National Academies Press: OpenBook

Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research (2009)

Chapter: 6 A New Framework for Protecting Privacy in Health Research

Suggested Citation:"6 A New Framework for Protecting Privacy in Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

6 A New Framework for Protecting Privacy in Health Research

In the previous chapters of this report, the committee put forth several recommendations that aim to improve the Privacy Rule and associated guidance in order to ease the impact on health research while still protecting patient privacy. However, in the process of developing these recommendations, the committee recognized that the Privacy Rule’s research provisions have many serious limitations and concluded that a new, more uniform approach is needed to accomplish the dual challenge of protecting privacy while facilitating beneficial and responsible research. In this chapter, the committee recommends that the U.S. Department of Health and Human Services (HHS) exempt health research from the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and lays out the details of a bold and innovative framework for protecting privacy in health research.

The overall purpose of this Institute of Medicine (IOM) study was to examine the effects of the HIPAA Privacy Rule on health research and to recommend improvements to the legislative and regulatory system accordingly. To achieve this task, the IOM convened a committee to include individuals with a broad range of expertise and experience relevant to the stated goal of the project, including individuals with knowledge of the various fields of health research, privacy and human research protections, health law, health center administration, use and protection of electronic health information, and patient advocacy (see Chapter 1 for complete statement of task and the Front Matter for committee membership).

The committee held a number of information-gathering meetings that were open to the public. During those meetings, the committee heard presentations on privacy in research and public health; the use of information systems to protect privacy; the effect of the Privacy Rule on various research disciplines, including those that are exclusively information based, such as health services research; the Ontario health privacy law; harmonization of the Privacy Rule and the Common Rule (see Chapter 3); challenges associated with the Privacy Rule’s regulation of biorepositories, databases, and future research; and the relationship between privacy and autonomy in health research. The committee also reviewed the information presented in an earlier IOM workshop on the same topic (IOM, 2006) and conducted an extensive review of the literature. Members of the public were permitted to submit relevant references and written comments on their experiences with the Privacy Rule’s regulation of research and to speak at the committee’s public meetings. In addition, because there was a paucity of quantitative and systematic data on the effect of the Privacy Rule on research, the committee commissioned a number of large-scale, evidence-gathering projects to inform the committee’s deliberations (see Chapter 5 and Appendix B).

After reviewing the available evidence, the committee concluded that a new framework for protecting privacy in health research is needed. The current system of regulating research and protecting privacy under the Privacy Rule is not working as well as it should to protect patient privacy in research, and as currently implemented, it impedes important research. The committee believes a different system could work better and provide improved privacy protections and stronger data security while also facilitating beneficial and responsible research.

In thinking about a new framework, the committee recognized that the goals of safeguarding privacy and enhancing health research are sometimes in tension.
Stringent measures to safeguard privacy can make it harder to conduct high-quality research, and research itself can pose a threat to privacy. Yet the committee believes that there is a synergy between the two, that facilitating both is desirable, and that it is possible to strengthen certain privacy protections while still facilitating important health research. For that reason, the committee’s intent in developing the new framework was to advance both privacy and health research interests to the greatest extent possible. The committee understands that the lines are not neat, the questions are complex, and the challenges are formidable. Nevertheless, the new framework aims to strengthen health research regulations and practices that effectively safeguard personally identifiable health information, and to facilitate data collection and use for beneficial and high-quality health research, with appropriate oversight, to advance knowledge about human health.

This chapter reviews the major goals the committee agreed on during its deliberations and describes how they should be incorporated into a new regulatory system for health research and privacy. First, the chapter will highlight the major problems with the Privacy Rule’s regulation of health research, as identified in the earlier chapters of the report. Second, the chapter will lay out the details of the new framework that the committee is recommending. Third, the committee will explain its rationale for developing the proposed framework, address potential criticism of this model, and explain how the new framework avoids many of the problems associated with the Privacy Rule.

REVIEW OF THE LIMITATIONS OF THE PRIVACY RULE

In the earlier chapters of this report, the committee identified three overarching goals on which to ground the recommendations: (1) improve the privacy and data security of health information, (2) improve the effectiveness of health research, and (3) improve the application of privacy protections for health research (see Box 6-1). In the process of recommending changes to the HIPAA Privacy Rule to achieve these three goals, the committee identified many serious problems with the current regulatory system. This section reviews the most serious problems with the Privacy Rule’s regulation of health research and protection of privacy in terms of these overarching goals.

Improve the Privacy and Data Security of Health Information

In the context of health research, the privacy goal entails the commitment to handle personal information of patients and research participants in accordance with meaningful privacy protections. These protections should include strong security measures, disclosure of the purposes for which personally identifiable health information[1] is used (transparency), and legally enforceable obligations to ensure information is secure and used appropriately (accountability).
The Privacy Rule falls short of the privacy goal for health research in two important ways: (1) it overstates the ability of informed consent (authorization[2]) to protect privacy, and (2) it does not provide other meaningful methods of protecting privacy, such as effective security, accountability, and transparency.

[1] The term “personally identifiable health information” is used when discussing individuals’ health data in a context independent of the HIPAA Privacy Rule or any other body of law.
[2] In the Privacy Rule, the informed consent concept is referred to as “authorization.”

BOX 6-1
The Committee’s Three Overarching Goals

Improve the Privacy and Data Security of Health Information

In the context of health research, protection of privacy includes a commitment to handle personal information of patients and research participants with meaningful privacy protections, including strong security measures, transparency, and accountability. This commitment extends to everyone who collects, uses, or has access to personally identifiable health information of patients and research participants. Practices of security, transparency, and accountability take on extraordinary importance in the health research setting: Researchers and other data users should disclose clearly how and why personally identifiable health information is being collected, used, and secured, and should be subject to legally enforceable obligations to ensure that personal information is used appropriately and securely. In this manner, privacy protection will help to ensure research participant and public trust and confidence in medical research.

Improve the Effectiveness of Health Research

Research discoveries are central to achieving the goal of extending the quality of healthy lives. Research into causes of disease, methods for prevention, techniques for diagnosis, and new approaches to treatment has increased life expectancy, reduced infant mortality, limited the toll of infectious diseases, and improved outcomes for patients with heart disease, cancer, diabetes, and other chronic diseases. Patient-oriented clinical research that tests new ideas makes rapid medical and public health progress possible. Today the rate of discovery is accelerating, and we are at the precipice of a remarkable period of investigative promise made possible by new knowledge about the genetic underpinnings of disease.

Genomic research is opening new possibilities for preventing illness and for developing safer, more effective medical care that can be tailored for specific individuals. Further advances in relating genetic information to predispositions to disease and responses to treatments will require use of large amounts of existing health-related information and stored biological specimens. The increasing use of electronic medical records will further facilitate the generation of new knowledge through research and accelerate the pace of discovery. These efforts will require broad participation of patients in research to ensure that the results are valid and applicable to different segments of the population. Collaborative partnerships among communities of patients, their physicians, and teams of researchers to gain new scientific knowledge will bring tangible benefits for people in this country and around the world.

Improve the Application of Privacy Protections for Health Research

The HIPAA Privacy Rule was written to provide consistent standards in the United States for the use and disclosure of protected health information (PHI) by covered entities, including the use and disclosure of such information for research purposes. In its current state, however, the HIPAA Privacy Rule is difficult to reconcile with other federal regulations, including U.S. Department of Health and Human Services (HHS) regulations for the protection of human subjects (the Common Rule), Food and Drug Administration regulations pertaining to human subjects, and other applicable federal or state laws. Inconsistencies, for example, in federal regulations governing the deidentification of personally identifiable health information, obtaining individuals’ consent for future research, and the recruitment of research volunteers make it challenging for health researchers seeking to comply with all these regulations to undertake important research activities.

In addition, there is substantial variation in the way in which institutions interpret and apply the Privacy Rule. For example, the way in which Institutional Review Boards (IRBs) interpret the provisions when making decisions about authorization requirements varies across institutions, and often is quite conservative. Especially for multisite research and studies that are reviewed by both IRBs and Privacy Boards, the inconsistent interpretation and application of the Privacy Rule’s provisions pertaining to research can create barriers to research and even lead to the discontinuation of ongoing research studies. Adding yet another layer of complexity and variability for health researchers is a lack of clarity in the way the Privacy Rule applies to various types of health research or closely related health care practices.

Moreover, there are significant gaps in who and what is covered by current federal research regulations. Whether a research activity is subject to the provisions of the Privacy Rule or the Common Rule depends on a number of factors, including the source of funding, the source of the data, and whether the researcher meets the definition of a covered entity. The situation in the United States is in stark contrast to the situation in most other countries, where uniform regulations apply to all research conducted in the country.

The committee believes a new direction is needed, with a more uniform approach to patient protections, including privacy, in health research. Improved clarity, harmonization, and uniform application of regulations governing health research are needed to align the interests and understandings of the research community, the custodians of PHI, and other stakeholders, so that implementation of the privacy protections in health research can be achieved with acceptability by all.

Overemphasis on Informed Consent

The principle of autonomy currently dominates the ethical landscape for both medical care and clinical research in the United States and serves as the justification for the doctrine of informed consent (i.e., authorization) in the Privacy Rule. Historically, informed consent was based on the idea that “every human being of adult years and sound mind has a right to determine what shall be done with his own body.”[3] It was primarily considered a protection against physical harm, permitting informed, competent patients to refuse unwanted medical interventions, to choose among medically available alternatives, and to make choices that conflict with the wishes of family members or the recommendations of physicians (Buchanan, 1999; Lo, in press). Under this system, a great deal of information-based health research was conducted using personally identifiable health records without the informed consent of the persons whose records were used.

