Copyright 1999 Federal News Service, Inc.
Federal News Service
FEBRUARY 24, 1999, WEDNESDAY
SECTION: IN THE NEWS
LENGTH: 3561 words
HEADLINE: PREPARED STATEMENT OF PROFESSOR CHAI FELDBLUM
THE PRIVACY WORKING GROUP OF THE CONSORTIUM FOR CITIZENS WITH DISABILITIES
BEFORE THE SENATE HEALTH, EDUCATION, LABOR AND PENSIONS COMMITTEE
SUBJECT - HEARING ON MEDICAL RECORDS PRIVACY
BODY:
Introduction
Good morning. My
name is Chai Feldblum and I am a Professor of Law and Director of the Federal
Legislation Clinic at Georgetown University Law Center. I am here today
representing one of the Clinic's clients, the Consortium for Citizens with
Disabilities (CCD) Privacy Working Group. Many members of the Privacy Working
Group are also members of the newly formed Consumer Coalition for Health
Privacy.
CCD is a Washington-based coalition of nearly 100 national
disability organizations that advocates with and on behalf of children and
adults with disabilities and their families. All persons who receive health care
services in this country have reason to be concerned with the inappropriate use
of highly personal information that is collected about them within the health
care system. As a coalition representing 54 million people living with
disabilities in the United States, however, CCD's views on this issue are
somewhat unique. Because people with disabilities have extensive medical records
and sometimes stigmatizing conditions, such individuals feel a particular
urgency in securing new privacy protection at the federal level. At the same
time, many people with disabilities interact on an almost daily basis with the
medical establishment and thus benefit from a well-run, effective health care
system. Such individuals do not want federal privacy protection to reduce the
effectiveness of the health care system they must navigate on an ongoing basis.
All of our work in this area has taught us that these concerns are neither in
conflict with each other, nor do they require "balancing" of one interest
against another. Instead, establishing privacy protection can enhance the
operation of the health care system, by increasing individuals' trust and
confidence in that system, and does not have to reduce the effectiveness of that
system.
These same issues exist in the area of health research for people
with disabilities. People with disabilities often have the most to gain from
biomedical and health services research. Many people with disabilities live with
conditions that are progressively debilitating, and, in some cases, fatal.
Research leading to the development of new therapies or new habilitation and
rehabilitation techniques can significantly enhance the quality of life for
these individuals. In addition, all individuals -- not just people with
disabilities -- benefit from health research holding the potential to advance
our knowledge of the identification, prevention, or treatment of disease or to
improve our ability to deliver high quality health care services. At the same
time, due to the vulnerability of people with disabilities to discrimination on
the basis of disability, such individuals are more likely than other people to
be hurt by the unauthorized or inadvertent disclosure of their medical
information by or to researchers. Thus, CCD believes the status quo of no
federal privacy protection in the privately-funded research context is
unacceptable. CCD is also concerned that little attention -- if any -- is given
currently to privacy for publicly-funded research.
CCD does not wish, of
course, to create a system that is so protective of privacy that it makes our
nation's biomedical and health services research enterprises unworkable. As in
the health care system generally, however, our work in this area has
demonstrated to us that strong privacy protections can enhance research by
increasing individuals' trust in such research rather than hamper such
enterprises. We believe our final recommendations in the research arena create
an environment in which an individual's right to privacy is effectively
protected and useful research is effectively supported and encouraged.
Background
Before I discuss CCD's response to the GAO report and its
position on protecting privacy in the research context, I would like to briefly
review the existing federal regulations for the protection of human subjects
involved in research.1 Largely in response to concerns about biomedical and
behavioral research that caused harm to human subjects, many federal agencies
standardized their oversight of research involving human subjects by adopting
the Common Rule in 1991.2 Seventeen federal agencies and departments currently
adhere to the Common Rule.3 In addition, private research organizations
conducting research that is funded by these federal agencies must comply with
the requirements of the Common Rule. And finally, Food and Drug Administration
(FDA) regulations, which closely resemble the Common Rule, apply to entities
conducting research in connection with FDA-regulated products.4
Under the
Common Rule, research organizations conducting federally funded or regulated
research projects must establish and operate institutional review boards (IRBs),
which are responsible for reviewing research protocols and for implementing
federal requirements designed to protect the rights and safety of human
subjects.5 Federal requirements specify that IRBs must have at least five
members, including one member with primarily scientific interests, one with
primarily unscientific interests, and one otherwise unaffiliated with the
institution in which the IRB resides.6 The IRB must review and either approve,
require modifications in, or disapprove all research activities covered by the
federal regulations.7 In addition, the IRB must conduct continuing review of the
research projects it approves.8
The Common Rule establishes different
frameworks for most research projects and for research projects involving solely
medical records databases or pathological specimens. In both cases, requirements
with regard to privacy are minimal, since as the GAO report correctly observes,
the IRB system was developed largely to protect the safety of human subjects
from physical risks in research.9 Of course, the fact that the IRB system may
not currently focus effectively on privacy does not mean the system is incapable
of doing so. It simply means a stronger standard for privacy needs to be
incorporated into the IRB system.
