Informed Consent for Research and Authorization under the Health Insurance Portability and Accountability Act Privacy Rule: An Integrated Approach

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), calling for standards to protect individuals' health information (1). In response, the Department of Health and Human Services issued the Privacy Rule, which established national standards to protect such information (2). The Privacy Rule covers "protected" health information, that is, health information that is "individually identifiable," including health information that contains 1 or more of 18 identifiers, such as names or Social Security numbers. With few exceptions, the Privacy Rule requires "covered entities" and their workforces to obtain individuals' signed authorization to use or disclose their protected health information for research purposes. Covered entities include health care providers that electronically transmit health information for insurance and billing purposes, suggesting that the Privacy Rule probably applies to most institutions that conduct clinical research.
Research institutions and institutional review boards often comply with the Privacy Rule by adding large amounts of text to research consent forms, burdening institutional review boards and possibly confusing research participants. Fortunately, covered entities may eliminate redundant language between authorization and consent forms (3) and, thus, may avoid these potential problems. In fact, consent forms that satisfy the regulations for clinical research (45 CFR §46 and 21 CFR §50 and §56) (4,5) need only minimal additional text to also satisfy the authorization requirements under the Privacy Rule.

THE "ADDITIVE" APPROACH
Except where prohibited by state law (6), the Privacy Rule allows combining of authorizations to use or disclose protected health information with research consent forms. When Privacy Rule authorizations are thus combined with research consent forms, approval of the combined form, including approval of the authorization language, falls to the relevant institutional review board. Many institutional review boards and institutions comply with the Privacy Rule by adding all the language required for authorization to research consent forms. This approach yields long and complicated forms.
In a recent survey of 100 top medical centers and 11 independent institutional review boards, researchers discovered that the authorization language used to satisfy the Privacy Rule has a median length of 744 words and is written at a median 12th-grade reading level (7). This wording is well above the eighth-grade reading level mandated by many institutional review boards (8) and the literacy level of most U.S. citizens (9). This complex language also seems inconsistent with the Privacy Rule's requirement that authorizations be written in "plain language." In another survey of investigators and institutional review board personnel, researchers found that the addition of extensive language to satisfy the Privacy Rule's authorization requirements often confuses research participants, burdens the informed consent process, and undermines recruitment (10).
Increased complexity of research consent forms is worrisome given data showing that, even without additional privacy language, many participants cannot understand crucial aspects about the research in which they participate (11-15). Three extra pages of text, often written in complex language, may well increase participants' confusion and distract them from more important information, such as the risks of participation and their right to withdraw.
Clinical investigators who work for covered entities can avoid the Privacy Rule's authorization requirements by removing personal identifiers from health information or obtaining a waiver of authorization. Yet a decision to remove identifiers can diminish the value of research studies. Removal of dates of birth or places of residence can make it impossible to conduct important epidemiologic studies or medical records research (16). Removal of identifiers also may prevent investigators from following up on unexpected findings (17). Furthermore, the Privacy Rule allows a waiver of authorization only when, among other things, it is not "practicable" to conduct the research without a waiver. Because investigators often are able to obtain individuals' authorization at the time of consent, most studies probably will not satisfy this requirement. Hence, they must obtain Privacy Rule authorization.

COMPARING THE PRIVACY RULE AND THE FEDERAL REGULATIONS
The Privacy Rule's 9 requirements for authorization (Table) can be divided into 3 groups: 1) items duplicated in the federal regulations for human subjects research; 2) items similar to a requirement in the federal regulations; and 3) items not included in the federal regulations.

Privacy Rule Requirements Duplicated in the Federal Regulations
The federal regulations and the Privacy Rule require that information given to participants be understandable and that participants provide their signature. The Privacy Rule requires that signatures be dated and that a copy of the signed authorization be provided to the participant. Although these requirements are not explicit in the federal regulations, it is common practice to date signatures and provide participants with copies of their signed consent forms. The Privacy Rule also mandates that individuals be informed of any consequences of a failure to provide authorization, including whether any treatment or payment is conditioned on their authorization. The federal regulations similarly require participants to be informed that their "refusal to participate will involve no penalty or loss of benefits to which the subject is otherwise entitled" (4).

