BIO's comments regarding the NPRM that proposes changes to the HIPAA privacy regulation
Comments on Proposed Standards for Privacy of Individually Identifiable Health Information</p>
Robinsue Frohboese, Ph.D.
Acting Director, Office for Civil Rights
U.S. Department of Health and Human Services
Attention: Privacy 2, Room 425A
Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, D.C. 20201
Re: Comments on Proposed Standards for Privacy of
Individually Identifiable Health Information
Dear Dr. Frohboese:
The Biotechnology Industry Organization ("BIO") appreciates the opportunity to submit the following comments concerning the March 27, 2002, notice of proposed rulemaking issued by the Department of Health and Human Services ("HHS" or "Department"), which proposes modifications to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") privacy regulation. 1 BIO represents more than 1,000 biotechnology companies, academic institutions, state biotechnology centers, and related organizations in all fifty states and thirty-three foreign nations. 2 BIO's members conduct and sponsor research designed to discover medicines, diagnostics, and innovative new forms of therapy. Our members provide a home base for researchers who are committed to finding ways to use science to meet unmet medical needs. For most of our members, research is their business; only a handful have products approved for marketing. They are sustained by their prospective patients' hope and faith in their research enterprise, and by Americans' willingness to invest in that hope.
BIO's long-standing role as a proponent of federal safeguards to protect the confidentiality of medical information stems from our members' recognition that (1) the availability of sensitive and detailed medical information about individuals is indispensable for biomedical research, and (2) this availability depends on patients' trust and confidence that researchers will use medical information responsibly and protect it from misuse. BIO's members have long endorsed the principles of respect for the medical privacy of individual patients and strong laws with incentives for all concerned to protect medical information from abuse and unauthorized disclosure. Researchers work hard to maintain the trust and confidence of the patients who make themselves available for research.
Our members also believe, however, that patients are counting on them to pursue vigorously their research objectives. BIO believes that the public interest in the discoveries and findings of research is as strong as the public interest in medical privacy. For this reason, we are pleased with many of the NPRM's proposed modifications and clarifications, which clearly demonstrate HHS's awareness that the privacy regulation as it exists currently will result in substantial harm to biomedical research.
In particular, we wish to express our support for the Department's proposals to:
- standardize and clarify the regulation's authorization requirements and eliminate the distinction between research that involves treatment and research that does not; 3
- simplify the criteria for waiver of authorization by an institutional review board ("IRB") or privacy board and eliminate certain inappropriate and subjective criteria; 4
- clarify the requirements for permissive disclosure of protected health information for public health purposes. 5
- revise the transition provisions for research uses and disclosures to recognize previously obtained expressions of permission, informed consents, and waivers of informed consent pursuant to federal human subject protection regulations; 6 and
- eliminate the accounting requirement for disclosures of protected health information pursuant to authorizations. 7
BIO believes that each of these modifications and clarifications is an important and necessary change, and we urge the Department to finalize these proposals promptly. In the NPRM, HHS has demonstrated concern for protecting the public interest in biomedical research from inappropriate and unnecessary restrictions and administrative requirements. To this end, the remainder of our comments suggest refinements to several of the proposals and propose clarification of others. In addition, we describe why further modifications are necessary to prevent the regulation's accounting standard from undermining the NPRM's improvements with respect to data research and public health activities.
Uses and Disclosures of a Limited Data Set
BIO firmly supports the concept of permitting uses and disclosures of a limited data set for research, public health, and health care operations purposes pursuant to a data use agreement. As noted in our previous comments, the regulation's de-identification safe harbor is unsuitable for the creation of research data sets because the safe harbor requires the removal of dates, five-digit zip codes, and other fields that are critical for many kinds of biomedical research. The alternative method of de-identification-certification by a statistician-likely will be costly and time consuming, if it is possible at all, and many covered entities will not want to assume the potential liability that may arise from supposedly defective certifications. For these reasons, the regulation likely will discourage researchers from using de-identified data and instead encourage them to rely on waivers of authorization by an institutional review board ("IRB") or privacy board. Because these boards generally are or will be associated with or operated by a specific institution or provider, obtaining the multiple waivers required to assemble large data sets is a unwieldy and duplicative process. Moreover, each board may impose its own criteria or restrictions on the data, creating methodological problems that will infect the scientific validity of an analysis of data from multiple sites. In addition, given the potential liability the regulation imposes on covered entities for incorrectly relying on a flawed IRB or privacy board waiver, we believe there may be a reluctance to rely on decisions made by an IRB or privacy board unaffiliated with the covered entity. It is essential, therefore, that there be an alternative method other than waiver of authorization to create data sets for use in data analyses for research, public health, and health care operations purposes.
