Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
4 HIPAA, the Privacy Rule, and Its Application to Health Research This chapter provides an overview of the development of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and describes how it applies to health research. A section at the end of the chapter also describes the relationships between HIPAA and other federal and state laws. Because a great deal of health research in the United States is also subject to the Common Rule (described in Chapter 3), disparities between these two federal rules are also noted where relevant throughout the chapter. OVERVIEW OF HIPAA HIPAA was passed on August 21, 1996. It was intended to make health care delivery more efficient and to increase the number of Americans with health insurance coverage. These objectives were pursued through three main provisions of the Act: (1) the portability provisions, (2) the tax provi- sions, and (3) the administrative simplification provisions. Portability and Tax Provisions The portability provisions of HIPAA aimed to prevent individuals from losing health care coverage due to a preexisting condition when changing to a new employerâs health plan. The portability provisions also aimed to reduce the number of unemployed or self-employed individuals without health insurance by making it easier for individuals to purchase health insurance without their employer.
BEYOND THE HIPAA PRIVACY RULE Similarly, the tax provisions of HIPAA were also intended to make it easier for individuals to maintain health insurance. The tax provisions pursued this goal by modifying existing tax laws to make health insurance more affordable. HIPAA does not regulate the price of health insurance, but rather, it relies on tax breaks and other tax incentives to reduce health care costs (Chaikind et al., 2005). Administrative Simplification Provisions The administrative simplification provisions of HIPAA instructed the Secretary of the U.S. Department of Health and Human Services (HHS) to issue several regulations concerning the electronic transmission of health information. These provisions were included in the final version of HIPAA because health plans had requested federal legislation in this area from Congress. The use of electronic health information was expanding in the early 1990s, and the health care industry was unable to standardize the process and use of electronic health information without federal action.1 The security standards are one set of regulations mandated by the administrative simplification provisions of HIPAA. The Act instructed the Secretary of HHS to develop nationwide security standards and safeguards for the use of electronic health care information. The resulting HHS regu- lations spell out specific administrative, technical, and physical security procedures that healthcare plans, providers and clearinghouses must incor- porate into their operations to prevent unauthorized access, use, and dis- closure of protected health information (CMS, 2005). HHS published the final HIPAA Security Rule in the Federal Register on February 20, 2003. Health plans and providers were required to be in compliance with these measures by April 2004 (see Box 2-2). The administrative simplification provisions of HIPAA also directed the Secretary to develop standards for unique health identifiers for patients, employers, health plans, and providers. Unique health identifiers are national numbers that could be used to identify the individual or organiza- tion in standard health transactions. The Centers for Medicare & Medicaid Services (CMS) has issued standards for the unique health identifiers for employers and providers, and unique health identifiers for health plans are under development. However, Congress has prevented CMS from imple- menting a standard for the unique health identifier for patients by inserting language into the annual appropriations bill every year since HIPAA was enacted (Chaikind et al., 2005). Finally, the administrative simplification provisions of HIPAA man- dated the creation of privacy standards for the protection of personally 1 Personal communication, M. Wilder, Hogan and Hartson, March 17, 2007.
APPLICATION TO HEALTH RESEARCH identifiable medical information. Although privacy protections were not a primary objective of the Act, Congress recognized that advances in electronic technology could erode the privacy of health information, and included the privacy provision in HIPAA (IOM, 2006). In accordance with the administrative simplification provisions, HHS developed the Privacy Rule, which constitutes a broad-ranging federal health privacy regulation (see Table 4-1). Incorporating many of the basic fair information practices,2 the Privacy Rule generally restricts the use or disclosure of protected health information, except as permitted by the individual or as authorized or required by the Privacy Rule. Its provisions also impose on covered entities affirmative requirements to safeguard the information in their possession. The Privacy Rule gives individuals certain rights with respect to their health information (reviewed by Pritts, 2008). DEVELOPMENT OF THE PRIVACY RULE REGULATIONS Congress did not include detailed privacy requirements in HIPAA. The terms of HIPAA required the Secretary of HHS to submit detailed recom- mendations to Congress by August 1997 on ways to protect the privacy of personally identifiable health information. These recommendations were to include suggestions on ways to protect individualsâ rights concerning their personally identifiable health information, procedures for exercising such rights, and the uses and disclosures of information that should be authorized or required under HIPAA.3 If Congress did not enact privacy legislation within 3 years of the passage of HIPAA, the Act required the Secretary of HHS to issue privacy regulations for the protection of personally identifiable health information within 42 months of HIPAAâs enactment.4 In response to this mandate, HHS submitted recommendations for pro- tecting the privacy of personally identifiable health information to Congress in September 1997. In these recommendations, Secretary Shalala advocated for the passage of federal privacy legislation, rather than relying on HHS to pass a set of privacy regulations. Shalalaâs report stated, âThis report rec- ommends that Congress enact national standards that provide fundamental privacy rights for patients and define responsibilities for those who service themâ (Shalala, 1997). Although numerous bills that attempted to address health information 2 U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (September 11, 1997), and Standards for Privacy of Individually Identifiable Health Information: Proposed Rule, 64 Fed. Reg. 59918, 59923 (1999). 3 Health Insurance Portability and Accountability Act, 45 C.F.R. Â§ 264(a)â(b) (2006). 4 See 45 C.F.R. Â§ 264(c)(1) (2006).
BEYOND THE HIPAA PRIVACY RULE TABLE 4-1 Timeline of the HIPAA Privacy Rule Date Action August 1996 Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton September 1997 Donna Shalala, Secretary of the Department of Health and Human Services (HHS), made recommendations to Congress on the privacy standards mandated in HIPAA September 1999 Congress failed to enact federal privacy legislation within the 3-year time limit set by HIPAA November 1999 HHS issued a proposed version of the privacy regulation for public comment December 2000 HHS published the original Privacy Rule, titled Standards for Privacy of Individually Identifiable Health Information March 2002 HHS published a proposed modification to the Privacy Rule and accepted additional public comments August 2002 HHS published the Final Privacy Rule April 2003 Covered entities were required to be in compliance with the Privacy Rule (except small health plans) The Association of American Medical Colleges launched a survey examining how research has been affected by the Privacy Rule and proposed recommendations for changes to the Privacy Rule In South Carolina Medical Association v. Tommy Thompson, plaintiffs lost constitutional challenge to HIPAA March 2004 The National Committee on Vital and Health Statistics sent a letter to HHS giving detailed recommendations on ways to improve the Privacy Ruleâs application to research April 2004 Small health plans were required to be in compliance with the Privacy Rule September 2004 The Secretaryâs Advisory Committee on Human Research Protections sent a letter to the Secretary of HHS with recommendations for changes to the Privacy Rule as applied to research March 2005 In Citizens for Health v. Michael O. Leavitt, plaintiffs unsuccessfully challenged the Privacy Rule as being invalid privacy were introduced, Congress was unable to finalize privacy legislation on the time schedule mandated in HIPAA. During the 1999 congressional session alone, eight such bills were introduced. However, none of these bills was passed. As a result, Congress passed the responsibility of creating health privacy protections to HHS. Over the course of developing the current Privacy Rule, HHS went through four iterations of the Rule. HHS followed Secretary Shalalaâs 1997 recommendations to Congress in shaping the regulations (Redhead,
APPLICATION TO HEALTH RESEARCH 2001). First, HHS issued a proposed version of the Privacy Rule for public comment on November 3, 1999, that drew more than 50,000 comments (Stevens, 2000). Based on these comments, HHS issued the second version of the Privacy Rule, titled Standards for Privacy of Individually Identifiable Health Information, in December 2000.5 Before this version of the Privacy Rule could take effect, the Secretary of HHS was inundated with unsolicited public comments and criticism regarding the Privacy Rule. Health care insurers and providers were concerned that the Privacy Rule would make health care industry operations less efficient. They were particularly con- cerned about the requirement that they obtain authorization prior to mak- ing any routine disclosure of personally identifiable health information for health care operations, treatment, or payment. The comments received also suggested that this version of the Privacy Rule would prevent pharmacists from filling prescriptions and searching for potential drug interactions before patients arrived at pharmacies; interfere with providing emergency medicine in situations where it would be impossible to obtain patient authorization before treatment; and delay the scheduling and preparation of hospital procedures until the doctor could obtain patient authorization.6 In March 2002, HHS, under the Bush Administration, published a proposed modification to the Privacy Rule, which reopened the rule- making process and created a new period for submitting public comments. This version of the Privacy Rule drew more than 24,000 comments. Incor- porating the suggestions collected through the second notice of proposed rule-making period, HHS issued the final version of the Privacy Rule in August 14, 2002.7 This is the current, effective, and codified version of the Privacy Rule (45 C.F.R. parts 160 and 164). Most health care providers and health plans were required to be in compliance with this version of the Privacy Rule by April 14, 2003. Small health plans were given until April 14, 2004, to be in compliance. OVERVIEW OF THE HIPAA PRIVACY RULE Entities Subject to the Privacy Rule The Privacy Rule applies to âcovered entities,â9 which are individuals or organizations that electronically transmit health information in the 5 Standards for Privacy of Individually Identifiable Health Information: Final Rule, 65 Fed. Reg. 82461 (2000). 6 Standards for Privacy of Individually Identifiable Health Information: Final Rule, 67 Fed. Reg. 53181, 53209 (2002). 7 See 67 Fed. Reg. 53181 (2002). 8 Some material in this section is adapted from a background paper by Pritts (2008). 9 See 45 C.F.R. Â§ 160.103 (2006).
BEYOND THE HIPAA PRIVACY RULE course of normal health care practices. Covered entities include health care providers, health plans, and health care clearinghouses. Health plans are entities that provide or pay the cost of medical care, such as private health insurers or managed care organizations, and governmental payors and health programs such as Medicaid, Medicare, or Veterans Affairs. Health care clearinghouses generally refer to billing services, and health care pro- viders include hospitals, doctors, and other health care professionals and facilities that provide treatment (Table 4-2). If an entity that meets one of the categories of a covered entity also performs functions unrelated to health care, it can become a hybrid entity by designating in writing its âhealth care components.â10 Only these health care components are then bound by the Privacy Rule. For example, if a university includes an academic medical center with a hospital, the entire university will be classified as a covered entity unless the university elects to be a hybrid entity by designating only the hospital as the health care component. By doing this, only the hospital has to comply with the Privacy Rule. The classification of researchers within a hybrid entity depends on the nature of the work performed (e.g., whether the researchers are within the health care component, providing health care, or conducting electronic transactions) (HHS, 2004c). Type of Information Protected The Privacy Rule protects all personally identifiable health informa- tion, known as protected health information (PHI), created or received by a covered entity. Personally identifiable health information is defined as information, including demographic information, that ârelates to past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care for the individualâ that either identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.â11 The Privacy Rule does not protect personally identifiable health infor- mation that is held or maintained by an organization other than a covered entity (HHS, 2004c). It also does not apply to information that has been deidentified in accordance with the Privacy Rule12 (see later section on Deidentified Information). 10 See 45 C.F.R. Â§ 164.105(a)(2)(iii)(c) (2006). 11 See 45 C.F.R. Â§ 160.103 (2006). 12 See 45 C.F.R. Â§ 164.502(d) (2006).
APPLICATION TO HEALTH RESEARCH TABLE 4-2 The Uneven Application of the HIPAA Privacy Rule: Examples of HIPAA Covered Entities and Non-Covered Entities Covered Entities Non-Covered Entities â¢ Health maintenance organizations â¢ Independent consent management (HMOs) companies â¢ Group health plans â¢ Contract research organizations â¢ Medicare and Medicaid programs â¢ Research foundations â¢ Veterans health care program â¢ Data warehousing/data management â¢ Civilian Health and Medical Program of companies the Uniformed Services â¢ Student health services (if they do not â¢ Indian Health Service program under the bill for services) Indian Health Care Improvement Act â¢ Pharmaceutical companies â¢ Pharmacies â¢ Researchers who are not employed by a â¢ Researchers who are employed by a covered entity covered entity â¢ Some universities (or parts of â¢ Some universities (or parts of universities, universities) such as health centers) â¢ A public health agency that does not â¢ A public health clinic that is part of a perform activities subject to the public health agency provisions of the Privacy Rule Restrictions on Use and Disclosure Covered entities may not use or disclose PHI except as permitted or required by the Privacy Rule.13 A covered entity may disclose PHI without the individualâs permission for treatment, payment, and health care opera- tions purposes. For other uses and disclosures, the Privacy Rule generally requires the individualâs written permission, which is an âauthorizationâ that must meet specific content requirements. The Privacy Rule then estab- lishes a number of exceptions to this general rule, allowing covered entities to use and disclose PHI without the individualâs authorization in certain situations. For example, the Privacy Rule permits the disclosure of PHI without the individualâs authorization in the following circumstances: To business associates14 â¢ For public health purposes as required by state and federal law15 â¢ â¢ To public agencies for health oversight activities, such as audits; 13 See 45 C.F.R. Â§ 164.502(a) (2006). A covered entity is required to make a reasonable effort to use and disclose only the minimum amount of PHI needed for the intended purpose. See 45 C.F.R. Â§ 164.502(b) (2006). 14 See 45 C.F.R. Â§ 164.506(e) (2006). 15 See 45 C.F.R. Â§ 164.510(b) (2006).
