Contract professionals and human research data privacy: federal regulations on the privacy rights of human research participants have a major impact on those institutions funded with federal dollars.(Cover Story)

Federal regulations that affect the privacy rights of human research participants are constantly evolving. These regulations have a major impact on organizations that conduct research, in particular, those institutions funded with federal dollars.

Contract professionals who work in health care research specifically need to understand the privacy regulations to ensure organizational compliance. Privacy requirements affect the contracts professional in the management of prime government contracts and grants, as well as in the procurement of goods and services. To comply with "the letter and the spirit of the law," it is imperative that the contracts professional understand the effect of privacy regulations.

This article examines various privacy regulations, including the National Research Act, the Privacy Act, rulings by the Office of Management and Budget (OMB), and the National Institutes of Health (NIH). It also takes a brief look at the effect of the Health Insurance Portability and Accountability Act (HIPAA). Table 1 on page 10 provides an overview of all these regulations, as a good reference tool.

Evolution of Federal Privacy Regulations

A variety of laws, regulations, and policies provide a backdrop for the requirements regarding the privacy rights of individuals. Historical regulations include decisions from the Federal Policy for the Protection of Research Subjects, Office of Human Research Protection, the Privacy Act of 1974, and OMB Circular A-110 (1999). A recent decision from NIH on data-sharing affects proposal preparation after October 1, 2003, as well as how organizations react to Freedom of Information Act (FOIA) requests. The new HIPAA is also a far-reaching regulation that affects health care nationwide.

[ILLUSTRATION OMITTED]

[ILLUSTRATION OMITTED]

Understanding the historical context will help the contracts professional determine how privacy regulations must be woven into proposals, contracts, and the daily practice of the research community.

The Privacy Act of 1974

The Privacy Act of 1974 provides for the protection of individuals' records kept in a system of records. It requires government agencies to design, develop, or operate a system of records on individuals to accomplish an agency function. A government agency, as defined in the act, is "Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government." (1) The Privacy Act requires that an agency collect information only to the extent necessary and relevant to accomplish its purpose and at that with certain exceptions. For example, no agency can disclose any record that is contained in a system of records without the prior consent of the individual to whom the record pertains.

The Privacy Act is implemented through systems notices either by Congress or by a particular agency. When the government agency wants to release information, it must file a notice of system records. These notices are kept in a database and filed in the Federal Register. Contracts professionals should be aware of any systems notices mandated by their particular funding agency, and of any notice of system records that may apply to data collected by their institution.

The Privacy Act was an attempt to protect the health records of patients. However, the Privacy Act applies only to government agencies. Eric Wymore, writing for the Hamline Journal of Public Law and Policy, stated, "While this law provides some protection of individual medical records, the protection falls short, as only information kept by government agencies is covered.... Since most medical information resides outside governmental agencies, the Privacy Act is of little help in protecting the privacy of most medical records." (2) The Privacy Act does not reach far enough to affect the health care records of individuals, when generated in a nongovernmental clinic or hospital.

The National Research Act

A number of codes govern the responsible conduct of human subject research, especially in the medical field. One such code is the Nuremberg Code of 1947, whose first and absolute principle is that the voluntary consent of the human subject is essential. Other codes include the Helsinki Declaration of 1965, which binds the physician to the concept, "The health of my patient will be my first consideration," and the International Code of Medical Ethics that declares, "A physician shall act only in the patient's interest when providing medical care." (4)

These codes were formalized in the 1970s by the United States Department of Health, Education, and Welfare. In July 1974, the National Research Act--also known as The Common Rule--and the Federal Policy for the Protection of Human Subjects was signed into law. This act created the National Commission for the Protection of Human …