STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION UNDER THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
The Biotechnology Industry Organization ("BIO") is pleased to have the opportunity to submit testimony expressing our concerns about the federal medical privacy regulation issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) published on December 28, 2000. BIO represents more than 950 biotechnology companies, academic institutions, state biotechnology centers, and related organizations in all 50 US states and 33 other nations. BIO's members are in the business of conducting and sponsoring research designed to discover medicines, diagnostics, and innovative new forms of therapy. These companies provide a home base for researchers who are committed to finding ways to use science to meet unmet medical needs. For most BIO members, research is their business; only a handful have products approved for marketing. These companies are sustained by their prospective patients' hope and faith in their research enterprise, and by Americans' willingness to invest in that hope.
BIO's long-standing role as a proponent of federal legislation and regulations to safeguard the confidentiality of medical information stems from the recognition that (1) the availability of sensitive and detailed medical information about individuals is indispensable for biomedical research, and (2) this availability depends on patients' trust and confidence that researchers will use medical information responsibly and protect it from misuse. BIO’s members have long endorsed the principles of respect for the medical privacy of individual patients and strong laws with incentives for all concerned to protect medical information from abuse and unauthorized disclosure. Researchers work hard to maintain the trust and confidence of the patients who make themselves available for research.
BIO's members also believe, however, that patients are counting on them to vigorously pursue their research objectives. BIO believes that the public interest in the discoveries and findings of research is as strong as the public interest in medical privacy. We note that since the enactment of HIPAA, the public debate and hearing record amply document that no one – from patient groups to privacy advocates, providers, payers, and government officials – advocates that research should be made more difficult or costly by the legal framework that we establish to protect medical privacy.
BIO is pleased that the final regulation published on December 28, 2000 makes some significant improvements over the proposed rule regarding issues critical to the conduct of research. Our purpose in submitting this testimony is to express our great concern that the regulation still imposes significant new administrative burdens on those covered entities that choose to collaborate in our research activities, and we do not believe that these burdens are warranted in the context of the HIPAA administrative simplification regulations. Traditionally, a majority of clinical research sponsored by biotechnology companies involves collection of data by investigators associated with academic medical centers or other institutions that are “covered entities” that are required to comply with the new regulation. BIO is deeply concerned that the additional costs of the significant new administrative requirements, together with the new civil and criminal liability to which they are exposed, may have the unintended consequence of making these institutions reluctant to host sponsored research, or incur greater cost and risk to do so.
In particular, we are concerned that as they scramble to meet the aggressive timetable for bringing their patient care and reimbursement activities into compliance over the next two years, these entities may not have the time and resources to meet the new requirements for research imposed by the regulation including developing the new forms, implementing the new review criteria and modifying the duties of Institutional Review Boards (IRBs). Research will suffer if biotechnology companies are unable to count on the collaboration of academic scientists and hospitals. In addition to these general concerns, BIO would like to offer comments on specific research issues directly affected by the medical privacy regulation.
Regulation of Clinical Research. Research activities of biotechnology companies already are subject to the regulations of the Food and Drug Administration (FDA), the state laws that apply to every research site where we collect information about research participants, as well as the federal regulations that govern the IRBs responsible for reviewing each of the projects where data are collected from patients that are receiving care or participating in research at an academic institution. Research protocols typically involve data collected from individuals recruited by investigators affiliated with multiple separate institutions. As a result of the Common Rule, therefore, even without the new HIPAA requirements, the research protocols that companies sponsor, including the arrangements for safeguarding the privacy of participants and protecting the confidentiality of the data that is collected, are independently reviewed by IRBs at each institution where data are collected.