0 BEYOND THE HIPAA PRIVACY RULE inspections; civil, criminal, or administrative proceedings; and other activities necessary for the oversight of the health care system16 To law enforcement officials17 â¢ â¢ For judicial and administrative proceedings, if the request for infor- mation is made through a court order18 For research19 â¢ Most of these permitted uses and disclosures are subject to detailed conditions. For example, the Privacy Rule allows covered entities to disclose PHI without individual authorization to its âbusiness associates,â which are defined as persons or entities that perform, on behalf of the covered entity, certain functions or services20 that require the use or disclosure of PHI, provided adequate safeguards are in place.21 As a general rule, these safeguards take the form of a business associate agreement whereby the business associate agrees not to use or disclose the PHI it receives except as permitted by the agreement or by law (Box 4-1). In the case of public health practice, the Privacy Rule notes that there is a legitimate need for public health authorities and others working to ensure the health and safety of the public to have access to PHI. As a result, the Privacy Rule permits, but does not require,22 covered entities to disclose PHI without authorization for specified public health purposes (Box 4-2). Disclosures for research are discussed in detail in subsequent sections of this chapter. Individual Rights The Privacy Rule also confers rights on individuals with respect to their PHI (reviewed by Pritts, 2008). Under the Privacy Rule, individuals have the right to23: â¢ Receive a notice of privacy practices from a health care provider or a health plan that must, among other things, inform patients of 16 See 45 C.F.R. Â§ 164.510(c) (2006). 17 See 45 C.F.R. Â§ 164.510(f) (2006). 18 See 45 C.F.R. Â§ 164.510(d) (2006). 19 See 45 C.F.R. Â§ 164.512 (2006). 20 Some common functions that business associates perform for covered entities include recruiting subjects, data analysis, processing, or administration; utilization review; quality assurance; and practice management. 21 See 45 C.F.R. Â§ 164.502(e) (2006). 22 Only states have the authority to require mandatory public health reporting. 23 See 45 C.F.R. Â§ 164.520 (2006).
APPLICATION TO HEALTH RESEARCH BOX 4-1 Business Associate Agreements A covered entity must obtain assurances in writing that the business associate will: (1) use the information only for the purposes for which it was engaged by the covered entity; (2) safeguard the information from misuses; and (3) help the covered entity comply with some of the covered entityâs duties under the Privacy Rule. Business associate agreements must include: â¢ A description of the permitted and required uses of the PHI by the business associate. â¢ A statement that the business associate will not use or disclose the PHI other than as permitted or required by the contract, or as required by law. â¢ A statement that the business associate will use appropriate safeguards to pre- vent the use or disclosure of PHI other than as provided for by the contract. SOURCE: 45 C.F.R. Â§ 160.103 (2006). BOX 4-2 The HIPAA Privacy Rule and Public Health Practice The Privacy Rule defines public authorities as any âfederal, tribal, or local agency or person or entity acting under a grant of authority or contract with the agency, including state and local health departments, the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention, and the Occupational Safety and Health Administration.â A covered entity can release PHI to a public health authority, without authoriza- tion or waiver of authorization, in the following circumstances: â¢ Monitoring health threats and diseases â¢ Child abuse or neglect â¢ Products regulated by the FDA â¢ Persons at risk of contracting or spreading a disease â¢ Workplace surveillance State laws may also permit or require the release of PHI for activities other than those listed above. SOURCES: 45 C.F.R. Â§ 164.501 (2006); 45 C.F.R. 164.512(b)(i)â(v) (2006); 45 C.F.R. 160.203(c) (2006).
BEYOND THE HIPAA PRIVACY RULE the anticipated uses and disclosures of their health information that may be made without the patientsâ consent or authorization.24 See and obtain a copy of their own health information.25 â¢ â¢ Request an amendment of information that is incomplete or inaccurate.26 â¢ Obtain an accounting of certain disclosures that the covered entity made of their PHI over the past 6 years.27 HIPAA AND RESEARCH Although health research was not a focus of HIPAA, Congress rec- ognized the important role that health records play in conducting health research and wanted to ensure that privacy protections would not impede researchersâ continued access to such data. This is reflected in two House Reports on HIPAA with identical language, stating: âThe conferees recognize that certain uses of individually identifiable information are appropriate, and do not compromise the privacy of an individual. Examples of such use of information include . . . the transfer of information from a health plan to an organization for the sole purpose of conducting health care-related research. As health plans and providers continue to focus on outcomes research and innovation, it is important that the exchange and aggregated use of health care data be allowedâ (U.S. Congress, 1996a,b). In creating the current research provisions of the Privacy Rule, HHS considered several options. One option considered was exempting PHI used in research from the regulations, but HHS rejected this option, noting some reported shortcomings of the protection of the privacy and confidential- ity of health information in research (reviewed by Pritts, 2008).28 A U.S. General Accounting Office report prepared in anticipation of federal health privacy legislation noted that confidentiality protections were not a major thrust of the Common Rule, and oversight boards tended to give confiden- tiality less attention than other research risks because they had the flexibil- ity to decide when it was appropriate to review confidentiality protection issues (GAO, 1999). The report noted that although â[t]he actual number of instances in which patient privacy is breached is not fully known . . . in 24 See 45 C.F.R. Â§ 164.520 (2006). 25 See 45 C.F.R. Â§ 164.524 (2006). 26 See 45 C.F.R. Â§ 164.526 (2006). 27 See 45 C.F.R. Â§ 164.528 (2006). 28 U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (September 11, 1997) (hereinafter âSecretary Recommendationsâ); 64 Fed. Reg. 59918, 59968 (1999); 65 Fed. Reg. 82461, 82691 (2000).
APPLICATION TO HEALTH RESEARCH an NIH [National Institutes of Health] sponsored study, IRB [Institutional Review Board] chairs reported that complaints about the lack of privacy and confidentiality were among the most common complaints made by research subjects.â In addition, the compliance staff of the HHS Office for Protection from Research Risks (now Office of Human Research Protec- tions) related that they had investigated several allegations involving human subjects protection violations resulting from a breach of confidentiality over the past several years and that the complaints related to (1) research subject to IRB review and (2) research outside federal protection (GAO, 1999). HHS also considered requiring researchers to obtain individual autho- rization in all situations where a covered entity might want to disclose PHI for research. But this option would have made many research projects nearly impossible to carry out. Instead, HHS created the current system, which attempted to protect individual privacy while still allowing research- ers access to data. In proposing the Privacy Rule, HHS acknowledged that ideally, it would have preferred to directly regulate researchers by extending the pro- tections of the Common Rule to nonfederally funded research and imposing additional criteria for the waiver of authorization in research.29 However, HHS recognized that it did not have the authority to do so, and therefore, it attempted to protect the health information released to researchers indi- rectly (but within the scope of its limited authority) by imposing disclosure restrictions on covered entities. The following sections provide a detailed overview of the Privacy Rule provisions regulating research, along with comparisons to the provisions of the Common Rule (see Chapter 3 for a general overview of the Com- mon Rule). Research Uses and Disclosures with Individual Authorization Individuals may voluntarily authorize the use and disclosure of their PHI for essentially any reason, including for research purposes. To be valid under the Privacy Rule, an authorization must be âspecific and meaningfulâ30âthat is, it must provide a clear description of the infor- mation to be used or disclosed. The authorization must also be written in plain language, and contain core elements (e.g., signature of the indi- vidual, description of purpose of requested use or disclosure) and state- ments addressing the individualâs right to revoke authorization, as well as 29 See Secretary Recommendations (1997) and 64 Fed. Reg. 59918, 59968 (1999). 30 See 45 C.F.R. Â§ 164.508(c)(1)(i) (2006).
BEYOND THE HIPAA PRIVACY RULE circumstances under which services or payment may be conditioned on signing the authorization.31 Authorization under the Privacy Rule differs from informed consent in research (reviewed by Pritts, 2008). Authorization states how, why, and to whom the PHI will be used and/or disclosed for research, and seeks permis- sion for that use or disclosure. In contrast, informed consent describes the potential risks and benefits of research and seeks permission to involve the subject, although it also provides research participants with a description of how the confidentiality of the research records will be protected. The Privacy Rule permits, but does not require, review of authorization forms by an IRB or a Privacy Board (see Box 4-3). In contrast, under the Common Rule, IRBs are required to review and approve informed consent documents for human subjects research. However, if the authorization is combined in the same document as the informed consent document, then IRB approval must be sought for the combination (HHS, 2004c). Authorization of Future Research Under the Common Rule, it is permissible to obtain patient consent for future research with biological samples or information stored in databases, with oversight by an IRB, if such future uses are described in sufficient detail to allow an informed consent. Historically, IRBs typically have tried to craft informed consent language on a case-by-case basis to allow for some measure of consent to future, largely unspecified research uses, but also to require some level of detail with respect to the categories of types of uses of the information or specimens, and to emphasize confidentiality protections for identified data and tissues (Barnes and Heffernan, 2004). For example, a consent form may specify that the tissue will be kept for research to learn about, prevent, or treat the type of cancer that affects the subject. However, such language is too general to comply with the more strin- gent HIPAA authorization requirements. Under the Privacy Rule, authoriza- tions for the use or disclosure of PHI must include â[a] description of each purpose of the requested use or disclosure.â32 In the August 2002 Final Rule, HHS commented that research-related purposes described in the authorization must be âstudy specificâ and indicated that authorizations for âunspecified future researchâ would be considered overly broad and 31 A sa general rule, covered entities may not condition the provision of treatment payment or eligibility for benefits on the provision of an authorization (with the exception of research- related treatment). See 45 C.F.R. Â§ 164.508(b)(4) (2006). 32 See 45 C.F.R. Â§ 164.508(c)(1)(iv) (2006).
APPLICATION TO HEALTH RESEARCH BOX 4-3 IRBs and Privacy Boards Institutional Review Boards (IRBs) and Privacy Boards have different scopes of review. The Common Rule requires IRBs to review research projects involving human subjects for risk of harm to the subjects and to ensure that the appropri- ate process of informed consent is followed for all research participants. The Privacy Rule added to IRBsâ jurisdiction by giving them the responsibility of grant- ing waivers of authorization. In contrast, Privacy Boards did not exist under the Common Rule. Privacy Boards were created by the Privacy Rule and only have authority to review applications for waivers of authorization. The Privacy Rule did not change the IRB membership requirements from the Common Rule (see also Box 3-3). Privacy Boards have similar membership requirements to IRBs, and must be made up of members with varying back- grounds and have appropriate professional competency to review the research protocol. There must be one member who is not affiliated with any entity conduct- ing or sponsoring the research project and not related to any person who is affili- ated with any of these entities. Also, all members with conflicts of interest must be removed. SOURCE: 45 C.F.R. Â§ 164.512(i)(1)(i)(A) and (B) (2006). invalid.33 In other words, HHS regards all future uses of PHI as inherently nonspecific, and the Privacy Rule does not permit an individual to grant authorization to nonspecific research. For example, the creation and maintenance of a biospecimen bank or database is considered a specific research activity under the Privacy Rule, but authorization for any future studies undertaken with the data or mate- rials cannot be sought at the time of collection. However, the process of recontacting individuals whose biospecimens are stored to obtain consent for each and every research project for which the samples could be used is widely viewed as impractical, if not impossible, especially as more and more samples are collected. This situation can be quite problematic for studies using stored biological samples (Barnes and Heffernan, 2004; Bledsoe, 2004; Rosati, 2008; Rothstein, 2005). HHS received comments suggesting that general descriptions of future research could meet the requirement of âmeaningful and specificâ autho- rization, but HHS noted that the Privacy Rule does not require IRB or Privacy Board review of uses and disclosures made with individual authori- 33 See 67 Fed. Reg. 53181, 53226 (2002).
