Is Your Research Data Safe? HHS Seeks to Strengthen Protections Under the Common Rule
By: Sarah E. Swank and Aaron Rabinowitz*
HIT News (American Health Lawyers Association)
The regulations governing human subjects research are about to change dramatically. The U.S. Department of Health and Human Services (HHS) and the Office of Science and Technology Policy (OSTP) are in the process of overhauling the regulations related to the Federal Policy for the Protection of Human Subjects, or the "Common Rule," which was adopted in 1991 to promote uniformity, understanding, and compliance with human subject protections. In July 2011, HHS and OSTP released an advance notice of proposed rulemaking (ANPRM) in an effort to better protect human subjects while facilitating valuable research and reducing obstacles for investigators.1
A main focus of the changes is on informational risk, that is, the risks related to the unauthorized use or disclosure of subjects' information. HHS and OSTP looked to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its accompanying regulations, including the Privacy and Security Rules, as a potential framework for regulating informational risk. The scope of the potential changes will have significant implications for institutional review boards (IRBs), academic medical centers, community hospitals, contract research organizations, researchers, and the myriad other parties involved in clinical research. The release of the proposed rule is imminent, and it will be imperative for the research community to understand HHS' expectations with respect to research compliance.
The Current Data Security Rules
The current regulations for protecting human subjects have been in existence since 1991, when the Common Rule was published and codified in separate regulations by fifteen federal departments and agencies. In the intervening twenty years, however, HHS and OSTP have found that scientific and technological advances have rendered the Common Rule outdated and inefficient, especially as it relates to research data. When the Common Rule was first developed, human subjects research was predominantly conducted at universities, colleges, and medical institutions. Each study typically took place at a single site, and research data existed in paper form, protected by little more than a physical lock and key.
Today, human subjects research frequently involves multi-site clinical trials, electronic databases, genetic information, biological specimen repositories, and administrative claims data. Advances in genetics and information technologies have made the de-identification of biospecimens more difficult, and the ease of re-identification of sensitive health data is a mounting concern. These changes expose research subjects to informational risks that were largely nonexistent when the Common Rule was first promulgated.
Data Protection in the Face of New Technology
HHS and OSTP are seeking to modernize and strengthen data protections in the Common Rule to minimize informational risk from the collection and analysis of research data. At present, IRBs are charged with protecting human subjects from physical, psychological, and informational risks under the Common Rule. HHS and OSTP are questioning whether IRB oversight and review of research that poses informational risks is the optimal strategy for minimizing these risks. Often, IRB members do not possess the expertise required to assess the adequacy of data protections or to undertake an in-depth HIPAA analysis of the consent process and documents and of the privacy and security methods in research protocols. IRB review may not prevent inconsistent or inadequate protections for subjects' sensitive information, especially in multi-site studies. Other current approaches to minimizing informational risks face similar problems. Under the Public Health Service Act, for example, HHS is authorized to issue certificates of confidentiality to investigators conducting IRB-approved research that involves the collection of identifiable information. However, these certificates merely provide a legal right to refuse to disclose a subject's data. They do not prohibit disclosure of a subject's confidential information, nor do they protect against unauthorized or accidental disclosures.
HHS and OSTP believe that standardized data protections, in lieu of IRB review or certificates of confidentiality, may be a preferable way to minimize informational risks. HHS and OSTP have proposed mandatory data security and information protection standards that would apply to all research that involves the collection, storage, analysis, or reuse of identifiable or potentially identifiable information. These new standards would likely place the responsibility for data privacy and security protections on the investigators rather than the IRB. The level of protection required by the standards would be proportional to the level of identifiability of the information. Due to inconsistencies in how identifiable and de-identified information are defined under the Common Rule and other regulations, HHS and OSTP propose to adopt the HIPAA standards for what constitutes individually identifiable information, a limited data set, and de-identified information. Due to emerging technologies and evolving information risks, however, HHS and OSTP also propose to revisit the set of identifiers that must be removed from a dataset to be considered "de-identified" under both the Common Rule and HIPAA Privacy Rule. In addition, because it is possible to extract DNA from a biospecimen and link it to otherwise-available data to identify individuals, the proposed rule would categorize all research involving the primary collection of biospecimens and the storage or secondary analysis of existing biospecimens as research involving identifiable information. In the ANPRM, HHS and OSTP enumerated three proposed requirements to strengthen the protections for research studies that pose informational risks.
Data Security Standards
HHS and OSTP propose that research involving the collection and use of identifiable data, as well as data in limited data set form, would be required to adhere to data security standards modeled on the HIPAA Security Rule. Specifically, the proposed data security standards could require the use of reasonable and appropriate encryption for data maintained or transmitted in electronic form, and strong physical safeguards for information maintained in paper form. HHS and OSTP seek to vest investigators with responsibility for compliance with these standards, and they would apply to all research studies regardless of whether the investigator was a covered entity under HIPAA. Consequently, IRBs would no longer be responsible for the informational risk analysis, making it unnecessary for IRBs to review studies posing only informational risks or to consider informational risks in studies involving other risks to human subjects. Although IRBs may have difficulty with the application of informational risk standards in some instances, they can play a vital role in ensuring that investigators comply with the current HIPAA and Common Rule requirements before research is commenced.
HHS and OSTP also are considering extending the breach notification standards that apply to HIPAA covered entities for breaches of individually identifiable health information to all investigators, regardless of whether they are required to comply with HIPAA. Following the discovery of a breach of unsecured protected health information, the Health Information Technology for Economic and Clinical Health (HITECH) Act requires covered entities to notify the affected individual(s), the Secretary of HHS, and in certain cases the media (for breaches involving more than 500 residents of a state or jurisdiction). In addition, HITECH requires the Secretary of HHS to post a list of covered entities with breaches involving more than 500 individuals on an HHS website. While these breach notification requirements already apply to health plans, hospitals, and physicians regardless of whether they conduct research, their application to the rest of the world of human subjects research would be a significant change from existing practice.
De-identification of Data
The second proposed requirement to minimize informational risks is to amend the way that information is de-identified or put into limited data set form. Many investigators currently enlist "trusted third parties" to de-identify information by stripping research data of its identifiers, or to create limited data sets for research purposes, before the information is given to the investigator. This process adds complexity and intermediaries to the de-identification process, however, and HHS and OSTP instead wish to vest investigators with this responsibility. Consequently, the ANPRM would require investigators to adhere to the data security and information protection standards, which could render these third-party relationships unnecessary.
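The three identifiability tiers the ANPRM proposes to borrow from HIPAA, and the identifier-stripping step an investigator would take over from a trusted third party, as an added illustration written for this article (it is not HHS's, OSTP's, or the authors' code). The identifier lists follow the HIPAA Privacy Rule: the Safe Harbor identifiers at 45 CFR 164.514(b)(2) and the limited data set exclusions at 45 CFR 164.514(e)(2). The field names, the sample record, and the restricted-ZIP placeholder set are assumptions of the example:

```python
"""Added illustration (not from the article): the HIPAA identifiable /
limited data set / safe-harbor de-identified tiers applied to one record.

Identifier lists follow the HIPAA Privacy Rule (45 CFR 164.514(b)(2) for
Safe Harbor, 164.514(e)(2) for the limited data set).  Field names, the
sample record and the restricted-ZIP set are constructed for this example.
"""
from datetime import date

# Direct identifiers that must be removed for BOTH a limited data set and
# safe-harbor de-identified data.  Street-level address is the only
# geographic element a limited data set has to drop.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "face_photo",
}

# Elements a limited data set may keep but safe harbor must remove/generalize.
DATE_TO_YEAR = {"birth_date": "birth_year", "admission_date": "admission_year",
                "discharge_date": "discharge_year", "death_date": "death_year"}
LDS_ONLY_FIELDS = {"city", "county", "zip", *DATE_TO_YEAR}

# Safe harbor: a 3-digit ZIP prefix covering 20,000 or fewer people becomes
# "000".  Placeholder set for the example; the real list comes from Census
# data and is NOT reproduced here.
RESTRICTED_ZIP3 = {"036", "059"}


def to_limited_data_set(record):
    """Remove the direct identifiers; keep dates, city/state/ZIP and ages.
    Under HIPAA this form still requires a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def to_safe_harbor(record):
    """Safe-harbor de-identification, built on top of the limited data set."""
    out = to_limited_data_set(record)
    # (B) geography smaller than a state: keep only a ZIP3 prefix.
    out.pop("city", None)
    out.pop("county", None)
    if "zip" in out:
        zip3 = str(out.pop("zip"))[:3]
        out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
    # (C) dates directly related to the individual: retain the year only.
    for field, year_field in DATE_TO_YEAR.items():
        value = out.pop(field, None)
        if value:
            out[year_field] = date.fromisoformat(value).year
    # (C) ages over 89 are aggregated to "90+", and a birth year that would
    # reveal such an age is removed as well.
    age = out.get("age")
    if isinstance(age, int) and age > 89:
        out["age"] = "90+"
        out.pop("birth_year", None)
    return out


def classify(record):
    """Which tier a record sits in, judged from its field names and age.
    A pre-release check: 'identifiable' data is outside both safe harbor
    and the limited data set."""
    keys = set(record)
    if keys & DIRECT_IDENTIFIERS:
        return "identifiable"
    age = record.get("age")
    if keys & LDS_ONLY_FIELDS or (isinstance(age, int) and age > 89):
        return "limited data set"
    return "de-identified"


# Constructed sample record for a fictitious subject.
SAMPLE_RECORD = {
    "name": "Jane Doe", "mrn": "00123456", "email": "jane@example.org",
    "street_address": "12 Elm St", "city": "Springfield", "state": "MA",
    "zip": "01103", "birth_date": "1920-03-14", "admission_date": "2011-06-02",
    "age": 91, "sex": "F", "diagnosis_code": "E11.9", "hba1c": 7.4,
}

if __name__ == "__main__":
    for label, rec in (("original", SAMPLE_RECORD),
                       ("limited data set", to_limited_data_set(SAMPLE_RECORD)),
                       ("safe harbor", to_safe_harbor(SAMPLE_RECORD))):
        print(f"{label:17} -> {classify(rec):17} {sorted(rec)}")
```

The check in `classify` is a field-name test only. It says nothing about quasi-identifiers (a rare diagnosis plus a ZIP3 and an admission year, or DNA in a linked biospecimen) that can still re-identify a subject, which is exactly the concern the ANPRM raises in proposing to revisit the identifier list.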
Random Retrospective Audits
HHS and OSTP also propose to use periodic random retrospective audits and additional currently unspecified enforcement tools to mitigate informational risks and ensure compliance with data security and information protection standards. At this point, it is uncertain if these audits would resemble new HIPAA audits required by the HITECH Act, conducted by the HHS Office for Civil Rights. These efforts could be aided by the development of a central web-based repository that would house information on adverse events and unanticipated problems involving risks to subjects and others. Perhaps information breaches may be seen as adverse events, although HHS states it is not currently looking to expand the reporting requirements.
The Use of Tissue and Data for Future Studies
Investigators currently are required to obtain and document informed consent from subjects participating in research. The informed consent process has been heavily criticized, however, and HHS and OSTP are considering numerous changes to the regulations governing informed consent, especially to the length and complexity of the consent documents. One particularly salient area of concern is strengthening consent protections related to future research with pre-existing data and tissue (i.e., biospecimens).
Under the Common Rule and the HIPAA Privacy Rule, biospecimens and data that have been collected for purposes other than the proposed research can be used without obtaining informed consent or adhering to HIPAA authorization requirements if all identifiers are removed. If the identifiers have not been removed, the Common Rule permits investigators to obtain a general consent for future research with existing biospecimens and other information stored in databases under certain circumstances. The HIPAA Privacy Rule, in contrast, requires that authorizations for research be study specific.
IRBs frequently struggle with the use of biospecimens in future research. Regardless of the de-identification standard adopted under the revised Common Rule, DNA extracted from a biospecimen could potentially be linked to otherwise-available data to identify individuals. Some critics object to research performed on a person's biospecimens without consent. On the other hand, investigators worry that the need to obtain informed consent for every use of a biospecimen will significantly inhibit future research and create unmanageable logistical demands. To balance these competing concerns, HHS and OSTP propose that written general consent would be required for the research use of biospecimens. The standardized consent form could specifically permit the subject to say "no" to all future research, perhaps by checking a box.
The reuse of existing data can be an efficient way to conduct research without presenting additional physical or psychological risks to the human subject. HHS and OSTP are weighing several significant changes to the regulations that govern future research with pre-existing data:
- Pre-Existing Data Collected for Non-Research Purposes: Currently, a subject's written consent is required only if the investigator possesses information that could identify the subject. Under HIPAA, an investigator could de-identify the information, or use a limited data set under a data use agreement, without a written consent. This requirement would remain unchanged under the proposed rule.
- Pre-Existing Data Collected for Research Purposes: If data is collected specifically for research purposes, then consent would be required regardless of whether the investigator obtains identifiers. This represents a dramatic change from the prevailing interpretation of the Common Rule, which permits investigators to inform subjects during the research consent process that their data will be used for one purpose, and subsequently use that data for another purpose after it has been stripped of identifiers.
Under the proposed changes to the Common Rule, the consent process could include general language regarding all data and biospecimens collected during a particular encounter (e.g., a hospital stay) or any data or biospecimen collected at any time by the institution. Because the use of biospecimens may present unique concerns for a significant segment of the public, the consent process would permit subjects to check boxes to separately consent to specific types of future research (e.g., reproductive research, creating a cell line) while withholding consent for others.
The Scope of the Potential Changes
The proposed changes to the Common Rule significantly shift the locus of responsibility for research compliance and informational risk assessment from the IRB to the investigator. In addition, HHS and OSTP are considering whether to apply some of the proposed changes retroactively to existing data and biospecimens. For example, HHS and OSTP ask in the ANPRM whether the new data security and information protection standards should apply not only prospectively to data and biospecimens that are collected after the implementation of the new rules, but instead to all data and biospecimens. Retroactive application to existing data and biospecimens would impose an immense burden and responsibility on all participants in clinical research. Vast amounts of electronic data would have to be encrypted, and new safeguards for information stored in physical form would be required in compliance with the regulations.
HHS and OSTP are also proposing to substantially expand the application of the Common Rule. At present, only some research studies funded by certain federal agencies are subject to the Common Rule or similar protections. In the future, the Common Rule could be extended to govern all research with human subjects conducted in the United States, regardless of funding source. Alternatively, all institutions in the United States that receive some federal funding from a Common Rule agency for research with human subjects may be required to extend the Common Rule protections to all research studies conducted at the institution. Regardless of the specific changes that are adopted, many of the potential revisions to the Common Rule also will affect U.S. Food and Drug Administration regulations, HIPAA, and other regulations governing particular populations of vulnerable subjects. Consequently, these rules and regulations will need to be harmonized with any proposed regulatory changes made to the Common Rule.
1 Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators, 76 Fed. Reg. 44512 (July 26, 2011).
* Aaron Rabinowitz is a former member of the Ober|Kaler Health Law Group.