Proposed Revisions, Federal Register, 3/27/2002

Existing Language, Final Rule, 12/28/2000

[See AIS Side-by-Side, “Authorizations” for all changes to this section.]

(b) Implementation specifications: general requirements.

((b) Implementation specifications: general requirements.

[conforming changes to (b)(1)(i)and (ii) and (2)(ii)]

(1) Valid authorizations.

(i) A valid authorization is a document that contains the elements listed in paragraphs (c)(1) and (2) of this section.

(1) Valid authorizations.

(i) A valid authorization is a document that contains the elements listed in paragraph (c) and, as applicable, paragraph (d), (e), or (f) of this section.

(ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not inconsistent with the elements required by this section.

 (ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not be inconsistent with the elements required by this section.

(2) Defective authorizations.

[conforming changes to (b)(2)(ii)]

(2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:

(i) The expiration date has passed or the expiration event is known by the covered entity to have occurred;

[paragraph (iv) deleted and remaining paragraphs renumbered]

(iv) The authorization violates paragraph (b)(3) or (4) of this section, if applicable;

(v) Any material information in the authorization is known by the covered entity to be false.

(iv) The authorization lacks an element required by paragraph (c), (d), (e), or (f) of this section, if applicable;

(v) (iv) The authorization violates paragraph (b)(3) of this section, if applicable;

(vi) (v) Any material information in the authorization is known by the covered entity to be false

(3) Compound authorizations.

[No change to lead sentence]

[insert new (3)(i), regarding research studies]

(i) An authorization for the use or disclosure of protected health information for a specific research study may be combined with any other type of written permission for the same research study, including another authorization for the use or disclosure of protected health information for such research or a consent to participate in such research;

(3) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows:

[(3)(i), below is deleted]

(i) An authorization for the use or disclosure of protected health information created for research that includes treatment of the individual may be combined as permitted by § 164.506(b)(4)(ii) or paragraph (f) of this section;

[No changes to (ii) and (iii)]

(ii) An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes;

(iii) An authorization under this section, other than an authorization for a use or disclosure of psychotherapy notes, may be combined with any other such authorization under this section, except when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under paragraph (b)(4) of this section on the provision of one of the authorizations.

(4) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except:

(i) A covered health care provider may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research under this section;

(4) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except:

(i) A covered health care provider may condition the provision of research-related treatment on provision of an authorization under paragraph (f) of this section;

(c) Implementation specifications: core elements and requirements.

(1) Core elements. A valid authorization under this section must contain at least the following elements:

[No changes proposed for (i) – (iii)]

(c) Implementation specifications: core elements and requirements.

(1) Core elements. A valid authorization under this section must contain at least the following elements:

(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;

(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure; 

(iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.

(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The following statements meet the requirements for an expiration date or an expiration event if the appropriate conditions apply:

(A) The statement “end of the research study” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research.

(B) The statement “none” or similar language is sufficient if the authorization is for the covered entity to use or disclose protected health information for the creation and maintenance of a research database or research repository.

[original provisions (iv), (v), and (vi), below, are deleted and replaced]

(iv) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure;

(v) A statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization;

(vi) A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by this rule;

(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.

[(vii) renumbered (vi), combined with (viii), and revised.]

(vii) (vi) Signature of the individual and date.; and (viii) If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual.

[add new (2)]

(2) Required statement.

In addition to the core elements, the authorization must contain statement adequate to place the individual on notice of all of the following:

(i) The individual’s right to revoke the authorization in writing and either

(A) The exceptions to the right to revoke, and a description of how the individual may revoke the authorization; or

(B) To the extent that the information in paragraph (c)(2)(I)(A) of this section is included in the notice required by §164.520, a reference to the covered entity’s notice.

(ii) The ability of inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization by stating either:

(A) The covered entity may not condition treatment, payment, enrollment or eligibility or benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or

(B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.

(iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this rule.

(3)  Plain language requirement. The authorization must be written in plain language.

(2) (3)  Plain language requirement. The authorization must be written in plain language.

(4) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.

[(d) and (e) are not relevant to research]

[(f) deleted in its entirety because of single authorization in §164.508(c).]

[(f), below, is deleted in its entirety]

(f) Implementation specifications: authorizations for uses and disclosures of protected health information created for research that includes treatment of the individual.

