NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.

Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009.


6 A New Framework for Protecting Privacy in Health Research

In the previous chapters of this report, the committee put forth several recommendations that aim to improve the Privacy Rule and associated guidance in order to ease the impact on health research while still protecting patient privacy. However, in the process of developing these recommendations, the committee recognized that the Privacy Rule’s research provisions have many serious limitations and concluded that a new, more uniform approach is needed to accomplish the dual challenge of protecting privacy while facilitating beneficial and responsible research. In this chapter, the committee recommends that the U.S. Department of Health and Human Services (HHS) exempt health research from the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and lays out the details of a bold and innovative framework for protecting privacy in health research.

The overall purpose of this Institute of Medicine (IOM) study was to examine the effects of the HIPAA Privacy Rule on health research and to recommend improvements to the legislative and regulatory system accordingly. To achieve this task, the IOM convened a committee to include individuals with a broad range of expertise and experience relevant to the stated goal of the project, including individuals with knowledge of the various fields of health research, privacy and human research protections, health law, health center administration, use and protection of electronic health information, and patient advocacy (see Chapter 1 for complete statement of task and the Front Matter for committee membership).

The committee held a number of information-gathering meetings that were open to the public. During those meetings, the committee heard presentations on privacy in research and public health; the use of information systems to protect privacy; the effect of the Privacy Rule on various research disciplines, including those that are exclusively information based, such as health services research; the Ontario health privacy law; harmonization of the Privacy Rule and the Common Rule (see Chapter 3); challenges associated with the Privacy Rule’s regulation of biorepositories, databases, and future research; and the relationship between privacy and autonomy in health research. The committee also reviewed the information presented in an earlier IOM workshop on the same topic (IOM, 2006) and conducted an extensive review of the literature. Members of the public were permitted to submit relevant references and written comments on their experiences with the Privacy Rule’s regulation of research and to speak at the committee’s public meetings. In addition, because there was a paucity of quantitative and systematic data on the effect of the Privacy Rule on research, the committee commissioned a number of large-scale, evidence-gathering projects to inform the committee’s deliberations (see Chapter 5 and Appendix B).

After reviewing the available evidence, the committee concluded that a new framework for protecting privacy in health research is needed. The current system of regulating research and protecting privacy under the Privacy Rule is not working as well as it should to protect patient privacy in research, and as currently implemented, it impedes important research. The committee believes a different system could work better and provide improved privacy protections and stronger data security while also facilitating beneficial and responsible research.

In thinking about a new framework, the committee recognized that the goals of safeguarding privacy and enhancing health research are sometimes in tension. Stringent measures to safeguard privacy can make it harder to conduct high-quality research, and research itself can pose a threat to privacy. Yet the committee believes that there is a synergy between the two, that facilitating both is desirable, and that it is possible to strengthen certain privacy protections while still facilitating important health research.

For that reason, the committee’s intent in developing the new framework was to advance both privacy and health research interests to the greatest extent possible. The committee understands that the lines are not neat, the questions are complex, and the challenges are formidable. Nevertheless, the new framework aims to strengthen health research regulations and practices that effectively safeguard personally identifiable health information, and to facilitate data collection and use for beneficial and high-quality health research, with appropriate oversight, to advance knowledge about human health.

This chapter reviews the major goals the committee agreed on during its deliberations and describes how they should be incorporated into a new regulatory system for health research and privacy. First, the chapter will highlight the major problems with the Privacy Rule’s regulation of health research, as identified in the earlier chapters of the report. Second, the chapter will lay out the details of the new framework that the committee is recommending. Third, the committee will explain its rationale for developing the proposed framework, address potential criticism of this model, and explain how the new framework avoids many of the problems associated with the Privacy Rule.

REVIEW OF THE LIMITATIONS OF THE PRIVACY RULE

In the earlier chapters of this report, the committee identified three overarching goals on which to ground the recommendations: (1) improve the privacy and data security of health information, (2) improve the effectiveness of health research, and (3) improve the application of privacy protections for health research (see Box 6-1). In the process of recommending changes to the HIPAA Privacy Rule to achieve these three goals, the committee identified many serious problems with the current regulatory system. This section reviews the most serious problems with the Privacy Rule’s regulation of health research and protection of privacy in terms of these overarching goals.

BOX 6-1. The Committee’s Three Overarching Goals.

Improve the Privacy and Data Security of Health Information

In the context of health research, the privacy goal entails the commitment to handle personal information of patients and research participants in accordance with meaningful privacy protections. These protections should include strong security measures, disclosure of the purposes for which personally identifiable health information1 is used (transparency), and legally enforceable obligations to ensure information is secure and used appropriately (accountability). The Privacy Rule falls short of the privacy goal for health research in two important ways: (1) it overstates the ability of informed consent (authorization2) to protect privacy, and (2) it does not provide other meaningful methods of protecting privacy, such as effective security, accountability, and transparency.

Overemphasis on Informed Consent

The principle of autonomy currently dominates the ethical landscape for both medical care and clinical research in the United States and serves as the justification for the doctrine of informed consent (i.e., authorization) in the Privacy Rule. Historically, informed consent was based on the idea that “every human being of adult years and sound mind has a right to determine what shall be done with his own body.”3 It was primarily considered a protection against physical harm, permitting informed, competent patients to refuse unwanted medical interventions, to choose among medically available alternatives, and to make choices that conflict with the wishes of family members or the recommendations of physicians (Buchanan, 1999; Lo, in press). Under this system, a great deal of information-based health research was conducted using personally identifiable health records without the informed consent of the persons whose records were used.

Several recent developments have brought attention to this practice, and have focused attention on the historical absence of patient autonomy in information-based research. First, the increased use of electronic health records has made it significantly easier for researchers to access large quantities of personally identifiable data. Second, the move towards personalized medicine, and the potential improvements to population health and health care that could be developed based on a better understanding of the determinants of health and illness, have increased researchers’ needs for personally identifiable health information.

Under the Privacy Rule the concept of informed consent is extended beyond control of one’s body, to control of one’s health information in an attempt to address the historical lack of informational autonomy, and with the goal of protecting individuals against the nonphysical harm of unauthorized uses or disclosures of their protected health information. However, consent (authorization) itself cannot achieve the separate aim of privacy protection. The Privacy Rule, as currently defined and operationalized in practice, does not provide effective privacy safeguards for information-based research because of an over-reliance on informed consent, rather than comprehensive privacy protections.

The Limitations of Relying on Consent to Protect Privacy

As has been described above, the protection of medical privacy in the data processing environment requires the adoption of comprehensive privacy protections, which establish a variety of obligations on entities that collect and use personal information. These obligations to safeguard privacy, such as security, transparency, and accountability, are independent of patient consent. In fact, preventing the secondary use of personal data is the only privacy obligation that consent can potentially address. However, informed consent has recently been put forward as an alternative to the adoption of comprehensive privacy protections, with the practical consequence that many privacy obligations are ignored (Allen, 2007; Rotenberg, 2001; Solove et al., 2006) (see the section on Other Federal Actions for examples of currently proposed bills). This section describes some of the major limitations of relying heavily on informed consent to protect informational privacy, as is done in the HIPAA Privacy Rule, rather than requiring the implementation of a full range of privacy protections.

With a primary focus on informed consent in privacy laws, many entities that hold personal health data may have insufficient incentives to implement comprehensive privacy protections. If compliance with consent requirements frees the data holders from further privacy obligations, some organizations and researchers may be less likely to invest in privacy-enhancing technologies or the infrastructure necessary to truly protect data. This emphasis also creates few reasons for organizations to make their activities transparent or to create institutional accountability (AHIC, 2008; Cate, 2008; CDT, 2008a; U.S. Congress, 2008a).

