Click for next page ( 246


The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 245
6 A New Framework for Protecting Privacy in Health Research In the previous chapters of this report, the committee put forth several recommendations that aim to improve the Privacy Rule and associated guidance in order to ease the impact on health research while still protect- ing patient privacy. However, in the process of developing these recom- mendations, the committee recognized that the Privacy Rule’s research provisions have many serious limitations and concluded that a new, more uniform approach is needed to accomplish the dual challenge of protecting privacy while facilitating beneficial and responsible research. In this chap- ter, the committee recommends that the U.S. Department of Health and Human Services (HHS) exempt health research from the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and lays out the details of a bold and innovative framework for protecting privacy in health research. The overall purpose of this Institute of Medicine (IOM) study was to examine the effects of the HIPAA Privacy Rule on health research and to recommend improvements to the legislative and regulatory system accord- ingly. To achieve this task, the IOM convened a committee to include indi- viduals with a broad range of expertise and experience relevant to the stated goal of the project, including individuals with knowledge of the various fields of health research, privacy and human research protections, health law, health center administration, use and protection of electronic health information, and patient advocacy (see Chapter 1 for complete statement of task and the Front Matter for committee membership). The committee held a number of information-gathering meetings that were open to the public. During those meetings, the committee heard pre- 

OCR for page 245
 BEYOND THE HIPAA PRIVACY RULE sentations on privacy in research and public health; the use of information systems to protect privacy; the effect of the Privacy Rule on various research disciplines, including those that are exclusively information based, such as health services research; the Ontario health privacy law; harmonization of the Privacy Rule and the Common Rule (see Chapter 3); challenges associ- ated with the Privacy Rule’s regulation of biorepositories, databases, and future research; and the relationship between privacy and autonomy in health research. The committee also reviewed the information presented in an earlier IOM workshop on the same topic (IOM, 2006) and conducted an extensive review of the literature. Members of the public were permitted to submit relevant references and written comments on their experiences with the Privacy Rule’s regulation of research and to speak at the committee’s public meetings. In addition, because there was a paucity of quantitative and systematic data on the effect of the Privacy Rule on research, the com- mittee commissioned a number of large-scale, evidence-gathering projects to inform the committee’s deliberations (see Chapter 5 and Appendix B). After reviewing the available evidence, the committee concluded that a new framework for protecting privacy in health research is needed. The current system of regulating research and protecting privacy under the Privacy Rule is not working as well as it should to protect patient privacy in research, and as currently implemented, it impedes important research. The committee believes a different system could work better and provide improved privacy protections and stronger data security while also facilitat- ing beneficial and responsible research. In thinking about a new framework, the committee recognized that the goals of safeguarding privacy and enhancing health research are sometimes in tension. Stringent measures to safeguard privacy can make it harder to conduct high-quality research, and research itself can pose a threat to pri- vacy. Yet the committee believes that there is a synergy between the two, that facilitating both is desirable, and that it is possible to strengthen certain privacy protections while still facilitating important health research. For that reason, the committee’s intent in developing the new framework was to advance both privacy and health research interests to the greatest extent possible. The committee understands that the lines are not neat, the questions are complex, and the challenges are formidable. Nevertheless, the new framework aims to strengthen health research regulations and practices that effectively safeguard personally identifiable health information, and to facilitate data collection and use for beneficial and high-quality health research, with appropriate oversight, to advance knowledge about human health. This chapter reviews the major goals the committee agreed on during its deliberations and describes how they should be incorporated into a new regulatory system for health research and privacy. First, the chapter will

OCR for page 245
 A NEW FRAMEWORK FOR PROTECTING PRIVACY highlight the major problems with the Privacy Rule’s regulation of health research, as identified in the earlier chapters of the report. Second, the chapter will lay out the details of the new framework that the committee is recommending. Third, the committee will explain its rationale for develop- ing the proposed framework, address potential criticism of this model, and explain how the new framework avoids many of the problems associated with the Privacy Rule. REVIEW OF THE LIMITATIONS OF THE PRIVACY RULE In the earlier chapters of this report, the committee identified three overarching goals on which to ground the recommendations: (1) improve the privacy and data security of health information, (2) improve the effec- tiveness of health research, and (3) improve the application of privacy protections for health research (see Box 6-1). In the process of recommend- ing changes to the HIPAA Privacy Rule to achieve these three goals, the committee identified many serious problems with the current regulatory system. This section reviews the most serious problems with the Privacy Rule’s regulation of health research and protection of privacy in terms of these overarching goals. Improve the Privacy and Data Security of Health Information In the context of health research, the privacy goal entails the com- mitment to handle personal information of patients and research partici- pants in accordance with meaningful privacy protections. These protections should include strong security measures, disclosure of the purposes for which personally identifiable health information1 is used (transparency), and legally enforceable obligations to ensure information is secure and used appropriately (accountability). The Privacy Rule falls short of the privacy goal for health research in two important ways: (1) it overstates the ability of informed consent (authorization2) to protect privacy, and (2) it does not provide other meaningful methods of protecting privacy, such as effective security, accountability, and transparency. Overemphasis on Informed Consent The principle of autonomy currently dominates the ethical landscape for both medical care and clinical research in the United States and serves as 1 The term “personally identifiable health information” is used when discussing individual’s health data in a context independent of the HIPAA Privacy Rule or any other body of law. 2 In the Privacy Rule, the informed consent concept is referred to as “authorization.”

