Comments on Proposed Standards for Privacy of Individually Identifiable Health Information

Dear Dr. Hamburg:

The Biotechnology Industry Organization ("BIO") is pleased to offer the following comments regarding proposed federal standards for protecting the privacy of individually identifiable health information maintained or transmitted in connection with certain administrative and financial transactions.1 BIO represents over 850 biotechnology companies, academic institutions and state biotechnology centers, and related organizations in 46 states and more than 25 countries. BIO's members are in the business of conducting and sponsoring research designed to discover medicines, diagnostics, and innovative new forms of therapy. These companies provide a home base for researchers who are committed to finding ways to use science to meet unmet medical needs. For most of our members, research is their business; only a handful have products approved for marketing. Rather, these companies are sustained by their prospective patients' hope and faith in their research enterprise, and by Americans' willingness to invest their savings to finance that hope.

BIO's long-standing role as a proponent of federal legislation to safeguard the confidentiality of medical information stems from the recognition that (1) the availability of sensitive and detailed medical information about individuals is indispensable for biomedical research, and (2) this availability depends on patients' trust and confidence that researchers will use medical information responsibly and protect it from misuse. BIO’s members have long endorsed the principles of respect for the medical privacy of individual patients and strong laws with incentives for all concerned to protect medical information from abuse and unauthorized disclosure. Researchers work hard to maintain the trust and confidence of the patients who make themselves available for research. BIO's members also believe, however, that patients are counting on them to vigorously pursue their research objectives. BIO believes that the public interest in the discoveries and findings of research is as strong as the public interest in medical privacy.2 We note that since the enactment of the Health Insurance Portability and Accountability Act ("HIPAA"),3 the public debate and hearing record amply document that no one – from patient groups to privacy advocates, providers, payers, and government officials – advocates that research should be made more difficult or costly by the legal framework that we establish to protect medical privacy. Because matters affecting both biomedical research and medical privacy are within the jurisdiction of the Secretary of Health and Human Services, the public has the right to expect that the federal medical privacy regulations would be appropriately crafted so as to not adversely affect research.

Given this seemingly universal policy consensus, BIO's members were shocked and deeply disappointed that the proposed regulation failed at every turn to establish a legal framework that would serve both objectives. The preamble duly recites that the proposed rule does not reach anyone other than "covered entities," and BIO 's member companies clearly are not engaged in the transactions4 that under HIPAA would make the proposed regulations directly applicable to their operations. However, virtually all data used in the clinical phases of biotechnology research, and in monitoring the safety and efficacy of products after marketing, comes from patients who are receiving care from a "covered entity." As a result, the proposed regulation would have a direct and substantial adverse impact on the ability of biotechnology companies to carry out their research missions, because it establishes significant and detailed new requirements that would apply, for example, to any physician who might agree to support his or her patient’s decision to enroll in a clinical trial, to any health plan or hospital that might make its medical records available for outcomes analyses, to any medical student that wishes to write a case note, and so forth. Indeed, the regulation establishes several new sets of rules that directly regulate the research activities of physicians, hospitals, and health plans. This is not authorized or required by the statute, and it is not necessary to further the Secretary’s stated policy objectives in expanding the scope of the proposed regulation.5 BIO firmly believes that the Secretary’s creation of this burden is inconsistent with the public interest and public expectations regarding the impact of the federal medical privacy regulations.

BIO’s Comments are divided into two parts: (1) Issues stemming from the fact that the proposed regulatory framework would directly regulate research activities; and (2) Issues resulting from drafting problems that may have an unintended deleterious impact on the non-research activities of biotechnology companies.6 With respect to the first category of issues, BIO’s members believe that the overbroad reach of the proposed regulation must be modified, consistent with the scope and intent of HIPAA, to avoid creating significant, if unintentional impediments to biotechnology research. The issues in the second category clarify technical yet important changes to the draft regulation. Both parts offer specific amendments to the proposed regulation that, we believe, will further the Department’s expressed intentions with respect to implementation of HIPAA, while reducing the adverse impact of the regulation on research.7

Executive Overview

I. BIO Is Concerned That the Medical Privacy Regulations Establish New Ground Rules For All Medical Research

  • Use or Disclosure of "Minimum Necessary" Information for the Purpose. §164.506(b).

The Secretary proposes that a covered entity be subject to civil and criminal sanctions unless the entity has made "all reasonable efforts" to limit disclosures to the minimum necessary amount of information, including disclosures for IRB-approved research projects.

BIO believes that a covered entity should be permitted to disclose protected health information after making reasonable efforts to ensure that disclosure is limited to the minimum information necessary to achieve the purpose. For example, a covered entity should be permitted to rely upon the determinations of its own IRB or the central IRB in a multi-center clinical trial for purposes of determining whether disclosures have been appropriately limited. Equally important, BIO fears that the "all reasonable efforts" standard, applied to each disclosure of patient information, will deter covered entities from responding to the recent call of the Institute of Medicine to reduce the frequency of medical errors by affording all providers in the chain of care timely access to an integrated clinical information system.

BIO recommends that the proposed regulation be amended by removing the "minimum necessary" criterion as a disclosure "standard" under §164.506(b)(1) and incorporating "minimum necessary" as a required "safeguard" under the administrative requirements of §164.518(c)). With this change, a covered entity's compliance with the "minimum necessary" requirement would be judged according to the reasonableness standard of §164.518(c)(2), each entity could safely rely upon the "minimum necessary" determinations of its own IRB or the lead IRB in a multi-site trial, and covered entities could offer all providers access to integrated patient care records, as recommended by the Institute of Medicine.

  • Creation of De-identified Information. § 164.506(d)

The proposed regulation creates an unrealistic standard for de-identifying data, and imposes civil and criminal penalties if a covered entity fails to meet this standard when attempting to de-identify information made available for research and analysis.

To serve the public interest in improving the health care system through epidemiologic and health outcomes research, the proposed regulation should create a workable scheme for creating de-identified information and incentives to use de-identified information wherever possible.

BIO recommends that the proposed rule be modified in two ways: (1) to create a more reasonable set of identifiers that may be used to create presumptively de-identified information, and (2) to establish rules that would permit entities other than covered entities to use valid statistical methods for creating databases that may be treated as de-identified.

  • Modification of the Common Rule Regulating Research. §164.506(a)(1)(i); §164.508; §164.510(j).

The proposed regulation explicitly regulates research by establishing new criteria that must be included in patient authorization forms and new criteria for waiver of authorization; no longer would IRBs established under the Common Rule be responsible for decisions about the elements of informed consent, and HIPAA's civil and criminal penalties could be applied to uses of information for research if an IRB has failed to meet the new waiver criteria or use the new informed consent forms.

BIO believes that new medical privacy regulations should preserve the integrity of the Common Rule. IRBs should continue to determine the form and content of individual consents for research and whether or not to waive individual authorization under their current authority. The authority of newly created Privacy Boards should be strictly limited to the waiver of individual authorization for research uses of medical information collected or created in the ordinary course of treatment, payment, or health care operations.

BIO recommends that § 164.506 should be modified to ensure that covered entities are permitted to make information available for any research project that has been approved by an IRB established under the Common Rule.

(1) Where a research project is reviewed by an IRB and where a waiver of consent is not being sought, the form and content of patient authorizations should be determined by the IRB that is charged with oversight of the relevant research project.

(2) The exceptions to "conditioning" an authorization on treatment and "compound authorizations" should be eliminated from §164.508 as unnecessary complications.

(3) Disclosure of protected health information for research that is not reviewed by an IRB and is not granted a waiver of authorization under §164.510(j) should require a patient authorization that meets the requirements of §164.508.

The criteria for waiver of authorization under §164.510(j) must be modified to ensure that Privacy Boards review only privacy risks and grant waivers of individual authorization only for research using information gained by a covered entity during the ordinary course of treatment, payment, or health care operations.

BIO recommends the establishment of new criteria, independent of the Common Rule, to govern any waiver of the individual authorization required by the medical privacy regulations for non-interventional research.

  1. IRBs, the new privacy boards, or the covered entity's privacy officer should apply these criteria in deciding whether to waive individual authorization when the proposed research involves only the use of materials and information otherwise collected or created in the context of treatment, payment, or health care operations;

  2. IRBs should continue to decide whether or not to waive consent under the Common Rule, using the new waiver criteria as appropriate to their deliberations.
  • Research Information Unrelated to Treatment. §164.506(a)(1); §164.508(a)(3)(B)

The breadth and purpose of the Secretary's new information category labeled "research information unrelated to treatment" is unclear, but the requirements that apply to it complicate compliance in research institutions and undermine efforts to provide treating physicians with ready access to the information necessary for accurate and prompt diagnosis and treatment of patients.

To facilitate accurate medical record keeping and institutional compliance with the proposed regulation, health care facilities and individual providers must be free to share all information concerning a patient's care, including information related to the patient's participation in any clinical research protocols.

BIO recommends that the regulation be amended to delete the category of "research information unrelated to treatment" and all provisions making reference to it.

II. BIO Is Concerned That Ambiguities in the Proposed Regulation Appear to Regulate the Non-Research Activities of Biotechnology Companies.

  • Applicability; Definition of "Covered Entity."

Biotechnology companies should remain free to employ licensed health care providers and to enter into corporate relationships with provider institutions without fear of being deemed a "covered entity" under the proposed regulation.

BIO recommends that the "applicability" section (§160.102) be revised by making the proposed standards, rules, and implementation specifications applicable only to the component of an entity that engages in the transactions specified in §164.104.

  • Scope; Patient Assistance Programs; Professional Assistance

The proposed regulations should permit manufacturers to provide product support activities for the patients and health care professionals who use their products, without the burden of added complexities and costs.

Because the information disclosed to obtain the services of the personnel who staff product support programs may not meet the extremely strict criteria set for "de-identifying" information, BIO asks that the regulation be amended to ensure that health care professionals are not hampered in their efforts to obtain product support services. We also ask for clarification that the proposed regulations do not require the manufacturer to require the patient to submit an authorization form required under § 164.508(a)(1) before taking the patient's call and responding to the request for assistance.

  • Monitoring Activities/Reports to Manufacturers

The public health exception of § 164.510(b) must be modified to permit covered entities to use health information in preparing reports to manufacturers of approved medical products for public health purposes. As drafted, the proposed regulation permits covered entities to disclose protected health information to public health authorities, but our system for monitoring safety and effectiveness of approved products depends on covered entities’ voluntary reports to the registered manufacturers of approved products.

BIO recommends that § 164.510(b) of the proposed regulation be modified to permit covered entities to disclose protected health information to the registered manufacturer who is charged with monitoring the safety and effectiveness of marketed products.

  • Product Surveillance Activities.

The proposed regulation permits reports only to government officials in the United States.

BIO recommends that the definition in the proposed regulation should be amended to expand the definition of "public health authority" to include an agency or authority of a foreign government or international body that is responsible for public health matters.

  • The Proposed Effective Date Will Disrupt Ongoing IRB-Approved Research.

