45 CFR Parts 160 through 164
February 17, 2000
Margaret Ann Hamburg, M.D.
Assistant Secretary for Planning and Evaluation
U.S. Department of Health and Human Services
Attention: Privacy-P, Room G-322A
Hubert H. Humphrey Building
200 Independence Avenue SW
Washington, DC 20201
Re: 45 CFR Parts 160 through 164, As Proposed
Dear Dr. Hamburg:
On behalf of the International Society for Pharmacoepidemiology (ISPE), we are submitting comments regarding the proposed rule, Standards for Privacy of Individually Identifiable Health Information, published in the November 3, 1999 Federal Register.
ISPE is a non-profit international professional membership organization dedicated to promoting pharmacoepidemiology, the science that applies epidemiological approaches to studying the use, effectiveness, value, and safety of pharmaceuticals. ISPE is firmly committed to providing an unbiased scientific forum for the views of all parties with interests in drug development, drug delivery, drug use, drug costs, and drug effects. Our organization includes more than 1100 members from 45 countries, representing academic institutions (41%), industry (35%), government agencies (11%) and professionals working in clinical practice and consulting (13%).
ISPE developed a position paper on data privacy, Data Privacy, Medical Record Confidentiality, and Research in the Interest of Public Health, published September 1, 1997 and amended August 19, 1998. As we state in that paper, ISPE embraces the principle of protecting the confidentiality of individually identifiable medical information while preserving justified research access to such information in the interest of the public's health. ISPE urges that any new regulations or legislation aimed at further protecting data privacy should be formulated with a full awareness of the value to society of epidemiological research. A hard copy of the ISPE position paper is attached, and may also be accessed through the ISPE website address, http://www.pharmacoepi.org.
ISPE is disappointed that Congress has failed to enact comprehensive federal health data privacy legislation. In absence of Congressional action, we commend the Secretary for proposing the data privacy regulations that were mandated by the Health Insurance Portability and Accountability Act (HIPAA). As stated in our position paper on data privacy, ISPE has endorsed a set of principles for data privacy protection that draw on a report developed for the Secretary of HHS1 in preparing her recommendations to Congress for comprehensive medical privacy legislation, and we believe that our principles are consistent with the Secretary's objectives with respect to these proposed regulations. We note, however, that HIPAA gives the Secretary only the limited authority to regulate health care entities that engage in certain financial or administrative transactions.
As the Secretary acknowledges, HIPAA does not establish the authority to regulate other users of health information, including researchers. ISPE regrets this limitation in the existing law. Ideally, ISPE would like to see researchers share some responsibility for the appropriate use of medical data. Yet we believe that an overly expansive approach to the regulations that implement HIPAA will not solve the problem of the statute's limited scope, and may in fact create unintended obstacles to epidemiology and other public health research. We are anxious to ensure that techniques the Secretary may use to assure the adequacy of protections within this limited domain do not inadvertently create technical requirements that are incompatible with the data needs and practical requirements for sound research. Thus, we appreciate the Secretary's acknowledgement in the preamble of the importance of database research to science and society, but we fear that elements of the proposed regulation will erect needless legal and logistical barriers to vitally important work in our field. In the body of our comments ISPE will discuss our concerns in detail and offer suggested modifications to the proposed regulation.
ISPE strongly supports the enactment of additional federal legislation to fill the gaps in the Secretary's current authority. Accordingly, we believe that Congress should act now to establish uniform federal protections for sensitive health information, and to ensure secure and appropriate access by researchers to important data resources so that they can continue to develop the knowledge necessary to understand and address the health needs of populations. Future legislation should also penalize inappropriate uses and disclosures of health information. As an advocate of new laws that would extend uniform confidentiality obligations to researchers, ISPE looks forward to participating in future legislative dialogues on research and privacy, including the upcoming debate over appropriate refinements to and expansion of the federal Common Rule.