BEYOND THE HIPAA PRIVACY RULE zation, and thus covered entities would be left to decide whether or not the initial authorization was broad enough to cover subsequent research.34 The HHS response went on to note that authorization for future research would not be required if a waiver of authorization was granted for a subsequent study by an IRB or a Privacy Board (see the section regarding Waiver of Authorization). However, the committee recommends that this discordance between the Privacy Rule and the Common Rule be eliminated through guidance explicitly stating that future research may go forward if the authorization describes the types or categories of research that may be conducted with the PHI stored in a biospecimen bank or database, and if an IRB or Privacy Board determines that the proposed new research is not incompatible with the initial consent and authorization and poses no greater than minimal risk to the privacy of individuals (Wendler, 2006). Future consent for research is ethically valid if appropriate security measures are in place, donors have the right to withdraw consent, and new studies are reviewed and approved by an IRB or Privacy Board (Hansson et al., 2006). Furthermore, a prohi- bition on future consent actually limits individual autonomy. If individuals desire to authorize the use of their PHI for future research, they should be able to do so. Compound Authorization If a covered entity plans to collect and store PHI in a research reposi- tory in conjunction with a clinical trial, HHS has stated that the HIPAA authorization for storage of the PHI in the repository must be separate from the HIPAA authorization for disclosure of PHI associated with participa- tion in the clinical trial. HHS came to this conclusion through a complex series of interpretive steps (reviewed by Rosati, 2008). First, it is generally not permissible to condition treatment on the provision of an authoriza- tion, although the Privacy Rule does permit a covered entity to condition treatment in a clinical trial on signing an authorization.35 Second, although the Privacy Rule generally permits researchers to combine an authoriza- tion form with any other type of written permission (including another authorization), the Privacy Rule prohibits combining authorizations where the covered entity conditions the provision of treatment on signing only one of the authorizations, but not the other.36 Because HHS has concluded that collection of PHI for a clinical trial and for a repository are separate research activities, researchers cannot condition participation in the clini- 34 Id. 35 See 45 C.F.R. Â§ 164.508(b)(4)(i) (2006). 36 See 45 C.F.R. Â§ 164.508(b)(3) (2006).
APPLICATION TO HEALTH RESEARCH cal trial on signing authorization to include PHI in the repository (HHS, 2004d). Thus, HHS has determined that the two authorizations cannot be combined in one form unless the form has separate signature lines for each authorization, and the text clearly delineates the two activities and states that the participant is not required to sign the portion authorizing the con- tribution of PHI to the repository. Ideally, all relevant information pertaining to authorization should be integrated into one simple document, but there is much confusion about these complex provisions of the HIPAA Privacy Rule (Rosati, 2008). Misperceptions about restrictions on individualsâ ability to provide com- pound authorization for the related activities of clinical trial participation and biospecimen donation are widespread. Some institutions require two complete authorization forms with all the attendant language rather than two signature lines on the same form. The excess paperwork that results is burdensome for patients, can reduce the informed nature of authorization by confusing patients, and may reduce patient participation in research. The committee believes that guidance from HHS to clearly indicate that a single authorization form with two signature lines is permissible in such circumstances would reduce variability and increase the informed nature of authorization. Research Uses and Disclosures Without Individual Authorization Documented IRB or Privacy Board Approval of Such Use or Disclosure In crafting the Privacy Rule, HHS acknowledged that it is not always possible to obtain authorization for using or disclosing PHI for research, particularly in fields such as health services research and epidemiological research, where thousands of records may be involved (Pritts, 2008). It also recognized the potential for selection bias (see Box 3-8) when authorization is required. In light of these factors, HHS concluded that there were circum- stances under which it is appropriate to disclose PHI for research without authorization. HHS noted, however, â[T]he privilege of using individually identifiable health information for research purposes without individual authorization requires that the information be used and disclosed under strict conditions that safeguard individualsâ confidentiality.â37 One situation in which the Privacy Rule permits a covered entity to use and disclose PHI for research purposes without obtaining authorization from each patient is when an IRB or a Privacy Board (Box 4-3) reviews a 37 See 64 Fed. Reg. 59918, 59967 (1999).
BEYOND THE HIPAA PRIVACY RULE research proposal to use PHI and determines whether to grant a âwaiverâ of authorization to the researcher for that particular research protocol.38 The Privacy Rule sets out complex standards for IRBs and Privacy Boards to apply in deciding whether to grant a waiver of authorization for a particular research study. The IRBs and Privacy Boards must determine whether a study meets all of the following criteria39: (A) The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: (1) An adequate plan to protect the identifiers from improper use and disclosure; (2) An adequate plan to destroy the identifiers at the earliest oppor- tunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and (3) Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by this subpart; (B) The research could not practicably be conducted without the waiver or alteration; and (C) The research could not practicably be conducted without access to and use of the PHI. An IRB or a Privacy Board may waive the authorization requirement in whole or in part. A complete waiver of authorization means that no authorization is required for the covered entity to use and disclose PHI. A partial waiver means that the IRB or Privacy Board determined that a covered entity does not need authorization for the uses and disclosure of the PHI for one part of a research project, but does need to obtain authoriza- tion from patients for another part of the project. For example, an IRB or a Privacy Board often grants a partial waiver to allow PHI to be disclosed to researchers to access PHI to identify potential subjects for a study. However, if only a partial waiver of authorization is granted, the researchers will need to obtain HIPAA authorization before the PHI for each individual patient is used for the research project. An IRB or Privacy Board may also approve a request for an alteration that removes some, but not all, required elements of an authorization, using the same criteria for a waiver of authorization. 38 See 45 C.F.R. Â§ 164.512(i)(1)(i) (2006). 39 See 45 C.F.R. Â§ 164.512(i)(2)(ii) (2006).
APPLICATION TO HEALTH RESEARCH The final and codified provisions above share only some of the language used in the Common Rule40 to determine whether it is allowable to alter the elements of informed consent or to waive the requirement of obtain- ing informed consent. This difference can create a challenge for the IRB decision-making process (Rothstein, 2005). The concept of âpracticabilityâ is used in both the Common Rule and in the HIPAA authorization criteria, but there is no guidance as to what factors (e.g., feasibility or cost) should be considered in determining whether the criteria are met (IOM, 2006; IPPC, 2008; Rothstein, 2005). HHS commentary in the December 2000 Final Rule briefly mentioned cost as one factor that could be considered in determining practicability41 (HHS, 2000), but guidance documents do not define what is âpracticableâ or âimpracticable.â As a result, institutions apply varying standards indepen- dently, often too conservatively to allow even low-risk research to proceed (see also Chapter 5). For example, some institutions interpret impracticable as ânot at all possibleâ and require researchers to demonstrate that a study will fail without a waiver of authorization. Moreover, stakeholders across the board, from researchers to individual patients, have questioned the meaning of the âpracticabilityâ standard (Pritts et al., 2008; Tovino, 2004). One focus group study indicated that patients may find it appropriate to consider two factors in determining whether it is practicable to conduct the research without the waiver of authorization: whether having to contact each patient first would (1) make the study less scientifically valid or (2) make the results less useful in improving medical care (i.e., would produce selection bias) (Pritts et al., 2008). There are also no clear standards regarding what constitutes adequate protection of privacy, or what constitutes a minimal risk to privacy. The concept of minimal risk implies that there is a risk threshold, above which protections should be stricter. However, clearly defining the threshold is problematic. The terms âadequate planâ and âadequate written assuranceâ are highly subjective, and thus different institutions are likely to set varying thresholds for âminimal risk.â Thus, to facilitate appropriate authoriza- tion requirements for responsible research, the committee recommends that HHS simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain autho- rization from each patient whose PHI will be used for a research study. In the 2000 version of the Privacy Rule, one of the criteria for waiver of authorization was that âthe privacy risks to individuals whose PHI is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individual, and the importance of the knowledge that may rea- 40 See 45 C.F.R. Â§ 116(d) (2005). 41 See 65 Fed. Reg. 82461, 82697 (2000).
0 BEYOND THE HIPAA PRIVACY RULE sonably be expected to result from the research.â42 In 2002, HHS deleted this criterion from the Final Rule, stating that it was âunnecessarily dupli- cative of other provisions to protect patientsâ confidentiality interests.â43 It may have been more appropriate to retain this criterion and omit the criteria for impracticability. If the current waiver criteria are to be retained, the IOM committee believes that a clear and reasonable definition of practicability, along with specific case examples of what should or should not be considered imprac- ticable or of minimal risk, could perhaps reduce variability and overly conservative interpretation of these provisions. Simplification or clarification of the waiver criteria would be especially helpful for multi-institutional studies, which fall under the jurisdiction of multiple IRBs or Privacy Boards. Covered entities are permitted to rely on a waiver of authorization approved by a single IRB or Privacy Board with jurisdiction. However, covered entities often decide to require approval from their own IRB or Privacy Board prior to disclosing PHI to the request- ing researcher, regardless of whether another IRB or Privacy Board already granted a waiver of authorization. This leads to delays and variability in the protocol at different sites (see also Chapter 5). Simplification would also be very helpful for smaller or community-based institutions that do not have internal counsel or regulatory affairs specialists, and are thus more likely to opt out of research that requires decisions about authorizations. Activities Preparatory to Research A second situation where a covered entity is permitted to use and disclose PHI without obtaining authorization is for activities that are preparatory to research.44 Review by an IRB or a Privacy Board is also not required for activities preparatory to research. A covered entity may permit researchers to look through its medical records in order to develop research protocols and to aid the recruitment of research participants if it obtains from the researcher representations that the information sought is necessary for the research pur- pose, that information will be reviewed only for the stated purposes prepara- tory to research, and that no PHI will be removed from the covered entity by the researcher in the course of the review45 (HHS, 2004a,c). Many research studies, especially those focused on rare conditions with limited eligible patient populations, rely on large-scale medical chart reviews and searches of patient databases to identify patients who might 42 See 65 Fed. Reg. 82461, 82816 (2000). 43 See 67 Fed. Reg. 53181, 53229 (2002). 44 See 45 C.F.R. Â§ 164.512(i)(1)(ii) (2006). 45 See 45 C.F.R. Â§ 164.512(ii) (2006).
