BIO's Comments Regarding Proposed Standards For The Privacy of Individually Identifiable Health Information


BIO represents over 850 biotechnology companies, academic institutions, state biotechnology centers, and related organizations in 46 states and more than 25 countries. Our members are in the business of conducting and sponsoring research designed to discover medicines, diagnostics, and innovative new forms of therapy. BIO has long endorsed the principles of respect for the medical privacy of individual patients and strong laws with incentives for all concerned to protect medical information from abuse and unauthorized disclosure.

BIO is concerned that in many respects, the proposed regulation would have the opposite effect of what seems to be the intent of Health Insurance Portability and Accountability Act. Congress established legal authority for a uniform federal system to safeguard medical information transmitted by providers and health plans that have elected to use the power of information technology to expedite certain financial and administrative health benefits transactions. But instead of a transparent system of protections that would improve patients’ understanding of their rights and covered entities’ understanding of their obligations, the Secretary has created a cumbersome system in which documentation of compliance with very precise requirements with respect to uses of electronic media, paper, and telephonic or other oral communication is required to prevent the provider or health plan from being subject to civil and criminal penalties.

BIO's members were deeply disappointed that the proposed regulation fails at every turn to establish a legal framework that does not adversely affect research. BIO’s members believe that the federal regulation must be modified to bring it within the scope of the authority established by Congress in HIPAA and to avoid creating significant, if unintentional impediments to biotechnology research and biotechnology companies' non-research activities. BIO's comments offer specific amendments to the proposed regulation to address each of our concerns.

I. BIO Is Concerned That the Medical Privacy Regulations Establish New Ground Rules For All Medical Research

  • Use or Disclosure of "Minimum Necessary" Information for the Purpose. §164.506(b).

    The Secretary proposes that a covered entity be subject to civil and criminal sanctions unless the entity has made "all reasonable efforts" to limit disclosures to the minimum necessary amount of information, including disclosures for IRB-approved research projects.

    BIO believes that a covered entity should be permitted to disclose protected health information after making reasonable efforts to ensure that disclosure is limited to the minimum information necessary to achieve the purpose. A covered entity should also be permitted to rely upon the determinations of its own IRB or the central IRB in a multi-center clinical trial for purposes of determining whether disclosures have been appropriately limited. Equally important, BIO fears that the "all reasonable efforts" standard, applied to each disclosure of patient information, will deter covered entities from responding to the recent call of the Institute of Medicine to reduce the frequency of medical errors by affording all providers in the chain of care timely access to an integrated clinical information system.

    BIO recommends that the proposed regulation be amended by removing the "minimum necessary" criterion as a disclosure standard under §164.506(b)(1) and incorporating "minimum necessary" as a required "safeguard" under the administrative requirements of §164.518(c)). With this change, a covered entity's compliance with the "minimum necessary" requirement would be judged according to the reasonableness standard of §164.518(c)(2), each entity could safely rely upon the "minimum necessary" determinations of its own IRB or the lead IRB in a multi-site trial, and covered entities could offer all providers access to integrated patient care records, as recommended by the Institute of Medicine.

  • Creation of De-identified Information. § 164.506(d).

    The proposed regulation creates an unrealistic standard for de-identifying data, and imposes civil and criminal penalties if a covered entity fails to meet this standard when attempting to de-identify information made available for research and analysis.

    To serve the public interest in improving the health care system through epidemiologic and health outcomes research, the proposed regulation should create a workable scheme for creating de-identified information and incentives to use de-identified information wherever possible.

    BIO recommends that the proposed rule be modified in two ways: (1) to create a more reasonable set of identifiers that can be used to create presumptively de-identified information, and (2) to establish rules that would permit entities other than covered entities to use valid statistical methods for creating databases that may be treated as de-identified.

  • Modification of the Common Rule Regulating Research. §164.506(a)(1)(i §164.508; §164.510(j).

    The proposed regulation explicitly regulates research by establishing new criteria that must be in patient authorization forms and new criteria for waiver of authorization; no longer would IRBs established under the Common Rule be responsible for decisions about the elements of informed consent, and HIPAA's civil and criminal penalties could be applied to uses of information for research if an IRB has failed to meet the new waiver criteria or use the new informed consent forms.

    BIO believes that new medical privacy regulations should preserve the integrity of the Common Rule. IRBs should continue to determine the form and content of individual consents for research and whether or not to waive authorization under their current authority. The authority of newly-created Privacy Boards should be strictly limited to the waiver of individual authorization for research uses of medical information collected or created in the ordinary course of treatment, payment, or health care operations.

    BIO recommends that § 164.506 should be modified to ensure that covered entities are permitted to make information available for any research project that has been approved by an IRB established under the Common Rule.

    (1) Where a research project is reviewed by an IRB and where a waiver of consent is not being sought, the form and content of patient authorizations should be determined by the IRB that is charged with oversight of the relevant research project.

    (2) The exceptions to conditioning an authorization on treatment and compound authorizations should be eliminated from §164.508 as unnecessary complications.