In addition, although informed consent can allow patients to control whether their information is used for any secondary purposes, such as research, few patients are sufficiently informed to make educated decisions about how their data should be used (Schneider, 2006). Studies indicate that many consumers do not read the details of informed consent forms, which are often lengthy documents, and even when they do read the forms they often do not comprehend all the details (Cate, 2008). Two separate studies have found that many consumers mistake the existence of any privacy policy for a guarantee that information will be strongly protected and withheld from outside persons, even if the consent says differently (Good et al., 2005; Turow et al., 2007). This difficulty is magnified by the fact that often patients are asked to give informed consent at a time when they are not in good health and are not motivated or lack the ability to make these kinds of complicated decisions (CDT, 2008b; U.S. Congress, 2008a).

Relying heavily on informed consent rather than comprehensive privacy obligations may also lead to a shift from substantive privacy protections toward costly procedural requirements that actually provide consumers with few meaningful choices, especially if informed consent is required as a condition of obtaining services (Cate, 2008; Thomas and Walport, 2008). Data holders may offer blanket consents to shield themselves from liability without actually providing any substantial privacy protection. In these situations patients lack reasonable alternatives and are forced to relinquish control over how their health information is used (CDT, 2008a; Thomas and Walport, 2008; U.S. Congress, 2008a,b).

In the case of medical records research, it is questionable as to whether a reliance on informed consent actually fosters patient confidentiality and protection (AMS, 2006, 2008; Casarett et al., 2005; Thomas and Walport, 2008). For example, if individuals must be contacted each time their records may be used in a particular study in order to obtain informed consent, as the Privacy Rule requires, such contact could be considered intrusive and counter to the tenets of confidentiality. Also, a common methodological approach to studying disease is to compare people with a particular disease to people who do not have that disease—known as a case-control study. But people may become alarmed if they are asked to consent to their records being used in such a study on a particular disease (e.g., cancer) for which they have not been diagnosed (Casarett et al., 2005).

Because of these limitations, the committee believes it is important to shift the focus in privacy protections toward a set of more comprehensive privacy obligations. This will ensure that health information privacy protections are more robust and more likely to minimize the risks to personal privacy that result from the collection of personally identifiable health information.

Failure to Incorporate Other Meaningful Privacy Protections

Implementation of the Privacy Rule does not ensure that covered entities or the research community will adopt a full range of measures to protect data; the security, transparency, and accountability provisions have proven ineffectual. As highlighted in Chapter 2, the HIPAA Security Rule does lay out a number of security requirements that covered entities must implement for protecting electronic protected health information. However, despite this regulation, there have been a number of highly publicized examples of data security breaches in health research, most often due to stolen or misplaced computers containing health data. A recent survey conducted by Campus Computing Project found that from 2006 to 2007, colleges of all types saw a 3.6 percent increase in the number of stolen computers with sensitive data. This problem was most prevalent at major research universities (Foster, 2008). Also, a report from the Identity Theft Resource Center found that identity thefts are up 69 percent for the first half of 2008, compared to the same time period in 2007, and so the consequences of security breaches are more likely to lead to tangible harm than previously believed (ITRC, 2008). These facts suggest that holders of personally identifiable health data should be required to implement security safeguards beyond what is provided for under the current HIPAA Security Rule.

In addition, as discussed in Chapter 4, it has been argued that the current interpretation of the Privacy Rule has not successfully resulted in accountability for misuses and unauthorized disclosures of protected health information. The regulation provides both civil and criminal penalties for covered entities that breach the Privacy Rule, but enforcement of the Privacy Rule has been criticized as inadequate. To date, there have been no civil penalties imposed against any covered entity and only three criminal prosecutions, despite the fact that between April 2003 and August 2008, more than 38,000 complaints were received by HHS regarding alleged violations of the Privacy Rule. HHS has not provided information on how many of these alleged violations are in the context of health research (HHS, 2008a; Rahman, 2006). On July 18, 2008, HHS required a monetary payment to settle potential violations of the Privacy and Security Rules for the first time, signaling that HHS may start to take a more assertive approach to enforcement of the Privacy and Security Rules in the future (HHS, 2008b). This agreement was in response to the covered entity allowing backup tapes, optical disks, and laptops—containing unencrypted protected health information on 386,000 patients—to be stolen or lost.

Finally, the accounting for disclosures provision of the Privacy Rule was intended to make covered entities’ actions open and transparent (discussed in Chapter 4). This provision gives individuals the right to receive a list of certain disclosures that a covered entity has made of their protected health information in the past 6 years, including disclosures made for research purposes.4 However, this requirement has numerous exceptions. Also, for research involving groups of 50 or more, covered entities are only required to produce a general list of all protocols for which a person’s protected health information may have been disclosed, but do not have to provide any more specific information. Therefore, the accounting for disclosures provision does not require covered entities to provide individuals with a clear description of how their health information is used, and does not provide individuals with the detailed information they may want (AHIC, 2007; Pritts, 2008). At the same time, survey data show that this provision is a considerable administrative obligation for covered entities, and is rarely requested by patients (AHIMA, 2006; see also Chapter 4).

Improve the Effectiveness of Health Research

The health research goal emphasizes the importance of research in extending high-quality, healthy lives, and in leading to improved methods for prevention, diagnosis, and treatment. Unfortunately, the available evidence indicates that the current interpretation and implementation of the Privacy Rule has had an unintended negative impact on health research. As discussed in Chapter 5, the Privacy Rule, as interpreted and implemented by covered entities, has:

  • Increased the cost and time needed to conduct a research project from start to finish
  • Made recruitment of research participants more difficult
  • Increased the likelihood of selection bias and made it more difficult to produce generalizable findings
  • Increased research participants’ confusion regarding their rights and protections
  • Led researchers to abandon important studies
  • Created new barriers to the use of patient specimens collected during clinical trials or treatment
  • Failed to create an effective way for researchers to conduct studies using data with direct identifiers removed

These negative consequences are particularly problematic in light of recent trends in health care and research. Since the Privacy Rule was implemented, health data have assumed an even greater role in health research, and will become more essential as health care administration moves toward personalized medicine, in which preventive and therapeutic interventions are tailored to the individual characteristics of patients. Developing drug therapies and treatment protocols that focus on smaller and smaller subsets of the population based on genetic makeup or health history and environmental exposures requires access to more and more personal data to conduct effective health research. In addition, burgeoning health care costs and increasing limitations on expenditures by health care plans highlight the need for health services research to better determine which patients benefit from current approaches and which patients may even be harmed. If the current approach to privacy protection in research under the Privacy Rule continues unchanged, these advances will be burdened and potentially delayed, and opportunities for medical progress may be lost.

Alternative models. The challenges described above are causing some leading scientists, legal experts, and privacy advocates to develop new paradigms for determining when personally identifiable health data, including biological samples, can be used for research. The recognition that a primary focus on consent is not always meaningful or protective of privacy, and that it impedes important information-based research, is gaining acknowledgment in the United Kingdom and in other countries in Europe, as well as the United States (AMS, 2006, 2008; Thomas and Walport, 2008). The committee reviewed several alternative models and took them into consideration in the development of the proposed new framework for protecting privacy in health research.

