Below is a summary of some of the key provisions relevant to investigators and research sites included in the recently enacted, bipartisan 21st Century Cures Act, including human subjects protections and the privacy and security of health information used in clinical research.  Among other requirements, the Act:

*requires the Department of Health and Human Services (HHS) to harmonize the U.S. Food and Drug Administration (FDA) Human Subjects Regulations with the HHS Human Subject Regulations (the Common Rule), which should help streamline research that falls under both sets of regulations;

*requires the harmonization of financial conflict-of-interest disclosure policies and regulations of research funding agencies, including minimum reporting thresholds, and the implementation of other measures by HHS to reduce administrative burdens on researchers;

*modifies FDA regulations to allow informed consent to be waived or altered for clinical research that “poses no more than minimal risk” and includes “appropriate safeguards” which are required to be promulgated by HHS, bringing the FDA regulations in line with the Common Rule; and

*allows research sites to use central IRBs for all research studies, including those involving medical devices.

Privacy and Security Protections

Identifiable Sensitive Information (ISI) and Certificates of Confidentiality:  HHS is now required to issue certificates of confidentiality to investigators that requires the protection of the privacy of subjects in federally-funded research where identifiable, sensitive information is collected, including but not limited to mental health research, or research the use and effect of alcohol or other psychoactive drugs.  In the past, the certificates had been discretionary.  In addition, HHS may grant certificates of confidentiality in its discretion in non-federally funded research upon application by researchers.

Expanded Definition of ISI:  The Act also expands the definition of ISI to include not only identifiable information, but also information for which there is “at least a very small risk, as determined by current scientific practices or statistical methods that some combination of the information, the request, and other available data sources could be used to deduce the identity of the individual.”

Remote Access Not Prohibited by HIPAA: HHS is required to issue guidance within a year to clarify that remote access to protected health information (PHI) for the purposes of research is not prohibited by the Health Insurance Portability and Accountability Act (HIPAA) restriction on the removal of PHI by researchers, as long as privacy and security safeguards required by HIPAA are in place and the researchers do not copy or otherwise retain the PHI.

Authorizations:  the Act requires HHS to issue guidance regarding authorizations for the use of PHI for future research purposes; clarifying the circumstances under which it would be appropriate to provide an annual reminder or notice to a study subject of their right to revoke authorization; and clarifying appropriate mechanisms for a study subject to revoke authorization for future research purposes.

Working Group Addressing the Use of PHI in Research:  the Act provides for a working group to study and report on the use of PHI in research, addressing among other things:  barriers to research related to current restrictions on the use and disclosure of PHI; notification to individuals of a breach of privacy; whether additional notice should be required when an individual’s PHI will be used or disclosed for research; and opportunities for individuals to set preferences for how their PHI is used.

Data Sharing Among NIH Award Recipients:  NIH can now require grant recipients to share scientific data, but this must be done in compliance with all laws protecting human subjects, including the privacy and security of their PHI.