cal information, will fall within the regulatory purview, and IRB review will be required. Thus, when medical information required for FDA donor suitability rules is collected (see below), human subjects protections are triggered unless the information is carefully coded and managed.

In addition to human subjects protections, if donor health information is attached to hES cell lines, federal privacy protections under the Health Insurance Portability and Accountability Act of 1996 (HIPAA; PL 104-191) might apply. The Privacy Rule of HIPAA might be applicable to hES cell research if the investigator obtains personal health information (PHI) on donors and the investigator is a “covered entity” (most likely a provider that transmits information in electronic format, such as a physician or hospital).7 The Privacy Rule would permit PHI obtained by the researcher to be “deidentified,” for example, statistical data would be aggregated or stripped of individual identifiers (45 CFR 164.514(b)) so that it could be used or disclosed without restriction.

If an hES cell investigator is employed by a covered entity and does not wish to “deidentify” PHI related to donors of somatic cells, gametes, or blastocysts (presumably because the identifying information may be expected to contribute relevant scientific information or assist in FDA review), HIPAA requires either of these

  • A valid “authorization” from the donor before the PHI is used or disclosed (45 CFR 164.508).

  • Appropriate documentation that an IRB or a privacy board has granted a waiver or alteration of the authorization requirement that satisfies 45 CFR 164.512(i).8

The criteria for approving an authorization waiver or alteration must be consistent with the criteria for IRB waiver of the informed consent:

  1. PHI is protected by a plan to guard against unauthorized disclosure, so there is no more than “minimal risk” to privacy;

  2. The research could not practicably be conducted without the requested waiver or alteration; and

  3. The research could not practicably be conducted without access to and use of the PHI (45 CFR164.512(i)(2)(ii)(A)-(C)).


See 65 Fed. Reg. 82,799 (Dec. 28, 2000) (defining covered entities).


An example of a situation in which a waiver of authorization requirements may be deemed appropriate by an IRB is a study that involves the use of PHI on numerous people whose contact information is unknown. The research would be impracticable to conduct if authorization were required, and an IRB could waive all the authorization requirements if the waiver criteria were satisfied. If the IRB approves such a waiver, the receipt of the requisite documentation of the approval permits a covered entity to use or disclose PHI in connection with a particular research project without authorization.

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement