Copyright 1999 Federal News Service, Inc.  
Federal News Service

FEBRUARY 24, 1999, WEDNESDAY

SECTION: IN THE NEWS

LENGTH: 3561 words

HEADLINE: PREPARED STATEMENT OF
PROFESSOR CHAI FELDBLUM
THE PRIVACY WORKING GROUP OF
THE CONSORTIUM FOR CITIZENS WITH DISABILITIES
BEFORE THE SENATE HEALTH, EDUCATION, LABOR AND PENSIONS COMMITTEE
SUBJECT - HEARING ON MEDICAL RECORDS PRIVACY

BODY:

Introduction
Good morning. My name is Chai Feldblum and I am a Professor of Law and Director of the Federal Legislation Clinic at Georgetown University Law Center. I am here today representing one of the Clinic's clients, the Consortium for Citizens with Disabilities (CCD) Privacy Working Group. Many members of the Privacy Working Group are also members of the newly formed Consumer Coalition for Health Privacy.
CCD is a Washington-based coalition of nearly 100 national disability organizations that advocates with and on behalf of children and adults with disabilities and their families. All persons who receive health care services in this country have reason to be concerned with the inappropriate use of highly personal information that is collected about them within the health care system. As a coalition representing 54 million people living with disabilities in the United States, however, CCD's views on this issue are somewhat unique. Because people with disabilities have extensive medical records and sometimes stigmatizing conditions, such individuals feel a particular urgency in securing new privacy protection at the federal level. At the same time, many people with disabilities interact on an almost daily basis with the medical establishment and thus benefit from a well-run, effective health care system. Such individuals do not want federal privacy protection to reduce the effectiveness of the health care system they must navigate on an ongoing basis. All of our work in this area has taught us that these concerns are neither in conflict with each other, nor do they require "balancing" of one interest against another. Instead, establishing privacy protection can enhance the operation of the health care system, by increasing individuals' trust and confidence in that system, and does not have to reduce the effectiveness of that system.
These same issues exist in the area of health research for people with disabilities. People with disabilities often have the most to gain from biomedical and health services research. Many people with disabilities live with conditions that are progressively debilitating, and, in some cases, fatal. Research leading to the development of new therapies or new habilitation and rehabilitation techniques can significantly enhance the quality of life for these individuals. In addition, all individuals -- not just people with disabilities -- benefit from health research holding the potential to advance our knowledge of the identification, prevention, or treatment of disease or to improve our ability to deliver high quality health care services. At the same time, due to the vulnerability of people with disabilities to discrimination on the basis of disability, such individuals are more likely than other people to be hurt by the unauthorized or inadvertent disclosure of their medical information by or to researchers. Thus, CCD believes the status quo of no federal privacy protection in the privately-funded research context is unacceptable. CCD is also concerned that little attention -- if any -- is given currently to privacy for publicly-funded research.
CCD does not wish, of course, to create a system that is so protective of privacy that it makes our nation's biomedical and health services research enterprises unworkable. As in the health care system generally, however, our work in this area has demonstrated to us that strong privacy protections can enhance research by increasing individuals' trust in such research rather than hamper such enterprises. We believe our final recommendations in the research arena create an environment in which an individual's right to privacy is effectively protected and useful research is effectively supported and encouraged.
Background
Before I discuss CCD's response to the GAO report and its position on protecting privacy in the research context, I would like to briefly review the existing federal regulations for the protection of human subjects involved in research.1 Largely in response to concerns about biomedical and behavioral research that caused harm to human subjects, many federal agencies standardized their oversight of research involving human subjects by adopting the Common Rule in 1991.2 Seventeen federal agencies and departments currently adhere to the Common Rule.3 In addition, private research organizations conducting research that is funded by these federal agencies must comply with the requirements of the Common Rule. And finally, Food and Drug Administration (FDA) regulations, which closely resemble the Common Rule, apply to entities conducting research in connection with FDA-regulated products.4
