Certificates of Confidentiality & the HIPAA Privacy Rule
This draft guidance describes the extent to which federal Certificates of Confidentiality ("Certificates") protect the privacy of individually identifiable information, and the likely effects of the federal HIPAA Privacy Rule on those protections.
1) Certificate's Protection: A Certificate protects those with access to research data from being compelled to identify research subjects in any "Federal, State, or local civil, criminal, administrative, legislative, or other proceedings," with limited exceptions. 42 CFR 2a.7(a). Identifying information is defined broadly to include name, address, identifying numbers, and any other information that alone or in combination could "reasonably lead directly or indirectly by reference to other information" to identify the subject. Id. 2a.2(g). (Note that the Certificate protects not only health care information, but all identifying information.)
2) Exceptions: A Certificate does not protect researchers from disclosing identifiable information in the following circumstances: (1) the subject consents to a disclosure; (2) the researcher voluntarily discloses the information (e.g., in compelling circumstances where the subject or a third party is at risk); (3) HHS requests information for an audit, program evaluation, or investigation; or (4) the Federal Food, Drug, and Cosmetic Act or its regulations require disclosure. Id. 2a.7(b).
3) State Reporting Requirements: It is unclear whether the federal Certificate's protections against disclosure of identifiable information trump every state law or rule requiring reporting of such information. Case-by-case review is therefore advisable.
4) Duration of Protection: A Certificate permanently protects identifying information about research subjects if they enroll while the Certificate is in effect. Id. 2a.8. The Certificate has an expiration date, though, so if researchers plan to enroll subjects after that date, they must secure an extension or inform new subjects that they will not have this protection. A Certificate does not extend to material changes in the research unless the researchers obtain approval from the agency issuing the Certificate.
5) HIPAA Privacy Rule: The Privacy Rule regulates the use and disclosure of individually identifiable health care information. A Certificate also protects the privacy of identifiable information. In many cases, both sets of rules work together to protect privacy, but that may not always be true. The draft guidance that follows construes the rules so that both are given effect where possible. This guidance may change if NIH or another agency provides clarification. Note that these guidelines compare only the Certificate of Confidentiality regulations with the Privacy Rule; other specific federal or state legal requirements may also affect disclosure issues, but those will need case-by-case review.
GENERAL GUIDELINES
(a) If a Certificate permits disclosure and the Privacy Rule permits disclosure, then disclosure generally is permitted (though it may be subject to authorization).
Ex.: (i) Researcher learns that a child in a study is being abused. Identifiable information may be disclosed, because the Certificate permits voluntary disclosure of identifiable information (but the consent form should explain this possibility and its limitations, e.g., to extremely compelling circumstances), and the Privacy Rule permits disclosure of a report of child abuse to an appropriate government authority without authorization. (ii) Researcher learns that a subject in a mental illness study plans to kill his wife with a knife kept in his dresser. This would seem to be a permissible voluntary disclosure in a Certificate-covered study, and no authorization is needed under the Privacy Rule to avert a serious threat to a person's health or safety.
(b) If a Certificate permits disclosure and the Privacy Rule requires disclosure, then disclosure should be made.
Ex.: (i) Subject requests identifiable information from a study, because it may pertain to treatment. Identifiable information may be disclosed under a specific Certificate exception (see #2 above) and the Privacy Rule's right of access to the designated record set. (ii) HHS requests identifiable information for a compliance audit. Identifiable information may be disclosed under a specific Certificate exception and the Privacy Rule's required disclosures.
(c) If a Certificate permits (but does not require) disclosure and the Privacy Rule prohibits disclosure, then no disclosure generally should be made.
Ex.: Researcher learns that a terminally ill subject in a study of depression is depressed about dying without repairing his relationship with his ex-wife. Researcher feels an ethical desire to contact the ex-wife to explain the situation. The Privacy Rule prohibits this disclosure without authorization, so no disclosure of identifiable health care information should be made without the subject's written authorization.
(d) If a Certificate prohibits disclosure and the Privacy Rule permits (but does not require) disclosure, then disclosure generally cannot be made.
Ex.: A state legislative committee holding hearings on treatment and rehabilitation of drug users demands data from Certificate-covered studies. The committee probably cannot compel disclosure of such data, unless it requests only deidentified data. (Further review would be needed if the committee, for example, could point to a specific state law mandating disclosure.)
(e) If a Certificate prohibits disclosure, the Privacy Rule permits disclosure for state reporting requirements, and a state law or regulation requires disclosure of identifiable health care information, then the particular circumstances will need review.
Ex.: (i) Researcher studying the psychological effects of possible anthrax exposure among local postal workers realizes that one may have anthrax. State regulation requires immediate reporting with identifiable information to an agency. (ii) Researcher studying nurses to determine exposure to occupational injury learns of a needlestick injury to a nurse treating patients with infectious diseases. State regulation requires reporting identifiable information concerning occupational injuries to an agency. (It is possible in both cases that clinicians would report these separately from the researchers, so the potential tension with the Certificate depends on the circumstances.)
(f) If a Certificate prohibits disclosure and the Privacy Rule prohibits disclosure, then generally no disclosure should be made.
(g) Another scenario in theory is that a Certificate prohibits disclosure and the Privacy Rule requires disclosure. It is difficult to think of a situation in which this would occur. The Privacy Rule requires disclosure only (i) to an individual upon request in certain circumstances (and a Certificate permits such disclosure), and (ii) to HHS to investigate or determine a covered entity's compliance with the Privacy Rule (and a Certificate permits disclosure to HHS for audit, investigation, and program evaluation purposes).
This chart summarizes the guidelines above concerning disclosures. Note again that particular circumstances may need review if other federal or state legal requirements are invoked:
| DISCLOSURE | PRIVACY RULE PERMITS | PRIVACY RULE REQUIRES | PRIVACY RULE PROHIBITS |
|---|---|---|---|
| Certificate Permits | may disclose (but may require authorization) | should disclose | cannot disclose |
| Certificate Prohibits | generally should not disclose, but may need case-by-case review | [theoretical only?] | cannot disclose |