- ISPE's Concerns Regarding Specific Provisions of the Proposed Rule
Pharmacoepidemiologists observe the behavior of patients in the real world of clinical medicine. Within the world of medicine, covered entities - medical centers, pharmacies, managed care organizations - are the primary repositories of the patient data that pharmacoepidemiologists use to study the determinants of medical conditions and the uses and benefits of medicines. ISPE is concerned that in the face of new legal liabilities created by the proposed regulation, covered entities will hesitate to share patient data with researchers, and pharmacoepidemiologists' access to essential sources of data will be threatened.
- "Minimum Necessary" Disclosure § 164.508(b)
The proposed regulation subjects a covered entity to civil and criminal penalties if the entity discloses data to researchers without meeting a series of exacting requirements. One of these requirements is that the entity disclose only the minimum amount of information necessary to accomplish the intended purpose of the disclosure. The covered entity must designate a special official to make "minimum necessary" determinations on an individual basis for each disclosure, and both the entity and the official must exhaust "all reasonable efforts" to minimize disclosures.
ISPE is quite concerned about the scope of this provision, for several reasons. First, we believe that the term "all reasonable efforts" is both too broad and too ambiguous. How can a covered entity ever be certain that it has made all reasonable efforts to disclose the minimum necessary information? This uncertainty creates a strong disincentive for covered entities to voluntarily make data available to researchers, especially when the entities may themselves have no relationship to the researchers nor any direct stake in the research being conducted.
Second, ISPE interprets the proposed regulation to mean that covered entities participating in multi-site research studies may no longer rely upon the consent form approved by a central institutional review board (IRB); nor may participating entities report data to the researcher using the case report form approved by the central IRB to guide what data points to include. Each site would need to undertake a separate "minimum necessary" review for each disclosure. These requirements erect significant barriers to the conduct of research and may compromise the integrity and validity of data combined from multiple sites.
For epidemiologists, multi-site research is a core methodology: we link records from many sources and entities and search for statistically significant patterns in aggregations of data. ISPE is concerned by several of the statements in the preamble indicating that the combination of data from different sites is in and of itself a suspect activity. We did not see any evidence in the Secretary's discussion that would support establishing significant barriers to epidemiologists' responsible use of comprehensive databases created from multiple sites and sources. We do know that the creation of such databases is the foundation of our scientific approach. ISPE believes that with due safeguards such as IRB or privacy board approval, studies that link or combine data from multiple sites and sources pose minimal risk of re-identification and subsequent harm to individuals.
In our view, therefore, the proposed regulation must be modified to permit us to standardize the form and content of disclosures across study sites through the use of a single, IRB-approved consent form or waiver of patient authorization. Likewise, the regulations should permit covered entities to update their disclosures to researchers with new information about adverse experiences without undertaking additional internal review. Prompt updates of relevant patient information are essential if researchers are to draw valid conclusions from an epidemiological database.
ISPE suggests that the Secretary modify the proposed regulation to permit covered entities to disclose information to researchers after making "reasonable" (though not "all reasonable") efforts to limit disclosure to the minimum necessary amount. We also suggest that the Secretary absolve a covered entity of the responsibility to make its own individual "minimum necessary" determinations if the entity is disclosing information pursuant to an IRB or privacy board- approved protocol, or for public health or regulatory purposes.
- Data Privacy Boards and Waiver of Authorization. § 164.510(j)(1)(ii).
ISPE enthusiastically endorses the Secretary's creation of new Data Privacy Boards (DPBs) empowered to authorize archival records research of the kind typically undertaken by epidemiologists. We have some experience with ethical review boards in other countries and our data privacy principles endorse the use of such boards. We have long been concerned that IRBs, while in theory well-positioned to review confidentiality issues, are overburdened and somewhat inconsistent in their approach to the review of non-interventional research. ISPE believes that DPB review will be a valuable complement to IRB oversight of research, but only if procedures for expedited review remain available under the Common Rule and the new medical privacy regulations.
