Existing Law

EXISTING LAW

Three separate categories of US laws govern confidentiality issues in epidemiologic and outcomes research: the Federal Common Rule, the new federal medical privacy regulations promulgated under HIPAA, and the laws of various states.

COMMON RULE

As discussed more fully below, the Federal Common Rule¹¹ was designed to be a mechanism for protecting the interests of human subjects in federally funded or regulated research. Congress did not enact a law regulating research under its power to regulate matters affecting interstate commerce or even under its authority to safeguard the rights and liberties of individuals under the Constitution. Rather, the law is an expression of a federal policy not to spend federal money on research that is not consistent with certain social values. As a result, the applicability of the Common Rule, and the scope of authority of the administering agencies, is somewhat odd. It applies to

·    research conducted by the 17 agencies that have adopted the rule;

·    recipients of federal research grants as a condition of awarding the grant;

·    research that is included in an application submit-ted to the Food and Drug Administration (FDA) for approval of a drug, biologic or certain devices and

·    all research conducted in or by an employee of an institution that has filed an ‘assurance’ with the Department of Health and Human Services, whether or not a specific project is federally funded.

Thus, research conducted in private clinics or insti-tutions that do not have federal grants or an assur-ance appears to fall outside the scope of the Common Rule, as does research conducted by commercial research organizations that will not be used in a regulatory submission, e.g. many epidemiologic and outcomes studies. But, because the records of interest in epidemiologic research often are those collected by institutions subject to the Common Rule, the would-be researcher faces a tremendous catch-22: the research is not subject to the regulation, and under the law, the researcher has no claim on the time or resources of an IRB for obtaining review of the project or waiver of consent. However, each of the multiple academic medical centres from which the researcher wishes to obtain data is subject to the rule and must have the proposal reviewed by its own IRB. For example an epidemiologic researcher who wishes to analyze data from Johns Hopkins, Duke, M.D. Anderson and Stanford University Medical Centers will have the project reviewed by four separate IRBs each of which must approve the project and waive individual consent for it to go forward. In reality, if the researcher is not affiliated with the institution, it may be very difficult to get the IRB to review the proposal without form-ing a collaborative relationship with someone affil-iated with each institution who can get the project on the IRBs’ schedules or confining one’s research to those institutions that already have such collabo-rative arrangements. Neither is particularly compat-ible with sampling considerations for epidemiologic research.

Moreover, it is not clear that legal – and organizational – responsibility for review of large, multisite epidemiologic studies appropriately should be delegated and diffused in this manner, rather than being assumed by the research entity that is account-able for use and security of the data.

HIPAA MEDICAL PRIVACY LAW

The federal privacy regulations under HIPAA estab-lish that ‘covered entities’ may not use or disclose ‘protected health information’ except as permitted by the privacy regulation.¹² The regulation defines ‘covered entities’ to include health care providers (e.g. doctors, hospitals, laboratories, pharmaceuticals and clinics), health plans and health care clearing-houses.¹³ By requiring certain contractual terms in all covered entities’ contracts with vendors, suppli-ers and anyone else who may process or come into contact with protected health information in perform-ing services for the covered entity, the regulation indi-rectly applies to business associates of covered entities as well.

Under the privacy regulation, only the following categories of uses and disclosures of protected health information are permitted:

·    for purposes of treatment, payment and certain health operations related to the individual’s treat-ment or payment, with notice of these routine uses¹⁵;

·    for purposes unrelated to treatment, payment or health operations, with the prior written authoriza-tion of the individual;

·    for certain specific purposes enumerated in the regu-lation, including protecting the public health and conducting research under a waiver of authorization, provided that applicable conditions are met.¹⁷

In fact, the law expressly prohibits a covered entity from obtaining a blanket authorization for future research use of records of health care or health bene-fits; it also prohibits a covered entity from making the signing of any authorization a condition of treat-ment of the individual. Moreover, even with respect to permitted uses and disclosures, a covered entity may use or disclose only the minimum necessary infor-mation to accomplish the intended purpose. Unless every use or disclosure of information fits within one of these permitted categories, the provider or health plan would be exposed to potential civil and criminal penalties for supplying information to a researcher.

De-Identified Information

Many people have suggested that the regula-tion should not affect epidemiologic and outcomes research because it generally does not require access to ‘individually identifiable’ information. The statute says that ‘individually identifiable health information’ is any information, including demographic informa-tion collected from an individual, that (1) is created or received by a health care provider, health plan, employer or health care clearinghouse and (2) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an indi-vidual and (1) identifies the individual or (2) with respect to which there is a reasonable basis to believe that the information can be used to identify the indi-vidual.²⁰ Under the statute, information that does not fall within the category to be considered ‘individually identifiable’ is not subject to the statutory, or regulatory, requirements.