The Department has requested comments on the possibility of creating a "data use agreement safe harbor" in which a limited data set is made available under a data use agreement that specifies permissible uses and imposes privacy protection obligations on the recipient. BIO believes this concept has great potential to create the appropriate balance between individuals' privacy interests and the public interest in certain kinds of data analysis.
Whether the data use agreement safe harbor will achieve this balance, however, depends on how it is designed. The existing de-identification safe harbor fails to strike a reasonable balance between the public and private interests because it attempts to anticipate all potential misuses of data fields that would be included in the data set. The data use agreement safe harbor can avoid this problem by relying primarily on the legal obligations assumed by the recipient under the data use agreement to protect the confidentiality of the data set. A similar approach is used by the federal government to provide researchers with access to Medicare claims data.
Instead of attempting to demarcate all of the descriptors that are appropriate for inclusion in a limited data set, HHS should establish a data use agreement safe harbor that:
- defines the elements of the data use agreement and limits the permissible uses under such an agreement to research, public health, and health care operations analyses; and
- specifies the set of "direct identifiers" that must be removed to create a data set that may be disclosed pursuant to a data use agreement.
With this approach, the confidentiality obligations assumed by the recipient under the data use agreement guard against the unintended misuse of the data set, while removal of direct identifiers minimizes the chance that the recipient's routine and appropriate use of the data will result in knowledge of the data subject's identity. This approach is consistent with the fact that researchers rarely need access to a subject's direct identity, generally prefer not to know identities out of respect for individuals' privacy, and often use coded identifiers even when they have individuals' authorization to collect and use information for research.
For purposes of creating a limited data set, "direct identifier" should be defined as any of the following information about the subject of protected health information: name, street address, telephone number, fax number, e-mail address, social security number, certificate/license numbers, vehicle identifiers and vehicle serial numbers (including license plate numbers), Web Universe Resource Locators (URLs), Internet Protocol (IP) addresses, and full face photographic images and comparable images. This is essentially the same list discussed by HHS in the preamble to the NPRM.
It is our understanding that this list encompasses all of the identifiers that reasonably may be used to identify a data subject directly in the course of routine, daily use of the data set. Of course, it is possible that HHS may wish to amend the regulation at a future date to take account of new identifiers. For instance, if there will be a unique health identifier or other national identification number, HHS likely would want to add this identifier to the list. If the data use agreement safe harbor is to achieve its purpose, however, the definition of "direct identifiers" must not include any subjective, catch-all criteria, such as the "other unique identifying number, characteristic, or code" criterion included in the existing de-identification standard. 8
With regard to the Department's specific request for comments on geographic codes and date of birth, we offer the following observations. No geographic descriptors more general than street address should be included in the definition of "direct identifier." While five-digit zip codes provide sufficient detail for many protocols, certain studies may require more precise information-such as neighborhood-or a different way of categorizing physical location. For example, a researcher may need to map clusters of cancer cases, or exposure to radiation, by narrow geographic regions. It is simply too difficult to anticipate through regulation what geographical fields may be significant for particular research needs. More importantly, individuals' privacy will be protected primarily by the legal obligations assumed by the recipient under the data use agreement, not by the removal of identifiers. The same is true for health care operations analyses. Health planning activities and benchmarking analyses must reflect the geographical factors relevant to the health planning activity. As with research, the data use agreement-and not the stripping of geographic fields-is what protects the individual.
Dates, including dates of birth, also are critically important for many research activities. The Department has asked whether date of birth is required if precise age may be included in the data set. An approach that permits the inclusion of age but prohibits inclusion of date of birth adds complexity, cost, and potentially inaccuracy to the data set. Health care providers rely on date of birth to ensure that they have the records for the right individual at the point of care. For this reason, dates of birth usually are included in health care records. In addition, health care providers often need to know birth dates (even time of day) for newborns/neonates, where time of events may be measured in minutes or hours. If the safe harbor required date of birth to be converted to age before a record may be disclosed pursuant to a data use agreement, there would be significant additional cost to prepare large data sets used in multi-site research but little or no additional privacy protection. A requirement that each record in a large data set be modified to convert date of birth to age imposes a needless and expensive burden on the covered entity that otherwise might be willing to make data available under the data use agreement safe harbor.
