Evolving Privacy Issues in Research with Human Participants at Home - - PowerPoint PPT Presentation

evolving privacy issues in research with human
SMART_READER_LITE
LIVE PREVIEW

Evolving Privacy Issues in Research with Human Participants at Home - - PowerPoint PPT Presentation

Dec 17, 2022 302 likes •561 views

Evolving Privacy Issues in Research with Human Participants at Home and Abroad Melissa M. Goldstein, JD Kirk J. Nahra Associate Professor, Department of WilmerHale Health Policy and Management 202.663.6128 Milken Institute School of Public

slide-1
SLIDE 1

Evolving Privacy Issues in Research with Human Participants at Home and Abroad

Kirk J. Nahra WilmerHale 202.663.6128 Kirk.Nahra@wilmerhale.com @kirkjnahrawork Melissa M. Goldstein, JD Associate Professor, Department of Health Policy and Management Milken Institute School of Public Health The George Washington University mgoldste@gwu.edu

slide-2
SLIDE 2

WILMERHALE

Our presentation

Key elements of the Common Rule Discussion of HIPAA and medical research A focus and discussion on some hot topics International/GDPR Complications De-identification issues Patient identification and location

slide-3
SLIDE 3

Common Rule

45 CFR Part 46

slide-4
SLIDE 4

45 CFR Part 46 (1981)

  • Common Rule (1991)
  • Baseline standard of human subjects research
  • Research conducted or supported by a federal agency
  • Does not apply to private research
  • Require review by an IRB
  • Emphasis on Individual Autonomy
slide-5
SLIDE 5

45 CFR Part 46

  • Subpart B: Fetuses, Pregnant Women, IVF
  • Subpart C: Prisoners
  • Subpart D: Children
  • No separate policies for those with diminished

decisionmaking capacity

  • FDA operates under similar but not identical

rules

slide-6
SLIDE 6

Research vs. Non‐research Uses of Data

  • The main difference is the purpose of the use
  • Research
  • Developing generalizable knowledge
  • Often published or publicly available
  • Can be observational, experimental, simulation, compiled, or

reference

  • Can include documents, surveys, data files, models, field notes, etc.
  • Non‐research
  • Internal business/operational improvement
  • In health care, services/programs to improve overall public health

and services

  • Source: https://www.bu.edu/datamanagement/background/whatisdata/
slide-7
SLIDE 7
  • Released Jan. 18, 2017 by U.S. DHHS and 15 other federal agencies, in

effect Jan. 21, 2019

  • “strengthens protections for people who volunteer to participate in

research, while ensuring that the oversight system does not add inappropriate administrative burdens, particularly to low‐risk research. It also allows more flexibility in keeping with today’s dynamic research environment.” (See http://wayback.archive‐ it.org/3926/20170127095200/https://www.hhs.gov/about/news/2017 /01/18/final‐rule‐enhances‐protections‐research‐participants‐ modernizes‐oversight‐system.html)

Revisions to the Common Rule

slide-8
SLIDE 8
  • Decisions:
  • Not to update definition of identifiability
  • Not to adopt a standardized set of privacy and security safeguards for

identifiable data and/or identifiable biospecimens

Decisions not (or Failure) to regulate

slide-9
SLIDE 9

Biological Samples

  • Common Rule allows biological samples to be stored and used for

research indefinitely as long as the sample is de‐identified.

  • Note: Drafters (~1981) did not foresee the possibility of reidentification, which

may be possible today with the advent of genetic testing and sharing information on the internet…more on this later

slide-10
SLIDE 10
  • Definition of “human subject” (and application of

the rule) depends in part on whether the investigator conducting research obtains “identifiable private information”

  • “Private information” is considered individually

identifiable only if the identity of the subject is or may readily be ascertained by the investigator or is associated with the information

Definition of Identifiability (1991)

slide-11
SLIDE 11
  • Common Rule departments will assess the

scientific and technological landscape regularly to determine whether new developments require reconsideration of how identifiability is interpreted in the context of research

Definition of Identifiability: New process

slide-12
SLIDE 12
  • Although the NPRM proposed the requirement of standardized

privacy and security safeguards for biospecimens or identifiable private information (HIPAA‐esqe), the final rule instead retains the 1991 approach that rests the responsibility for ensuring appropriate safeguards upon IRBs

Privacy and Security Safeguards

slide-13
SLIDE 13

Re‐identification and Privacy

With enough information, motivation, and effort, anonymized records could be used to identify people.