Several recent developments have brought attention to this practice, and have focused attention on the historical absence of patient autonomy in information-based research. First, the increased use of electronic health records has made it significantly easier for researchers to access large quantities of personally identifiable data. Second, the move towards personalized medicine, and the potential improvements to population health and health care that could be developed based on a better understanding of the determinants of health and illness, have increased researchers’ needs for personally identifiable health information.

Under the Privacy Rule the concept of informed consent is extended beyond control of one’s body, to control of one’s health information in an attempt to address the historical lack of informational autonomy, and with the goal of protecting individuals against the nonphysical harm of unauthorized uses or disclosures of their protected health information. However, consent (authorization) itself cannot achieve the separate aim of privacy protection.
The Privacy Rule, as currently defined and operationalized in practice, does not provide effective privacy safeguards for information-based research because of an over-reliance on informed consent, rather than comprehensive privacy protections.

[3] Stated by Justice Benjamin Cardozo in Schloendorff v. Society of New York Hospital, 105 N.E. 92 (N.Y. 1914).

The Limitations of Relying on Consent to Protect Privacy

As has been described above, the protection of medical privacy in the data processing environment requires the adoption of comprehensive privacy protections, which establish a variety of obligations on entities that collect and use personal information. These obligations to safeguard privacy, such as security, transparency, and accountability, are independent of patient consent. In fact, preventing the secondary use of personal data is the only privacy obligation that consent can potentially address. However, informed consent has recently been put forward as an alternative to the adoption of comprehensive privacy protections, with the practical consequence that many privacy obligations are ignored (Allen, 2007; Rotenberg, 2001; Solove et al., 2006) (see the section on Other Federal Actions for examples of currently proposed bills). This section describes some of the major limitations of relying heavily on informed consent to protect informational privacy, as is done in the HIPAA Privacy Rule, rather than requiring the implementation of a full range of privacy protections.

With a primary focus on informed consent in privacy laws, many entities that hold personal health data may have insufficient incentives to implement comprehensive privacy protections. If compliance with consent requirements frees the data holders from further privacy obligations, some organizations and researchers may be less likely to invest in privacy-enhancing technologies or the infrastructure necessary to truly protect data. This emphasis also creates few reasons for organizations to make their activities transparent or to create institutional accountability (AHIC, 2008; Cate, 2008; CDT, 2008a,b; U.S. Congress, 2008a).

In addition, although informed consent can allow patients to control whether their information is used for any secondary purposes, such as research, few patients are sufficiently informed to make educated decisions about how their data should be used (Schneider, 2006). Studies indicate that many consumers do not read the details of informed consent forms, which are often lengthy documents, and even when they do read the forms they often do not comprehend all the details (Cate, 2008).
Two separate studies have found that many consumers mistake the existence of any privacy policy for a guarantee that information will be strongly protected and withheld from outside persons, even if the consent says differently (Good et al., 2005; Turow et al., 2007). This difficulty is magnified by the fact that often patients are asked to give informed consent at a time when they are not in good health and are not motivated or lack the ability to make these kinds of complicated decisions (CDT, 2008b; U.S. Congress, 2008a).

Relying heavily on informed consent rather than comprehensive privacy obligations may also lead to a shift from substantive privacy protections toward costly procedural requirements that actually provide consumers with few meaningful choices, especially if informed consent is required as a condition of obtaining services (Cate, 2008; Thomas and Walport, 2008). Data holders may offer blanket consents to shield themselves from liability without actually providing any substantial privacy protection. In these situations patients lack reasonable alternatives and are forced to relinquish control over how their health information is used (CDT, 2008a,b; Thomas and Walport, 2008; U.S. Congress, 2008a,b).

In the case of medical records research, it is questionable as to whether a reliance on informed consent actually fosters patient confidentiality and protection (AMS, 2006, 2008; Casarett et al., 2005; Thomas and Walport, 2008). For example, if individuals must be contacted each time their records may be used in a particular study in order to obtain informed consent, as the Privacy Rule requires, such contact could be considered intrusive and counter to the tenets of confidentiality. Also, a common methodological approach to studying disease is to compare people with a particular disease to people who do not have that disease—known as a case-control study. But people may become alarmed if they are asked to consent to their records being used in such a study on a particular disease (e.g., cancer) for which they have not been diagnosed (Casarett et al., 2005).

Because of these limitations, the committee believes it is important to shift the focus in privacy protections toward a set of more comprehensive privacy obligations. This will ensure that health information privacy protections are more robust and more likely to minimize the risks to personal privacy that result from the collection of personally identifiable health information.

Failure to Incorporate Other Meaningful Privacy Protections

Implementation of the Privacy Rule does not ensure that covered entities or the research community will adopt a full range of measures to protect data; the security, transparency, and accountability provisions have proven ineffectual.

As highlighted in Chapter 2, the HIPAA Security Rule does lay out a number of security requirements that covered entities must implement for protecting electronic protected health information. However, despite this regulation, there have been a number of highly publicized examples of data security breaches in health research, most often due to stolen or misplaced computers containing health data.
A recent survey conducted by Campus Computing Project found that from 2006 to 2007, colleges of all types saw a 3.6 percent increase in the number of stolen computers with sensitive data. This problem was most prevalent at major research universities (Foster, 2008). Also, a report from the Identity Theft Resource Center found that identity thefts are up 69 percent for the first half of 2008, compared to the same time period in 2007, and so the consequences of security breaches are more likely to lead to tangible harm than previously believed (ITRC, 2008). These facts suggest that holders of personally identifiable health data should be required to implement security safeguards beyond what is provided for under the current HIPAA Security Rule.

In addition, as discussed in Chapter 4, it has been argued that the current interpretation of the Privacy Rule has not successfully resulted in accountability for misuses and unauthorized disclosures of protected health information. The regulation provides both civil and criminal penalties for covered entities that breach the Privacy Rule, but enforcement of the Privacy Rule has been criticized as inadequate. To date, there have been no civil penalties imposed against any covered entity and only three criminal prosecutions, despite the fact that between April 2003 and August 2008, more than 38,000 complaints were received by HHS regarding alleged violations of the Privacy Rule. HHS has not provided information on how many of these alleged violations are in the context of health research (HHS, 2008a; Rahman, 2006). On July 18, 2008, HHS required a monetary payment to settle potential violations of the Privacy and Security Rules for the first time, signaling that HHS may start to take a more assertive approach to enforcement of the Privacy and Security Rules in the future (HHS, 2008b). This agreement was in response to the covered entity allowing backup tapes, optical disks, and laptops—containing unencrypted protected health information on 386,000 patients—to be stolen or lost.

Finally, the accounting for disclosures provision of the Privacy Rule was intended to make covered entities’ actions open and transparent (discussed in Chapter 4). This provision gives individuals the right to receive a list of certain disclosures that a covered entity has made of their protected health information in the past 6 years, including disclosures made for research purposes.4 However, this requirement has numerous exceptions. Also, for research involving groups of 50 or more, covered entities are only required to produce a general list of all protocols for which a person’s protected health information may have been disclosed, but do not have to provide any more specific information. Therefore, the accounting for disclosures provision does not require covered entities to provide individuals with a clear description of how their health information is used, and does not provide individuals with the detailed information they may want (AHIC, 2007; Pritts, 2008).
At the same time, survey data show that this provision is a considerable administrative obligation for covered entities, and is rarely requested by patients (AHIMA, 2006; see also Chapter 4).

4 See 45 C.F.R. § 164.528 (2006).

Improve the Effectiveness of Health Research

The health research goal emphasizes the importance of research in extending high-quality, healthy lives, and in leading to improved methods for prevention, diagnosis, and treatment. Unfortunately, the available evidence indicates that the current interpretation and implementation of the Privacy Rule has had an unintended negative impact on health research. As discussed in Chapter 5, the Privacy Rule, as interpreted and implemented by covered entities, has:

• Increased the cost and time needed to conduct a research project from start to finish
• Made recruitment of research participants more difficult
• Increased the likelihood of selection bias and made it more difficult to produce generalizable findings
• Increased research participants’ confusion regarding their rights and protections
• Led researchers to abandon important studies
• Created new barriers to the use of patient specimens collected during clinical trials or treatment
• Failed to create an effective way for researchers to conduct studies using data with direct identifiers removed

These negative consequences are particularly problematic in light of recent trends in health care and research. Since the Privacy Rule was implemented, health data have assumed an even greater role in health research, and will become more essential as health care administration moves toward personalized medicine, in which preventive and therapeutic interventions are tailored to the individual characteristics of patients. Developing drug therapies and treatment protocols that focus on smaller and smaller subsets of the population based on genetic makeup or health history and environmental exposures requires access to more and more personal data to conduct effective health research. In addition, burgeoning health care costs and increasing limitations on expenditures by health care plans highlight the need for health services research to better determine which patients benefit from current approaches and which patients may even be harmed. If the current approach to privacy protection in research under the Privacy Rule continues unchanged, these advances will be burdened and potentially delayed, and opportunities for medical progress may be lost.