Because the proposed regulations add to and/or modify existing laws that apply to research under the Common Rule, the rule should establish a phase in requirement that prevents disruption of ongoing research projects monitored by an IRB.

Language should be added to § 164.524 (Effective Date) to clarify that nothing in the section shall require modification of any research approved and supervised by an Institutional Review Board as of the effective date of the regulation.

  • Disincentives for Covered Entities to be Involved in Research and Other Public Interest Activities that Depend on Medical Information.

Covered entities should be able to use or disclose protected health information pursuant to all § 164.510 activities in good faith reliance on credible representations that the regulation's requirements have been met.

BIO recommends that § 164.510(a) be modified to create a presumption that an entity that acts in good faith to meet each of the verification requirements § 164.518(c) is in compliance with the disclosure standards of § 164.510.

Part I

The Medical Privacy Regulations Establish New Ground Rules For All Medical Research

When Congress enacted the Administrative Simplification provisions of HIPAA,8 it intended to reduce the costs and administrative burdens of health care by standardizing the format for securely transmitting information for certain administrative and financial transactions.9 Through this standardization, Congress anticipated that the efficiency and effectiveness of the health care system would be enhanced, while the security and privacy of the transmitted information would be protected.10 There is no indication that Congress intended the regulatory system the Secretary is authorized to establish under this "regulatory fall-back" provision of the statute to create new requirements applicable to research that is already subject to the Common Rule's protections.11

BIO is concerned that in many respects, the proposed regulation would have the opposite effect of what seems to be the intent of HIPAA. Congress established legal authority for a uniform federal system to safeguard medical information transmitted by providers and health plans that have elected to use the power of information technology to expedite certain financial and administrative health benefits transactions. But instead of a transparent system of protections that would improve patients’ understanding of their rights and covered entities’ understanding of their obligations, the Secretary has created a cumbersome system in which documentation of compliance with very precise requirements –with respect to uses of electronic media, paper, and telephonic or other oral communication – is required to prevent the provider or health plan from being subject to civil and criminal penalties.12 In addition to actions that might be brought to enforce the regulatory requirements, the Secretary has established a whistle-blower system13 for collecting complaints, and has created the legal basis for plaintiffs to take their allegations into the courts.14

The impact of this detailed regulatory system on research is quite direct and explicit. With the civil and criminal penalties established by HIPAA as the enforcement mechanism—

    1. The regulation explicitly prohibits any "covered entity" from using or disclosing any medical information to which it has access for any research unless the detailed new requirements of the medical privacy regulations have been met.15
    2. The regulation makes significant modifications affecting implementation of the Common Rule, explicitly prohibiting any covered entity from making any information available to a researcher – even if that researcher has IRB clearance and signed patient authorizations – unless the covered entity also meets the detailed new requirements of the medical privacy regulation with respect to consent, or with respect to waiver of consent.
    3. The regulation imposes ambiguous new patient consent requirements applicable to any patient records "related to" research, with far-reaching implications for every provider treating a patient who is involved in research.

A health care provider or health plan whose primary activity is the provision of health care or health benefits could easily and justifiably conclude that research activities should be avoided because non-compliance carries a risk of civil and criminal penalties and potential litigation.16 Following are some of the major impediments and BIO’s suggestions for modifications of the proposed regulation to mitigate the damaging impact on research.

1. Use or Disclosure of "Minimum Necessary" Information for the Purpose. §164.506(b).

A covered entity should be permitted to disclose protected health information after making reasonable efforts to ensure that disclosure is limited to the minimum information necessary to achieve the purpose; a covered entity should also be permitted to rely upon the "minimum necessary" determinations of its own IRB or the central IRB in a multi-center clinical trial. The Secretary proposes a standard for evaluating every disclosure of protected health information with respect to whether the covered entity has made "all reasonable efforts" to use or disclose the "minimum necessary" amount of information.17 BIO accepts without question the proposition that every entity that handles protected health information should have procedures and internal standards for ensuring that medical information is accessed only by those with a legitimate purpose. Moreover, it is often appropriate for a legitimate user to be given access only to the pertinent subset of a comprehensive record.

BIO's concern stems from the fact that the standard of compliance for disclosures created by the actual regulation differs from the standard described in the preamble, and may in fact be legally impossible for covered entities to meet. In the preamble the Secretary states that what is "minimally necessary" in any circumstance will be judged by a general standard of reasonableness. The Secretary further suggests that covered entities who make "reasonable efforts" and incur "reasonable expense" to limit the use and disclosure of protected health information will fulfill their obligation to make only minimally necessary disclosures.18 Elsewhere in the Preamble, the Secretary asserts that compliance standards for the proposed rule's requirements must be flexible and scaleable in proportion to entity resources.19

By contrast, the proposed regulation would establish a far more sweeping requirement that covered entities make "all reasonable efforts" to limit the use and disclosure of protected health information.20 The covered entity must also "ensure" that its staff meets the same standard of conduct.21 As drafted, the proposed regulation goes too far -- failure to use "all reasonable efforts" to disclose the minimum necessary information would subject the covered entity to civil and criminal penalties. A covered entity may never be confident of the measures it has established to comply with the new regulations, because HIPAA imposes what is in essence strict liability: HIPAA’s criminal and civil sanctions may attach to the knowing disclosure of individually identifiable health information in violation of privacy rules, apparently even absent awareness that the disclosure was wrongful.22

In both the treatment and research contexts, enforcement of such a rigid standard promises to severely diminish the information that covered entities are willing to make available to attending physicians and to researchers who have authorization to use medical records.23 This is a dangerous result, and contrary to good clinical practice. For example, the Institute of Medicine (IOM) now advocates that medical centers improve patient safety by affording all providers timely access to an integrated clinical information system to minimize medical mistakes.24 The proposed rule and its sanctions for noncompliance will create disincentives for institutions to develop and use this type of information system because institutions will be subject to severe sanctions if it is later determined that any of the countless disclosures involved exceeded the minimum necessary. Federal medical privacy regulations that impose strict liability on covered entities that fail to limit access to their records are incompatible with the IOM's proposal and risk needlessly increasing medical errors.

Moreover, the proposed regulations require each covered entity to make its own independent "minimum necessary" determination for every research use or disclosure.25 According to the NPRM, this means that the covered entity must reach an independent judgment that the purpose of each use or disclosure could not be reasonably accomplished with information that is not identifiable.26 This is simply unworkable within the context of a large, multi-center clinical trial. IRBs that review biotechnology research protocols must make complex judgments about the value of the research, the scope of disclosure in the consent form, and the sufficiency of protections for patient privacy.27 Reviewers must develop enough expertise in the subject area to evaluate risk and benefit to participants, and the entire IRB must invest significant time and effort to thoroughly analyze all relevant considerations. To make more effective use of limited IRB resources, federal regulations permit institutions cooperating in multi-center clinical trials to delegate basic decisions about the structure of the research protocol, the contents of the consent form, and the scope of any patient waivers or authorizations to a central IRB.28 Delegation of review authority allows participating sites in a multi-center trial to rely upon an IRB whose members have special expertise and understanding of the proposed research. Unnecessary duplication of effort and expense is avoided, data collection is standardized, and the trial coordinator does not face the administrative burden of managing data and patient records from multiple sites whose IRBs might otherwise place differing requirements and limitations upon the protocol. The end result is that multi-center trials operate efficiently, ensuring competent, thorough review in a more realistic time frame, thus bringing more new therapies to more patients.

These arrangements likely would not be feasible under the "minimum necessary" rule, as drafted. Covered entities arguably could no longer delegate the substantive review of protocols and consent forms to the central IRB in a multi-center trial, because such review necessarily involves determinations about the amount of information necessary for the research purpose. Each trial site that is a covered entity is independently obligated to make all reasonable efforts to limit uses and disclosures, including but not limited to an independent review of what information is the minimum necessary for the specific research protocol.

When an IRB authorizes a covered entity's disclosures of protected health information to a researcher, the entity should not face prosecution for making the authorized disclosures, and courts and prosecutors should not second-guess how much information the specific research project required and whether the entity’s attempt to limit the information met the "all reasonable efforts" standard. Yet this is exactly what will happen unless the Secretary modifies the proposed regulation to apply a standard of reasonableness to the covered entity's "minimum necessary" determinations.

To accomplish this, BIO recommends that the proposed regulation be amended by removing the "minimum necessary" criterion as a disclosure "standard" under §164.506(b)(1) and incorporating "minimum necessary" as a required "safeguard" under the administrative requirements of §164.518(c)). With this change, covered entities' compliance with the "minimum necessary" requirement would be judged according to the reasonableness standard of §164.518(c)(2), and each entity could safely rely upon the "minimum necessary" determinations of its own IRB or the lead IRB in a multi-site trial.

2. Creation of de-identified information. § 164.506(d)

To achieve the appropriate balancing of the public interest in medical privacy and the public interest in the efficient and effective health care that results from health services, health outcomes, and epidemiologic research, the proposed regulation should create a workable scheme for creating de-identified information and incentives to use it wherever possible. Researchers often use data sets of de-identified information in their research. Such research projects include epidemiological studies, outcomes analyses, and studies of incidence of disease or access to care across populations, areas or time.29 For biotechnology companies, these studies are essential to identify unmet medical needs and to develop hypotheses about the environmental, social, behavioral, and genetic roots of diseases and conditions. Virtually all of the information used in these studies is in the form of existing databases of medical information maintained by covered entities.

In the preamble, the Secretary expresses a strong desire to facilitate such research through the proposed regulations' standards for "de-identification" of information.30 In explaining the de-identification standard, the preamble states that "[o]bvious identifiers on health information could be replaced with random numbers or encrypted codes, which can prevent the person using the record from identifying the subject, but which allow the person holding the code to re-identify the information."31 Such databases could be used for many research projects, without the need for the researcher to have access to the code or otherwise re-identify individuals.

However, in contrast to the preamble, the standard established by the proposed regulation is much more limiting. The regulation provides that de-identified health information is created by "removing, coding, encrypting, or otherwise eliminating or concealing the information that makes information individually identifiable."32 The regulation establishes a two-pronged test for creating presumptively de-identified data. Under HIPAA, if the information is not "de-identified," it is protected health information, and disclosure or use of it for research without complying with the proposed regulation's research requirements would subject the covered entity to the risk of civil and criminal penalties. Thus, the incentives created by the enforcement scheme are likely to lead covered entities to use and rely on de-identified information for research only if they can confidently meet the requirements for the information to be presumed de-identified. Both prongs of the test must be satisfied for information to be presumed de-identified.