APPLICATION TO HEALTH RESEARCH be eligible for and might benefit from a particular study. Sufficient patient enrollment in a timely fashion is essential to ensure the meaningfulness and reliability of the research results. However, confusion regarding what is per- mitted under this component of the Privacy Rule is widespread (SACHRP, 2004), and surveys and studies indicate that patient recruitment has become more difficult and costly under the varying interpretations of the Privacy Rule (see Chapter 5). HHS has issued multiple guidance statements on this topic, but these statements, some of which have been contradictory, have failed to eliminate confusion (reviewed by SACHRP, 2004). According to current HHS guid- ance on the Privacy Rule, researchers (both internal and external to a cov- ered entity) may conduct a review of medical records under the preparatory to research exception. However, only internal researchers (an employee or member of the covered entityâs workforce) may contact potential subjects about the possibility of enrolling in a study under this provision of the Privacy Rule. HHS guidance on the Privacy Rule indicates that external researchers are not allowed under the preparatory to research exception to record or remove contact information of patients from a covered entity. External researchers must get an IRB/Privacy Board approved waiver of authorization to perform any recruitment activities. This creates an arti- ficial distinction between internal and external researchers that actually provides less privacy protection than that afforded by the Common Rule, which requires that any activities preparatory to research involving human subjects, or related to initial recruitment of subjects for research studies, be reviewed and approved by an IRB (HHS, 2003). Thus, the Privacy Rule per- mits conduct that is prohibited by the Common Rule (Rothstein, 2005). IRBs historically have required all communications about an avail- able research study to come from the individualâs caregivers, not from an investigator unknown to the potential subjects (SACHRP, 2004). Moreover, research shows that patients prefer to be approached by their clinician or an associated nurse as opposed to a stranger (Damschroder et al., 2007; Kass et al., 2003; Robling et al., 2004; Westin, 2007; Willison et al., 2007), and HHS has reported that most allegations of violations of the Privacy Rule related to research come from patients upset at receiving recruitment calls from unknown researchers (Heide, 2007). According to the Secretaryâs Advisory Committee on Human Research Protections (SACHRP), âThe consequence of these confused and complex interpretations of research recruitment requirements has been to layer unnec- essary, and extremely burdensome, tasks onto human subjects research. It appears, for example, that in some institutions, boilerplate business associate contracts are being signed, and that template applications for partial waivers of authorization are being routinely granted, as methods of perfunctory compliance with these confusing Privacy Rule requirements. Another effect
BEYOND THE HIPAA PRIVACY RULE of the enormous confusion has been that other institutions are hesitant to permit many recruitment activities critical to the continuation of the research enterprise, out of fear that they are in some way misinterpreting the govern- mentâs current positions on research recruitment. SACHRP is very concerned that the bureaucratic complexities here undermine, rather than enhance, the attention that needs to be paid to the welfare and interests of subjects in the research recruitment processâ (SACHRP, 2004). The IOM committee believes that new guidance documents from HHS that clarify and simplify the rules for activities preparatory to research, and harmonize them with the Common Ruleâby requiring IRB/Privacy Board approval for all researchers (internal and external) prior to contact- ing potential subjectsâwould help to eliminate this confusion and facilitate ethical research that protects patient privacy. Research on Protected Health Information of Decedents The third situation where a covered entity is permitted to disclose PHI without authorization is for research using the PHI of decedents. Covered entities are not required to obtain authorization from the personal repre- sentative or next of kin to conduct research on a decedentâs PHI, nor are they required to receive a waiver of authorization. These provisions are similar to the Common Rule, which defines a âhuman subjectâ as a âliving individual.â46 However, the Privacy Rule does require that researchers make several representations, either in writing or orally, to the covered entity prior to the covered entity granting the researcher access to a decedentâs PHI. These representations include: â¢ The use or disclosure being sought is solely for research on the PHI of decedents â¢ The PHI is necessary for research â¢ The death of the individual is documented, if requested by the covered entity47 Apparently some covered entities interpret the Privacy Rule more con- servatively by requiring researchers to obtain authorization from next of kin, or a waiver of authorization from an IRB or Privacy Board, in order to access the PHI of decedents (Ness, 2007).48 46 See45 C.F.R. Â§ 102(f) (2005). 47 See45 C.F.R. Â§ 164.512(i)(1)(iii) (2006). 48 Personal communication, J. Bailey-Wilson, National Institutes of Health, National Human Genome Research Institute, April 29, 2007. Personal communication, Rachel Nosowsky, Miller, Canfield, Paddock and Stone, PLC, October 23, 2008.
APPLICATION TO HEALTH RESEARCH Deidentified Information Researchers can also access deidentified health information stored by covered entities without obtaining authorization, waiver of authorization, or IRB/Privacy Board approval. Deidentified information does not qualify as PHI, and therefore is not protected under the Privacy Ruleâit can be disclosed to researchers at any time (HHS, 2004c). The Privacy Rule offers two methods to deidentify personal health information. Under the statisti- cal method, a statistician or person with appropriate training verifies that enough identifiers have been removed that the risk of identification of the individual is very small. Under the âsafe harborâ method, data are consid- ered deidentified if the covered entity removes 18 specified personal identi- fiers from the data (Box 4-4).49 In the process of deidentifying information, the covered entity may assign a code to the deidentified information so that it may reidentify it, but the code may not be derived from information related to the individual (e.g., Social Security number). Furthermore, the covered entity may not disclose the key to the code to anyone else.50 These provisions of the Privacy Rule are based on the federal statistical agenciesâ policy of using statistical methods to assess and protect the confidentiality of individualsâ data they collect and release (Interagency Confidentiality and Data Access Group, 1999; Subcommittee on Disclosure Limitation Methodology, 1994). These provisions are more stringent than those of the Common Rule, leading to situations in which some coded data might be subject to the Privacy Rule, but not the Common Rule (Rothstein, 2005). The Common Rule does not apply to research if âthe identity of the subject is [not] or may [not] be readily ascertained by the investigator or associated with the information accessed by the researcherâ (see Chapter 3).51 In practice, this can mean that a covered entity may no longer routinely disclose for research data that have been anonymized according to the Common Rule (Pritts, 2008). This discrepancy between deidentification standards under the two rules can give rise to situations in which research with anonymized data that are exempt from IRB oversight under the Common Rule may still require a decision by an IRB or a Privacy Board to determine if a waiver of individualsâ authorization of disclosure for the use of their information for research purposes is appropriate under the Privacy Rule. But because IRBs have not had to review these protocols in the past, they may find it difficult to make appropriate decisions about waivers. The Privacy Rule restrictions put greater emphasis on the possibility that health data could be reidentified using publicly available databases. 49 See 45 C.F.R. Â§ 164.514(b) (2006). 50 See 45 C.F.R. Â§ 164.514(c) (2006). 51 See 45 C.F.R. Â§ 46.102(f) (2005).
BEYOND THE HIPAA PRIVACY RULE BOX 4-4 HIPAA âSafe Harborâ Deidentification Method The HIPAA âsafe harborâ method of deidentification requires that each of the following identifiers of the individual or of relatives, employers, or household members of the individual must be removed from medical record information in order for the records to be considered deidentified: 1. Names. 2. All geographical subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geocodes, except for the initial three digits of a ZIP Code, if according to the current publicly avail- able data from the Bureau of the Census: (1) the geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people is changed to 000. 3. All elements of dates (except year) for dates directly related to an individual (including birth date, admission date, discharge date, date of death) and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older. 4. Phone numbers. 5. Fax numbers. 6. Electronic mail addresses. 7. Social Security numbers. 8. Medical record numbers. 9. Health plan beneficiary numbers. 10. Account numbers. 11. Certificate/license numbers. 12. Vehicle identifiers and serial numbers, including license plate numbers. 13. Device identifiers and serial numbers. 14. Web Uniform Resource Locators. 15. Internet Protocol address numbers. 16. Biometric identifiers, including finger and voice prints. 17. Full-face photographic images and any comparable images. 18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data). SOURCE: 45 C.F.R. Â§ 164.514(b) (2006). Determining what information can be released without inappropriately compromising the privacy of the individual respondents is inherently a statistical issue (Fienberg, 2005) (see also discussion on privacy-preserving data mining and statistical disclosure limitation in Chapter 2). Record linkage technology has advanced rapidly in the past 10 years, and large
APPLICATION TO HEALTH RESEARCH public list searches are readily available for integration with âdeidentifiedâ data, making it easier to reidentify data than when the Common Rule was implemented (De Wolf et al., 2006; Pritts, 2008). For example, an academic exercise showed that it was possible to identify the names and addresses of 97 percent of the registered voters in Cambridge, Massachusetts, using the birth date and full postal code (Sweeney, 1997). In a nonacademic set- ting, New York Times reporters were also able to identify âanonymousâ AOL clients whose search habits had been posted on the web for research projects by linking their search history to other available data (Barbarq and Zeller, 2006). Studies indicate that even after removal of the 18 identifiers required under the safe harbor method of the Privacy Rule, recipients could reiden- tify individuals in a study dataset with a moderately high expectation of accuracy by applying only diagnosis and medication combinations (Clause et al., 2004). In short, even the Privacy Ruleâs deidentification standard may not be stringent enough to protect the anonymity of data in todayâs tech- nological environment (Pritts, 2008). However, strong security measures (as recommended in Chapter 2) and the implementation of legal sanctions against the unauthorized reidentification of deidentified data (as recom- mended in subsequent sections of this chapter) may be more effective in protecting privacy than more stringent deidentification standards. Limited Datasets Many researchers have argued that removal of all 18 data categories as required by the HIPAA Privacy Ruleâs deidentification standards can render the dataset unusable for many research projects (Casarett et al., 2005; HHS, 2002; Kulynych and Korn, 2002; SACHRP, 2004) (see also Chapter 5).52 For example, general areas of origin, residence, and work may be essential to epidemiological and other studies of topics such as disease incidence. Likewise, treatment dates are essential information for determining treat- ment effects, including adverse side effects. Concerns were also raised that deidentification would impede longitudinal studies, and subsequent research has indicated that information deidentified using the safe harbor method of removing all of the listed identifiers results in lost chronological spacing of episodes of care (Clause et al., 2004). Because of these concerns, some stakeholders urged HHS âto permit covered entities to disclose PHI for research if the protected information is facially deidentified, that is, stripped of direct identifiers, so long as the research entity provides assurances that it will not use or disclose the infor- mation for purposes other than research and will not identify or contact 52 See 67 Fed. Reg. 53181, 53232 (2002).
BEYOND THE HIPAA PRIVACY RULE the individuals who are subjects of the information.â53 Others were more specific and requested that the Privacy Rule be amended to allow the use of keyed-hash message authentication code (HMAC), asserting that this mechanism would be valuable for researchers because it allows the recipient to link clinical information about the individual from multiple entities over time. In direct response to these requests, HHS modified the Privacy Rule and created a category54 of partially deidentified data called the âlimited dataset,â which may be used and disclosed for research without obtaining individual authorization or IRB/Privacy Board approval.55 To qualify as a limited dataset, 16 of the more direct identifiersâ such as names, addresses, Social Security numbers, and medical telephone numbersâmust be removed from the data. However, the following ele- ments may be included in a limited dataset: city, state, ZIP Code, elements of date, and other numbers, characteristics, or codes not listed as direct identifiers in the regulation (including HMAC). A limited dataset may be created by a covered entity or the covered entity can enter into a business associate agreement with another party, including the intended recipient, to create the limited dataset on its behalf.56 To disclose a limited dataset for research without individual authori- zation, the covered entity must enter into a data use agreement with the recipient. These contracts specify the recipient of the limited dataset and require the recipient to agree to a number of conditions, including: â¢ Not to use or disclose the limited dataset other than as permitted by the agreement or as required by law â¢ To use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the data use agreement â¢ To report to the covered entity any use or disclosure of the infor- mation not provided for by the data use agreement of which the recipient becomes aware â¢ To ensure that any agents to whom the recipient provides the lim- ited dataset agree to the same restrictions and conditions as the original recipient â¢ Not to identify the information or contact the individuals whose records are included in the dataset57 53 See 67 Fed. Reg. 53181, 53234 (2002). 54 See 45 C.F.R. Â§ 164.514(e)(3)(i) (2006). 55 See 67 Fed. Reg. 53181, 53234 (2002). 56 See 45 C.F.R. Â§ 164.514(e)(3)(ii) (2006). 57 See 45 C.F.R. Â§ 164.514(e)(1) (2006).
APPLICATION TO HEALTH RESEARCH Although some researchers have indicated that the use of limited data- sets may be âenticingâ (Pace et al., 2005), there do not appear to be any studies about the use of limited datasets in the United States (Pritts, 2008). France reportedly uses the equivalent of limited datasets from numerous hospitals to conduct epidemiologic research (Berman, 2002), but the French health care system and legal environment are quite different than in the United States. In testimony at an Institute of Medicine workshop on the HIPAA Privacy Rule and health research, legal experts noted the shortcom- ings of the limited dataset (IOM, 2006). For example, in some health care settings, it can be challenging to identify an individual who will sign a data use agreement on behalf of the covered entity and thus manage the contract according to the perceived risk and obligation to monitor how that lim- ited dataset is used. At the other extreme, it was noted that some covered entities were signing data use agreements as a matter of course, and thus providing little meaningful privacy protection to the patient (IOM, 2006). Thus, the committee recommends that HHS encourage greater use of limited datasets and develop clear guidance on how to set up and comply with the associated data use agreements more efficiently and effectively. Linking Data from Multiple Sources A single database may not provide a complete picture of a patientâs con- dition or health history, so combining information from multiple sources is often necessary (IOM, 2000). HHS stated that one intent of the limited dataset provisions was to permit data to be used and disclosed in a coded manner such that the recipient of the data could link one personâs data longitudinally over multiple settings.58 However, linking data continues to be problematic for researchers under the HIPAA Privacy Rule (IOM, 2006; IPPC, 2008). The Privacy Rule addresses data aggregation only with respect to health care operations,59 not research. However, it is possible in prin- ciple under the Privacy Rule for a researcher to aggregate PHI from multiple covered entities with authorization or IRB/Privacy Board waiver of authorization. Obtaining individualsâ authorization for research that entails the review of thousands of medical records is unrealistic, though, and even with a waiver of authorization, covered entities with large datasets are often reluctant to allow researchers access to PHI, as noted above (see also Chapters 5 and 6). More commonly, data are provided to researchers with direct identifiers removed. But because datasets from multiple sources cannot be linked to generate a more complete record of 58 See 67 Fed. Reg. 53181, 53235 (2002). 59 See 45 C.F.R. Â§ 164.501 and 164.504(e)(2)(i) (2006).