Under the Common Rule, research organizations conducting federally funded or regulated research projects must establish and operate institutional review boards (IRBs), which are responsible for reviewing research protocols and for implementing federal requirements designed to protect the rights and safety of human subjects.5 Federal requirements specify that IRBs must have at least five members, including one member with primarily scientific interests, one with primarily unscientific interests, and one otherwise unaffiliated with the institution in which the IRB resides.6 The IRB must review and either approve, require modifications in, or disapprove all research activities covered by the federal regulations.7 In addition, the IRB must conduct continuing review of the research projects it approves.8
The Common Rule establishes different frameworks for most research projects and for research projects involving solely medical records databases or pathological specimens. In both cases, requirements with regard to privacy are minimal, since as the GAO report correctly observes, the IRB system was developed largely to protect the safety of human subjects from physical risks in research.9 Of course, the fact that the IRB system may not currently focus effectively on privacy does not mean the system is incapable of doing so. It simply means a stronger standard for privacy needs to be incorporated into the IRB system.
In order to approve research involving human subjects, the full IRB must determine that the risks to the subjects' safety are minimized and reasonable; that informed consent will be sought from each prospective subject before participation in the study; and that, "(w)hen appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data."10 The regulations do not provide an explanation of the circumstances under which it is appropriate for an IRB to consider provisions regarding privacy and confidentiality or any guidance as to how the IRB should evaluate the adequacy of those provisions. With regard to informed consent, an individual's informed consent satisfies the requirements of the Common Rule if the following information is provided to the subject: the purposes of the research; a description of the procedures to be followed; a description of any reasonably foreseeable risks or benefits to the subject; and "a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained."11 An IRB is authorized to approve a consent procedure which alters the elements of informed consent set forth in the regulation, or which waives the requirement to obtain informed consent altogether, if the IRB finds the research involves no more than minimal risk to the subjects and the research could not practicably be carried out without the waiver or alteration.12
A research project is considered to pose no more than a "minimal risk" to a human subject when the "probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests."13 This definition of minimal risk focuses solely on the effect the research will have on an individual's physical condition. This makes sense, given that the primary concern driving adoption of the Common Rule was the physical safety of human subjects in research. Unfortunately, the definition fails to include any consideration of the risks a research project may pose to the confidentiality of a subject's medical information. In addition, the current regulations do not include any standard for circumstances when research cannot practicably be carried out without the waiver.
The Common Rule establishes a different and more lax procedure for research that uses solely medical records databases or pathological specimens. An IRB may use an expedited review procedure to review research that uses "existing data, documents, records, pathological specimens, or diagnostic specimens."14 Such research is inherently considered to involve no more than minimal risk for purposes of the Common Rule.15 Under the expedited review process, a review may be carried out by the IRB chairperson, or by one or more of the reviewers designated by the chairperson, rather than by the full IRB.16 This one individual can waive the informed consent requirement of the Common Rule, with regard to research using such data, as long as the research could not practicably be carried out without the waiver. As the GAO reports, the seven IRBs it contacted "generally waive informed consent requirements in cases involving medical records-based research."17
The GAO Report
This hearing is focused on the GAO's report on medical records privacy in the research context. Because the GAO is testifying here today, I will not repeat in this testimony a summary of its report. Essentially, however, the GAO report makes the following points:
- The current IRB system is not adequately structured or implemented to protect the privacy of medical information. (GAO Report, pp. 12-17). The Report does not indicate whether there is anything inherent in the IRB system itself that makes it incapable of ensuring such privacy, assuming that a system is appropriately structured and managed.
- Many organizations not subject to the Common Rule nevertheless use the IRB system. (GAO Report, pp. 10-12)
- Many organizations not subject to the Common Rule do not use IRBs, but have internal procedures designed to protect the confidentiality of medical records data. (GAO Report, pp. 17-21)
- In certain cases where there have been breaches of confidentiality in organizations not subject to the Common Rule, HHS has lacked jurisdiction to take any action to remedy the situation. (GAO Report, p. 17)