The first prong lists eighteen specific "identifiers": if any of the eighteen is present, information cannot be presumed to be de-identified. Several of the listed "identifiers" would prohibit access to data elements and formats that are essential data for research purposes.33 Indeed, the last item in the list of "identifiers" would require a covered entity to remove "[a]ny other unique identifying . . .  characteristic  . . .  that the covered entity has reason to believe may be available to an anticipated recipient of the information."34 For biotechnology companies, the disease or condition under investigation often afflicts a limited population of individuals. In effect, the disease under investigation arguably could be considered a "unique identifying characteristic" available to the researcher, who (as a clinical expert in the disease) may otherwise be able to identify the patients afflicted with the disease. Thus, information from patients with rare diseases or conditions might never meet the regulation's definition of "de-identified" information. Moreover, even for more common diseases and conditions, removing all of the elements on the list of asserted "identifiers" would result in medical history data of questionable completeness, raising serious doubts about the validity of conclusions drawn from any research using a de-identified database.

The second prong of the de-identification presumption test requires that the covered entity have "no reason to believe that any anticipated recipient of such information could use the information, alone or in combination with other information, to identify an individual."35 This creates an extremely high standard for the presumption, and the proposed regulation provides no guidance regarding what a prosecutor or court might consider "reason to believe" that any anticipated recipient could identify individuals. As a result, BIO thinks that it is highly unlikely that any covered entities would be able to take advantage of the presumption for purposes of creating "de-identified" information for use in research.

There is a third "implementation specification" that may have more practical utility. Entities with statistical expertise are authorized to treat information as de-identified (even if the information includes any of the listed identifiers) if they determine that the probability of identifying individuals with the information is very low.36 However, this option is available under the proposed regulation only to covered entities with in-house "statistical expertise."37

If, as suggested in the preamble, the Secretary wishes to create incentives for covered entities to use de-identified information, BIO recommends that the proposed rule be modified in two ways: (1) to create a more reasonable set of identifiers that may be used to create presumptively de-identified information, and (2) to establish rules that would permit entities other than covered entities to use valid statistical methods for creating databases that may then be treated as de-identified. The proposed revisions are stated in the Attachment as amendments to §164.506(d).

3. HIPAA does not provide authority for the Secretary to directly regulate research activities or modify the Common Rule regulating research. §164.506(a)(1)(i); §164.508; §164.510(j).

To preserve the integrity of the Common Rule, IRBs should continue to determine the form and content of individual authorizations for research according to current criteria. The authority of newly-created Privacy Boards should be strictly limited to the waiver of individual authorization for research uses of existing medical information collected or created in the ordinary course of treatment, payment, or health care operations. As discussed above and acknowledged by the Secretary in the preamble,38 the authority to promulgate medical privacy regulations under HIPAA is limited in scope to certain entities that use individually identifiable information in certain financial and administrative transactions.39 Instead of maintaining this focus, the proposed regulation explicitly regulates research by establishing regulatory requirements that apply only to research. In discussing its proposals to regulate research, the NPRM states:

Our proposed requirements for this disclosure build on the requirements for such disclosure under the Federal regulation that protects human subjects in research conducted or funded by the Federal government, the Federal Policy for the Protection of Human Subjects (often referred to as the "Common Rule).40

If the Secretary wishes to extend the Common Rule to all research, she must seek additional authority from Congress that will permit her to regulate research. Authority to embark on such a controversial course clearly cannot be teased out of HIPAA's authority to ensure the privacy of information transmitted in connection with certain administrative and financial transactions.
41

As noted above, the proposed regulation prohibits all use or disclosure of protected health information for any research unless certain strict requirements are met. These medical privacy requirements governing the form of consent and its waiver are in addition to the requirements governing informed consent and its waiver under the Common Rule. As stated in the preamble, "For research projects to which both the Common Rule and this proposed rule would apply, both sets of requirements for obtaining the authorization of the subject for research would apply."42 Nothing in HIPAA and nothing in the broader structure of the Secretary's medical privacy regulations authorizes or requires this modification or augmentation of the Common Rule's requirements.

BIO's Comments with respect to each of the issues in this section advocate that the Secretary reshape her proposed regulation to be more consistent with the approach taken in the Greenwood bill43 and in the compromise worked out by Senators Frist and Kennedy in the Senate Health, Education, Labor and Pension Committee's mark up of medical privacy legislation. Both of these vehicles established a new mechanism for reviewing the privacy issues raised by proposed uses of health information for research purposes without modifying the Common Rule or the responsibilities or enforcement mechanisms applicable to IRBs under the Common Rule.

Form of Individual Authorization. § 164.508.

The authorization requirements of §164.508 should be modified to fit the context of clinical research. The proposed rule establishes twelve specific requirements regarding what must be included in a valid patient authorization, and states that there is no "authorization" for purposes of the regulation if any one of the elements is missing from the form signed by the patient.44 Several of the mandatory elements may be misleading or inappropriate when injected into the barrage of informed consent materials that explain the various research risks confronted by the clinical research participant.

For example, under the proposed rule authorizations must include a statement in which the individual acknowledges that information used or disclosed to any entity other than a health plan or health care provider may no longer be protected by federal privacy law.45 This requirement is misleading because it implies that the individual's privacy is at risk. But for research that is subject to the Common Rule, the patient’s privacy is protected through the requirement that the IRB consider the procedures in place to safeguard patients' confidential information, and these procedures are explained in the informed consent document.46 Researchers must abide by the provisions of the consent document, and IRBs must ensure that this happens; therefore, the statement required by the proposed medical privacy rule would confuse a patient about the researcher’s intentions and obligations under federal and state law.

In addition, the proposed regulation requires that where use or disclosure of the requested information will result in financial gain to the entity, authorizations must include a statement to that effect. This requirement appears to address concerns related to use of information for marketing and other commercial purposes - not biomedical research - and may create new and unnecessary anxieties for patients who wish to enroll in clinical trials. Marketing uses and commercialization of individually identifiable clinical trial data already would be inconsistent with IRB approval and the informed consent documents that specify the uses that the researcher may make of the information.

Furthermore, the proposed rule requires that an expiration date be included in all patient authorizations.47 This requirement cannot be implemented in a manner that is meaningful and fair to research participants, because the duration of any study depends on a complex variety of factors that cannot be predicted at the outset. This requirement would be even more problematic if patients enrolled in a trial had varying dates of expiration in their authorizations. Use of a precise expiration date is also incompatible with clinical research because of the requirement that manufacturers be able to audit, and permit FDA to audit, patient records that were the source of case report forms used in clinical trials that support product approval. It is not possible to predict the date on which a clinical trial is "complete," or more precisely, the date after which there is no potential need for the trial sponsor to be able to assure that FDA can audit the clinical trial sites.

The preamble states that the Secretary rejected alternatives to the specific expiration date for research purposes as being too unwieldy for covered entities.48 However, the Secretary’s conclusion results from her search for an "event" that defines expiration of consent. The sole purpose for an expiration date is to provide the patient with meaningful notice regarding the duration of the recipient’s ongoing access to information. These concerns are largely addressed by the fact that under the Common Rule, each patient is informed that he or she may withdraw from the study at any time, and where the IRB agrees, that he or she may limit further access to additional data as of the point of withdrawal from the study.

The proposed rule fails to help the research participant understand how medical privacy is protected in the research context. Moreover, the Secretary’s approach of requiring compliance with both the Common Rule and the medical privacy authorization requirements is explicit regulation of research, which exceeds her authority established under HIPAA. In view of its responsibility for approving and monitoring research, the IRB is uniquely qualified to determine the adequacy of patient authorizations for use of disclosure of protected health information. Each IRB will be familiar with the particular aspects of each research project that might raise privacy concerns; it will understand the particular patient population that is being enrolled in each study; and it will be sensitive to the information that should be disclosed for patients to make informed decisions about participation in the study.

BIO Recommends:49

(1) Where a research project is reviewed by an IRB and where a waiver of consent is not being sought, the form and content of patient authorizations should be determined by the IRB that is charged with oversight of the relevant research project.

(2) In light of the IRB’s discretion, the exceptions to "conditioning" an authorization on treatment and "compound authorizations" should be eliminated from §164.508 as unnecessary complications.

(3) Disclosure of protected health information for research that is not reviewed by an IRB and is not granted a waiver of authorization under §164.510(j), should require a patient authorization that meets the requirements of §164.508.

BIO does not propose to permit the new "privacy boards" authorized by the Secretary to determine the form of authorization for research purposes under the proposed medical privacy regulations. Maintaining an IRB-based approach to patient authorization requirements leaves the Common Rule unmodified by the NPRM and leaves intact the Secretary’s proposal to prohibit a covered entity from using or disclosing protected health information for research without patient authorization or waiver of authorization.

Waiver of Authorization. §164.510(j).

The criteria for waiver of authorization under §164.510(j) must be modified to ensure that Privacy Boards review only privacy risks, and grant waivers of individual authorization only for research involving existing records of information gained by a covered entity during the ordinary course of treatment, payment, or health care operations. BIO agrees that all non-interventional or "records" research should require a waiver of patient authorization under the privacy regulations that includes elements not currently included in an IRB waiver of authorization for research that is subject to the Common Rule.

As drafted, however, the Secretary's waiver proposal is so broad as to constitute a direct modification of the Common Rule.50 In fact, the privacy regulation explicitly recodifies the existing waiver requirements of the Common Rule, with some modifications, and joins them with other requirements of the Common Rule, to make them enforceable requirements under HIPAA, applicable to all research involving waiver of authorization.

BIO believes that the all-encompassing waiver approach taken in the proposed regulation is ill-advised and potentially dangerous to patients who elect to participate in clinical research. An IRB acting in accordance with the Common Rule may waive consent, not just for use of existing medical information, but occasionally for research involving active intervention with the patient for purposes of the research. Such a waiver of consent for interventional research comes only after the IRB has fully considered risk to the individual participants, ethical concerns, and the scientific merit of the proposal.

Privacy board review is intended to be something much more limited and specific: an evaluation of the risk to a patient's privacy interests posed by research involving use of existing medical records. Yet, by importing Common Rule concepts into the privacy regulations, the Secretary may create the impression in the minds of patients that privacy board review is equivalent to IRB review. BIO fears that patients, and possibly some researchers, may mistake a privacy board waiver of authorization under the medical privacy regulation for an IRB waiver of consent to participate in research. Only an IRB should be permitted to determine that the scientific value of a research project outweighs the complete spectrum of risks to the participant in considering whether or not to waive patient consent. Technically, privacy boards may not authorize an interventional research project,51 but under the proposed regulation the potential for confusion of the patient, the researcher and the provider is substantial. BIO maintains that importation of Common Rule concepts into privacy board review is not required to effectively implement the medical privacy requirements of HIPAA.

The new requirements also create confusion with respect to IRBs' obligations. Because some of the Common Rule's waiver criteria are incorporated into the proposed regulation that is implementing HIPAA, the Secretary arguably has made the penalties established by HIPAA applicable to covered entities' IRBs that fail to properly implement these Common Rule criteria.52 This enhanced legal risk creates an inappropriate incentive for covered entities not to use their IRBs to review a researcher's privacy safeguards, but to rely instead on documentation of waivers prepared by a privacy board established by the researcher.

BIO recommends the establishment of new criteria, independent of the Common Rule, to govern any waiver of the individual authorization required by the medical privacy regulations for non-interventional research.

