National Committee on Vital and Health Statistics

August 22, 2001

Hearings on Research Implications of Final Medical Privacy Regulation

Prepared remarks of Donna A. Boswell

My name is Donna Boswell, and I am a partner at Hogan & Hartson, in Washington, DC. I want to thank the Committee for inviting me to be here today to discuss the research implications of the medical privacy regulation promulgated under HIPAA. Although our health care practice serves virtually all of the entities involved in the delivery and financing of health care, I want to focus today on the issues facing our clients who are research-based medical products companies (including pharmaceuticals, biotechnology products, and medical devices), academic medical centers, and hospitals. First, a disclaimer: I am not here to speak on behalf of any specific client, and I have not cleared my remarks with any of them. I have some very strong views, and in the interest of sharing them with you, I may take positions and express views that they may not agree with.

Over the past five years, many participants in the research sector have explained in a reasoned way the problems with the approach to research that is taken by the regulation (and the proposed legislation), its fundamental misunderstanding of how research is conducted, the incongruities its requirements impose on research in the name of privacy, and have offered mechanisms that provide more appropriate ways of protecting privacy in research activities and settings. Perhaps the most frustrating thing about the regulation is that its research requirements, while amazingly burdensome and costly to implement, seem to have little or nothing to do with enhancing the privacy of research participants, and everything to do with elaborating the formal structure of the rule, and fixing problems created by other requirements of the rule.

Today, I propose to avoid reciting the oft-repeated list of the rule's research failures. Instead, I propose to be explicit about the requirements of the rule that I am hard pressed to find a cost-effective way for covered entities to implement - without taking on excess legal liability. To facilitate this discussion, I ask you to think of health care research in three distinctly separate categories: (1) research that involves the use of data and medical archives collected for other purposes; (2) research that is subject to the Common Rule or the FDA's codification of the Common Rule; and (3) research that falls in neither of the two previous categories. I note that the privacy regulation lumps both of the last two categories into a single group -- a category of requirements relating to "a covered entity that creates protected health information for the purpose, in whole or in part, of research that includes treatment of individuals." 42 C.F.R. 164.508(f)(1). This failure to distinguish the two is likely a cause of many of the legalistic boxes that the regulation builds for itself, and for the regulated industry.

OTHERWISE UNREGULATED INTERVENTIONS OR MANIPULATIONS FOR RESEARCH PURPOSES.

First, I invite you, for the moment to disregard this third category. I want to set it aside because it is deeply troubling to me. This category largely pertains to research that intentionally subjects persons to clinical, biological or psychological interventions in order to collect research data but which is not already subject to regulation under either the Common Rule or the FDA's version of the Common Rule. Without any specific research provisions, I think it is clear that a covered entity creating or disclosing protected health information for such purposes, would be required to obtain the explicit authorization of the research participants to use or disclose information for research purposes. I do not understand why this is not sufficient in its own right. I do not understand why, in the name of new federal privacy regulations, one would create elaborate new provisions for waiving individual authorization by a "Privacy Board" in cases where human beings and/or their health care is being manipulated in the name of science. Yet this is specifically authorized under 42 C.F.R. 164.512(i), provided that certain findings with respect to privacy are made.

RESEARCH UNDER THE COMMON RULE.

One of the implications of the privacy rule that has not been discussed in any meaningful way is the fact that where an IRB is operated by a covered entity, all of the administrative requirements of the privacy rule - notice of uses and disclosures, policies, procedures, employee training, minimum necessary amount, etc. - may already encompass the IRB activities, just as the requirements of state medical privacy laws currently are applicable to the IRB's activities and the requirements it imposes on the researcher in the name of individual privacy. Instead of building on this fact by establishing provisions that would address unique research uses of data, the regulation imposes extensive new requirements on research that is already regulated by the Common Rule, including the FDA codification of the Common Rule.

These new research requirements are included in the elements of an "authorization to use and disclose PHI for research that includes treatment." 42 C.F.R. 164.508(f)(1). If we parse these requirements, they boil down to (a) authorization for the covered entity to use PHI for research and to disclose PHI to a researcher that is not affiliated with the covered entity (42 C.F.R. 164.508(f)(1)(i)), and (b) authorization for the covered entity to use research information for treatment, payment and health care operations. 42 C.F.R. 164.508(f)(1)(ii).

It should be fairly obvious that when a participant gives informed consent to clinical research by signing a form reviewed and approved by an IRB, data will be used and disclosed for the purposes of the research that is described in painstaking detail in the informed consent process. Moreover, the purposes for which the information can be used and, generally, how long it will be retained in a patient-identifiable format, are spelled out in the consent documents that the IRB has approved specifically for use in that protocol. The fact that the consent is revocable at any time is also explicit, as are any special limitations on access to records of health care during the course of research.

There are 12 required elements in this new research authorization. Unfortunately, the required elements either duplicate those included in the informed consent documents, are patently untrue, or are needlessly complicated discussions of irrelevant legal niceties. There is no new privacy protection apart from the fact that what is implicit in electing to give informed consent to participate -- is now made explicit and separately documented in a legal form.

The new authorization requirements that are duplicative of the informed consent, must be repeated because the regulation is clear that the research consent is not the same as the authorization. Therefore, the participant arguably has independent rights to grant or revoke consent but not authorization, or vice versa. This independence arguably is true of all of the duplicated elements.

I want to give you two examples of required elements that are patently untrue - without a fair amount of qualification and explanation.

First, the authorization is required to state that the information disclosed to a researcher "may be subject to redisclosure by the recipient and no longer be protected by this rule." I am aware of no informed consent documents or IRB approvals in recent years that would permit a researcher simply to disclose research information. To the contrary, the Common Rule and IRB process assure that research information is used and disclosed only for the purposes specified in the consent documents. To say that the protections afforded by consent documents are not the same as the protections afforded by the regulation is a nice legal technicality. But in practice it means that a discussion of very real research risks to the participant must be disrupted in order for a health care professional and a patient to have a legalistic discussion about the different forms of privacy protection -- contractual vs. regulatory, state law vs. federal law, and so forth.

Second in the category of untruths (or clever partial truths) is the fact that the authorization is required to state that the individual may inspect or copy the PHI to be used or disclosed in the research "as provided in 164.524." As noted above, any limitations on a research participant's access to information about his or her health and health care that are necessitated by the research protocol are explicitly a part of the informed consent document. By comparison, without a great deal more explanation about the regulation, the statement required to be in the authorization is deceptive; it appears to give the participant the right to inspect and copy proprietary research data. Fine reading of 164.524 dispels the deception because the researcher's proprietary database does not meet the definition of a "designated record set" to which individuals have access, making this requirement, at best, merely another discussion of legal technicalities that must be explained to the participant if the researcher wishes to avoid unintentional misunderstandings.

Finally, we come to the requirements that are virtually incomprehensible in the research setting. When an individual consents to participate in clinical research, it is patently obvious that the clinician who is collecting the research data is also using that data in monitoring the participant's well-being, and in providing appropriate treatment. In fact, this is typically specified in the informed consent document's discussion of the various treatment and control measures, as well as what to do and how the participant will be cared for in the event of an unexpected or untoward symptom or reaction. It also has become customary for informed consent documents to make it clear that routine care that is provided during the course of the research will be submitted to the participant's health plan for payment.

Yet the regulation adds an additional new requirement that, in effect, is an authorization for research information to be used in providing treatment. It specifically requires that the patient be told what information created in the course of research will be used in the provider's treatment, payment and health care operations, and what information will not. In the middle of a discussion of research risks, the patient and the clinician are required to stop and discuss what data elements will be created in the course of research, which of them are integral to routine care, and thus may be included in the hospital's record of care and submitted for payment, which analyses and data elements will be used only for research, and which will be used in both research and health care.

The authorization also must explain that if the patient was given a notice of privacy practices and signed a consent upon admission to the hospital, this "section" -- presumably this means the authorization signed under this section -- and not the consent governs the patient's rights and the permissible uses and disclosures of information.

Here is yet another sidebar discussion of the modern health care system and the impact of the regulation that the researcher is required to import into the informed consent process.

There is a serious disconnect in these requirements. The elements of the informed consent pertain to the research and the researcher, the risks to the participant and the provisions made for the participant's well being. The new authorization requirements shift the focus away from the participant and researcher to the requirements of the privacy regulation, including how or whether they apply to the specific clinician who is involved in the research, and the institution in which the data are collected. All of the protections and rights of the research participant are completely disregarded, as if the privacy regulation is the only thing that matters to an individual who is deciding whether to participate in clinical research.

IMPLEMENTATION STRATEGIES. The covered entity is offered essentially two choices in attempting to implement these new requirements.

1. Provide extensive training to IRBs that will permit them to incorporate these incongruous new requirements into the informed consent documents, and to waive the authorization, or specific required elements of the authorization, in those cases where the fit just does not work and the criteria for waiver can be met. For a research company's multi-site trial, this has to be done with every IRB affiliated with a covered entity that is one of its research sites in a product trial.

OR

2. Create a standard authorization form that is separate from the informed consent document; make it as plain as possible, include all of the required elements, whether they are true or not, whether they make sense or not, and just ask all participants to sign it as a separate interaction from the informed consent process. The requirements of the rule are met if a legally valid form is signed, whether or not the participant - or the researcher - understands what the form means.

If I pursue the IRB waiver route, I will not only be adding to the IRBs' workload, I will be asking them to make the finding necessary to waive elements of authorization for purposes of 164.512(i) at the same time that they are requiring the researcher to obtain informed consent. Moreover, the first required finding for waiver of a required element of authorization is that "The use or disclosure of PHI involves no more than minimal risk to the individual." 164.512(i)(2)(ii). Because virtually any clinical research involving a new drug or biologic involves more than minimal risk, an IRB will have to have its legalistic thinking cap on in order to make this finding - it applies only to the use or disclosure of the information, and not the risk of the research itself. In effect, the regulation requires the IRB as well as researchers and participants to engage in legal hairsplitting.

If I pursue the "get the legal document" approach, I am distorting the clinical research relationship by sending the implicit message that documents and forms are not part of the process for protecting the individual, but are merely to cover the legal liabilities of the covered entity that participates in research.

DATA STUDIES. Finally, I want to take a few minutes to address the issues posed by research using data that already have been collected by a covered entity in the course of activities permitted under the regulation. First, it should be noted that without the provisions relating to de-identification, all data research, including every research use of medical information by a physician affiliated with an academic medical center, will be required to obtain the authorization of each data subject, including the 12 core required elements discussed above, or a waiver of authorization by an IRB or privacy board. The same is true each time a third party researcher is given access to existing data for research, so long as the data meets the definition of "individually identifiable health information" for purposes of the regulation.

And here we come to the gist of the problem with respect to the deidentification provision that the preamble suggests will be a privacy-protecting panacea to make information available for data studies. The regulation utterly fails to deliver on the promises of the preamble.

The statute says that individually identifiable health information is health information "that identifies an individual; or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual." 42 U.S.C. 1320d(6). Under the statute, information that does not fall within the category to be considered "individually identifiable" is not subject to the statutory, or regulatory, requirements.

The regulation "flips" the statutory standard. Information created or received by a covered entity is protected health information unless it fits within a tightly drawn category of "deidentified" information.

The regulatory standard for information to be considered as falling outside the category of individually identifiable health information is based on the statistical probability that information could be used to identify someone -- as determined by a statistician. The agency's approach is firmly grounded in the art and science of database manipulation. It does not ask whether a reasonable person looking at the data fields on an individual record could discern who the person is or how to contact him or her. It does not take into consideration who will use the data, for what purpose, or how the data are protected from being used to identify individuals. Rather, it asks whether the data fields that appear in a data set also appear in databases that are generally available and which therefore could be used by someone attempting to identify the data subjects. Examples of such databases include state driver's license data, voter registration lists, the telephone book, birth records, etc. The regulation offers a list of fields that a statistician would find to be useful for triangulating databases in order to zero in on identified cases. Removal of all of the fields listed in the regulation is the only "safe harbor" for any data to be outside the regulation's prohibitions on use or disclosure. The only alternative to the safe harbor is for a statistician to find that the "risk is very small that the information could be used ... by an anticipated recipient to identify an individual who is the subject of the information." 42 C.F.R. 164.514(a)(1)(i).

Some of the data fields in the list, such as social security number, email address, telephone number and the like, offer a fairly ready way to find out who a data subject is. The irony, of course, is that in health care and health benefits administration, even the patient's name, address, and telephone number are not necessarily adequate for a provider to know that a health record such as a lab report is part of a single individual's history, or for a payer to know that the services were provided to an individual who is covered by a health plan. The same household may have many individuals named John Smith, Maria Hernandez, or Sally Wong. As a result, date of birth or social security number is almost always needed for health information systems to perform at an acceptable level of accuracy in identifying individuals.

Following the regulation literally, an epidemiologist's report of frequencies stating the total number of admissions to each of ten hospitals on a given day of the year, would be "protected health information" -- even if that were the only information transmitted about any given patient's case. As the rule is constructed, the inclusion of a patient-related date of any kind in a transmission of data automatically transforms the data into protected health information. As a result, unless a statistician made the risk finding, transmission of such tabular data by a covered entity to anyone would be a technical violation of the regulation even if the number of daily admissions for each hospital were in the hundreds. Likewise, disclosure of a table showing how many of the total number of inpatient admissions in a given county went to each of several hospitals would be a violation of the regulation, as would a table for a given hospital showing how many of its admissions in a year come from which zip code. "County" and "zip code" are in the list of fields that are automatically considered to be "identifiers" that must be removed in order for data to fit the deidentification "safe harbor." Therefore, unless each patient authorizes the disclosure or unless a statistician renders a risk opinion, the regulation makes use or disclosure of such a table of frequencies for research purposes a disclosure of protected health information that could be subject to the civil and criminal penalties of the statute.
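To make the safe-harbor mechanics concrete, here is an added example of the kind of field check a covered entity's data team would run before releasing records or a frequency table. It is my own illustration, not code from the testimony or from any regulatory body. The identifier list is a simplified approximation of the safe-harbor categories (names, geographic units below the state, dates tied to the individual, contact details, assigned numbers, device and biometric identifiers) keyed to column names I chose; the regulation's text is the authority for the actual list, and the example relies on the rule's treatment of a bare year as not being a listed date element. The admission records are constructed. The point it shows is the one made above: a table keyed by hospital and admission date still carries a listed field even though every row is an aggregate count, while the same table keyed by year alone does not. Passing this check says nothing about the separate statistical risk finding.

```python
"""Safe-harbor field check over constructed records and aggregate tables (added example)."""
from collections import Counter
from datetime import date

# Simplified safe-harbor identifier list, constructed for this example and keyed to
# the column names used below. The regulation's own list is the authority; map your
# schema's column names onto it before relying on this check.
SAFE_HARBOR_FIELDS = frozenset({
    "name", "street_address", "city", "county", "zip",
    "birth_date", "admission_date", "discharge_date", "death_date",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
})


def listed_fields(columns):
    """Return, sorted, the columns that fall on the safe-harbor identifier list."""
    return sorted(set(columns) & SAFE_HARBOR_FIELDS)


def is_safe_harbor(columns):
    """True only when no listed field survives; otherwise the data needs individual
    authorization, an IRB/privacy board waiver, or the statistician's risk finding."""
    return not listed_fields(columns)


def safe_harbor_strip(record):
    """Drop every listed field from one record, keeping the other columns unchanged."""
    return {k: v for k, v in record.items() if k not in SAFE_HARBOR_FIELDS}


# Constructed admission records, not real patient data.
ADMISSIONS = [
    {"name": "John Smith", "hospital": "H1", "admission_date": date(2001, 8, 22),
     "zip": "20004", "diagnosis": "J18.9"},
    {"name": "John Smith", "hospital": "H1", "admission_date": date(2001, 8, 22),
     "zip": "20004", "diagnosis": "I10"},
    {"name": "Sally Wong", "hospital": "H2", "admission_date": date(2001, 8, 22),
     "zip": "20002", "diagnosis": "E11.9"},
    {"name": "Maria Hernandez", "hospital": "H2", "admission_date": date(2000, 1, 5),
     "zip": "20002", "diagnosis": "J18.9"},
]


def admissions_per_hospital_day(admissions):
    """Frequency table keyed by (hospital, admission date). Every row is a count,
    yet the admission_date column is a listed field, so the table fails the check."""
    counts = Counter((r["hospital"], r["admission_date"]) for r in admissions)
    return [{"hospital": h, "admission_date": d, "count": n}
            for (h, d), n in sorted(counts.items())]


def admissions_per_hospital_year(admissions):
    """Same table keyed by year only; the year is not on the list, so it passes."""
    counts = Counter((r["hospital"], r["admission_date"].year) for r in admissions)
    return [{"hospital": h, "admission_year": y, "count": n}
            for (h, y), n in sorted(counts.items())]


def table_columns(rows):
    """Column names of a list-of-dicts table (empty table has no columns)."""
    return list(rows[0].keys()) if rows else []


if __name__ == "__main__":
    for build in (admissions_per_hospital_day, admissions_per_hospital_year):
        cols = table_columns(build(ADMISSIONS))
        print(f"{build.__name__}: columns={cols} listed={listed_fields(cols)} "
              f"safe_harbor={is_safe_harbor(cols)}")
    print("stripped record:", safe_harbor_strip(ADMISSIONS[0]))
```

Running it shows the daily table flagged on `admission_date` and the yearly table passing, and a stripped record reduced to hospital and diagnosis. In practice the check belongs in the release pipeline for any extract or report, since the aggregate-versus-individual distinction the text describes is invisible to a column-based rule.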

IMPLEMENTATION FOR DATA STUDIES

The regulation essentially leaves the covered entity with two choices if it elects to make existing data available for research.

1. See if its IRB will make and document a finding that individual authorization of the data subjects can be waived.

OR

2. Retain a statistician to make a finding regarding the risk of reidentification and hope that it is "very low."

On its face, the situation for a researcher affiliated with a covered entity who uses data to do public health epidemiologic studies or outcomes research is quite grim. The institution must allocate funds for IRB review of each use of existing data AND each publication of statistical or other reports that include the regulation's "suspect fields," or provide essentially full-time access to a statistician for making risk findings that would allow the report to be considered "deidentified."

The alternatives for data studies and for research conducted under the Common Rule are not attractive. All of them are costly, complicated, and time consuming. Moreover, because they do not have any logical or natural relevance to the conduct of research or measures in place to protect research participants, they will likely prove to be confusing to everyone involved -- researchers, institutions, IRBs, and participants. In my view, all of these are legalistic technicalities that will create the need for lots of new documentation to protect research entities from significant potential legal exposure. Moreover, I am hard pressed to see how any of them enhances the privacy protection provided to participants or data subjects.

Some have said that this cumbersome and illogical set of requirements is necessitated by the fact that Congress did not give HHS authority to regulate research. For my part, I do not find this to be a valid excuse. True, HIPAA does not give HHS authority to regulate research entities that are not otherwise "covered entities." But none of the requirements that I have discussed in this paper apply to research companies that are not covered entities.

The statute explicitly states that HHS has authority to regulate privacy with respect to "the uses and disclosures of [individually identifiable health] information that should be authorized or required." HIPAA Section 264(b)(3) and (c)(1). Nothing in the statute would preclude HHS from determining that research uses should be authorized - or even required. In fact, this statutory provision is the only one that provides any authority for the incongruous requirements discussed above. The structure of the scheme included in the medical privacy regulation, in my view, cannot be attributed to Congress' failure to permit HHS to authorize research uses. Rather, it appears to reflect explicit policy decisions by the agency to focus its resources on articulating the elaborate consent-based structure it had created for regulating covered entities' use and disclosure of information. Research uses and disclosures come in only as an afterthought, because the scheme otherwise would have made all research without explicit individual authorization illegal.