Laws, regulations, and both regulatory and ethics committee guidance vary considerably across countries on the issue of return of individual research results (IRR) to study participants.
In general, three major topics need to be considered:
- Laws and regulations on permissible test results that may e returned by researchers
- Laws and regulations governing the individual’s right of access to personal information
- Privacy laws and regulations
In addition, issued guidance is often relevant and should be consulted.
In some countries, laws grant study participants broad access to their individual research results upon request; in other countries, laws may place restrictions on access. Further, the trustworthiness of the result itself (e.g., whether conducted in a research laboratory versus a clinical laboratory) is important.
If you are pursuing the return of IRR, make sure to identify individuals who know and can interpret the relevant laws, regulations, and guidance. Remember, these directives are constantly evolving.
Sections included on this page:
Selected US Regulations
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Requires covered entities to give individuals access to the patient information held in a designated record set
Clinical Laboratory Improvement Amendments of 1988 (CLIA)
Requires clinical laboratories to meet certain quality standards, to ensure reliability of the lab test results
Revised Common Rule
Requires that informed consent for research, as appropriate, include a statement regarding whether clinically relevant research results, including individual research results, will be disclosed to subjects, and if so, under what conditions (45 CFR 46.116(c)(8))
Genetic Information Nondiscrimination Act (GINA)
Prohibits discrimination on the basis of genetic information, affecting health insurance and employment
California Consumer Privacy Act (CCPA)
Requires business privacy policies to include information on consumers’ privacy rights and how to exercise them; amended to exempt any research as defined in HIPAA
Selected International Regulations
European Union’s General Data Protection Regulation (GDPR)
Requires the consent of subjects for data processing, data anonymization, data breach notifications, safe handling of the transfer of data across borders, etc; applies to “any information relating to an identified or identifiable natural person (‘data subject’)”
Personal Information Protection Law of the People’s Republic of China
Modeled on the GDPR, details privacy provisions for personal information focusing on the protection of Chinese citizens’ personally identifying information to protect the rights and interests of individuals, regulate personal information processing activities, and facilitate reasonable use of personal information
General Resources
U.S. HHS / OHRP: International Compilation of Human Research Standards
Enumerates over 1,000 laws, regulations, and guidelines that govern human subjects research in 130 countries
Implications of HIPAA and CLIA on the Return of Results
A regulatory conflict exists between HIPAA and CLIA
CLIA permits returning results to individuals for the “diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of, human beings” only if results are generated in a CLIA-certified laboratory.
Centers for Medicare and Medicaid Services (CMS) representatives appear to interpret this provision as prohibiting the return of results from a research laboratory and recommend referring an individual for re-testing (even if a potentially actionable result is found) at a CLIA-certified laboratory.
In contrast, HIPAA requires providing access to information held in the Designated Record Set (DRS), which may include research test results, depending on whether the test results are included in the covered entity’s medical record, billing record, or otherwise used to make decisions about the individual, such as determining whether to offer the individual enrollment in a research study.
These regulations conflict when research participants desire access to test results from a non-CLIA-certified research laboratory that exists within a HIPAA covered entity.
Joint HIPAA/CLIA Rule (2014):
With the intent of harmonizing CLIA and HIPAA on individuals’ access rights, a joint CMS/Office for Civil Rights (OCR) rule was issued in 2014.
- The Rule amended CLIA to permit CLIA-certified laboratories to give completed test results directly to a patient or the patient’s representative.
- The Rule amended HIPAA to require laboratories that are “covered entities” subject to HIPAA to provide patients access rights to their protected health information (PHI) held in a designated record set (DRS). The DRS includes a covered entity’s medical record, billing record, and other records that are used by the covered entity to make decisions about the individual.
- Regarding the return of IRR, this rule reduces barriers for participants to obtain CLIA-certified research results. The rule expresses support for a legal right of access to one’s personal results, but remains unclear as to the return of IRR from CLIA-exempt labs, even when those results exist in a HIPAA-covered DRS.
What should researchers do?
There are licensing requirements in many countries, including CLIA regulations in the US. Researchers should consult with their legal department for guidance on how to return IRR in any regulatory environment, including from CLIA-exempt labs in the US.
The Secretary’s Advisory Committee on Human Research Protections (SACHRP) has released recommendations on how to amend this regulatory conflict, which can be a starting point for organizations deciding how to approach. Recommendations and analysis have also been provided by the National Academies of Sciences, Engineering, and Medicine (NASEM).
In general, if a result is generated in a CLIA-approved lab, it can be shared in accordance with other details in the return of IRR plan. When creating the IRR plan in advance of study initiation, whether test results will require action should be considered. If they are likely to result in actionable results, they should be performed in a CLIA-approved lab. If that is not possible, a plan for rapid re-testing in a CLIA-approved lab is needed.
Reminder: why this matters
We encourage researchers not to get dissuaded by the complexity that may be introduced by returning IRR. We elaborate elsewhere about why to get started but will reiterate these points: returning IRR is rooted in ethical principles of research, meets participants’ wishes, shares the value created by their research participation, and anticipates/responds to evolving expectations about data transparency and ownership.
Take a look at how to get started.