Moreover, it is ISPE's position that IRBs need more explicit criteria to guide their review of records research, including their determinations of when data are sufficiently anonymized that a proposed study is exempt from full or even expedited review. ISPE is concerned, however, that the proposed criteria for waiver of the authorization required by the privacy regulation are confusing because they mix elements from the existing Common Rule waiver of subject consent (including consent to experimental interventions) and the elements that would be appropriate to safeguarding the patient's privacy interests and the confidentiality of information made available for research under such waiver of authorization. Until such time as research regulation is revisited2, we would urge the Secretary to simplify the waiver criteria and limit them to consideration and mitigation of the privacy risks that may arise in connection with the use of existing data, rather than matters such as the scientific value of the research project, provisions for contacting the subjects with follow-on information, and so forth.
ISPE suggests that the Secretary limit the DPB authority to waive authorization only to archival records research, and limit the waiver criteria, whether applied by an IRB or a DPB, to focus only on patient privacy and confidentiality protections.
- Form of Individual Authorization. § 164.508.
The Secretary proposes twelve mandatory requirements for a valid authorization for use of information in research, or for any other activities. Among these are the requirement that an authorization permit subjects to retroactively withdraw authorization for the use of their data, and the requirement that an authorization contain expiration dates. ISPE is deeply concerned about the implications of these particular requirements for the validity and scientific rigor of epidemiological research. Research subjects have the right to withdraw from further participation in a clinical trial at any time; they do not, and must not, have the unlimited right to block inclusion of their already collected information in the analysis of the trial results. Epidemiologists cannot draw valid and reliable conclusions from datasets that are riddled with missing data, and patients who self-select to revoke their consent may bias the outcome of data analyses.
Moreover, the proposed regulation could be interpreted to prohibit the authors of any published study from disclosing how many participants had chosen to block inclusion of their data in trial analyses, because disclosing this information would constitute further use of information after the patient had withdrawn authorization. Yet without these details about the composition of the study sample, the validity of any conclusion is suspect. Regulatory agencies will not accept studies in which the investigator cannot disclose which data have been withdrawn from statistical analysis; similarly, scientific journals will not accept the reports of such studies for publication. Indeed, under a worst case scenario, the proposed regulation's prohibition against revealing which participants revoked consent might be an invitation to scientific fraud. It is a fundamental requirement of any valid research report for the researcher to disclose the characteristics of the study population and to characterize any study drop outs. If the regulation prohibited the researcher from using information about the drop outs, an unscrupulous researcher could selectively encourage certain participants to withdraw permission for the use of their data without fear that attempts to bias study outcomes would be detected by the normal peer review and editorial review processes.
The proposed regulation also mandates expiration dates on all patient authorizations for research. ISPE understands the need for patients to have control over the release of their information; however, expirations simply don't make sense in the context of much clinical and epidemiological research. For example, some clinical trials are run until a fixed number of events occur, rather than for a fixed period of time. Even for trials of a predetermined duration, it is entirely likely that unanticipated questions about safety or efficacy will require further analyses after the study is completed - as when regulatory agencies ask a manufacturer to conduct long term follow-up studies of an approved drug when a safety problem is identified in a related drug. In fact, FDA regulations require the source documents for any data used in a submission to that agency to be available for audit and inspection. It also is customary for researchers to use data from completed trials to provide information that will make future trials more rigorous and cost-effective.
Tracking expiration dates and withdrawing expired data from existing databases could be a logistical nightmare for researchers. In the research context, the cost and complexity of the task for researchers and the burden on research participants who must be repeatedly approached to renew their consent may well outweigh any hypothetical benefits of time-limited authorizations. Additionally, there are often valid scientific and public health reasons to avoid placing fixed time limits on either research uses of data that have been collected from patients who consented to participate in an IRB approved protocol, or research uses of data collected pursuant to an IRB-approved waiver of authorization. For protocols that take a long time to accrue subjects, the attrition rate due to expiration of consents for subjects already tested may well make it impossible to assure a full and valid sample in each research arm.
ISPE suggests that the Secretary modify the proposed regulation to allow IRBs or privacy boards to determine the duration of consent and the circumstances under which a research participant should be permitted to retroactively revoke his or her consent to the use of data already collected by the researcher.