BEYOND THE HIPAA PRIVACY RULE a patientâs health history without a unique identifier, such datasets often are of minimal value to researchers and are not frequently used. A third party may also collect PHI from covered entities and aggregate the data for research by establishing business associate agreements (BAs) with the various data sources, but in practice, BAs are used infrequently for this purpose (AcademyHealth, 2008). This approach is complicated and impractical to set up for individual research projects. Moreover, BAs can be established by covered entities to gain competitive advantage, rather than to collaborate in research. The committee believes that a better approach would be to establish secure, trusted, nonconflicted intermediaries that could develop a protocol, or key, for routinely linking data without direct identifiers from different sources and then provide more complete and useful deidentified datasets to researchers. One way this could be accomplished, for example, might be through data warehouses that are certified for the purpose of linking data from different sources (IOM, 2000). The organizations responsible for such linking would be required to use strong security measures and would main- tain the details about how this linkage was done, should another research team need to recreate the linked dataset. Using such intermediaries would increase patient privacy protections and allay concerns of covered entities, and thus would facilitate greater use of health data for research and also lead to more meaningful study results. CMS provides a similar service for Medicare and Medicaid data, via contractors who create standardized data files that are tailored for research (Box 4-5). The agency has begun pilot projects to aggregate Medicare claims data with data from commercial health plans and, in some cases, Medicaid, in order to calculate and report quality measures for physician groups. A broader effort to link data from diverse sources has been initiated by the Agency for Healthcare Research and Quality (AHRQ), called the National Health Data Stewardship Entity.60 AHRQ is also involved in implementing the Patient Safety and Quality Improvement Act of 2005, which encourages creation of Patient Safety Organizations to receive information from hos- pitals, doctors, and health care providers on a privileged and confidential basis, for analysis and aggregation.61 Although the purpose of the latter two initiatives is for monitoring health care quality, they could provide a model for data aggregation applicable to health research as well. The HIPAA administrative simplification provisions specifically pro- vided for the creation of a unique individual identifier, but work on this project has been halted because there is a great deal of controversy regard- ing how it could be implemented without comprising individual privacy. 60 National Health Data Stewardship: Request for Information, 72 Fed. Reg. 30803 (2007). 61 Patient Safety and Quality Improvement: Final Rule, 73 Fed. Reg. 70732 (2008).
APPLICATION TO HEALTH RESEARCH BOX 4-5 The Chronic Conditions Warehouse Section 723 of the Medicare Prescription Drug, Improvement, and Moderniza- tion Act of 2003 instructed the Secretary of the U.S. Department of Health and Human Services to make Medicare data more readily available to researchers studying chronic illness in the Medicare population, with the intent to help âidentify areas for improving the quality of care provided to chronically ill Medicare benefi- ciaries, [and] reduce program spending.â The Centers for Medicare & Medicaid Services (CMS) contracted with the Iowa Foundation for Medical Care to create the Chronic Conditions Warehouse (CCW) to implement the requirements of the Act. The Data: The CCW contains fee-for-services claims, enrollment/eligibility, and assessment data. Researchers can efficiently access data on 21 predefined chronic health conditions, such as diabetes, breast cancer, Alzheimerâs, and depression. Data files can also be extracted for other cohorts on request. Every data file includes a unique, encrypted CCW beneficiary identifier that allows the researcher to link a beneficiaryâs data across data sources and types within the CCW system. The Process: A researcher must submit to CMS a data release request that includes a research design and objectives, which are reviewed by a CMS Privacy Board to ensure that the project will assist CMS âin monitoring, managing, and improving the Medicare and Medicaid programs or the services provided to ben- eficiaries.â The Privacy Board is instructed to âbalance the potential risks to the beneficiary confidentiality with the probable benefits gained from the completed research,â as well as to consider the researchersâ demonstrated expertise and experience in conducting such a study. Once the request for data release is approved, the researcher must sign a CMS data use agreement that describes how the data can be used and how the data should be destroyed or returned to CMS at the conclusion of the study. If a researcher wishes to publish the study results, the manuscript must be submitted to CMS for review prior to publication to ensure that the privacy of all beneficiaries is maintained. SOURCES: CMS (2008); IFMC (2008). Federal agencies are also under pressure from the Office of Management and Budget to reduce the use of Social Security numbers as unique identi- fiers. But the development of some type of linking key (not based on Social Security numbers) would make linkages more efficient, standardized, and reliable and less costly. Moreover, this type of linkage could greatly facili- tate many types of information research, provide more extensive health histories and facilitate public health surveillance, and improve quality of care (HHS, 1998; Hillestad et al., 2008).
0 BEYOND THE HIPAA PRIVACY RULE Genetic Information and the Privacy Rule Research involving genetic information presents perhaps some of the most challenging areas for protecting the privacy of health information (Bregman-Eschet, 2006; Farmer and Godard, 2007; Greely, 2007; NBAC, 1999). With recent technological advances in biomedical research, it is now possible to learn a great deal about disease processes and individ- ual variations in treatment effectiveness or susceptibility to disease from genetic analyses because the DNA sequences comprising a personâs genome strongly influence a personâs health. New knowledge of the human genome, combined with advances in computing capabilities, are expected to help decipher the roles that genetics and the environment play in the origins of complex but common human diseases, such as cancer, heart disease, and diabetes. In this genomic age of health research, patient samples stored in biospecimen banks can provide a wealth of information for addressing long-standing questions about health and disease, and efforts are underway to create large genomic databases for that purpose (Adams, 2008; Greely, 2007; Lowrance, 2002; Lowrance and Collins, 2007). However, it is par- ticularly difficult to assess the potential harms to individuals who are the subjects of research in these rapidly advancing areas (NBAC, 1999; Pritts, 2008), and precedent does not appear to provide sufficient guidance in this relatively uncharted territory (Lowrance, 2002; Lowrance and Collins, 2007). Moreover, HHS has not issued clear guidance on how the Privacy Rule applies to DNA samples or sequences (IOM, 2005). HHS guidance documents indicate that tissue or blood itself is not protected under the Privacy Rule unless it contains or is associated with HIPAA identifiers (HHS, 2004b). HHS has further stated that the results of an analysis of blood or tissue, if containing or associated with personally identifiable information, would be PHI. However, the research community remains uncertain about whether genetic information accompanying bio- specimens is protected under the Privacy Rule because the list of identifiers includes âbiometric identifiersâ and âunique identifying characteristicsâ62 (NCVHS, 2004). The European Union, which has a more restrictive privacy regime than the United States, does not consider DNA in and of itself to be a direct identifier (DPWP, 2007). Genetic information does not itself identify an individual in the absence of other identifying information. However, in some circumstances, a personâs genetic code could be construed as a unique identifier in that it could be used to match a sequence in another biospeci- men bank or databank that does include identifiers (Lin et al., 2004; Malin and Sweeney, 2004). 62 See 45 C.F.R. Â§ 164.514 (2006).
APPLICATION TO HEALTH RESEARCH As genetic information becomes more prevalent in research and health care, the latter scenario is more likely to occur. For example, in January 2008, the NIH began requiring data from the Genome Wide Associa- tion Study63 to be submitted to a central databank in an anonymous and aggregated form. That database was publicly accessible until August 2008 when officials at NIH removed the database from the public Website, cit- ing concerns about patient confidentiality (Couzin, 2008; Zerhouni and Nabel, 2008). Those concerns stemmed from a study showing that a new type of DNA analysis could confirm the identity of an individual in a pool of similarly masked data if that personâs genetic profile was already known (Homer et al., 2008). NIH intends to move the aggregate genotype data to a secure, controlled-access database with policies for review and approval of data access requests (Zerhouni and Nabel, 2008). Also, as we enter the era of personalized medicine, genetic informa- tion is more likely to be included in a personâs health records. But at the same time, realization of the promises of personalized medicine will require research on DNA from a great many diverse individuals whose medical histories are well documented. Therefore, the committee believes that the establishment of consistent standards for use and protection of genetic information is important and advocates a focus on strong security measures. To facilitate appropriate use of DNA in health research, the committee recommends that HHS clarify the circumstances under which DNA samples or sequences are considered PHI. In addition, it recommends the adoption of strict prohibitions on the unauthorized reidentification of individuals by anyone from DNA sequences. Regardless of how genetic information is regulated under the HIPAA Privacy Rule, a federal prohibition of genetic discrimination is necessary to allay privacy concerns and diminish potential negative consequences of unintended disclosure of genetic information. Many people are concerned about genetic discriminationâthe misuse of genetic information by insur- ance companies, employers, and others to make decisions based on a personâs DNAâso it is important both to protect the privacy of genetic information and to protect people against such discrimination. The Genetic Information Nondiscrimination Act (GINA), recently signed into law, hope- fully will begin to address some of these concerns. Accounting of Research Disclosures The âaccounting of disclosuresâ provision of the HIPAA Privacy Rule gives individuals the right to receive a list of certain disclosures that a cov- ered entity has made of their PHI in the past 6 years, including disclosures 63 See http://www.genome.gov/20019523/.
BEYOND THE HIPAA PRIVACY RULE made for research purposes.64 The accounting of disclosures (AOD) must also include certain substantive information related to each disclosure, including the date of the disclosure, the identity of the person who received the information, a description of the information disclosed, and a statement of the purpose of the disclosure. The AOD requirement was intended âas a means for the individual to find out the nonroutine purposes for which his or her PHI was disclosed by the covered entity, so as to increase the individualâs awareness of persons or entities other than the individualâs health care provider or health plan in possession of this information.â65 This requirement does not actually protect privacy; it merely requires covered entities to record disclosures that have already happened. In addition, the AOD requirement does not constitute an audit trail, as there are numerous exceptions to the require- ment, including disclosures for health care operations, pursuant to an authorization, as part of a limited dataset, for national security or intelli- gence purposes, and to correctional institutions or law enforcement official. Therefore, AOD cannot provide individuals with some of the information they may want, such as a list of employees who looked at their medical record when they were in the hospital (AHIC, 2007; Pritts, 2008). Disclosures made for research purposes under a waiver of authoriza- tion, or for public health purposes as required by law, must be included in the AOD. In fact, HHS has noted that âmaking a set of records available for review by a third party constitutes a disclosure of the PHI in the entire set of records, regardless of whether the third party actually reviews any particular record.â The Privacy Rule has an exception for research involv- ing groups of 50 or more subjects, which allows the generation of a general list of all protocols for which a personâs PHI may have been disclosed, but even in that case, there is a considerable administrative obligation. Fur- thermore, in many medical facilities, that list is very extensive, and thus is relatively meaningless to a particular patient. This aspect of the Privacy Rule places a heavy administrative burden on health systems and health services research that achieves little in terms of protecting privacy. Moreover, HHS has not given covered entities any guidance on practical ways to fulfill this requirement in an efficient manner. Annual surveys of health care privacy officers undertaken by the American Health Information Management Association (AHIMA) since 2004 have found that many facilities report difficulties with the AOD requirement (AHIMA, 2006). Furthermore, the surveys have found that the demand for AOD is extremely low. Two-thirds of respondents reported receiving no requests at all. Nearly a third indicated that they would like to see a change 64 See 45 C.F.R. Â§ 164.528 (2006). 65 See 67 Fed. Reg. 53181, 53245 (2002).
