Summary

BEYOND THE HIPAA PRIVACY RULE: ENHANCING PRIVACY, IMPROVING HEALTH THROUGH RESEARCH
Ethical health research and privacy protections both provide valuable benefits to society. Health research is vital to improving human health and health care—and protecting individuals involved in research from harm and preserving their rights is essential to the conduct of ethical research. The primary justification for protecting personal privacy is to protect the interests of individuals. In contrast, the primary justification for collecting personally identifiable health information for health research is to benefit society. But it is important to stress that privacy also has value at the societal level because it permits complex activities, including research and public health activities, to be carried out in ways that protect individuals’ dignity. It is also important to note that health research can benefit individuals, for example, when it facilitates access to new vaccines, therapies, improved diagnostics, and more effective ways to prevent illness and deliver care.
The U.S. Department of Health and Human Services (HHS) developed a set of federal standards for protecting the privacy of personal health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[1] The HIPAA Privacy Rule set forth detailed regulations regarding the types of uses and disclosures of individuals’ personally identifiable health information—called “protected health information”—permitted by “covered entities” (health plans, health care clearinghouses, and health care providers who transmit information in electronic form in connection with transactions for which HHS has adopted standards under HIPAA).[2] A major goal of the HIPAA Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of information needed to promote high-quality health care. The HIPAA Privacy Rule also set out requirements for the conduct of health research.

[1] The HIPAA Privacy Rule (“Standards for Privacy of Individually Identifiable Health Information: Final Rule”) can be found at 45 Code of Federal Regulations (C.F.R.) parts 160 and 164. http://www.hhs.gov/ocr/AdminSimpRegText.pdf (accessed August 2, 2008). A summary of the HIPAA Privacy Rule, prepared by the HHS Office for Civil Rights, is available at http://www.hhs.gov/ocr/privacysummary.pdf (accessed August 2, 2008).
The Institute of Medicine Committee on Health Research and the Privacy of Health Information (the committee) was charged with two principal tasks[3]: (1) to assess whether the HIPAA Privacy Rule is having an impact on the conduct of health research, defined broadly as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge”[4]; and (2) to propose recommendations to facilitate the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information.

The committee’s conclusion is that the HIPAA Privacy Rule does not protect privacy as well as it should, and that, as currently implemented, the HIPAA Privacy Rule impedes important health research. The committee found that the Privacy Rule (1) is not uniformly applicable to all health research, (2) overstates the ability of informed consent to protect privacy rather than incorporating comprehensive privacy protections, (3) conflicts with other federal regulations governing health research, (4) is interpreted differently across institutions, and (5) creates barriers to research and leads to biased research samples, which generate invalid conclusions. In addition, security breaches are a growing problem for health care databases. In developing its recommendations to improve this situation, the committee was guided by three overarching goals: (1) improve the privacy and data security of health information; (2) improve the effectiveness of health research; and (3) improve the application of privacy protections for health research. A summary of the committee’s recommendations is presented in Box S-1.

[2] 45 C.F.R. § 160.103 (2006).
[3] The study was funded by the National Institutes of Health, the National Cancer Institute, the Robert Wood Johnson Foundation, the American Cancer Society, the American Heart Association/American Stroke Association, the American Society for Clinical Oncology, the Burroughs Wellcome Fund, and C-Change.
[4] 45 C.F.R. § 164.510 (2006).
RECOMMENDATION I. DEVELOP A NEW APPROACH TO PROTECTING PRIVACY IN ALL HEALTH RESEARCH
The committee’s first and foremost recommendation (Recommendation I) is that Congress should authorize HHS and other relevant federal agencies to develop a new approach to protecting privacy in health research that would apply uniformly to all health research. When this new approach is implemented, HHS should exempt health research from the HIPAA Privacy Rule. The new approach should enhance privacy protections through improved data security, increased transparency of activities and policies, and greater accountability, while also allowing important health research to be undertaken with appropriate oversight. The new approach should do all of the following:
• Apply to any person, institution, or organization conducting health research in the United States, regardless of the source of data or funding.
• Entail clear, goal-oriented, rather than prescriptive, regulations.
• Require researchers, institutions, and organizations that store health data to establish strong data security safeguards.
• Make a clear distinction between the privacy considerations that apply to interventional research and research that is exclusively information based.
• Facilitate greater use of data with direct identifiers removed in health research, and implement legal sanctions to prohibit unauthorized reidentification of information that has had direct identifiers removed.
• Require ethical oversight of research when personally identifiable health information is used without informed consent. HHS should develop best practices for oversight that should consider:
  o Measures taken to protect the privacy, security, and confidentiality of the data;
  o Potential harms that could result from disclosure of the data; and
  o Potential public benefits of the research.
• Certify institutions that have policies and practices in place to protect data privacy and security in order to facilitate important large-scale information-based research for clearly defined and approved purposes, without individual consent.
• Include federal oversight and enforcement to ensure regulatory compliance.
BOX S-1
Summary of the Committee’s Recommendations