Although dates of birth, onset of illness, admission, service, discharge, and death are the most commonly needed dates in biomedical research, other dates may be critical for some analyses. Instead of presuming what dates might be important, HHS should allow the use and disclosure of all dates for research, public health, and health care operations purposes. The confidentiality obligations imposed on the recipient by the data use agreement mean that the privacy risk to an individual from disclosure of dates which may be in the record is very low.
With these observations in mind, BIO recommends that the Department amend the privacy regulation with the following three provisions to ensure that the balanced purposes of the data use agreement safe harbor are achieved:
Amend § 164.501 to add a new definition:
Direct identifier means any of the following information about the subject of protected health information:
- Street address;
- Telephone number;
- Fax number;
- E-mail address;
- Social security number;
- certificate/license number;
- Vehicle identifier, including vehicle serial number or license plate number;
- Web Universal Resource Locator (URL);
- Internet Protocol (IP) address; and
- Full face photographic images and any comparable images.
Amend § 164.502 to add the following new standard regarding use and disclosure of protected health information:
Standard: uses and disclosures of health information subject to a data use agreement. A covered entity may use and disclose protected health information to remove direct identifiers to create a limited data set for use in research, public health, and health care operations pursuant to a data use agreement in accord with § 164.514..
Amend § 164.514 to add the following new standard and implementation specifications for data use agreements:
- Standard: uses and disclosures of health information subject to a data use agreement. Uses and disclosures of health information pursuant to a data use agreement that meets the requirements of paragraph (2) of this subsection are not uses and disclosures of protected health information for purposes of this part.
Implementation specification: requirements for uses and disclosures of health information subject to a data use agreement. A data use agreement meets the requirements of this section provided that it is in writing and:
- it includes arrangements for removing all direct identifiers from the health information either by a signatory to the data use agreement or by a business associate of the covered entity prior to any other use of the health information under the data use agreement;
a recipient of the health information agrees:
- to limit its use of the health information to data analyses for research, public health or health care operations;
- to limit access to the health information to personnel involved in research, public health or health care operations; and
- not to identify, contact or attempt to identify or contact any individual who may be the subject of any of the health information; and
except as otherwise permitted or required by this subpart, the covered entity does not disclose to a recipient of the health information:
- a direct identifier of an individual to whom the information refers, or
- any key or system that may have been used under § 164.514(c) for assigning code numbers to the health information.
In connection with the preceding amendments, BIO also requests that the Department clarify that disclosures of a limited data set for "research" purposes include disclosures for the creation or maintenance of research databases and repositories. The Department acknowledged in the NPRM the importance of such databases and repositories in research activities, 9 but we are concerned that the regulation's definition of "research"-"a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge" 10 -could be construed so as not to encompass the creation and maintenance of these databases. BIO seeks clarification on this point to facilitate and encourage the inclusion of limited data sets, rather than individually identifiable information, in research databases whenever feasible.
Uses and Disclosures for Which Authorization is Required
The Department's proposal to allow open-ended authorizations for the creation of research databases is important for our members who use certain kinds of patient registries in post-marketing surveillance. The proposal is of little benefit, however, if patients are not permitted to authorize future uses and disclosures of information in the databases at the same time that they authorize inclusion of their information in the databases in perpetuity. The Department suggests in the preamble to the NPRM that two separate authorizations would be required-one, which need not include an expiration date or event, to permit the addition of the protected health information to the database, and a second, which must include an expiration date or event, to allow uses and disclosures of the same information. 11 The second authorization requirement essentially negates the usefulness of HHS's proposal.
BIO believes there is no legal or policy justification for the Department's attempt to distinguish the inclusion of protected health information in a database established for research purposes and the subsequent use or disclosure of that information for those purposes. A person who authorizes for an undefined period of time the inclusion of information about himself in a research database anticipates that the information will be used for research purposes, even well into the future, and, in fact, intends for this to occur. Should this person later decide that he does not want the information to be so used, he need only revoke the authorization. Thus, the second authorization requirement probably would provide little or no additional privacy benefit but assuredly would impose an enormous burden on researchers who, seeking to use data placed in a database years before, must locate the data subjects (assuming they are still alive and mentally competent to give consent) and obtain their authorization to do so. Accordingly, BIO recommends that HHS allow individuals to authorize in a single document the inclusion of protected health information in a research database or repository for an undefined period of time and the subsequent use and disclosure of this information for specific purposes.