  1. IRBs, the new privacy boards, or the covered entity's privacy officer should apply these criteria in deciding whether to waive individual authorization when the proposed research involves only the use of materials and information otherwise collected or created in the context of treatment, payment, or health care operations.

  2. IRBs should continue to decide whether or not to waive consent under the Common Rule, using the new waiver criteria as appropriate to their deliberations.

The Attachment proposes modifications of the draft regulation that would accomplish this purpose and modify the criteria for waiver to make them appropriate for the more focused task of waiving the authorization required under the medical privacy regulation.53 Additionally, BIO proposes to allow the covered entity to rely upon a waiver granted pursuant to a review by the entity's own privacy officer, who may be in a better position than a privacy board to evaluate the potential privacy risks from the research proposal as well as the expectations of patients in light of the covered entity’s privacy policy.54

Research Information Unrelated to Treatment. §164.506(a)(1); §164.508(a)(3)(B)

To facilitate accurate medical recordkeeping and institutional compliance with the proposed regulation, health care facilities and individual providers must be free to exchange all pertinent information concerning a patient's care, including information related to the patient's participation in any clinical research protocols. The breadth and purpose of the Secretary's new information category labeled "research information unrelated to treatment" is unclear, but the requirements that apply to it complicate compliance in research institutions, and undermine efforts to provide treating physicians with ready access to the information necessary for accurate and prompt diagnosis and treatment of the patient. The proposed rule creates a new category of health information called "research information unrelated to treatment" and prohibits all uses and disclosures of such information without specific patient authorization. The name makes it sound as though this category may pertain to information that a researcher creates and uses exclusively in the research context, such as tissue studies, images and assays that are not yet used in interactions with patients. But this reading would be incorrect. The proposed regulation defines this category of information to effectively include treatment information that results from or is related to therapeutic research in a clinical setting. The category includes "information created or received by a covered entity in the course of conducting research, for which there is insufficient scientific and medical evidence regarding the validity or utility of the information such that it should not be used for the purpose of providing health care, and with respect to which the covered entity has not requested payment from a third party payor."55 In effect, it might be more accurate to label the category "treatment information related to research."

The regulatory definition of "research" is extremely broad, and would encompass much of the treatment furnished by clinician/researchers practicing in health care institutions that are at the forefront of medical innovation.56 Indeed, some BIO members have maintained that in order to ensure that this prohibition is not violated, the regulation would require the health care professional who is attending to the needs of a patient that may be enrolled in a research project to document all care and observations that arguably are part of a research protocol in a separate, largely duplicate record from the record of care provided by the hospital – since that record might be used or disclosed for treatment, payment, or health care operations without obtaining a patient authorization.57 Thus, the potential that patient care records would be incomplete raises significant concerns about the increased risk of medical errors by downstream providers, as well as the validity and fairness of quality assessment and peer review activities of the institution -- all of which rely on the patient care record, not the records kept by a researcher.58

In attempting to segregate "research" information from "treatment" information, BIO understands that the Department may have intended to provide added protection for certain information, such as genetic information, that might be used to discriminate against the patient.59 BIO strongly supports measures to prevent and punish genetic discrimination, but BIO opposes the creation of different degrees of protection for different types of information. The "research information unrelated to treatment" provision is particularly ill advised.60 It fails to add any measure of protection beyond what already is provided for under existing law. Moreover, in creating a special category of sensitive information, the provision undermines the general uniform structure of the regulation in a way that will be harmful primarily to the work of covered entities whose mission includes patient care and biomedical research. The creation of this category of information is self-defeating: it "protects" patients by burdening their doctors at the point of care with the legal duty to make artificial and somewhat arbitrary distinctions between facts and data attributable to treatment and those attributable to research.

In reality, there is no such bright-line distinction between types of medical information. The Secretary cites the example of a patient enrolled in a drug study that includes an experimental genetic test. If the test pertains to a condition for which there is no accepted medical intervention, it may seem easy to agree that the patient's genetic test results would be considered "research" information because the genetic data would not be relevant to the patient’s clinical care, if the patient were not enrolled in the clinical trial.61 But in that context the fact that the patient may be receiving an experimental drug is itself health information of uncertain clinical utility. And yet that fact clearly is relevant to the care provided by any health care professional, whether as part of the research or otherwise. Moreover, diagnostic aids can help health care professionals make better decisions about care even when there is no "cure." For example, if a patient and doctor understand that certain symptoms are related to a genetic condition for which there is no cure, the fact that other causes of those symptoms have been ruled out can help with decisions regarding whether or not to use of some of the more invasive therapies for those symptoms.

Yet under the proposed regulatory scheme, the fact of the patient's participation in the trial and the identity of the study drug would be "research information unrelated to treatment." Such information about treatment in connection with research may not be shared within the health care system like other health information; in fact, researchers will face civil and criminal liability if they make good faith disclosures of "research information" to treating clinicians without express patient authorization.

This result is especially inappropriate given that experimental drug and device research is often conducted within the hospital setting, where clinicians are also researchers, and where treating physicians must be aware of all information that might affect a patient's health status. The "research information" exclusion also fails to accommodate compassionate use protocols, in which a researcher administers an experimental therapy to a single patient, with the intent to treat that patient, yet the "treatment" is actually research conducted under IRB supervision due to the experimental nature of the drug or device.62 In such a situation the proposed regulation unwisely forces a clinical researcher to guess – on pain of criminal sanction – what information must be excluded from the patient’s medical record or withheld from other health care providers.

Finally, the "research unrelated to treatment" provision will introduce inaccuracies and omissions into the medical record and negatively impact patient care just as the health care community has begun to confront the pervasive problem of medical errors and substandard protections for patient safety. As the Institute of Medicine (IOM) observed in its recent report, errors in the health care system are at an "unacceptably high" level: preventable medical error ranks among the ten leading causes of death in this country, surpassing deaths caused by AIDS, breast cancer, or auto accidents.63

The IOM attributes many of these preventable medical errors -- particularly medication errors  -- to a decentralized health care system in which community physicians, hospitals, and pharmacists all keep separate records, and in which no provider has access to complete medical information about the patient.64 To address the problem, IOM advocates that providers adopt comprehensive electronic medical records and share access to this medical information across all points of patient care.65 Patient safety dictates that these medical records be as complete and accurate as possible -- proposed § 164.506(a)(1)(i), with its confusing prohibition against the disclosure of clinical research information, even among health care providers, is inconsistent with this goal.

BIO recommends that the regulation be amended to delete the category of "research information unrelated to treatment" and all provisions making reference to it. These proposed amendments are shown in the Attachment as amendments to §164.508 and §164.506(a)(1)(i).

Part II

Ambiguities in the Proposed Regulation Appear to Regulate the Non-Research Activities of Biotechnology Companies.

1. Applicability; definition of "covered entity."

Biotechnology companies should remain free to employ licensed health care providers and to enter corporate relationships with provider institutions without fear of being deemed a "covered entity" under the proposed regulation. Many BIO members employ physicians or other health care professionals who perform various functions that do not involve the provision of routine health care to patients, and these employees certainly are not paid by health plans. Of course, some BIO members may engage in, or have subsidiaries or components that engage in activities that may make them "covered entities" (or business partners of covered entities) as defined in the proposed regulation.66 However, even under these circumstances, most of our members are not primarily engaged in businesses that involve them in the provision of health care or health care benefits, nor do they process or engage in the transactions that were Congress’ focus in enacting the administrative simplification provisions of HIPAA.67 The preamble of the NPRM directly addresses this situation in discussing "organizations that provide health care or have created health plans but are primarily engaged in other unrelated activities."68 The preamble states: "The health care component (whether or not separately incorporated) of the organization would be the covered entity."69 We agree that this is a reasonable way for the government to avoid imposing burdensome requirements and inappropriate legal obligations on businesses that are not primarily engaged in the standard transactions that would bring them within the jurisdiction of the HIPAA medical privacy requirements.70

However, the proposed regulation fails to implement the policy stated in the preamble. The regulation states that it applies to "covered entities," but that term is defined by referring to health plans, clearinghouses and providers.71 Those terms are defined by referring to the activities and services that an "entity" performs that bring it within the ambit of the regulations. In short, because the definition of "covered entity" is entirely circular, it fails to specify that status as a "covered entity" attaches only to the component of the entity that engages in the regulated activities. To remedy this defect, BIO recommends that the "applicability" section in §160.102 be revised by amending it to apply the proposed standards, rules, and implementation specifications only to the component of an entity that engages in the transactions specified in §164.104. Specific language is provided in the Attachment as an amendment to §160.102.

2. Scope; patient assistance programs; professional assistance

The proposed regulations should permit manufacturers to provide product support activities for the health care professionals and patients who use their products, without the burden of added complexities and costs. BIO seeks clarification that its members are not considered "covered entities" with respect to certain product support services that they provide to patients and health care professionals, upon request.

A manufacturer's professional services staff should be permitted to engage in the full range of product support activities. For example, most manufacturers provide 800 numbers that health care professionals may call to ask questions about a product. Physicians – and the FDA -- expect the product manufacturer to provide assistance, for example, with the sophisticated calculations necessary for calibrating appropriate dosages, problems in reconstituting a product, questions about product quality, storage and handling, and so forth. Manufacturers commonly provide these product support services through a staff of health care professionals who respond to questions and share their knowledge of the product and its use. Moreover, some doctors may seek advice about appropriate use of the product for patients with complicating conditions that may not have been reported on the package insert. Because of their unique position, the personnel who staff manufacturers' professional services lines can be extremely valuable sources of information for the treating physician. They can provide quick access to published information and clinical insight regarding use of the product by acting as a resource for the patient's physician; however, they are not providing health care to the patient. Arguably, physicians should be able to use patient information in posing questions to professional services personnel because these interactions are necessary to assure that the physician has the requisite professional competence to use these sophisticated products to treat his or her patients.

We note that the patient information exchanged in these interactions need not identify the patient. Moreover, after the regulations are promulgated, the physician would be obligated to ensure that the minimum information necessary to achieve the purpose would be conveyed to the professional services staff. However, the information that is exchanged likely would not meet the regulations' definition for being considered "de-identified." Because of the extremely strict criteria set for "de-identifying" information, BIO asks that the regulation be amended to ensure that health care professionals are not inadvertently deprived of this essential resource regarding safe and appropriate use of products. The proposed amendment is presented in the Attachment as an amendment to §164.510(b).

In addition, manufacturers should not be considered covered entities based on their willingness to provide reimbursement assistance to patients or to provide free products, information, or reimbursement assistance to needy patients. Some of BIO's members maintain information services for patients, as well as expanded patient services that may include help in evaluating health plan payment and coverage requirements, and programs under which patients may receive free products, coupons or other financial support to offset their expenditures for the drug.

BIO asks for clarification that these professional service and patient assistance activities do not transform manufacturers into "covered entities" for purposes of the proposed regulation. We note that where contact with the manufacturer is initiated by or on behalf of the patient, there is no covered entity disclosing the information to the manufacturer. Accordingly, BIO also asks for clarification that the proposed regulations do not require the manufacturer to require the patient to submit an authorization form required under § 164.508(a)(1) before taking the patient's call and responding to the request for assistance.

