Currently Skimming:

6 A New Framework for Protecting Privacy in Health Research
Pages 245-284

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 245...
... To achieve this task, the IOM convened a committee to include individuals with a broad range of expertise and experience relevant to the stated goal of the project, including individuals with knowledge of the various fields of health research, privacy and human research protections, health law, health center administration, use and protection of electronic health information, and patient advocacy (see Chapter 1 for complete statement of task and the Front Matter for committee membership)
From page 246...
... The committee understands that the lines are not neat, the questions are complex, and the challenges are formidable. Nevertheless, the new framework aims to strengthen health research regulations and practices that effectively safeguard personally identifiable health information, and to facilitate data collection and use for beneficial and high-quality health research, with appropriate oversight, to advance knowledge about human health.
From page 247...
... it does not provide other meaningful methods of protecting privacy, such as effective security, accountability, and transparency.
Overemphasis on Informed Consent
The principle of autonomy currently dominates the ethical landscape for both medical care and clinical research in the United States and serves as
1 The term "personally identifiable health information" is used when discussing individual's health data in a context independent of the HIPAA Privacy Rule or any other body of law.
From page 248...
... Practices of security, transparency, and accountability take on extraordinary importance in the health research setting: Researchers and other data users should disclose clearly how and why personally identifiable health information is being collected, used, and secured, and should be subject to legally enforceable obligations to ensure that personal information is used appropriately and securely. In this manner, privacy protection will help to ensure research participant and public trust and confidence in medical research.
From page 249...
... Inconsistencies, for example, in federal regulations governing the deidentification of personally identifiable health information, obtaining individuals' consent for future research, and the recruitment of research volunteers make it challenging for health researchers seeking to comply with all these regulations to undertake important research activities. In addition, there is substantial variation in the way in which institutions interpret and apply the Privacy Rule.
From page 250...
... Second, the move towards personalized medicine, and the potential improvements to population health and health care that could be developed based on a better understanding of the determinants of health and illness, have increased researchers' needs for personally identifiable health information. Under the Privacy Rule the concept of informed consent is extended beyond control of one's body, to control of one's health information in an attempt to address the historical lack of informational autonomy, and with the goal of protecting individuals against the nonphysical harm of unauthorized uses or disclosures of their protected health information.
From page 251...
... With a primary focus on informed consent in privacy laws, many entities that hold personal health data may have insufficient incentives to implement comprehensive privacy protections. If compliance with consent requirements frees the data holders from further privacy obligations, some organizations and researchers may be less likely to invest in privacy-enhancing technologies or the infrastructure necessary to truly protect data.
From page 252...
... This will ensure that health information privacy protections are more robust and more likely to minimize the risks to personal privacy that result from the collection of personally identifiable health information.
Failure to Incorporate Other Meaningful Privacy Protections
Implementation of the Privacy Rule does not ensure that covered entities or the research community will adopt a full range of measures to protect data; the security, transparency, and accountability provisions have proven ineffectual.
From page 253...
... Also, for research involving groups of 50 or more, covered entities are only required to produce a general list of all protocols for which a person's protected health information may have been disclosed, but do not have to provide any more specific information. Therefore, the accounting for disclosures provision does not require covered entities to provide individuals with a clear description of how their health information is used, and does not provide individuals with the detailed information they may want (AHIC, 2007; Pritts, 2008)
From page 254...
... If the current approach to privacy protection in research under the Privacy Rule continues unchanged, these advances will be burdened and potentially delayed, and opportunities for medical progress may be lost.
Alternative models
The challenges described above are causing some leading scientists, legal experts, and privacy advocates to develop new paradigms for determining when personally identifiable health data, including biological samples, can be used for research.
From page 255...
... This would arguably address directly the risks of harm to the individuals involved when their personally identifiable health information is used for research, while recognizing the need for researchers' access to information in order to achieve the public's goals of improving individual and public health and advancing scientific knowledge.
Improve the Application of Privacy Protections for Health Research
The goal of improving the application of privacy protections for health research stresses the need for consistent standards for the use and disclosure of personally identifiable health information in health research.
From page 256...
... Discrepancies with Other Rules That Regulate Research
The Privacy Rule was intended to provide consistent standards in the United States for the use and disclosure of protected health information, including for research purposes. However, in the current state, the Privacy Rule is difficult to reconcile with HHS regulations for the Protection of Human Subjects (45 C.F.R.
From page 257...
... • Researchers, institutions, and organizations that store personally identifiable health data should establish security safeguards and set limits on access to data. • Researchers who violate individuals' privacy should be penalized.
