BEYOND THE HIPAA PRIVACY RULE

Overview of Conclusions and Recommendations

Ethical health research and privacy protections both provide valuable benefits to society. Health research is vital to improving human health and health care—and protecting individuals involved in research from harm and preserving their rights is essential to the conduct of ethical research. The primary justification for protecting personal privacy is to protect the interests of individuals. In contrast, the primary justification for collecting personally identifiable health information for health research is to benefit society. But it is important to stress that privacy also has value at the societal level because it permits complex activities, including research and public health activities, to be carried out in ways that protect individuals’ dignity. It is also important to note that health research can benefit individuals, for example, when it facilitates access to new therapies, improved diagnostics, and more effective ways to prevent illness and deliver care.

The U.S. Department of Health and Human Services (HHS) developed a set of federal standards for protecting the privacy of personal health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[1] The HIPAA Privacy Rule set forth detailed regulations regarding the types of uses and disclosures of individuals’ personally identifiable health information—called “protected health information”—permitted by “covered entities” (health plans, health care clearing houses, and health care providers who transmit information in electronic form in connection with transactions for which HHS has adopted standards under HIPAA).[2] A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of information needed to promote high-quality health care. The Privacy Rule also set out requirements for the conduct of health research.

[1] The HIPAA Privacy Rule can be found at 45 Code of Federal Regulations (C.F.R.) parts 160 and 164 (2006).

The Institute of Medicine (IOM) Committee on Health Research and the Privacy of Health Information (the committee) was charged with two principal tasks[3]: (1) to assess whether the HIPAA Privacy Rule is having an impact on the conduct of health research, defined broadly to include biomedical research, epidemiological studies, and health services research, as well as studies of behavioral, social, and economic factors that affect health; and (2) to propose recommendations to enable the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information (Box O-1).

The committee’s conclusion is that the HIPAA Privacy Rule does not protect privacy as well as it should, and that, as currently implemented, the Privacy Rule impedes important health research. The committee found that the Privacy Rule (1) is not uniformly applicable to all health research, (2) overstates the ability of informed consent to protect privacy rather than incorporating comprehensive privacy protections, (3) conflicts with other federal regulations governing health research, (4) is interpreted differently across institutions, and (5) creates barriers to research and leads to biased research samples, which generate invalid conclusions. In addition, security breaches are a growing problem for health care databases. In this report, the committee presents its analysis and findings, along with several recommendations for accomplishing the dual goals of protecting health privacy while facilitating responsible and beneficial research.
[2] 45 C.F.R. § 160.103 (2006).
[3] The study was funded by the National Institutes of Health, the National Cancer Institute, the Robert Wood Johnson Foundation, the American Cancer Society, the American Heart Association/American Stroke Association, the American Society for Clinical Oncology, the Burroughs Wellcome Fund, and C-Change.

BOX O-1
Committee Statement of Task

An Institute of Medicine committee will investigate the effects on health research of the Privacy Rule regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) section on Administrative Simplification and prepare a report. In conducting the study, the committee will:

1. Consider the range of study types, such as clinical trials, epidemiologic designs, research using tissue repositories and databases, public health research, and health services research, to the extent that available data and evidence allow;
2. Consider research carried out by the full range of sponsors: government, public and private academic, and for-profit sectors, including the pharmaceutical, biotechnology, and medical device industries;
3. Review provisions of the Privacy Rule relevant to health research, including those dealing with authorizations and accounting of disclosures of personal health information, deidentification of data, reviews preparatory to research, and others, and on reviewing them, may identify provisions that merit priority attention and analysis;
4. Consider issues of interpretation and implementation of the Privacy Rule, as well as of harmonization with overlapping provisions of the Common Rule and Food and Drug Administration regulations, which have existed much longer;
5. Examine the potential impact of the Rule on public health research, on the recruitment of research subjects for studies, on carrying out research internationally, and on research using data and biomaterials in databases and tissue repositories; and
6. Consider the needs for privacy of identifiable personal health information and the value of such privacy to patients and the public.

As data and evidence allow, the needs and benefits of patient privacy will be balanced against the needs, risks, and benefits of identifiable health information for various kinds of health research. The committee will formulate recommendations for alterations or retention of the status quo accordingly.

DEFINITIONS

Definition of Privacy and Why Privacy Is Important

The term “privacy” is used frequently, yet there is no universally accepted definition of the term, and there is considerable confusion about the meaning, value, and scope of the concept. The focus of the HIPAA Privacy Rule and the IOM committee’s report are on the privacy of personal health information. In this context, privacy pertains to the collection, storage, and use of personal information and addresses the question of who has access to personal information and under what conditions. Issues of privacy include whether specific types of data about an individual can be collected at all, as well as the justifications, if any, under which data collected for one purpose can be used for another purpose. Another important issue in privacy analysis is whether an individual has authorized particular uses of his or her personal information.

Although privacy is often used interchangeably with the terms “confidentiality” and “security,” they have distinct meanings. Confidentiality, though closely related to privacy, refers to the obligations of those who receive information in the context of an intimate relationship to respect the privacy interests of those to whom the data relate and to safeguard that information. Confidentiality addresses the issue of whether to keep information exchanged in that relationship from being disclosed to third parties. Thus, for example, confidentiality requires physicians not to disclose information shared with them by a patient in the course of a physician–patient relationship. Unauthorized or inadvertent disclosures of data gained as part of an intimate relationship are considered breaches of confidentiality.

Security, as defined by Turn and Ware in 1976, is “the procedural and technical measures required to (a) prevent unauthorized access, modification, use, and dissemination of data stored or processed in a computer system, (b) prevent any deliberate denial of service, and (c) to protect the system in its entirety from physical harm.”[4] Currently existing, commonly deployed security measures help keep health records safe from unauthorized use, although no security measure can prevent an invasion of privacy by individuals who have authority to access a health record.

American society places a high value on a private sphere protected from intrusion, and the bioethics principle of nonmaleficence[5] requires safeguarding personal privacy. Breaches of an individual’s privacy and confidentiality may affect a person’s dignity and cause irreparable harm. When personally identifiable health information[6] is disclosed to an employer, insurer, or family member, for example, the disclosure can result in stigma, embarrassment, and discrimination. Safeguarding privacy and confidentiality are also important for both individuals and society. Individuals are less likely to participate in health research or other socially and individually beneficial activities, including candid and complete disclosures of sensitive information to their physicians, if they do not believe their privacy is being protected.
[4] Turn, R., and W. H. Ware. 1976. Privacy and security issues in information systems. The RAND Paper Series. Santa Monica, CA: The RAND Corporation.
[5] The ethical principle of doing no harm, based on the Hippocratic maxim, primum non nocere, first do no harm.
[6] This term may encompass a broad range of information, including personal and family health history, physician notes and orders, test results, medication and immunization records, and documentation of surgeries or hospitalizations.

However, it should also be noted that perceptions of privacy vary among individuals and groups. Information that is considered intensely private by one person may not be by others. The concept of privacy is also context specific, and acquires a different meaning depending on the stated reasons for the information being gathered, the intentions of the parties involved, as well as the politics, convention, and cultural expectations.

The bioethics principle of respect for persons places importance on individual autonomy or self-determination, which allows individuals to make decisions for themselves about matters that are important to their own well-being. U.S. society also places a high value on individual autonomy, and one way to respect individuals is to ensure that they can make the choice about when, and whether, personal information (particularly sensitive information) can be shared with others.

Many statutory and regulatory protections of privacy have attempted to incorporate these values and concerns through emphasis on the principles of fair information practices,[7] which have been adopted in various forms at the international, federal, and state levels. The principles of fair information practices address issues such as data quality, limitations on collection and use, specification of purpose, security safeguards, openness of practices and policies, individual participation, and accountability. They reflect a broad consensus about the need for standards to protect individual privacy and to facilitate information flows in an increasingly technology-dependent, global society.

Definition of Health Research and Why Health Research Is Important

Under both the HIPAA Privacy Rule and a federal regulation known as the Common Rule,[8] “research” is defined as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.” This is a broad definition that may include biomedical research, epidemiological studies,[9] and health services research,[10] as well as studies of behavioral, social, and economic factors that affect health.

Perhaps the most familiar form of health research is the clinical trial in which patients volunteer to participate in studies to test the efficacy of new medical interventions. Today, though, an increasingly large portion of health research is information based.
More and more research entails the analysis of data and biological samples that were initially collected for one purpose and are now being used for another purpose such as research.[11]

[7] The concept of fair information practices originated with the 1973 report of the Secretary’s Advisory Committee on Automated Personal Data Systems, reporting to the Secretary of the U.S. Department of Health, Education, and Welfare, titled Records, Computers and the Rights of Citizens, http://epic.org/privacy/hew1973report/ (accessed August 3, 2008).
[8] The Common Rule is a federal policy for the protection of human subjects adopted by 18 federal agencies and offices. 45 C.F.R. part 46, http://www.hhs.gov/ohrp/policy/common.html (accessed August 3, 2008).
[9] Epidemiology is the study of the occurrence, distribution, and control of diseases in populations.
[10] Health services research has been defined as a multidisciplinary field of inquiry, both basic and applied, that examines the use, costs, quality, accessibility, delivery, organization, financing, and outcomes of health care services to increase knowledge and understanding of the structure, processes, and effects of health services for individuals and populations.
[11] The National Committee on Vital and Health Statistics has noted that the term “secondary uses” of health data is ill defined and therefore urged abandoning it in favor of precise description of each use. Consequently, the IOM committee has chosen to minimize use of the term in this report.
In the fields of epidemiology, health services research, and public health research, the use of existing data to conduct research is common. Existing data are analyzed to identify patterns of occurrences, determinants, and the natural history of disease; to evaluate health care interventions and services; to perform drug safety surveillance; and to perform some genetic and social studies. A prime example of the benefits of research using existing biological samples and patients’ records is the development of Herceptin® (trastuzumab), a revolutionary new treatment for some kinds of breast cancer. In addition, many findings from research using patients’ medical records have changed the practice of medicine.

Examples of how health research based on data from medical records has informed and influenced national and other policy decisions abound. Just to cite a few: Research based on data from medical records underlies the estimate that tens of thousands of Americans die each year from medical errors in the hospital and has provided valuable information for reducing these medical errors by implementing health information technology, such as e-prescribing. Medical records research has documented that disparities and lack of access to care in inner cities and rural areas results in poorer health outcomes, and has demonstrated that specific preventive services (e.g., mammography) substantially reduce mortality and morbidity at reasonable costs. Furthermore, such research has established a causal link between the nursing shortage and patient health outcomes by documenting that patients in hospitals with fewer registered nurses are hospitalized longer and are more likely to suffer complications, such as urinary tract infections and upper gastrointestinal bleeding.
As the use of electronic medical records increases, the pace of medical records research is accelerating, and the opportunities to use these records to generate new knowledge about what works in health care are expanding.

The varying methods of health research provide complementary insights. Although clinical trials can provide important information about the efficacy and adverse effects of medical interventions by controlling the variables that could impact the results of the study, feedback from real-world clinical experience is also crucial for comparing and improving the use of drugs, vaccines, medical devices, and diagnostics. The Food and Drug Administration’s (FDA’s) approval of a drug for a particular indication, for example, is based on a series of controlled clinical trials, often with a few hundred to a few thousand patients. After a drug has received the FDA’s approval for marketing, however, it may be used by millions of people in many different contexts. Thus tracking clinical experience with the drug is important for identifying relatively rare adverse effects and for determining the effectiveness in different populations or circumstances.