Alternative models

The challenges described above are causing some leading scientists, legal experts, and privacy advocates to develop new paradigms for determining when personally identifiable health data, including biological samples, can be used for research. The recognition that a primary focus on consent is not always meaningful or protective of privacy, and that it impedes important information-based research, is gaining acknowledgment in the United Kingdom and in other countries in Europe, as well as the United States (AMS, 2006, 2008; Thomas and Walport, 2008). The committee reviewed several alternative models and took them into consideration in the development of the proposed new framework for protecting privacy in health research.

• Reciprocity, Solidarity, and Mutuality Models. These models seek to address the situation where there is no consent for future research uses (whether specified or unspecified). Proponents of the reciprocity model argue that by accepting the benefit of past medical research (which is intrinsic in the use of medical services), patients inherently agree to allow the use of their health information in future research for the common good (Knoppers and Chadwick, 2005; Liu, 2007). Critics of this approach argue that voluntary altruism by past research participants imposes no reciprocal obligation on the larger community (Jonas, 1991). Proponents of the solidarity model similarly argue that individual ties to society and social relationships require individuals to participate in research without informed consent for the common good (Chadwick and Berg, 2001). The mutuality model is based on the insurance industry’s concept of individuals entering a pool for sharing losses and known risks. In the research context, mutuality requires individuals to pool their health information for the benefit of all, rather than provide for discretionary control of individual information (Knoppers and Chadwick, 2005).
• Harms-Based Model. The harms-based model seeks to narrowly tailor the restrictions that are applied to the use of personally identifiable health information based on the specific risks associated with unauthorized use of that information. There are two categories of potential harm commonly cited with respect to unauthorized uses of personally identifiable health information: (1) discrimination and stigmatization and (2) erosion of trust leading to compromises in health care (NCVHS, 2007). For example, such an approach would logically call for the adoption of nondiscrimination legislation and a requirement that entities with a legitimate need for personally identifiable health information secure the information against further unauthorized access.
This would arguably address directly the risks of harm to the individuals involved when their personally identifiable health information is used for research, while recognizing the need for researchers’ access to information in order to achieve the public’s goals of improving individual and public health and advancing scientific knowledge.

Improve the Application of Privacy Protections for Health Research

The goal of improving the application of privacy protections for health research stresses the need for consistent standards for the use and disclosure of personally identifiable health information in health research. The extent of privacy protections should not depend on the holder of the personally identifiable health information, the source of the data, or what type of funding is supporting the research project. In addition, all institutions required to comply with the privacy protections should ideally interpret and implement them in a consistent manner. Major problems identified with the Privacy Rule’s regulation of research under this principle include: (1) discrepancies between the Privacy Rule and other rules and regulations relevant to health research, (2) the Privacy Rule’s limitation in scope, and (3) large variations in interpretation and implementation by covered entities.

Discrepancies with Other Rules That Regulate Research

The Privacy Rule was intended to provide consistent standards in the United States for the use and disclosure of protected health information, including for research purposes. However, in the current state, the Privacy Rule is difficult to reconcile with HHS regulations for the Protection of Human Subjects (45 C.F.R. 46), the Food and Drug Administration human subjects regulation (21 C.F.R. parts 50 and 56), and other applicable federal and state laws. For example, the provisions governing data deidentification, consent for future research, and recruitment of research volunteers vary among these regulations, making important research activities more challenging to undertake (see Chapter 4).

Limitation in Scope

The Privacy Rule pertains only to covered entities; thus this regulation does not apply uniformly to all health research in the United States (see Chapter 4). Similarly, as described in Chapter 3, the Common Rule only applies to research conducted or supported by the U.S. government (although its influence is broader because most institutions that accept federal funds sign a federalwide assurance to abide by the Common Rule requirements in all research conducted at the institution, regardless of funding source). Because both of these Rules are limited in scope, there are significant gaps in whom and what is covered by current federal research regulations.
This is in stark contrast to most other countries, in which research regulations are not limited by provisions regarding funding or particular health care transactions, but instead apply to all research conducted in that country (Casarett et al., 2005).

Differences in Interpretation

Because the Privacy Rule is such a complex regulation, there is substantial variation across institutions in how the Privacy Rule has been interpreted and implemented (see Chapter 5). For example, the way in which Institutional Review Boards (IRBs) and Privacy Boards interpret the concepts of impracticability and minimal risk when making decisions about authorization requirements varies across institutions, and often is quite conservative (see Chapter 4). Inconsistent interpretation and application of the Privacy Rule research provisions by IRBs, Privacy Boards, and covered entities that hold the protected health information, especially for multisite research and studies that are reviewed by multiple IRBs and Privacy Boards, can create barriers to research such as variations in protocol at different institutions and, at times, discontinuation of studies. A lack of clarity in how the Privacy Rule applies to various types of health research or closely related health care practices adds another layer of complexity and variability (see Chapter 3). In fact, some covered entities are reluctant to permit access to data for research even when all provisions of the Privacy Rule are followed, out of fear of misinterpreting the Privacy Rule (Casarett et al., 2005; Rothstein, 2005).

THE NEW FRAMEWORK

Given the clear limitations of the HIPAA Privacy Rule, the committee concluded that a new approach to the regulation of health research is needed. The committee favors an approach in which both individual privacy and the societal value of research are carefully considered and supported. To achieve this goal, the committee identified a number of key concepts (CIHR, 2005; Gostin, 2001) to incorporate into the new framework, including:

• All researchers should be required to follow the same set of privacy rules.
• Whenever possible, information-based research should be done using health data with direct identifiers removed.
• Access to personally identifiable health data without patient consent should require impartial, outside scientific and ethical review that considers:
  — Measures taken to protect the privacy, security, and confidentiality of the data;
  — Potential harms that could result from disclosure of the data; and
  — Potential public benefits of the research.
• Researchers should identify and document research objectives to justify the data they wish to use and/or collect.
• Researchers, institutions, and organizations that store personally identifiable health data should establish security safeguards and set limits on access to data.
• Researchers who violate individuals’ privacy should be penalized.

These concepts are intended to support the beneficial use of existing health data, as well as the collection and use of health data for research purposes, while protecting individuals’ privacy.

Examples of Informative Models

One informative example that incorporates many of the privacy principles listed above is Ontario’s Personal Health Information Protection Act (PHIPA).5 This provincial law governs the manner in which “personal health information”6 is collected, used, and disclosed within the Ontario health care system. PHIPA only applies to the province of Ontario (not the entire country) and operates in a universal health care system, so the legislation as a whole may not be easily transferable to the United States. However, many of the major concepts in PHIPA influenced the committee’s deliberations regarding the new framework.

PHIPA shares a number of similarities with the Privacy Rule (Table 6-1). In general, both regulations require the holder of personally identifiable health data to obtain informed consent (referred to as authorization in the Privacy Rule)7 before using any personally identifiable health information for a purpose other than providing services directly related to health care of the patient. If a researcher wishes to use personally identifiable health data without informed consent, both regulations require the researcher to obtain a waiver of informed consent approved by an independent ethics board prior to the start of the study.

Despite these similarities, the Privacy Rule and PHIPA have some key differences that are important in research. One major difference is that unlike the Privacy Rule, which applies privacy obligations unevenly across the health care sector, PHIPA implements a more uniform approach.
PHIPA applies to health information custodians (HICs) (e.g., providers, hospitals, and pharmacies) who collect, use, and disclose personal health information and to non-HICs when they receive personal health information from a HIC. This means that the privacy protections follow the data, even after the data are no longer held by a HIC. All health researchers are required to comply with PHIPA when using personal health information. In contrast, the Privacy Rule fails to provide individuals with privacy protections if their information is held by an entity other than a covered entity. Only some researchers qualify as covered entities or are employed by covered entities and are directly regulated by the Privacy Rule; for others, the Privacy Rule regulates access to protected health information held by covered entities but the researchers themselves are not subject to the provisions.

5 Personal Health Information Protection Act, Statutes of Ontario 2004, Ch. 3, Schedule A; Ontario Regulation 329/04.
6 PHIPA defines personal health information as “identifying information about an individual in oral or recorded form” (PHIPA, Section 4).
7 The remainder of this chapter uses the term “informed consent” to refer to the requirement of obtaining permission to use personally identifiable data.

