HIT Policy Committee Privacy and Security Tiger Team • Deven McGraw, Chair • Paul Egerman, Co-Chair • September 14, 2011
Tiger Team Members • Deven McGraw, Chair, Center for Democracy & Technology • Paul Egerman, Co-Chair • Dixie Baker, SAIC • Neil Calman, Institute for Family Health • Carol Diamond, Markle Foundation • Judy Faulkner, EPIC Systems Corp. • Leslie Francis, University of Utah; NCVHS • Gayle Harrell, Consumer Representative/Florida • John Houston, University of Pittsburgh Medical Center • Alice Leiter, National Partnership for Women & Families • David McCallie, Cerner Corp. • Wes Rishel, Gartner • Latanya Sweeney, Carnegie Mellon University • Micky Tripathi, Massachusetts eHealth Collaborative • Contributing Experts: • Richard Platt, Harvard Pilgrim Healthcare Institute • Shaun Grannis, Regenstrief Center for Biomedical Informatics • Joy Pritts, ONC • Judy Sparrow, ONC
Today’s Topic • On July 22nd, 2011, the U.S. Department of Health and Human Services asked for the public’s input into proposed changes to the current regulations overseeing research on human subjects, often referred to as the Common Rule. • On July 26th, 2011, an Advance Notice of Proposed Rulemaking (ANPRM) was published: Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators [1] • Comment period ends Wednesday, October 26, 2011 [1] Department of Health and Human Services. Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators. 45 CFR Parts 46, 160, and 164. Vol. 76, 2011.
Objectives • Summary of the Common Rule • HIPAA and research • Summary of the ANPRM • Draft recommendations for the ANPRM
Summary of the Common Rule • Regulations governing most federally funded research on human subjects • Designed to address clinical trials; focuses primarily on protecting human subjects from physical risks, as opposed to informational risks • Includes research using information that is identifiable • The Rule’s framework is based on two foundational requirements: • Independent review of research by an Institutional Review Board (IRB) • Informed consent of the research subject when there is more than minimal risk
Summary of the Common Rule (cont.) • IRB membership and role: • Composed of five members of various backgrounds, including one member not affiliated with the institution • Reviews and approves all research activity • Requires documentation of informed consent or may waive requirement • Conducts continuing review of research, not less than once per year
Summary of the Common Rule (cont.) • If research falls on an HHS list of categories of research involving no more than minimal risk, research can be reviewed by a single IRB member (called “expedited” review) • Certain categories of research are exempt from required IRB review • Of note, one category (category 4) is study of pre-existing data initially collected for purposes other than research (such as treatment data from EHRs), when the investigator receives information in a way that doesn’t directly or indirectly identify the subjects.
Summary of the Common Rule (cont.) • Most non-exempt research requires informed consent • In addition, an IRB may waive any requirements for consent that might otherwise apply: • For certain research conducted or approved by state and local officials • When the IRB documents that (1) the research involves minimal risk, (2) the waiver will not adversely affect the rights or welfare of the subjects, (3) the research could not be practicably conducted without the waiver, and (4) subjects, as appropriate, will be provided with additional pertinent information after participation
Summary of the Common Rule (cont.) • Researchers are not required by the Common Rule to adopt any security measures. However: • Some researchers that are covered entities may also be covered by the HIPAA Security Rule • Disclosure of a limited data set to a researcher may require a data use agreement, which requires the researcher to agree to safeguard the data
Research Rules under HIPAA • Applies only to covered entities (most health care providers, health plans, health care clearinghouses) and business associates conducting research on their behalf • Covers only protected health information, which is identifiable • Some entities may be subject to both HIPAA and the Common Rule • Research is distinguished from “health care operations,” which includes quality assessment and improvement activities, as long as the “primary purpose” of such activities is not to “obtain generalizable knowledge”
Research Rules under HIPAA (cont.) • Requires authorization in most cases if research is using fully identifiable data • Authorization needs to be in writing, specific to the particular research project (pending regulation change would allow individuals to provide more general consent to research uses of their PHI) • A covered entity can release PHI for research purposes if it receives documentation that an IRB or “Privacy Board” has approved a waiver of the requirement. • Authorization not required in certain circumstances: • Purposes preparatory to research (e.g., development of research protocols) • Research on decedents • Release of a limited data set
HIPAA and Research • Covered entities may use and disclose a “limited data set” for research purposes • Stripped of name and other identifiers (but is still considered potentially re-identifiable) • Requires data use agreement and commitment not to re-identify • De-identified data is largely not subject to regulation by HIPAA. • De-identification standard = no reasonable basis to believe the data can be used to identify an individual. • No requirement of “data use agreement” or commitment not to re-identify (although covered entity recipients may not re-identify)