3. Monitoring activities to ensure product safety and effectiveness.

The public health exception to the regulation's prohibition of use and disclosure of protected health information must be modified to accommodate the unique features of postmarketing surveillance of the safety and efficacy of prescription pharmaceutical and biological products, and the regulatory requirement that manufacturers continue to monitor approved products. The proposed regulation provides an exception so that it does not inadvertently become illegal for providers to participate in public health activities without the authorization of each patient. It states that a covered entity may disclose protected health information for the public health activities and purposes described therein, but these disclosures may be made only to certain entities engaging in certain authorized activities. Three sets of modifications to the proposed regulation are necessary to avoid creating obstacles and ambiguity regarding the legality of product surveillance activities under the medical privacy regulations.

The public health exception of § 164.510(b) must be modified to permit covered entities to use information in preparing public reports for public health purposes.

As drafted, the proposed regulation permits covered entities to "disclose" "protected health information" to public health authorities, but it does not permit them to "use" information in their possession or control to prepare such reports. As noted above, the regulatory definitions of "disclose" and "use" are very different, and both activities are prohibited without authorization in the regulation, or by the individual.72 Some, but not all of the reports to be filed for public health surveillance activities do not require patient-identifying information, but can be prepared by aggregating incidence reports or submitting extracts of records that do not include direct patient identifiers. Arguably, in prohibiting "use" of protected health information for public health activities, the regulation creates a disincentive for covered entities to perform the screening of their records databases necessary to complete such reports. The draft regulation should be modified to permit covered entities to use or disclose protected health information for public health surveillance activities. Specific language is proposed in the Attachment as an amendment to § 164.510(b).73

Product surveillance activities are international in scope, so the proposed regulation must be modified to permit reports to agencies and authorities of foreign governments and international bodies responsible for public health matters.

Section 164.510(b)(a) authorizes covered entities to make reports to a "public health authority" for the purpose of preventing or controlling disease, injury, or disability . . .  ." BIO assumes that the "prevention" of disease, injury or disability would encompass the reports necessary to monitor the safety and efficacy of marketed products. However, the regulation limits the definition of public health authority to U.S. entities. Products that are marketed throughout the world are subject to the reporting requirements of any country in which they are marketed, as well as the requirements of the European Union. To avoid creating international impediments to safe and effective use of products, the definition in the proposed regulation should be amended to expand the definition of "public health authority" to include an agency or authority of a foreign government or international body that is responsible for public health matters. Specific language is proposed in the Attachment as an amendment to § 164.510(b)(a).

The public health exception of 164.510(b) must be modified to permit reporting to manufacturers for surveillance of the post-marketing safety and efficacy of their marketed products.

This nation's system of reports concerning the safety and efficacy of prescription drug and biological products approved for marketing in the United States depends on the post-marketing surveillance and monitoring activities undertaken by the company that holds the license to market the drug under the Federal Food Drug and Cosmetic Act.74 The law imposes an obligation on the manufacturer to report certain events and information to the FDA,75 but the manufacturer establishes appropriate mechanisms for collecting and organizing the information based on the characteristics of the product, the disease, and the patient populations in which the product is being used. Laws establishing authority and requiring reports to trace public health threats from communicable disease, pollution, or contamination apply directly to the health care professionals and institutions that have contact with the patient. But the laws providing for post-marketing surveillance of prescription drugs and biologics impose requirements only on the manufacturer that has approval to market the product, who has no direct access to patients or the records of their health care. Under this surveillance system, the information manufacturers are required to report to FDA can be complete and reliable only if health care professionals and institutions voluntarily elect to contact the manufacturer regarding a patient's experience with the product.76 Maintaining the integrity of this monitoring system is essential to permit FDA to oversee issues that may arise in connection with the safe and effective use of a drug in the general population, among patients who are extremely diverse in their health needs and whose providers may or may not have access to comprehensive information regarding the patient that could affect the appropriateness of a particular drug product selection. The proposed regulation fails to specifically authorize these voluntary reports to manufacturers.

In establishing surveillance mechanisms for tracking the post-marketing safety and efficacy of their products, most manufacturers collect some information through their professional services support lines, as discussed above. Some, but not all of the inquiries they receive may pertain to an unexpected patient reaction or interaction with another drug or disease that would be a reportable event for purposes of the FDA requirements. Some of these reports come through patient assistance lines or other communications directly from patients. For other products, it may be important for a manufacturer to be proactive in reaching out to the provider community to collect information regarding experience with approved products.

One of the most useful mechanisms for this purpose is a patient registry.77 The use of registries is essential because the manufacturer has no way to control for the way that provider and patient psychology affects the voluntary reporting of adverse events. That is, reactions that are dramatic and relatively rare – seizures, high fever, organ failure – are likely to be reported, while reactions that are familiar – minor rash, nausea, or irritability – are less likely to be reported.78 As a result, the voluntary reporting mechanism tends to under-estimate the frequency of some potential problems and over-estimate the frequency of others. Yet any reaction, frequent or infrequent, may be part of a pattern indicating a "serious" issue that the manufacturer will need to investigate further.

In the preamble, the Secretary acknowledges the importance of registries and of safety and efficacy monitoring in which reports are made to "non-government entities."79 However, the examples cited are medical device registries and cancer registries. Perhaps the limited focus on these examples has created the distortion in the proposed regulation that limits reporting to what is required by public health authorities. For biotechnology products, it is unusual for FDA to require that a registry to be established or to provide specific authority under which the manufacturer can require users of its product to keep track of specific patients. For pharmaceutical and biological products, many registries more nearly resemble an added outreach component of the post-marketing safety and efficacy surveillance required of the manufacturer under federal law. In one of the simplest models, the registry80 is established and its existence made known in professional circles, and it then receives and analyzes voluntary reports from health care professionals. The only legal "authority" for the manufacturer to collect this information is pursuant to its obligations as a license holder under the FFDCA to report to the FDA adverse events of which it becomes aware.

By comparison, the proposed regulation states that—

A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to . . . [a] person or entity other than a governmental authority that can demonstrate or demonstrates that it is acting to comply with requirements or direction of a public health authority.81

This provision seems to contemplate the interaction between a covered entity and a contractor retained by a public health department to survey providers about reportable incidents, but the regulation fails to accommodate providers' voluntary reports to the manufacturers of pharmaceutical and biological products. A physician may infer, based on the product labeling, what entity is the FDA-registered manufacturer, but there would be no occasion for anyone to "demonstrate" to the doctor on the telephone that the manufacturer's employee is answering the phone "to comply with requirements or direction of a public health authority," as required by the draft regulation.82

BIO recommends that § 164.510(b) be amended to accommodate the public interest in ensuring that providers continue to make voluntary reports to manufacturers regarding use or exposure to prescription products, by permitting such reports to the person identified in the labeling of a prescription drug or biological product as the manufacturer registered with the Federal Food and Drug Administration to distribute the product.

4. Provide for smooth phase-in of the effective date to prevent disruption of ongoing research.

Because the proposed regulations add to and/or modify existing federal and state laws that apply to research under the Common Rule, the new rule should establish a phase in requirement that prevents disruption of ongoing research projects monitored by an IRB. The Secretary should not add to the burden on IRBs by requiring them to re-evaluate the informed consent documents or waivers granted for a project that is already in progress as of the effective date of the regulations. The Secretary should clarify that nothing in § 164.524 shall require modification of any research approved and under the supervision of an Institutional Review Board as of the effective date of the regulation. Specific language is proposed in the Attachment as an amendment to § 164.524.

5. Mitigate the disincentives HIPAA creates for covered entities to be involved in research and other public interest activities that depend on medical information.

Covered entities should be able to use or disclose protected health information pursuant to all § 164.510 activities in good faith reliance on credible representations that the regulation's requirements have been met. As discussed in Part I of these comments, the proposed rule requires that health plans and health care providers comply with strict documentation requirements before disclosing protected health information for any purpose other than treatment, payment, or health care operations. This requirement encompasses disclosures pursuant to § 164.510 that are necessary to enable various activities that are in the public interest and that depend on medical information, including information from health care encounters. If a covered entity fails to meet even a single one of the specific and technical requirements of § 164.510, the entity's disclosures are unlawful. Given the serious penalties and the various enforcement mechanisms available under HIPAA, the regulation creates disincentives for covered entities to engage in research, to make public health reports, and to participate in the purely voluntary activities underlying the other permitted disclosures under § 164.510.

As recognized in the preamble, the permitted uses and disclosures included in § 164.510 support critical public health priorities and help to enable the U.S. health care system to function efficiently and effectively.83 "Because the activities are so important to the population as a whole," the Secretary decided to allow covered entities to use or disclose information pursuant to these activities, even when the disclosures are not legally required.84

Under the proposed regulation, many of these important permissive disclosures will be unlawful unless the covered entity obtains documentation meeting certain criteria and verifies the authority of the individual requesting the information. As drafted, the proposed rule creates ambiguity about the covered entity's liability when making permissive disclosures. Under § 164.510, the covered entity must comply with any applicable verification requirements under § 164.518(c). This latter section requires the entity to establish and implement complex procedures for verification, but permits the entity to "reasonably rely" upon documentation that facially conforms to the verification requirements. Yet § 164.510, by contrast, permits the covered entity to act in reasonable reliance only when disclosing information in emergency circumstances. It appears that all other disclosures must be literally and technically correct, and good faith is no defense. If, for example, an entity makes a non-emergency § 164.510 disclosure in reliance upon defective documentation of IRB waiver of authorization, the entity may face civil and criminal penalties for a violation of HIPAA.85

BIO recommends that the regulation be modified to create the presumption that an entity that acts in good faith to meet the verification requirements of § 164.518(c) is in compliance with the disclosure standards of § 164.510(a). Specific language is provided in the Attachment as an amendment to § 164.510.

Conclusion

BIO appreciates the opportunity to make these comments. It is extremely important for patients' medical privacy to be protected and for federal rules to establish a uniform and transparent set of expectations about rights and obligations with respect to uses and disclosures of medical information. It also is important to ensure that the public interest in medical innovations and safe and effective therapies is not sacrificed to this endeavor. BIO believes that our amendments offer a way to modify the Secretary’s chosen approach that serves both objectives yet remains consistent with Congressional intent and the regulatory authority established under HIPAA.

Sincerely,

 

Michael J. Werner, Esq.
Bioethics Counsel

 

 

Attachment
(Proposed additions to the regulation showing in bold, double-underlined text;
proposed deletions shown in strikethrough text)86

45 C.F.R. §160.102: Proposed amendments relating to "component entities"

§ 160.102 Applicability.

Except as otherwise provided, the standards, requirements, and implementation specifications adopted or designated under the parts of this subchapter apply to any entity that is:

(a) A health plan;

(b) A health care clearinghouse; and

(c) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

With respect to any entity that has a component licensed as a health plan or health care provider under the applicable laws of any state, the standards, requirements, and implementation specifications of this subchapter shall apply solely to the component of the entity that engages in the transactions specified in §164.104, regardless of whether such component is separately incorporated or operated as a discrete business unit.

