In the United States, federal or state laws do not protect or mandate the sharing of viral sequence data or virus samples—hence, any sharing of such data and samples is done voluntarily and without concerns about possible regulatory barriers. In contrast, there are federal and state laws protecting clinical and epidemiological data. This chapter addresses governance and regulatory considerations related to these data, both in the United States and globally.
U.S. federal law does not currently require the sharing of clinical and epidemiological data with federal agencies to fight the pandemic. This is a consequence of the United States being a federal system, with primary public health legal authority inherent to states’ police powers. Depending on the jurisdiction, state law may require certain specified entities—such as health care professionals and laboratories—to report certain diseases to public health agencies and may specify the form of the reports. While all states and territories regularly share aggregate data with the U.S. Centers for Disease Control and Prevention (CDC) for national public health surveillance purposes, sharing such data is voluntary and is typically limited to epidemiological data, not viral sequence data.
Consequently, absent a state law mandate, such sharing takes place voluntarily. Without funding to support the costs associated with gathering and preparing data to be disclosed to others (e.g., public health authorities and researchers), and without clear regulatory pathways and established infrastructure to support sharing, the sharing of data and biosamples is suboptimal. Additional potential barriers exist when obtaining or sharing information or biosamples from—and with—international sources.
Entities often cite privacy laws as a barrier to the sharing of data and biospecimens. However, as explained below, federal law expressly permits the sharing of data and biospecimens for public health and research purposes. Nevertheless, misconceptions and confusion about the law, hesitation to seek legal advice due to perceived or actual time or financial constraints, as well as general risk aversion, can create obstacles to sharing. Clear guidance on what federal law permits with respect to sharing, and examples of how sharing of data and biospecimens to fight coronavirus disease 2019 (COVID-19) in the United States is already occurring pursuant to these existing legal pathways can help eliminate those obstacles.
In addition to clarity, removing barriers to rapid and comprehensive sharing of clinical, epidemiological, and sequence data and biosamples will depend on national-level leadership and governance. This will likely require national-level leadership and planning to create supportive legal or strategic frameworks that instill principles of good governance, including accountability (clarifying authorities and responsibilities), transparency, equity, participation, and clear legal protections for individuals’ rights, including privacy and non-discrimination, and certainty as to their scope. This challenge is not only one faced by the United States. As COVID-19 has demonstrated, the rapid and comprehensive sharing of clinical, epidemiological, and sequence data is vital to global response.
The need for rapid and comprehensive viral sequence sharing may also serve as an opportunity for addressing barriers inherent in the federal system to data sharing. Given the national and interstate threat posed by a pandemic like COVID-19, there is an important rationale for shifting sharing from purely intrastate and voluntary to federal authorities, to interstate and federal data sharing, either through formalized voluntary agreements contingent on state consent (similar to arrangements in other federations), or through the U.S. Congress passing legislation that can be appropriately fixed under an enumerated federal head of power. Alternatively, this may be facilitated by terms of federal funding requirements for needed systems and infrastructure for data sharing or federal data sharing floor preemption laws, limited to the period during a public health emergency (explored in greater detail in the section on governance below).
The International Health Regulations (IHR, 2005) is a legally binding treaty that sets out countries’ obligations for preventing, detecting, and responding to international public health threats. Under the IHR, countries have the obligation to share with the World Health Organization (WHO) “timely, accurate, and sufficiently detailed public health information” including “case definitions, laboratory results, source and type of the risk, number of cases and deaths, [and] conditions affecting the spread of the disease” about potential public health emergencies of international concern (WHO, 2005). While not expressly required, in practice countries may interpret public health information to include viral genome sequences. At minimum, and as demonstrated in the first 2 weeks of January during the emergence of COVID-19, there is a normative expectation that countries share the genetic sequence of pathogens that may constitute a potential public health emergency of international concern (Rourke et al., 2020). The United States is a State Party to the IHR; however, it adopted a reservation that its obligations under the IHR are subject to the limitations of federalism, where obligations fall within state jurisdictions (Rourke et al., 2020). However, under international law this is unlikely to displace the federal government’s obligations under the IHR.