OCR for page 245
 BEYOND THE HIPAA PRIVACY RULE BOX 6-1 The Committee’s Three Overarching Goals Improve the Privacy and Data Security of Health Information In the context of health research, protection of privacy includes a commit- ment to handle personal information of patients and research participants with meaningful privacy protections, including strong security measures, transparency, and accountability. This commitment extends to everyone who collects, uses, or has access to personally identifiable health information of patients and research participants. Practices of security, transparency, and accountability take on extraordinary importance in the health research setting: Researchers and other data users should disclose clearly how and why personally identifiable health information is being collected, used, and secured, and should be subject to legally enforceable obligations to ensure that personal information is used appropriately and securely. In this manner, privacy protection will help to ensure research participant and public trust and confidence in medical research. Improve the Effectiveness of Health Research Research discoveries are central to achieving the goal of extending the quality of healthy lives. Research into causes of disease, methods for prevention, tech- niques for diagnosis, and new approaches to treatment has increased life expec- tancy, reduced infant mortality, limited the toll of infectious diseases, and improved outcomes for patients with heart disease, cancer, diabetes, and other chronic diseases. Patient-oriented clinical research that tests new ideas makes rapid medical and public health progress possible. Today the rate of discovery is accelerating, and we are at the precipice of a remarkable period of investigative promise made possible by new knowledge about the genetic underpinnings of disease. Genomic research is opening new possibilities for preventing illness and for developing safer, more effective medi- cal care that can be tailored for specific individuals. Further advances in relating genetic information to predispositions to disease and responses to treatments will require use of large amounts of existing health-related information and stored biological specimens. The increasing use of electronic medical records will fur- ther facilitate the generation of new knowledge through research and accelerate the pace of discovery. These efforts will require broad participation of patients in research to ensure that the results are valid and applicable to different segments of the population. Collaborative partnerships among communities of patients, their physicians, and teams of researchers to gain new scientific knowledge will bring tangible benefits for people in this country and around the world.

OCR for page 245
 A NEW FRAMEWORK FOR PROTECTING PRIVACY Improve the Application of Privacy Protections for Health Research The HIPAA Privacy Rule was written to provide consistent standards in the United States for the use and disclosure of protected health information (PHI) by covered entities, including the use and disclosure of such information for research purposes. In its current state, however, the HIPAA Privacy Rule is difficult to reconcile with other federal regulations, including U.S. Department of Health and Human Services (HHS) regulations for the protection of human subjects (the Common Rule), Food and Drug Administration regulations pertaining to human subjects, and other applicable federal or state laws. Inconsistencies, for example, in federal regulations governing the deidentifica- tion of personally identifiable health information, obtaining individuals’ consent for future research, and the recruitment of research volunteers make it challenging for health researchers seeking to comply with all these regulations to undertake important research activities. In addition, there is substantial variation in the way in which institutions interpret and apply the Privacy Rule. For example, the way in which Institutional Review Boards (IRBs) interpret the provisions when making deci- sions about authorization requirements varies across institutions, and often is quite conservative. Especially for multisite research and studies that are reviewed by both IRBs and Privacy Boards, the inconsistent interpretation and application of the Privacy Rule’s provisions pertaining to research can create barriers to research and even lead to the discontinuation of ongoing research studies. Adding yet another layer of complexity and variability for health researchers is a lack of clarity in the way the Privacy Rule applies to various types of health research or closely related health care practices. Moreover, there are significant gaps in who and what is covered by current federal research regulations. Whether a research activity is subject to the provisions of the Privacy Rule or the Common Rule depends on a number of factors, including the source of funding, the source of the data, and whether the researcher meets the definition of a covered entity. The situation in the United States is in stark contrast to the situation in most other countries, where uniform regulations apply to all research conducted in the country. The committee believes a new direction is needed, with a more uniform approach to patient protections, including privacy, in health research. Improved clarity, harmonization, and uniform application of regulations governing health research are needed to align the interests and understandings of the research community, the custodians of PHI, and other stakeholders, so that implementa- tion of the privacy protections in health research can be achieved with accept- ability by all.

OCR for page 245
0 BEYOND THE HIPAA PRIVACY RULE the justification for the doctrine of informed consent (i.e., authorization) in the Privacy Rule. Historically, informed consent was based on the idea that “every human being of adult years and sound mind has a right to determine what shall be done with his own body.”3 It was primarily considered a protection against physical harm, permitting informed, competent patients to refuse unwanted medical interventions, to choose among medically avail- able alternatives, and to make choices that conflict with the wishes of family members or the recommendations of physicians (Buchanan, 1999; Lo, in press). Under this system, a great deal of information-based health research was conducted using personally identifiable health records without the informed consent of the persons whose records were used. Several recent developments have brought attention to this practice, and have focused attention on the historical absence of patient autonomy in information-based research. First, the increased used of electronic health records has made it significantly easier for researchers to access large quan- tities of personally identifiable data. Second, the move towards personal- ized medicine, and the potential improvements to population health and health care that could be developed based on a better understanding of the determinants of health and illness, have increased researchers’ needs for personally identifiable health information. Under the Privacy Rule the concept of informed consent is extended beyond control of one’s body, to control of one’s health information in an attempt to address the historical lack of informational autonomy, and with the goal of protecting individuals against the nonphysical harm of unau- thorized uses or disclosures of their protected health information. However, consent (authorization) itself cannot achieve the separate aim of privacy protection. The Privacy Rule, as currently defined and operationalized in practice, does not provide effective privacy safeguards for information- based research because of an over-reliance on informed consent, rather than comprehensive privacy protections. The Limitations of Relying on Consent to Protect Privacy As has been described above, the protection of medical privacy in the data processing environment requires the adoption of comprehensive privacy protections, which establish a variety of obligations on entities that collect and use personal information. These obligations to safeguard privacy, such as security, transparency, and accountability, are independent of patient consent. In fact, preventing the secondary use of personal data is the only privacy obligation that consent can potentially address. However, 3 Statedby Justice Benjamin Cardozo in Schloendorff v. Society of New York Hospital, 105 N.E. 92 (N.Y. 1914).