 

§164.504 Definitions: Proposed amendments relating to public health activities

Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe that is responsible for public health matters as part of its official mandate, or an agency or authority of a foreign government or international body that is responsible for public health matters.

45 C.F.R. §164.506 – Proposed amendments relating to research governed by the Common Rule.

§ 164.506 Uses and disclosures of protected health information: general rules.

(a) Standard. A covered entity may not use or disclose an individual’s protected health information, except as otherwise permitted or required by this part or as required to comply with applicable requirements of this subchapter.

(1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:

(i) Except for research information unrelated to treatment, to To carry out treatment, payment, or health care operations;

(ii) Pursuant to an authorization by the individual that complies with § 164.508;

(iii) For research that has been approved by Institutional Review Board established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 28 CFR 46.107.32, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107.45 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or

(iii) (iv) As permitted by and in compliance with this section or § 164.510.

(2) Required disclosures. A covered entity is required to disclose protected health information:

(i) To an individual, when a request is made under § 164.514; or

(ii) When required by the Secretary under § 164.522 to investigate or determine the entity’s compliance with this part.

 

45 C.F.R. §164.506 (b)(1) – Proposed amendments related to compliance with safeguards.

(b)(1) Standard: compliance with safeguards. minimum necessary. A covered entity must make all reasonable efforts to make all disclosures in compliance with the safeguards established under § 164.518. not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure. This requirement does not apply to uses or disclosures that are:

(i) [remainder of section moved to §  164.518(c)(5)]

 

45 C.F.R. §164.506(d) – Proposed amendments relating to de-identification.

(d)(1) Standard: use or disclosure of de-identified protected health information. The requirements of this subpart do not apply to protected health information that a covered entity has been de-identified, provided, however, that:

(i) Disclosure of a key or other device designed to enable coded or otherwise de-identified information to be re-identified to an entity that has access to the corresponding de-identified information constitutes disclosure of protected health information;

and (ii) A covered entity may use or disclose protected health information for the purpose of de-identifying the information, provided that the covered entity requires the entity de-identifying the protected health information to return the protected health information and any unique key created for de-identifying the information, and provided that the covered entity prohibits such entity from subsequently re-identifying the de-identified information;

(ii)(iii) A covered entity may not disclose de-identified information to any person that it has reason to believe may use the information, alone or in combination with other information, to identify an individual; and

(iv) If a covered entity re-identifies de-identified information, it may use or disclose such re-identified information only in accordance with this subpart.

(2) Implementation specifications. (i) A covered entity may use or disclose protected health information to create de-identified information by removing, coding, encrypting, or otherwise eliminating or concealing the information that makes such information individually identifiable.

(ii) Information is presumed not to be individually identifiable (de-identified), if identifiers that would readily permit the intended recipient to identify an individual who is the subject of the protected health information (A) The following identifiers have been removed or otherwise concealed:.

(A) For purposes of this section, "identifiers" means data elements that are routinely used to retrieve information about specific individuals in databases or record sets that are available, with or without payment of a fee, to entities other than those who create or maintain the database or record set. Such identifiers include:

(1) Name;

(2)Street address; (2) Address, including street address, city, county, zip code, and equivalent geocodes;

(3) Names of relatives;

(4) Names of employers;

(3) Birth date;

(3) Telephone numbers;

(4) Fax numbers;

(5) Electronic mail addresses;

(6) Social security number, whether labeled as such or used as a proxy for another number;

(7) Medical record number;
(8)Drivers' license number;

(9)Voter registration number;

(11) Health plan beneficiary number;

(12) Account number;

(13) Certificate/license number;

(14) Any vehicle or other device serial number
(10) Motor vehicle registration number;

(11) Full face or profile photographs used for identification purposes;

(12) Web Universal Resource Locator (URL);

(13) Internet Protocol (IP) address number;

(17) Finger or voice prints;

(18) Photographic images; and

(14) Any other unique identifying number, characteristic, or code that the Secretary may specify by regulation covered entity has reason to believe may be available to an anticipated recipient of the information; and

(B) The covered entity has no reason to believe that any anticipated recipient of such information could use the information, alone or in combination with other information, to identify an individual.

(iii) Notwithstanding paragraph (d)(2)(ii) of this section, entities with appropriate statistical experience and expertise may treat information as de-identified, if they include information listed in paragraph (d)(2)(ii) of this section and they determine that the probability of identifying individuals with such identifying information retained is very low, or may remove additional information, if they have a reasonable basis to believe such additional information could be used to identify an individual.

 

45 C.F.R. § 164.508: Proposed amendments relating to "research information unrelated to treatment"; conforming amendments relating to authorization for research.

§ 164.508 Uses and disclosures for which individual authorization is required.

(a) Standard. An authorization executed in accordance with this section is required in order for the covered entity to use or disclose protected health information in the following situations:

(1) Request by individual. Where the individual requests the covered entity to use or disclose the information.

(2) Request by covered entity. (i) Where the covered entity requests the individual to authorize the use or disclosure of the information. The covered entity must request and obtain an authorization from the individual for all uses and disclosures that are not:

(A) Except as provided in paragraph (a)(3) of this section, compatible with or directly related to treatment, payment, or health care operations;

(B) Covered by § 164.506(a)(iii);

(C) Covered by § 164.510;

(C) (D)Covered by paragraph (a)(1) of this section; or

(D) (E)Required by this subpart.

(ii) Uses and disclosures of protected health information for which individual authorization is required include, but are not limited to, the following:

(A) Use for marketing of health and non-health items and services by the covered entity;

(B) Disclosure by sale, rental, or barter;

(C) Use and disclosure to non-health related divisions of the covered entity, e.g., for use in marketing life or casualty insurance or banking services;

(D) Disclosure, prior to an individual’s enrollment in a health plan, to the health plan or health care provider for making eligibility or enrollment determinations relating to the individual or for underwriting or risk rating determinations;

(E) Disclosure to an employer for use in employment determinations; and

(F) Use or disclosure for fundraising purposes.

(iii) A covered entity may not condition the provision to an individual of treatment or payment on the provision by the individual of a requested authorization for use or disclosure, except where the authorization is requested in connection with a clinical trial.

(iv) Except where required by law, a covered entity may not require an individual to sign an authorization for use or disclosure of protected health information for treatment, payment, or health care operations purposes.

(3) Authorization required: special cases. (i) Except as otherwise required by this subpart or permitted under § 164.510, a covered entity must obtain the authorization of the individual for the use following uses and disclosures of protected health information about the individual:

(A) Use by a person other than the creator, or disclosure, of psychotherapy notes; and.

(B) Use or disclosure of research information unrelated to treatment.

(ii) The requirements of paragraphs (b) through (e) of this section apply to such authorizations, as appropriate.

(iii) A covered entity may not condition treatment, enrollment in a health plan, or payment on a requirement that the individual authorize use or disclosure of research information unrelated to treatment or psychotherapy notes relating to the individual.

(iv) For purposes of this section :

(A) P psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. For purposes of this definition, "psychotherapy notes" excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.

(B) Research information unrelated to treatment means health information that is received or created by a covered entity in the course of conducting research, for which there is insufficient scientific and medical evidence regarding the validity or utility of the information such that it should not be used for the purpose of providing health care, and with respect to which the covered entity has not requested payment from a third party payor.

(b) General implementation specifications for authorizations. (1) General requirements. A copy of the model form which appears in Appendix A hereto, or a document that contains the elements listed in paragraphs (c) or (d) of this section, as applicable, must be accepted by the covered entity.

(2) Defective authorizations. There is no "authorization" within the meaning of this section, if the submitted form has any of the following defects:

(i) The expiration date has passed;

(ii) The form has not been filled out completely;

(iii) The authorization is known by the covered entity to have been revoked;

(iv) The form lacks an element required by paragraph (c) or (d) of this section, as applicable;

(v) The information on the form is known by the covered entity to be false.

(3) Compound authorizations. Except where authorization is requested in connection with a clinical trial, an An authorization for use or disclosure of protected health information for purposes other than treatment or payment may not be in the same document as an authorization for or consent to treatment or payment.

(c) Implementation specifications for authorizations requested by an individual. (1) Required elements. Before a covered entity may use or disclose protected health information of an individual pursuant to a request from the individual, it must obtain a completed authorization for use or disclosure executed by the individual that contains at least the following elements:

(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

(ii) The name of the covered entity, or class of entities or persons, authorized to make the requested use or disclosure;

(iii) The name or other specific identification of the person(s) or entity(ies), which may include the covered entity itself, to whom the covered entity may make the requested use or disclosure;

(iv) An expiration date;

(v) Signature and date;

(vi) If the authorization is executed by a legal representative or other person authorized to act for the individual, a description of his or her authority to act or relationship to the individual;

(vii) A statement in which the individual acknowledges that he or she has the right to revoke the authorization, except to the extent that information has already been released under the authorization; and

(viii) A statement in which the individual acknowledges that information used or disclosed to any entity other than a health plan or health care provider may no longer be protected by the federal privacy law.

(2) Plain language requirement. The model form at Appendix A to this subpart may be used. If the model form at Appendix A to this subpart is not used, the authorization form must be written in plain language.

(d) Implementation specifications for authorizations for uses and disclosures requested by covered entities. (1) Required elements. Before a covered entity may use or disclose protected health information of an individual pursuant to a request that it has made, it must obtain a completed authorization for use or disclosure executed by the individual that meets the requirements of paragraph (c) of this section and contains the following additional elements:

(i) Except where the authorization is requested for a clinical trial, a A statement that it will not condition treatment or payment on the individual’s providing authorization for the requested use or disclosure;

(ii) A description of the purpose(s) of the requested use or disclosure;

(iii) A statement that the individual may:

(A) Inspect or copy the protected health information to be used or disclosed as provided in § 164.514; and

(B) Refuse to sign the authorization; and

(iv) Where use or disclosure of the requested information will result in financial gain to the entity, a statement that such gain will result.

(2) Required procedures. In requesting authorization from an individual under this paragraph, a covered entity must:

(i) Have procedures designed to enable it to request only the minimum amount of protected health information necessary to accomplish the purpose for which the request is made; and

(ii) Provide the individual with a copy of the executed authorization.

(e) Revocation of authorizations. An individual may revoke an authorization to use or disclose his or her protected health information at any time, except to the extent that the covered entity has taken action in reliance thereon.

 

45 C.F.R. §164.510: Proposed amendments to permit covered entities to participate in public interest activities in good faith reliance on their efforts to comply with the regulations.

§ 164.510 Uses and disclosures for which individual authorization is not required.

A covered entity may use or disclose protected health information, for purposes other than treatment, payment, or health care operations, without the authorization of the individual, in the situations covered by this section and subject to the applicable requirements provided for by this section.

(a)(1) Verification. (i) A covered entity must comply with any applicable verification requirements under § 164.518(c).