In order to approve research involving
human subjects, the full IRB must determine that the risks to the subjects'
safety are minimized and reasonable; that informed consent will be sought from
each prospective subject before participation in the study; and that, "(w)hen
appropriate, there are adequate provisions to protect the privacy of subjects
and to maintain the confidentiality of data."10 The regulations do not provide
an explanation of the circumstances under which it is appropriate for an IRB to
consider provisions regarding privacy and confidentiality or any guidance as to
how the IRB should evaluate the adequacy of those provisions. With regard to
informed consent, an individual's informed consent satisfies the requirements of
the Common Rule if the following information is provided to the subject: the
purposes of the research; a description of the procedures to be followed; a
description of any reasonably foreseeable risks or benefits to the subject; and
"a statement describing the extent, if any, to which confidentiality of records
identifying the subject will be maintained."11 An IRB is authorized to approve a
consent procedure which alters the elements of informed consent set forth in the
regulation, or which waives the requirement to obtain informed consent
altogether, if the IRB finds the research involves no more than minimal risk to
the subjects and the research could not practicably be carried out without the
waiver or alteration.12
A research project is considered to pose no
more than a "minimal risk" to a human subject when the "probability and
magnitude of harm or discomfort anticipated in the research are not greater in
and of themselves than those ordinarily encountered in daily life or during the
performance of routine physical or psychological examinations or tests."13 This
definition of minimal risk focuses solely on the effect the research will have
on an individual's physical condition. This makes sense, given that the primary
concern driving adoption of the Common Rule was the physical safety of human
subjects in research. Unfortunately, the definition fails to include any
consideration of the risks a research project may pose to the confidentiality of
a subject's medical information. In addition, the current regulations do not
include any standard for circumstances when research cannot practicably be
carried out without the waiver.
The Common Rule establishes a different and
more lax procedure for research that uses solely medical records databases or
pathological specimens. An IRB may use an expedited review procedure to review
research that uses "existing data, documents, records, pathological specimens,
or diagnostic specimens."14 Such research is inherently considered to involve no
more than minimal risk for purposes of the Common Rule.15 Under the expedited
review process, a review may be carried out by the IRB chairperson, or by one or
more of the reviewers designated by the chairperson, rather than by the full
IRB.16 This one individual can waive the informed consent requirement of the
Common Rule, with regard to research using such data, as long as the research
could not practicably be carried out without the waiver. As the GAO reports, the
seven IRBs it contacted "generally waive informed consent requirements in cases
involving medical records-based research."17
The GAO Report
This hearing
is focused on the GAO's report on medical records privacy in the research
context. Because the GAO is testifying here today, I will not repeat in this
testimony a summary of its report. Essentially, however, the GAO report makes
the following points:
- The current IRB system is not adequately structured or implemented to
protect the privacy of medical information. (GAO Report, pp. 12-17). The
Report does not indicate whether there is anything inherent in the IRB system
itself that makes it incapable of ensuring such privacy, assuming that a system
is appropriately structured and managed.
- Many organizations not subject to the Common Rule nevertheless use the IRB
system. (GAO Report, pp. 10-12)
- Many organizations not subject to the Common Rule do not use IRBs, but have
internal procedures designed to protect the confidentiality of medical records
data. (GAO Report, pp. 17-21)
- In certain cases where there have been breaches of confidentiality in
organizations not subject to the Common Rule, HHS has lacked jurisdiction to
take any action to remedy the situation. (GAO Report, p. 17)
- In neither the Common Rule, nor in any of the procedures established by
organizations not covered by the Common Rule, is there a requirement that
researchers demonstrate that identifiable information is necessary for the
effective implementation of their research projects.