OCR for page 245
 A NEW FRAMEWORK FOR PROTECTING PRIVACY informed consent has recently been put forward as an alternative to the adoption of comprehensive privacy protections, with the practical conse- quence that many privacy obligations are ignored (Allen, 2007; Rotenberg, 2001; Solove et al., 2006) (see the section on Other Federal Actions for examples of currently proposed bills). This section describes some of the major limitations of relying heavily on informed consent to protect infor- mational privacy, as is done in the HIPAA Privacy Rule, rather than requir- ing the implementation of a full range of privacy protections. With a primary focus on informed consent in privacy laws, many entities that hold personal health data may have insufficient incentives to implement comprehensive privacy protections. If compliance with con- sent requirements frees the data holders from further privacy obligations, some organizations and researchers may be less likely to invest in privacy- enhancing technologies or the infrastructure necessary to truly protect data. This emphasis also creates few reasons for organizations to make their activities transparent or to create institutional accountability (AHIC, 2008; Cate, 2008; CDT, 2008a,b; U.S. Congress, 2008a). In addition, although informed consent can allow patients to control whether their information is used for any secondary purposes, such as research, few patients are sufficiently informed to make educated decisions about how their data should be used (Schneider, 2006). Studies indicate that many consumers do not read the details of informed consent forms, which are often lengthy documents, and even when they do read the forms they often do not comprehend all the details (Cate, 2008). Two separate stud- ies have found that many consumers mistake the existence of any privacy policy for a guarantee that information will be strongly protected and with- held from outside persons, even if the consent says differently (Good et al., 2005; Turow et al., 2007). This difficulty is magnified by the fact that often patients are asked to give informed consent at a time when they are not in good health and are not motivated or lack the ability to make these kinds of complicated decisions (CDT, 2008b; U.S. Congress, 2008a). Relying heavily on informed consent rather than comprehensive privacy obligations may also lead to a shift from substantive privacy protections toward costly procedural requirements that actually provide consumers with few meaningful choices, especially if informed consent is required as a condition of obtaining services (Cate, 2008; Thomas and Walport, 2008). Data holders may offer blanket consents to shield themselves from liability without actually providing any substantial privacy protection. In these situations patients lack reasonable alternatives and are forced to relinquish control over how their health information is used (CDT, 2008a,b; Thomas and Walport, 2008; U.S. Congress, 2008a,b). In the case of medical records research, it is questionable as to whether a reliance on informed consent actually fosters patient confidentiality and

OCR for page 245
 BEYOND THE HIPAA PRIVACY RULE protection (AMS, 2006, 2008; Casarett et al., 2005; Thomas and Walport, 2008). For example, if individuals must be contacted each time their records may be used in a particular study in order to obtain informed consent, as the Privacy Rule requires, such contact could be considered intrusive and counter to the tenets of confidentiality. Also, a common methodological approach to studying disease is to compare people with a particular disease to people who do not have that disease—known as a case-control study. But people may become alarmed if they are asked to consent to their records being used in such a study on a particular disease (e.g., cancer) for which they have not been diagnosed (Casarett et al., 2005). Because of these limitations, the committee believes it is important to shift the focus in privacy protections toward a set of more comprehensive privacy obligations. This will ensure that health information privacy pro- tections are more robust and more likely to minimize the risks to personal privacy that result from the collection of personally identifiable health information. Failure to Incorporate Other Meaningful Privacy Protections Implementation of the Privacy Rule does not ensure that covered enti- ties or the research community will adopt a full range of measures to protect data; the security, transparency, and accountability provisions have proven ineffectual. As highlighted in Chapter 2, the HIPAA Security Rule does lay out a number of security requirements that covered entities must implement for protecting electronic protected health information. However, despite this regulation, there have been a number of highly publicized examples of data security breaches in health research, most often due to stolen or misplaced computers containing health data. A recent survey conducted by Campus Computing Project found that from 2006 to 2007, colleges of all types saw a 3.6 percent increase in the number of stolen computers with sensitive data. This problem was most prevalent at major research universi- ties (Foster, 2008). Also, a report from the Identity Theft Resource Center found that identity thefts are up 69 percent for the first half of 2008, com- pared to the same time period in 2007, and so the consequences of security breaches are more likely to lead to tangible harm than previously believed (ITRC, 2008). These facts suggest that holders of personally identifiable health data should be required to implement security safeguards beyond what is provided for under the current HIPAA Security Rule. In addition, as discussed in Chapter 4, it has been argued that the current interpretation of the Privacy Rule has not successfully resulted in accountability for misuses and unauthorized disclosures of protected health information. The regulation provides both civil and criminal penalties for covered entities that breach the Privacy Rule, but enforcement of the Pri-