TABLE 6-1 The HIPAA Privacy Rule Versus PHIPA

Entities Regulated
HIPAA Privacy Rule: Covered entities: Includes health care providers, health plans, and health care clearinghouses that electronically transmit health information in the course of normal health care practices
PHIPA:
• Health information custodians (HICs) that collect, use and disclose personal health information (PHI)
• Non-health information custodians who receive personal health information from an HIC

Information Protected
HIPAA Privacy Rule: Protected health information (PHI): All personally identifiable health information created or received by a covered entity
PHIPA: PHI: Identifying information about an individual in oral or recorded form that:
• Relates to his or her physical or mental health
• Relates to providing health care
• Relates to the donation of a body part or bodily substance

Consent
HIPAA Privacy Rule: Express consent is required for the collection, use, and disclosure of PHI to researchers, except if waived by an Institutional Review Board (IRB) or Privacy Board (express consent must be in writing)
PHIPA: In general, HICs must obtain express consent to share PHI outside the health care system, or to share PHI for any purpose other than one related to providing health care (NOTE: Express consent may be oral or written)

Disclosures to Researchers Without Consent
HIPAA Privacy Rule: Covered entities may disclose PHI to researchers without obtaining authorization in the following circumstances:
• They have documentation that an IRB or Privacy Board waived the authorization requirement
• For activities that are preparatory to research
• For research on decedents
• Where the data are part of a limited dataset and the researcher enters into a data use agreement
• The information is deidentified
PHIPA: Disclosure of PHI for research requires approval of researcher’s research plan by a Research Ethics Board (REB). Researchers must agree to:
• Comply with the conditions imposed by the REB
• Use PHI only for purpose set out in the research plan
• Not publish information in a form that could identify an individual
• Not disclose information unless required by law and subject to prescribed exceptions and additional requirements
• Not make contact or attempt to make contact with the individual unless the HIC first obtains consent
• Notify the HIC of any breach
• Comply with the agreement entered into with the HIC

Waiver of Informed Consent/Authorization Standard
HIPAA Privacy Rule: The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
• An adequate plan to protect the identifiers from improper use and disclosure
• An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers
• An adequate written assurance that PHI will not be reused or disclosed to any other person or entity
And, the research could not practicably be conducted without the waiver or alteration
And, the research could not practicably be conducted without access to and use of PHI
PHIPA: An REB shall consider the matters that it deems relevant, including:
• Whether the objectives of the research can reasonably be accomplished without using the PHI that is to be disclosed
• Whether, at the time the research is conducted, adequate safeguards will be in place to protect the privacy of the individuals whose PHI is being disclosed and to preserve the confidentiality of the information
• The public interest in conducting the research and in protecting the privacy of the individuals whose PHI is being disclosed
• Whether obtaining the consent of the individuals whose PHI is being disclosed would be impractical

Immunity
HIPAA Privacy Rule: None
PHIPA: HICs and their agents are protected from liability for acts done and omissions made in good faith and reasonably in the circumstances in the exercise of powers or duties under PHIPA

Certified Entities
HIPAA Privacy Rule: None
PHIPA: HICs may disclose PHI to a “prescribed person or entity” without consent, for purposes of compiling or maintaining a registry of PHI intended to facilitate or improve the provision of health care, and for the purpose of analyzing or compiling statistical information with respect to the management, evaluation, or monitoring of the allocation of resources to, or planning for, all or part of the health system. Information compiled by “prescribed persons and entities” is permitted to be used for research, but must follow the same research rules as HICs in using or disclosing PHI for research

Deidentification
HIPAA Privacy Rule: There are two methods to deidentify information:
• Under the statistical method, a statistician or person with appropriate training verifies that enough identifiers have been removed that the risk of identification of the individual is very small
• Under the safe harbor method data is considered deidentified if the covered entity removes 18 specified personal identifiers from the data
PHIPA: To “deidentify,” in relation to the PHI of an individual, means to remove any information that identifies the individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual, and “deidentification” has a corresponding meaning. HICs and prescribed persons and entities must exercise their own judgment in removing identifiers

A second major difference is the Privacy Rule and PHIPA’s treatment of deidentified information. Deidentified information is outside the scope of both rules.
However, PHIPA provides a more vague definition of “deidentified” than the Privacy Rule, defining it to mean the removal of “any information that identifies the individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual.”8 Because of the lack of specificity in the definition, and the fact that the Ontario Information and Privacy Commissioner has not issued any guidance on the deidentification process, HICs are required to exercise judgment in determining when enough identifiers have been removed that the information is deidentified. Many HICs take a very conservative approach to the disclosure of personal-level, deidentified information for research and require Research Ethics Board approval (Canadian equivalent of an IRB or Privacy Board).9 In contrast, the Privacy Rule provides two very detailed methods of deidentifying health information: (1) the safe harbor method, and (2) the statistical method (see Chapter 4). If a covered entity complies with either of these methods, it may disclose the deidentified information to researchers without IRB or Privacy Board approval.

A third major difference is that under PHIPA, HICs are permitted to disclose personal health information without consent to “prescribed persons or entities” that are prescribed by the legislation, including registries compiled or maintained for purposes of facilitating or improving the provision of health care or that relate to the storage or donation of body parts or bodily substances. In order to be designated as a prescribed person or entity, the person or entity must have in place practices, policies, and procedures to protect the privacy of individuals whose personal health information it receives and to maintain the confidentiality of such information. These practices, policies, and procedures must be reviewed and approved by Ontario’s Information and Privacy Commissioner (IPC), an individual appointed by the Ontario Legislature, every 3 years. Prescribed persons and entities must also make public a description of the functions of the registry and a summary of its practices, policies, and procedures.
Currently, five registries are designated as a “prescribed person” under PHIPA.10 Once personal health information is held by a prescribed entity, the entity may use and disclose the information for research purposes in accordance with the normal rules and restrictions on HICs disclosing information for research—including the requirement for approval by a Research Ethics Board if the information is in identifiable form. There are several advantages for researchers in obtaining information from prescribed entities, rather than other HICs. Prescribed entities collect personal health information from a wide range of sources and can link and match the personal health information longitudinally. In addition, there is little danger of selection bias, because informed consent is not required in the collection of the data. Prescribed entities very rarely need to disclose information in identifiable form for research, because researchers are given data that is already aggregated and linked. PHIPA instructs the prescribed entities to use their judgment in determining if information is deidentified. However, as noted above, all prescribed entities must have their policies and practices reviewed by the IPC, including their policies for the deidentification of data. As a result, prescribed entities are confident in their deidentification process, and researchers obtaining data from prescribed persons are rarely required to obtain informed consent or Research Ethics Board approval.

8 PHIPA, Section 47(1) (2007).
9 Personal communication, Ann Cavoukian, Ontario’s Office of the Information and Privacy Commissioner, October 20, 2008.
10 The Cardiac Care Network of Ontario (Registry of Cardiac Services), INSCYTE (Information System for Cytology), The Canadian Stroke Network (Canadian Stroke Registry), Cancer Care Ontario (Colorectal Cancer Screening Registry), and Hamilton Health Sciences Corporation (Critical Care Information System).

Recently, a similar approach to prescribed entities was recommended in a report commissioned by the United Kingdom’s Prime Minister on secondary uses of personal information. This report suggested the creation of “safe harbors,” which have three defining characteristics: (1) they provide a secure environment for processing personally identifiable health data, (2) they are restricted to “approved researchers” who meet relevant criteria, and (3) they implement penalties and allow for criminal sanctions against researchers who abuse their access to personally identifiable data (Thomas and Walport, 2008).

The United Kingdom approach is also comparable to PHIPA, because both models incorporate the concept that personally identifiable information should only be disclosed for health research when the research is beneficial to the public and has scientific merit. PHIPA instructs Research Ethics Boards to consider both “the public interest in conducting the research and the public interest in protecting the privacy of the individuals whose PHI is being disclosed” when reviewing research plans.
The United Kingdom model identifies the principle of proportionality, defined as “an objective judgment as to whether the benefits outweigh the risks,” as a key consideration when deciding whether personal information may or may not be shared for health research (Thomas and Walport, 2008). There is also a precedent for weighing scientific merit in the United States—as previously noted in Box 4-5, Centers for Medicare & Medicaid’s (CMS’s) Privacy Boards are instructed to “balance the potential risks to the beneficiary confidentiality with the probable benefits gained from the completed research,” as well as to consider the researchers’ demonstrated expertise and experience in conducting such a study.

The committee believes an approach similar to PHIPA and the recently proposed model from the United Kingdom, combined with strong security measures, offers adequate privacy protections for personally identifiable health information, while greatly expanding research opportunities. In particular, the prescribed entity/safe harbor concept offers a useful way to conduct medical records research and effectively protect patient privacy and confidentiality by facilitating greater use of deidentified data in research. Also, PHIPA, the United Kingdom model, and the CMS focus on only permitting the disclosure of personally identifiable information for socially beneficial research that has scientific merit ensures that approved research projects address important health questions and utilize a scientifically rigorous methodology. In addition, PHIPA’s focus on transparency, by requiring prescribed persons and entities to post their research purpose, policies, and procedures, is consistent with desirable comprehensive privacy protections.

The Committee’s Recommendation

The committee recommends that Congress authorize HHS and other relevant federal agencies to develop a new approach to ensuring privacy in health research. When this new approach is implemented, HHS should exempt health research from the Privacy Rule. The committee suggests a two-part practical approach to protecting health information privacy because there are fundamental differences between information-based research and direct, interventional human subjects research.

First, congressional action should be taken to require all interventional research (e.g., Phase I–III clinical trials) to comply with the Common Rule, regardless of funding source. This would eliminate current gaps in oversight and provide protection for all patients who consent to participate in interventional clinical trials. In addition, all researchers who gain access to personally identifiable health information as part of the interventional research should be required to protect that information with strong security measures, as recommended in Chapter 2.
Research participants should be allowed to provide consent for future research uses of data and biological materials collected as part of the interventional study, as long as an IRB reviews and approves the future uses, ensuring that the new study is not incompatible with the original consent (as recommended in Chapter 4).