Accounting of Disclosures of Protected Health Information
BIO appreciates and supports the Department's proposal to simplify and rationalize the criteria for waiver of authorization by an IRB or privacy board. However, the privacy regulation generally entitles individuals to an accounting of disclosures of protected health information about them, including disclosures pursuant to a waiver of authorization. BIO's members understand that individuals have a justifiable interest in learning when protected health information about them has been disclosed to a third party. This interest must be weighed, however, against the adverse impact the accounting requirement will have on research activities.
For each disclosure of protected health information during the previous six years, a covered entity must account for the date and purpose of the disclosure, the name and address of the recipient, and the kind of information disclosed. 12 These obligations fall most heavily on disclosures for large scale outcomes studies-the studies for which waiver of authorization is most likely to be sought and granted. Such research often requires access to protected health information concerning thousands of individuals. The administrative and financial burden of documenting each disclosure in accordance with the regulation's standard will be staggering. A likely effect of this requirement is that many covered entities will be more reticent to make available their patient records to researchers.
Paradoxically, in making protected health information available under a waiver, the reviewing board must determine and document that the disclosed identifiers are necessary to the research and that provisions are in place to destroy the identifiers at the earliest opportunity consistent with the research. In fact, because of the overly expansive definition of "protected health information," the data made available pursuant to a waiver of authorization may not identify the individual at all. For instance, if records are made available for the purpose of identifying potential clinical trial enrollees, little more than relevant dates and case numbers may be available to the researchers. Yet, covered entities will have to annotate thousands of records as having been disclosed-and likely will have to answer questions from many individuals who received the accounting because their records were reviewed but who were not asked to be in the trial because they did not meet the enrollment criteria. Ultimately, the IRB or privacy board has the power to waive authorization if it finds that the authorization requirements would be difficult or impossible to satisfy, but the regulation's accounting requirement nonetheless will require the covered entity to annotate each individual's record and prepare for future questions about these disclosures.
On balance, BIO believes that the public's interest in the outcomes of large scale studies outweighs the individual's interest in learning whether protected health information has been disclosed to researchers pursuant to a waiver of authorization. In each case, the IRB or privacy board is charged with protecting individuals' privacy interests by making a finding that the disclosure poses "no more than minimal risk" to an individual's privacy. 13 Accordingly, BIO recommends the addition of an exemption from the accounting requirement for disclosures pursuant to a waiver of authorization. 14
Similarly, we believe that the accounting requirement should not apply to disclosures of protected health information pursuant to the regulation's public health provision. 15 BIO's members are concerned that providers will be less likely to contact them voluntarily to ask for follow-up information about events that may or may not be "adverse events." Because disclosure of even the date of service and initials or case number that the Food and Drug Administration ("FDA") requires manufacturers to obtain would constitute a disclosure of protected health information under the regulation, we are concerned that the additional documentation required by the accounting standard-and the questions patients assuredly will ask after receipt of an accounting-will cause providers to establish a higher threshold before taking the time to contact either the manufacturer or FDA. Even an unintentional shift in the threshold for reporting suspect occurrences is detrimental to the public health because it may delay detection of patterns of seemingly minor symptoms which, when viewed in the context of isolated reports of more serious but related events, would warrant prompt investigation by public health authorities. In our view, requiring providers to expend precious time accounting for public health disclosures-as opposed to other disclosures that raise significantly greater privacy concerns-is inefficient means of protecting patient privacy. Thus, BIO suggests that the Department create an exemption for disclosures of protected health information for public health purposes.
Clinical Trial Recruitment Communications as Health Care Operations
Specifically for the purpose of identifying and recruiting possible clinical trial participants, the NPRM discusses a partial waiver of authorization as an alternative to existing provisions of the privacy regulation 16 which permit researchers, under very limited circumstances, to review protected health information without patient authorization in preparation for research. 17 The preparatory review provisions, however, only address the situation where a covered entity makes protected health information available on a very limited basis to an outside researcher. Similarly, the department's partial waiver clarification focuses on disclosures to third party researchers. What these provisions do not address is whether and to what extent a covered provider may use protected health information in its possession, without individual authorization, to identify and communicate directly with appropriate clinical trial candidates.
