AMC Security and Privacy Conference: Daily Track Report
For the Futures Track

Track Co-chairs:
• Mariann Yeager, myeager@truarx.com, 703-519-0817
• John Parmigiani, jparmigiani@quickcompliance.net, 410-750-2497

Sessions Being Reported On:
• Future of the Common Rule and Its Effect on Privacy and Security
• International Security & Privacy
• RHIOs – New Security and Privacy Issues

Key Points: Future Uses of Encryption
• Difficulty with harmonization of the Privacy Rule and the Common Rule even after 2 years
• Compliance obligations are linked – HIPAA, Common Rule, AAHRPP
• Conflict arises because the Privacy Rule is permissive in areas where the Common Rule isn’t (e.g., de-identification, IRB approval of authorization, recruitment strategies or monitoring)
• Future of guidance – further harmonization of HIPAA and the Common Rule
• Issues still under discussion: data repositories/tissue banks and future unspecified research, compound authorizations, genetic samples, recruitment strategies (e.g., telephone screening tools, researchers outside the CE that contact patients, etc.)

Key Instant Poll Results
• Polled items/responses:
  • 3 participants sat on IRBs (out of 18 total)
  • IRBs will not approve informed consent and HIPAA authorizations that are inconsistent on the future-use issue – if known
  • About ½ of the participants said that their IRBs review authorizations – even though IRB review is not required to do so under HIPAA
  • Most institutions are making use of verbal authorizations (per guidance)
• Key observation:
  • IRBs may not deeply investigate the finer points of these issues, but exercise their best judgment for the moment

Follow-ups
• Need for additional harmonization between the Common Rule and HIPAA
• Need for ongoing discussion and education regarding these issues

Key Points: International Security & Privacy
• International data protection controls are more stringent than in the US
• International principles are similar: notice, individual choice and consent, participant access to data, security, and organizational accountability
• Additional levels of accountability in other countries:
  • Data processing authority – regional centralized authorities that manage study data
  • Data controller – regulated entity that is subject to the local law where it is located
• Desire for a harmonized legal framework (particularly in Europe)
• International Conference on Harmonization (ICH) of Technical Requirements for Regulation of Human Use
• Safe harbors to allow the US to participate in international research

Follow-ups
• More study on:
  • Issues surrounding privacy and security related to international research are complex
  • Future implications of interoperable EHRs and data that will be more accessible outside the institution and potentially internationally
  • International threats to local vulnerabilities, with resulting risk to the healthcare infrastructure

Key Points: RHIOs – New Security and Privacy Issues
• Central goal is to give providers better information for treatment purposes at the point of care
• RHIOs are real: 25 are “fully operational” (up from 9 in 2004)
• 59% of “advanced stage respondents” have privacy policies that go beyond HIPAA requirements
• RHIOs have greater risk than the organizations – a bigger and more attractive target
• Many legal issues and complexities – type of CE, liability, plethora of other laws/regulations, contracts, data ownership, intellectual property, etc.
• Varying privacy and security issues based upon model – repository, peer-to-peer, etc.

Follow-ups
• Further discussion needed regarding governance structure, entity type, etc.
• Need to fully understand the risks that RHIOs undertake – risk assessment tool/model
• More education/dialogue needed around these issues