APPLICATION TO HEALTH RESEARCH to the AOD provisionsâthe most frequently cited Privacy Rule provision among all respondents, and by far among those with more than 20,000 admissions/discharges per year. Based on these results, AHIMA concluded that âfor many, this provision is not only burdensome but also significantly inefficient.â The National Committee on Vital and Health Statistics (NCVHS), the Association of American Medical Colleges (AAMC), and SACHRP have all recommended changes to the AOD provisions (see Appendix A). Witnesses at the first public hearing held by the NCVHS Subcommittee on Privacy and Confidentiality, held in August 2001, suggested that covered entities were likely to refuse to share PHI because of the burden of the AOD provisions. NCVHS stated that it supported an individualâs right to an AOD, but sug- gested that HHS issue guidance to provide covered entities with ways to fulfill this requirement in a convenient and practical manner. To date, no efforts have been undertaken to identify organizations that have success- fully implemented the AOD requirement, or the practices that they have put in place (Pritts, 2008). Case reports gathered for AAMCâs database also indicated that this pro- vision is a tremendous burden to providers and researchers and has resulted in many covered entities refusing to make PHI available to researchers. AAMC recommended that the AOD requirement be eliminated for research, if IRB/Privacy Board approval is given, asserting that most AOD do not provide any meaningful information to the individual and that it would be better to investigate any questionable disclosures as they occur. SACHRP made a similar recommendation, stating that the Privacy Rule imposes sufficient privacy protections without applying this portion of the Privacy Rule to research. Indeed, SACHRP concluded that the cost and burden of compliance with AOD requirements was so high that institutions were likely to accept the risk of noncompliance rather than incur the cost of compliance. Noting that researchers must establish a certain standard of privacy protections before an IRB or a Privacy Board will grant a waiver of authorization, or before a covered entity will permit a researcher to access PHI preparatory to research, SACHRP recommended that covered entities should inform patients in the HIPAA âNotice of Privacy Practicesâ that their PHI may be used and disclosed for research purposes without their authorization if sufficient privacy safeguards are in place. The IOM com- mittee concurs, and recommends that HHS reform the requirements for the accounting of disclosures of protected health information for research. In the interest of transparency, institutions should maintain a list, accessible to the public, of all studies approved by an IRB or Privacy Board, in place of the AOD requirement. However, as the health care system moves toward broader implementation of electronic health records, automatic tracking of audit trails will be an important component to incorporate.
BEYOND THE HIPAA PRIVACY RULE ENFORCEMENT OF THE PRIVACY RULE The Privacy Rule sets out both civil and criminal penalties for covered entities that breach the Rule.66 The civil penalty provision allows a $100 fine per violation for disclosure made in error, with a maximum fine of up to $25,000 per year. The criminal penalties for persons who knowingly obtain or disclose personally identifiable information include fines of up to $50,000 and imprisonment for up to 1 year. If the crime is committed under false pretenses, the individual or organization faces fines up to $100,000 and 5 years of imprisonment. Penalties for the sale or use of PHI for commercial advantage, personal gain, or malicious harm are fines of up to $250,000 and 10 years of imprisonment. The Privacy Rule does not provide for a private right of action by patients or research participants.67 Thus, an individual whose privacy is violated under the Privacy Rule cannot sue the covered entity or individual who breached his or her privacy. Rather, an individual can file a claim with HHSâs Office for Civil Rights (OCR). OCR is in charge of enforcement and decides whether and when to pursue a regulatory investigation and penal- ties against a covered entity (Stevens, 2003). In addition, it is important to note that this does not prevent an individual from pursuing a private right of action under state law (Pritts, 2008). The Compliance and Enforcement regulations stress cooperative com- pliance over the imposition of penalties (reviewed by Pritts, 2008). The regulations specifically provide that the Secretary will, to the extent practi- cable, seek the cooperation of the covered entity in obtaining compliance.68 If an investigation indicates a failure to comply, the regulations provide that the Secretary will first attempt to resolve the matter by informal means.69 Such informal resolutions include demonstrating compliance, a completed corrective action plan, or a resolution agreement (HHS, 2007).70 Only if a covered entity does not take action to resolve the noncompliance will HHS contemplate imposing civil monetary penalties on the covered entity.71 66 See 45 C.F.R. part 160, subparts C and E (2006). 67 See, for example, Doe v. Bd. of Trustees of Univ. of Illinois, 429 F. Supp. 2d 930, 944 (N.D. Ill. 2006); Poli v. Mt. Valleyâs Health Ctrs., Inc., 2006 U.S. Dist. LEXIS 2559, No. 05-2015, 2006 WL 83378, at 13-14 (E.D. Cal. January 11, 2006); Haranzo v. Depât of Rehabilitative Servs., 2005 U.S. Dist. LEXIS 27302, No. 7:04-CV-00326, 2005 WL 3019240, at 4 (W.D. Va. November 10, 2005); Dominic J. v. Wyo. Valley West High Sch., 362 F. Supp. 2d 560, 573 (M.D. Pa. 2005); Univ. of Colo. Hosp. Auth. v. Denver Publ. Co., 340 F. Supp. 2d 1142 (D. Colo. 2004); OâDonnell v. Blue Cross Blue Shield of Wyo., 173 F. Supp. 2d 1176, 1179-80 (D. Wyo. 2001). 68 See 45 C.F.R. Â§160.304 (2006). 69 See 45 C.F.R. Â§160.312(a)(1) (2006). 70 Id. 71 Id.
APPLICATION TO HEALTH RESEARCH Also, a covered entity that is itself in compliance with the Privacy Rule will not be held liable for the actions of a business associate that breaches the terms of its business associate agreement. A covered entity that knows of a pattern of activity or practice of a business associate that constitutes a material breach of its contract must take reasonable steps to cure the breach or end the violation.72 If such efforts are unsuccessful, the covered entity must terminate the contract if feasible.73 If termination is not feasible, the covered entity must report the problem to the Secretary.74 So long as a covered entity complies with these procedures, it is not liable for the actions of its business associates and will not be assessed civil monetary penalties (HHS, 2006).75 Between April 2003 and March 2008, OCR received more than 33,000 complaints alleging violations of the Privacy Rule (Barr, 2008). Most of the complaints have been filed against health care providers, including physi- cian practices, general hospitals, pharmacies, and outpatient clinics, and largely deal with health information uses, disclosures, and safeguards. The number of complaints OCR has received that relate to research is unclear (NCVHS, 2005). In the majority of cases, OCR determined that the com- plaint did not present an eligible case for enforcement, either because OCR lacked jurisdiction, the complaint was untimely, or the activity did not violate the Privacy Rule. To date, there have been no civil penalties imposed against any cov- ered entity for breaching the Privacy Rule. Similarly, there have only been three criminal prosecutions under the Privacy Rule of individuals involved in medical identity theft (Rahman, 2006).76 In spite of this enforcement record, many covered entities remain hesitant to share health information due to concerns about liability (Pritts, 2008). In surveys, many providers and payors self-report that they are not in compliance with the Privacy Rule. In a recent survey by Phoenix Health Systems, 20 percent of providers and 13 percent of payors reported that they have had insufficient incentives to incur the cost of implementing all the requirements of the Privacy Rule. In the survey, none of the participat- ing providers was able to show that it had complied with every provision of the Privacy Rule. Payors only reported doing marginally better (Phoenix Health Systems, 2006). In surveys by AHIMA, about 40 percent of hospi- tals and health systems reported full compliance with HIPAA regulations, while about 15 percent believed they were less than 85 percent compliant (AHIMA, 2006). More than half the respondents indicated that resources 72 See 45 C.F.R. Â§ 164.504(e)(1)(ii) (2006). 73 Id. 74 Id. 75 See45 C.F.R. Â§ 160.402(b) (2006). 76 SeeU.S. v. Gibson, 2004 WL 2188280 (W.D. Wash. 2004) and U.S. v. Ramirez, Warrant, Criminal No. M-05-708, McAllen Division.
BEYOND THE HIPAA PRIVACY RULE were the most significant barrier to full privacy compliance, noting a par- ticular need to support education and training of new staff. RELATIONSHIP BETWEEN HIPAA AND OTHER LAWS Federal Research Statutes Several other federal statutes regulate research and affect the types of research projects that can be carried out in the United States. The federal regulations most relevant to health research are the Common Rule77 and the Food and Drug Administration (FDA) Protection of Human Subjects Regulations, which have similar origins and intent78 (see Chapter 3). Both the Common Rule and the FDA regulations are concerned primarily with the physical risks to humans associated with participation in a research study. Neither set of regulations provides detailed and prescriptive regula- tions for the protection of privacy (HHS, 2002). Nonetheless, there are numerous instances in which the Privacy Rule and the Common Rule diverge, as described above. General Federal Laws The Privacy Rule also often interacts with other federal laws. In the preamble to the Privacy Rule, HHS stated that there should be few instances where the Privacy Rule conflicts with existing statutes or regulations. Where potential conflicts do exist, HHS stated that an attempt should be made to resolve the conflict so that both laws apply. For example, if a statute or regulation permits the dissemination of PHI, but the Privacy Rule prohibits the use or disclosure of PHI without authorization, the covered entity is able to comply with both sets of laws. The entity could obtain HIPAA authorization prior to disseminating the information as permitted by the other law (HHS, 2000). The fact that a covered entity is permitted to use or disclose PHI âas required by lawâ under the Privacy Rule reduces a number of potential conflicts between the Privacy Rule and other federal rules.79 HHS pro- vided an example to explain this point. If a previous statute or regulation requires a specific use or disclosure of PHI that the Privacy Rule appears to prohibit, the section of the Privacy Rule that permits uses or disclosures âas required by lawâ would allow this disclosure to be made. Also, HHS specifically stated that if a statute or regulation prohibits a use or disclo- 77 See 45 C.F.R. part 46(a) (2005). 78 See 21 C.F.R. parts 50 and 56 (2008). 79 See 45 C.F.R. Â§ 164.512(a) (2006).
APPLICATION TO HEALTH RESEARCH sure of PHI that the Privacy Rule permits, the earlier, more specific statute applies (HHS, 2000). As a result, covered entities are often subject to both the Privacy Rule and other federal statutes and regulations simultaneously. In many situa- tions, researchers must comply with the Privacy Rule and the Common Rule or the FDA Protection of Human Subjects Regulations. Medicare providers must comply with the requirements of the Privacy Rule and the Privacy Act of 1974. Health care providers in schools, colleges, and uni- versities must comply with the Privacy Rule and the Family Educational Rights and Privacy Act. Substance abuse treatment facilities must comply with the Privacy Rule and the Substance Abuse Confidentiality provisions of the Public Health Service Act, Section 543 and its regulations. There are innumerable examples where the Privacy Rule and another federal statute both must be followed (HHS, 2000). State Laws Similar to the Privacy Ruleâs relationship to other federal statutes, the relationship between the Privacy Rule and state privacy laws is also com- plicated. In general, the Privacy Rule preempts contrary state laws relat- ing to the privacy of health information. Generally, this means that if it is impossible for a covered entity to comply with both the Privacy Rule and the state law in question, the Privacy Rule will be applied in the situation and the state law will be considered void.80 This general rule has three exceptions. First, any state law that is not contrary to the Privacy Rule is not preempted. If it is possible for a covered entity to comply with both the Privacy Rule and the state law simultane- ously, there is no preemption of the state law, and the covered entity must comply with both sets of privacy rules. Second, state laws that are contrary to the Privacy Rule, but provide more protection to the privacy of health information, are not preempted by the Privacy Rule. The Privacy Rule sets a national floor for the protection of PHI, not a national ceiling. More stringent means that the state law: (1) prohibits or restricts a use or disclosure in circumstances that would be permitted under HIPAA; (2) permits greater rights of access or amendment for the individual who is the subject of the PHI; (3) provides an individual with a greater amount of information regarding disclosure, rights, and rem- edies; (4) narrows the scope or duration of any legal permission to use PHI, or increases the privacy protections afforded to PHI; (5) provides for the retention or reporting of more detailed information for longer durations; 80 See 45 C.F.R. part 160, subpart B (2006).
