April 23, 2002

Comments provided in response to proposed Privacy Modifications of the Privacy Rule of HIPAA

An area of research use of protected health information that does not appear to be covered by the proposed Privacy Modifications is that of research resources created through linking of medical and other data. Research resources in this situation are defined as medical and other data, linked together at the individual level, for the purpose of biomedical research use by multiple users. Our greatly increased computing capacity over the past 20 years has fostered the growth of many such resources.

It is not clear, under either the original Privacy Rule or the proposed modifications, how such resources will be affected. Some interpretations of the rule would simply preclude their creation and use; others would require that they be reviewed by an IRB or Privacy Board, as are research projects that use protected health information. (Currently, unless created specifically for a given project, the resource itself is not subject to IRB review, since it is not research per se.) Given the utility of such resources, it seems important to clarify how they may be operated under the new Rule.

Generally such resources are used in two ways: for epidemiology studies where the individually identifying information is only necessary for linking, or for case studies to identify potential subjects (or groups of subjects) where the individually identifying information is required both for linking and by the requesting research project. Following are three hypothetical examples of different research resources and how they might be used:

  1. A School of Public Health has a research program focussing on causes and effects of auto accidents. The School creates a research database of Highway Patrol crash data linked to the medical records from the three main hospital chains in the state, as well as to the state’s death certificates. Many research projects are possible: efficacy of different treatments for the same injuries, morbidity outcomes for different injuries, psychosocial effects of different crash outcomes, etc. These are not possible at a population level without linking the various data together.
  2. The departments of pediatrics at two medical schools form a birth defects research consortium. They link the statewide Birth Defects Registry held by the state’s Bureau of Vital Records to hospital treatment data from the three main hospital chains in the state, as well as to death records. They envision research projects like outcomes research for various treatments, effects of family coping strategies across different types of treatment modalities, etc.
  3. A Human Genetics department creates a combined genealogy-hospital database for members of an isolated religious group. The members of the sect live in four specific geographic locations in the United States. The department links genealogy data provided by members of the group with medical data from the major hospitals in those four geographic locations. The research resource allows certain kinds of epidemiology research as well as ascertainment of familial clustering of diseases. In the latter case, potentially informative individuals can be identified and invited to join research projects searching for disease genes.

In order to create these databases so that certain kinds of biomedical research can be done, the identifying data from several sources must be combined at the individual level. All of the types of research described above can at least begin with an anonymized file. However, while it may be an anonymized file that researchers use, someone has to have the identifying information prior to any research being conducted with the file. Someone has to link the data. Furthermore, the fact that a record from one source links to a protected health information source means that “protected health information” of a sort is present in even the anonymized file.

Currently, a covered entity may use or disclose protected health information for research purposes without patient authorization if it obtains either of the following:

  1. Documentation of approval of a waiver of authorization from an IRB or Privacy Board; or
  2. Representation from a researcher that he/she plans to conduct a review of records “…preparatory to research” and that “the use or disclosure is sought solely for such a purpose and that the protected health information is necessary for the purpose.”

Much as with a medical records search to identify potential subjects, it is not possible to get the potential subject’s consent to link his/her information prior to having the records to link, since one does not know which records will be useful prior to linking them. Thus, the questions that arise in the case of research resources that need to link data to create the resource are:

Questions:

  1. Is a similar IRB-approved waiver of consent necessary for the creation of such research resources?
  2. If so, can/should university IRBs review and permit the creation of such research resources with a waiver of consent?
  3. If not, may a covered entity release data to a research resource that makes the representations as described in 2 above without an IRB-approved waiver of consent?
  4. In either case, it is likely that there will be research projects that will identify cases within the anonymized database for contact – for more information, for biological samples, etc. How should they be contacted? What would they be told?

The issue of how to ethically create and use the potential for linking information is a complex one, as the above examples and questions illustrate. One means of doing so, which does not appear to be addressed in any of the HIPAA research rules, is to create a unit that links and manages access to the data as part of university administration, rather than being directed by a specific researcher.

The resource would receive data from data sources, link them, and create the anonymized file under either of the two mechanisms identified above. Researchers could obtain access to the file only with an IRB-approved research project. (Researchers would not need to get a waiver of consent for access to the file since it would be anonymized.) To ensure that the data are not used in ways inconsistent with the data sources’ legal and other requirements, it would be necessary to have some sort of review process that involved the data sources.

Contact of potential subjects could be conducted by the health care institutions that legitimately have information about the individuals within the database. Letters could be sent to potential subjects by the health care institutions informing their patient(s) that Researcher X is interested in Condition/Disease Y and would like to contact them about a research study. If the patient is interested, he/she responds to the health care institution, which then forwards the identifying information to Researcher X, who contacts the subject and attempts to recruit him/her into the study. If the patient does not wish to be contacted, no information goes to the investigator. (All costs of this contact would be borne by the investigator.)

Such a research resource would need to have specific policies and procedures about how it would operate, handle data, and release data for research projects. Institutions that had such research resources would have to have some internal review mechanism for ensuring that they operated in an ethical manner. If institutions did so, then those research resources could refer to their policies and procedures in requesting data from covered entities. It seems that such an internal review would be more appropriate for something like a Privacy Board than an IRB, since review of the research resources would focus on policies and procedures rather than specific research projects.

Creation of biomedical research resources like those described above has become feasible due to the capacity for electronic linking of files. The very capacity that raises privacy concerns also provides the research community with tools to do research that was previously very difficult, if not impossible. It is important to develop new ways of managing data that will allow conduct of such research, while protecting the privacy of the very individuals whose information provides the bases of that research. With answers to the above questions, the Privacy Rule and the proposed modifications may do both.