42 CFR § 2.52 - Scientific research.
(a) Use and disclosure of patient identifying information. Notwithstanding other provisions of this part, including paragraph (b)(2) of this section, patient identifying information may be used or disclosed for the purposes of the recipient conducting scientific research if:
(1) The person designated as director or managing director, or person otherwise vested with authority to act as chief executive officer or their designee, of a part 2 program or other lawful holder of data under this part, makes a determination that the recipient of the patient identifying information is:
(i) A HIPAA covered entity or business associate that has obtained and documented authorization from the patient, or a waiver or alteration of authorization, consistent with 45 CFR 164.508 or 164.512(i), as applicable;
(ii) Subject to the HHS regulations regarding the protection of human subjects (45 CFR part 46), and provides documentation either that the researcher is in compliance with the requirements of 45 CFR part 46, including the requirements related to informed consent or a waiver of consent (45 CFR 46.111 and 46.116) or that the research qualifies for exemption under the HHS regulations (45 CFR 46.104) or any successor regulations;
(iii) Subject to the FDA regulations regarding the protection of human subjects (21 CFR parts 50 and 56) and provides documentation that the research is in compliance with the requirements of the FDA regulations, including the requirements related to informed consent or an exception to, or waiver of, consent (21 CFR part 50) and any successor regulations; or
(iv) Any combination of a HIPAA covered entity or business associate, and/or subject to the HHS regulations regarding the protection of human subjects, and/or subject to the FDA regulations regarding the protection of human subjects; and has met the requirements of paragraph (a)(1)(i), (ii) (iii), and/or (iv) of this section, as applicable.
(2) The part 2 program or other lawful holder of data under this part is a HIPAA covered entity or business associate, and the use or disclosure is made in accordance with the requirements at 45 CFR 164.512(i).
(3) If neither paragraph (a)(1) or (2) of this section apply to the receiving or disclosing party, this section does not apply.
(b) Requirements for researchers. Any person conducting scientific research using patient identifying information obtained under paragraph (a) of this section:
(1) Is fully bound by the regulations in this part and, if necessary, will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by the regulations in this part.
(2) Must not redisclose patient identifying information except back to the person from whom that patient identifying information was obtained or as permitted under paragraph (c) of this section.
(3) May include data under this part in research reports only in aggregate form in which patient identifying information has been de-identified in accordance with the requirements of 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient.
(4) Must maintain and destroy patient identifying information in accordance with the security policies and procedures established under § 2.16.
(5) Must retain records in compliance with applicable federal, state, and local record retention laws.
(c) Data linkages—(1) Researchers. Any person conducting scientific research using patient identifying information obtained under paragraph (a) of this section that requests linkages to data sets from a data repository(ies) holding patient identifying information must:
(i) Have the request reviewed and approved by an Institutional Review Board (IRB) registered with the Department of Health and Human Services, Office for Human Research Protections in accordance with 45 CFR part 46 to ensure that patient privacy is considered and the need for identifiable data is justified. Upon request, the researcher may be required to provide evidence of the IRB approval of the research project that contains the data linkage component.
(ii) Ensure that patient identifying information obtained under paragraph (a) of this section is not provided to law enforcement agencies or officials.
(iii) Ensure that patient identifying information is not redisclosed for data linkage purposes other than as provided in this paragraph (c).
(2) Data repositories. For purposes of this section, a data repository is fully bound by the provisions of part 2 upon receipt of the patient identifying data and must:
(i) After providing the researcher with the linked data, destroy or delete the linked data from its records, including sanitizing any associated hard copy or electronic media, to render the patient identifying information non-retrievable in a manner consistent with the policies and procedures established under § 2.16 Security for records.
(ii) Ensure that patient identifying information obtained under paragraph (a) of this section is not provided to law enforcement agencies or officials.