While the IHR do not currently contain an express obligation to share virus genome sequences, likely reforms of the IHR following the COVID-19 pandemic may serve as an opportunity for crystalizing potential obligations to share virus genome sequence data among countries and WHO (Rourke et al., 2020). In addition, ongoing negotiations in other international forums may have future implications for viral genome sharing, namely discussions at the Meeting of Parties for the Nagoya Protocol on Access to Genetic Resources and the Fair and Equitable Sharing of Benefits Arising from Their Utilization (2010).1 Researchers should be aware that more than 30 countries have implemented access and benefit-sharing legislation, which may include some countries’ requirements to obtain prior informed consent and negotiate mutually agreed terms for benefit sharing in exchange for access to pathogen samples, and may increasingly require similar arrangements for sequence data sharing (WHO, 2020).
Under the IHR, a country is required to keep confidential and process anonymously any information it collects or receives from another country or WHO, which refers to an identified or identifiable person, as required by national laws. The IHR permit countries to disclose and process personal data when it is essential for “assessing and managing” a public health risk, but countries must ensure that any personal data are processed fairly, lawfully, and consistently with a public health purpose; adequate, relevant, and not excessive; accurate; and not retained longer than necessary for the public health purpose. The IHR, including obligations to conduct surveillance, share information, and implement control measures, must also be implemented in a manner consistent with human rights, which indirectly include the right to privacy and non-discrimination.
While there is no federal obligation to share virus genome sequences, there is a range of perceived and actual legal barriers under U.S. domestic law regarding clinical and epidemiological data sharing. Clarifying the application of these laws and communication with potential stakeholders (including public health departments and researchers) should be a priority. Below, the committee examines two federal laws commonly cited as barriers to data sharing—the Health Insurance Portability and Accountability Act (HIPAA) and the Common Rule—and clarifies the scope of their application as it relates to viral sequence sharing.
The regulations under HIPAA apply to many of the sources of data identified in this report. For example, HIPAA “covered entities” include most physician practices, hospitals, clinics, clinical laboratories, pharmacies, and health plans (CMS, 2020).2 HIPAA also covers contractors to those covered entities (also known as “business associates”) who also may be potential sources of data identified in this report (HHS, 2020d). Examples of potential business associate sources of clinical and epidemiological data are electronic medical record vendors and health information exchanges.
The HIPAA Privacy Rule establishes rules for the use and disclosure of identifiable health information (known as protected health information [PHI]). (Of note: HIPAA does not govern biospecimens; however, HIPAA would cover any PHI associated with such biospecimens.) The HIPAA Security Rule requires that any digital PHI be stored and transmitted securely, among other security safeguards; the Privacy Rule calls for the adoption of reasonable safeguards to protect PHI not subject to the Security Rule (e.g., paper PHI).
Disclosures to Public Health Authorities
The rules expressly permit the disclosure of PHI—identifiable information—to public health authorities (or contractors working on their behalf), without the need to first obtain the consent or authorization of the data subject. Specifically, covered entities may use or disclose PHI to “public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability, including but not limited to, … the conduct of public health surveillance, public health investigations, and public health interventions.”3 When the public health authority is also a HIPAA-covered entity, the authority is expressly permitted to use PHI for the above purposes.4 Ordinarily, business associates may similarly disclose PHI to public health authorities if their contracts with covered entities (known as business associate agreements) permit them to do so; however, the U.S. Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) recently exercised enforcement discretion to enable business associates to disclose information related to COVID-19 for public health purposes notwithstanding conflicting or unclear terms in their business associate agreements (HHS, 2020c). This announcement from OCR led to a private-sector effort to facilitate the collection and reporting of COVID-19-relevant data to public health authorities by a type of business associate—health information exchanges (HIEs)—across the country (HIEs across the nation largely facilitate the exchange of clinical information among health care providers for treatment purposes) (McClellan and Mostashari, 2020).
