of the following that was obtained prior to the compliance date:
The transition provisions also do not apply if any change is made after the compliance date to an informed consent, express legal permission, or IRB waiver for the research obtained before the compliance date that would make these prior permissions invalid. Under all these circumstances, an Authorization that complies with section 164.508 of the Privacy Rule is required unless the activity is otherwise permitted by the Privacy Rule without Authorization (e.g., through a waiver of Authorization).
In some instances, express legal permissions, informed consents, or IRB-approved waivers of informed consents are not study specific. These permissions for research and waivers, if obtained before the compliance date, are grandfathered by the transition provisions even if provided for future unspecified research, subject to the conditions described above.
Frequently Asked Questions and Answers
Q: How does the scope of coverage of the HHS and FDA Protection of Human Subjects Regulations (45 CFR part 46 and 21 CFR parts 50 and 56) differ from that of the Privacy Rule (i.e., who and what is covered under each of these regulations)?
A: While the HHS Protection of Human Subjects Regulations and the Privacy Rule pertain to some of the same entities, the scope of coverage of these two regulations differs. The HHS Protection of Human Subjects Regulations apply to all research involving human subjects that is conducted or supported by any component of HHS, unless the research involves one or more of the categories of exempt research described under the HHS regulations at 45 CFR 46.101(b). FDA Protection of Human Subjects Regulations apply to research related to FDA-regulated products that involves one or more human subjects.
In contrast, the Privacy Rule applies to "covered entities" that are defined in the regulations: (1) Health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. The Privacy Rule protects, with limited exceptions, individually identifiable health information when it is created or maintained by a covered entity.
Of note, certain research activities involving human subjects that are exempt under the HHS Protection of Human Subjects Regulations may still need to satisfy the requirements of the Privacy Rule.
Q: What constitutes "individually identifiable" information under the HHS Protection of Human Subjects Regulations versus under the Privacy Rule?
A: The HHS Protection of Human Subjects Regulations at 45 CFR 46.102(f) define a "human subject," in part, as a living individual about whom an investigator conducting research obtains "identifiable private information. Private information must be individually identifiable (i.e., the identity of the subject is or may be readily ascertained [emphasis added] by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects."
The Privacy Rule at section 160.103 defines "individually identifiable health information," in part, as ". information that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual." In addition, the Privacy Rule at section 164.514 allows a covered entity to determine that health information is not individually identifiable using either (1) statistical verification as specified in the Privacy Rule or (2) by removing certain pieces of information from each record, as specified in the Privacy Rule, about the individual, relatives, employers, or household members of the individual and having no knowledge that the remaining information could be used alone or in combination with other information to identify the individual. Under the second method of de-identification, in general, unique identifying numbers, characteristics, or codes must be removed if the health information is to be considered to be de-identified unless permitted by the Privacy Rule as a re-identification code.
Q: Do HHS Protection of Human Subjects Regulations or the Privacy Rule consider information "individually identifiable" if the information is associated only with a code assigned for re-identification?
A: The Privacy Rule permits a covered entity to determine that health information is de-identified even if the health information has been assigned, and retains, a code or other means of record identification, provided that the code is not derived from or related to the information about the individual and could not be translated to identify the individual and the covered entity does not use or disclose the code for other purposes or disclose the mechanism for re-identification.
Under the HHS Protection of Human Subjects Regulations, if an investigator obtains private information about living individuals for research purposes and that private information retains a link to individually identifying information, such private information ordinarily would be considered by OHRP to be individually identifiable to the investigator. However, OHRP does not ordinarily consider such information to be individually identifiable to the investigator if (1) the investigator and the holder of the individually identifying information sign an agreement prohibiting the release of individually identifying information to the investigator under any circumstances, or (2) there are other legal requirements prohibiting the release of the link to the investigator.
Q: Who furnishes the description of the PHI to be included in the IRB's documentation?
A: The Privacy Rule does not state who furnishes the description of the PHI to be included in the IRB's documentation. However, the researcher requesting the waiver or alteration of the Privacy Rule's Authorization requirement from the IRB may be in the best position to adequately describe the PHI to be used and disclosed and would submit this information as part of the request for such approval. Regardless of who provides the description of the PHI, the IRB is the entity that decides whether or not and the extent to which a waiver or alteration of Authorization is granted, and, therefore, it is the IRB that makes the final decision regarding the description of the PHI to be included in the IRB's documentation.
