

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.

OCR for page 15
BEYOND THE HIPAA PRIVACY RULE

Overview of Conclusions and Recommendations

Ethical health research and privacy protections both provide valuable benefits to society. Health research is vital to improving human health and health care, and protecting individuals involved in research from harm and preserving their rights is essential to the conduct of ethical research. The primary justification for protecting personal privacy is to protect the interests of individuals. In contrast, the primary justification for collecting personally identifiable health information for health research is to benefit society. But it is important to stress that privacy also has value at the societal level because it permits complex activities, including research and public health activities, to be carried out in ways that protect individuals' dignity. It is also important to note that health research can benefit individuals, for example, when it facilitates access to new therapies, improved diagnostics, and more effective ways to prevent illness and deliver care.

The U.S. Department of Health and Human Services (HHS) developed a set of federal standards for protecting the privacy of personal health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[1] The HIPAA Privacy Rule set forth detailed regulations regarding the types of uses and disclosures of individuals' personally identifiable health information (called "protected health information") permitted by "covered entities" (health plans, health care clearinghouses, and health care providers who transmit information in electronic form in connection with transactions for which HHS has adopted standards under HIPAA).[2] A major goal of the Privacy Rule is to ensure that individuals' health information is properly protected while allowing the flow of information needed to promote high-quality health care. The Privacy Rule also set out requirements for the conduct of health research.

The Institute of Medicine (IOM) Committee on Health Research and the Privacy of Health Information (the committee) was charged with two principal tasks[3]: (1) to assess whether the HIPAA Privacy Rule is having an impact on the conduct of health research, defined broadly to include biomedical research, epidemiological studies, and health services research, as well as studies of behavioral, social, and economic factors that affect health; and (2) to propose recommendations to enable the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information (Box O-1).

The committee's conclusion is that the HIPAA Privacy Rule does not protect privacy as well as it should, and that, as currently implemented, the Privacy Rule impedes important health research. The committee found that the Privacy Rule (1) is not uniformly applicable to all health research, (2) overstates the ability of informed consent to protect privacy rather than incorporating comprehensive privacy protections, (3) conflicts with other federal regulations governing health research, (4) is interpreted differently across institutions, and (5) creates barriers to research and leads to biased research samples, which generate invalid conclusions. In addition, security breaches are a growing problem for health care databases. In this report, the committee presents its analysis and findings, along with several recommendations for accomplishing the dual goals of protecting health privacy while facilitating responsible and beneficial research.

[1] The HIPAA Privacy Rule can be found at 45 Code of Federal Regulations (C.F.R.) parts 160 and 164 (2006).
BOX O-1
Committee Statement of Task

An Institute of Medicine committee will investigate the effects on health research of the Privacy Rule regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) section on Administrative Simplification and prepare a report. In conducting the study, the committee will:

1. Consider the range of study types, such as clinical trials, epidemiologic designs, research using tissue repositories and databases, public health research, and health services research, to the extent that available data and evidence allow;
2. Consider research carried out by the full range of sponsors: government, public and private academic, and for-profit sectors, including the pharmaceutical, biotechnology, and medical device industries;
3. Review provisions of the Privacy Rule relevant to health research, including those dealing with authorizations and accounting of disclosures of personal health information, deidentification of data, reviews preparatory to research, and others, and on reviewing them, may identify provisions that merit priority attention and analysis;
4. Consider issues of interpretation and implementation of the Privacy Rule, as well as of harmonization with overlapping provisions of the Common Rule and Food and Drug Administration regulations, which have existed much longer;
5. Examine the potential impact of the Rule on public health research, on the recruitment of research subjects for studies, on carrying out research internationally, and on research using data and biomaterials in databases and tissue repositories; and
6. Consider the needs for privacy of identifiable personal health information and the value of such privacy to patients and the public. As data and evidence allow, the needs and benefits of patient privacy will be balanced against the needs, risks, and benefits of identifiable health information for various kinds of health research.

The committee will formulate recommendations for alterations or retention of the status quo accordingly.

DEFINITIONS

Definition of Privacy and Why Privacy Is Important

The term "privacy" is used frequently, yet there is no universally accepted definition of the term, and there is considerable confusion about the meaning, value, and scope of the concept. The focus of the HIPAA Privacy Rule and the IOM committee's report is on the privacy of personal health information. In this context, privacy pertains to the collection, storage, and use of personal information and addresses the question of who has access to personal information and under what conditions. Issues of privacy include whether specific types of data about an individual can be collected at all, as well as the justifications, if any, under which data collected for one purpose can be used for another purpose. Another important issue in privacy analysis is whether an individual has authorized particular uses of his or her personal information.

Although privacy is often used interchangeably with the terms "confidentiality" and "security," they have distinct meanings. Confidentiality, though closely related to privacy, refers to the obligations of those who receive information in the context of an intimate relationship to respect the privacy interests of those to whom the data relate and to safeguard that information. Confidentiality addresses the issue of whether to keep information exchanged in that relationship from being disclosed to third parties. Thus, for example, confidentiality requires physicians not to disclose information shared with them by a patient in the course of a physician–patient relationship. Unauthorized or inadvertent disclosures of data gained as part of an intimate relationship are considered breaches of confidentiality. Security, as defined by Turn and Ware in 1976, is "the procedural and technical measures required to (a) prevent unauthorized access, modification, use, and dissemination of data stored or processed in a computer system, (b) prevent any deliberate denial of service, and (c) to protect the system in its entirety from physical harm."[4] Currently existing, commonly deployed security measures help keep health records safe from unauthorized use, although no security measure can prevent an invasion of privacy by individuals who have authority to access a health record: access controls decide who may read a record, not whether an authorized reader's purpose in reading it is legitimate.

American society places a high value on a private sphere protected from intrusion, and the bioethics principle of nonmaleficence[5] requires safeguarding personal privacy. Breaches of an individual's privacy and confidentiality may affect a person's dignity and cause irreparable harm. When personally identifiable health information[6] is disclosed to an employer, insurer, or family member, for example, the disclosure can result in stigma, embarrassment, and discrimination. Safeguarding privacy and confidentiality is also important for both individuals and society. Individuals are less likely to participate in health research or other socially and individually beneficial activities, including candid and complete disclosures of sensitive information to their physicians, if they do not believe their privacy is being protected.

[2] 45 C.F.R. § 160.103 (2006).
[3] The study was funded by the National Institutes of Health, the National Cancer Institute, the Robert Wood Johnson Foundation, the American Cancer Society, the American Heart Association/American Stroke Association, the American Society for Clinical Oncology, the Burroughs Wellcome Fund, and C-Change.
However, it should also be noted that perceptions of privacy vary among individuals and groups. Information that is considered intensely private by one person may not be by others. The concept of privacy is also context specific, and acquires a different meaning depending on the stated reasons for the information being gathered, the intentions of the parties involved, as well as the politics, convention, and cultural expectations.

The bioethics principle of respect for persons places importance on individual autonomy or self-determination, which allows individuals to make decisions for themselves about matters that are important to their own well-being. U.S. society also places a high value on individual autonomy, and one way to respect individuals is to ensure that they can make the choice about when, and whether, personal information (particularly sensitive information) can be shared with others.

Many statutory and regulatory protections of privacy have attempted to incorporate these values and concerns through emphasis on the principles of fair information practices,[7] which have been adopted in various forms at the international, federal, and state levels. The principles of fair information practices address issues such as data quality, limitations on collection and use, specification of purpose, security safeguards, openness of practices and policies, individual participation, and accountability. They reflect a broad consensus about the need for standards to protect individual privacy and to facilitate information flows in an increasingly technology-dependent, global society.

Definition of Health Research and Why Health Research Is Important

Under both the HIPAA Privacy Rule and a federal regulation known as the Common Rule,[8] "research" is defined as "a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge." This is a broad definition that may include biomedical research, epidemiological studies,[9] and health services research,[10] as well as studies of behavioral, social, and economic factors that affect health. Perhaps the most familiar form of health research is the clinical trial in which patients volunteer to participate in studies to test the efficacy of new medical interventions. Today, though, an increasingly large portion of health research is information based.

[4] Turn, R., and W. H. Ware. 1976. Privacy and security issues in information systems. The RAND Paper Series. Santa Monica, CA: The RAND Corporation.
[5] The ethical principle of doing no harm, based on the Hippocratic maxim, primum non nocere, first do no harm.
[6] This term may encompass a broad range of information, including personal and family health history, physician notes and orders, test results, medication and immunization records, and documentation of surgeries or hospitalizations.
More and more research entails the analysis of data and biological samples that were initially collected for one purpose and are now being used for another purpose such as research.[11]

In the fields of epidemiology, health services research, and public health research, the use of existing data to conduct research is common. Existing data are analyzed to identify patterns of occurrences, determinants, and the natural history of disease; to evaluate health care interventions and services; to perform drug safety surveillance; and to perform some genetic and social studies. A prime example of the benefits of research using existing biological samples and patients' records is the development of Herceptin® (trastuzumab), a revolutionary new treatment for some kinds of breast cancer. In addition, many findings from research using patients' medical records have changed the practice of medicine. Examples of how health research based on data from medical records has informed and influenced national and other policy decisions abound. Just to cite a few: Research based on data from medical records underlies the estimate that tens of thousands of Americans die each year from medical errors in the hospital and has provided valuable information for reducing these medical errors by implementing health information technology, such as e-prescribing. Medical records research has documented that disparities and lack of access to care in inner cities and rural areas result in poorer health outcomes, and has demonstrated that specific preventive services (e.g., mammography) substantially reduce mortality and morbidity at reasonable costs. Furthermore, such research has established a causal link between the nursing shortage and patient health outcomes by documenting that patients in hospitals with fewer registered nurses are hospitalized longer and are more likely to suffer complications, such as urinary tract infections and upper gastrointestinal bleeding.

[7] The concept of fair information practices originated with the 1973 report of the Secretary's Advisory Committee on Automated Personal Data Systems, reporting to the Secretary of the U.S. Department of Health, Education, and Welfare, titled Records, Computers and the Rights of Citizens, http://epic.org/privacy/hew1973report/ (accessed August 3, 2008).
[8] The Common Rule is a federal policy for the protection of human subjects adopted by 18 federal agencies and offices. 45 C.F.R. part 46, http://www.hhs.gov/ohrp/policy/common.html (accessed August 3, 2008).
[9] Epidemiology is the study of the occurrence, distribution, and control of diseases in populations.
[10] Health services research has been defined as a multidisciplinary field of inquiry, both basic and applied, that examines the use, costs, quality, accessibility, delivery, organization, financing, and outcomes of health care services to increase knowledge and understanding of the structure, processes, and effects of health services for individuals and populations.
[11] The National Committee on Vital and Health Statistics has noted that the term "secondary uses" of health data is ill defined and therefore urged abandoning it in favor of precise description of each use. Consequently, the IOM committee has chosen to minimize use of the term in this report.
As the use of electronic medical records increases, the pace of medical records research is accelerating, and the opportunities to use these records to generate new knowledge about what works in health care are expanding. The varying methods of health research provide complementary insights. Although clinical trials can provide important information about the efficacy and adverse effects of medical interventions by controlling the variables that could impact the results of the study, feedback from real-world clinical experience is also crucial for comparing and improving the use of drugs, vaccines, medical devices, and diagnostics. The Food and Drug Administration's (FDA's) approval of a drug for a particular indication, for example, is based on a series of controlled clinical trials, often with a few hundred to a few thousand patients. After a drug has received the FDA's approval for marketing, however, it may be used by millions of people in many different contexts. Thus tracking clinical experience with the drug is important for identifying relatively rare adverse effects and for determining the effectiveness in different populations or circumstances.

Like privacy, all of these health-related activities provide high value to society. Collectively, these activities can provide important information about disease trends and risk factors, outcomes of treatment or public health interventions, functional abilities, patterns of care, and health care costs and utilization. They have led to significant discoveries, the development of new therapies, and a remarkable improvement in health care and public health.[12] Thus, they provide a sense of hope for people with chronic, life-threatening, or fatal conditions. If the health research enterprise is impeded, or if it is less robust, important societal interests are adversely affected.

THE HIPAA PRIVACY RULE

The U.S. Congress passed HIPAA in 1996 with the primary goals of making health care delivery more efficient and increasing the number of Americans with health insurance coverage. The HIPAA Privacy Rule was developed by HHS under HIPAA's administrative simplification provisions, which mandated the creation of privacy standards for "protected health information" (PHI) in the absence of federal legislation. A major goal of the HIPAA Privacy Rule is to ensure that individuals' health information is properly protected while allowing the flow of information needed to promote high-quality health care. Recognizing that patients' health records also play an important role in health research, Congress wanted to ensure that the implementation of HIPAA would not impede health researchers' continued access to data from health records. Responding to this objective, HHS attempted to create a system that mandates privacy protection for individually identifiable health information while allowing important uses of the information in health care and research.

The HIPAA Privacy Rule sets forth detailed regulations regarding the types of uses and disclosures of "protected health information," defined as "individually identifiable health information" that is held or transmitted by a "covered entity." Covered entities are health plans, health care clearinghouses, and health care providers who transmit information in electronic form in connection with a transaction for which HHS has developed a standard under HIPAA.[13] A covered entity may not use or disclose PHI except either (1) as the Privacy Rule permits, or (2) as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing. The Privacy Rule applies not only to health information exchanged or stored electronically, but also to PHI held by a covered entity in any form or media, including electronic, paper, and oral communications.[14]

Although the HIPAA Privacy Rule applies to information uses and transactions necessary for the provision of health care, it is also applicable to a great deal of information used in health research. As already explained, the data in individuals' medical records may be important or essential to some types of health research. When obtaining PHI from a covered entity to use in their research, health researchers are required to follow the provisions of the HIPAA Privacy Rule. The Privacy Rule permits a covered entity to use and disclose PHI for research purposes without an individual's authorization if the covered entity obtains either (1) documentation that an alteration or waiver of the individual's authorization for the use or disclosure of the information has been approved by an Institutional Review Board (IRB) or Privacy Board, or (2) specified representations from the researchers that the PHI is being used or disclosed solely for purposes preparatory to research, or for research using only the PHI of decedents. A covered entity may also use or disclose PHI without an individual's authorization if the PHI is contained as part of a "limited dataset" from which specified direct identifiers have been removed, and the researcher enters into a data use agreement with the covered entity.

THE COMMITTEE'S CHARGE AND THE OVERARCHING GOALS OF THE RECOMMENDATIONS

The sponsors of this study asked the IOM to assess whether the HIPAA Privacy Rule implemented by HHS is impacting the conduct of health research, and requested that the IOM committee propose recommendations to facilitate the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information.

[12] See Standards for Privacy of Individually Identifiable Health Information: Proposed Rule, 64 Fed. Reg. 59918, 59967 (1999) for a discussion of the benefits of health records research.
[13] 45 C.F.R. § 160.103 (2006).
To undertake this task, the IOM appointed a 15-member committee (Committee on Health Research and the Privacy of Health Information) with a broad range of expertise and experience covering various fields of health research; privacy of health information; health law, regulation, and ethics; human research protections; health center administration; use and protection of electronic health information; and patient advocacy. As the study progressed and committee members began thinking about potential recommendations, they identified three general methods for improving the current system for safeguarding health information privacy: (1) the provision of guidance from HHS and its Office for Civil Rights to Institutional Review Boards (IRBs), Privacy Boards, institutions, and other participants and stakeholders, which is the easiest way to achieve changes; (2) regulatory changes to the HIPAA Privacy Rule provisions, which can be done via HHS, but is more difficult than providing new guidance; and (3) statutory changes in HIPAA or other legislation at the federal or state level, which is the most difficult to accomplish, but may be necessary. The committee members decided to be as modest as possible in proposing recommendations to facilitate the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information, with the goal of making it easier to effect change if policy makers agree with the proposals.

Ultimately, committee members agreed to make two sets of recommendations. First, the committee proposes a bold, innovative, and more uniform approach to the dual challenge of protecting privacy while supporting beneficial and responsible research.[15] Although a totally new approach may be harder to implement in the short term than more incremental changes, it might help to stimulate fresh ideas about the best ways to protect privacy and improve health research as the nation seeks the best way to support these two interconnected values over the next several years. Second, in the event that policy makers decide that HIPAA was, and continues to be, the most useful model for how to safeguard privacy in health research, the committee proposes a series of detailed proposals to improve the HIPAA Privacy Rule and associated guidance.

There is no question that the goals of safeguarding privacy and enhancing health research are sometimes in tension.

[14] Under the HIPAA Privacy Rule protected health information excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232(g), records described at 20 U.S.C. 1232(g)(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.
Stringent measures to safeguard privacy can make it harder to conduct high-quality research, and research itself can pose a threat to privacy. Yet the committee believes that there is a synergy between the two, that promoting both is desirable, and that it is possible to strengthen certain privacy protections while still facilitating important health research.

For that reason, the committee's intent in developing its recommendations was to advance both privacy and health research interests to the extent possible. The committee understands that the lines are not neat, the questions are complex, and the challenges are formidable. Nevertheless, our recommendations are aimed at strengthening health research regulations and practices that effectively safeguard personally identifiable health information, while changing provisions of the HIPAA Privacy Rule or its interpretations that the committee found to be mostly formalistic or ineffective. They also aim to facilitate data collection and use for beneficial and high-quality health research, with appropriate oversight, to advance knowledge about human health.

To facilitate beneficial health research while still ensuring adequate protection of patient privacy, the committee grounded its recommendations in three fundamental goals: (1) improve the privacy and data security of health information; (2) improve the effectiveness of health research; and (3) improve the application of privacy protections for health research (Box O-2). These three basic goals are discussed further below.

BOX O-2
Three Goals Underlying the Committee's Recommendations

1. Improve the privacy and data security of health information.
2. Improve the effectiveness of health research.
3. Improve the application of privacy protections for health research.

Improve the Privacy and Data Security of Health Information

In the context of health research, the privacy goal is the commitment to handle personal information of patients and research participants in accordance with meaningful privacy protections. These protections should include strong security measures, disclosure of the purposes for which personally identifiable health information is used (transparency), and legally enforceable obligations to ensure information is secure and used appropriately (accountability). This commitment extends to everyone who collects, uses, or has access to personal information of patients and research participants. Practices of security, transparency, and accountability take on extraordinary importance in the health research setting. Researchers and other data users should disclose clearly how and why personal information is being collected, used, and secured, and should be subject to legally enforceable obligations to ensure that personal information is used appropriately and securely.

[15] Responsible health research is methodologically sound, is scientifically valid, protects the rights and interests of study subjects, and addresses a question or problem relevant to improving human health.
In this manner, privacy protection will help to ensure research participant and public trust and confidence in medical research.

Improve the Effectiveness of Health Research

Research discoveries are central to achieving the goal of extending the quality of healthy lives. Research into causes of disease, methods for prevention, techniques for diagnosis, and new approaches to treatment has increased life expectancy, reduced infant mortality, limited the toll of infectious diseases, and improved outcomes for patients with heart disease, cancer, diabetes, and other diseases. Patient-oriented clinical research that tests new ideas makes medical and public health progress possible.

Today the rate of discovery is accelerating, and science is at the precipice of a remarkable period of investigative promise made possible by new knowledge about the genetic underpinnings of disease. Genomic research is opening new possibilities for preventing illness and for developing safer, more effective medical care that may eventually be tailored for specific individuals. Further advances in relating genetic information to predispositions to disease and responses to treatments will require use of large amounts of existing health-related information and stored biological specimens. The increasing use of electronic medical records will further facilitate the generation of new knowledge through research and accelerate the pace of discovery. These efforts will require broad participation of patients in research and broad data sharing to ensure that the results are valid and applicable to different segments of the population. Collaborative partnerships among communities of patients, their physicians, and teams of researchers to gain new scientific knowledge will bring tangible benefits for people in this country and around the world.

Improve the Application of Privacy Protections for Health Research

The HIPAA Privacy Rule was written to provide consistent standards in the United States for the use and disclosure of PHI by covered entities, including the use and disclosure of such information for research purposes.
In its current state, however, the HIPAA Privacy Rule is difficult to reconcile with other federal regulations, including HHS regulations for the protection of human subjects (the Common Rule), FDA regulations pertaining to human subjects protections,[16] and other applicable federal or state laws. For example, inconsistencies in federal regulations governing the deidentification of personal health information, obtaining individual consent for future research, and the recruitment of research volunteers make it challenging for health researchers to undertake important research activities while seeking to comply with all these regulations. In addition, there is substantial variation in the way in which institutions interpret and apply the Privacy Rule. For example, the way in which IRBs and Privacy Boards interpret the provisions when making decisions about authorization requirements varies across institutions, and often is quite conservative. Especially for multisite research and studies that are reviewed by both IRBs

[16] 21 C.F.R. parts 50 and 56 (1988).

OCR for page 15
in an AOD report. Furthermore, HHS has noted that “making a set of records available for review by a third party constitutes a disclosure of the PHI in the entire set of records, regardless of whether the third party actually reviews any particular record.” The AOD provision of the HIPAA Privacy Rule provides an exception for research involving groups of 50 or more subjects by allowing the covered entity to develop a general list of all protocols for which a person’s PHI may have been disclosed. Even then, however, generating such a list is a considerable administrative obligation. Furthermore, in many medical facilities, a general list of protocols is extensive and thus relatively meaningless to a particular patient.

The AOD provision of the HIPAA Privacy Rule places a heavy administrative burden on health systems and health services research, and achieves little in terms of protecting privacy. Moreover, HHS has provided no guidance to covered entities about practical ways to fulfill this requirement efficiently. On the basis of testimony in 2004, the Secretary’s Advisory Committee on Human Research Protections concluded that the cost and burden of compliance with the HIPAA Privacy Rule’s AOD requirements were so high that institutions were likely to accept the risk of noncompliance rather than incur the cost of compliance.

Annual surveys of health care privacy officers undertaken by the American Health Information Management Association (AHIMA) since 2004 have similarly found that many facilities report difficulties with the AOD requirement. Such surveys have also found that the demand for AOD reports by individuals is extremely low: two thirds of health care privacy officers participating in the survey reported receiving no requests at all. Nearly one third of respondents indicated that they would like to see a change to the AOD provision of the HIPAA Privacy Rule—the most frequently cited provision among all respondents and the most frequently cited provision by far among respondents with more than 20,000 admissions/discharges per year. On the basis of these results, AHIMA concluded that “for many, this [AOD] provision is not only burdensome but also significantly inefficient.”[37]

Robust safeguards are already in place to protect the privacy of PHI disclosures in health research via IRBs and Privacy Boards. As the health care system moves toward broader implementation of electronic health records, however, automatic tracking of audit trails will be important to incorporate. Technology advances will likely make automatic AOD tracking feasible, affordable, and widely available in the future. Until then, the committee recommends that disclosures of PHI made for health research and public health purposes be exempted from the HIPAA Privacy Rule’s AOD requirement.

Recommendation II.C.2: HHS should simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study, in order to facilitate appropriate authorization requirements for responsible research. If HHS decides to retain the current waiver criteria, HHS should

• provide clear and reasonable definitions of terms used in those criteria, such as “minimal risk” to the privacy of individuals (in the first criterion) and “impracticable” (in the second and third criteria). HHS should also provide specific case examples of what should or should not be considered impracticable or of minimal risk.

Rationale

Under the HIPAA Privacy Rule, researchers seeking to use PHI in medical records for research must obtain authorization from each patient unless an IRB or a Privacy Board determines that a waiver of individual authorization is warranted. For many types of research with medical records, making that determination is a challenge for IRBs and Privacy Boards. Many studies involve thousands of records, making individual authorization unrealistic. But the criteria in the HIPAA Privacy Rule that IRBs and Privacy Boards apply in making these decisions are complex and very subjective.

Currently, IRBs and Privacy Boards must use three criteria in considering whether to approve a waiver of individual authorization for the use of PHI in research.[38] The first criterion is that the use or disclosure of PHI in the research involves no more than a “minimal risk” to the privacy of individuals. The Privacy Rule lists three elements that must be present in making this determination: (1) “an adequate plan to protect the identifiers from improper use and disclosure;” (2) “an adequate plan to destroy the identifiers;” and (3) “adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI is otherwise permissible.” However, the decision about what is “adequate” is highly subjective, and thus different institutions are likely to set varying thresholds for “minimal risk.”

[37] American Health Information Management Association, 2006, The State of HIPAA Privacy and Security Compliance, http://www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf (accessed April 20, 2008).
[38] 45 C.F.R. § 164.512(i)(2)(ii) (2006).
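The first two elements of the “minimal risk” criterion, a plan to protect identifiers and a plan to destroy them, are stated in the Rule as requirements, not as a method. The example below is an added illustration by the editor, not material from the report or from HHS, of one way a study team could satisfy both in a checkable fashion: direct identifiers are stripped from the research extract and replaced with a keyed pseudonym (HMAC-SHA256) computed under a key that stays with the covered entity, so that “destroying the identifiers” at study close reduces to destroying that one key. The list of identifier fields, the sample chart records, and the class and function names are all constructed for the example.

```python
"""Added illustration, not part of the IOM report: one concrete way a study team
could implement the first two elements of the "minimal risk" waiver criterion
quoted above (a plan to protect identifiers, and a plan to destroy them).

Direct identifiers are stripped from the research extract and replaced with a
keyed pseudonym (HMAC-SHA256). The key is the only link between a pseudonym and
a patient, so "destroying the identifiers" at study close reduces to destroying
the key. Field names, the identifier list and the sample records are all
constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Fields treated as direct identifiers for this example. Which fields count, and
# whether quasi-identifiers (dates, ZIP codes, rare diagnoses) also need
# treatment, is a policy decision the covered entity must make; assumed here.
DIRECT_IDENTIFIERS = frozenset({"mrn", "name", "ssn", "address", "phone"})


class LinkageKey:
    """Holds the pseudonymization key on behalf of the covered entity.

    While the key exists, the same patient always maps to the same pseudonym
    within a study (so longitudinal analysis still works). After destroy(), no
    party, including the covered entity, can recreate or reverse pseudonyms.
    """

    def __init__(self, key: bytes | None = None) -> None:
        self._key = bytearray(key if key is not None else secrets.token_bytes(32))
        self.destroyed = False

    def pseudonym(self, mrn: str, study_id: str) -> str:
        if self.destroyed:
            raise RuntimeError("linkage key destroyed; identifiers cannot be recreated")
        # Binding the study id into the MAC input gives each study its own
        # pseudonym space, so extracts from two studies cannot be joined on it.
        msg = f"{study_id}\x00{mrn}".encode()
        return hmac.new(bytes(self._key), msg, hashlib.sha256).hexdigest()

    def destroy(self) -> None:
        # Overwrite then drop the key material. (Python cannot guarantee that no
        # copy survives in memory; in production the key would live in an HSM or
        # key-management service whose deletion is the auditable event.)
        for i in range(len(self._key)):
            self._key[i] = 0
        self._key = bytearray()
        self.destroyed = True


def build_research_extract(records: list[dict], key: LinkageKey, study_id: str) -> list[dict]:
    """Return copies of the records with direct identifiers removed and a pseudonym added."""
    extract = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = key.pseudonym(rec["mrn"], study_id)
        extract.append(row)
    return extract


def leaks_identifiers(extract: list[dict]) -> bool:
    """Release check: True if any direct identifier field survived in the extract."""
    return any(k in DIRECT_IDENTIFIERS for row in extract for k in row)


# Constructed sample chart data; these are not real patients.
SAMPLE_RECORDS = [
    {"mrn": "000123", "name": "A. Example", "ssn": "000-00-0001",
     "address": "1 Main St", "phone": "555-0100", "dx": "E11.9", "visit_year": 2007},
    {"mrn": "000456", "name": "B. Example", "ssn": "000-00-0002",
     "address": "2 Main St", "phone": "555-0101", "dx": "I10", "visit_year": 2007},
]


def demo() -> dict:
    """Walk through the life cycle: protect identifiers, use the extract, destroy the key."""
    key = LinkageKey()
    extract = build_research_extract(SAMPLE_RECORDS, key, "STUDY-001")
    clean = not leaks_identifiers(extract)
    # Same patient, same study: stable pseudonym.
    stable = key.pseudonym("000123", "STUDY-001") == extract[0]["pseudonym"]
    # Same patient, different study: different pseudonym, so no cross-study joins.
    unlinkable = key.pseudonym("000123", "STUDY-002") != extract[0]["pseudonym"]
    key.destroy()
    try:
        key.pseudonym("000123", "STUDY-001")
        relink_possible = True
    except RuntimeError:
        relink_possible = False
    return {"clean": clean, "stable": stable, "unlinkable": unlinkable,
            "relink_possible": relink_possible, "rows": len(extract)}


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would want stated alongside such a plan. First, what makes the plan “adequate” in substance is who holds the key: it must remain with the covered entity (or an honest broker), never with the research team, or the pseudonyms are reversible by the people they are meant to protect against. Second, pseudonymization of this kind is not the same as producing deidentified data or a limited dataset in the Privacy Rule’s sense; the fields that remain in the extract (a diagnosis code and a visit year here) are quasi-identifiers and may still permit re-identification in small populations, which is exactly the judgment an IRB or Privacy Board is asked to make under the first criterion.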

The other two criteria that IRBs or Privacy Boards currently must use in considering whether to approve a waiver of individual authorization are (1) that “the research could not practicably be conducted without the waiver;” and (2) that the “research could not practicably be conducted without access to and use of PHI”[39] (as opposed to deidentified data or a limited dataset). The concept of practicability is used in both the Common Rule and the HIPAA authorization criteria, but what is “practicable” or “impracticable” has never been adequately defined by the HHS Office for Human Research Protections or the HHS Office for Civil Rights (e.g., with regard to cost or feasibility). Not surprisingly, therefore, institutions apply varying definitions independently, often too conservatively to allow even low-risk research to proceed. Some institutions interpret the term impracticable to mean not at all possible and even require researchers to demonstrate that a study will fail without a waiver of authorization. The lack of clarity leads to a great deal of variability across institutions and impedes research. Patients have also questioned the meaning of the term.

Simplification or clarification by HHS of the criteria that IRBs or Privacy Boards must use in deciding whether to approve a waiver of individual authorization would be especially helpful for multi-institutional studies, which fall under the jurisdiction of multiple IRBs or Privacy Boards. Covered entities are permitted to rely on a waiver of authorization approved by a single IRB or Privacy Board with jurisdiction. Currently, however, covered entities often decide to require approval from their own IRB or Privacy Board prior to disclosing PHI to the requesting researcher, regardless of whether another IRB or Privacy Board has already granted a waiver of authorization. This practice leads to delays and to variability in the protocol at different sites.

Simplification of the criteria for approval of waivers by IRBs and Privacy Boards would also be helpful for smaller or community-based institutions that do not have internal counsel or regulatory affairs specialists, and thus are more likely to opt out of research that requires decisions about authorizations. With better guidance, all covered entities would have more confidence in their decisions and might be more willing to rely on a lead IRB or Privacy Board’s decision in the case of multi-institutional studies.

If HHS decides to retain the three criteria that IRBs or Privacy Boards currently use in deciding whether to approve a waiver of individual authorization, however, the committee recommends that HHS provide clear and reasonable definitions of the vague terms used in those criteria. Specifically, HHS should define what constitutes “minimal risk” to the privacy of individuals (in the first criterion) and what constitutes “impracticable” (in the second and third criteria). HHS should also provide specific case examples of what should or should not be considered impracticable or of minimal risk, to reduce variability and overly conservative interpretations.

[39] Id.

III. Implement Changes Necessary for Both Policy Options Above (Recommendations I and II)

Regardless of whether Recommendation I or II is implemented, the following recommendations, which are independent of the Privacy Rule, should be adopted. Strong security measures are essential to effective privacy protection, willingness to serve on IRBs is important for ensuring appropriate oversight of research, and the public should be provided with more information about health research.

Recommendation III.A: All institutions (both covered entities and noncovered entities) in the health research community that are involved in the collection, use, and disclosure of personally identifiable health information should take strong measures to safeguard the security of health data. For example, institutions could:

• Appoint a security officer responsible for assessing data protection needs and implementing solutions and staff training.
• Make greater use of encryption and other techniques for data security.
• Include data security experts on IRBs.
• Implement a breach notification requirement, so that patients may take steps to protect their identity in the event of a breach.
• Implement layers of security protection to eliminate single points of vulnerability to security breaches.

In addition, the federal government should support the development and use of:

• Genuine privacy-enhancing techniques that minimize or eliminate the collection of personally identifiable data.
• Standardized self-evaluations and security audits and certification programs to help institutions achieve the goal of safeguarding the security of personal health data.

Rationale

Effective health privacy protections require effective data security measures.
Protecting the privacy of research participants and maintaining the confidentiality of their data have always been imperative to most researchers and a fundamental tenet of clinical research. Recently, however, several highly publicized examples of stolen or misplaced computers containing health data have heightened the public’s concerns about privacy. Such events pose problems not only for patient privacy, but also for health research, because public trust is essential for patients to be willing to participate in research. Moreover, data security is a key component of comprehensive privacy protections. Thus, the committee recommends improving the security of personally identifiable health information.

The HIPAA Security Rule (a set of regulatory provisions separate from the Privacy Rule) already sets a floor for data security standards within covered entities, but not all institutions that conduct health research are subject to HIPAA regulations. Moreover, the security protections intended by the HIPAA Security Rule may not be sufficient to prevent breaches. The committee recommends that all institutions conducting health research undertake measures to strengthen data protections. Given the recent spate of lost or stolen laptops containing patient health information, for example, encryption should be required for all laptops and removable media containing such data. There are differences among the missions and activities of institutions in the health research community, however, so some flexibility in the implementation of specific security measures will be necessary.

Examples of security standards and guidelines already exist in some sectors, but they are not widely applied in academic settings. The National Institute of Standards and Technology (NIST), for example, has developed standards and guidance for the implementation of the Federal Information Security Management Act of 2002, which was meant to bolster computer and network security within the federal government and affiliated parties (e.g., government contractors). The NIST standards include minimum security requirements for information and information systems, as well as guidance for assessing and selecting appropriate security controls for information systems, for determining security control effectiveness, and for certifying and accrediting information systems.[40]

HHS, working through its Office of the National Coordinator for Health Information Technology,[41] could play an important role in developing or adapting standards for health research applications, then encourage and facilitate broader use of such standards in the health research community. The issue of the security of health data will continue to grow in importance as the health care industry moves toward widespread implementation of electronic health records, and Congress has already proposed numerous bills to facilitate and regulate that transition. As noted in the committee’s recommendation about the requirements for the accounting of disclosures of PHI for research above (Recommendation II.C.1), advances in information technology will likely make it easier to implement measures such as audit trails and access controls in the future.

Enhancing security could reduce the risk of data theft and reinforce the public’s trust in the research community by diminishing anxiety about the potential for unintentional disclosure of information. The publication of best practices and outreach to all stakeholders by HHS, combined with a cooperative approach to compliance with security standards such as self-evaluation and audit programs, would promote progress in this area. As noted in Recommendation II.A.1, research sponsors could also play a role in fostering the adoption of best practices in data security.

Recommendation III.B: HHS—or, as necessary, Congress—should provide reasonable protection against civil suits brought pursuant to federal or state law for members of IRBs and Privacy Boards for decisions made within the scope of their responsibilities under the HIPAA Privacy Rule and the Common Rule, in order to encourage service on Institutional Review Boards and Privacy Boards. The limitation on liability for members of IRBs and Privacy Boards should not include protection for willful and wanton misconduct in reviewing the research, but should instead be reserved for good-faith decisions, backed by minutes or other evidence, in responsibly applying the legal requirements under the HIPAA Privacy Rule or the Common Rule.

[40] National Institute of Standards and Technology (NIST), Federal Information Security Management Act Implementation Project Website, updated November 1, 2007, http://csrc.nist.gov/groups/SMA/fisma/index.html (accessed August 1, 2008).
[41] Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services, Office of the National Coordinator: Mission, http://www.hhs.gov/healthit/onc/mission/ (accessed August 1, 2008).
Rationale

IRBs, Privacy Boards, and institutions have enormous responsibility in determining whether health research projects are planned and conducted in a way that minimizes or eliminates the potential risk to human research participants, including both direct physical harms and nonphysical harms (e.g., breach of privacy). The workload of IRBs and the complexity of their work have been steadily increasing as a result of new and evolving requirements for research regulation and documentation, including the HIPAA Privacy Rule. Surveys and studies indicate that the IRB review process has become more lengthy and difficult since implementation of the Privacy Rule, which may increase opportunity costs due to delayed or undiscovered research findings that might improve health.

Effective oversight of health research depends on the recruitment of qualified and knowledgeable volunteers to serve on IRBs and Privacy Boards. But the increasing workload and complexity of IRB and Privacy Board service have made it difficult to recruit and retain knowledgeable members and to ensure time for the ethical reflection necessary to make appropriate decisions about human research projects. Moreover, because of the growth over the past decade of lawsuits naming individual IRB members as defendants, fear of penalties and civil suits can be a significant deterrent in recruiting qualified volunteers to serve on IRBs and Privacy Boards. Such fears could also lead IRB and Privacy Board members to be overly conservative in their decisions about research proposals brought before them. Members of IRBs and Privacy Boards are generally indemnified by their institutions, but they are not immune from being named in a suit. Therefore, they might still have to devote time and resources to defending themselves for decisions made by an IRB or Privacy Board on which they served. Members of IRBs or Privacy Boards who receive limited protection against lawsuits may be less likely to interpret the HIPAA Privacy Rule too conservatively.

Providing this type of limitation on liability for IRB and Privacy Board members would be similar to the precedent of protection for peer review members under state laws and under the Health Care Quality Improvement Act of 1986. A similar provision was incorporated into the Ontario Personal Health Information Protection Act of 2004, under which members of ethics boards are immune for acts done and omissions made in good faith that are reasonable under the circumstances. In addition to reducing overinterpretation of the HIPAA Privacy Rule in health research, such protections might also facilitate multi-institutional research by reducing the variability among local IRBs and Privacy Boards, as they should be more willing to accept the decision of a lead IRB or Privacy Board. Indeed, moving in the direction of national IRBs/Privacy Boards, as is encouraged by the National Cancer Institute for cancer clinical trials, might further reduce overly conservative interpretation of the HIPAA Privacy Rule.

Finally, it should be noted that HHS policy is to seek compliance with the HIPAA Privacy Rule first, rather than penalties, when a concern is brought to its attention. Institutions might be less inclined to interpret the HIPAA Privacy Rule too conservatively if this policy were stated more clearly in guidance materials provided by HHS. Thus, even without the enactment of a new protective statute for IRB and Privacy Board members, simple clarification and clear communication of the way HHS will enforce the HIPAA Privacy Rule and seek penalties would be helpful.

Recommendation III.C: HHS and researchers should take steps to provide the public with more information about health research.

Background

Surveys indicate that the vast majority of Americans believe health research is important, and are interested in the findings of research studies. The majority of patients also appear to be willing to participate in health research, either by volunteering for a study to test a medical intervention or by allowing access to their medical records or stored biospecimens, under certain conditions. Their willingness to participate in research depends on trust in researchers to safeguard the rights and well-being of patients, including assurance of privacy and confidentiality, and on the belief that the research is a worthwhile endeavor that warrants their involvement. Yet patients often lack information about how health research is conducted and are rarely informed about research results that may have a direct impact on their health. The committee’s two recommendations below address the public’s desire for more information about health research and are important components in fulfilling two of the committee’s overarching goals for the report: (1) improving the privacy and data security of health information, and (2) improving the effectiveness of health research. Both recommendations could be accomplished by HHS and the health research community without any changes to HIPAA or the Privacy Rule, by making them a condition of funding from HHS and other research sponsors and by providing additional funds to cover the cost.

Recommendation III.C.1: Health researchers should make greater efforts to inform study participants and the public about the results of research and the relevance and importance of those results.

• Researchers should provide interested research participants (who granted authorization for a particular study) with a simplified summary of the results at the conclusion of a research study.
• HHS should encourage registration of trials and other studies in public databases, particularly when research is conducted with a waiver of authorization.

Rationale

Empirical evidence indicates that people want to be informed about research results, and ethicists have long recommended this kind of feedback and community involvement. In addition, the IOM committee identified transparency—the responsibility to disclose clearly how and why personally identifiable information is being collected—as an important component of comprehensive privacy protections. An IOM report in 2002 titled Responsible Research: A Systems Approach to Protecting Research Participants recommended improved communication with the public and research participants to ensure that the protection process is open and accessible to all interested parties, noting that transparency is best achieved by providing graded levels of information and guidance to interested parties.

Effective communication could also build the public’s trust in the research community, which is important because trust is necessary for the public’s continued participation in research under both the HIPAA Privacy Rule and the committee’s new framework. Learning about clinically relevant findings from a study in which a patient has participated could make patients feel more integrated into the process and could encourage more patients to participate in future studies. Moreover, if the study results indicate that an altered course of care is warranted, direct feedback about these results could lead to improved health care for study participants.

Thus, the committee recommends that when patients grant authorization for their medical records to be used in a particular study, health researchers should make greater efforts at the conclusion of the study to inform study participants about the results, and the relevance and importance of those results. Broader adoption of electronic medical records may be helpful in accomplishing this goal, but multiple impediments, beyond cost and technology, may prevent delivery of meaningful feedback to participants. Although some guidelines for providing and explaining study results to research participants have been proposed, they differ in details because limited data are available on this subject, and thus standards are lacking. A summary of the results alone, while necessary and reasonable, can be seen as a token, and also raises questions about issues such as how best to write summaries and how to present research with uninformative outcomes.
HHS should also encourage registration of trials and other studies in public databases, particularly when research is conducted with a waiver of authorization, as a way to make information about research studies more broadly available to the public. Numerous clinical trial registries already exist, and registration has increased in recent years. The National Library of Medicine established a clinical trials registry[42] in 2000, which has expanded to serve as the FDA’s required site for submissions about clinical trials subject to the FDA databank requirement and now also includes information from several other trial registries. The FDA Amendments Act of 2007 expanded the scope of required registrations and provided the first federally funded trial results database. In fall 2005, the International Committee of Medical Journal Editors adopted a policy requiring prospective trial registration as a precondition for publication.

The development of clinical trial registries is an important first step toward providing high-quality clinical trial information to the public. Currently, however, there is no centralized system for disseminating information about clinical trials of drugs or other interventions. Thus, patients and their health care providers have difficulty identifying ongoing studies. Moreover, some trials are still exempt from registration and data reporting. An additional limitation of clinical trial databases is that noninterventional studies (including observational studies, which play an increasingly critical role in biomedical research) are not generally included. Because many noninterventional studies are conducted with a waiver of authorization, including those studies in a registry could be an important method for increasing public knowledge of those studies.

Recommendation III.C.2: HHS and the health research community should work to educate the public about how health research is done, and what value it provides.

Rationale

Health research provides a community benefit by determining the most effective treatments and by developing new therapies. Interventional clinical trials are the most visible of the various types of health research, but a great deal of informative health research entails analysis of thousands of patient records to better understand human diseases, to determine treatment effectiveness, and to identify adverse side effects of therapies. This form of research is likely to increase in frequency as the availability of electronic health records continues to expand. As medicine moves toward the goal of personalized medicine, research results will be even more likely to be directly relevant to patients, but more study participants will be needed to derive meaningful results. However, many patients probably are not aware that their medical records are being used in database research. Moreover, surveys show that many patients desire not only notice, but also the opportunity to decide whether to consent to such research with medical records. As noted in Recommendation III.A, strengthening security protections of health data should reduce the risk of security breaches and their potential negative consequences, and thus should help to alleviate patient concerns in this regard. But educating patients about how health research is conducted, monitored, and reported could also help to increase patients’ trust in the research community, which is important for the public’s continued participation under both the HIPAA Privacy Rule and the committee’s new framework.

In addition, an educated public could also decrease the potential for biased research samples. A universal requirement to obtain authorization for medical records research can lead to a biased study sample, and thus inaccurate conclusions, because those who decline to participate may be more or less likely than average to have a particular health problem. A study sample may also be biased if certain members are underrepresented or overrepresented relative to others in the population. A biased sample is problematic because any statistic computed from that sample has the potential to be consistently erroneous, and thus conclusions drawn from a biased sample are likely to be invalid. Conveying to the public the importance of health care improvements derived from medical records research and stressing the negative impact of incomplete datasets on research findings may increase the public’s participation in research and their willingness to support information-based research that is conducted with IRB or Privacy Board oversight and a waiver of patient authorization.

There are numerous examples of important research findings from medical records research that would not have been possible if direct patient consent and authorization were always required, including the finding that infants exposed to diethylstilbestrol (DES) during the first trimester of pregnancy had an increased risk of breast, vaginal, and cervical cancer and reproductive anomalies as adults. Studies of medical records also led to the discovery that folic acid supplementation during pregnancy can prevent neural tube defects.

Thus, HHS and the health research community should work to educate the public about how research is done, and what value it provides. All stakeholders, including professional organizations, nonprofit funders, and patient organizations, have different interests and responsibilities to make sure their constituencies are well informed, but coordination and identification of best practices by HHS would be helpful. For example, the American Society of Clinical Oncology and the American Heart Association already have some online resources to help patients gather information about research that may be relevant to their conditions.

[42] See http://clinicaltrials.gov (accessed August 6, 2008).
Research is needed to identify which segments of the population would be receptive to and benefit from various types of information about how research is done and its value, in order to create and implement an effective education plan. Greater use of community-based participatory research, in which community-based organizations or groups bring community members into the research process as partners to help design studies and disseminate the knowledge gained,[43] would also help achieve this goal. These groups help researchers to design activities that the community is likely to value and to recruit research participants, by using the knowledge of the community to understand health problems. They also inform community members about how the research is done and what comes out of it, with the goal of providing immediate community benefits from the results when possible.

[43] Agency for Healthcare Research and Quality, U.S. Department of Health and Human Services, Creating Partnerships, Improving Health: The Role of Community-Based Participatory Research, June 2003, http://www.ahrq.gov/research/cbprrole.htm (accessed August 1, 2008).