National Institutes of Health U.S. Department of Health and Human Services
Federal Policy Recommendations Including HIPAA
The NIH Health Insurance Portability and Accountability Act of 1996 (HIPAA) [hhs.gov] required HHS to develop standards for protecting the privacy of individually identifiable health information from inappropriate use and disclosure. The resulting Privacy Rule [hhs.gov] came into effect on April 14, 2003. Within the Privacy Rule, genetic information is treated as all other "Protected Health Information." The Privacy Rule does not preempt more stringent state law, therefore, there are many state laws that prevail over the Privacy Rule.
In the mid 1990s, the National Human Genome Research Institute (NHGRI) and the National Action Plan on Breast Cancer (NAPBC) co-sponsored an initiative to address privacy and confidentiality of information in genetics research. Following previous successful collaborations to address genetic discrimination in health insurance and employment, NHGRI and NAPBC initiated an assessment of the protections for confidentiality in genetics research.
A workshop on privacy in genetics research was held on Sept. 16 and 17 in Bethesda, Md. The purpose of this workshop was to address key unresolved issues identified at a June 1997 Planning Meeting and to develop a set of policy recommendations.
NHGRI Policy Recommendations on Research Privacy Guidelines
Privacy protections for experimental research data in which health care is not delivered should exceed the protections established for medical records. Rules for third-party access to medical records should not be uniformly applied to experimental research data.
Researchers should not place individually identifiable experimental research data not utilized for health care in the medical record.
Informed consent for research participation should include information about all potential disclosures of research information and the nature and magnitude of the risks from such disclosures. Adequate measures to ensure compliance and punish violations should be in place.
Current practices to protect confidentiality of experimental research data should be studied and best practices should be developed.
Protections similar to Certificates of Confidentiality should be developed to protect research subjects from compelled disclosure of research results.
Research participants should have access to experimental research data except when:
The information includes information obtained under a promise of confidentiality, is about another person, and patient inspection would cause harm to another individual;
Access to the information may reasonably be expected to endanger the life or physical safety of the research participant or anyone else;
Access would break the "masking" of the study or otherwise significantly interfere with the conduct or results of the study; or
The research results are of unproven clinical validity, and the IRB has judged that there is no benefit to the research subjects. In such circumstances, the informed consent must explicitly state that individual research results will not be shared.