Like privacy, all of these health-related activities provide high value to society. Collectively, these activities can provide important information about disease trends and risk factors, outcomes of treatment or public health interventions, functional abilities, patterns of care, and health care costs and utilization. They have led to significant discoveries, the development of new therapies, and a remarkable improvement in health care and public health.[12] Thus, they provide a sense of hope for people with chronic, life-threatening, or fatal conditions. If the health research enterprise is impeded, or if it is less robust, important societal interests are adversely affected.

THE HIPAA PRIVACY RULE

The U.S. Congress passed HIPAA in 1996 with the primary goals of making health care delivery more efficient and increasing the number of Americans with health insurance coverage. The HIPAA Privacy Rule was developed by HHS under HIPAA’s administrative simplification provisions, which mandated the creation of privacy standards for “protected health information” (PHI) in the absence of federal legislation.

A major goal of the HIPAA Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of information needed to promote high-quality health care. Recognizing that patients’ health records also play an important role in health research, Congress wanted to ensure that the implementation of HIPAA would not impede health researchers’ continued access to data from health records. Responding to this objective, HHS attempted to create a system that mandates privacy protection for individually identifiable health information while allowing important uses of the information in health care and research.
The HIPAA Privacy Rule sets forth detailed regulations regarding the types of uses and disclosures of “protected health information,” defined as “individually identifiable health information” that is held or transmitted by a “covered entity.” Covered entities are health plans, health care clearinghouses, and health care providers who transmit information in electronic form in connection with a transaction for which HHS has developed a standard under HIPAA.[13] A covered entity may not use or disclose PHI except either (1) as the Privacy Rule permits, or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing. The Privacy Rule applies not only to health information exchanged or stored electronically, but also to PHI held by a covered entity in any form or media, including electronic, paper, and oral communications.[14]

[12] See Standards for Privacy of Individually Identifiable Health Information: Proposed Rule, 64 Fed. Reg. 59918, 59967 (1999) for a discussion on the benefits of health records research.
[13] 45 C.F.R. § 160.103 (2006).

Although the HIPAA Privacy Rule applies to information uses and transactions necessary for the provision of health care, it is also applicable to a great deal of information used in health research. As already explained, the data in individuals’ medical records may be important or essential to some types of health research. When obtaining PHI from a covered entity to use in their research, health researchers are required to follow the provisions of the HIPAA Privacy Rule. The Privacy Rule permits a covered entity to use and disclose PHI for research purposes without an individual’s authorization if the covered entity obtains either (1) documentation that an alteration or waiver of the individual’s authorization for the use or disclosure of the information has been approved by an IRB or Privacy Board, or (2) specified representations from the researchers that the PHI is being used or disclosed solely for purposes preparatory to research, or for research using only the PHI of decedents. A covered entity may also use or disclose PHI without an individual’s authorization if the PHI is contained as part of a “limited dataset” from which specified direct identifiers have been removed, and the researcher enters into a data use agreement with the covered entity.

THE COMMITTEE’S CHARGE AND THE OVERARCHING GOALS OF THE RECOMMENDATIONS

The sponsors of this study asked the IOM to assess whether the HIPAA Privacy Rule implemented by HHS is impacting the conduct of health research, and requested that the IOM committee propose recommendations to facilitate the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information.
To undertake this task, the IOM appointed a 15-member committee (Committee on Health Research and the Privacy of Health Information) with a broad range of expertise and experience covering various fields of health research; privacy of health information; health law, regulation, and ethics; human research protections; health center administration; use and protection of electronic health information; and patient advocacy.

[14] Under the HIPAA Privacy Rule protected health information excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232(g), records described at 20 U.S.C. 1232(g)(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.

As the study progressed and committee members began thinking about potential recommendations, they identified three general methods for improving the current system for safeguarding health information privacy: (1) the provision of guidance from HHS and its Office for Civil Rights to Institutional Review Boards (IRBs), Privacy Boards, institutions, and other participants and stakeholders, which is the easiest way to achieve changes; (2) regulatory changes to the HIPAA Privacy Rule provisions, which can be done via HHS, but is more difficult than providing new guidance; and (3) statutory changes in HIPAA or other legislation at the federal or state level, which is the most difficult to accomplish, but may be necessary. The committee members decided to be as modest as possible in proposing recommendations to facilitate the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information, with the goal of making it easier to effect change if policy makers agree with the proposals.

Ultimately, committee members agreed to make two sets of recommendations. First, the committee proposes a bold, innovative, and more uniform approach to the dual challenge of protecting privacy while supporting beneficial and responsible research.[15] Although a totally new approach may be harder to implement in the short term than more incremental changes, it might help to stimulate fresh ideas about the best ways to protect privacy and improve health research as the nation seeks the best way to support these two interconnected values over the next several years. Second, in the event that policy makers decide that HIPAA was—and continues to be—the most useful model for how to safeguard privacy in health research, the committee proposes a series of detailed proposals to improve the HIPAA Privacy Rule and associated guidance.

There is no question that the goals of safeguarding privacy and enhancing health research are sometimes in tension.
Stringent measures to safeguard privacy can make it harder to conduct high-quality research, and research itself can pose a threat to privacy. Yet the committee believes that there is a synergy between the two, that promoting both is desirable, and that it is possible to strengthen certain privacy protections while still facilitating important health research.

[15] Responsible health research is methodologically sound, is scientifically valid, protects the rights and interests of study subjects, and addresses a question or problem relevant to improving human health.

For that reason, the committee’s intent in developing its recommendations was to advance both privacy and health research interests to the extent possible. The committee understands that the lines are not neat, the questions are complex, and the challenges are formidable. Nevertheless, our recommendations are aimed at strengthening health research regulations and practices that effectively safeguard personally identifiable health information, while changing provisions of the HIPAA Privacy Rule or its interpretations that the committee found to be mostly formalistic or ineffective. They also aim to facilitate data collection and use for beneficial and high-quality health research, with appropriate oversight, to advance knowledge about human health.

To facilitate beneficial health research while still ensuring adequate protection of patient privacy, the committee grounded its recommendations in three fundamental goals: (1) improve the privacy and data security of health information; (2) improve the effectiveness of health research; and (3) improve the application of privacy protections for health research (Box O-2). These three basic goals are discussed further below.

BOX O-2
Three Goals Underlying the Committee’s Recommendations

1. Improve the privacy and data security of health information.
2. Improve the effectiveness of health research.
3. Improve the application of privacy protections for health research.

Improve the Privacy and Data Security of Health Information

In the context of health research, the privacy goal is the commitment to handle personal information of patients and research participants in accordance with meaningful privacy protections. These protections should include strong security measures, disclosure of the purposes for which personally identifiable health information is used (transparency), and legally enforceable obligations to ensure information is secure and used appropriately (accountability). This commitment extends to everyone who collects, uses, or has access to personal information of patients and research participants.

Practices of security, transparency, and accountability take on extraordinary importance in the health research setting. Researchers and other data users should disclose clearly how and why personal information is being collected, used, and secured, and should be subject to legally enforceable obligations to ensure that personal information is used appropriately and securely.
In this manner, privacy protection will help to ensure research participant and public trust and confidence in medical research.

Improve the Effectiveness of Health Research

Research discoveries are central to achieving the goal of extending the quality of healthy lives. Research into causes of disease, methods for prevention, techniques for diagnosis, and new approaches to treatment has increased life expectancy, reduced infant mortality, limited the toll of infectious diseases, and improved outcomes for patients with heart disease, cancer, diabetes, and other diseases. Patient-oriented clinical research that tests new ideas makes medical and public health progress possible.

Today the rate of discovery is accelerating, and science is at the precipice of a remarkable period of investigative promise made possible by new knowledge about the genetic underpinnings of disease. Genomic research is opening new possibilities for preventing illness and for developing safer, more effective medical care that may eventually be tailored for specific individuals. Further advances in relating genetic information to predispositions to disease and responses to treatments will require use of large amounts of existing health-related information and stored biological specimens. The increasing use of electronic medical records will further facilitate the generation of new knowledge through research and accelerate the pace of discovery. These efforts will require broad participation of patients in research and broad data sharing to ensure that the results are valid and applicable to different segments of the population. Collaborative partnerships among communities of patients, their physicians, and teams of researchers to gain new scientific knowledge will bring tangible benefits for people in this country and around the world.

Improve the Application of Privacy Protections for Health Research

The HIPAA Privacy Rule was written to provide consistent standards in the United States for the use and disclosure of PHI by covered entities, including the use and disclosure of such information for research purposes.
In its current state, however, the HIPAA Privacy Rule is difficult to reconcile with other federal regulations, including HHS regulations for the protection of human subjects (the Common Rule), FDA regulations pertaining to human subjects protections,[16] and other applicable federal or state laws. For example, inconsistencies in federal regulations governing the deidentification of personal health information, obtaining individual consent for future research, and the recruitment of research volunteers make it challenging for health researchers to undertake important research activities while seeking to comply with all these regulations. In addition, there is substantial variation in the way in which institutions interpret and apply the Privacy Rule. For example, the way in which IRBs and Privacy Boards interpret the provisions when making decisions about authorization requirements varies across institutions, and often is quite conservative. Especially for multisite research and studies that are reviewed by both IRBs and Privacy Boards, the inconsistent interpretation and application of the HIPAA Privacy Rule’s provisions pertaining to research can create barriers to research and even lead to the discontinuation of ongoing research studies, which squanders the contributions of research participants.

[16] 21 C.F.R. parts 50 and 56 (1988).

Adding yet another layer of complexity and variability for health researchers is a lack of clarity in the way the HIPAA Privacy Rule applies to various types of health research or closely related health care practices. Moreover, there are significant gaps in who and what is covered by current federal research regulations. Whether a research activity is subject to the provisions of the Privacy Rule or the Common Rule depends on a number of factors, including the source of funding, the source of the data, and whether the researcher meets the definition of a covered entity. The situation in the United States is in stark contrast to the situation in most other countries, where uniform regulations apply to all research conducted in the country.

The committee believes a new direction is needed, with a more uniform approach to patient protections, including privacy, in health research. Improved clarity, harmonization, and uniform application of regulations governing health research are needed to align the interests and understandings of the research community, the custodians of PHI, and other stakeholders such as patients, so that implementation of the privacy protections in health research can be achieved with acceptability to all.

THE COMMITTEE’S RECOMMENDATIONS

The IOM Committee on Health Research and the Privacy of Health Information developed several recommendations with the intent of strengthening the privacy protections of personally identifiable health information and facilitating the efficient and effective conduct of beneficial health research. A summary of the committee’s recommendations is presented in Box O-3.
The committee's first and foremost recommendation (Recommendation I) is that Congress should authorize HHS and other relevant federal agencies to develop a new approach to ensuring privacy that would apply uniformly to all health research in the United States. When this new approach is implemented, HHS should exempt health research from the HIPAA Privacy Rule. This new approach, separate from the HIPAA Privacy Rule, should ensure privacy in health research by emphasizing security, accountability, and transparency while also allowing important health research to be undertaken with appropriate oversight.

If national policy makers decide that the HIPAA Privacy Rule has been, and continues to be, a useful model for safeguarding privacy in health research, the committee also proposes as an alternative that HHS revise the current HIPAA Privacy Rule and the associated guidance. These revisions, which could also be implemented in the interim while a new, comprehensive approach is being developed, would address many of
the problems uncovered during the course of this study. HHS should develop guidance materials to reduce variability among IRBs and Privacy Boards in their interpretation of the HIPAA Privacy Rule as applied to research (Recommendation II.A); develop guidance materials to facilitate more effective use of existing data and materials for health research and public health purposes (Recommendation II.B); and revise some provisions of the HIPAA Privacy Rule that currently hinder research but that do not provide meaningful privacy protections (Recommendation II.C).