  • Reciprocity, Solidarity, and Mutuality Models. These models seek to address the situation where there is no consent for future research uses (whether specified or unspecified). Proponents of the reciprocity model argue that by accepting the benefit of past medical research (which is intrinsic in the use of medical services), patients inherently agree to allow the use of their health information in future research for the common good (Knoppers and Chadwick, 2005; Liu, 2007). Critics of this approach argue that voluntary altruism by past research participants imposes no reciprocal obligation on the larger community (Jonas, 1991). Proponents of the solidarity model similarly argue that individual ties to society and social relationships require individuals to participate in research without informed consent for the common good (Chadwick and Berg, 2001). The mutuality model is based on the insurance industry’s concept of individuals entering a pool for sharing losses and known risks. In the research context, mutuality requires individuals to pool their health information for the benefit of all, rather than provide for discretionary control of individual information (Knoppers and Chadwick, 2005).
  • Harms-Based Model. The harms-based model seeks to narrowly tailor the restrictions that are applied to the use of personally identifiable health information based on the specific risks associated with unauthorized use of that information. There are two categories of potential harm commonly cited with respect to unauthorized uses of personally identifiable health information: (1) discrimination and stigmatization and (2) erosion of trust leading to compromises in health care (NCVHS, 2007). For example, such an approach would logically call for the adoption of nondiscrimination legislation and a requirement that entities with a legitimate need for personally identifiable health information secure the information against further unauthorized access. This would arguably address directly the risks of harm to the individuals involved when their personally identifiable health information is used for research, while recognizing the need for researchers’ access to information in order to achieve the public’s goals of improving individual and public health and advancing scientific knowledge.

Improve the Application of Privacy Protections for Health Research

The goal of improving the application of privacy protections for health research stresses the need for consistent standards for the use and disclosure of personally identifiable health information in health research. The extent of privacy protections should not depend on the holder of the personally identifiable health information, the source of the data, or what type of funding is supporting the research project. In addition, all institutions required to comply with the privacy protections should ideally interpret and implement them in a consistent manner. Major problems identified with the Privacy Rule’s regulation of research under this principle include: (1) discrepancies between the Privacy Rule and other rules and regulations relevant to health research, (2) the Privacy Rule’s limitation in scope, and (3) large variations in interpretation and implementation by covered entities.

Discrepancies with Other Rules That Regulate Research

The Privacy Rule was intended to provide consistent standards in the United States for the use and disclosure of protected health information, including for research purposes. However, in the current state, the Privacy Rule is difficult to reconcile with HHS regulations for the Protection of Human Subjects (45 C.F.R. 46), the Food and Drug Administration human subjects regulation (21 C.F.R. parts 50 and 56), and other applicable federal and state laws. For example, the provisions governing data deidentification, consent for future research, and recruitment of research volunteers vary among these regulations, making important research activities more challenging to undertake (see Chapter 4).

Limitation in Scope

The Privacy Rule pertains only to covered entities; thus this regulation does not apply uniformly to all health research in the United States (see Chapter 4). Similarly, as described in Chapter 3, the Common Rule only applies to research conducted or supported by the U.S. government (although its influence is broader because most institutions that accept federal funds sign a federalwide assurance to abide by the Common Rule requirements in all research conducted at the institution, regardless of funding source). Because both of these Rules are limited in scope, there are significant gaps in whom and what is covered by current federal research regulations. This is in stark contrast to most other countries, in which research regulations are not limited by provisions regarding funding or particular health care transactions, but instead apply to all research conducted in that country (Casarett et al., 2005).

Differences in Interpretation

Because the Privacy Rule is such a complex regulation, there is substantial variation across institutions in how the Privacy Rule has been interpreted and implemented (see Chapter 5). For example, the way in which Institutional Review Boards (IRBs) and Privacy Boards interpret the concepts of impracticability and minimal risk when making decisions about authorization requirements varies across institutions, and often is quite conservative (see Chapter 4). Inconsistent interpretation and application of the Privacy Rule research provisions by IRBs, Privacy Boards, and covered entities that hold the protected health information, especially for multisite research and studies that are reviewed by multiple IRBs and Privacy Boards, can create barriers to research such as variations in protocol at different institutions and, at times, discontinuation of studies. A lack of clarity in how the Privacy Rule applies to various types of health research or closely related health care practices adds another layer of complexity and variability (see Chapter 3). In fact, some covered entities are reluctant to permit access to data for research even when all provisions of the Privacy Rule are followed, out of fear of misinterpreting the Privacy Rule (Casarett et al., 2005; Rothstein, 2005).

THE NEW FRAMEWORK

Given the clear limitations of the HIPAA Privacy Rule, the committee concluded that a new approach to the regulation of health research is needed. The committee favors an approach in which both individual privacy and the societal value of research are carefully considered and supported. To achieve this goal, the committee identified a number of key concepts (CIHR, 2005; Gostin, 2001) to incorporate into the new framework, including:

  • All researchers should be required to follow the same set of privacy rules.
  • Whenever possible, information-based research should be done using health data with direct identifiers removed.
  • Access to personally identifiable health data without patient consent should require impartial, outside scientific and ethical review that considers:
      — Measures taken to protect the privacy, security, and confidentiality of the data;
      — Potential harms that could result from disclosure of the data; and
      — Potential public benefits of the research.
  • Researchers should identify and document research objectives to justify the data they wish to use and/or collect.
  • Researchers, institutions, and organizations that store personally identifiable health data should establish security safeguards and set limits on access to data.
  • Researchers who violate individuals’ privacy should be penalized.

These concepts are intended to support the beneficial use of existing health data, as well as the collection and use of health data for research purposes, while protecting individuals’ privacy.

Examples of Informative Models

One informative example that incorporates many of the privacy principles listed above is Ontario’s Personal Health Information Protection Act (PHIPA).5 This provincial law governs the manner in which “personal health information”6 is collected, used, and disclosed within the Ontario health care system. PHIPA only applies to the province of Ontario (not the entire country) and operates in a universal health care system, so the legislation as a whole may not be easily transferable to the United States. However, many of the major concepts in PHIPA influenced the committee’s deliberations regarding the new framework.

PHIPA shares a number of similarities with the Privacy Rule (Table 6-1). In general, both regulations require the holder of personally identifiable health data to obtain informed consent (referred to as authorization in the Privacy Rule)7 before using any personally identifiable health information for a purpose other than providing services directly related to health care of the patient. If a researcher wishes to use personally identifiable health data without informed consent, both regulations require the researcher to obtain a waiver of informed consent approved by an independent ethics board prior to the start of the study.

TABLE 6-1. The HIPAA Privacy Rule Versus PHIPA.

Despite these similarities, the Privacy Rule and PHIPA have some key differences that are important in research. One major difference is that unlike the Privacy Rule, which applies privacy obligations unevenly across the health care sector, PHIPA implements a more uniform approach. PHIPA applies to health information custodians (HICs) (e.g., providers, hospitals, and pharmacies) who collect, use, and disclose personal health information and to non-HICs when they receive personal health information from a HIC. This means that the privacy protections follow the data, even after the data are no longer held by a HIC. All health researchers are required to comply with PHIPA when using personal health information. In contrast, the Privacy Rule fails to provide individuals with privacy protections if their information is held by an entity other than a covered entity. Only some researchers qualify as covered entities or are employed by covered entities and are directly regulated by the Privacy Rule; for others, the Privacy Rule regulates access to protected health information held by covered entities but the researchers themselves are not subject to the provisions.