2 Health Insurance Portability and Accountability Act of 1996, H.R. 3103, 110 Stat. 1936, 104 P.L. 191. 45 CFR § 160.103.
Uses and disclosures of PHI to public health authorities must meet the HIPAA Privacy Rule’s “minimum necessary” standard. Covered entities are required to make “reasonable efforts” to use, disclose, or request “only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request.”5 Covered entities must develop policies to define what constitutes the minimum necessary for routine disclosures, or requests for information; however, entities are permitted to reasonably rely on requests from public officials as meeting the minimum necessary standard. Consequently, if public health authorities request PHI for COVID-19 purposes, covered entities (or business associates) may disclose PHI consistent with those requests.
Although HIPAA expressly permits the disclosure of identifiable PHI to public health authorities, many entities still feel more comfortable disclosing information stripped of identifiers out of an abundance of caution (or potentially due to a misunderstanding of what HIPAA allows). The HIPAA Privacy Rule also permits the use and disclosure of a limited dataset, which is still PHI but has been rendered less identifiable by the removal of 16 common identifiers, for public health purposes.6 The recipient must enter into a data use agreement that establishes the permitted uses and disclosures of the information and prohibits re-identification or contact of individuals in the dataset. The committee heard testimony of one example of sharing of data for COVID-19 efforts using a HIPAA limited dataset.
3 Health Insurance Portability and Accountability Act of 1996, H.R. 3103, 110 Stat. 1936, 104 P.L. 191. 45 CFR § 164.512(b)(1).
4 Health Insurance Portability and Accountability Act of 1996, H.R. 3103, 110 Stat. 1936, 104 P.L. 191. 45 CFR § 164.512(b)(2).
5 Health Insurance Portability and Accountability Act of 1996, H.R. 3103, 110 Stat. 1936, 104 P.L. 191. 45 CFR § 164.502(b) and 164.514(d).
Data that have been “de-identified” in accordance with the HIPAA Privacy Rule are no longer covered by HIPAA and can be used and disclosed without limitation. As a result, entities often seek to meet the HIPAA de-identification standards prior to disclosing data, even to public health authorities. HIPAA establishes two methodologies for de-identifying PHI. The safe harbor methodology requires the removal of 18 categories of identifiers and no actual knowledge that the recipient of the data can re-identify it. The statistical or expert methodology requires someone with statistical expertise to determine that the dataset, in the hands of the intended recipient, is at very low risk of re-identification. De-identification per either methodology does not require execution of a data use agreement.
The committee heard testimony regarding the challenges of reliably linking data across multiple sources when the data are de-identified using the safe harbor methodology. Because the safe harbor requires the removal of fields that can be useful for linking data, this suggests that the disclosure of limited datasets, or identifiable PHI, may be more effective for sharing data to combat COVID-19. Also, data de-identified using the statistical or expert methodology may facilitate linking (Datavant, 2018).
Disclosures Required by Law
HIPAA also expressly permits PHI to be disclosed where such disclosure is required by another state or federal law.7 For example, if a state or locality were to enact an order mandating disclosure of information related to severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2), a covered entity (or business associate) could make such a disclosure to the extent consistent with such law. The minimum necessary standard does not apply to such disclosures;8 as a result, entities may disclose in accordance with legal mandates without needing to consider whether such disclosure meets the minimum necessary standard.
6 Health Insurance Portability and Accountability Act of 1996, H.R. 3103, 110 Stat. 1936, 104 P.L. 191. 45 CFR § 164.514(e).
7 Health Insurance Portability and Accountability Act of 1996, H.R. 3103, 110 Stat. 1936, 104 P.L. 191. 45 CFR § 164.512(a).