(1) Required elements. Except as otherwise permitted by § 164.512(i), a covered entity that creates protected health information for the purpose, in whole or in part, of research that includes treatment of individuals must obtain an authorization for the use or disclosure of such information. Such authorization must:

(i) For uses and disclosures not otherwise permitted or required under this subpart, meet the requirements of paragraphs (c) and (d) of this section; and

(ii) Contain:

(A) A description of the extent to which such protected health information will be used or disclosed to carry out treatment, payment, or health care operations;

(B) A description of any protected health information that will not be used or disclosed for purposes permitted in accordance with §§ 164.510 and 164.512, provided that the covered entity may not include a limitation affecting its right to make a use or disclosure that is required by law or permitted by § 164.512(j)(1)(i); and

(C) If the covered entity has obtained or intends to obtain the individual’s consent under § 164.506, or has provided or intends to provide the individual with a notice under § 164.520, the authorization must refer to that consent or notice, as applicable, and state that the statements made pursuant to this section are binding.

(2) Optional procedure. An authorization under this paragraph may be in the same document as:

(i) A consent to participate in the research;

(ii) A consent to use or disclose protected health information to carry out treatment, payment, or health care operations under § 164.506; or

(iii) A notice of privacy practices under § 164.520.

Existing Language, Final Rule, 12/28/2000

[See AIS Side-by-Side, “Consent” for other changes to this section.]

(i) Standard: uses and disclosures for research purposes.

[No changes proposed for (i)(1)]

(i) Standard: uses and disclosures for research purposes.

(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that:

(i) Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either:

(A) An Institutional Review Board (IRB), established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or

(B) A privacy board that:

(1) Has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests;

(2) Includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and

(3) Does not have any member participating in a review of any project in which the member has a conflict of interest.

(ii) Reviews preparatory to research. The covered entity obtains from the researcher representations that:

(A) Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research;

(B) No protected health information is to be removed from the covered entity by the researcher in the course of the review; and

(C) The protected health information for which use or access is sought is necessary for the research purposes.

(iii) Research on decedent’s information. The covered entity obtains from the researcher:

(A) Representation that the use or disclosure is sought is solely for research on the protected health information of decedents;

(B) Documentation, at the request of the covered entity, of the death of such individuals; and

(C) Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. 

(2) Documentation of waiver approval.

[No changes through (2)(i)]

(2) Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following:

(i) Identification and date of action. A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved;

[significant revisions to (i)(2)(ii), Waiver Criteria]

(ii) Waiver criteria. A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:

(A) The use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements;

(1) An adequate plan to protect the identifiers from improper use and disclosure;

(2) An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and

(3) Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;

[new language regarding waiver criteria]

(B) The research could not practicably be conducted without the waiver or alteration; and

(C) The research could not practicably be conducted without access to and use of the protected health information.

[significant revisions to (i)(2)(ii)]

(ii) Waiver criteria. A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:

(A) The use or disclosure of protected health information involves no more than minimal risk to the individuals;

[(B) and (C) below, are deleted; replaced with new language regarding waiver criteria]

(B) The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;

(C) The research could not practicably be conducted without the alteration or waiver;

[No changes in (D), (E), (F) (G) and (H).]

(D) The research could not practicably be conducted without access to and use of the protected health information;

(E) The privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research;

(F) There is an adequate plan to protect the identifiers from improper use and disclosure;

(G) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and

(H) There are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.

[No changes in (iii) – (v)]

(iii) Protected health information needed. A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or privacy board has determined, pursuant to paragraph (i)(2)(ii)(D) of this section;

(iv) Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows:

(A) An IRB must follow the requirements of the Common Rule, including the normal review procedures (7 CFR 1c.108(b), 10 CFR 745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b), 21 CFR 56.108(b), 22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR 46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), 40 CFR 26.108(b), 45 CFR 46.108(b), 45 CFR 690.108(b), or 49 CFR 11.108(b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR 745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110, 21 CFR 56.110, 22 CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR 219.110, 34 CFR 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45 CFR 690.110, or 49 CFR 11.110);

(B) A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of this section;

(C) A privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair; and

(v) Required signature. The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRB or the privacy board, as applicable.

Existing Language, Final Rule, 12/28/2000

(c) Implementation specification: Effect of prior permission for research.

Notwithstanding any provisions in §§164.508 and 164.512(i), a covered entity may use or disclose, for a specific research study, protected health information that it created or received either before or after the applicable compliance date of this subpart, provided that there is no agreed-to restriction in accordance with §164.522(a) and that the covered entity has obtained, prior to the applicable compliance date, either:

(1) The authorization or other express legal permission from an individual to use or disclose protected health information for the research study;

(2) The informed consent of the individual to participate in the research study; or

(3) A waiver, by an IRB, of informed consent t for the research study, in accordance with 7 CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR 1230.116(d), 15 CFR 27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 CFR 225.116(d), 24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34 CFR 97.116(d), 38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR 46.116(d), 45 CFR 690.116(d), or 49 CFR 11.116(d), provided that a covered entity must obtain authorization in accordance with §164.508 if, after the compliance date, informed consent is sought from an individual participating in the research study.

[New provision]