A second major difference is the Privacy Rule and PHIPA’s treatment of deidentified information. Deidentified information is outside the scope of both rules. However, PHIPA provides a more vague definition of “deidentified” than the Privacy Rule, defining it to mean the removal of “any information that identifies the individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual.”8 Because of the lack of specificity in the definition, and the fact that the Ontario Information and Privacy Commissioner has not issued any guidance on the deidentification process, HICs are required to exercise judgment in determining when enough identifiers have been removed that the information is deidentified. Many HICs take a very conservative approach to the disclosure of personal-level, deidentified information for research and require Research Ethics Board approval (Canadian equivalent of an IRB or Privacy Board).9 In contrast, the Privacy Rule provides two very detailed methods of deidentifying health information: (1) the safe harbor method, and (2) the statistical method (see Chapter 4). If a covered entity complies with either of these methods, it may disclose the deidentified information to researchers without IRB or Privacy Board approval.

A third major difference is that under PHIPA, HICs are permitted to disclose personal health information without consent to “prescribed persons or entities” that are prescribed by the legislation, including registries compiled or maintained for purposes of facilitating or improving the provision of health care or that relate to the storage or donation of body parts or bodily substances. In order to be designated as a prescribed person or entity, the person or entity must have in place practices, policies, and procedures to protect the privacy of individuals whose personal health information it receives and to maintain the confidentiality of such information. These practices, policies, and procedures must be reviewed and approved by Ontario’s Information and Privacy Commissioner (IPC), an individual appointed by the Ontario Legislature, every 3 years. Prescribed persons and entities must also make public a description of the functions of the registry and a summary of its practices, policies, and procedures. Currently, five registries are designated as a “prescribed person” under PHIPA.10

Once personal health information is held by a prescribed entity, the entity may use and disclose the information for research purposes in accordance with the normal rules and restrictions on HICs disclosing information for research—including the requirement for approval by a Research Ethics Board if the information is in identifiable form. There are several advantages for researchers in obtaining information from prescribed entities, rather than other HICs. Prescribed entities collect personal health information from a wide range of sources and can link and match the personal health information longitudinally. In addition, there is little danger of selection bias, because informed consent is not required in the collection of the data. Prescribed entities very rarely need to disclose information in identifiable form for research, because researchers are given data that are already aggregated and linked. PHIPA instructs the prescribed entities to use their judgment in determining if information is deidentified. However, as noted above, all prescribed entities must have their policies and practices reviewed by the IPC, including their policies for the deidentification of data. As a result, prescribed entities are confident in their deidentification process, and researchers obtaining data from prescribed persons are rarely required to obtain informed consent or Research Ethics Board approval.

Recently, a similar approach to prescribed entities was recommended in a report commissioned by the United Kingdom’s Prime Minister on secondary uses of personal information. This report suggested the creation of “safe harbors,” which have three defining characteristics: (1) they provide a secure environment for processing personally identifiable health data, (2) they are restricted to “approved researchers” who meet relevant criteria, and (3) they implement penalties and allow for criminal sanctions against researchers who abuse their access to personally identifiable data (Thomas and Walport, 2008).

The United Kingdom approach is also comparable to PHIPA, because both models incorporate the concept that personally identifiable information should only be disclosed for health research when the research is beneficial to the public and has scientific merit. PHIPA instructs Research Ethics Boards to consider both “the public interest in conducting the research and the public interest in protecting the privacy of the individuals whose PHI is being disclosed” when reviewing research plans. The United Kingdom model identifies the principle of proportionality, defined as “an objective judgment as to whether the benefits outweigh the risks,” as a key consideration when deciding whether personal information may or may not be shared for health research (Thomas and Walport, 2008). There is also a precedent for weighing scientific merit in the United States—as previously noted in Box 4-5, Centers for Medicare & Medicaid’s (CMS’s) Privacy Boards are instructed to “balance the potential risks to the beneficiary confidentiality with the probable benefits gained from the completed research,” as well as to consider the researchers’ demonstrated expertise and experience in conducting such a study.

The committee believes an approach similar to PHIPA and the recently proposed model from the United Kingdom, combined with strong security measures, offers adequate privacy protections for personally identifiable health information, while greatly expanding research opportunities. In particular, the prescribed entity/safe harbor concept offers a useful way to conduct medical records research and effectively protect patient privacy and confidentiality by facilitating greater use of deidentified data in research. Also, the focus of PHIPA, the United Kingdom model, and CMS on permitting the disclosure of personally identifiable information only for socially beneficial research that has scientific merit ensures that approved research projects address important health questions and utilize a scientifically rigorous methodology. In addition, PHIPA’s focus on transparency, by requiring prescribed persons and entities to post their research purpose, policies, and procedures, is consistent with desirable comprehensive privacy protections.

The Committee’s Recommendation

The committee recommends that Congress authorize HHS and other relevant federal agencies to develop a new approach to ensuring privacy in health research. When this new approach is implemented, HHS should exempt health research from the Privacy Rule. The committee suggests a two-part practical approach to protecting health information privacy because there are fundamental differences between information-based research and direct, interventional human subjects research. First, congressional action should be taken to require all interventional research (e.g., Phase I–III clinical trials) to comply with the Common Rule, regardless of funding source. This would eliminate current gaps in oversight and provide protection for all patients who consent to participate in interventional clinical trials. In addition, all researchers who gain access to personally identifiable health information as part of the interventional research should be required to protect that information with strong security measures, as recommended in Chapter 2. Research participants should be allowed to provide consent for future research uses of data and biological materials collected as part of the interventional study, as long as an IRB reviews and approves the future uses, ensuring that the new study is not incompatible with the original consent (as recommended in Chapter 4).

Second, Congress should authorize HHS and other relevant federal agencies to develop a new approach to uniform, goal-oriented oversight of information-based research, with a focus on best practices in privacy, security, and transparency as in PHIPA and the proposed United Kingdom model (CIHR, 2005; Thomas and Walport, 2008) and minimizing ineffective and burdensome administrative tasks. This new approach should include a mechanism by which some programs or institutions could be certified by HHS or another accrediting body, similar to a prescribed entity as in PHIPA or a “safe harbor” as in the United Kingdom model. Such certified entities could then collect and analyze personally identifiable health information for clearly defined and approved purposes, without individual consent. Because of the administrative requirements in becoming certified, this option is most appropriate for disease registries and other very large scale research databases. The regulations should require specific privacy safeguards for certified entities, including mandatory privacy training for all staff/researchers; signing of confidentiality agreements; privacy breach policies and procedures; and mandatory privacy impact assessments. In addition, the regulations should require certified entities to publicize the scope and purpose of their data collection (e.g., the types of studies that may be undertaken with the data). The regulations could also require entities to provide details on what their database will not be used for, to assure the public that certain types of activities will not be conducted.

Certified entities could also link personally identifiable data from multiple sources (see discussion on linking in Chapter 4) and then provide aggregated datasets to researchers with direct identifiers removed (see discussion on deidentified data and limited datasets in Chapter 4) (AMS, 2008; Thomas and Walport, 2008). Aggregation would generate more complete datasets for analysis and thus lead to more meaningful research results. Data with direct identifiers removed would protect patient privacy in research and would also streamline research efforts by eliminating the need to undergo ethics board review, which is not required for research using deidentified data under the Privacy Rule, PHIPA, or the United Kingdom model. To further protect privacy, unauthorized reidentification of information that has had direct identifiers removed should be prohibited by law, and violators should face legal sanctions. In addition, researchers receiving information with direct identifiers removed should be required to establish security safeguards and to set limits on access to data.

In cases where researchers cannot use data with direct identifiers removed, and personally identifiable health information is needed for research, approval and oversight by an ethics board should be required, partially analogous to what is now done under the HIPAA Privacy Rule and PHIPA. This ethics oversight board could perhaps entail a new body specifically formulated to review medical records research, rather than relying on traditional IRBs that were created to review interventional research. If researchers seek a waiver of informed consent, an ethics oversight board should consider the measures the researchers have proposed to take to protect the privacy, security, and confidentiality of the data, the potential harms that could result from disclosure of the data, and the potential public benefits of the proposed research study. Privacy should not automatically be a more compelling interest than improving health care. However, even research with little risk to privacy should not be conducted if the study has little scientific merit or anticipated public benefit.