CCD's Response to the GAO Report and CCD's Position on Research
CCD represents millions of people with disabilities who benefit
directly from public and private health research activities. We want such
research to proceed effectively and with full vigor. Indeed, we believe a
federal privacy law can ensure that such activities will go forward effectively,
while creating incentives for the use of nonidentifiable information when
appropriate and creating structures to protect the privacy of identifiable
information when such data is necessary.
As a general rule, if a health
researcher is dealing with live individuals, CCD believes such a researcher must
obtain informed consent from these individuals, pursuant to an authorization
section of federal privacy legislation, before using such
individuals (or their medical information or specimens) in a
research project. As set out in two bills introduced in the 105th Congress, such
authorization would be obtained under the second tier of the authorization
structure. Under this tier, delivery of treatment or payment for services may
not be conditioned on the receipt of the authorization.18 If this authorization
is received, there is no requirement for a researcher, if not previously subject
to the Common Rule, to engage with an IRB process.
CCD realizes, however, that
when research does not involve live human subjects, but rather involves medical
records data or stored blood or tissue samples, it may not be feasible for a
researcher to obtain the informed consent of the individuals who are the subject
of the information. For example, some studies require researchers to review
thousands of records for patients treated over a long period of time. In this
instance, it would be quite difficult for a researcher to contact every
individual whose medical records are contained in the database and ask for
authorization to use their identifiable data.
In these situations, CCD
believes researchers should be required to explain why identifiable information
is needed in order for the research project to proceed effectively. This is what
we at CCD term the "stop, think, and justify" moment. Even if identifiable
information is then justified for the research project, in many cases,
researchers will be able to use techniques of encryption that further protect
against unauthorized disclosures of such information. Indeed, the GAO report
indicates that many private organizations have taken the lead in encrypting data
used for research projects. As the GAO reports, "researchers at one integrated
health system that we contacted do not see fully identifiable information.
Rather, they work with information that has been encoded by computer programmers
on the research team -- the only individuals who have access to the fully
identifiable data."19
CCD has spent a good deal of time considering how best
to establish this "stop, think, and justify" moment in the research context.
Because the IRB system is the current paradigm for protection of research
subjects, CCD strongly supports using as much of the existing IRB process as
possible in the health research section of federal privacy legislation. Much of
the health research that is currently taking place in the United States is
already covered by the estimated 3,000 to 5,000 IRBs, which are associated with
hospitals, universities, or other research institutions, or exist in managed
care organizations, government agencies, and as independent entities employed by
the organizations conducting the research.20 Although privately funded research
is not subject to federal requirements, some organizations voluntarily apply
federal rules, including IRB review and approval procedures, to all of their
research, regardless of the source of funding.21
Other organizations,
however, choose not to apply either the Common Rule or IRB review if not
required to do so.22 Non-publicly funded research conducted by these
organizations is not subject to any form of external oversight. CCD believes all
health research, both publicly and privately funded, must comply with
reasonable privacy protections that include some form of external oversight.
Because the Common Rule was designed to focus on safety risks for human
subjects -- not on the confidentiality of data used in health research -- the
Common Rule currently provides little guidance for IRBs with respect to
confidentiality. CCD believes that modification of the Common Rule will be
necessary to ensure that informed consent and confidentiality standards are met
by all research projects. CCD believes, however, that it will be far more
efficient to modify the existing IRB provisions rather than attempting, through
federal privacy legislation, to establish an entirely new oversight structure
for confidentiality protections.
Finally, although CCD believes that
modification of the Common Rule is necessary to ensure that researchers are
required to justify use of identifiable information, and are required to have in
place privacy protection for the identifiable information they do use, CCD
believes such modifications can be best implemented as part of the revision
process of the IRB system already proceeding under the Secretary of HHS's
authority. Thus, CCD believes a federal privacy law should direct the Secretary
of HHS, as part of her existing review of the IRB system, to update the Common
Rule by adding a separate section dealing with confidentiality. The section
should include regulatory guidelines for researchers and IRBs to ensure that
the identifiable information used in research is indeed necessary for the
effectiveness of the research project.