  • From genetic information: you can get racial background, genetic diseases, mitochondrial

DNA (which indicates mother), and basic characteristics such as eye and hair color.

  • From insurance information: you can get age, weight, height, diseases, pregnancies,

surgeries, current medication, and location of healthcare provider.

  • From pharmacy records and prescription insurance: you can get current medications, which

can indicate diseases, psychological diseases, and can indicate if someone is on hormone therapy.

  • From self‐reported data: activity, location, weight, height, age, major medical conditions,

sleep patterns

slide-14
SLIDE 14

De‐identification and Re‐identification

  • De‐identification reduces risk ‐ it doesn’t eliminate it.
  • Policy currently provides incentives to de‐identify/reduce

risk, but does not recognize re‐identification risks that remain.

slide-15
SLIDE 15

WILMERHALE

Research Principles (HIPAA)

  • HIPAA Standard - Research is defined in the Privacy Rule as

“a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”

  • A covered entity may always use or disclose for research

purposes PHI which has been de-identified.

Page 15

slide-16
SLIDE 16

WILMERHALE

Research Principles (HIPAA)

  • Under the Privacy Rule, covered entities are permitted

to use and disclose protected health information for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule.

Page 16

slide-17
SLIDE 17

WILMERHALE

Health Care Operations (HIPAA)

  • Conducting quality assessment and improvement activities,

including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities;

  • What does this mean? What does this allow?

Page 17

slide-18
SLIDE 18

WILMERHALE

Research Principles (HIPAA)

To use or disclose PHI without authorization by the research participant, a covered entity must obtain one of the following:

  • Documented Institutional Review Board (IRB) or Privacy Board Approval

for “alteration or waiver of research participants’ authorization for use/disclosure of information about them for research purposes;”

  • Preparatory to Research
  • Limited Data Sets with a Data Use Agreement.

Page 18

slide-19
SLIDE 19

WILMERHALE

Research Principles (HIPAA)

The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

  • an adequate plan to protect the identifiers from improper use and

disclosure;

  • an adequate plan to destroy the identifiers at the earliest opportunity

consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is

  • therwise required by law; and

Page 19

slide-20
SLIDE 20

WILMERHALE

Research Principles (HIPAA)

  • adequate written assurances that the PHI will not be reused or disclosed

to any other person or entity, except as required by law, for authorized

  • versight of the research project, or for other research for which the use
  • r disclosure of PHI would be permitted;
  • The research could not practicably be conducted without the waiver or

alteration; and

  • The research could not practicably be conducted without access to and

use of the PHI.

Page 20

slide-21
SLIDE 21

WILMERHALE

Research (HIPAA)

Reviews preparatory to research. The covered entity obtains from the researcher representations that: (A)Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; (B) No protected health information is to be removed from the covered entity by the researcher in the course of the review; and (C) The protected health information for which use or access is sought is necessary for the research purposes.

Page 21

slide-22
SLIDE 22

WILMERHALE

Research

  • Discussion question
  • How do you find patients for research studies?

Page 22

slide-23
SLIDE 23

WILMERHALE

Hot Topics

GDPR Consent GDPR Controller/processor issues Global approach in general Patient Recruitment (intersection with other laws) Community participation in research/consent Use of broad consent for future research (for studies on stored identifiable data or biospecimens) Identifiability/De-identification/Re-identification

Page 23

slide-24
SLIDE 24

WILMERHALE

Questions?

  • Melissa M. Goldstein, JD

Associate Professor, Department of Health Policy and Management Milken Institute School of Public Health The George Washington University mgoldste@gwu.edu

  • Kirk J. Nahra

WilmerHale 202.663.6128 Kirk.Nahra@wilmerhale.com @kirkjnahrawork

Page 24