Under this new system, HHS should implement real consequences for any researcher or institution that mishandles personally identifiable health information, regardless of whether it is obtained through informed consent or under a waiver of informed consent. In order to facilitate consistent application of this option, HHS should issue clear guidance and best practices (as recommended in Chapter 4) on how to assess the potential harm, the proposed measures to protect privacy and confidentiality, and the potential public benefits of a research study, as has been done under PHIPA. For example, the Canadian Institute for Health Information has developed best privacy practices for research to provide guidance for determining whether or not a waiver of consent is warranted (CIHR, 2005).

The primary focus of many IRBs in reviewing research protocols in the past has been on risks to the physical safety of research participants. There is a great deal of variability in whether and how IRBs consider the public benefit and scientific merit of research proposals. But the first rule of ethical research is that the research must have scientific value—meaning that it addresses an important question of human health and is designed and conducted using methodology that is appropriate and rigorous. The scientific merit of research varies by project, just as the potential risk to privacy of research varies across different protocols. The committee believes that when making decisions about whether a research protocol that entails the disclosure of personally identifiable information should go forward, ethical oversight boards should take all these factors—potential risks/harms to research participants’ privacy as well as scientific merit and potential public benefit of the research proposal—into consideration.

In 2001, a previous IOM committee, the Committee on Assessing the System for Protecting Human Research Subjects, recommended that “human research participant protection programs” use distinct mechanisms for initial, focused reviews of scientific merit and financial conflicts of interest and that these reviews should precede and inform the comprehensive ethical review of research studies. Ethical oversight board members themselves may not have the expertise to assess the merit of diverse research studies, but they should have access to evaluations by scientific review committees or funder peer review panels. Input regarding the scientific value of studies from these experts would help ethical oversight boards assess the anticipated benefits of a proposed research project.

The Role of Informed Consent in the New Framework

Informed consent is intended to achieve two purposes: (1) protect research participants from harm and (2) provide respect for the person (including the person’s privacy, religious beliefs, cultural preferences, and world views). As outlined above, the framework maintains a requirement for informed consent for all interventional clinical research. The purpose of informed consent in this type of research is mainly to protect research participants from harm by providing a description of the potential risks and benefits of the study and to seek permission to involve the subject. Although privacy protection is a component of the risk/benefit considerations, the main focus traditionally has been on physical harms. One study found that confidentiality is one of the least important considerations for potential research participants in deciding whether to participate in interventional clinical research (Tait et al., 2002).

However, it is important to note that interventional researchers are expected to follow the principles of medical ethics, which require that information disclosed in the course of medical treatment is kept as confidential as possible. Moreover, the committee’s framework includes the recommendation that strong security safeguards be required for any data collected in conjunction with an interventional study. The framework’s permission of future consent for researchers’ use of data and biological materials actually increases individuals’ ability to exercise control over their personally identifiable information. Under the Privacy Rule, the requirement to obtain a new authorization form signed for each research study means that most future studies actually proceed under a waiver of authorization, and individuals are deprived of all input into future uses of their information (Nosowsky and Giordano, 2006). Thus, informed consent in this context addresses protection from both physical harm and dignitary harm.

In contrast, in information-based research that relies solely on medical records and stored biospecimens, the research participant faces no risk of physical harm. In this context, informed consent is intended to ensure that individuals are able to exercise control over their personally identifiable health information that is held by third parties, and to give individuals the right to determine whether their personally identifiable health information can be used in a particular research project (or a series of such projects, if consent for future research is permitted). However, a universal requirement for informed consent can lead to invalid results, because of significant differences between patients who do or do not grant consent, and missed opportunities to advance medical science because it can be prohibitively costly and difficult to obtain consent for studies that require analysis of very large datasets.

As a result, the framework includes two alternatives to requiring informed consent that can be used in certain circumstances (i.e., disclosure to a certified entity and waiver of informed consent by an ethics oversight board), which are intended to facilitate research that is in the public interest. For research that makes use of these two alternatives, the framework counterbalances the absence of informed consent with an increase in security, transparency, and accountability protections by: (1) requiring certified entities to protect the privacy and confidentiality of personally identifiable health information records in a manner that is approved by an outside party (HHS or a different body), (2) requiring certified entities to fully disclose what research is being conducted with their data, (3) requiring ethics oversight review for research that uses personally identifiable data under a waiver of informed consent, (4) implementing clear and consistent consequences for researchers who are responsible for privacy or security breaches, and (5) encouraging the development and use of improved security protections for use in health research.

Public opinion polls indicate that a significant portion of the public would prefer to control all access to their medical records via informed consent. However, as noted above, a universal requirement for informed consent would impede important health research and lead to biased, ungeneralizable results, to the detriment of society. The committee believes that the new framework provides strong protections for data privacy and security, beyond that currently provided under the Privacy Rule, while increasing the opportunities for important health research by offering an alternative to informed consent under certain circumstances.

The Belmont Report, one of the most influential reports on the advancement of human research participant protections, recognizes that principles of respect for persons and autonomy are not absolutes and must be considered along with other ethical principles. It acknowledges that there may be compelling reasons to limit autonomy, providing that “To show lack of respect for an autonomous agent is to repudiate that person’s considered judgments, to deny an individual the freedom to act on those considered judgments, or to withhold information necessary to make a considered judgment, when there are no compelling reasons to do so” (emphasis added) (HEW, 1979). Similarly, a 1994 IOM report argued that existing health information, stored in medical records and biospecimen banks, should be released to researchers without informed consent if such studies were regarded as being in the public’s interest (IOM, 1994).

If society seeks to derive the benefits of medical research in the form of improved health and health care, information should be shared to achieve that societal benefit (Chadwick and Berg, 2001; Knoppers and Chadwick, 2005; Liu, 2007), and governing regulations should support the use of such information. Recent reports from the United Kingdom have come to a similar conclusion and recommend that the law allow the use of personally identifiable health information without consent if the use of that information is necessary and the potential benefits to society outweigh the individual risks (AMS, 2006, 2008; Thomas and Walport, 2008). In the committee’s proposed new framework, the greater emphasis on ensuring the security protections of personally identifiable health information, facilitating research using data with direct identifiers removed, and ensuring the scientific merits of any proposed research should help to foster its acceptability. Nonetheless, to implement this new framework, effective communication with the public regarding the value of this model will be important to address concerns and gain acceptance, as recommended in Chapter 3.

THE NEW FRAMEWORK ADDRESSES THE OVERARCHING GOALS

The committee supports its argument in favor of implementing a new framework for protecting privacy in health research by outlining how this approach achieves the committee’s three overarching goals: (1) improving the privacy and data security of health information, (2) improving the effectiveness of health research, and (3) improving the application of privacy protections for health research (see Box 6-1). The committee believes many of the limitations of the current federal regulation of research can be improved or solved by the proposed framework.

Improving the Privacy and Data Security of Health Information

The new framework includes a number of mechanisms to improve the protection of research participants’ privacy and security in health research. First, the privacy of research participants is improved because the new framework applies to all institutions and all health researchers who collect, use, and disclose personally identifiable health information. Similar to Ontario’s PHIPA, this means that the privacy protections follow the data. No matter what entity or individual holds the personally identifiable data, the same set of privacy safeguards is required.