From page 258...
... 7 before using any personally identifiable health information for a purpose other than providing services directly related to health care of the patient. If a researcher wishes to use personally identifiable health data without informed consent, both regulations require the researcher to obtain a waiver of informed consent approved by an independent ethics board prior to the start of the study.
From page 259...
... HIPAA Privacy Rule: information in the course of normal health care practices
PHIPA: • Non-health information custodians who receive personal health information from an HIC
Information Protected
HIPAA Privacy Rule: Protected health information (PHI): All personally identifiable health information created or received by a covered entity
PHIPA: PHI: Identifying information about an individual in oral or recorded form that:
• Relates to his or her physical or mental health
• Relates to providing health care
• Relates to the donation of a body part or bodily substance
Consent
HIPAA Privacy Rule: Express consent is required for the collection, use, and disclosure of PHI to researchers, except if waived by an International Review Board (IRB)
PHIPA: In general, HICs must obtain express consent to share PHI outside the health care system, or to share PHI for any purpose other
From page 260...
... BEYOND THE HIPAA PRIVACY RULE
TABLE 6-1 Continued (columns: HIPAA Privacy Rule, PHIPA)
Waiver of Informed Consent/Authorization Standard
HIPAA Privacy Rule: The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
• An adequate plan to protect the identifiers from improper use and disclosure
• An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers
• An adequate written assurance that PHI will not be reused or disclosed to any other person or entity
And, the research could not practicably be conducted without the waiver or alteration
And, the research could not practicably be conducted without access to and use of PHI
PHIPA: An REB shall consider the matters that it deems relevant, including:
• Whether the objectives of the research can reasonably be accomplished without using the PHI that is to be disclosed
• Whether, at the time the research is conducted, adequate safeguards will be in place to protect the privacy of the individuals whose PHI is being disclosed and to preserve the confidentiality of the information
• The public interest in conducting the research and in protecting the privacy of the individuals whose PHI is being disclosed
• Whether obtaining the consent of the individuals whose PHI is being disclosed would be impractical
Immunity
HIPAA Privacy Rule: None
PHIPA: HICs and their agents are protected from liability for acts done and omissions made in good faith and reasonably in the circumstances in the exercise of powers or duties under PHIPA
From page 261...
... HIPAA Privacy Rule: data is considered deidentified if the covered entity removes 18 specified personal identifiers from the data
PHIPA: HICs and prescribed persons and entities must exercise their own judgment in removing identifiers
... and are directly regulated by the Privacy Rule; for others, the Privacy Rule regulates access to protected health information held by covered entities but the researchers themselves are not subject to the provisions. A second major difference is the Privacy Rule and PHIPA's treatment of deidentified information.
From page 262...
... Prescribed persons and entities must also make public a description of the functions of the registry and a summary of its practices, policies, and procedures. Currently, five registries are designated as a "prescribed person" under PHIPA.10 Once personal health information is held by a prescribed entity, the entity may use and disclose the information for research purposes in accordance with the normal rules and restrictions on HICs disclosing information for research -- including the requirement for approval by a Research Ethics Board if the information is in identifiable form.
From page 263...
... Privacy Boards are instructed to "balance the potential risks to the beneficiary confidentiality with the probable benefits gained from the completed research," as well as to consider the researchers' demonstrated expertise and experience in conducting such a study. The committee believes an approach similar to PHIPA and the recently proposed model from the United Kingdom, combined with strong security measures, offers adequate privacy protections for personally identifiable health information, while greatly expanding research opportunities.
From page 264...
... This would eliminate current gaps in oversight and provide protection for all patients who consent to participate in interventional clinical trials. In addition, all researchers who gain access to personally identifiable health information as part of the interventional research should be required to protect that information with strong security measures, as recommended in Chapter 2.
From page 265...
... In addition, researchers receiving information with direct identifiers removed should be required to establish security safeguards and to set limits on access to data. In cases where researchers cannot use data with direct identifiers removed, and personally identifiable health information is needed for research, approval and oversight by an ethics board should be required, partially analogous to what is now done under the HIPAA Privacy Rule and PHIPA.
From page 266...
... on how to assess the potential harm, the proposed measures to protect privacy and confidentiality, and the potential public benefits of a research study, as has been done under PHIPA. For example, the Canadian Institute for Health Information has developed best privacy practices for research to provide guidance for determining whether or not a waiver of consent is warranted (CIHR, 2005)
From page 267...
