Genentech, Inc.
Mr. Chairman and Members of the Committee. Thank you for inviting me to testify today regarding Genentech's concerns with the Privacy Rule published by the Department of Health and Human Services (HHS). My name is Bernice Welles. I am head of Product Development at Genentech, one of the nation's leading biotechnology companies. Over the past several years, Genentech has been uniquely involved in the national debate regarding the confidentiality of patient health information. As such, we appreciate this opportunity to share with you our experience, and our serious concerns with the impact of the HHS Privacy Rule on biomedical research. We have submitted for the record a copy of our official comments on the Interim Final Rule (March 29, 2001), along with specific recommendations for modification of the Rule.
We have spent innumerable hours analyzing this Rule and preparing for our compliance with its requirements. While Genentech is able to comply with the letter of the Rule, the scope and structure of the Rule could make this fact moot. Simply put, Genentech believes that, as currently written, the HHS Privacy Rule will have a detrimental impact on the ability of academic and private researchers to pursue our critical mission - to research, develop, test and monitor breakthrough therapies for serious unmet medical needs. And without swift and significant modification, patients will unavoidably be denied access to these medical breakthroughs, causing harm overall to the nation's health and health care system.
Specifically, we are concerned about the following: (1) the overall structure of the Rule; (2) the definition of "de-identified"; (3) the provisions relating to patient registries; (4) the "minimum necessary" requirements; and (5) the Rule's modifications to the existing Common Rule.
Overall Structure of the Rule
Our primary concern with the Rule is that it appears to have placed all of the obligations, responsibilities and liabilities associated with disclosure of protected health information for research purposes on the wrong entities. Specifically, the rules all apply to HIPAA covered entities, with some obligations placed on researchers themselves. In light of these obligations and potential liabilities, we are concerned that covered entities, which are important data sources for research companies, will be less willing to share with us this rich resource of data. Such a chilling effect on the willingness of covered entities to disclose Protected Health Information (PHI) to researchers would seriously undermine biomedical research nationwide.
To cure this potential effect, we recommend revising the Rule to include "research" as an activity for which covered entities are allowed to disclose PHI without patient authorization, along with "treatment, payment and health care operations." As researchers, we would remain obligated to protect this information and to limit our uses of the information consistent with that which is otherwise allowed by the Rule. In addition, we believe that IRB or privacy board review of a particular research protocol would still be necessary to determine whether the patient's authorization would be required to use the data for research or whether the circumstances warrant waiver of such authorization. In so doing, access to the data would be allowed, yet use of the data by the researcher remains controlled under the Rule to ensure its confidential and responsible use.
Definition of De-identified
Although many point to the Rule's reliance on "de-identification" as a way to circumvent the myriad requirements necessary to obtain PHI for research purposes, our literal reading of the definition of "de-identified" is that it is too restrictive to meet. Specifically, Method 2 requires that the PHI be stripped of each of 18 kinds of identifiers and that the entity does not have actual knowledge that the data could be used alone or in combination with other information to identify an individual. First, stripping the data of the types of identifiers specified in the regulation would render a data set essentially useless for research purposes. For example, knowledge of a patient's age and gender are relevant when researching the association between age and sex with risk for heart attack.
In addition, the second test in method two establishes an impossible standard. In reality, researchers are almost always aware that a particular data set could be used or combined with other data to ultimately identify an individual. By relying on what could be done with the data rather than on what is actually done, the Rule arguably establishes an impossible standard to satisfy.
Alternatively, Method One (which calls for a subjective review by a statistician) is equally unrealistic in that it will prove costly, time consuming and administratively burdensome in practice, particularly for large scale studies involving reviews of thousands of archived patient records.
For these reasons, we recommend amendments be made to the definition of "de-identified" under the Rule, which are attached.
Post Marketing Surveillance and Patient Registries
The Rule allows for disclosure of PHI without an individual's authorization for use in patient registries and post-marketing surveillance studies, but only where such registries or studies are required by law. To date, most registries are not required by law but are strongly encouraged by the Food and Drug Administration (FDA) as an effective tool for monitoring ongoing safety and efficacy of drugs already approved by the FDA. The ability to obtain specific patient authorization for these large-scale studies is impossible, and if enforced, would dramatically limit the scope and quality of information obtained for this important aspect of the research continuum.
Accordingly, we recommend that the existing language of the Rule be replaced with language which allows disclosure of PHI "to conduct post marketing surveillance using procedures and formats for registries and reports that do not identify patients by name or with identifiers such as address, phone number or email address."
Minimum Necessary Requirement
The Rule's "minimum necessary" requirement, which limits the PHI a covered entity may disclose to that which is the "minimum necessary" to achieve the specified purpose, is particularly problematic when applied to research uses of data. Specifically, should a covered entity decide to disclose PHI to a researcher, pursuant to the various requirements imposed under the Rule, the covered entity is further limited to disclose only the minimum amount of PHI necessary to the performance of the particular research goal. Researchers typically obtain information from multiple sources, each under the minimum necessary obligation. With different individuals responsible for each making subjective determinations regarding the minimum necessary requirement, researchers will inevitably receive disparate data sets. As such, researchers will be unable to establish a reliable baseline from which to study the data, as there will be no way to ensure that the data sets received are comparable. This requirement will undoubtedly introduce bias into records-based research, making the results of such research questionable at best.
Considering the unique needs of researchers, we recommend that the "minimum necessary" requirement be waived when PHI is lawfully disclosed for research purposes.
Modification of the Common Rule
Finally, we are troubled that the Rule directly modifies the existing Common Rule, which we strongly believe is beyond the scope of the HIPAA mandate. Specifically, the Rule imposes an unprecedented new set of privacy conditions on research conducted in accordance with the Common Rule by requiring investigators to obtain an individual's authorization or waiver of authorization in addition to the informed consent obtained or waived under the Common Rule. Further, the Rule adds to the existing criteria an IRB (and now, a privacy board) is directed to consider when reviewing a research protocol. These new criteria go well beyond the arguable authority of an IRB by directing them to consider the overall merits of a particular research project. Until now, such judgments about what research has societal value are left to patients and to the marketplace. These new criteria suggest that the government should now play a role in directing the areas worthy of research.
We strongly believe that these substantive modifications to the Common Rule are well beyond the scope of HIPAA. As such, we recommend that the Rule be amended to exempt from the authorization and waiver of authorization requirements, all human subject research subject to review by a properly constituted IRB acting in accordance with the Common Rule. In addition, we recommend that the new IRB review criteria added by the Rule be deleted, leaving IRBs subject to the current Common Rule mandate.
Thank you all, again, for your time and consideration of these matters. We would be happy to discuss with you any questions you may have.
Recommended Amendments to HHS Privacy Rule
Overall Structure of the Rule
De-Identification of Protected Health Information
Post-Marketing Surveillance & Patient Registries
Minimum Necessary Standard
Common Rule Modifications