Is Your Research Data Safe? Aligning HIPAA and the Common Rule

2012: Issue 1 - Focus on HIPAA/Privacy

Last summer, the United States Department of Health and Human Services (HHS) sought comments on potential revisions to the Common Rule [PDF] after over two decades of virtually no change. In the advanced notice of proposed rule making [PDF] related to the Common Rule, HHS sought to address concerns about institutional review boards’ (IRBs) review of informational risk, or those risks related to unauthorized release of research subject data, with the goal of balancing the protection provided by IRBs to human subjects with the progression of research. HHS looked to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its privacy and security standards as a potential framework to ensure these protections. In addition, HHS focused on the heightened risk in areas such as genetic research and sought feedback on future use biospecimens (such as tissue) and consent requirements.

HIPAA and Data Protection in the Face of New Technology

HHS recommended strengthening data protections in the Common Rule to minimize informational risk from the collection and analyses of research data. HHS concerns revolved around the potential for technology to convert currently de-identified information into identifiable data. HHS is also concerned that certificates of confidentiality fail to protect against unauthorized or accidental disclosures. Instead, certificates of confidentiality provide a legal right to refuse to disclose a subject’s data rather than create a legal requirement not to disclose. HHS questioned whether a standard should exist that prohibits re-identification outright or even sharing de-identified information in case it could be re-identified by the third party.

Protections for research subjects also can be found in HIPAA privacy and security rules, which require safeguards and standards for the use and disclosure of such information. HHS seeks to extend these standards to all investigators, even those investigators that are not covered entities under HIPAA. Under HIPAA, covered entities are defined as health plans, health clearing houses, and certain health care providers, such as hospitals and physicians. HHS is considering adopting the HIPAA standards as follows:

Individual identifiable health information
Limited data set
De-identification of health information

HHS proposes to use the HIPAA standards to ensure physical safeguards and data protections are in place for such information (i.e., locked cabinets, encrypted emails).

This potential mandatory data and information protection standard could apply to all research involving the collection, storage, analysis or reuse of potentially identifiable information. HHS proposes taking the informational risk analysis away from the IRBs and make them standalone data standards. Researchers would then be accountable for meeting the standards and would be audited against those standards, rather than discussing their security protocols as part of the IRB review of their research. HHS went as far as to say that the breach notification standards that apply to HIPAA covered entities in the future might apply to the research world.

Biospecimens and Data Collection Consents for Future Studies

One issue IRBs struggle with relates to biospecimens collected for approved research that then is used in future research. Regardless of the de-identification standard adopted under the revised Common Rule, DNA extracted from a biospecimen could potentially link it to identify individuals. HHS specifically proposes the following related to biospecimens and data used in future studies:

Biospecimens. HHS proposes that the written consent requirements would apply to biospecimens as long the investigator does not possess the identifiable health information linking the biospecimens to the subject.
Pre-Existing Data Collected for Non-Research Purposes. Currently, the subjects’ written consent is required only if the investigator possesses information that would identify the subjects. Under HIPAA, an investigator could de-identify the information or use a limited data set without a written consent. HHS suggests this requirement will remain unchanged.
Data Collected for Research Purposes. If data is collected specifically for research purposes, a consent is required regardless of whether the investigator obtains identifiable health information on the research subjects. This is a dramatic change from current practice.

Consent could include general language regarding all data and biospecimens collected during a particular encounter (e.g., hospital stay) or even as broad as any data or biospecimen collected at any time by an institution. The consent would allow subjects the opportunity to check the box yes and no to permit future use of their biospecimens. HHS also realizes that certain biospecimen research may raise additional concerns and would require separate check boxes for each specific type of research, such as cell line or reproductive research.

Changes to Come Soon

Historic changes to the Common Rule are likely around the corner. The proposed rule will likely address the growing use of databases and technology by the research community. HHS seeks to address the privacy and security requirements to allow subjects to rest assured that if they participate in research their data is safe. Hospitals, IRBs, investigators, sponsors and others from the research community are eagerly awaiting the proposed rule from HHS. In reviewing the proposed rule, they should consider the impact of the data security and privacy standards on the progress of clinical research and the protection of subjects.