OCR for page 245
 A NEW FRAMEWORK FOR PROTECTING PRIVACY vacy Rule has been criticized as inadequate. To date, there have been no civil penalties imposed against any covered entity and only three criminal prosecutions, despite the fact that between April 2003 and August 2008, more than 38,000 complaints were received by HHS regarding alleged violations of the Privacy Rule. HHS has not provided information on how many of these alleged violations are in the context of health research (HHS, 2008a; Rahman, 2006). On July 18, 2008, HHS required a monetary pay- ment to settle potential violations of the Privacy and Security Rules for the first time, signaling that HHS may start to take a more assertive approach to enforcement of the Privacy and Security Rules in the future (HHS, 2008b). This agreement was in response to the covered entity allowing backup tapes, optical disks, and laptops—containing unencrypted protected health information on 386,000 patients—to be stolen or lost. Finally, the accounting for disclosures provision of the Privacy Rule was intended to make covered entities’ actions open and transparent (discussed in Chapter 4). This provision gives individuals the right to receive a list of certain disclosures that a covered entity has made of their protected health information in the past 6 years, including disclosures made for research purposes.4 However, this requirement has numerous exceptions. Also, for research involving groups of 50 or more, covered entities are only required to produce a general list of all protocols for which a person’s protected health information may have been disclosed, but do not have to provide any more specific information. Therefore, the accounting for disclosures provision does not require covered entities to provide individuals with a clear description of how their health information is used, and does not provide individuals with the detailed information they may want (AHIC, 2007; Pritts, 2008). At the same time, survey data show that this provision is a considerable administrative obligation for covered entities, and is rarely requested by patients (AHIMA, 2006; see also Chapter 4). Improve the Effectiveness of Health Research The health research goal emphasizes the importance of research in extending high-quality, healthy lives, and in leading to improved methods for prevention, diagnosis, and treatment. Unfortunately, the available evi- dence indicates that the current interpretation and implementation of the Privacy Rule has had an unintended negative impact on health research. As discussed in Chapter 5, the Privacy Rule, as interpreted and implemented by covered entities, has: 4 See 45 C.F.R. § 164.528 (2006).

OCR for page 245
 BEYOND THE HIPAA PRIVACY RULE • Increased the cost and time needed to conduct a research project from start to finish • Made recruitment of research participants more difficult • Increased the likelihood of selection bias and made it more difficult to produce generalizable findings • Increased research participants’ confusion regarding their rights and protections • Led researchers to abandon important studies • Created new barriers to the use of patient specimens collected dur- ing clinical trials or treatment • Failed to create an effective way for researchers to conduct studies using data with direct identifiers removed These negative consequences are particularly problematic in light of recent trends in health care and research. Since the Privacy Rule was imple- mented, health data have assumed an even greater role in health research, and will become more essential as health care administration moves toward personalized medicine, in which preventive and therapeutic interventions are tailored to the individual characteristics of patients. Developing drug therapies and treatment protocols that focus on smaller and smaller subsets of the population based on genetic makeup or health history and envi- ronmental exposures requires access to more and more personal data to conduct effective health research. In addition, burgeoning health care costs and increasing limitations on expenditures by health care plans highlight the need for health services research to better determine which patients benefit from current approaches and which patients may even be harmed. If the current approach to privacy protection in research under the Privacy Rule continues unchanged, these advances will be burdened and potentially delayed, and opportunities for medical progress may be lost. Alternative models The challenges described above are causing some lead- ing scientists, legal experts, and privacy advocates to develop new para- digms for determining when personally identifiable health data, including biological samples, can be used for research. The recognition that a primary focus on consent is not always meaningful or protective of privacy, and that it impedes important information-based research, is gaining acknowledg- ment in the United Kingdom and in other countries in Europe, as well as the United States (AMS, 2006, 2008; Thomas and Walport, 2008). The committee reviewed several alternative models and took them into consid- eration in the development of the proposed new framework for protecting privacy in health research. • Reciprocity, Solidarity, and Mutuality Models. These models