Second, the new framework maintains the requirement that researchers obtain informed consent for all interventional clinical research and strengthens the security protections of data collected in the course of a clinical trial. The new framework also permits research participants in interventional, clinical research to provide informed consent for future research uses of their data and biological materials collected as part of the study. The privacy of these individuals is protected by requiring an IRB to review any future studies and to determine that the future uses are not incompatible with the original informed consent. This aspect of the new framework actually promotes individuals’ ability to exercise control over their personally identifiable information. As stated above, the requirement in the Privacy Rule that researchers must obtain new authorization for every use of protected health information means that most future studies proceed under a waiver of authorization, and individuals are deprived of all input into future uses of their information (Nosowsky and Giordano, 2006).

Third, the new framework protects privacy by maintaining the default requirement that researchers must obtain informed consent to use personally identifiable data for research. If researchers wish to use personally identifiable data without obtaining informed consent for information-based research, they are required to identify and document their research objectives to an ethics oversight board, and they must identify the measures by which they will protect the privacy, security, and confidentiality of the data. The ethics oversight boards provide impartial review, and are only permitted to waive informed consent after considering the measures to protect the privacy, security, and confidentiality of the data; the risk of harm in conducting the research; and the potential public benefit of the research study.

Fourth, the new framework protects privacy by creating certified entities that facilitate researchers’ use of data with direct identifiers removed. One of the major problems with the deidentification provisions of the Privacy Rule is the difficulty in linking data from multiple sources to generate more complete datasets or to follow patient outcomes longitudinally (see Chapter 5 for more details). The new framework’s certified entity concept provides a solution to this problem; certified entities are able to link and match personally identifiable information longitudinally from multiple sources and can then disclose data with direct identifiers removed to researchers. Because the data provided by certified entities with direct identifiers removed have already been linked and aggregated, they are more useful for research. Thus, researchers will be able to make greater use of deidentified datasets and will need access to personally identifiable data in fewer situations. Privacy is improved because there are fewer risks to privacy when researchers do not access or use personally identifiable data.

In addition, the privacy of data held by certified entities is protected because certified entities are required to have their privacy and security policies approved and re-approved on a regular basis by an outside party (HHS or a different body). Certified entities are also required to implement specific privacy safeguards including mandatory privacy training for all staff/researchers, signing of confidentiality agreements, privacy breach policies and procedures, mandatory privacy impact assessments, and security safeguards and limits on access to data.

Finally, the new framework protects privacy in health research by requiring the implementation of comprehensive privacy protections, including transparency, accountability, and security. Transparency is improved by the new framework’s requirement that certified entities publicize the scope and purpose of their data collection and provide information on what uses of their data will not be permitted. Transparency is also achieved by requiring researchers to describe in detail their research plans and objectives (either to potential research participants or to the ethics oversight board) and to justify the data they wish to use and/or collect. Accountability is improved by the new framework because it requires Congress and HHS to implement clear and consistent consequences for researchers who are responsible for privacy or security breaches. The new framework also includes provisions for penalizing any individuals who attempt to reidentify data that has had its direct identifiers removed. Security is improved in the new framework because all holders of health data, both personally identifiable data and data with direct identifiers removed, are required to implement security safeguards, as described in Chapter 2, and to set limits on access to data. The committee also believes that the increased emphasis on accountability in the new framework will encourage researchers and other stakeholders to invest money in developing privacy-enhancing technologies for use in research, to reduce the risk of accidental breaches and the associated consequences.

Improving the Effectiveness of Health Research

The new framework is intended to provide a method of regulating health research, including the protection of individual privacy, in a way that minimizes impediments to beneficial research. First, allowing patients to consent to the future use of specimens collected during the course of an interventional study or treatment will reduce many barriers to researchers’ use of existing biospecimen banks. Patient privacy is protected by requiring any future uses of these specimens to be approved by an IRB, which should determine whether a proposed study has scientific merit, implements appropriate privacy protections, and is not incompatible with the original consent.

Second, the creation of certified entities that can receive personally identifiable health information for information-based research without patient informed consent, similar to PHIPA’s prescribed entities and the United Kingdom’s safe harbors (Thomas and Walport, 2008), will result in more complete and representative datasets, and thus will result in more generalizable results. The creation of certified entities will also facilitate research using data with direct identifiers removed. As stated above, under the current system, researchers cannot link datasets from multiple covered entities without a unique identifier. If a certified entity performed this task, researchers could make greater use of data without identifiers.

Third, the goal-oriented framework with a focus on best practices should aid the work of both researchers and IRBs and reduce the variability across different institutions. For example, it should be easier for IRBs to make appropriate decisions regarding waivers of informed consent because the framework’s goal is to allow beneficial research to be conducted if comprehensive privacy and security safeguards are in place and privacy risks are minimized. Identification and dissemination of best practices in privacy protection for various types of health research would help delineate what IRBs should do to facilitate responsible research, rather than just defining what is permissible.

Finally, the committee believes this framework will reduce some of the research costs and time that have increased since the Privacy Rule was implemented because the framework is designed to make research oversight more uniform and to reduce administrative burdens.

Improving the Application of Privacy Protections for Health Research

A recent report by the National Committee on Vital and Health Statistics (NCVHS) recognized the importance of having nationally uniform privacy protections for all secondary uses of health data, including research. The report criticized the Privacy Rule’s reliance on the covered entity construct and on business associate agreements to protect PHI (NCVHS, 2007). The framework proposed by the IOM committee addresses this criticism of the Privacy Rule, and provides for a comprehensive regulation of research that applies to all researchers and protects all personally identifiable health data in research. It eliminates a primary problem of harmonization of privacy protections because the framework is intended to be the only regulation governing researchers’ use of health data. In addition, the implementation of this framework would improve the clarity of privacy protections because currently much of the confusion is due to the Privacy Rule’s complicated interactions with other existing privacy regulations, such as the Common Rule.

One potential challenge under the new framework is the need to define health research and to distinguish interventional research from information-based research. HHS will need to develop clear guidelines to help researchers and ethics oversight boards consistently make this distinction. The identification and dissemination by HHS of best practices in research protections (as recommended in Chapter 5) will be important to ensure greater uniformity of goal-oriented research oversight and to ensure that the framework is implemented in a way that facilitates research without undermining individual privacy. In addition, there will be some administrative burden in certifying and overseeing the certified entities.

RELEVANCE OF THE RECOMMENDATION TO OTHER FEDERAL ACTIONS

The committee’s recommendation for a new framework to regulate health research is particularly timely because new actions at the federal level are being considered or have already been taken to protect the privacy of electronic health records. These developments raise new concerns about potential impacts on health research. The committee believes this proposal will stimulate fresh ideas about the best ways to protect privacy and improve research as the nation addresses these two interrelated values over the next several years.

An example of one of the recent developments affecting research is the Department of Veterans Affairs’ (VA’s) August 2007 directive. Outlining new conditions under which it would release data from VA hospitals to state central cancer registries, the directive requires states to sign a data use agreement with the VA and to agree to implement privacy and security protections above and beyond the protections required in the HIPAA Privacy and Security Rules. Among other requirements, state registries must agree not to release VA cancer data to persons outside the registry or to reuse the data for any purpose other than for maintaining cancer statistics (Kolata, 2007b).

Each state has a law establishing cancer surveillance programs that collect information on every patient who is diagnosed with cancer in that state. Also, the National Cancer Institute (NCI) collects cancer statistics from 17 U.S. regions in order to track national cancer rates. Prior to the VA directive, the state cancer surveillance programs and the NCI included information gathered from VA hospitals. However, as of October 10, 2007, only a small percentage of the states had signed the VA directive, and most cancer surveillance programs were missing data on veterans (Kolata, 2007a).

