IMPACT OF THE HIPAA PRIVACY RULE ON NIH PROCESSES INVOLVING THE REVIEW, 
FUNDING, AND PROGRESS MONITORING OF GRANTS, COOPERATIVE AGREEMENTS AND 
RESEARCH CONTRACTS 

RELEASE DATE:  February 5, 2003

NOTICE:  NOT-OD-03-025

National Institutes of Health (NIH)

The purpose of this GUIDE notice is to provide an overview of how the 
HIPAA Privacy Rule may affect NIH processes involving the review, 
funding, and progress monitoring of grants, cooperative agreements and 
research contracts.  

The Department of Health and Human Services (DHHS) issued final 
modifications to the STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE 
HEALTH INFORMATION, the "Privacy Rule," on August 14, 2002. The Privacy 
Rule is a federal regulation under the Health Insurance Portability and 
Accountability Act (HIPAA) of 1996 that governs the protection of 
individually identifiable health information. The Rule was enacted to 
increase the privacy protection of health information identifying 
individuals who are living or deceased, and to regulate known and 
unanticipated risks to privacy that may accompany the use and 
disclosure of personal health information. The Privacy Rule is not an 
NIH regulation. It is administered and enforced by the DHHS Office for 
Civil Rights (OCR). Those who must comply with the Privacy Rule, 
including some grantees and contractors, must do so by April 14, 2003 
(with the exception of small health plans which have an extra year to 
comply). The OCR website (http://www.hhs.gov/ocr/) provides information 
on the Privacy Rule, including a complete Regulation Text for the 
Privacy Rule.

I. The Privacy Rule and Research: Roles and Responsibilities

Grant Applicants and Contract Offerors – The Privacy Rule applies to 
researchers classified under the Rule as covered entities (i.e., a 
health care clearinghouse, health plan, or a health care provider that 
electronically transmits health information in connection with a 
transaction for which DHHS has adopted standards under HIPAA). The Rule 
may also affect researchers who obtain individually identifiable health 
information from covered entities through collaborative or contractual 
arrangements. Decisions about whether and how to implement the Privacy 
Rule reside with the researcher and his/her institution. A set of 
decision tools on "Am I a covered entity?" is available from the OCR 
website (http://www.hhs.gov/ocr/). Researchers should review this and 
other information on the Privacy Rule and then discuss it with their 
appropriate institutional officials (e.g., Office of Research, legal 
counsel, etc.) to learn how the Rule applies to them, their 
organization, and their specific research project. OCR and the 
Department of Justice (DOJ) may impose civil or criminal penalties, 
respectively, on covered entities that fail to comply with the Rule.

The roles of several Federal agencies regarding the Privacy Rule are 
described below:

Office for Civil Rights (OCR) – Oversight and civil enforcement 
responsibility for the Privacy Rule are under the auspices of OCR, DHHS.  

Department of Justice (DOJ) – Enforcement of the criminal penalties for 
violations of the Privacy Rule is under the auspices of DOJ.

National Institutes of Health (NIH) – Development of educational 
materials for researchers, in collaboration with other DHHS research 
agencies, is the role of NIH. NIH is not involved in enforcing or 
monitoring compliance with the Privacy Rule. 

II. How the Privacy Rule may Impact the NIH Grant & Cooperative 
Agreement Application and Research Contract Processes

A. New and Competing Continuation Grant & Cooperative Agreement 
Applications/Contract Proposals – Review and Funding

Grant and Cooperative Agreement Applications:

When conducting investigator-initiated research that involves a covered 
entity, the Privacy Rule may influence the environment in which the 
research takes place. As a result, implementing the Privacy Rule may 
affect the feasibility, design, and cost of the research. As with any 
issue that can affect feasibility, design, and cost, researchers should 
continue to follow the instructions in the PHS 398 
(https://grants.nih.gov/grants/funding/phs398/phs398.html) and discuss 
such issues, as needed, in the research plan and budget sections of the 
application.

It is important to note that the Privacy Rule does not replace or act 
in lieu of existing regulations for the protection of human subjects 
found in 45 CFR 46.  Therefore, instructions in the Human Subjects 
section of the PHS 398 remain the same. Researchers should continue to 
consider issues of privacy and confidentiality as they affect the 
adequacy of protections of human subjects from research risks, and when 
appropriate, address these issues in the Human Subjects section of the 
research plan.

New and competing continuation grant & cooperative agreement 
applications will continue to be evaluated using the existing review 
criteria found in PHS 398 and reviewers will continue to use the 
existing NIH Instructions to Reviewers for Evaluating Research 
Involving Human Subjects 
https://grants.nih.gov/grants/peer/hs_review_inst.pdf. 