OCR for page 245
 A NEW FRAMEWORK FOR PROTECTING PRIVACY seek to address the situation where there is no consent for future research uses (whether specified or unspecified). Proponents of the reciprocity model argue that by accepting the benefit of past medical research (which is intrinsic in the use of medical ser- vices), patients inherently agree to allow the use of their health information in future research for the common good (Knoppers and Chadwick, 2005; Liu, 2007). Critics of this approach argue that voluntary altruism by past research participants imposes no reciprocal obligation on the larger community (Jonas, 1991). Pro- ponents of the solidarity model similarly argue that individual ties to society and social relationships require individuals to partici- pate in research without informed consent for the common good (Chadwick and Berg, 2001). The mutuality model is based on the insurance industry’s concept of individuals entering a pool for sharing losses and known risks. In the research context, mutuality requires individuals to pool their health information for the benefit of all, rather than provide for discretionary control of individual information (Knoppers and Chadwick, 2005). • Harms-Based Model. The harms-based model seeks to narrowly tailor the restrictions that are applied to the use of personally identi- fiable health information based on the specific risks associated with unauthorized use of that information. There are two categories of potential harm commonly cited with respect to unauthorized uses of personally identifiable health information: (1) discrimination and stigmatization and (2) erosion of trust leading to compromises in health care (NCVHS, 2007). For example, such an approach would logically call for the adoption of nondiscrimination legislation and a requirement that entities with a legitimate need for personally identifiable health information secure the information against further unauthorized access. This would arguably address directly the risks of harm to the individuals involved when their personally identifiable health information is used for research, while recognizing the need for researchers’ access to information in order to achieve the public’s goals of improving individual and public health and advancing sci- entific knowledge. Improve the Application of Privacy Protections for Health Research The goal of improving the application of privacy protections for health research stresses the need for consistent standards for the use and disclosure of personally identifiable health information in health research. The extent of privacy protections should not depend on the holder of the personally identifiable health information, the source of the data, or what type of fund-

OCR for page 245
TABLE 6-2 Health Information Technology (HIT) Bills from the 110th Congress  Proposed Bill Main Purpose(s) Privacy Provisions Research Provisions Status Wired for Health To enhance the • Establishes an advisory body • Gives researchers access to In the Senate: Care Quality Act adoption of a to provide policy advice to the deidentified patient • Approved by the Health, (S 1693), nationwide, U.S. Department of Health enrollment data, Education, Labor and sponsored by interoperable health and Human Services (HHS) reimbursement claims, and Pensions Committee on Sens. Kennedy information on the protection of survey data maintained by 6/07 [D-NY] and Enzi technology (HIT) personally identifiable health HHS or its contractors • Sen. Kennedy filed a written [R-WY]; system, and to information, including ways • Also gives researchers report on 10/07 Promoting improve the quality to notify individuals if their access to deidentified data • Placed on the unanimous Health and reduce the costs information is wrongfully maintained by the federal consent calendar for a vote Information of health care disclosed government or government without debate or Technology (HR • Organizations competing for contractors where feasible possibility of amendment 3800), sponsored federal HIT grants must • In general, research is still by Rep. Eshoo protect the privacy and governed by the HIPAA In the House: Referred to the [D-CA] security of health information Privacy Rule Committee on Energy and and preserve an audit record Commerce • Expands the definition of “covered entity” under HIPAA to include operators of HIT systems

OCR for page 245
Independent To encourage the • Participation in an IHRT must • Researchers may only Referred to the House Health Record creation, use, and be voluntary access an individual’s health Committee on Energy and Trust Act of maintenance of • IHRTs must have privacy data stored in an IHRT Commerce, and to the 2007 (HR 2991), electronic health protection agreements, which when given express Committee on Ways and sponsored by records in govern the access and transfer informed consent, and Means Reps. Ryan [D- independent health of individuals’ data researchers may only access OH] and Moore records trusts • Requires express informed those portions of the record [D-KS] (IHRTs), and to consent before individuals’ as specified by the provide a secure and information can be disclosed participant privacy-protected • Gives IHRTs a fiduciary duty framework in which to act for the benefit and health records are interests of its participants; only made available penalties for breach include by the affirmative loss of certification, fines of consent of $50,000 or less, prison terms individuals of 5 years or less • Requires an audit trail to be maintained • Provides for individual notification of all breaches  continued

OCR for page 245
TABLE 6-2 Continued  Proposed Bill Main Purpose(s) Privacy Provisions Research Provisions Status TRUST in Health To ensure privacy, • Outlines specific requirements • Leaves the HIPAA Privacy Referred to the House Information Act security, and for maintaining a HIT system Rule in place for health Committees on Energy and of 2008 (HR confidentiality in the that is private, secure, and research Commerce, Ways and Means, 5442), sponsored creation of a confidential • Requires HHS to prepare a Education and Labor, and by Rep. Markey nationwide, • Provides consumers with Report to Congress on Financial Services [D-MA] interoperable health specific privacy rights whether informed consent information • Requires express informed should be required for the infrastructure, and consent before individuals’ use of personal health to provide for the information can be disclosed information in research, strong enforcement for most purposes and under what of these rights by • Creates an individual right of circumstances creating criminal action for knowing or • As soon as reasonably and civil penalties negligent violations of the Act possible, researchers who • Authorizes states’ attorney receives personal health generals to bring civil actions information must remove on behalf of residents or destroy information that would enable an individual to be identified, unless otherwise approved by an IRB • HHS will provide IRBs with periodic review and technical assistance

OCR for page 245
Health To ensure the • Creates the Office of Health • Leaves the HIPAA Privacy Read twice and referred to the Information privacy of health Information Privacy to Rule in place for health Senate Health, Education, Privacy and information, to establish privacy and security research Labor and Pensions Security Act (S promote the use of standards for HIT products • Requires HHS to prepare a Committee on 7/18/2007 1814), sponsored deidentified and to outline punishments Report to Congress on by Sens. Leahy information in for violations whether informed consent [D-VT] and health research, and • Provides consumers with should be required for the Kennedy [D-MA] to provide for the specific privacy rights use of personal health strong enforcement • Requires express informed information in research, of these rights by consent before individuals’ and under what creating criminal information can be disclosed circumstances and civil penalties for most purposes • As soon as reasonably • Creates an individual right of possible, researchers who action for knowing violations receive personal health of the Act information must remove or destroy information that would enable an individual to be identified, unless otherwise approved by an IRB • HHS will provide IRBs with periodic review and technical assistance  continued