In addition, the VA directive stipulates that researchers who want to use cancer statistics from VA hospitals must either obtain permission from the VA Under Secretary of Health or collaborate with a VA researcher on the project. Health researchers are finding it hard to conduct cancer research under these conditions, which makes it difficult to find VA researchers willing to collaborate on specific projects. The directive also complicates the IRB approval process, often requiring researchers to obtain approval from their local IRB, the cancer registry IRB, and the VA Under Secretary (Kolata, 2007b). In addition, cancer researchers who either cannot meet the VA requirements or choose not to go through the additional procedural requirements, and do not include VA data in their study, risk having their results compromised by selection bias (see Chapter 5, section on Selection Bias).

Several recently proposed bills that address the use of electronic medical records also contain language regarding health privacy and health research (Table 6-2).

TABLE 6-2. Health Information Technology (HIT) Bills from the 110th Congress.

In 2004, President Bush issued an executive order calling for the widespread adoption of an interoperable electronic health record system within 10 years, arguing that health information technology (HIT) is a means of addressing rising health care costs and improving the quality and efficiency of health care (Bush, 2004). In response, HHS has awarded a number of HIT grants to gather information on privacy and security issues in HIT, solicited recommendations from NCVHS, and created the American Health Information Community to provide policy advice (AHIC, 2006; GAO, 2007; NCVHS, 2006).

But privacy concerns are emerging as a primary obstacle to implementing a nationwide HIT system, with many privacy and consumer groups pushing for tighter privacy protections than offered under the Privacy Rule. In a 2006 poll, 62 percent of respondents stated that the use of electronic health records would pose new risks to privacy, and 42 percent answered that the privacy risks of HIT outweigh expected benefits (Harris Interactive, 2007). Another poll found that 80 percent of Americans say they are very concerned about identity theft or fraud in an HIT system (Markle Foundation, 2006). The Government Accountability Office recently released a report that legitimized these concerns and criticized HHS for failing to define an overall approach for protecting privacy in a nationwide HIT system (GAO, 2007).

To address the privacy concerns, Congress has proposed a number of bills intended to advance the implementation of an HIT system and at the same time protect individual privacy (see footnote 11 and Table 6-2). Several of these bills include new restrictions and rules governing researchers’ access to personally identifiable health information. It is unclear whether any of these bills will pass or what requirements a final law might include. However, because a nationwide HIT system has the potential to facilitate health research by making large amounts of health data available to study, and thus could lead to major advances in medicine, caution is warranted. Adoption of new, restrictive regulations might impede health research, to the detriment of patients and society. Therefore, a closer examination of some concepts that have been incorporated into these proposed bills, including autonomy and informed consent, is warranted. At the same time, it is clear there is a need to develop privacy safeguards that anticipate the risk of extensive electronic recordkeeping, as well as the growing problems of identity theft and security breaches.

CONCLUSIONS AND RECOMMENDATIONS

The primary justification for including research provisions in the HIPAA Privacy Rule was to remedy perceived shortcomings of federal privacy protections in health research under the Common Rule. But the Privacy Rule has numerous limitations of its own. In proposing the Privacy Rule, HHS acknowledged that, ideally, it would have preferred to regulate health researchers directly by extending the protections of the Common Rule to research that is not federally supported and by imposing additional criteria for the waiver of patient informed consent for the use of personally identifiable health information in research (see footnote 12). But HHS recognized it did not have the authority to do this. For that reason, HHS attempted to protect the health information released to researchers indirectly (but within the scope of its limited authority) by imposing restrictions on information disclosures by covered entities. NCVHS and others have noted the limitations of the Privacy Rule and have called for stronger protections of health privacy—notably, by expanding the purview of the Privacy Rule beyond the current covered entities.

However, the IOM committee believes an even bolder change is needed. The number of studies using medical records to address important questions about health and disease will likely increase with the growing availability of electronic health records. As the volume and importance of digital personally identifiable health data increase exponentially, the public can be expected to heighten demands for a legal framework that provides meaningful safeguards to protect health information in the health research setting. Thus, the IOM committee recommends that Congress authorize HHS and other relevant federal agencies to develop a new framework for ensuring privacy that would apply uniformly to all health research and that will both protect individuals’ privacy and facilitate responsible and beneficial health research.

When this new approach is implemented, HHS should exempt health research from the HIPAA Privacy Rule. The new approach would enhance privacy protections through improved data privacy and security, increased transparency of activities and policies, and greater accountability. The new approach should do all the following:

  • Apply to any person, institution, or organization conducting health research in the United States, regardless of the source of data or funding.
  • Entail clear, goal-oriented, rather than prescriptive, regulations.
  • Require researchers, institutions, and organizations that store health data to establish strong data security safeguards.
  • Make a clear distinction between the privacy considerations that apply to interventional research and research that is exclusively information based.
  • Facilitate greater use of data with direct identifiers removed in health research, and implement legal sanctions to prohibit unauthorized reidentification of information that has had direct identifiers removed.
  • Require ethical oversight of research when personally identifiable health information is used without informed consent. HHS should develop best practices for oversight that should consider:
    • Measures taken to protect the privacy, security, and confidentiality of the data;
    • Potential harms that could result from disclosure of the data; and
    • Potential public benefits of the research.
  • Certify institutions that have policies and practices in place to protect data privacy and security in order to facilitate important large-scale information-based research for clearly defined and approved purposes, without individual consent.
  • Include federal oversight and enforcement to ensure regulatory compliance.

A new approach to protecting the privacy of personally identifiable information used in health research that emphasizes privacy, security, accountability, and transparency and that is applicable to all health research in the United States would eliminate the research community’s confusion, reduce institutional variability in research privacy practices, facilitate responsible research, and enhance the public’s trust in the research enterprise. Clear and simple regulations that are less subject to varying interpretation by ethical oversight boards, as well as federal oversight and enforcement of regulatory compliance, will be important to consistently and efficiently ensure privacy and instill trust while enabling important research.

The new framework developed by HHS and other relevant federal agencies should provide strong and effective protection for often-sensitive personally identifiable health information and facilitate scientific discovery and medical innovation necessary to save lives and enhance the quality of the public’s health. And it should do so in a way that does not burden individuals with a flurry of health privacy notices and consent forms, or burden our health care system with a new level of bureaucracy and expense.

