Finally, HHS has recognized that requiring covered entities to track disclosures authorized by an individual and, upon request, provide the individual with a history of such disclosures over the previous six years, imposes an unnecessary and costly administrative burden on academic medical centers and other research partners. Thus, HHS proposes to eliminate the six-year accounting requirement for PHI disclosed pursuant to an individual authorization. This change responds directly to BIO's assertion that the regulation's administrative requirements would have the unintended consequence of making academic medical centers and others reluctant to host sponsored research or incur greater cost in doing so. (However, the tracking requirement has not been eliminated where data are disclosed under a waiver of authorization, or where data are included in reports for public health purposes, including post-marketing surveillance of product safety and efficacy.)
Criteria for Waiver of Authorization for Research Streamlined
BIO's comments emphasized that the regulation's criteria for waiver of research authorization are both confusing and inconsistent with the Common Rule's waiver criteria. The NPRM deletes or modifies several criteria that are duplicative or are impracticable to apply to patient privacy. For example, HHS proposes to eliminate the requirements that an IRB or privacy board determine that the privacy risks to the study participants are reasonable in relation to the anticipated benefits, if any, to the individual and the importance of the knowledge that may reasonably be expected from the research. This provision in the regulation was a major - and particularly objectionable - expansion of the Common Rule.
Should these changes go into effect, the privacy regulation would, as amended by the NPRM, require a finding by the IRB or privacy board that the following criteria have been satisfied to waive or alter the authorization requirements:
the use or disclosure of PHI involves no more than minimal risk to the privacy of individuals based on at least the presence of-
an adequate plan to protect identifiers from improper use and disclosure,
an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research (unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law), and
adequate written assurances that the PHI will not be reused or disclosed to any other person or entity (except as required by law, for oversight of the study, or for other research for which the use or disclosure of PHI would be permitted by the regulation);
the research could not practicably be conducted without the waiver; and
the research could not practicably be conducted without access to and use of the PHI.
In addition, the NPRM clarifies that IRBs and privacy boards may grant waivers of authorization for the specific purpose of disclosing PHI to researchers and sponsors as necessary to contact and recruit potential study participants.
Comments Sought on Safe Harbor For Research Use of Facially De-identified Information
BIO has consistently argued that the regulation's de-identification safe harbor is so stringent as to be useless for many research purposes. The preamble to the NPRM acknowledges this concern. The NPRM slightly modifies the safe harbor and clarifies that age may be expressed in months, days, or hours, and that a re-identification code does not constitute a proscribed identifier the presence of which removes a data set from the safe harbor.
HHS has specifically requested public comment on a proposal (not incorporated in the regulatory text of the NPRM) to create an alternative de-identification standard that would permit uses and disclosures of a "limited data set" of facially de-identified information for research, public health, and health care operations purposes. Under the proposal, which echoes BIO's recommendation that HHS permit the retention of dates and five-digit zip codes for research uses and disclosures, the limited data set could include admission, discharge, and service dates; dates of death; ages (including age 90 or older); and five-digit zip codes. The "de-identified" data could not, however, include names, street addresses, telephone or fax numbers, e-mail addresses, Social Security numbers, certificate/license numbers, vehicle identifiers or serial numbers, URLs or IP addresses, or full face photos or comparable images. Researchers and sponsors who receive limited data sets would be required to enter into data use or similar agreements in which the recipient agrees to limit the use of the data to research purposes, to limit who may use or receive the data, and not to re-identify or contact the individuals to whom the information refers.
HHS specifically requests comments on the feasibility of this alternative de-identification standard and, in particular, on the need to permit the inclusion of other geographic units (e.g., city, county, precinct, neighborhood) and dates of birth as well. It is critical that the regulation's definition of de-identified be changed to be consistent with good research practice. BIO members should take advantage of this opportunity to submit comments in support of HHS's proposal and also to advocate for the inclusion of dates of birth and geographic units other than addresses.