OCR for page 245
TABLE 6-2 Continued  Proposed Bill Main Purpose(s) Privacy Provisions Research Provisions Status Health To encourage the • Provides for individual • Directs the Office of the Currently in draft form Information use of HIT, develop notification of all breaches National Coordinator of Technology Act technical standards, • Requires HHS to designate an Health Information (HR 6357), and improve the individual in each regional Technology to “facilitate sponsored by quality and reduce office to offer guidance and health research and health Reps. Dingell [D- the costs of health education to covered entities, care quality” MI], Barton [R- care business associates, and the • Directs HHS to issue TX], Pallone public on the rights and guidance on how to best [D-NJ], and Deal responsibilities related to PHI implement the [R-GA] • Encourages the use of limited deidentification standards datasets in the HIPAA Privacy Rule • Requires an audit trail to be maintained

OCR for page 245
 A NEW FRAMEWORK FOR PROTECTING PRIVACY Information Community to provide policy advice (AHIC, 2006; GAO, 2007; NCVHS, 2006). But privacy concerns are emerging as a primary obstacle to implement- ing a nationwide HIT system, with many privacy and consumer groups pushing for tighter privacy protections than offered under the Privacy Rule. In a 2006 poll, 62 percent of respondents stated that the use of electronic health records would pose new risks to privacy, and 42 percent answered that the privacy risks of HIT outweigh expected benefits (Harris Interactive, 2007). Another poll found that 80 percent of Americans say they are very concerned about identity theft or fraud in an HIT system (Markle Foun- dation, 2006). The Government Accountability Office recently released a report that legitimized these concerns and criticized HHS for failing to define an overall approach for protecting privacy in a nationwide HIT system (GAO, 2007). To address the privacy concerns, Congress has proposed a number of bills intended to advance the implementation of an HIT system and at the same time protect individual privacy11 (see Table 6-2). Several of these bills include new restrictions and rules governing researchers’ access to person- ally identifiable health information. It is unclear whether any of these bills will pass or what requirements a final law might include. However, because a nationwide HIT system has the potential to facilitate health research by making large amounts of health data available to study, and thus could lead to major advances in medicine, caution is warranted. Adoption of new, restrictive regulations might impede health research, to the detriment of patients and society. Therefore, a closer examination of some concepts that have been incorporated into these proposed bills, including autonomy and informed consent, is warranted. At the same time, it is clear there is a need to develop privacy safeguards that anticipate the risk of extensive electronic recordkeeping, as well as the growing problems of identity theft and security breaches. CONCLUSIONS AND RECOMMENDATIONS The primary justification for including research provisions in the HIPAA Privacy Rule was to remedy perceived shortcomings of federal privacy protections in health research under the Common Rule. But the Privacy Rule has numerous limitations of its own. In proposing the Privacy Rule, HHS acknowledged that, ideally, it would have preferred to regulate health researchers directly by extending the protections of the Common 11 A number of bills from the 110th Congress also address the implementation of HIT, but do not include comprehensive privacy or research provisions, including HR 1368, S 1408, and S 1455.

OCR for page 245
0 BEYOND THE HIPAA PRIVACY RULE Rule to research that is not federally supported and by imposing additional criteria for the waiver of patient informed consent for the use of person- ally identifiable health information in research.12 But HHS recognized it did not have the authority to do this. For that reason, HHS attempted to protect the health information released to researchers indirectly (but within the scope of its limited authority) by imposing restrictions on information disclosures by covered entities. NCVHS and others have noted the limita- tions of the Privacy Rule and have called for stronger protections of health privacy—notably, by expanding the purview of the Privacy Rule beyond the current covered entities. However, the IOM committee believes an even bolder change is needed. The number of studies using medical records to address important ques- tions about health and disease will likely increase with the growing avail- ability of electronic health records. As the volume and importance of digital personally identifiable health data increase exponentially, the public can be expected to heighten demands for a legal framework that provides meaningful safeguards to protect health information in the health research setting. Thus, the IOM committee recommends that Congress authorize HHS and other relevant federal agencies to develop a new framework for ensuring privacy that would apply uniformly to all health research and that will both protect individuals’ privacy and facilitate responsible and beneficial health research. When this new approach is implemented, HHS should exempt health research from the HIPAA Privacy Rule. The new approach would enhance privacy protections through improved data privacy and security, increased transparency of activities and policies, and greater accountability. The new approach should do all the following: • Apply to any person, institution, or organization conducting health research in the United States, regardless of the source of data or funding. • Entail clear, goal-oriented, rather than prescriptive, regulations. • Require researchers, institutions, and organizations that store health data to establish strong data security safeguards. • Make a clear distinction between the privacy considerations that apply to interventional research and research that is exclusively information based. 12 U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (1997), and Standards for Privacy of Individually Identifiable Health Information: Proposed Rule, 64 Fed. Reg. 59918, 59967 (1999) (for a discussion on the benefits of health records research).