8 Health Insurance Portability and Accountability Act of 1996, H.R. 3103, 110 Stat. 1936, 104 P.L. 191. 45 CFR § 164.514(d).
Uses and Disclosures for Research
HIPAA permits PHI to be used or disclosed for “research” purposes.9 “Research” is defined as a “systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”10 Disclosures of PHI for research typically require prior authorization of the individual; however, this requirement can be waived or altered by a Privacy Board or an Institutional Review Board (IRB) if the following conditions are met:
- The use or disclosure of PHI involves no more than minimal risk to individual privacy;
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to and use of PHI.11
HIPAA also permits limited datasets (see above) to be used or disclosed for research purposes, as long as the researcher has executed the required data use agreement. Similarly, data de-identified per HIPAA’s standards can be used or disclosed for any purpose, including research. The same issues identified above regarding linking de-identified data across data sources could apply here as well.
Distinction Between Public Health and Research
Although HIPAA defines what constitutes a “research” use or disclosure, HIPAA does not define what constitutes a “public health” use or disclosure. This could cause obstacles due to confusion over which rules to follow in disclosing data related to COVID-19 and SARS-CoV-2. However, OCR, which has oversight over the HIPAA privacy and security regulations, has issued guidance making clear that any disclosures to public health authorities (which includes the National Institutes of Health)—whether for public health practice or for research purposes—would be permitted under the Privacy Rule provisions governing disclosures to public health authorities (HHS, 2020a). As a result, HIPAA’s research provisions would govern uses or disclosures of COVID-19-related data for analytics purposes when those disclosures are for “generalizable knowledge” and to entities other than public health authorities or contractors working on their behalf.
9 Health Insurance Portability and Accountability Act of 1996, H.R. 3103, 110 Stat. 1936, 104 P.L. 191. 45 CFR § 164.512(i).
10 Health Insurance Portability and Accountability Act of 1996, H.R. 3103, 110 Stat. 1936, 104 P.L. 191. 45 CFR § 164.501.
11 Health Insurance Portability and Accountability Act of 1996, H.R. 3103, 110 Stat. 1936, 104 P.L. 191. 45 CFR § 164.512(i)(2)(ii).
The federal rules governing research on human subjects—otherwise known as the Common Rule—apply to research using identifiable biospecimens and data.12 The Common Rule applies to federally funded human subjects research but also governs health care entities that receive federal funding for some research and have agreed to follow the Common Rule for all research on human subjects, regardless of funding source (HHS, 2020b).
The Common Rule applies only to research—defined similarly as that term is defined in HIPAA; it does not apply to uses and disclosures of data to public health authorities (or their contractors) for “public health surveillance.”13 Unlike with respect to HIPAA, the definition of “public health surveillance” is not interpreted to mean any activity conducted by a public health authority, including research activities. However, the definition of public health surveillance is quite broad and arguably supports the collection and analysis of data and biospecimens by public health authorities. Public health surveillance includes
The collection and testing of information or biospecimens, conducted, supported, requested, ordered, required, or authorized by a public health authority. Such activities are limited to those necessary to allow a public health authority to identify, monitor, assess, or investigate potential public health signals, onsets of disease outbreaks, or conditions of public health importance (including trends, signals, risk factors, patterns in diseases, or increases in injuries from using consumer products). Such activities include those associated with providing timely situational awareness and priority setting during the course of an event or crisis that threatens public health (including natural or man-made disasters).
To the extent it is necessary for data sources or recipients to distinguish between public health surveillance or practice and research for purposes of compliance with law, resources exist to help inform this distinction (Hodge and Gostin, 2004).
