Evolving Privacy Issues in Research with Human Participants at Home and Abroad Melissa M. Goldstein, JD Kirk J. Nahra Associate Professor, Department of WilmerHale Health Policy and Management 202.663.6128 Milken Institute School of Public Kirk.Nahra@wilmerhale.com Health @kirkjnahrawork The George Washington University mgoldste@gwu.edu
WILMERHALE Our presentation Key elements of the Common Rule Discussion of HIPAA and medical research A focus and discussion on some hot topics International/GDPR Complications De-identification issues Patient identification and location
Common Rule 45 CFR Part 46
45 CFR Part 46 (1981) • Common Rule (1991) • Baseline standard of human subjects research • Research conducted or supported by a federal agency • Does not apply to private research • Require review by an IRB • Emphasis on Individual Autonomy
45 CFR Part 46 • Subpart B: Fetuses, Pregnant Women, IVF • Subpart C: Prisoners • Subpart D: Children • No separate policies for those with diminished decisionmaking capacity • FDA operates under similar but not identical rules
Research vs. Non‐research Uses of Data • The main difference is the purpose of the use • Research Developing generalizable knowledge Often published or publicly available Can be observational, experimental, simulation, compiled, or reference Can include documents, surveys, data files, models, field notes, etc. • Source: https://www.bu.edu/datamanagement/background/whatisdata/ • Non‐research Internal business/operational improvement In health care, services/programs to improve overall public health and services
Revisions to the Common Rule • Released Jan. 18, 2017 by U.S. DHHS and 15 other federal agencies, in effect Jan. 21, 2019 • “strengthens protections for people who volunteer to participate in research, while ensuring that the oversight system does not add inappropriate administrative burdens, particularly to low‐risk research. It also allows more flexibility in keeping with today’s dynamic research environment.” (See http://wayback.archive‐ it.org/3926/20170127095200/https://www.hhs.gov/about/news/2017 /01/18/final‐rule‐enhances‐protections‐research‐participants‐ modernizes‐oversight‐system.html)
Decisions not (or Failure) to regulate • Decisions: • Not to update definition of identifiability • Not to adopt a standardized set of privacy and security safeguards for identifiable data and/or identifiable biospecimens
Biological Samples • Common Rule allows biological samples to be stored and used for research indefinitely as long as the sample is de‐identified. • Note: Drafters (~1981) did not foresee the possibility of reidentification, which may be possible today with the advent of genetic testing and sharing information on the internet…more on this later
Definition of Identifiability (1991) • Definition of “human subject” (and application of the rule) depends in part on whether the investigator conducting research obtains “identifiable private information” • “Private information” is considered individually identifiable only if the identity of the subject is or may readily be ascertained by the investigator or is associated with the information
Definition of Identifiability: New process • Common Rule departments will assess the scientific and technological landscape regularly to determine whether new developments require reconsideration of how identifiability is interpreted in the context of research
Privacy and Security Safeguards • Although the NPRM proposed the requirement of standardized privacy and security safeguards for biospecimens or identifiable private information (HIPAA‐esqe), the final rule instead retains the 1991 approach that rests the responsibility for ensuring appropriate safeguards upon IRBs
Re‐identification and Privacy With enough information, motivation, and effort, anonymized records could be used to identify people. • From genetic information : you can get racial background, genetic diseases, mitochondrial DNA (which indicates mother), and basic characteristics such as eye and hair color. • From insurance information : you can get age, weight, height, diseases, pregnancies, surgeries, current medication, and location of healthcare provider. • From pharmacy records and prescription insurance : you can get current medications, which can indicate diseases, psychological diseases, and can indicate if someone is on hormone therapy. • From self‐reported data: activity, location, weight, height, age, major medical conditions, sleep patterns
De‐identification and Re‐identification • De‐identification reduces risk ‐ it doesn’t eliminate it. • Policy currently provides incentives to de‐identify/reduce risk, but does not recognize re‐identification risks that remain.
WILMERHALE Research Principles (HIPAA) • HIPAA Standard - Research is defined in the Privacy Rule as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” • A covered entity may always use or disclose for research purposes PHI which has been de-identified. Page 15
WILMERHALE Research Principles (HIPAA) • Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule. Page 16
WILMERHALE Health Care Operations (HIPAA) • Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; • What does this mean? What does this allow? Page 17
WILMERHALE Research Principles (HIPAA) To use or disclose PHI without authorization by the research participant, a covered entity must obtain one of the following: • Documented Institutional Review Board (IRB) or Privacy Board Approval for “alteration or waiver of research participants’ authorization for use/disclosure of information about them for research purposes;” • Preparatory to Research • Limited Data Sets with a Data Use Agreement. Page 18
WILMERHALE Research Principles (HIPAA) The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: • an adequate plan to protect the identifiers from improper use and disclosure; • an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and Page 19
WILMERHALE Research Principles (HIPAA) • adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted; • The research could not practicably be conducted without the waiver or alteration; and • The research could not practicably be conducted without access to and use of the PHI. Page 20
WILMERHALE Research (HIPAA) Reviews preparatory to research. The covered entity obtains from the researcher representations that: (A)Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; (B) No protected health information is to be removed from the covered entity by the researcher in the course of the review; and (C) The protected health information for which use or access is sought is necessary for the research purposes. Page 21
WILMERHALE Research - Discussion question • How do you find patients for research studies? Page 22
WILMERHALE Hot Topics GDPR Consent GDPR Controller/processor issues Global approach in general Patient Recruitment (intersection with other laws) Community participation in research/consent Use of broad consent for future research (for studies on stored identifiable data or biospecimens) Identifiability/De-identification/Re-identification Page 23
WILMERHALE Questions? • Melissa M. Goldstein, JD Associate Professor, Department of Health Policy and Management Milken Institute School of Public Health The George Washington University mgoldste@gwu.edu • Kirk J. Nahra WilmerHale 202.663.6128 Kirk.Nahra@wilmerhale.com @kirkjnahrawork Page 24
Recommend
More recommend