Privacy Rule Requirements Similar to a Requirement in the Federal Regulations
The Privacy Rule mandates that researchers inform individuals of what protected health information is being collected and the purpose of the collection. These requirements are similar to the federal regulations' requirement that researchers describe the procedures and purposes of the research to participants. The Privacy Rule also mandates that researchers inform individuals that the research team may redisclose their health information and that information disclosed to others may not be protected by the Privacy Rule. In comparison, the federal regulations require that researchers inform participants of the extent to which their confidentiality will be maintained. The Privacy Rule states that researchers must inform participants of their right to revoke their authorization in writing, how to revoke it, and any exceptions to this right. This requirement is similar to the federal regulations' requirement that researchers inform participants that participation is voluntary and inform them how to withdraw.

Table. Comparison of HIPAA Authorization Requirements and U.S. Federal Research Consent Requirements*

Distinct requirements

HIPAA authorization requirement: Persons authorized to use or disclose information and those to whom the information will be disclosed (29)
Federal research consent requirement: None
Checklist†: Describe those who will use the health information (e.g., "the research team")

HIPAA authorization requirement: Expiration date or event for authorization or statement that authorization does not expire (30)
Federal research consent requirement: None
Checklist†: Explain how long the health information will be kept (may be kept indefinitely)

* HIPAA = Health Insurance Portability and Accountability Act.
† Checklist describes the modifications needed to ensure that consent forms that satisfy the U.S. federal regulations for human subjects research also comply with the HIPAA Privacy Rule's authorization requirements.
‡ Although not explicitly mandated by federal research consent requirements, it is common practice to ask participants to date their signatures.

Privacy Rule Requirements Not Found in the Federal Regulations
The Privacy Rule requires that individuals be informed of the persons authorized to access their protected health information and the persons to whom the information will be disclosed. The Privacy Rule also requires that individuals be told when, if ever, researchers will no longer be authorized to use their protected health information.

AN INTEGRATED APPROACH TO COMBINING INFORMED CONSENT AND AUTHORIZATION
The present comparison reveals substantial overlap between the Privacy Rule's authorization requirements and the federal requirements for informed consent. This finding suggests that consent forms that satisfy the federal regulations need add only minimal additional text to comply with the Privacy Rule's authorization requirements. This integrated approach is consistent with the Department of Health and Human Services' statement that covered entities may eliminate redundant language between authorizations and consent forms (3).
To implement this integrated approach, descriptions of the research procedures in combined forms should include what information is being collected, who is authorized to collect it, and the reasons for the collection. For example, to describe a study's screening procedures, the consent form might state that "members of the research team will conduct tests of your heart to determine whether you are eligible to participate in this study." The combined form should also state whether this information will be retained, used, or disclosed after the study is completed.
Second, when stating that research participation is voluntary, as required by the federal regulations, the combined form should explicitly mention the option to withdraw. The Privacy Rule allows investigators to use participants' protected health information until their authorization is withdrawn in writing or until the authorization expires. Hence, combined forms should recommend that participants withdraw in writing. Third, when explaining confidentiality protections, researchers should state on the combined form that the regulations may not protect individuals' health information after its disclosure. Finally, the Privacy Rule gives participants the right to access their protected health information. Hence, studies that require withholding certain information from participants, for instance, whether they are receiving drug or placebo, should state this on the combined form. These additions (Table) provide a checklist that investigators and institutional review boards can use to assess adherence to the Privacy Rule's authorization requirements.

CONCLUSION
Institutions and institutional review boards often comply with the Privacy Rule's authorization requirements by adding complex and lengthy text to research consent forms. Yet, the addition of extensive language is likely to confuse research participants already struggling to understand complicated research protocols. Fortunately, the Privacy Rule's authorization requirements and the federal requirements for informed consent overlap substantially. Consent forms that satisfy the federal regulations for human subjects research need only minimal additional text to also satisfy the Privacy Rule's authorization requirements. Limiting the amount of text added to consent forms through this integrated approach has the potential to increase research participants' understanding of their privacy rights without sacrificing comprehension of their research participation. This integrated approach also may relieve institutional review boards of the burdens of reviewing complex and lengthy boilerplate authorization language in consent forms.