The Common Rule requires that research using identifiable biospecimens and data be approved by an IRB. In general, the Common Rule also requires prior informed consent for research uses of identifiable biospecimens and data—but the requirement can be waived or altered by an IRB using criteria similar (but not the same as) those for HIPAA:
- The research involves no more than minimal risk to the participants;
- The research could not practicably be carried out without the waiver or alteration;
- If the research involves identifiable information, the research could not practicably be carried out without the identifiable information;
- The waiver will not adversely affect the rights and welfare of the participants; and
- Whenever appropriate, the participants will be provided with additional pertinent information after participating.14
12 The Common Rule. 45 CFR § 46.
13 The Common Rule. 45 CFR § 46.102(1)(2).
Under the Common Rule certain types of secondary research uses of identifiable biospecimens and data are exempt from the requirements of the Common Rule (although an IRB determines whether the conditions for these exemptions have been met). Secondary research involves research on biospecimens or data that were originally collected or generated for a non-research purpose—such as for clinical purposes and/or for reporting to public health (the information collected to study SARS-CoV-2 is likely to all be secondary data, not generated solely for purposes of SARS-CoV-2 research). As a result, these exemptions may be particularly useful for conducting SARS-CoV-2 and COVID-19 research. For example, secondary research uses of identifiable information or biospecimens are exempt if:
The information (including information about biospecimens) is recorded by the investigator in such a manner that the identity of the human subjects cannot readily be ascertained directly or through identifiers linked to the subjects, the investigator does not contact the subjects, and the investigator will not re-identify the subjects.15
Also exempt is research using identifiable information that is governed by HIPAA (e.g., research conducted by a covered entity).16
The Common Rule was recently revised to include a new pair of exemptions that allow for the creation of research-ready databases of identifiable biospecimens and information under a broad consent; then subsequent research uses would need to be submitted for IRB review but would not require re-consent of the participants.17 The researcher must obtain a limited IRB determination that:
- The researcher has obtained broad consent meeting new Common Rule requirements;
- Such consent is documented (or the need for documentation is waived by the IRB); and
- If there is a change made in the way the identifiable information is stored and maintained, there are adequate measures taken to protect participants’ privacy and the confidentiality of the data.18
14 The Common Rule. 45 CFR § 46.117.
15 The Common Rule. 45 CFR § 46.111(4)(ii).
16 The Common Rule. 45 CFR § 46.111(4)(iii).
17 The Common Rule. 45 CFR § 46.111(7)–(8).
The broad consent for storing and maintaining identifiable information or biospecimens for secondary research must meet the following requirements:
- Provides a general description of the types of research that may be conducted with data or biospecimens from the participant (which must be sufficient that a reasonable person would expect the types of research to be conducted with the data);
- Describes the information or biospecimens that might be used in research, whether the information or biospecimens might be shared for research purposes, and the types of institutions or researchers who might conduct the research;
- Describes the period of time the database is to be maintained;
- Includes a statement that the participant will not be informed of the details of any specific research studies using his or her data or biospecimens, including purposes that he or she might not have chosen to consent to if he or she had the option to do so;
- Includes a statement that no clinically relevant research results will be shared with the participant unless it is certain that such results will always be shared;
- Includes a statement that participation in the database is voluntary and that there is no penalty or loss of benefits for refusal to participate (and that the individual can discontinue participation prospectively at any time);
- Includes disclosure of any reasonably foreseeable risks or discomforts, as well as disclosure of any benefits to the subject or others;
- Includes the extent to which confidentiality of records will be maintained; and
- Includes information about whom to contact with further questions or if the participant thinks he or she may have suffered a research-related injury.19
If identifiable biospecimens are collected, the broad consent must include the following (if appropriate):
- A statement that the participant’s biospecimens (even if identifiers are removed) may be used for commercial profit and whether the participant will or will not share in this profit; and
- Whether the research might include whole genome sequencing (i.e., sequencing of a human germline or somatic specimen with the intent to generate the genome or exome sequence of that specimen). Note that this requirement refers to the sequencing of human DNA, not the sequencing of viral genetic material.