The committee's last set of recommendations, though not directly related to the HIPAA Privacy Rule, should be adopted in order to achieve the committee's overarching goals. The committee recommends that all health research institutions improve the security of personally identifiable health information (Recommendation III.A), that HHS (or, as necessary, Congress) provide reasonable protection to IRB and Privacy Board members for good faith decisions to encourage service on IRBs (III.B), and that HHS and researchers take steps to disseminate health research results more broadly, and to inform the public about the nature of health research and its value to individuals and society as a whole (Recommendation III.C). Adopting this set of recommendations will be important regardless of whether Option I or II is implemented.

In the remaining pages of this overview, the abbreviated recommendations of the IOM committee, shown in Box O-3, are presented in fuller detail.

I. Develop a New Approach to Protecting Privacy in All Health Research

Background

The primary justification for including research provisions in the HIPAA Privacy Rule was to remedy perceived shortcomings of federal privacy protections in health research under the Common Rule, but the HIPAA Privacy Rule has numerous limitations of its own.
In proposing the Privacy Rule, HHS acknowledged that, ideally, it would have preferred to regulate health researchers directly by extending the protections of the Common Rule to research that is not federally supported and by imposing additional criteria for the waiver of patient authorization for the use of personally identifiable health information in research.[17] But HHS recognized that it did not have the authority to do this.

[17] U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (1997), and Standards for Privacy of Individually Identifiable Health Information: Proposed Rule, 64 Fed. Reg. 59918, 59968 (1999).

For that reason, HHS attempted to protect the health information released to researchers indirectly (but within the scope
BOX O-3
Summary of the Committee's Recommendations

The committee's foremost recommendation is the following:

I. Congress should authorize HHS and other relevant federal agencies to develop a new approach to protecting privacy that would apply uniformly to all health research. When this new approach is implemented, HHS should exempt health research from the HIPAA Privacy Rule.
   - Apply privacy, security, transparency, and accountability obligations to all health records used in research.

If national policy makers choose to continue to rely on the HIPAA Privacy Rule rather than adopt a new federal approach (Recommendation I), the committee recommends the following:

II. HHS should revise the HIPAA Privacy Rule and associated guidance.

   A. HHS should reduce variability in interpretations of the HIPAA Privacy Rule in health research by covered entities, IRBs, and Privacy Boards through revised and expanded guidance and harmonization.
      1. HHS should develop a dynamic, ongoing process to increase empirical knowledge about current "best practices" for privacy protection in responsible research using protected health information (PHI), and promote the use of those best practices.
      2. HHS should encourage greater use of partially deidentified data called "limited datasets" and develop clear guidance on how to set up and comply with the associated data use agreements more efficiently and effectively, in order to enhance privacy in research by expanding use and usability of data with direct identifiers removed.
      3. HHS should clarify the distinctions between "research" and "practice" to ensure appropriate IRB and Privacy Board oversight of PHI disclosures for these activities.
      4.
      HHS guidance documents should simplify the HIPAA Privacy Rule's provisions regarding the use of PHI in activities preparatory to research and harmonize those provisions with the Common Rule, in order to facilitate appropriate IRB and Privacy Board oversight of identification and recruitment of potential research participants.

   B. HHS should develop guidance materials to facilitate more effective use of existing data and materials for health research and public health purposes.
      1. HHS should develop guidance that clearly states that individuals can authorize use of PHI stored in databases or associated with biospecimen banks for specified future research under the HIPAA Privacy Rule with IRB/Privacy
      Board oversight, as is allowed under the Common Rule, in order to facilitate use of repositories for health research.
      2. HHS should develop clear guidance for use of a single form that permits individuals to authorize use and disclosure of health information in a clinical trial and to authorize the storage of their biospecimens collected in conjunction with the clinical trial, in order to simplify authorization for interrelated research activities.
      3. HHS should clarify the circumstances under which DNA samples or sequences are considered PHI, in order to facilitate appropriate use of DNA in health research.
      4. HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects privacy, confidentiality, and security.

   C. HHS should revise provisions of the HIPAA Privacy Rule that entail heavy burdens for covered entities and impede research without providing substantive improvements in patient privacy.
      1. HHS should reform the requirements for the accounting of disclosures of PHI for research.
      2. HHS should simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study, in order to facilitate appropriate authorization requirements for responsible research.

Regardless of whether Recommendation I or II is implemented, the following recommendations, which are independent of the Privacy Rule, should be adopted:

III. Implement changes necessary for both policy options above (Recommendations I and II).

   A. All institutions (both covered entities and non-covered entities) in the health research community should take strong measures to safeguard the security of health data.
      - HHS should also support the development and use of new security technologies and self-evaluation standards.

   B.
   To encourage service on Institutional Review Boards, HHS (or, as necessary, Congress) should provide reasonable protection against civil suits for members of Institutional Review Boards and Privacy Boards who serve in good faith.
      - But no protection for willful or wanton misconduct.

   C. HHS and researchers should take steps to provide the public with more information about health research by:
      1. Disseminating research results to study participants and the public.
      2. Educating the public about how research is done and what value it provides.
of its limited authority) by imposing restrictions on information disclosures by covered entities.

The National Committee on Vital and Health Statistics (NCVHS) and others have noted the limitations of the HIPAA Privacy Rule and have called for stronger protections of health privacy, notably by expanding the purview of the Privacy Rule beyond the current covered entities. The IOM committee believes an even bolder change is needed. The number of studies using medical records to address important questions about health and disease is likely to increase with the growing availability of electronic records. As the volume and importance of digital personal health data increase exponentially, the public can be expected to heighten demands for a legal framework that provides meaningful safeguards to protect personally identifiable health information in the health research setting. Thus, the IOM committee recommends developing a new framework to both protect individuals' privacy and facilitate responsible and beneficial health research.

Recommendation I: Congress should authorize HHS and other relevant federal agencies to develop a new approach to protecting privacy in health research that would apply uniformly to all health research. When this new approach is implemented, HHS should exempt health research from the HIPAA Privacy Rule. The new approach should enhance privacy protections through improved data security, increased transparency of activities and policies, and greater accountability while also allowing important health research to be undertaken with appropriate oversight. The new approach should do all of the following:

• Apply to any person, institution, or organization conducting health research in the United States, regardless of the source of data or funding.
• Entail clear, goal-oriented, rather than prescriptive, regulations.
• Require researchers, institutions, and organizations that store health data to establish strong data security safeguards.
• Make a clear distinction between the privacy considerations that apply to interventional research and research that is exclusively information based.
• Facilitate greater use of data with direct identifiers removed in health research, and implement legal sanctions to prohibit unauthorized reidentification of information that has had direct identifiers removed.
• Require ethical oversight of research when personally identifiable health information is used without informed consent. HHS should develop best practices for oversight that should consider:
    o Measures taken to protect the privacy, security, and confidentiality of the data;
    o Potential harms that could result from disclosure of the data; and
    o Potential public benefits of the research.
• Certify institutions that have policies and practices in place to protect data privacy and security in order to facilitate important large-scale information-based research for clearly defined and approved purposes, without individual consent.
• Include federal oversight and enforcement to ensure regulatory compliance.

Rationale

The committee concluded that the HIPAA Privacy Rule impedes important health research and does not protect privacy as well as it should. Rather than offering an effective and comprehensive approach to solving the real problems of protecting privacy while ensuring the vitality of the national research agenda, the Privacy Rule often focuses on formalistic issues.

A new approach to protecting the privacy of personally identifiable information used in health research should both provide strong and effective protection for often-sensitive personally identifiable health information and facilitate scientific discovery and medical innovation necessary to save lives and enhance the quality of the public's health. It should do so in a way that does not burden individuals with a flurry of health privacy notices and consent forms, or burden our health care system with a new level of bureaucracy and expense.

A new framework developed by HHS and other relevant agencies that emphasizes privacy, security, accountability, and transparency and is applicable to all health research in the United States would eliminate confusion, reduce variability, facilitate responsible research, and enhance trust in the research enterprise.
Clear and simple regulations that are less subject to varying interpretation by ethical oversight boards, as well as federal oversight and enforcement of regulatory compliance, will be important to consistently and efficiently ensure privacy and instill trust while enabling important research.

The committee favors an approach in which both ethical health research and privacy protections are supported.

[18] Personal Health Information Protection Act, Statutes of Ontario 2004, Ch. 3, Schedule A; Ontario Regulation 329/04.

Informative examples for such an approach include Ontario's Personal Health Information Protection Act (PHIPA)[18] and a similar model recently proposed in the United
Kingdom.[19] Ontario's PHIPA shares a number of similarities with the HIPAA Privacy Rule. In general, both rules require the holder of personally identifiable health data to obtain informed consent (referred to as authorization in the Privacy Rule) before using those data for a purpose other than providing services directly related to the health care of the patient. If a researcher wishes to use personally identifiable health data without obtaining informed consent, both rules require the researcher to obtain a waiver of informed consent approved by an independent ethics board before the study begins.

However, the HIPAA Privacy Rule and PHIPA do have some key differences. One major difference is that unlike the HIPAA Privacy Rule, which applies privacy obligations unevenly across the health care sector, PHIPA applies to health information custodians (HICs; e.g., providers, hospitals, and pharmacies) that collect, use, and disclose personally identifiable health information, as well as to non-HICs that receive personally identifiable health information from a HIC. Thus, the privacy protections follow the data.

Another important difference is that PHIPA permits HICs to disclose personally identifiable health information without consent to "prescribed persons or entities," who must have in place practices, policies, and procedures approved by Ontario's Information and Privacy Commissioner to protect the privacy and confidentiality of personally identifiable health information it receives and maintains. The prescribed persons or entities may then disclose information to researchers either in deidentified form, or in identifiable form with approval of a Research Ethics Board (Canadian equivalent of an IRB or Privacy Board). Consistent with the principle of transparency, a prescribed entity must also make public a description of its functions and a summary of its practices, policies, and procedures.
A similar approach to prescribed entities was recommended in a report commissioned by the United Kingdom's Prime Minister on secondary uses of personal information. This report suggested the creation of "safe harbors," which have three defining characteristics: (1) they provide a secure environment for processing personally identifiable health data, (2) they are restricted to "approved researchers" who meet relevant criteria, and (3) they implement penalties and allow for criminal sanctions against researchers who abuse their access to personally identifiable data. The committee believes that such an approach, combined with strong security measures, offers adequate privacy protections for personally identifiable health information in information-based health research, while greatly expanding research opportunities.

[19] In a report commissioned by the United Kingdom's Prime Minister on secondary uses of personal information.
Health research increasingly relies on the review of information about patients' actual experiences with treatments to determine the risks and benefits of drugs and other therapies, in addition to traditional interventional and comparative clinical trials with patients. Regulations under a new approach to ensuring privacy in health should acknowledge the fact that research based exclusively on information (e.g., using medical records or stored biological samples) is not the same as direct, interventional human subjects research. For that reason, applying the same human subjects protections in these two different scenarios is neither appropriate nor justifiable.

