David Shalowitz, AB; David Wendler, PhD
Acknowledgments: The authors thank John Barton, Lindsay Hampson, and Mary McCabe for their helpful comments on earlier versions of this manuscript.
Potential Financial Conflicts of Interest: Employment: D. Shalowitz (National Institutes of Health), D. Wendler (National Institutes of Health).
Requests for Single Reprints: David Wendler, PhD, Department of Clinical Bioethics, NIH Clinical Center, Building 10, Room 1C118, Bethesda, MD 20892; e-mail, firstname.lastname@example.org.
Current Author Addresses: Mr. Shalowitz and Dr. Wendler: Department of Clinical Bioethics, NIH Clinical Center, Building 10, Room 1C118, Bethesda, MD 20892.
Shalowitz D, Wendler D. Informed Consent for Research and Authorization under the Health Insurance Portability and Accountability Act Privacy Rule: An Integrated Approach. Ann Intern Med. 2006;144:685-688. doi: 10.7326/0003-4819-144-9-200605020-00012
Download citation file:
Published: Ann Intern Med. 2006;144(9):685-688.
Researchers have found that implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is having a negative impact on clinical research. This impact traces, in part, to many research institutions complying with HIPAA by adding lengthy, complex language to their research consent documents. The addition of extensive language burdens institutional review boards and may undermine participants' understanding of the research in which they take part. Comparative analysis reveals, however, that the addition of lengthy text often is unnecessary. The U.S. federal requirements for informed consent for human subjects research and the HIPAA Privacy Rule's requirements for individual authorization overlap substantially. Hence, consent forms that satisfy the U.S. federal regulations for human subjects research need only minimal additional text to also satisfy the authorization requirements under the HIPAA Privacy Rule.
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), calling for standards to protect individuals' health information (1). In response, the Department of Health and Human Services issued the Privacy Rule, which established national standards to protect such information (2). The Privacy Rule covers “protected” health information, that is, health information that is “individually identifiable,” including health information that contains 1 or more of 18 identifiers, such as names or Social Security numbers. With few exceptions, the Privacy Rule requires “covered entities” and their workforces to obtain individuals' signed authorization to use or disclose their protected health information for research purposes. Covered entities include health care providers that electronically transmit health information for insurance and billing purposes, suggesting that the Privacy Rule probably applies to most institutions that conduct clinical research.
Research institutions and institutional review boards often comply with the Privacy Rule by adding large amounts of text to research consent forms, burdening institutional review boards and possibly confusing research participants. Fortunately, covered entities may eliminate redundant language between authorization and consent forms (3) and, thus, may avoid these potential problems. In fact, consent forms that satisfy the regulations for clinical research (45 CFR §46 and 21 CFR §50 and §56) (4, 5) need only minimal additional text to also satisfy the authorization requirements under the Privacy Rule.
Except where prohibited by state law (6), the Privacy Rule allows combining of authorizations to use or disclose protected health information with research consent forms. When Privacy Rule authorizations are thus combined with research consent forms, approval of the combined form, including approval of the authorization language, falls to the relevant institutional review board. Many institutional review boards and institutions comply with the Privacy Rule by adding all the language required for authorization to research consent forms. This approach yields long and complicated forms.
In a recent survey of 100 top medical centers and 11 independent institutional review boards, researchers discovered that the authorization language used to satisfy the Privacy Rule has a median length of 744 words and is written at a median 12th-grade reading level (7). This wording is well above the eighth-grade reading level mandated by many institutional review boards (8) and the literacy level of most U.S. citizens (9). This complex language also seems inconsistent with the Privacy Rule's requirement that authorizations be written in “plain language.” In another survey of investigators and institutional review board personnel, researchers found that the addition of extensive language to satisfy the Privacy Rule's authorization requirements often confuses research participants, burdens the informed consent process, and undermines recruitment (10).