(ii) A use or disclosure of protected health information for purposes of this subsection is presumed to be in compliance with the requirements of this subsection if the covered entity acts in good faith.

 

§164.510(b): Proposed amendments relating to post-marketing surveillance of safety and efficacy; product support services; related definition

(b) Disclosures and uses for public health activities. (1) Permitted disclosures. A covered entity may use protected health information to prepare reports or disclose protected health information for the public health activities and purposes described in this paragraph to:

(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions;

(ii) A public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect;

(iii) A person or entity other than a governmental authority that can demonstrate or demonstrates that it is acting to comply with requirements or direction of a public health authority; or

(iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition and is authorized by law to be notified as necessary in the conduct of a public health intervention or investigation; or

(v) A person identified in the labeling of a prescription drug, biological product, or medical device as the manufacturer registered with the Federal Food and Drug Administration to distribute the product, in connection with post-marketing safety and efficacy surveillance, or for the entity to obtain information about the product and its use.

(2) Permitted use. Where the covered entity also is a public health authority, the covered entity is permitted to use protected health information in all cases in which it is permitted to disclose such information for public health activities under paragraph (b)(1) of this section.

 

164.510(j)(1) : Proposed amendments relating to waiver of authorization.

(j) Uses and disclosures for research purposes. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that, the covered entity has obtained written documentation of the following:

(1) Waiver of authorization. A waiver, in whole or in part, of authorization for use or disclosure of protected health information that has been approved by either:

(i) An Institutional Review Board, established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 28 CFR 46.107.32, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107.45 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or

(ii) A privacy board that:

(A) Has members with varying backgrounds and appropriate professional competency as necessary to review the research protocol;

(B) Includes at least one member who is not affiliated with the entity conducting the research or related to a person who is affiliated with such entity; and

(C) Does not have any member participating in a review of any project in which the member has a direct conflict of interest, or

(iii) the privacy official of the covered entity.

(2) Date of approval. The date of approval of the waiver, in whole or in part, of authorization by an Institutional Review Board or privacy board.

(3) Criteria. The Institutional Review Board or privacy board or official has determined that the waiver, in whole or in part, of authorization satisfies the following criteria:

(i) The use or disclosure of information to be used or disclosed is limited to protected health information involves no more than minimal risk to the subjects; created or maintained by the covered entity in the ordinary course of treatment, payment or health care operations;

(ii) The waiver will not adversely affect the rights and welfare of the subjects;

(ii) The purpose of the proposed project meets the definition of research in § 164.504;

(iv) (iii) The research could not practicably be conducted without the waiver;

(iv) Whenever appropriate, the subjects will be provided with additional pertinent information after participation;

(v) (iv) The research could not practicably be conducted without access to and use of the protected health information;

(vi) The research is of sufficient importance so as to outweigh the intrusion of the privacy of the individual whose information is subject to the disclosure;

(vii)(v) There is an adequate plan to protect the identifiers from improper use and disclosure;

and

(viii)(vi) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers; and

(vii) Use or disclosure of the protected health information involves no more than minimal risk to the privacy of individuals whose information is subject to the use or disclosure..

(4) Required signature. The written documentation must be signed by the chair of, as applicable, the Institutional Review Board or the privacy board or the privacy official.

Proposed 45 C.F.R. § 164.518(c)(5): Proposed Amendments relating to Administrative Requirements.

(5) Implementation specification: minimum necessary. A covered entity must have policies and procedures to provide for the use or disclosure of the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure. This requirement does not apply to uses or disclosures that are:

(i) Made in accordance with §§164.508(a)(1), 164.514, or §164.522;

(ii) Permitted under §164.510;

(iii) Made to a health care provider for treatment purposes;

(iv) Required for compliance with applicable requirements of this subchapter; or

(v) Made by a health care provider to a health plan, when the information is requested for audit and related purposes.

 

Proposed 45 C.F.R. § 164.524: Amendments relating to phase in of effective date for research approved by an IRB established under the Common Rule.

A covered entity must be in compliance with this subpart not later than 24 months following the effective date of this rule, except that a covered entity that is a small health plan must be in compliance with this subpart not later than 36 months following the effective date of the rule. Nothing in this section shall require modification of any research approved and under the supervision of an Institutional Review Board as of the effective data established under this section.

 


Notes:

1. The proposed regulation was published by the Secretary of Health and Human Services (hereinafter, "the Secretary") in the Federal Register on November 3, 1999 (hereinafter "proposed rule or regulation"). Department of Health and Human Services, Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59,918 (Nov. 3, 1999) (to be codified at 45 C.F.R. pts. 160-164) ("NPRM").

2. The Secretary acknowledges in the preamble that the public has a strong interest in the development of promising new drugs and treatments for people with serious diseases. See e.g., 64 Fed. Reg. at 59,967.

3. Pub. L. No. 104-191 (Aug. 21, 1996) (amending the Social Security Act ("SSA") by adding Part C of Title XI, codified at 42 U.S.C. §§ 1320d et seq.).

4. See SSA § 1173(a)(2) (codified at 42 U.S.C. § 1320d-2(a)).

5. See 64 Fed. Reg. at 59928-59929.

6. BIO would prefer elements of Mr. Greenwood's bill and the bipartisan compromise developed in the Senate mark-up of medical privacy legislation by Mr. Kennedy and Mr. Frist. These elements will be used in suggesting improvements to the proposed regulation in the following section.

7. Because of the puzzling disparity between some of the statements in the preamble and the legal requirements established under the proposed regulations, it is possible that this impact was not intended, but resulted from the tight time frame that may have prevented the Secretary from more fully considering the research implications of the proposed regulation. BIO regards the modifications it offers here as essential if the proposed regulation is not to become a serious impediment to biomedical research and medical innovation.

8. HIPAA §261 et seq.

9. See e.g., HIPAA § 261: "It is the purpose of this subtitle to improve the . . . efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information."

10. As observed in the NPRM: "In section 262, Congress recognized and sought to facilitate the efficiencies and cost savings for the health care industry that the increasing use of electronic technology affords." 64 Fed. Reg. at 59,920.

11. The federal regulatory framework for the protection of human research subjects is known as the Common Rule. It has been codified, in some cases with slight modifications, by 17 different federal agencies at 7 C.F.R. Part 1c; 10 C.F.R. Part 745; 14 C.F.R. Part 1230; 15 C.F.R. Part 27; 16 C.F.R. Part 1028; 21 C.F.R. Part 56; 22 C.F.R. Part 225; 28 C.F.R. Part 46; 32 C.F.R. Part 219; 34 C.F.R. Part 97; 38 C.F.R. Part 16; 40 C.F.R. Part 26.; 45 C.F.R. Part 46; 45 C.F.R. Part 690; and 49 C.F.R. Part 11. See 56 Fed. Reg. 28002 (June 18, 1991), implementing Pub. L. 95-622, 92 Stat. 3412, Title III, Section 301 (Nov. 9, 1978). The NPRM states that "Current human subjects rules impose no substantive restrictions on disclosure of patient information." 64 Fed. Reg. at 60,014. This is somewhat misleading, since federal law in the form of the Common Rule makes substantive requirements of state laws restricting the disclosure of information applicable to research. Under existing federal law, Institutional Review Boards are required to apply state laws in reviewing informed consent documents and occasionally granting waivers of the existing federal requirement that informed consent be obtained for all research. 45 C.F.R. § 46.116(e). The Common Rule applies to all research involving human subjects conducted, supported, or otherwise subject to regulation by any federal department or agency which takes appropriate administrative action to make the policy applicable to such research. 45 C.F.R. § 46.101(a).

12. See SSA §§ 1176 (42 U.S.C. § 1320d-5) and 1177 (42 U.S.C. § 1320d-6).

13. Proposed 45 C.F.R. § 164.522(b).

14. See proposed 45 C.F.R. § 164.506(e)(1) and § 164.506(e)(2)(ii)(A), requiring that covered entities enter into contracts with their business partners and requiring that such contracts grant third party beneficiary status to individuals whose protected health information is disclosed under the contracts.

15. As discussed below, the cumbersome requirements to be met for creating "de-identified information" make this option virtually useless for research purposes.

16. There are signs that such a result may already be occurring in the state of Minnesota as a result of the requirements imposed by its medical privacy laws on research activities. See Association of American Medical Colleges, "Confidentiality of Medical Records - AAMC Report on the Minnesota Experience" (1999 Issue Brief) at pp. 4-7. [http://www.aamc.org/advocacy/issues/research/minrepot.htm]

17. See 64 Fed. Reg. at 59,943.

18. Id.

19. See 64 Fed. Reg. at 59,925.

20. Proposed 45 C.F.R. § 164.506(b)(1).

21. Id. at § 164.506(b)(2)(ii).

22. See SSA §1177(a) (42 U.S.C. § 1320d-6) (making penalties applicable to a "person who knowingly and in violation of this part uses . . ." a unique health identifier, obtains or discloses individually identifiable health information). Much of the adverse impact of the proposed regulation's detailed and yet ambiguous requirements may be attributed to the litigation that is likely to be required to interpret and apply this standard to specific uses of data.

23 The minimum necessary standard applies to all uses and disclosures of protected health information, even with respect to a physician's treatment decisions and research conducted with patient authorization - circumstances in which the public interest in informed decision-making argues for using other means to protect privacy. See §164.506(b)(1)(i).

24. See Institute of Medicine, "To Err is Human: Building a Safer Health System," (1999) at 153 ("IOM Report").

25. Proposed 45 C.F.R. § 164.506(b)(2)(iii) ("Within the limits of the entity's technological capabilities, provide for the making of [minimum necessary] determinations individually.")

26. 64 Fed. Reg. at 59,944.

27. Traditionally, it has been unusual for a biotechnology company to have its own IRB or board of the type required by the proposed regulations. The Common Rule provides for review of research protocols by local IRBs to ensure that the values, laws and expectations of the community govern the IRB's deliberations. The research conducted by biotechnology companies is almost always done in collaboration with academic medical centers or specialty hospitals, whose IRBs provide the requisite review.

28. See 45 C.F.R. § 46.114. Local IRBs retain the right to review and approve protocols and model consent documents in a cooperative clinical trial.

29. See 64 Fed. Reg. at 59,946.

30. Id. at 59,947.

31. Id. at 59,935 (emphasis added).

32. Proposed 45 C.F.R. § 164.506(d)(2)(i).

33. For example, one item on the list is "photographic images." Id. at § 164.506(d)(2)(ii)(A)(18). There is no definition of "photographic image," but presumably this would include photographs of wounds, scars, rashes and other such images in the medical record; because the proposed regulation does not state a rationale for including such a broadly worded term in its list of identifiers, it might also include prints of X-rays, and various more sophisticated scanning images. Another listed identifier is birth date. Id. at § 164.506(d)(2)(ii)(A)(5). There would be serious questions about the validity of virtually any biomedical or epidemiologic study that failed to specify the age of the subjects, and age expressed in years is not always an acceptable substitute for date of birth.