Q: When must an IRB review and approve the language of an Authorization for use or disclosure of PHI related to human subjects research activities regulated by HHS Protection of Human Subjects Regulations at 45 CFR part 46 and FDA Protection of Human Subjects Regulations at 21 CFR parts 50 and 56?
A: The HHS Protection of Human Subjects Regulations do not expressly require that Privacy Rule Authorizations be reviewed or approved by the IRB. However, under HHS regulations at 45 CFR 46.117(a) and FDA regulations at 21 CFR 50.27(a), IRB review and approval is required for any document that contains the IRB-approved informed consent document for human subjects research. Therefore, if the Authorization language is part of the IRB-approved informed consent document, such as when the Authorization form is combined with an informed consent, the IRB is required to review such language.
Generally, neither HHS regulations at 45 CFR part 46 nor FDA regulations at 21 CFR parts 50 and 56 require that stand-alone Authorizations (i.e., Authorizations that are not incorporated into the informed consent document) for use or disclosure of PHI be reviewed and approved by the IRB. However, FDA regulations at 21 CFR 56.108(a) mandate such review if required by the IRB's written procedures. In the exercise of ongoing enforcement discretion, however, with respect to the requirements of 21 CFR 56.108(a), to the extent that an IRB's written procedures require the review and/or approval of stand-alone Authorizations, FDA will not take enforcement action against an IRB for failing to review them even when the IRB's written procedures otherwise would require such review and/or approval.
The Privacy Rule does not require IRBs to review or approve Authorizations used for research or other disclosures; it only requires that the Authorization comply with the requirements of the Privacy Rule at section 164.508. For OCR guidance on this topic, see http://www.hhs.gov/ocr/hipaa/privguideresearch.pdf.
Q: Does the Privacy Rule require IRBs to review and/or approve Authorizations, either as stand-alone documents (i.e., Authorizations that are not combined with informed consent documents) or when combined with informed consent?
A: No.
Q: Do FDA regulations require IRBs to review and/or approve stand-alone Authorizations, i.e., Authorizations that are not combined with informed consent documents?
A: No. FDA regulations do not specifically require IRBs to review and/or approve stand-alone Authorizations. However, FDA regulations governing IRBs require, in pertinent part, that IRBs adopt and follow written procedures for reviewing clinical research. See 21 CFR 56.108(a). Pursuant to this provision, IRBs that have written procedures requiring them to review all written materials provided to potential research subjects must review and approve stand-alone Authorizations, even though such review is not otherwise required under the Privacy Rule, HHS Protection of Human Subjects Regulations, or FDA regulations governing IRBs. However, in the exercise of ongoing enforcement discretion with respect to the requirements of 21 CFR 56.108(a), to the extent that an IRB's written procedures require the review and/or approval of stand-alone Authorizations, FDA will not take enforcement action against an IRB for failing to review them even when the IRB's written procedures otherwise would require such review and/or approval. For OCR guidance on this topic, see http://www.hhs.gov/ocr/hipaa/privguideresearch.pdf.
Q: Do international guidelines require IRBs to review and/or approve stand-alone Authorizations, i.e., Authorizations that are not combined with informed consent documents?
A: No. The International Conference on Harmonisation (ICH) Good Clinical Practice: Consolidated Guideline (E6) states, for example, "Before initiating a trial, the investigator/institution should have written and dated approval/favourable opinion from the IRB/IEC [Independent Ethics Committee] for the trial protocol, written informed consent form, consent form updates, subject recruitment procedures (e.g., advertisements), and any other written information to be provided to subjects." (Emphasis added.) (See ICH E6 4.4.1.) This language recommends, but does not require, such review. In general, the ICH Good Clinical Practice guidelines are recommendations, not legal requirements. As such, they are not subject to enforcement by U.S. authorities.
Q: How does the composition of IRBs vary from that of Privacy Boards?
A: The HHS and FDA Protection of Human Subjects Regulations at 45 CFR 46.107 and 21 CFR 56.107, respectively, require, among other things, that IRBs have at least five members with varying backgrounds to promote complete and adequate review of research activities commonly conducted by the institution. The IRB must be sufficiently qualified through the experience and expertise of its members, and the diversity of members, including consideration of race, gender, and cultural backgrounds and sensitivity to such issues as community attitudes, to promote respect for its advice and counsel in safeguarding the rights and welfare of human subjects. The IRB must also be able to ascertain the acceptability of proposed research in terms of institutional commitments and regulations, applicable law, and standards of professional conduct and practice. The IRB must also include at least one member whose primary concerns are in scientific areas, and at least one member whose primary concerns are in nonscientific areas. In addition, the IRB must include at least one member who is not otherwise affiliated with the institution and who is not part of the immediate family of a person affiliated with the institution.