Promoting individual autonomy is essential when a person's health care or participation in clinical research is considered. The purpose of informed consent in this type of research is mainly to protect research participants from physical harm by providing a description of the potential risks and benefits of the study. In contrast, in information-based research that relies solely on medical records and stored biospecimens, the research participant faces no risk of direct physical harm. In this context, informed consent (authorization) is intended to ensure that individuals are able to exercise control over their personal information that is held by third parties, and to give individuals the right to determine whether their personal information can be used in a particular research project (or a series of such projects, if consent for future research is permitted).

Because of these fundamental differences between information-based research and direct, interventional human subjects research, the committee suggests a two-part practical approach to protecting health information privacy.
First, all interventional research, regardless of funding source and support, should be required to comply with the Common Rule and all researchers who gain access to personally identifiable health information as part of the interventional research should be required to protect that information with strong security measures. Research participants should be allowed to provide consent for future research uses of data and biological materials collected as part of the interventional study as long as an IRB reviews and approves the future uses, ensuring that the new study is not incompatible with the original consent.

Second, a new approach to uniform, goal-oriented oversight of information-based research should be developed by HHS and other relevant federal agencies, with a focus on best practices in privacy, security, and transparency as in PHIPA and the proposed United Kingdom model. This new approach should include a mechanism by which some programs or institutions could be certified by HHS or another accrediting body, similar to a prescribed entity as in PHIPA or a safe harbor as in the United Kingdom model. Such entities could then collect and analyze personally identifiable health information for clearly defined and approved purposes, without individual consent. Because of the administrative requirements in
becoming certified, this option is most appropriate for disease registries and other very large scale research databases. Certified entities could also aggregate personally identifiable data from multiple sources, and then provide data to researchers with direct identifiers removed, under strict security requirements. This would facilitate greater use of data with direct identifiers removed in research because the aggregated datasets would be more complete and thus would lead to more accurate conclusions. To further protect privacy, unauthorized reidentification of information that has had direct identifiers removed should be prohibited by law, and violators should face legal sanctions.

In cases where researchers cannot use data with direct identifiers removed, and personally identifiable health information is needed for research, approval and oversight by an ethics oversight board should be required, partially analogous to what is now done under the HIPAA Privacy Rule and PHIPA. This oversight board could perhaps entail a new body specifically formulated to review medical records research, rather than relying on traditional IRBs that were created to review interventional research.

If researchers seek a waiver of patient consent, an ethics oversight board should consider the measures to be taken to protect the privacy and confidentiality of the data, the potential harms that could result from disclosure of the data, and the potential public benefits of the proposed research study. In order to facilitate consistent application of this option, HHS will need to develop clear guidance and best practices on how to assess the potential harm, the proposed measures to protect privacy and confidentiality, and the potential public benefits of a research study, as has been done under PHIPA.
There is a great deal of variability in whether and how IRBs and other ethical oversight boards consider the public benefit and scientific merit of research proposals. But the first rule of ethical research is that the research must have scientific value, meaning that it addresses an important question of human health and is designed and conducted using methodology that is appropriate and rigorous. The scientific merit of research varies by project, just as the potential risk to privacy of research varies across different protocols. The committee believes that when making decisions about whether a research protocol that entails the disclosure of personally identifiable information should go forward, ethical oversight boards should take all of these factors (potential risks/harms to research participants' privacy as well as scientific merit and potential public benefit of the research proposal) into consideration.

A previous IOM committee on Assessing the System for Protecting Human Research Subjects recommended that "human research participant protection programs" use distinct mechanisms for initial reviews of scientific merit and that these reviews should precede and inform the comprehensive ethical review of research studies. Ethical oversight board members
themselves may not have the expertise to assess the merit of diverse research studies, but they should have access to evaluations by scientific review committees or funder peer review panels, which would help them assess the anticipated benefits of a proposed research project.

Although expectations regarding privacy vary among different demographic groups, public opinion polls suggest that a significant portion of the American public would like to control all access to their medical records for research via an individual consent mechanism. However, obligations to implement comprehensive privacy protections (such as security, transparency, and accountability) are independent of patient consent. Moreover, the committee concluded, based on considerable testimony and other evidence, that a universal requirement for informed consent can lead to invalid results because of significant differences between patients who do or do not grant consent, and to missed opportunities to advance medical science because it can be prohibitively costly and difficult to obtain consent for studies that require analysis of very large datasets.

As a result, the committee's new framework includes two alternatives to consent that can be used in certain circumstances (e.g., disclosure to a certified entity and waiver of informed consent by an ethics review board), which are intended to facilitate research that is socially beneficial and to protect privacy through increased security, transparency, and accountability. If society seeks to derive the benefits of medical research in the form of improved health and health care, information should be shared to achieve that greater good, and governing regulations should support the use of such information, with appropriate oversight.
In the committee's proposed new framework, the greater emphasis on ensuring the security protections of personally identifiable health information, facilitating research using data with direct identifiers removed, and ensuring the scientific merits of any proposed research in the new framework should help to foster its acceptability. Nonetheless, effective communication with the public about how health research is done and the value it provides (the committee's Recommendation III.C below) will be important to address concerns and gain acceptance.

The committee's proposal for a new approach to ensuring privacy in health research that is uniformly applicable to all health research in the United States is especially timely because Congress has shown considerable interest in producing new legislation to facilitate the implementation of a nationwide health information technology system. Such a system has been hailed as a means of addressing rising health care costs and improving the quality and efficiency of health care, but privacy concerns are emerging as a primary obstacle to the implementation of such a nationwide system. Some legislative proposals would follow the HIPAA model of privacy protections, while others would require different or additional approaches to ensure
the privacy of electronic health records. A nationwide health information technology system has the potential to accelerate health research by making large amounts of health data available to study and thus could lead to major advances in medicine. Nevertheless, caution is warranted in developing new regulations because the adoption of new, restrictive regulations might actually impede health research, to the great detriment of patients and society.

If Recommendation I is not implemented and the nation continues to rely on the HIPAA Privacy Rule for protecting privacy in health research, the committee proposes an alternative set of recommendations (Recommendations II.A–C) that could address some of the problems uncovered during the course of this study, by improving the HIPAA Privacy Rule and associated guidance.

II. Revise the Privacy Rule and Associated Guidance

Recommendation II.A: HHS should reduce variability in interpretations of the HIPAA Privacy Rule in health research by covered entities, IRBs, and Privacy Boards through revised and expanded guidance and harmonization.

Background

One of the weaknesses in the current privacy protection system is that there is extreme variability in the regulatory interpretations and approval decisions among IRBs and Privacy Boards. Regulatory language often is not easily understandable and is subject to wide interpretation. Thus local IRBs and Privacy Boards interpret state and federal regulations independently, resulting in a great deal of variation in how the regulations are implemented. For example, projects that are similar in design and intent may be granted a waiver of individual authorization by some IRBs and Privacy Boards, but not others, on the basis of differing interpretations of the Privacy Rule's waiver criteria.
In addition, some IRBs and Privacy Boards may conflate the Common Rule and Privacy Rule, or apply the research provisions of the Privacy Rule to activities for which they are not applicable, such as public health practice or the operation of cancer registries.

Furthermore, in the case of the HIPAA Privacy Rule, covered entities that disclose PHI are regulated, not the health researchers who receive the information. As a result, covered entities, as well as IRBs and Privacy Boards, may be reluctant to permit disclosures of PHI that would allow health research to go forward, even in situations where it is ethically and legally justified. Lacking sufficient guidance from HHS, IRBs and Privacy Boards sometimes interpret the HIPAA Privacy Rule too conservatively out
of concern that a particular health research activity might result in institutional noncompliance with the Privacy Rule.

HHS intended to allow IRBs and Privacy Boards to have some local control in implementing and interpreting the HIPAA Privacy Rule as it applies to the use and disclosure of PHI for research. The committee's recommendations below are intended not to reduce the decision-making powers and flexibility of local IRBs and Privacy Boards, but rather to make it easier for IRBs and Privacy Boards to review research proposals fairly and quickly. Additional guidance and clarification from HHS on the specific points listed below, along with specific case examples to help delineate what is or is not permissible under the Privacy Rule, would make it easier for IRBs and Privacy Boards to make the appropriate review decisions.

Recommendation II.A.1: HHS should develop a dynamic, ongoing process to increase empirical knowledge about current "best practices" for privacy protection in responsible research using PHI, and promote use of those best practices.

• HHS should regularly convene consensus development conferences in collaboration with health research stakeholders to collect and evaluate current practices in privacy protection in order to identify and disseminate best practices.
• Stakeholders can then enable and encourage researchers to use these best practices in designing and conducting research involving the use of PHI.

Rationale

There are many diverse approaches to health research. The broad array of methods and data sources for such research presents a challenge to IRBs and Privacy Boards that must determine how various state and federal regulations apply to each research protocol. Uncertainty about how the various regulations apply to a given protocol can lead to overly conservative decisions by these boards, making it more difficult for some important health research to go forward.
For example, some covered entities misinterpret the Privacy Rule by requiring researchers to obtain authorization from next of kin in order to access the PHI of decedents, which is not required under the provisions. Such factors contribute to the tremendous variability in the decisions made by IRBs and Privacy Boards.

Current guidance from HHS addresses only what is permissible under the HIPAA Privacy Rule; the guidance does not identify best practices. A dynamic, ongoing process for the identification and dissemination of best practices in privacy protection for various types of health research by HHS
would facilitate reviews by IRBs and Privacy Boards and lead to more consistent and appropriate decisions. HHS guidance materials with best practices and models or templates for things such as the patient authorization form, waiver of authorization form, data use agreements, and business associate agreements would make it easier for investigators to appropriately design research projects and put institutions at ease about decisions their IRBs and Privacy Boards make with regard to privacy concerns. Such guidance materials should be written as clearly and simply as possible, using an inclusive, dynamic, and transparent development process, and should override all prior guidance documents.

The committee believes that a proactive role by HHS in disseminating guidance changes to IRBs and Privacy Boards is essential. This endeavor could perhaps be accomplished as an activity of the National Institutes of Health Roadmap for Medical Research under the direction of the HHS Office for Civil Rights. An informative precedent for the dissemination efforts might be the Health Resources and Services Administration's development of the National Practitioner Data Bank (NPDB) Guidebook,[20] an activity established through Title IV of the Healthcare Quality Improvement Act of 1986. The NPDB Guidebook, which is frequently updated, provides many case examples of what should be done in various situations.

