IMPACT OF THE HIPAA PRIVACY RULE ON NIH PROCESSES INVOLVING THE REVIEW, FUNDING, AND PROGRESS MONITORING OF GRANTS, COOPERATIVE AGREEMENTS AND RESEARCH CONTRACTS RELEASE DATE: February 5, 2003 NOTICE: NOT-OD-03-025 National Institutes of Health (NIH) The purpose of this GUIDE notice is to provide an overview of how the HIPAA Privacy Rule may affect NIH processes involving the review, funding, and progress monitoring of grants, cooperative agreements and research contracts. The Department of Health and Human Services (DHHS) issued final modifications to the STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION, the "Privacy Rule," on August 14, 2002. The Privacy Rule is a federal regulation under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 that governs the protection of individually identifiable health information. The Rule was enacted to increase the privacy protection of health information identifying individuals who are living or deceased, and to regulate known and unanticipated risks to privacy that may accompany the use and disclosure of personal health information. The Privacy Rule is not an NIH regulation. It is administered and enforced by the DHHS Office for Civil Rights (OCR). Those who must comply with the Privacy Rule, including some grantees and contractors, must do so by April 14, 2003 (with the exception of small health plans which have an extra year to comply). The OCR website (http://www.hhs.gov/ocr/) provides information on the Privacy Rule, including a complete Regulation Text for the Privacy Rule. I. The Privacy Rule and Research: Roles and Responsibilities Grant Applicants and Contract Offerors The Privacy Rule applies to researchers classified under the Rule as covered entities (i.e., a health care clearinghouse, health plan, or a health care provider that electronically transmits health information in connection with a transaction for which DHHS has adopted standards under HIPAA). The Rule may also affect researchers who obtain individually identifiable health information from covered entities through collaborative or contractual arrangements. Decisions about whether and how to implement the Privacy Rule reside with the researcher and his/her institution. A set of decision tools on "Am I a covered entity?" are available from the OCR website (http://www.hhs.gov/ocr/). Researchers should review this and other information on the Privacy Rule and then discuss with their appropriate institutional officials (e.g., Office of Research, legal counsel, etc.) to learn how the Rule applies to them, their organization, and their specific research project. OCR and the Department of Justice (DOJ) may impose civil or criminal penalties, respectively, on covered entities that fail to comply with the Rule. The roles of several Federal agencies regarding the Privacy Rule are described below: Office for Civil Rights (OCR) Oversight and civil enforcement responsibility for the Privacy Rule are under the auspices of OCR, DHHS. Department of Justice (DOJ) Enforcement of the criminal penalties for violations of the Privacy Rule is under the auspice of DOJ. National Institutes of Health (NIH) Development of educational materials for researchers, in collaboration with other DHHS research agencies, is the role of NIH. NIH is not involved in enforcing or monitoring compliance with the Privacy Rule. II. How the Privacy Rule may Impact the NIH Grant & Cooperative Agreement Application and Research Contract Processes A. New and Competing Continuation Grant & Cooperative Agreement Applications/Contract Proposals Review and Funding Grant and Cooperative Agreement Applications: When conducting investigator-initiated research that involves a covered entity the Privacy Rule may influence the environment in which the research takes place. As a result, implementing the Privacy Rule may affect the feasibility, design, and cost of the research. As with any issue that can affect feasibility, design, and cost, researchers should continue to follow the instructions in the PHS 398 (http://grants.nih.gov/grants/funding/phs398/phs398.html) and discuss such issues, as needed, in the research plan and budget sections of the application. It is important to note that the Privacy Rule does not replace or act in lieu of existing regulations for the protection of human subjects found in 45 CFR 46. Therefore, instructions in the Human Subjects section of the PHS 398 remain the same. Researchers should continue to consider issues of privacy and confidentiality as they affect the adequacy of protections of human subjects from research risks, and when appropriate, address these issues in the Human Subjects section of the research plan. New and competing continuation grant & cooperative agreement applications will continue to be evaluated using the existing review criteria found in PHS 398 and reviewers will continue to use the existing NIH Instructions to Reviewers for Evaluating Research Involving Human Subjects http://grants.nih.gov/grants/peer/hs_review_inst.pdf. Some Requests For Applications (RFAs) and Program Announcements (PAs) may request applications for specific areas of research and could