In developing this section of the
Common Rule, CCD believes the Secretary should consider the measures already
taken by private research organizations to address privacy and confidentiality
concerns. The GAO Report describes several innovative procedures that private
organizations have implemented to protect the confidentiality of identifiable
information.23
For example, many research organizations have
established confidentiality policies, both written and oral, delineating who can
have access to identifiable information. In addition, as noted above, some
research organizations have instituted technical measures and physical
safeguards to protect the confidentiality of information, such as the encryption
or encoding of identifiers to enhance the protection of research subjects.
Government can and should learn from the innovations of the private sector.
Thus, while CCD supports modifying the existing IRB structure to encompass
privacy and confidentiality protection, as opposed to creating a whole new
system for purposes of confidentiality, CCD believes the Secretary should draw
guidance from those procedures that have already proven effective in private and
public research settings.
Conclusion
People with disabilities want
biomedical and health services research to proceed quickly and accurately. Thus,
CCD does not want privacy protection in federal legislation ever to impede a
health researcher's ability to obtain identifiable information for legitimate,
important purposes. However, CCD believes federal law should change the status
quo in which most research takes place without a sufficient consideration of
privacy protection. An appropriate system would require, in most research
projects, that health researchers obtain authorizations from individuals before
they enroll such individuals in research projects. In those situations where it
would not be practical and feasible for a researcher to obtain such individual
authorizations (for example, where research would take place on stored blood or
tissue samples and obtaining informed consent is not feasible, or where the
research will use large medical databases), a researcher should be required to
"stop, think, and justify" his or her use of identifiable data to be excepted
from the general authorization requirement.
The existing IRB structure, once
it is modified by the Secretary, to take into account privacy concerns, is the
best framework for establishing this "stop, think, and justify" moment, whether
public or privately funded. CCD believes a streamlined IRB review and approval
process that incorporates a "stop, think, and justify" moment will maximize
protection of confidentiality, will promote the use of nonidentifiable health
information, and will enhance individuals' trust in research endeavors -- all
without jeopardizing the integrity of health research projects and, indeed,
resulting in the enhanced vigor of publicly and privately funded research in
this country.
For further information regarding this testimony or for
further information about the CCD Privacy Working Group, please contact
Professor Chai Feldblum at (202) 662-9595 or Jeffrey Crowley, Chair, CCD Privacy
Working Group at (202) 898-0414.
FOOTNOTES:
1 For purposes of this testimony, I am following the GAO report and using the Common Rule's definition of research: "a systematic investigation ..., designed to develop or contribute to generalizable knowledge." See, e.g., 45 C.F.R. 46.102(d) (1991); see also U.S. GEN. ACCT. OFF., MED. REC. PRIVACY: ACCESS NEEDED FOR HEALTH RES. BUT OVERSIGHT OF PRIVACY PROTECTIONS IS LIMITED app. I at 26 (1999) (hereinafter "GAO REPORT").
2 See 45 C.F.R. 46 (1991); see also GAO REPORT at 5.
3 See GAO REPORT at 5.
4 See 21 C.F.R. 50, 56 (1991); see also GAO REPORT at 2.
5 See 45 C.F.R. 46.101-.124 (1991); see also GAO REPORT at 5.
6 See 45 C.F.R. 46.107 (1991); see also GAO REPORT at 5.
7 See 45 C.F.R. 46.109(a) (1991).
8 See 45 C.F.R. 46.103(b), -.109(e) (1991).
9 As the Director of the Office for Protection From Research Risks (OPRR) observed in the GAO Report, privacy is not a major thrust of the Common Rule. See GAO REPORT at 13.
10 See 45 C.F.R. 46.111 (1991).
11 See 45 C.F.R. 46.116(b) (1991).
12 See 45 C.F.R. 46.116(d) (1991).
13 See 45 C.F.R. 46.102(i) (1991).
14 See 45 C.F.R. 46.110 app. 4 (1991).
15 See 45 C.F.R. 46.110 (1991).
16 See 45 C.F.R. 46.110 (1991).
17 See GAO REPORT at 14.
18 See, e.g., S. 1921, 105th Cong., 2d Sess. 203 (1998); S. 2609, 105th Cong., 2d Sess. 203 (1998); cf. S. 1368, 105th Cong., 2d Sess. 202 (1998) (applying one authorization standard to all disclosures of PHI).
19 See GAO REPORT at 18.
20 See GAO REPORT at 5.
21 See GAO REPORT at 3.
22 See GAO REPORT at 3.
23 See GAO REPORT at 17-21.
END
LOAD-DATE: February 25, 1999