... For research that makes use of these two alternatives, the framework counterbalances the absence of informed consent with an increase in security, transparency, and accountability protections by: (1) requiring certified entities to protect the privacy and confidentiality of personally identifiable health information records in a manner that is approved by an outside party (HHS or a different body)
From page 268...
... In the committee's proposed new framework, the greater emphasis on ensuring the security protections of personally identifiable health information, facilitating research using data with direct identifiers removed, and ensuring the scientific merits of any proposed research should help to foster its acceptability.
From page 269...
... Improving the Privacy and Data Security of Health Information
The new framework includes a number of mechanisms to improve the protection of research participants' privacy and security in health research. First, the privacy of research participants is improved because the new framework applies to all institutions and all health researchers who collect, use, and disclose personally identifiable health information.
From page 270...
... Finally, the new framework protects privacy in health research by requiring the implementation of comprehensive privacy protections, including transparency, accountability, and security. Transparency is improved by the new framework's requirement that certified entities publicize the scope and purpose of their data collection and provide information on what uses of their data will not be permitted.
From page 271...
... Patient privacy is protected by requiring any future uses of these specimens to be approved by an IRB, which should determine whether a proposed study has scientific merit, implements appropriate privacy protections, and is not incompatible with the original consent. Second, the creation of certified entities that can receive personally identifiable health information for information-based research without patient informed consent, similar to PHIPA's prescribed entities and the United Kingdom's safe harbors (Thomas and Walport, 2008)
From page 272...
... The framework proposed by the IOM committee addresses this criticism of the Privacy Rule, and provides for a comprehensive regulation of research that applies to all researchers and protects all personally identifiable health data in research.
From page 273...
... Several recently proposed bills that address the use of electronic medical records also contain language regarding health privacy and health research (Table 6-2)
From page 274...
... personally identifiable health HHS or its contractors • Sen. Kennedy filed a written [R-WY]
From page 275...
... (IHRTs), and to provide a secure and privacy-protected framework in which health records are only made available by the affirmative consent of individuals | consent before individuals' information can be disclosed • Gives IHRTs a fiduciary duty to act for the benefit and interests of its participants; penalties for breach include loss of certification, fines of $50,000 or less, prison terms of 5 years or less • Requires an audit trail to be maintained • Provides for individual notification of all breaches | as specified by the participant
From page 276...
... interoperable health information infrastructure, and to provide for the strong enforcement of these rights by creating criminal and civil penalties | specific privacy rights • Requires express informed consent before individuals' information can be disclosed for most purposes • Creates an individual right of action for knowing or negligent violations of the Act • Authorizes states' attorneys general to bring civil actions on behalf of residents | whether informed consent should be required for the use of personal health information in research, and under what circumstances • As soon as reasonably possible, researchers who receive personal health information must remove or destroy information that would enable an individual to be identified, unless otherwise approved by an IRB • HHS will provide IRBs with periodic review and technical assistance
From page 277...
... Leahy information in for violations whether informed consent [D-VT] and health research, and • Provides consumers with should be required for the Kennedy [D-MA]
From page 278...
... , and improve the individual in each regional Technology to "facilitate sponsored by quality and reduce office to offer guidance and health research and health Reps. Dingell [D- the costs of health education to covered entities, care quality" MI]
From page 279...
... Several of these bills include new restrictions and rules governing researchers' access to personally identifiable health information.
From page 280...
... As the volume and importance of digital personally identifiable health data increase exponentially, the public can be expected to heighten demands for a legal framework that provides meaningful safeguards to protect health information in the health research setting. Thus, the IOM committee recommends that Congress authorize HHS and other relevant federal agencies to develop a new framework for ensuring privacy that would apply uniformly to all health research and that will both protect individuals' privacy and facilitate responsible and beneficial health research.
From page 281...
... Clear and simple regulations that are less subject to varying interpretation by ethical oversight boards, as well as federal oversight and enforcement of regulatory compliance, will be important to consistently and efficiently ensure privacy and instill trust while enabling important research. The new framework developed by HHS and other relevant federal agencies should provide strong and effective protection for often-sensitive personally identifiable health information and facilitate scientific discovery and medical innovation necessary to save lives and enhance the quality of the public's health.
From page 282...
... 2005. CIHR best practices for protecting privacy in health research.
From page 283...
... 2008. The importance and value of protecting the privacy of health information: Roles of HIPAA Privacy Rule and the Common Rule in health research.
From page 284...
... 2008b. Discussion Draft of Health Information Technology and Privacy Legislation.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.