    (3) Disclosure of protected health information for research that is not reviewed by an IRB and is not granted a waiver of authorization under §164.510(j) should require a patient authorization that meets the requirements of §164.508.

    The criteria for waiver of authorization under §164.510(j) must be modified to ensure that Privacy Boards review only privacy risks and grant waivers of individual authorization only for research using information gained by a covered entity during the ordinary course of treatment, payment, or healthcare operations.

    BIO recommends the establishment of new criteria, independent of the Common Rule, to govern any waiver of the individual authorization required by the medical privacy regulations for non-interventional research.

    (1) IRBs, the new privacy boards, or the covered entity's privacy officer should apply these criteria in deciding whether to waive individual authorization when the proposed research involves only the use of materials and information otherwise collected or created in the context of treatment, payment, or health care operations;

    (2) IRBs should continue to decide whether or not to waive consent under the Common Rule, using the new waiver criteria as appropriate to their deliberations.

  • Research Information Unrelated to Treatment. §164.506(a)(1 §164.508(a)(3)(B)

    The breadth and purpose of the Secretary's new information category labeled "research information unrelated to treatment" is unclear, but the requirements that apply to it complicate compliance in research institutions and undermine efforts to provide treating physicians with ready access to the information necessary for accurate and prompt diagnosis and treatment of patients.

    To facilitate accurate medical recordkeeping and institutional compliance with the proposed regulation, healthcare facilities and individual providers must be free to share all information concerning a patient's care, including information related to the patient's participation in any clinical research protocols.

    BIO recommends that the regulation be amended to delete the category of "research information unrelated to treatment and all provisions making reference to it.

    II. BIO Is Concerned That Ambiguities in the Proposed Regulation Appear to Regulate the Non-Research Activities of Biotechnology Companies.

  • Applicability; Definition of Covered Entity. §160.102

    Biotechnology companies should remain free to employ licensed health care providers and to enter corporate relationships with provider institutions without fear of being deemed a "covered entity" under the proposed regulation.

    BIO recommends that the applicability section (§160.102) be revised by making the proposed standards, rules, and implementation specifications applicable only to the component of an entity that engages in the transactions specified in §164.104.

  • Scope; Patient Assistance Programs; Professional Assistance

    The proposed regulations should permit manufacturers to provide product support activities for the patients and health care professionals who use their products, without the burden of added complexities and costs.

    Because information disclosed to obtain the services of the personnel who staff product support programs may not meet the extremely strict criteria set for "de-identifying" information, BIO asks that the regulation be amended to ensure that health care professionals are not hampered in their efforts to obtain product support services. We also ask for clarification that the proposed regulations do not require the manufacturer to require the patient to submit an authorization form required under § 164.508(a)(1) before taking the patient's call and responding to the request for assistance.

  • Monitoring Activities to Ensure Product Safety and Effectiveness.

    The public health exception of § 164.510(b) must be modified to permit covered entities to use health information in preparing reports to manufacturers of approved products for public health purposes. As drafted, the proposed regulation permits covered entities to disclose protected health information to public health authorities, but our system for monitoring safety and effectiveness of approved products depends upon covered entities' voluntary reports to the registered manufacturers of approved products.

    BIO recommends that § 164.510(b) of the proposed regulation be modified to permit covered entities to disclose protected health information to the registered manufacturer that is charged with monitoring the safety and effectiveness of marketed products.

  • Product Surveillance Activities Are International In Scope.

    The proposed regulation permits reports only to government officials in the United States.

    BIO recommends that the definition in the proposed regulation should be amended to expand the definition of "public health authority" to include an agency or authority of a foreign government or international body that is responsible for public health matters.

  • The Proposed Effective Date Will Disrupt Ongoing IRB-Approved Research.

    Because the proposed regulations add to and/or modify existing laws that apply to research under the Common Rule, the rule should establish a phase in requirement that prevents disruption of ongoing research projects monitored by an IRB.

    Language should be added to § 164.524 (Effective Date) to clarify that nothing in the section shall require modification of any research approved and supervised by an Institutional Review Board as of the effective date of the regulation.

  • The Regulation Should Mitigate the Disincentives HIPAA Creates for Covered Entities to be Involved in Research and Other Public Interest Activities that Depend on Medical Information.

    Covered entities should be able to use or disclose protected health information pursuant to all § 164.510 activities in good faith reliance on credible representations that the regulation's requirements have been met.

    BIO recommends that § 164.510(a) be modified to create a presumption that an entity that acts in good faith to meet each of the verification requirements § 164.518(c) is in compliance with the disclosure standards of § 164.510.

    III. Conclusion

    It is extremely important for patients' medical privacy to be protected and for federal rules to establish a uniform and transparent set of expectations about rights and obligations with respect to uses and disclosures of medical information. It also is important to ensure that the public interest in medical innovations and safe and effective therapeutic interventions is not sacrificed to this endeavor. BIO believes that our amendments offer a way to modify the Secretary’s chosen approach that serves both objectives yet remains consistent with Congressional intent and the regulatory authority established under HIPAA.