OCR for page 245
 A NEW FRAMEWORK FOR PROTECTING PRIVACY • Facilitate greater use of data with direct identifiers removed in health research, and implement legal sanctions to prohibit unauthorized reidentification of information that has had direct identifiers removed. • Require ethical oversight of research when personally identifiable health information is used without informed consent. HHS should develop best practices for oversight that should consider: — Measures taken to protect the privacy, security, and confiden- tiality of the data; — Potential harms that could result from disclosure of the data; and — Potential public benefits of the research. • Certify institutions that have policies and practices in place to pro- tect data privacy and security in order to facilitate important large- scale information-based research for clearly defined and approved purposes, without individual consent. • Include federal oversight and enforcement to ensure regulatory compliance. A new approach to protecting the privacy of personally identifi- able information used in health research that emphasizes privacy, secu- rity, accountability, and transparency and that is applicable to all health research in the United States would eliminate the research community’s confusion, reduce institutional variability in research privacy practices, facilitate responsible research, and enhance the public’s trust in the research enterprise. Clear and simple regulations that are less subject to varying interpretation by ethical oversight boards, as well as federal oversight and enforcement of regulatory compliance, will be important to consistently and efficiently ensure privacy and instill trust while enabling important research. The new framework developed by HHS and other relevant federal agencies should provide strong and effective protection for often-sensitive personally identifiable health information and facilitate scientific discovery and medical innovation necessary to save lives and enhance the quality of the public’s health. And it should do so in a way that does not burden indi- viduals with a flurry of health privacy notices and consent forms, or burden our health care system with a new level of bureaucracy and expense. REFERENCES AHIC (American Health Information Community). 2006. Letter to Michael Leavitt. http:// www.ncvhs.hhs.gov/061030lt.pdf (accessed September 3, 2008).

OCR for page 245
 BEYOND THE HIPAA PRIVACY RULE AHIC. 2007. Confidentiality, privacy, and security workgroup, summary of the th web conference. http://137.187.25.8/healthit/ahic/materials/summary/cpssum_100407.html (accessed August 27, 2008). AHIC. 2008. Confidentiality, privacy & security workgroup draft recommendation letter from September , 00. http://www.hhs.gov/healthit/ahic/materials/08_08/cps/rec_letter. html (accessed September 19, 2008). AHIMA (American Health Information Management Association). 2006. The state of HIPAA privacy and security compliance. http://www.ahima.org/emerging_issues/ 2006StateofHIPAACompliance.pdf (accessed April 20, 2008). Allen, A. 2007. Allen’s privacy law and society. Eagan, MN: Thomson-West. AMS (Academy of Medical Sciences). 2006. Personal data for public good: Using health information in medical research. http://www.acmedsci.ac.uk/images/project/Personal.pdf (accessed August 28, 2008). AMS. 2008. Submission to data sharing review. http://www.acmedsci.ac.uk/download. php?file=/images/publication/120341733123.pdf (accessed September 4, 2008). Buchanan, A. 1999. An ethical framework for biological samples policy, National Bioethics Advisory Committee commissioned paper. In Research involving human biological mate- rials: Ethical issues and policy guidance. Vol. II. Washington, DC: National Bioethics Advisory Commission. Pp. B1–B31. Bush, G. W. 2004. Executive Order 13335.  Fed. Reg. 0. Casarett, D., J. Karlawish, E. Andrews, and A. Caplan. 2005. Bioethical issues in pharmaco- epidemiological research In Pharmacoepidemiology, 4th ed., edited by B. L. Strom. West Sussex, England: John Wiley & Sons, Ltd. Pp. 417–432. Cate, F. 2008 (unpublished). The autonomy trap. CDT (Center for Democracy & Technology). 2008a. Beyond consumer consent: Why we need a comprehensive approach to privacy in a networked world. http://www.cdt.org/ healthprivacy/20080221consentbrief.pdf (accessed September 4, 2008). CDT. 2008b. Comprehensive privacy and security: Critical for health information technology. Version 1.0. http://www.cdt.org/healthprivacy/20080514HPframe.pdf (accessed Septem- ber 4, 2008). Chadwick, R., and K. Berg. 2001. Solidarity and equity: New ethical frameworks for genetic databases. Nature 2:318–321. CIHR (Canadian Institutes of Health Research). 2005. CIHR best practices for protecting privacy in health research. Ottawa, Ontario: Public Works and Government Services Canada. Foster, A. L. 2008. Increase in stolen laptops endangers data security. The Chronicle of Higher Education July 4. GAO (Government Accountability Office). 2007. Health information technology: Early efforts initiated but comprehensive privacy approach needed for national strategy. Washington, DC: GAO. Good, N., R. Dhamija, J. Grossklags, D. Thaw, S. Aronowitz, D. Mulligan, and J. Konstan. 2005. Stopping spyware at the gate: A user study of privacy, notice and spyware. http://cups.cs.cmu.edu/soups/2005/2005proceedings/p43-good.pdf (accessed September 4, 2008). Gostin, L. O. 2001. Health information: Reconciling personal privacy with the public good of human health. Health Care Analysis 9:321. Harris Interactive. 2007. The benefits of electronic medical records sound good, but privacy could become a difficult issue. http://www.harrisinteractive.com/news/printerfriend/index. asp?NewsID=1174 (accessed April 3, 2007).

