11/20/03
My name is Joann Boughman, and I serve as the Executive Vice President of the American Society of Human Genetics (ASHG). I am a board-certified Ph.D. Medical Geneticist, with research experience in population and epidemiologic genetics. I was a full-time member of the faculty at the University of Maryland Baltimore, and was VP for Research and Development, and then VP for Academic Affairs and Dean of the Graduate School. I remain an adjunct professor of Pediatrics and Obstetrics and Gynecology and Reproductive Sciences at the University of Maryland, Baltimore. I would first like to thank you for considering the HIPAA policies and processes in your deliberations, with a focus on improving implementation of the Privacy Rule.
Today, I would like to share a perspective on HIPAA and its implementation from the viewpoint of the academic research community, with some emphasis on issues of special importance to the genetics community. Research geneticists have several concerns about HIPA implementation, and those concerns are sufficiently intense and wide-spread that our organization, the American Society of Human Genetics, initiated focused action to address these issues. Responding to the concerns expressed by members of the Board of Directors, the ASHG president, appointed an ad hoc committee with the following charge: to distill the complex HIPAA regulations; to summarize the key aspects of importance to genetics researchers; and to develop materials or references to facilitate the understanding and implementation of HIPAA by ASHG members.
The six ASHG members of the ad hoc group represent a broad cross section of interests and expertise. This group has not yet completed its work, but have met via conference call and determined that the following actions are essential.
1. The Committee should draft for Board approval a positive and assertive statement regarding HIPAA and its implications, including:
2. Further, the group focused on the following areas of research policy of primary interest to the ASHG membership:
Registries
Use of unlinked samples
Contact with relatives
Special family studies
Third-party definitions
Contact with
relatives
Registry issues
The ASHG Committee has not presented any statements to the Board of Directors for approval, but as the work of the Committee is completed, we would be pleased to share the final comments when they are approved by the Board.
The remainder of my comments are made on the basis of my personal knowledge, experience, and interaction with a variety of researchers, and therefore do NOT represent the position of the American Society of Human Genetics. Hopefully, I will be able to highlight areas of interest and concern for the research community at large.
I would like to address several major points, indicating the challenges and unforeseen consequences as well as the costs demanded by the implementation of such unfunded mandates.
1.Investigator training
Researchers have been following the Common Rule and geneticists have demonstrated especially intense interest in the implications of their research by actively participating in ELSI program initiatives. However, the adequate implementation of HIPAA requires additional training of all researchers in (a) providing HIPAA authorization forms in the informed consent process when needed, (b) recognizing when their work involves a HIPAA "covered entity" outside of their own, (c) understanding the HIPAA approach to the process of "de-identifying" data, (e) knowing the definitions of "limited data sets", and (f) recognizing the separate yet overlapping HIPAA and human subjects processes at their institutions.
The financial cost of implementation of HIPAA training for researchers is difficult to calculate as it is intertwined with health care provider and researcher training, but it may be substantial, including factors like implementation of formal training protocols, lost work time, and individual submission reviews are included.
An additional hidden ‘cost' is the disincentive of additional regulation on clinical investigation, resulting in reduced research. This cost is ultimately paid by the patients who stand to benefit from advances in biomedical research.
2. Institutional activities
In addition to the development and implementation of training programs for institutional faculty, each covered entity must have an ongoing oversight and compliance program, including a compliance officer at most institutions. Challenges for institutions include the smooth and interactive working of IRB's and Privacy Boards as needed. An enormous amount of resources are being expended at the institutional level, including legal and medical, as well as research personnel commitment. As a matter of course and convenience, researchers are often considered to be acting within the covered entity, and their work is treated as such.
3. Challenges in research on groups ascertained from covered entities
A major problem in many cross-sectional or longitudinal epidemiologic studies can be labeled the ‘fear factor'. Among nursing homes, hospitals, or other designated groups that often serve as primary data sources for community-based studies have become extremely reluctant to release data, even when the data would be deemed ‘exempt' and/or the researchers have obtained the necessary approvals – just because the entities are concerned that they will be sued or fined. While privacy issues may have been involved previously, the confounding of the Common Rule and the Privacy Rule enhances concern for many.
There is also the ‘hassle factor' related to the paperwork as it has become so complex, that ‘volunteer' collaborators such as nursing homes and hospitals don't think it is worth the time to assist with a research project. To garner collaboration, some type of financial incentive will be necessary to cover the extra costs related to increased paperwork. In addition, legal counsel fees may need to be covered as collaborator institutions require legal opinions from their perspective.
While some of these fears and hassles may be reduced or at least become institutionalized as time passes, for the foreseeable future new costs in money, time, and personnel resources will have to be absorbed in the process of applying for new research projects. The overall liability issue may need to be dealt with using new and innovative methods.
3. Questions of de-identification of data
The HIPAA regulations on de-identification of data read very clearly. It is straight-forward in the statement that by removing all 18 elements used to identify an individual, data may then be used. Removal of most of the 18 elements would create no serious impediments to researchers, including geneticists. However, elements #16 (biometric identifiers) and #17 (images), may create barriers rendering certain studies or publication of those studies impossible. In presenting data on certain disorders or conditions, images may be a critical element for consideration and evaluation of the study conclusions. Under HIPAA this would extend to deceased individuals as well.