Stakeholders (including researchers; research institutions, IRBs, and Privacy Boards; sponsors of research; public health practitioners and agencies; patient and consumer organizations; and privacy experts) could have considerable influence on the adoption of best practices once they have been identified, so they could help to make privacy protections and IRB/Privacy Board decisions more uniform. For example, Requests for Proposals and other funding mechanisms could be more instructive on the requirements for the protection of privacy.
Many academic researchers depend on their ability to procure funding from a source external to their institutions, and research sponsors have obligations to protect research participants. Thus, major nonfederal funders of health research could be a powerful force for adherence to ethical guidelines even in the absence of strong federal regulations and enforcement. Organizations whose primary missions are focused on promoting responsible and ethical research—such as PRIM&R (Public Responsibility in Medicine and Research) and the Association for the Accreditation of Human Research Protection Programs, Inc., which serve as primary educational vehicles for IRB professionals and offer certification programs—could also contribute much to this dynamic and ongoing process. Increased participation in these organizations by research investigators in particular could extend understanding of regulatory requirements and foster national discourse about issues of interpretation and application of the HIPAA Privacy Rule.
20 Division of Quality Assurance, Health Resources and Services Administration, National Practitioner Data Bank Guidebook, Rockville, MD, http://www.npdb-hipdb.hrsa.gov/npdbguidebook.html (accessed August 1, 2008).
Recommendation II.A.2: HHS should encourage greater use of partially deidentified data called "limited datasets" and develop clear guidance on how to set up and comply with the associated data use agreements more efficiently and effectively, in order to enhance privacy in research by expanding use and usability of data with direct identifiers removed.
Rationale
The HIPAA Privacy Rule and the Common Rule both exempt from their provisions research using health data from which personal identifiers have been removed. Because the two rules define personally identifiable information and deidentification differently, however, there is a discrepancy between what research involving existing data is exempt from the Common Rule and what research is exempt from the Privacy Rule. The standard for deidentification as defined in the Common Rule is that the identity of the subject may not be readily ascertained by the health researcher (e.g., "anonymized" datasets with no direct identifiers included).21 Thus, health research using information recorded in such a manner that subjects cannot be readily identified is exempt from the Common Rule.22 Under the HIPAA Privacy Rule, there are two ways to deidentify health information so that it is exempt from the Privacy Rule.
One is to remove 18 specified identifiers that identify or could provide a reasonable basis to identify an individual, including both direct identifiers (e.g., name, address, medical records number, Social Security number, health plan beneficiary number) and indirect identifiers (e.g., dates of service and geographic subdivisions smaller than a state).23 The second way is to have a qualified statistician determine that the risk is very small that any identifiers present on a given data file could be used alone, or in combination with other available information, to identify an individual.24
This discrepancy between deidentification standards under the two rules can give rise to situations in which research with anonymized data that is exempt from IRB oversight under the Common Rule may still require a decision by an IRB or a Privacy Board to determine if a waiver of individuals' authorization of disclosure for the use of their information for research purposes is appropriate under the Privacy Rule. However, IRBs have not had to review these protocols in the past, and they may have difficulty in making appropriate decisions about waivers.
21 45 C.F.R. § 46.102(f)(2) (2006).
22 45 C.F.R. § 46.101(b)(4) (2006).
23 45 C.F.R. § 164.514(b) (2006). There are no restrictions on the use or disclosure of deidentified health information.
24 Id.
The HIPAA Privacy Rule's restrictions put greater emphasis on the possibility that deidentified health data could be reidentified using publicly available databases. Record linkage technology has advanced rapidly in the past 10 years, making reidentification of data easier now than when the Common Rule was implemented. Yet many researchers maintain that removing all 18 data categories required by the HIPAA Privacy Rule can render a dataset unusable for research. Several organizations—including the Secretary's Advisory Committee on Human Research Protections (SACHRP), NCVHS, and the Association of American Medical Colleges—have recommended changing the HIPAA Privacy Rule to reduce the number of identifiers that must be removed for a dataset to be considered deidentified and thus exempt from IRB and Privacy Board oversight if used in health research. Some elements of the 18 identifiers (e.g., ZIP Codes, geographic subdivisions, and dates of service or tissue collection) do not directly identify individuals, and are essential for some types of health research, such as epidemiology or studies of disease incidence.
In 2002, in response to the concerns that had been raised, HHS modified the HIPAA Privacy Rule to create a category of partially deidentified data called the "limited dataset," in which health information that is stripped of the 16 most direct identifiers can be used and disclosed for research without obtaining individuals' authorization or an IRB/Privacy Board waiver if the covered entity enters into a data use agreement (DUA) with the recipient of the data.25 Geographic subdivisions (other than street addresses) and dates and other numbers, characteristics, or codes not listed as direct identifiers in the regulation can be included in a limited dataset, making it more useful for research.
Currently, however, there is pervasive confusion regarding the conditions of DUAs and how recipients may meet those conditions. As a result, in some health care settings, the burden of establishing a DUA prevents research from going forward. However, at the other extreme, some covered entities sign DUAs as a matter of course, providing little meaningful privacy protection to the patient. The committee recommends that HHS ameliorate this situation by issuing clear guidance on how to set up and comply with data use agreements more efficiently and effectively, with a goal-oriented focus on the safeguards that researchers should use to protect individuals' privacy.
25 45 C.F.R. § 164.514(e)(3)(i) (2006).
Recommendation II.A.3: HHS should clarify the distinctions between "research" and "practice" to ensure appropriate IRB and Privacy Board oversight of PHI disclosures for these activities.
• HHS should consult with relevant stakeholders to develop standard criteria for IRBs and Privacy Boards to use when making distinctions between health research and related endeavors such as public health practice and quality improvement practices. These criteria should be evaluated regularly by HHS to ensure that the criteria are helpful and producing the desired outcomes.
Rationale
The HIPAA Privacy Rule makes a somewhat artificial distinction between health research and some closely related activities, such as public health and quality improvement activities, which also may involve collection and analysis of PHI. Under the Privacy Rule (as well as the Common Rule), these activities, which aim to protect the public's health and improve the quality of patient care, are considered health care "practice" rather than health research. HHS considered public health and quality improvement activities important enough to give them special status under federal regulations by permitting them to be undertaken without authorization or an IRB/Privacy Board waiver of authorization. Yet it can be a challenge for IRBs and Privacy Boards, researchers, health care practitioners, and research participants to distinguish among activities that are or are not subject to the various provisions of the Privacy Rule (and the Common Rule). Inappropriate decisions may prevent important activities from being undertaken or could potentially allow disclosures of PHI that are not permitted under the regulations. A number of models outlining the criteria IRBs and Privacy Boards should use to distinguish practice and research have been proposed to address these difficulties.
One recent model, for example, provides a detailed checklist for IRBs and Privacy Boards to use in determining whether an activity is (1) public health "research" that must comply with the research provisions of the Privacy Rule, or (2) public health "practice" that does not need IRB or Privacy Board review.26
The committee believes that standardizing the criteria is essential to support the conduct of these important health care activities. For that reason, the committee recommends that HHS convene the relevant stakeholders to develop standard criteria for IRBs and Privacy Boards to use when making decisions about whether protocols entail research or practice, using the available models above as examples. The regulation should have enough flexibility to allow important activities to go forward with appropriate levels of oversight. In addition, it will be important to evaluate whether these criteria are effective in aiding IRB/Privacy Board reviews of proposed protocols and whether they lead to appropriate IRB/Privacy Board decisions.
26 See Chapter 3 for a complete discussion of this model.
Recommendation II.A.4: HHS guidance documents should simplify the HIPAA Privacy Rule's provisions regarding the use of PHI in activities preparatory to research and harmonize those provisions with the Common Rule, in order to facilitate appropriate IRB and Privacy Board oversight of identification and recruitment of potential research participants.
Rationale
Many research studies, especially those focused on rare conditions with limited eligible patient populations, rely on large-scale medical chart reviews and searches of patient databases to identify patients who might be eligible for and might benefit from a particular study. Sufficient patient enrollment in a timely fashion is essential to ensure the meaningfulness and reliability of the research results. Researchers may also need to examine medical records in order to develop useful and appropriate research designs and protocols.
The HIPAA Privacy Rule has some specific provisions that allow a covered entity to use or disclose PHI without an individual's authorization if the information is to be used for research.
One provision allows a covered entity to use and disclose PHI without an individual's authorization if the covered entity obtains the following representations from the researcher: (1) the use or disclosure of the information is solely to prepare a research protocol or is otherwise preparatory to research; (2) the researcher will not remove any PHI from the covered entity; and (3) the PHI for which access is sought is necessary for the research.27 However, there is widespread confusion regarding what is permitted under this provision of the Privacy Rule. Surveys and studies also indicate that recruiting patients for research has become more difficult and costly under the HIPAA Privacy Rule.
HHS has issued multiple guidance statements to help address this confusion, but these guidance statements, some of which have been contradictory, have failed to solve the problem.
According to current HHS guidance on the Privacy Rule, researchers (both internal and external to a covered entity) may conduct a review of medical records under the Privacy Rule's exception that allows the use and disclosure of PHI without an individual's authorization if the information is being used by a researcher for activities preparatory to research. However, HHS guidance also specifies that only internal researchers (an employee or member of the covered entity's workforce) may contact potential research participants about the possibility of enrolling in a study under this provision of the Privacy Rule. External researchers are not allowed to record or remove patient contact information from a covered entity. They must get a partial waiver from an IRB or Privacy Board to perform any recruitment activities.
This interpretation of the Privacy Rule creates an artificial distinction between internal and external researchers that actually provides less privacy protection than that afforded by the Common Rule, which requires that any activities preparatory to research involving human subjects, or related to initial recruitment of subjects for research studies, be reviewed and approved by an IRB. Thus, the HIPAA Privacy Rule permits conduct that is prohibited by the Common Rule.
27 45 C.F.R. § 164.512(i)(1)(ii) (2006).
According to SACHRP, HHS statements regarding these provisions for activities preparatory to research have led to "enormous confusion," and many "institutions are hesitant to permit many recruitment activities critical to the continuation of the research enterprise, out of fear that they are in some way misinterpreting the government's current positions on research recruitment." In 2004 SACHRP indicated that it was "very concerned that the bureaucratic complexities here undermine, rather than enhance, the attention that needs to be paid to the welfare and interests of subjects in the research recruitment process."
To address these issues, the committee recommends that all researchers (including those internal to the covered entity) be required to obtain IRB approval (as required under the Common Rule) prior to contacting potential research participants. When making a decision about whether to approve research projects, the IRB should review and consider the investigator's plans for contacting patients, and ensure that the information will be used only for research projects approved by the IRB and will not be disclosed elsewhere. The committee believes that IRBs can protect research participants, including their privacy and confidentiality interests, but as noted in Recommendation II.A.1, educational outreach by HHS is needed to address misunderstandings of these provisions.
Recommendation II.B: HHS should develop guidance materials to facilitate effective use of existing data and materials for health research and public health purposes.
Background
Many institutions create and maintain databases with patient health information or repositories with biological materials collected from patients. These databases and biospecimen banks are used for many types of health research, including studies to understand diseases or to compare patient outcomes following different treatments.
Current interpretations of provisions of the HIPAA Privacy Rule sometimes make it difficult to effectively use these valuable resources for health research. Currently, for example, HHS interprets the Privacy Rule as prohibiting patient authorization for future research use of PHI associated with the individuals' biospecimens collected in the course of a clinical trial or treatment by covered entities. Such interpretations of the HIPAA Privacy Rule create confusion and unnecessary burdens for patients and researchers alike and lead to lost opportunity by impeding important health research. Furthermore, because such interpretations are inconsistent with the Common Rule, they lead to inequities between covered entities and non-covered entities that hold databases and biospecimen banks.
The committee's four specific recommendations below are intended to facilitate important health research by maximizing the usefulness of patient data associated with biospecimen banks and in research databases, thereby allowing novel hypotheses to be tested with existing data and materials as knowledge and technology improve. The recommendations would align interpretation of the HIPAA Privacy Rule with the Common Rule on several points, simplify or clarify the relevant processes in research, and develop new tools for data aggregation.
Recommendation II.B.1: HHS should develop guidance that clearly states that individuals can authorize use of PHI stored in databases or associated with biospecimen banks for specified future research under the HIPAA Privacy Rule with IRB oversight, as is allowed under the Common Rule, to facilitate use of repositories for health research.
• Future uses should be described in sufficient detail to allow individuals to give informed consent.
• IRBs should determine that the new research is not incompatible with the initial consent.
Rationale
Databases and biospecimen banks, once created, offer a cost-effective resource of information for rapidly addressing new health research questions as technologies and knowledge advance. Collecting the data and biospecimens necessary to address each new research question as it arises would take years, or even decades, at great expense. Thus, the pace and efficiency of medical progress is enhanced significantly by using established resources whenever feasible. When new potential prognostic markers of disease are identified, for example, they must be validated by studying the markers in many patients over the course of the disease. Examining samples stored in biobanks, where disease progression has already been recorded over many years, is a fast and relatively inexpensive way of determining whether the marker has promise for clinical use and warrants further investigation.
The provisions of the HIPAA Privacy Rule, as interpreted by HHS, may impede research with established biospecimen banks and databases. The Privacy Rule requires an individual's authorization for the use or disclosure of protected information to describe, with specificity, the purpose of the proposed use or disclosure of such information.28 HHS regards all future uses of PHI as nonspecific—and therefore ineligible for inclusion in an authorization for the collection and storage of biological materials and data. In contrast, the Common Rule makes it possible to obtain individuals' consent to future use or disclosure of their health information for health research, with IRB oversight, as long as any intended future use is described in sufficient detail to allow informed consent.
HHS has maintained that allowing individuals to authorize future uses of their PHI could leave decisions about future research projects at the discretion of covered entities, because the HIPAA Privacy Rule, unlike the Common Rule, does not require IRB or Privacy Board review of research uses and disclosures made with individual authorization.29 For that reason, HHS requires that individuals be recontacted to obtain their authorization for the use or disclosure of their existing data and biospecimens for any additional research studies undertaken unless the researchers obtain a waiver or alteration of individual authorization.
Recontacting individuals to obtain their additional authorization is very impractical. Even when another contact is possible, the process can be intrusive and burdensome for patients and their families. As long as an IRB is overseeing the research, obtaining individuals' authorization for future use of their information in existing databases and biospecimen banks in health research should be adequate for protecting privacy.
One way to overcome the discordance between the Privacy Rule and the Common Rule would be for HHS to issue guidance explicitly stating that future research may go forward if the following conditions are met: (1) the individual's authorization describes the types or categories of research that may be conducted with the PHI stored in the database or biobank; and (2) an IRB determines that the proposed new research is not incompatible with the initial consent and authorization, and poses no more than a minimal risk.
28 45 C.F.R. § 164.508 (2006).
29 Id.
Because science is evolving quickly, one cannot adequately anticipate what knowledge will be gained in the future. Significant opportunities for beneficial research could be lost without some revisions in the current interpretation of this portion of the HIPAA Privacy Rule. Databases and biospecimen banks created and maintained with federal funds, in particular, should be used for multiple studies as often as feasible, especially given the high cost of developing such repositories and the high value of investigating and comparing multiple scientific questions from the same pool of data.
Recommendation II.B.2: HHS should develop clear guidance for use of a single form that permits individuals to authorize use and disclosure of health information in a clinical trial and to authorize the storage of their biospecimens collected in conjunction with the clinical trial, in order to simplify authorization for interrelated research activities.
Rationale
Informed consent and authorization are essential for the protection of individuals who volunteer to participate in clinical trials. Thus, it is imperative that the informed consent and authorization documents are easily understood and meaningful to the individuals involved. Ideally, all relevant information should be integrated into one simple document.
The HIPAA Privacy Rule's complex provisions have generated misperceptions about restrictions on individuals' ability to provide compound authorization for the related activities of clinical trial participation and biospecimen donation.
Such misperceptions can diminish the informed nature of consent and authorization because they can lead to patient confusion and misunderstanding. HHS has stated that if a covered entity plans to collect and store biospecimens in a research repository in conjunction with a clinical trial, individuals' authorization for storage of the PHI associated with the repository must be separate from authorization for disclosure of the PHI associated with participation in the clinical trial.
HHS arrived at this interpretation through a series of steps. First, it is generally not permissible to condition treatment on an individual's authorization for the use of PHI, although the HIPAA Privacy Rule does permit a covered entity to condition treatment in a clinical trial on signing an authorization.30 Second, although the HIPAA Privacy Rule generally permits researchers to combine an authorization form with any other type of written permission (including another authorization), it prohibits researchers from combining authorizations where the covered entity conditions the provision of treatment on signing only one of the authorizations, but not the other.31 Because HHS has concluded that collection of PHI for a clinical trial and for a repository are separate research activities, researchers cannot condition participation in the clinical trial on signing authorization to include PHI in a repository.32
Currently, therefore, the two authorizations cannot be combined in one form unless (1) the form has separate signature lines for each authorization, and (2) the text clearly delineates the two activities and states that the participant is not required to sign the portion authorizing the contribution of PHI to the repository in order to receive treatment in a clinical trial.
There is much confusion about these provisions of the HIPAA Privacy Rule, and some institutions require two complete authorization forms with all the attendant language rather than two signature lines on the same form. The excess paperwork that results is burdensome for patients; can reduce the informed nature of authorization by confusing patients; and may reduce patient participation in research. Guidance from HHS to clearly indicate that a single authorization form with two signature lines is permissible in such circumstances would reduce variability and increase the informed nature of authorization.
Recommendation II.B.3: HHS should clarify the circumstances under which DNA samples or sequences are considered PHI, in order to facilitate appropriate use of DNA in health research.
Rationale
With recent technological advances in biomedical research, it is now possible to learn a great deal about disease processes and individual variations in treatment effectiveness or susceptibility to disease from genetic analyses because the DNA sequences that make up a person's genome strongly influence a person's health. In this genomic age of health research, patient blood and tissue samples stored in biospecimen banks can provide a wealth of information for addressing long-standing questions about health and disease.
30 45 C.F.R. § 164.508(b)(4)(i) (2006).
31 45 C.F.R. § 164.508(b)(3) (2006).
32 National Institutes of Health, Research Repositories, Databases, and the HIPAA Privacy Rule, January 2004, http://privacyruleandresearch.nih.gov/pdf/research_repositories_final.pdf (accessed August 1, 2008).
But HHS has not yet issued clear guidance on how the HIPAA Privacy Rule applies to DNA samples or sequences. HHS guidance documents indicate that blood or tissue samples themselves are not protected under HIPAA unless they contain or are associated with the 18 personal identifiers specified by the HIPAA Privacy Rule. In addition, HHS has stated that the results of an analysis of blood or tissue, if containing or associated with individually identifiable information, would be PHI. Yet the research community remains uncertain about whether genetic information accompanying biospecimens is protected under the HIPAA Privacy Rule because the list of HIPAA identifiers includes vague terms such as "biometric identifiers" and "unique identifying characteristics."33
Genetic information does not itself identify an individual in the absence of other identifying information. Even the European Union, which has a more restrictive privacy regime than the United States, does not consider DNA in and of itself to be a direct identifier.34 In some circumstances, however, a person's genetic code could be construed as a unique identifier in that it could be used to match sequence in another biospecimen bank or databank that does include identifiers. As genetic information becomes more prevalent in research and health care, the latter scenario is more likely to occur. As health care enters the era of personalized medicine, for example, genetic information is more likely to be included in a person's health records. But at the same time, realization of the promises of personalized medicine will require research on DNA from a great many diverse individuals whose medical history is well documented.
The committee believes that establishing consistent standards for the use and protection of genetic information is important.
The committee advocates a focus on strong security measures and recommends the adoption of strict prohibitions on the unauthorized reidentification of individuals from DNA sequences, by anyone.
Regardless of how genetic information is regulated under the HIPAA Privacy Rule, a federal prohibition of genetic discrimination is necessary to allay privacy concerns and diminish potential negative consequences of unintended disclosure of genetic information. Many people are concerned about genetic discrimination—the misuse of genetic information by insurance companies, employers, and others to make decisions based on a person's DNA. Thus, in addition to protecting the privacy of individuals' genetic information, it is important to protect people against genetic discrimination. The hope is that the Genetic Information Nondiscrimination Act of 2008, recently signed into law, will begin to address some of these concerns.
33 45 C.F.R. § 164.514 (2006).
34 Article 29 Data Protection Working Party, European Union, "Opinion 4/2007 on the Concept of Personal Data," WP 136, adopted June 27, 2007, http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf (accessed August 1, 2008).
Recommendation II.B.4: HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects privacy, confidentiality, and security.
Rationale
Because a single database may not provide a complete picture of a patient's condition or health history, it is often necessary to combine information about a patient from multiple sources. However, the way in which the HIPAA Privacy Rule has been interpreted and implemented has made linking data from diverse sources for research purposes more difficult. Thus, the Privacy Rule impedes health research and compromises the value and reliability of research that is undertaken.
Under the HIPAA Privacy Rule, it is possible in principle for a researcher to aggregate PHI from multiple covered entities with individual authorization or with an IRB or Privacy Board's waiver of such authorization. Obtaining individuals' authorization for research that entails the review of thousands of medical records is unrealistic, though, and even with a waiver of authorization, covered entities with large datasets are now often reluctant to allow researchers access to PHI. More commonly, covered entities provide data to researchers with direct identifiers removed. Because datasets from multiple sources cannot be linked to generate a more complete record of a patient's health history without a unique identifier, though, datasets with direct identifiers removed are often of minimal value to researchers and are not frequently used.
A third party may collect PHI from covered entities and aggregate the data for research by establishing business associate agreements with the various data sources, but in practice, such agreements are used infrequently for this purpose because they are complicated and impractical to set up for individual research projects.
The committee believes a better approach would be to establish secure, trusted intermediaries that could develop a protocol, or key, for routinely linking health data from different sources, and then provide more complete and useful datasets with the identifiers removed to researchers. One way this could be accomplished, for example, might be through data warehouses that are certified for the purpose of linking data from different sources. The organizations responsible for such linking would be required to use strong security measures and would maintain the details about how the linkage was done, should another research team need to recreate the linked dataset. Using such intermediaries would facilitate greater use of health data with direct identifiers removed for research and lead to more meaningful study results while also increasing patient privacy protections and allaying concerns of covered entities.
Some federal agencies are already developing mechanisms for linking information from different sources. The Centers for Medicare & Medicaid Services (CMS), for example, provides a linking service for Medicare and Medicaid data via contractors that create standardized data files tailored for research. CMS also has begun pilot projects to aggregate Medicare claims data with data from commercial health plans and, in some cases, Medicaid, in order to calculate and report quality measures for physician groups.
A broader effort to link data from diverse sources, called the National Health Data Stewardship Entity, has been initiated by the federal Agency for Healthcare Research and Quality (AHRQ). AHRQ is also involved in implementing the Patient Safety and Quality Improvement Act of 2005, which encourages creation of Patient Safety Organizations to receive information from hospitals, doctors, and health care providers on a privileged and confidential basis, for analysis and aggregation. Even though the purpose of these two AHRQ initiatives is to monitor health care quality,35,36 they could provide a model for data aggregation that is potentially applicable to health research.
The administrative simplification provisions of HIPAA specifically provided for the creation of a unique individual identifier that would permit the linking of data from different sources, but work on developing such an identifier has been halted because there is a great deal of controversy regarding how it could be implemented without compromising individual privacy.
In addition, federal agencies are under pressure from the Office of Budget and Management to reduce the use of Social Security numbers as unique identifiers. Nevertheless, it is clear that the development of some type of linking key (not based on Social Security numbers) would make linkages among databases more efficient, standardized, and reliable, and less costly. Moreover, this type of linkage could greatly facilitate many types of information research and improve quality of care.

