Incorporating the New HIPAA Privacy Rules into Medical Device Trials

Originally Published MDDI July 2001HIPAA  Medical device manufacturers who sponsor clinical trials have reason for concern when it comes to the need for a fast, smooth trial process.

Nancy J. Stark

July 1, 2001

13 Min Read
Incorporating the New HIPAA Privacy Rules into Medical Device Trials

Originally Published MDDI July 2001


Medical device manufacturers who sponsor clinical trials have reason for concern when it comes to the need for a fast, smooth trial process.

Nancy J. Stark and Erica Heath

0107d114a.jpgAdvances in information technology have enabled electronic storage of medical information, resulting in the potential for indiscriminate transfer of and unauthorized access to highly private and sensitive medical information. The new privacy regulations for health information, 45 CFR Part 164—Security and Privacy, will create a significant time delay for companies sponsoring clinical research. The timeline for clinical research may extend as long as 2–4 months as investigators apply to institutional review boards (IRBs) for permission to access medical records. The regulations set forth rules for the protection of individually identifiable health information in the United States, and were passed to protect the privacy of citizens while supporting continued advances in medicine. They stem from HIPAA, the Health Insurance Portability and Accountability Act of 1996.

The privacy rules are intended to protect the medical records, health insurance claims, billing records, and related medical information (e.g., case report forms) that are generated and processed by health plans, healthcare clearinghouses, and healthcare providers (e.g., clinical trial investigators). The responsibility of enforcement lies with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. Violators are subject to civil and criminal penalties. Several states have extensive rules on patient privacy. The federal rules do not preempt state privacy laws if those are more protective.

The rules provide an important benefit to sponsors wishing to bring European data into the United States. The European Union Directive on Data Protection prohibits EU countries from permitting the transfer of personal data to another country without ensuring that an "adequate level of protection" exists in the other country. Compliance with the new privacy rules allows a sponsor to "fairly and correctly" self-certify that it complies with the directive's principles.1

Three important features of the new rules are that healthcare providers must seek authorization from patients—or waivers of authorization from IRBs—in order to examine medical records (Section 164.508), de-identified medical information is not protected (Section 164.514[a]), and patients have the right to access and copy their medical records at any time (Section 164.524). While device manufacturers are not directly regulated, this article examines how these three features will affect medical device clinical trials.


While investigators will continue to have access to the medical records of patients under their direct care, they are now required to obtain written authorization from patients not under their direct care in order to access their medical information. Alternatively, investigators may apply to an IRB or privacy board for a waiver of authorization. The need for authorization or a waiver will present challenges to certain areas of clinical research.

Protocol Design. Many device manufacturers consult with investigators during the protocol development stage. The new rules will affect an investigator's ability to review medical records for hypotheses development, study design, subject selection criteria, protocol preparation, or other activities conducted in preparation for research.

Estimation of Enrollment Capabilities. Many sponsors ask investigators to estimate enrollment capabilities in order to plan study timelines and determine the number of investigative sites needed. Investigators commonly review the medical records of patients within their practice groups, or ask a laboratory for a list of patients whose laboratory values are above a certain range, then use the information to estimate enrollment capabilities.

Subject Recruitment. Investigators commonly review the medical records of patients previously treated by their practice groups. In large hospital settings, study coordinators may frequent the clinic areas, observing patients who come in for treatment. Those who appear to meet recruitment criteria (e.g., all patients who share common characteristics or who are receiving a particular procedure) are approached for study enrollment and have their medical records reviewed.

Authorization and Informed Consent. Authorization under Section 164.508(a) includes elements above and beyond those required by the informed consent regulations (21 CFR Part 50). The authorization, which grants access to the subject's existing medical records, is distinct from the informed consent form, which signifies that a subject has volunteered to participate in research. How-ever, an authorization may be incorporated into an informed consent form by the simple addition of the following elements within the document or as a separate section:

  • Description of medical information involved.