Congress, the US Department of Health and Human Services Regulatory, privacy advocates, the research community and others have wrestled with the defini-tion of what characteristics of data create a ‘reasonable basis to believe’ that it could be used to identify the individual. What would be a reasonable standard? On one extreme are researchers and public health advo-cates who might argue that all data should be consid-ered exempt if the key ‘direct identifiers’ are removed. From this perspective, the importance of research using these data outweighs the low probability that these data might be used (or misused) to re-identify individual patients. On the other end of the spectrum are experts in database manipulation who advise that any database, even with the complete removal of iden-tifiers, could potentially be overlain with other data sources and through probability matching on certain information fields, could be used to re-identify some percentage of individuals. These assertions, together with the fears of some privacy advocates, have led some to conclude that even if the researcher has no interest in knowing the patients’ identities, no intent to link the files to other files for this purpose and estab-lishes physical and procedural safeguards to make it difficult or impossible for employees to do so, the mere possibility that files could theoretically be linked to re-identify patients is a privacy risk to society that should not be permitted.

For its part, in implementing this definition, the Department of Health and Human Services seems to have listened to the database experts and created an extremely high standard for information to be consid-ered as falling outside the category of individually identifiable health information. It specifically defined such information as ‘de-identified’. It chose to use statistical probability – as determined by a statisti-cian – to establish the permissible practices that can be used to establish a ‘reasonable basis to believe’.

The agency’s approach is firmly grounded in the art and science of database manipulation. It does not ask whether a reasonable person looking at the data fields on an individual record could discern who the person is or how to contact him or her. The regulation does not take into consideration who will use the data, for what purpose or the security arrangements for protect-ing the data from being accessed by unauthorized individuals or from being used to identify individuals. Rather, it asks whether the data fields that appear in a data set also appear in databases that are generally available and which therefore could be used by some-one who is attempting to identify data subjects. Exam-ples of such generally available databases include state drivers license data, voter registration lists, the telephone book, birth records, credit reports and so on. Because the construction and renting of databases of all kinds has been prevalent in US society, this approach to de-identification presents considerable challenges.

The regulation offers a ‘safe harbour’ method in which the covered entity must (1) have no actual knowledge that the information could be used alone or in combination with other information to iden-tify participants and (2) all of the following must be removed from the data:

·    names;

·    all geographic subdivisions smaller than a state, including street address, city, county and precinct,

·    zip code and their equivalent geocodes (the initial three digits of zip codes may be used if the result-ing geographical area contains more than 20 000 people or, for areas with less, the initial three digits of the zip code must be changed to 000);

·    all elements of date (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death and all ages over 89 and all elements of dates indica-tive of such age, unless aggregated into a single category of age 90 or older;

·    telephone and fax numbers;

·    e-mail addresses;

·    social security, medical record, health plan benefi-ciary and account numbers;

·    certificate and license numbers;

·        vehicle identifiers and serial numbers, including license plate numbers;

·    device identifiers and serial numbers;

·    web universal resource locators (URLs);

·    Internet protocol (IP) address numbers;

·    biometric identifiers, including finger and voice prints;

·    full face photographic images and any comparable images and

·     any other unique identifying number, characteristic or code.

Some of the data fields in the list, such as social secu-rity number, e-mail address, telephone number and the like, offer a fairly ready way to find out who a data subject is.²¹ The other fields chosen for stripping appear a list of fields that a database expert would find to be useful for triangulating databases to zero in on identi-fied cases. Removal of all the fields listed in the regula-tion is the only ‘safe harbour’ for any data to be outside the regulation’s prohibitions on use or disclosure.

The only alternative to the safe harbour is for a statistician to find that the ‘risk is very small that the information could be used by an anticipated recipient to identify an individual who is the subject of the information’ (42 C.F.R. 164.514(a)(1)(i)). Under this ‘statistical’ method, a database can be considered ‘de-identified’

(a)if person with appropriate knowledge of and expe-rience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i)Applying such principles and methods, deter-mines that the risk is very small that the infor-mation could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and

(ii)Documents the methods and results of the analy-sis that justify such determination.

As the rule is constructed, the inclusion of a patient-related date of any kind in a data set appears auto-matically to transform the data into protected health information. As a result, unless a statistician makes the risk finding, transmission of data including dates to anyone would be a technical violation of the regu-lation. Likewise, ‘county’ and ‘zip code’ are in the list of fields that are automatically considered to be ‘identifiers’ that must be removed for data to fit the de-identification ‘safe harbour’. In fact, unless each patient authorizes the disclosure or unless a statistician renders a risk opinion, an overly strict reading of the regulation would make the disclo-sure of a table of frequencies that includes any of the suspect fields a disclosure of protected health information, particularly if the cell sizes are modest. Unfortunately, responsibility for deciding whether data meet these criteria is placed on the physicians, hospitals and health plans that are subject to enforce-ment penalties if they wrongfully disclose protected health information. As a result, unless statisticians develop a robust new business of delivering opin-ions regarding the probability of re-identification of databases that include various dates, data that meet the de-identification safe harbour are virtually useless for sound and informative epidemiologic or outcomes research.