35 National Health Data Stewardship, Request for Information, 72 Fed. Reg. 30803 (June 4, 2007).
36 Agency for Healthcare Research and Quality, U.S. Department of Health and Human Services, Patient Safety Organizations Website, http://www.pso.ahrq.gov (accessed August 1, 2008); Patient Safety and Quality Improvement Act, Notice of Proposed Rulemaking, 73 Fed. Reg. 8112 (February 12, 2008).

Recommendation II.C. HHS should revise provisions of the HIPAA Privacy Rule that entail heavy burdens for covered entities and impede research without providing substantive improvements in patient privacy.

Background

For some provisions of the HIPAA Privacy Rule, the burdens are heavy and the privacy protections are small. Such provisions may need to be reconsidered if society is to derive maximal benefits from health research. The committee recommends revising two components of the HIPAA Privacy Rule that are very burdensome with respect to the level of privacy protection they afford.

Recommendation II.C.1: HHS should reform the requirements for the accounting of disclosures (AOD) of PHI for research.

• The HIPAA Privacy Rule should permit covered entities to inform patients in advance that PHI might be used for health research with IRB/Privacy Board oversight or for public health purposes. Accordingly, the Privacy Rule should be revised to exempt disclosures of PHI made for research and public health purposes from the Privacy Rule's accounting of disclosures requirements. As an alternative to AOD, to ensure transparency, institutions should maintain a list, accessible to the public, of all studies approved by an IRB/Privacy Board.

Rationale

Under the HIPAA Privacy Rule, individuals have a right to receive an accounting of disclosures, a list of all disclosures of their PHI by a covered entity or the covered entity's business associates in the past 6 years.
According to HHS, the AOD provision of the HIPAA Privacy Rule was intended "as a means for the individual to find out the nonroutine purposes for which his or her PHI was disclosed by the covered entity, so as to increase the individual's awareness of persons or entities other than the individual's health care provider or health plan in possession of this information." The AOD requirement does not constitute an audit trail, though, because the provision has numerous exceptions—including disclosures of PHI for health care operations, pursuant to an authorization, as part of a limited dataset, for national security or intelligence purposes, and to correctional institutions or law enforcement officials.

Disclosures of PHI by covered entities for research purposes under a waiver of individual authorization approved by an IRB or a Privacy Board, or for public health purposes as required by law, must be included in an AOD report. Furthermore, HHS has noted that "making a set of records available for review by a third party constitutes a disclosure of the PHI in the entire set of records, regardless of whether the third party actually reviews any particular record." The AOD provision of the HIPAA Privacy Rule provides an exception for research involving groups of 50 or more subjects by allowing the covered entity to develop a general list of all protocols for which a person's PHI may have been disclosed. Even then, however, there is a considerable administrative obligation to generate such a list. Furthermore, in many medical facilities, a general list of protocols is extensive and thus relatively meaningless to a particular patient.

The AOD provision of the HIPAA Privacy Rule places a heavy administrative burden on health systems and health services research that achieves little in terms of protecting privacy. Moreover, HHS has provided no guidance to covered entities about practical ways to fulfill this requirement in an efficient manner. On the basis of testimony in 2004, the Secretary's Advisory Committee on Human Research Protections concluded that the cost and burden of compliance with the HIPAA Privacy Rule's AOD requirements were so high that institutions were likely to accept the risk of noncompliance rather than incur the cost of compliance.

Annual surveys of health care privacy officers undertaken by the American Health Information Management Association (AHIMA) since 2004 have similarly found that many facilities report difficulties with the AOD requirement. Such surveys have also found that the demand for AOD reports by individuals is extremely low. Two thirds of health care privacy officers participating in the survey reported receiving no requests at all.
Nearly one third of respondents indicated that they would like to see a change to the AOD provision of the HIPAA Privacy Rule—the most frequently cited provision among all respondents and the most frequently cited provision by far among respondents with more than 20,000 admissions/discharges per year. On the basis of these results, AHIMA concluded that "for many, this [AOD] provision is not only burdensome but also significantly inefficient."37

37 American Health Information Management Association, 2006, The State of HIPAA Privacy and Security Compliance, http://www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf (accessed April 20, 2008).

Robust safeguards are already in place to protect the privacy of PHI disclosures in health research via IRBs and Privacy Boards. As the health care system moves toward broader implementation of electronic health records, however, automatic tracking of audit trails will be important to incorporate. Technology advances will likely make automatic AOD tracking feasible, affordable, and widely available in the future. Until then, the committee recommends that disclosures of PHI made for health research and public health purposes be exempted from the HIPAA Privacy Rule's AOD requirement.

Recommendation II.C.2: HHS should simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study, in order to facilitate appropriate authorization requirements for responsible research.

• If HHS decides to retain the current waiver criteria, HHS should provide clear and reasonable definitions of terms used in those criteria, such as "minimal risk" to the privacy of individuals (in the first criterion) and "impracticable" (in the second and third criteria). HHS should also provide specific case examples of what should or should not be considered impracticable or of minimal risk.

Rationale

Under the HIPAA Privacy Rule, researchers seeking to use PHI in medical records for research must obtain authorization from each patient unless an IRB or a Privacy Board makes a determination that a waiver of individual authorization is warranted. For many types of research with medical records, making that determination is a challenge for IRBs and Privacy Boards. Many studies involve thousands of records, making individual authorization unrealistic. But the criteria in the HIPAA Privacy Rule that IRBs and Privacy Boards apply in making these decisions are complex and very subjective.

Currently, IRBs and Privacy Boards must use three criteria in considering whether to approve a waiver of individual authorization for the use of PHI in research.38 The first criterion is that the use or disclosure of PHI in the research involves no more than a "minimal risk" to the privacy of individuals.
The Privacy Rule lists three elements that must be present in making this determination: (1) "an adequate plan to protect the identifiers from improper use and disclosure;" (2) "an adequate plan to destroy the identifiers;" and (3) "adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI is otherwise permissible." However, the decision about what is "adequate" is highly subjective, and thus different institutions are likely to set varying thresholds for "minimal risk."

38 45 C.F.R. § 164.512(i)(2)(ii) (2006).
The other two criteria that IRBs or Privacy Boards currently must use in considering whether to approve a waiver of individual authorization are (1) that "the research could not practicably be conducted without the waiver;" and (2) that the "research could not practicably be conducted without access to and use of PHI"39 (as opposed to deidentified data or a limited dataset). The concept of practicability is used in both the Common Rule and in the HIPAA authorization criteria, but what is "practicable" or "impracticable" has never been adequately defined by the HHS Office for Human Research Protections or the HHS Office for Civil Rights (e.g., with regard to cost/feasibility). Not surprisingly, therefore, institutions apply varying definitions independently, often too conservatively to allow even low-risk research to proceed. Some institutions interpret the term impracticable to mean not at all possible and even require researchers to demonstrate that a study will fail without a waiver of authorization. The lack of clarity leads to a great deal of variability across institutions and impedes research. Patients have also questioned the meaning of the term.

Simplification or clarification by HHS of the criteria that IRBs or Privacy Boards must use in deciding whether to approve a waiver of individual authorization would be especially helpful for multi-institutional studies, which fall under the jurisdiction of multiple IRBs or Privacy Boards. Covered entities are permitted to rely on a waiver of authorization approved by a single IRB or Privacy Board with jurisdiction. Currently, however, covered entities often decide to require approval from their own IRB or Privacy Board prior to disclosing PHI to the requesting researcher, regardless of whether another IRB or Privacy Board already granted a waiver of authorization. This practice leads to delays and variability in the protocol at different sites.
Simplification of the criteria for approval of waivers by IRBs and Privacy Boards would also be helpful for smaller or community-based institutions that do not have internal counsel or regulatory affairs specialists, and thus are more likely to opt out of research that requires decisions about authorizations. With better guidance, all covered entities would have more confidence in their decisions and might be more willing to rely on a lead IRB or Privacy Board's decision in the case of multi-institutional studies.

If HHS decides to retain the three criteria that IRBs or Privacy Boards currently use in deciding whether to approve a waiver of individual authorization, however, the committee recommends that HHS provide clear and reasonable definitions of the vague terms used in those criteria. Specifically, HHS should define what constitutes "minimal risk" to the privacy of individuals (in the first criterion) and define what constitutes "impracticable" (in the second and third criteria). HHS should also provide specific case examples of what should or should not be considered impracticable or of minimal risk to reduce variability and overly conservative interpretations.

39 Id.

III. Implement Changes Necessary for Both Policy Options Above (Recommendations I and II)

Regardless of whether Recommendation I or II is implemented, the following recommendations, which are independent of the Privacy Rule, should be adopted. Strong security measures are essential to effective privacy protection, willingness to serve in IRBs is important for ensuring appropriate oversight of research, and the public should be provided with more information about health research.

Recommendation III.A: All institutions (both covered entities and noncovered entities) in the health research community that are involved in the collection, use, and disclosure of personally identifiable health information should take strong measures to safeguard the security of health data. For example, institutions could:

• Appoint a security officer responsible for assessing data protection needs and implementing solutions and staff training.
• Make greater use of encryption and other techniques for data security.
• Include data security experts on IRBs.
• Implement a breach notification requirement, so that patients may take steps to protect their identity in the event of a breach.
• Implement layers of security protection to eliminate single points of vulnerability to security breaches.

In addition, the federal government should support the development and use of:

• Genuine privacy-enhancing techniques that minimize or eliminate the collection of personally identifiable data.
• Standardized self-evaluations and security audits and certification programs to help institutions achieve the goal of safeguarding the security of personal health data.

Rationale

Effective health privacy protections require effective data security measures.
Protecting the privacy of research participants and maintaining the confidentiality of their data have always been imperative to most researchers and a fundamental tenet of clinical research. Recently, however, several highly publicized examples of stolen or misplaced computers containing health data have heightened the public's concerns about privacy. Such events pose problems not only for patient privacy, but also for health research, because public trust is essential for patients to be willing to participate in research. Moreover, data security is a key component of comprehensive privacy protections. Thus, the committee recommends improving the security of personally identifiable health information.

The HIPAA Security Rule (which entails a set of regulatory provisions separate from the Privacy Rule) already sets a floor for data security standards within covered entities, but not all institutions that conduct health research are subject to HIPAA regulations. Moreover, the security protections intended by the HIPAA Security Rule may not be sufficient to prevent breaches. The committee recommends that all institutions conducting health research undertake measures to strengthen data protections. Given the recent spate of lost or stolen laptops containing patient health information, for example, encryption should be required for all laptops and removable media containing such data. There are differences among the missions and activities of institutions in the health research community, however, so some flexibility in the implementation of specific security measures will be necessary.

Examples of security standards and guidelines already exist in some sectors, but they are not widely applied in academic settings. The National Institute of Standards and Technology (NIST), for example, has developed standards and guidance for the implementation of the Federal Information Security Management Act of 2002, which was meant to bolster computer and network security within the federal government and affiliated parties (e.g., government contractors).
The NIST standards include minimum security requirements for information and information systems, as well as guidance for assessing and selecting appropriate security controls for information systems, for determining security control effectiveness, and for certifying and accrediting information systems.40 HHS, working through its Office of the National Coordinator for Health Information Technology,41 could play an important role in developing or adapting standards for health research applications, then encourage and facilitate broader use of such standards in the health research community. The issue of the security of health data will continue to grow in importance as the health care industry moves toward widespread implementation of electronic health records, and Congress has already proposed numerous bills to facilitate and regulate that transition. As noted in the committee's recommendation about the requirements for the accounting of disclosures of PHI for research above (Recommendation II.C.1), advances in information technology will likely make it easier to implement measures such as audit trails and access controls in the future.