Second, Congress should authorize HHS and other relevant federal agencies to develop a new approach to uniform, goal-oriented oversight of information-based research, with a focus on best practices in privacy, security, and transparency as in PHIPA and the proposed United Kingdom model (CIHR, 2005; Thomas and Walport, 2008) and minimizing ineffective and burdensome administrative tasks. This new approach should include a mechanism by which some programs or institutions could be certified by HHS or another accrediting body, similar to a prescribed entity as in PHIPA or a “safe harbor” as in the United Kingdom model. Such certified entities could then collect and analyze personally identifiable health information for clearly defined and approved purposes, without individual consent. Because of the administrative requirements in becoming certified, this option is most appropriate for disease registries and other very large scale research databases. The regulations should require specific privacy safeguards for certified entities, including mandatory privacy training for all staff/researchers; signing of confidentiality agreements; privacy breach policies and procedures; and mandatory privacy impact assessments. In addition, the regulations should require certified entities to publicize the scope and purpose of their data collection (e.g., the types of studies that may be undertaken with the data). The regulations could also require entities to provide details on what their database will not be used for, to assure the public that certain types of activities will not be conducted.

Certified entities could also link personally identifiable data from multiple sources (see discussion on linking in Chapter 4) and then provide aggregated datasets to researchers with direct identifiers removed (see discussion on deidentified data and limited datasets in Chapter 4) (AMS, 2008; Thomas and Walport, 2008). Aggregation would generate more complete datasets for analysis and thus lead to more meaningful research results. Data with direct identifiers removed would protect patient privacy in research and would also streamline research efforts by eliminating the need to undergo ethics board review, which is not required for research using deidentified data under the Privacy Rule, PHIPA, or the United Kingdom model. To further protect privacy, unauthorized reidentification of information that has had direct identifiers removed should be prohibited by law, and violators should face legal sanctions. In addition, researchers receiving information with direct identifiers removed should be required to establish security safeguards and to set limits on access to data.
In cases where researchers cannot use data with direct identifiers removed, and personally identifiable health information is needed for research, approval and oversight by an ethics board should be required, partially analogous to what is now done under the HIPAA Privacy Rule and PHIPA. This ethics oversight board could perhaps entail a new body specifically formulated to review medical records research, rather than relying on traditional IRBs that were created to review interventional research. If researchers seek a waiver of informed consent, an ethics oversight board should consider the measures the researchers have proposed to take to protect the privacy, security, and confidentiality of the data, the potential harms that could result from disclosure of the data, and the potential public benefits of the proposed research study. Privacy should not automatically be a more compelling interest than improving health care. However, even research with little risk to privacy should not be conducted if the study has little scientific merit or anticipated public benefit.

Under this new system, HHS should implement real consequences for any researcher or institution that mishandles personally identifiable health information, regardless of whether it is obtained through informed consent or under a waiver of informed consent. In order to facilitate consistent application of this option, HHS should issue clear guidance and best practices (as recommended in Chapter 4) on how to assess the potential harm, the proposed measures to protect privacy and confidentiality, and the potential public benefits of a research study, as has been done under PHIPA. For example, the Canadian Institute for Health Information has developed best privacy practices for research to provide guidance for determining whether or not a waiver of consent is warranted (CIHR, 2005).

The primary focus of many IRBs in reviewing research protocols in the past has been on risks to the physical safety of research participants. There is a great deal of variability in whether and how IRBs consider the public benefit and scientific merit of research proposals. But the first rule of ethical research is that the research must have scientific value—meaning that it addresses an important question of human health and is designed and conducted using methodology that is appropriate and rigorous. The scientific merit of research varies by project, just as the potential risk to privacy of research varies across different protocols. The committee believes that when making decisions about whether a research protocol that entails the disclosure of personally identifiable information should go forward, ethical oversight boards should take all these factors—potential risks/harms to research participants’ privacy as well as scientific merit and potential public benefit of the research proposal—into consideration.
In 2001, a previous IOM committee, the Committee on Assessing the System for Protecting Human Research Subjects, recommended that “human research participant protection programs” use distinct mechanisms for initial, focused reviews of scientific merit and financial conflicts of interest and that these reviews should precede and inform the comprehensive ethical review of research studies. Ethical oversight board members themselves may not have the expertise to assess the merit of diverse research studies, but they should have access to evaluations by scientific review committees or funder peer review panels. Input regarding the scientific value of studies from these experts would help ethical oversight boards assess the anticipated benefits of a proposed research project.

The Role of Informed Consent in the New Framework

Informed consent is intended to achieve two purposes: (1) protect research participants from harm and (2) provide respect for the person (including the person’s privacy, religious beliefs, cultural preferences, and world views). As outlined above, the framework maintains a requirement for informed consent for all interventional clinical research. The purpose of informed consent in this type of research is mainly to protect research participants from harm by providing a description of the potential risks and benefits of the study and to seek permission to involve the subject. Although privacy protection is a component of the risk/benefit considerations, the main focus traditionally has been on physical harms. One study found that confidentiality is one of the least important considerations for potential research participants in deciding whether to participate in interventional clinical research (Tait et al., 2002).

However, it is important to note that interventional researchers are expected to follow the principles of medical ethics, which require that information disclosed in the course of medical treatment is kept as confidential as possible. Moreover, the committee’s framework includes the recommendation that strong security safeguards be required for any data collected in conjunction with an interventional study. The framework’s permission of future consent for researchers’ use of data and biological materials actually increases individuals’ ability to exercise control over their personally identifiable information. Under the Privacy Rule, the requirement to obtain a new authorization form signed for each research study means that most future studies actually proceed under a waiver of authorization, and individuals are deprived of all input into future uses of their information (Nosowsky and Giordano, 2006). Thus, informed consent in this context addresses protection from both physical harm and dignitary harm.

In contrast, in information-based research that relies solely on medical records and stored biospecimens, the research participant faces no risk of physical harm.
In this context, informed consent is intended to ensure that individuals are able to exercise control over their personally identifiable health information that is held by third parties, and to give individuals the right to determine whether their personally identifiable health information can be used in a particular research project (or a series of such projects, if consent for future research is permitted). However, a universal requirement for informed consent can lead to invalid results, because of significant differences between patients who do or do not grant consent, and missed opportunities to advance medical science because it can be prohibitively costly and difficult to obtain consent for studies that require analysis of very large datasets.

As a result, the framework includes two alternatives to requiring informed consent that can be used in certain circumstances (i.e., disclosure to a certified entity and waiver of informed consent by an ethics oversight board), which are intended to facilitate research that is in the public interest. For research that makes use of these two alternatives, the framework counterbalances the absence of informed consent with an increase in security, transparency, and accountability protections by: (1) requiring certified entities to protect the privacy and confidentiality of personally identifiable health information records in a manner that is approved by an outside party (HHS or a different body), (2) requiring certified entities to fully disclose what research is being conducted with their data, (3) requiring ethics oversight review for research that uses personally identifiable data under a waiver of informed consent, (4) implementing clear and consistent consequences for researchers who are responsible for privacy or security breaches, and (5) encouraging the development and use of improved security protections for use in health research.

Public opinion polls indicate that a significant portion of the public would prefer to control all access to their medical records via informed consent. However, as noted above, a universal requirement for informed consent would impede important health research and lead to biased, ungeneralizable results, to the detriment of society. The committee believes that the new framework provides strong protections for data privacy and security, beyond that currently provided under the Privacy Rule, while increasing the opportunities for important health research by offering an alternative to informed consent under certain circumstances.

The Belmont Report, one of the most influential reports on the advancement of human research participant protections, recognizes that principles of respect for persons and autonomy are not absolutes and must be considered along with other ethical principles. It acknowledges that there may be compelling reasons to limit autonomy, providing that “To show lack of respect for an autonomous agent is to repudiate that person’s considered judgments, to deny an individual the freedom to act on those considered judgments, or to withhold information necessary to make a considered judgment, when there are no compelling reasons to do so” (emphasis added) (HEW, 1979). Similarly, a 1994 IOM report argued that existing health information, stored in medical records and biospecimen banks, should be released to researchers without informed consent if such studies were regarded as being in the public’s interest (IOM, 1994).
If society seeks to derive the benefits of medical research in the form of improved health and health care, information should be shared to achieve that societal benefit (Chadwick and Berg, 2001; Knoppers and Chadwick, 2005; Liu, 2007), and governing regulations should support the use of such information. Recent reports from the United Kingdom have come to a similar conclusion and recommend that the law allow the use of personally identifiable health information without consent if the use of that information is necessary and the potential benefits to society outweigh the individual risks (AMS, 2006, 2008; Thomas and Walport, 2008). In the committee’s proposed new framework, the greater emphasis on ensuring the security protections of personally identifiable health information, facilitating research using data with direct identifiers removed, and ensuring the scientific merits of any proposed research should help to foster its acceptability. Nonetheless, to implement this new framework, effective communication with the public regarding the value of this model will be important to address concerns and gain acceptance, as recommended in Chapter 3.

THE NEW FRAMEWORK ADDRESSES THE OVERARCHING GOALS

The committee supports its argument in favor of implementing a new framework for protecting privacy in health research by outlining how this approach achieves the committee’s three overarching goals: (1) improving the privacy and data security of health information, (2) improving the effectiveness of health research, and (3) improving the application of privacy protections for health research (see Box 6-1). The committee believes many of the limitations of the current federal regulation of research can be improved or solved by the proposed framework.

Improving the Privacy and Data Security of Health Information

The new framework includes a number of mechanisms to improve the protection of research participants’ privacy and security in health research.

First, the privacy of research participants is improved because the new framework applies to all institutions and all health researchers who collect, use, and disclose personally identifiable health information. Similar to Ontario’s PHIPA, this means that the privacy protections follow the data. No matter what entity or individual holds the personally identifiable data, the same set of privacy safeguards are required.