BEYOND THE HIPAA PRIVACY RULE or (6) provides greater privacy protection for the individual with respect to any other matter. The third exception to the general preemption rule is in the public health arena. State laws that are contrary to the Privacy Ruleâbut provide for the reporting of disease or injury, child abuse, birth, or death, or for conducting public health surveillance, investigation, and interventionâare not preempted by the Privacy Rule. States are permitted to set their own rules regarding what type of information can be collected by public health agents and how that information is used (HHS, 2004c). Applying this preemption rule and determining what privacy laws must be followed in any given state can be a difficult task for covered entities. All states provide some protection for the privacy of health information. However, they differ greatly in what type of protection they provide, and thus, interact differently with the federal Privacy Rule. To successfully conduct a preemption analysis, a covered entity must become familiar with both the state laws and the Privacy Rule, interpret how the state and federal regulations interact with each other, and correctly determine the situations in which the Privacy Rule preempts state law. Many of the provisions in the Privacy Rule do not have directly corresponding provisions in state laws. This makes comparing the two sets of rules a technical and tedious task. One of the main impediments to a covered entity complying with the Privacy Rule is likely the lack of understanding of what the Privacy Rule actually requires in each state (Pritts, 2002). CONCLUSIONS AND RECOMMENDATIONS The HIPAA Privacy Rule was written to provide consistent standards in the United States for the use and disclosure of PHI by covered entities, including the use and disclosure of such information for research purposes. In its current state, however, the HIPAA Privacy Rule is difficult to reconcile with other federal regulations, including HHS regulations for the protec- tion of human subjects (the Common Rule), FDA regulations pertaining to human subjects,81 and other applicable federal or state laws. Inconsistencies, for example, in federal regulations and their inter- pretations governing the deidentification of personal health information, obtaining individualsâ consent for future research, and the recruitment of research volunteers make it challenging for health researchers seeking to comply with all these regulations to undertake important research activities. In addition, there is substantial variation in the way in which institutions interpret and apply the Privacy Rule (see also Chapter 5). Additional guidance from HHS, along with some changes in interpreta- 81 See 21 C.F.R. parts 50 and 56 (2008).
APPLICATION TO HEALTH RESEARCH tion by HHS, would reduce misunderstandings of the Privacy Rule provi- sions by covered entities, IRBs, and Privacy Boards and help to harmonize federal regulations governing health research, which would in turn reduce complexity for researchers and covered entities, and thereby help to ensure consistent and appropriate privacy protections for patients. Thus, HHS should develop revised and expanded guidance materials for the Privacy Rule. For example, HHS should develop guidance to clearly state that future research with repositories can go forward under the Privacy Rule with IRB/Privacy Board oversight. Many institutions create and maintain data- bases with patient health information as well as repositories with biological materials collected from patients, and use them for many types of health research, including studies to understand diseases or to compare patient outcomes following different treatments. Once created, these collections offer a cost-effective resource for rapidly addressing new research ques- tions as technologies and knowledge advance. Collecting the samples and data necessary to address each new research question as it arises could take years, or even decades, at great expense. Thus, the pace and efficiency of medical progress is significantly enhanced by using established resources whenever feasible. Under the Common Rule, it is permissible to obtain patient consent for future research, with IRB oversight, as long as such future uses are described in sufficient detail to allow an informed consent. However, the provisions of the Privacy Rule, as interpreted by HHS, have made it more difficult to effectively use these valuable resources for research. As a result, patients must be recontacted to obtain individual authorization for any additional studies undertaken with the data and samples collected unless the researchers obtain a waiver or alteration of authorization from an IRB or a Privacy Board. Recontacting patients for additional authorization is not only impractical, but even in those instances when it is possible, it can be intrusive and burdensome for patients and their families. The committee believes that authorization for future use of these databases and biospecimen banks should be appropriate for protecting pri- vacy as long as there is an IRB or a Privacy Board overseeing the research. Thus, HHS should eliminate the discordance between the Privacy Rule and the Common Rule through guidance explicitly stating that future research may go forward if the authorization describes the types or categories of research that may be conducted with the PHI stored in the biospecimen bank and if an IRB or a Privacy Board determines that the proposed new research is not incompatible with the initial consent and authorization, and poses no greater than minimal risk. Because science is evolving very quickly, one cannot adequately antici- pate what knowledge will be gained in the future, and significant opportu- nities for beneficial research could be lost without some alterations to the
0 BEYOND THE HIPAA PRIVACY RULE way in which this portion of the Privacy Rule is interpreted. Databanks and biospecimen banks created and maintained with federal funds in particular should be used for multiple studies as often as feasible, given the high cost of such activities and the high value of investigating and comparing mul- tiple scientific questions from the same pool of data. Additional guidance from HHS is also needed to clarify the circum- stances under which DNA samples or sequences are considered PHI. The research community remains uncertain about whether genetic information accompanying biospecimens is protected under HIPAA because the list of HIPAA identifiers includes âbiometric identifiersâ and âunique identifying characteristics.â82 Although genetic information does not itself identify an individual, a personâs genetic code could be construed as a unique identifier in that it could be used to match sequence in another biospecimen bank or databank that does include identifiers. As genetic information becomes more prevalent in research and health care, concerns regarding genetic privacy and discrimination are likely to intensify. Thus, the establishment of consistent standards for use and protection of genetic information is important. The committee advocates a focus on strong security measures, with the goal of realizing the full potential of personalized medicine. In addition, unauthorized reidentification of individuals from DNA sequences, by anyone, should be strictly prohibited. The committee also recommends that HHS issue guidance to clearly indicate that when researchers seek to store data and materials collected in conjunction with a clinical trial, a single authorization form with two sig- nature lines is permissible if the text clearly delineates the two activities and states that the participant is not required to sign the portion authorizing the contribution of PHI to the repository. Informed consent and authorization are essential for the protection of individuals who volunteer to participate in clinical trials. Thus, it is imperative that the informed consent and authorization documents are easily understood and meaningful to the indi- viduals involved. Ideally, all relevant information should be integrated into one simple document, but the HIPAA Privacy Ruleâs complex provisions have generated misperceptions about restrictions on individualsâ ability to provide compound authorization for the related activities of clinical trial participation and biospecimen donation, and some institutions require two complete authorization forms with all the attendant language rather than two signature lines on the same form. Such misperceptions can diminish the informed nature of consent and authorization because they can lead to patient confusion and misunderstanding. HHS should also simplify the procedures for the identification and recruitment of potential research participants and harmonize them with the 82 See 45 C.F.R. Â§ 164.514 (2006).
APPLICATION TO HEALTH RESEARCH Common Rule. The provisions regarding these activities that are prepara- tory to research are complex, confusing, and actually provide less privacy protection than the Common Rule. The committee believes that IRBs and Privacy Boards can protect research participants, including their privacy and confidentiality interests, and thus recommends that IRB/Privacy Board approval (as required under the Common Rule) should be required for all researchers (internal and external to the covered entity) prior to contact- ing potential subjects. When making a decision about whether to approve research projects, the IRB or Privacy Board should review and consider the investigatorâs plans for contacting patients, and also ensure that the information will be used only for research projects approved by the IRB or Privacy Board and not be disclosed to anyone else. HHS should also take steps to facilitate greater use of data with direct identifiers removed. Because the Privacy Rule and the Common Rule define personally identifiable information and deidentification differently, there is a discrepancy between what research is exempt from the Common Rule and what research is exempt from the Privacy Rule. This discrepancy can give rise to situations in which research with anonymized data that are exempt from IRB oversight under the Common Rule may still require a decision by an IRB or a Privacy Board to determine if a waiver of individualsâ authori- zation for the use of their information for research purposes is appropriate under the Privacy Rule. Also, there appears to be a great deal of confusion about how to meet conditions of data use agreements for limited datasets, which have been stripped of the 16 most direct identifiers and can be used and disclosed for research without obtaining individualsâ authorization or an IRB/Privacy Board waiver of authorization. HHS could help to ameliorate this situa- tion by issuing clear guidance on how to set up and comply with data use agreements more efficiently and effectively. New tools are also needed to facilitate important health research by allowing new hypotheses to be tested with existing data. One major chal- lenge of using data from which direct identifiers have been removed is that a patientâs health information is rarely stored in one single location, and data from multiple sources cannot be linked to generate a more complete record of a patientâs health history without a unique identifier. As a result, these datasets often are of minimal value to researchers and are not fre- quently used. A trusted intermediary that could link data from different sources and then provide more complete and useful deidentified datasets to researchers would facilitate the greater use of health data for research and lead to more meaningful study results while also increasing patient privacy protections and allaying concerns of covered entities. Thus, HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects
BEYOND THE HIPAA PRIVACY RULE privacy, confidentiality, and security. Similar efforts have been initiated by AHRQ for the purpose of monitoring health care quality. The committee also concluded that for some provisions of the Privacy Rule the burdens are heavy and the privacy protections are small. Recon- sideration of such provisions may be necessary if society is to derive maxi- mal benefits from health research. In particular, the required accounting of disclosures entails a heavy administrative burden on health systems and health services research that achieves little in terms of protecting privacy. The committee recommends that the Privacy Rule permit medical facilities to inform patients in advance that PHI might be used for health research (with IRB/Privacy Board oversight) or for public health purposes, and the Privacy Rule should be altered to exempt these activities from AOD requirements. Robust safeguards are already in place to protect the privacy of PHI disclosures in health research via IRBs and Privacy Boards. As the health care system moves toward broader implementation of electronic health records, however, automatic tracking of audit trails will be important to incorporate. Technology advances will likely make automatic AOD track- ing feasible, affordable, and widely available in the future. Until then, the committee recommends that disclosures of PHI made for health research and public health purposes be exempted from the HIPAA Privacy Ruleâs AOD requirement. However, in the interest of transparency, institutions should maintain a list, accessible to the public, of all studies approved by its IRB or Privacy Board. HHS should also simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study. If the current criteria for waiver of authorization are to be retained, a clear and reasonable definition of impracticability from HHS, along with specific case examples of what should or should not be consid- ered impracticable or of minimal risk, could reduce variability and overly conservative interpretations among IRBs and Privacy Boards. Case examples should help delineate what IRBs and Privacy Boards should do to facilitate research, rather than just defining what is permis- sible. For example, it is appropriate to allow use of registries, clinical data- bases, and biospecimen banks for justifiable scientific inquiries. HHS should clearly state that IRBs and Privacy Boards should not impede research that is permissible under the Privacy Rule without a compelling concern (for example, if participant solicitation plans are inappropriate or if the princi- pal investigator is unqualified). Simplification or clarification of the waiver criteria would be especially helpful for multi-institutional studies, which fall under the jurisdiction of multiple IRBs or Privacy Boards, and for smaller or community-based insti-
APPLICATION TO HEALTH RESEARCH tutions that do not have internal counsel or regulatory affairs specialists, and are thus more likely to opt out of research that requires decisions about authorizations. With better guidance, all covered entities would have more confidence in their decisions, and might be more willing to rely on a lead IRB/Privacy Board decision in the case of multi-institutional studies. REFERENCES AcademyHealth. 2008. PowerPoint presentation to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on AcademyHealth survey results. Adams, R. 2008. Progress vs. privacy. CQ Weekly May 26, 1404. AHIC (American Health Information Community). 2007. Confidentiality, privacy, and security workgroup, summary of the th web conference. http://18.104.22.168/healthit/ahic/ materials/summary/cpssum_100407.html (accessed August 27, 2008). AHIMA (American Health Information Management Association). 2006. The state of HIPAA privacy and security compliance. http://www.ahima.org/emerging_issues/ 2006StateofHIPAACompliance.pdf (accessed April 20, 2008). Barbarq, M., and T. Zeller, Jr. 2006. Confidentiality issues for data miners. Artificial Intel- ligence in Medicine 26:25â36. Barnes, M., and K. G. Heffernan. 2004. The âfuture usesâ dilemma: Secondary uses of data and materials by researchers and commercial research sponsors. Medical Research Law and Policy Report 3:440â452. Barr, S. 2008. HIPAA enforcement of Privacy Rule stresses voluntary compliance, HHS official says. BNA Privacy and Security Law Report 7(13):479. Berman, J. J. 2002. Confidentiality issues for data miners. Artificial Intelligence in Medicine 26(1):25â36. Bledsoe, M. 2004. HIPAA models for repositories. ISBER Newsletter: International Society for Biological and Environmental Repositories 4(1):1â4. Bregman-Eschet, Y. 2006. Genetic databases and biobanks: Who controls our genetic privacy? Santa Clara Computer & High Technology Law Journal 23:1. Casarett, D., J. Karlawish, E. Andrews, and A. Caplan. 2005. Bioethical issues in pharmaco- epidemiological research. In Pharmacoepidemiology, 4th ed., edited by B. L. Strom. West Sussex, England: John Wiley & Sons, Ltd. Pp. 417â432. Chaikind, H., J. Hearne, B. Lyke, and C. S. Redhead. 2005. CRS report for congress: The Health Insurance Portability and Accountability Act (HIPAA) of : Overview and guidance on frequently asked questions. http://www.law.umaryland.edu/marshall/ crsreports/crsdocuments/RL3163401242005.pdf (accessed August 27, 2005). Clause, S. L., D. M. Triller, C. P. H. Bornhorst, R. A. Hamilton, and L. E. Cosler. 2004. Con- forming to HIPAA regulations and compilation of research data. American Journal of Health-System Pharmacy 61(10):1025â1031. CMS (Centers for Medicare & Medicaid Services). 2005. Overview: Security standards. http:// www.cms.hhs.gov/SecurityStandard/ (accessed March 27, 2007). CMS. 2008. Criteria for review of requests for CMS research identifiable data. http://www. cms.hhs.gov/PrivProtectedData/02_Criteria.asp#TopOfPage (accessed April 23, 2008). Couzin, J. 2008. Whole-genome data not anonymous, challenging assumptions. Science 321:1278.
