EXISTING LAW
Three separate categories of US laws govern confidentiality issues in epidemiologic and outcomes research: the Federal Common Rule, the new federal medical privacy regulations promulgated under HIPAA, and the laws of various states.
As discussed more fully below, the Federal Common Rule[11] was designed to be a mechanism for protecting the interests of human subjects in federally funded or regulated research. Congress did not enact a law regulating research under its power to regulate matters affecting interstate commerce or even under its authority to safeguard the rights and liberties of individuals under the Constitution. Rather, the law is an expression of a federal policy not to spend federal money on research that is not consistent with certain social values. As a result, the applicability of the Common Rule, and the scope of authority of the administering agencies, is somewhat odd. It applies to
· research conducted by the 17 agencies that have adopted the rule;
· recipients of federal research grants as a condition of awarding the grant;
· research that is included in an application submitted to the Food and Drug Administration (FDA) for approval of a drug, biologic or certain devices and
· all research conducted in or by an employee of an institution that has filed an ‘assurance’ with the Department of Health and Human Services, whether or not a specific project is federally funded.
Thus, research conducted in private clinics or institutions that do not have federal grants or an assurance appears to fall outside the scope of the Common Rule, as does research conducted by commercial research organizations that will not be used in a regulatory submission, e.g. many epidemiologic and outcomes studies. But, because the records of interest in epidemiologic research often are those collected by institutions subject to the Common Rule, the would-be researcher faces a tremendous catch-22: the research is not subject to the regulation, and under the law, the researcher has no claim on the time or resources of an IRB for obtaining review of the project or waiver of consent. However, each of the multiple academic medical centres from which the researcher wishes to obtain data is subject to the rule and must have the proposal reviewed by its own IRB. For example, an epidemiologic researcher who wishes to analyze data from Johns Hopkins, Duke, M.D. Anderson and Stanford University Medical Centers will have the project reviewed by four separate IRBs, each of which must approve the project and waive individual consent for it to go forward. In reality, if the researcher is not affiliated with the institution, it may be very difficult to get the IRB to review the proposal without forming a collaborative relationship with someone affiliated with each institution who can get the project on the IRBs’ schedules, or confining one’s research to those institutions that already have such collaborative arrangements. Neither is particularly compatible with sampling considerations for epidemiologic research.
Moreover, it is not clear that legal – and organizational – responsibility for review of large, multisite epidemiologic studies appropriately should be delegated and diffused in this manner, rather than being assumed by the research entity that is accountable for use and security of the data.
The federal privacy regulations under HIPAA establish that ‘covered entities’ may not use or disclose ‘protected health information’ except as permitted by the privacy regulation.[12] The regulation defines ‘covered entities’ to include health care providers (e.g. doctors, hospitals, laboratories, pharmaceuticals and clinics), health plans and health care clearinghouses.[13] By requiring certain contractual terms in all covered entities’ contracts with vendors, suppliers and anyone else who may process or come into contact with protected health information in performing services for the covered entity, the regulation indirectly applies to business associates of covered entities as well.
Under the privacy regulation, only the following categories of uses and disclosures of protected health information are permitted:
· for purposes of treatment, payment and certain health operations related to the individual’s treatment or payment, with notice of these routine uses;[15]
· for purposes unrelated to treatment, payment or health operations, with the prior written authorization of the individual;
· for certain specific purposes enumerated in the regulation, including protecting the public health and conducting research under a waiver of authorization, provided that applicable conditions are met.[17]
In fact, the law expressly prohibits a covered entity from obtaining a blanket authorization for future research use of records of health care or health benefits; it also prohibits a covered entity from making the signing of any authorization a condition of treatment of the individual. Moreover, even with respect to permitted uses and disclosures, a covered entity may use or disclose only the minimum necessary information to accomplish the intended purpose. Unless every use or disclosure of information fits within one of these permitted categories, the provider or health plan would be exposed to potential civil and criminal penalties for supplying information to a researcher.
Many people have suggested that the regulation should not affect epidemiologic and outcomes research because it generally does not require access to ‘individually identifiable’ information. The statute says that ‘individually identifiable health information’ is any information, including demographic information collected from an individual, that (1) is created or received by a health care provider, health plan, employer or health care clearinghouse and (2) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual and (a) identifies the individual or (b) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.[20] Under the statute, information that does not fall within the category to be considered ‘individually identifiable’ is not subject to the statutory, or regulatory, requirements.
Congress, the US Department of Health and Human Services, privacy advocates, the research community and others have wrestled with the definition of what characteristics of data create a ‘reasonable basis to believe’ that it could be used to identify the individual. What would be a reasonable standard? On one extreme are researchers and public health advocates who might argue that all data should be considered exempt if the key ‘direct identifiers’ are removed. From this perspective, the importance of research using these data outweighs the low probability that these data might be used (or misused) to re-identify individual patients. On the other end of the spectrum are experts in database manipulation who advise that any database, even with the complete removal of identifiers, could potentially be overlain with other data sources and, through probability matching on certain information fields, could be used to re-identify some percentage of individuals. These assertions, together with the fears of some privacy advocates, have led some to conclude that even if the researcher has no interest in knowing the patients’ identities, no intent to link the files to other files for this purpose and establishes physical and procedural safeguards to make it difficult or impossible for employees to do so, the mere possibility that files could theoretically be linked to re-identify patients is a privacy risk to society that should not be permitted.
For its part, in implementing this definition, the Department of Health and Human Services seems to have listened to the database experts and created an extremely high standard for information to be considered as falling outside the category of individually identifiable health information. It specifically defined such information as ‘de-identified’. It chose to use statistical probability – as determined by a statistician – to establish the permissible practices that can be used to establish a ‘reasonable basis to believe’.
The agency’s approach is firmly grounded in the art and science of database manipulation. It does not ask whether a reasonable person looking at the data fields on an individual record could discern who the person is or how to contact him or her. The regulation does not take into consideration who will use the data, for what purpose or the security arrangements for protecting the data from being accessed by unauthorized individuals or from being used to identify individuals. Rather, it asks whether the data fields that appear in a data set also appear in databases that are generally available and which therefore could be used by someone who is attempting to identify data subjects. Examples of such generally available databases include state driver’s license data, voter registration lists, the telephone book, birth records, credit reports and so on. Because the construction and renting of databases of all kinds has been prevalent in US society, this approach to de-identification presents considerable challenges.
The regulation offers a ‘safe harbour’ method in which the covered entity must (1) have no actual knowledge that the information could be used alone or in combination with other information to identify participants and (2) remove all of the following from the data:
· names;
· all geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes (the initial three digits of zip codes may be used if the resulting geographical area contains more than 20 000 people or, for areas with less, the initial three digits of the zip code must be changed to 000);
· all elements of date (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death and all ages over 89 and all elements of dates indicative of such age, unless aggregated into a single category of age 90 or older;
· telephone and fax numbers;
· e-mail addresses;
· social security, medical record, health plan beneficiary and account numbers;
· certificate and license numbers;
· vehicle identifiers and serial numbers, including license plate numbers;
· device identifiers and serial numbers;
· web universal resource locators (URLs);
· Internet protocol (IP) address numbers;
· biometric identifiers, including finger and voice prints;
· full face photographic images and any comparable images and
· any other unique identifying number, characteristic or code.
Some of the data fields in the list, such as social security number, e-mail address, telephone number and the like, offer a fairly ready way to find out who a data subject is.[21] The other fields chosen for stripping appear to be a list of fields that a database expert would find to be useful for triangulating databases to zero in on identified cases. Removal of all the fields listed in the regulation is the only ‘safe harbour’ for any data to be outside the regulation’s prohibitions on use or disclosure.
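The safe-harbour stripping described above, as an added Python illustration that is not part of the original text or of the regulation: it drops the listed direct identifiers and sub-state geography from a flat record, keeps only the year of patient-related dates, generalizes the zip code to three digits or 000 using the 20 000-person threshold, and aggregates ages over 89 into a single 90+ category (dropping the birth year in that case, since it is a date element indicative of such age). The ZIP3 population table, the field names and the sample record are constructed for the example, not Census data or any project's schema.

```python
# Added illustration of the safe-harbour stripping, not code from the regulation
# or any project. ZIP3 population counts and the sample record are constructed.
from datetime import date

# Direct identifiers from the safe-harbour list; these fields are dropped outright.
# Sub-state geography other than ZIP is dropped too; ZIP is generalized below.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number",
    "certificate_number", "license_number", "vin", "license_plate",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

ZIP3_POPULATION = {"021": 650_000, "036": 17_000, "100": 1_600_000}  # constructed
ZIP3_POPULATION_THRESHOLD = 20_000  # more people than this: prefix may be kept


def generalize_zip(zip_code: str, populations=ZIP3_POPULATION) -> str:
    """Keep the first three digits only if the area exceeds the threshold;
    otherwise return 000. An unknown prefix is treated as a small area."""
    prefix = zip_code[:3]
    return prefix if populations.get(prefix, 0) > ZIP3_POPULATION_THRESHOLD else "000"


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into the single category 90+."""
    return "90+" if age >= 90 else str(age)


def safe_harbour(record: dict, populations=ZIP3_POPULATION) -> dict:
    """Copy of the record with identifiers removed, patient dates reduced to
    their year, ZIP generalized and age bucketed."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value, populations)
        elif isinstance(value, date):  # datetime is a subclass of date
            out[field + "_year"] = value.year
        elif field == "age":
            out["age"] = generalize_age(value)
        else:
            out[field] = value
    # Birth year is a date element indicative of age 90+, so it is dropped too.
    if out.get("age") == "90+":
        out.pop("birth_date_year", None)
    return out


# Constructed sample: a 91-year-old admitted from a sparsely populated ZIP3 area.
SAMPLE = {
    "name": "Example Patient", "mrn": "MRN-000123", "email": "p@example.invalid",
    "zip": "03601", "birth_date": date(1931, 5, 2),
    "admission_date": date(2000, 6, 3), "age": 91, "diagnosis": "I10",
}

if __name__ == "__main__":
    print(safe_harbour(SAMPLE))
```

Note that this only implements the field removals of item (2); the "no actual knowledge" condition of item (1) is a judgement about the recipient and the data, not something a transformation can establish.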
The only alternative to the safe harbour is for a statistician to find that the ‘risk is very small that the information could be used by an anticipated recipient to identify an individual who is the subject of the information’ (42 C.F.R. 164.514(a)(1)(i)). Under this ‘statistical’ method, a database can be considered ‘de-identified’
(a) if a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) documents the methods and results of the analysis that justify such determination.
As the rule is constructed, the inclusion of a patient-related date of any kind in a data set appears automatically to transform the data into protected health information. As a result, unless a statistician makes the risk finding, transmission of data including dates to anyone would be a technical violation of the regulation. Likewise, ‘county’ and ‘zip code’ are in the list of fields that are automatically considered to be ‘identifiers’ that must be removed for data to fit the de-identification ‘safe harbour’. In fact, unless each patient authorizes the disclosure or unless a statistician renders a risk opinion, an overly strict reading of the regulation would make the disclosure of a table of frequencies that includes any of the suspect fields a disclosure of protected health information, particularly if the cell sizes are modest. Unfortunately, responsibility for deciding whether data meet these criteria is placed on the physicians, hospitals and health plans that are subject to enforcement penalties if they wrongfully disclose protected health information. As a result, unless statisticians develop a robust new business of delivering opinions regarding the probability of re-identification of databases that include various dates, data that meet the de-identification safe harbour are virtually useless for sound and informative epidemiologic or outcomes research.
The privacy regulation prohibits covered entities from using or disclosing protected health information for research purposes without an individual’s written authorization or a waiver of authorization in accord with the regulation. The regulation explicitly provides that using information for research is not one of the activities that is permitted under the arrangements for using and disclosing information for treatment, payment and health care operations. ‘Authorization’ to use information for research is required – in addition to the requirements under the Federal Common Rule relating to ‘informed consent’ of the subject to participate in the research protocol – as discussed more fully below. Likewise, the criteria for waiver of authorization under the privacy regulation are different from and in addition to the criteria for waiver of informed consent under the Common Rule.
The privacy regulation specifies the required elements for a valid authorization. To be effective, an authorization must include, among other elements:
· a specific description of the information to be used or disclosed;
· specific identification of the person or entity with whom or to whom the covered entity may make the requested use or disclosure;
· an expiration date;
· a specific description of the purpose of the use or disclosure;
· an explanation of how the individual may revoke the authorization;
· a statement that the information disclosed may be subject to redisclosure by the researcher and no longer protected by the federal regulation and
· if the covered entity will receive either direct or indirect remuneration from a third party for making the disclosure, a statement to this effect.
The authorization must contain all the elements specified in the privacy regulation, as well as any disclosures or elements required by any applicable state law, unless an IRB or privacy board grants a waiver of authorization or of the form of authorization with respect to one or more elements in accord with the regulation’s waiver criteria.
In lieu of asking individuals to authorize the disclosure of their protected health information, the covered entity may seek waiver of the authorization requirement from an IRB established in accordance with the Common Rule or from a specially constituted privacy board. Either entity may grant a waiver of authorization if the research protocol meets the privacy regulation’s waiver criteria. These criteria resemble the Common Rule criteria for waiver of informed consent, discussed more fully below. However, the differences in type of risk and the findings, as well as the different purposes served by informed consent as opposed to the HIPAA authorization, have proved to be a significant source of confusion and administrative complexity for IRBs.
The medical privacy regulation became effective as of 14 April 2001. Because the regulation supplements but does not supersede the Common Rule, all data-only research that also is subject to the Common Rule must comply with requirements to have an IRB consider both a waiver of informed consent to participate in research and a waiver of authorization under the privacy regulation.
Under the Common Rule, deceased individuals are not considered ‘human subjects’.[28] Absent state laws or institutional policies to the contrary, research using the records of deceased persons does not require IRB approval or an IRB waiver of informed consent. The privacy regulation, in contrast, includes deceased persons as ‘individuals’, whose privacy is protected by the regulation. The regulation states that a covered entity can provide access to records of deceased individuals only if it obtains representations from the researcher that the information sought will be used only for research purposes and is necessary for these purposes.[29] In addition, the covered entity, at its discretion, may require the researcher to document the death of the individuals whose protected health information is sought. Alternatively, an IRB or privacy board could waive authorization with respect to deceased individuals under the regulation’s criteria for waiver.
In promulgating the final HIPAA medical privacy rule, the Secretary of Health and Human Services established an additional provision for data research using medical records in which ‘facially de-identified data’ could be made available for research and public health purposes under a data use agreement in which the researcher promises to protect the privacy of the data subjects and safeguard the data from use or disclosure for impermissible purposes.
When this proposed modification was announced, many in the research community applauded the possible revisions as achieving a more appropriate balancing of the public interest in research and public health with the public interest in protecting the privacy of data subjects. However, some expressed concern that even these arrangements for de-personalized, confidential use of facts compromise the privacy interests of the data subjects. In effect, the data use agreement binding the researcher was not believed to be adequate legal protection from the potential privacy risk that might result from a researcher’s violation of the provisions of the data use agreement.
As a result, the final regulation was a compromise: it is a hybrid of the protection provided by de-identification and the protection provided by the data use agreement binding the researcher not to use or disclose the data for purposes other than those specified in the agreement. Unfortunately, the regulation specifically prohibits the use of this mechanism for research if a medical device serial number is included in the record to be reviewed – even if the agreement prohibits the researcher from using or disclosing the serial number in a way that would identify individuals. Thus, although this approach holds promise as a foundation for workable privacy protections that permit bona fide research, the HIPAA framework and authority is too fragmented to provide the necessary legal foundation.