Second, the new framework maintains the requirement that researchers obtain informed consent for all interventional clinical research and strengthens the security protections of data collected in the course of a clinical trial. The new framework also permits research participants in interventional, clinical research to provide informed consent for future research uses of their data and biological materials collected as part of the study.
The privacy of these individuals is protected by requiring an IRB to review any future studies and to determine that the future uses are not incompatible with the original informed consent. This aspect of the new framework actually promotes individuals’ ability to exercise control over their personally identifiable information. As stated above, the requirement in the Privacy Rule that researchers must obtain new authorization for every use of protected health information means that most future studies proceed under a waiver of authorization, and individuals are deprived of all input into future uses of their information (Nosowsky and Giordano, 2006).

Third, the new framework protects privacy by maintaining the default requirement that researchers must obtain informed consent to use personally identifiable data for research. If researchers wish to use personally identifiable data without obtaining informed consent for information-based research, they are required to identify and document their research objectives to an ethics oversight board, and they must identify the measures by which they will protect the privacy, security, and confidentiality of the data. The ethics oversight boards provide impartial review, and are only permitted to waive informed consent after considering the measures to protect the privacy, security, and confidentiality of the data; the risk of harm in conducting the research; and the potential public benefit of the research study.

Fourth, the new framework protects privacy by creating certified entities that facilitate researchers’ use of data with direct identifiers removed. One of the major problems with the deidentification provisions of the Privacy Rule is the difficulty in linking data from multiple sources to generate more complete datasets or to follow patient outcomes longitudinally (see Chapter 5 for more details). The new framework’s certified entity concept provides a solution to this problem; certified entities are able to link and match personally identifiable information longitudinally from multiple sources and can then disclose data with direct identifiers removed to researchers. Because the data provided by certified entities with direct identifiers removed has already been linked and aggregated, it is more useful for research. Thus, researchers will be able to make greater use of deidentified datasets and will need access to personally identifiable data in fewer situations. Privacy is improved because there are fewer risks to privacy when researchers do not access or use personally identifiable data.
In addition, the privacy of data held by certified entities is protected because certified entities are required to have their privacy and security policies approved and re-approved on a regular basis by an outside party (HHS or a different body). Certified entities are also required to implement specific privacy safeguards including mandatory privacy training for all staff/researchers, signing of confidentiality agreements, privacy breach policies and procedures, mandatory privacy impact assessments, and security safeguards and limits on access to data.

Finally, the new framework protects privacy in health research by requiring the implementation of comprehensive privacy protections, including transparency, accountability, and security. Transparency is improved by the new framework’s requirement that certified entities publicize the scope and purpose of their data collection and provide information on what uses of their data will not be permitted. Transparency is also achieved by requiring researchers to describe in detail their research plans and objectives (either to potential research participants or to the ethics oversight board) and to justify the data they wish to use and/or collect. Accountability is improved by the new framework because it requires Congress and HHS to implement clear and consistent consequences for researchers who are responsible for privacy or security breaches. The new framework also includes provisions for penalizing any individuals who attempt to reidentify data that has had its direct identifiers removed. Security is improved in the new framework because all holders of health data, both personally identifiable data and data with direct identifiers removed, are required to implement security safeguards, as described in Chapter 2, and to set limits on access to data. The committee also believes that the increased emphasis on accountability in the new framework will encourage researchers and other stakeholders to invest money in developing privacy-enhancing technologies for use in research, to reduce the risk of accidental breaches and the associated consequences.

Improving the Effectiveness of Health Research

The new framework is intended to provide a method of regulating health research, including the protection of individual privacy, in a way that minimizes impediments to beneficial research.

First, allowing patients to consent to the future use of specimens collected during the course of an interventional study or treatment will reduce many barriers to researchers’ use of existing biospecimen banks. Patient privacy is protected by requiring any future uses of these specimens to be approved by an IRB, which should determine whether a proposed study has scientific merit, implements appropriate privacy protections, and is not incompatible with the original consent.

Second, the creation of certified entities that can receive personally identifiable health information for information-based research without patient informed consent, similar to PHIPA’s prescribed entities and the United Kingdom’s safe harbors (Thomas and Walport, 2008), will result in more complete and representative datasets, and thus will result in more generalizable results.
The creation of certified entities will also facilitate research using data with direct identifiers removed. As stated above, under the current system, researchers cannot link datasets from multiple covered entities without a unique identifier. If a certified entity performed this task, researchers could make greater use of data without identifiers.

Third, the goal-oriented framework with a focus on best practices should aid the work of both researchers and IRBs and reduce the variability across different institutions. For example, it should be easier for IRBs to make appropriate decisions regarding waivers of informed consent because the framework’s goal is to allow beneficial research to be conducted if comprehensive privacy and security safeguards are in place and privacy risks are minimized. Identification and dissemination of best practices in privacy protection for various types of health research would help delineate what IRBs should do to facilitate responsible research, rather than just defining what is permissible.

Finally, the committee believes this framework will reduce some of the research costs and time that have increased since the Privacy Rule was implemented because the framework is designed to make research oversight more uniform and to reduce administrative burdens.

Improving the Application of Privacy Protections for Health Research

A recent report by the National Committee on Vital and Health Statistics (NCVHS) recognized the importance of having nationally uniform privacy protections for all secondary uses of health data, including research. The report criticized the Privacy Rule’s reliance on the covered entity construct and creation of business associate agreements to PHI (NCVHS, 2007). The framework proposed by the IOM committee addresses this criticism of the Privacy Rule, and provides for a comprehensive regulation of research that applies to all researchers and protects all personally identifiable health data in research. It eliminates a primary problem of harmonization of privacy protections because the framework is intended to be the only regulation governing researchers’ use of health data. In addition, the implementation of this framework would improve the clarity of privacy protections because currently much of the confusion is due to the Privacy Rule’s complicated interactions with other existing privacy regulations, such as the Common Rule.

One potential challenge under the new framework is the need to define health research and to distinguish interventional research from information-based research. HHS will need to develop clear guidelines to help researchers and ethics oversight boards consistently make this distinction.
The identification and dissemination by HHS of best practices in research protections (as recommended in Chapter 5) will be important to ensure greater uniformity of goal-oriented research oversight and to ensure that the framework is implemented in a way that facilitates research without undermining individual privacy. In addition, there will be some administrative burden in certifying and overseeing the certified entities.

RELEVANCE OF THE RECOMMENDATION TO OTHER FEDERAL ACTIONS

The committee’s recommendation for a new framework to regulate health research is particularly timely because new actions at the federal level are being considered or have already been taken to protect the privacy of electronic health records. These developments raise new concerns about potential impacts on health research. The committee believes this proposal will stimulate fresh ideas about the best ways to protect privacy and improve research as the nation addresses these two interrelated values over the next several years.

An example of one of the recent developments affecting research is the Department of Veterans Affairs’ (VA’s) August 2007 directive. Outlining new conditions under which it would release data from VA hospitals to state central cancer registries, the directive requires states to sign a data use agreement with the VA and to agree to implement privacy and security protections above and beyond the protections required in the HIPAA Privacy and Security Rules. Among other requirements, state registries must agree not to release VA cancer data to persons outside the registry or to reuse the data for any purpose other than for maintaining cancer statistics (Kolata, 2007b).

Each state has a law establishing cancer surveillance programs that collect information on every patient who is diagnosed with cancer in that state. Also, the National Cancer Institute (NCI) collects cancer statistics from 17 U.S. regions in order to track national cancer rates. Prior to the VA directive, the state cancer surveillance programs and the NCI included information gathered from VA hospitals. However, as of October 10, 2007, only a small percentage of the states had signed the VA directive, and most cancer surveillance programs were missing data on veterans (Kolata, 2007a). In addition, the VA directive stipulates that researchers who want to use cancer statistics from VA hospitals must either obtain permission from the VA Under Secretary of Health or collaborate with a VA researcher on the project. Health researchers are finding it hard to conduct cancer research under these conditions, which makes it difficult to find VA researchers willing to collaborate on specific projects.
The directive also complicates the IRB approval process, often requiring researchers to obtain approval from their local IRB, the cancer registry IRB, and the VA Under Secretary (Kolata, 2007b). In addition, cancer researchers who either cannot meet the VA requirements or choose not to go through the additional procedural requirements, and do not include VA data in their study, risk having their results compromised by selection bias (see Chapter 5, section on Selection Bias). Several recently proposed bills that address the use of electronic medi- cal records also contain language regarding health privacy and health research (Table 6-2). In 2004, President Bush issued an executive order calling for the wide- spread adoption of an interoperable electronic health record system within 10 years, arguing that health information technology (HIT) is a means of addressing rising health care costs and improving the quality and efficiency of health care (Bush, 2004). In response, HHS has awarded a number of HIT grants to gather information on privacy and security issues in HIT, solicited recommendations from NCVHS, and created the American Health

