Research Data Protections Considered

Regulators Seek Comments on Updating Privacy Guidelines
Research Data Protections Considered
Policies for protecting the privacy of patient information that's used for research will be considered in the context of broader new federal guidelines for protecting human research subjects.

The Department of Health and Human Services and the Food and Drug Administration have issued an advance notice of proposed rulemaking, which amounts to a solicitation of ideas for changing the regulations overseeing research on human subjects. The rule now in place, known as the Common Rule, has been in effect for 20 years.

Regulators are seeking feedback on a plan to establish mandatory data security and information protection standards for all studies involving identifiable or potentially identifiable data.

"The current regulations governing human subjects research were developed years ago when research was predominantly conducted at universities, colleges and medical institutions, and each study generally took place at only a single site," according to the notice. "Although the regulations have been amended over the years, they have not kept pace with the evolving human research enterprise, the proliferation of multi-site clinical trials and observational studies ... research involving databases, the Internet, and biological specimen repositories and the use of advanced technologies, such as genomics."

Framework for Privacy Discussion

Joy Pritts, chief privacy officer for the HHS Office of the National Coordinator for Health IT, said July 22 that the Privacy and Security Tiger Team, which advises ONC, should consider using the notice as a framework for its upcoming discussions on privacy protections for the secondary uses of data.

Speaking at the team's meeting, Pritts stressed that the notice is a very preliminary document designed primarily to raise certain key issues and solicit comments. For example, in a detailed section on "strengthening data protections to minimize information risks," the notice discusses the risks involved in de-identifying data for research purposes. "Rapidly evolving advances in technology coupled with the increasing volume of data readily available may soon allow identification of an individual from data that is currently considered de-identified."

The notice raises the notion of expanding the application of the HIPAA privacy and security rules to ensure they cover all researchers. But it also asks whether HIPAA, which contains some guidelines on de-identifying data for research purposes, is adequate to address all of the issues involved. And it seeks comments on whether additional data security and information protection standards should be considered.

Federal authorities will be accepting comments on the notice for 60 days.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.