Focusing public attention on emerging privacy and civil liberties issues

Privacy and The Common Rule

Background

For decades the United States has utilized human subjects for research experimentation. Highly publicized ethical abuses in research, such as the Tuskegee Syphilis Study in which African-American men in Tuskegee, Alabama were infected with syphilis and left untreated by the U.S. Public Health Service so that doctors could monitor effects of the disease, led to the enactment of the 1974 National Research Act (Pub. L. 93-348). The Act created the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research (National Commission). In 1979, the National Commission published "Ethical Principles and Guidelines for the Protection of Human Subjects of Research,"-otherwise known as the Belmont Report. The Belmont Report focused on three essential ethical principles for human subjects research;-"respect for persons, beneficence, and justice."

The Department of Health and Human Services (HHS) was the first federal agency to revise its regulations for the protection of human subjects based upon the Belmont Report and incorporate the "Common Rule," codified at 45 CFR part 46, subparts A through E. Based partially on the Belmont Report, the Common Rule requires that "[f]ederally funded investigators in most instances obtain and document the informed consent of research subjects, and describes requirements for institutional review board (IRB) membership, function, operations, research review, and recordkeeping." Since its inception, 15 federal departments and agencies including HHS have codified the Common Rule in their agency regulations.

In response to the dramatic changes in the human subject research landscape, the Office of the Secretary of the Department of Health and Human Services and the Office of Science and Technology Policy issued an Advanced Notice of Proposed Rulemaking (ANPRM) in July 2011 requesting comment on possible Common Rule revisions. The ANPRM seeks comment on the following seven areas concerning the Common Rule: (1) ensuring risk-based protections; (2) streamlining IRB Review of Multi-Site Studies; (3) improving informed consent; (4) strengthening data protections to minimize information risks; (5) data collection to enhance system oversight; (6) extension of federal regulations; and (7) clarifying and harmonizing regulatory requirements and agency guidance.

Issues

The revisions to the Common Rule have important privacy implications. Concerning the first area of revision—ensuring risk-based protections—the ANPRM proposes "mandatory standards for data security and information protection whenever data are collected, generated, stored, or used." Further, the level of protection for these standards "would be calibrated to the level of identifiability of the information, which would be based on the standard of identifiability under the HIPAA Privacy Rule."

Concerning the third area of revision—improving informed consent—the ANPRM aims to shorten the lengthy boilerplate consent forms by removing extraneous legal terms and otherwise simplify the language to better ensure informed consent. The ANPRM also seeks recommendations to clarify statutory criteria that currently permit IRBs to waive obtaining informed consent in primary data collection. Additionally, the ANPRM also seeks comment detailing under what circumstances should consent for general unspecified research.

The ANPRM seeks recommendations concerning adopting HIPAA standards to establish "what constitutes individually identifiable information, a limited data set, and de-identified information." The ANPRM also proposes audits and additional enforcement tools to ensure data security and information protection compliance.

EPIC's Interest

EPIC continually advocates for health information privacy rights and deidentified patient data. In comments to the Department of Health and Human Services, Professor Latanya Sweeney, Director and Founder of Harvard University’s Data Privacy Lab, and EPIC urged the Department of Health and Human Services not to adopt standards that would weaken the privacy rights implicated by the Common Rule. Specifically, EPIC and Professor Sweeney underscored that "[a]pplying the HIPAA Privacy Rule standards for de-identification to research broadly in an attempt to protect against the information risks described in the [Advanced Notice of Proposed Rulemaking] is poorly understood and all evidence suggest the HIPAA standards are gravely inadequate."

In FAA v. Cooper, EPIC filed an amicus brief asserting that the government should be allowed to avoid liability by asserting that it caused only mental and emotional harm when it intentionally and willfully violated the Privacy Act. FAA v. Cooper involves the Social Security Administration's disclosure of a pilot's HIV Status. The oral arguments for the case will be held November 30, 2011.

In Sorrell v. IMS Health, 630 F.3d 263 (2nd Cir. 2010), a case that was later considered by the Supreme Court, EPIC filed an amicus brief in support of a challenged Vermont law that regulates data mining companies that sell or use doctors' prescribing records containing personal information on patients. EPIC argued that the privacy interest in safeguarding medical records is substantial and that the de-identification techniques adopted by data mining firms do not protect patient privacy. The Second Circuit struck down the Vermont law as violating the First Amendment. Writing in dissent and siding with EPIC, Judge Debra Ann Livingston said that the majority reached the "wrong result," creating "precedent likely to have pernicious broader effects"on medical privacy case law. The Supreme Court affirmed the Second Circuit decision.

In IMS Health v. Ayotte, 550 F.3d 42 (1st Cir. 2008), EPIC filed an amicus brief in support of a New Hampshire law that bans the sale of prescriber-identifiable prescription drug data for marketing purposes. EPIC argued that there is a substantial privacy interest in de-identified patient data. The First Circuit upheld the New Hampshire law, and the Supreme Court refused to hear the challenge to the law.

News Articles

Questioning Privacy Protection in Research, Patricia Cohen, The New York Times, October 23, 2011.