Proposed Changes in the ANPRM • Focus is on changes to the Common Rule, but also expresses a desire to harmonize and streamline different research rules (in particular, the Common Rule and HIPAA). • There are a number of changes proposed. • For Tiger Team and Policy Committee purposes, we focused solely on the provisions with a direct impact on ONC programs – the rules surrounding the secondary uses of health information initially collected for another purpose, such as for treatment
Summary of Relevant ANPRM Provisions • Expand the scope to any institution receiving federal research funds, even if the particular research project in question is not supported with federal funding • Expresses a desire to harmonize HIPAA & other relevant rules governing research (such as the Privacy Act) • No change in the definition of research (still covers investigative activities intended to contribute to “generalizable knowledge”) • Continues to exempt research on existing data from IRB review (potentially even if identifiable); however, recommends study be registered by the filing of a “brief form” with an institutional office
Summary of Relevant ANPRM Provisions • Informed consent for use of pre-existing data originally collected for non-research (e.g., treatment) purposes: • ANPRM reiterates the existing rule that consent is required only if the researchers obtain information that identifies the subjects; such consent could be general in nature (yes/no for research) • Thus, no consent is required for research using a limited data set or de-identified information • ANPRM seeks comment on whether consent should be required here and if so, what type of consent
Summary of Relevant ANPRM Provisions • ANPRM proposes baseline security measures, which vary based on identifiability of data: • Adopt the HIPAA standards for individually identifiable information, a limited data set, and de-identified information • Research involving identifiable data and limited data sets could be required to adhere to data security standards modeled on the HIPAA Security Rule • Requires researchers using limited data sets and de-identified data to commit not to re-identify
Recommendations Are Focused in Two Areas • What secondary uses of EHR data should be considered to be “research”? • Application of the full complement of Fair Information Practices (not just consent, and not just security)
Secondary Uses of EHR Data Background/Framing: • Recommendation is confined to provider entities. • ANPRM retains the exemption from IRB approval for secondary use of clinical data for research – but requires general consent when the data is identifiable. • One of the goals of HITECH is the creation of a learning healthcare system. • The use of EHR systems creates new technological opportunities to improve treatment of patients and to evaluate the quality, safety and effectiveness of that care. We are concerned that the potential treatment of such activities as “research” could limit these activities.
Secondary Uses of EHR Data Background/Framing (cont.): • Clarifying the definition of “research” could help remove real or perceived obstacles. • Current rules (both the Common Rule and HIPAA) define “research” as activities designed to develop or contribute to “generalizable knowledge.” • Characterizing research as any evaluative activity that is intended to contribute to “generalizable knowledge” may no longer serve the interests of either patients or providers.
Secondary Uses of EHR Data Draft recommendations: • The use of a provider entity’s EHR data for treatment purposes or to evaluate the safety, quality and effectiveness of prevention and treatment activities should not require consent or IRB approval or registration. Such activities should not be considered “research” but instead should qualify as treatment and operations if conducted by, or on behalf of (such as by a business associate), a provider entity. • This exemption should apply even if the results are intended to, or end up being, publicized or more widely shared (i.e., contribute to generalizable knowledge).
Secondary Uses of EHR Data Draft recommendations (cont.): • We expect provider entities to maintain proper oversight over, and be accountable for the conduct of, these activities. • Consent should not be required to access EHR data for these purposes, even if the data does not qualify as either a limited data set or de-identified data; however, provider entities should always use the minimum necessary amount of data to accomplish these activities (including removing patient identifiers prior to analysis for quality, safety and effectiveness when it is not necessary to identify individual patients).
Secondary Uses of EHR Data Draft recommendations (cont.): • Examples of activities the Tiger Team agrees should be covered by this recommendation (not intended to be an exhaustive list): • Using EHR data to improve care provided to patients. • Identifying patterns of adverse events to detect patient safety issues. • Evaluation of interventions designed to improve compliance with existing standards of care and outcomes. • Monitoring individual clinicians and professional staff for adherence to existing standards of care and existing treatment protocols. • Outreach efforts intended to increase patient compliance with existing standards.
Secondary Uses of EHR Data Draft recommendations (cont.): • Consistent with the Tiger Team’s previous recommendations, the previous exemption should apply only when the provider entity (or OHCA) retains oversight and control over decisions regarding when their identifiable EHR data is used for quality, safety and effectiveness evaluations.