  • Statement of when the authorization expires (e.g., date of the end of the study or date when the possibility of sponsor audit ends).

  • Statement that treatment, payment, or enrollment in a health plan or eligibility for benefits is not conditioned upon signing.

  • Description of information that will not be disclosed to legal or public health authorities other than FDA (e.g., if the study included a test for sexually transmitted disease, the presence of disease would have to be disclosed to local health authorities).


Under Section 164.512(i)(1)(ii), an IRB or privacy board may waive the requirement for patient authorization under certain conditions. If an investigator establishes that the use or disclosure of protected health information is solely to prepare a research protocol or other work preparatory to research, that no information will be removed from the premises (unless the information has been de-identified), and that access to the information is necessary to conduct the research, authorization may be waived by an IRB or privacy board. Eight requirements must be met in order for this to occur (Section 164.512[i][2][ii]):

  • Use or disclosure is of minimal risk to patients.

  • Privacy rights and welfare of patients are not adversely affected.

  • The research cannot be done without the waiver.

  • The research cannot be done without access to the health information.

  • Privacy risks are reasonable in relation to benefits.

  • There is an adequate plan to protect identifiers.

  • There is an adequate plan to destroy identifiers at the earliest opportunity.

  • There are written assurances that information will not be used or disclosed for other purposes.

These are, of course, subjective conditions. The right to privacy will always be adversely affected when a third party is allowed to review an individual's medical records, and the reviewing board may have a different opinion from the investigator concerning the ability to accomplish the goal without the waiver.

Permit to Disclose Medical History Use. Once a subject is enrolled in a clinical study, investigators and sponsors will want access to his or her medical history for inclusion in the study database. This use and disclosure goes beyond the scope of a waiver. The waiver only gives the investigator access to medical records for the purposes of preparing for research, not for actually doing the research or transcribing information. In this situation an investigator must obtain authorization from the subject even if the subject is under the investigator's direct care.


Diagnostics research commonly takes advantage of de-identified medical information; for example, to establish the prevalence of a disease or condition. Medical information that is de-identified is not protected (Section 164.502[d]). The use or disclosure of de-identified information does not require authorization or a waiver of authorization.

Medical information is considered de-identified if it meets the requirements of Section 164.514(a). The rules provide for two mechanisms of de-identifying information: a statistician (or other person familiar with methods for rendering information not individually identifiable) may determine that the risk of an individual being identified is small, or the following elements may be stripped from the data:

  • Names.

  • Zip codes.

  • Dates.

  • Telephone numbers.

  • Fax numbers.

  • Electronic mail addresses.

  • Social security numbers.

  • Medical record numbers.

  • Health plan beneficiary numbers.

  • Account numbers.

  • Certificate/license numbers.

  • Vehicle identifiers and serial numbers, including license plate numbers.

  • Device identifiers and serial numbers.

  • Internet universal resource locators (URLs).

  • Internet protocol (IP) address numbers.

  • Biometric identifiers, including finger-prints and voiceprints.

  • Full-face photographic images and any comparable images.

  • Any other unique identifying number, characteristic, or code.

Leftover Tissue Samples. Information moving from investigator to sponsor is not the only thing that must be de-identified. Information moving from laboratory to laboratory must also undergo this process. For example, if leftover blood, urine, or other tissue samples are shipped to a central laboratory for use in a study, patient identifiers should be stripped from the specimen tubes and the tubes identified by a code number. The code should not be derived from information about the individual or be translatable, and the investigator may not use or disclose the code (Section 164.514[c]). (Under the Common Rule—the clinical research regulations that are followed by federal agencies other than FDA— de-identified information is called de-linked information. For details see 45 CFR Part 46.101[b][2],[4].)

Access to Tissue Banks. If samples in tissue banks are de-identified, investigators may have unlimited access for use and disclosure of the samples and related information. Again, samples and information should be identified by a code number that should not be derived from information about the individual or be translatable, and the investigator may not use or disclose the code. (Section 164.514[c]). Many institutions have a separate consent form that is boilerplate and allows access to coded tissue for research purposes. Increasingly, IRBs agree that if there is identifiable data there needs to be consent; if the identity link is severed, no consent is required.2

Creating Patient Registries. Many device manufacturers request assistance from investigators in the creation of patient registries. Registry information is used for various purposes, such as tracking complications that occur in patients who have received treatment with a particular device. Unless the device is a tracked device under 21 CFR Part 821, either registry information must be de-identified at the time of creation or patient authorization must be obtained prior to use and disclosure of the data.


Because patients have the right to view their medical records at any time, a subject could request to see the source documents or case report forms even before a clinical study is concluded. Medical records may include reports of tests, procedures, diagnoses, progress notes, and other source records related to the diagnosis and treatment of a patient. Premature disclosure of data to individual subjects might bias the study's outcome. For example, bias might occur if the study was blinded and access to case report forms would unblind the patient, or if knowledge of laboratory or test results could influence a subject's future responses.

Sponsors may wish to add one more element to an informed consent form, stating when a subject may have access to individual study results. A sponsor does not have the right to permanently withhold medical information from a subject. The privacy rules do not specifically discuss research records, which consist of records from research in which the patient has participated.


Access to medical records of deceased individuals is an important component of some medical device research. An example is in vitro diagnostics research, where tissue samples may be collected from individuals who are deceased. Disclosure of research data for a deceased person might allow for identification of living relatives, especially in this era of genetic research. Until now, regulations governing clinical research did not consider deceased individuals to be "human subjects," and informed consent from living relatives or a personal representative was not required.3

The new privacy rules consider medical records of deceased individuals to be protected. Under Section 164.512(i)(1)(iii), investigators may apply to an IRB or privacy board for a waiver or may obtain authorization to access medical records of a deceased person from their personal representative. It is worth noting that the National Bioethics Advisory Committee (Rockville, MD) may recommend a revision to the definition of human subjects with regard to research on biological of the deceased, but no report has yet been issued.


Permitted Disclosure. Disclosure of protected medical information is permitted in certain situations required by FDA, without prior authorization from the individual under Section 164.512(b)(1)(iii). Thus, the new privacy rules do not prevent a sponsor of clinical research from reporting adverse events to FDA. Manufacturers may track products as required under 21 CFR Part 821, or locate and notify individuals to enable product recalls, repairs, or replacement without prior patient authorization. They may also conduct postmarketing surveillance without authorization from subjects, as long as the study is conducted to comply with FDA rules or at the direction of FDA.

Identification of Case Report Forms. Many investigators identify case report forms by both an identification number and the subject's initials. This practice can continue under the privacy rules, as long as the elements of authorization are included in the consent form. The authorization elements are intended to make it clear to the subject that identified medical records may be used by or disclosed to a sponsor.


The new privacy rules are about 80 pages in length and the preamble is another 700 pages—not an insignificant amount of information to learn and incorporate into practice. Sponsors should be prepared for a period of confusion on the part of investigators and IRBs during the transition period before the rules require absolute compliance on April 13, 2003.


1. Preamble to 45 CFR Part 164—Security and Privacy, Federal Register 65 FR:82487– 82488.

2. Research Involving Human Biological Materials: Ethical Issues and Policy Guidance (Rockville MD: National Bioethics Advisory Commission, August 1999).

3. Office for Protection from Research Risks, "Human Subject Regulations Decision Charts." Chart 1: Definition of Human Subject at 45 CFR Part 46.102(f); available from Internet:


European Parliament, Protection of Individual with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC, in Official Journal L 281 (November 23, 1995): 31–50.

"Standards for Privacy of Individually Identifiable Health Information"; information available from Internet: through

Copyright ©2001 Medical Device & Diagnostic Industry

Sign up for the QMED & MD+DI Daily newsletter.

You May Also Like