Authorization for the Use and Release of Identifiable Information

The privacy regulation prohibits covered entities from using or disclosing protected health information for research purposes without an individual’s written authorization or a waiver of authorization in accord with the regulation. The regulation explicitly provides that using information for research is not one of the activities that is permitted under the arrangements for using and disclosing information for treatment, payment and health care operations. ‘Authorization’ to use information for research is required – in addi-tion to the requirements under the Federal Common Rule relating to ‘informed consent’ of the subject to participate in the research protocol – as discussed more fully below. Likewise, the criteria for waiver of authorization under the privacy regulation are differ-ent from and in addition to the criteria for waiver of informed consent under the Common Rule.

Authorization for Research

The privacy regulation specifies the required element for a valid authorization. To be effective, an autho-rization must include, among other elements

·     a specific description of the information to be used or disclosed;

·     specific identification of the person or entity with whom or to whom the covered entity may make the requested use or disclosure;

·     an expiration date;

·     a specific description of the purpose of the use or disclosure;

·     an explanation of how the individual may revoke the authorization;

·     a statement that the information disclosed may be subject to redisclosure by the researcher and no longer protected by the federal regulation and

·     whether the covered entity will receive either direct or indirect remuneration from a third party for making the disclosure, a statement to this effect.

The authorization must contain all the elements speci-fied in the privacy regulation, as well as any disclo-sures or elements required by any applicable state law, unless an IRB or privacy board grants a waiver of authorization or of the form of authorization with respect to one or more elements in accord with the regulation’s waiver criteria.

Waiver of Authorization Requirement

In lieu of asking individuals to authorize the disclo-sure of their protected health information, the covered entity may seek waiver of the authorization require-ment from an IRB established in accordance with the Common Rule or from a specially constituted privacy board. Either entity may grant a waiver of autho-rization if the research protocol meets the privacy regulation’s waiver criteria. These criteria resemble the Common Rule criteria for waiver of informed consent, discussed more fully below. However, the differences in type of risk and the findings, as well as the different purposes served by informed consent as opposed to the HIPAA authorization, have proved to be a significant source of confusion and administrative complexity for IRBs.

The medical privacy regulation became effective as of 14 April 2001. Because the regulation supple-ments but does not supersede the Common Rule, all data-only research that also is subject to the Common Rule must comply with requirements to have an IRB consider both a waiver of informed consent to participate in research and a waiver of authorization under the privacy regulation.

Research with Records of Deceased Individuals

Under the Common Rule, deceased individuals are not considered ‘human subjects’.²⁸ Absent state laws or institutional policies to the contrary, research using the records of deceased persons does not require IRB approval or an IRB waiver of informed consent. The privacy regulation, in contrast, includes deceased persons as ‘individuals’, whose privacy is protected by the regulation. The regulation states that a covered entity can provide access to records of deceased individuals only if it obtains representations from the researcher that the information sought will be used only for research purposes and is necessary for these purposes.²⁹ In addition, the covered entity, at its discretion, may require the researcher to document the death of the individuals whose protected health information is sought. Alternatively, an IRB or privacy board could waive authorization with respect to deceased individuals under the regulation’s criteria for waiver.

Data Use Agreement

In promulgating the final HIPAA medical privacy rule, the Secretary of Health and Human Services established an additional provision for data research using medical records in which ‘facially de-identified data’ could be made available for research and public health purposes under a data use agreement in which the researcher promises to protect the privacy of the data subjects and safeguard the data from use or disclosure for impermissible purposes.

When this proposed modification was announced, many in the research community applauded the possi-ble revisions as achieving a more appropriate balanc-ing of the public interest in research and public health with the public interest in protecting the privacy of data subjects. However, some expressed concern that even these arrangements for de-personalized, confi-dential use of facts compromise the privacy interests of the data subjects. In effect, the data use agree-ment binding the researcher was not believed to be adequate legal protection from the potential privacy risk that might result from a researcher’s violation of the provisions of the data use agreement.

As a result, the final regulation was a compro-mise: it is a hybrid of the protection provided by de-identification and the protection provided by the data use agreement binding the researcher not to use or disclose the data for purposes other than those spec-ified in the agreement. Unfortunately, the regulation specifically prohibits the use of this mechanism for research if a medical device serial number is included in the record to be reviewed – even if the agreement prohibits the researcher from using or disclosing the serial number in a way that would identify individ-uals. Thus, although this approach holds promise as a foundation for workable privacy protections that permit bona fide research, the HIPAA framework and authority is too fragmented to provide the necessary legal foundation.