Recruiting candidates for clinical trials poses a challenge for research sponsors; correspondingly, for would-be study participants, finding an appropriate trial may be a significant challenge. Covered entities, particularly providers, are in a position to bridge this gap by identifying patients who might benefit from an alternative therapy under study and informing these patients of the option of enrolling in a clinical trial. However, it remains unclear whether the privacy regulation permits a covered entity to do so. The use of a partial waiver is not a practical solution in these circumstances because the burden on the covered entity of engaging an IRB or privacy board for each trial would effectively foreclose this routine means of communicating information about the variety of clinical trials available to patients.
Thus, to facilitate recruitment of patients for clinical trials, BIO urges the Department to clarify that using information to identify prospective clinical trial enrollees and notifying individuals directly about clinical trials is a permissible health care operation of a covered entity and is not an impermissible marketing activity. BIO seeks express clarification on this point to dispel further confusion and uncertainty among covered entities who are integral to the study recruitment process. In requesting this clarification, BIO acknowledges that the privacy regulation prohibits disclosure without authorization of patient lists to third parties for commercial purposes; the requested clarification is not intended to modify this prohibition.
In issuing the NPRM, the Department has made great strides toward achieving an appropriate balance between safeguarding individuals' privacy and facilitating important biomedical research. Decades of responsible science have shown that protecting the confidentiality of data and promoting medical research are mutually attainable goals. Indeed, BIO's members understand clearly that measures that promote research but do not adequately protect individuals' privacy do not serve the public interest because they undermine the public's trust in the motives of researchers. In our effort to establish privacy safeguards, however, we must be careful not to impose needless administrative burdens on the health care providers and plans whose participation is critical to the research process and to the protection of the public health. As noted above, BIO strongly supports HHS's proposal to modify the privacy regulation in ways that will eliminate inappropriate and unnecessary requirements that hinder uses and disclosures of protected health information for important research, public health, and data analysis purposes. We urge the Department to adopt these modifications as soon as possible. In addition, we request that the Department make the other changes, refinements, and clarifications recommended in these comments, which we believe also are necessary to protect the public interest in biomedical research.
Michael J. Werner, Esq.
1: Office for Civil Rights, Department of Health and Human Services, Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 14,776 (March 27, 2002) (to be codified at 45 C.F.R. parts 160 and 164).
2. The activities and interests of BIO's members vary widely. BIO limits its comments to those aspects of the NPRM that are likely to affect the industry's principal activities in researching, developing, and marketing safe and effective new biotechnology products and in monitoring their use in medical and consumer practice. However, individual members may submit comments which discuss the impact of the NPRM on their specific businesses.
3. See id. at 14,795-98 (to be codified at 45 C.F.R. § 164.508).
4. See id. at 14,795 (to be codified at 45 C.F.R. § 164.512(i)(2)(ii)).
5. See id. at 14,801-02 (to be codified at 45 C.F.R. § 164.512(b)(1)).
6. See id. at 14,796-97 (to be codified at 45 C.F.R. § 164.532(c)).
7. See id. at 14,801 (to be codified at 45 C.F.R. § 164.528).
8. We note that this single criterion is the primary obstacle to developing a feasible system for statistical certification under the existing de-identification standard.
9.See id. at 14,796.
10. 45 C.F.R. § 164.501.
11.See 67 Fed. Reg. at 14,796.
12. 45 C.F.R. § 164.528(b)(1)-(2).
13. 67 Fed. Reg. at 14,814 (to be codified at § 164.512(i)(2)(ii)(A)).
14. The regulation already requires covered entities to keep records of each waiver of authorization. While it may not be possible to use this documentation to track situations in which a specific individual's protected health information was used or disclosed in research, it arguably provides the right balancing of the public interest in oversight of the waiver process with the public interest in assuring the secure and confidential use of data in research. In the event of suspected problems or complaints, the Secretary would have access to the relevant records for determining whether information may have been used or disclosed in violation of the rule.
15. 45 C.F.R. § 164.512(b).
16. See id. § 164.512(i)(1)(ii).
17. See 67 Fed. Reg. at 14,794.