Increased complexity of research consent forms is worrisome given data showing that, even without additional privacy language, many participants cannot understand crucial aspects about the research in which they participate (11-15). Three extra pages of text, often written in complex language, may well increase participants' confusion and distract them from more important information, such as the risks of participation and their right to withdraw.
Clinical investigators who work for covered entities can avoid the Privacy Rule's authorization requirements by removing personal identifiers from health information or obtaining a waiver of authorization. Yet a decision to remove identifiers can diminish the value of research studies. Removal of dates of birth or places of residence can make it impossible to conduct important epidemiologic studies or medical records research (16). Removal of identifiers also may prevent investigators from following up on unexpected findings (17). Furthermore, the Privacy Rule allows a waiver of authorization only when, among other things, it is not “practicable” to conduct the research without a waiver. Because investigators often are able to obtain individuals' authorization at the time of consent, most studies probably will not satisfy this requirement. Hence, they must obtain Privacy Rule authorization.
The Privacy Rule's 9 requirements for authorization (Table) can be divided into 3 groups: 1) items duplicated in the federal regulations for human subjects research; 2) items similar to a requirement in the federal regulations; and 3) items not included in the federal regulations.
The federal regulations and the Privacy Rule require that information given to participants be understandable and that participants provide their signature. The Privacy Rule requires that signatures be dated and that a copy of the signed authorization be provided to the participant. Although these requirements are not explicit in the federal regulations, it is common practice to date signatures and provide participants with copies of their signed consent forms. The Privacy Rule also mandates that individuals be informed of any consequences of a failure to provide authorization, including whether any treatment or payment is conditioned on their authorization. The federal regulations similarly require participants to be informed that their “refusal to participate will involve no penalty or loss of benefits to which the subject is otherwise entitled” (4).
The Privacy Rule mandates that researchers inform individuals of what protected health information is being collected and the purpose of the collection. These requirements are similar to the federal regulations' requirement that researchers describe the procedures and purposes of the research to participants. The Privacy Rule also mandates that researchers inform individuals that the research team may redisclose their health information and that information disclosed to others may not be protected by the Privacy Rule. In comparison, the federal regulations require that researchers inform participants of the extent to which their confidentiality will be maintained. The Privacy Rule states that researchers must inform participants of their right to revoke their authorization in writing, how to revoke it, and any exceptions to this right. This requirement is similar to the federal regulations' requirement that researchers inform participants that participation is voluntary and inform them how to withdraw.
The Privacy Rule requires that individuals be informed of the persons authorized to access their protected health information and the persons to whom the information will be disclosed. The Privacy Rule also requires that individuals be told when, if ever, researchers will no longer be authorized to use their protected health information.
The present comparison reveals substantial overlap between the Privacy Rule's authorization requirements and the federal requirements for informed consent. This finding suggests that consent forms that satisfy the federal regulations need add only minimal additional text to comply with the Privacy Rule's authorization requirements. This integrated approach is consistent with the Department of Health and Human Services' statement that covered entities may eliminate redundant language between authorizations and consent forms (3).
To implement this integrated approach, descriptions of the research procedures in combined forms should include what information is being collected, who is authorized to collect it, and the reasons for the collection. For example, to describe a study's screening procedures, the consent form might state that “members of the research team will conduct tests of your heart to determine whether you are eligible to participate in this study.” The combined form should also state whether this information will be retained, used, or disclosed after the study is completed.
Second, when stating that research participation is voluntary, as required by the federal regulations, the combined form should explicitly mention the option to withdraw. The Privacy Rule allows investigators to use participants' protected health information until their authorization is withdrawn in writing or until the authorization expires. Hence, combined forms should recommend that participants withdraw in writing. Third, when explaining confidentiality protections, researchers should state on the combined form that the regulations may not protect individuals' health information after its disclosure. Finally, the Privacy Rule gives participants the right to access their protected health information. Hence, studies that require withholding certain information from participants, for instance, whether they are receiving drug or placebo, should state this on the combined form. These additions (Table) provide a checklist that investigators and institutional review boards can use to assess adherence to the Privacy Rule's authorization requirements.
