Research Projects Raise Privacy Issues
Regulators Seek Comments on Updating Privacy Guidelines
The Department of Health and Human Services and the Food and Drug Administration have extended until Oct. 26 the deadline for submitting comments on an advance notice of proposed rulemaking, which amounts to a solicitation of ideas for changing the regulations overseeing research on human subjects. The rule now in place, known as the Common Rule, has been in effect for 20 years, so it's woefully out of date.
Regulators are seeking feedback on a plan to establish mandatory data security and information protection standards for all studies involving identifiable or potentially identifiable data. Information about how to submit comments is in the notice.
"The current regulations governing human subjects research were developed years ago when research was predominantly conducted at universities, colleges and medical institutions, and each study generally took place at only a single site," according to the notice. "Although the regulations have been amended over the years, they have not kept pace with the evolving human research enterprise, the proliferation of multi-site clinical trials and observational studies ... research involving databases, the Internet, and biological specimen repositories and the use of advanced technologies, such as genomics."
De-Identification of Data
In a detailed section on "strengthening data protections to minimize information risks," the notice discusses the risks involved in de-identifying data for research purposes, an important area of concern for many privacy advocates.
"Rapidly evolving advances in technology coupled with the increasing volume of data readily available may soon allow identification of an individual from data that is currently considered de-identified," the notice acknowledges.
The notice also raises the notion of expanding the application of the HIPAA privacy and security rules to ensure they cover all researchers. But it also asks whether HIPAA, which contains some guidelines on de-identifying data for research purposes, is adequate to address all of the issues involved. And it seeks comments on whether additional data security and information protection standards should be considered.
We're hoping that this regulatory process, which could take many months to complete, will yield protections for patient information used in research that go far beyond what's now spelled out in HIPAA.
Tiger Team Deliberations
Meanwhile, the Privacy and Security Tiger Team, which advises the Office of the National Coordinator for Health IT, is studying the issues involved in secondary uses of patient information, such as for research.
The team will meet again Friday, Sept. 9, to continue its discussion of when a patient's consent should be required before their healthcare information can be used for research purposes, among other issues. In earlier discussions, the team has stressed that one of the core values it has articulated is: "Patients should not be surprised about or harmed by collections, uses or disclosures of their information."