- In neither the Common Rule, nor in any of the procedures established by organizations not covered by the Common Rule, is there a requirement that researchers demonstrate that identifiable information is necessary for the effective implementation of their research projects.
CCD's Response to the GAO Report and CCD's Position on Research
CCD represents millions of people with disabilities who benefit directly from public and private health research activities. We want such research to proceed effectively and with full vigor. Indeed, we believe a federal privacy law can ensure that such activities will go forward effectively, while creating incentives for the use of nonidentifiable information when appropriate and creating structures to protect the privacy of identifiable information when such data is necessary.
As a general rule, if a health researcher is dealing with live individuals, CCD believes such a researcher must obtain informed consent from these individuals, pursuant to an authorization section of federal privacy legislation, before using such individuals (or their medical information or specimens) in a research project. As set out in two bills introduced in the 105th Congress, such authorization would be obtained under the second tier of the authorization structure. Under this tier, delivery of treatment or payment for services may not be conditioned on the receipt of the authorization.18 If this authorization is received, there is no requirement for a researcher, if not previously subject to the Common Rule, to engage with an IRB process.
CCD realizes, however, that when research does not involve live human subjects, but rather involves medical records data or stored blood or tissue samples, it may not be feasible for a researcher to obtain the informed consent of the individuals who are the subject of the information. For example, some studies require researchers to review thousands of records for patients treated over a long period of time. In this instance, it would be quite difficult for a researcher to contact every individual whose medical records are contained in the database and ask for authorization to use their identifiable data.
In these situations, CCD believes researchers should be required to explain why identifiable information is needed in order for the research project to proceed effectively. This is what we at CCD term the "stop, think, and justify" moment. Even if identifiable information is then justified for the research project, in many cases, researchers will be able to use techniques of encryption that further protect against unauthorized disclosures of such information. Indeed, the GAO report indicates that many private organizations have taken the lead in encrypting data used for research projects. As the GAO reports, "researchers at one integrated health system that we contacted do not see fully identifiable information. Rather, they work with information that has been encoded by computer programmers on the research team -- the only individuals who have access to the fully identifiable data."19
CCD has spent a good deal of time considering how best to establish this "stop, think, and justify" moment in the research context. Because the IRB system is the current paradigm for protection of research subjects, CCD strongly supports using as much of the existing IRB process as possible in the health research section of federal privacy legislation. Much of the health research that is currently taking place in the United States is already covered by the estimated 3,000 to 5,000 IRBs, which are associated with hospitals, universities, or other research institutions, or exist in managed care organizations, government agencies, and as independent entities employed by the organizations conducting the research.20 Although privately funded research is not subject to federal requirements, some organizations voluntarily apply federal rules, including IRB review and approval procedures, to all of their research, regardless of the source of funding.21
Other organizations, however, choose not to apply either the Common Rule or IRB review if not required to do so.22 Non-publicly funded research conducted by these organizations is not subject to any form of external oversight. CCD believes all health research, both publicly and privately funded, must comply with reasonable privacy protections that include some form of external oversight.
Because the Common Rule was designed to focus on safety risks for human subjects -- not on the confidentiality of data used in health research -- the Common Rule currently provides little guidance for IRBs with respect to confidentiality. CCD believes that modification of the Common Rule will be necessary to ensure that informed consent and confidentiality standards are met by all research projects. CCD believes, however, that it will be far more efficient to modify the existing IRB provisions rather than attempting, through federal privacy legislation, to establish an entirely new oversight structure for confidentiality protections.
