Privacy in Medical Research: How the Informed Consent Requirement Will Change Under HIPAA
by Jackie Huchenski and Linda Abdel-Malek
Under the "common rule," medical researchers in federally funded research programs are required to obtain written "informed consent" from patients to use identifiable information in research unless the consent requirement is waived (allowed under certain limited circumstances) by an Institutional Review Board, or IRB, which is a committee charged with protecting the rights of research subjects participating in federal research. The rule is an outgrowth of the Nuremberg Code, which was adopted largely in response to medical experiments conducted on prisoners abroad during World War II. The common rule's primary purpose is to protect individual subjects from physical or psychological harm. New York State law is patterned after the common rule and is preempted by it to the extent that human subject research is conducted pursuant to, or in compliance with, federal policies and regulations.
Soon there will likely be new federal rules governing the confidentiality of health information itself, including health information obtained for research purposes. Pursuant to the Health Insurance Portability and Accountability Act, or HIPAA, the Department of Health and Human Services passed proposed privacy regulations in November 1999 (the privacy rule) that would govern the protection of electronically maintained or transmitted individually identifiable health information (called protected health information, or PHI, in the privacy rule). These regulations are expected to be finalized this fall. This article describes how the common rule requirement would change under the proposed privacy rule.
The privacy rule will govern when PHI can be used or disclosed, including for medical research, by providers, such as hospitals, nursing homes, labs and physicians; health plans; and "clearinghouses" (collectively known as covered entities under the rule).
Some of the privacy rule's fundamental changes affecting research include:
- Unlike the common rule, the privacy rule will protect all information used in research, whether the research is federally funded or not (the common rule protects information in federally funded research only).
- The privacy rule will govern the covered entity disclosing the information to a researcher or other entity, whereas the common rule governs the receipt or redisclosure of the information by the researcher. The researcher will be directly governed by the privacy rule only if the researcher is also a "provider" and thus a covered entity; otherwise it will be treated as a business partner of covered entities that have supplied it with such information. If a business partner, the researcher will have to enter into an agreement with the providers that are disclosing such information to the researcher to protect the PHI to the same degree as the providers do under the privacy rule.
- Generally the privacy rule requires specific authorization from the patient for use or disclosure of PHI unless such use or disclosure is for treatment, payment, or healthcare operations purposes.
- If the information is not being used or disclosed to the researcher for treatment purposes, then specific individual authorization of the patient is required unless such authorization is waived by an IRB or a privacy board (a new concept for those entities without IRBs, for example, if the research is not federally funded). The requirements for waiver of individual authorization under the privacy rule are different in some significant respects from the requirements for waiver of informed consent. The privacy rule requires that eight criteria be met before the IRB or privacy board can authorize waiver of the individual authorization requirement (the first four are taken from the common rule requirements for waiver of informed consent):
  - Use/disclosure of the PHI involves only minimum risk to the subject
  - The waiver will not adversely affect rights and welfare of the subjects of the research
  - The research would be impracticable to conduct without the waiver
  - When appropriate, subjects will be given additional pertinent information after participation
  - The research could not practicably be conducted without access to and use of the protected health information
  - The research is important enough to outweigh the privacy intrusion
  - The researcher has an adequate plan to protect identifiers from improper use/disclosure
  - The researcher has an adequate plan to destroy identifiers at the earliest opportunity unless health or research justifies retaining such identifiers
Thus, researchers may need to meet the requirements of both the common rule and the privacy rule, and obtain both informed consent and individual authorization from the patients or waivers meeting the requirements of both rules. Of course, if the information is de-identified pursuant to the privacy rule, then the privacy rule requirements do not apply (a somewhat similar provision is also found in the common rule). The same is true if the PHI is not maintained or transmitted electronically. The amount of research being conducted should not decrease as a result of the privacy rule, however, since the privacy rule adds administrative obligations that are somewhat minimal for federally funded research and broader for non-federally funded research.
Jackie Huchenski is a Partner with Moses & Singer LLP. She is the chair of the Healthcare Group and a co-chair of the eHealth Practice. Linda Abdel-Malek is an Associate in the Healthcare Group.
© 1999 - Moses & Singer LLP all rights reserved.