Both HHS regulations and HIPAA provide for certain protections aimed at guarding participants in medical research. Primary protection provided is the requirement for consent in most research studies to allow participants to be fully aware of how their information and contributions will be used.
HHS regulations on patient consent
HHS regulations require healthcare providers and researchers to provide individuals with detailed information regarding the specific treatment, study, or procedure. Consent must be obtained voluntarily, with individuals demonstrating the capacity to understand the provided information. Legally authorized representatives may provide consent on behalf of those unable to do so. Individuals can withdraw their consent at any time without facing adverse consequences.
See also: How HIPAA balances privacy with patient safety in crisis situations
The difference between passive and implied consent
- Passive consent: While the terms "passive" or "implied" consent are not explicitly mentioned in HHS regulations, they are sometimes used informally to describe situations where consent requirements have been altered or waived, or where the requirement to document consent has been waived or dispensed.
- Informed consent requirement: HHS regulations (45 CFR 46.116) state that no investigator can involve a human subject in research without obtaining legally effective informed consent from the subject or their legally authorized representative.
Altering a waiver of consent
Under certain conditions specified in the regulations (45 CFR 46.116(c) or (d)), an Institutional Review Board (IRB) can approve a consent procedure that does not include or alter some or all of the elements of informed consent from the patient or participant. In some cases, an IRB can also waive the requirement to obtain consent altogether.
HIPAA's Privacy Rule and patient authorization for research
In the context of research, the HIPAA Privacy Rule requires that individuals provide signed Authorizations for covered entities to use or disclose their protected health information (PHI) for research purposes. These Authorizations must include specific elements and statements to ensure individuals are fully informed about the research-related use of their PHI and any potential consequences.
See also: What is the HIPAA Privacy Rule?
Informed consent vs. authorization
While informed consent and authorization involve individuals granting permission for certain activities, informed consent is more comprehensive. It relates specifically to research participation or medical treatment, focusing on the individual's understanding and voluntary agreement. Authorization, as defined by the HIPAA Privacy Rule, is more narrowly focused on granting permission for the use or disclosure of PHI for specified purposes and recipients, primarily in healthcare-related or research contexts.
Required elements of consent
- Description of the PHI to be used or disclosed in a specific and meaningful manner.
- Identification of who can make the requested use or disclosure.
- Identification of who may use the PHI or to whom the covered entity may disclose it.
- A description of each purpose of the requested use or disclosure must be research study-specific.
- An expiration date or event related to the individual or the purpose of the use or disclosure.
- Signature of the individual or their personal representative, along with the date and a description of the representative's authority if applicable.
See also: HIPAA Compliant Email: The Definitive Guide
Kirsten Peremore
