All rights reserved. The Agency for Healthcare Research and Quality (AHRQ) permits members of the public to reproduce, redistribute, publicly display, and incorporate this work into other materials provided that it must be reproduced without any changes to the work or portions thereof, except as permitted as fair use under the U.S. Copyright Act. This work contains certain tables and figures noted herein that are subject to copyright by third parties. These tables and figures may not be reproduced, redistributed, or incorporated into other materials independent of this work without permission of the third-party copyright owner(s). This work may not be reproduced, reprinted, or redistributed for a fee, nor may the work be sold for profit or incorporated into a profit-making venture without the express written consent of AHRQ. This work is subject to the restrictions of Section 1140 of the Social Security Act, 42 U.S.C. § 1320b-10. When parts of this work are used or quoted, the following citation should be used:
Gliklich RE, Leavy MB, Dreyer NA, editors. Registries for Evaluating Patient Outcomes: A User’s Guide [Internet]. 4th edition. Rockville (MD): Agency for Healthcare Research and Quality (US); 2020 Sep.
1. Introduction
This chapter covers the ethical and legal considerations that are relevant to the development and use of all health information registries, including patient registries as defined in this document, for the purposes of public health activities, governmental health program oversight, quality assurance/improvement (A/I), and research. These considerations include generally accepted ethical principles for the collection and use of health information in connection with research as applied to the establishment and use of registries. Where relevant, this chapter also discusses notable emerging and evolving ethical and legal considerations. Related topics include issues of transparency in the operation of registries, oversight of registry activities, and property rights in healthcare information and registries.
Section 2.1. of this chapter discusses the ethical concerns and considerations involved with obtaining and using confidential health information in registries. Section 2.2. describes the transformation of ethical concerns into the legal regulation of human subjects research and the privacy of individually identifiable health information and other personally identifiable information. In Section 3, an overview is presented of these regulatory requirements and their interactions as they specifically relate to registries. Section 4 makes recommendations about registry transparency and oversight, based on the need to ensure the independence, integrity, and credibility of biomedical research, while preserving and improving the utility of registry data. Finally, property rights in health information and registries are briefly discussed.
Table 7-1 provides an overview of the applicable regulatory requirements based on the type of registry developer and the extent to which registry data are identifiable. The table summarizes key considerations relating to the applicability of and pathways under the Privacy Rule, Common Rule, and FDA GCP regulations. Note that the information in the table is a high-level summary of such considerations, and is not intended to address all of the requirements or considerations that may apply to the development or use of a registry, as such analysis is highly fact-specific. In addition, there may be other laws and individual institutional policies that apply. Each registry is unique. Therefore, this table is not intended to provide answers to specific questions that arise in the context of a given registry. This table is no substitute for consultation with institutional officials and others about the regulatory requirements that apply to a particular registry project.
As healthcare and, more broadly, consumer life become increasingly digitized, the extent and variety of information that can be leveraged for registries continue to expand. In the context of this chapter, health information is broadly construed to include any (i) information created or used by or on behalf of healthcare providers and insurance plans that relates to an individual’s health condition, the provision of healthcare services to an individual, or payment for healthcare services provided to an individual, as well as (ii) health, wellness, and other lifestyle-related information collected through devices, mobile applications, and other interfaces or initiatives that engage directly with individuals as consumers and are not provided or initiated on behalf of a healthcare provider.1 This definition is designed to reflect the growth of the “patient-as-consumer” construct. As a result, health information may include a broad range of information relating to the provision and payment of healthcare, such as medical history, prescription history, provider notes, test results and reports, genomic sequencing data, demographic information, and claims data, as well as self-reported data, metrics, and other information collected from wearables, mobile medical apps, and other platforms that may include information on mental health, lifestyle habits, medication adherence, socioeconomic status, the environment, and other factors that may affect health status or health risks. Certain types of genomic information2 and other health information include information about family members, so they also can have an impact on the privacy of third parties. Individuals widely regard health information as private and thus expect confidentiality to be maintained, although such expectations may vary depending on the nature of the information and the context (such as the involvement of commercial entities versus academic institutions).
Concerns about potential risks to individual privacy have led to federal legal requirements for prospective review of research projects and conditions on the use or disclosure of health information for research and other purposes. The creation and use of patient registries for a research purpose ordinarily constitute “research involving human subjects” as defined by regulations applicable to research activities funded by the U.S. Department of Health and Human Services3 (HHS) and certain other Federal agencies.4 Moreover, federal privacy regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)5 and modified by the Health Information Technology for Economic and Clinical Health Act (HITECH – part of the American Recovery and Reinvestment Act of 2009) specifically apply to the use and disclosure of certain individually identifiable health information, known as protected health information (PHI) under the HIPAA Rules, for research and other purposes. The Federal Food, Drug, and Cosmetic Act (FDCA) and implementing regulations of the U.S. Food and Drug Administration (FDA) also include requirements for the protection of human subjects in connection with clinical investigations, which may apply to certain activities involving the collection and use of health information in registries that fall under the FDA’s jurisdiction.
The term human subjects is used throughout this chapter for consistency with applicable Federal law. Some may prefer the term research participants.
This chapter provides a general guide to Federal legal requirements in the United States. (Legal requirements in other countries may also be relevant and may be different from those in this country, but a discussion of any applicable international rules is beyond the scope of this document.) These legal requirements may influence registry decisions involving the selection of data elements and data verification procedures, and may also affect subsequent uses of registry data for secondary research purposes. State laws also may apply to the use of health information for research purposes. The purpose of a registry, the status of its developer, and the nature and source of the registry data, including the extent to which such data are identifiable, largely determine applicable regulatory requirements. This chapter reviews the most common of these arrangements. The complexity and sophistication of registry structures and operations vary widely, with considerable variability also observed in the processes registry stewards use to obtain data. Nonetheless, common ethical and legal principles are associated with the creation and use of registries. These commonalities are the focus of this chapter.
Ethical concerns about the conduct of biomedical research, especially research involving the interaction of the clinical research community with its patients and commercial funding agencies, have produced an impetus to make financial and other arrangements more public. The discussion of transparency in this chapter includes recommendations for the public disclosure of registry operations as a means of maintaining public trust and confidence in the use of health information for registry purposes, particularly as questions and concerns about privacy intensify as a result of widely reported cybersecurity breaches and reports of alleged violations of privacy by well-known companies and other entities. Reliance on a standing advisory committee is recommended to registry developers as a way to provide expert technical guidance for registry operations and to firmly establish the independence of the registry from committed or conflicted interests, as described in Chapter 9. This discussion of transparency in methods is not intended to discourage private investments in registries that produce proprietary information in some circumstances. Neither the funding source nor the generation of proprietary information from a registry determines whether a registry exercises and adheres to the good practices described in this guide.
Healthcare providers and health insurance plans have plausible claims to the exclusive use of health and claims information, although the public perspective on these claims has not been tested. Registry developers should anticipate negotiating access to health and claims information, especially when it is maintained in electronic form. Registry developers also are likely to encounter licensing requirements, including processing and use fees, in obtaining health and claims information. The processes for use of registry datasets, especially in multiple analyses by different investigators, should be publicly disclosed to assure the public that registries are appropriately protecting the confidentiality of health information.
2. Ethical Concerns Relating to Health Information Registries
2.1. Application of Ethical Principles
The Belmont Report6 is a summary of the basic principles and guidelines developed to assist in resolving ethical problems in conducting research using human subjects. It was the work product of the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, which was created by the National Research Act of 1974.7
The Belmont Report identifies three fundamental principles for the ethical conduct of scientific research that involves human subjects. These principles are respect for persons as autonomous agents (self-determination), beneficence (do good, do no harm, protect from harm), and justice (fairness, equitable distribution of benefits and burdens, equal treatment). Together, they provide a foundation for the ethical analysis of human subjects research, including the use of health information in registries developed for scientific purposes with a prospect of producing social benefits. These principles are substantively the same as those identified by the Council for International Organizations of Medical Sciences in its international guidelines for the ethical review of epidemiologic studies.8
Nevertheless, the application of these principles to specific research activities can result in different conclusions about what comprises ethical design and conduct of the research in question. These different conclusions frequently occur because the principles are assigned different values and relative importance when more than one person performs the ethical analysis. In most of these situations, however, a generally supported consensus position on the ethical design and conduct of the research is a desired and achievable goal. This goal does not preclude re-analysis as social norms or concerns about research activities change over time in response to new information, new technologies or persistent ethical questioning.
The ethical principle of respect for persons supports the practice of obtaining individuals’ consent to the use of their health information for research purposes related or unrelated to the clinical and insurance reasons for creating the information. In connection with research registries, consent may have multiple components: (1) consent to registry creation by the compilation of patient information; (2) consent to the initial research purpose and uses of registry data; and (3) consent to subsequent use of registry data by the registry developer or others for the same or different research purposes. The consent process should adequately describe registry purposes and operations to inform potential subjects’ decisions about participation in a research registry. In some defined circumstances, the principle of respect for persons may be subordinate to other ethical principles and values, with the result that an explicit consent process for participation in the registry may not be necessary. A waiver of informed consent requirements may apply to the registry and be ethically acceptable. (See discussion of waivers of informed consent and authorization requirements below.) In these situations, alternatives to an explicit consent process for each individual contributing health information to the registry may be adequate. For example, the registry might provide readily accessible, publicly available information about its activities as an alternative to individual informed consent, or use an opt-out approach for collecting health information through the registry.
A general ethical requirement for consent clearly implies that human subjects voluntarily permit the use of their health information in a registry, unless a specific exception to voluntary participation applies to the registry. One such exception is a legally mandated, public health justification for the compilation of health information (e.g., certain infectious disease reporting). Voluntary agreement to the use of health information in a registry necessarily allows a subsequent decision to discontinue participation. Any limitation on an individual’s ability to withdraw information from the registry (e.g., once incorporation into aggregated data has occurred) should be clearly communicated in the consent process as a condition of initial participation. The consent process should also include instructions about the procedures for withdrawal at any time from participation in the registry unless a waiver of consent applies to the registry. Incentives for registry use of health information (e.g., insurance coverage of payments for healthcare services) should be carefully evaluated for undue influence both on the individuals whose health information is sought for registry projects and on the healthcare providers of those services.9,10
Conflicts of interest also may result in undue influence on patients and may compromise voluntary participation. One potential source of conflict widely identified within clinical research is the use of recruitment incentives paid by funding agencies to healthcare providers.11 Some professional societies and research organizations have established policy on the use of recruitment incentives. Many entities have characterized as unethical incentives that are significantly beyond fair market value for the work performed by the healthcare provider; others require disclosure to research subjects of any conflicting interest, financial or nonfinancial.12 Federal law now requires manufacturers of certain drugs, devices, or medical supplies to report, for public display, the amounts of remuneration paid to physicians for research purposes.13 Some States, including Massachusetts, have similar laws in effect.14 Research organizations, particularly grantees of Federal research funding, may have systematic policies and procedures in place that registry developers can rely on for managing employee conflicts of interest. Nonetheless, in their planning, registry developers should specify and implement recruitment practices that protect patients against inappropriate influences.
Applying the principle of respect for persons to the research use of health information generates additional ethical concerns about preserving the privacy and dignity of patients, protecting the confidentiality of health information, and minimizing potential harms. These concerns have intensified as healthcare services and third-party payment systems have become more complex and as technology continues to transform healthcare and contribute to the proliferation of data and the ease with which such data can be collected and shared. Legal standards for the use and disclosure of health information create a baseline of required privacy protections for individually identifiable health information. However, depending on the particular health condition, population of interest, or nature of the health information, safeguards for the confidentiality of registry data beyond applicable legal requirements may be ethically necessary or appropriate to protect the privacy and dignity of those individuals contributing health information to the registry. For example, certain institutions may determine that it would be prudent to use an informed consent model to collect genetic sequencing data that, while considered de-identified under current standards under HIPAA and the Common Rule, are obtained from members of a community that tends to be more disenfranchised or that experienced historical ethical transgressions in connection with human subjects research.
The principle of beneficence ethically obligates developers of health information registries for research purposes to minimize potential harms to the individuals or groups15 whose health information is included in the registry. There are usually no apparent benefits to offset potential harm to the individuals or groups whose health information is used in the registry. Exceptions to this arise when a registry is designed to provide benefits to the human subjects as individuals, such as longitudinal reports on treatment effects or health status or quality-of-care reports. Risks to privacy and dignity are minimized by conscientious protection of the confidentiality of the health information included in the registry16 through the use of appropriate physical, technical, and administrative safeguards for data in the operations of the registry. These safeguards should include controls on access to registry data, including access to individual identifiers that may be included in registry data. Minimization of risks also requires a precise determination of what information is necessary for the research purposes of the registry and limiting the information collected accordingly. Further, in considering the principle of beneficence, developers of health information registries should assess whether a proposed registry promotes the efficient use of resources, including whether individuals will be asked to contribute data that is duplicative of existing data sources.
Certain populations of patients may be vulnerable to social, economic, or psychological harms as a result of a stigmatizing health condition. This concern will likely become more pronounced as genetic testing and sequencing continue to play a bigger role in medicine and society, including in the direct-to-consumer context, and contribute to the proliferation of genomic data that can be used for registries. There has been much debate surrounding the notion of genetic exceptionalism (i.e., the proposition that genetic or genomic information should be treated and protected differently from other types of health information), and different institutions, IRBs, patient populations, and others will differ as to their position on the issue.17 Developers of registries compiling this health information must consider these challenging issues and determine whether additional efforts to protect the identities of the human subjects contributing data to the registry or other ethical safeguards are necessary or appropriate given the particular patient population and related contextual considerations. Additional protections also apply to populations such as pregnant women, human fetuses, neonates, prisoners, and children, who are considered vulnerable to undue influence and coercion during the consent process. In particular, data obtained from pediatric and adolescent populations may lead to ethical concerns if there is the potential for lifelong discrimination that may effectively exclude them from educational opportunities and other social benefits18 (e.g., health insurance, although under the Affordable Care Act health insurers may not discriminate against individuals on the basis of pre-existing conditions).
In an analysis applying the principle of beneficence, research involving human subjects that is unlikely to produce valid scientific information is unethical. This conclusion is based on the lack of social benefit to offset even minimal risks imposed by the research on participating individuals. Health information registries should incorporate an appropriate design (including, where appropriate, calculation of the patient sample as described in Chapter 3) and data elements, written operating procedures, and documented methodologies, as necessary, to ensure the fulfillment of a valid scientific purpose.19
An ethical analysis employing the principle of justice also yields candid recognition of the potential risks to those who contribute health information to a registry, and the probable lack of benefit to those individuals (except in the cases where registries are specifically constructed to provide benefit to those individuals). The imbalance of burden and benefit to individuals reinforces the need to minimize the risks from registry use of health information. Precise and well-developed scientific reasons for inclusion (or exclusion) of defined health information in a registry help ensure that the burden placed on individuals as a result of their participation is fair and equitable.
The above analysis refers to research activities. However, the ethical concerns expressed may also apply to other activities involving the use or disclosure of individuals’ health information for nonresearch purposes. Public health, oversight of the delivery of healthcare services through government programs, and quality A/I activities all can evoke the same set of ethical concerns as research activities about the protection of patient self-determination, privacy, and dignity; the maintenance of the confidentiality of individually identifiable health information to avoid potential harms; and the imposition of a risk of harm on some individuals to the benefit of others not at risk. In the past, different assignments of social value to these activities and different potential for the social benefits and harms they produce have created different levels of social acceptance and formal oversight for these activities compared with research activities. Nonetheless, these activities may include a research component in addition to their primary stated objectives, a circumstance that implicates the ethical concerns discussed above and produces additional concerns about compliance with the legal requirements for research activities. In addition, in an era of “big data,” registries may be leveraged for multiple purposes and intersecting activities that may make it challenging to properly categorize the nature of the registry and any distinct use, as well as the legal and ethical standards that should apply. Registry developers should prospectively apply careful scrutiny to the proposed purposes for and activities of a registry, in consultation with appropriate institutional officials, to avoid both ethical and compliance issues that may undermine achievement of the registry’s objectives.
Registry developers also must consider confidentiality and/or proprietary concerns with regard to the identity of the healthcare providers, at the level of both individual professionals and institutions, and the healthcare insurance plans from which they obtain registry data. Information about healthcare providers and insurance plans can also identify certain patient populations and, in rare circumstances, individual patients. Moreover, the objectives of any registry, broadly speaking, are to enhance the value of the healthcare services received, not to undermine the credibility and thus the effectiveness of healthcare providers and insurance plans in their communities. Developers of registries created for public health investigations, health system oversight activities, and quality A/I initiatives to monitor compliance with recognized clinical standards must consider whether safeguards for the identity of service professionals and institutions are appropriate. At the same time, however, any confidentiality safeguards should permit certain disclosures, as permitted by applicable law and designated by the service professionals and institutions, for the reporting of performance data, which are increasingly associated with payment from payers.
2.2. Transformation of Ethical Concerns Into Legal Requirements
Important ethical concerns about the creation, maintenance, and use of patient registries for research purposes include risks of harm to human subjects resulting from unauthorized access to registry data and inappropriate use of the compiled health information. These concerns about harms arise from public expectations of confidentiality for health information and the importance of that confidentiality in preserving the privacy and dignity of individual patients as well as the clinician/patient relationship.
Over the last decade, two rapid technological developments have intensified these ethical concerns. One of these advances was DNA sequencing, replication, recombination, and the concomitant application of this technology to facilitate the delivery of and research into precision medicine. Despite the potential that genomics holds in the quest to find cures and more effective treatments, its proliferation has also raised new ethical questions and prompted debate about whether it creates unique considerations and risks from an individual and group privacy standpoint.
Another contributing factor is the rapid digitization of healthcare and daily consumer life, as exemplified by the advance of health information systems technology, electronic information processing, and development of connected devices and platforms that enable the rapid and extensive collection, generation, and sharing of electronic information that can be leveraged for research and other purposes. In some circumstances, such information is being gathered by entities that are not regulated under the traditional Federal healthcare privacy framework because they operate under a direct-to-consumer paradigm and not on behalf of a HIPAA covered entity.20 The emergence of these stakeholders, and the growing ease with which information can be harnessed in the digital age, raise new questions surrounding the protections that should be incorporated into health information registries. The discussion below about legal protections for the privacy of health information focuses solely on U.S. law.
2.2.1. The Common Rule
International and domestic concerns about the protection, respect, and privacy of human subjects resulted in a uniform set of regulations from the Federal agencies that fund such research known as the “Common Rule.”21,22 The legal requirements of the Common Rule apply to research involving human subjects conducted or supported by the 20 Federal departments and agencies, including HHS, that intend to follow the revised Common Rule (Common Rule Agencies). Some of these agencies may require additional legal protections for human subjects. In addition, under the revised Common Rule, institutions that receive funding from a Common Rule Agency may also voluntarily elect through their Federalwide Assurance (as discussed further below) to apply the Common Rule to all human subjects research, irrespective of funding source, conducted by their employees or agents.23
Significant amendments were made to the Common Rule in 2017. As of January 21, 2019, institutions are expected to be compliant with the revised Common Rule.
Each institution engaged in human subjects research conducted or supported by a Common Rule Agency must enter into a formal written agreement to comply with the Common Rule. For human subjects research conducted or supported by most of the Common Rule Agencies, the required agreement is called a Federalwide Assurance (FWA).24 The Office for Human Research Protections (OHRP) administers the Common Rule as it applies to human subjects research conducted or supported by HHS. The application of Common Rule requirements to a particular registry depends on the institutional context of the registry developer, relevant institutional policies, and whether the health information contributed to the registry maintains patient identifiers. Of particular note is that while the pre-2018 Common Rule allowed institutions to voluntarily subject all of their human subjects research, irrespective of the source of funding or support, to oversight by OHRP for compliance with the Common Rule, the revised Common Rule eliminated this option. Therefore, institutions that seek to conduct non-federally funded or supported human subjects research in accordance with the Common Rule will need to rely on internal oversight and compliance mechanisms to facilitate adherence to Common Rule standards.
Guidance documents published by OHRP, such as the 2008 guidance entitled “Coded Private Information or Specimens Use in Research” and the guidance entitled “Issues to Consider in the Research Use of Stored Data or Tissues” (last updated in 1997), discuss the research use of identifiable private health information.25 The latter guidance makes clear that OHRP considers the creation of health information registries—containing individually identifiable, private information—for research purposes to be human subjects research for the institutions subject to its jurisdiction.26 The applicability of the Common Rule to research registries is discussed in more detail in Section 3.
OHRP regulations for human subject protection require prospective review and approval of human subjects research by an institutional review board (IRB) and the informed consent (usually written) of each of the human subjects involved in the research, unless an IRB expressly grants a waiver of informed consent requirements.27 A research project must satisfy certain regulatory conditions to obtain IRB approval of a waiver of the informed consent requirements. (See below for discussion of waivers of informed consent requirements.) A registry plan is the research “protocol” reviewed by the IRB. At a minimum, the protocol should identify (1) the research purpose of a health information registry, (2) detailed arrangements for obtaining informed consent, or detailed justifications for not obtaining informed consent, to collect health information, and (3) appropriate safeguards for protecting the confidentiality of registry data, in addition to any other information required by the IRB on the risks and benefits of the research.28
As noted previously, for human subjects research conducted or supported by most Common Rule Agencies, an FWA satisfies the requirement for an approved assurance of compliance. In addition, irrespective of requirements applicable by operation of the revised Common Rule, some research organizations have explicit institutional policies and procedures that require IRB review and approval of all human subjects research.
2.2.2. The Privacy Rule
In the United States, HIPAA and its implementing regulations (namely, the Privacy, Security, and Breach Notification Rules, which are collectively referred to here as the HIPAA Rules) created legal protections for the privacy of individually identifiable health information created and maintained by “covered entities” and their “business associates.” “Individually identifiable health information” is information, including demographic data, created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse, that identifies an individual or could reasonably be used to identify an individual, and relates to (1) an individual’s past, present, or future physical or mental health or condition; (2) the provision of healthcare to an individual; or (3) the past, present, or future payment for healthcare to an individual. With certain exceptions, “individually identifiable health information” is “protected health information” (PHI) under the HIPAA Rules when it is transmitted or maintained by a covered entity or a business associate on behalf of a covered entity.29 Because registries may exist over long periods of time, it is important to note that the individually identifiable information of persons who have been deceased for more than 50 years is not considered PHI.
Covered entities are healthcare providers that engage in certain standard financial or administrative healthcare transactions electronically, health plans, and healthcare clearinghouses.30 Business associates generally are persons or organizations, other than a member of a covered entity’s workforce, that perform certain functions or services (e.g., claims processing, data analysis, data aggregation, patient safety activities) on the covered entity’s behalf that involve access to PHI.31 Covered entities and business associates are subject to civil—and in some cases criminal—liability for violations of the HIPAA Rules. This chapter will focus on covered entity healthcare providers and healthcare plans, as well as their respective business associates.
Generally, the Privacy Rule defines the circumstances under which covered entities and their business associates may use and disclose PHI for a variety of purposes, including research.32 The Privacy Rule establishes a Federal baseline of protections, and it does not preempt State laws that provide even greater, more stringent privacy protections for PHI.33 For example, the Privacy Rule requires covered entities to include certain information in patient authorizations for the use or disclosure of PHI, including an expiration date or event that can be many years in the future. The laws of the State of Maryland, however, specifically require that, absent certain exceptions, a patient’s authorization may only be valid for a maximum period of 1 year.34 In this case, a covered entity located in Maryland can and should satisfy both the Privacy Rule and State law requirements by complying with the State’s one-year maximum expiration deadline on its patient authorization forms.
The HIPAA Rules may apply to either or both the registry developer (as a covered entity or a business associate developing the registry in a business associate capacity) and the registry’s data sources. A registry’s initial collection of health information from a covered entity or business associate requires a disclosure pathway under the Privacy Rule. Thus, registry developers that are not themselves subject to the HIPAA Rules should nonetheless be knowledgeable about the HIPAA Rules to facilitate the necessary processes for any of their data sources that are covered entities or business associates. In developing a registry, they should expect to interact with clinicians, the privacy officer, the IRB or privacy board staff, health information system representatives, legal counsel, compliance officials, and contracting personnel. Registry developers should also maintain awareness of regulatory modifications or amendments to, or new guidance on how to comply with, the HIPAA Rules, which can be expected as the use of electronic PHI becomes more prevalent. For example, on January 25, 2013, HHS issued significant modifications to the HIPAA Rules, many of which implemented HITECH Act requirements.35 One of the most relevant modifications for registry developers, as mentioned above and discussed more fully below, is the extension of certain requirements of the HIPAA Rules and liability for noncompliance directly to business associates.36
The HIPAA Rules would also apply where the registry developer is a covered entity or business associate (creating the registry in its business associate capacity) and collects health information from other covered entities or business associates, or from data sources that are not subject to the HIPAA Rules. Examples of the latter may include developers of wearable devices and mobile applications that are provided directly to individuals, and not on behalf of a covered entity or health plan, to track their health and fitness. Although HIPAA does not apply to such data sources, a pathway under the Privacy Rule would still be necessary for the HIPAA-covered registry developer to use and disclose the data once in its possession, as the data would then constitute PHI in its possession. Note also that the data source itself may be subject to other laws, such as the Federal Trade Commission Act (FTC Act), which prohibits unfair or deceptive trade practices, and State laws that include requirements for the protection of personal information from a privacy or consumer protection standpoint. Registry developers should anticipate that such non-HIPAA-regulated data sources may become more prevalent with the proliferation of digital health solutions, and should consider the regulatory and legal requirements and other limitations (such as the privacy policies and terms of use applicable to the data collection platform) that may apply to the registry’s collection and use of data from such sources.
Under certain circumstances, registry developers and the associated institutions where the registry will reside may not be subject to the HIPAA Rules. Notably, the HIPAA Rules do not apply to registries that reside outside of a covered entity or business associate. Within academic medical centers, for example, registry developers may be associated with units that are outside of the institutional healthcare component to which the HIPAA Rules apply, such as a biostatistics or economics department. The FTC Act and similar State laws referenced above may apply to such registry developers if they are not a public agency or non-profit institution.37 To avoid running afoul of the FTC Act, such registry developers should be transparent, in the privacy notices provided to participants through any website or application used in the information collection process, about the intended uses and disclosures of the information. The registry developer should also limit uses and disclosures of information collected through the registry to those described in the privacy notice, and should maintain safeguards commensurate with the representations made in the privacy notice and with the sensitivity of the information collected by the registry.
Ultimately, however, many potential data sources for registries will be covered entities or business associates, such that registry developers are likely to find themselves deeply enmeshed in the HIPAA Rules. As noted above, a registry may have direct liability under HIPAA if the registry is considered a business associate of a data source that is a covered entity (see the discussion below of the HITECH Act, which extended direct liability for compliance with certain requirements of the HIPAA Rules to business associates of covered entities, where before business associates were required and liable to protect the information to which they had access only through their business associate agreements with covered entities). Under such circumstances, the registry developer must enter into a business associate agreement with the covered entity that meets the requirements under the Privacy Rule before the registry developer can use or disclose PHI in connection with the development or deployment of the registry. Therefore, registry developers should be cognizant of the patient privacy considerations confronting their likely data sources—as well as themselves, if they are performing functions or services on behalf of their data sources as business associates—and should consider implementing certain HIPAA protections whether or not they are required to do so. In addition, the HIPAA Rules require that covered entities enter into formal agreements, known as data use agreements, with any recipient of PHI that constitutes a limited dataset before the recipient may use the limited dataset for permitted purposes (i.e., research, healthcare operations, or public health activities). Recipients of limited datasets may be subject to legally enforceable obligations under contract law by virtue of the data use agreement in addition to any regulatory obligations that apply in the event the recipient is a covered entity or business associate.
A registry developer that is not a covered entity or business associate and that seeks to collect information directly from individuals may still encounter Privacy Rule requirements if patient information from a healthcare provider or insurance plan is needed for purposes of recruiting registry participants. For example, a patient authorization or waiver of authorization (discussed below) may be necessary for the disclosure of patient contact information by a healthcare provider or insurance plan (or their business associate) to a registry developer, even if the information actually collected by the registry will be provided by the patient himself or herself. Note that the strategy of requesting data directly from individuals can be useful for collecting data on mobile populations, such as elderly retirees who occupy different residences in winter and summer, and for collecting the health records of school children. A Federal privacy law38 protects the health records of children that are held by schools from disclosure without explicit parental consent; thus, parents can often obtain copies of these records more easily than investigators.
Following the registry’s collection of data, its subsequent use and sharing of registry data will be informed by the regulatory conditions that applied to the initial collection of the registry data, as well as by other ethical and legal considerations. The Privacy Rule created multiple pathways by which registries can compile and use patient information. For instance, a registry within a covered entity may obtain a HIPAA authorization from each patient contributing PHI to a registry for a particular research project, such as a study of the relationship between hypertension and Alzheimer’s disease. If the registry subsequently seeks to use the PHI for a different research purpose, it may do so if it obtains new authorizations or the use otherwise satisfies the Privacy Rule. For example, the registry may de-identify the PHI in accordance with the Privacy Rule’s de-identification standards, at which point the data would no longer be considered PHI. Alternatively, the registry can obtain authorizations for use and disclosure of individuals’ PHI for future research purposes at the same time that it obtains authorization to place the information in the registry, as long as the authorization adequately describes the purposes of the future research such that it would be reasonable for the individual to expect that his or her information could be used or disclosed in connection with the future research activity.39
The authors recommend that registry developers establish a detailed tracking system, based on the extent to which registry data remain identifiable for individual patients, for the collection, uses, and disclosures of registry data. The tracking system should produce comprehensive documentation of compliance with both Privacy Rule requirements, including requirements to obtain authorizations, and any legally binding contractual obligations to data sources.
With regard to registries developed for research purposes, the Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”40 Commentary by HHS on the Privacy Rule explicitly includes within this definition of research the development (building and maintenance) of a repository or database for future research purposes.41 The definition of research in the Privacy Rule partially restates the definition of research in the Common Rule for the protection of human subjects, adopted by HHS and certain other Federal agencies.42 Some implications of this partial restatement of the definition of research are discussed later in this chapter.
The National Institutes of Health (NIH) has published guidance, in collaboration with the Office for Civil Rights and other HHS offices and agencies, on the impact of the Privacy Rule on health services research and research databases and repositories. The NIH guidance identifies the options available to investigators under the Privacy Rule to gain access to PHI held by healthcare providers and insurance plans.43 For example, in addition to provisions for the use or disclosure of identifiable patient information for research, the Privacy Rule permits healthcare providers and insurance plans (and business associates on their behalf) to use or disclose patient information for certain defined public health activities.44 The Privacy Rule defines a public health authority as “an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency… that is responsible for public health matters as part of its official mandate.” The Centers for Disease Control and Prevention and HHS have jointly published specific guidance on the Privacy Rule requirements related to public health activities.45 Other Privacy Rule provisions permit uses or disclosures of PHI that are required by law, including State laws.46
The protections for patient information created by the Privacy Rule that are generally relevant to registries developed for research purposes include explicit individual patient authorization for the use or disclosure of PHI,47 legally binding data use agreements for the release of “limited datasets” between health information sources and users,48 the removal of specified identifiers or statistical certification to achieve de-identification of health information,49 an accounting of disclosures to be made available to patients at their request,50 and, in the event of a breach of unsecured PHI, notification of the individuals who may be affected by the breach, as well as of HHS and, in some cases, the media. In addition, if certain criteria required by the Privacy Rule are satisfied, an IRB or privacy board may grant a waiver of individual patient authorization for the use or disclosure of health information in research.51
2.2.3. FDA Regulations
Depending on the circumstances, FDA regulatory requirements may apply to the development or use of a health information registry. In particular, FDA requirements for the protection of human subjects (also referred to as “Good Clinical Practice” or “GCP” requirements) apply to activities that constitute a “clinical investigation,” which generally means any experiment that involves an FDA-regulated test article and one or more human subjects, and that either is subject to FDA requirements for prior submission, or the results of which are intended to be submitted later to, or held for inspection by, the FDA as part of an application for a research or marketing permit.52 Where a health information registry is developed or used to collect data for supporting a marketing permit for a new product, a labeling update for a currently marketed product, or other submission to the FDA relating to an FDA-regulated drug, device, or biologic, FDA human subject protection regulations may apply.
Similar to the Common Rule, FDA human subject protection regulations include requirements for obtaining IRB review of proposed clinical investigations and the informed consent (or an IRB waiver thereof53) of participating human subjects.54 Informed consent must be documented by a signed written consent form unless an IRB waives the documentation requirement.55 Also of relevance to the establishment and use of such health information registries are the FDA regulatory requirements for the use of electronic records and electronic signatures.56 Commonly referred to as “Part 11,” these requirements include standards for access controls, audit trails, and other safeguards to protect the integrity and validity of electronic records and electronic signatures that are used to satisfy FDA statutory or regulatory records requirements.57
Unlike the Common Rule and HIPAA, FDA human subject protection regulations do not explicitly exclude clinical investigations that are limited to the use of de-identified information.58 Rather, FDA regulations define “human subject” as any “individual who is or becomes a participant in research, either as a recipient of the test article or as a control. A subject may be either a healthy human or a participant.”59 This paradigm likely reflects the nature of much research involving FDA-regulated investigational products, which often involves interventions or interactions with living human subjects rather than research limited to the retrospective analysis of data. Until July 2017, the challenge posed by the lack of a carve-out for research using de-identified data had been compounded by the inability of IRBs to waive FDA’s informed consent requirements for certain minimal risk research (as is permitted under the Common Rule and HIPAA).60 As real world data sources proliferate and technological advances make it increasingly easy to capture, share, and learn from electronic information, however, stakeholders are recognizing the potential that such data holds for research and development, post-market surveillance, and other FDA-regulated activities.
In that regard, and driven in part by changes mandated under the 21st Century Cures Act,61 the FDA has taken steps to facilitate and provide more regulatory guidance regarding the secondary use of data. First, investigators may now seek IRB waiver of the informed consent requirement under FDA regulations according to criteria that are comparable to those under the Common Rule. The parameters for seeking IRB waiver of FDA informed consent requirements are discussed in more detail in Section 3.3.5. Additionally, developers of health information registries should note that the FDA has issued final guidance on the use of real world evidence to support FDA regulatory decision making for medical devices (RWE Guidance).62 The RWE Guidance includes the FDA’s recommendations for when a proposed collection of real world data that constitutes a clinical investigation would require an investigational device exemption (IDE). The FDA states that such a determination is fact- and context-specific, but that generally, if the collection of real world data involves using a device in the normal course of medical practice or routine clinical care under the authority of a healthcare practitioner, an IDE would likely not be required.63 In contrast, if the goal is to generate data on the safety and efficacy of a device and the process influences treatment decisions, an IDE may be required.64 The RWE Guidance also describes the characteristics of real world data that the FDA may assess to consider whether the data is suitable for regulatory decision making, including the relevance and reliability of the data.65
2.2.4. Applicability of Regulations to Research; Multiple-Purpose Registries
At many institutions, the IRB or the office that provides administrative support for the IRB interprets the regulations to determine which activities at that institution constitute human subjects research, and thus may itself determine what activities require IRB review. A registry developer is strongly encouraged to consult his or her organization’s IRB or a central IRB, as applicable, early in the registry planning process to avoid delays and lessen the need for multiple revisions of documentation submitted to the IRB. Distinctions between research and other activities that apply scientific methodologies are frequently unclear. Such other activities include both public health practice66 and quality-related investigations.67 Both the primary and secondary purposes of an activity are factors considered in the determination of whether registry activities constitute research. For purposes of the Common Rule, as interpreted by OHRP, an activity is considered research even if research is only a secondary purpose of the activity.68 This OHRP interpretation of research purpose differs from that of the Privacy Rule with respect to quality-related studies performed by healthcare providers and insurance plans. Under the Privacy Rule, only if the primary purpose of a quality-related activity is to obtain generalizable knowledge do the research provisions of the Privacy Rule apply; otherwise, the Privacy Rule defines the activity as a “healthcare operation.”69
Additionally, registry developers should be mindful of the distinctions between the scope of FDA GCP requirements, on the one hand, and the Common Rule and HIPAA, on the other hand. With the steps the FDA has taken to facilitate secondary use of data as described previously, the scope of potential FDA-regulated use cases for health information registries may expand. In that regard, while a research registry that is limited to collecting and using de-identified information would generally fall outside the scope of the Privacy Rule and the Common Rule,70 as noted above, FDA regulations do not explicitly exempt or exclude clinical investigations that use only de-identified data from FDA human subject protection requirements.71 Thus, compliance with FDA GCP requirements may be required for certain registry activities that are not subject to the Common Rule or HIPAA.
Registry developers should rely on their privacy officer’s and IRB’s experience and resources in defining research and other activities for their institutions and determining which activities require IRB review as research. In meeting accreditation standards, inpatient facilities typically maintain standing departmental (e.g., pediatrics) or service (e.g., pharmacy or nursing) committees to direct, review, and analyze quality-related activities. Some physician groups also establish and maintain quality-related programs, because good clinical practice includes ongoing evaluation of any substantive changes to the standard of care. These institutional quality committees can provide guidance on the activities that usually fall within their purview. Similarly, public health agencies typically maintain systematic review processes for identifying the activities that fit within their legal authority.
Standard confidentiality protections for registry data include requirements for physical, technical, and administrative safeguards to be incorporated into plans for a registry. In some instances, an IRB may not consider the legally required protections for the research use of patient information (including the Privacy Rule protections that may be applicable to registries created by or maintained within covered entities, such as healthcare providers and insurance plans, or business associates) sufficient to address relevant confidentiality concerns. Some IRBs and institutions, for example, may take the position that more stringent privacy protections should apply to genomic information, even if not required under applicable Federal or State law. The potential bases for this position include the immutable nature of genetic traits, the potential stigma and discrimination that may result if the information were to be disclosed, and the notion that genomic information may be used to identify an individual or his or her genetic relatives, even if the genomic information does not contain any information that is currently considered PHI under HIPAA.72 Likewise, information about certain conditions (such as alcoholism or HIV-positive status) and certain populations (such as children) may be associated with a greater potential for harm from social stigma and discrimination. Under these circumstances, the IRB can make approval of a registry plan contingent on implementation of additional safeguards that it determines are necessary to minimize the risks to the individuals contributing health information to the registry.
3. Applicable Regulations
This section discusses the specific applicability of the Common Rule73, the Privacy Rule74, and FDA human subject protection regulations75 to the creation and use of health information registries. Registry developers are strongly encouraged to consult with their organization’s privacy officer and IRB or privacy board early in the planning process to clarify applicable regulatory requirements and the probable effect of those requirements on registry design and development.
This discussion assumes four general models for health information registries. One model is the creation of a registry containing the contact, demographic, and diagnostic or exposure information of potential research subjects who will be individually notified about projects in which they may be eligible to participate. The notification process permits the registry to shield registry participants from an inordinate number of invitations to participate in research projects, as well as to protect privacy and confidentiality. This model is particularly applicable to patients with unusual conditions, patients who constitute a vulnerable population,76 or both (e.g., children with a rare condition). A second model is the creation of a registry and the conduct of all subsequent research using registry data by the same group of investigators. No disclosures of registry data will occur and all research activities have the same scientific purpose. This model applies, in general, to quality improvement registries and other quality-related investigations of a clinical procedure or service. Note, however, that some quality improvement registries may involve confidential feedback to providers as well as public reporting of provider performance in a patient de-identified format. These activities may or may not constitute research as defined by the Common Rule. Under the Privacy Rule, these activities may be regulated as the healthcare operations of the covered entity that provides the data to the registry, rather than research, provided the obtaining of generalizable knowledge is not the primary purpose of the activities. A third model is the creation of a registry for an initial, specific purpose by a group of investigators with the express intent to use registry data themselves, as well as to disclose registry data to other investigators for additional related or unrelated scientific purposes. An example of this last model is a registry of health information from patients diagnosed with a condition that has multiple known comorbidities to which registry data can be applied. This third model is most directly applicable to industry-sponsored registries. The American College of Epidemiology encourages the data sharing contemplated in this last registry model.77 A fourth model, which is a variation of the third, is the creation of a registry to support multiple purposes and endeavors at the outset (such as for research and quality A/I activities), which may be for a specific organization, and to disclose registry data to other investigators and organizations for myriad scientific and other permitted purposes. This model underscores the trend toward “big data” initiatives that are designed to leverage central repositories of standardized, normalized, and curated data for many different purposes.
The extent to which the regulations will apply to each of these registry models will depend on factors such as the registry developer, purpose of the registry, potential for individual patient identification, consent process, and inclusion of genetic information. These factors are discussed further below.
3.1. Public Health, FDA-Regulated Products, Health Oversight
When Federal, State, or municipal public health agencies create registries in the course of public health practice, specific legislation typically authorizes the creation of the registries and regulates data acquisition, maintenance, security, use, and disclosures of registry data for research. Ethical considerations and concerns about maintaining the confidentiality of patient information used by public health authorities are similar to those for research use, but they generally are explicitly balanced against potential social benefits during the legislative process. Nonetheless, if the registry supports human subjects research activities as well as its public health purposes, Common Rule requirements for IRB review may apply to the creation and maintenance of the registry. Further, depending on the nature and structure of the activity, FDA GCP requirements may apply, such that IRB review and compliance with FDA informed consent requirements may be necessary.
Cancer registries performing public health surveillance activities mandated by State law are well-known exceptions to Common Rule regulation. However, secondary uses of public health registry data for research and the creation of registries funded by public health agencies, such as the Centers for Disease Control and Prevention and the Agency for Healthcare Research and Quality, may be subject to the Common Rule as sponsored research activities. The Common Rule’s definitions of human subjects research78 may encompass these activities, which are discussed in the next subsections of this chapter. Not all cancer registries support public health practice alone, even though the registries are the result of governmental programs. For example, the Surveillance, Epidemiology, and End Results (SEER) program, funded by the National Cancer Institute, operates and maintains a population-based cancer reporting system of multiple registries, including public use datasets with public domain software. SEER program data are used for many research purposes in addition to aiding public health practices. These latter research activities may be subject to the Common Rule.79
Disclosures of health information by healthcare providers and insurance plans (and their business associates on their behalf) for certain defined public health activities are expressly permitted by the Privacy Rule without patient authorization.80 An example of a public health activity is the practice of surveillance, in which the distributions and trends of designated risk factors, injuries, or diseases in populations are monitored and disseminated.81 Healthcare providers or insurance plans are likely to insist upon documentation of public health authority for legal review before making any disclosures of health information. Registry developers should obtain this documentation from the agency that funds or enters into a contract for the registry, and present it to the healthcare provider or insurance plan well in advance of data collection efforts.
The Privacy Rule characterizes responsibilities related to the quality, safety, or effectiveness of a product or activity regulated by the FDA as public health activities. This public health exception allows uses and disclosures of patient information to a person subject to FDA jurisdiction with respect to FDA-regulated products or activities for which the person has responsibility, such as for adverse event reporting; product tracking; product recalls, repairs, replacement, or look-back; and postmarketing surveillance (e.g., as part of a risk management program that is a condition for approval of an FDA-regulated product).82 Nonetheless, while the use and disclosure of PHI in connection with such public health activities may not necessarily require a research pathway under HIPAA, it is possible such activities may require compliance with FDA GCP requirements and an IDE or investigational new drug (IND) application.83 Determining the applicability of such FDA requirements is a fact-intensive analysis, and the FDA continues to consider the appropriate parameters and requirements and the value proposition for the use of real world data to support regulatory decision making.84 Registry developers and the users of the registry data, as applicable, should consult with the FDA early in the planning process should they anticipate that the registry may be used to support FDA-regulated activities, such as postmarket surveillance studies.85
The Privacy Rule also permits uses and disclosures by healthcare providers and insurance plans (and their business associates on their behalf) for “health oversight activities” authorized by law.86 These activities include audits and investigations necessary for oversight of the “healthcare system” and other entities subject to government regulatory programs for which health information is relevant to determining compliance with program standards.87 The collection of patient information, such as occurrences of decubitus ulceration, from nursing homes that are operating under a compliance or corporate integrity agreement with a Federal or State healthcare program, is an example of a health oversight activity.
3.2. Distinguishing Research Activities From Quality Assurance/Improvement Activities
Ascertaining whether the development and use of a health information registry would be regulated as research can be difficult. This is particularly the case as registries seek to maximize the utility of their data, once collected and rendered usable (often a time- and resource-intensive task given the volume of data involved), by making the data available for myriad purposes. Some registries may support multiple activities, all of which are ultimately related in some way to the objective of improving quality in healthcare, but the nuances of each distinct activity may render some activities research (e.g., analyzing data to learn how to improve quality) while others constitute quality A/I (e.g., reviewing data to assess adherence to quality metrics). In creating and making the registry available for use, registry developers should consider independently the applicability of the various federal standards.
Under the Common Rule, research means “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Activities that meet this definition constitute research for purposes of the Common Rule, whether or not they are conducted or supported under a program that is considered research for other purposes. For example, some demonstration and service programs may include research activities.”88 OHRP would consider an activity to constitute research if it meets the above definition, irrespective of whether the expressly stated objectives or characterizations of the activity include references to research.89
The Privacy Rule’s definition of research40 restates the first sentence of the Common Rule definition set forth above. However, the Privacy Rule distinguishes between research and quality A/I conducted by covered entities or their business associates90 that meet the definition of “healthcare operations.” Under the Privacy Rule, if the primary purpose of a quality-related registry maintained by a covered entity is to support a research activity (i.e., to create generalizable knowledge), Privacy Rule requirements for research apply to the use or disclosure of the patient information to create the registry and to subsequent research use of registry data. If, however, the primary purpose is other than to create generalizable knowledge, the study is considered a healthcare operation of the covered entity and is not subject to Privacy Rule requirements for research activities, including the requirement to obtain patient authorization or a waiver of authorization from an IRB or privacy board for the uses or disclosures.
As noted earlier, both public health practice and quality A/I can be difficult to distinguish from research activities, and this may become increasingly so as healthcare industry stakeholders harness big data initiatives to support the need for insights and metrics in value-based purchasing contexts.91 The determination of whether a particular registry should be considered as or include a research activity under the Common Rule or the Privacy Rule depends on a number of different factors, including but not limited to:
- the nature of the organization where the registry will reside;
- the employment duties of the individuals performing the activities associated with the registry;
- the source of funding for the registry;
- the sources of registry data; and
- whether the creation or subsequent use of the registry:
- is designed to test a theory, hypothesis, or answer a question;
- entails the collection of data specifically for purposes of the registry or any interventions or interactions not necessary to deliver healthcare or assess the quality of healthcare provided;
- is intended to evaluate the safety or efficacy of a product, intervention, process, or activity that is not considered standard of care or supported by current medical evidence and literature;
- involves overriding or directing the treatment decisions of healthcare providers;
- will inform process or delivery changes immediately, or if changes would be delayed until the end of the activity;
- is designed to help patients broadly and in the future, rather than specific patients in the present;
- requires adherence to a protocol and does not allow for procedures to be adapted to findings during the course of the project;
- involves the use of a product or a product for an indication not yet approved or cleared by the FDA; or
- involves evaluating the impact of an activity, process, or other intervention on the behavior of healthcare providers or organizations.
Quality A/I activities entail many of the same ethical concerns about protecting the confidentiality of health information as research activities do. Obtaining express patient consent to participate in quality A/I activities is not the usual practice; instead, the professional and cultural norms of healthcare providers, both individual and institutional, regulate these activities. Registry developers should consider whether the ethical concerns associated with a proposed quality A/I or patient safety registry require independent review and the use of special procedures such as notice to patients or providers. Registry advisory committee members, quality A/I and patient safety literature,92 hospital ethics committees, IRB members, and clinical ethicists can make valuable contributions to these decisions.
To avoid surprises and delays, the decision about the nature of the activity that the registry is intended to support should be made prospectively, in consultation with appropriate officials of the funding agency and officials of the organization where the registry will reside and, in the event of contemplated use of the registry for FDA-regulated purposes, the FDA. Some research institutions may have policies that either require IRB review for quality A/I, especially if publication of the activity is likely, or exclude them from IRB review. Frequently, IRBs make this determination on a case-by-case basis.
3.3. Potential for Individual Patient Identification
The specific regulatory requirements applicable to the use or disclosure of patient information for the creation of a registry to support human subjects research depend in part on the extent to which patient information received and maintained by the registry can be attributed to a particular person. Various categories of information, each with a variable potential for identifying individuals, are distinguished in the Privacy Rule: individually identifiable health information, de-identified information (all identifying elements removed), and a limited dataset of information (specified direct identifiers removed).93 The latter two categories of information may include codes that are assigned to each registry entry and could permit the re-identification of the entry by someone with the legend for the code, provided certain conditions are met.
Common Rule requirements would apply to any human subjects research involving information that is individually identifiable and obtained by the investigator conducting the research, and that is supported or funded by a Common Rule Agency or an FWA in which the institution has “checked the box.”94 The definition of “human subject” in the Common Rule is “a living individual about whom an investigator (whether professional or student) conducting research: (1) [o]btains information or biospecimens through intervention or interaction with the individual, and uses, studies, or analyzes the information or biospecimens; or (2) [o]btains, uses, studies, analyzes, or generates identifiable information or identifiable biospecimens.”
Private information includes information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects.95
Registry developers should be mindful of the ways in which notions of identifiability are being scrutinized under the Common Rule, particularly as relating to genomic data. The Common Rule Final Rule, which has a compliance date of January 21, 2019, would require the Common Rule Agencies to periodically assess: (i) what constitutes identifiable private information and identifiable biospecimens, and (ii) whether there are analytic technologies and techniques that should be considered to generate identifiable private information and identifiable biospecimens.96 OHRP has indicated that it expects whole genome sequencing will be one of the first such technologies to be evaluated as part of this assessment.97 It is prudent to consider whether, under the applicable facts and circumstances, genomic data proposed to be used in connection with the registry would constitute identifiable private information or whether certain safeguards (such as robust data minimization protocols and access restrictions) may be appropriate to protect the interests of the individuals whose data is being used. Registry developers should consult an IRB early in the process of selecting data elements to obtain guidance about whether registry activities constitute human subjects research or may be exempt from Common Rule requirements.
Also among the criteria specified by the Common Rule for IRB approval of research involving human subjects are provisions to protect the privacy of subjects and to maintain the confidentiality of data.98 In addition, the consent process for research subjects should include explicit information about the confidentiality protections in place when records containing identifiers are going to be used.99
Data collection frequently requires patient identifiers, especially in prospective registries with ongoing data collection, revision, and updates. Secondary or subsequent research use by outside investigators (i.e., those not involved in the original data collection) of patient information containing direct identifiers is complicated, however, because ethical principles and regulatory criteria for the conduct of human subjects research require that risks, including risks to confidentiality of patient identifiable information, be minimized.100 Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule, as described above. In order for a HIPAA authorization to allow for secondary research uses of the patient information, the authorization must adequately describe the purpose of the future research. According to guidance that OCR issued pursuant to Section 2063(b) of the 21st Century Cures Act (which reiterates language in the preamble to the January 25, 2013 omnibus HIPAA final rule), a HIPAA authorization for the use or disclosure of PHI for future purposes (such as research) need not “specify each specific future study if the particular studies to be conducted are not yet determined.”101 Nonetheless, the authorization must adequately describe the purpose of any future use “such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such future research.”102 Thus, unless the registry developer has anticipated and adequately described the purposes of the secondary research in the initial HIPAA authorization received from a patient, the initial authorization to contribute PHI to the registry may not have contemplated the use of the PHI for secondary research purposes. 
Although the HIPAA Rules may not apply directly to researchers that receive PHI pursuant to a HIPAA authorization (unless they are also covered entities or business associates), covered entities have a responsibility to ensure that the registries to which they disclose PHI are limiting their uses and disclosures of PHI to those stated in the original HIPAA authorization. Additionally, if the registry intends to seek IRB approval to conduct a secondary use study, the IRB is likely to consider the scope of the original consent and HIPAA authorization for the initial collection of the PHI.
In cases where there is no authorization for the secondary research, there may be other options under the Privacy Rule for secondary use of the data collected, such as de-identification of the information or the creation of a limited dataset.103 Chapter 16 of the third edition of the User’s Guide provides a discussion of the technical and legal considerations related to linking registry data for secondary research purposes.
The Privacy Rule also addresses potential pathways for the use and disclosure of a limited dataset. A limited dataset, which is still considered PHI under HIPAA, does not include specified direct identifiers of the patient, or the patient’s relatives, employer, or household members.104 In order to create a limited dataset, the covered entity or business associate (if permitted by the applicable business associate agreement) must remove the same identifiers listed under the Privacy Rule’s de-identification standard105 except for dates and certain geographic information such as city, state, and/or zip code.106
In an electronic environment, operationalizing de-identification or the removal of identifiers to create a limited dataset can be a complex task. Data suppression limits the utility of the information from the registry. Linkage or triangulation of information can enable the re-identification of individuals, even if unintended. A technical assessment of electronic records for their uniqueness within any dataset may be necessary to minimize the potential for re-identification. When publishing aggregated data for public use or to demonstrate results from research studies, researchers often take precautions to prevent the inadvertent disclosure of PHI within the results. For example, aggregated results revealing that only one person participating in the study suffered a rare adverse event could potentially reveal the identity of the individual, depending on the nature of the data. As a result, some study publishers institute policies requiring the suppression of aggregated results that reveal a small subgroup.107 An evaluation for uniqueness should be performed to ensure that the electronic format does not create a greater potential for identification than this standard practice allows, including when the information is triangulated within a record or linked with other data files.
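The uniqueness assessment and small-cell suppression described above, as an added example that is not from the User's Guide or from any registry: it counts how many records in an extract share the same combination of indirect identifiers, lists the records that fewer than k others resemble, and builds an aggregate table that hides small cells. The records, the choice of quasi-identifier fields and the thresholds are constructed assumptions; real registries would choose them from the data dictionary and the disclosure policy in force.

```python
"""
Added example, not from the User's Guide: a uniqueness check over the
quasi-identifiers of a registry extract, and small-cell suppression (with a
complementary suppression step) for an aggregate table before publication.
The records, the quasi-identifier fields and the thresholds are constructed
assumptions.
"""
from collections import Counter

QUASI_IDENTIFIERS = ("birth_year", "sex", "zip3")   # assumed indirect identifiers


def _rec(i, birth_year, sex, zip3, adverse_event):
    return {"id": f"r{i}", "birth_year": birth_year, "sex": sex,
            "zip3": zip3, "adverse_event": adverse_event}


# Constructed extract: no direct identifiers, but r11 is the only 1931-born
# male in zip3 830, so it is unique on the quasi-identifiers alone.
RECORDS = (
    [_rec(i, 1950, "F", "021", "none") for i in range(1, 5)]
    + [_rec(i, 1962, "M", "021", "none") for i in range(5, 7)]
    + [_rec(7, 1962, "M", "021", "dizziness"),
       _rec(8, 1971, "F", "021", "dizziness"),
       _rec(9, 1971, "F", "021", "dizziness"),
       _rec(10, 1950, "F", "021", "rash"),
       _rec(11, 1931, "M", "830", "anaphylaxis")]
)


def _qi_key(record, fields):
    return tuple(record[f] for f in fields)


def equivalence_classes(records, fields=QUASI_IDENTIFIERS):
    """Size of each group of records sharing the same quasi-identifier values."""
    return Counter(_qi_key(r, fields) for r in records)


def records_below_k(records, k=3, fields=QUASI_IDENTIFIERS):
    """Ids of records that fewer than k records resemble on the quasi-identifiers;
    these are the ones a linkage with an outside file could single out."""
    sizes = equivalence_classes(records, fields)
    return [r["id"] for r in records if sizes[_qi_key(r, fields)] < k]


def aggregate_with_suppression(records, group_field, value_field, min_cell=3):
    """Tabulate value_field within group_field, hiding cells under min_cell.
    A hidden cell is also protected against subtraction: if a group publishes
    its total and exactly one cell is hidden, the smallest remaining cell is
    hidden too (complementary suppression). Totals under min_cell are hidden."""
    groups = {}
    for r in records:
        groups.setdefault(r[group_field], Counter())[r[value_field]] += 1
    published = {}
    for group, counts in groups.items():
        total = sum(counts.values())
        cells = {v: (n if n >= min_cell else None) for v, n in counts.items()}
        hidden = [v for v, n in cells.items() if n is None]
        show_total = total >= min_cell
        if show_total and len(hidden) == 1 and len(cells) > 1:
            shown = [v for v in cells if cells[v] is not None]
            cells[min(shown, key=counts.__getitem__)] = None
        published[group] = {"total": total if show_total else None, "cells": cells}
    return published


if __name__ == "__main__":
    print("unique at k=3:", records_below_k(RECORDS, k=3))
    print(aggregate_with_suppression(RECORDS, "zip3", "adverse_event"))
```

Running the block flags r8, r9 and r11 at k=3, and in the zip3 "021" row it hides not only the single "rash" case but also the next-smallest cell, because a published total together with the other cells would otherwise let a reader subtract the hidden count back out.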
If a registry for research, public health, or other purposes will use any of the categories of health information discussed below, a registry developer should establish the purpose and contemplated uses of the registry and determine the applicability of the Common Rule and Privacy Rule requirements to the collection and use of registry data. Note that certain institutional policies or other considerations may require or warrant consultation with an IRB at the outset to determine whether the development or use of a registry constitutes human subjects research or qualifies for an exemption determination. Further, as noted above, FDA GCP requirements may apply depending on the purpose of the development or use of the registry, even if only de-identified health information or a limited dataset is involved. In addition, the registry developer may need to consult a representative of the information technology or health information system office of each healthcare provider or insurance plan that will be a source of data for the registry, so as to obtain feasibility estimates of data availability and formats.
3.3.1. De-Identified Health Information
The Privacy Rule describes two methods for de-identifying health information.108 The “Safe Harbor” method of de-identification requires the removal of 18 specific identifiers related to the individual and the individual’s relatives, household members, and employers. In addition, this method requires the removal of any information that “could be used alone or in combination with other information to identify an individual.”109 The “Expert Determination” method requires that a qualified expert certify that the potential for identifying an individual from the data elements is very small.
A qualified expert should have “appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable” in order to make this determination.110 De-identified information may include a code permitting re-identification of the original record by the data source (covered entity), provided the code is not derived from information about the individual (a hash of an identifier, for example, is derived from it)111 and cannot otherwise be translated so as to identify the individual. In addition, the decoding key must remain solely with the healthcare provider or plan that is the source of the patient information, and the covered entity cannot use or disclose the code for any other purpose.
Research using existing data in which individual patients cannot be identified directly or indirectly through linked identifiers does not involve human subjects as defined by the Common Rule, and thus is not subject to the requirements of the Rule.95 Refer to the discussion later in this chapter. On the other hand, registry developers and users should note that FDA regulations do not explicitly exclude the use of de-identified information from the definition of a clinical investigation.112
As a prudent business practice, each healthcare provider or insurance plan or its respective business associate that is a source of de-identified information is likely to require an enforceable legal agreement with the registry developer. It should be signed by an appropriate institutional official on behalf of the registry developer. At a minimum, this agreement will likely contain the following terms, some of which may be negotiable: the identification of the content of the data and the medium for the data; a requirement that the data recipient, and perhaps the healthcare provider or insurance plan or their business associate providing the data, make no attempt to identify individual patients; the setting of fees for data processing and data use; limitations on disclosure or further use of the data, if any; and an allocation of the risks of legal liability for any improper use of the data.
In some cases, the registry developer may receive fully identifiable data from healthcare providers or insurance plans and then de-identify the data prior to including it in the registry. In these scenarios, the registry developer plays what is known as an “honest broker” function – which means that the registry developer must not only de-identify the data prior to including it in the registry, but must ensure that any identifiers that the registry developer receives remain inaccessible to the researchers that access the de-identified registry data. Registry developers that provide these “honest broker” services typically use administrative, physical, and/or technical safeguards to establish a “firewall” between the members of its workforce that have access to the fully identifiable data provided by healthcare providers and insurance plans and the workforce members that are performing analyses on the de-identified data. The firewall prevents the researcher from being able to access the identifiable information provided by the healthcare providers and insurance plans. Healthcare providers or insurance plans that receive honest broker services from registry developers must enter into business associate agreements with the registry developer in order to disclose PHI to them for this purpose. Most healthcare providers and insurance plans have developed a standard business associate agreement in response to the Privacy Rule and will likely insist on using it, although some modifications may need to be negotiated in order to produce registry data. A registry developer hired to create a de-identified dataset must return or destroy the direct identifiers once the business associate relationship formed for purposes of creating the de-identified dataset terminates.
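The Safe Harbor reduction, the re-identification code that must not be derived from the individual's information, and the honest broker firewall discussed in this subsection, as one added example that is not code from the User's Guide or from any registry. It reduces a constructed source record either to a Safe Harbor record or to a limited dataset (the latter keeps dates and city/state/zip, as described earlier in this chapter), attaches a random code whose legend stays with the broker, and shows why a hash of the medical record number would not qualify as such a code. The field names, the sample record, the as-of date and the list of small 3-digit zip areas are assumptions made for the example.

```python
"""
Added example, not code from the User's Guide or from any registry: an
"honest broker" step that reduces a fully identified source record to either
a Safe Harbor de-identified record or a limited dataset, and attaches a
re-identification code that is random rather than derived from an identifier.
Field names, the sample record, the as-of date and the small-zip3 list are
constructed assumptions.
"""
import hashlib
import secrets
from datetime import date

# Direct identifiers (assumed field names) removed in both outputs.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "street"}
# Kept by a limited dataset, but reduced to the year by Safe Harbor.
DATE_FIELDS = {"dob", "admit_date"}
# 3-digit zip areas reported as "000" under Safe Harbor because they are too
# small; an illustrative subset, not the Census-derived list.
SMALL_ZIP3 = {"036", "059", "102", "203", "556", "692", "790", "821", "823"}

# Constructed source record, as a covered entity might hand it to the broker.
SAMPLE = {
    "name": "A. Example", "mrn": "04821", "ssn": "000-00-0000",
    "phone": "617-555-0100", "street": "1 Main St", "city": "Boston",
    "state": "MA", "zip": "02118", "dob": date(1928, 3, 4),
    "admit_date": date(2019, 5, 6), "diagnosis": "I50.9",
}
SAMPLE_YOUNGER = dict(SAMPLE, mrn="04822", dob=date(1975, 10, 20), zip="03601")
AS_OF = date(2020, 9, 1)   # assumed reference date for age calculation


def _age(dob, as_of):
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def limited_dataset(record):
    """Limited dataset: strip direct identifiers; dates and city/state/zip stay."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record, as_of=AS_OF):
    """Safe Harbor: strip direct identifiers and sub-state geography other than
    zip3, reduce dates to years, and report ages over 89 as "90+"."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "city":
            continue
        if field in DATE_FIELDS:
            out[field + "_year"] = value.year
        elif field == "zip":
            out["zip3"] = "000" if value[:3] in SMALL_ZIP3 else value[:3]
        else:
            out[field] = value
    age = _age(record["dob"], as_of)
    if age > 89:
        out.pop("dob_year", None)   # a birth year would still reveal an age over 89
        out["age"] = "90+"
    else:
        out["age"] = age
    return out


class HonestBroker:
    """Keeps the code legend on the data source's side of the firewall; the
    registry only ever receives the random code."""

    def __init__(self):
        self._code_by_mrn = {}
        self._mrn_by_code = {}   # the legend; never part of a release

    def code_for(self, mrn):
        code = self._code_by_mrn.get(mrn)
        if code is None:
            code = secrets.token_hex(16)   # random, so not derived from the MRN
            self._code_by_mrn[mrn] = code
            self._mrn_by_code[code] = mrn
        return code

    def release(self, record, mode, as_of=AS_OF):
        """The record the registry receives under the chosen pathway."""
        if mode == "limited":
            out = limited_dataset(record)
        elif mode == "safe_harbor":
            out = safe_harbor(record, as_of)
        else:
            raise ValueError(f"unknown release mode: {mode}")
        out["registry_code"] = self.code_for(record["mrn"])
        return out


def hashed_code(mrn):
    """What not to do: a hash of the MRN is derived from the identifier."""
    return hashlib.sha256(mrn.encode()).hexdigest()


def reverse_hashed_code(code, candidate_mrns):
    """Anyone who knows the MRN format can hash every candidate and match."""
    for mrn in candidate_mrns:
        if hashed_code(mrn) == code:
            return mrn
    return None
```

The hashed code is reversible because the MRN space is small and enumerable, which is why the example generates the code at random and keeps the legend inside the broker; the limited dataset release still requires the data use agreement described later in this section, which the code does not model.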
3.3.2. Limited Datasets of Health Information
De-identified health information may not suffice to carry out the purposes of a registry, especially if the registry is designed to receive followup information as a result of monitoring patients over time or information from multiple sources in order to compile information on a health event (e.g., cancer incidence). Dates of service and geographic location may be crucial to achieving the purposes of the registry or to the integrity and use of the data. Health information provided to the registry that is not fully de-identified but excludes direct identifiers may constitute a limited dataset as defined by the Privacy Rule. A healthcare provider or insurance plan (or business associate on behalf of a provider or plan if permitted by the terms of the business associate agreement) may disclose a limited dataset of health information for research, public health, or healthcare operations purposes, provided it enters into a data use agreement (DUA) with the recipient. The terms of the DUA must satisfy specific Privacy Rule requirements.113 Officials for both the data source and the registry developer should sign the DUA so that a legal contract results. The DUA establishes the permitted uses of the limited dataset by the registry developer (i.e., the creation of the registry and subsequent use of registry data for specified research purposes). The DUA may not authorize the registry developer to use or disclose the information in a way that would result in a violation of the Privacy Rule if done by the data source.114 Furthermore, the DUA for a limited dataset of health information must provide that the data recipient will appropriately safeguard the information and not attempt to identify individual patients or to contact those patients.115 Certain other requirements also apply.
An investigator who works for a healthcare provider or insurance plan to which the Privacy Rule applies and that is the source of the health information for a registry may use a limited dataset to develop a registry for its own research purpose. In these circumstances, the Privacy Rule still requires a DUA that satisfies the requirements of the Privacy Rule between the healthcare provider or insurance plan and the investigator. This agreement may be in the form of a written confidentiality agreement.116
As with de-identified data, a registry developer may assist a healthcare provider or insurance plan or their business associate by creating the limited dataset as an honest broker.106 In some situations, this assistance may be crucial to ensuring that data are accessible and available to the registry. In order for the registry developer to perform the honest broker function, the Privacy Rule requires that the data source (the covered entity or their business associate) and the registry developer (in this instance acting as a business associate) enter into a business associate agreement.117
The registry populated with a limited dataset may include a coded link that connects the data back to patient records, provided the link does not replicate part of a direct identifier. The key to the code (e.g., encryption key) may allow health information obtained from patients over time to supplement existing registry data or allow the combination of information from multiple sources.
If the registry data obtained by investigators constitutes a limited dataset, the investigator may elect to consult an IRB or an institutional official knowledgeable about the Common Rule requirements to determine whether the registry involves human subjects, as there is no clear crosswalk between the concept of a limited dataset under the Privacy Rule and the definition of a “human subject” under the Common Rule. Frequently, a special form for this purpose is available from the IRB. The IRB (or institutional official) should provide the registry developer with documentation of its decision. While the Secretary’s Advisory Committee for the Protection of Human Subjects has issued recommended guidance for OHRP’s consideration that would clarify that a limited dataset does not constitute a human subject for purposes of the Common Rule, OHRP has yet to adopt the recommendation as of the date of publication of the fourth edition of the User’s Guide.118
3.3.3. Direct Identifiers: Authorization and Consent
As discussed above, the Privacy Rule permits the use or disclosure of patient information for research with a valid, written authorization from each patient whose information is used or disclosed.119 The Privacy Rule specifies the content of this authorization, which gives permission for a specified use or disclosure of the health information.120 Healthcare providers and insurance plans frequently insist on using the specific authorization forms that they have developed in order to avoid additional legal review and minimize any potential liability that they believe might be associated with use of other forms.
One exception to the requirement for an authorization occurs when a healthcare provider or insurance plan creates a registry to support its “healthcare operations.”121 The Privacy Rule’s definition of “healthcare operations” explicitly includes quality improvement and quality assurance activities, outcomes evaluation, and the development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.40 For example, a hospital registry created to track its patient outcomes against a recognized clinical care standard as a quality improvement initiative has a healthcare operations purpose. The hospital would not be required to obtain authorizations from its patients to use or disclose health information in a registry for this purpose.
Research use of identifiable health information constitutes human subjects research as defined by the Common Rule.95 In general, the Common Rule requires documented, legally effective, voluntary, and informed consent of each research subject.122 The applicability of FDA GCP requirements, as noted previously, does not turn on the identifiability of the information used. Like the Common Rule, where applicable, FDA GCP regulations require documented, legally effective, voluntary, and informed consent of each research subject.123
Documentation of the consent process required by the Common Rule or FDA regulations may be combined with the authorization required by the Privacy Rule for disclosure and use of health information.124 However, registry developers should be aware that a healthcare provider or insurance plan may not immediately accept the combined form as a valid authorization and may insist on legal review of a combined form before disclosing any health information.
In addition to being voluntary and legally effective, an individual’s consent should contain meaningful information about the research, including what activities are involved, and the expected risks and potential benefits from participation. The Common Rule and FDA regulations require the consent process to include specific elements of information.125 Registry developers should provide non–English-speaking patients with appropriate resources to ensure that the communication of these elements during the consent process is comprehensible. All written information for patients should be translated, or else arrangements should be made for qualified translators to assist in the consent process.
IRBs may approve waivers or alterations of both authorization (for use or disclosure of patient information for registry purposes) and consent (to registry participation), provided the research use of health information satisfies certain regulatory conditions. In addition, the Privacy Rule provides for the ability of privacy boards to approve waivers of authorization for the research use of health information where an organization does not have an IRB.126 Waivers are discussed in detail below.
In certain limited circumstances, research subjects can consent to future unspecified research using their identifiable private information. The Common Rule permits an IRB-approved consent process to be broader than a specific research project124 and to include information about research that may be done in the future. In its review of such future research, an IRB can subsequently determine that the previously obtained consent (1) satisfies or (2) does not satisfy the regulatory requirements for informed consent. If the previously obtained consent is not satisfactory, an additional consent process may be required; alternatively, the IRB may grant a waiver of consent, provided the regulatory criteria for a waiver are satisfied.
Investigators may seek informed consent for future unspecified research through one of two pathways under the revised Common Rule. First, as permitted under the pre-2018 Common Rule and now under the revised Common Rule, research subjects may provide consent to future research using their identifiable private information through a consent process that meets the elements set forth in 45 C.F.R. § 46.116(a)-(c), with the purpose of any future research described in accordance with such required elements (to the extent not waived or altered by the IRB).127 In addition, under the revised Common Rule, individuals could consent to such research through the new “broad consent” pathway, where the investigator maintains documentation of the broad consent, an IRB conducts a limited review of the proposed use of the information and the scope of the consent, and the investigator does not include returning individual research results to subjects as part of the study plan.128 This new consent pathway could allow registry developers to collect data in registries for secondary use studies under a more limited IRB review than previously required. 
The broad consent provided by individuals under this new consent pathway must include several required elements, including a description of reasonably foreseeable risks and benefits, information about how the confidentiality of the information will be maintained, a description of the type of information that might be used for research purposes and the types of research that will be conducted, a description of the time period that the information will be used, and, if appropriate, a statement that the information may be used for commercial profit (and if the individual will share in the research profit).129 OHRP has made clear that this new consent pathway does not replace the pathways noted above for conducting research – i.e., (1) full IRB review of a consent process that is designed to meet the “study-specific” informed consent framework as applied to future use and future studies involving existing datasets; and (2) obtaining a waiver of the consent and authorization requirements from an IRB. In addition, note that certain restrictions and requirements apply in the event an investigator seeks to use the broad consent pathway. For example, an IRB may not waive the informed consent requirement for the storage, maintenance, or secondary research use of identifiable private information or identifiable biospecimens if an individual was asked but declined to provide broad consent for the applicable research activity.130
Additionally, note that the elements of informed consent that are required under FDA regulations are comparable to those under the Common Rule. In particular, FDA has issued guidance indicating that the new basic and additional elements of informed consent under the revised Common Rule “are not inconsistent with FDA’s current policies and guidances,” thereby helping to avoid the need to develop separate informed consent forms to comply with FDA requirements and the revised Common Rule.131
Consistent with the parameters discussed above, an IRB-approved consent process for the creation of a research registry should include a description of the specific types of research to be conducted using registry data. For any future research that involves private identifiable information maintained by the registry, the IRB may determine that the original consent process (for the creation of the research registry) satisfies the applicable regulatory requirements because the prospect of future research and future research projects were adequately described. The specific details of that future research using registry data may not have been known when data were collected to create the registry, but that research may have been sufficiently anticipated and described to satisfy the regulatory requirements for informed consent. For consent to be informed as demanded by the ethical principle of respect for persons, however, any description of the nature and purposes of the research should be as specific as possible.
If a registry developer anticipates subsequent research use of identifiable private registry data, he or she should request an assessment by the IRB of the description of the research that will be used in the consent process for potential subjects at the time the data are initially collected. Nonetheless, in its review of any subsequent research, an IRB may require an additional consent process for each research subject or may grant a waiver for obtaining further consent.
With respect to HIPAA, historically, HHS rejected broadening the description of purpose in authorizations under the Privacy Rule to allow for future unspecified research.132 As a result, an authorization for the use or disclosure of health information to create a research registry could not also authorize the future research uses of the information if the specific details of the future studies were not known when the authorization was obtained.133 However, under the modified HIPAA Privacy Rule released on January 25, 2013, HHS modified its prior interpretation and guidance that research authorizations must be research study specific.134 While this modification does not make any changes to the authorization requirements at 45 CFR § 164.508, HHS no longer interprets the “purpose” provision for authorizations as permitting only study-specific descriptions. This change now allows future research to be authorized provided the authorization adequately describes the purposes of any future research such that it would be reasonable for the individual to expect that his or her health information could be used or disclosed for such future research.135 Where an authorization for the use or disclosure of registry data for the future research does not exist, a healthcare provider or health insurance plan maintaining the registry may need to obtain an additional authorization for the research from individuals or seek a waiver of authorization from an IRB or privacy board. Alternatively, the use or disclosure of a limited dataset or de-identified registry data can occur, provided regulatory criteria are satisfied. 
Registries maintained by organizations to which the Privacy Rule does not apply (e.g., funding agencies for research that are not healthcare providers or insurance plans, professional societies, or non-healthcare components of hybrid entities such as in many universities) are not legally bound by the limited purpose of any original authorization that was obtained to permit data sources to disclose identifiable patient information to the registry. However, data sources or their business associates that are subject to the Privacy Rule are unlikely to be willing to provide patient information without a written agreement with the registry developer that includes legally enforceable protections against redisclosure of identifiable patient information. Regardless of whether such a written agreement is in place, a valid authorization must contain a warning to patients that their health information may not be protected by Privacy Rule protections once disclosed to recipient organizations.136
3.3.4. Certificates of Confidentiality and Other Privacy Protections
Certificates of confidentiality (CoCs) granted by the NIH permanently protect identifiable, sensitive information about research subjects from legally compelled disclosure. For the purposes of CoCs, identifiable, sensitive information is broadly defined to include any information “through which an individual is identified,” or “for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, or other available data sources could be used to deduce the identity of an individual.”137
Prior to the enactment of the 21st Century Cures Act, the issuance of CoCs was discretionary by the NIH or other HHS agencies to which a researcher may submit a request for a CoC. With the passage of the 21st Century Cures Act, the Secretary of HHS is required to issue a CoC to all ongoing or new research funded in whole or in part by the federal government as of December 13, 2016, that collects or uses identifiable, sensitive information.138 For NIH-funded research, this includes any non-exempt human subjects research as defined under the Common Rule, as well as any research involving generating individual-level human genomic data from biospecimens or using such data, whether or not the data are recorded in a manner that enables the identification of human subjects as defined under the Common Rule.139 That research involving non-identifiable genomic data is required to be protected by a CoC further underscores the diverse and shifting views on genomic privacy and the safeguards that are deemed necessary or appropriate for research involving genomic information. Separately, researchers may continue to seek a CoC for non-federally funded research involving the collection or use of identifiable, sensitive information, which HHS may issue in its discretion.140 Registry developers and investigators should determine whether a registry or research conducted using the registry would be subject to the amended NIH CoC policy described above and thus be automatically issued a CoC.
An investigator whose research project has been granted a CoC may refuse to disclose identifying information collected for that research even though a valid subpoena demands that information for a civil, criminal, administrative, or legislative proceeding at the Federal, State, or local level. The protection provided by a CoC is intended to prevent the disclosure of personal information that could result in adverse effects on the social, economic, employment, or insurance status of a research subject.141 Detailed information about CoCs is available on the NIH website.142
The grant of a CoC to a research project, however, is not intended to affect State laws requiring healthcare and other professionals to report certain conditions to State officials; for example, designated communicable diseases, neglect and abuse of children and the elderly, or threats of violent harm. If investigators are mandatory reporters under State law, in general, they continue to have a legal obligation to make these reports.143 In addition, other limitations to the privacy protection provided by CoCs exist and may be relevant to particular research projects. Information on the NIH website describes some of these other legal limitations.142
Registry developers should also be aware that Federal law provides specific confidentiality protections for the identifiable information of patients in drug abuse and alcoholism treatment programs that receive Federal funding.144 These programs may disclose identifiable information about their patients for research activities only with the documented approval of the program director or authorization of the patient.145 The basis for the director’s approval is receipt of written assurances about the qualifications of the investigator to conduct the research and the confidentiality safeguards incorporated into the research protocol, and an assurance that there will be no further disclosure of identifying information by the investigator. Moreover, an independent review of the research project should determine and verify in writing that the protocol provides adequate protection of the rights and welfare of the patients and that the benefits of the research outweigh any risks to patients.145 Prior to submitting proposed consent documentation to an IRB, registry developers should consult legal counsel about the limitations of these confidentiality protections.
As a condition of approval, IRBs frequently require investigators to obtain a CoC for research involving information about substance use disorder or other illegal activities (e.g., underage purchase of tobacco products) and sexual attitudes and practices. Registry developers should consult legal counsel to determine if and how the limitations of a CoC may affect privacy protection planning for registry data. In all circumstances, the consent process should ensure that clear notice is given to research subjects about the extent of privacy protections they may expect for their health information when it is incorporated into a registry.
In the absence of a CoC, a valid subpoena or court order for registry data will usually compel disclosure of the data unless State law specifically protects the confidentiality of data. For example, Louisiana’s laws specifically protect the collection of information related to tobacco use from subpoena.146 On the other hand, a subpoena or court order may supersede State law confidentiality protections. These legal instruments can be challenged in the court having jurisdiction for the underlying legal proceeding. In some circumstances, research institutions may be willing to pursue such a challenge. The remote yet definite possibility of this sort of disclosure should be clearly communicated to research subjects as a limitation on confidentiality protections, both during the consent process and in an authorization for use or disclosure of patient information.
State law may assure the confidentiality of certain quality A/I activities performed by healthcare providers as peer review activities.147 When State law protects the confidentiality of peer review activities, generally, it is implementing public policy that encourages internal activities and initiatives by healthcare providers to improve healthcare services by reducing the risks of medical errors and systematic failures. Protection by peer review statutes may limit the use of data generated by quality A/I activities for any other purposes.
3.3.5. Waivers and Alterations of Authorization and Consent
Waiver or alteration of authorization and informed consent is a key potential pathway for registry developers in the creation and use of health information registries. This is particularly true where the creation of the registry is limited to the collection of data originally created for other purposes, and does not involve the collection of information, such as patient-reported outcomes, specifically for purposes of the registry. Where the needs of a registry may be satisfied through the secondary use of data, including the data of a large number of individuals, waiver of authorization and informed consent is a pathway that many registry developers may pursue.
The Privacy Rule, the Common Rule, and FDA guidance148 all provide for the ability of IRBs (and, in the case of the Privacy Rule, privacy boards) to waive or alter the authorization requirement (in the case of the Privacy Rule) and informed consent requirement (in the case of the Common Rule and FDCA) for the disclosure or use of health information for research purposes, provided applicable criteria are satisfied. It is important for registry developers to keep distinct the terms “informed consent” and “authorization,” as they are not interchangeable with respect to the Privacy Rule, the Common Rule, and FDA regulations. As described above, authorization is the term used to describe individuals’ written agreement to the use or disclosure of their PHI under the Privacy Rule, while informed consent is the term used to describe research subjects’ agreement to participate in research or a clinical investigation, as required by the Common Rule and FDA regulations, respectively. There are separate and distinct requirements for obtaining and waiving or altering each of these permissions.
As technological advances enable and facilitate the collection and sharing of vast amounts of data regarding thousands or even millions of individuals, the use of waivers should be considered in view of the potential risks to the patients participating in the registry. A waiver of authorization potentially imposes the risk of a loss of confidentiality and consequent invasion of privacy. A waiver of consent potentially imposes risks of harm from the loss of self-determination, dignity, and privacy expected under the ethical principles of respect for persons and beneficence. Acknowledging these potential risks, regulatory criteria for waiver and alterations require an IRB or privacy board to determine that risks are minimal, in addition to other criteria. This determination is a necessary condition for approval of an investigator’s request for a waiver or alteration of these permissions.
The following discussion refers only to waivers; registry developers should note that privacy boards and IRBs may approve alterations to authorizations or the consent process, provided a requested alteration satisfies all of the criteria required for a waiver by the Privacy Rule, Common Rule, or FDA regulations and guidance, as applicable. While alterations are arguably more aligned with the principle of respect for persons because they entail obtaining some (albeit altered) form of authorization or informed consent from the subject, they may be less practicable where very large numbers of individuals are contemplated as participants.
The Privacy Rule permits a covered entity to obtain the approval of an IRB or privacy board for a waiver of authorization if the following criteria are met: (1) the use or disclosure involves no more than minimal risk to the privacy of individuals; (2) the research cannot practicably be conducted without the waiver; and (3) the research cannot be practicably conducted without access to, and use of, the health information. The determination of minimal risk to privacy includes several elements: an adequate plan to protect identifiers from improper use or disclosure; an adequate plan to destroy identifiers at the earliest opportunity, unless a health or research justification exists to retain them; and adequate written assurances that the health information will not be reused or disclosed to others, except as required by law, as necessary for oversight of the research, or as permitted by the Privacy Rule for other research.149 The registry developer should provide detailed documentation of the IRB or privacy board’s decision to the healthcare provider or insurance plan (covered entity) that is the source of the health information for registry data. The documentation should clearly communicate that each of the criteria for a waiver required by the Privacy Rule has been satisfied.150 The privacy board or IRB documentation should also provide a description of the health information it determined to be necessary to the conduct of the research and the procedure it used to approve the waiver.151 A healthcare provider or insurance plan might insist on legal review of this documentation before disclosing any health information.
The criteria for waiver of consent under the Common Rule are similar to those for a waiver of authorization under the Privacy Rule. Specifically, an IRB may waive the requirement to obtain informed consent under the Common Rule if the following criteria are met: (1) the research involves no more than minimal risk to subjects; (2) the research could not practicably be carried out without the requested waiver; (3) if the research involves using identifiable private information or identifiable biospecimens, the research could not practicably be carried out without using such information or biospecimens in an identifiable format; (4) the waiver will not adversely affect the rights and welfare of the subjects; and (5) whenever appropriate, the subjects or legally authorized representatives will be provided with additional information after participation.152 The criterion for additional information can be satisfied at least in part by public disclosure of the purposes, procedures, and operations of a registry, as discussed below.
While the FDA has not always permitted IRBs to waive the informed consent requirement under FDA regulations, it has initiated notice and comment rulemaking to allow for such IRB waiver.153 Prior to publishing its proposed rule, FDA issued guidance indicating that it does not intend to object to clinical investigations for which an IRB has waived consent pursuant to the criteria set forth in the guidance.154 Specifically, the guidance states that an IRB may waive the FDA’s consent requirement if it determines that: (1) the clinical investigation involves no more than minimal risk to subjects (as defined under 21 CFR 50.3(k) or 56.102(i)); (2) the waiver will not adversely affect the rights and welfare of subjects; (3) the clinical investigation cannot practicably be carried out without a waiver; and (4) whenever appropriate, subjects will be provided with additional information after participation.155 It remains to be seen whether FDA will align its waiver criteria with those under the revised Common Rule as set forth above, which added a fifth criterion requiring that the research could not practicably be carried out without the use of information in an identifiable format.
Some IRBs produce guidance about what constitutes “not practicable” justifications and the circumstances in which justifications are applicable. For population-based research projects, registry developers may also present the scientific justification of avoiding selection bias. A waiver permits the registry to include the health information of all patients who are eligible. As patient portals, email, and other electronic platforms make it easier to communicate remotely with digitally connected patients, registry developers should be mindful of whether the circumstances support a finding of “not practicable.”156 Likewise, where a registry involves the collection of particularly sensitive information, or use for research that may be potentially stigmatizing, registry developers and users should consider whether the “minimal risk” criterion is satisfied.157
Separately, the Common Rule and FDA regulations also permit an IRB to waive documentation of the consent process under certain circumstances. Waiver of documentation may be particularly useful where registry developers have a platform that enables electronic consent but not the ability to obtain an electronic signature that meets requirements under applicable law. For purposes of the Common Rule, one set of conditions for approval of this limited waiver requires that the only record linking an individual subject to the research is the consent document, and that the principal risk to subjects is the potential harm from a breach of confidentiality. Each subject individually determines whether his or her consent should be documented.158 Alternatively, as permitted under the Common Rule and FDA regulations, an IRB can waive documentation of consent if the research involves no more than minimal risk of harm to subjects and entails no procedures for which written consent is normally obtained outside of a research context.159 For any of these circumstances, the IRB may require the investigator to provide subjects with written information about the research activities in which they participate.160 The written information may be as simple as a statement of research purposes and activities, or it may be more elaborate, such as a website for regularly updated information describing the progress of the research project.
3.3.6. Patient Safety Organizations
This section provides basic information about the Patient Safety and Quality Improvement Act of 2005 (PSQIA) and an overview of some considerations for registries that are considering becoming or working with a Federally-listed Patient Safety Organization (PSO). The PSQIA was enacted in response to a 1999 report by the Institute of Medicine (now the National Academy of Medicine) that identified medical errors as a leading cause of hospital deaths in the United States, with many such errors being preventable.161 It creates Federal confidentiality and privilege protections for certain information that meets the criteria in the statute to qualify as patient safety work product (PSWP). The Patient Safety Rule at 42 CFR Part 3, the implementing regulation for the PSQIA, became effective on January 19, 2009.
The PSQIA authorized the U.S. Department of Health and Human Services (HHS) to list PSOs, entities with patient safety expertise, to which providers can voluntarily report patient safety events with the aim of improving patient safety and the quality of care. PSOs provide feedback to providers to assist them with improving patient safety, encouraging a culture of safety and minimizing patient risks. The HHS Agency for Healthcare Research and Quality (AHRQ) is responsible for listing PSOs.
Generally, PSWP is any data, reports, records, memoranda, analyses, or written or oral statements which: (1) could improve patient safety, healthcare quality, or healthcare outcomes and are assembled or developed by a provider to be reported to, and are reported to a PSO, or are developed by a PSO to conduct patient safety activities; or (2) identify or constitute the deliberations or analysis of, or fact of reporting to, a patient safety evaluation system. Information collected, maintained, or developed separately from, or existing separately from, a patient safety evaluation system as defined in the statute is excluded from the definition of PSWP. Thus, individual patient medical records, billing and discharge information, and any other original patient or provider records are not confidential and privileged under the PSQIA.
With specified exceptions, PSWP is privileged and confidential and is not subject to subpoena, order or discovery in connection with a Federal, State, or local civil, criminal, or administrative proceeding, including a Federal, State, or local civil or administrative disciplinary proceeding; may not be admitted as evidence in any Federal, State, or local governmental civil, criminal or administrative rulemaking proceeding, or administrative adjudicatory proceeding; is not subject to disclosure under the Federal Freedom of Information Act or any other similar Federal, State, or local law; and may not be admitted in a professional disciplinary proceeding of a professional disciplinary body established or specifically authorized under State law.
Once PSWP is received by a PSO, it may be aggregated and analyzed by the PSO to assist a provider in determining and addressing underlying factors that contribute to patient safety risks. Under the PSQIA, PSWP may not be disclosed unless specified requirements in the Patient Safety Rule are met. Civil money penalties may be imposed for confidentiality violations.162 In addition, the HIPAA Privacy Rule’s limitations on uses and disclosures may apply where PSWP includes protected health information (PHI).
Information collected by a provider to comply with external reporting requirements (for example, State incident reporting requirements) is not PSWP, and PSWP generally may not be used to comply with such obligations. Thus, a significant amount of data in its original form remains outside the PSWP definition. This includes registry data that is not developed by a provider or an AHRQ-listed PSO in a manner that meets the definition of PSWP. The statute and regulation provide no protection for information in registries acting outside the protected scope of the PSO arena. For example, if a PSO also operates a registry that submits data to the Centers for Medicare and Medicaid Services (CMS) on behalf of individual clinicians or groups to meet the requirements for their participation in a quality payment incentive program, neither the data submitted by the provider to the registry for this purpose nor the data submitted by the registry to CMS is PSWP. A provider may submit a copy of these registry data to the PSO, and the copy may be protected as PSWP, as long as the original exists outside of the patient safety evaluation system.
A registry may choose to seek listing by AHRQ as a PSO so long as it meets the requirements to become listed as a PSO. However, the registry should carefully assess whether it would be able to conduct all of its intended operations as a PSO. The disclosure of PSWP is limited to specific permissible disclosures enumerated in 42 CFR § 3.206(b) (and is also subject to the HIPAA Privacy Rule and other requirements, if applicable). The limitations on disclosure in the Patient Safety Rule might not allow a registry to conduct research, publish or disseminate PSWP to the same extent or in the same way it would do so with registry information that is not PSWP.
There are some additional points an entity operating a registry may want to consider before seeking listing as a PSO:
- Information received by a registry from providers prior to the registry becoming an AHRQ-listed PSO would not be PSWP unless the information was PSWP prior to being provided to the registry. However, a provider could submit or authorize the submission of a copy of non-PSWP it previously reported to the registry to the PSO, as long as the original is maintained separately. The copy could become PSWP, provided the copy satisfies all other requirements of the definition of PSWP. Before preparing copies for reporting to the PSO of information originally developed for a registry, the provider will want to ensure that making such copies is permissible; that disclosing the information to a PSO does not affect other confidentiality or privilege protections, such as those under State law; and that the disclosure is not prohibited by other laws, regulations or contractual obligations.
- When PHI is contained in PSWP, both the Patient Safety Rule and HIPAA Privacy and Security Rules must be taken into account. The Patient Safety Rule permits PSWP containing PHI to be disclosed to a PSO for the conduct of patient safety activities, which are considered healthcare operations under the HIPAA Privacy Rule.
- The Patient Safety Rule definition of provider primarily relates to individuals or entities licensed or otherwise authorized under U.S. State law to provide healthcare services and individuals or entities that deliver healthcare as part of U.S. Federal, State, local, or tribal governments. Data reported to a PSO from healthcare providers who do not satisfy this definition is not confidential or privileged PSWP. Additionally, the PSQIA privilege protections only apply in U.S. tribunals.
- A registry should also consider the long-term implications for any data that are PSWP if its PSO is subsequently delisted. The regulations do not permit a former PSO to retain any of the PSWP it collected during its period of listing, even if the PSO delists voluntarily. All PSOs must meet the PSWP disposition requirements set forth at 42 CFR § 3.108(b)(3) at the time of delisting.
Finally, it is important for registry developers to know that, instead of becoming a PSO itself, a registry may elect to form a separate unit or division of a legal entity, or a separate legal entity that can become listed as a PSO. The Patient Safety Rule defines this type of PSO as a “component PSO.” The Patient Safety Rule prohibits health insurance issuers from becoming listed as or forming a PSO. However, the other excluded entities may create or designate a component organization to seek listing as a PSO (see 42 CFR § 3.102(a)(2)). Whether the component PSO is part of an excluded entity or not, the Patient Safety Rule’s additional requirements regarding component PSOs must be satisfied. A component PSO must maintain PSWP separately from non-PSWP and from the rest of the parent organization.
3.4. Developments Affecting the HIPAA Privacy Rule
3.4.1. The Institute of Medicine Report
On February 4, 2009, the Institute of Medicine (IOM) published a report that examined how research was being conducted within the framework of the Privacy Rule. The IOM Report presented findings and recommendations of an IOM Committee tasked with assessing the impact of the HIPAA Privacy Rule on health research. This group had proposed recommendations to ensure that important health research might be conducted while maintaining or strengthening privacy protections for research subjects’ health information.163 The IOM Report stated that certain Privacy Rule requirements were difficult to reconcile with other regulations governing the conduct of research, including the Common Rule and the FDA regulations, and it noted a number of inconsistencies among applicable regulations related to the de-identification of data and the ability to obtain informed consent for future research studies, among other differences.
Citing more uniform regulations in other countries, the IOM Report affirmed that “a new direction is needed, with a more uniform approach to patient protections, including privacy, in health research.”164 As its primary recommendation, the IOM Committee held that Congress should authorize HHS and other Federal agencies to develop a new approach to protecting privacy that would apply uniformly to all health research and to exempt health research from the Privacy Rule when this new approach was implemented. Until such an overhaul could be accomplished, the IOM Committee called upon HHS to revise the Privacy Rule and associated guidance to address certain issues. HHS addressed some of these issues in the January 25, 2013, modifications to the Privacy Rule, such as by allowing HIPAA authorizations to encompass future research and removing prohibitions on combining certain HIPAA authorizations for multiple research studies, thereby harmonizing these HIPAA Privacy Rule requirements with the Common Rule. Nevertheless, registry operators should be aware that additional clarifications or modifications to the Privacy Rule as it relates to research activities may continue to be made in the future.
3.4.2. The Genetic Information Nondiscrimination Act of 2008
The Genetic Information Nondiscrimination Act of 2008 (GINA) was signed into law on May 21, 2008. In general, GINA prohibits discrimination in health insurance coverage (Title I) and employment (Title II) based on genetic information. GINA defines genetic information as, with respect to any individual, information about the individual’s genetic tests, the genetic tests of the individual’s family members, and the manifestation of a disease or disorder in the individual’s family members (e.g., family health history). Title I of GINA took effect for most health insurance plans on May 22, 2009, and Title II became effective for employers on November 21, 2009. GINA also specifies that the definition of genetic information includes the genetic information of a fetus carried by a pregnant woman and an embryo legally held by an individual or family member utilizing an assisted reproductive technology. Pursuant to GINA, health insurers are prohibited from using the genetic information of individuals for underwriting purposes (e.g., determining health insurance eligibility and coverage, or premium setting), and employers are prohibited from using genetic information in making employment-related decisions.
In addition to its nondiscrimination requirements, GINA also required related amendments to the Privacy Rule to clarify that genetic information is PHI for purposes of the Privacy Rule, and to prohibit certain health plans from using or disclosing genetic information for underwriting purposes.165
3.4.3. The HITECH Act
The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Funds appropriated as a result of passage of ARRA are supporting new registries developed to study comparative effectiveness of treatments and protocols. It should be noted that there are no specific exceptions to regulatory or ethical requirements for such comparative effectiveness registries. Title XIII of division A and Title IV of division B of ARRA, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), significantly modified the obligations of HIPAA covered entities and their business associates.
Perhaps most significantly, the HITECH Act extends to business associates direct liability for compliance with many of the key privacy and security obligations contained in the HIPAA Rules, whereas business associates were previously only contractually liable for failing to protect PHI in accordance with the terms of their business associate agreement with covered entities. Specifically, the HITECH Act imposed direct liability on business associates for compliance with the HIPAA Security Rule’s requirements for implementing administrative, physical, and technical safeguards to protect electronic PHI, as well as for compliance with the use and disclosure provisions of the Privacy Rule and the terms of the business associate agreements into which they enter. While many business associate agreements previously contained general safeguarding requirements (e.g., requiring the business associate to maintain appropriate technical safeguards), these agreements often had not imposed specific security requirements (e.g., a requirement that the business associate establish a security management process, which includes conducting security risk assessments and developing risk management plans). The HITECH provisions now subject business associates to civil and criminal penalties once reserved only for covered entities under the HIPAA Rules. The HITECH Act obligations imposed on business associates were finalized through HHS rulemaking on January 25, 2013, with compliance required by September 23, 2013.
The HITECH Act also created new breach notification requirements for covered entities and business associates. The Breach Notification Rule requires covered entities to notify the affected individuals, HHS, and in some cases, the media, of a breach of unsecured PHI. Notification must be provided without unreasonable delay but in no case later than 60 calendar days after the breach is discovered (except in cases of reports to HHS of breaches affecting fewer than 500 individuals, in which case notification to HHS is required within 60 days after the end of the calendar year in which the breach was discovered). Depending on the circumstances, individual notification may include both direct, written notification to affected individuals via first-class mail or email, as well as substitute notice via conspicuous posting on the entity’s website or in major print or broadcast media.
If a business associate experiences a breach of any unsecured PHI it maintains, the business associate must provide notification to the applicable covered entity without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered, so that the covered entity can provide the notifications described above with respect to the breach or delegate that responsibility to the business associate. Any notification by a business associate must include the identification of any individual(s) whose information was accessed, acquired, or disclosed during the breach. The Department issued an interim final rule to implement the breach notification requirements on August 24, 2009, which became effective on September 23, 2009. On January 25, 2013, the Department published modifications to and made permanent these breach notification requirements.166
3.4.4. Summary of Regulatory Requirements
The use and disclosure of health information by healthcare providers and insurance plans for research purposes, including for registries, are assumed by the authors of this chapter to be subject to regulation under the HIPAA Rules and may be subject to the Common Rule and/or FDA regulations.
In general, the Privacy Rule permits a covered entity (or business associate on its behalf) to use or disclose patient information for registry purposes, subject to specific conditions, where the use or disclosure is: (1) for a registry supporting certain public health activities, including registries developed in connection with FDA-regulated products; (2) for a registry supporting the healthcare operations of a healthcare provider or insurance plan (covered entities), such as for quality A/I; (3) for a registry created by health oversight authorities for health system oversight activities authorized by law; (4) limited to de-identified health information; (5) limited to a “limited dataset” of patient information that lacks specified direct identifiers, and a data use agreement is in place with the recipient; (6) pursuant to patient authorizations; or (7) consistent with a waiver or alteration of authorization by an IRB or privacy board.
The Common Rule will apply to the creation and use of registry data if (1) the registry is funded by a Common Rule Agency or the organization responsible for the registry has an FWA that encompasses the registry project, regardless of funding,167 and (2) the creation of the registry and subsequent research use of the registry data constitute nonexempt human subjects research as defined by the Common Rule. As interpreted by OHRP, human subjects research includes the creation or use of a registry that has any research purpose, even if the main purpose of the registry or use of the registry is not research. Registry developers are strongly encouraged to consult the IRB, not only about the applicability of the Common Rule, but also about the selection of data elements, the content of the consent process or the regulatory criteria for waiver, and any anticipated future research involving identifiable registry data.
FDA GCP requirements may apply to the creation and/or use of a registry if the registry involves the collection of data specifically for purposes of gathering information regarding the safety or effectiveness of a product in a manner that influences treatment decisions, or if the registry data relates to the use of an FDA-regulated product and the data or analyses thereof are intended to be submitted to or held for inspection by the FDA. The scope and requirements of FDA regulations with respect to the use of real world data continue to evolve, and registry developers should be mindful of the purposes for which the registry is developed and/or used to assess the potential applicability of FDA requirements for the protection of human subjects (even if the registry or downstream use of the registry is limited to de-identified data). With the FDA’s harmonization of its consent waiver and alteration requirements with those under the Common Rule and HIPAA, it is possible that more registries will be used to support FDA-regulated research.
State laws regulate public health activities and may also apply in various ways to the research use of health information. NIH may issue – either as a matter of course or upon request, depending on the funding source of the study – CoCs to particular research projects for the protection of identifiable, sensitive information from most legally compelled disclosures. Federal law provides specific privacy protections to the health information of patients in substance use disorder programs that receive Federal funding (42 CFR Part 2). Under recent revisions to 42 CFR Part 2 that became effective in 2017, HIPAA covered entities and business associates may conduct research on information from a federally supported substance use disorder program if the HIPAA covered entity or business associate has obtained and documented authorization from the patient, or a waiver of authorization consistent with the Privacy Rule, and has complied with the Common Rule in obtaining informed consent (if applicable to it). Researchers subject to the Common Rule and not HIPAA may also conduct research on substance use disorder information covered by 42 CFR Part 2 if they conduct the research in compliance with the Common Rule. Note, the Coronavirus Aid, Relief and Economic Security Act (CARES Act), which was signed into law on March 27, 2020, amended certain confidentiality protections and requirements for substance use disorder records under 42 CFR Part 2. HHS is expected to issue the regulations amending 42 CFR Part 2 later in 2020 or early 2021. Although there will remain some discrepancies, the new regulations are expected to more closely align 42 CFR Part 2 and the HIPAA Privacy Rule.
The institutional policies of healthcare providers and insurance plans may also affect the use and disclosure of the health information of their patient or insured populations. Legal requirements applying to use or disclosure of health information for research are evolving and can significantly influence the planning decisions of registry developers and investigators. It is prudent to obtain early and frequent consultation, as necessary, with institutional privacy officers, privacy board or IRB staff and members, information system representatives of healthcare providers and insurance plans, funding agencies and the FDA (as applicable), the developers of any device or application from which the registry will directly collect data, and technology transfer representatives and legal counsel.
4. Registry Transparency, Oversight, and Data Ownership
4.1. Registry Transparency
Efforts to make registry operations transparent (i.e., to make information about registry operations public and readily accessible to anyone who is interested) are desirable and may even be required under certain circumstances involving waiver or alteration of consent. Registry transparency can educate registry participants and the public about scientific processes. Transparency also contributes to public and professional confidence in the scientific integrity and validity of registry processes, and therefore in the conclusions reached as a result of registry activities. Public information about registry operations may also increase the scientific utility of registry data by promoting inquiries from scientists with interests to which registry data may apply. Registry participants who are more informed as to the objectives of the registry and how their data helps achieve those objectives may have an enhanced sense of investment in the registry’s success and be less likely to decline or revoke permission for, or object to, the use of their data. This may be particularly valuable in response to overarching concerns and anxieties among patients, consumers, or the public regarding the extent to which their privacy is being adequately protected.
Registry developers can promote transparency by making the registry’s scientific objectives, governance, eligibility criteria, sampling and recruitment strategies, general operating protocol, and sources of data available to anyone who is interested. Proprietary interests of funding agencies, contractual obligations, and licensing terms for the use of patient or claims information may limit, to some extent, the information available to the public about the registry. It is important to stress that, while transparency and access to information are to be encouraged, the intent is not to discourage or criticize investments in patient registries that produce proprietary information. Neither the funding source nor the generation of proprietary information from a registry determines whether a registry adheres to the good practices described in this handbook. Funding agencies, healthcare providers, and insurance plans do, however, have an important stake in maintaining public confidence in how health information is managed. The extent of registry transparency should be prospectively negotiated with these entities.
Creating a website of information about registry objectives and operations is one method of achieving transparency; ideally, registry information should be available in various media. One example of registry transparency can currently be found on an international transplant registry website.168 Also instructive may be the accounting of disclosures construct under HIPAA, even if HIPAA does not apply to a particular activity by operation of law. In particular, registry developers may consider the elements of information that must be included in an abbreviated accounting that a covered entity may provide for certain research-related disclosures involving 50 or more people.169 Including similar information regarding a registry on a publicly accessible website or other platform may be helpful in promoting transparency regarding how the registry is maintained and the various ways in which it is used. Particularly where a registry collects information that is considered by many to be more sensitive (such as genomic data), the provision of additional meaningful information regarding the objectives of the registry and how confidentiality is protected may be a key tool to enhance participant buy-in and mitigate the risk of participant declinations of permission, opt-outs, or revocations of permission. Note also that an IRB may require registry transparency as a condition of approval to satisfy one of the regulatory criteria for granting a waiver of consent, which is to provide “additional pertinent information after participation.”170
4.2. Registry Oversight
Registry governance must reflect the nature and extent of registry operations. As described in Chapter 9, governing structures can vary widely, from one in which the registry developer is the sole decision-maker to a system of governance by committee(s) composed of representatives of all stakeholders in the registry, including investigators, the funding agency, patients, clinicians, biostatisticians, information technology specialists, and government agencies.
Registry developers should also consider appointing an independent advisory board to provide oversight of registry operations. An advisory board can assist registry operations in two important ways: (1) providing guidance for the technical aspects of the registry operations and (2) establishing the scientific independence of the registry. The latter function can be valuable when controversies arise, especially those related to patient safety and treatment, or resulting from actions by a regulatory agency. Advisory boards collectively should have relevant technical expertise, but should also include representatives of other registry stakeholders, including patients. Advisory board actions should be limited to making recommendations to the ultimate decision-maker, whether an executive committee or the registry developer.
Registry developers may also appoint other types of oversight committees to resolve specific recurring problems, such as verifying diagnoses of patient conditions or adjudicating data inconsistencies.
4.3. Data Ownership
4.3.1. Health Information Ownership and Value Proposition
There is no general consensus with respect to the ownership of health information, and multiple stakeholders assert ownership claims to health information in various forms. Certain States have enacted laws that seek to clarify ownership of health records, aiming to strike a balance between healthcare providers’ rights to these records and patients’ rights to maintain confidentiality of, and have access to, the information in their records. However, there is much inconsistency among these laws,171 and, accordingly, these laws are helpful to outline providers’ and patients’ rights, but do not definitively answer the ownership question. In addition to healthcare providers and individuals, any number of stakeholders could claim ownership of health-related information, including insurance plans, funding agencies for registry projects, research institutions, government agencies, registry developers, and investigators. The basis for these claims is typically possession or control of the tangible expression of the health information or an interest in controlling its use.
While many entities claim ownership of healthcare data, the central question should be who has the possession of the data and the right to control its use. As a general matter, there is no legal basis for assertions of ownership of facts or raw data elements. In fact, long-established public policy supports the free exchange of ideas and wide dissemination of facts as fundamental to innovation and social progress.172 However, an entity in possession or control of health information in the form of raw data elements has the ability to control it by maintaining it as confidential, thereby acting as if it is the owner of the information because it can control how such information is shared and used. For example, an entity in possession or control of health information may transfer it to another party under contractual conditions that restrict the recipient’s use and disclosure. In addition, entities that are in possession or control may allocate “ownership” of health information by contract as between them – without reference to the true owner. This may permit, for example, the funding agency for a registry to assert claims to ownership as a matter of contract law in their sponsorship agreements with research organizations.
U.S. copyright law allows an individual or entity to claim ownership of compilations of facts if the facts are selected, coordinated, or arranged in a manner that meets a degree of originality.173 Electronic health records systems and data warehouses contain vast amounts of health information that can be aggregated or compiled in unique ways, leading to datasets that may be protected under U.S. copyright law. Accordingly, it is possible to create a registry that is selected, coordinated, or arranged in such a way as to protect the registry under U.S. copyright law; however, stakeholders developing registries should be aware that protection of registries as a compilation under U.S. copyright law will be thin, and will not protect the underlying data. Therefore, it is advisable to develop a protection strategy for registries that includes a combination of confidentiality requirements and copyright protection.
Notwithstanding any copyright protection that may be available, stakeholders need to bear in mind that registry data constitutes legally protected, confidential information about individual patients to which independent and varied legal protections apply. Copyright protections may marginally enhance, but do not diminish, other legal restrictions on access to and use of health information and registry data.
For more information on copyright law, see Appendix B.
4.3.2. Publications
For academic institutions, publication rights are an important component of the value proposition of healthcare data, and any publication itself (but not the data therein) constitutes a literary work under U.S. copyright law. Formal institutional policies may address publication rights resulting from faculty educational and research activities. Moreover, the social utility and benefit of any registry is evaluated on the basis of its publicly known findings and any conclusions based on them. The authors strongly encourage registry developers to maximize public communication of registry findings through the customary channels of scientific conferences and peer-reviewed journals. The goal of public communication for scientific findings and conclusions applies equally to registries operated outside of academic institutions (i.e., directly by industry or professional societies). For further discussion of developing data access and publication policies for registries, see Chapters 2 and 8.
4.3.3. Intersection of Ownership Rights With Other Considerations
The concept of ownership does not fit comfortably in the context of health information, because it largely fails to acknowledge individual patient privacy interests in health information. An inescapable personal nexus exists between individuals and information about their health. Considerations for rights with respect to health information may derive from applicable Federal or State law. The Privacy Rule, for example, provides individuals with the right to access, amend, and obtain an accounting of disclosures of their PHI contained in a designated record set, although it does not directly affect existing laws, if any, regarding property rights in health information.174 A designated record set means a group of records maintained by or for a covered entity that is: (i) the medical records and billing records maintained by or for a covered entity healthcare provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used by or for the covered entity to make decisions about individuals.175 The assessment of whether a registry would contain data that constitutes a designated record set is a fact-specific one. Where applicable, such individual rights with respect to health information in a registry may inform the extent to which an individual has ownership rights in the information.
At the time of this writing, health information sources and other users privately reach agreement to manage access and control. The question of the extent to which individuals have rights in their own health information will likely become more pronounced insofar as registries seek to expand the collection of patient-reported outcomes. Likewise, as more health information becomes generated through connected devices, mobile applications, and other digital platforms that are deployed in a consumer context, it will be important for registry developers and the entities that collect and make available to the registry such data to consider the terms and conditions and privacy policies that apply to the platforms, and the attendant implications for the ability of individuals to access or otherwise assert rights with respect to such data. These contractual terms, the legal and regulatory requirements described above, as well as claims of property rights and concerns about legal liability, will inform the formal written agreements for the establishment and use of registries. Registry developers should also consider what, if any, rights they are willing to or should provide to the individuals whose data is being used, such as by giving individuals the ability to access or request the sharing of their own data, receive reports or updates regarding the use of their data, or other means of engagement that may enhance transparency or buy-in from the individuals with respect to the registry’s mission or activities.
5. Conclusions
Ethical considerations arise in many of the essential aspects of planning and operating a registry. These considerations can affect the scientific, logistical, and regulatory components of registry development, as well as claims of property rights in health information. The guiding ethical principles for these considerations are beneficence, justice, and respect for persons and avoidance of harm.
At the most fundamental level, investigations that involve human subjects and that are not capable of achieving their scientific purpose are unethical. The risk-benefit ratio of such studies is unacceptable in an analysis based on the principle of beneficence, which obligates investigators to avoid harming subjects, as well as maximize the benefits and minimize the harms of research projects. Ethical scientific design must be robust, must be based on an important question, and must ensure sufficient statistical power, precise eligibility criteria, appropriately selected data elements, and adequately documented operating procedures and methodologies.
In addition, an ethical obligation to minimize harms requires planning for and establishing adequate protections to ensure the confidentiality of the health information disclosed to a registry, taking into consideration the evolving and diversifying nature and rapidly proliferating amounts of data that is becoming available to registry developers. Such planning should include developing policies and procedures for the appropriate use and disclosure of registry data, and implementing physical, technical, and administrative safeguards to limit access to and use of registry data accordingly. Reducing the potential harms associated with the use of health information in a registry is particularly important (for example, where genomic or particularly sensitive health information is involved), because generally no directly offsetting benefit from participation in a registry accrues to individuals whose health information is used in the registry. According to an analysis applying the principle of justice, research activities that produce a significant imbalance of potential risks and benefits to participating individuals are unethical.
Protection of the confidentiality of the health information used to populate a registry reflects the ethical principle of respect for persons and avoidance of harm. Health information intimately engages the privacy and dignity of patients. Registry developers should acknowledge public expectations of protection for patient privacy and dignity with clear and consistent communications to patients about protections in place to prevent inappropriate access to and use of registry data.
The regulatory requirements of the Privacy Rule and Common Rule and FDA GCP regulations reflect past ethical concerns about research involving human subjects, a recognition that the use of data alone in connection with research nonetheless warrants protections for the individuals whose data is used, as well as general social anxiety about potential loss of privacy associated with rapid advances in health information systems technology and communications and biomedical developments in human genetics. Compliance with these regulatory requirements not only is a cost of doing business for a registry project, but also demonstrates recognition of the ethical considerations accompanying use of health information for scientific purposes. Compliance efforts by registry developers also acknowledge the important public relations and liability concerns of healthcare providers and insurance plans, public health agencies, health oversight agencies, and research organizations. Regulatory compliance contributes to, and generally supports, the credibility of scientific research activities and research organizations, as well as that of particular projects.
These and other Federal and State privacy laws may affect registry development, especially registries created for public health purposes. Such laws express an explicit, legislatively determined balance of individual patient interests in health information against the potential social benefits from various uses of that information, including in research. Consultation with legal counsel is strongly recommended to determine the possible effect of these laws on a particular registry project.
Additional ethical considerations also affect the operational aspects of registries, including governance, transparency, and data ownership. Registry governance, discussed in Chapter 9, should reflect both appropriate expertise and representation of stakeholders, including patients. An independent advisory committee can provide useful guidance to registry developers and managers, especially on controversial issues. Transparency involves making information about registry governance and operations publicly available. Registry transparency improves the credibility of the scientific endeavors of a registry, the use of health information for scientific purposes, and the results based on analyses of registry data. In short, registry transparency promotes public trust.
There is no general consensus with respect to the ownership of health information, and, as a general matter, there is no legal basis for assertions of ownership of facts or raw data elements. Nonetheless, in theory, copyright protections for compilations may be applied to the patient information held by healthcare providers and insurance plans, as well as to registries. In general, property rights related to health information are likely to be negotiated privately under the terms and conditions of formal agreements between registry developers, funding agencies, and healthcare providers or insurance plans. As a practical matter, “ownership” implies operational control of registry data and publication rights, and the more relevant question may be which stakeholders have the right to control use of registry data.
In summary, careful attention to the ethical considerations associated with the design and operation of a registry, and fulfillment of the applicable legal requirements, are critical to the success of registry projects and to the realization of their social and scientific benefits.
References for Chapter 7
1. Subsection (i) is based to a certain extent on 45 CFR 160.103: definition of individually identifiable health information. Subsection (ii) refers broadly to other types of personal information that is not regulated as “protected health information” under HIPAA but that may be protected under other applicable federal and state law.
2. Genomic information may relate to somatic mutations and/or germline mutations. Germline mutations are those that are inherited and present in every cell in the individual’s body; importantly, they can be passed on from generation to generation. Conversely, somatic mutations are not inherited but acquired (such as through exposure to sunlight or other external causes), affect only the cells that grow from the mutated cell, and are not passed on to future generations. Griffiths AJF, Miller JH, Suzuki DT, et al. An Introduction to Genetic Analysis (7th Ed.) (2000), available at https://www.ncbi.nlm.nih.gov/books/NBK21894/.
3. 45 CFR Part 46.
4. These regulations, also known as the “Common Rule,” currently also apply to institutions that receive funding for human subjects research from such federal agencies and that voluntarily elect to conduct all of their human subjects research in accordance with the Common Rule, irrespective of funding source.
5. Part C of Title XI of the Social Security Act, 42 USC §§ 1320d to 1320d-9, and section 264 of the Health Insurance Portability and Accountability Act of 1996, 42 USC §1320d-2 note; 45 CFR Parts 160 and 164.
6. The National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. Apr 18, 1979. [March 4, 2014]. http://www.hhs.gov/ohrp/humansubjects/guidance/belmont.html.
7. Public Law 93-348 (1974), Title II.
8. Council for International Organizations of Medical Sciences. International Guidelines for Ethical Review of Epidemiological Studies. 1991. [March 4, 2014]. Noted to be under revision. http://www.cioms.ch/publications/guidelines/1991_texts_of_guidelines.htm. See especially sections entitled General Ethical Principles and Informed Consent.
9. Grant RW, Sugarman J. Ethics in human subjects research: do incentives matter? J Med Philos. 2004 Dec;29(6):717–38. [PubMed: 15590518]
10. Council for International Organizations of Medical Sciences. International Guidelines for Ethical Review of Epidemiological Studies. 1991. [March 4, 2014]. Note 6, at paragraphs 11 and 12. http://www.cioms.ch/publications/guidelines/1991_texts_of_guidelines.htm.
11. U.S. Department of Health and Human Services; Office of the Inspector General. Recruiting Human Subjects: Sample Guidelines for Practice. Jun, 2000. p. 5. OEI-01-97-00196. http://oig.hhs.gov/oei/reports/oei-01-97-00196.pdf.
12. U.S. Department of Health and Human Services; Office of the Inspector General. Recruiting Human Subjects: Sample Guidelines for Practice. Jun, 2000. Appendix A. OEI-01-97-00196. http://oig.hhs.gov/oei/reports/oei-01-97-00196.pdf.
13. Patient Protection and Affordable Care Act. Section 6002, Transparency Reports and Reporting of Physician Ownership or Investment Interests. Public Law 111-148. Mar 23, 2010. http://www.gpo.gov/fdsys/pkg/PLAW-111publ148/pdf/PLAW-111publ148.pdf.
14. Massachusetts regulation 105 CMR 970.000 implementing Massachusetts General Law, Chapter 111N, Pharmaceutical and Medical Device Manufacturer Conduct, as enacted under Chapter 305 of the Acts of 2008, An Act To Promote Cost Containment, Transparency and Efficiency in the Delivery of Quality Health Care. http://www.lawlib.state.ma.us/source/mass/cmr/cmrtext/105CMR970.pdf.
15. Council for International Organizations of Medical Sciences. International Guidelines for Ethical Review of Epidemiological Studies. 1991. [March 4, 2014]. Note 6, at paragraphs 18–21. http://www.cioms.ch/publications/guidelines/1991_texts_of_guidelines.htm.
16. Council for International Organizations of Medical Sciences. International Guidelines for Ethical Review of Epidemiological Studies. 1991. [March 4, 2014]. Note 6, at paragraph 26. http://www.cioms.ch/publications/guidelines/1991_texts_of_guidelines.htm.
17. Amy L. McGuire et al. Confidentiality, Privacy, and Security of Genetic and Genomic Test Information in Electronic Health Records: Points to Consider. Genetics in Medicine, July 2008; Witt, Magdalena M., and Michał P. Witt. “Privacy and Confidentiality Measures in Genetic Testing and Counselling: Arguing on Genetic Exceptionalism Again?” Journal of Applied Genetics 57.4 (2016): 483–485. PMC. Web. 26 July 2018. [PMC free article: PMC5061827] [PubMed: 26886574]
18. Council for International Organizations of Medical Sciences. International Guidelines for Ethical Review of Epidemiological Studies. 1991. [March 4, 2014]. See generally Note 6, at paragraph 43. http://www.cioms.ch/publications/guidelines/1991_texts_of_guidelines.htm. See also the Patient Protection and Affordable Care Act of 2010, Sec. 1101. http://www.gpo.gov/fdsys/pkg/PLAW-111publ148/pdf/PLAW-111publ148.pdf.
19. Council for International Organizations of Medical Sciences. International Guidelines for Ethical Review of Epidemiological Studies. 1991. [March 4, 2014]. Note 6, at paragraph 40. http://www.cioms.ch/publications/guidelines/1991_texts_of_guidelines.htm.
20. For a discussion of health information privacy and security considerations for entities that do not fall within the purview of HIPAA, see U.S. Department of Health and Human Services; Office of the National Coordinator for Health Information Technology. Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA. June 17, 2016. https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf.
21. See, for example, U.S. Department of Health and Human Services regulations at 45 CFR Part 46; 21 CFR Parts 50 and 56 for research conducted in support of products regulated by the U.S. Food and Drug Administration (FDA); and Williams ED. Federal Protection for Human Research Subjects: An Analysis of the Common Rule and Its Interactions with FDA Regulations and the HIPAA Privacy Rule. Congressional Research Service, Library of Congress. Updated June 2, 2005. http://www.fas.org/sgp/crs/misc/RL32909.pdf.
22. Regulations identical to 45 CFR 46 Subpart A apply to research funded or conducted by a total of 17 Federal agencies, some of which may also require additional legal protections for human subjects.
23. The final rule amending the Common Rule, published January 19, 2017, removes the option for institutions to “check the box” in their Federalwide Assurance with OHRP. 82 Fed. Reg. 7149, 7156 (Jan. 19, 2017). The compliance date of the aforementioned final rule has been delayed to January 21, 2019. Federal Policy for the Protection of Human Subjects: Six Month Delay of the General Compliance Date of Revisions While Allowing the Use of Three Burden-Reducing Provisions During the Delay Period, 83 Fed. Reg. 28,497 (June 19, 2018).
24. U.S. Department of Health and Human Services; Office for Human Research Protections. Terms of the Model Federalwide Assurance (FWA) for the Protection of Human Subjects. [March 4, 2014]. http://www.hhs.gov/ohrp/assurances/assurances/filasurt.html.
25. U.S. Department of Health and Human Services; Office for Human Research Protections. Guidance on Research Involving Coded Private Information or Biological Specimens. Oct 16, 2008. http://www.hhs.gov/ohrp/policy/cdebiol.html; Issues to Consider in the Research Use of Stored Data or Tissues. Nov 7, 1997. https://www.hhs.gov/ohrp/regulations-and-policy/guidance/issues-to-consider-in-use-of-stored-data-or-tissues/index.html.
26. U.S. Department of Health and Human Services; Office for Human Research Protections. Guidance on Research Involving Coded Private Information or Biological Specimens. Oct 16, 2008. http://www.hhs.gov/ohrp/policy/cdebiol.html.
27. 45 CFR Part 46, Subpart A.
28. See, for example, Epstein M; International Society for Pharmacoepidemiology. Guidelines for Good Pharmacoepidemiology Practices (GPP). Pharmacoepidemiol Drug Safety. 2005 August;14(8):589–95, on the essential elements of a protocol.
29. See 45 CFR 160.103.
30. 45 CFR 160.102, Applicability, and 160.103, definitions of covered entity, health care provider, health plan, health care clearinghouse, and transaction.
31. 45 CFR 160.103, definition of business associate.
32. 45 CFR 160.103 defines both “disclosure” and “use” for the purposes of the HIPAA Rules.
33. 45 CFR 160.203.
34. Maryland Health General Statute § 4–303(b)(4).
35. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule, 78 Fed. Reg. 5566 (January 25, 2013) (codified at 45 CFR pts 160 and 164). [PubMed: 23476971]
36. HITECH Act §13404(a); 45 CFR 164.104(b); 78 Fed. Reg. at 5591.
37. 15 USC 45(a)(1); see Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. March 2012. https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf.
38. Family Educational Rights and Privacy Act (FERPA), 20 USC 1232g, 34 CFR Part 99.
39. See U.S. Department of Health and Human Services; Office for Civil Rights. Guidance on HIPAA and Individual Authorization of Uses and Disclosures of Protected Health Information for Research. June 2019. https://www.hhs.gov/sites/default/files/hipaa-future-research-authorization-guidance-06122018%20v2.pdf.
40. 45 CFR 164.501.
41. 67 Fed Reg 53231, August 14, 2002.
42. 45 CFR 46.102(d).
43. National Institutes of Health. Health Services Research and the HIPAA Privacy Rule. May, 2005. NIH Publication Number 05-5308. http://privacyruleandresearch.nih.gov/healthservicesprivacy.asp. See also National Institutes of Health. Research Repositories, Databases, and the HIPAA Privacy Rule. Jan, 2004. NIH Publication Number 04-5489. http://privacyruleandresearch.nih.gov/research_repositories.asp.
44. 45 CFR 164.512(b).
45. Centers for Disease Control and Prevention. HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services. MMWR. 2003;52. [PubMed: 12741579]
46. 45 CFR 164.512(a).
47. 45 CFR 164.508(a).
48. 45 CFR 164.514(e).
49. 45 CFR 164.514(a)–(c).
50. 45 CFR 164.528.
51. 45 CFR 164.512(i)(1)(i).
52. 21 CFR 50.3(c).
53. The FDA has issued guidance pursuant to the 21st Century Cures Act indicating that it does “not intend to object to an IRB approving a consent procedure that does not include, or that alters, some or all of the elements of informed consent [under FDA regulations] or waiving the requirements to obtain informed consent” provided the IRB finds that certain criteria, comparable to those under the Common Rule, are satisfied. In the guidance, the FDA indicates that it intends to amend its regulations regarding informed consent to incorporate this waiver or alteration pathway, after which the FDA will withdraw the guidance. U.S. Food & Drug Admin., IRB Waiver or Alteration of Informed Consent for Clinical Investigations Involving No More Than Minimal Risk to Human Subjects at 4 (July 2017), available at https://www.fda.gov/downloads/RegulatoryInformation/Guidances/UCM566948.pdf.
54. 21 CFR Parts 50, 56.
55. 21 CFR 56.109(c)-(d).
56. Part 11 applies to electronic records that are created, modified, maintained, archived, retrieved, or transmitted under any FDA regulatory requirements, or that are submitted to the FDA under the statutory requirements of the FDCA or Public Health Service Act, as well as to electronic signatures. 21 CFR 11.1.
57. Note that the FDA currently exercises enforcement discretion with respect to certain Part 11 requirements and has issued draft guidance to update recommendations in its prior 2003 guidance document regarding the scope and application of Part 11 requirements. U.S. Food & Drug Admin., Part 11, Electronic Records; Electronic Signatures – Scope and Application (Aug. 2003), available at https://www.fda.gov/downloads/regulatoryinformation/guidances/ucm125125.pdf; U.S. Food & Drug Admin., Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 – Questions and Answers (Draft Guidance, June 2017), available at https://www.fda.gov/downloads/drugs/guidancecomplianceregulatoryinformation/guidances/ucm563785.pdf.
58. See 21 CFR 50.3(g) (definition of “human subject”).
59. 21 CFR 50.3(g).
60. 21 CFR 50.23, 50.24 (permitting exception from informed consent requirements only in certain life-threatening situations or for emergency research).
61. Pub. L. 114-255 (2016).
62. U.S. Food & Drug Admin., Use of Real-World Evidence to Support Regulatory Decision-Making for Medical Devices (Aug. 31, 2017), available at https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm513027.pdf.
63. U.S. Food & Drug Admin., Use of Real-World Evidence to Support Regulatory Decision-Making for Medical Devices at 11 (Aug. 31, 2017), available at https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm513027.pdf.
64. U.S. Food & Drug Admin., Use of Real-World Evidence to Support Regulatory Decision-Making for Medical Devices at 11 (Aug. 31, 2017), available at https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm513027.pdf.
65. U.S. Food & Drug Admin., Use of Real-World Evidence to Support Regulatory Decision-Making for Medical Devices at 12–17 (Aug. 31, 2017), available at https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm513027.pdf.
66. Centers for Disease Control and Prevention. Guidelines for Defining Public Health Research and Public Health Non-Research. Revised October 4, 1999. [March 4, 2014]. http://www.cdc.gov/od/science/integrity/docs/defining-public-health-research-non-research-1999.pdf. Gostin LO. Public Health Law: Power, Duty, Restraint. Berkeley and Los Angeles, CA: University of California Press; New York: The Milbank Memorial Fund; 2000. pp. 126–127. See also Council for International Organizations of Medical Sciences. International Guidelines for Ethical Review of Epidemiological Studies. 1991. [March 4, 2014]. Note 6, Introduction, noting that epidemiological practice and research may overlap. http://www.cioms.ch/publications/guidelines/1991_texts_of_guidelines.htm.
67. Bellin E, Dubler NN. The quality improvement-research divide and the need for external oversight. Am J Public Health. 2001;91(9):1512–1517. [PMC free article: PMC1446813] [PubMed: 11527790]; Lindenauer PK, Benjamin EM, et al. The role of the institutional review board in quality improvement: a survey of quality officers, institutional review board chairs, and journal editors. Am J Med. 2002;113(7):575–9. [PubMed: 12459404]; Lo B, Groman M. Oversight of quality improvement: focusing on benefits and risks. Arch Intern Med. 2003;163(12):1481–6. [PubMed: 12824099]
68. U.S. Department of Health and Human Services; Office for Human Research Protections. [March 4, 2014]. http://www.hhs.gov/ohrp.
69. National Institutes of Health. Health Services Research and the HIPAA Privacy Rule. pp. 2–3. NIH Publication Number 05-5308. http://privacyruleandresearch.nih.gov/healthservicesprivacy.asp. See also 45 CFR 164.501 for the definition of health care operations.
70. The use and disclosure restrictions under the Privacy Rule do not apply to data that has been de-identified in accordance with the Privacy Rule. Office for Civil Rights, Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, at 6 (Nov. 26, 2012), available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf. The Common Rule defines “human subject” in part as an individual about whom an investigator obtains identifiable private information. 45 CFR 46.102(f). For guidance regarding the use of coded identifiable private information, see Office for Human Research Protections, Coded Private Information or Specimens Use in Research, Guidance (2008), available at https://www.hhs.gov/ohrp/regulations-and-policy/guidance/research-involving-coded-private-information/index.html.
71. 21 CFR 56.102(c); Secretary’s Advisory Committee on Human Research Protections, Attachment E – Recommendations on FDA Draft Real-World Evidence Guidance (May 26, 2017), available at https://www.hhs.gov/ohrp/sachrp-committee/recommendations/attachment-e-august-2-2017/index.html (suggesting that identifiability is one criterion the FDA could adopt in clarifying which registries constitute clinical investigations).
72. The identifiability of genomic information and biospecimens was the subject of extensive debate during the notice and comment rulemaking process to amend the Common Rule. In the September 8, 2015 Notice of Proposed Rulemaking to amend the Common Rule, the Common Rule Agencies had proposed to consider any biospecimen to constitute a “human subject” even if the investigator does not have access to information that would enable him/her to identify the individual from whom the biospecimen was obtained. Federal Policy for the Protection of Human Subjects, 80 Fed. Reg. 53,933, 53,936 (Proposed Rule, Sept. 8, 2015). This proposal was not finalized. See Section [3.3] for a more detailed discussion of considerations relating to genomic privacy.
73. A copy of the HHS version of the “Common Rule,” 45 CFR Part 46, subpart A, and additional subparts B, C, and D regarding vulnerable populations, with which institutions must comply until January 21, 2019 (the general compliance date of the Common Rule Final Rule), may be obtained on the Web site of the Office for Human Research Protections (OHRP) in the U.S. Department of Health and Human Services. [March 4, 2014]. http://www.hhs.gov/ohrp/humansubjects/guidance/45cfr46.html. A copy of the Common Rule Final Rule, the fate of which is subject to some uncertainty due to the delays to its effective and compliance date following its publication, likewise may be obtained on the Web site of OHRP. https://www.gpo.gov/fdsys/pkg/FR-2017-01-19/pdf/2017-01058.pdf.
74. A copy of the “Privacy Rule,” 45 CFR Parts 160 and 164, may be obtained on the Web site of the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services. [March 4, 2014]. http://www.hhs.gov/ocr/hipaa/finalreg.html.
75. 21 CFR Parts 50, 56, 312, and 812 are key FDA regulations governing the scope of good clinical practice.
76. The Common Rule as adopted by the U.S. Department of Health and Human Services contains special protections for certain defined “vulnerable” populations, i.e., women, human fetuses, neonates, prisoners, and children. See 45 CFR Part 46, Subparts B, C, D.
77. American College of Epidemiology: Policy Statement on Sharing Data from Epidemiologic Studies. May, 2002. [March 4, 2014]. http://www.acepidemiology.org/sites/default/files/DataSharing.pdf.
78. 45 CFR 46.102.
79. National Cancer Institute. Surveillance Epidemiology and End Results. [August 27, 2012]. http://seer.cancer.gov.
80. 45 CFR 164.512(b).
81. Gostin LO, Lilienfeld DE, Stolley PD. Foundations of Epidemiology (revised). Oxford University Press; 1994. p. 104. See also Gostin LO. Public Health Law: Power, Duty, Restraint. Berkeley and Los Angeles, CA: University of California Press; New York: The Milbank Memorial Fund; 2000. Note 43, at 114, Table 5.
82. 45 CFR 164.512(b)(1)(iii).
83. U.S. Food & Drug Admin., Use of Real-World Evidence to Support Regulatory Decision-Making for Medical Devices, at 19 (Aug. 31, 2017), available at https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm513027.pdf.
84. Scott Gottlieb, M.D., FDA Budget Matters: A Cross-Cutting Data Enterprise for Real World Evidence (July 10, 2018), https://blogs.fda.gov/fdavoice/index.php/2018/07/fda-budget-matters-a-cross-cutting-data-enterprise-for-real-world-evidence/.
85. U.S. Food & Drug Admin., Use of Real-World Evidence to Support Regulatory Decision-Making for Medical Devices, at 12 (Aug. 31, 2017), available at https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm513027.pdf.
86. 45 CFR 164.512(d).
87. 45 CFR 164.512(d)(1).
88. 45 CFR 46.102(d).
89. Whether the Common Rule applies by operation of law to human subjects research depends on whether the activity is funded or supported by a Common Rule Agency. See Section [2.2.1] for a discussion of how the Common Rule Final Rule amends the scope of the Common Rule and removes the ability of institutions to make a voluntary election in their FWAs to apply the Common Rule to all of their human subjects research, irrespective of the source of funding or support.
90. National Institutes of Health. Health Services Research and the HIPAA Privacy Rule. May, 2005. [March 13, 2014]. pp. 2–3. NIH Publication No. 05-5308. http://privacyruleandresearch.nih.gov/healthservicesprivacy.asp.
91. Centers for Disease Control and Prevention. Guidelines for Defining Public Health Research and Public Health Non-Research. Oct 4, 1999. [March 4, 2014]. pp. 126–7. http://www.cdc.gov/od/science/integrity/docs/defining-public-health-research-non-research-1999.pdf. Gostin LO. Public Health Law: Power, Duty, Restraint. Berkeley and Los Angeles, CA: University of California Press; New York: The Milbank Memorial Fund; 2000. Note 43. See also Council for International Organizations of Medical Sciences. International Guidelines for Ethical Review of Epidemiological Studies. 1991. [March 4, 2014]. Note 6, Introduction, noting that epidemiological practice and research may overlap. http://www.cioms.ch/publications/guidelines/1991_texts_of_guidelines.htm. And Bellin E, Dubler NN. The quality improvement-research divide and the need for external oversight. Am J Public Health. 2001;91(9):1512–1517. Note 44. [PMC free article: PMC1446813] [PubMed: 11527790]
92. Bellin E, Dubler NN. The quality improvement-research divide and the need for external oversight. Am J Public Health. 2001;91(9):1512–1517. Note 44. [PMC free article: PMC1446813] [PubMed: 11527790]; Lindenauer PK, Benjamin EM, et al. The role of the institutional review board in quality improvement: a survey of quality officers, institutional review board chairs, and journal editors. Am J Med. 2002;113(7):575–9. [PubMed: 12459404]; Lo B, Groman M. Oversight of quality improvement: focusing on benefits and risks. Arch Intern Med. 2003;163(12):1481–6. [PubMed: 12824099]
93. See 45 CFR 160.103 for the definition of individually identifiable health information and 45 CFR 164.514(a)–(c) and (e) on the de-identification of health information and limited datasets, respectively.
94. But see Section [2.2.1] for changes to the scope of the Common Rule under the Common Rule Final Rule.
95. 45 CFR 46.102(f).
96. 82 Fed. Reg. 7149 (Jan. 19, 2017) (see §__.102(e)(7)).
97. 82 Fed. Reg. 7149 at 7169.
98. 45 CFR 46.111(a)(7).
99. 45 CFR 46.116(a)(5).
100. 45 CFR 46.111(a).
101. U.S. Department of Health & Human Services, Office for Civil Rights. Guidance on HIPAA and Individual Authorization of Uses and Disclosures of Protected Health Information for Research. https://www.hhs.gov/sites/default/files/hipaa-future-research-authorization-guidance-06122018%20v2.pdf.
102. U.S. Department of Health & Human Services, Office for Civil Rights. Guidance on HIPAA and Individual Authorization of Uses and Disclosures of Protected Health Information for Research. https://www.hhs.gov/sites/default/files/hipaa-future-research-authorization-guidance-06122018%20v2.pdf. As indicated in this guidance, OCR issued the guidance as interim guidance to allow for additional consideration of the issue.
103. See 45 CFR 164.514(a)–(c) and (e) on the de-identification of health information and limited datasets, respectively.
104. 45 CFR 164.514(e)(2).
105. 45 CFR 164.514(b)(2).
106. 45 CFR 164.514(e). The creation of a limited dataset also does not require the removal of “[a]ny other unique identifying number, characteristic, or code”, nor a lack of “actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information”, as required for de-identification at 45 CFR 164.514(b)(2)(i)(R) and (b)(2)(ii), respectively.
107. See, e.g., Centers for Medicare & Medicaid Services. CMS Cell Size Suppression Policy. May 8, 2017. [August 7, 2018]. https://www.resdac.org/resconnect/articles/26.
108. 45 CFR 164.514(b).
109. The 18 identifiers that must be removed from PHI under the Safe Harbor de-identification method are: (a) names; (b) all geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000; (c) all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; (d) telephone numbers; (e) fax numbers; (f) electronic mail addresses; (g) Social security numbers; (h) medical record numbers; (i) health plan beneficiary numbers; (j) account numbers; (k) certificate/license numbers; (l) vehicle identifiers and serial numbers, including license plate numbers; (m) device identifiers and serial numbers; (n) web universal resource locators (URLs); (o) Internet Protocol (IP) address numbers; (p) biometric identifiers, including finger and voice prints; (q) full face photographic images and any comparable images; and (r) any other unique identifying number, characteristic, or code (except codes assigned by the covered entity to re-identify the de-identified information).
110. 45 CFR 164.514(b)(1).
111. 67 FR 53182, 53233, August 14, 2002.
112. 21 CFR 50.3.
113. 45 CFR 164.514(e)(4).
114. 45 CFR 164.514(e)(4)(ii)(A).
115. 45 CFR 164.514(e)(4)(ii)(C)(2) and (5), respectively.
116. 67 Fed Reg 53182, 53236, August 14, 2002.
117. 45 CFR 164.504(e).
118. Secretary’s Advisory Committee on Human Research Protections, Attachment C – Updated FAQs on Informed Consent for Use of Biospecimens and Data (April 11, 2018), available at https://www.hhs.gov/ohrp/sachrp-committee/recommendations/attachment-c-faqs-recommendations-and-glossary-informed-consent-and-research-use-of-biospecimens-and-associated-data/index.html.
119. 45 CFR 164.508.
120. 45 CFR 164.508(c).
121. 45 CFR 164.502(a)(1).
122. 45 CFR 46.116.
123. 21 CFR Part 50.
124. 45 CFR 164.508(b)(3).
125. 45 CFR 46.116; 21 CFR 50.25.
126. 45 CFR 164.512(i)(1)(i)(B).
127. 45 CFR 46.116(a)-(c).
128. Office for Human Research Protections. Attachment C – Recommendations for Broad Consent Guidance. July 26, 2017. [August 8, 2018]. https://www.hhs.gov/ohrp/sachrp-committee/recommendations/attachment-c-august-2-2017/index.html.
129. Office for Human Research Protections. Attachment C – Recommendations for Broad Consent Guidance. July 26, 2017. [August 8, 2018]. https://www.hhs.gov/ohrp/sachrp-committee/recommendations/attachment-c-august-2-2017/index.html.
130. 45 CFR 46.116(f)(1).
131. 21 CFR 50.25. U.S. Food & Drug Administration, Impact of Certain Provisions of the Revised Common Rule on FDA-Regulated Clinical Investigations (October 2018). https://www.fda.gov/downloads/RegulatoryInformation/Guidances/UCM623211.pdf.
132. 67 Fed Reg 53182, 53226, August 14, 2002.
133. National Institutes of Health. Institutional Review Boards and the HIPAA Privacy Rule. Aug, 2003. [March 4, 2014]. pp. 15–16. NIH Publication Number 03-5428. http://privacyruleandresearch.nih.gov/irbandprivacyrule.asp.
134. 45 CFR 164.508(b)(3); 78 Fed. Reg. at 5612.
135. 45 CFR 164.508(c) and 164.508(c)(1)(iv). See also U.S. Department of Health & Human Services, Office for Civil Rights. Guidance on HIPAA and Individual Authorization of Uses and Disclosures of Protected Health Information for Research. https://www.hhs.gov/sites/default/files/hipaa-future-research-authorization-guidance-06122018%20v2.pdf.
136. 45 CFR 164.508(c)(2)(iii).
137. 42 USC 241(d)(4); National Institutes of Health; Office of Extramural Research. Grants & Funding. Frequently Asked Questions, Certificates of Confidentiality. Definitions – What does identifying characteristic mean? [March 4, 2014]. http://grants1.nih.gov/grants/policy/coc/faqs.htm#369.
138. 21st Century Cures Act, Pub. L. 114-255, Sec. 2012 (2016); Nat’l Insts. of Health, Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality (NOT-OD-17-109), Sept. 7, 2017, available at https://grants.nih.gov/grants/guide/notice-files/NOT-OD-17-109.html.
139. Nat’l Insts. of Health, Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality (NOT-OD-17-109), Sept. 7, 2017, available at https://grants.nih.gov/grants/guide/notice-files/NOT-OD-17-109.html.
140. Nat’l Insts. of Health, Certificates of Confidentiality (CoC) Kiosk, Frequently Asked Questions, https://humansubjects.nih.gov/coc/faqs.
141. National Institutes of Health. NIH Announces Statement on Certificates of Confidentiality. Mar 15, 2002. [March 4, 2014]. Notice NOT-OD-02-037. http://grants1.nih.gov/grants/guide/notice-files/NOT-OD-02-037.html.
142. Information about obtaining a certificate of confidentiality is available at the “Certificates of Confidentiality Kiosk” on the National Institutes of Health Web site. [March 4, 2014]. http://grants.nih.gov/grants/policy/coc/index.htm.
143. National Institutes of Health; Office of Extramural Research. Certificates of Confidentiality: Background Information. February 14, 2006. [March 4, 2014]. http://grants.nih.gov/grants/policy/coc/background.htm.
144. 42 USCS 290dd-2 and 290ee-3; 42 CFR Part 2.
145. 42 CFR 2.52(a).
146. In re Philip Morris, 706 So. 2d 665 (La. App. 4 Cir. Jan. 28, 1998) (holding that raw data from research on tobacco use is protected under Louisiana statutes that govern the confidentiality of public health data).
147. See, for example, Wis. Stat. 146.38.
148. See supra note 55.
149. 45 CFR 164.512(i)(2)(ii).
150. 45 CFR 164.512(i)(2).
151. 45 CFR 164.512(i)(2)(iii) and (iv).
152. 45 CFR 46.116(f)(3).
153. Institutional Review Board Waiver or Alteration of Informed Consent for Minimal Risk Clinical Investigations, 83 Fed. Reg. 57,378 (Nov. 15, 2018); Institutional Review Board Waiver or Alteration of Informed Consent for Minimal Risk Clinical Investigations; Reopening of Comment Period, 84 Fed. Reg. 5968 (Feb. 25, 2019) (reopening comment period to allow for submission of comments by March 7, 2019).
154. U.S. Food & Drug Admin., IRB Waiver or Alteration of Informed Consent for Clinical Investigations Involving No More Than Minimal Risk to Human Subjects at 4 (July 2017), available at https://www.fda.gov/downloads/RegulatoryInformation/Guidances/UCM566948.pdf.
155. U.S. Food & Drug Admin., IRB Waiver or Alteration of Informed Consent for Clinical Investigations Involving No More Than Minimal Risk to Human Subjects at 4 (July 2017), available at https://www.fda.gov/downloads/RegulatoryInformation/Guidances/UCM566948.pdf.
156. Jennifer Kulynych & Henry T. Greely, Clinical Genomics, Big Data, and Electronic Medical Records: Reconciling Patient Rights with Research When Privacy and Science Collide, J. Law & Biosciences, April 2017, at 127, available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5570692/pdf/lsw061.pdf. [PMC free article: PMC5570692] [PubMed: 28852559]
157. The Common Rule and FDA regulations define “minimal risk” as where the probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests. 45 CFR 46.102(i); 21 CFR 50.3(k).
158. 45 CFR 46.117(c)(1).
159. 45 CFR 46.117(c)(2); 21 CFR 56.109(c).
160. 45 CFR 46.117(c); 21 CFR 56.109(d).
161. Kohn LT, Corrigan JM, Donaldson MS, editors. To Err is Human: Building a Safer Health System. Washington, D.C.: National Academies Press; 1999. [PubMed: 25077248]
162. 42 CFR § 3.402.
163. Nass SJ, Levit LA, Gostin LO, Committee on Health Research and the Privacy of Health Information, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Institute of Medicine; National Academies Press. The HIPAA Privacy Rule. [March 4, 2014]. http://www.nap.edu/catalog/12458.html. [PubMed: 20662116]
164. Nass SJ, Levit LA, Gostin LO, Committee on Health Research and the Privacy of Health Information, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Institute of Medicine; National Academies Press. The HIPAA Privacy Rule. p. 26. [March 4, 2014]. http://www.nap.edu/catalog/12458.html. [PubMed: 20662116]
165. 45 CFR § 160.103, definition of health information; 78 Fed. Reg. at 5658-61.
166. 74 FR 42740 (August 24, 2009); 78 Fed. Reg. at 5638-58 (January 25, 2013); 45 CFR 164.400-164.414.
167. But see supra note 25.
168. Center for International Blood & Marrow Transplant Research. [March 4, 2014]. http://www.cibmtr.org/pages/index.aspx.
169. 45 CFR 164.528(b)(4); Jennifer Kulynych & Henry T. Greely, Clinical Genomics, Big Data, and Electronic Medical Records: Reconciling Patient Rights with Research When Privacy and Science Collide, J. Law & Biosciences, April 2017, at 33, available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5570692/pdf/lsw061.pdf. The Privacy Rule creates a legal right for patients to receive, upon request, an accounting of certain disclosures of their PHI that are made by health care providers, insurance plans, and their business associates. 45 CFR 164.528. The accounting must include disclosures that occur with a waiver of authorization approved by a privacy board or IRB. The Privacy Rule specifies the information that an accounting should contain and requires it to cover a six-year period or any requested shorter period of time. 45 CFR 164.528(b)(1). The content of an accounting may be more abbreviated if, during the period covered by an accounting, the entity made disclosures for a particular research purpose for 50 or more individuals. 45 CFR 164.528(b)(4).
170.
- 45 CFR 46.116(d)(4).
- 171.
- Compare Ga. Code Ann. § 31-33-3 (2008) and Ind. Code Ann. § 16-39-5-3 (2016) with N.H. Rev. Stat. Ann. § 151:21 (2015)
- 172.
- Joyce C, Patry W, Leaffer M, et al. Copyright Law. 3rd ed. New York and San Francisco: Matthew Bender & Co., Inc; 1994. Introduction: the landscape of copyright; pp. 1–41. (reprinted 1997):chapter 1.
- 173.
- 17 U.S.C. §§ 103; Feist Publications, Inc. v. Rural Telephone Service, Co., Inc., 499 U.S. 340, 347–349 (1991).
- 174.
- 45 CFR 164.524 - .528; 78 FR 5566 at 5606 (January 25, 2013).
- 175.
- 45 CFR 164.501.
Principles of Registry Ethics, Data Ownership, and Privacy - Registries for Evaluating Patient Outcomes: A User’s Guide