The Privacy Rule, at section 164.512(i)(1)(i)(B), requires that a Privacy Board have members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests and include at least one member who is not affiliated with any entity conducting or sponsoring the research and not related to any person who is affiliated with any of these entities. In addition, a Privacy Board may not have any member participating in a review of any project in which the member has a conflict of interest.
Of note, covered entities may reasonably rely on documentation from an IRB that satisfies the membership requirements of the HHS or FDA Protection of Human Subjects Regulations in order to use or disclose PHI without Authorization, as permitted by the Privacy Rule at section 164.512(i)(1)(i).
Q: How do the requirements regarding members with conflicting interests vary between IRBs under the HHS and FDA Protection of Human Subjects Regulations, and the Privacy Boards under the Privacy Rule?
A: The HHS and FDA Protection of Human Subjects Regulations at 45 CFR 46.107(e) and 21 CFR 56.107(e), respectively, prohibit an IRB member who has a conflicting interest from participating in an initial or continuing review or approval of research, except to provide information at the request of the IRB.
Similarly, the Privacy Rule, at section 164.512(i)(1)(i)(B)(3), prohibits a Privacy Board member from participating in a review of any project in which the member has a conflicting interest.
Q: How do the criteria to alter or waive informed consent under 45 CFR part 46 differ from criteria to alter or waive Authorization under the Privacy Rule?
A: Under 45 CFR 46.116(d), an IRB may approve a consent procedure that does not include, or which alters, some or all of the elements of informed consent specified in this section, or may waive the requirements to obtain informed consent, provided the IRB finds and documents that the following criteria have been met:
In addition, 45 CFR 46.116(c) also permits an IRB to approve a consent procedure which does not include, or which alters, some or all of the elements of informed consent or to waive the requirement to obtain informed consent, provided the IRB finds and documents the following:
Under the Privacy Rule at section 164.512(i)(1)(i), a covered entity may use or disclose PHI for a research study without Authorization from the research participant if the covered entity obtains documentation that an alteration or waiver of the research participants' Authorization for use or disclosure of information for research purposes has been approved by an IRB or a Privacy Board. Among other requirements under section 164.512(i), a covered entity must obtain a statement that an IRB or a Privacy Board has determined that the alteration or waiver, in whole or in part, of Authorization satisfies the following three criteria in the Privacy Rule:
Q: Under the HHS regulations at 45 CFR part 46 and FDA regulations at 21 CFR part 56, can an IRB use an expedited review procedure to review and approve a modification to a previously approved informed consent document where the modification involves only the addition of an Authorization for use or disclosure of PHI?
A: Yes. For research protocols previously approved by the IRB, the addition to the IRB-approved informed consent document of language regarding Authorization for use or disclosure of PHI may be considered no more than a minor change to the research and, as a result, may be reviewed by the IRB under an expedited review procedure, in accordance with the requirements of HHS regulations at 45 CFR 46.110 and FDA regulations at 21 CFR 56.110.
Q: Do HHS regulations at 45 CFR part 46 and FDA regulations at 21 CFR parts 50 and 56 permit the IRB to review and approve the insertion of Authorization language as a single modification that applies to the informed consent documents of multiple protocols previously approved by the IRB?
A: Yes, when Authorizations for use or disclosure of PHI will be incorporated into previously approved informed consent documents for a series of protocols, and the Authorizations are composed entirely of identical template language, the IRB may approve the insertion of the Authorization language as a single modification that applies to the entire series of protocols.
However, when Authorizations for use or disclosure of PHI will be incorporated into previously approved informed consent documents for a series of protocols and the Authorization statements include protocol-specific information unique to each protocol, the IRB should review and approve the insertion of the Authorization language separately for each protocol.
In both cases, an expedited review procedure may be used.
Q: When do the requirements under HHS regulations at 45 CFR part 46 related to IRB review and informed consent apply to "preparatory to research" activities as permitted by the Privacy Rule at section 164.512(i)(1)(ii)?
A: HHS Protection of Human Subjects Regulations at 45 CFR part 46 do not reference "preparatory to research" activities.