Nevertheless, to the already duplicative regime in existence under the Common Rule, the regulation adds new requirements. Specifically, it mandates a new privacy authorization form that addresses separate legal issues from the informed consent form under which each research participant agrees to participate in research and acknowledges the potential risks. For example, the form addresses whether the research participant agrees that information from the treatment that is part of the research protocol can be made available to the researcher. No deviations are allowed from any of the elements that are required to be in this new form unless the IRB specifically “waives” the form of authorization using a complex and subjective set of criteria. Nothing about this process is related to the privacy of individuals’ information transmitted in connection with the transactions specified in the HIPAA statute. This new research review requirement is simply a modification of the Common Rule to add privacy as a separate risk factor with its own IRB review, separate from the IRB’s consideration of other risks to research participants. The desirability of such a proposal must be addressed in the context of a broader consideration of the current federal research regulations, not added to the duties of academic medical centers and other covered entities involved in research as part of HIPAA.
De-Identified Information. Much useful research can be structured to protect privacy by creating incentives to use databases of de-identified information – information that does not identify an individual. Notwithstanding the Secretary's acknowledgement of this fact, the "safe harbor" criteria in the regulation for creating a de-identified database seem to be calculated to create data that are useless for research purposes. As a result, the regulation seems likely to have the incongruous result of encouraging researchers to seek review by an IRB, or to set up what the regulation calls a "privacy board" so that they can obtain data that are appropriate for research. BIO believes that de-identification appropriate to the researcher's proposed and permitted use of the data can be an effective means of protecting the confidentiality of data subjects. The regulation's use of a one-size-fits-all set of standards will deter people from taking these measures seriously in the research context.
-Post-Marketing Surveillance. BIO also is concerned that the regulation misunderstands the FDA regulatory scheme under which doctors and hospitals voluntarily report information about product outcomes to companies that are responsible for collecting information and reporting to FDA any “adverse events.” Companies collect information about unexpected events – often from health care providers – to detect which actually may be "adverse" events associated with use of a particular drug. By defining the permissible disclosure so strictly, and imposing serious penalties for infractions, the regulation may cause providers to be very conservative in selecting the few incidents to report.
The regulation permits reporting only of “adverse events” and such reports must be made to the entity “required to report” them. As such, the provider must make subjective determinations about whether events are “adverse”. The provider also must look beyond the name of the manufacturer on the label to ensure that the manufacturer is the entity “required or directed” by FDA to collect and report adverse events. It would be a terrible unintended consequence if, in the name of complying with federal privacy laws, providers were hesitant to report unusual outcomes to the manufacturer whose “800” number is on the product label, because of an uncertainty about whether or not the event is truly “adverse” or the labeled manufacturer is the entity required to collect and report events.
The same problem arises in connection with exposure registries that are used to more systematically collect information on use of products by special sub-populations in order to identify any issues that may not have been detectable in the clinical trials that supported product approval. In some cases, FDA has authority to require or direct the manufacturer to operate these registries (e.g., fast-track approvals). In other cases, the manufacturer may be willing to conduct a registry and FDA may support the idea, but FDA does not have authority to "require or direct" the manufacturer to do so. The privacy regulation says that covered entities may participate in the registries that FDA has "required or directed" but not in those that manufacturers voluntarily operate – even if they operate them consistent with the FDA's guidance documents regarding registries. We see no indication in Congress' enactment of the HIPAA administrative simplification requirements – including its provision for the Secretary to issue regulations protecting the privacy of medical information – that Congress wished the Secretary to use HIPAA's civil and criminal penalties in a manner that would cause providers to be leery of participating in our nation's system for monitoring the safety and efficacy of prescription pharmaceuticals.
BIO urges a delay in the effective date of the regulations. A two year deadline for each of the separately issued elements of HIPAA has the potential to be harmful to research conducted with covered entities. Because requirements such as privacy and security are so closely related, most of the final arrangements for compliance with privacy cannot be addressed until the other is finalized.
BIO also supports changes that would help facilitate critical medical research. We are living in an era of enormous promise and potential clinical breakthroughs as scientists use genetic knowledge to improve our medical interventions. Decades of responsible science under the Common Rule has shown that protecting the confidentiality of data and promoting medical research are mutually attainable goals. Perhaps the time has come to reexamine the Common Rule to ensure that it still provides the kind of comprehensive protection for research participants that is integral to the conduct of high quality research. There have been many changes in our research infrastructure and our science since the Common Rule was adopted. BIO looks forward to working with the Committee as it pursues that goal.