Mark J. Fox (mfox@acc.org) is Privacy and Research Compliance Officer at American College of Cardiology Foundation, Washington, DC. Thora A. Johnson (thora.johnson@orrick.com) is Partner at Orrick, Herrington & Sutcliffe LLP, Washington, DC. Deborah A. Marko Koeberer (deborah.markokoeberer@uhhospitals.org) is Director, Facility Compliance, Privacy, Compliance Operations at University Hospitals Health System (Cleveland), Shaker Heights, OH.
Regulations governing the use of data across the healthcare ecosystem continue to evolve to catch up with technological advances that enable researchers to use and exchange data to gain valuable insights. Recent revisions to 45 C.F.R. Part 46 Subpart A (the Common Rule) and the implementation of new interoperability rules under the 21st Century Cures Act have removed barriers that previously existed to the use of health-related data in research while protecting the right of individuals to keep their health information confidential and secure. In this piece, we provide background on these changes and explain how they can be leveraged by organizations to expand the responsible use of data in research settings. We then explore how organizations engaged in these activities can promote good data stewardship by implementing the fundamental principles of an institutional data governance structure.
Revised Common Rule
The Common Rule establishes the boundaries by which investigators may perform research while protecting the rights of human subjects. The Common Rule was revised in January 2017 in order to strengthen the protections for study participants while limiting burdensome administrative obligations for researchers.[1]
Prior to the introduction of the revised rule, there remained a large gap in how to address the secondary use of data in the performance of human subject research. The revised Common Rule included a number of changes to provide additional clarity on this use of data. For example, the revised Common Rule updated the definition of human subject to “a living individual about whom an investigator (whether professional or student) conducting research…obtains information or biospecimens through intervention or interaction with the individual, and uses, studies, or analyzes the information or biospecimens; or…obtains, uses, studies, analyzes, or generates identifiable private information or identifiable biospecimens.”[2] This further clarified the inclusion of data and biospecimens.
In addition, several of the exemptions under the Common Rule were revised. Of particular note is Exemption 4, which applies to the secondary research use of identifiable private information or identifiable biospecimens. The revision to Exemption 4 expanded the applicability of the exemption to secondary research using identifiable private information if the research only covers the collection and analysis of identifiable information regulated under the Health Insurance Portability and Accountability Act (HIPAA) as “health care operations,” “research,” or “public health activities and purposes.”[3] (Note that secondary research is defined as research with materials originally obtained for nonresearch purposes or for research other than the current research proposal.) Under this exemption, informed consent from research subjects is not required for institutions that are either a covered entity or business associate under HIPAA and fully comply with the HIPAA Security Rule. This provides covered institutions with the ability to conduct secondary research with less regulatory burden.
Another concept under the revised Common Rule is broad consent. Exemption 7 of the revised Common Rule permits the use of broad consent for the storage or maintenance of identifiable private information or identifiable biospecimens for secondary research with limited institutional review board (IRB) review.[4]
There are six additional elements of broad consent that must be included in the consent form.[5] These elements include:[6]
A general description of the types of research that may be conducted with the identifiable private information or identifiable biospecimens. This description must include sufficient information such that a reasonable person would expect that the broad consent would permit the types of research conducted;
A description of the identifiable private information or identifiable biospecimens that might be used in research, whether sharing of identifiable private information or identifiable biospecimens might occur, and the types of institutions or researchers that might conduct research with the identifiable private information or identifiable biospecimens;
A description of the period of time that the identifiable private information or identifiable biospecimens may be stored and maintained (which period of time could be indefinite), and a description of the period of time that the identifiable private information or identifiable biospecimens may be used for research purposes (which period of time could be indefinite);
Unless the subject or legally authorized representative will be provided details about specific research studies, a statement that they will not be informed of the details of any specific research studies that might be conducted using the subject’s identifiable private information or identifiable biospecimens, including the purposes of the research, and that they might have chosen not to consent to some of those specific research studies;
Unless it is known that clinically relevant research results, including individual research results, will be disclosed to the subject in all circumstances, a statement that such results may not be disclosed to the subject; and
An explanation of whom to contact for answers to questions about the subject’s rights and about storage and use of the subject’s identifiable private information or identifiable biospecimens, and whom to contact in the event of a research-related harm.
The concept of broad consent is new, and many institutions are still struggling to determine its feasibility.
Complementing broad consent are revisions imposed by the HIPAA Omnibus Rule, which removed significant barriers to secondary research by allowing “compound authorizations.”[7] These authorizations allow researchers to combine “conditioned” and “unconditioned” uses of protected health information. One example is to combine an authorization for a clinical trial with an authorization to use data in a central data repository. Note that both conditioned and unconditioned uses must be clearly outlined with an opportunity to opt out of unconditioned uses.
The revised Common Rule does not impose privacy and security obligations as proposed in the initial notice of proposed rulemaking but does require the development of additional guidance on privacy and security safeguards.[8] Even in the absence of additional guidance, IRBs continue to have a role in appropriately safeguarding research studies. As organizations evaluate appropriate protocols, they should consider the following questions:
- Does your IRB provide specific guidance on safeguarding private health information?
- Has your institution developed research-specific guidance and policies on protecting the privacy and security of research data?