The committee’s foremost recommendation is the following:

I. Congress should authorize HHS and other relevant federal agencies to develop a new approach to protecting privacy that would apply uniformly to all health research. When this new approach is implemented, HHS should exempt health research from the HIPAA Privacy Rule.
→ Apply privacy, security, transparency, and accountability obligations to all health records used in research.

If national policy makers choose to continue to rely on the HIPAA Privacy Rule rather than adopt a new federal approach (Recommendation I), the committee recommends the following:

II. HHS should revise the HIPAA Privacy Rule and associated guidance.
A. HHS should reduce variability in interpretations of the HIPAA Privacy Rule in health research by covered entities, Institutional Review Boards (IRBs) and Privacy Boards through revised and expanded guidance and harmonization.
1. HHS should develop a dynamic, ongoing process to increase empirical knowledge about current “best practices” for privacy protection in responsible research using protected health information (PHI), and promote the use of those best practices.
2. HHS should encourage greater use of partially deidentified data called “limited datasets” and develop clear guidance on how to set up and comply with the associated data use agreements more efficiently and effectively, in order to enhance privacy in research by expanding use and usability of data with direct identifiers removed.
3. HHS should clarify the distinctions between “research” and “practice” to ensure appropriate IRB and Privacy Board oversight of PHI disclosures for these activities.
4. HHS guidance documents should simplify the HIPAA Privacy Rule’s provisions regarding the use of PHI in activities preparatory to research and harmonize those provisions with the Common Rule, in order to facilitate appropriate IRB and Privacy Board oversight of identification and recruitment of potential research participants.
B. HHS should develop guidance materials to facilitate more effective use of existing data and materials for health research and public health purposes.
1. HHS should develop guidance that clearly states that individuals can authorize use of PHI stored in databases or associated with biospecimen banks for specified future research under the HIPAA Privacy Rule with IRB/Privacy Board oversight, as is allowed under the Common Rule, in order to facilitate use of repositories for health research.
2. HHS should develop clear guidance for use of a single form that permits individuals to authorize use and disclosure of health information in a clinical trial and to authorize the storage of their biospecimens collected in conjunction with the clinical trial, in order to simplify authorization for interrelated research activities.
3. HHS should clarify the circumstances under which DNA samples or sequences are considered PHI, in order to facilitate appropriate use of DNA in health research.
4. HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects privacy, confidentiality, and security.
C. HHS should revise provisions of the HIPAA Privacy Rule that entail heavy burdens for covered entities and impede research without providing substantive improvements in patient privacy.
1. HHS should reform the requirements for the accounting of disclosures of PHI for research.
2. HHS should simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study, in order to facilitate appropriate authorization requirements for responsible research.

Regardless of whether Recommendation I or II is implemented, the following recommendations, which are independent of the Privacy Rule, should be adopted:

III. Implement changes necessary for both policy options above (Recommendations I and II).
A. All institutions (both covered entities and non-covered entities) in the health research community should take strong measures to safeguard the security of health data.
→ HHS should also support the development and use of new security technologies and self-evaluation standards.
B. HHS—or, as necessary, Congress—should provide reasonable protection against civil suits for members of Institutional Review Boards and Privacy Boards who serve in good faith to encourage service on IRBs and Privacy Boards.
→ But no protection for willful or wanton misconduct.
C. HHS and researchers should take steps to provide the public with more information about health research by:
1. Disseminating research results to study participants and the public.
2. Educating the public about how research is done and what value it provides.
Informative examples for such an approach include Ontario’s Personal Health Information Protection Act (PHIPA)[5] and a similar model recently proposed in the United Kingdom.[6] Ontario’s PHIPA shares a number of similarities with the HIPAA Privacy Rule. In general, both rules require the holder of personally identifiable health data to get informed consent (referred to as authorization in the Privacy Rule) before using those data for a purpose other than providing services directly related to the health care of the patient. If a researcher wishes to use personally identifiable health data without getting informed consent, both rules require the researcher to obtain a waiver of informed consent approved by an independent ethics board before the study begins.

However, the HIPAA Privacy Rule and PHIPA do have some key differences. One major difference is that unlike the HIPAA Privacy Rule, which applies privacy obligations unevenly across the health care sector, PHIPA applies to health information custodians (HICs; e.g., providers, hospitals, and pharmacies) that collect, use, and disclose personally identifiable health information, as well as to non-HICs that receive personally identifiable health information from a HIC. Thus, the privacy protections follow the data.

Another important difference is that PHIPA permits HICs to disclose personally identifiable health information without consent to “prescribed persons or entities” that have in place privacy practices, policies, and procedures approved by Ontario’s Information and Privacy Commissioner. The prescribed persons or entities may then disclose information to researchers either in deidentified form, or in identifiable form with approval of a Research Ethics Board (Canadian equivalent of an Institutional Review Board [IRB] or Privacy Board). Consistent with the principle of transparency, a prescribed entity must also make public a description of its functions and a summary of its practices, policies, and procedures. A similar approach was recommended in a report commissioned by the United Kingdom’s Prime Minister on secondary uses of personal information. This report suggested the creation of “safe harbors,” which have three defining characteristics: (1) they provide a secure environment for processing personally identifiable health data, (2) they are restricted to “approved researchers” who meet relevant criteria, and (3) they implement penalties and allow for criminal sanctions against researchers who abuse their access to personally identifiable data. The committee believes that such an approach, combined with strong security measures, offers adequate privacy protections for personally identifiable health information in information-based health research, while greatly expanding research opportunities.

[5] Personal Health Information Protection Act, Statutes of Ontario 2004, Ch. 3, Schedule A; Ontario Regulation 329/04.
[6] In a report commissioned by the United Kingdom’s Prime Minister on secondary uses of personal information.
The committee’s new framework entails a two-part practical approach to protecting health information privacy because there are fundamental differences between information-based research (e.g., using medical records or stored biological samples) and direct, interventional human subjects research. Applying the same human subjects protections in these two different scenarios is neither appropriate nor justifiable. Promoting individual autonomy is essential when a person’s health care or participation in clinical research is considered. The purpose of informed consent in this type of research is mainly to protect research participants from physical harm by providing a description of the potential risks and benefits of the study. In contrast, in information-based research that relies solely on medical records and stored biospecimens, the research participant faces no risk of direct physical harm. In this context, informed consent (authorization) is intended to ensure that individuals are able to exercise control over their personal information that is held by third parties, and to give individuals the right to determine whether their personal information can be used in a particular research project (or a series of such projects, if consent for future research is permitted). Because of these fundamental differences between information-based research and direct, interventional human subjects research, the committee makes a clear distinction between the privacy considerations that apply to interventional research and research that is exclusively information based.
First, the committee recommends that all interventional research, regardless of funding source and support, should be required to comply with the Common Rule,[7] and all researchers who gain access to personally identifiable health information as part of the interventional research should be required to protect that information with strong security measures. Research participants should be allowed to provide consent for future research uses of data and biological materials collected as part of the interventional study as long as an IRB reviews and approves the future uses, ensuring that the new study is not incompatible with the original consent.
Second, the committee recommends that HHS and other relevant federal agencies develop a new approach to uniform, goal-oriented oversight of information-based research, with a focus on best practices in privacy, security, and transparency as in PHIPA and the proposed United Kingdom model. This new approach should include a mechanism by which some programs or institutions could be certified by HHS or another accrediting body, similar to a prescribed entity as in PHIPA or a safe harbor as in the United Kingdom model. Such entities could then collect and analyze personally identifiable health information for clearly defined and approved purposes, without individual consent. Because of the administrative requirements in becoming certified, this option is most appropriate for disease registries and other very large scale research databases. Certified entities could also aggregate personally identifiable data from multiple sources, and then provide data to researchers with direct identifiers removed, under strict security requirements. This would facilitate greater use of data with direct identifiers removed in research because the aggregated datasets would be more complete and thus would lead to more accurate conclusions. To further protect privacy, unauthorized reidentification of information that has had direct identifiers removed should be prohibited by law, and violators should face legal sanctions.