- Uses and Disclosures for Research Purposes. § 164.510(j).
When individual authorization is waived by an IRB or a DPB, the proposed regulation requires the board to consider requiring researchers to provide subjects with additional information after the completion of a study. For data studies, ISPE believes that this requirement is inappropriate, and is potentially more detrimental to patients' privacy interests than the conduct of the research itself.
Moreover, ISPE believes this requirement for the provision of additional information is inconsistent with the Secretary's rationale for prohibiting disclosures of "research information unrelated to treatment" for purposes other than research. Due to potential liability concerns under the privacy regulations, a covered entity may feel compelled to provide its patients whose records are used in research information about every risk factor identified by each study. Yet in most cases, the prognostic significance of these putative risk factors will be uncertain without further investigation. Information of uncertain clinical validity (i.e., "research information unrelated to treatment") is exactly the type of information that § 164.506(a)(1)(i) precludes a covered entity from using for healthcare decisions, and for which § 164.508(a)(3)(B) requires individual authorization. The privacy regulations should not mandate that a covered entity provide such information directly to patients. Through the publication of research findings and other channels of communication between researchers and providers, treating physicians currently receive information about research findings. A patient's physician, not a researcher, should be the one to contact a patient to discuss the significance of new research findings for that individual patient's care.
ISPE believes that requiring researchers to provide further information to an individual whose records were used in a study conducted under a waiver of authorization may prove harmful to participants, because research findings are often too preliminary for use in treatment decisions. ISPE suggests that this requirement be eliminated from the regulation, as the goal of full disclosure may be met in most cases by publication of the findings in the medical literature, or in the more rare cases where significant risks are uncovered, by pre-publication communication between the researcher and the provider who was the data source.
- Accounting of Disclosures. § 164.515.
ISPE is concerned that requiring a covered entity to keep a record of all disclosures other than those made for treatment, payment, healthcare operations, or law enforcement and regulatory oversight will, with respect to research, be contrary to the public and the patient's interest. Such a requirement could result in the creation of a permanent record listing all research studies in which a person's medical records have ever been used under a waiver of authorization. Such a database would be at least as sensitive as much of the patient's actual health information, since the very titles of many research projects may suggest diagnoses or other sensitive aspects of a patient's medical history. Compiling these data will be costly, and security will be difficult to maintain since the proposed regulation requires that these tracking records be disclosed to patients upon request.
- Creation of De-Identified Information. § 164.506(d).
ISPE applauds the Secretary for permitting and attempting to encourage the use of de-identified data for research. We are concerned, however, that the proposed regulations create an inflexible approach to de-identification and an unrealistic threshold for the covered entity to presume that its data have indeed been sufficiently de-identified to permit release to researchers. As the proposal now stands, a covered entity cannot de-identify data without removing identifiers such as date of birth and geographic codes, yet these variables are pertinent to virtually every epidemiological research project and their removal would make de-identified datasets useless for population-based research. At the extreme, the regulation would prevent epidemiologists from parsing data by geographic region. For example, an otherwise unidentifiable datum known to originate from the Framingham Heart Study would, under the proposed regulation, no longer be considered de-identified.
Removing all of the specific identifiers that the Secretary has proposed would make it difficult, if not impossible, for researchers to study the effects of environmental pollution or geographic variation in the incidence of cancers and other diseases. Instead of a regulatory laundry list of identifiers that must be removed from every dataset, ISPE supports the development of varying criteria for data that bear either a high or a low potential for re-identification. Here the statistical methods cited by the Secretary can aid covered entities in categorizing data appropriately.
Although ISPE agrees that de-identified data should be used whenever possible, we must alert the Secretary to the fact that in epidemiological research, re-identification often is both necessary and in the public interest. It may be necessary (with appropriate IRB review and waiver of authorization) to re-identify individuals to update study databases, to follow-up with a cohort of patients when new safety issues emerge, or to monitor the quality or authenticity of patient data. These purposes require retention within various databases of codes that permit related patient information to be linked or updated.