18 The Common Rule. 45 CFR § 46.111(a)(8).
19 The Common Rule. 45 CFR § 46.116(d)(1).
Once these data are stored and maintained pursuant to the above exemption, subsequent research uses of that data are also exempt from the Common Rule, so long as an IRB, under limited review, determines that the research to be conducted is within the scope of the broad consent obtained for storage and maintenance (or approves a waiver or alteration of consent), and the investigator does not include return of research results in the study plan (although such individual results can be returned where required by law).20
Finally, data and biospecimens that are not identifiable—for example, where the identity of the participant cannot be readily ascertained—are not considered to be human subjects research under the Common Rule.21 The Common Rule did not adopt the HIPAA de-identification standards; consequently, there is often some question about when data and biospecimens are not considered to be subject to the Common Rule. Researchers will typically seek a determination from an IRB regarding whether research is not covered by the Common Rule. (Of note: the Common Rule calls for federal departments and agencies covered by the Common Rule to reexamine the meaning of identifiable information and identifiable biospecimens,22 but no additional guidance has been issued.)
20 The Common Rule. 45 CFR § 46.111(8).
21 The Common Rule. 45 CFR § 46.101–102.
22 The Common Rule. 45 CFR § 46.102(7).
Atypical Data Sources and State Law
ductive and sexual health data—information that may be less important to studying SARS-CoV-2 and COVID-19 (of note: federal law provides heightened privacy protections for identifiable substance abuse treatment information when maintained by federally supported substance abuse treatment programs), requiring informed consent prior to disclosure for most purposes.23 California’s new privacy law—the California Consumer Privacy Act24—covers a broad scope of information (not just particularly sensitive types of data); however, its applicability is limited to for-profit companies that meet certain thresholds for data collection or monetization (Gold and Hennessey, 2019; Wolf et al., 2019).
Sharing of data and viral genome sequences is crucial during a national public health emergency. There is a critical role for the federal government to play in coordinating and leading the sharing of such data between states and to the federal government. Given the interstate threat posed by a national public health emergency, this could serve as a moment to shift sharing from purely intrastate and voluntary to federal authorities, to interstate and federal sharing—through state consent and agreement (similar to arrangements in other federations like Australia and Canada) or if such an arrangement would appropriately fit under the scope of constitutionally granted federal authorities. An example potential trigger for this shift is the declaration of a federal public health emergency by the Secretary of HHS under 42 USC § 319, which waives certain other laws as the U.S. Congress determines to enable a national response to a public health emergency. These data-sharing and reporting processes should be clearly established and resourced as an urgent matter, and prior to an emergency. Without a clear and urgent public health rationale, changing reporting processes during an emergency should be avoided, and emergencies should not justify not complying with principles of good governance, including data transparency. Current examples include the release of goods from the national stockpile, permitting emergency use authorizations for medications, or waivers of Medicaid requirements. This would require the U.S. Congress to adopt legislation enabling this and could be an opportunity to provide a legislative framework, cognizant of states’ public health powers and the constitutional limits on the federal government’s law-making powers, that streamlines data sharing.
The sharing of viral sequence data and associated information should be guided by national-level leadership to create supportive legal or strategic frameworks that instill principles of good governance. This includes embedding clear accountability processes that clarify authorities and responsibilities; the principles of transparency, equity, and participation; and clear and certain legal protections for public health agencies, researchers, and individuals’ rights.
23 Confidentiality of Substance Use Disorder Patient Records. 42 CFR § 2.
RECOMMENDATION 3. The U.S. Department of Health and Human Services should establish an effective and sustainable science-driven leadership and governance structure for the use of SARS-CoV-2 genome sequences in addressing critical national public health and basic science issues, develop a national strategy, and ensure the funding needed for successful execution of the strategy.
- Leaders of this effort must have sufficient authorities and responsibilities to ensure that key issues are identified and prioritized, representative data are generated, and barriers to data sharing are diminished.