[7] The “Common Rule” is the term used by 18 federal agencies who have adopted the same regulations governing the protection of human subjects of research.
In cases where researchers cannot use data with direct identifiers removed, and personally identifiable health information is needed for research, approval and oversight by an ethics oversight board should be required, partially analogous to what is now done under the HIPAA Privacy Rule and PHIPA. This board could perhaps entail a new body specifically formulated to review medical records research, rather than relying on traditional IRBs that were created to review interventional research. If researchers seek a waiver of patient consent, an ethics oversight board should consider the measures the researchers propose to take to protect the privacy and confidentiality of the data, the potential harms that could result from disclosure of the data, and the potential public benefits of the proposed research study. In order to facilitate consistent application of this option, HHS will need to develop clear guidance and best practices on how to assess the potential harm, the proposed measures to protect privacy and confidentiality, and the potential public benefits of a research study, as has been done under PHIPA.
Although expectations regarding privacy vary among different demographic groups, public opinion polls suggest that a significant portion of the American public would like to control all access to their medical records for research via an individual consent mechanism. However, obligations to implement comprehensive privacy protections—such as security, transparency, and accountability—are independent of patient consent. Moreover, the committee concluded, based on considerable testimony and other evidence, that a universal requirement for informed consent can lead to invalid results because of significant differences between patients who do or do not grant consent, and missed opportunities to advance medical science because it can be prohibitively costly and difficult to obtain consent for studies that require analysis of very large datasets. As a result, the committee’s new framework includes two alternatives to consent that can be used in certain circumstances (e.g., disclosure to a certified entity and waiver of informed consent by an ethics review board), which are intended to facilitate research that is socially beneficial and to protect privacy through increased security, transparency, and accountability.
If society seeks to derive the benefits of medical research in the form of improved health and health care, information should be shared to achieve that greater good, and governing regulations should support the use of such information, with appropriate oversight. In the committee’s proposed new framework, the greater emphasis on ensuring the security protections of personally identifiable health information (as in the committee’s Recommendation III.A), facilitating research using data with direct identifiers removed, and ensuring the scientific merits of any proposed research in the new framework should help to foster its acceptability. Nonetheless, effective communication with the public about how health research is done and the value it provides (the committee’s Recommendation III.C) will be important to address concerns and gain acceptance.
RECOMMENDATION II. REVISE THE PRIVACY RULE AND ASSOCIATED GUIDANCE
If this comprehensive new approach is not implemented (or, for the interim while the new framework is being developed), the committee proposes as an alternative that HHS revise the current HIPAA Privacy Rule and the associated guidance. These revisions would address some of the problems uncovered during the course of this study.
Recommendation II.A. The committee recommends that HHS develop guidance materials to reduce variability among IRBs and Privacy Boards in their interpretation of the HIPAA Privacy Rule as applied to research. One of the weaknesses in the current privacy protection system is that there is extreme variability in the regulatory interpretations and approval decisions among IRBs and Privacy Boards. Regulatory language often is not easily understandable and is subject to wide interpretation. Thus local IRBs and Privacy Boards interpret state and federal regulations independently, resulting in a great deal of variation in how the regulations are implemented. To address this problem, the committee developed four specific recommendations.
First, HHS should develop a dynamic, ongoing process to increase empirical knowledge about current “best practices” for privacy protection in responsible research using protected health information (PHI), and promote use of those best practices. To accomplish this, HHS should regularly convene consensus development conferences in collaboration with health research stakeholders to collect and evaluate current practices in privacy protection.