Secondary Uses of EHR Data Draft recommendations (cont.): • This recommendation is based on previous Tiger Team/Policy Committee recommendations that recognize that patients place their trust in their health care providers with respect to stewardship of their health information. Consequently, when the provider entity (or the OHCA) that the patient trusts no longer has control over decisions regarding access to patient identifiable data (such as in certain centralized HIO arrangements), the patient should have meaningful choices regarding whether or not his or her identifiable information is part of such an arrangement.
Secondary Uses of EHR Data Draft recommendations (cont.): • This exemption should be interpreted to allow provider entities (or OHCAs) to collaborate and share identifiable information for treatment purposes or to conduct quality, safety and effectiveness assessments, as long as the entities remain in control over decisions regarding how their EHR identifiable data is to be accessed, used and disclosed.
Secondary Uses of EHR Data Draft recommendations (cont.): • Entities should follow the full complement of fair information practices in using identifiable data for these purposes, including (but not limited to) being transparent with patients about how their data is used for treatment and quality, safety and effectiveness evaluation purposes, using only the minimum amount of data needed to accomplish the particular activity, and protecting the data with security measures that are commensurate with the risks to privacy.
In Summary: ANPRM approach vs. Tiger Team Recommendations • ANPRM seeks to reduce obstacles to use of clinical data for evaluative purposes by continuing to exempt it from IRB approval, BUT: • Such quality, safety and effectiveness evaluations are still considered to be “research” • Such research must be registered (via a brief summary) with the institution • General consent would be required if the data involved is identifiable (not a limited data set or de-identified) • No other institutional obligations are put into place beyond compliance with appropriate provisions of the Security Rule.
In Summary: ANPRM approach vs. Tiger Team Recommendations (2) • The Tiger Team recommends not creating real or perceived obstacles to quality, safety and effectiveness evaluations that contribute to a learning health care system by calling such activities research, as long as the provider entity (or OHCA) maintains decision-making control over identifiable information accessed for such evaluations. • No consent should be required even if the data are identifiable. • Provider entities remain accountable to their patients and the public for activities performed using data under their stewardship.
Final Note • Under current regulatory definitions (and the ANPRM), activities with data are research if they are intended to contribute to “generalizable knowledge”. This distinction will no longer hold in a learning healthcare system. • However, is provider entity accountability enough to protect individuals from inappropriate uses of their health information? (e.g., are all quality, safety and effectiveness evaluations good?) • Perhaps there is a better way to draw the line between research and operations, to ensure widespread accountability – and we urge HHS to consider this further.
Application of Fair Information Practices Background: • ANPRM primarily focuses on when consent should apply to the secondary use of EHR data for research purposes. • Consent is but one element of fair information practices. • Overreliance on consent can inappropriately shift the burden for protecting privacy onto patients. • ONC has adopted an articulation of fair information practices for its programs (Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information). • The Tiger Team/Policy Committee should provide its perspective on “private and secure” uses of EHR data, including for research. • Most patients probably won’t understand the difference between a “covered entity” and a “research entity”, but will expect the same privacy and security standards to be applied to their data.
Application of Fair Information Practices Draft Recommendations (cont.): • Researcher entities should be required to adopt policies and/or best practices that follow the full complement of fair information practices, regardless of whether or not a patient’s consent is required to be obtained. • Examples: • Limit the amount of information collected to what is necessary. • Limit the people who have access to the data to those performing the research. • Adopt and adhere to specific retention policies with respect to the data. • As another example of fair information practices, researchers should be required to adopt security protections consistent with the privacy risks associated with inappropriate exposure of the data. The Tiger Team applauds the ANPRM for recommending researchers be required to adopt security protections.
Backup Slides
Tiger Team Core Values • The relationship between the patient and his/her health care provider is the foundation for trust in health information exchange. • Providers are responsible for maintaining the privacy and security of their patients’ records. • Patients should not be surprised about or harmed by collections, uses or disclosures of their information.
Fair Information Practices and Consent Previous Recommendations: • All entities involved in health information exchange should follow the full complement of fair information practices when handling personally identifiable health information. • When the decision to disclose or exchange a patient’s identifiable health information is not in control of the provider (or the provider’s organized health care arrangement (OHCA)), patients should be able to exercise meaningful consent to their participation.
HHS Privacy and Security Framework • INDIVIDUAL ACCESS: Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format. • CORRECTION: Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied. • OPENNESS AND TRANSPARENCY: There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information. • INDIVIDUAL CHOICE: Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.
HHS Privacy and Security Framework • COLLECTION, USE, AND DISCLOSURE LIMITATION: Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately. • DATA QUALITY AND INTEGRITY: Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner. • SAFEGUARDS: Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. • ACCOUNTABILITY: These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches.