Privacy Legislation and Regulations
The Centers for Disease Control (CDC) provides technical support and education to CDC employees, grantees, partners, and state and local health departments on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the Family Educational Rights and Privacy Act (FERPA), and other privacy laws and regulations.
In addition, CDC issues Certificates of Confidentiality and Assurances of Confidentiality, which protect an individual’s personal information and protects against compulsory legal disclosure of sensitive data.
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was designed to facilitate health insurance reform, implement standards for the transfer of health data, and protect the privacy of healthcare consumers.
The HIPAA Privacy Rule (45 CFR Parts 160 and 164) regulates the use and disclosure of individually identifiable health information, called protected health information (PHI), by entities subject to the Privacy Rule, called covered entities. Health plans, health care clearinghouses, and providers who transmit health information in electronic form in connection with specified transactions are covered entities. The Privacy Rule protects all PHI that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral) by a covered entity or its business associate, but excludes certain educational and employment records.
The Privacy Rule generally prohibits the use or disclosure of PHI without the written authorization of the individual. There are several exceptions to this requirement including an exception for public health. Without individual authorization a covered entity may disclose PHI to a public health authority that is legally authorized to collect information for the purposes of preventing or controlling disease, injury, or disability including, but not limited to reporting of disease, injury, and vital events, and conducting public health surveillance, investigations and interventions. The Privacy Rule also permits disclosures that are required by law. It contains separate provisions for disclosure when the disclosure is for research.
The Privacy Rule gives individuals certain rights in respect to their health information including, but not limited to the right to inspect and request corrections or amendments to their PHI. The Privacy Rule requires covered entities to notify individuals or their privacy rights and how their PHI will be used and disclosed.
For more information:
The Office for Civil Rights has oversight and enforcement responsibilities for the Privacy Rule. The website contains the text of the HIPAA Privacy Rule, comprehensive guidance and answers to hundreds of questions.
CDC and the U.S. Department of Health and Human Services published guidance on the HIPAA Privacy Rule and public health.Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. §1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. Health care information is generally part of the education record. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
FERPA gives parents certain rights with respect to their child’s education record. These rights include the right to inspect and request corrections to the record. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.
FERPA generally prohibits the disclosure of any personally identifiable information contained in an education record without the appropriate written consent. There are limited exceptions to this requirement.
For more information:
The U.S. Department of Education website contains the text of FERPA and comprehensive information on the law.
Certificate of Confidentiality
Certificates of Confidentiality are issued by the Centers for Disease Control and Prevention (CDC) to protect the privacy of research subjects by protecting investigators and institutions from being compelled to release information that could be used to identify subjects with a research project. Certificates of Confidentiality are issued to institutions or universities where the research is conducted. They allow the investigator and others who have access to research records to refuse to disclose identifying information in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level.
Identifying information is broadly defined as any item or combination of items in the research data that could lead directly or indirectly to the identification of a research subject.
By protecting researchers and institutions from being compelled to disclose information that would identify research participants, Certificates of Confidentiality help achieve the research objectives and promote participation in studies by assuring privacy to subjects.Statutory AuthorityUnder section 301(d) of the Public Health Service Act (42 U.S.C. 241(d)) the Secretary of Health and Human Services may authorize persons engaged in biomedical, behavioral, clinical, or other research to protect the privacy of individuals who are the subjects of that research. This authority has been delegated to the Centers for Disease Control and Prevention (CDC).
Persons authorized by the CDC to protect the privacy of research subjects may not be compelled in any federal, state, or local civil, criminal, administrative, legislative, or other proceedings to identify them by name or other identifying characteristic.Extent and Limitations of CoverageCertificates can be used for biomedical, behavioral, clinical or other types of research that is sensitive. Research data is sensitive when disclosure of identifying information could have adverse consequences for subjects or damage their financial standing, employability, insurability, or reputation.
Examples of sensitive research activities include but are not limited to the following:
- Collecting genetic information;
- Collecting information on psychological well-being of subjects;
- Collecting information on subjects' sexual attitudes, preferences or practices;
- Collecting data on substance abuse or other illegal risk behaviors;
- Studies where subjects may be involved in litigation related to exposures under study (e.g., environmental or occupational exposures).
In general, certificates are issued for single, well-defined research projects rather than groups or classes of projects.