OCR for page 245
 A NEW FRAMEWORK FOR PROTECTING PRIVACY HEW (Department of Health, Education and Welfare). 1979. The Belmont Report: Ethical principles and guidelines for the protection of human subjects of research. http://ohsr. od.nih.gov/guidelines/belmont.html (accessed August 21, 2008). HHS. 2008a. Compliance and enforcement: Privacy Rule enforcement highlights. http://www. hhs.gov/ocr/privacy/enforcement/ (accessed July 23, 2008). HHS. 2008b. Resolution agreement. http://www.hhs.gov/ocr/privacy/enforcement/agreement. pdf (accessed October 3, 2008). IOM (Institute of Medicine). 1994. Health data in the information age: Use, disclosure, and privacy. Washington, DC: National Academy Press. IOM. 2006. Effect of the HIPAA Privacy Rule on health research: Proceedings of a work- shop presented to the National Cancer Policy Forum. Washington, DC: The National Academies Press. ITRC (Identity Theft Resource Center). 2008. Security breaches. http://www.idtheftcenter. org/artman2/publish/lib_survey/ITRC_2008_Breach_List_printer.shtml (accessed July 22, 2008). Jonas, H. 1991. Philosophical reflections on experimenting with human subjects. In Biomedi- cal ethics, edited by T. A. Mappes and J. S. Zembaty. New York: Oxford University Press. Pp. 215–219. Knoppers, B. M., and R. Chadwick. 2005. Human genetic research: Emerging trends in ethics. Nature Reviews Genetics 6:75–79. Kolata, G. 2007a. How data on cancer are collected and used. The New York Times, October 10. Kolata, G. 2007b. States and V.A. at odds on cancer data. The New York Times, October 10. Liu, E. T. 2007. The importance of research using personal information for scientific discovery and the reduction of disease, in personal information for biomedical research. Annex A. http://www.bioethics-singapore.org/uploadfile/20013%20PMPI%20Annex%20A-3.pdf (accessed September 4, 2008). Lo, B. 2009 (in press). Resolving ethical dilemmas: A guide for clinicians. 4th ed. Philadelphia, PA: Lippincott Williams & Wilkins. Markle Foundation. 2006. Survey finds Americans want electronic personal health informa- tion to improve own health care. http://www.markle.org/downloadable_assets/research_ doc_120706.pdf (accessed September 4, 2008). NCVHS (National Committee on Vital and Health Statistics). 2006. Functional requirements needed for the initial definition of a nationwide health information network. http://www. ncvhs.hhs.gov/061030lt.pdf (accessed September 4, 2008). NCVHS. 2007. Enhanced protections for uses of health data: A stewardship framework for “secondary uses” of electronically collected and transmitted health data. http://ncvhs.hhs. gov/071221lt.pdf (accessed December 19, 2007). Nosowsky, R., and T. Giordano. 2006. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule: Implications for clinical research. Annual Review of Medicine 57:575–590. Pritts, J. 2008. The importance and value of protecting the privacy of health information: Roles of HIPAA Privacy Rule and the Common Rule in health research. http://www.iom. edu/CMS/3740/43729/53160.aspx (accessed March 15, 2008). Rahman, N. 2006. Medical: Reflections on privacy: Recent developments in HIPAA Privacy Rule. I/S: A Journal of Law and Policy for the Information Society 2(3):685. Rotenberg, M. 2001. Fair information practices and the architecture of privacy: (what Larry doesn’t get). Stanford Technology Law Review 1. http://stlr.stanford.edu/STLR/ Articles/01_STLR_1 (accessed November 6, 2008).

OCR for page 245
284 BEYOND THE HIPAA PRIVACY RULE Rothstein, M. A. 2005. Research privacy under HIPAA and the Common Rule. Journal of Law, Medicine & Ethics 33(1):154–159. Schneider, C. E. 2006. After autonomy. Wake Forest Law Review 41(2):411–444. Solove, D. J., M. Rotenberg, and P. M. Schwartz. 2006. Information privacy law. 2nd ed. New York: Aspen Publishers. Tait, A. R., T. Voepel-Lewis, A. Robinson, and S. Malviya. 2002. Priorities for disclosure of the elements of informed consent for research: A comparison between parents and investigators. Paediatric Anaesthesia 12:332–336. Thomas, R., and M. Walport. 2008. Data sharing review report. http://www.justice.gov.uk/ docs/data-sharing-review.pdf (accessed September 4, 2008). Turow, J., D. K. Mulligan, and C. J. Hoofnagle. 2007. Consumers fundamentally misunderstand the online advertising marketplace. http://groups.ischool.berkeley.edu/samuelsonclinic/ files/annenberg_samuelson_advertising.pdf (accessed September 4, 2008). U.S. Congress, House of Representatives, Energy and Commerce Committee. 2008a. Discus- sion draft of health information technology and privacy legislation. Statement of Deven cGraw, Director, Health Privacy Project, Center for Democracy & Technology. June 4. M U.S. Congress, House of Representatives, Energy and Commerce Committee. 2008b. Discus- sion Draft of Health Information Technology and Privacy Legislation. Statement of Byron Thames, AARP Board of Directors. June 4.