40 National Institute of Standards and Technology (NIST), Federal Information Security Management Act Implementation Project Website, updated November 1, 2007, http://csrc.nist.gov/groups/SMA/fisma/index.html (accessed August 1, 2008).
41 Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services, Office of the National Coordinator: Mission, http://www.hhs.gov/healthit/onc/mission/ (accessed August 1, 2008).

Enhancing security could reduce the risk of data theft and reinforce the public's trust in the research community by diminishing anxiety about the potential for unintentional disclosure of information. The publication of best practices and outreach to all stakeholders by HHS, combined with a cooperative approach to compliance with security standards such as self-evaluation and audit programs, would promote progress in this area. As noted in Recommendation II.A.1, research sponsors could also play a role in fostering the adoption of best practices in data security.

Recommendation III.B: HHS—or, as necessary, Congress—should provide reasonable protection against civil suits brought pursuant to federal or state law for members of IRBs and Privacy Boards for decisions made within the scope of their responsibilities under the HIPAA Privacy Rule and the Common Rule, in order to encourage service on Institutional Review Boards and Privacy Boards. The limitation on liability for members of IRBs and Privacy Boards should not include protection for willful and wanton misconduct in reviewing the research, but should instead be reserved for good-faith decisions, backed by minutes or other evidence, in responsibly applying the legal requirements under the HIPAA Privacy Rule or the Common Rule.
Rationale

IRBs, Privacy Boards, and institutions have enormous responsibility in determining whether health research projects are planned and conducted in a way that minimizes or eliminates the potential risk to human research participants, including both direct physical harms and nonphysical harms (e.g., breach of privacy). The workload of IRBs and the complexity of their work have been steadily increasing as a result of new and evolving requirements for research regulation and documentation, including the HIPAA Privacy Rule. Surveys and studies indicate that the IRB review process has become more lengthy and difficult since implementation of the Privacy Rule, which may increase opportunity costs due to delayed or undiscovered research findings that might improve health.

Effective oversight of health research depends on the recruitment of qualified and knowledgeable volunteers to serve on IRBs and Privacy Boards. But the increasing workload and complexity of IRB and Privacy Board service have made it difficult to recruit and retain knowledgeable IRB and Privacy Board members and to ensure time for the ethical reflection necessary to make appropriate decisions about human research projects. Moreover, because of the growth over the past decade of lawsuits naming individual IRB members as defendants, fear of penalties and civil suits can be a significant deterrent in recruiting qualified volunteers to serve on IRBs and Privacy Boards. Such fears could also lead IRB and Privacy Board members to be overly conservative in their decisions about research proposals brought before them.

Members of IRBs and Privacy Boards are generally indemnified by their institutions, but they are not immune from being named in a suit. Therefore, they might still have to devote time and resources to defending themselves for decisions made by an IRB or Privacy Board on which they served. Members of IRBs or Privacy Boards who receive limited protection against lawsuits may be less likely to interpret the HIPAA Privacy Rule too conservatively.

Providing this type of limitation on liability for IRB and Privacy Board members would be similar to the precedent of protection for peer review members under state laws and under the Health Care Quality Improvement Act of 1986. A similar provision was incorporated into the Ontario Personal Health Information Protection Act of 2004, under which members of ethical boards are immune for acts done and omissions made in good faith that are reasonable under the circumstances.
In addition to reducing overinterpretation of the HIPAA Privacy Rule in health research, such protections might also facilitate multi-institutional research by reducing the variability among local IRBs and Privacy Boards, as they should be more willing to accept the decision of a lead IRB or Privacy Board. Indeed, moving in the direction of national IRBs/Privacy Boards, as is encouraged by the National Cancer Institute for cancer clinical trials, might further reduce overly conservative interpretation of the HIPAA Privacy Rule.

Finally, it should be noted that HHS policy is to seek compliance with the HIPAA Privacy Rule first, rather than penalties, when a concern is brought to its attention. Institutions might be less inclined to interpret the HIPAA Privacy Rule too conservatively if this policy were stated more clearly in guidance materials provided by HHS. Thus, even without the enactment of a new protective statute for IRB and Privacy Board members, simple clarification and clear communication of the way HHS will enforce the HIPAA Privacy Rule and seek penalties would be helpful.

Recommendation III.C: HHS and researchers should take steps to provide the public with more information about health research.
Background

Surveys indicate that the vast majority of Americans believe health research is important, and are interested in the findings of research studies. The majority of patients also appear to be willing to participate in health research, either by volunteering for a study to test a medical intervention or by allowing access to their medical records or stored biospecimens, under certain conditions. Their willingness to participate in research is dependent on trust in researchers to safeguard the rights and well-being of patients, including assurance of privacy and confidentiality, and the belief that the research is a worthwhile endeavor that warrants their involvement. Yet patients often lack information about how health research is conducted and are rarely informed about research results that may have a direct impact on their health.

The committee's two recommendations below address the public's desire for more information about health research and are important components in fulfilling two of the committee's overarching goals of the report: (1) improving the privacy and data security of health information, and (2) improving the effectiveness of health research. Both recommendations could be accomplished by HHS and the health research community without any changes to HIPAA or the Privacy Rule by making them a condition of funding from HHS and other research sponsors and by providing additional funds to cover the cost.

Recommendation III.C.1: Health researchers should make greater efforts to inform study participants and the public about the results of research and the relevance and importance of those results.

• Researchers should inform interested research participants (who granted authorization for a particular study) with a simplified summary of the results at the conclusion of a research study.
• HHS should encourage registration of trials and other studies in public databases, particularly when research is conducted with a waiver of authorization.

Rationale

Empirical evidence indicates that people want to be informed about research results, and ethicists have long recommended this kind of feedback and community involvement. In addition, the IOM committee identified transparency—the responsibility to disclose clearly how and why personally identifiable information is being collected—as an important component of comprehensive privacy protections. An IOM report in 2002 titled Responsible Research: A Systems Approach to Protecting Research Participants recommended improved communication with the public and research participants to ensure that the protection process is open and accessible to all interested parties, noting that transparency is best achieved by providing graded levels of information and guidance to interested parties.

Effective communication could also build the public's trust in the research community, which is important because trust is necessary for the public's continued participation in research under both the HIPAA Privacy Rule and the committee's new framework. Learning about clinically relevant findings from a study in which a patient has participated could make patients feel more integrated into the process and could encourage more patients to participate in future studies. Moreover, if the study results indicate that an altered course of care is warranted, direct feedback about these results could lead to improved health care for study participants.

Thus, the committee recommends that when patients grant authorization for their medical records to be used in a particular study, health researchers should make greater efforts at the conclusion of the study to inform study participants about the results, and the relevance and importance of those results. Broader adoption of electronic medical records may be helpful in accomplishing this goal, but multiple impediments, beyond cost and technology, may prevent delivery of meaningful feedback to participants. Although some guidelines for providing and explaining study results to research participants have been proposed, they differ in details because limited data are available on this subject, and thus standards are lacking. A summary of the results alone, while necessary and reasonable, can be seen as a token, and also raises questions about issues such as how best to write summaries and how to present research with uninformative outcomes.
HHS should also encourage registration of trials and other studies in public databases, particularly when research is conducted with a waiver of authorization as a way to make information about research studies more broadly available to the public. Numerous clinical trial registries already exist, and registration has increased in recent years. The National Library of Medicine established a clinical trials registry42 in 2000, which has expanded to serve as the FDA's required site for submissions about clinical trials subject to the FDA databank requirement and now also includes information from several other trial registries. The FDA Amendments Act of 2007 expanded the scope of required registrations and provided the first federally funded trials results database. In fall 2005, the International Committee of Medical Journal Editors adopted a policy requiring prospective trial registration as a precondition for publication.

42 See http://clinicaltrials.gov (accessed August 6, 2008).

The development of clinical trial registries is an important first step toward providing high-quality clinical trial information to the public. Currently, however, there is no centralized system for disseminating information about clinical trials of drugs or other interventions. Thus, patients and their health care providers have difficulty identifying ongoing studies. Moreover, some trials are still exempt from registration and data reporting. An additional limitation of clinical trial databases is that noninterventional studies (including observational studies that play an increasingly critical role in biomedical research) are not generally included. Because many noninterventional studies are conducted with a waiver of authorization, including those studies in a registry could be an important method for increasing public knowledge of those studies.

Recommendation III.C.2: HHS and the health research community should work to educate the public about how health research is done, and what value it provides.

Rationale

Health research provides a community benefit by determining the most effective treatments and by developing new therapies. Interventional clinical trials are the most visible of the various types of health research, but a great deal of informative health research entails analysis of thousands of patient records to better understand human diseases, to determine treatment effectiveness, and to identify adverse side effects of therapies. This form of research is likely to increase in frequency as the availability of electronic health records continues to expand. As medicine moves toward the goal of personalized medicine, research results will be even more likely to be directly relevant to patients, but more study participants will be needed to derive meaningful results.

However, many patients probably are not aware that their medical records are being used in database research. Moreover, surveys show that many patients desire not only notice, but also the opportunity to decide about whether to consent to such research with medical records.
As noted in Recommendation III.A, strengthening security protections of health data should reduce the risk of security breaches and their potential negative consequences, and thus should help to alleviate patient concerns in this regard. But educating patients about how health research is conducted, monitored, and reported could also help to increase patients' trust in the research community, which is important for the public's continued participation under both the HIPAA Privacy Rule and the committee's new framework.

In addition, an educated public could also decrease the potential for biased research samples. A universal requirement to obtain authorization for medical records research can lead to a biased study sample, and thus inaccurate conclusions, because those who decline to participate may be more or less likely than average to have a particular health problem. A study sample may also be biased if certain members are underrepresented or overrepresented relative to others in the population. A biased sample is problematic, because any statistic computed from that sample has the potential to be consistently erroneous, and thus, conclusions drawn from a biased sample are likely to be invalid. Conveying to the public the importance of health care improvements derived from medical records research and stressing the negative impact of incomplete datasets on research findings may increase the public's participation in research and their willingness to support information-based research that is conducted with IRB or Privacy Board oversight and a waiver of patient authorization.

There are numerous examples of important research findings from medical records research that would not have been possible if direct patient consent and authorization were always required, including the finding that infants exposed to diethylstilbestrol (DES) during the first trimester of pregnancy had an increased risk of breast, vaginal, and cervical cancer and reproductive anomalies as adults. Studies of medical records also led to the discovery that folic acid supplementation during pregnancy can prevent neural tube defects.

Thus, HHS and the health research community should work to educate the public about how research is done, and what value it provides. All stakeholders, including professional organizations, nonprofit funders, and patient organizations, have different interests and responsibilities to make sure their constituencies are well informed, but coordination and identification of best practices by HHS would be helpful. For example, the American Society of Clinical Oncology and the American Heart Association already have some online resources to help patients gather information about research that may be relevant to their conditions.
Research is needed to identify which segments of the population would be receptive to and benefit from various types of information about how research is done and its value in order to create and implement an effective education plan. Greater use of community-based participatory research, in which community-based organizations or groups bring community members into the research process as partners to help design studies and disseminate the knowledge gained,43 would also help achieve this goal. These groups help researchers to design activities that the community is likely to value and to recruit research participants, by using the knowledge of the community to understand health problems. They also inform community members about how the research is done and what comes out of it, with the goal of providing immediate community benefits from the results when possible.

43 Agency for Healthcare Research and Quality, U.S. Department of Health and Human Services, Creating Partnerships, Improving Health: The Role of Community-Based Participatory Research, June 2003, http://www.ahrq.gov/research/cbprrole.htm (accessed August 1, 2008).