A Certificate of Confidentiality protects personally identifiable information about subjects in the research project while the Certificate is in effect. Generally, Certificates are effective on the date of issuance or upon commencement of the research project if that occurs after the date of issuance. The expiration date should correspond to the completion of the study. The Certificate will state the date upon which it becomes effective and the date upon which it expires. A Certificate of Confidentiality protects all information identifiable to any individual who participates as a research subject (i.e., about whom the investigator maintains identifying information) during any time the Certificate is in effect. An extension of coverage must be requested if the research extends beyond the expiration date of the original Certificate. However, the protection afforded by the Certificate is permanent. All personally identifiable information maintained about participants in the project while the Certificate is in effect is protected in perpetuity. Some projects are ineligible for a Certificate of Confidentiality. Not eligible for a Certificate are projects that are:
- not research,
- not collecting personally identifiable information,
- not reviewed and approved by the IRB as required by the guidelines, or
- collecting information that if disclosed would not significantly harm or damage the participant.
While Certificates protect against involuntary disclosure, investigators should note that research subjects might voluntarily disclose their research data or information. Subjects may disclose information to physicians or other third parties. They may also authorize in writing the investigator to release the information to insurers, employers, or other third parties. In such cases, researchers may not use the Certificate to refuse disclosure. Moreover, researchers are not prevented from the voluntary disclosure of matters such as child abuse, reportable communicable diseases, or subject's threatened violence to self or others. (For information on communicable disease reporting policy, see Notifiable Disease Reporting with Confidentiality Certificates). However, if the researcher intends to make any voluntary disclosures, the consent form must specify such disclosure.
Certificates do not authorize researchers to refuse to disclose information about subjects if authorized DHHS personnel request such information for an audit or program evaluation. Neither can researchers refuse to disclose such information if it is required to be disclosed by the Federal Food, Drug, and Cosmetic Act.
In the informed consent form, investigators should tell research subjects that a Certificate is in effect. Subjects should be given a fair and clear explanation of the protection that it affords, including the limitations and exceptions noted above. Every research project that includes human research subjects should explain how identifiable information will be used or disclosed, regardless of whether or not a Certificate is in effect. The Office of Human Subjects Protection (OHRP) provides guidance on the content of informed consent documents. For additional information, see http://www.hhs.gov/ohrp/irb/irb_chapter3.htm
Assurance of Confidentiality
An Assurance of Confidentiality is a formal confidentiality protection authorized under Section 308(d) of the Public Health Service Act. It is used for projects conducted by CDC staff or contractors that involve the collection or maintenance of sensitive identifiable or potentially identifiable information. This protection allows CDC programs to assure individuals and institutions involved in research or non-research projects that those conducting the project will protect the confidentiality of the data collected. The legislation states that no identifiable information may be used for any purpose other than the purpose for which it was supplied unless such institution or individual has consented to that disclosure.
Under section 308(d) of the Public Health Service Act surveys conducted by the National Center for Health Statistics (NCHS) as part of their authorizing legislation are automatically protected by an Assurance of Confidentiality. In addition, Assurances of Confidentiality may be issued to projects conducted by all other CDC components, after formal application to and approval by the CDC Confidentiality Review Group has been obtained.
Information about institutions and/or individuals of research or non-research projects that involve the collection or maintenance of sensitive identifiable or potentially identifiable information and for which an Assurance of Confidentiality has been approved is protected. At CDC, the 308(d) assurance has most often been used to protect sensitive identifiable data for non-research projects, but has also been used for research studies collecting sensitive identifiable data.
Extent and Limitations of Coverage
Protected information includes identifiable or potentially identifiable information on institutions or individuals who are the subjects of research or non-research studies with an approved Assurance of Confidentiality.
Disclosures can be made without individual authorization only for purposes stated at the time of data collection or specifically consented to thereafter by each of the parties who were provided the promise of confidentiality.
CDC Confidentiality Review Group
The CDC Confidentiality Review Group (CRG) is comprised of representatives from the Office of the General Counsel (OGC), a key management official from the Office of the Chief Science Officer, the NCHS Confidentiality Officer, the Chair of the NIOSH (Cincinnati) Human Subjects Review Board, two senior level epidemiologists, and is chaired by the CDC Confidentiality Officer.
Confidentiality applications are formally reviewed by a minimum of three CRG members (always including a representative from OGC and two others on a rotating basis). Members of the CRG review the protocol, relying upon the approval of the local IRB, but also looking carefully at the protocol from a perspective of what the project is trying to achieve, whether the design addresses the project’s purposes, whether the data are in fact sensitive and identifiable or potentially identifiable, how the data are handled and protected, and whether the need for the additional protections of confidentiality is adequately demonstrated. The consent form is carefully reviewed and applicants must agree to return to the IRB for approval of the addition of CDC’s confidentiality advisement language to that form when CRG approval has been obtained.
Certificates and Assurances of Confidentiality do not take the place of good data security or clear policies and procedures for data protection, which are essential to the protection of participants' privacy. Investigators should take appropriate steps to safeguard data and findings. Unauthorized individuals must not access the data or learn the identity of participants.