- A national strategy for SARS-CoV-2 genome sequences linked to clinical and epidemiological data should be developed that articulates goals, priorities, and a path for achieving them.
- A board with diverse relevant expertise should be established with broad authority to oversee and advise the national strategy for SARS-CoV-2 genome sequences linked to clinical and epidemiological data, and the delivery of actionable data for related investigations.
Although federal law permits the sources of data and biospecimens to disclose these materials to public health authorities, and to make them available for research—often without the need to obtain an individual’s consent—confusion about the law, and conservative interpretations due to fear of running afoul of the law, translate into genuine obstacles to sharing. This includes how shared data, or public health research findings from shared data, are managed, reported, and described. This is particularly relevant where such information may contribute to stigma or discrimination against individuals (such as when a case is the first identified in an outbreak) or groups of individuals (such as individuals from one geographic location or population group).
The committee heard testimony about the reluctance to collect “identifiable” data and biospecimens due to concerns about being responsible for stewarding such highly sensitive data. At the same time, the committee also heard testimony about the challenges of linking data across data silos due to lack of a universal patient identifier and because methods to de-identify data (e.g., the HIPAA safe harbor method) can impact data utility and also create obstacles to linkage. In a pandemic, when time is of the essence, uncertainty provides an unacceptable drag on our national response.
As noted above, federal law already provides HHS with authority to waive certain aspects of HIPAA when the Secretary of HHS declares a public health emergency (ASPR, 2019a). However, the HIPAA provisions that are permitted to be waived largely impact the delivery of clinical care; waiver of such provisions will not create more efficient reporting of data or sharing of biospecimens. In response to the limitations on its waiver authority, HHS has instead selectively issued enforcement discretion to facilitate greater data sharing to fight the pandemic; for example, OCR issued guidance to permit HIPAA business associates to share PHI with public health authorities, notwithstanding any conflicting terms in their business associate agreements (HHS, 2020c).
Detailed guidance from HHS—both with respect to the application of HIPAA and the Common Rule—has the potential to significantly improve sharing of data and biospecimens. Official communications from regulators can significantly reduce uncertainty about how such sharing can occur. Ideally, such guidance should be detailed, describing clear pathways for data and biospecimen sharing and providing illustrative examples, and be updated promptly over time to respond to new questions and concerns. In the absence of the U.S. Congress granting broader waiver authority to HHS, the department could use its enforcement discretion more broadly to cut through red tape to achieve greater sharing of clinical data and biospecimens to power the national response to threats posed by SARS-CoV-2 and COVID-19 in the short term—and to establish pathways that enable the sharing of biospecimens and data to combat the next national infectious disease threat. Such enforcement discretion should have a clear trigger—and an end point.
For example, upon a triggering event such as the declaration of a national public health emergency by the Secretary of HHS, sharing of a limited dataset of PHI with public health authorities or their designees, by covered entities or business associates, could be expressly deemed to be in compliance with the HIPAA Privacy Rule, either without the need for a data use agreement or upon execution of a single standard data use agreement provided by HHS, and without regard to contrary provisions in a business associate agreement. There needs to be a requirement that such disclosures be made securely, including by leveraging existing secure pathways for public health and clinical data reporting (e.g., HIEs and certified electronic medical records). To ensure that the data shared are sufficient (and to meet minimum necessary determinations), CDC could publish from time to time the minimum datasets to be shared—and OCR should deem these datasets to constitute “minimum necessary” for purposes of the Privacy Rule.
Similarly, the HHS Office for Human Research Protections could issue written guidance to confirm such reporting and disclosures of biospecimens or viral sequence data to public health authorities (or their designees) pursuant to a declared public health emergency to be not human subjects research (and thus not covered by the Common Rule). These are but two examples; HHS could work with SARS-CoV-2 experts to determine needed sharing pathways and issue guidance that facilitates such sharing.