34. Id. at § 164.506(d)(2)(ii)(A)(19).

35. Id. at § 164.506(d)(2)(ii)(B).

36. Id. at § 164.506(d)(2)(iii).

37. Id. at §164.506(d)(2)(iii). As drafted, BIO believes that the statistical expertise must be "in-house" rather than the expertise of a paid contractors, because the proposed regulation states that it applies to information that the covered entity has de-identified. Id. at §164.506(d)(1). Moreover, under the regulation, all uses and disclosures that are not affirmatively authorized are prohibited; "use" and "disclosure" are defined in such a way as to distinguish activities "within" from activities "outside" the entity, and the specification states only that the covered entity may use information to create de-identified information (as compared to authority to use or disclose information for treatment, payment and health care operations). Id. at §164.506(d)(2)(i).

38. 64 Fed. Reg. at 59,924 ("Under section 1172(a) of the Act, the provisions of this proposed rule apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (the "covered entities").

39. See HIPAA § 264(c)(1).

40. 64 Fed. Reg. at 59,967.

41. This conclusion is based on the assumption that the research does not involve the transmission of information in connection with the enumerated transactions in SSA § 1173(a) (42 U.S.C. § 1320d-2(a)(2)).

42. 64 Fed. Reg. at 59,971.

43. "Medical Information Protection and Research Enhancement Act of 1999," H.R. 2470, 106th Cong. (1999) (introduced by Rep. Greenwood (R-PA)); see also "Health Care Personal Information Nondisclosure Act of 1999," S. 578, 106th Cong. (1999) (introduced by Sen. Jeffords (R-VT)).

44. Proposed 45 C.F.R. § 164.508(b)(2). There is no provision for waiver of any of these elements by an Institutional Review Board that is responsible for approving the research protocol and informed consent documents.

45. Id. at § 164.508(c)(viii).

46. Human subject research used to support FDA approval of new drugs, biologics, devices or diagnostics is subject to the Common Rule, even if such research is conducted wholly with private funds. Under the Common Rule, the required elements of informed consent include, among other things, notice of the consequences of a subject's decision to withdraw from the research and procedures for orderly termination of participation (45 C.F.R. § 46.116(b)(4)), and a statement describing the extent to which confidentiality of medical records identifying the subject will be maintained. Id. at § 46.116(a)(5).

47.Proposed 45 C.F.R. § 164.508(c)(iv).

48. 64 Fed. Reg. at 59,953.

49. The specific changes in the proposed regulation necessary to implement these recommendations are shown in the Attachment as modifications to §164.506(a), and conforming deletions from §164.508. The amendment to §164.506 addresses the relation between the medical privacy regulations and all research under the Common Rule, whether pursuant to patient authorization or waiver of authorization as discussed below.

50. BIO prefers the approach taken by Representative Greenwood in his medical privacy legislation, and by Senators Kennedy and Frist in their compromise research provisions in the Senate mark-up of medical confidentiality legislation. It is not necessary to undermine the protections in place under the Common Rule to address the impediments to other research that result from the broad prohibitions established under the Secretary's regulations.

51. Indeed, if the Secretary intended to create a waiver for this purpose, we would argue that as an explicit new approval process for research, it exceeds her authority under HIPAA.

52. Where the IRB is sponsored by a covered entity, the covered entity arguably is responsible for ensuring that its IRB complies with applicable law, whether the Common Rule or the medical privacy regulations. Currently, non-compliance with the Common Rule is subject to penalties in accord with the applicable federal agency's enforcement mechanisms. For purposes of the privacy regulation, it would be reasonable to argue that a covered entity knew or should have known that documentation authorizing its disclosure under a waiver of individual authorization by its own IRB was defective. The Secretary's privacy regulations, therefore, would have the presumably unintended effect of penalizing covered entities that require review and documentation from their own boards rather than documentation by external privacy boards or the IRBs of a covered entity other than the one relying on the documentation.

53. As noted above, the proposed amendment to §164.506 eliminates the proposed regulation's modification of the Common Rule requirements. The amendments to §164.510(j) address waivers by the new privacy boards.

54. Under the proposed regulations, the privacy officer is responsible for developing and implementing the covered entity's privacy policies. In view of the entity's legal liability for non-compliance with the privacy regulation, the privacy officer will arguably be motivated to strictly scrutinize proposals by researchers for gaining access to the entity's patient information.

55. Proposed 45 C.F.R. § 164.508(a)(3)(iv)(B). The creation of this category of information and its exclusion from the permitted use and disclosure of health information for purposes of treatment, payment, and health care operations has caused much confusion and anxiety on the part of researchers and health care providers. Providers anticipate daily struggles in deciding whether information resulting from participation in a research protocol should be included in a patient's medical record (in case such information becomes critical to a patient's treatment at a later date) or whether such information should be excluded from the medical record to avoid civil and criminal penalties.

56. It is important to note that the category of information at issue here is a subset of the information available to the physician tending to the patient/trial participant's medical needs; it is not the same as the information that is in the files of the researcher. The case report forms prepared for a sponsor of a multicenter research project, for example, are likely a subset of the information regarding a specific patient's care that is maintained at the trial site.

57. If this is true, this requirement would undermine the audit and inspection mechanisms that FDA uses to verify the data used in clinical trials. We understand that it is standard practice for a clinical site to prepare the sponsor's case report forms using their own records of patient care. Thus, in an audit, a sponsor's case report forms are presumed to be a subset of the clinical site's more comprehensive patient care records. This would not be true after implementation of this requirement.

58. Moreover, much health services research is designed to collect evidence to support use of treatment protocols and critical care pathways as valid guides for delivering health care; virtually all of the "real-life" comparisons of health services delivery appear to fit within this category. Indeed, some have argued that the activities of managed care plans and hospitals that implement evidence-based medicine by establishing critical care pathways and collecting information on patient outcomes, may be affected by the proposed regulation's requirement that patient authorization be obtained for every use and disclosure of this category of information. In effect, any health care entity that also is engaged in health services delivery research may not be able to rely on the regulatory authorization that it may use patient information for treatment and health care operations. The intent of this provision is ambiguous, but it almost certainly could be achieved without this provision's effect of establishing additional legal disincentives for hospitals and managed care entities to engage in research.

59. See 64 Fed. Reg. 59,942.

60. Consistent with applicable state laws regarding medical records, researchers, physicians, and individuals are free to ensure that the results of genetic tests that are performed for any purpose are not included in the record of care that is made available to other providers and health plans. There is nothing unique about the research situation that would warrant the creation of this new category of information and establish special rules.

61. See id.

62. See § 312.34 (1999).

63. See IOM Report, at 1.

64. See id. at 3, 137.

65. See id. at 153,158.

66. For example, some companies may own licensed pharmacies or have units that offer counseling and disease management programs directly to patients or under contracts with health plans.

67. We understand that the regulatory authority established by Congress under HIPAA encompasses those entities that maintain or transmit individually identifiable health information in connection with any of the financial and administrative transactions that are specified in the Social Security Act. See HIPAA §264(c)(1) (defining medical privacy regulations as applicable to the standards for financial and administrative transactions delineated in SSA §1173(a)).

68. 64 Fed. Reg. at 59,951.

69. Id.

70. See SSA §1173(a) (42 U.S.C. §1320d-2).

71. Proposed 45 C.F.R. §163.102.

72. The regulation permits "use" of records for public health activities only where the covered entity also is a public health authority. § 164.510(b)(2).

73. § 164.510(b)(1).

74. 21 C.F.R. part 310, subpart D; Food and Drug Administration, Guidance for Industry. Postmarketing Adverse Experience Reporting for Human Drug and Licensed Biological Products: Clarification of what to report (August 1997).

75. Under the regulations, names, addresses and other direct patient identifiers are not required to be reported to FDA. However, FDA does require the manufacturer to ensure that the event is traceable to an "identifiable patient." 21 C.F.R. part 310, subpart D. There are several underlying policy reasons for this requirement. For example, it is important not to vastly overestimate the scope of the risk to the problem if multiple reports are made about the same individual's experience. Also, in the event that FDA requires the manufacturer to follow up and investigate a series of reported events, it will be necessary for the manufacturer to contact the doctor or provider who reported the event to ask further questions. If such follow up investigation is required, it will be essential for the manufacturer to have a case number or code that will enable the physician to locate the case file and answer the other questions necessary to provide a more complete picture of the product risks.

76. We note that, as discussed above, the Secretary's proposed new category of "research information unrelated to treatment" also would prohibit physicians from making adverse event reports stemming from research uses of products without the specific written authorization of the patient. See also, 64 Fed. Reg. 427, 428 (Jan. 5, 2000) (making certain corrections to the NPRM).

77. A registry would be the appropriate mechanism when long-term outcome or effects of product use is what needs to be studied. A registry also would be an appropriate mechanism when a manufacturer is attempting to collect information on the relative incidence of any observed reactions in the broader population that is using the product.

78. The severity or drama of the observed symptom may have little to do with whether it should be investigated further. It is the company's scientists, who have detailed knowledge of the product's systemic effects, that are in the best position to analyze the pertinent facts in the report in relation to what is already known about the product from the clinical trials and from other reports.

79. 64 Fed. Reg. at 59956-57.

80. The provider is asked to report cases meeting certain criteria and to indicate for whom the product has been prescribed. The patient's identity is not part of the report, but a case number or code is necessary to permit the provider to follow up at a subsequent date when the manufacturer calls to update the case report. Inclusion of relevant medical facts and the code necessary to permit the future communications regarding the same case means that the report to the registry will not be considered "de-identified" information for purpose of the proposed regulation.

81. § 104.510(b)(iii).

82. Of course, under the structure of the regulation, the covered entity that makes an adverse event report to a manufacturer or a registry without such authority could be subject to civil and criminal penalties. This might occur, for example, when there are licensed distributors (as often occurs with multiple source generic drugs), but the original manufacturer retains responsibility under the law for collecting and reporting adverse events, including the collection of reports inadvertently filed with its licensees.

83.64 Fed. Reg. at 59,955.

84. Id.

85. The proposed rule's permitted use and disclosure of protected health information in emergency circumstances provides a useful model that could be applied to § 164.510 in general. Proposed §164.510(k) includes a "presumption of reasonable belief" provision, which states that "[a] covered entity that makes a disclosure pursuant to any of the following provisions in this subsection is presumed to have acted under a reasonable belief, if the disclosure is made in good faith based upon a credible representation by a person with apparent knowledge or authority." Similarly, use or disclosure of information made in good faith based upon credible representations that pertinent requirements have been met should not be subject to HIPAA's penalties for all § 164.510 activities. We note that the preamble states that for disclosures of protected health information for research purposes under 510(j), the required documentation of IRB or privacy board approval would constitute sufficient verification. 64 Fed. Reg. at 59970. However, this principle should be explicitly incorporated into the rule, and should apply to all § 164.510 uses and disclosures.

86. Proposed amendments are in the order they would appear in the regulation as codified by the Department, which differs from the order in which they are discussed in the text of the Comments.