Research Data Protections ConsideredRegulators Seek Comments on Updating Privacy Guidelines
The Department of Health and Human Services and the Food and Drug Administration have issued an advance notice of proposed rulemaking, which amounts to a solicitation of ideas for changing the regulations overseeing research on human subjects. The rule now in place, known as the Common Rule, has been in effect for 20 years.
Regulators are seeking feedback on a plan to establish mandatory data security and information protection standards for all studies involving identifiable or potentially identifiable data.
"The current regulations governing human subjects research were developed years ago when research was predominantly conducted at universities, colleges and medical institutions, and each study generally took place at only a single site," according to the notice. "Although the regulations have been amended over the years, they have not kept pace with the evolving human research enterprise, the proliferation of multi-site clinical trials and observational studies ... research involving databases, the Internet, and biological specimen repositories and the use of advanced technologies, such as genomics."
Framework for Privacy DiscussionJoy Pritts, chief privacy officer for the HHS Office of the National Coordinator for Health IT, said July 22 that the Privacy and Security Tiger Team, which advises ONC, should consider using the notice as a framework for its upcoming discussions on privacy protections for the secondary uses of data.
Speaking at the team's meeting, Pritts stressed that the notice is a very preliminary document designed primarily to raise certain key issues and solicit comments. For example, in a detailed section on "strengthening data protections to minimize information risks," the notice discusses the risks involved in de-identifying data for research purposes. "Rapidly evolving advances in technology coupled with the increasing volume of data readily available may soon allow identification of an individual from data that is currently considered de-identified."
The notice raises the notion of expanding the application of the HIPAA privacy and security rules to ensure they cover all researchers. But it also asks whether HIPAA, which contains some guidelines on de-identifying data for research purposes, is adequate to address all of the issues involved. And it seeks comments on whether additional data security and information protection standards should be considered.
Federal authorities will be accepting comments on the notice for 60 days.