REFERENCES

  1. AHIC (American Health Information Community). Letter to Michael Leavitt. 2006. [accessed September 3, 2008]. http://www.ncvhs.hhs.gov/061030lt.pdf
  2. AHIC. Confidentiality, privacy, and security workgroup, summary of the 14th web conference. 2007. [accessed August 27, 2008]. http://137.187.25.8/healthit/ahic/materials/summary/cpssum_100407.html
  3. AHIC. Confidentiality, privacy & security workgroup draft recommendation letter from September 23, 2008. 2008. [accessed September 19, 2008]. http://www.hhs.gov/healthit/ahic/materials/08_08/cps/rec_letter.html
  4. AHIMA (American Health Information Management Association). The state of HIPAA privacy and security compliance. 2006. [accessed April 20, 2008]. http://www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf
  5. Allen A. Allen’s privacy law and society. Eagan, MN: Thomson-West; 2007.
  6. AMS (Academy of Medical Sciences). Personal data for public good: Using health information in medical research. 2006. [accessed August 28, 2008]. http://www.acmedsci.ac.uk/images/project/Personal.pdf
  7. AMS. Submission to data sharing review. 2008. [accessed September 4, 2008]. http://www.acmedsci.ac.uk/download.php?file=/images/publication/120341733123.pdf
  8. Buchanan A. An ethical framework for biological samples policy (National Bioethics Advisory Committee commissioned paper). In: Research involving human biological materials: Ethical issues and policy guidance, Vol. II. Washington, DC: National Bioethics Advisory Commission; 1999. pp. B1–B31.
  9. Bush GW. Executive Order 13335. 69 Fed. Reg. 24059. 2004.
  10. Casarett D, Karlawish J, Andrews E, Caplan A. Bioethical issues in pharmacoepidemiological research. In: Strom BL, editor. Pharmacoepidemiology. West Sussex, England: John Wiley & Sons, Ltd.; 2005. pp. 417–432.
  11. Cate F. The autonomy trap. 2008.
  12. CDT (Center for Democracy & Technology). Beyond consumer consent: Why we need a comprehensive approach to privacy in a networked world. 2008a. [accessed September 4, 2008]. http://www.cdt.org/healthprivacy/20080221consentbrief.pdf
  13. CDT. Comprehensive privacy and security: Critical for health information technology. 2008b. [accessed September 4, 2008]. http://www.cdt.org/healthprivacy/20080514HPframe.pdf
  14. Chadwick R, Berg K. Solidarity and equity: New ethical frameworks for genetic databases. Nature. 2001;2:318–321. [PubMed: 11283704]
  15. CIHR (Canadian Institutes of Health Research). CIHR best practices for protecting privacy in health research. Ottawa, Ontario: Public Works and Government Services Canada; 2005.
  16. Foster AL. Increase in stolen laptops endangers data security. The Chronicle of Higher Education. 2008 July 4.
  17. GAO (Government Accountability Office). Health information technology: Early efforts initiated but comprehensive privacy approach needed for national strategy. Washington, DC: GAO; 2007.
  18. Good N, Dhamija R, Grossklags J, Thaw D, Aronowitz S, Mulligan D, Konstan J. Stopping spyware at the gate: A user study of privacy, notice and spyware. 2005. [accessed September 4, 2008]. http://cups.cs.cmu.edu/soups/2005/2005proceedings/p43-good.pdf
  19. Gostin LO. Health information: Reconciling personal privacy with the public good of human health. Health Care Analysis. 2001;9:321. [PubMed: 11794835]
  20. Harris Interactive. The benefits of electronic medical records sound good, but privacy could become a difficult issue. 2007. [accessed April 3, 2007]. http://www.harrisinteractive.com/news/printerfriend/index.asp?NewsID=1174
  21. HEW (Department of Health, Education and Welfare). The Belmont Report: Ethical principles and guidelines for the protection of human subjects of research. 1979. [accessed August 21, 2008]. http://ohsr.od.nih.gov/guidelines/belmont.html
  22. HHS. Compliance and enforcement: Privacy Rule enforcement highlights. 2008a. [accessed July 23, 2008]. http://www.hhs.gov/ocr/privacy/enforcement/
  23. HHS. Resolution agreement. 2008b. [accessed October 3, 2008]. http://www.hhs.gov/ocr/privacy/enforcement/agreement.pdf
  24. IOM (Institute of Medicine). Health data in the information age: Use, disclosure, and privacy. Washington, DC: National Academy Press; 1994.
  25. IOM. Effect of the HIPAA Privacy Rule on health research: Proceedings of a workshop presented to the National Cancer Policy Forum. Washington, DC: The National Academies Press; 2006.
  26. ITRC (Identity Theft Resource Center). Security breaches. 2008. [accessed July 22, 2008]. http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List_printer.shtml
  27. Jonas H. Philosophical reflections on experimenting with human subjects. In: Mappes TA, Zembaty JS, editors. Biomedical ethics. New York: Oxford University Press; 1991. pp. 215–219.
  28. Knoppers BM, Chadwick R. Human genetic research: Emerging trends in ethics. Nature Reviews Genetics. 2005;6:75–79. [PubMed: 15630423]
  29. Kolata G. How data on cancer are collected and used. The New York Times. 2007a October 10.
  30. Kolata G. States and V.A. at odds on cancer data. The New York Times. 2007b October 10.
  31. Liu ET. The importance of research using personal information for scientific discovery and the reduction of disease, in personal information for biomedical research. 2007. [accessed September 4, 2008]. http://www.bioethics-singapore.org/uploadfile/20013%20PMPI%20Annex%20A-3.pdf
  32. Lo B. Resolving ethical dilemmas: A guide for clinicians. 4th ed. Philadelphia, PA: Lippincott Williams & Wilkins; 2009. In press.
  33. Markle Foundation. Survey finds Americans want electronic personal health information to improve own health care. 2006. [accessed September 4, 2008]. http://www.markle.org/downloadable_assets/research_doc_120706.pdf
  34. NCVHS (National Committee on Vital and Health Statistics). Functional requirements needed for the initial definition of a nationwide health information network. 2006. [accessed September 4, 2008]. http://www.ncvhs.hhs.gov/061030lt.pdf
  35. NCVHS. Enhanced protections for uses of health data: A stewardship framework for “secondary uses” of electronically collected and transmitted health data. 2007. [accessed December 19, 2007]. http://ncvhs.hhs.gov/071221lt.pdf
  36. Nosowsky R, Giordano T. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule: Implications for clinical research. Annual Review of Medicine. 2006;57:575–590. [PubMed: 16409167]
  37. Pritts J. The importance and value of protecting the privacy of health information: Roles of HIPAA Privacy Rule and the Common Rule in health research. 2008. [accessed March 15, 2008]. http://www.iom.edu/CMS/3740/43729/53160.aspx
  38. Rahman N. Medical: Reflections on privacy: Recent developments in HIPAA Privacy Rule. I/S: A Journal of Law and Policy for the Information Society. 2006;2(3):685.
  39. Rotenberg M. Fair information practices and the architecture of privacy: (what Larry doesn’t get). Stanford Technology Law Review 1. 2001. [accessed November 6, 2008]. http://stlr.stanford.edu/STLR/Articles/01_STLR_1

Footnotes

1. The term “personally identifiable health information” is used when discussing individual’s health data in a context independent of the HIPAA Privacy Rule or any other body of law.

2. In the Privacy Rule, the informed consent concept is referred to as “authorization.”

3. Stated by Justice Benjamin Cardozo in Schloendorff v. Society of New York Hospital, 105 N.E. 92 (N.Y. 1914).

4. See 45 C.F.R. § 164.528 (2006).

5. Personal Health Information Protection Act, Statutes of Ontario 2004, Ch. 3, Schedule A; Ontario Regulation 329/04.

6. PHIPA defines personal health information as “identifying information about an individual in oral or recorded form” (PHIPA, Section 4).

7. The remainder of this chapter uses the term “informed consent” to refer to the requirement of obtaining permission to use personally identifiable data.

8. PHIPA, Section 47(1) (2007).

9. Personal communication, Ann Cavoukian, Ontario’s Office of the Information and Privacy Commissioner, October 20, 2008.

10. The Cardiac Care Network of Ontario (Registry of Cardiac Services), INSCYTE (Information System for Cytology), The Canadian Stroke Network (Canadian Stroke Registry), Cancer Care Ontario (Colorectal Cancer Screening Registry), and Hamilton Health Sciences Corporation (Critical Care Information System).

11. A number of bills from the 110th Congress also address the implementation of HIT, but do not include comprehensive privacy or research provisions, including HR 1368, S 1408, and S 1455.

12. U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (1997), and Standards for Privacy of Individually Identifiable Health Information: Proposed Rule, 64 Fed. Reg. 59918, 59967 (1999) (for a discussion on the benefits of health records research).

Copyright © 2009, National Academy of Sciences.
Bookshelf ID: NBK9585