Some Requests For Applications (RFAs) and Program Announcements (PAs) 
may request applications for specific areas of research and could 
indicate the need to provide a plan for acquiring or accessing data 
under the Privacy Rule. In such cases, the review criteria listed in 
the RFA or PA could be augmented to include adequacy of such plans and 
reviewers would evaluate these. 

NIH funding decisions for new and competing continuation grants and 
cooperative agreements will continue to be based on scientific merit, 
programmatic need, and availability of funds.  Program staff will 
continue to discuss and seek resolution of issues or problems noted in 
the summary statement – including issues noted regarding the effect of 
the Privacy Rule – with investigators prior to funding.  

Research Contract Proposals:

When performing research under a research contract that involves a 
covered entity, the Privacy Rule may affect the environment in which 
the research takes place.  As a result, implementing the Privacy Rule 
may affect the feasibility, design, and cost of the research. As with 
any issue that can affect feasibility, design, and cost, researchers 
should discuss the issues, as needed, in the technical and business 
proposal sections of the contract proposal.

It is important to note that the Privacy Rule does not replace or act 
in lieu of existing regulations for the protection of human subjects 
found in 45 CFR 46.  Therefore, instructions in Section L of the 
solicitation remain the same. Researchers should continue to consider 
issues of privacy and confidentiality as they affect the adequacy of 
protections of human subjects from research risks, and when 
appropriate, address these issues in the Human Subjects section of the 
technical proposal.

For new contract solicitations, reviewers will use the evaluation 
criteria set forth in Section M of the solicitation and continue to use 
the existing instructions found in Manual Chapter 6315-1
(http://www1.od.nih.gov/oma/manualchapters/contracts/6315-1/).  Some 
Requests for Proposals (RFPs) could indicate the need to provide a plan 
for acquiring or accessing data under the Privacy Rule. In such cases, 
the review criteria listed in the RFP could be augmented to include 
adequacy of these plans and reviewers would evaluate these.

NIH funding decisions for new research contracts will continue to be 
based on technical merit and cost. The technical evaluation report will 
include a discussion of issues and problems, including any noted 
regarding the Privacy Rule. The contracting officer will include these 
issues and problems during discussions held with offerors in the 
competitive range and seek resolution prior to award.  

B. Non-Competing Applications/Contracts – Progress Monitoring

Grants and Cooperative Agreements:

During the period of award, principal investigators of grants and 
cooperative agreements communicate progress and issues about the 
research with NIH program and grants management staff in annual 
progress reports, as well as on an as-needed basis. If situations are 
encountered that significantly delay the study, change the study design 
or procedures, or change the costs of the research, these issues should 
be communicated to NIH staff as soon as possible. This same practice 
applies to significant research delays or problems associated with 
acquiring or accessing data under the Privacy Rule; issues should be 
communicated to NIH staff. NIH staff will evaluate situations on a 
case-by-case basis.

Research Contracts:

During the contract period of performance, the contractor communicates 
progress and issues about the research to the contracting officer and 
project officer on a regular and as-needed basis. If it encounters 
situations that significantly delay the study, change the study design 
or procedures, or change the costs of the research, these should be 
communicated to NIH staff as soon as possible. In this same manner, 
significant research delays or problems associated with acquiring or 
accessing data under the Privacy Rule should be communicated to the 
contracting officer and project officer who will evaluate the situation 
on a case-by-case basis.

III. Where to obtain information on the Privacy Rule

As part of its oversight role, OCR is providing a number of 
publications on implementing the Privacy Rule through its web site at 
http://www.hhs.gov/ocr and http://www.hhs.gov/ocr/hipaa/.  As the 
research community, DHHS, OCR, and NIH gain experience with 
implementation of the Rule, additional FAQs and publications will be 
posted on these OCR web sites. 

NIH staff can provide assistance in locating educational materials on 
the Privacy Rule. For general questions about how the Privacy Rule may 
affect the review, funding, and progress monitoring of NIH grants, 
cooperative agreements and research contracts, please contact program 
and grants management staff in the NIH Institutes relevant to your area 
of scientific interest.

Della M. Hann, Ph.D.
Office of Extramural Research
National Institutes of Health
9000 Rockville Pike
Building 1, Room 152
Bethesda, MD 20892
Phone: (301) 402-2725
Fax: (301) 402-3469
E-Mail: hannd@od.nih.gov

