Home Regulatory Issues Repository Regulations Privacy Rule

How does the Privacy Rule apply to repositories?

The Privacy Rule (HIPAA) requires an individual's consent for release of identifiable personal information electronically submitted by a covered healthcare entity and not exempt by the Rule. Tissue donors are usually also surgical patients who, in most cases, are covered by the Privacy Rule. This raises two issues for tissue collection procedures:

1. How can tissue staff comply with the Privacy Rule and prescreen surgical schedules with identified patient information in order to identify potential donors?
2. How can tissue staff comply with the Privacy Rule in contacting potential donors for an informed consent discussion?

Medical centers collecting tissue for research need to know, in advance of consent discussions, which patients might be eligible to be tissue donors. Specifically, tissue collection staff may need to screen information about surgical candidates (the type of surgery scheduled, type of tissue to be removed) in order to proceed with contacting potential donors. The Privacy Rule allows for this screening to occur provided that a limited data set is used for the screening of surgical lists and schedules that contained identifying patient information.

Once tissue staff identifies a potential tissue donor, a research nurse or similarly trained collection official needs to contact the individual for an informed consent discussion. In order to comply with the Privacy Rule, the individual must be notified by his/her physician (e.g., usually surgeon) that a research nurse may be contacting him/her (often by phone) to inquire about being a tissue donor.

The Rule does not apply to information typically stored at repositories. This is because repositories typically do not have identifiable personal information. In the tissue collection procedure, the donor's tissue and information is de-identified. The codes for linked tissue are typically at the collection site or at an escrow company.