indicate the need to provide a plan for acquiring or accessing data under the Privacy Rule. In such cases, the review criteria listed in the RFA or PA could be augmented to include adequacy of such plans and reviewers would evaluate these. NIH funding decisions for new and competing continuation grants and cooperative agreements will continue to be based on scientific merit, programmatic need, and availability of funds. Program staff will continue to discuss and seek resolution of issues or problems noted in the summary statement including issues noted regarding the effect of the Privacy Rule with investigators prior to funding. Research Contract Proposals: When performing research under a research contract that involves a covered entity, the Privacy Rule may affect the environment in which the research takes place. As a result, implementing the Privacy Rule may affect the feasibility, design, and cost of the research. As with any issue that can affect feasibility, design, and cost, researchers should discuss the issues, as needed, in the technical and business proposal sections of the contract proposal. It is important to note that the Privacy Rule does not replace or act in lieu of existing regulations for the protection of human subjects found in 45 CFR 46. Therefore, instructions in Section L of the solicitation remain the same. Researchers should continue to consider issues of privacy and confidentiality as they affect the adequacy of protections of human subjects from research risks, and when appropriate, address these issues in the Human Subjects section of the technical proposal. For new contract solicitations, reviewers will use the evaluation criteria set forth in Section M of the solicitation and continue to use the existing instructions found in Manual Chapter 6315-1 (http://www1.od.nih.gov/oma/manualchapters/contracts/6315-1/). Some Requests for Proposals (RFPs) could indicate the need to provide a plan for acquiring or accessing data under the Privacy Rule. In such cases, the review criteria listed in the RFP could be augmented to include adequacy of these plans and reviewers would evaluate these. NIH funding decisions for new research contracts will continue to be based on technical merit and cost. The technical evaluation report will include a discussion of issues and problems, including any noted regarding the Privacy Rule. The contracting officer will include these issues and problems during discussions held with offerors in the competitive range and seek resolution prior to award. B. Non-Competing Applications/Contracts Progress Monitoring Grants and Cooperative Agreements: During the period of award, principal investigators of grants and cooperative agreements communicate progress and issues about the research with NIH program and grants management staff in annual progress reports, as well as on as-needed bases. If situations are encountered that significantly delay the study, change the study design or procedures, or change the costs of the research, these issues should be communicated to NIH staff as soon as possible. This same practice applies to significant research delays or problems associated with acquiring or accessing data under the Privacy Rule; issues should be communicated to NIH staff. NIH staff will evaluate situations on a case-by-case basis. Research Contracts: During the contract period of performance, the contractor communicates progress and issues about the research to the contracting officer and project officer on a regular and as needed basis. If it encounters situations that significantly delay the study, change the study design or procedures, or change the costs of the research these should be communicated to NIH staff as soon as possible. In this same manner, significant research delays or problems associated with acquiring or accessing data under the Privacy Rule should be communicated to the contracting officer and project officer who will evaluate the situation on a case-by-case basis. III. Where to obtain information on the Privacy Rule As part of its oversight role, OCR is providing a number of publications on implementing the Privacy Rule through its web site at http://www.hhs.gov/ocr and http://www.hhs.gov/ocr/hipaa/. As the research community, DHHS, OCR, and NIH gain experience with implementation of the Rule, additional FAQ's and publications will be posted on these OCR web sites. NIH staff can provide assistance in locating educational materials on the Privacy Rule. For general questions about how the Privacy Rule may affect the review, funding, and progress monitoring of NIH grants, cooperative agreements and research contracts, please contact program and grants management staff in the NIH Institutes relevant to your area of scientific interest. Della M. Hann, Ph.D. Office of Extramural Research National Institutes of Health 9000 Rockville Pike Building 1, Room 152 Bethesda, MD 20892 Phone: (301) 402-2725 Fax: (301) 402-3469 E-Mail: hannd@od.nih.gov
Weekly TOC for this Announcement
NIH Funding Opportunities and Notices
| ||||||
Department of Health and Human Services (HHS) |
||||||
NIH... Turning Discovery Into Health® |