TABLE 6-2 Health Information Technology (HIT) Bills from the 110th Congress  Proposed Bill Main Purpose(s) Privacy Provisions Research Provisions Status Wired for Health To enhance the • Establishes an advisory body • Gives researchers access to In the Senate: Care Quality Act adoption of a to provide policy advice to the deidentified patient • Approved by the Health, (S 1693), nationwide, U.S. Department of Health enrollment data, Education, Labor and sponsored by interoperable health and Human Services (HHS) reimbursement claims, and Pensions Committee on Sens. Kennedy information on the protection of survey data maintained by 6/07 [D-NY] and Enzi technology (HIT) personally identifiable health HHS or its contractors • Sen. Kennedy filed a written [R-WY]; system, and to information, including ways • Also gives researchers report on 10/07 Promoting improve the quality to notify individuals if their access to deidentified data • Placed on the unanimous Health and reduce the costs information is wrongfully maintained by the federal consent calendar for a vote Information of health care disclosed government or government without debate or Technology (HR • Organizations competing for contractors where feasible possibility of amendment 3800), sponsored federal HIT grants must • In general, research is still by Rep. Eshoo protect the privacy and governed by the HIPAA In the House: Referred to the [D-CA] security of health information Privacy Rule Committee on Energy and and preserve an audit record Commerce • Expands the definition of “covered entity” under HIPAA to include operators of HIT systems

Independent To encourage the • Participation in an IHRT must • Researchers may only Referred to the House Health Record creation, use, and be voluntary access an individual’s health Committee on Energy and Trust Act of maintenance of • IHRTs must have privacy data stored in an IHRT Commerce, and to the 2007 (HR 2991), electronic health protection agreements, which when given express Committee on Ways and sponsored by records in govern the access and transfer informed consent, and Means Reps. Ryan [D- independent health of individuals’ data researchers may only access OH] and Moore records trusts • Requires express informed those portions of the record [D-KS] (IHRTs), and to consent before individuals’ as specified by the provide a secure and information can be disclosed participant privacy-protected • Gives IHRTs a fiduciary duty framework in which to act for the benefit and health records are interests of its participants; only made available penalties for breach include by the affirmative loss of certification, fines of consent of $50,000 or less, prison terms individuals of 5 years or less • Requires an audit trail to be maintained • Provides for individual notification of all breaches  continued

TABLE 6-2 Continued  Proposed Bill Main Purpose(s) Privacy Provisions Research Provisions Status TRUST in Health To ensure privacy, • Outlines specific requirements • Leaves the HIPAA Privacy Referred to the House Information Act security, and for maintaining a HIT system Rule in place for health Committees on Energy and of 2008 (HR confidentiality in the that is private, secure, and research Commerce, Ways and Means, 5442), sponsored creation of a confidential • Requires HHS to prepare a Education and Labor, and by Rep. Markey nationwide, • Provides consumers with Report to Congress on Financial Services [D-MA] interoperable health specific privacy rights whether informed consent information • Requires express informed should be required for the infrastructure, and consent before individuals’ use of personal health to provide for the information can be disclosed information in research, strong enforcement for most purposes and under what of these rights by • Creates an individual right of circumstances creating criminal action for knowing or • As soon as reasonably and civil penalties negligent violations of the Act possible, researchers who • Authorizes states’ attorney receives personal health generals to bring civil actions information must remove on behalf of residents or destroy information that would enable an individual to be identified, unless otherwise approved by an IRB • HHS will provide IRBs with periodic review and technical assistance

Health To ensure the • Creates the Office of Health • Leaves the HIPAA Privacy Read twice and referred to the Information privacy of health Information Privacy to Rule in place for health Senate Health, Education, Privacy and information, to establish privacy and security research Labor and Pensions Security Act (S promote the use of standards for HIT products • Requires HHS to prepare a Committee on 7/18/2007 1814), sponsored deidentified and to outline punishments Report to Congress on by Sens. Leahy information in for violations whether informed consent [D-VT] and health research, and • Provides consumers with should be required for the Kennedy [D-MA] to provide for the specific privacy rights use of personal health strong enforcement • Requires express informed information in research, of these rights by consent before individuals’ and under what creating criminal information can be disclosed circumstances and civil penalties for most purposes • As soon as reasonably • Creates an individual right of possible, researchers who action for knowing violations receive personal health of the Act information must remove or destroy information that would enable an individual to be identified, unless otherwise approved by an IRB • HHS will provide IRBs with periodic review and technical assistance  continued

Proposed Bill: Health Information Technology Act (HR 6357), sponsored by Reps. Dingell [D-MI], Barton [R-TX], Pallone [D-NJ], and Deal [R-GA]
Main Purpose(s): To encourage the use of HIT, develop technical standards, and improve the quality and reduce the costs of health care
Privacy Provisions:
• Provides for individual notification of all breaches
• Requires HHS to designate an individual in each regional office to offer guidance and education to covered entities, business associates, and the public on the rights and responsibilities related to PHI
• Encourages the use of limited datasets
• Requires an audit trail to be maintained
Research Provisions:
• Directs the Office of the National Coordinator of Health Information Technology to “facilitate health research and health care quality”
• Directs HHS to issue guidance on how to best implement the deidentification standards in the HIPAA Privacy Rule
Status: Currently in draft form

Information Community to provide policy advice (AHIC, 2006; GAO, 2007; NCVHS, 2006).

But privacy concerns are emerging as a primary obstacle to implementing a nationwide HIT system, with many privacy and consumer groups pushing for tighter privacy protections than offered under the Privacy Rule. In a 2006 poll, 62 percent of respondents stated that the use of electronic health records would pose new risks to privacy, and 42 percent answered that the privacy risks of HIT outweigh expected benefits (Harris Interactive, 2007). Another poll found that 80 percent of Americans say they are very concerned about identity theft or fraud in an HIT system (Markle Foundation, 2006). The Government Accountability Office recently released a report that legitimized these concerns and criticized HHS for failing to define an overall approach for protecting privacy in a nationwide HIT system (GAO, 2007).

To address the privacy concerns, Congress has proposed a number of bills intended to advance the implementation of an HIT system and at the same time protect individual privacy¹¹ (see Table 6-2). Several of these bills include new restrictions and rules governing researchers’ access to personally identifiable health information. It is unclear whether any of these bills will pass or what requirements a final law might include. However, because a nationwide HIT system has the potential to facilitate health research by making large amounts of health data available to study, and thus could lead to major advances in medicine, caution is warranted. Adoption of new, restrictive regulations might impede health research, to the detriment of patients and society. Therefore, a closer examination of some concepts that have been incorporated into these proposed bills, including autonomy and informed consent, is warranted.
At the same time, it is clear there is a need to develop privacy safeguards that anticipate the risk of extensive electronic recordkeeping, as well as the growing problems of identity theft and security breaches.

¹¹ A number of bills from the 110th Congress also address the implementation of HIT, but do not include comprehensive privacy or research provisions, including HR 1368, S 1408, and S 1455.

CONCLUSIONS AND RECOMMENDATIONS

The primary justification for including research provisions in the HIPAA Privacy Rule was to remedy perceived shortcomings of federal privacy protections in health research under the Common Rule. But the Privacy Rule has numerous limitations of its own. In proposing the Privacy Rule, HHS acknowledged that, ideally, it would have preferred to regulate health researchers directly by extending the protections of the Common Rule to research that is not federally supported and by imposing additional criteria for the waiver of patient informed consent for the use of personally identifiable health information in research.¹² But HHS recognized it did not have the authority to do this. For that reason, HHS attempted to protect the health information released to researchers indirectly (but within the scope of its limited authority) by imposing restrictions on information disclosures by covered entities. NCVHS and others have noted the limitations of the Privacy Rule and have called for stronger protections of health privacy—notably, by expanding the purview of the Privacy Rule beyond the current covered entities. However, the IOM committee believes an even bolder change is needed.

¹² U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (1997), and Standards for Privacy of Individually Identifiable Health Information: Proposed Rule, 64 Fed. Reg. 59918, 59967 (1999) (for a discussion on the benefits of health records research).

The number of studies using medical records to address important questions about health and disease will likely increase with the growing availability of electronic health records. As the volume and importance of digital personally identifiable health data increase exponentially, the public can be expected to heighten demands for a legal framework that provides meaningful safeguards to protect health information in the health research setting.

Thus, the IOM committee recommends that Congress authorize HHS and other relevant federal agencies to develop a new framework for ensuring privacy that would apply uniformly to all health research and that will both protect individuals’ privacy and facilitate responsible and beneficial health research. When this new approach is implemented, HHS should exempt health research from the HIPAA Privacy Rule. The new approach would enhance privacy protections through improved data privacy and security, increased transparency of activities and policies, and greater accountability.

The new approach should do all the following:

• Apply to any person, institution, or organization conducting health research in the United States, regardless of the source of data or funding.
• Entail clear, goal-oriented, rather than prescriptive, regulations.
• Require researchers, institutions, and organizations that store health data to establish strong data security safeguards.
• Make a clear distinction between the privacy considerations that apply to interventional research and research that is exclusively information based.
• Facilitate greater use of data with direct identifiers removed in health research, and implement legal sanctions to prohibit unauthorized reidentification of information that has had direct identifiers removed.
• Require ethical oversight of research when personally identifiable health information is used without informed consent. HHS should develop best practices for oversight that should consider:
  — Measures taken to protect the privacy, security, and confidentiality of the data;
  — Potential harms that could result from disclosure of the data; and
  — Potential public benefits of the research.
• Certify institutions that have policies and practices in place to protect data privacy and security in order to facilitate important large-scale information-based research for clearly defined and approved purposes, without individual consent.
• Include federal oversight and enforcement to ensure regulatory compliance.