Under the category of ‘biometric identifiers', fingerprints and voice prints are listed. Let us imagine a study evaluating the personal impact of determining carrier status of a cancer gene in three different ethnic groups. DNA tests would be performed, and via taped interview, a series of questions are asked before, immediately after and 6 months after the test results are shared. Could any of the data [ the DNA results, the DNA samples, the taped interviews] be shared with researchers at another institution after the study is completed? Would sharing these nameless, faceless voices and DNA results really defy the spirit of HIPAA? Some would surely say that at least the language of HIPAA would be violated by such an action.
Further, it is not clear, whether DNA profiles would fit into the category of biometrics, but if so, many of the DNA-based studies would be greatly hampered or impossible to pursue.
In addition, it is not clear as to how pedigree structure information can be legitimately used while remaining compliant to the spirit and letter of the rule. As you can imagine, certain large pedigree structures could be theoretically identifiable from their structure and delineation of individuals affected with certain disorders. Our hope is that the research community may be able to provide clear language that could guide researchers on processes that would decrease red tape and facilitate genetic research to move forward while still protecting the privacy of the individual volunteers.
4. HIPAA and CLIA conflicts on releasing lab results
HIPAA calls for the release of laboratory results to patients and subjects upon request. Providing sufficient information to all participants with appropriate context of many research studies would be costly to the study. Considerable concern would be raised regarding the real possibility that initial promising data are found by a later study to be incorrect. HIPAA does allow studies to be designed to delay the return of results until the completion of the study, but this option does not always address all concerns especially for preliminary studies for which data may be uninterpretable.
Laboratory studies in research are (by definition) often performed in research laboratories (as compared to certified clinical labs). For early research studies or for tests done on de-identified samples, it is inappropriate for the testing to be done in clinical laboratories, creating a conundrum for researchers. HIPAA states that subjects may request results, and CLIA states that only tests done in certified clinical laboratories may have the results released. Therefore, researchers may be required by HIPAA to give information, but would be liable under CLIA if they comply with HIPAA.
5. Questions about family studies, including contact with relatives
The key concern of geneticists is on the challenges faced in using family history, either as entry criteria for a study or collection of family history as a part of the study design. The concerns might best be exemplified by use of examples.
a) Entry criteria: Researchers design a study of the extent to which tamoxifen alters the frequency and/or age of development of breast cancer in BRCA1 positive females. Assume, for the example, we don't yet have the data showing an ~ 80 percent chance to develop breast cancer regardless of family history. The study calls for 50 BRCA1+ females with no family history of breast cancer, and 50 with at least three relatives with reported breast cancer. The overworked IRB that also serves as a Privacy Board plays it safe and makes it easier for the Board, saying you cannot get/use any family history data without the consent from each relative. The subjects with positive family histories must therefore obtain a "permission slip" from relatives before the subject can enroll.
b) Family history studies: The most critical information a clinical geneticist can obtain is a pedigree or family health history. As more is understood about the genetic factors in common diseases, all physicians and health care providers will come to value more highly the family history as well. Family studies play a key role in the determination of specific genetic risk factors for diseases and conditions. The family history and family data may be obtained and utilized in a wide variety of ways, and clarification in HIPAA language would be extremely useful in determining the process for data ascertainment that is required.
For example: a registry of patients with retinitis pigmentosa, each well-defined clinically, is established, and each patient is asked to provide a family history of blindness, progressive visual loss, and recognized hearing loss. Should permission be required from each relative mentioned by the subject?
If the relatives are contacted by researchers for any information, they become subjects, and permissions must be obtained. Certainly for release of records, examination, etc, these subjects would be expected to provide full informed consent. However, if the original subject contacts relatives to garner information on their own behalf it is not clear when the relatives must provide consent to the investigators for the investigators to be fully compliant.
An additional challenge is presented by HIPAA being applied to deceased individuals, while IRB language does not apply. It is not clear how decedent family history may be obtained and used while remaining in strict compliance with HIPAA. The Common Rule emphasizes protection of the living, but HIPAA rules require health care providers to protect PHI of the dead forever.
It is the plan of the ASHG group to address these issues and suggest clarifying language that defines what geneticists should do in these situations. Our hope is that the responsible agencies will work with us and review and comment on proposed guidelines that are generated by the research community.
Summary
Having served on national advisory committees myself, I am aware of the challenges and limitations that the NCVHS is facing. I hope the information provided will be useful to you in your deliberations regarding the important issues surrounding the implementation of HIPAA and the Privacy Rule. We first recognize that there is a reaction phase that includes over-reaction by some parties and entities. This phase will eventually pass. As the transitional period passes, it is sincerely hoped that practical limits may be maintained, and best practice models shared among interested parties. The American Society of Human Genetics is addressing the transition by developing clarified language regarding family history data, DNA studies, and other issues of particular interest to geneticists. The genetics community is keenly aware of the importance of privacy, and seeks to protect subjects and patients appropriately, while continuing to perform the exciting and very promising genetic and genomic research of our time.
Thank you for this opportunity to share some information about the experience and concerns about HIPAA and its implementation from the genetics research community.