Finally, although CCD believes that modification of the Common Rule is necessary to ensure that researchers are required to justify use of identifiable information, and are required to have in place privacy protection for the identifiable information they do use, CCD believes such modifications can be best implemented as part of the revision process of the IRB system already proceeding under the Secretary of HHS's authority. Thus, CCD believes a federal privacy law should direct the Secretary of HHS, as part of her existing review of the IRB system, to update the Common Rule by adding a separate section dealing with confidentiality. The section should include regulatory guidelines for researchers and IRBs to ensure that the identifiable information used in research is indeed necessary for the effectiveness of the research project.
In developing this section of the Common Rule, CCD believes the Secretary should consider the measures already taken by private research organizations to address privacy and confidentiality concerns. The GAO Report describes several innovative procedures that private organizations have implemented to protect the confidentiality of identifiable information.23 For example, many research organizations have established confidentiality policies, both written and oral, delineating who can have access to identifiable information. In addition, as noted above, some research organizations have instituted technical measures and physical safeguards to protect the confidentiality of information, such as the encryption or encoding of identifiers to enhance the protection of research subjects. Government can and should learn from the innovations of the private sector. Thus, while CCD supports modifying the existing IRB structure to encompass privacy and confidentiality protection, as opposed to creating a whole new system for purposes of confidentiality, CCD believes the Secretary should draw guidance from those procedures that have already proven effective in private and public research settings.
Conclusion
People with disabilities want biomedical and health services research to proceed quickly and accurately. Thus, CCD does not want privacy protection in federal legislation ever to impede a health researcher's ability to obtain identifiable information for legitimate, important purposes. However, CCD believes federal law should change the status quo in which most research takes place without a sufficient consideration of privacy protection. An appropriate system would require, in most research projects, that health researchers obtain authorizations from individuals before they enroll such individuals in research projects. In those situations where it would not be practical and feasible for a researcher to obtain such individual authorizations (for example, where research would take place on stored blood or tissue samples and obtaining informed consent is not feasible, or where the research will use large medical databases), a researcher should be required to "stop, think, and justify" his or her use of identifiable data to be excepted from the general authorization requirement.
The existing IRB structure, once it is modified by the Secretary to take into account privacy concerns, is the best framework for establishing this "stop, think, and justify" moment, whether public or privately funded. CCD believes a streamlined IRB review and approval process that incorporates a "stop, think, and justify" moment will maximize protection of confidentiality, will promote the use of nonidentifiable health information, and will enhance individuals' trust in research endeavors -- all without jeopardizing the integrity of health research projects and, indeed, resulting in the enhanced vigor of publicly and privately funded research in this country.
For further information regarding this testimony or for further information about the CCD Privacy Working Group, please contact Professor Chai Feldblum at (202) 662-9595 or Jeffrey Crowley, Chair, CCD Privacy Working Group at (202) 898-0414.
FOOTNOTES:
1 For purposes of this testimony, I am following the GAO report and using the Common Rule's definition of research: "a systematic investigation ... designed to develop or contribute to generalizable knowledge." See, e.g., 45 C.F.R. 46.102(d) (1991); see also U.S. GEN. ACCT. OFF., MED. REC. PRIVACY: ACCESS NEEDED FOR HEALTH RES. BUT OVERSIGHT OF PRIVACY PROTECTIONS IS LIMITED app. I at 26 (1999) (hereinafter "GAO REPORT").
2 See 45 C.F.R. 46 (1991); see also GAO REPORT at 5.
3 See GAO REPORT at 5.
4 See 21 C.F.R. 50, 56 (1991); see also GAO REPORT at 2.
5 See 45 C.F.R. 46.101-.124 (1991); see also GAO REPORT at 5.
6 See 45 C.F.R. 46.107 (1991); see also GAO REPORT at 5.
7 See 45 C.F.R. 46.109(a) (1991).
8 See 45 C.F.R. 46.103(b), -.109(e) (1991).
9 As the Director of the Office for Protection From Research Risks (OPRR) observed in the GAO Report, privacy is not a major thrust of the Common Rule. See GAO REPORT at 13.
10 See 45 C.F.R. 46.111 (1991).
11 See 45 C.F.R. 46.116(b) (1991).
12 See 45 C.F.R. 46.116(d) (1991).
13 See 45 C.F.R. 46.102(i) (1991).
14 See 45 C.F.R. 46.110 app. 4 (1991).
15 See 45 C.F.R. 46.110 (1991).
16 See 45 C.F.R. 46.110 (1991).
17 See GAO REPORT at 14.
18 See, e.g., S. 1921, 105th Cong., 2d Sess. 203 (1998); S. 2609, 105th Cong., 2d Sess. 203 (1998); cf. S. 1368, 105th Cong., 2d Sess. 202 (1998) (applying one authorization standard to all disclosures of PHI).
19 See GAO REPORT at 18.
20 See GAO REPORT at 5.
21 See GAO REPORT at 3.
22 See GAO REPORT at 3.
23 See GAO REPORT at 17-21.
END


LOAD-DATE: February 25, 1999