HHS regulations at 45 CFR 46.102(d) define "research" as "a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge." (Emphasis added.)
HHS regulations at 45 CFR 46.102(f) define "human subject" as
a living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual or (2) identifiable private information. Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects.
When a "preparatory to research" activity (i) involves human subjects research, as defined above; (ii) is conducted or supported by HHS or conducted under an applicable OHRP-approved assurance; and (iii) does not meet the criteria for exemption under HHS regulations at 45 CFR 46.101(b), the research must be reviewed and approved by an IRB in accordance with HHS regulations at 45 CFR 46.109(a). In addition, informed consent of the subjects must be sought and documented in accordance with, and to the extent required by, HHS regulations at 45 CFR 46.116 and 46.117, respectively. However, under HHS Protection of Human Subjects Regulations at 45 CFR 46.116(c) and (d), an IRB may approve a consent procedure for such a "preparatory to research" activity that does not include, or that alters, some or all of the elements of informed consent, or may waive the requirements to obtain informed consent for such a "preparatory to research" activity if certain criteria are satisfied.
The Privacy Rule permits, under section 164.512(i)(1)(ii), a covered entity to provide investigators with access to PHI for purposes preparatory to research, such as for identifying potential human subjects to aid in study recruitment, among other things. Such access is permitted provided that the covered entity receives certain required representations from the researcher and the researcher does not remove any PHI from the covered entity during the course of the review.
Activities in which an investigator obtains and records individually identifiable health information for purposes of identifying potential human subjects to aid in study recruitment, among other things, involve human subjects research under the HHS regulations at 45 CFR part 46 and would not satisfy the criteria for any exemption under HHS regulations at 45 CFR 46.101(b). As a result, if such activities are conducted or supported by HHS or conducted under an applicable OHRP-approved assurance, the research activities must be reviewed and approved by an IRB in accordance with HHS regulations at 45 CFR 46.109(a). In addition, informed consent of the subjects, about whom identifiable private information (e.g., health information) is being obtained, must be sought and documented in accordance with, and to the extent required by, HHS regulations at 45 CFR 46.116 and 46.117, respectively.
For example, if an investigator who is covered by an applicable OHRP-approved assurance obtains and records identifiable private information from medical records for the purpose of contacting these individuals to determine if they would be interested in participating in a research study, this activity constitutes human subjects research, and thus, would require either (1) that subjects' informed consent be sought as required by the HHS regulations at 45 CFR 46.116, or (2) that the IRB approve an informed consent procedure which does not include or which alters some or all of the elements of informed consent, or waive the requirement to obtain informed consent in accordance with the provisions of the HHS regulations at 45 CFR 46.116(c) or (d). Informed consent also must be documented in accordance with, and to the extent required by, the HHS regulations at 45 CFR 46.117.
Similarly, if such an investigator obtains and records identifiable private information to develop a database of potential research subjects for future research studies, this activity is also human subjects research as defined in 45 CFR part 46, and thus would need to meet the requirements of the HHS regulations as discussed above.
The above interpretation does not conflict in any way with OCR's interpretation of the Privacy Rule. It should be noted that Authorization for use or disclosure of PHI provided for under the Privacy Rule and legally effective informed consent for research provided for under HHS regulations at 45 CFR 46.116 and 46.117 are not the same.
Furthermore, the Privacy Rule does not override any requirements of 45 CFR part 46, and vice versa. In situations where both 45 CFR part 46 and the Privacy Rule are applicable, institutions must adhere to both sets of regulations.
Q: Under certain circumstances, the "preparatory to research" provision at section 164.512(i)(1)(ii) of the Privacy Rule permits covered entities to use or disclose PHI for purposes preparatory to research. What kinds of activities are considered "preparatory to research"?
A: Covered entities that obtain certain required representations from a researcher may use and disclose PHI for activities preparatory to research that include, but are not limited to the following:
Under these provisions, no PHI may be removed from the covered entity during the course of the review.
Q: If, under the "preparatory to research" provisions, a researcher identifies subjects who meet the study's eligibility criteria, how can the researcher contact the potential participant to obtain Authorization?
A: Under the "preparatory to research" provision, covered entities may use and disclose to researchers PHI to aid in study recruitment. They may allow a researcher to identify, but not contact, potential study participants. To contact potential study participants, a researcher may do so, without Authorization from the individual, under the following circumstances:
Q: The Privacy Rule requires that Authorization for PHI uses and disclosures for research purposes be research trial or study specific. May research sponsors and researchers who are covered entities continue to obtain informed consent from research participants under the HHS or FDA Protection of Human Subjects Regulations to conduct a limited class of unspecified future research?
