HHS should encourage greater use of partially deidentified data called “limited datasets” and develop clear guidance on how to set up and comply with the associated data use agreements more efficiently and effectively, in order to enhance privacy in research by expanding use and usability of data with direct identifiers removed.
HHS should clarify the distinctions between “research” and “practice” to ensure appropriate IRB and Privacy Board oversight of PHI disclosures for these activities.
HHS guidance documents should simplify the HIPAA Privacy Rule’s provisions regarding the use of PHI in activities preparatory to research and harmonize those provisions with the Common Rule, in order to facilitate appropriate IRB and Privacy Board oversight of identification and recruitment of potential research participants.
HHS should develop guidance materials to facilitate more effective use of existing data and materials for health research and public health purposes.
HHS should develop guidance that clearly states that individuals can authorize use of PHI stored in databases or associated with biospecimen banks for specified future research under the HIPAA Privacy Rule with IRB/Privacy Board oversight, as is allowed under the Common Rule, in order to facilitate use of repositories for health research.
HHS should develop clear guidance for use of a single form that permits individuals to authorize use and disclosure of health information in a clinical trial and to authorize the storage of their biospecimens collected in conjunction with the clinical trial, in order to simplify authorization for interrelated research activities.
HHS should clarify the circumstances under which DNA samples or sequences are considered PHI, in order to facilitate appropriate use of DNA in health research.
HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects privacy, confidentiality, and security.
HHS should revise provisions of the HIPAA Privacy Rule that entail heavy burdens for covered entities and impede research without providing substantive improvements in patient privacy.