A new approach to protecting the privacy of personally identifiable information used in health research that emphasizes privacy, security, accountability, and transparency and that is applicable to all health research in the United States would eliminate the research community’s confusion, reduce institutional variability in research privacy practices, facilitate responsible research, and enhance the public’s trust in the research enterprise. Clear and simple regulations that are less subject to varying interpretation by ethical oversight boards, as well as federal oversight and enforcement of regulatory compliance, will be important to consistently and efficiently ensure privacy and instill trust while enabling important research.
The new framework developed by HHS and other relevant federal agencies should provide strong and effective protection for often-sensitive personally identifiable health information and facilitate scientific discovery and medical innovation necessary to save lives and enhance the quality of the public’s health. And it should do so in a way that does not burden individuals with a flurry of health privacy notices and consent forms, or burden our health care system with a new level of bureaucracy and expense.

REFERENCES

AHIC (American Health Information Community). 2006. Letter to Michael Leavitt. http://www.ncvhs.hhs.gov/061030lt.pdf (accessed September 3, 2008).

AHIC. 2007. Confidentiality, privacy, and security workgroup, summary of the th web conference. http://137.187.25.8/healthit/ahic/materials/summary/cpssum_100407.html (accessed August 27, 2008).
AHIC. 2008. Confidentiality, privacy & security workgroup draft recommendation letter from September , 00. http://www.hhs.gov/healthit/ahic/materials/08_08/cps/rec_letter.html (accessed September 19, 2008).
AHIMA (American Health Information Management Association). 2006. The state of HIPAA privacy and security compliance. http://www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf (accessed April 20, 2008).
Allen, A. 2007. Allen’s privacy law and society. Eagan, MN: Thomson-West.
AMS (Academy of Medical Sciences). 2006. Personal data for public good: Using health information in medical research. http://www.acmedsci.ac.uk/images/project/Personal.pdf (accessed August 28, 2008).
AMS. 2008. Submission to data sharing review. http://www.acmedsci.ac.uk/download.php?file=/images/publication/120341733123.pdf (accessed September 4, 2008).
Buchanan, A. 1999. An ethical framework for biological samples policy, National Bioethics Advisory Committee commissioned paper. In Research involving human biological materials: Ethical issues and policy guidance. Vol. II. Washington, DC: National Bioethics Advisory Commission. Pp. B1–B31.
Bush, G. W. 2004. Executive Order 13335. Fed. Reg. 0.
Casarett, D., J. Karlawish, E. Andrews, and A. Caplan. 2005. Bioethical issues in pharmacoepidemiological research. In Pharmacoepidemiology, 4th ed., edited by B. L. Strom. West Sussex, England: John Wiley & Sons, Ltd. Pp. 417–432.
Cate, F. 2008 (unpublished). The autonomy trap.
CDT (Center for Democracy & Technology). 2008a. Beyond consumer consent: Why we need a comprehensive approach to privacy in a networked world. http://www.cdt.org/healthprivacy/20080221consentbrief.pdf (accessed September 4, 2008).
CDT. 2008b. Comprehensive privacy and security: Critical for health information technology. Version 1.0. http://www.cdt.org/healthprivacy/20080514HPframe.pdf (accessed September 4, 2008).
Chadwick, R., and K. Berg. 2001. Solidarity and equity: New ethical frameworks for genetic databases. Nature 2:318–321.
CIHR (Canadian Institutes of Health Research). 2005. CIHR best practices for protecting privacy in health research. Ottawa, Ontario: Public Works and Government Services Canada.
Foster, A. L. 2008. Increase in stolen laptops endangers data security. The Chronicle of Higher Education July 4.
GAO (Government Accountability Office). 2007. Health information technology: Early efforts initiated but comprehensive privacy approach needed for national strategy. Washington, DC: GAO.
Good, N., R. Dhamija, J. Grossklags, D. Thaw, S. Aronowitz, D. Mulligan, and J. Konstan. 2005. Stopping spyware at the gate: A user study of privacy, notice and spyware. http://cups.cs.cmu.edu/soups/2005/2005proceedings/p43-good.pdf (accessed September 4, 2008).
Gostin, L. O. 2001. Health information: Reconciling personal privacy with the public good of human health. Health Care Analysis 9:321.
Harris Interactive. 2007. The benefits of electronic medical records sound good, but privacy could become a difficult issue. http://www.harrisinteractive.com/news/printerfriend/index.asp?NewsID=1174 (accessed April 3, 2007).

HEW (Department of Health, Education and Welfare). 1979. The Belmont Report: Ethical principles and guidelines for the protection of human subjects of research. http://ohsr.od.nih.gov/guidelines/belmont.html (accessed August 21, 2008).
HHS. 2008a. Compliance and enforcement: Privacy Rule enforcement highlights. http://www.hhs.gov/ocr/privacy/enforcement/ (accessed July 23, 2008).
HHS. 2008b. Resolution agreement. http://www.hhs.gov/ocr/privacy/enforcement/agreement.pdf (accessed October 3, 2008).
IOM (Institute of Medicine). 1994. Health data in the information age: Use, disclosure, and privacy. Washington, DC: National Academy Press.
IOM. 2006. Effect of the HIPAA Privacy Rule on health research: Proceedings of a workshop presented to the National Cancer Policy Forum. Washington, DC: The National Academies Press.
ITRC (Identity Theft Resource Center). 2008. Security breaches. http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List_printer.shtml (accessed July 22, 2008).
Jonas, H. 1991. Philosophical reflections on experimenting with human subjects. In Biomedical ethics, edited by T. A. Mappes and J. S. Zembaty. New York: Oxford University Press. Pp. 215–219.
Knoppers, B. M., and R. Chadwick. 2005. Human genetic research: Emerging trends in ethics. Nature Reviews Genetics 6:75–79.
Kolata, G. 2007a. How data on cancer are collected and used. The New York Times, October 10.
Kolata, G. 2007b. States and V.A. at odds on cancer data. The New York Times, October 10.
Liu, E. T. 2007. The importance of research using personal information for scientific discovery and the reduction of disease, in personal information for biomedical research. Annex A. http://www.bioethics-singapore.org/uploadfile/20013%20PMPI%20Annex%20A-3.pdf (accessed September 4, 2008).
Lo, B. 2009 (in press). Resolving ethical dilemmas: A guide for clinicians. 4th ed. Philadelphia, PA: Lippincott Williams & Wilkins.
Markle Foundation. 2006. Survey finds Americans want electronic personal health information to improve own health care. http://www.markle.org/downloadable_assets/research_doc_120706.pdf (accessed September 4, 2008).
NCVHS (National Committee on Vital and Health Statistics). 2006. Functional requirements needed for the initial definition of a nationwide health information network. http://www.ncvhs.hhs.gov/061030lt.pdf (accessed September 4, 2008).
NCVHS. 2007. Enhanced protections for uses of health data: A stewardship framework for “secondary uses” of electronically collected and transmitted health data. http://ncvhs.hhs.gov/071221lt.pdf (accessed December 19, 2007).
Nosowsky, R., and T. Giordano. 2006. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule: Implications for clinical research. Annual Review of Medicine 57:575–590.
Pritts, J. 2008. The importance and value of protecting the privacy of health information: Roles of HIPAA Privacy Rule and the Common Rule in health research. http://www.iom.edu/CMS/3740/43729/53160.aspx (accessed March 15, 2008).
Rahman, N. 2006. Medical: Reflections on privacy: Recent developments in HIPAA Privacy Rule. I/S: A Journal of Law and Policy for the Information Society 2(3):685.
Rotenberg, M. 2001. Fair information practices and the architecture of privacy: (what Larry doesn’t get). Stanford Technology Law Review 1. http://stlr.stanford.edu/STLR/Articles/01_STLR_1 (accessed November 6, 2008).

Rothstein, M. A. 2005. Research privacy under HIPAA and the Common Rule. Journal of Law, Medicine & Ethics 33(1):154–159.
Schneider, C. E. 2006. After autonomy. Wake Forest Law Review 41(2):411–444.
Solove, D. J., M. Rotenberg, and P. M. Schwartz. 2006. Information privacy law. 2nd ed. New York: Aspen Publishers.
Tait, A. R., T. Voepel-Lewis, A. Robinson, and S. Malviya. 2002. Priorities for disclosure of the elements of informed consent for research: A comparison between parents and investigators. Paediatric Anaesthesia 12:332–336.
Thomas, R., and M. Walport. 2008. Data sharing review report. http://www.justice.gov.uk/docs/data-sharing-review.pdf (accessed September 4, 2008).
Turow, J., D. K. Mulligan, and C. J. Hoofnagle. 2007. Consumers fundamentally misunderstand the online advertising marketplace. http://groups.ischool.berkeley.edu/samuelsonclinic/files/annenberg_samuelson_advertising.pdf (accessed September 4, 2008).
U.S. Congress, House of Representatives, Energy and Commerce Committee. 2008a. Discussion draft of health information technology and privacy legislation. Statement of Deven McGraw, Director, Health Privacy Project, Center for Democracy & Technology. June 4.
U.S. Congress, House of Representatives, Energy and Commerce Committee. 2008b. Discussion Draft of Health Information Technology and Privacy Legislation. Statement of Byron Thames, AARP Board of Directors. June 4.


In the realm of health care, privacy protections are needed to preserve patients' dignity and prevent possible harms. Ten years ago, to address these concerns as well as set guidelines for ethical health research, Congress called for a set of federal standards now known as the HIPAA Privacy Rule.

In its 2009 report, Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research, the Institute of Medicine's Committee on Health Research and the Privacy of Health Information concludes that the HIPAA Privacy Rule does not protect privacy as well as it should, and that it impedes important health research.