The proposed regulation does not accommodate this essential feature of epidemiological research. Even with all the listed identifiers removed, information is not de-identified under the regulation if a covered entity has any reason to believe that the recipient could re-identify individuals. ISPE believes that covered entities should be allowed to disclose data containing codes that would permit linkage and re-identification, so long as the covered entity retains the key to the code and limits uses of the code to the purposes defined and approved in the original research protocol. Moreover, it is important that covered entities be able to rely on others with statistical expertise to make these estimates. We are concerned that as is the case with the "minimum necessary" disclosure limitation discussed above, the regulation seems to require each covered entity to made de-identified data available for research only if it has the statistical expertise necessary to make such an assessment. This would severely limit epidemiologists' access to necessary data from smaller providers and more remote regions where institutions may not employ these statisticians.
ISPE suggests that the Secretary create more flexible and realistic standards for the de-identification of data. In particular, new regulations should tailor use restrictions to the statistical probability that data may be re-identified. Researchers should be permitted access to data that has been encoded to permit re-identification, so long as the use of code keys for re-identification is carefully monitored by a covered entity's privacy officer, or an IRB or DPB.
- Public Health. § 164.510(b).
ISPE believes that the language in the proposed regulation must be clarified to ensure that covered entities and pharmaceutical industry sponsors are permitted to meet their mandatory responsibilities to report adverse product experiences and their voluntary commitments to monitor approved products. Covered entities and sponsors must be able to establish exposure registries that solicit reports about health experiences of those who have been exposed to specific drugs, including prenatal exposures, immunization registries, and so forth. As we explain in greater detail in the ISPE position paper on data privacy, observational approaches such as pregnancy registries are often the only means of gathering critical public health information about risks to fetuses, because direct experimentation on pregnant women is in many cases unethical3.
ISPE suggests that the proposed regulation be amended to clarify that physicians and other covered entities may disclose patient health information in cooperation with any mandatory or voluntary product surveillance system, whether such a system is established by a manufacturer or by a regulatory authority.
- Structure of the General Rules. § 164.506.
ISPE endorses the principle that all health information should receive uniform protection from unauthorized use or disclosure. We congratulate the Secretary on her recognition that no additional, disease-specific provisions are necessary because the proposed regulation offers sufficient protection to all patients. We are concerned, however, that the proposed regulations do not address the cross-national transfer of data, which is essential to much epidemiological research, because the definition of "public health authority" is limited to U.S. agencies.
ISPE suggests that the regulations be amended to permit the cross-national transfer of data, particularly adverse experience reports.
ISPE appreciates the opportunity to submit our comments regarding the proposed regulation. As an organization and as individuals, we are fully committed to new rules that protect patient privacy. Yet as scientists engaged in public health research, we also hope that the Secretary will consider fully how new regulations that impede scientific research may ultimately do more harm than good. We offer these comments to assist the Secretary in modifying the proposed regulation to better balance individuals' privacy interests with society's need for sound information on medical and public health issues.
|Elizabeth Andrews, Ph.D.
International Society of Pharmacoepidemiology
|Don Willison, PhD
North American Data Privacy Committee
1 Privacy and Health Research: A Report to the US Secretary of Health and Human Services from William W. Lowrance. May, 1997. (Web site: http://aspe.os.dhhs.gov/datacncl/PHR.htm)
2 For example, the President's National Bioethics Advisory Commission (NBAC) is presently engaged in a comprehensive review of the scope and adequacy of human subjects protections under the Common Rule. For details, see the Agenda for the Jan. 13-14, 2000 NBAC meeting, available at http://www.bioethics.gov. We also understand that the Institute of Medicine has commissioned a report on the Common Rule, and that, in service of the same objective, the General Accounting Office is studying research that is not covered by the Common Rule.
3 International Society for Pharmacoepidemiology (1997) Data Privacy, Medical Record Confidentiality, and Research In the Interest of Public Health, Addendum 2, "Pregnancy Registry" (dated August 19, 1998).