BEYOND THE HIPAA PRIVACY RULE Damschroder, L. J., J. L. Pritts, M. A. Neblo, R. J. Kalarickal, J. W. Creswell, and R. A. Hayward. 2007. Patients, privacy and trust: Patientsâ willingness to allow researchers to access their medical records. Social Science & Medicine 64(1):223â235. De Wolf, V. A., J. E. Sieber, P. M. Steel, and A. O. Zarate. 2006. Part II: HIPAA and disclosure risk issues. IRB: Ethics and Human Research 28(1):6â11. DPWP (Data Protection Working Party). 2007. Opinion /00 on the concept of personal data. http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf (accessed August 28, 2008). Farmer, Y., and B. Godard. 2007. Public health genomics (PHG): From scientific consider- ations to ethical integration. Genomics, Society and Policy 3:14â27. Fienberg, S. E. 2005. Confidentiality and disclosure limitation. Encyclopedia of Social Mea- surement 1:463â469. GAO (Government Accounting Office). 1999. Medical records privacy: Access needed for health research but oversight of privacy protections is limited. Washington, DC: GAO. Greely, H. 2007. The uneasy ethical and legal underpinnings of large-scale genomic biobanks. Annual Review of Genomics and Human Genetics 8:346. Hansson, M., J. Dillner, C. Bartram, J. Carlson, and G. Helgesson. 2006. Should donors be allowed to give broad consent to future biobank research? Lancet Oncology 7(3):266â269. Heide, C. 2007. PowerPoint presentation to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the HIPAA Privacy Rule & research: Update from HHS Office for Civil Rights. HHS (Department of Health and Human Services). 1998. White paper on unique identifiers. HHS. 2000. Standards for privacy of individually identifiable health information; Final Rule. Fed. Reg. . HHS. 2002. OCR guidance explaining significant aspects of the Privacy Rule. http://www.hhs. gov/ocr/hipaa/privacy.html (accessed August 27, 2008). HHS. 2003. Institutional review boards and the HIPAA Privacy Rule. http://privacyruleandresearch. nih.gov/pdf/IRB_Factsheet.pdf (accessed August 21, 2008). HHS. 2004a. Clinical research and the HIPAA Privacy Rule. http://privacyruleandresearch. nih/gov/pdf/clin_research.asp (accessed August 27, 2008). HHS. 2004b. Guidance on research involving coded private information or biological speci- mens. http://www.hhs.gov/ohrp/humansubjects/guidance/cdebiol.pdf (accessed August 21, 2008). HHS. 2004c. Protecting personal health information in research: Understanding the HIPAA Privacy Rule. http://privacyruleandresearch.nih.gov/pr_02.asp (accessed April 17, 2007). HHS. 2004d. Research repositories, databases, and the HIPAA Privacy Rule. http:// privacyruleandresearch.nih.gov/research_repositories.asp (accessed August 27, 2008). HHS. 2006. Frequently asked questions: Is a covered entity liable for, or required to moni- tor, the actions of its business associates? http://www.hhs.gov/hipaafaq/providers/ business/236.html (accessed August 27, 2008). HHS. 2007. How OCR enforces the HIPAA Privacy Rule. http://www.hhs.gov/ocr/privacy/ enforcement/hipaarule.html (accessed August 27, 2008). Hillestad, R., J. H. Bigelow, B. Chaudhry, P. Dreyer, M. D. Greenberg, R. C. Meili, M. S. Ridgely, J. Rothenberg, and R. Taylor. 2008. Identity crisis: An examination of the costs and benefits of a unique patient identifier for the U.S. health care system. RAND Corporation. Homer, N., S. Szelinger, M. Redman, D. Duggan, W. Tembe, J. Muehling, J. V. Pearson, D. A. Stephan, S. F. Nelson, and D. W. Craig. 2008. Resolving individuals contributing trace amounts of DNA to highly complex mixtures using high-density SNP genotyping microarrays. PLoS Genetics 4(8):e1000167. doi:10.1371/journal.pgen.1000167.
APPLICATION TO HEALTH RESEARCH IFMC (Iowa Foundation for Medical Care). 2008. Chronic condition data warehouse: User manual. Version 1.3. http://www.ccwdata.org/downloads/CCW%20User%20Manual. pdf (accessed August 27, 2008). Interagency Confidentiality and Data Access Group. 1999. Checklist on disclosure potential of proposed data releases. http://www.fcsm.gov/committees/cdac/checklist_799.doc (ac- cessed January 13, 2009). IOM (Institute of Medicine). 2000. Protecting data privacy in health services research. Wash- ington, DC: National Academy Press. IOM. 2005. Implications of genomics for public health: Workshop summary. Washington, DC: The National Academies Press. IOM. 2006. Effect of the HIPAA Privacy Rule on health research: Proceedings of a work- shop presented to the National Cancer Policy Forum. Washington, DC: The National Academies Press. IPPC (International Pharmaceutical Privacy Consortium). 2008. Comments to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the impact of the HIPAA Privacy Rule on pharmaceutical research. Kass, N. E., M. R. Natowicz, S. C. Hull, R. R. Faden, L. Plantinga, L. O. Gostin, and J. Slutsman. 2003. The use of medical records in research: What do patients want? Journal of Law, Medicine & Ethics 31:429â433. Kulynych, J., and D. Korn. 2002. The effect of the new federal medical-Privacy Rule on research. New England Journal of Medicine 346(3):201â204. Lin, Z., A. B. Owen, and R. B. Altman. 2004. Genomic research and human subject privacy. Science 305(5681):183. Lowrance, W. W. 2002. Learning from experience, privacy and the secondary use of data in health research. London: The Nuffield Trust. Lowrance, W. W., and F. S. Collins. 2007. Identifiability in genomic research. Science 317:600â602. Malin, B., and L. Sweeney. 2004. How (not) to protect genomic data privacy in a distributed network: Using trail re-identification to evaluate and design anonymity protection sys- tems. Journal of Biomedical Informatics 37:179â192. NBAC (National Bioethics Advisory Commission). 1999. Research involving human biological materials: Ethical issues and policy guidance, report and recommendations. Vol. 1. Rockville, MD: NBAC. NCVHS (National Committee on Vital and Health Statistics). 2004. Letter to Secretary Thompsonârecommendation on the effect of the Privacy Rule. http://ncvhs.hhs.gov/ 040305l2.htm (accessed August 27, 2008). NCVHS. 2005. Seventh annual report to congress on the implementation of the administra- tive simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA). http://ncvhs.hhs.gov/050908rpt.htm (accessed August 27, 2008). Ness, R. 2007. Influence on the HIPAA Privacy Rule on health research. JAMA 298(18): 2164â2170. Pace, W. D., E. W. Staton, and S. Holcomb. 2005. Practice-based research network studies in the age of HIPAA. Annals of Family Medicine 3(Supp. 1):S38âS45. Phoenix Health Systems. 2006. US healthcare industry HIPAA compliance survey results: Summer 00. http://www.hipaadvisory.com/action/surveynew/ (accessed April 5, 2007). Pritts, J. 2002. Testimony before the National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confidentiality: Implementation of the federal standards for privacy of individually identifiable health information. http://www.ncvhs.hhs.gov/ 021030p6.htm (accessed August 27, 2008).
BEYOND THE HIPAA PRIVACY RULE Pritts, J. 2008. The importance and value of protecting the privacy of health information: Roles of HIPAA Privacy Rule and the Common Rule in health research. http://www.iom. edu/CMS/3740/43729/53160.aspx (accessed March 15, 2008). Pritts, J., M. Neblo, L. Damschroder, and R. Hayward. 2008. Veteransâ views on balancing privacy and research in medicine: A deliberative democratic study. Michigan State Uni- versity Journal of Medicine and Law 12:17â31. Rahman, N. 2006. Medical: Reflections on privacy: Recent developments in HIPAA Privacy Rule. I/S: A Journal of Law and Policy for the Information Society 2(3):685. Redhead, C. S. 2001. CRS report for congress: Health information standards, privacy and security: HIPAAâs administrative simplification regulations. Washington, DC: Congres- sional Research Service. Robling, M. R., K. Hood, H. Houston, R. Pill, J. Fay, and H. M. Evans. 2004. Public attitudes towards the use of primary care patient record data in medical research without consent: A qualitative study. Journal of Medical Ethics 30:104â109. Rosati, K. 2008. PowerPoint presentation to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the chal- lenges with biorepositories, databases, and future research. Rothstein, M. A. 2005. Research privacy under HIPAA and the Common Rule. Journal of Law, Medicine & Ethics 33(1):154â159. SACHRP (Secretaryâs Advisory Committee on Human Research Protections). 2004. Letter to Secretary Thompson. http://www.hhs.gov/ohrp/sachrp/hipaalettertosecy090104.html (accessed August 27, 2008). Shalala, D. E. 1997. Confidentiality of individually-identifiable health information: Recom- mendations of the Secretary of Health and Human Services, pursuant to section of the Health Insurance Portability and Accountability Act of . http://aspe.hhs.gov/ admnsimp/pvcrec0.htm (accessed August 27, 2008). Stevens, G. M. 2000. CRS report for Congress: Summary of the proposed rule for the privacy of individually identifiable health information. Washington, DC: Congressional Research Service. Stevens, G. M. 2003. CRS report for Congress: Compliance with the HIPAA medical Privacy Rule. Washington, DC: Congressional Research Service. Subcommittee on Disclosure Limitation Methodology, Federal Committee on Statistical Methodology. 1994. Statistical policy working paper : Report on statistical disclosure limitation methodology. http://www.ciser.cornell.edu/NYCRDC/helpful_links/WP-22- OMB-totalreport.pdf (accessed January 13, 2009). Sweeney, L. 1997. Weaving technology and policy together to maintain confidentiality. Journal of Law, Medicine & Ethics 25:98â110. Tovino, S. A. 2004. The use and disclosure of protected health information for research under the HIPAA Privacy Rule: Unrealized patient autonomy and burdensome government regulation. South Dakota Law Review 49(3):447â502. U.S. Congress, House of Representatives, Committee of Conference. Health Insurance Porta- bility and Accountability Act of . 104th Cong., 2d Sess. July 31, 1996. U.S. Congress, House of Representatives, Committee on Ways and Means. Health Coverage Availability and Affordability Act of . 104th Cong., 2d Sess. March 25, 1996. Wendler, D. 2006. One-time general consent for research on biological samples: Is it compat- ible with the Health Insurance Portability and Accountability Act? Archives of Internal Medicine 166(14):1449â1452. Westin, A. 2007. How the public views privacy and health research. http://www.iom.edu/ Object.File/Master/48/528/%20Westin%20IOM%20Srvy%20Rept%2011-1107.pdf (accessed November 11, 2007).
APPLICATION TO HEALTH RESEARCH Willison, D. J., L. Schwartz, J. Abelson, C. Charles, M. Swinton, D. Northrup, and L. Thabane. 2007 (September 25â28). Alternatives to project-specific consent for access to personal information for health research. What do Canadians think? Paper presented at 29th International Conference of Data Protection and Privacy Commissioners, Montreal, Canada. Zerhouni, E. A., and E. G. Nabel. 2008. Protecting aggregate genomic data. Science 322:44.