Second, HHS should encourage greater use of partially deidentified data called “limited datasets” and develop clear guidance on how to set up and comply with the associated data use agreements (DUAs) more efficiently and effectively. Currently, there is pervasive confusion regarding the conditions of DUAs and how recipients may meet those conditions. As a result, in some health care settings, the burden of establishing a DUA prevents research from going forward. At the other extreme, some covered entities sign DUAs as a matter of course, providing little meaningful privacy protection to the patient.
Third, HHS should clarify the somewhat artificial distinction it has made between “research” and “practice” to ensure appropriate IRB and Privacy Board oversight of PHI disclosures for these closely related activities. This will require HHS to consult with relevant stakeholders to develop standard criteria for IRBs and Privacy Boards to use when making distinctions between health research and related endeavors, such as public health practice and quality improvement practices. These criteria should be evaluated regularly by HHS to ensure that the criteria are helpful and producing the desired outcomes.
Fourth, HHS should simplify the guidance regarding the use of PHI in activities preparatory to research and harmonize these provisions with the Common Rule. The committee recommends that all researchers (including those internal to a covered entity) be required to obtain IRB approval (as required under the Common Rule) prior to contacting potential research participants. When making a decision about whether to approve research projects, the IRB should review and consider the investigator’s plans for contacting patients, and ensure that the information will be used only for research projects approved by the IRB and will not be disclosed elsewhere.
Recommendation II.B. The committee recommends that HHS develop guidance materials to facilitate more effective use of existing data and materials for health research and public health purposes. Many institutions create and maintain databases with patient health information or repositories with biological materials collected from patients. These databases and biospecimen banks are used for many types of health research, including studies to understand diseases or to compare patient outcomes following different treatments. Current interpretations of provisions of the HIPAA Privacy Rule sometimes make it difficult to effectively use these valuable resources for health research. The committee developed four specific recommendations to facilitate important health research by maximizing the usefulness of patient data associated with biospecimen banks and in research databases, thereby allowing novel hypotheses to be tested with existing data and materials as knowledge and technology improve. The recommendations would align interpretation of the HIPAA Privacy Rule with the Common Rule on several points, simplify or clarify the relevant processes in research, and develop new tools for data aggregation.
First, the committee recommends that HHS develop guidance which clearly states that individuals can authorize use of PHI stored in databases or associated with biospecimen banks for specified future research under the HIPAA Privacy Rule with IRB oversight, as is allowed under the Common Rule. Future uses should be described in sufficient detail to allow individuals to give informed consent, and researchers should be required to have IRBs determine that the new research is not incompatible with the initial consent. Second, the committee recommends that HHS develop clear guidance for use of a single form that permits individuals to authorize use and disclosure of health information in a clinical trial and to authorize the storage of their biospecimens collected in conjunction with the clinical trial. This will simplify the authorization process for interrelated research activities by integrating all relevant information into one simple document.
Third, the committee recommends that HHS clarify the circumstances under which DNA samples or sequences are considered PHI. Genetic information does not itself identify an individual in the absence of other identifying information. However, in some circumstances, a person’s genetic code could be construed as a unique identifier in that it could be used to match a sequence in another biospecimen bank or databank that does include identifiers. The committee advocates a focus on strong security measures and the adoption of strict prohibitions and legal sanctions against the unauthorized reidentification of individuals from DNA sequences, by anyone.
Fourth, HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects privacy, confidentiality, and security. One way this could be accomplished, for example, might be through data warehouses that are certified for the purpose of linking data from different sources. The organizations responsible for such linking would be required to use strong security measures and would maintain the details about how the linkage was done, should another research team need to recreate the linked dataset.