Public health authorities (or contractors acting on their behalf) could subsequently make available de-identified (per HIPAA standards) data for the further conduct of research by public and private entities into SARS-CoV-2 and COVID-19. To enable such data to be linkable across data silos, HHS could work with the private sector to quickly disseminate best practices on linking data in privacy protective ways, such as through the use of one-way hashing techniques.
To assure that such data are handled in ways that can be trusted by the public, public health authorities should commit to abiding by applicable privacy, confidentiality, security, non-discrimination, and civil rights laws, and be transparent with the public about their data collection initiatives (while still being allowed to take advantage of the waiver of the Paperwork Reduction Act requirements that is frequently granted during national emergencies) (ASPR, 2019b). There is also an important opportunity to assess whether other existing federal laws insufficiently enable viral sequence sharing with a federal authority, and appropriate voluntary agreements between states and the federal government, federal funding requirements, or federal data sharing floor preemption laws, during a public health emergency.
ASPR (Office of the Assistant Secretary for Preparedness and Response). 2019a. 1135 waivers. https://www.phe.gov/Preparedness/legal/Pages/1135-waivers.aspx (accessed July 7, 2020).
ASPR. 2019b. Public health emergency declaration. https://www.phe.gov/Preparedness/legal/Pages/phedeclaration.aspx (accessed July 7, 2020).
CMS (Centers for Medicare & Medicaid Services). 2020. Are you a covered entity? https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity (accessed July 7, 2020).
Datavant. 2018. Overview of Datavant’s de-identification and linking technology for structured data. Datavant. https://datavant.com/wp-content/uploads/2018/05/Datavant_De-Identifying-and-Linking-Structured-Data-Whitepaper.pdf (accessed August 20, 2020).
Gold, K., and J. Hennessey. 2019. CCPA: What health care, biotech and life sciences companies should know now. https://iapp.org/news/a/ccpa-round-up-what-health-care-biotech-and-life-sciences-companies-should-know-now (accessed July 7, 2020).
HHS (U.S. Department of Health and Human Services). 2020a. Does the HIPAA Privacy Rule’s public health provision permit covered entities to disclose protected health information to authorities such as the National Institutes of Health (NIH)? https://www.hhs.gov/hipaa/for-professionals/faq/297/does-the-hipaa-public-health-provision-permit-covered-entities-to-disclose-information-to-authorities/index.html (accessed July 7, 2020).
HHS. 2020b. Human subject regulations decision charts. https://www.hhs.gov/ohrp/regulations-and-policy/decision-charts/index.html (accessed July 7, 2020).
HHS. 2020c. OCR announces notification of enforcement discretion to allow uses and disclosures of protected health information by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency. https://www.hhs.gov/about/news/2020/04/02/ocr-announces-notification-of-enforcement-discretion.html (accessed July 7, 2020).
HHS. 2020d. Summary of the HIPAA Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html (accessed July 7, 2020).
Hodge, J., and L. Gostin. 2004. Public health practice vs. research. Atlanta, GA: Council of State and Territorial Epidemiologists.
McClellan, M., and F. Mostashari. 2020. Data interoperability and exchange to support COVID-19 containment. Washington, DC: Duke-Margolis Center for Health Policy.
Rourke, M., M. Eccleston-Turner, A. Phelan, and L. Gostin. 2020. Policy opportunities to enhance sharing for pandemic research. Science 368(6492):716–718.
WHO (World Health Organization). 2005. International health regulations. Geneva, Switzerland: WHO Press.
WHO. 2020. Pandemic influenza preparedness (PIP) framework: Draft report on Decision WHA72 (12) 1(b). Geneva, Switzerland: World Health Organization.
Wolf, L., E. Brown, R. Kerr, G. Razick, G. Tanner, B. Duvall, S. Jones, J. Brackney, and T. Posada. 2019. The web of legal protections for participants in genomic research. Health Matrix: Journal of Law-Medicine. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3328892 (accessed July 27, 2020).