Institutions and institutional review boards often comply with the Privacy Rule's authorization requirements by adding complex and lengthy text to research consent forms. Yet, the addition of extensive language is likely to confuse research participants already struggling to understand complicated research protocols. Fortunately, the Privacy Rule's authorization requirements and the federal requirements for informed consent overlap substantially. Consent forms that satisfy the federal regulations for human subjects research need only minimal additional text to also satisfy the Privacy Rule's authorization requirements. Limiting the amount of text added to consent forms through this integrated approach has the potential to increase research participants' understanding of their privacy rights without sacrificing comprehension of their research participation. This integrated approach also may relieve institutional review boards of the burdens of reviewing complex and lengthy boilerplate authorization language in consent forms.
The In the Clinic® slide sets are owned and copyrighted by the American College of Physicians (ACP). All text, graphics, trademarks, and other intellectual property incorporated into the slide sets remain the sole and exclusive property of the ACP. The slide sets may be used only by the person who downloads or purchases them and only for the purpose of presenting them during not-for-profit educational activities. Users may incorporate the entire slide set or selected individual slides into their own teaching presentations but may not alter the content of the slides in any way or remove the ACP copyright notice. Users may make print copies for use as hand-outs for the audience the user is personally addressing but may not otherwise reproduce or distribute the slides by any means or media, including but not limited to sending them as e-mail attachments, posting them on Internet or Intranet sites, publishing them in meeting proceedings, or making them available for sale or distribution in any unauthorized form, without the express written permission of the ACP. Unauthorized use of the In the Clinic slide sets will constitute copyright infringement.
King K. Holmes
University of Washington
May 2, 2006
Congratulations for this well reasoned contribution.
David A. Gorelick
National Institute on Drug Abuse
May 28, 2006
The HIPAA Privacy Rule and research consent documents
To the Editor: Shalowitz and Wendler (1) provide some helpful suggestions for reducing the length and complexity of research consent documents that also comply with Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requirements. However, I believe that one of their recommendations is not as straightforward as they present.
Shalowitz and Wendler (1) suggest that research consent documents incorporate the HIPAA requirement that revocation of authorization (i.e., consent to research participation) be in writing. They acknowledge that written revocation of consent is not a requirement of the federal regulations for human research subject protection (45 CFR 46), but do not address how adding a requirement for written withdrawal might influence the voluntariness of continued research participation. One can easily construct scenarios for biomedical research in which only oral communication is possible or practical for at least a certain time interval. For example, the subject might be lying enclosed within a scanning device for several hours. A requirement for written, rather than oral, withdrawal might force subjects to temporarily continue participation after they had decided to withdraw, at least until the procedure was completed and writing was possible again. This seems to contradict the spirit, if not the letter, of 45 CFR 46.
My impression is that current clinical research practice is to promptly honor oral requests from subjects to withdraw from research participation, or to at least suspend further procedures pending a fuller discussion with the subject. A brief review of several IRB web sites found none that required written withdrawal from research participation. Imposing such a requirement is one recommendation that would not enhance human research subject protection.
Reference 1. Shalowitz D & Wendler D. Informed consent for research and authorization under the Health Insurance Portability and Accountability Act privacy rule: An integrated approach. Ann Int Med 2006;144:685-688.
June 29, 2006
We agree with Dr. Gorelick that the right to withdrawal from research participation is a vital safeguard, and investigators should respect research participants' decision to withdrawal, no matter how it is expressed. We did not mean to suggest otherwise. Rather, we recommended that, when applicable, research participants should be informed that the HIPAA Privacy Rule allows investigators to continue to use individuals' protected health information until they withdrawal their authorization for such use in writing.
Healthcare Delivery and Policy.
Results provided by:
Copyright © 2016 American College of Physicians. All Rights Reserved.
Print ISSN: 0003-4819 | Online ISSN: 1539-3704
Conditions of Use
This PDF is available to Subscribers Only