Recommendation II.C. The committee recommends that HHS revise provisions of the HIPAA Privacy Rule that currently hinder research but do not provide substantive privacy protections. First, HHS should reform the requirements for the accounting of disclosures (AOD) of PHI made for research and public health purposes. Until technology advances make automatic AOD tracking feasible, affordable, and widely available, the HIPAA Privacy Rule should permit covered entities to inform patients in advance that PHI might be used for health research with IRB/Privacy Board oversight or for public health purposes. As an alternative to AOD, to ensure transparency, institutions should maintain a list, accessible to the public, of all studies approved by an IRB/Privacy Board.
In addition, HHS should simplify the criteria that IRBs and Privacy Boards use in determining whether to waive the requirement that researchers obtain authorization from each patient whose PHI will be used in a research study. If HHS decides to retain the current waiver criteria, HHS should provide clear and reasonable definitions to the vague terms used in the waiver criteria (i.e., what constitutes “minimal risk” to the privacy of individuals and what constitutes “impracticable”), as well as providing specific case examples. This would be especially helpful for multi-institutional studies, which fall under the jurisdiction of multiple IRBs or Privacy Boards.
RECOMMENDATION III. IMPLEMENT CHANGES NECESSARY FOR BOTH POLICY OPTIONS ABOVE (RECOMMENDATIONS I AND II)
The committee’s last set of recommendations does not directly relate to the HIPAA Privacy Rule, but should be adopted in order to achieve the committee’s overarching goals under both policy options described above (the new framework or revisions to the HIPAA Privacy Rule and associated guidance).
Recommendation III.A. The committee recommends that all health research institutions improve the security of personally identifiable health information. For example, institutions could: appoint a security officer responsible for assessing data protection needs and implementing solutions and staff training; make greater use of encryption and other techniques for data security; include data security experts on IRBs; implement a breach notification requirement, so that patients may take steps to protect their identity in the event of a breach; and implement layers of security protection to eliminate single points of vulnerability to security breaches. In addition, the federal government should support (1) the development and use of genuine privacy-enhancing techniques that minimize or eliminate the collection of personally identifiable data, and (2) standardized self-evaluations and security audits and certification programs to help institutions achieve the goal of safeguarding the security of personal health data.
Recommendation III.B. The committee also recommends that HHS—or, as necessary, Congress—provide reasonable protection against civil suits brought pursuant to state or federal laws for members of IRBs and Privacy Boards for decisions made within the scope of their responsibilities under the HIPAA Privacy Rule and the Common Rule. The limitation on liability should not include protection for willful and wanton misconduct in reviewing the research, but should instead be reserved for good-faith decisions, backed by minutes or other evidence. Effective oversight of health research depends on the recruitment of qualified and knowledgeable volunteers to serve on IRBs and Privacy Boards. But the increasing workload and complexity of IRB and Privacy Board service have made it difficult to recruit and retain knowledgeable IRB members and to ensure time for the ethical reflection necessary to make appropriate decisions about human research projects. Moreover, because of the growth over the past decade of lawsuits naming individual IRB members as defendants, fear of penalties and civil suits can be a significant deterrent in recruiting qualified volunteers to serve on IRBs and Privacy Boards.
Recommendation III.C. Finally, the committee recommends that HHS and researchers take steps to provide the public with more information about health research. Surveys indicate that the vast majority of Americans believe health research is important, and they are interested in the findings of research studies. Yet patients often lack information about how health research is conducted and are rarely informed about research results that may have a direct impact on their health. The committee recommends that researchers inform interested research participants (who granted authorization for a particular study) with a simplified summary of the results at the conclusion of a research study. HHS should also encourage researchers to register their trials and other studies in public databases, particularly when the research is being conducted under a waiver of authorization. In addition, HHS and the health research community should work to educate the public about how research is done, and what value it provides. These recommendations could be accomplished without any changes to HIPAA or the Privacy Rule by making them a condition of funding for research grants from HHS and other research sponsors, and by providing additional funds to cover the cost.