lem. The panel's report will provide guidance to assist IRBs that review HSR, organizations that are not required to use IRBs but may still be concerned with balancing privacy and data access in such research, and health services researchers themselves.
Dr. Fitzmaurice continued that the DHHS is directed under the Health Insurance Portability and Accountability Act to promulgate federal regulations governing the privacy of personal health information. The proposed regulations allow the release of individually identifiable health data and information for use in research, under appropriate conditions. Current and proposed regulations would set conditions for safeguards that researchers must observe. Oversight mechanisms described in the proposed federal regulations on health privacy (Department of Health and Human Services, 1999) depend on the current IRB system but also would require complementary oversight bodies, called “privacy boards”(see Box 2-1); that would oversee the protection of personal health information in research not covered (by regulation or voluntarily) by the current IRB system—non-federally funded research for the most part.
Mr. John Fanning of the ASPE (also a sponsor of the project) provided further context for the workshop. Mr. Fanning pointed out that many sets of principles pertaining to privacy protection have already been published, but these principles may fail to provide practical guidance to investigators and IRBs concerned with HSR.1 In addition, he noted, little information is available regarding actual practices and procedures whereby the principles are implemented by IRBs. Such information is needed in order for IRBs to improve their oversight of HSR. In particular, Mr. Fanning explained, the agencies sponsoring the project believe that identification of best practices of IRBs in reviewing HSR could provide helpful guidance to other IRBs, as well as to organizations that are not required to have IRBs review health services research but wish to ensure that confidentiality and privacy are adequately protected in HSR.
The location of the boundaries of HSR, in the focus of the present project, has been an additional and difficult question. The regulations now in place define “research” as an activity intended to result in generalizable knowledge. However, it is often difficult to draw a line between HSR and other activities that use personal health information in databases, such as internal efforts at quality assurance, business planning, or marketing.
In the discussion immediately following the presentations, committee members highlighted their concerns about focusing on the protection of privacy in the context of research while ignoring very similar activities using databases that contain personal health information when undertaken for business or administrative purposes. The sponsors ' representatives replied that the Common Rule applies only to the oversight of research, not to these other activities. Thus, although the appropriate use of personal health information for purposes other than research is an important question that the nation has to address, the current project is intended to address only the more limited but still important topic of HSR.
Because different groups are developing principles to address different problems, or at least to address problems in different contexts, the sets of principles do not directly overlap in many instances —in particular, not mentioning a principle is not evidence that an organization would oppose it. These different perspectives make for difficult comparison (though see Buckovich, 1999). See, for example, GHPP, 1999; ISPE, 1997; Lowrance, 1997; AAMC, 1997; JHITA (web page), PhRMA (web page).