A: Yes, under certain limited circumstances, the HHS and FDA Protection of Human Subjects Regulations at 45 CFR 46.116 and 21 CFR 50.25, respectively, permit an IRB-approved informed consent to be broader than for a specific research study. For example, when obtaining biological or tissue specimens from living individuals to create a repository established and maintained for research purposes, the IRB-approved informed consent document may include a description of the specific types of research to be conducted using the data and specimens maintained for the repository. In addition, for future research that involves the study of individually identifiable information maintained for the repository, an IRB may determine that the original informed consent for the creation of the research repository satisfies the requirements of 45 CFR part 46 and/or 21 CFR part 50 for the conduct of future research, provided that the future research now being proposed was adequately described in the original informed consent. For some tissue repositories, the specific type of research that may be done in the future on donated biological and tissue specimens was unknown when the tissue was donated but sufficiently anticipated and described to satisfy 45 CFR part 46 or 21 CFR part 50. However, the informed consent information describing the nature and purposes of the research should be as specific as possible.
The Privacy Rule does not override or modify the HHS or FDA Protection of Human Subjects Regulations on informed consent. Rather, these Federal regulations must be construed together where more than one applies. Under the Privacy Rule, an Authorization governs the use of PHI by a covered entity for research and the purposes and conditions for which a covered entity may disclose PHI to a researcher. Therefore, an Authorization, whether combined with an IRB-approved consent (as permitted in the Privacy Rule at section 164.508(b)(3)(i)) or separate, could not be for future unspecified research. Rather, the Authorization would need to describe the research purpose of the use or disclosure, required by section 164.508 of the Privacy Rule, which must be research trial or study specific. Even where an Authorization is combined with an IRB-approved informed consent, the Authorization would need to be limited in such a way, even though the HHS and FDA Protection of Human Subjects Regulations would permit the IRB-approved informed consent document to also describe the certain unspecified types of research that may be conducted in the future using the data and specimens maintained for the repository. Thus, uses and disclosures for such future research would require an additional Authorization, except as permitted without Authorization, under section 164.512(i) (e.g., with a waiver of Authorization) or 164.514(e) (i.e., as a limited data set with a data use agreement).
Q: May research sponsors and researchers who are NOT covered entities continue to obtain informed consent from research participants under the HHS or FDA Protection of Human Subjects Regulations to conduct a limited class of unspecified future research even though the Privacy Rule requires that Authorizations for research be research trial or study specific?
A: Research sponsors and researchers who are not covered entities or not workforce members of a covered entity are not required to comply with the Privacy Rule. However, research sponsors and researchers may be subject to the HHS and/or FDA Protection of Human Subjects Regulations, which are not modified or replaced by the Privacy Rule. Thus, research sponsors and researchers may, to the extent permitted by the HHS and FDA Protection of Human Subjects Regulations at 45 CFR 46.116 and 21 CFR 50.25, respectively, continue to obtain informed consent from research participants under these regulations to conduct a limited class of unspecified future research.
Q: Do the HHS or FDA Protection of Human Subjects Regulations require IRBs to oversee the compliance of investigators with the Privacy Rule?
A: No. Neither the HHS nor FDA Protection of Human Subjects Regulations require IRBs to oversee investigators' compliance with the Privacy Rule.
Q: Will OHRP or FDA assess compliance with the requirements of the Privacy Rule during their compliance oversight evaluations pertaining to the HHS or FDA Protection of Human Subjects Regulations (45 CFR part 46 and 21 CFR parts 50 and 56, respectively)?
A: No. Since neither OHRP nor FDA enforce the Privacy Rule, OHRP will not assess compliance with the Privacy Rule during compliance oversight evaluations, and FDA will not assess compliance with the requirements of the Privacy Rule during inspections to determine compliance with their respective regulations.
1 Including 21 CFR 56.108 and 45 CFR 46.108.
2 Including 21 CFR 56.110 and 45 CFR 46.110.
3 These categories are published and updated in the Federal Register. The current list of categories has been published at 63 Federal Register 60364 (November 9, 1998). A copy of the list is available at http://ohrp.osophs.dhhs.gov/humansubjects/guidance/expedited98.htm and http://www.fda.gov/oc/ohrt/irbs/expeditedreview.html.