Regulations

The Office for Human Research Protections (OHRP) provides leadership in the protection of the rights, welfare, and wellbeing of human subjects involved in research conducted or supported by the U.S. Department of Health and Human Services (HHS). OHRP is part of the Office of the Assistant Secretary for Health in the Office of the Secretary of HHS.

OHRP provides clarification and guidance, develops educational programs and materials, maintains regulatory oversight, and provides advice on ethical and regulatory issues in biomedical and behavioral research. OHRP also supports the Secretary’s Advisory Committee on Human Research Protections (SACHRP), which advises the HHS Secretary on issues related to protecting human subjects in research.

Title 45 CFR 46: Protection of Human Subjects
Policy guidance and documents
Inclusion of Children - Policy Implementation (NIH)
Certificates of Confidentiality
OHRP Frequently Asked Questions

The Food and Drug Administration (FDA) is responsible for protecting the public health by ensuring the safety, efficacy, and security of human and veterinary drugs, biological products, and medical devices.

Informed Consent (guidance)
21 CFR Part 50 - Protection of Human Subjects
21 CFR Part 56 - Institutional Review Boards
21 CFR Part 312 - Investigational New Drug Applications (INDs)
21 CFR Part 812 - Investigational Device Exemptions (IDEs)
Information Sheet Guidance for IRBs, Investigators and Sponsors

• Significant Risk and Nonsignificant Risk Medical Device Studies
• FDA Guidance FAQs on Form 1572, Updated, May 2010

Summary of Investigator Responsibilities IRB Frequently Asked Questions
Clinical Trials and Human Subject Protections - Guidance, resources, good clinical practices (GCPs)
Good Clinical Practice (ICH) - Summary of Investigator Responsibilities (PDF)
Good Clinical Practice - International Conference on Harmonisation Consolidated Guidance (PDF)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations, including the Privacy Rule and the Security Rule, as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act, govern the way certain health information is collected, maintained, used, and disclosed. The Privacy Rule establishes a set of safeguards on certain types of health information known as protected health information, or PHI. HIPAA is designed to protect individual’s privacy and to inform patients and research subjects how their health information is used and disclosed. See list of 18 PHI identifiers (PDF).

HIPAA requires specified language in the informed consent for the collection, use and/or disclosure of PHI for research. See the HIPAA Authorization template in order to comply with HIPAA requirements, this additional language should be added to the Confidentially Section of the Informed Consent form.

HIPAA Certifications

Reviews Preparatory to Research

Reviews Preparatory to Research Certain activities involving the use/disclosure of PHI are permitted without Authorization. The “preparatory to research” provision allows researchers to use PHI for limited purposes, such as a feasibility assessment (e.g., whether a sufficient population exists to conduct research). However, the Privacy Rule does not permit the researcher to remove PHI. To comply with HIPAA Privacy Rule and human subject’s regulations, researchers are permitted to review PHI, but identifiers may not be recorded. To conduct a review preparatory to research, a researcher must provide CERTIFY all of the following representations:

• The use or disclosure is requested solely to review PHI as necessary to develop a research protocol or for similar purposes preparatory to research
• PHI will not be removed in the course of review
• The PHI for which use or access is requested is necessary for the research

INVESTIGATOR’S ACCESS PREPARATORY TO RESEARCH

Research Involving Deceased Individuals

The Privacy Rule provides protections to living and deceased individuals. To use decedents’ PHI for research purposes, a researcher must CERTIFY all of the following:

• Representation that the use or disclosure is solely for research involving the PHI of decedents (e.g., and not also the living relatives of decedents)
• Representation that the PHI is necessary for the research
• Documentation (at the request of the covered entity holding the PHI) of the death of the individuals whose PHI is sought.

Note: If the participant population contains both living and deceased individuals, the requirements for Authorization (or waiver or alteration) apply.

RESEARCH INVOLVING DECEASED INDIVIDUALS

 De-Identification Certification

DE-IDENTIFICATION CERTIFICATION FORM

Training

Faculty, fellows, staff, and students participating in human subjects research involving Protected Health Information (PHI) is required to complete the HIPAA Research tutorial. Training must be completed before participating in human subjects research involving PHI.

HIPAA: Research FAQs:

What about research data that has already been collected?

According to HIPAA, such data is grandfathered in.

How will HIPAA impact human subjects who are already enrolled in a research study?

Subjects that have enrolled prior to April 14, 2003 will not be required to re-consent. Investigators may continue to collect and use data gathered from these subjects and no new documentation is required.

What are the HIPAA standards for human subjects research?

There are four ways to perform HIPAA compliant research. They are:

1. Obtain subject Authorization
2. Obtain a waiver of authorization from the IRB
3. Use of de-identified information
4. Use of limited data set

What about reviews preparatory to research?

Investigators may review PHI without subject authorization to prepare a research protocol or for similar purposes preparatory to research. Also, research on decedent's information involving PHI do not require subject authorization. However, both activities must be approved by the IRB.

What are the new research documents required by HIPAA?

HIPAA compliant research documents include:

1. Authorization (HIPAA language template form - to be inserted in the consent form)
2. Waiver of Authorization
3. Data use agreement

These forms will be made available as they become available and can also be obtained through the IRB.

What about releasing data outside of the USA Health System?

Intentional releases of research data outside USA must be made clear in the research study documents submitted for IRB approval. Such releases should be described within the authorization portion of the informed consent. Upon IRB approval, then such releases are permitted. Disclosures for studies involving de-identified information of a limited data set are also permitted.

For additional information, please contact the Office of Research Compliance and Assurance at (251) 460-6625 or email dlayton@southalabama.edu

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

The Protection of Pupil Rights Amendment (PPRA) is a federal law that sets forth additional requirements in elementary and/or secondary public schools when certain activities are conducted (e.g., survey, analysis, physical examinations) or if funded by the Department of Education (e.g., survey, analysis, or evaluation).

GDPR Regulation

International Compilation of Human Research Protections (OHRP) - listing laws, regulations, and guidelines on human subjects research in over 100 countries and standards from international and regional organizations.