The HIPAA/HITECH Omnibus Final Rule: Implications for Clinical Research

Jul 26, 2013
By Applied Clinical Trials Editors

Editor's Note: You can now view part II of this article here.

On January 23, 2013, the Department of Health and Humans Services (HHS) published the Omnibus Final Rule (Final Rule) as a modification to the “HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and the Genetic Information Nondiscrimination Act of 2008.”

As stated by HHS, “the Final Rule is needed to strengthen the privacy and security provisions established under HIPAA for PHI and harmonize certain requirements with those under HHS’s Human Subject Protections regulations.”

Although the Final Rule is a welcome response to concerns by the research community that the current Privacy Rule encumbers research and diverges from the HHS’s Human Subject Protections regulations for future research, the provisions of the Final Rule that modify the current Privacy Rule are likely to have significant implications for clinical research.

The Privacy Rule

Under the current Privacy Rule, researchers are permitted to conduct research on subjects and patients, if the Covered Entity with whom they are affiliated abides the standards for the use of an individual’s protected health information (PHI).
Under the Privacy Rule:

  • A Covered Entity is any health plan, health care clearinghouse and health care provider that transmit PHI in electronic form.
  • A Business Associate is a person or entity which performs certain functions or services on behalf of a Covered Entity. Researchers, Institutional Review Boards (IRBs) and CROs who perform research activities on behalf of a Covered Entity are not Business Associates.
  • A Covered Entity is permitted to use and disclose PHI for research purpose without individual authorization by obtaining approval from an IRB.
  • A Covered Entity is permitted to use and disclose PHI to its Business Associates.
  • A Covered Entity may permit researchers to review PHI without individual authorization during activities preparatory to research or to assist in study recruitment.
  • A Covered Entity must obtain an individual authorization for certain non-research PHI uses and disclosures. Such uses requiring an individual authorization include uses and disclosure of psychotherapy notes and uses and disclosures for purposes of marketing. 
  • The Final Rule

    The Final Rule became effective on March 26, 2013.

    The provisions of the Final Rule that are likely to impact on research conduct are related to compound authorizations--authorization for future research use and the use of a deceased person’s PHI.

    Compound Authorizations

    • The current Privacy Rule prohibits a Covered Entity from combining an authorization for research that conditions research-related treatment upon the signing of the authorization (conditioned authorization) with an authorization for research that does not condition treatment upon the signing of an authorization
    • The Final Rule allows a Covered Entity to combine conditioned and unconditioned authorizations for research, provided that the compound authorization differentiates between the conditioned and un-conditioned research components, and allows the individual the option to opt-in to the unconditioned research activities. Compound authorizations may be used for any type of research activities, including optional sub-studies, and secondary future use of data, except where the research involves the use and/or disclosure of psychotherapy notes.
    • These changes give Covered Entities, researchers and IRBs discretion regarding how authorizations distinguish between conditioned and unconditioned activities. They are likely to allow Covered Entities to combine authorizations for use and disclosure of PHI for clinical trials and related tissue and data banking activities, as well as in other research situations. 

      Authorization for Future Research Use

      • Under the current Privacy Rule, authorizations for the use of PHI in research must be study specific.
      • The Final Rule allows an authorization for the use of PHI in research that is not study specific, provided it includes description of each purpose of the requested use.  An authorization for the use of PHI for future research purposes must describe those purposes in a manner such that it would be reasonable for the individual to expect that his or her PHI could be used or disclosed for such future research.
      • These changes are likely to give Covered Entities, researchers, and IRBs flexibility to determine how to adequately describe the future research purpose, the information to be used or disclosed for future research, and the recipients of the PHI for future research.  However, since these changes have not been tested, HHS may issue additional guidance with respect to revocations of authorizations for future research uses.

        Deceased Person PHI

        • The current Privacy Rule requires covered entities to safeguard the privacy of a deceased person's PHI indefinitely, in the same manner required for the PHI of living individuals.  If an authorization is required for a particular use or disclosure of PHI, the covered entity must obtain the authorization from the deceased person's personal representative.
        • The Final Rule modifies the privacy protections applicable to a deceased person’s PHI and any information that would otherwise constitute PHI of a deceased person, ceases to be PHI 50 years after the death of the deceased person.
        • This declassification is likely to benefit research since beyond the 50 years authorization from living individuals related to the deceased person is no longer required.


          The provisions of the Final Rule have significant implications for clinical research:

          • The changes concerning compound authorizations are likely to alleviate administrative burdens on clinical trial subjects and researchers and facilitate harmonization with the Common Rule and global requirements for research documentation.
          • The revised interpretation regarding authorization for future research use are likely to remove barriers on the ability to use data for future research purposes – some of which cannot even be contemplated at the time the data is gathered, but which could hold great promise to advance science and medical care.
          • The declassification as "PHI" of certain information of deceased persons over time will ease researchers' ability to perform research using such information.
          • Going Forward

            Covered Entities have until September 23, 2013, to come into full compliance with the Final Rule.

            In addition, Covered Entities should keep abreast of future regulatory developments and guidance on these and other issues, such as revocation of authorizations of use of PHI for future research use, additional guidance related to research use of genetic information, and harmonization of the Final Rule with the standards for informed consent.

            Future regulatory developments and guidance may be found on and

            Lina Genovesi, PhD, JD


            lorem ipsum